Snort mailing list archives

tcpdump - showing data size


From: "netsec novice" <netsec9 () hotmail com>
Date: Tue, 01 Oct 2002 22:16:19 +0000

I have recently set up SNORT with the basic signatures and as a side effect have discovered that our Risc server seems to be sending out a bunch of icmp echo request traffic. I am trying to narrow down the destination hosts to give our Unix admin more info to determine the source of the requests (app, cron, etc.). The rule that is triggering the alert in SNORT is 'Large ICMP packet' which is defined by the rule:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800;)

I can tell from the Snort logs that the risc box is initiating the echo requests. I am running 'tcpdump icmp[0]=8' on the Risc server and I am wanting to narrow the capture down to the packets that are triggering the alerts (i.e. > 800). How do I display the packet size? Is dsize synonymous with bytes, i.e. > 800 bytes? I have tried the -v operator but it doesn't really show much.
Any help is appreciated.

N
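
The following is an added worked example, not part of the original post or of the Snort or tcpdump projects. Snort's dsize keyword compares the payload length in bytes, which for an ICMP echo request is everything after the 8-byte ICMP header. The same quantity can be expressed as a tcpdump/BPF filter from the IP total length (ip[2:2]) minus the IP header length ((ip[0]&0xf)*4) minus 8, so the capture on the sending host can be narrowed to exactly the packets the rule fires on. The code builds that filter string, and also parses a constructed raw IPv4/ICMP packet (sample addresses and identifiers are made up) to show what value dsize is actually comparing.

```python
import struct


def dsize_filter(threshold: int = 800) -> str:
    """tcpdump/BPF expression matching ICMP echo requests whose ICMP payload
    exceeds `threshold` bytes (the same test as Snort's dsize:>threshold).
    ip[2:2] = IP total length, (ip[0]&0xf)*4 = IP header length, 8 = ICMP header."""
    return f"icmp[0]=8 and (ip[2:2] - (ip[0]&0xf)*4 - 8) > {threshold}"


def _icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload: bytes, ttl: int = 64) -> bytes:
    """Constructed sample packet: IPv4 header without options followed by an
    ICMP echo request carrying `payload`. Addresses and IDs are placeholders;
    the IP header checksum is left at zero since nothing here validates it."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0x1234, 0, ttl, 1, 0,      # proto 1 = ICMP
        bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]),   # constructed src/dst
    )
    icmp_hdr = struct.pack("!BBHHH", 8, 0, 0, 1, 1)      # type 8 = echo request
    csum = _icmp_checksum(icmp_hdr + payload)
    icmp_hdr = struct.pack("!BBHHH", 8, 0, csum, 1, 1)
    return ip_hdr + icmp_hdr + payload


def icmp_dsize(packet: bytes):
    """Return (icmp_type, dsize) for an IPv4 ICMP packet, where dsize is the
    number of payload bytes after the ICMP header, i.e. what Snort's dsize
    keyword compares. Returns None for non-ICMP packets."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 1:          # IP protocol field: 1 = ICMP
        return None
    icmp_type = packet[ihl]
    return icmp_type, total_len - ihl - 8


def matches_large_icmp(packet: bytes, threshold: int = 800) -> bool:
    """True when the packet would trip the 'Large ICMP Packet' rule's dsize test
    for an echo request, using the same arithmetic as dsize_filter()."""
    parsed = icmp_dsize(packet)
    return parsed is not None and parsed[0] == 8 and parsed[1] > threshold


if __name__ == "__main__":
    big = build_echo_request(b"A" * 1000)
    small = build_echo_request(b"A" * 56)
    print("filter:", dsize_filter(800))
    print("1000-byte payload ->", icmp_dsize(big), matches_large_icmp(big))
    print("56-byte payload   ->", icmp_dsize(small), matches_large_icmp(small))
```

Running the generated expression as `tcpdump -nn 'icmp[0]=8 and (ip[2:2] - (ip[0]&0xf)*4 - 8) > 800'` on the sending host shows only the echo requests that would match dsize:>800, with their destination addresses, which is the list the Unix admin needs to trace the originating process.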
