Re: ICMP Large PAcket

[Jeff Nathan <jeff () snort org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jose,

That looks like a possible programming bug in a piece of software.

1472 bytes is the amount of space available in an Ethernet frame after 
taking account for the IP header and the 8 byte ICMP header: 1500 - (20 + 
8).

The fact that you're seeing the payload full of zeros looks like memory was 
allocated for a full-size Ethernet frame and then no data was put in the 
Ethernet frame following the ICMP header.  The most plausible reason the 
packet's payload is all zeros is that when memory was allocated for the 
Ethernet frame, it was zeroed out (ie: malloc() and then memset() or 
calloc() ... )

- -Jeff



- --On Thursday, March 20, 2003 11:11:53 -0600 Jose Ramon Hernandez Macias 
<jhernandez () alestra com mx> wrote:

> Hi dudes,
>
> I´m actually receiving a lot of ICMP Large Packet alerts, after I analyzed
> most of the packets I´ve seen all of them
> are echo request packets with a size of 1472 bytes of NULL, so the alarm
> is triggered with >800 . My question is
> do you recommend me to increase the size to >1472 or >1500 ?
>
> Thanks
>
> Jose
> "Rapidity is the essence of war: take advantage of the enemy´s
> unreadiness, make your way by unexpected routes, and attack unguarded
> spots." -- Sun Tzu
>
>
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Tablet PC.
> Does your code think in ink? You could win a Tablet PC.
> Get a free Tablet PC hat just for playing. What are you waiting for?
> http://ads.sourceforge.net/cgi-bin/redirect.pl?micr5043en
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


- --
http://cerberus.sourcefire.com/~jeff       (pgp key available)
"Great spirits have always encountered violent opposition from mediocre
minds."
- - Albert Einstein
    
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (OpenBSD)

iD8DBQE+ei9fEqr8+Gkj0/0RArHTAJoDuNriBclFtBA7qcVdG3od1+b1oQCcCvKB
Tl42GIlLq29PGEErSVQq8kQ=
=FvXi
-----END PGP SIGNATURE-----



-------------------------------------------------------
This SF.net email is sponsored by: Tablet PC.
Does your code think in ink? You could win a Tablet PC.
Get a free Tablet PC hat just for playing. What are you waiting for?
http://ads.sourceforge.net/cgi-bin/redirect.pl?micr5043en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users