Snort mailing list archives

Re: snort -r output


From: John Sage <jsage () finchhaven com>
Date: Mon, 21 Apr 2003 07:41:54 -0700

Cheeyong:

On or about Mon, Apr 21, 2003 at 04:19:01PM +0800, Tay Chee Yong posited:
> Hi list,
>
> I am pretty new to snort, and I would like to find out how do I decode the
> snort -r output?  Could anyone tell me what does hex value stand for, and
> why are there "......."?
>
> Basically, I am trying to find out the patterns of the packets, so that I
> can match by the content in my rules.
>
> 04/21-16:02:57.719998 210.24.246.13:62764 -> 203.120.90.33:53
> UDP TTL:124 TOS:0x0 ID:31492 IpLen:20 DgmLen:70
> Len: 42
> 01 62 01 00 00 01 00 00 00 00 00 00 09 4D 41 52  .b...........MAR
> 4B 45 54 49 4E 47 07 61 6C 63 6F 74 65 63 00 00  KETING.alcotec..
> 01 00 01 00 00 00 00 00 00 00                    ..........

The first three lines (I hope..) should be self-explanatory.

The fourth through sixth lines represent the packet, with hexadecimal
on the left and an ASCII decoding on the right. Those hexadecimal
pairs (0x09 for example) that do not represent ASCII characters are
represented as dots "...."

If you have a hex-to-ASCII conversion table (try man ascii..) or
conversion tool (I use 2.pl; see: http://freshmeat.net/projects/2/ but
it doesn't seem to be available right now...) you can see that the
sequence 4d 41 52 4b 45 54 49 4e 47 represents "MARKETING" in capital
letters, which is shown decoded in the right column.

Get a copy of "TCP/IP Illustrated" vol. 1, W. R. Stevens, Addison-Wesley,
if you really want to get into decoding the packet headers.


- John
-- 
"You are in a twisty maze of weblogs, all alike."

    PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
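The decode John walks through, as an added worked example that is not part of the original post or of Snort itself: it parses the hex column of the dump quoted above back into bytes, regenerates the ASCII column (so it is clear why 0x09 and 0x00 print as dots), decodes the DNS header and question section by hand (the packet is a UDP datagram to port 53, so the payload is a DNS query), and renders the question name as a Snort `content:` pattern of the kind Tay asked for. The helper names and the choice to hex-escape Snort's reserved content characters instead of backslash-escaping them are my own assumptions, not anything from the thread.

```python
"""Decode a Snort ``-r`` packet dump and pull out the DNS question it carries.

Added example for this thread (not code from the original post or from
Snort).  The hex column of the dump is parsed back into bytes, the DNS
header and question are decoded following the RFC 1035 wire layout, and
the question name is rendered as a Snort ``content:`` pattern.
"""
import re
import struct

# The UDP payload dump quoted in the post: a DNS query to port 53.
SNORT_DUMP = """\
01 62 01 00 00 01 00 00 00 00 00 00 09 4D 41 52  .b...........MAR
4B 45 54 49 4E 47 07 61 6C 63 6F 74 65 63 00 00  KETING.alcotec..
01 00 01 00 00 00 00 00 00 00                    ..........
"""

_HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the payload from the hex column of a Snort dump.

    Each line is up to 16 two-digit hex pairs separated by single spaces,
    then a run of at least two spaces, then the ASCII rendering.  Only the
    hex column is parsed: the ASCII column can itself contain two-letter
    words such as "ad" or "be" and must not be mistaken for hex.
    """
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        hex_col = re.split(r"\s{2,}", line.strip(), maxsplit=1)[0]
        for tok in hex_col.split():
            if not _HEX_PAIR.match(tok):
                raise ValueError(f"unexpected token in hex column: {tok!r}")
            out.append(int(tok, 16))
    return bytes(out)


def ascii_column(chunk: bytes) -> str:
    """Reproduce the right-hand column: printable ASCII as-is, anything
    else as a dot (an approximation of Snort's rendering).  This is why
    0x09, a DNS label length here, and the 0x00 bytes show up as dots."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)


def read_name(buf: bytes, off: int):
    """Read a DNS name (length-prefixed labels, zero terminator) at *off*.

    Returns (dotted name, offset just past the terminator).  Compression
    pointers (top two bits set) are rejected: they cannot legally appear
    in the first name of a message, and every length is bounds-checked so
    a malformed packet raises instead of reading past the buffer.
    """
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer where a label was expected")
        if off + n > len(buf):
            raise ValueError("label runs past end of packet")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def decode_dns_query(payload: bytes) -> dict:
    """Decode the 12-byte DNS header and the first question."""
    if len(payload) < 12:
        raise ValueError("payload shorter than a DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack(
        "!6H", payload[:12])
    qname, off = read_name(payload, 12)
    if off + 4 > len(payload):
        raise ValueError("question section truncated")
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return {
        "id": txid,
        "flags": flags,
        "is_query": not flags & 0x8000,        # QR bit clear
        "recursion_desired": bool(flags & 0x0100),
        "qdcount": qdcount, "ancount": ancount,
        "nscount": nscount, "arcount": arcount,
        "qname": qname,
        "qname_bytes": payload[12:off],        # raw wire form of the name
        "qtype": qtype,                        # 1 = A
        "qclass": qclass,                      # 1 = IN
        "trailing": payload[off + 4:],         # bytes after the question
    }


# Characters Snort treats specially inside a content: string.
_CONTENT_RESERVED = frozenset(b'|";\\')


def snort_content(pattern: bytes) -> str:
    """Render bytes as a Snort content: string, using |XX XX| hex blocks for
    non-printable bytes.  The reserved characters are emitted as hex too
    (my choice) rather than backslash-escaped, so no escaping rules apply."""
    parts, run = [], []

    def flush():
        if run:
            parts.append("|" + " ".join(f"{b:02X}" for b in run) + "|")
            run.clear()

    for b in pattern:
        if 0x20 <= b <= 0x7E and b not in _CONTENT_RESERVED:
            flush()
            parts.append(chr(b))
        else:
            run.append(b)
    flush()
    return '"' + "".join(parts) + '"'


def decode_dump(dump: str) -> dict:
    """Dump text in; decoded question plus a ready-to-paste content pattern out."""
    payload = dump_to_bytes(dump)
    info = decode_dns_query(payload)
    info["content"] = snort_content(info["qname_bytes"])
    return info


if __name__ == "__main__":
    q = decode_dump(SNORT_DUMP)
    print(f"id=0x{q['id']:04X} flags=0x{q['flags']:04X} "
          f"qname={q['qname']} qtype={q['qtype']} qclass={q['qclass']}")
    print("content:" + q["content"] + ";")
```

Run on the dump above this yields transaction ID 0x0162, flags 0x0100 (a standard query with recursion desired), one question for MARKETING.alcotec, type A, class IN, followed by seven trailing zero bytes, and the pattern `content:"|09|MARKETING|07|alcotec|00|";`. Because the question name always starts 12 bytes into the payload, a rule using that pattern can anchor it with `offset:12;` so the bytes are not searched for elsewhere in the packet.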

