Snort mailing list archives

Re: Packet size in snort log


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 10 Nov 2003 18:02:57 -0500

At 09:29 AM 11/10/2003, nick travis wrote:
> Below is a section from my snort log. How can I figure out the size of
> this packet in bytes based off this info?


> 11/10-08:58:30.639214 10.31.178.196:137 -> 10.31.179.255:137
> UDP TTL:128 TOS:0x0 ID:54163 IpLen:20 DgmLen:78
> Len: 50

Which length are you interested in? Ethernet, IP, or UDP? Packets have different sizes depending on what layer you are interested in.

This packet was a 78 byte IP packet, with 20 bytes of IP header, 8 bytes of UDP header, and 50 bytes of UDP payload.

The IpLen: specifies the length of the IP header.
The DgmLen: specifies the total length of the IP packet, including all IP layer headers.
The Len: specifies the payload length, at the lowest layer that snort could decode, which in this case is UDP.

Assuming ethernet headers and CRC of 18 bytes, the total on-ethernet-wire size of the packet was 96 bytes, or 92 bytes without CRC.
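
The arithmetic in the reply above, as an added example (not part of the original message and not Snort's own code): a parser that takes this text log record and derives each layer's size. The 14-byte header / 4-byte CRC split and the 60-byte minimum-frame padding are assumptions for untagged Ethernet, and the padding case goes beyond the packet discussed here.

```python
import re

ETH_HEADER = 14      # assumed untagged Ethernet II header (MACs + EtherType)
ETH_FCS = 4          # CRC; 14 + 4 = the 18 bytes the message assumes
ETH_MIN_NO_FCS = 60  # assumed 802.3 minimum; shorter frames are padded

FIELD = re.compile(r"\b(IpLen|DgmLen|Len):\s*(\d+)")
PROTO = re.compile(r"\b(UDP|TCP|ICMP)\s+TTL:")

# Constructed sample: the record quoted in the message.
SAMPLE = """11/10-08:58:30.639214 10.31.178.196:137 -> 10.31.179.255:137
UDP TTL:128 TOS:0x0 ID:54163 IpLen:20 DgmLen:78
Len: 50"""

def layer_sizes(record):
    """Return per-layer byte counts for one Snort text log record."""
    fields = {name: int(value) for name, value in FIELD.findall(record)}
    missing = {"IpLen", "DgmLen", "Len"} - fields.keys()
    if missing:
        raise ValueError("record lacks " + ", ".join(sorted(missing)))
    proto = PROTO.search(record)
    ip_total, ip_header, payload = fields["DgmLen"], fields["IpLen"], fields["Len"]
    # Whatever sits between the IP header and the payload is the
    # transport header (8 bytes for UDP).
    transport_header = ip_total - ip_header - payload
    if transport_header < 0:
        raise ValueError("IpLen + Len exceeds DgmLen; record is inconsistent")
    frame = max(ETH_HEADER + ip_total, ETH_MIN_NO_FCS)
    return {
        "proto": proto.group(1) if proto else None,
        "ip_header": ip_header,
        "transport_header": transport_header,
        "payload": payload,
        "ip_total": ip_total,
        "eth_padding": frame - ETH_HEADER - ip_total,
        "wire_no_crc": frame,
        "wire_with_crc": frame + ETH_FCS,
    }

if __name__ == "__main__":
    for name, size in layer_sizes(SAMPLE).items():
        print(f"{name:17} {size}")
```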

