Snort mailing list archives

Re: UDP capture packet issue


From: "Al Lewis \(allewi\) via Snort-users" <snort-users () lists snort org>
Date: Sun, 8 Apr 2018 23:35:25 +0000

Check your capture. The packets look to be truncated. When I run snort they are discarded…


First, do something like this to filter out only the UDP packets (2276 of them):

[speaker@speaker snort-2.9.11]$ tcpdump -n -r ~/1sec.pcap udp -w /tmp/UDP.pcap


Then check to see how many are there:

[speaker@speaker snort-2.9.11]$ tcpdump -n -r /tmp/UDP.pcap | wc -l

reading from file /tmp/UDP.pcap, link-type EN10MB (Ethernet)
2276



When I run snort I see they are discarded.

[speaker@speaker snort-2.9.11]$ ./bin/snort -c etc/snort.conf -r /tmp/UDP.pcap -Acmg -k none


   IP4 Disc:         2177 ( 95.650%)
   IP6 Disc:           99 (  4.350%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:         2276 (100.000%)



I opened it with Wireshark and it says "Packet size limited during capture". The IP headers say one length, but the packets themselves are short, so they are discarded.


Hope this helps.



Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com

From: "rugg.vale () email it" <rugg.vale () email it>
Reply-To: "rugg.vale () email it" <rugg.vale () email it>
Date: Sunday, April 8, 2018 at 5:53 PM
To: "Al Lewis (allewi)" <allewi () cisco com>, "snort-users () lists snort org" <snort-users () lists snort org>
Subject: Re: [Snort-users] UDP capture packet issue

Hi Al,

In this file there are a lot of UDP packets, but if I run snort with this command: snort -c c:\snort\etc\snort.conf -A full -r 1sec.pcap; it shows this protocol breakdown:

Breakdown by protocol (includes rebuilt packets):
        Eth:      57848 (100.000%)
       VLAN:          0 (  0.000%)
        IP4:      56751 ( 98.104%)
       Frag:          0 (  0.000%)
       ICMP:        411 (  0.710%)
        UDP:          0 (  0.000%)
        TCP:      14281 ( 24.687%)
        IP6:       1097 (  1.896%)
    IP6 Ext:         66 (  0.114%)
   IP6 Opts:          0 (  0.000%)
      Frag6:          0 (  0.000%)
      ICMP6:          1 (  0.002%)
       UDP6:          0 (  0.000%)
       TCP6:         65 (  0.112%)
     Teredo:          0 (  0.000%)
    ICMP-IP:          0 (  0.000%)
      EAPOL:          0 (  0.000%)
    IP4/IP4:          0 (  0.000%)
    IP4/IP6:          0 (  0.000%)
    IP6/IP4:          0 (  0.000%)
    IP6/IP6:          0 (  0.000%)
        GRE:          0 (  0.000%)
    GRE Eth:          0 (  0.000%)
   GRE VLAN:          0 (  0.000%)
    GRE IP4:          0 (  0.000%)
    GRE IP6:          0 (  0.000%)
GRE IP6 Ext:          0 (  0.000%)
   GRE PPTP:          0 (  0.000%)
    GRE ARP:          0 (  0.000%)
    GRE IPX:          0 (  0.000%)
   GRE Loop:          0 (  0.000%)
       MPLS:          0 (  0.000%)
        ARP:          0 (  0.000%)
        IPX:          0 (  0.000%)
   Eth Loop:          0 (  0.000%)
   Eth Disc:          0 (  0.000%)
   IP4 Disc:      42059 ( 72.706%)
   IP6 Disc:       1031 (  1.782%)
   TCP Disc:          0 (  0.000%)
   UDP Disc:          0 (  0.000%)
  ICMP Disc:          0 (  0.000%)
All Discard:      43090 ( 74.488%)
      Other:          0 (  0.000%)
Bad Chk Sum:         29 (  0.050%)
    Bad TTL:          0 (  0.000%)
     S5 G 1:          0 (  0.000%)
     S5 G 2:          0 (  0.000%)
      Total:      57848

Thank you again.

--------- Original Message --------
From: Al Lewis allewi
To: snort-users () lists snort org
Subject: Re: [Snort-users] UDP capture packet issue
Date: 08/04/18 23:29

> It will be pretty difficult to assist if you don't provide:
>
> How you started snort (meaning what flags used)
> The pcap itself so someone can inspect and/or test it
> (optional) The config file
>
> Albert Lewis
> ENGINEER.SOFTWARE ENGINEERING
> Cisco Systems Inc.
> Email: allewi () cisco com
>
> From: "rugg.vale () email it"
> Reply-To: "rugg.vale () email it"
> Date: Sunday, April 8, 2018 at 4:59 PM
> To: "Al Lewis (allewi)", "snort-users () lists snort org"
> Subject: Re: [Snort-users] UDP capture packet issue
>
> Hi Al,
>
> The pcap file is from the MAWILab dataset, and the statistics don't show any discarded UDP packets. I have started Snort in NIDS mode, with the simple rule: alert udp any any -> any any (msg:"UDP packet"; sid:10002;), but the alert log too doesn't show UDP packets. Maybe I must change something in the config file? Thank you for the answer, best regards
>
> --------- Original Message --------
> From: Al Lewis allewi
> To: snort-users () lists snort org
> Subject: Re: [Snort-users] UDP capture packet issue
> Date: 08/04/18 22:19
>
> > Can you provide the pcap?
> >
> > Does the snort exit stats show discarded packets?
> >
> > Does the pcap have bad checksums?
> >
> > How are you starting snort?
> >
> > Albert Lewis
> > ENGINEER.SOFTWARE ENGINEERING
> > Cisco Systems Inc.
> > Email: allewi () cisco com
> >
> > From: Snort-users on behalf of "rugg.vale () email it"
> > Reply-To: "rugg.vale () email it"
> > Date: Sunday, April 8, 2018 at 3:30 PM
> > To: "snort-users () lists snort org"
> > Subject: [Snort-users] UDP capture packet issue
> >
> > Hi,
> >
> > I've a problem with UDP packets. I've read a pcap file with Snort, and the breakdown by protocol doesn't show any UDP packets; the same pcap file opened with Wireshark shows a lot of UDP packets. Could you please explain why I can't see the UDP packets with Snort? Thank you in advance for the help, best regards
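The truncation check Al describes above (Wireshark's "Packet size limited during capture", and Snort's IP4 Disc counter climbing when the IP header promises more bytes than were captured) can be scripted against a pcap directly. This is an added Python example, not code from the thread or from Snort: it builds a constructed capture with a 200-byte snaplen and flags every record whose captured length is below its wire length or below what the IPv4 total-length field claims; the frame builder, MAC/IP addresses and ports are assumptions.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1

def udp_frame(payload_len, sport=53000, dport=53):
    """Constructed Ethernet/IPv4/UDP frame with correct length fields (checksums zeroed)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip_total = 20 + 8 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 1, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    return eth + ip + udp + b"A" * payload_len

def build_pcap(frames, snaplen):
    """Constructed capture: each frame is cut to snaplen, as a short-snaplen capture does."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", 1523200000 + i, 0, len(captured), len(frame)) + captured
    return out

def check_pcap(data):
    """Return (snaplen, [(index, caplen, wirelen, ip_total_len, truncated), ...])."""
    magic, _, _, _, _, snaplen, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("example handles little-endian pcap with Ethernet frames only")
    off, results = 24, []
    while off + 16 <= len(data):
        _, _, caplen, wirelen = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + caplen]
        off += caplen
        ip_total = None
        # EtherType 0x0800 and version nibble 4: IPv4 total length sits at frame offset 16
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00" and frame[14] >> 4 == 4:
            ip_total = struct.unpack_from("!H", frame, 16)[0]
        # either signal means the decoder cannot see the whole datagram it was promised
        truncated = caplen < wirelen or (ip_total is not None and caplen < 14 + ip_total)
        results.append((len(results), caplen, wirelen, ip_total, truncated))
    return snaplen, results

def demo():
    # the 142-byte frame fits in a 200-byte snaplen; the 1442-byte one is cut short
    return check_pcap(build_pcap([udp_frame(100), udp_frame(1400)], snaplen=200))

if __name__ == "__main__":
    for idx, caplen, wirelen, ip_total, trunc in demo()[1]:
        print(f"pkt {idx}: caplen={caplen} wirelen={wirelen} ip_len={ip_total} truncated={trunc}")
```

A capture that fails this check cannot be repaired afterwards; it has to be taken again with a snaplen that covers the whole frame (for example tcpdump -s 0).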