Snort mailing list archives

Re: [!] WARNING: Not IPv4 datagram! - huh?

From: John Sage <jsage () finchhaven com>
Date: Sun, 27 May 2001 14:40:37 -0700

Fyodor:

Thanks..

..I was a little surprised to see this kinda smashed into the middle ofthe logging output, and not on every packet, but just every now and then.

Is this something that's actually in only *some* of the packets, orsomething that snort's doing?


- John

Fyodor wrote:

05/27-09:19:24.672817 193.0.0.203:80 -> 12.82.128.32:62282
TCP TTL:48 TOS:0x0 ID:12316 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE47968E8  Ack: 0xFC7D383B  Win: 0x6028  TcpLen: 32
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xc561])
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xc561])
TCP Options (3) => NOP NOP TS: 34889575 318946608
:



that means that it is seeing datagrams with '5' in version field. The
datagram size is 0xc561.. :) actually it meant to be headerlength there,
but I looked at the code and realized that I messed things up abit ;-)

hope it helps.
-Fyodor



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

[!] WARNING: Not IPv4 datagram! - huh? John Sage (May 27)
- Re: [!] WARNING: Not IPv4 datagram! - huh? Fyodor (May 27)
  - Re: [!] WARNING: Not IPv4 datagram! - huh? John Sage (May 27)