Snort mailing list archives

RE: "OTHER" protocol packets


From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Wed, 13 Nov 2002 16:22:17 -0500

Other could be any other IP protocol type, I believe (ESP, GRE, etc.).  You could try ntop, if you're interested in seeing what's out there--great tool.

-----Original Message-----
From: Peter Caffin [mailto:peterc+snortlist () autons net au]
Sent: Wednesday, November 13, 2002 4:03 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] "OTHER" protocol packets


Hi all,

I have a colocated box running snort that has produced the following
summary (snort run 2002/11/13 7.03am to 11/14 4.44am WST +0800):

  Snort analyzed 277068 out of 277068 packets,
  dropping 0(0.000%) packets
  Breakdown by protocol:                Action Stats:
      TCP: 28700      (10.358%)         ALERTS: 0
      UDP: 84281      (30.419%)         LOGGED: 0
     ICMP: 68         (0.025%)          PASSED: 0
      ARP: 119465     (43.118%)
     IPv6: 0          (0.000%)
      IPX: 0          (0.000%)
    OTHER: 44554      (16.081%)
  DISCARD: 0          (0.000%)

It's not a high-traffic site by any means and the box has been located in
a /25 subnet with some of their other customers. (The UDP is high due to
their colocated luser customers sending out volumes of netbios and bootp
crap to their broadcast.)

What really concerns me is the extremely high ARP count (I've opened a
case with my provider) and the stuff listed as "OTHER".

Anyone care to speculate what sort of traffic this "OTHER" protocol
garbage might be? Can anyone recommend any tools that would be useful to
find out?

Thanks.

-- 
----------------------------------------------------------------------
Peter Caffin, Automatic Networking Solutions Pty. Ltd. (ACN 099822965)
http://www.autons.net.au/   PO Box 283, North Perth WA 6906, Australia
----------------------------------------------------------------------



-------------------------------------------------------
This sf.net email is sponsored by: Are you worried about 
your web server security? Click here for a FREE Thawte 
Apache SSL Guide and answer your Apache SSL security 
needs: http://www.gothawte.com/rd523.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
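
An added example, not part of the original thread and not Snort's or ntop's code: a Python tally that breaks a classic libpcap capture down by EtherType and IP protocol number, so the traffic outside the named rows of a summary like the one above can be identified. Which packets Snort itself counts as OTHER is an assumption here; the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

# A few well-known numbers; anything else is reported by its number.
ETHERTYPES = {0x0806: "ARP", 0x86DD: "IPv6", 0x8137: "IPX"}
IP_PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}
SNORT_NAMED = {"TCP", "UDP", "ICMP", "ARP", "IPv6", "IPX"}  # rows named in the summary

def breakdown(pcap: bytes) -> Counter:
    """Tally the Ethernet frames of a classic libpcap capture by protocol."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 14:
            counts["truncated"] += 1
            continue
        etype = struct.unpack("!H", frame[12:14])[0]
        if etype < 0x0600:                      # a length, not a type: 802.3/LLC (e.g. STP)
            counts["802.3/LLC"] += 1
        elif etype == 0x0800 and len(frame) > 23:
            proto = frame[23]                   # IPv4 header byte 9 = protocol number
            counts[IP_PROTOS.get(proto, f"IP proto {proto}")] += 1
        else:
            counts[ETHERTYPES.get(etype, f"ethertype 0x{etype:04x}")] += 1
    return counts

def other_bucket(counts: Counter) -> dict:
    """Everything the summary would not list under a named row."""
    return {k: v for k, v in counts.items() if k not in SNORT_NAMED}

def sample_capture() -> bytes:
    """Constructed capture: TCP, ARP, GRE, ESP and two 802.3/LLC frames."""
    def eth(etype, ipproto=None):
        ip = b"\x45" + bytes(8) + bytes([ipproto]) + bytes(10) if ipproto is not None else bytes(28)
        return bytes(12) + struct.pack("!H", etype) + ip
    frames = [eth(0x0800, 6), eth(0x0806), eth(0x0800, 47), eth(0x0800, 50), eth(0x0026), eth(0x0026)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

To run it on a real capture, pass the bytes of a file written by a capture tool to `breakdown` and print `other_bucket` of the result; VLAN-tagged frames are reported by their outer EtherType.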




