Snort mailing list archives

ICMP : Strange icmp payload decoding


From: Domingos Costa <domingos () microlink com br>
Date: Thu, 28 Aug 2003 15:55:48 -0300

Hi,

When I click on an ICMP alert, such as ICMP dest. unreach. or ICMP TTL exceeded, the payload field appears with a strange IP src/dst. For example, ACID shows me IP source 0.0.0.0:0 and IP dest 0.0.0.0:224 for the packet below. How can I configure Snort/ACID to show me the correct information? I saw some questions in the SnortUsers list with this same problem, but it was fixed last year. It was a little mistake in ACID. I'm using Snort 2.0.0 build 72 and ACID v0.9.6b23.

Thanks,

Domingos Costa



[...]
Generated by ACID v0.9.6b23 on Thu, 28 Aug 2003 13:42:29 -0300

------------------------------------------------------------------------------
#(1 - 639884) [2003-08-27 13:04:19] [snort/450] ICMP Time-To-Live Exceeded in Transit (Undefined Code!)
IPv4: ip_outsidemynet -> ip_insidemynet
      hlen=5 TOS=192 dlen=56 ID=47806 flags=0 offset=0 TTL=250 chksum=59304
ICMP: type=Time Exceeded code=0
      checksum=48041 id= seq=
Payload: ....E..0f.@...n.......Y....[....
[...]
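
Added example, not part of the original post and not Snort or ACID code: a minimal Python decoder for the datagram quoted inside an ICMP error message (Destination Unreachable, Time Exceeded), following the RFC 792 layout of 4 header bytes, 4 unused bytes, then the original IPv4 header plus the first 8 bytes of its payload. It assumes the input starts at the ICMP type byte; the function names and the sample packet are constructed for illustration.

```python
import socket
import struct

# ICMP error types whose body quotes the offending datagram (RFC 792).
ICMP_ERROR_TYPES = {3: "Destination Unreachable", 11: "Time Exceeded"}


def decode_icmp_error(icmp: bytes) -> dict:
    """Decode the datagram quoted inside an ICMP error message.

    `icmp` must start at the ICMP type byte (assumption of this example).
    """
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type not in ICMP_ERROR_TYPES:
        raise ValueError(f"ICMP type {icmp_type} does not quote a datagram")
    # Bytes 0-3: type, code, checksum. Bytes 4-7: unused. The quoted IPv4
    # header starts at byte 8; reading it from any other offset shifts
    # every field and yields meaningless addresses and ports.
    inner = icmp[8:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("quoted datagram is not a complete IPv4 header")
    ihl = (inner[0] & 0x0F) * 4  # header length in bytes, options included
    if ihl < 20 or len(inner) < ihl:
        raise ValueError("bad IHL in quoted header")
    out = {
        "icmp": ICMP_ERROR_TYPES[icmp_type], "code": code,
        "proto": inner[9],
        "src": socket.inet_ntoa(inner[12:16]),
        "dst": socket.inet_ntoa(inner[16:20]),
        "sport": None, "dport": None,
    }
    l4 = inner[ihl:]  # RFC 792 guarantees only the first 8 bytes
    if out["proto"] in (6, 17) and len(l4) >= 4:  # TCP or UDP
        out["sport"], out["dport"] = struct.unpack("!HH", l4[:4])
    return out


def build_sample() -> bytes:
    """Constructed Time Exceeded message (documentation addresses, checksums 0)."""
    quoted_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 48, 0x1234, 0x4000, 1, 6, 0,
                            socket.inet_aton("192.0.2.10"),
                            socket.inet_aton("198.51.100.7"))
    quoted_tcp = struct.pack("!HHI", 40000, 80, 1)  # ports + sequence number
    return struct.pack("!BBHI", 11, 0, 0, 0) + quoted_ip + quoted_tcp


if __name__ == "__main__":
    print(decode_icmp_error(build_sample()))
```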