Snort mailing list archives
Re: Packet size in snort log
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 10 Nov 2003 18:02:57 -0500
At 09:29 AM 11/10/2003, nick travis wrote:
> Below is a section from my snort log. How can I figure out the size of this packet in bytes based off this info?
>
> 11/10-08:58:30.639214 10.31.178.196:137 -> 10.31.179.255:137
> UDP TTL:128 TOS:0x0 ID:54163 IpLen:20 DgmLen:78
> Len: 50
Which length are you interested in? Ethernet, IP, or UDP? Packets have different sizes depending on what layer you are interested in.
This packet was a 78 byte IP packet, with 20 bytes of IP header, 8 bytes of UDP header, and 50 bytes of UDP payload.
The IpLen: specifies the length of the IP header. The DgmLen: specifies the total length of the IP packet, including all IP layer headers. The Len: specifies the payload length, at the lowest layer that snort could decode, which in this case is UDP.
Assuming ethernet headers and CRC of 18 bytes, the total on-ethernet-wire size was 96 bytes, or 92 bytes without CRC.
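The arithmetic in the reply above, as an added example that is not part of the original thread: it parses the `IpLen`, `DgmLen` and `Len` fields of a UDP log entry, checks that they agree with each other, and derives the Ethernet sizes. It goes one step beyond the reply by accounting for minimum-frame padding; the function name `layer_sizes`, the untagged 14-byte Ethernet header, the 4-byte CRC and the 60-byte minimum frame are assumptions of this example.

```python
import re

ETH_HEADER = 14       # dst MAC + src MAC + EtherType; assumes no VLAN tag
ETH_FCS = 4           # trailing CRC (14 + 4 = the 18 bytes used in the reply)
ETH_MIN_NO_FCS = 60   # shorter frames are padded up to this on the wire
UDP_HEADER = 8

FIELD_RE = re.compile(r"\b(IpLen|DgmLen|Len):\s*(\d+)")
PROTO_RE = re.compile(r"^(UDP|TCP|ICMP)\b", re.MULTILINE)

# Log entry quoted in the thread above.
SAMPLE = """11/10-08:58:30.639214 10.31.178.196:137 -> 10.31.179.255:137
UDP TTL:128 TOS:0x0 ID:54163 IpLen:20 DgmLen:78
Len: 50"""

# Constructed entry: a 1-byte UDP payload, small enough to need Ethernet padding.
TINY = """11/10-09:00:00.000000 192.0.2.1:5000 -> 192.0.2.2:5001
UDP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:29
Len: 1"""


def layer_sizes(entry: str) -> dict:
    """Per-layer byte counts for one UDP entry from a Snort text log."""
    proto = PROTO_RE.search(entry)
    if proto is None or proto.group(1) != "UDP":
        raise ValueError("this example only handles UDP entries")
    fields = {name: int(value) for name, value in FIELD_RE.findall(entry)}
    missing = {"IpLen", "DgmLen", "Len"} - fields.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    ip_total = fields["DgmLen"]
    frame = max(ip_total + ETH_HEADER, ETH_MIN_NO_FCS)
    return {
        "ip_header": fields["IpLen"],
        "udp_header": UDP_HEADER,
        "udp_payload": fields["Len"],
        "ip_total": ip_total,
        # DgmLen should equal IpLen + UDP header + Len; False means the
        # logged fields disagree and the entry deserves a closer look.
        "consistent": ip_total == fields["IpLen"] + UDP_HEADER + fields["Len"],
        "eth_no_crc": frame,
        "eth_on_wire": frame + ETH_FCS,
    }


if __name__ == "__main__":
    for name, entry in (("thread sample", SAMPLE), ("tiny", TINY)):
        print(name, layer_sizes(entry))
```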