Snort mailing list archives

Investigating mangled packets from pre-processor


From: twig les <twigles () yahoo com>
Date: Mon, 1 Mar 2004 16:59:38 -0800 (PST)

Hey *, I'm looking at a bunch of messages regarding mangled
packets like these:

snort: [116:55:1] (snort_decoder): Truncated Tcp Options {TCP}
x.x.x.35:80 -> x.x.x.113:32190
(snort_decoder) WARNING: TCP Header length exceeds packet
length! {TCP} x.x.x.82:0 -> x.x.x.113:0

There are others but you get it.  My dilemma is that I'm not
sure how to figure out the source of these alarms or if they are
false alarms or not.  I have a suspect box in mind but I need
some proof (stupid scientific method...grumble grumble).  I
can't think of a way to capture this type of packet with TCPDump
and I can't do anything tricky with Snort since this is not a
signature.  Am I missing something?

Our Snort is Version 2.0.5 (Build 98) reporting to syslog only.

=====
-----------------------------------------------------------
With a few exceptions, secrecy is deeply incompatible with
democracy and with science.
     --Carl Sagan  
-----------------------------------------------------------
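The two decoder conditions quoted in the message, checked over raw frames, as an added example that is not part of the original post or of Snort's own code. It reads an in-memory libpcap file of the kind `tcpdump -w` produces, applies the two tests the decoder messages describe (a TCP data offset larger than the bytes actually present, and an option whose length field runs past the end of the header), and prints one line per frame in the shape of the syslog lines above. Everything in it is constructed: the addresses, ports, frames and pcap bytes are made up here, the pcap reader assumes Ethernet link type, and the frame builder leaves checksums at zero because the checks never look at them.

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def build_tcp_frame(src, dst, sport, dport, options=b"", data_offset=None, payload=b""):
    """Constructed test input: a minimal Ethernet/IPv4/TCP frame (checksums zero).
    data_offset (in 32-bit words) can be forced to disagree with the real header
    to reproduce a malformed packet."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)      # option area is padded to 32-bit words
    if data_offset is None:
        data_offset = 5 + len(options) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      data_offset << 4, 0x02, 8192, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0,
                     64, IPPROTO_TCP, 0, _ip(src), _ip(dst))
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def check_tcp_frame(frame):
    """Apply the two decoder conditions to one raw Ethernet frame.
    Lengths come from the bytes actually present, so a packet cut short by the
    capture snaplen is reported exactly like one malformed on the wire."""
    r = {"tcp": False, "too_short": False, "hdr_exceeds_pkt": False,
         "truncated_opts": False, "src": None, "dst": None, "sport": 0, "dport": 0}
    if len(frame) < ETH_HDR_LEN + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return r
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP or ihl < 20 or len(ip) < ihl:
        return r
    r["tcp"] = True
    r["src"], r["dst"] = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:]
    if len(tcp) < 20:
        r["too_short"] = True           # not even a fixed header; ports are unreadable
        return r
    r["sport"], r["dport"] = struct.unpack("!HH", tcp[:4])
    hlen = (tcp[12] >> 4) * 4           # data offset, converted to bytes
    if hlen > len(tcp):
        r["hdr_exceeds_pkt"] = True     # header claims more bytes than the frame holds
        return r
    opts, i = tcp[20:hlen], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                   # EOL: the rest of the option area is padding
            break
        if kind == 1:                   # NOP: one byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            r["truncated_opts"] = True  # length byte missing, too small, or past the end
            break
        i += opts[i + 1]
    return r


def describe(frame):
    """One line per frame, shaped like the snort_decoder syslog messages."""
    r = check_tcp_frame(frame)
    if not r["tcp"]:
        return "not IPv4/TCP"
    where = f'{r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]}'
    if r["too_short"]:
        return f"TCP packet shorter than 20 bytes {{TCP}} {where}"
    if r["hdr_exceeds_pkt"]:
        return f"TCP Header length exceeds packet length! {{TCP}} {where}"
    if r["truncated_opts"]:
        return f"Truncated Tcp Options {{TCP}} {where}"
    return f"ok {{TCP}} {where}"


def iter_pcap(data):
    """Yield frames from libpcap bytes (tcpdump -w output); honours the magic
    number for byte order and assumes link type 1 (Ethernet)."""
    magic = data[:4]
    if magic not in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"):
        raise ValueError("not a pcap file")
    end, off = ("<" if magic == b"\xd4\xc3\xb2\xa1" else ">"), 24
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + caplen]
        off += caplen


def to_pcap(frames):
    """Constructed little-endian pcap bytes, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


# Constructed samples (RFC 5737 documentation addresses, not the poster's hosts).
SRC, DST = "192.0.2.35", "192.0.2.113"
GOOD = build_tcp_frame(SRC, DST, 80, 32190, options=b"\x02\x04\x05\xb4")      # MSS option, well formed
BAD_HLEN = build_tcp_frame(SRC, DST, 80, 32190, data_offset=15)               # claims 60-byte header, has 20
BAD_OPTS = build_tcp_frame(SRC, DST, 80, 32190, options=b"\x02\x08\x05\xb4")  # MSS length says 8, 4 present
CUT = build_tcp_frame(SRC, DST, 80, 32190,
                      options=b"\x02\x04\x05\xb4" + b"\x01" * 8)[:-4]         # valid on the wire, snaplen-truncated
SAMPLE_PCAP = to_pcap([GOOD, BAD_HLEN, BAD_OPTS, CUT])

if __name__ == "__main__":
    for frame in iter_pcap(SAMPLE_PCAP):
        print(describe(frame))
```

To use it on a real capture, record with a full snaplen (`tcpdump -s 0 -w file`) and feed the file's bytes to `iter_pcap`; the last constructed sample shows why the snaplen matters: `CUT` is a well-formed segment that only trips the header-length check because four bytes were dropped at capture time, so a short snaplen on either the capture or the sensor will manufacture these alerts with no help from the suspect box.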


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
