Snort mailing list archives

Re: Incorrect IP Flags Values in database output.


From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 15 Aug 2011 22:13:13 -0400

On 8/15/2011 20:24, kareem () khan net wrote:
> You are right on the bits. All of them get affected. My only reference for what
> is expected in the database is the code for BASE. In the base_payload.php file,
> the ip_frag field gets pulled out of the database and is used to create a PCAP.
> Since the data in that field is not the flags, the PCAP that is created is
> incorrect. So, my assumption was that the database would be holding the flags.

That doesn't sound too kosher... shouldn't a PCAP be the actual data on the 
wire? Fragments and all?? Yes, I understand that in some cases the fragments are 
reassembled into one large packet with flags and packet size supposedly adjusted 
to match, but while this is a GoodThing<tm> in some cases, it would seem to be 
not all that proper in others...
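
The thread above turns on which bits of the IPv4 header end up in the database and how they are put back together when a PCAP is rebuilt. The following is an added example, not code from Snort or BASE, and it makes no claim about the real Snort schema or about what base_payload.php does: the field names `flags`/`off`, the sample header `SAMPLE_FIELDS`, and the link type used for the pcap wrapper are this example's own assumptions. It splits the 16-bit flags/fragment-offset word into its 3-bit flags and 13-bit offset, rebuilds the header with a fresh checksum, refuses a value that cannot be a 3-bit flags word (the failure the thread describes, a whole-field value landing in a flags slot), and wraps the result in a minimal pcap file.

```python
import struct

# Layout of the 16-bit IPv4 "flags + fragment offset" word (RFC 791):
# bit 15 reserved (zero), bit 14 DF, bit 13 MF, bits 12..0 fragment offset
# counted in 8-octet units. All three flag bits and the offset share one word,
# so a wrong interpretation of that word corrupts all of them at once.
IP_RF = 0x4  # reserved, must be zero
IP_DF = 0x2  # don't fragment
IP_MF = 0x1  # more fragments

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_RAW = 101  # pcap link type for records that begin at the IP header


def split_frag_field(field16):
    """Split the wire 16-bit word into (3-bit flags, 13-bit offset in 8-byte units)."""
    if not 0 <= field16 <= 0xFFFF:
        raise ValueError("field must fit in 16 bits")
    return (field16 >> 13) & 0x7, field16 & 0x1FFF


def join_frag_field(flags, offset):
    """Inverse of split_frag_field. Rejects values that do not fit their bit widths,
    so a whole 16-bit wire word passed where the 3-bit flags belong fails loudly
    instead of silently producing a corrupt header."""
    if not 0 <= flags <= 0x7:
        raise ValueError("flags %r do not fit in 3 bits" % (flags,))
    if not 0 <= offset <= 0x1FFF:
        raise ValueError("fragment offset %r does not fit in 13 bits" % (offset,))
    return (flags << 13) | offset


def ip_checksum(header):
    """RFC 1071 ones'-complement checksum over the header bytes (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(data):
    """Parse the 20-byte fixed IPv4 header (options are not handled) into a dict."""
    (ver_ihl, tos, tlen, ident, frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    flags, offset = split_frag_field(frag)
    return {"ver": ver_ihl >> 4, "ihl": ver_ihl & 0xF, "tos": tos, "len": tlen,
            "id": ident, "flags": flags, "off": offset, "ttl": ttl,
            "proto": proto, "csum": csum, "src": src, "dst": dst}


def build_ipv4_header(h):
    """Serialise the dict back to 20 bytes, recomputing the header checksum."""
    frag = join_frag_field(h["flags"], h["off"])
    raw = struct.pack("!BBHHHBBH4s4s", (h["ver"] << 4) | h["ihl"], h["tos"],
                      h["len"], h["id"], frag, h["ttl"], h["proto"], 0,
                      h["src"], h["dst"])
    return raw[:10] + struct.pack("!H", ip_checksum(raw)) + raw[12:]


def to_pcap(packet, ts_sec=0, ts_usec=0):
    """Wrap one raw-IP packet in a minimal big-endian pcap file (global header + one record)."""
    ghdr = struct.pack("!IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    rhdr = struct.pack("!IIII", ts_sec, ts_usec, len(packet), len(packet))
    return ghdr + rhdr + packet


# Constructed sample (not captured traffic): the second fragment of a UDP
# datagram from 10.0.0.1 to 10.0.0.2, offset 1480 bytes (185 units), MF set,
# 8 bytes of payload, no IP options.
SAMPLE_FIELDS = {"ver": 4, "ihl": 5, "tos": 0, "len": 28, "id": 0x1234,
                 "flags": IP_MF, "off": 185, "ttl": 64, "proto": 17,
                 "src": bytes([10, 0, 0, 1]), "dst": bytes([10, 0, 0, 2])}
SAMPLE_HEADER = build_ipv4_header(SAMPLE_FIELDS)
SAMPLE_PACKET = SAMPLE_HEADER + b"\x00" * 8


if __name__ == "__main__":
    hdr = parse_ipv4_header(SAMPLE_PACKET)
    print("flags=%d off=%d units (%d bytes)" % (hdr["flags"], hdr["off"], hdr["off"] * 8))
    # Treating the whole wire word as if it were the 3-bit flags value:
    wire_word = join_frag_field(hdr["flags"], hdr["off"])
    try:
        join_frag_field(wire_word, 0)
    except ValueError as err:
        print("rejected:", err)
    print("pcap bytes:", len(to_pcap(SAMPLE_PACKET)))
```

Running the block prints the decoded flags and offset of the sample fragment, shows the range check rejecting the 16-bit wire word 0x20B9 when it is offered as a flags value, and reports the size of the pcap wrapper. The round trip `parse_ipv4_header(build_ipv4_header(...))` is the property to check on whatever a store actually holds: if the header that comes back differs from the one that went in, the stored columns are not the flags and offset the rebuild assumes.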



