List: snort-users
Subject: Re: [Snort-users] icmp port unreachable
From: Fyodor <fygrave () tigerteam ! net>
Date: 2000-12-28 10:01:04
On Thu, Dec 28, 2000 at 02:48:05AM +0200, Ofir Arkin wrote:
> Well, you can add a tcpdump like line:
>
> .......Offending Packet: <Source IP> <Destination IP> <Protocol Used>
> <Source Port> <Destination Port>
>
> This will help a lot when trying to correlate the ICMP Error messages with
> the offending packets in an attempt to understand what has happened and
> why.
>
> When Marty comes back.... ADD THIS ONE :)
>
Does it make a lot of difference from the current format:

12/28-16:57:17.745165 192.168.1.202 -> 192.168.1.205
ICMP TTL:255 TOS:0xC0 ID:36167 IpLen:20 DgmLen:62
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.1.205:2346 -> 192.168.1.202:22
UDP TTL:64 TOS:0x0 ID:35112 IpLen:20 DgmLen:34
Len: 14
** END OF DUMP
00 00 00 00 45 00 00 22 89 28 00 00 40 11 6C BB  ....E..".(..@.l.
C0 A8 01 CD C0 A8 01 CA 09 2A 00 16 00 0E 40 C8  .........*....@.
64 73 66 64 66 0A                                dsfdf.

Modifying phrasing isn't a big hassle here.. if it really would change anything ;-P
--
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7 B288 5CE5 A713 0969 A4D1
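
Added example, not part of the original message and not Snort's own code: a short Python parser that takes the ICMP payload bytes from the hex dump above and recovers the offending packet's addresses, protocol and ports in the one-line order suggested in the quoted text. The function names and the dictionary layout are this example's own choices.

```python
import socket
import struct

# Bytes copied from the hex dump in the message above: the ICMP payload after
# the 4-byte type/code/checksum (4 unused bytes, then the quoted datagram).
# All function and key names below are this example's own, not Snort's.
PAYLOAD = bytes.fromhex(
    "00000000" "4500002289280000" "40116CBB"
    "C0A801CD" "C0A801CA" "092A0016" "000E40C8" "64736664660A"
)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ip_checksum_ok(header: bytes) -> bool:
    """One's-complement sum over the header, checksum included, must be 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def offending_packet(payload: bytes) -> dict:
    """Parse the datagram quoted inside an ICMP Destination Unreachable message."""
    quoted = payload[4:]                      # skip the 4 unused bytes
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        raise ValueError("no IPv4 header quoted in ICMP error")
    ihl = (quoted[0] & 0x0F) * 4              # header length; options are possible
    if ihl < 20 or len(quoted) < ihl:
        raise ValueError("truncated or malformed quoted IPv4 header")
    total_len, ident = struct.unpack("!HH", quoted[2:6])
    proto = quoted[9]
    info = {
        "src": socket.inet_ntoa(quoted[12:16]),
        "dst": socket.inet_ntoa(quoted[16:20]),
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "ip_id": ident, "ip_len": total_len,
        "hdr_checksum_ok": ip_checksum_ok(quoted[:ihl]),
        "sport": None, "dport": None,
    }
    # RFC 792 guarantees only 8 bytes past the IP header; for TCP/UDP the
    # first 4 of those are the source and destination ports.
    if proto in (6, 17) and len(quoted) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return info


def one_line(info: dict) -> str:
    """Render the fields in the order proposed in the quoted message."""
    return "Offending Packet: {src} {dst} {proto} {sport} {dport}".format(**info)
```

The quoted IP header checksum verifies against the dumped bytes, which is a quick way to confirm that an embedded datagram was not garbled before correlating it with an earlier outbound packet.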