
List:       snort-users
Subject:    Re: [Snort-users] icmp port unreachable
From:       Fyodor <fygrave () tigerteam ! net>
Date:       2000-12-28 10:01:04

On Thu, Dec 28, 2000 at 02:48:05AM +0200, Ofir Arkin wrote:
> Well, you can add a tcpdump like line:
> 
> .......Offending Packet: <Source IP> <Destination IP> <Protocol Used>
> <Source Port> <Destination Port>
> 
> This will help a lot when trying to correlate the ICMP Error messages with
> the offending packets in an attempt to understand what has happened and
> why.
> 
> When Marty comes back.... ADD THIS ONE :)
> 

Does it make a lot of difference from the current format:

12/28-16:57:17.745165 192.168.1.202 -> 192.168.1.205
ICMP TTL:255 TOS:0xC0 ID:36167 IpLen:20 DgmLen:62
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.1.205:2346 -> 192.168.1.202:22
UDP TTL:64 TOS:0x0 ID:35112 IpLen:20 DgmLen:34
Len: 14
** END OF DUMP
00 00 00 00 45 00 00 22 89 28 00 00 40 11 6C BB  ....E..".(..@.l.
C0 A8 01 CD C0 A8 01 CA 09 2A 00 16 00 0E 40 C8  .........*....@.
64 73 66 64 66 0A                                dsfdf.



Modifying phrasing isn't a big hassle here.. if it really would change anything ;-P

-- 
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
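
Added example, not part of the original message and not Snort code: a short Python decoder that takes the ICMP body bytes from the hex dump above, recovers the quoted UDP datagram's addresses and ports, and prints them in the one-line form suggested in the quoted text. The names `ICMP_BODY`, `offending_packet`, `one_line` and `addressed_to_sender` are hypothetical.

```python
import socket
import struct

# Bytes after the ICMP type/code/checksum, copied from the hex dump in the
# message above: 4 unused bytes, then the offending IP header + UDP datagram.
ICMP_BODY = bytes.fromhex(
    "00000000" "4500002289280000" "40116CBB" "C0A801CD" "C0A801CA"
    "092A0016" "000E40C8" "64736664660A"
)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def offending_packet(icmp_body: bytes) -> dict:
    """Decode the datagram quoted inside an ICMP destination-unreachable."""
    inner = icmp_body[4:]                       # skip the 4 unused bytes
    if len(inner) < 20:
        raise ValueError("quoted IP header is truncated")
    ver_ihl, _tos, dgm_len, ip_id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", inner[:20])
    ihl = (ver_ihl & 0x0F) * 4                  # header length incl. options
    if ver_ihl >> 4 != 4 or ihl < 20 or len(inner) < ihl:
        raise ValueError("quoted datagram is not a well-formed IPv4 header")
    info = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "id": ip_id, "dgm_len": dgm_len}
    # RFC 792 only guarantees 8 bytes past the IP header, which is still
    # enough for the TCP/UDP port pair.
    l4 = inner[ihl:ihl + 4]
    if proto in (6, 17) and len(l4) == 4:
        info["sport"], info["dport"] = struct.unpack("!HH", l4)
    return info


def one_line(info: dict) -> str:
    """Render the one-line form proposed in the quoted suggestion."""
    proto = PROTO_NAMES.get(info["proto"], str(info["proto"]))
    ports = f" {info['sport']} {info['dport']}" if "sport" in info else ""
    return f"Offending Packet: {info['src']} {info['dst']} {proto}{ports}"


def addressed_to_sender(outer_dst: str, info: dict) -> bool:
    """An ICMP error should go back to the source of the quoted datagram;
    a mismatch is worth flagging when correlating errors with traffic."""
    return outer_dst == info["src"]


if __name__ == "__main__":
    pkt = offending_packet(ICMP_BODY)
    print(one_line(pkt))
    print("addressed to original sender:",
          addressed_to_sender("192.168.1.205", pkt))
```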
