[Snort-devel] Not IPv4 datagram warnings

Chris Green cmg at ...402...
Wed Oct 9 10:44:10 EDT 2002


"Christopher J. Oliver" <cjo at ...37...> writes:

> Re all,
>
> I have a box snorting raw pppoe with a newly upgraded 1.9.0 snort
> binary rpm (from snort.org), and I'm getting daily IPv4 datagram
> warnings like the following:
>
> [**] [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! [**]
> 10/08-21:38:07.068312 116.0.64.231 -> 49.1.0.0 IP TTL:0 TOS:0x1
> ID:1540 IpLen:0 DgmLen:2048

Please send me a copy of the pcap from those machines so that I may
find out what the decoder problem is.

>
> The IPs seem to stay the same, no matter what time of the day, and
> I'm seeing about 20 of these or thereabouts per day.
>
> Could someone shed some light or advice on how to track down what's
> really going on?

It means that snort couldn't figure out how to process this
datagram.

You can use -b and save the packet off and mail it to me.

After that, you may add

config disable_decode_alerts into your snort.conf




-- 
Chris Green <cmg at ...402...>
Let not the sands of time get in your lunch.
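
Added example, not part of the original message and not Snort's own code: the fields printed in the alert are the bytes the decoder read at the offset where it expected an IPv4 header, so re-packing them shows what it was looking at. The function names are this example's own, and the match against ARP's fixed header fields is an observation from these bytes, not a diagnosis made in the thread.

```python
import re
import socket
import struct

# Alert fields copied from the message above.
ALERT = ("10/08-21:38:07.068312 116.0.64.231 -> 49.1.0.0 IP TTL:0 TOS:0x1 "
         "ID:1540 IpLen:0 DgmLen:2048")

FIELDS = re.compile(
    r"(?P<src>\d+(?:\.\d+){3}) -> (?P<dst>\d+(?:\.\d+){3}) .*?"
    r"TTL:(?P<ttl>\d+) TOS:(?P<tos>0x[0-9A-Fa-f]+)\s+ID:(?P<id>\d+) "
    r"IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)")

# Fixed leading fields of an ARP header for Ethernet/IPv4:
# hardware type 1, protocol type 0x0800, address lengths 6 and 4.
ARP_FIXED = bytes.fromhex("000108000604")


def rebuild_header(alert):
    """Re-pack the printed fields into the 20 bytes that were read as an IPv4
    header. Bytes the alert does not print stay None (unknown)."""
    m = FIELDS.search(alert)
    if m is None:
        raise ValueError("no IP header fields in alert text")
    hdr = [None] * 20
    hdr[1] = int(m["tos"], 16)                        # byte 1: TOS
    hdr[2:4] = struct.pack("!H", int(m["dgmlen"]))    # bytes 2-3: total length
    hdr[4:6] = struct.pack("!H", int(m["id"]))        # bytes 4-5: identification
    hdr[8] = int(m["ttl"])                            # byte 8: TTL
    hdr[12:16] = socket.inet_aton(m["src"])           # bytes 12-15: source
    hdr[16:20] = socket.inet_aton(m["dst"])           # bytes 16-19: destination
    # IpLen is the header-length nibble (low half of byte 0) times 4.
    return int(m["iplen"]) // 4, hdr


def matches_arp_fixed(hdr):
    """True if every known byte among the first six equals ARP's fixed fields.
    Byte 0 is skipped: the alert prints only its low nibble."""
    return all(b is None or b == a for b, a in zip(hdr, ARP_FIXED))


def render(hdr):
    """Hex dump with ?? for bytes the alert did not reveal."""
    return " ".join("??" if b is None else "%02x" % b for b in hdr)


if __name__ == "__main__":
    hlen, hdr = rebuild_header(ALERT)
    print("hlen nibble:", hlen, "| ARP-like:", matches_arp_fixed(hdr))
    print(render(hdr))
```

A header-length nibble below 5 cannot describe a valid IPv4 header, and the constant addresses across alerts follow from the same non-IP bytes being read as address fields each time.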



