[Snort-devel] Not IPv4 datagram warnings
cmg at ...402...
Wed Oct 9 10:44:10 EDT 2002
"Christopher J. Oliver" <cjo at ...37...> writes:
> Re all,
> I have a box snorting raw pppoe with a newly upgraded 1.9.0 snort
> binary rpm (from snort.org), and I'm getting daily IPv4 datagram
> warnings like the following:
> [**] [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! [**]
> 10/08-21:38:07.068312 220.127.116.11 -> 18.104.22.168 IP TTL:0 TOS:0x1
> ID:1540 IpLen:0 DgmLen:2048
Please send me a copy of the pcap from those machines so that I may
find out what the decoder problem is.
> The IPs seem to stay the same, no matter what time of the day, and
> I'm seeing about 20 of these or thereabouts per day.
> Could someone shed some light or advice on how to track down what's
> really going on?
It means that snort couldn't figure out how to process this
You can use -b and save the packet off and mail it to me.
After that, you may add

    config disable_decode_alerts

into your snort.conf
Chris Green <cmg at ...402...>
Let not the sands of time get in your lunch.
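
Added example, not part of the original message and not Snort's own code: a Python script that walks a capture saved with -b and lists the packets framed as IPv4 (plain Ethernet or PPPoE session) whose IP version nibble is not 4, which is what the alert text reports. It assumes a classic pcap file with Ethernet link type; the function names are hypothetical and the sample capture is constructed.

```python
import struct

PPPOE_SESSION = 0x8864   # EtherType of PPPoE session frames
PPP_IPV4 = 0x0021        # PPP protocol number for IPv4

def ip_offset(frame):
    """Offset of the IP header if the framing claims IPv4, else None."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0800:                      # IPv4 directly on Ethernet
        return 14
    if ethertype == PPPOE_SESSION and len(frame) >= 22:
        # 6-byte PPPoE header, then the 2-byte PPP protocol field
        if struct.unpack("!H", frame[20:22])[0] == PPP_IPV4:
            return 22
    return None

def find_not_ipv4(pcap_bytes):
    """Return [(packet_no, version, header_len_bytes)] where version != 4."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None or len(pcap_bytes) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet link type (1) is handled")
    pos, idx, hits = 24, 0, []
    while pos + 16 <= len(pcap_bytes):
        caplen = struct.unpack(endian + "IIII", pcap_bytes[pos:pos + 16])[2]
        frame = pcap_bytes[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        idx += 1
        off = ip_offset(frame)
        if off is not None and len(frame) > off:
            version, ihl = frame[off] >> 4, frame[off] & 0x0F
            if version != 4:
                hits.append((idx, version, ihl * 4))
    return hits

def sample_pcap():
    """Constructed capture: one valid IPv4-in-PPPoE frame, one with version 0."""
    def frame(first_ip_byte):
        eth = b"\x00" * 12 + struct.pack("!H", PPPOE_SESSION)
        pppoe = struct.pack("!BBHHH", 0x11, 0x00, 1, 22, PPP_IPV4)
        return eth + pppoe + bytes([first_ip_byte]) + b"\x00" * 19
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (frame(0x45), frame(0x00)):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(find_not_ipv4(sample_pcap()))
```

To check a real capture, pass the bytes of the file written by -b, e.g. find_not_ipv4(open(path, "rb").read()), where path is wherever that log was saved.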