[Snort-devel] pbs with snort 190 and vlan and fiber network card ...

fde fde at ...1415...
Fri Oct 25 06:54:04 EDT 2002


Hello,

I have a problem when I use snort 1.9.0 with VLANs and gigabit fiber.

I start snort with these options:
 -b (format log libpcap)
 -s (format syslog)

I get many "(spp_stream4) TCP CHECKSUM CHANGED ON RETRANSMISSION ..." messages in syslog,

and when I read this libpcap log with tcpdump v3.7.1:
tcpdump -vvnSlr snort.xxx not vlan 2

I find only packets with incorrect checksums:

17:22:04.185313 193.249.127.105.1348 > 195.117.22.35.80: P [bad tcp cksum 37bf!] 3872386164:3872387262(1098) ack 1496436 win 32696 [tos 0x10]  (ttl 240, id 0, len 1138, bad cksum 0!)
17:22:17.493266 62.160.47.253.40136 > 195.117.22.110.80: P [bad tcp cksum e88!] 3873589852:3873590992(1140) ack 311561911 win 35040 [tos 0x10]  (ttl 240, id 0, len 1180, bad cksum 0!)
17:22:32.423895 213.244.181.2.55427 > 196.46.27.145.80: P [bad tcp cksum 5445!] 2177854958:2177856355(1397) ack 3824694442 win 24616 [tos 0x10]  (ttl 240, id 0, len 1437, bad cksum 0!)

I restarted snort and started tcpdump in the background:
tcpdump -vvnSls 1522 -r nge0 -w test.tcpdump

And I did not find these packets with incorrect checksums in the file written by tcpdump -w!

I found similar packets, but the IPs are reversed!


Does anybody have an idea?


Here is my configuration:
OS = OpenBSD32 snapshot 3/10/2002
PIII 933 MHz, 512 MB RAM, SCSI
one NetGear Fiber GA621 on 32-bit PCI (nge0)

Regards.