[Snort-devel] problem in packet content captured by snort

kanika malhotra kmalhotr at ...1956...
Sun Apr 25 21:16:02 EDT 2004


We have written a detection plugin for the worm detection. But there has been something weird happening recently. I have multiple machines on my LAN, all of which are sending traffic to the gateway of the LAN. My snort code resides on the gateway.
The content of my worm packets is similar across packets but when I display them via p->data in my plugin, I see more content than the original packet sent from my machines.

E.g., I am sending packet sizes of 100 bytes (hardcoded) but when I display p->data in my snort plugin, I see content which is > 100 bytes. I displayed p->dsize, which shows 100, but when I check the sizeof p->data it is > 100. I don't know why this is happening, but this is creating problems for me when I try to look at the content of my packets for my plugin. The garbage data looks like left over data from other packets received by Snort, thus I am wondering do I need to flush out the contents of p->data or what is the error here?

I have \0 the buffer that I send from the machines, and have also displayed the packet sent and received on my sources and destinations. They look the same to me (as sent) but for some reason Snort seems to be seeing more data than sent.

Does anyone have any clue why this is happening?

Thanks in advance,
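The symptom in the post (p->dsize says 100 while the displayed p->data runs longer) is what you get when p->data is handled as a NUL-terminated C string: it points into a capture buffer that is reused from packet to packet and is not terminated, so anything past dsize is stale bytes from an earlier, longer packet. The following is an added illustration, not code from the post or from Snort; MiniPacket, receive() and capture_buf are hypothetical stand-ins for the two Packet fields involved, and the two packets are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical stand-in for the Snort Packet fields involved: data points into a
 * capture buffer reused for every packet, dsize is the payload length, and
 * nothing guarantees a NUL byte at data[dsize]. */
typedef struct { const uint8_t *data; uint16_t dsize; } MiniPacket;

static uint8_t capture_buf[256];  /* shared buffer, never cleared between packets */

/* Deliver a payload as a capture loop would: overwrite len bytes, leave the rest. */
static MiniPacket receive(const uint8_t *payload, uint16_t len) {
    MiniPacket p = { capture_buf, len };
    memcpy(capture_buf, payload, len);
    return p;
}

/* Wrong: strlen() reads past dsize until it meets a NUL left by older data. */
static size_t payload_len_wrong(const MiniPacket *p) {
    return strlen((const char *)p->data);
}

/* Right: copy at most dsize bytes and terminate there before any string handling. */
static size_t payload_copy_bounded(const MiniPacket *p, char *out, size_t outsz) {
    size_t n = p->dsize < outsz - 1 ? p->dsize : outsz - 1;
    memcpy(out, p->data, n);
    out[n] = '\0';
    return n;
}

/* Right: search with memcmp() over exactly dsize bytes, never past them. */
static int payload_has(const MiniPacket *p, const char *needle) {
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= p->dsize; i++)
        if (memcmp(p->data + i, needle, nl) == 0) return 1;
    return 0;
}

int main(void) {
    uint8_t big[40]; char out[64];
    memset(big, 'A', sizeof big);            /* constructed: a 40-byte packet first */
    receive(big, (uint16_t)sizeof big);
    MiniPacket p = receive((const uint8_t *)"WORMTEST", 8); /* then an 8-byte one */
    payload_copy_bounded(&p, out, sizeof out);
    printf("dsize=%u strlen=%zu bounded=\"%s\" WORM=%d AAAA=%d\n", (unsigned)p.dsize,
           payload_len_wrong(&p), out, payload_has(&p, "WORM"), payload_has(&p, "AAAA"));
    return 0;
}
```

Here strlen() stops at 40 only because the static buffer started zeroed; in a real capture loop the stale bytes end wherever the last NUL happens to sit, which is why the displayed length varies from packet to packet.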

