[Snort-devel] problem in packet content captured by snort

Peter Teufl pteufl at ...2495...
Sun Apr 25 23:40:01 EDT 2004


Hi,

kanika malhotra wrote:

> For e.g. I am sending packet sizes of 100 bytes (hardcoded) but when I display p->data in my snort plugin, I see content which is > 100 bytes. 
> Thanks in advance,

Do you have the stream4_reassembly preprocesser enabled? If it is active
it creates pseudo packets which have data from a sliding window from the 
stream. I have seen packets which have more than 4000 bytes of payload.

Regards,
Peter




More information about the Snort-devel mailing list