[Snort-devel] problem in packet content captured by snort
pteufl at ...2495...
Sun Apr 25 23:40:01 EDT 2004
kanika malhotra wrote:
> For e.g. I am sending packet sizes of 100 bytes (hardcoded) but when I display p->data in my snort plugin, I see content which is > 100 bytes.
> Thanks in advance,
Do you have the stream4_reassembly preprocessor enabled? If it is active
it creates pseudo packets which have data from a sliding window from the
stream. I have seen packets which have more than 4000 bytes of payload.
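
Added example, not part of the original message and not Snort's own code: a toy model of the effect described in the reply, where 100-byte wire segments are buffered per stream and flushed as one pseudo packet with a larger dsize. The `Packet` and `Stream` structs, `WINDOW`, and all function names are stand-ins made up for illustration; `PKT_REBUILT_STREAM` is the flag name used in Snort 2.x's decode.h, with its value assumed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PKT_REBUILT_STREAM 0x00000002u /* name as in Snort 2.x decode.h; value assumed */
#define WINDOW 4096                    /* constructed buffer size for this example */

/* Minimal stand-in for Snort's Packet: only the fields used here. */
typedef struct {
    const uint8_t *data;
    uint16_t dsize;
    uint32_t packet_flags;
} Packet;

/* Hypothetical reassembler state: payload bytes buffered for one stream. */
typedef struct { uint8_t buf[WINDOW]; uint16_t used; } Stream;

/* Buffer one wire segment's payload; returns 0 if it no longer fits. */
int stream_add(Stream *s, const Packet *seg) {
    if (seg->dsize > WINDOW - s->used) return 0;
    memcpy(s->buf + s->used, seg->data, seg->dsize);
    s->used += seg->dsize;
    return 1;
}

/* Flush: a pseudo packet whose payload is everything buffered so far. */
Packet stream_flush(const Stream *s) {
    Packet p = { s->buf, s->used, PKT_REBUILT_STREAM };
    return p;
}

/* A plugin can tell wire packets from rebuilt ones by the flag. */
int is_wire_packet(const Packet *p) {
    return (p->packet_flags & PKT_REBUILT_STREAM) == 0;
}

/* Feed n segments of seg_len bytes (<= 1500); return the pseudo packet's dsize. */
unsigned rebuilt_size(int n, uint16_t seg_len) {
    static uint8_t payload[1500];
    Stream s = { {0}, 0 };
    Packet seg = { payload, seg_len, 0 };
    if (seg_len > sizeof payload) return 0;
    for (int i = 0; i < n && stream_add(&s, &seg); i++) { }
    return stream_flush(&s).dsize;
}

int main(void) {
    printf("wire segment: 100 bytes, rebuilt: %u bytes\n", rebuilt_size(3, 100));
    return 0;
}
```

A plugin that only wants wire packets can skip any packet for which `is_wire_packet()` returns 0, and should bound every read of `data` by `dsize`.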