[Snort-devel] Unknown Datagram decoding problem (snort233b14)

rmkml rmkml at ...879...
Sat Jun 4 14:38:59 EDT 2005


Hi

I received this packet, and snort233b14 raised these two events:

06/03-21:58:40.703132  [**] [1:402:7] ICMP Destination Unreachable Port Unreachable [**] [Classification: Misc activity] [Priority: 3] {ICMP} 12.176.64.5 -> 0.0.0.0
06/03-21:58:40.703132  [**] [116:108:1] (snort_decoder) Unknown Datagram decoding problem! [**] [Classification: Misc activity] [Priority: 3] {ICMP} 12.176.64.5 -> 0.0.0.0

Looking at this packet with tcpdump383:
21:58:40.703132 IP (tos 0x0, ttl 190, id 34207, offset 0, flags [none], length: 28) 12.176.64.5 > 0.0.0.0: [|icmp]
         0x0000:  4500 001c 859f 0000 xxxx xxxx 0cb0 4005  E............. at ...300...
         0x0010:  3e17 22b8 0303 fcfc 0000 0000 0000 0000  >.".............
         0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............

Looking at this packet with tethereal:
Frame 1 (60 bytes on wire, 60 bytes captured)
     Arrival Time: Jun  3, 2005 21:58:40.703132000
     Time delta from previous packet: 0.000000000 seconds
     Time since reference or first frame: 0.000000000 seconds
     Frame Number: 1
     Packet Length: 60 bytes
     Capture Length: 60 bytes
Ethernet II, Src: 00:0f:24:91:4d:07, Dst: 00:07:e8:0c:28:78
     Destination: 00:07:e8:0c:28:78 (00:07:e8:0c:28:78)
     Source: 00:0f:24:91:4d:07 (00:0f:24:91:4d:07)
     Type: IP (0x0800)
     Trailer: 00000000000000000000000000000000...
Internet Protocol, Src Addr: 12.176.64.5 (12.176.64.5), Dst Addr: 0.0.0.0 (0.0.0.0)
     Version: 4
     Header length: 20 bytes
     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
         0000 00.. = Differentiated Services Codepoint: Default (0x00)
         .... ..0. = ECN-Capable Transport (ECT): 0
         .... ...0 = ECN-CE: 0
     Total Length: 28
     Identification: 0x859f (34207)
     Flags: 0x00
         0... = Reserved bit: Not set
         .0.. = Don't fragment: Not set
         ..0. = More fragments: Not set
     Fragment offset: 0
     Time to live: 190
     Protocol: ICMP (0x01)
     Header checksum: 0xc9bd (correct)
     Source: 12.176.64.5 (12.176.64.5)
     Destination: 0.0.0.0 (0.0.0.0)
Internet Control Message Protocol
     Type: 3 (Destination unreachable)
     Code: 3 (Port unreachable)
     Checksum: 0xfcfc (correct)

snort 191b234:
ICMP Unreachable IP short header (0 bytes)
06/03-21:58:40.703132  [**] [116:108:1] (snort_decoder) Unknown Datagram decoding problem! [**] [Classification: Misc activity] [Priority: 3] {ICMP} 12.176.64.5 -> 0.0.0.0
06/03-21:58:40.703132  [**] [1:402:4] ICMP Destination Unreachable (Port Unreachable) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 12.176.64.5 -> 0.0.0.0

tcpdump391pre:
21:58:40.703132 IP (tos 0x0, ttl 190, id 34207, offset 0, flags [none], proto: ICMP (1), length: 28) 12.176.64.5 > 0.0.0.0: [|icmp]


Regards
Rmkml
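
An added example, not part of the original post and not Snort's own decoder code: a length check for ICMP Destination Unreachable messages that bounds the payload by the IP Total Length (28 here) rather than by the 60 captured bytes, which leaves 0 bytes for the embedded original IP header that RFC 792 requires, consistent with the "IP short header (0 bytes)" line above. The name check_unreach, the status enum and the sample bytes (rebuilt from the tethereal field values in the post) are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: IP packet rebuilt from the tethereal field values in the
 * post (dst 0.0.0.0 as posted), followed by the 18 zero bytes of Ethernet
 * padding that fill the 60-byte frame. Not a byte-for-byte copy of the capture. */
static const uint8_t sample_pkt[46] = {
    0x45,0x00,0x00,0x1c,0x85,0x9f,0x00,0x00,0xbe,0x01,0xc9,0xbd, /* ver/ihl .. cksum */
    0x0c,0xb0,0x40,0x05, 0x00,0x00,0x00,0x00,                   /* src, dst */
    0x03,0x03,0xfc,0xfc, 0x00,0x00,0x00,0x00                    /* ICMP 3/3, cksum, unused */
};

enum unreach_status { UNREACH_OK, NOT_UNREACH, TRUNCATED, EMBEDDED_IP_SHORT };

/* Hypothetical helper: checks whether an ICMP type 3 message carries the
 * embedded original IP header. `ip` points at the outer IP header and
 * `caplen` is the number of captured bytes from there on. */
enum unreach_status check_unreach(const uint8_t *ip, size_t caplen, size_t *embedded)
{
    *embedded = 0;
    if (caplen < 20 || (ip[0] >> 4) != 4) return TRUNCATED;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    size_t total = ((size_t)ip[2] << 8) | ip[3];
    if (ihl < 20 || total < ihl || total > caplen) return TRUNCATED;
    if (ip[9] != 1) return NOT_UNREACH;            /* protocol is not ICMP */
    if (total - ihl < 8) return TRUNCATED;         /* no complete ICMP header */
    if (ip[ihl] != 3) return NOT_UNREACH;          /* ICMP type is not 3 */
    *embedded = total - ihl - 8;                   /* bytes after the ICMP header */
    if (*embedded < 20) return EMBEDDED_IP_SHORT;  /* no room for an IP header */
    const uint8_t *inner = ip + ihl + 8;
    size_t inner_ihl = (size_t)(inner[0] & 0x0f) * 4;
    if ((inner[0] >> 4) != 4 || inner_ihl < 20 || *embedded < inner_ihl)
        return EMBEDDED_IP_SHORT;
    return UNREACH_OK;
}

int main(void)
{
    size_t n;
    enum unreach_status s = check_unreach(sample_pkt, sizeof sample_pkt, &n);
    printf("status=%d embedded=%zu bytes\n", (int)s, n);
    return 0;
}
```

The trailing zero bytes in the frame are Ethernet padding beyond the IP Total Length, so they are not treated as an embedded header.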



