[Snort-sigs] A question on ethernet padding

James Lay jlay at ...3266...
Thu Jan 23 11:07:27 EST 2014


Does snort treat ethernet padding as data?  Wireshark shows that I have 
1 byte of data in a packet after my ethernet and ip headers.  My 
ethernet header, normally 14 bytes, includes 17 bytes of Padding.  Does 
snort consider the padding as data?  Trying to figure out what offset 
and depth to use on this rule.  Hope I'm explaining this well..thanks 
all.

James




More information about the Snort-sigs mailing list