[Snort-users] tcp/510 probe

Bill Marquette wlmarque at ...8...
Wed Nov 29 09:33:27 EST 2000


Jess, the minimum size of a packet on the wire in ethernet land is 60 bytes.  If
your packet doesn't completely fill 60 bytes your network stack should NULL pad
it before it dumps it on the wire.  So, yes this is normal to see in captures of
small packets (such as your SYN example).

--Bill



From: jess at ...521... on 11/28/2000 02:33 PM

To:   Len Burns <lenb at ...750...>
cc:   andy lowton <andy at ...586...>
      snort-users at lists.sourceforge.net
Client:
Subject:  Re: [Snort-users] tcp/510 probe



     Hi!

     In my case, here is the ethereal dump of the offending packet. It
would be very interesting to know if the packet's characteristics match
for the different attacks other people have suffered. We could discover if
the different attackers are using the same tool.

     I don't know if it's some kind of problem with my capture file,
but look at the 6 final bytes. Those six 0's should not exist as the
IP length is set to 40 bytes.

                                         JESS
--- --- ---
Internet Protocol
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Currently Unused: 0
    Total Length: 40
    Identification: 0xf0aa
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 235
    Protocol: TCP (0x06)
    Header checksum: 0xce01 (correct)
    Source: 204.182.234.16 (204.182.234.16)
    Destination: xxx.xxx.xxx.xxx
Transmission Control Protocol, Src Port: 510 (510), Dst Port: 510 (510),
Seq: 50331648, Ack: 0
    Source port: 510 (510)
    Destination port: 510 (510)
    Sequence number: 50331648
    Header length: 20 bytes
    Flags: 0x0002 (SYN)
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 16383

   0  xxxx xxxx xxxx xxx  xxxx xxxx xxxx 4500   ........ {?...E.
  10  0028 c2df 4000 eb06 bbcc xxxx xxxx ccb6   .(.. at ...868...
  20  ea10 01fe 01fe 0000 0000 0300 0001 5014   ..............P.
  30  0000 97b0 0000 0000 0000 0000             ............
                     ^^^^ ^^^^ ^^^^
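Bill's explanation applied to the dump in Jess's message, as an added example that is not part of the original thread: the code below parses an Ethernet/IPv4 frame, uses the IP total length to separate the real datagram from trailing minimum-frame padding, and flags a trailer that is not plain zero padding (a content rule or payload decoder should never see those bytes). The MAC addresses and the anonymized IP address are constructed placeholders.

```python
import struct

ETH_HDR_LEN = 14
ETH_MIN_FRAME = 60          # minimum on-wire frame size, excluding the 4-byte FCS
ETHERTYPE_IPV4 = 0x0800


def split_padding(frame: bytes):
    """Return (ip_total_length, trailer) for an IPv4-over-Ethernet frame.

    Bytes beyond the IP total length were added by the sending stack or NIC
    to reach the 60-byte minimum; they are not part of the IP datagram.
    """
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4 (ethertype 0x{ethertype:04x})")
    ip = frame[ETH_HDR_LEN:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if version != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    if total_len > len(ip):
        raise ValueError("truncated: IP total length exceeds captured bytes")
    return total_len, ip[total_len:]


def is_min_frame_padding(frame: bytes) -> bool:
    """True when the trailer is exactly what minimum-frame padding would be:
    only as long as needed to reach 60 bytes, and all zeros. Anything else
    (too long, or non-zero) deserves a closer look."""
    total_len, trailer = split_padding(frame)
    expected = max(0, ETH_MIN_FRAME - (ETH_HDR_LEN + total_len))
    return len(trailer) == expected and trailer == b"\x00" * len(trailer)


# Frame rebuilt from the hex dump above; "xxxx" fields are placeholders.
FRAME = bytes.fromhex(
    "000000000001" "000000000002" "0800"  # placeholder MACs, IPv4 ethertype
    "4500 0028 c2df 4000 eb06 bbcc"       # IPv4 header, total length 0x0028 = 40
    "0a000001" "ccb6ea10"                 # placeholder src IP, 204.182.234.16
    "01fe 01fe 0000 0000 0300 0001 5014"  # TCP ports 510/510, seq, ack, hlen+flags
    "0000 97b0 0000"                      # window, checksum, urgent pointer
    "0000 0000 0000"                      # the six trailing bytes Jess asked about
)

if __name__ == "__main__":
    total_len, trailer = split_padding(FRAME)
    print(f"frame {len(FRAME)} bytes, IP total length {total_len}, "
          f"trailer {trailer.hex()} -> padding: {is_min_frame_padding(FRAME)}")
```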
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users