[Snort-users] tcp/510 probe

Christopher Cramer cec at ...68...
Wed Nov 29 10:27:55 EST 2000


Jess,

I would have to guess that ethereal has the same problem that snort used
to.  It is working off of the packet capture length, not the TCP/IP
length.  The problem is that ethernet specifies a minimum payload size of
46 bytes.  The minimum IP packet is 40 bytes, the difference?  6
bytes!  

So if you capture a TCP packet with 0 data bytes, the TCP/IP packet will
be 40 bytes, the ethernet payload will be 46 bytes.  A program only
trusting the capture size will report a 46 byte TCP/IP packet, not a 40
byte packet.  Ethernet specifies a 0 padding at the end if the payload is
smaller than the minimum payload, therefore those 6 bytes are filled w/
0s.

You should probably check w/ the ethereal guys for a fix.

-Chris
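The length mismatch Chris describes, as an added example that is not part of the original thread: a constructed 40-byte TCP SYN mirroring the quoted dissection (TTL 235, ports 510/510, seq 50331648, window 16383; placeholder addresses, zero checksums) is wrapped in a placeholder Ethernet header and zero-padded to the 46-byte minimum payload, and the decoder compares the captured payload length against the IP total length to recover the padding instead of trusting the capture size.

```python
"""Why a capture-length decoder reports a 40-byte TCP/IP packet as 46 bytes:
Ethernet zero-pads payloads shorter than its minimum payload size."""
import struct

ETH_HDR_LEN = 14        # dst MAC (6) + src MAC (6) + EtherType (2)
ETH_MIN_PAYLOAD = 46    # shorter payloads are padded with zeros to this size


def build_ip_tcp_syn():
    """Constructed 40-byte IPv4 + TCP SYN (20 + 20 bytes), no TCP payload.
    Addresses are RFC 5737 placeholders; checksums are left at zero."""
    total_len = 40
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0x00, total_len, 0xF0AA, 0x0000, 235, 6, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          510, 510, 50331648, 0, 5 << 4, 0x02, 16383, 0, 0)
    return ip_hdr + tcp_hdr


def ethernet_frame(payload):
    """Wrap payload in a placeholder Ethernet header and pad as the wire would."""
    padding = b"\x00" * max(0, ETH_MIN_PAYLOAD - len(payload))
    return b"\x00" * 12 + b"\x08\x00" + payload + padding


def analyse_frame(frame):
    """Return (captured payload length, IP total length, trailing padding).

    A decoder that trusts len(payload) sees 46 bytes; the IP header says 40.
    The difference is Ethernet padding, not packet data."""
    payload = frame[ETH_HDR_LEN:]
    if payload[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ip_total_len = struct.unpack("!H", payload[2:4])[0]
    if ip_total_len > len(payload):
        raise ValueError("capture truncated: IP length exceeds captured bytes")
    return len(payload), ip_total_len, payload[ip_total_len:]


if __name__ == "__main__":
    cap_len, ip_len, pad = analyse_frame(ethernet_frame(build_ip_tcp_syn()))
    print(f"captured payload {cap_len} bytes, IP total length {ip_len} bytes, "
          f"{len(pad)} padding bytes: {pad.hex()}")
```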

On Tue, 28 Nov 2000 jess at ...521... wrote:

> 	Hi!
> 
> 	In my case, here is the ethereal dump of the offending packet. It
> would be very interesting to know if the packet's characteristics match
> for the different attacks other people have suffered. We could discover if
> the different attackers are using the same tool.
> 
> 	I don't know if it's some kind of problem with my capture file,
> but look at the 6 final bytes. Those six 0's should not exist as the
> IP length is set to 40 bytes.
> 
> 								JESS
> --- --- ---
> Internet Protocol
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default)
>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..00 = Currently Unused: 0
>     Total Length: 40
>     Identification: 0xf0aa
>     Flags: 0x00
>         .0.. = Don't fragment: Not set
>         ..0. = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 235
>     Protocol: TCP (0x06)
>     Header checksum: 0xce01 (correct)
>     Source: 204.182.234.16 (204.182.234.16)
>     Destination: xxx.xxx.xxx.xxx
> Transmission Control Protocol, Src Port: 510 (510), Dst Port: 510 (510),
> Seq: 50331648, Ack: 0
>     Source port: 510 (510)
>     Destination port: 510 (510)
>     Sequence number: 50331648
>     Header length: 20 bytes
>     Flags: 0x0002 (SYN)
>         ..0. .... = Urgent: Not set
>         ...0 .... = Acknowledgment: Not set
>         .... 0... = Push: Not set
>         .... .0.. = Reset: Not set
>         .... ..1. = Syn: Set
>         .... ...0 = Fin: Not set
>     Window size: 16383
> 
>    0  xxxx xxxx xxxx xxx  xxxx xxxx xxxx 4500   ........ {?...E. 
>   10  0028 c2df 4000 eb06 bbcc xxxx xxxx ccb6   .(.. at ...868... 
>   20  ea10 01fe 01fe 0000 0000 0300 0001 5014   ..............P. 
>   30  0000 97b0 0000 0000 0000 0000             ............
>                      ^^^^ ^^^^ ^^^^ 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
> 