[Snort-users] Time based oddity.

Martin Roesch roesch at ...421...
Fri Oct 6 23:02:52 EDT 2000


That's kind of cool.  It's probably like what Fyodor said, defragged packets
being reassembled with whacked timestamps.  Very interesting...

     -Marty

Erek Adams wrote:
> 
> Ok, I'm a bit baffled at this:
> 
> [Line Numbers added for easier reading... :) ]
> 
> Oct  3 02:12:16 202.103.237.30:35784 -> xxx.yyy.xxx.66:80 SYN **S*****   1
> Oct  3 02:12:17 202.103.237.30:36385 -> xxx.yyy.xxx.71:80 SYN **S*****   2
> Oct  3 02:12:16 202.103.237.30:36384 -> xxx.yyy.xxx.70:80 SYN **S*****   3
> Oct  3 02:12:18 202.103.237.30:37058 -> xxx.yyy.xxx.67:80 SYN **S*****   4
> Oct  3 02:12:18 202.103.237.30:37089 -> xxx.yyy.xxx.69:80 SYN **S*****   5
> Oct  3 02:12:18 202.103.237.30:37092 -> xxx.yyy.xxx.68:80 SYN **S*****   6
> Oct  3 02:12:18 202.103.237.30:37363 -> xxx.yyy.xxx.82:80 SYN **S*****   7
> Oct  3 02:12:18 202.103.237.30:37383 -> xxx.yyy.xxx.86:80 SYN **S*****   8
> Oct  3 02:12:19 202.103.237.30:37698 -> xxx.yyy.xxx.73:80 SYN **S*****   9
> Oct  4 18:08:54 202.103.237.30:25412 -> xxx.yyy.xxx.66:80 SYN **S*****  10
> Oct  4 18:08:51 202.103.237.30:25414 -> xxx.yyy.xxx.67:80 SYN **S*****  11
> Oct  4 18:08:51 202.103.237.30:64165 -> xxx.yyy.xxx.68:80 SYN **S*****  12
> Oct  4 18:08:53 202.103.237.30:64167 -> xxx.yyy.xxx.69:80 SYN **S*****  13
> Oct  4 18:08:53 202.103.237.30:64168 -> xxx.yyy.xxx.70:80 SYN **S*****  14
> Oct  4 18:08:53 202.103.237.30:64169 -> xxx.yyy.xxx.71:80 SYN **S*****  15
> Oct  4 18:08:51 202.103.237.30:64174 -> xxx.yyy.xxx.73:80 SYN **S*****  16
> Oct  4 18:08:51 202.103.237.30:64184 -> xxx.yyy.xxx.82:80 SYN **S*****  17
> Oct  4 18:08:51 202.103.237.30:25465 -> xxx.yyy.xxx.86:80 SYN **S*****  18
> Oct  4 18:08:54 202.103.237.30:25414 -> xxx.yyy.xxx.67:80 SYN **S*****  19
> Oct  4 18:08:54 202.103.237.30:25465 -> xxx.yyy.xxx.86:80 SYN **S*****  20
> 
> Now, notice the 'packet time' of packets 1-3.  Line one is at :16, line 2 is
> :17 and then line three is :16 again?
> 
> Lines 10-20:  Again the time isn't sequential.
> 
> Now I might be crazy, but that just doesn't seem 'normal/right'.  Questions,
> Comments and Suggestions are welcome!
> 
> Has anyone else seen this?  Or have I managed to make a complete fool out of
> myself?
> 
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
> 

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
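
An added example, not part of the original posts or of Snort: a small Python check over portscan-log lines like those quoted above, flagging entries whose timestamp is older than one already logged and src -> dst pairs that are logged twice. The sample is a subset of the quoted lines; the year 2000 and the function names are assumptions.

```python
import re
from datetime import datetime

# Subset of the portscan-log lines quoted in the post; results count lines within this subset.
SAMPLE = """\
Oct  3 02:12:16 202.103.237.30:35784 -> xxx.yyy.xxx.66:80 SYN **S*****
Oct  3 02:12:17 202.103.237.30:36385 -> xxx.yyy.xxx.71:80 SYN **S*****
Oct  3 02:12:16 202.103.237.30:36384 -> xxx.yyy.xxx.70:80 SYN **S*****
Oct  4 18:08:54 202.103.237.30:25412 -> xxx.yyy.xxx.66:80 SYN **S*****
Oct  4 18:08:51 202.103.237.30:25414 -> xxx.yyy.xxx.67:80 SYN **S*****
Oct  4 18:08:54 202.103.237.30:25414 -> xxx.yyy.xxx.67:80 SYN **S*****
"""
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) -> (\S+) ")

def parse(text, year=2000):
    """Return (line_no, timestamp, src, dst); the log has no year, so one is assumed."""
    records = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a portscan entry
        stamp = " ".join(m.group(1).split())  # collapse the "Oct  3" padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        records.append((n, ts, m.group(2), m.group(3)))
    return records

def regressions(records):
    """(line_no, seconds_behind) for lines older than the newest time already logged."""
    out, newest = [], datetime.min
    for n, ts, _src, _dst in records:
        if ts < newest:
            out.append((n, int((newest - ts).total_seconds())))
        newest = max(newest, ts)
    return out

def repeats(records):
    """(first_line, later_line, gap_seconds) where the same src -> dst pair is logged again."""
    first, out = {}, []
    for n, ts, src, dst in records:
        if (src, dst) in first:
            n0, ts0 = first[(src, dst)]
            out.append((n0, n, int((ts - ts0).total_seconds())))
        else:
            first[(src, dst)] = (n, ts)
    return out

if __name__ == "__main__":
    recs = parse(SAMPLE)
    print("out of order:", regressions(recs), "repeated:", repeats(recs))
```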


