[Snort-users] Sniffers Misbehaviors (MS Network Monitor & tcpdump)?

Fyodor fygrave at ...121...
Tue Jan 2 13:45:10 EST 2001


On Tue, Jan 02, 2001 at 10:31:56AM -0800, Ryan Russell wrote:
> On Wed, 3 Jan 2001, Fyodor wrote:
> 
> > Aha.. that explains why (with just committed change applied) sometimes I observe 6-bytes difference
> > in legitimate packets. Shall we get rid of those warning messages then? :)
> >
> 
> Dunno... I always thought it would be a fun covert channel to play with.
> I wonder if it's always 0's or what.

In my testing: yep, it's padded with zeros. (I think the specification also recommends doing so.)

>  Would make an interesting research
> project.  The padding will only exist at layer 2... the IP stack will
> typically never see it.
> 

Yep. The data will also be lost when passed through some 3rd level gateway/switch,
but for making covert channels inside a LAN it should be enough I guess :)

-- 
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
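
Added example (not part of the original message, and not Snort code): a sensor-side check for the layer-2 padding discussed in this thread, which reports whether the bytes after the IP total length are absent, all zero, or non-zero. It assumes untagged Ethernet II frames carrying IPv4, captured without the FCS; `build_frame` and the sample frames are constructed for illustration.

```python
import struct

ETH_HDR_LEN = 14            # dst MAC + src MAC + EtherType
ETHERTYPE_IPV4 = 0x0800

def ethernet_trailer(frame: bytes) -> bytes:
    """Return the bytes that follow the IPv4 datagram inside the frame."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("too short for Ethernet + IPv4 headers")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an untagged IPv4 frame")
    ver_ihl = frame[ETH_HDR_LEN]
    ihl = (ver_ihl & 0x0F) * 4
    (total_len,) = struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    end = ETH_HDR_LEN + total_len
    if end > len(frame):
        raise ValueError("IP total length exceeds captured frame")
    return frame[end:]

def classify_padding(frame: bytes) -> str:
    trailer = ethernet_trailer(frame)
    if not trailer:
        return "no-padding"
    # any() is true as soon as one trailer byte is non-zero
    return "nonzero-padding" if any(trailer) else "zero-padding"

def build_frame(ip_payload_len: int, trailer: bytes) -> bytes:
    """Constructed sample frame (checksum left at 0, not validated here)."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + ip_payload_len, 0, 0,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + bytes(ip_payload_len) + trailer

if __name__ == "__main__":
    samples = {
        "bare TCP segment, zero pad": build_frame(20, bytes(6)),
        "bare TCP segment, odd pad": build_frame(20, b"\x00\x00\xde\xad\xbe\xef"),
        "46-byte datagram, no pad": build_frame(26, b""),
    }
    for name, frame in samples.items():
        print(f"{name}: len={len(frame)} -> {classify_padding(frame)}")
```

A 40-byte IP datagram plus the 14-byte Ethernet header is 54 bytes, so padding to the 60-byte minimum adds 6 bytes, the same size as the difference mentioned above.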



