[Snort-users] Sniffers Misbehaviors (MS Network Monitor & tcpdump)?
fygrave at ...121...
Tue Jan 2 13:45:10 EST 2001
On Tue, Jan 02, 2001 at 10:31:56AM -0800, Ryan Russell wrote:
> On Wed, 3 Jan 2001, Fyodor wrote:
> > Aha.. that explains why (with the just-committed change applied) sometimes I observe a 6-byte difference
> > in legitimate packets. Shall we get rid of those warning messages then? :)
> Dunno... I always thought it would be a fun covert channel to play with.
> I wonder if it's always 0's or what.
In my testing: yep, it's padded with zeros. (I think the specification also recommends doing so.)
> Would make an interesting research
> project. The padding will only exist at layer 2... the IP stack will
> typically never see it.
Yep. The data will also be lost when passed through some 3rd level gateway/switch,
but for making covert channels inside a LAN it should be enough I guess :)
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7 B288 5CE5 A713 0969 A4D1
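
Added example, not part of the original thread or of Snort's code: a C check of the layer-2 trailer discussed above, which flags an IPv4 frame whose bytes past the IP total length are not all zero. The function names, result codes and sample frame are constructed for illustration; it assumes untagged Ethernet II captures without the FCS, where a bare 40-byte TCP segment in a 60-byte minimum frame leaves a 6-byte trailer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ETH_HDR_LEN  14       /* dst MAC + src MAC + EtherType */
#define ETHERTYPE_IP 0x0800
enum { PAD_BAD_FRAME = -1, PAD_NONE, PAD_ZERO, PAD_NONZERO }; /* example's own codes */

/* Classify the bytes between the end of the IPv4 datagram and the end of the
 * captured frame (untagged Ethernet II, FCS not captured). */
int check_eth_padding(const uint8_t *frame, size_t caplen, size_t *pad_len)
{
    *pad_len = 0;
    if (caplen < ETH_HDR_LEN + 20 ||
        ((frame[12] << 8) | frame[13]) != ETHERTYPE_IP || (frame[14] >> 4) != 4)
        return PAD_BAD_FRAME;
    size_t ihl = (size_t)(frame[14] & 0x0f) * 4;           /* IP header length */
    size_t ip_len = ((size_t)frame[16] << 8) | frame[17];  /* IP total length */
    if (ihl < 20 || ip_len < ihl || ETH_HDR_LEN + ip_len > caplen)
        return PAD_BAD_FRAME;                 /* length field exceeds capture */
    size_t end = ETH_HDR_LEN + ip_len;
    *pad_len = caplen - end;
    if (*pad_len == 0)
        return PAD_NONE;
    for (size_t i = end; i < caplen; i++)
        if (frame[i] != 0)
            return PAD_NONZERO;               /* trailer carries data: alert */
    return PAD_ZERO;
}

/* Constructed sample: 60-byte frame holding a 40-byte IPv4 packet (20 IP +
 * 20 TCP), which leaves 6 trailer bytes set to `fill`. */
int sample_status(uint8_t fill, size_t *pad_len)
{
    uint8_t f[60] = {0};
    f[12] = 0x08;                             /* EtherType IPv4 (0x0800) */
    f[14] = 0x45;                             /* version 4, IHL 5 */
    f[17] = 40;                               /* total length = 40 */
    memset(f + ETH_HDR_LEN + 40, fill, 6);
    return check_eth_padding(f, sizeof f, pad_len);
}

int main(void)
{
    size_t n;
    printf("zero trailer:     status=%d\n", sample_status(0x00, &n));
    printf("non-zero trailer: status=%d\n", sample_status(0x41, &n));
    return 0;
}
```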