[Snort-users] Sniffers Misbehaviors (MS Network Monitor & tcpdump)?

Ryan Russell ryan at ...35...
Tue Jan 2 14:37:23 EST 2001


On Wed, 3 Jan 2001, Fyodor wrote:

> so here it complains if the buffer length is bigger than ETHERNET_MTU, which is 1500 bytes. This conclusion
> (IMHO) actually isn't fully correct; other datalinks may have a different MTU (normally smaller, but
> maybe there's one which is not?).
> --

FDDI is 4096.  Don't remember what Token Ring is... I think it's bigger
than 1500.  There's a spec for some giant Ethernet frames that goes to I
think 64K.  Serial lines can be configured for all sorts of MTU.  Let's see...
here's one doc, MS of all places:

http://support.microsoft.com/support/kb/articles/Q140/3/75.asp

Don't know what link layers Snort (libpcap?) intends to support... but
1500 is too small for a hard max.

					Ryan




