[Snort-users] Hardcore -r question

John Sage jsage at ...2022...
Mon Jun 11 21:45:57 EDT 2001


I'm playing with using the -r switch and tcpdump syntax on a binary log 
file, and I'm having one heckuva time understanding why this command line:

snort -dv -r snort-0609 at ...2233... 'tcp[3:1] == 111 '

returns what it does.

I expect it to return packets with destination port 111, which it does, 
but WTF? it returns five other packets with a value of 62319 as the 
destination port, too.

This says, I think, go into the tcp header 3 bytes (first byte's zero), 
and a one byte offset into that, and look at it -- and if it's "111" 
then true and show me the packet.

It does exactly the same thing if I say:

snort -dv -r snort-0609 at ...2233... 'tcp[3] == 111 '

(Of course, if I just chill out and say "snort -dv -r snort-0609 at ...2233... dst port 111" it works just fine...)

Anyway, what am I missing?

- John


snort -dv -r snort-0609 at ...2233... 'tcp[3:1] == 111 '

         --== Initializing Snort ==--
TCPDUMP file reading mode.
Reading network traffic from "snort-0609 at ...2233..." file.
snaplen = 1514

         --== Initialization Complete ==--
06/09-07:55:39.985460 208.178.109.50:80 -> 12.82.128.242:62319
TCP TTL:53 TOS:0x0 ID:51688 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0xE3BDFC2B  Ack: 0xE4569CFB  Win: 0x3EBC  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 282142772 430770634 NOP
TCP Options => WS: 0

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-07:55:40.275486 208.178.109.50:80 -> 12.82.128.242:62319
TCP TTL:53 TOS:0x0 ID:51694 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xE3BDFC2C  Ack: 0xE4569F69  Win: 0x3C4E  TcpLen: 32
TCP Options (3) => NOP NOP TS: 282142802 430770652

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-07:55:40.295450 208.178.109.50:80 -> 12.82.128.242:62319
TCP TTL:53 TOS:0x0 ID:51696 IpLen:20 DgmLen:52 DF
***A***F Seq: 0xE3BDFE28  Ack: 0xE4569F69  Win: 0x3EBC  TcpLen: 32
TCP Options (3) => NOP NOP TS: 282142802 430770652

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-07:55:40.415514 208.178.109.50:80 -> 12.82.128.242:62319
TCP TTL:53 TOS:0x0 ID:51695 IpLen:20 DgmLen:560 DF
***AP*** Seq: 0xE3BDFC2C  Ack: 0xE4569F69  Win: 0x3EBC  TcpLen: 32
TCP Options (3) => NOP NOP TS: 282142802 430770652
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
0A 44 61 74 65 3A 20 53 61 74 2C 20 30 39 20 4A  .Date: Sat, 09 J
75 6E 20 32 30 30 31 20 31 34 3A 35 35 3A 33 39  un 2001 14:55:39
20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70   GMT..Server: Ap
61 63 68 65 2F 31 2E 33 2E 31 32 20 28 55 6E 69  ache/1.3.12 (Uni
78 29 20 50 48 50 2F 33 2E 30 2E 31 36 20 6D 6F  x) PHP/3.0.16 mo
<snip>

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-07:55:40.595464 208.178.109.50:80 -> 12.82.128.242:62319
TCP TTL:53 TOS:0x0 ID:51701 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xE3BDFE29  Ack: 0xE4569F6A  Win: 0x3EBC  TcpLen: 32
TCP Options (3) => NOP NOP TS: 282142833 430770695

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-11:42:15.844824 202.101.230.112:35932 -> 12.82.128.242:111
TCP TTL:237 TOS:0x0 ID:57191 IpLen:20 DgmLen:44 DF
******S* Seq: 0x42F039C4  Ack: 0x0  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-11:42:18.875184 202.101.230.112:35932 -> 12.82.128.242:111
TCP TTL:237 TOS:0x0 ID:57192 IpLen:20 DgmLen:40 DF
*****R** Seq: 0x42F039C5  Ack: 0x0  Win: 0x2238  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-15:08:11.145983 207.249.68.130:49620 -> 12.82.128.242:111
TCP TTL:241 TOS:0x0 ID:41055 IpLen:20 DgmLen:44 DF
******S* Seq: 0x4A27B537  Ack: 0x0  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-15:08:14.526320 207.249.68.130:49620 -> 12.82.128.242:111
TCP TTL:241 TOS:0x0 ID:41056 IpLen:20 DgmLen:40 DF
*****R** Seq: 0x4A27B538  Ack: 0x0  Win: 0x2238  TcpLen: 20


===============================================================================

Snort processed 9 packets.
Breakdown by protocol:                Action Stats:

     TCP: 9          (100.000%)         ALERTS: 0
     UDP: 0          (0.000%)          LOGGED: 0
    ICMP: 0          (0.000%)          PASSED: 0
     ARP: 0          (0.000%)
    IPv6: 0          (0.000%)
     IPX: 0          (0.000%)
   OTHER: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
    Rebuilt IP Packets: 0
    Frag elements used: 0
Discarded(incomplete): 0
    Discarded(timeout): 0
===============================================================================

TCP Stream Reassembly Stats:
    TCP Packets Used:      0          (0.000%)
    Reconstructed Packets: 0          (0.000%)
    Streams Reconstructed: 0
===============================================================================
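The behaviour the post is puzzled by follows from how the BPF `tcp[n:m]` primitive is defined: it reads `m` bytes (1, 2 or 4) starting at byte offset `n` into the TCP header, and `tcp[n]` alone means `tcp[n:1]`. The destination port occupies bytes 2 and 3, so `tcp[3:1] == 111` compares only the low-order byte of the port. Port 111 is 0x006F and port 62319 is 0xF36F; both end in 0x6F (111), which is why the five HTTP replies to port 62319 pass the filter. The full-width comparison is `tcp[2:2] == 111`, which is what `dst port 111` compiles to for TCP traffic. The script below is an added example, not part of the original post or of Snort; it models the BPF byte access in Python on constructed 20-byte TCP headers (the function names and the sample headers are this example's own, built from the ports shown in the trace above).

```python
import struct

# Constructed 20-byte TCP headers (no options) for the two cases in the post:
# a SYN to destination port 111 and a SYN/ACK reply to destination port 62319.


def build_tcp_header(src_port, dst_port, seq=0, ack=0, flags=0x02, window=0x2238):
    """Pack a minimal TCP header (data offset 5, checksum and urgent pointer zero)."""
    data_offset = 5
    offset_flags = (data_offset << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, window, 0, 0)


def tcp_bytes(header, offset, size=1):
    """Emulate the BPF primitive tcp[offset:size]: `size` bytes (1, 2 or 4) read
    at byte `offset` into the TCP header as a big-endian unsigned integer.
    tcp[offset] with no size is tcp[offset:1]."""
    if size not in (1, 2, 4):
        raise ValueError("BPF allows 1, 2 or 4 bytes per access")
    if offset + size > len(header):
        raise ValueError("access runs past the end of the header")
    return int.from_bytes(header[offset:offset + size], "big")


def matches_low_byte_filter(header):
    """'tcp[3:1] == 111' (same as 'tcp[3] == 111'): compares only byte 3,
    the low-order byte of the 16-bit destination port held in bytes 2-3."""
    return tcp_bytes(header, 3, 1) == 111


def matches_dst_port_filter(header):
    """'tcp[2:2] == 111', which is what 'dst port 111' compiles to for TCP:
    the full 16-bit destination port."""
    return tcp_bytes(header, 2, 2) == 111


def colliding_ports(port):
    """Every port that a low-byte-only filter for `port` also accepts: the 256
    values that share its low byte (port & 0xFF)."""
    low = port & 0xFF
    return [(high << 8) | low for high in range(256)]


if __name__ == "__main__":
    sunrpc = build_tcp_header(35932, 111)             # SYN to port 111
    http_reply = build_tcp_header(80, 62319, flags=0x12)  # SYN/ACK to port 62319
    for name, hdr in (("dst port 111", sunrpc), ("dst port 62319", http_reply)):
        print(f"{name}: bytes 2-3 = 0x{hdr[2:4].hex()}, "
              f"tcp[3]==111 -> {matches_low_byte_filter(hdr)}, "
              f"tcp[2:2]==111 -> {matches_dst_port_filter(hdr)}")
    ports = colliding_ports(111)
    print(f"{len(ports)} ports share the low byte of 111, including {ports[243]}")
```

Running it shows both headers passing the one-byte filter and only the port-111 header passing the two-byte one; `colliding_ports(111)` lists the 256 ports a byte-3-only filter would sweep in, 62319 among them. The same reasoning applies to any multi-byte field: when writing a byte-offset BPF expression for a log replay or a detection filter, size the access to the whole field (`tcp[2:2]`, `tcp[4:4]` for the sequence number) or use the named primitive, otherwise the filter silently matches on a fragment of the value.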