[Snort-users] Hardcore -r question
Mark.Evans at ...2251...
Tue Jun 12 20:58:37 EDT 2001
note that 111 in binary is 01101111
and that 62319 in binary is 1111001101101111
so if you just look at the binary then they
both match on the 2nd byte - the one that [3:1]
it would have matched a whole load of other
packets that ended 01101111 if you had received
as I understand it (ymmv)
> From: Martin Roesch [mailto:roesch at ...1935...]
> Subject: Re: [Snort-users] Hardcore -r question
> Try 'tcp[2:2] == 111', I bet that'll work. BPF starts
> counting at zero for headers, so tcp[0:2] covers the first
> 16-bits of the tcp header, tcp[2:2] covers the second
> 16-bits (i.e. the destination port).
> You could also just say 'dst port 111'.
> John Sage wrote:
> > I'm playing with using the -r switch and tcpdump syntax on
> > a binary log file, and I'm having one heckuva time understanding why
> > this command line:
> > snort -dv -r snort-0609 at ...2233... 'tcp[3:1] == 111 '
> > returns what it does.
> > I expect it to return packets with destination port 111,
> > which it does,
> > but WTF? it returns five other packets with a value of 62319 as the
> > destination port, too.
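The two replies above explain the behaviour: `tcp[3:1]` reads a single byte at zero-based offset 3 of the TCP header, which is only the low byte of the 16-bit destination port, while `tcp[2:2]` reads both bytes of the port. The following script is an added illustration (not code from the thread or from Snort); it builds constructed 20-byte TCP headers for a few sample destination ports and evaluates both BPF primitives over them the way the filter engine does, so you can see why `tcp[3:1] == 111` also matches 62319 (0xF36F), whose low byte is 0x6F, but `tcp[2:2] == 111` does not. The helper names `tcp_header`, `tcp_field` and `filter_hits` are this example's own, as is the port list.

```python
import struct

# Sample destination ports (constructed for this example): 111 is the port
# the original filter was meant to catch, 62319 = 0xF36F and 367 = 0x016F
# share the low byte 0x6F with it, and 22 does not.
SAMPLE_PORTS = [111, 62319, 367, 22]


def tcp_header(sport: int, dport: int) -> bytes:
    """Build a minimal 20-byte TCP header in network byte order.

    Zero-based byte layout (RFC 793): 0-1 source port, 2-3 destination
    port, 4-7 seq, 8-11 ack, 12 data offset, 13 flags, 14-15 window,
    16-17 checksum, 18-19 urgent pointer.  Checksum is left at zero; this
    is a constructed header for filter evaluation, not a sendable packet.
    """
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def tcp_field(header: bytes, offset: int, length: int) -> int:
    """Evaluate the BPF primitive tcp[offset:length].

    BPF counts bytes from zero and allows 1-, 2- or 4-byte accesses, read
    as a big-endian integer.  tcp[3:1] is therefore byte 3 alone (the low
    byte of the destination port); tcp[2:2] is bytes 2 and 3 (the whole port).
    """
    if length not in (1, 2, 4):
        raise ValueError("BPF accesses are 1, 2 or 4 bytes wide")
    chunk = header[offset:offset + length]
    if len(chunk) != length:
        raise ValueError("access runs past the end of the header")
    return int.from_bytes(chunk, "big")


def filter_hits(offset: int, length: int, value: int) -> list:
    """Return the sample destination ports whose headers satisfy
    tcp[offset:length] == value (source port is fixed; it is irrelevant here)."""
    return [
        dport for dport in SAMPLE_PORTS
        if tcp_field(tcp_header(40000, dport), offset, length) == value
    ]


if __name__ == "__main__":
    for dport in SAMPLE_PORTS:
        low = dport & 0xFF
        print(f"dport {dport:5d} = {dport:016b}  byte 3 = {low:08b} ({low})")
    print("tcp[3:1] == 111 matches:", filter_hits(3, 1, 111))  # 111, 62319, 367
    print("tcp[2:2] == 111 matches:", filter_hits(2, 2, 111))  # 111 only
```

Running it shows the one-byte filter matching every port that ends in the bit pattern 01101111, which is exactly the "five other packets" effect John saw; the two-byte form (or simply `dst port 111`) compares the full port value.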