[Snort-users] [!] WARNING: Not IPv4 datagram! - huh?

John Sage jsage at ...2022...
Sun May 27 17:40:37 EDT 2001


Fyodor:

Thanks..

..I was a little surprised to see this kinda smashed into the middle of 
the logging output, and not on every packet, but just every now and then.

Is this something that's actually in only *some* of the packets, or 
something that snort's doing?

- John

Fyodor wrote:

>> 05/27-09:19:24.672817 193.0.0.203:80 -> 12.82.128.32:62282
>> TCP TTL:48 TOS:0x0 ID:12316 IpLen:20 DgmLen:1500 DF
>> ***A**** Seq: 0xE47968E8  Ack: 0xFC7D383B  Win: 0x6028  TcpLen: 32
>> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xc561])
>> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xc561])
>> TCP Options (3) => NOP NOP TS: 34889575 318946608
>> :
> 
> 
> that means that it is seeing datagrams with '5' in version field. The
> datagram size is 0xc561.. :) actually it meant to be headerlength there,
> but I looked at the code and realized that I messed things up abit ;-)
> 
> hope it helps.
> -Fyodor





More information about the Snort-users mailing list