[Snort-users] playback and udp

Greg Sarsons gsarsons at ...3971...
Sat Nov 17 11:16:02 EST 2001


Is it possible when during playback specifying udp as the tfc type that
the destination udp port be empty?

Why?  Well I have a script the parses the playback and when I look at
inbound udp traffic at a point on the network the totals traffic by port
there is and entry for ' '

The output should be 
<port number>  <hits>  <total octets>

For some reason inbound traffic going to a subnet I see

   110657 113557672
67 852 384811
etc

if I do the same thing with outbound

21 22 2074
25 60 2040
etc

or even tcp outbound 

1 9 432
20 1 48

I'm stumped so I guess it there anything that could make a udp packet
have not port or appear to have no port defined.

Greg









More information about the Snort-users mailing list