[Snort-users] tcpdump and snort report 2 different TTL values

Chris Green cmg at ...950...
Tue Apr 2 04:14:50 EST 2002

Safka <safka at ...5399...> writes:
> When I read the file back in using tcpdump, I see the ttl value of 128
> (both hosts are on the same segment). 
> When I read the file using Snort I get 2 alerts - one with the tool's
> TTL value of 255 and one with the w2k ttl of 128. I can live with this
> however I was wondering why this behavior is occurring.
> Any thoughts?

Smells like an unsigned/signed bug in readback though not sure.  Would
you send me the pcap for the packet?

Chris Green <cmg at ...950...>
"I'm beginning to think that my router may be confused."
