[Snort-users] tcpdump and snort report 2 different TTL values
cmg at ...950...
Tue Apr 2 04:14:50 EST 2002
Safka <safka at ...5399...> writes:
> When I read the file back in using tcpdump, i see the ttl value of 128
> (both hosts are on the same segment).
> When I read the file using Snort I get 2 alerts - one with the tool's
> TTL value of 255 and one with the w2k ttl of 128. I can live with this
> however I was wondering why this behavior is occuring.
> Any thoughts ?
Smells like a unsigned/signed bug in readback though not sure. Would
you send me the pcap for the packet?
Chris Green <cmg at ...950...>
"I'm beginning to think that my router may be confused."
More information about the Snort-users