[Snort-users] tcpdump for [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xdc05])]

John Sage jsage at ...2022...
Mon Jul 22 13:17:03 EDT 2002


Max:

But I replayed the capture you posted perfectly, so it's nothing to
do with a switch or anything -- the capture is being created
accurately, it's just that when you replay it, something gets broken.


[toot at ...2057... /home/www/html/sys_docs/test]# snort -v -r snort_not_loggin.dump
Log directory = /var/log/snort
TCPDUMP file reading mode.
Reading network traffic from "snort_not_loggin.dump" file.
snaplen = 96

<snip>

Run time for packet processing was 0.18953 seconds

===============================================================================

Snort processed 28 packets.
Breakdown by protocol:                Action Stats:

    TCP: 24         (85.714%)         ALERTS: 0         
    UDP: 2          (7.143%)          LOGGED: 0         
   ICMP: 0          (0.000%)          PASSED: 0         
    ARP: 2          (7.143%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
===============================================================================


I'm replaying your post on a box that appears identical: RHL 7.2;
libpcap 0.6.2; snort 1.8.7 build 128.

You're not running this through a pager ("more" or "less"), are you?

I've noticed weirdnesses from time to time when trying to page through
a binary logfile on readback...


- John
-- 
"Cowardly refusing to create an empty archive."

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 



On Mon, Jul 22, 2002 at 02:35:09PM -0500, max valdez wrote:
> This is my snort Output
> 
> Snort doesn't recognize something in the packets.
> 
> I'm on a RH 7.3 box, libpcap-0.6.2-12
> 
> But as someone smart said, the problem might be on the switch.
> 
> Anything else needed?
> 
> 
> 
> -------------------
> [max at ...6407... max]$ snort  -v -r tcpdump-snort-not-loggin
> Log directory = /var/log/snort
> TCPDUMP file reading mode.
> Reading network traffic from "tcpdump-snort-not-loggin" file.
> snaplen = 96
> 
>         --== Initializing Snort ==--
> 
>         --== Initialization Complete ==--
> 
> -*> Snort! <*-
> Version 1.8.7 (Build 128)
> By Martin Roesch (roesch at ...1935..., www.snort.org)
> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xdc05])
> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x3400])
> 07/22-11:49:16.689735 ARP who-has 132.248.33.14 tell 132.248.33.254
> 
> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xdc05])
> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x3400])
> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xdc05])
> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x3400])
> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x6c00])
> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xdc05])
> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x3400])
> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xdc05])
> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x3400])
> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xdc05])
> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x3400])
> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xdc05])
> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x3400])
> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xdc05])
> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x3400])
> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xdc05])
> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x3400])
> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xdc05])
> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x3400])
> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x4e00])
> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xdc05])
> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x3400])
> 07/22-11:49:19.150067 ARP who-has 132.248.33.14 tell 132.248.33.254
> 
> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xdc05])
> [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x3400])
> Run time for packet processing was 0.430 seconds
> 
> 
> ===============================================================================
> 
> Snort processed 28 packets.
> Breakdown by protocol:                Action Stats:
> 
>     TCP: 0          (0.000%)          ALERTS: 0
>     UDP: 0          (0.000%)          LOGGED: 0
>    ICMP: 0          (0.000%)          PASSED: 0
>     ARP: 2          (7.143%)
>    IPv6: 0          (0.000%)
>     IPX: 0          (0.000%)
>   OTHER: 0          (0.000%)
> ===============================================================================
> Fragmentation Stats:
> Fragmented IP Packets: 0          (0.000%)
>    Rebuilt IP Packets: 0
>    Frag elements used: 0
> Discarded(incomplete): 0
>    Discarded(timeout): 0
> ===============================================================================
> 
> TCP Stream Reassembly Stats:
>    TCP Packets Used:      0          (0.000%)
>    Reconstructed Packets: 0          (0.000%)
>    Streams Reconstructed: 0
> ===============================================================================
> 
> Snort received signal 3, exiting
> 
> ----
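An added example, not code from either message above and not Snort's own decoder: a small Python checker that walks a tcpdump/pcap file record by record and applies the test behind Snort's "Not IPv4 datagram!" warning (the version nibble of the bytes taken to be an IP header must be 4), printing a Snort-style protocol breakdown alongside any warnings. It also shows why the "len" values in Max's output are not random: 0xdc05, 0x3400, 0x6c00 and 0x4e00 are 1500, 52, 108 and 78 once byte-swapped, which is exactly what a network-order 16-bit total-length field looks like when printed on a little-endian host without ntohs(). The capture is constructed in memory (made-up MAC addresses, arbitrary timestamps, IP checksums left at zero; the ARP who-has/tell addresses are the ones in the thread), so it runs with no capture file; all function names (`swap16`, `parse_pcap`, `decode_frame`, `summarize`) are this example's own.

```python
"""Check a tcpdump/pcap file the way Snort's decoder does, packet by packet.
Added example, not code from the original thread.  The sample pcap bytes at
the bottom are constructed in memory so the script runs without a capture."""
import struct

ETH_P_IP, ETH_P_ARP, DLT_EN10MB = 0x0800, 0x0806, 1
IP_PROTO = {1: 'ICMP', 6: 'TCP', 17: 'UDP'}


def swap16(v):
    """Byte-swap a 16-bit value: what a network-order field looks like when
    printed on a little-endian host without ntohs().  The lengths in the
    warnings on this page swap to 1500, 52, 108 and 78."""
    return ((v & 0xFF) << 8) | (v >> 8)


def parse_pcap(data):
    """Return (snaplen, [frame, ...]) from a classic pcap file, honouring the
    byte order the magic number signals and refusing truncated records."""
    end = {b'\xd4\xc3\xb2\xa1': '<', b'\xa1\xb2\xc3\xd4': '>'}.get(data[:4])
    if end is None:
        raise ValueError('not a pcap file (bad magic %r)' % data[:4])
    _, _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(end + 'IHHiIII', data[:24])
    if linktype != DLT_EN10MB:
        raise ValueError('expected Ethernet (DLT 1), got DLT %d' % linktype)
    frames, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, caplen, _origlen = struct.unpack(end + 'IIII', data[off:off + 16])
        off += 16
        if off + caplen > len(data):
            raise ValueError('truncated record at offset %d' % off)
        frames.append(data[off:off + caplen])
        off += caplen
    return snaplen, frames


def decode_frame(frame):
    """Classify one Ethernet frame; mirrors the IP version check behind
    Snort's "Not IPv4 datagram!" warning."""
    if len(frame) < 14:
        return {'kind': 'OTHER', 'warning': 'short Ethernet frame'}
    ethertype = struct.unpack('!H', frame[12:14])[0]
    if ethertype == ETH_P_ARP:
        return {'kind': 'ARP'}
    if ethertype != ETH_P_IP:
        return {'kind': 'OTHER', 'ethertype': ethertype}
    ip = frame[14:]
    if len(ip) < 20:
        return {'kind': 'OTHER', 'warning': 'truncated IP header'}
    ver, ihl = ip[0] >> 4, ip[0] & 0x0F
    total_len = struct.unpack('!H', ip[2:4])[0]      # network order, decoded
    if ver != 4:
        raw_len = struct.unpack('<H', ip[2:4])[0]    # same field, left unswapped
        return {'kind': 'OTHER',
                'warning': 'Not IPv4 datagram! ([ver: 0x%x][len: 0x%x])' % (ver, raw_len)}
    return {'kind': 'IPv4', 'ihl': ihl, 'total_len': total_len, 'proto': ip[9]}


def summarize(data):
    """Snort-style protocol breakdown plus the warnings, in packet order."""
    snaplen, frames = parse_pcap(data)
    counts = {'TCP': 0, 'UDP': 0, 'ICMP': 0, 'ARP': 0, 'OTHER': 0}
    warnings = []
    for n, frame in enumerate(frames, 1):
        d = decode_frame(frame)
        key = IP_PROTO.get(d.get('proto'), 'OTHER') if d['kind'] == 'IPv4' else d['kind']
        counts[key] += 1
        if 'warning' in d:
            warnings.append((n, d['warning']))
    return {'snaplen': snaplen, 'packets': len(frames), 'counts': counts, 'warnings': warnings}


# --- constructed sample capture (not a real trace) ---------------------------
def _eth(ethertype, payload, dst=b'\x00\x00\x5e\x00\x01\xfe', src=b'\x00\x00\x5e\x00\x01\x0e'):
    return dst + src + struct.pack('!H', ethertype) + payload


def _ipv4(proto, payload, src=b'\x84\xf8\x21\x0e', dst=b'\x84\xf8\x21\xfe'):
    # header checksum left at zero: the version check being demonstrated never looks at it
    return struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 1, 0x4000, 64,
                       proto, 0, src, dst) + payload


_TCP52 = _ipv4(6, struct.pack('!HHIIBBHHH', 80, 1025, 1, 1, 0x80, 0x10, 8192, 0, 0) + b'\x01' * 12)
_TCP1500 = _ipv4(6, struct.pack('!HHIIBBHHH', 80, 1025, 2, 1, 0x50, 0x18, 8192, 0, 0) + b'A' * 1460)
_UDP78 = _ipv4(17, struct.pack('!HHHH', 53, 1026, 58, 0) + b'\x00' * 50)
# ARP who-has 132.248.33.14 tell 132.248.33.254 (the addresses seen in the thread)
_ARP = struct.pack('!HHBBH6s4s6s4s', 1, 0x0800, 6, 4, 1,
                   b'\x00\x00\x5e\x00\x01\xfe', b'\x84\xf8\x21\xfe', b'\0' * 6, b'\x84\xf8\x21\x0e')
_BAD = bytes([0x55]) + _TCP1500[1:]       # version nibble corrupted: 4 -> 5

SAMPLE_PCAP = b''.join(
    [struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 96, DLT_EN10MB)] +   # snaplen 96, like the thread
    [struct.pack('<IIII', 1027352956 + i, 0, min(len(f), 96), len(f)) + f[:96]
     for i, f in enumerate([_eth(ETH_P_IP, _TCP52), _eth(ETH_P_IP, _TCP1500), _eth(ETH_P_IP, _UDP78),
                            _eth(ETH_P_ARP, _ARP), _eth(ETH_P_IP, _BAD)])])

if __name__ == '__main__':
    print(summarize(SAMPLE_PCAP))
```

Run against a real file with `summarize(open('snort_not_loggin.dump', 'rb').read())`. A clean file gives only IPv4/ARP counts; a warning on every IP packet, as in Max's run, while the same bytes decode cleanly here points at the reader (build, link-type handling, or whatever the file was piped through), not at the capture itself, which is the distinction John draws above. Note the snaplen of 96 truncates the 1514-byte frame but the IP total length of 1500 is still read correctly from the header, so short snaplens alone do not produce this warning.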



