[Snort-users] tcpdump - showing data size

netsec novice netsec9 at ...125...
Tue Oct 1 15:17:16 EDT 2002

I have recently set up SNORT with the basic signatures and as a side effect 
have discovered that our Risc server seems to be sending out a bunch of icmp 
echo request traffic.  I am trying to narrow down the destination hosts to 
give our Unix admin more info to determine the source of the requests (app, 
cron, etc.).  The rule that is triggering the alert in SNORT is 'Large ICMP 
packet' which is defined by the rule:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800;)

I can tell from the Snort logs that the Risc box is initiating the echo 
requests.  I am running 'tcpdump icmp[0]=8' on the Risc server and I am 
wanting to narrow the capture down to the packets that are triggering the 
alerts (i.e. > 800).  How do I display the packet size? Is dsize synonymous 
with bytes, i.e. > 800 bytes?  I have tried the -v operator but it doesn't 
really show much.
Any help is appreciated.
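Added example (not from the poster): a small Python decoder that builds a constructed ICMP echo request, reports the value Snort's dsize test compares against, and derives the tcpdump filter that matches the same packets. It assumes Snort counts dsize as the bytes after the 8-byte ICMP echo header and that the IP header carries no options (20 bytes).

```python
import struct

# Assumed layout: 20-byte IPv4 header (no options) + 8-byte ICMP echo header
# (type, code, checksum, id, seq) + payload. Snort's dsize is assumed to be
# the payload length only, i.e. excluding both headers.
IP_HDR_LEN = 20
ICMP_ECHO_HDR_LEN = 8
ICMP_ECHO_REQUEST = 8


def build_echo_request(payload_len, src="10.0.0.5", dst="10.0.0.9"):
    """Construct an IPv4 ICMP echo request carrying payload_len zero bytes."""
    total_len = IP_HDR_LEN + ICMP_ECHO_HDR_LEN + payload_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                         64, 1, 0,  # ttl, proto=ICMP, checksum left zero
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    icmp_hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x0042, 1)
    return ip_hdr + icmp_hdr + bytes(payload_len)


def snort_dsize(pkt):
    """Payload bytes after the IP and ICMP echo headers (what dsize tests)."""
    ihl = (pkt[0] & 0x0F) * 4                 # real IP header length
    total_len = struct.unpack("!H", pkt[2:4])[0]  # ip[2:2] in BPF terms
    return total_len - ihl - ICMP_ECHO_HDR_LEN


def is_large_icmp(pkt, threshold=800):
    """True when the constructed rule 'dsize:>threshold' would fire on pkt."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl] == ICMP_ECHO_REQUEST and snort_dsize(pkt) > threshold


def bpf_for_dsize(threshold):
    """tcpdump filter matching echo requests with more than threshold payload bytes."""
    ip_len = threshold + ICMP_ECHO_HDR_LEN + IP_HDR_LEN
    return f"icmp[icmptype] = icmp-echo and ip[2:2] > {ip_len}"


if __name__ == "__main__":
    for n in (56, 800, 801):
        p = build_echo_request(n)
        print(f"payload {n}: ip len {len(p)}, dsize {snort_dsize(p)}, "
              f"large={is_large_icmp(p)}")
    print("tcpdump -n '" + bpf_for_dsize(800) + "'")
```

The filter string it prints can be passed to tcpdump as shown; the ip[2:2] comparison uses the IP total length field, so it works the same on old and new tcpdump versions.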

