[Snort-users] snort -r output

John Sage jsage at ...2022...
Mon Apr 21 07:43:03 EDT 2003


Cheeyong:

On or about Mon, Apr 21, 2003 at 04:19:01PM +0800, Tay Chee Yong posited:
> Hi list,
> 
> I am pretty new to snort, and I would like to find out how to decode the
> snort -r output?  Could anyone tell me what the hex values stand for, and
> why there are "......."?
> 
> Basically, I am trying to find out the patterns of the packets, so that I
> can match by the content in my rules.
> 
> 04/21-16:02:57.719998 210.24.246.13:62764 -> 203.120.90.33:53
> UDP TTL:124 TOS:0x0 ID:31492 IpLen:20 DgmLen:70
> Len: 42
> 01 62 01 00 00 01 00 00 00 00 00 00 09 4D 41 52  .b...........MAR
> 4B 45 54 49 4E 47 07 61 6C 63 6F 74 65 63 00 00  KETING.alcotec..
> 01 00 01 00 00 00 00 00 00 00                    ..........

The first three lines (I hope..) should be self-explanatory.

The fourth through sixth lines represent the packet, with hexadecimal
on the left and an ASCII decoding on the right. Those hexadecimal
pairs (0x09 for example) that do not represent ASCII characters are
represented as dots "...."

If you have a hex-to-ASCII conversion table (try man ascii..) or
conversion tool (I use 2.pl; see: http://freshmeat.net/projects/2/ but
it doesn't seem to be available right now...) you can see that the
sequence 4d 41 52 4b 45 54 49 4e 47 represents "MARKETING" in capital
letters, which is shown decoded in the right column.

Get a copy of "TCP/IP Illustrated" vol. 1, W. R. Stevens, Addison-Wesley,
pubs, if you really want to get into decoding the packet headers.


- John
-- 
"You are in a twisty maze of weblogs, all alike."

    PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
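As an added example that is not part of the original post or of Snort itself, the script below does mechanically what John describes by hand: it rebuilds the raw bytes from the hex column of the quoted dump, reproduces Snort's dotted ASCII column, decodes the payload as the DNS query it is (header plus question section, RFC 1035 section 4.1), and turns the question name into a Snort `content:` pattern. The dump rows are the ones quoted above; the DNS decoding, the rule text and the sid value are this example's own assumptions.

```python
"""Added example (not from the original post): Snort hex dump -> bytes ->
DNS question -> Snort content: match.  The dump rows are the ones quoted
in the thread; the rule text and the sid value are assumptions made here."""
import string
import struct

# Payload rows exactly as Snort printed them in the quoted message.
SNORT_DUMP = """\
01 62 01 00 00 01 00 00 00 00 00 00 09 4D 41 52  .b...........MAR
4B 45 54 49 4E 47 07 61 6C 63 6F 74 65 63 00 00  KETING.alcotec..
01 00 01 00 00 00 00 00 00 00                    ..........
"""

HEX_WIDTH = 16 * 3   # 16 "xx " cells; Snort's ASCII column starts after them
LITERAL_SAFE = set(string.ascii_letters + string.digits + "._-")


def dump_to_bytes(dump):
    """Rebuild the payload from the fixed-width hex area of each dump row.

    Only the hex area is parsed, so printable payload bytes shown in the
    ASCII column on the right (e.g. 'MAR') can never be taken for hex digits.
    """
    out = bytearray()
    for row in dump.splitlines():
        for cell in row[:HEX_WIDTH].split():
            if len(cell) != 2 or any(c not in string.hexdigits for c in cell):
                raise ValueError("malformed hex cell %r in row %r" % (cell, row))
            out.append(int(cell, 16))
    return bytes(out)


def ascii_column(data):
    """Reproduce Snort's right-hand column: printable ASCII as-is, all else '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def parse_dns_question(payload):
    """Decode the 12-byte DNS header and the single question that follows it."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", payload[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question, got %d" % qdcount)
    labels, off = [], 12
    while True:
        length = payload[off]
        off += 1
        if length == 0:          # the root label (0x00) terminates the name
            break
        if length & 0xC0:        # compression pointers are not valid in a query name
            raise ValueError("compression pointer at offset %d" % (off - 1))
        labels.append(payload[off:off + length].decode("ascii"))
        off += length
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return {
        "id": txid, "flags": flags,
        "qname": ".".join(labels),
        "qname_bytes": payload[12:off],   # length-prefixed labels incl. the final 0x00
        "qtype": qtype, "qclass": qclass,
        "trailing": payload[off + 4:],    # anything after the question (7 zero bytes here)
    }


def snort_content(data):
    """Render bytes in Snort content: syntax: safe text literally, the rest as |hex|."""
    parts, hexrun = [], []

    def flush():
        if hexrun:
            parts.append("|" + " ".join("%02X" % b for b in hexrun) + "|")
            hexrun.clear()

    for b in data:
        if chr(b) in LITERAL_SAFE:
            flush()
            parts.append(chr(b))
        else:
            hexrun.append(b)
    flush()
    return "".join(parts)


def rule_for_query(payload, sid=1000001):
    """Build a Snort rule that matches this exact query name in the question section.

    Matching the wire-format name (length prefixes and trailing 0x00 included)
    is tighter than matching the text "MARKETING" anywhere in the packet, and
    offset:12 skips the DNS header.  sid 1000001 is only an assumed value in
    the local-rule range (>= 1000000).
    """
    q = parse_dns_question(payload)
    return ('alert udp any any -> any 53 (msg:"DNS query for %s"; '
            'content:"%s"; offset:12; sid:%d; rev:1;)'
            % (q["qname"], snort_content(q["qname_bytes"]), sid))


if __name__ == "__main__":
    payload = dump_to_bytes(SNORT_DUMP)
    for i in range(0, len(payload), 16):
        print(ascii_column(payload[i:i + 16]))
    print(parse_dns_question(payload))
    print(rule_for_query(payload))
```

Reading the decoded fields back against the dump: `01 62` is the transaction ID, `01 00` the flags (a standard query with recursion desired), `00 01` one question, then the name `09 MARKETING 07 alcotec 00`, type `00 01` (A) and class `00 01` (IN); the seven zero bytes at the end are padding after the question, which is why Snort's `Len: 42` is larger than the 35 bytes the DNS message needs.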



