[Snort-users] TCP header length exceeds packet length

Phil Wood cpw at ...440...
Mon Nov 3 15:27:30 EST 2003


If extol is getting the tcp off the wire then they probably need to know
the mtu of your interface so you can set the snapshot length.

If extol is reading a file you prepared, then it was probably read with
a snaplen less than the maximum mtu of your interface.

Or, finally it might just be a corrupt packet.  You should do a full
packet capture of the offending pc spew with probably something like:

  tcpdump -i <interface> -s 1514 ... -w pc.pcap host pc

on the assumption that your using an ethernet interface for packet
capture.

On Mon, Nov 03, 2003 at 03:38:55PM +0100, Erik Nyman wrote:
> Hi!
> 
> I'm testing a tool built by extol
> (http://www.extol.com.my/news/warning/other/blaster_detection.htm) but I get
> this warning message that I don't understand.
> 
> WARNING: TCP Header length exceeds packet length!
> 
> I have searched for an explanation, but I can't find any.
> 
> Anyone that can explain what to do about the PC that sends these packets?
> 
> /Erik
> 
> 
> 
> -------------------------------------------------------
> This SF.net email is sponsored by: SF.net Giveback Program.
> Does SourceForge.net help you be more productive?  Does it
> help you create better code?   SHARE THE LOVE, and help us help
> YOU!  Click Here: http://sourceforge.net/donate/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood (cpw_at_lanl.gov)




More information about the Snort-users mailing list