[Snort-users] Packet size in snort log

Matt Kettler mkettler at ...4108...
Mon Nov 10 15:02:07 EST 2003


At 09:29 AM 11/10/2003, nick travis wrote:
>Below is section from my snort log, How can I figure out the size of
>this packet in bytes based off this info?
>
>
> > 11/10-08:58:30.639214 10.31.178.196:137 -> 10.31.179.255:137
> > UDP TTL:128 TOS:0x0 ID:54163 IpLen:20 DgmLen:78
> > Len: 50

Which length are you interested in? Ethernet, IP, or UDP? Packets have 
different sizes depending what layer you are interested in.

This packet was a 78 byte IP packet, with 20 bytes of IP header, 8 bytes of 
UDP header, and 50 bytes of UDP payload.

The IpLen: specifies the length of the IP header
The DgmLen: specifies the total length of the IP packet, including all IP 
layer headers.
The Len: specifies the payload length, at the lowest layer that snort could 
decode, which in this case is UDP.

Assuming ethernet headers and CRC of 18 bytes, the total on-ethernet-wire 
size of the was 96 bytes, or 92 bytes without CRC. 





More information about the Snort-users mailing list