[Snort-users] query .. please someone help.

Erek Adams erek at ...950...
Wed Sep 17 05:57:02 EDT 2003


On Tue, 16 Sep 2003, Clayton Mascarenhas wrote:

> Could I please know why I keep getting ... "responding! TCP[2] IP[0]
> UDP[0]" a million times on my screen everytime I run snort on a traffic
> data file? Its like that statement runs in some sort of a never ending
> loop. Please could I know why this is happening and how do I stop this
> from happening. Is there any option that goes with my snort command
> line

Are you sure that the message isn't "returning" instead?  If it is...

Snort is telling you that something isn't right on your network.  You've
got something creating packets with bad checksums.  If you take a look at
lines 88-103 in src/detect.c you'll see this:

    88      /*
    89       *  If the packet has an invalid checksum marked, throw that
    90       *  traffic away as no end host should accept it.
    91       *
    92       *  This can be disabled by config checksum_mode: none
    93       */
    94
    95      if(p->csum_flags)
    96      {
    97          printf("returning! TCP (%d) IP (%d) UDP (%d) \n",
    98                 (p->csum_flags & CSE_TCP),
    99                 (p->csum_flags & CSE_IP),
   100                 (p->csum_flags & CSE_UDP)
   101                 );
   102          return 0;
   103      }

Does that help?

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




More information about the Snort-users mailing list