[Snort-users] Incorrect IP Flags Values in database output.

waldo kitty wkitty42 at ...14940...
Mon Aug 15 22:13:13 EDT 2011

On 8/15/2011 20:24, kareem at ...15353... wrote:
> You are right on the bits. All of them get affected. My only reference for what
> is expected in the data base is the code for Base. In the base_payload.php file,
> the ip_frag field get pulled out of the database and is used to create a PCAP.
> Since the data in that field is not the flags, the PCAP that is created is
> incorrect. So, my assuption was that the database would be holding the flags.

that doesn't sound too kosher... shouldn't a PCAP be the actual data on the 
wire? fragments and all?? yes, i understand that in some cases the fragments are 
reassembled into one large packet with flags and packet size supposedly adjusted 
to match but while this is a GoodThing<tm> in some cases, it would seem to be 
not all that proper in others...

More information about the Snort-users mailing list