Re: Diagnostic message -- what's up?

[Erek Adams <erek () snort org>]

On Wed, 20 Aug 2003, Richard Crane wrote:

> I am getting a lot of these messages since switching to v 2.0.1:
>
>
> returning! TCP (2) IP (0) UDP (0)
> returning! TCP (2) IP (0) UDP (0)
> returning! TCP (2) IP (0) UDP (0)

[...snip...]

> Shortly after startup, the messages start. They tend to come in
> clusters of 10-15 at about 1-2 minute intervals.
>
> Any suggestions?

Snort is telling you that something isn't right on your network.  You've
got something creating packets with bad checksums.  If you take a look at
lines 88-103 in src/detect.c you'll see this:

    88      /*
    89       *  If the packet has an invalid checksum marked, throw that
    90       *  traffic away as no end host should accept it.
    91       *
    92       *  This can be disabled by config checksum_mode: none
    93       */
    94
    95      if(p->csum_flags)
    96      {
    97          printf("returning! TCP (%d) IP (%d) UDP (%d) \n",
    98                 (p->csum_flags & CSE_TCP),
    99                 (p->csum_flags & CSE_IP),
   100                 (p->csum_flags & CSE_UDP)
   101                 );
   102          return 0;
   103      }

Does that help?

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines
at the same time. Free trial click here:http://www.vmware.com/wl/offer/358/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users