-----Original Message-----
Subject: [Snort-users] need help : (snort decoder) Bad Traffic Loopback IP
On one machine i get a
(snort decoder) Bad Traffic Loopback IP
with
127.0.0.1:2638 255.255.255.255:2638 UDP
report.
How can i trace where this broadcast came from (pid)/PC ?
I wonder why only one pc gets this broadcast msg, for testing i pulled
this pc out of
network and msg didn't come again.
Now i wonder if it is generated by the pc itself - but why vanished msg
when pulling off
network cable- or if msg comes from network - but why don't fetch other
sensors this msg - .
i don't wanna disable complete decoder to get rid of this message. But in
the end i'd like
to find out what src of msg is and stop it.
Step 1 will be to determine whether or not the packet is actually "on the
wire." This can be done with Ethereal or whatever your favorite sniffer is.
Just be sure to specify the actual interface you think the packet may be
arriving on when sniffing.
I suspect that you will discover that this packet is not occurring on the
wire but only on the local network stack. The easy fix for this will be to
specify Snort's listening interface using '-i'. That way, traffic that
occurs on the local machine's loopback interface won't be processed by
Snort.
PaulM
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
