[bro] WeirdActivity truncated_NTP pb ?
christian at whoop.org
Sat Jan 8 11:38:12 PST 2005
On Sat, 2005-01-08 at 15:48 +0100, rmkml wrote:
> Happy New Year,
> I have this event :
> x.x.x.x/32785 > 188.8.131.52/123:
> but ntp request is not trunc :
> $ tcpdump383 -vvnSlr bro_truncated_ntp.pcap
> 14:54:20.883849 IP (tos 0x0, ttl 63, id 42724, offset 0, flags [DF],
> length: 40) x.x.x.x.32785 > 184.108.40.206.123: [udp sum ok]
> [len=12]NTPv2 res1, strat 2, poll 0, prec 1 dist 0.000000, disp 0.000000
Yes it is ... your output indicates that your trace contains truncated
NTP packets. Presumably you fed this trace to Bro...
From the tcpdump manpage: "Packets truncated because of a limited
snapshot are indicated in the output with ``[|proto]'', where proto is
the name of the protocol level at which the truncation has occurred."
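As an added illustration (not code from the thread or from Bro itself), the check below rebuilds a constructed 40-byte IPv4/UDP frame matching the quoted tcpdump line and applies the length test that produces a truncated_NTP-style weird: the IP total length of 40 leaves only 12 bytes of UDP payload, short of the 48-byte fixed NTP header. The 48-byte minimum, the placeholder addresses and the mode-6 reading of tcpdump's "res1" label are assumptions.

```python
import struct

NTP_MIN_LEN = 48      # fixed NTP header, RFC 1305 (assumption: the minimum an NTP analyzer expects)
IP_PROTO_UDP = 17

def build_udp_frame(payload, sport=32785, dport=123, ip_id=42724, ttl=63):
    """Constructed IPv4/UDP frame mirroring the quoted tcpdump line; checksums left zero."""
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack('!BBHHHBBH4s4s',
                         0x45, 0, 20 + udp_len, ip_id,
                         0x4000,                          # flags [DF], fragment offset 0
                         ttl, IP_PROTO_UDP, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))   # placeholder addresses
    udp_hdr = struct.pack('!HHHH', sport, dport, udp_len, 0)
    return ip_hdr + udp_hdr + payload

def ntp_weird(frame):
    """Return 'truncated_NTP' when a UDP/123 payload is shorter than the NTP header, else None."""
    ver_ihl, _, total_len, _, _, _, proto, _, _, _ = struct.unpack('!BBHHHBBH4s4s', frame[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != IP_PROTO_UDP:
        return None
    sport, dport, udp_len, _ = struct.unpack('!HHHH', frame[ihl:ihl + 8])
    if 123 not in (sport, dport):
        return None
    payload = frame[ihl + 8:ihl + udp_len]        # payload length follows from the UDP length field
    if len(payload) < NTP_MIN_LEN:
        return 'truncated_NTP'
    return None

# Constructed 12-byte NTP payload as tcpdump decoded it: LI=0, VN=2, mode=6 (assumed to be
# tcpdump's 'res1'), stratum 2, poll 0, precision 1, then 8 zero bytes (root distance/dispersion).
TRUNCATED_NTP = bytes([0x16, 2, 0, 1]) + bytes(8)
TRUNCATED_FRAME = build_udp_frame(TRUNCATED_NTP)       # IP total length 40, as in the trace

# A full 48-byte NTPv4 client request (LI=0, VN=4, mode=3) for comparison.
FULL_FRAME = build_udp_frame(bytes([0x23]) + bytes(47))

if __name__ == '__main__':
    print(len(TRUNCATED_FRAME), ntp_weird(TRUNCATED_FRAME))   # 40 truncated_NTP
    print(len(FULL_FRAME), ntp_weird(FULL_FRAME))             # 76 None
```

The flag fires on the payload length alone, so it does not distinguish a snaplen-truncated capture from a packet that was genuinely this short on the wire; the IP total length field is what tells those apart.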