[bro] WeirdActivity truncated_NTP pb ?

Christian Kreibich christian at whoop.org
Sat Jan 8 11:38:12 PST 2005


On Sat, 2005-01-08 at 15:48 +0100, rmkml wrote:
> Hi,
> 
> Happy New Year,
> 
> I have this event :
> 
> 1105106060.883849:WeirdActivity:NOTICE_ALARM_ALWAYS:::::::::::truncated_NTP 
> x.x.x.x/32785 > 157.99.64.66/123:
> 
> but ntp request is not trunc :
> 
> $ tcpdump383 -vvnSlr bro_truncated_ntp.pcap
> 14:54:20.883849 IP (tos 0x0, ttl  63, id 42724, offset 0, flags [DF], 
> length: 40) x.x.x.x.32785 > 157.99.64.66.123: [udp sum ok] 
> [len=12]NTPv2 res1, strat 2, poll 0, prec 1 dist 0.000000, disp 0.000000 
> [|ntp]
  ^^^^^^

Yes it is ... your output indicates that your trace contains truncated
NTP packets. Presumably you fed this trace to Bro...

From the tcpdump manpage: "Packets  truncated  because  of a limited
snapshot are indicated in the output with ``[|proto]'', where  proto  is
the name of the protocol level at which the truncation has occurred."

Cheers,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org
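As an added illustration (not code from the thread or from Bro): a small Python script that looks for the condition Bro reports as truncated_NTP, an NTP datagram carrying fewer than the 48 bytes of a full NTP header. Either cause makes tcpdump print [|ntp]: the capture snaplen cut the frame short, or the datagram on the wire really was that small (the quoted one carries only 12 bytes). The pcap bytes are constructed inline, and 10.0.0.1 stands in for the poster's masked x.x.x.x.

```python
import struct
NTP_MIN_LEN = 48  # bytes from LI/VN/mode through the transmit timestamp

def _frame(payload, sport=32785, dport=123, src="10.0.0.1", dst="157.99.64.66"):
    """Constructed Ethernet/IPv4/UDP frame carrying payload (no checksums, not a real capture)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 42724, 0x4000, 63, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp

def _pcap(frames, snaplen):
    """Little-endian pcap (linktype 1); frames are cut at snaplen, as tcpdump -s would."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, f in enumerate(frames):
        cap = f[:snaplen]
        out += struct.pack("<IIII", 1105106060, 883849 + i, len(cap), len(f)) + cap
    return out

def ntp_payload(frame):
    """Return the UDP payload of an IPv4/UDP frame to or from port 123, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None
    udp = 14 + (frame[14] & 0x0F) * 4           # IHL gives the IPv4 header length
    if udp + 8 > len(frame):
        return None
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    return frame[udp + 8:] if 123 in (sport, dport) else None

def find_truncated_ntp(pcap):
    """Return [(packet_no, reason)] for NTP datagrams shorter than a full NTP header."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    findings, off, n = [], 24, 0
    while off + 16 <= len(pcap):
        _, _, caplen, wirelen = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off, n = off + 16 + caplen, n + 1
        payload = ntp_payload(frame)
        if payload is None:
            continue
        if caplen < wirelen:                     # snapshot length cut the frame
            findings.append((n, "caplen %d < wirelen %d (snaplen too small)" % (caplen, wirelen)))
        elif len(payload) < NTP_MIN_LEN:         # datagram itself is too short
            findings.append((n, "NTP payload %d bytes < %d" % (len(payload), NTP_MIN_LEN)))
    return findings

# Constructed sample: a 48-byte request cut by a 68-byte snaplen, a 12-byte datagram
# like the quoted [len=12] one, and a port-53 packet that must be ignored.
SAMPLE_PCAP = _pcap([_frame(b"\x1b" + b"\x00" * 47),
                     _frame(b"\x13" + b"\x00" * 11),
                     _frame(b"\x12\x34\x01\x00" + b"\x00" * 8, dport=53)], snaplen=68)
```

Running `find_truncated_ntp(SAMPLE_PCAP)` reports packets 1 and 2 with their respective reasons and stays silent on the DNS packet.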