[Dshield] Snort entry I do not understand, what is PROTO255

MH procana at insight.rr.com
Thu Jun 30 15:40:26 GMT 2005


On Thu, Jun 30, 2005 at 08:14:05AM -0500, David McGaughey wrote:
> [snip]
> [**] [122:1:0] (portscan) TCP Portscan [**]
> 
> 06/28-22:59:08.756282 4D:41:43:44:41:44 -> 4D:41:43:44:41:44 type:0x800
> len:0xB0
> 
> 18.7.14.127 -> XXX.XXX.XXX.XXX PROTO255 TTL:0 TOS:0x0 ID:19548 IpLen:20
> DgmLen:162
> 
> Please note XXX.XXX.XXX.XXX - I took the IP of the internal machine out.  What is
> PROTO255?
> [snip]

Hi David,

The relevant information from the README.sfscan in the docs dir:

In order to get all the portscan information logged with the alert, snort
generates a pseudo-packet and uses the payload portion to store the additional
portscan information of priority count, connection count, IP count, port count,
IP range, and port range.  The characteristics of the packet are:

Src/Dst MAC Addr == MACDAD
IP Protocol == 255
IP TTL == 0


Hope this helps,
Mike
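The three characteristics Mike quotes from README.sfscan are enough to recognise the pseudo-packet mechanically, which is useful when the same frames show up in a pcap or in a tool that otherwise flags "IP protocol 255, TTL 0" as hostile. The example below is added here and is not code from the original post or from Snort itself: it builds a frame shaped like the pseudo-packet (constructed sample, reusing the 18.7.14.127 scanner address from David's alert and 192.0.2.10 as a stand-in target), checks all three characteristics, and pulls the portscan summary out of the payload. The exact text labels in the payload ("Priority Count", "Scanner IP Range", and so on) and the zero IP header checksum are assumptions; README.sfscan only names the quantities carried, so the parser keeps whatever label precedes the first ':' on each line.

```python
import socket
import struct

# Snort writes "MACDAD" in ASCII as both MACs of the pseudo-packet:
# 4D:41:43:44:41:44 == b"MACDAD"
MACDAD = b"MACDAD"
ETHERTYPE_IPV4 = 0x0800
PSEUDO_PROTO = 255   # IP Protocol == 255
PSEUDO_TTL = 0       # IP TTL == 0
ETH_LEN = 14

# Constructed sample payload; the field labels are an assumption about the
# sfPortscan text, the quantities are the ones README.sfscan lists.
SAMPLE_PAYLOAD = (
    b"Priority Count: 5\n"
    b"Connection Count: 5\n"
    b"IP Count: 1\n"
    b"Scanner IP Range: 18.7.14.127:18.7.14.127\n"
    b"Port/Proto Count: 5\n"
    b"Port/Proto Range: 22:445\n"
)


def build_portscan_pseudo_packet(scanner_ip, target_ip, payload, ip_id=19548):
    """Construct a frame shaped like the sfPortscan pseudo-packet (sample, not a capture).

    Ethernet header with MACDAD on both ends, IPv4 header with proto 255 and
    TTL 0, and the portscan summary as the IP payload. The header checksum is
    left as 0 (assumption: the detector below does not depend on it).
    """
    eth = MACDAD + MACDAD + struct.pack("!H", ETHERTYPE_IPV4)
    total_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, ip_id, 0,
                     PSEUDO_TTL, PSEUDO_PROTO, 0,
                     socket.inet_aton(scanner_ip), socket.inet_aton(target_ip))
    return eth + ip + payload


def build_plain_tcp_frame():
    """Constructed ordinary TCP SYN frame, for contrast: real MACs, TTL 64, proto 6."""
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0,
                     socket.inet_aton("18.7.14.127"), socket.inet_aton("192.0.2.10"))
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp


def is_snort_portscan_pseudo_packet(frame):
    """True only when all three README.sfscan characteristics hold at once."""
    if len(frame) < ETH_LEN + 20:
        return False
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4 or dst_mac != MACDAD or src_mac != MACDAD:
        return False
    ttl, proto = frame[ETH_LEN + 8], frame[ETH_LEN + 9]   # IPv4 TTL and protocol octets
    return ttl == PSEUDO_TTL and proto == PSEUDO_PROTO


def parse_portscan_pseudo_packet(frame):
    """Return scanner, target, header lengths and the key/value summary from the payload."""
    if not is_snort_portscan_pseudo_packet(frame):
        raise ValueError("not a Snort portscan pseudo-packet")
    ihl = (frame[ETH_LEN] & 0x0F) * 4                       # IpLen in the alert
    total_len = struct.unpack("!H", frame[ETH_LEN + 2:ETH_LEN + 4])[0]   # DgmLen in the alert
    scanner = socket.inet_ntoa(frame[ETH_LEN + 12:ETH_LEN + 16])
    target = socket.inet_ntoa(frame[ETH_LEN + 16:ETH_LEN + 20])
    payload = frame[ETH_LEN + ihl:ETH_LEN + total_len]
    fields = {}
    for line in payload.decode("ascii", errors="replace").splitlines():
        label, sep, value = line.partition(":")   # first ':' ends the label; IP ranges keep theirs
        if sep:
            fields[label.strip()] = value.strip()
    return {"scanner": scanner, "target": target, "ip_len": ihl,
            "dgm_len": total_len, "fields": fields}


if __name__ == "__main__":
    pseudo = build_portscan_pseudo_packet("18.7.14.127", "192.0.2.10", SAMPLE_PAYLOAD)
    print("pseudo-packet:", is_snort_portscan_pseudo_packet(pseudo))
    print("plain TCP   :", is_snort_portscan_pseudo_packet(build_plain_tcp_frame()))
    for key, val in parse_portscan_pseudo_packet(pseudo).items():
        print(f"{key}: {val}")
```

The check deliberately requires all three properties together; a frame carrying MACDAD but a non-zero TTL, or protocol 255 with real MAC addresses, is treated as a genuine packet and left for normal analysis rather than being dismissed as Snort's own bookkeeping.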
