1. Sensor parameter "interface" can become
an empty string when the interface of
this sensor changes. Therefore I have
2. ip_flags doesn't say anything about the
DF-flag and the MF-flag. It is taken
from p->frag_flag, which only indicates
whether or not the packet is fragmented.
Hence I replaced "DF" and "MF" by "fragment".
3. I have tried to fix the IP fragmentation
offset field. Now this field is in line
with what Ethereal shows me.
4. I have added a hex representation to the IP,
TCP and ICMP checksums in order to make it
easier to compare them with Ethereal.
5. I have added base64 support for IP options
and for TCP options.
6. I have corrected a variable name in a
debug block: $encoding
7. I have removed the special sfportscan MAC
address containing ASCII codes for "MACDAD"
from being displayed, as one can mix up
those codes with real MAC addresses.
8. I have turned TCP offset from 32-bit words
into bytes, cf. RFC 793, 3.1 (= p. 16).
Now one can check more easily whether
or not IP header length plus offset is
equal to the length claimed by the field
The patch has been generated by
diff -Nur base_qry_alert.php.orig base_qry_alert.php >
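
Added example, not part of the original message or of the patch: a Python sketch of the header arithmetic behind items 2, 3, 4 and 8 (DF/MF versus a single "fragment" indicator, fragment offset in bytes, checksums in hex, TCP offset in bytes and the length cross-check). All function names and the sample packet are constructed for illustration; they are not BASE code.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_ipv4(pkt: bytes) -> dict:
    ver_ihl, _, total_len, _, flags_frag, _, proto, csum = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4                       # IHL counts 32-bit words
    return {
        "ihl_bytes": ihl,
        "total_len": total_len,
        "df": bool(flags_frag & 0x4000),             # Don't Fragment bit
        "mf": bool(flags_frag & 0x2000),             # More Fragments bit
        "frag_offset_bytes": (flags_frag & 0x1FFF) * 8,  # field counts 8-byte units
        "checksum_hex": f"0x{csum:04x}",
        "checksum_ok": inet_checksum(pkt[:ihl]) == 0,
    }

def decode_tcp(seg: bytes) -> dict:
    off_flags, _window, csum = struct.unpack("!HHH", seg[12:18])
    return {"data_offset_bytes": (off_flags >> 12) * 4,  # 32-bit words -> bytes
            "checksum_hex": f"0x{csum:04x}"}

def tcp_payload_len(pkt: bytes) -> int:
    """Total length minus both headers; a negative result means the fields disagree."""
    ip = decode_ipv4(pkt)
    tcp = decode_tcp(pkt[ip["ihl_bytes"]:])
    return ip["total_len"] - ip["ihl_bytes"] - tcp["data_offset_bytes"]

def build_sample(flags_frag: int) -> bytes:
    """Constructed packet: 20-byte IPv4 header + 20-byte TCP SYN header, no payload."""
    tcp = struct.pack("!HHIIHHHH", 1234, 80, 1, 0, 0x5002, 8192, 0, 0)  # TCP checksum left 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1C46, flags_frag,
                     64, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:] + tcp

if __name__ == "__main__":
    for name, ff in (("DF set", 0x4000), ("MF set, offset field 5", 0x2005)):
        print(name, decode_ipv4(build_sample(ff)))
    print("TCP:", decode_tcp(build_sample(0x4000)[20:]), "payload:", tcp_payload_len(build_sample(0x4000)))
```

The second sample only exercises the IP flag and offset decoding; a real non-first fragment would not begin with a TCP header.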