Cisco Support Community
Community Member

ip options alarm-hex value meaning?

Can someone clarify for me what an alarm id IP options: "0x14" means? This was seen in our secure PIX logs as a 106012 alarm id and I'm trying to correlate it with our site's IDS sensor logs. In relation to the IDS 100x alarms involving IP options, is there any significance of the "0x14" hex?

thanks,

sal

2 REPLIES

Re: ip options alarm-hex value meaning?

Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.

Community Member

Re: ip options alarm-hex value meaning?

Basically, hex option=0x14 breaks down as follows:

|0001|0100|

The ip options field breaks down as:

0 bit: copy bit

1-2 bit: class option bits

3-7 bit: option number bits

So, 0x14 hex breaks down as:

copy bit: 0

class option: 0

option number: 20

From the table at:

IP OPTION NUMBERS

http://www.iana.org/assignments/ip-parameters

You can see that this is not a valid option. It's sort of a router alert without the copy option. However, RFC 2113 (Router Alerts) does not permit that possibility.

You will need to get a sniffer trace of this traffic and investigate this further to determine which device is initiating this traffic and why.

If you find out, please share your info.

HTH

Jeff
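
The bit breakdown in the reply above, applied to a captured header, as an added example that is not part of the original posts: it splits an option type octet into copy/class/number and walks the options area of a raw IPv4 header such as one taken from a sniffer trace. The function names, the partial option table and the sample header bytes are assumptions constructed for illustration.

```python
import struct

# Subset of the IANA "IP Option Numbers" registry, keyed by the full type octet.
KNOWN_OPTIONS = {
    0x00: "EOOL (End of Options List)",
    0x01: "NOP (No Operation)",
    0x07: "RR (Record Route)",
    0x44: "TS (Time Stamp)",
    0x83: "LSR (Loose Source Route)",
    0x89: "SSR (Strict Source Route)",
    0x94: "RTRALT (Router Alert, RFC 2113)",
}

def decode_option_type(octet):
    """Split an option type octet into copy flag (1 bit), class (2), number (5)."""
    return {
        "copy": (octet >> 7) & 0x1,
        "class": (octet >> 5) & 0x3,
        "number": octet & 0x1F,
        "name": KNOWN_OPTIONS.get(octet, "not in this subset"),
    }

def walk_options(header):
    """Return [(type_octet, data)] for the options of a raw IPv4 header."""
    ihl = (header[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or ihl > len(header):
        raise ValueError("bad IHL")
    opts, i, found = header[20:ihl], 0, []
    while i < len(opts):
        opt_type = opts[i]
        if opt_type == 0x00:              # EOOL: single octet, ends the list
            found.append((opt_type, b""))
            break
        if opt_type == 0x01:              # NOP: single octet padding
            found.append((opt_type, b""))
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option at offset %d" % i)
        length = opts[i + 1]              # length covers type, length and data
        found.append((opt_type, opts[i + 2:i + length]))
        i += length
    return found

# Constructed sample: IHL=6, checksum left at 0, one option with type octet 0x14.
SAMPLE = struct.pack("!BBHHHBBH4s4s", 0x46, 0, 24, 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + bytes([0x14, 4, 0, 0])
for opt_type, data in walk_options(SAMPLE):
    print(hex(opt_type), decode_option_type(opt_type), data.hex())
```

Decoding 0x94 alongside 0x14 shows the same option number 20 with the copy bit set, which is the registered Router Alert value.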
