@ARP@arp@[55011,59486,65534][0,0,0]
@ICMP@icmp || icmpv6@[49680,49737,65535][0,0,0]
@TCP RST@tcp.flags.reset eq 1@[37008,0,0][65535,63121,32911]
-@TTL low or unexpected@( ! ip.dst == 224.0.0.0/4 && ip.ttl < 5) || (ip.dst == 224.0.0.0/24 && ip.ttl != 1)@[37008,0,0][65535,65535,65535]
+@TTL low or unexpected@( ! ip.dst == 224.0.0.0/4 && ip.ttl < 5 && !pim) || (ip.dst == 224.0.0.0/24 && ip.ttl != 1)@[37008,0,0][65535,65535,65535]
@Checksum Errors@cdp.checksum_bad==1 || edp.checksum_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 || mstp.checksum_bad==1@[0,0,0][65535,24383,24383]
@SMB@smb || nbss || nbns || nbipx || ipxsap || netbios@[65534,64008,39339][0,0,0]
@HTTP@http || tcp.port == 80@[36107,65535,32590][0,0,0]
* be expected to be 1. (see RFC 3171) Flag a TTL greater than 1.
*
* Flag a low TTL if the packet is not destined for a multicast address
- * (e.g. 224.0.0.0/4).
+ * (e.g. 224.0.0.0/4) ... and the payload isn't protocol 103 (PIM).
+ * (see http://tools.ietf.org/html/rfc3973#section-4.7).
*/
if (is_a_local_network_control_block_addr(dst32)) {
ttl = local_network_control_block_addr_valid_ttl(dst32);
expert_add_info_format(pinfo, ttl_item, PI_SEQUENCE, PI_NOTE,
"\"Time To Live\" != %d for a packet sent to the Local Network Control Block (see RFC 3171)", ttl);
}
- } else if (!is_a_multicast_addr(dst32) && iph->ip_ttl < 5) {
+ } else if (!is_a_multicast_addr(dst32) && iph->ip_ttl < 5 && (iph->ip_p != IP_PROTO_PIM)) {
expert_add_info_format(pinfo, ttl_item, PI_SEQUENCE, PI_NOTE, "\"Time To Live\" only %u", iph->ip_ttl);
}