[Snort-devel] Problems with finding original data packets?

Erek Adams erek at ...835...
Fri Jul 18 05:49:24 EDT 2003


On Thu, 17 Jul 2003, ANDREW TING ZHOU wrote:

> I'm trying to read original data packets in terms of the source/target IP
> in the alert file. Original data packets are not always kept in same
> place, sometime in source directories and sometime in target directories.
>
> Is there a way that I can find original data packets from the alert file?
> What is the naming convention for files in source/target directories?

Save yourself some time, effort and hassle--log to binary.  Use the output
tcpdump plugin and store the packets on disk in binary form.  Once they
are there, you can come back and look at the packets in their original
format.  That way you don't deal with the logging issues from the
one-directory-per-IP method.

	snort -dvr <file> 'host 10.10.10.10'

That would give you all of the packets that caused an alert going to or
from 10.10.10.10.  And yes, you can use any BPF filter expression you
wish.  :)

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
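The reply above answers the original question by pointing at the binary log: once the tcpdump output plugin has written packets in libpcap format, any pcap reader can pull out the packets for a given host with a BPF expression such as `host 10.10.10.10` (`snort -dvr` as shown, or `tcpdump -r <file> 'host 10.10.10.10'`). The following added example, which is not part of the mailing-list post or of Snort itself, shows what that read-back does under the hood: it builds a small constructed pcap file in memory, walks the libpcap record headers, decodes the Ethernet/IPv4 framing, and keeps the packets whose source or destination address matches, i.e. the `host` primitive. The function and constant names (`build_pcap`, `iter_pcap`, `parse_ipv4`, `packets_for_host`, `SAMPLE_LOG`) and the sample packets are assumptions made for the example; checksums in the constructed frames are left at zero.

```python
import ipaddress
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4      # little-endian libpcap magic, microsecond timestamps
PCAP_MAGIC_BE = 0xD4C3B2A1      # same magic read from a big-endian file
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def build_pcap(packets):
    """Assemble a libpcap-format capture from (ts_sec, ts_usec, frame) tuples.
    This is the on-disk format the tcpdump output plugin writes."""
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535,
                             LINKTYPE_ETHERNET)
    out = [global_hdr]
    for ts_sec, ts_usec, frame in packets:
        # per-record header: ts_sec, ts_usec, captured length, original length
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def ipv4_frame(src, dst, proto, payload=b""):
    """Constructed Ethernet II + IPv4 frame (example data; IP checksum left 0)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return eth + ip + payload


def iter_pcap(data):
    """Yield (ts_sec, ts_usec, frame) for every record in a libpcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (magic 0x%08x)" % magic)
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(
            endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        yield ts_sec, ts_usec, frame


def parse_ipv4(frame):
    """Return (src, dst, proto) for an Ethernet II/IPv4 frame, else None."""
    if len(frame) < 34:                      # 14-byte Ethernet + 20-byte IPv4 minimum
        return None
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ver_ihl = frame[14]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(frame) < 14 + ihl:
        return None
    proto = frame[14 + 9]
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    return src, dst, proto


def packets_for_host(data, host):
    """Equivalent of the BPF primitive 'host <ip>': keep packets going to or
    from the address. Returns (ts_sec, ts_usec, src, dst, proto) tuples."""
    matches = []
    for ts_sec, ts_usec, frame in iter_pcap(data):
        parsed = parse_ipv4(frame)
        if parsed is None:
            continue
        src, dst, proto = parsed
        if host in (src, dst):
            matches.append((ts_sec, ts_usec, src, dst, proto))
    return matches


# Constructed sample log: three packets, two of them involving 10.10.10.10.
SAMPLE_LOG = build_pcap([
    (1058512164, 0, ipv4_frame("192.168.1.5", "10.10.10.10", 6, b"GET / HTTP/1.0\r\n")),
    (1058512165, 500, ipv4_frame("10.10.10.10", "192.168.1.5", 6)),
    (1058512166, 0, ipv4_frame("192.168.1.7", "192.168.1.8", 17)),
])

if __name__ == "__main__":
    for rec in packets_for_host(SAMPLE_LOG, "10.10.10.10"):
        print(rec)
```

Pointing `packets_for_host` at the bytes of a real `snort.log.*` file works the same way, since the reader only depends on the libpcap record layout and the Ethernet link type; non-IPv4 frames are skipped rather than raising, and a file whose link type is not Ethernet (for example a capture taken on a raw IP or PPP interface) is rejected up front instead of being mis-decoded.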
