[Snort-users] Snort & tcpdump
Crist J. Clark
cjclark at ...960...
Sat Mar 10 01:40:40 EST 2001
On Fri, Mar 09, 2001 at 06:53:10PM +0100, Guillaume wrote:
> Hi !
> I installed some snort boxes on switched networks.
> As I checked why I was not able to see all the traffic, I noticed that
> tcpdump seems to "see" much more traffic than snort does, using it as a
> packet sniffer, I mean without any rule (something like snort -v net
> With snort I just capture traffic going through and coming from the
> switches (Alteon), when I see more stuff with tcpdump.
> So I am now wondering if I do not miss a lot with my snort boxes (all
> began because I was wondering why I did not capture portscan activities
> since end of February...).
> If anybody or someone (:-)) has an explanation...
Are you running tcpdump like,
# tcpdump ip
Snort only pays attention to IP datagrams. tcpdump will display ARP
and other frames containing non-IP data by default.
Crist J. Clark cjclark at ...485...
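Added example (not part of the thread, and not Snort or tcpdump code): a small libpcap reader that counts frames by EtherType, so the "tcpdump sees more than snort" gap can be measured on a capture rather than eyeballed. The sample capture is constructed inline with placeholder MAC addresses and empty payloads; it mixes IPv4, ARP, an 802.3/LLC frame (the kind switches emit for spanning tree) and a VLAN-tagged IPv4 frame, which is counted by its inner type. The split it reports is the same one you get by comparing `tcpdump -n` against `tcpdump -n ip` on the sensor interface: the difference is the non-IP traffic Snort ignores.

```python
import struct
from collections import Counter

# EtherType values from the IEEE assignments (only the ones the sample uses)
ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def build_frame(ethertype: int, payload: bytes = b"\x00" * 28) -> bytes:
    """Build an Ethernet II frame with placeholder MACs (constructed sample data)."""
    dst = b"\xff\xff\xff\xff\xff\xff"
    src = b"\x02\x00\x00\x00\x00\x01"
    return dst + src + struct.pack("!H", ethertype) + payload


def build_pcap(frames) -> bytes:
    """Wrap frames in a minimal little-endian libpcap file, link type 1 (Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    out = [header]
    for i, frame in enumerate(frames):
        # per-record header: ts_sec, ts_usec, captured length, original length
        out.append(struct.pack("<IIII", 1000000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def classify_frames(pcap: bytes) -> Counter:
    """Parse a libpcap file and count frames by EtherType.

    802.1Q-tagged frames are counted by the encapsulated type; values below
    0x0600 are IEEE 802.3 length fields (LLC/SNAP frames such as STP BPDUs).
    """
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    offset = 24  # skip the 24-byte global header
    counts = Counter()
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[offset:offset + 16])
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 14:
            counts["runt"] += 1
            continue
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == 0x8100 and len(frame) >= 18:
            # VLAN tag: TCI at [14:16], real EtherType at [16:18]
            ethertype = struct.unpack("!H", frame[16:18])[0]
        elif ethertype < 0x0600:
            counts["802.3/LLC"] += 1
            continue
        counts[ETHERTYPE_NAMES.get(ethertype, f"0x{ethertype:04x}")] += 1
    return counts


def ip_vs_total(counts: Counter):
    """Return (frames Snort would consider, frames tcpdump would show by default)."""
    ip = counts["IPv4"] + counts["IPv6"]
    return ip, sum(counts.values())


# Constructed capture: what a sensor on a switched segment might see.
SAMPLE_PCAP = build_pcap([
    build_frame(0x0800),                                        # IPv4
    build_frame(0x0800),                                        # IPv4
    build_frame(0x0806),                                        # ARP
    build_frame(0x0806),                                        # ARP
    build_frame(0x0806),                                        # ARP
    build_frame(0x0026, b"\x42\x42\x03" + b"\x00" * 35),        # 802.3 length 38 + LLC, like an STP BPDU
    build_frame(0x8100, b"\x00\x0a\x08\x00" + b"\x00" * 28),    # VLAN 10 carrying IPv4
])

if __name__ == "__main__":
    c = classify_frames(SAMPLE_PCAP)
    ip, total = ip_vs_total(c)
    print(dict(c))
    print(f"IP frames (what snort looks at): {ip} of {total} captured")
```

Run it against a real file by replacing SAMPLE_PCAP with `open("capture.pcap", "rb").read()`; if the IP count is close to the total, the sensor is seeing the traffic and the remaining gap is broadcast/control-plane chatter, which is expected on a switch.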