[Snort-users] Snort & tcpdump

Crist J. Clark cjclark at ...960...
Sat Mar 10 01:40:40 EST 2001

On Fri, Mar 09, 2001 at 06:53:10PM +0100, Guillaume wrote:
> Hi !
> I installed some snort boxes on switched networks.
> As I checked why I was not able to see all the traffic, I notided that
> tcpdump seems to "see" much more traffic than snort does, using it as a
> packet sniffer, I mean without any rule (something like snort -v net
> 172.10.0...).
> With snort I just capture traffic going through and coming from the
> switches (Alteon), when I see more stuff with tcpdump.
> So I am now wondering if I do not miss a lot with my snort boxes (all
> began because I was wondering why I did not captured portscan activities
> since end of February...).
> If anybody or someone (:-)) has an explanation...

Are you running tcpdump like,

  # tcpdump ip

Snort only pays attention to IP datagrams. tcpdump will display ARP
and other frames containing non-IP data by default.
Crist J. Clark                           cjclark at ...485...

More information about the Snort-users mailing list