[Snort-users] -d packet capture

Erek Adams erek at ...577...
Sat Sep 22 06:57:02 EDT 2001

On Fri, 21 Sep 2001, Greg Sarsons wrote:

> Is there a way to not grab the whole packet with snort?  For example in
> tcpdump I can set the size.

Yeppers.  From 'snort -?' you get...

        -P <snap>  set explicit snaplen of packet (default: 1514)

If tcpdump behavior is what you want set it to 63.

> If I don't want to grab the whole packet am I better off grabbing with
> tcpdump and then using snort after?

No, not since you can do what you want. :)

> When dumping to a binary file, is either snort or tcpdump (grabbing the
> whole packet) more efficient?

I don't know.  :)  I'd love to say snort, but I've not done any testing to see
how fast it can just dump packets as compared to tcpdump.  IIRC there was
someone on the list who was trying to do just such a comparison.  You might
be able to track them down through the archives.

Good luck!

Erek Adams
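As an added illustration (not part of the thread above), the Python script below builds a constructed libpcap file the way a `-P 63` / `tcpdump -s 63` capture would look, then walks the records to show what a 63-byte snaplen leaves of each Ethernet/IPv4/TCP packet: the headers survive, but almost no payload does. The frame contents and timestamps are made-up sample data.

```python
import struct

ETH_LEN = 14  # Ethernet II header length; linktype 1 in the pcap header

def build_pcap(snaplen, frames):
    """Write a minimal libpcap file: each record stores the captured length
    (capped at snaplen) next to the original wire length, as snort -b or tcpdump -w do."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    records = []
    for ts, frame in frames:
        captured = frame[:snaplen]
        records.append(struct.pack("<IIII", ts, 0, len(captured), len(frame)) + captured)
    return header + b"".join(records)

def tcp_frame(payload, flags=0x18):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero) carrying payload."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp + payload

def snaplen_report(pcap):
    """Per record: was it truncated, and how many payload bytes remain after the
    L2-L4 headers? That remainder is all a content-matching rule could inspect."""
    magic, _, _, _, _, snaplen, _ = struct.unpack("<IHHiIII", pcap[:24])
    assert magic == 0xA1B2C3D4, "only native-endian classic pcap handled here"
    off = 24
    report = {"snaplen": snaplen, "packets": 0, "truncated": 0, "payload_captured": []}
    while off < len(pcap):
        _, _, caplen, origlen = struct.unpack("<IIII", pcap[off:off + 16])
        pkt = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        report["packets"] += 1
        if caplen < origlen:
            report["truncated"] += 1
        try:
            ihl = (pkt[ETH_LEN] & 0x0F) * 4            # IPv4 header length
            doff = (pkt[ETH_LEN + ihl + 12] >> 4) * 4  # TCP data offset
        except IndexError:  # snaplen cut into the headers themselves
            report["payload_captured"].append(0)
            continue
        report["payload_captured"].append(max(0, caplen - (ETH_LEN + ihl + doff)))
    return report

# Constructed sample capture at the 63-byte snaplen discussed in the thread.
SAMPLE = build_pcap(63, [
    (1001100000, tcp_frame(b"GET /index.html HTTP/1.0\r\nHost: example\r\n\r\n")),
    (1001100001, tcp_frame(b"", flags=0x02)),  # bare SYN: 54 bytes, fits whole
])

if __name__ == "__main__":
    print(snaplen_report(SAMPLE))
```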

