[Snort-users] snort and tcpdump
jsage at ...2022...
Fri Feb 8 01:06:04 EST 2002
See: man 1 tcpdump -s [snaplen]
-s Snarf snaplen bytes of data from each packet rather than the
default of 68 (with SunOS's NIT, the minimum is actually 96). 68
bytes is adequate for IP, ICMP, TCP and UDP but may truncate proto
col information from name server and NFS packets (see below).
Packets truncated because of a limited snapshot are indicated in
the output with ``[|proto]'', where proto is the name of the proto
col level at which the truncation has occurred. Note that taking
larger snapshots both increases the amount of time it takes to pro
cess packets and, effectively, decreases the amount of packet
buffering. This may cause packets to be lost. You should limit
snaplen to the smallest number that will capture the protocol
information you're interested in. Setting snaplen to 0 means use
the required length to catch whole packets.
and man 8 snort -p [snap-length]
Set the packet snaplen to snap-length
Most people don't type their own logfiles; but, what do I care?
On Thu, Feb 07, 2002 at 11:03:49PM -0800, Ganu Skop wrote:
> hi all,
> got this matter to solve;
> anyone got a paper/reference on tcpdump and snort - a
> reference need it pretty badly.
> as in my opinion, tcpdump by default only capture 60
> bytes of data (no payload) and we need to do the
> filter based on abnormal packet behaviour - more or
> less like shadow ids.
> where as snort has all the feature with rules , stream
> assembly and etc.
> therefore it's better to run snort than capture
> tcpdump and load it back to snort ..right ?
> need ur feedback
More information about the Snort-users