[Snort-users] snort and tcpdump

John Sage jsage at ...2022...
Fri Feb 8 01:06:04 EST 2002

See: man 1 tcpdump -s [snaplen]

-s  Snarf  snaplen  bytes  of  data  from  each  packet rather than the
default of 68 (with SunOS's NIT, the minimum is actually  96).   68
bytes is adequate for IP, ICMP, TCP and UDP but may truncate proto­
col information from name  server  and  NFS  packets  (see  below).
Packets  truncated  because  of a limited snapshot are indicated in
the output with ``[|proto]'', where proto is the name of the proto­
col  level  at which the truncation has occurred.  Note that taking
larger snapshots both increases the amount of time it takes to pro­
cess  packets  and,  effectively,  decreases  the  amount of packet
buffering.  This may cause packets to be lost.   You  should  limit
snaplen  to  the  smallest  number  that  will capture the protocol
information you're interested in.  Setting snaplen to 0  means  use
the required length to catch whole packets.

and man 8 snort -p [snap-length]

-P  snap-length
Set the packet snaplen to snap-length


- John

Most people don't type their own logfiles;  but, what do I care?

On Thu, Feb 07, 2002 at 11:03:49PM -0800, Ganu Skop wrote:
> hi all,
> got this matter to solve;
> anyone got a paper/reference  on tcpdump and snort - a
> reference need it pretty badly.
> as in my opinion, tcpdump by default only capture 60
> bytes of data (no payload) and we need to do the
> filter based on abnormal packet behaviour - more or
> less like shadow ids.
> where as snort has all the feature with rules , stream
> assembly and etc.
> therefore it's better to run snort than capture
> tcpdump and load it back to snort ..right ?
> need ur feedback
> =====
> //skopganu

More information about the Snort-users mailing list