[Snort-users] Packet payload

Erek Adams erek at ...577...
Sat Jun 8 20:12:02 EDT 2002

On Sat, 8 Jun 2002, Ashley Thomas wrote:

> When a snort alert happens, can we see the
> packet payload that caused this alert?
> The logging that was created contained only as much info as the
> alert...
> Any pointers?

Perhaps....  First off, we need to know a few things since that makes a
difference on how/where to find data.

	What type of logging?  ASCII, Binary?

	If ASCII, the packet payload should be inside the dir you
specified with the "-l <dirname>".  You should find these files in
/var/log/snort unless you picked somewhere else with the command-line switch.
It will be broken down in the format <IP>/<type_of_traffic>:<ports>.  This is
also known as ASCII logging.

	If it's binary logging ("-b" option) then it's located in the binary
file inside of the /var/log/snort dir or wherever you placed it with '-l
<logdir>'.  Then simply use 'snort -vader <filename> -l <logdir>' to dump out
all the packets in the binary logs.

	If you're just getting alerts--You can't see the data.  You didn't
store it anywhere.  :(

	Hope that helps!

Erek Adams
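
The three cases in the reply above, as an added example that is not part of the original post or of Snort itself: a shell function that reports which kind of logging a Snort log directory holds. It assumes binary ("-b") logs are tcpdump-format files, recognised by the pcap magic number, and that ASCII logging leaves per-IP subdirectories; the function names are hypothetical.

```shell
#!/bin/sh
# Classify a Snort log directory by where (if anywhere) packet payloads live.
# Prints one of:
#   binary       a tcpdump-format log exists; replay it with snort to see payloads
#   ascii        per-IP directories with decoded packet files exist
#   alerts-only  neither was found, so no payload was stored

# True when the file starts with the tcpdump/pcap magic number (either byte order).
is_pcap() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "d4c3b2a1" ] || [ "$magic" = "a1b2c3d4" ]
}

# True when the directory name looks like a dotted IPv4 address
# and the directory holds at least one file.
is_ascii_host_dir() {
    case $(basename "$1") in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;   # non-digit chars or malformed dots
        *.*.*.*) ;;                          # at least three dots: accept
        *) return 1 ;;
    esac
    [ -n "$(find "$1" -type f 2>/dev/null | head -n 1)" ]
}

# Usage: snort_log_kind [logdir]   (default: /var/log/snort)
snort_log_kind() {
    logdir=${1:-/var/log/snort}
    for entry in "$logdir"/*; do
        if [ -f "$entry" ] && is_pcap "$entry"; then
            echo binary; return 0
        fi
    done
    for entry in "$logdir"/*; do
        if [ -d "$entry" ] && is_ascii_host_dir "$entry"; then
            echo ascii; return 0
        fi
    done
    echo alerts-only
}
```

Source the file and call `snort_log_kind /var/log/snort`, or pass whatever directory was given with "-l".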

