[Snort-users] -b binary logging question

John Sage jsage at ...2022...
Mon Sep 2 21:49:02 EDT 2002


Having a discussion off-list about the -b binary logging switch, and
suddenly I'm wondering...

Does the -b binary logging switch *always* record all packets on the
interface?

Or is the set of packets logged by -b changed when one starts to
specify a snort.conf and thus check the packets against rules, whether
alerts or passes?


"If you're on a high speed network or you want to log the packets into
a more compact form for later analysis you should consider logging in
"binary mode". Binary mode logs the packets in "tcpdump format" to a
single binary file in the logging directory:

./snort -l ./log -b

Note the command line changes here. We don't need to specify a home
network any longer because binary mode logs everything into a single
file, which eliminates the need to tell it how to format the output
directory structure."


This implies that -b gets everything.

OK: does it *always* get everything?


- John
-- 
"In those days, you could not buy a $2000 200MHz Pentium server."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
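One way to settle the question empirically rather than from the docs is to inspect what actually landed in the -b file: it is plain libpcap ("tcpdump format"), so a few lines of struct parsing can count the records and break them down by IP protocol, and a run with and without -c snort.conf can then be compared side by side. The script below is an added example for this thread, not code from the original post or from the Snort project; the sample frames it summarizes are constructed in memory (it does not read a real -b file unless you pass one as the only argument), and it assumes Ethernet link-layer captures with microsecond timestamps. It also stops cleanly at a truncated trailing record, which is what a -b file looks like when Snort is killed mid-write.

```python
"""Count and classify packets in a libpcap ("tcpdump format") file such as the
one Snort writes with -b.  Constructed example: the frames built by
ipv4_frame() below are hand-assembled, not captured traffic."""
import struct
import sys
from collections import Counter

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
ETHERNET = 1  # libpcap linktype for Ethernet


def ipv4_frame(proto, payload_len=8):
    """Build a minimal Ethernet + IPv4 frame carrying IP protocol `proto`.
    Constructed test data; checksums are left at zero on purpose."""
    eth = (b"\x00\x11\x22\x33\x44\x55"     # dst MAC (made up)
           + b"\x66\x77\x88\x99\xaa\xbb"   # src MAC (made up)
           + b"\x08\x00")                  # ethertype IPv4
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + payload_len, 0x1234, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + b"\x00" * payload_len


def build_pcap(frames, snaplen=1514, little_endian=True):
    """Serialize frames into a libpcap v2.4 file image (what -b produces)."""
    e = "<" if little_endian else ">"
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    out = [struct.pack(e + "IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, snaplen, ETHERNET)]
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        # record header: ts_sec, ts_usec, incl_len, orig_len
        out.append(struct.pack(e + "IIII", 1030000000 + i, 0,
                               len(captured), len(frame)))
        out.append(captured)
    return b"".join(out)


def classify(pkt):
    """Return a short protocol label for one Ethernet frame."""
    if len(pkt) < 14:
        return "short"
    ethertype = struct.unpack("!H", pkt[12:14])[0]
    if ethertype != 0x0800:
        return "non-ip-0x%04x" % ethertype
    if len(pkt) < 14 + 20:
        return "ip-short"
    proto = pkt[14 + 9]  # IPv4 protocol field
    return PROTO_NAMES.get(proto, "ip-proto-%d" % proto)


def summarize_pcap(data):
    """Walk a libpcap image and return (count, Counter of labels, truncated).
    `truncated` is True if the file ends inside a record header or body."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # written by a little-endian host
        e = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":    # written by a big-endian host
        e = ">"
    else:
        raise ValueError("unknown pcap magic %r" % magic)
    _magic, _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(
        e + "IHHiIII", data[:24])
    if linktype != ETHERNET:
        raise ValueError("example only handles Ethernet, got linktype %d" % linktype)
    offset, count, protos, truncated = 24, 0, Counter(), False
    while offset < len(data):
        if offset + 16 > len(data):
            truncated = True
            break
        _sec, _usec, incl_len, _orig = struct.unpack(e + "IIII", data[offset:offset + 16])
        offset += 16
        if incl_len > snaplen or offset + incl_len > len(data):
            truncated = True
            break
        protos[classify(data[offset:offset + incl_len])] += 1
        offset += incl_len
        count += 1
    return count, protos, truncated


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:   # e.g. ./log/snort.log.<timestamp>
            image = fh.read()
    else:
        image = build_pcap([ipv4_frame(6), ipv4_frame(6), ipv4_frame(17), ipv4_frame(1)])
    n, by_proto, cut = summarize_pcap(image)
    print("packets:", n, dict(by_proto), "truncated:", cut)
```

Run it once against the file from `snort -l ./log -b` and once against the file from the same capture window with `-c snort.conf` added; if the counts differ, the rule set is selecting what -b records, and the per-protocol breakdown shows which traffic went missing.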