[Snort-users] -b binary logging question
jsage at ...2022...
Mon Sep 2 21:49:02 EDT 2002
Having a discussion off-list about the -b binary logging switch, and
suddenly I'm wondering...
Does the -b binary logging switch *always* record all packets on the
Or is the set of packets logged by -b changed when one starts to
specify a snort.conf and thus check the packets against rules, whether
alerts or passes?
"If you're on a high speed network or you want to log the packets into
a more compact form for later analysis you should consider logging in
"binary mode". Binary mode logs the packets in "tcpdump format" to a
single binary file in the logging directory:
./snort -l ./log -b
Note the command line changes here. We don't need to specify a home
network any longer because binary mode logs everything into a single
file, which eliminates the need to tell it how to format the output
This implies that -b gets everything.
OK: does it *always* get everything?
"In those days, you could not buy a $2000 200MHz Pentium server."
PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
More information about the Snort-users