[Snort-users] simultaneous snort and tcpdump
cgibbons at ...6953...
Sat Sep 21 19:02:02 EDT 2002
Thanks, Bennett and Gary.
I was needlessly complicating matters. Perhaps I still am: one
reason I want simultaneous snort/tcpdump is that "snort -b" only
seems to record packets on which it finds a rule match, and I want
to record other traffic as well. Perhaps there's an elegant,
efficient way to do so with a single snort process? - Carl
Bennett Todd wrote:
> > As far as I know, you can just run your snort and your tcpdump at
> > the same time...
Gary Flynn wrote:
> My experiences are the same as Bennett's. I've got ntop and
> snort running on the same interface and they seem to be
> sharing it fine.
> When I first contemplated doing this, I did some superficial
> research that suggested to me that this wouldn't be a problem.
> After diving through pcap code and then into the kernel
> network handling code, I came to the conclusion that all
> pcap applications have a PF_SOCKET open whose packet_rcv()
> functions are sequentially called by the kernel.
> This seems to be very nicely documented in the following two
More information about the Snort-users