[Snort-users] simultaneous snort and tcpdump

Carl Gibbons cgibbons at ...6953...
Sat Sep 21 19:02:02 EDT 2002


Thanks, Bennett and Gary.

I was needlessly complicating matters.  Perhaps I still am: one
reason I want simultaneous snort/tcpdump is that "snort -b" only
seems to record packets on which it finds a rule match, and I want
to record other traffic as well.  Perhaps there's an elegant,
efficient way to do so with a single snort process?  - Carl

Bennett Todd wrote:
> >
> > As far as I know, you can just run your snort and your tcpdump at
> > the same time...

Gary Flynn wrote:
> My experiences are the same as Bennett's. I've got ntop and
> snort running on the same interface and they seem to be
> sharing it fine.
>
> When I first contemplated doing this, I did some superficial
> research that suggested to me that this wouldn't be a problem.
> After diving through pcap code and then into the kernel
> network handling code, I came to the conclusion that all
> pcap applications have a PF_SOCKET open whose packet_rcv()
> functions are sequentially called by the kernel.
>
> This seems to be very nicely documented in the following two
> articles:
>
> http://www.linuxjournal.com/article.php?sid=4852
> and
> http://www.linuxjournal.com/article.php?sid=5617





More information about the Snort-users mailing list