[Snort-users] capturing arp

L. Christopher Luther CLuther at ...6333...
Mon Apr 14 10:48:09 EDT 2003


I'm not certified in any particular area, certifiable maybe, but not
certified.  My tests show that both tcpdump and windump (i.e., libpcap and
winpcap, respectively) can "capture" arp packets, or at least filter on them
using BPF filters.  For example: 

	windump -i1 -s256 -e -v arp  

Causes windump to only display arp packets.  

But this doesn't answer your question as to why Snort gaks on an arp rule.
I've not looked at the source code, but maybe Snort isn't designed to handle
arp packets in rules?!  

I'll leave that question for the Snort dev team.  


-----Original Message-----
From: Spencer, Arthur [mailto:Arthur.Spencer at ...8870...]
Sent: Monday, April 14, 2003 8:39 AM
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] capturing arp


In all of my tests you can't capture arp packets because they are
handled in hardware.  If you use Nemesis and generate an ARP packet it
isn't captured by Ethereal or Network General Sniffer.  

* Arthur J. Spencer (CISSP, CCNP, CCDP, MCSE, CNE)
 

-----Original Message-----
From: Patrick Amirian [mailto:pamirian at ...8855...] 
Sent: Friday, April 11, 2003 3:41 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] capturing arp

Hi guys,
I'm trying to capture all arp packets doing


Alert arp any any <> any any

But I'm getting a segfault.
Ideas?

Thank you. 



_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
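
Added example, not part of the original thread: the `arp` filter expression in the windump command above selects frames by the EtherType field (0x0806) at byte offset 12 of the Ethernet header, so ARP is ordinary link-layer traffic to a libpcap/winpcap sniffer. The Python sketch below applies the same test to raw frames and decodes the ARP body; the function name `parse_arp` and the sample frames are constructed for illustration, and the 802.1Q handling goes beyond what the bare `arp` expression tests.

```python
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100          # 802.1Q tag
OPCODES = {1: "request", 2: "reply"}

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def _ip(b):
    return ".".join(str(x) for x in b)

def parse_arp(frame: bytes):
    """Return decoded ARP fields, or None if the frame is not Ethernet/IPv4 ARP."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])   # what `arp` checks
    offset, tagged = 14, False
    if ethertype == ETHERTYPE_VLAN:                    # skip one 802.1Q tag
        if len(frame) < 18:
            return None
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset, tagged = 18, True
    if ethertype != ETHERTYPE_ARP or len(frame) < offset + 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[offset:offset + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                                    # not Ethernet/IPv4 ARP
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[offset + 8:offset + 28])
    return {
        "op": OPCODES.get(oper, f"unknown({oper})"),
        "sender_mac": _mac(sha), "sender_ip": _ip(spa),
        "target_mac": _mac(tha), "target_ip": _ip(tpa),
        "vlan_tagged": tagged,
    }

# Constructed sample: broadcast "who-has 192.0.2.1 tell 192.0.2.10"
ARP_REQUEST = bytes.fromhex(
    "ffffffffffff" "02000000000a" "0806"       # dst, src, EtherType = ARP
    "0001" "0800" "06" "04" "0001"             # htype, ptype, hlen, plen, oper
    "02000000000a" "c000020a"                  # sender MAC / IP
    "000000000000" "c0000201"                  # target MAC / IP
)
# Constructed sample: an IPv4 frame (EtherType 0x0800) with a dummy payload
IPV4_FRAME = bytes.fromhex("ffffffffffff" "02000000000a" "0800") + bytes(28)

if __name__ == "__main__":
    for name, frame in (("arp", ARP_REQUEST), ("ipv4", IPV4_FRAME)):
        print(name, parse_arp(frame))
```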

