[Snort-users] Snort outputing like tcpdump

Erek Adams erek at ...950...
Fri Jan 17 09:31:02 EST 2003


On Fri, 17 Jan 2003, Christopher Lyon wrote:

> Is there a way not to log the payload?

Short answer:  No.

Longer answer:  I don't have my Stevens book handy right now, it's
somewhere buried in a moving box, so this info isn't as accurate as I would
like.  Different types of packets have different header sizes.  One may
have 40 bytes, one may have 60 bytes, etc.  As I said, Tcpdump grabs 68
bytes of the packet and works with that.  Snort grabs 1514 bytes.  If you
want to change how much Snort grabs, use the -P command line option.
snort -P 68 will have Snort reading exactly as Tcpdump would.

If you're attempting to use that for Intrusions, it's all but worthless.
If you're trying to do it for tracking your users, just use tcpdump,
urlsnarf, or something like that.  If you're trying to get it into a DB,
modify the db output plugin not to send the payload once it's got the
headers decoded.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
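An added example (not code from the thread or from Snort), assuming untagged Ethernet/IPv4 frames: it decodes the IPv4 IHL and TCP data offset so the payload can be cut exactly where the headers end, and shows why a fixed 68-byte snaplen (tcpdump's default, or snort -P 68) still leaks a few payload bytes on a minimal TCP packet while options push the header past it.

```python
import struct

ETH_LEN = 14  # Ethernet II header, no VLAN tag (assumption for this example)

def header_end(frame: bytes) -> int:
    """Offset where the L3/L4 headers end in an Ethernet/IPv4 frame.

    Reads the IPv4 IHL and the TCP data offset, so IP and TCP options count
    as header.  Non-IPv4, non-TCP/UDP, or truncated frames are treated as
    all-header so nothing of them is stripped.
    """
    if len(frame) < ETH_LEN or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return len(frame)
    ihl = (frame[ETH_LEN] & 0x0F) * 4          # IPv4 header length in bytes
    l4 = ETH_LEN + ihl
    if ihl < 20 or len(frame) < l4:
        return len(frame)
    proto = frame[ETH_LEN + 9]
    if proto == 6 and len(frame) >= l4 + 13:   # TCP: data offset lives in byte 12
        return min(len(frame), l4 + (frame[l4 + 12] >> 4) * 4)
    if proto == 17:                            # UDP: fixed 8-byte header
        return min(len(frame), l4 + 8)
    return len(frame)

def strip_payload(frame: bytes) -> bytes:
    """Keep the decoded headers, drop the payload (what an output plugin could do)."""
    return frame[:header_end(frame)]

def payload_bytes_kept(frame: bytes, snaplen: int) -> int:
    """Payload bytes that survive a fixed snaplen such as tcpdump -s 68 / snort -P 68."""
    return max(0, min(len(frame), snaplen) - header_end(frame))

def build_frame(tcp_options: bytes = b"", payload: bytes = b"") -> bytes:
    """Constructed sample frame: Ethernet + IPv4 (no options) + TCP + payload, checksums zeroed."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    tcp_len = 20 + len(tcp_options)            # options must be padded to a multiple of 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len + len(payload), 0x1234,
                     0x4000, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tcp_len // 4) << 4,
                      0x18, 65535, 0, 0) + tcp_options
    return eth + ip + tcp + payload

if __name__ == "__main__":
    req = b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n"     # constructed payload
    plain = build_frame(payload=req)                             # 14 + 20 + 20 = 54 header bytes
    opts = build_frame(tcp_options=bytes.fromhex("020405b4 01010402 01010100"), payload=req)
    for name, f in (("no options", plain), ("12 bytes of TCP options", opts)):
        print(f"{name}: headers end at {header_end(f)}, snaplen 68 keeps "
              f"{payload_bytes_kept(f, 68)} payload byte(s), stripped frame is {len(strip_payload(f))} bytes")
```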