[Snort-users] Snort outputting like tcpdump

Christopher Lyon cslyon at ...6523...
Sun Jan 19 10:06:02 EST 2003

Got it,
So I would be better off using tcpdump, ethereal or something like that
to capture what I want and log it to a separate database.

> -----Original Message-----
> From: Erek Adams [mailto:erek at ...950...]
> Sent: Friday, January 17, 2003 9:21 AM
> To: Christopher Lyon
> Cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Snort outputting like tcpdump
> On Fri, 17 Jan 2003, Christopher Lyon wrote:
> > Is there a way not to log the payload?
> Short answer:  No.
> Longer answer:  I don't have my Stephens book handy right now, it's
> somewhere buried in a moving box, so this info isn't as accurate as I
> like.  Different types of packets have different header sizes.  One
> have 40 bytes, one may have 60 bytes, etc.  As I said, Tcpdump grabs
> bytes of the packet and works with that.  Snort grabs 1514 bytes.  If
> you want to change how much Snort grabs, use the -P command line option.
> snort -P 68 will have Snort reading exactly as Tcpdump would.
> If you're attempting to use that for Intrusions, it's all but
> If you're trying to do it for tracking your users, just use tcpdump,
> urlsnarf, or something like that.  If you're trying to get it into a
> modify the db output plugin not to send the payload once it's got the
> headers decoded.
> Cheers!
> -----
> Erek Adams
>    "When things get weird, the weird turn pro."   H.S. Thompson
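The point in the quoted reply is that `-P` sets the capture snaplen, and a 68-byte snaplen (the classic tcpdump default) keeps the link, IP and TCP headers but cuts off almost all of the payload. The script below is an added example, not code from the thread or from Snort: it builds an Ethernet/IPv4/TCP frame with made-up addresses and ports, truncates it the way libpcap would for a given snaplen, and then decodes what survives. Note that "almost all" is the operative phrase: with a plain 20-byte TCP header (14 + 20 + 20 = 54 header bytes) the first 14 bytes of payload still get captured at snaplen 68, and with the common 12-byte timestamp option block only 2 bytes do. A VLAN tag (4 more bytes) or IPv6 (40-byte header) shifts that arithmetic again, so "-P 68" is a header-plus-a-little capture, not a guaranteed payload-free one.

```python
"""Added example (not from the Snort-users thread or the Snort source):
what a tcpdump-style snaplen actually keeps of an Ethernet/IPv4/TCP frame.

The frame is constructed inline; MACs, IPs and ports are made up."""
import struct

ETH_LEN = 14
SNAPLEN_TCPDUMP = 68      # classic tcpdump default; "snort -P 68" matches it
SNAPLEN_SNORT = 1514      # Snort's default per the thread: a full Ethernet frame


def build_frame(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Ethernet + IPv4 + TCP (+ options) + payload, with made-up addresses."""
    assert len(tcp_options) % 4 == 0 and len(tcp_options) <= 40
    tcp_hdr_len = 20 + len(tcp_options)
    ip_total = 20 + tcp_hdr_len + len(payload)
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, ip_total, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    data_offset = (tcp_hdr_len // 4) << 4          # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset, 0x18, 65535, 0, 0)
    return eth + ip + tcp + tcp_options + payload


def capture(frame: bytes, snaplen: int) -> bytes:
    """What a libpcap capture with this snaplen hands to the application."""
    return frame[:snaplen]


def parse(captured: bytes) -> dict:
    """Decode whichever headers a snaplen-truncated capture still contains."""
    info = {"eth": False, "ip": False, "tcp": False, "tcp_options_complete": False,
            "payload_captured": 0, "payload_truncated": True}
    if len(captured) < ETH_LEN:
        return info
    info["eth"] = True
    ethertype = struct.unpack("!H", captured[12:14])[0]
    if ethertype != 0x0800 or len(captured) < ETH_LEN + 20:
        return info
    ihl = (captured[ETH_LEN] & 0x0F) * 4
    ip_total = struct.unpack("!H", captured[ETH_LEN + 2:ETH_LEN + 4])[0]
    if len(captured) < ETH_LEN + ihl:
        return info
    info["ip"] = True
    tcp_off = ETH_LEN + ihl
    if len(captured) < tcp_off + 20:
        return info
    info["tcp"] = True          # ports, seq/ack and flags live in the first 20 bytes
    tcp_len = (captured[tcp_off + 12] >> 4) * 4
    if len(captured) < tcp_off + tcp_len:
        return info
    info["tcp_options_complete"] = True
    payload_start = tcp_off + tcp_len
    full_payload = ip_total - ihl - tcp_len
    info["payload_captured"] = len(captured) - payload_start
    info["payload_truncated"] = info["payload_captured"] < full_payload
    return info


def payload_bytes_kept(snaplen: int, tcp_options: bytes = b"") -> int:
    """How many bytes of a 200-byte payload survive at the given snaplen."""
    frame = build_frame(b"X" * 200, tcp_options)
    return parse(capture(frame, snaplen))["payload_captured"]


if __name__ == "__main__":
    # NOP, NOP, timestamp: the 12-byte option block most modern TCP stacks send
    ts_opts = b"\x01\x01\x08\x0a" + b"\x00" * 8
    for label, opts in (("no options", b""), ("timestamp options", ts_opts)):
        for snaplen in (SNAPLEN_TCPDUMP, SNAPLEN_SNORT):
            print(f"{label:18s} snaplen={snaplen:5d} payload bytes kept="
                  f"{payload_bytes_kept(snaplen, opts)}")
```

Run it stand-alone to see the two rows for snaplen 68 next to the two for 1514; the `parse` result's `tcp_options_complete` flag is the one to watch if you ever lower the snaplen below 68, since a 40-byte option block (14 + 20 + 60 = 94 bytes) is already longer than tcpdump's old default.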
