[Snort-users] Re: ARP Spoof does not show MAC

Stephen W. Thompson thompson+snort at ...1016...
Fri Apr 2 07:36:11 EST 2004

"Kim Wall" <kwall at ...10348...> wrote:

> I was hoping someone can clue me in on what is happening. I am using
> Snort with packet sampling. I currently have my entire network sending
> sampled packets to a single Snort sensor. Obviously, I have had to trim
> the rules files in order to make sense in a sampled environment. I have
> recently configured ARP Spoof, but the alerts in the alert file do not
> include the MAC address of the offending datagram (the one performing
> ARP poisoning).

I discovered similar behavior last week, by chance.  Even with the
-e and the -X flags, I could not get "snort -dv 'arp'" to show the
MAC addresses, and I, too, was trying to understand ARP poisoning.

I switched to tcpdump (with "-v -v -n -l -x -e -s 2000" flags) and
found that it *did* show MAC addresses, even for packets saved by snort
and for which snort still did not show MACs.  So for now, I use tcpdump
for that situation (and for non IP traffic), and snort otherwise.
(Yeah, I could throw ethereal into the mix, too...)

However, after that work, I return to a theme that's been mentioned
several times before in this forum.  When analyzing MACs on a subnet,
arpwatch may be a more appropriate tool than snort.  [Caveat: I've not
used the plugins for snort such as ARP Spoof yet.]

En paz,

More information about the Snort-users mailing list