[Snort-users] Running Snort in Sniffer mode
mkettler at ...4108...
Thu Apr 22 14:40:00 EDT 2004
At 12:05 PM 4/22/2004, Marlon.Richards at ...11130... wrote:
>I have the Engage security EagleX package running on a windows2000 box. It
>is a flavour of snort, msql and ACID. I think the default config is that of
>an IDS but I would like to configure it as a sniffer that would allow me
>to collect any analysis data on a continual basis. I have ethereal but it
>cannot continuously collect data. Are there any open source solutions that
>do that (something similar to NIA's Sniffer Portable)?
AFAIK Snort's sniffer mode doesn't really log to databases.. it's
more-or-less the same as tcpdump. It just pumps packets to the screen and
It should also be noted that "Sniffer Portable" isn't really a sniffer in
the conventional sense. Sniffers log packets. Sniffer Portable logs traffic
statistics, and conversational flows without logging data.
As far as ethereal goes, why can't you run it continuously? Doesn't it
have an option to force over-writing of the buffer when the buffer gets full?
Packetyzer (an ethereal port to windows) seems to handle that mode quite
well, although I've never tried to run it forever, I have run it well past
the buffer limits.
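As an added example, not part of this thread and not code from Snort, tcpdump or Ethereal: the "over-write the buffer when it gets full" behaviour the reply refers to, written in Python as a small ring-buffer pcap writer. Packets are appended to numbered pcap files, a new file is started when the current one would exceed a byte limit, and the oldest file is deleted once more than a fixed number exist, so collection can run continuously with a bounded disk footprint. The on-disk layout is the standard libpcap format (the magic, 24-byte global header and 16-byte record header are the real ones, so the output opens in Ethereal/Wireshark, tcpdump or Snort's `-r`); the frames, sizes and counts in `demo()` are constructed.

```python
"""Ring-buffer pcap writer: continuous packet logging with a fixed disk budget.
Constructed example; not Snort, tcpdump or Ethereal code."""
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")   # libpcap file header, 24 bytes
RECORD_HDR = struct.Struct("<IIII")      # per-packet header, 16 bytes


def pcap_global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """Standard libpcap file header (little-endian, version 2.4)."""
    return GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts, frame):
    """One packet record: seconds, microseconds, captured length, wire length."""
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return RECORD_HDR.pack(sec, usec, len(frame), len(frame)) + frame


class RingPcapWriter:
    """Writes packets into numbered pcap files, rotating when a file would
    exceed max_bytes and deleting the oldest once more than max_files exist."""

    def __init__(self, directory, prefix="cap", max_bytes=1_000_000, max_files=3):
        self.directory = directory
        self.prefix = prefix
        self.max_bytes = max_bytes
        self.max_files = max_files
        self.seq = 0
        self.files = []      # paths still on disk, oldest first
        self.fh = None
        self.size = 0

    def _open_new(self):
        if self.fh:
            self.fh.close()
        path = os.path.join(self.directory, f"{self.prefix}{self.seq:06d}.pcap")
        self.seq += 1
        self.fh = open(path, "wb")
        self.fh.write(pcap_global_header())
        self.size = GLOBAL_HDR.size
        self.files.append(path)
        # Ring behaviour: discard the oldest file instead of growing forever.
        while len(self.files) > self.max_files:
            os.remove(self.files.pop(0))

    def write(self, ts, frame):
        rec = pcap_record(ts, frame)
        if self.fh is None or self.size + len(rec) > self.max_bytes:
            self._open_new()
        self.fh.write(rec)
        self.size += len(rec)

    def close(self):
        if self.fh:
            self.fh.close()
            self.fh = None


def count_packets(path):
    """Walk a pcap file and return its record count (verifies the magic first)."""
    with open(path, "rb") as f:
        magic = GLOBAL_HDR.unpack(f.read(GLOBAL_HDR.size))[0]
        if magic != PCAP_MAGIC:
            raise ValueError("not a little-endian pcap file")
        n = 0
        while True:
            hdr = f.read(RECORD_HDR.size)
            if len(hdr) < RECORD_HDR.size:
                return n
            _, _, caplen, _ = RECORD_HDR.unpack(hdr)
            f.read(caplen)
            n += 1


def demo(n_packets=17, per_file=5, max_files=3):
    """Constructed run: 60-byte dummy Ethernet frames into files sized to hold
    exactly `per_file` records. Returns (files kept, packets per file, total kept)."""
    frame = bytes(60)                        # constructed placeholder, not real traffic
    record_len = RECORD_HDR.size + len(frame)
    max_bytes = GLOBAL_HDR.size + per_file * record_len
    tmp = tempfile.mkdtemp()
    w = RingPcapWriter(tmp, max_bytes=max_bytes, max_files=max_files)
    for i in range(n_packets):
        w.write(1_000_000_000 + i * 0.5, frame)
    w.close()
    counts = [count_packets(p) for p in w.files]
    return len(w.files), counts, sum(counts)


if __name__ == "__main__":
    print(demo())    # (3, [5, 5, 2], 12): 17 packets, 5 per file, oldest file dropped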