[Snort-users] Running Snort in Sniffer mode

Matt Kettler mkettler at ...4108...
Thu Apr 22 14:40:00 EDT 2004


At 12:05 PM 4/22/2004, Marlon.Richards at ...11130... wrote:
>I have the Engage security EagleX package running on a windows2000 box. It
>is a flavour of snort, msql and ACID. I think the default config is that of
>and IDS but i would like to configure it as a sniffer that would allow me
>collect any analysis data on a continual basis. I have ethereal but it
>cannot continuously collect data. Are there any open source solutions that
>do that (something similar to NIA's Sniffer Portable).?

AFAIK Snort's sniffer mode doesn't really log to databases.. it's 
more-or-less the same as tcpdump. It just pumps packets to the screen and 
that's all.

It should also be noted that "Sniffer Portable" isn't really a sniffer in 
the conventional sense. Sniffers log packets. Sniffer Portable logs traffic 
statistics, and conversational flows without logging data.

As far as ethereal goes, why can't you run it continuously?  Doesn't it 
have an option to force over-writing of the buffer when the buffer get's full?
Packetyzer (an ethereal port to windows) seems to handle that mode quite 
well, although I've never tried to run it forever, I have run it well past 
the buffer limits.







More information about the Snort-users mailing list