[Snort-users] snort and packet sniffing

Stef stefmit at ...11827...
Wed Aug 18 18:30:01 EDT 2004


The one reason I could think of would be the formatting and output values
of one compared to the other, perhaps?!

--- sample tcpdump:

19:46:30.149248 00:10:db:20:e6:c2 > 00:0a:95:a9:e3:60, ethertype IPv4,
length 78: IP (tos 0x0, ttl  50, id 38278, offset 0, flags [DF],
length: 60) p20.www.dcn.yahoo.com.http > 172.19.3.230.60836: S [tcp
sum ok] 2888742917:2888742917(0) ack 3825328951 win 65535 <mss
1460,nop,wscale 1,nop,nop,timestamp 553709764 2833864592>
0x0000   4500 003c 9586 4000 3206 b4ff d86d 75cf        E..<..@.2....mu.
0x0010   ac13 03e6 0050 eda4 ac2e b805 e401 e337        .....P.........7
0x0020   a012 ffff 211f 0000 0204 05b4 0103 0301        ....!...........
0x0030   0101 080a 2100 f0c4 a8e9 5790 eb1d 0f5d        ....!.....W....]


--- sample snort, with similar packet

08/18-19:47:11.966415 0:10:DB:20:E6:C2 -> 0:A:95:A9:E3:60 type:0x800 len:0x4E
216.109.117.110:80 -> 172.19.3.230:61197 TCP TTL:49 TOS:0x0 ID:20853
IpLen:20 DgmLen:60 DF
***A**S* Seq: 0xA26752A9  Ack: 0xA04BE66E  Win: 0xFFFF  TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 1 NOP NOP TS: 553707434 2833864676 
0x0000: 00 0A 95 A9 E3 60 00 10 DB 20 E6 C2 08 00 45 00  .....`... ....E.
0x0010: 00 3C 51 75 40 00 31 06 FA 71 D8 6D 75 6E AC 13  .<Qu@.1..q.mun..
0x0020: 03 E6 00 50 EF 0D A2 67 52 A9 A0 4B E6 6E A0 12  ...P...gR..K.n..
0x0030: FF FF D8 7F 00 00 02 04 05 B4 01 03 03 01 01 01  ................
0x0040: 08 0A 21 00 E7 AA A8 E9 57 E4 5C 4B 44 0B        ..!.....W.\KD.

See the nicer and more complete description of fields in Snort's case ...

Stef

On Wed, 18 Aug 2004 17:42:21 -0400, Matt Kettler <mkettler at ...4108...> wrote:
> At 01:04 PM 8/18/2004, Dean Price wrote:
> >I have what may be a simple question...
> >
> >Can snort be a packet sniffer on a stand alone machine on a non-switched
> >network?
> 
> Yes, but why? tcpdump is a simpler, smaller and better tool if all you want
> to do is sniff packets.
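The two dumps carry the same fields, just at different offsets: Snort's hex dump begins at the Ethernet header, tcpdump's at the IP header. The decoder below is an added example and is not code from this thread, from Snort or from tcpdump. It reads both hex dumps exactly as quoted above (constructed input, ASCII columns dropped), decodes the IPv4/TCP headers and options into one field set, and makes visible two things the summary lines do not: both captures carry four bytes beyond the IP total length (a link-layer trailer; what it is cannot be determined from the post), and a TCP-option parser has to validate every length byte or a crafted option of length 0 or 1 sends it into an endless loop. Function and constant names are mine.

```python
import re
import struct

# Hex columns copied from the two captures quoted above (constructed input, ASCII columns dropped).
TCPDUMP_HEX = """
0x0000   4500 003c 9586 4000 3206 b4ff d86d 75cf
0x0010   ac13 03e6 0050 eda4 ac2e b805 e401 e337
0x0020   a012 ffff 211f 0000 0204 05b4 0103 0301
0x0030   0101 080a 2100 f0c4 a8e9 5790 eb1d 0f5d
"""
SNORT_HEX = """
0x0000: 00 0A 95 A9 E3 60 00 10 DB 20 E6 C2 08 00 45 00
0x0010: 00 3C 51 75 40 00 31 06 FA 71 D8 6D 75 6E AC 13
0x0020: 03 E6 00 50 EF 0D A2 67 52 A9 A0 4B E6 6E A0 12
0x0030: FF FF D8 7F 00 00 02 04 05 B4 01 03 03 01 01 01
0x0040: 08 0A 21 00 E7 AA A8 E9 57 E4 5C 4B 44 0B
"""
HEX_TOKEN = re.compile(r"^(?:[0-9a-fA-F]{2}|[0-9a-fA-F]{4})$")
# Snort's flag field has eight fixed columns: 1 2 U A P R S F (reserved bits, then URG..FIN)
SNORT_FLAG_COLUMNS = [(0x80, "1"), (0x40, "2"), (0x20, "U"), (0x10, "A"), (0x08, "P"), (0x04, "R"), (0x02, "S"), (0x01, "F")]


def hexdump_to_bytes(dump):
    """Read '0x0000   4500 003c' (tcpdump -x) or '0x0000: 45 00' (Snort) lines. Hex tokens end at
    the first token that is not 2 or 4 hex digits, i.e. where an ASCII column would begin."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not tokens[0].lower().startswith("0x"):
            continue  # blank or summary line, not part of the dump
        for tok in tokens[1:]:
            if not HEX_TOKEN.match(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def snort_flag_string(flags):
    return "".join(ch if flags & bit else "*" for bit, ch in SNORT_FLAG_COLUMNS)


def parse_tcp_options(raw):
    """Decode the TCP options area. Each length byte is checked before use: a length of 0 or 1
    on a multi-byte option would otherwise make this loop spin forever or read past the header."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:          # End of Option List
            break
        if kind == 1:          # No-Operation: one byte, no length field
            opts.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"option kind {kind} has no length byte")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"option kind {kind} has bad length {length}")
        body = raw[i + 2:i + length]
        if kind == 2 and length == 4:
            opts.append(("MSS", struct.unpack("!H", body)[0]))
        elif kind == 3 and length == 3:
            opts.append(("WS", body[0]))
        elif kind == 8 and length == 10:
            opts.append(("TS", struct.unpack("!II", body)))
        else:
            opts.append((f"kind{kind}", body.hex()))
        i += length
    return opts


def decode_tcp_packet(buf, has_ethernet):
    """Decode one IPv4/TCP packet; has_ethernet says whether buf starts with a 14-byte Ethernet header."""
    if has_ethernet and (len(buf) < 14 or buf[12:14] != b"\x08\x00"):
        raise ValueError("not an IPv4 Ethernet frame")
    off = 14 if has_ethernet else 0
    ver_ihl, _tos, total_len, ip_id, frag, ttl, proto = struct.unpack("!BBHHHBB", buf[off:off + 10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 6:
        raise ValueError("only IPv4/TCP is handled here")
    # The IP total length, not the captured length, bounds the datagram.
    if total_len < ihl + 20 or len(buf) < off + total_len:
        raise ValueError("IP total length inconsistent with captured bytes")
    t = off + ihl
    sport, dport, seq, ack, doff_flags, win = struct.unpack("!HHIIHH", buf[t:t + 16])
    tcp_hlen = (doff_flags >> 12) * 4
    if tcp_hlen < 20 or t + tcp_hlen > off + total_len:
        raise ValueError("TCP data offset runs past the IP datagram")
    return {
        "src": ".".join(str(b) for b in buf[off + 12:off + 16]),
        "dst": ".".join(str(b) for b in buf[off + 16:off + 20]),
        "ttl": ttl, "id": ip_id, "df": bool(frag & 0x4000), "ip_len": total_len,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win, "tcp_len": tcp_hlen,
        "flags": snort_flag_string(doff_flags & 0xFF),
        "options": parse_tcp_options(buf[t + 20:t + tcp_hlen]),
        "trailer": buf[off + total_len:],   # bytes past the IP datagram; both captures carry four
    }


if __name__ == "__main__":
    for name, dump, eth in (("tcpdump", TCPDUMP_HEX, False), ("snort", SNORT_HEX, True)):
        print(name, decode_tcp_packet(hexdump_to_bytes(dump), eth))
```

Running it reproduces every value in both summary lines (TTL 50/49, IDs 38278/20853, the sequence and acknowledgement numbers, window 65535, the six options with MSS 1460, WS 1 and the timestamps) from the raw bytes, and shows the four trailing bytes (eb1d0f5d and 5c4b440b) that neither tool lists as a field. The point for anyone writing their own decoder or detection logic: trust the IP total length and the TCP data offset, not the captured length, and reject option lengths below 2.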