[Snort-users] snort and packet sniffing

James Riden j.riden at ...11179...
Wed Aug 18 19:41:03 EDT 2004


Stef <stefmit at ...11827...> writes:

> The one reason I could think of would be formatting and output values
> of one, compared to the other, perhaps?!?!
>
> --- sample tcpdump:
>
> 19:46:30.149248 00:10:db:20:e6:c2 > 00:0a:95:a9:e3:60, ethertype IPv4,
> length 78: IP (tos 0x0, ttl  50, id 38278, offset 0, flags [DF],
> length: 60) p20.www.dcn.yahoo.com.http > 172.19.3.230.60836: S [tcp
> sum ok] 2888742917:2888742917(0) ack 3825328951 win 65535 <mss
> 1460,nop,wscale 1,nop,nop,timestamp 553709764 2833864592>
> 0x0000   4500 003c 9586 4000 3206 b4ff d86d 75cf        E..<.. at ...12300...
> 0x0010   ac13 03e6 0050 eda4 ac2e b805 e401 e337        .....P.........7
> 0x0020   a012 ffff 211f 0000 0204 05b4 0103 0301        ....!...........
> 0x0030   0101 080a 2100 f0c4 a8e9 5790 eb1d 0f5d        ....!.....W....]
>
>
> --- sample snort, with similar packet
>
> 08/18-19:47:11.966415 0:10:DB:20:E6:C2 -> 0:A:95:A9:E3:60 type:0x800 len:0x4E
> 216.109.117.110:80 -> 172.19.3.230:61197 TCP TTL:49 TOS:0x0 ID:20853
> IpLen:20 DgmLen:60 DF
> ***A**S* Seq: 0xA26752A9  Ack: 0xA04BE66E  Win: 0xFFFF  TcpLen: 40
> TCP Options (6) => MSS: 1460 NOP WS: 1 NOP NOP TS: 553707434 2833864676 
> 0x0000: 00 0A 95 A9 E3 60 00 10 DB 20 E6 C2 08 00 45 00  .....`... ....E.
> 0x0010: 00 3C 51 75 40 00 31 06 FA 71 D8 6D 75 6E AC 13  .<Qu at ...12301...
> 0x0020: 03 E6 00 50 EF 0D A2 67 52 A9 A0 4B E6 6E A0 12  ...P...gR..K.n..
> 0x0030: FF FF D8 7F 00 00 02 04 05 B4 01 03 03 01 01 01  ................
> 0x0040: 08 0A 21 00 E7 AA A8 E9 57 E4 5C 4B 44 0B        ..!.....W.\KD.
>
> See the nicer and more complete description of fields in snort's case ...
>
> Stef

There's tethereal, a text version of ethereal, if you want good
protocol decoding. Or you can capture to a file using tcpdump, and
decode with another tool, such as snort or ethereal:

% tcpdump -w store.cap

% snort -r store.cap

cheers,
 Jamie
-- 
James Riden / j.riden at ...11179... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
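As an added illustration of the point in the quoted message, that tcpdump and snort print the same packet with different layouts (example code written here, not from the thread or from either tool): this decodes both quoted hex dumps into the fields snort's summary lines show, so the two layouts can be compared field by field. It assumes the ASCII column has been stripped from each dump line.

```python
import struct

# Hex dumps quoted in the message above (ASCII columns stripped); tcpdump's starts at the IP header, snort's at the Ethernet header.
TCPDUMP_DUMP = """0x0000   4500 003c 9586 4000 3206 b4ff d86d 75cf
0x0010   ac13 03e6 0050 eda4 ac2e b805 e401 e337
0x0020   a012 ffff 211f 0000 0204 05b4 0103 0301
0x0030   0101 080a 2100 f0c4 a8e9 5790 eb1d 0f5d"""
SNORT_DUMP = """0x0000: 00 0A 95 A9 E3 60 00 10 DB 20 E6 C2 08 00 45 00
0x0010: 00 3C 51 75 40 00 31 06 FA 71 D8 6D 75 6E AC 13
0x0020: 03 E6 00 50 EF 0D A2 67 52 A9 A0 4B E6 6E A0 12
0x0030: FF FF D8 7F 00 00 02 04 05 B4 01 03 03 01 01 01
0x0040: 08 0A 21 00 E7 AA A8 E9 57 E4 5C 4B 44 0B"""

def hexdump_to_bytes(dump):  # works for both layouts: drop the offset column, join the rest
    out = bytearray()
    for line in dump.splitlines():
        out += bytes.fromhex("".join(line.split()[1:]))
    return bytes(out)

def parse_options(opts):  # renders options the way snort's "TCP Options" line does
    names, i = [], 0
    while i < len(opts) and opts[i] != 0:  # kind 0 ends the option list
        kind = opts[i]
        if kind == 1:                      # NOP carries no length byte
            names.append("NOP"); i += 1; continue
        length = max(opts[i + 1], 2)       # guard against a zero-length option looping forever
        body = opts[i + 2:i + length]
        if kind == 2:
            names.append("MSS: %d" % struct.unpack("!H", body)[0])
        elif kind == 3:
            names.append("WS: %d" % body[0])
        elif kind == 8:
            names.append("TS: %d %d" % struct.unpack("!II", body))
        i += length
    return names

def decode(pkt):  # IPv4 + TCP headers; skips a leading Ethernet header when present
    if pkt[0] >> 4 != 4:                   # no IPv4 version nibble at offset 0
        pkt = pkt[14:]
    ihl = (pkt[0] & 0x0F) * 4
    dgm_len, ip_id = struct.unpack("!HH", pkt[2:6])
    src, dst = (".".join(map(str, pkt[o:o + 4])) for o in (12, 16))
    tcp = pkt[ihl:]
    sport, dport, seq, ack, off, flags, win = struct.unpack("!HHIIBBH", tcp[:16])
    tcp_len = (off >> 4) * 4
    # snort's flag column reads "12UAPRSF" (reserved bits first), '*' where a bit is clear
    flag_str = "".join(n if flags & (0x80 >> i) else "*" for i, n in enumerate("12UAPRSF"))
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "ttl": pkt[8],
            "id": ip_id, "dgmlen": dgm_len, "flags": flag_str, "seq": seq, "ack": ack,
            "win": win, "tcplen": tcp_len, "options": parse_options(tcp[20:tcp_len])}
```

Calling `decode(hexdump_to_bytes(SNORT_DUMP))` reproduces the TTL, ID, flags, Seq/Ack and option values snort printed for that packet, and the tcpdump dump yields the values from its own summary line.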