[Snort-users] snort and packet sniffing
mkettler at ...4108...
Thu Aug 19 07:30:07 EDT 2004
At 09:29 PM 8/18/2004, Stef wrote:
>The one reason I could think of would be formatting and output values
>of one, compared to the other, perhaps?!?!
Possibly.. I mostly wanted to inspire the poster to consider other tools,
ones which he/she may even already have installed or available as a package
on their distro CD before downloading and installing snort.
As an aside, it would be interesting to see which performs better under
load.. I suspect that tcpdump will perform better, since use of text output
in snort is discouraged and probably not a heavy focus of developer
(note: you'd have to use -n with tcpdump, since tcpdump does RDNS and
/etc/services lookups by default, and snort doesn't support them at all.
The RDNS could slow tcpdump down considerably)
>See nicer and more complete description of fields, in snort's case ..
Ahh, yes, snort's type:0x800 is much clearer than tcpdump's ethertype:IPv4.
I suppose it's a matter of taste, and I'd agree that some might prefer one
format vs another, but IMO, one of snort's weaknesses is vague and cryptic
(side comment on matters of taste: I'd love to commend the genius of
ambiguity that created "iplen:" and "dgmlen:", which sound like they should
be the same thing, the length of the IP datagram, but are really "ip header
length" and "ip datagram length". How one gets "header" from "iplen" is
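The two field-naming points in the thread ("type:0x800" vs "ethertype:IPv4", and "iplen" meaning the IP header length while "dgmlen" is the total datagram length) come straight out of the same two bytes and nibble of the Ethernet and IPv4 headers. The following is an added example, not code from snort, tcpdump or the poster: it builds a constructed Ethernet/IPv4 frame (not captured traffic), parses it, and renders the same fields with labels in the two styles. The label layouts are approximations of the two tools' output chosen for the illustration, not their exact formats, and the header-length/total-length sanity checks are this example's own.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a header whose
    checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, payload, ip_options=b"", ttl=64, proto=17):
    """Constructed Ethernet + IPv4 frame for the demo (assumed addresses,
    made-up MACs). ip_options lets us make the header longer than 20 bytes
    so that 'iplen' and 'dgmlen' visibly diverge from the usual 20/N pair."""
    if len(ip_options) % 4:
        raise ValueError("IP options must be padded to a 4-byte boundary")
    ihl = 5 + len(ip_options) // 4                 # header length in 32-bit words
    total_len = ihl * 4 + len(payload)             # header + everything after it
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl,               # version nibble + IHL nibble
                     0,                            # DSCP/ECN
                     total_len,
                     0x1234,                       # identification
                     0x4000,                       # DF flag, fragment offset 0
                     ttl, proto,
                     0,                            # checksum placeholder
                     IPv4Address(src_ip).packed,
                     IPv4Address(dst_ip).packed) + ip_options
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + payload


def parse_frame(frame: bytes) -> dict:
    """Pull out the fields both tools print. 'iplen' is IHL*4 (header bytes),
    'dgmlen' is the Total Length field (header + payload bytes)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return {"ethertype": ethertype}
    ip = frame[14:]
    ver_ihl, _, total_len, ident, flags_frag, ttl, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    header_len = (ver_ihl & 0x0F) * 4
    # Sanity checks a sniffer has to make before trusting these lengths.
    if ver_ihl >> 4 != 4 or header_len < 20 or total_len < header_len:
        raise ValueError("malformed IPv4 header lengths")
    if len(ip) < total_len:
        raise ValueError("frame truncated: dgmlen exceeds captured bytes")
    if ip_checksum(ip[:header_len]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {
        "ethertype": ethertype, "iplen": header_len, "dgmlen": total_len,
        "id": ident, "df": bool(flags_frag & 0x4000), "ttl": ttl, "proto": proto,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "payload_len": total_len - header_len,
    }


def snort_style(f: dict) -> str:
    """Labels as the post quotes them: raw hex ethertype, 'iplen'/'dgmlen'."""
    return ("type:0x%x %s -> %s %s ttl:%d id:%d iplen:%d dgmlen:%d%s"
            % (f["ethertype"], f["src"], f["dst"], PROTO_NAMES.get(f["proto"], str(f["proto"])),
               f["ttl"], f["id"], f["iplen"], f["dgmlen"], " DF" if f["df"] else ""))


def tcpdump_style(f: dict) -> str:
    """Symbolic ethertype, and the datagram length labelled as such."""
    return ("ethertype %s (0x%04x): %s > %s: (ttl %d, id %d, flags [%s], proto %s (%d), length %d)"
            % (ETHERTYPE_NAMES.get(f["ethertype"], "unknown"), f["ethertype"], f["src"], f["dst"],
               f["ttl"], f["id"], "DF" if f["df"] else "none",
               PROTO_NAMES.get(f["proto"], "?"), f["proto"], f["dgmlen"]))


if __name__ == "__main__":
    for opts in (b"", b"\x01\x01\x01\x01"):          # no options, then 4 bytes of NOPs
        fields = parse_frame(build_frame("192.168.1.10", "10.0.0.1", b"\x00" * 16, ip_options=opts))
        print(snort_style(fields))
        print(tcpdump_style(fields))
```

With the four-byte option block the snort-style line reads iplen:24 dgmlen:40 while the tcpdump-style line only says length 40, which is the ambiguity the post complains about: the header length is real information, but the "iplen" label gives no hint that it is the header rather than the datagram.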