[Snort-users] snort and packet sniffing

Matt Kettler mkettler at ...4108...
Thu Aug 19 07:30:07 EDT 2004

At 09:29 PM 8/18/2004, Stef wrote:
>The one reason I could think of would be formatiing and output values
>of one, compared to the other, perhaps?!?!

Possibly.. I mostly wanted to inspire the poster to consider other tools, 
ones which he/she may even already have installed or available as a package 
on their distro CD before downloading and installing snort.

As an aside, it would be interesting to see which performs better under 
load.. I suspect that tcpdump will perform better, since use of text output 
in snort is discouraged and probably not a heavy focus of developer 

(note: you'd have to use -n to tcpdump, since tcpdump does RDNS and 
/etc/services lookups by default, and snort doesn't support them at all. 
The RDNS could slow tcpdump down considerably)

>See nicer and more complete description of fields, in snort's case ..

Ahh, yes, snort's type:0x800 is much clearer than tcpdump's ethertype:IPv4.

I suppose it's a matter of taste, and I'd agree that some might prefer one 
format vs another, but IMO, one of snort's weaknesses is vague and cryptic 
packet decode.

(side comment on matters of taste: I'd love to commend the genius of 
ambiguity that created "iplen:" and "dgmlen:", which sound like they should 
be same thing, the length of the IP datagram, but are really "ip header 
length" and "ip datagram length". How one gets "header" from "iplen" is 
beyond me.)

More information about the Snort-users mailing list