[Snort-users] snort and packet sniffing
dprice153 at ...6436...
Thu Aug 19 08:37:02 EDT 2004
I know of ethereal, tcpdump, and of course snort...
Another question for anyone on the list: I was informed that snort will also
show me the contents of an email message (in source format).
This is why I decided to pursue snort over the other options out there.
On Thursday 19 August 2004 10:28 am, Matt Kettler wrote:
> At 09:29 PM 8/18/2004, Stef wrote:
> >The one reason I could think of would be formatting and output values
> >of one, compared to the other, perhaps?!?!
> Possibly.. I mostly wanted to inspire the poster to consider other tools,
> ones which he/she may even already have installed or available as a package
> on their distro CD before downloading and installing snort.
> As an aside, it would be interesting to see which performs better under
> load.. I suspect that tcpdump will perform better, since use of text output
> in snort is discouraged and probably not a heavy focus of developer
> (note: you'd have to use -n to tcpdump, since tcpdump does RDNS and
> /etc/services lookups by default, and snort doesn't support them at all.
> The RDNS could slow tcpdump down considerably)
> >See nicer and more complete description of fields, in snort's case ..
> Ahh, yes, snort's type:0x800 is much clearer than tcpdump's ethertype:IPv4.
> I suppose it's a matter of taste, and I'd agree that some might prefer one
> format vs another, but IMO, one of snort's weaknesses is vague and cryptic
> packet decode.
> (side comment on matters of taste: I'd love to commend the genius of
> ambiguity that created "iplen:" and "dgmlen:", which sound like they should
> be same thing, the length of the IP datagram, but are really "ip header
> length" and "ip datagram length". How one gets "header" from "iplen" is
> beyond me.)
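The quoted discussion turns on what the fields in a packet decode line actually mean: snort's `type:0x800` is the Ethernet ethertype for IPv4, its `iplen:` is the IPv4 header length (IHL times four) and its `dgmlen:` is the total length of the datagram. The following Python script is an added example, not code from the original post or from the Snort or tcpdump projects. It builds a constructed Ethernet+IPv4 frame (sample bytes, not a real capture; the MAC and IP addresses are made up), decodes the header fields under the names used in the thread, verifies the IPv4 header checksum, and shows how the two lengths diverge once IP options are present or the packet is truncated.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800  # what snort prints as "type:0x800" and tcpdump as "ethertype IPv4"
IPV4_FMT = "!BBHHHBBH4s4s"  # version/IHL, TOS, total length, ID, flags/frag, TTL, proto, csum, src, dst


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones-complement sum over the header; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_frame(payload: bytes, options: bytes = b"", ttl: int = 64, proto: int = 17) -> bytes:
    """Construct a sample Ethernet + IPv4 frame (assumed addresses, not captured traffic)."""
    if len(options) % 4:
        raise ValueError("IP options must pad to a multiple of 4 bytes")
    ihl = 5 + len(options) // 4  # header length in 32-bit words
    total_len = ihl * 4 + len(payload)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    header = struct.pack(IPV4_FMT, (4 << 4) | ihl, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                         socket.inet_aton("192.0.2.1"), socket.inet_aton("198.51.100.2")) + options
    csum = ipv4_checksum(header)
    header = header[:10] + struct.pack("!H", csum) + header[12:]
    return eth + header + payload


def decode_frame(frame: bytes) -> dict:
    """Decode the Ethernet and IPv4 headers, naming the lengths the way snort does."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return {"ethertype": ethertype, "ip": None}
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, ip[:20])
    hdr_len = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or hdr_len < 20 or hdr_len > len(ip):
        raise ValueError("malformed IPv4 header")
    return {
        "ethertype": ethertype,
        "iplen": hdr_len,                  # snort "iplen": IP *header* length in bytes
        "dgmlen": total_len,               # snort "dgmlen": length of the whole datagram
        "payload_len": total_len - hdr_len,
        "ttl": ttl,
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "checksum_ok": ipv4_checksum(ip[:hdr_len]) == 0,
        "truncated": total_len > len(ip),  # datagram claims more bytes than were captured
    }


def describe(d: dict) -> str:
    """Render one decode line with unambiguous field names."""
    return ("ethertype:0x%04x %s -> %s ttl:%d proto:%d ip_header_len:%d datagram_len:%d "
            "checksum:%s truncated:%s" % (d["ethertype"], d["src"], d["dst"], d["ttl"], d["proto"],
                                          d["iplen"], d["dgmlen"],
                                          "ok" if d["checksum_ok"] else "BAD", d["truncated"]))


if __name__ == "__main__":
    plain = build_ipv4_frame(b"hello")
    with_opts = build_ipv4_frame(b"hello", options=b"\x01\x01\x01\x01")  # four NOP options
    for frame in (plain, with_opts, plain[:-2]):
        print(describe(decode_frame(frame)))
```

Run as a script it prints one line per constructed frame: the plain frame decodes with a 20-byte header and a 25-byte datagram, the frame with four NOP options shows the header length growing to 24 while the datagram length grows to 29, and the deliberately shortened copy keeps its advertised datagram length but is flagged as truncated, which is the case that a decoder relying on the captured size alone gets wrong.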