[Snort-users] snort and packet sniffing

Dean Price dprice153 at ...6436...
Thu Aug 19 08:37:02 EDT 2004

I know of ethereal, tcpdump, and of course snort... 

Another question for anyone on the list: I was informed that snort will also 
show me the contents of an email message (in source format). 

This is why I decided to pursue snort over the other options out there.

On Thursday 19 August 2004 10:28 am, Matt Kettler wrote:
> At 09:29 PM 8/18/2004, Stef wrote:
> >The one reason I could think of would be formatting and output values
> >of one, compared to the other, perhaps?!?!
> Possibly.. I mostly wanted to inspire the poster to consider other tools,
> ones which he/she may even already have installed or available as a package
> on their distro CD before downloading and installing snort.
> As an aside, it would be interesting to see which performs better under
> load.. I suspect that tcpdump will perform better, since use of text output
> in snort is discouraged and probably not a heavy focus of developer
> tweaking/tuning.
> (note: you'd have to use -n to tcpdump, since tcpdump does RDNS and
> /etc/services lookups by default, and snort doesn't support them at all.
> The RDNS could slow tcpdump down considerably)
> >See nicer and more complete description of fields, in snort's case ..
> Ahh, yes, snort's type:0x800 is much clearer than tcpdump's ethertype:IPv4.
> I suppose it's a matter of taste, and I'd agree that some might prefer one
> format vs another, but IMO, one of snort's weaknesses is vague and cryptic
> packet decode.
> (side comment on matters of taste: I'd love to commend the genius of
> ambiguity that created "iplen:" and "dgmlen:", which sound like they should
> be same thing, the length of the IP datagram, but are really "ip header
> length" and "ip datagram length". How one gets "header" from "iplen" is
> beyond me.)

Thank You,
Dean Price
deano at ...12296...
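The "iplen" vs "dgmlen" confusion Matt raises above comes from the two length fields of an IPv4 header: the IHL nibble (header length in 32-bit words) and the Total Length field (header plus payload). The following is an added example, not code from the thread or from the snort or tcpdump projects: a small decoder that parses a constructed Ethernet/IPv4/TCP frame, verifies the header checksum, and renders the result once with the snort labels quoted in the thread ("type:0x800", "iplen:", "dgmlen:") and once with explicit names. The frame bytes, addresses and ports are made up for this example, and the two output lines are this example's own format, not verbatim snort or tcpdump output.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800  # the value snort prints as "type:0x800"
IPV4_HDR_FMT = "!BBHHHBBH4s4s"


def ip_checksum(data):
    """RFC 1071 one's-complement checksum over an IPv4 header.
    Over a header whose checksum field is already correct the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame():
    """Constructed Ethernet II frame (IPv4/TCP, no IP options) used as input.
    Every address, port and identifier here is made up for this example."""
    dst_mac = bytes.fromhex("001122334455")
    src_mac = bytes.fromhex("66778899aabb")
    payload = b"GET / HTTP/1.0\r\n\r\n"              # 18 bytes
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          40000, 80,                 # source / destination port
                          1, 0,                      # seq, ack
                          5 << 4, 0x18,              # data offset 5 words, PSH|ACK
                          8192, 0, 0)                # window, checksum (unset), urgent
    total_len = 20 + len(tcp_hdr) + len(payload)     # 20 + 20 + 18 = 58
    fields = [0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,   # 0x4000 = DF set
              socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2")]
    ip_hdr = struct.pack(IPV4_HDR_FMT, *fields)
    fields[7] = ip_checksum(ip_hdr)                  # fill in the real header checksum
    ip_hdr = struct.pack(IPV4_HDR_FMT, *fields)
    return (dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
            + ip_hdr + tcp_hdr + payload)


def decode_ipv4(frame):
    """Parse the IPv4 header of an Ethernet II frame into named fields."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % ethertype)
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack_from(IPV4_HDR_FMT, frame, 14)
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4                       # IHL is in 32-bit words
    if version != 4 or ihl < 20 or 14 + total_len > len(frame):
        raise ValueError("malformed or truncated IPv4 header")
    return {
        "type": ethertype,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "ttl": ttl,
        "proto": proto,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
        "iplen": ihl,            # snort's "iplen": IP *header* length in bytes
        "dgmlen": total_len,     # snort's "dgmlen": whole datagram, header + payload
        "payload_len": total_len - ihl,
        "checksum_ok": ip_checksum(frame[14:14 + ihl]) == 0,
    }


def render(d):
    """Return the same decode twice: with the snort labels quoted in the thread,
    and with explicit names. Both are this example's format, not real tool output."""
    snort_style = "type:0x%X iplen:%d dgmlen:%d id:%d ttl:%d proto:%d" % (
        d["type"], d["iplen"], d["dgmlen"], d["id"], d["ttl"], d["proto"])
    explicit = ("ethertype IPv4, ip header length %d, datagram length %d, "
                "payload %d, header checksum %s" % (
                    d["iplen"], d["dgmlen"], d["payload_len"],
                    "ok" if d["checksum_ok"] else "BAD"))
    return snort_style, explicit


if __name__ == "__main__":
    decoded = decode_ipv4(build_sample_frame())
    for line in render(decoded):
        print(line)
```

Running it prints the snort-style line `type:0x800 iplen:20 dgmlen:58 ...` beside the explicit one, which makes the point of the thread concrete: "iplen" is 20 (the header) while "dgmlen" is 58 (the whole datagram), and a reader of the first line alone has no way to tell which is which. The checksum check is the kind of sanity test worth keeping in any decoder that is fed packets from the wire rather than from a known-good capture.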
