[Snort-users] BPF filters for the intimidated

Paul Schmehl pauls at ...6838...
Fri Jul 23 12:33:05 EDT 2004


I didn't realize bpf filters could use tcpdump-type input.  *That* I can 
already do.

--On Friday, July 23, 2004 03:18:05 PM -0400 Jeff Dell 
<jdell at ...1095...> wrote:

> I don't know of a tutorial, but you can read about BPF (Berkeley Packet
> Filter) on the TCPDump man page at:
> http://www.tcpdump.org/tcpdump_man.html
>
> You will quickly see that there is really no need to know hex unless you
> are doing some complex filtering...
>
> Cheers,
> Jeff
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Paul Schmehl
> Sent: Friday, July 23, 2004 2:16 PM
> To: Snort-User Mailing List
> Subject: [Snort-users] BPF filters for the intimidated
>
> Does anyone know a good source for a tutorial on BPF filters? Reading
> the man page has me crossing my eyes and groaning.
>
> I want to capture udp packets on port 53 to one host, including the
> entire payload. I've figured out the hex address for the host, but the
> rest escapes me.
>
> Paul Schmehl (pauls at ...6838...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/ir/security/
>
>



Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
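
Added example, not part of either post above: the capture asked about in the thread (UDP, port 53, to one host) written once with tcpdump-style primitives and once with byte offsets, plus a hand evaluation of the offset form on constructed packets to show the two select the same traffic. The host 192.0.2.53, the source address and the sample packets are assumptions made up for the illustration.

```python
import socket
import struct

HOST = "192.0.2.53"  # assumed documentation address standing in for the DNS host

# tcpdump-style primitives; with tcpdump itself, -s 0 keeps the entire payload.
PRIMITIVE_FILTER = f"udp and dst host {HOST} and dst port 53"

# The same test written with byte offsets, the "hex" form of the filter.
HOST_HEX = socket.inet_aton(HOST).hex()
OFFSET_FILTER = f"ip[9] = 17 and ip[16:4] = 0x{HOST_HEX} and udp[2:2] = 53"


def build_ipv4(proto, dst, dport, payload=b"", options=b""):
    """Construct a test IPv4 packet with a UDP-shaped header (checksums zero)."""
    l4 = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ihl_words = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                     20 + len(options) + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton("198.51.100.7"), socket.inet_aton(dst))
    return ip + options + l4


def matches(pkt, host=HOST, port=53):
    """Apply OFFSET_FILTER by hand to raw IPv4 bytes."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    if pkt[9] != 17:                                   # ip[9] = 17 (UDP)
        return False
    if pkt[16:20] != socket.inet_aton(host):           # ip[16:4] = destination
        return False
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:      # later fragment, no UDP header
        return False
    ihl = (pkt[0] & 0x0F) * 4                          # udp[] starts after IP options
    if len(pkt) < ihl + 8:
        return False
    return struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] == port   # udp[2:2]


if __name__ == "__main__":
    print(PRIMITIVE_FILTER)
    print(OFFSET_FILTER)
    print(matches(build_ipv4(17, HOST, 53, b"constructed query")))
```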



