[Snort-users] BPF filters for the intimidated

Matt Kettler mkettler at ...4108...
Fri Jul 23 13:10:14 EDT 2004


At 03:32 PM 7/23/2004, Paul Schmehl wrote:
>I didn't realize bpf filters could use tcpdump-type input.  *That* I can 
>already do.

Well, BPF is the filter that tcpdump uses. Thus it's no coincidence that 
they accept the same input; it's the same filter.

The BPF is actually implemented in the kernel, so it's a convenient 
interface for nearly any program like tcpdump or snort to use. Hence the 
common filter format.
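The "same filter" point is easier to see once a filter is visible as the small program the kernel actually runs. The following is an added example, not code from the thread: a Python interpreter for the classic BPF instruction list that `tcpdump -d tcp` prints for an Ethernet link (assumed to match current libpcap output; targets are the absolute instruction numbers tcpdump prints), run over constructed frames. `run_bpf`, `ipv4_frame` and `ipv6_frame` are my names.

```python
import struct

# Instruction list as printed by `tcpdump -d tcp` on Ethernet (assumed).
# Tuples: (op, k) or (op, k, jt, jf); ret 262144 means "accept up to snaplen".
TCP_PROGRAM = [
    ("ldh", 12),             # A = EtherType
    ("jeq", 0x86DD, 2, 7),   # IPv6?
    ("ldb", 20),             # A = IPv6 next header
    ("jeq", 0x06, 10, 4),    # TCP directly?
    ("jeq", 0x2C, 5, 11),    # fragment extension header?
    ("ldb", 54),             # next header inside the fragment header
    ("jeq", 0x06, 10, 11),
    ("jeq", 0x0800, 8, 11),  # IPv4?
    ("ldb", 23),             # A = IPv4 protocol field
    ("jeq", 0x06, 10, 11),
    ("ret", 262144),         # match
    ("ret", 0),              # no match
]

def run_bpf(program, packet):
    """Interpret the ldh/ldb/jeq/ret subset used by tcpdump's simple filters.
    Returns the accepted length (0 = packet rejected)."""
    acc, pc = 0, 0
    while True:
        insn = program[pc]
        op = insn[0]
        if op in ("ldh", "ldb"):
            size = 2 if op == "ldh" else 1
            k = insn[1]
            if k + size > len(packet):
                return 0  # out-of-bounds load rejects the packet, as the kernel does
            acc = int.from_bytes(packet[k:k + size], "big")
            pc += 1
        elif op == "jeq":
            pc = insn[2] if acc == insn[1] else insn[3]
        elif op == "ret":
            return insn[1]
        else:
            raise ValueError("unsupported opcode %s" % op)

def ipv4_frame(proto):
    """Constructed Ethernet + minimal IPv4 header; protocol sits at offset 23."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    ip = bytes([0x45, 0, 0, 40, 0, 0, 0, 0, 64, proto]) + b"\x00" * 10
    return eth + ip + b"\x00" * 20

def ipv6_frame(next_header):
    """Constructed Ethernet + minimal IPv6 header; next header sits at offset 20."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x86DD)
    return eth + bytes([0x60, 0, 0, 0, 0, 0, next_header, 64]) + b"\x00" * 32

if __name__ == "__main__":
    print(run_bpf(TCP_PROGRAM, ipv4_frame(6)), run_bpf(TCP_PROGRAM, ipv4_frame(17)))
```

Whether the expression is handed to tcpdump or to snort, this is the program libpcap compiles it into and the kernel evaluates per packet.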