[Snort-users] Snort capturing ARP packets

sgt_b sgt_b at ...11733...
Fri May 28 11:52:05 EDT 2004

Hey everyone,

Under what circumstances would Snort capture (or alert on) ARP packets? 
Is the arpspoof preprocessor the only thing that would trigger an alert 
based on an ARP packet?
From snort.conf:
"To make use of this preprocessor you must specify the IP and hardware 
address of hosts on the same layer 2 segment as you."
Does this mean that in order for arpspoof to work, one has to statically 
map all IP-MAC pairs? Seems like a lot of work for little return. ;)


