[Snort-users] reading tcpdump file
ey52 at ...2868...
Mon Oct 11 15:26:25 EDT 2004
I am trying to read a tcpdump file into snort. For some reason, it seems
that some of the tcp packets are being ignored for some reason. The only
reason I can think of is because the tcpdump file only captured at most 96
bytes of each frame.
The only rule I have in my config file is "alert tcp any any -> any any" and
these are the results that I get:
Snort processed 37298 packets.
Breakdown by protocol:
TCP: 32827 (88.013%)
UDP: 475 (1.274%)
ICMP: 32 (0.086%)
ARP: 3176 (8.515%)
EAPOL: 0 (0.000%)
IPv6: 4 (0.011%)
IPX: 7 (0.019%)
OTHER: 531 (1.424%)
DISCARD: 246 (0.660%)
Where do those remaining 206 packets go? They are tcp so why aren't they
logged? I'm thinking that those 206 frames are the frames that are
More information about the Snort-users