[Snort-users] reading tcpdump file

Jeff Dell jdell at ...1095...
Mon Oct 11 16:40:20 EDT 2004

We had this same problem on our honeynet and had to start a new snort
process that was dedicated to tcpdump. What you are seeing can be caused by
a few different reasons... here are a couple:

1. It is not logging the fragmented packets, but the reassembled packet. If
you only want to log tcp traffic, you might want to turn off the
preprocessors. However this should be fixed in the newer versions of Snort.

2. You might not be capturing both sides of the transmission. I would try
 	alert tcp any any <> any any



-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Edward Young
Sent: Monday, October 11, 2004 6:23 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] reading tcpdump file


I am trying to read a tcpdump file into snort.  For some reason, it seems 
that some of the tcp packets are being ignored for some reason.  The only 
reason I can think of is because the tcpdump file only captured at most 96 
bytes of each frame.

The only rule I have in my config file is "alert tcp any any -> any any" and
these are the results that I get:

Snort processed 37298 packets.
Breakdown by protocol:
    TCP: 32827      (88.013%)
    UDP: 475        (1.274%)
   ICMP: 32         (0.086%)
    ARP: 3176       (8.515%)
  EAPOL: 0          (0.000%)
   IPv6: 4          (0.011%)
    IPX: 7          (0.019%)
  OTHER: 531        (1.424%)
DISCARD: 246        (0.660%)
Action Stats:
ALERTS: 32621
LOGGED: 32621

Where do those remaining 206 packets go?  They are tcp so why aren't they 
logged?  I'm thinking that those 206 frames are the frames that are 


Edward Young 
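As an added illustration that is not part of this thread: the gap Edward is asking about (32827 TCP packets counted by protocol versus 32621 alerts, i.e. 206 packets) can be narrowed down before touching Snort by auditing the tcpdump file itself for the two causes Jeff names, plus the snaplen issue Edward suspects. The script below is my own example code, not Snort's or either poster's; it assumes a classic (non-pcapng) pcap with Ethernet framing and builds a constructed six-frame capture at a 96-byte snaplen in memory so it runs offline. For every packet whose IP protocol field says TCP it records whether the frame was cut at the snaplen, whether it is a non-initial IP fragment (such a packet has no TCP header of its own and only becomes a TCP segment after reassembly), and whether the four-tuple was ever seen in the reverse direction.

```python
import struct
from typing import Dict, List

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def build_frame(src: str, dst: str, proto: int = IPPROTO_TCP, sport: int = 1234, dport: int = 80,
                payload: bytes = b"", frag_offset: int = 0, with_l4_header: bool = True) -> bytes:
    """Constructed Ethernet/IPv4 frame, optionally with a 20-byte TCP header.

    Checksums stay zero: this is sample data for the audit, not real traffic.
    A non-initial IP fragment (frag_offset > 0) carries only payload and no TCP header.
    """
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    l4 = payload
    if with_l4_header and proto == IPPROTO_TCP:
        # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, frag_offset & 0x1FFF, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return eth + ip + l4


def build_arp_frame() -> bytes:
    """Constructed broadcast ARP frame (the audit only needs to see its ethertype)."""
    return bytes.fromhex("ffffffffffff") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_ARP) + bytes(28)


def build_pcap(frames: List[bytes], snaplen: int = 96) -> bytes:
    """Serialise frames as a little-endian classic pcap, cutting each frame at snaplen like tcpdump -s does."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        # ts_sec is a constructed timestamp; incl_len < orig_len marks a truncated frame
        out.append(struct.pack("<IIII", 1097534400 + i, 0, len(captured), len(frame)))
        out.append(captured)
    return b"".join(out)


def audit_pcap(data: bytes) -> Dict[str, int]:
    """Walk a classic pcap and count the TCP packets that are not whole TCP segments on the wire."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic (non-pcapng) pcap file")
    _, _, _, _, _, snaplen, linktype = struct.unpack_from(end + "IHHiIII", data, 0)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    keys = ("packets", "short", "non_ipv4", "ip_non_tcp", "tcp", "tcp_truncated",
            "tcp_noninitial_fragment", "tcp_header_cut", "tcp_with_header",
            "tcp_flows", "tcp_flows_one_direction_only")
    stats = {k: 0 for k in keys}
    stats["snaplen"] = snaplen
    flows = set()
    off = 24  # end of the global header
    while off + 16 <= len(data):
        _, _, caplen, origlen = struct.unpack_from(end + "IIII", data, off)
        off += 16
        pkt = data[off:off + caplen]
        off += caplen
        stats["packets"] += 1
        if len(pkt) < 14:
            stats["short"] += 1
            continue
        if struct.unpack_from("!H", pkt, 12)[0] != ETHERTYPE_IPV4:
            stats["non_ipv4"] += 1
            continue
        if len(pkt) < 34:
            stats["short"] += 1
            continue
        ver_ihl, _, _, _, flags_frag, _, proto = struct.unpack_from("!BBHHHBB", pkt, 14)
        if proto != IPPROTO_TCP:
            stats["ip_non_tcp"] += 1
            continue
        stats["tcp"] += 1  # counted as TCP by protocol field, like Snort's breakdown
        if caplen < origlen:
            stats["tcp_truncated"] += 1
        if flags_frag & 0x1FFF:  # fragment offset > 0: no TCP header in this packet
            stats["tcp_noninitial_fragment"] += 1
            continue
        ihl = (ver_ihl & 0x0F) * 4
        if len(pkt) < 14 + ihl + 4:  # snaplen cut the frame before the TCP ports
            stats["tcp_header_cut"] += 1
            continue
        stats["tcp_with_header"] += 1
        sport, dport = struct.unpack_from("!HH", pkt, 14 + ihl)
        flows.add((pkt[26:30], sport, pkt[30:34], dport))
    stats["tcp_flows"] = len(flows)
    stats["tcp_flows_one_direction_only"] = sum(1 for s, sp, d, dp in flows if (d, dp, s, sp) not in flows)
    return stats


# Constructed sample capture: one bidirectional HTTP exchange, a non-initial fragment,
# a one-sided SSH attempt, a UDP datagram and an ARP request, all cut at 96 bytes.
SAMPLE_FRAMES = [
    build_frame("10.0.0.1", "10.0.0.2", payload=b"GET / HTTP/1.0\r\n\r\n"),
    build_frame("10.0.0.2", "10.0.0.1", sport=80, dport=1234, payload=b"X" * 200),
    build_frame("10.0.0.2", "10.0.0.1", payload=b"Y" * 40, frag_offset=185, with_l4_header=False),
    build_frame("10.0.0.3", "10.0.0.2", sport=5555, dport=22, payload=b"SSH-"),
    build_frame("10.0.0.1", "10.0.0.9", proto=IPPROTO_UDP, payload=b"Z" * 8),
    build_arp_frame(),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES, snaplen=96)

if __name__ == "__main__":
    for key, value in audit_pcap(SAMPLE_PCAP).items():
        print(f"{key:>30}: {value}")
```

On a real file, replace SAMPLE_PCAP with the bytes of the tcpdump capture. The figures to compare against Snort's breakdown are tcp_noninitial_fragment (packets that only exist as TCP after reassembly, Jeff's first point), tcp_flows_one_direction_only (flows a unidirectional rule with -> may never see from the other side, his second point) and tcp_header_cut (frames where 96 bytes was not enough to reach the TCP header; with plain Ethernet/IPv4 the header fits, so this stays zero unless options or encapsulation push it out).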
