[Snort-users] How to dump a certain number of tcp packets (for TCPDUMP) when an alert is fired
Alex Butcher, ISC/ISYS
Alex.Butcher at ...11254...
Tue Sep 7 00:47:01 EDT 2004
--On 06 September 2004 17:30 -0400 Jason <security at ...5028...> wrote:
> You still want log_tcpdump however you can create another output type for
> just the alerts you want to go into the tcpdump format file. You can
> create as many alert types as you would like for different files for
> different alerts... Just watch how they are ordered in the rare case you
> hit a dependency.
Alternatively, FLoP will log packet data of the triggering packet and
subsequent packets to the configured database. getpacket (included in the
FLoP distro) can extract these packets to a pcap file that can be loaded by
The next version (or maybe the version after :) of FLoP will preserve
Snort's 'reference' tag through to the database. This allows getpacket to
reconstruct any number of related packets into a single pcap file.
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
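The approach Jason describes above, as an added example that is not part of either poster's message: Snort 2.x lets you declare a custom rule type with the `ruletype` directive, attach its own output plugins to it, and then use that type in place of `alert` in the rules whose packets you want captured. The rule below is constructed for illustration; the rule type name, file names, port and SID are assumptions, not values from the thread.

```snort
# Added example (not from the original post): a custom rule type that fires a
# normal fast-style alert AND writes the matching packet to a separate
# tcpdump-format file, independent of the global output plugins.
ruletype tcp_capture
{
    type alert                          # behaves like a standard alert rule
    output alert_fast: tcp_capture.alert    # human-readable alert line
    output log_tcpdump: tcp_capture.log     # pcap file readable by tcpdump/Ethereal
}

# Use the new rule type instead of "alert" for the rules whose packets you want.
# Port, message and SID are constructed for the example.
tcp_capture tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Example: inbound SSH SYN"; flags:S; sid:1000001; rev:1;)
```

Only the rules declared with `tcp_capture` land in `tcp_capture.log`; rules still written with `alert` go through the global `output` plugins as before. Because each `ruletype` is evaluated in the order it appears in the configuration, declare the type before any rule that references it, which is the ordering dependency Jason warns about.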