[Snort-users] Best practice for Snort with pcap file?

Nishant Bhat nishant.bhat at gmail.com
Fri Jun 16 17:52:27 EDT 2017


(Noob question) I'm setting up Snort 3, and the manual shows both how to
set up Snort to listen to live traffic on a network interface, and how to
have Snort inspect a packet capture file. I'm wondering which of these
configurations is a better practice? I see more examples of the
pcap-inspection setup, so I'm assuming this is what tends to get used. It
also seems like this is the only way to take advantage of Snort 3's
multithreading.

In this case, do people usually set up a separate instance of tcpdump to
capture packets? If so, how do you avoid having the pcap file use all your
disk space? Thanks in advance!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170616/1eaf1f05/attachment.html>


More information about the Snort-users mailing list