Snort mailing list archives
RE: bpf filter?
From: Jason Opperisano <jopperisano () netcriticalgroup com>
Date: Sun, 22 Jul 2001 23:56:01 -0400
snort [snort options] arp or icmp
                      ^^^^^^^^^^^
                      this is your bpf filter

to do just icmp echo requests and replies:

snort [snort options] arp or \(icmp[0] = 8 or icmp[0] = 0\)

"man tcpdump" will also provide a wealth of other details for you.

hope this helps

-jason

-----Original Message-----
From: gatekeeper () globe com ph [mailto:gatekeeper () globe com ph]
Sent: Sunday, July 22, 2001 10:29 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] bpf filter?

Hi,

I captured some traffic using tcpdump format (-b) and was able to decode (-r) on a per protocol basis (port 23, 80, 110 etc). I now wanted to just log 'icmp' or 'arp' traffic but could not seem to figure out how to do it. I guess I would need a bpf filter to do this? I would appreciate some sample how to do this so I can log, for example, just icmp type 0 or type 8?

Thanks a lot.

jun g.
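As an added illustration (not part of the original thread), a small Python classifier that reimplements the reply's filter, arp or (icmp[0] = 8 or icmp[0] = 0), so you can see what each clause actually tests: icmp[0] is the first byte of the ICMP header, i.e. the type field, and reaching it means honouring the IP header length (IHL) and skipping non-first fragments. All frames below are constructed samples with dummy addresses and zero checksums.

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_ARP, ETHERTYPE_IPV4 = 0x0806, 0x0800
IPPROTO_ICMP, IPPROTO_TCP = 1, 6
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8

def matches_filter(frame: bytes) -> bool:
    """True when an Ethernet frame would pass 'arp or (icmp[0] = 8 or icmp[0] = 0)'.
    icmp[0] in BPF is the first byte of the ICMP header, i.e. the type field."""
    if len(frame) < ETH_HDR_LEN:
        return False
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_ARP:
        return True                                  # the 'arp' clause
    if ethertype != ETHERTYPE_IPV4:
        return False
    ip = frame[ETH_HDR_LEN:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != IPPROTO_ICMP:
        return False
    if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:
        return False                                 # non-first fragment: no ICMP header to read
    ihl = (ip[0] & 0x0F) * 4                         # header length in bytes, options included
    icmp = ip[ihl:]
    return len(icmp) > 0 and icmp[0] in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY)

def build_frame(proto: int, payload: bytes, ihl_words: int = 5) -> bytes:
    """Constructed Ethernet/IPv4 frame; addresses are dummies and the checksum is left zero."""
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", ETHERTYPE_IPV4)
    options = b"\x00" * ((ihl_words - 5) * 4)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, ihl_words * 4 + len(payload),
                     0, 0, 64, proto, 0, b"\xc0\xa8\x00\x01", b"\xc0\xa8\x00\x02")
    return eth + ip + options + payload

# Constructed ICMP headers: echo request (type 8), echo reply (type 0), destination unreachable (type 3)
ECHO_REQ, ECHO_REPLY, UNREACH = bytes([8, 0, 0, 0, 0, 1, 0, 1]), bytes([0, 0, 0, 0, 0, 1, 0, 1]), bytes([3, 1, 0, 0, 0, 0, 0, 0])
SAMPLES = [  # constructed sample traffic: (label, frame)
    ("arp request", b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28),
    ("icmp echo request", build_frame(IPPROTO_ICMP, ECHO_REQ)),
    ("icmp echo reply", build_frame(IPPROTO_ICMP, ECHO_REPLY)),
    ("icmp echo reply, ip header with options", build_frame(IPPROTO_ICMP, ECHO_REPLY, ihl_words=6)),
    ("icmp destination unreachable", build_frame(IPPROTO_ICMP, UNREACH)),
    ("tcp segment", build_frame(IPPROTO_TCP, b"\x00\x50\x00\x17" + b"\x00" * 16)),
]

def matching_labels() -> list:
    """Labels of the sample frames the filter would keep."""
    return [label for label, frame in SAMPLES if matches_filter(frame)]
```

Only ARP and the two echo types survive; the destination-unreachable message is ICMP but fails the icmp[0] test, which is exactly what distinguishes the second filter from a plain 'arp or icmp'.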