Re: snort and packet sniffing

[James Riden <j.riden () massey ac nz>]

Stef <stefmit () gmail com> writes:

> The one reason I could think of would be formatiing and output values
> of one, compared to the other, perhaps?!?!
>
> --- sample tcpdump:
>
> 19:46:30.149248 00:10:db:20:e6:c2 > 00:0a:95:a9:e3:60, ethertype IPv4,
> length 78: IP (tos 0x0, ttl  50, id 38278, offset 0, flags [DF],
> length: 60) p20.www.dcn.yahoo.com.http > 172.19.3.230.60836: S [tcp
> sum ok] 2888742917:2888742917(0) ack 3825328951 win 65535 <mss
> 1460,nop,wscale 1,nop,nop,timestamp 553709764 2833864592>
> 0x0000   4500 003c 9586 4000 3206 b4ff d86d 75cf        E..<..@.2....mu.
> 0x0010   ac13 03e6 0050 eda4 ac2e b805 e401 e337        .....P.........7
> 0x0020   a012 ffff 211f 0000 0204 05b4 0103 0301        ....!...........
> 0x0030   0101 080a 2100 f0c4 a8e9 5790 eb1d 0f5d        ....!.....W....]
>
>
> --- sample snort, with similar packet
>
> 08/18-19:47:11.966415 0:10:DB:20:E6:C2 -> 0:A:95:A9:E3:60 type:0x800 len:0x4E
> 216.109.117.110:80 -> 172.19.3.230:61197 TCP TTL:49 TOS:0x0 ID:20853
> IpLen:20 DgmLen:60 DF
> ***A**S* Seq: 0xA26752A9  Ack: 0xA04BE66E  Win: 0xFFFF  TcpLen: 40
> TCP Options (6) => MSS: 1460 NOP WS: 1 NOP NOP TS: 553707434 2833864676 
> 0x0000: 00 0A 95 A9 E3 60 00 10 DB 20 E6 C2 08 00 45 00  .....`... ....E.
> 0x0010: 00 3C 51 75 40 00 31 06 FA 71 D8 6D 75 6E AC 13  .<Qu ()  1  q mun..
> 0x0020: 03 E6 00 50 EF 0D A2 67 52 A9 A0 4B E6 6E A0 12  ...P...gR..K.n..
> 0x0030: FF FF D8 7F 00 00 02 04 05 B4 01 03 03 01 01 01  ................
> 0x0040: 08 0A 21 00 E7 AA A8 E9 57 E4 5C 4B 44 0B        ..!.....W.\KD.
>
> See nicer and more complete description of fields, in snort's case ...
>
> Stef

There's tethereal, a text version of ethereal, if you want good
protocol decoding. Or you can capture to a file using tcpdump, and
decode with another tool, such as snort or ethereal:

% tcpdump -w store.cap

% snort -r store.cap

cheers,
 Jamie
-- 
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/




-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users