Snort mailing list archives
RE: reading tcpdump file
From: "Jeff Dell" <jdell () activeworx com>
Date: Mon, 11 Oct 2004 19:36:24 -0400
We had this same problem on our honeynet and had to start a new snort process that was dedicated to tcpdump. What you are seeing can be caused by a few different reasons... here are a couple:

1. It is not logging the fragmented packets, but the reassembled packet. If you only want to log tcp traffic, you might want to turn off the preprocessors. However this should be fixed in the newer versions of Snort.

2. You might not be capturing both sides of the transmission. I would try this:

alert tcp any any <> any any

Cheers,
Jeff

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Edward Young
Sent: Monday, October 11, 2004 6:23 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] reading tcpdump file

Hi,

I am trying to read a tcpdump file into snort. For some reason, it seems that some of the tcp packets are being ignored for some reason. The only reason I can think of is because the tcpdump file only captured at most 96 bytes of each frame. The only rule I have in my config file is "alert tcp any any -> any any" and these are the results that I get:

Snort processed 37298 packets.
===============================================================================
Breakdown by protocol:
    TCP: 32827      (88.013%)
    UDP: 475        (1.274%)
   ICMP: 32         (0.086%)
    ARP: 3176       (8.515%)
  EAPOL: 0          (0.000%)
   IPv6: 4          (0.011%)
    IPX: 7          (0.019%)
  OTHER: 531        (1.424%)
DISCARD: 246        (0.660%)
===============================================================================
Action Stats:
ALERTS: 32621
LOGGED: 32621
PASSED: 0

Where do those remaining 206 packets go? They are tcp so why aren't they logged? I'm thinking that those 206 frames are the frames that are incomplete.

Thanks,
Edward Young

-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
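Added example, not from this thread or from Snort: a small Python script that builds a constructed pcap with tcpdump's 96-byte snaplen and counts the TCP records that were clipped or that are IP fragments carrying no TCP header, the two things Jeff suggests could account for the packets an "alert tcp" rule never sees. The frame layout, sample packets and function names are assumptions of this example.

```python
import struct
ETH_IPV4 = b"\x00" * 12 + b"\x08\x00"   # constructed Ethernet header, EtherType IPv4

def ip_header(proto, total_len, flags_frag=0):
    # Minimal IPv4 header (checksum 0: nothing here validates it); 10.0.0.1 -> 10.0.0.2
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags_frag, 64,
                       proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def tcp_header(sport=1234, dport=80):
    # Minimal 20-byte TCP header, PSH|ACK, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)

def tcp_frame(payload):
    return ETH_IPV4 + ip_header(6, 40 + len(payload)) + tcp_header() + payload

def build_pcap(frames, snaplen=96):
    # Classic little-endian pcap, linktype 1 (Ethernet). Each record is cut at snaplen,
    # as tcpdump -s 96 does, so incl_len < orig_len marks a clipped frame.
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)]
    for f in frames:
        out.append(struct.pack("<IIII", 0, 0, len(f[:snaplen]), len(f)) + f[:snaplen])
    return b"".join(out)

def audit_pcap(data):
    """Count IPv4/TCP records and the cases where an 'alert tcp' rule has no TCP header to match."""
    end = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    c = {"tcp": 0, "tcp_complete": 0, "truncated": 0, "fragment": 0}
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, origlen = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if caplen < origlen:
            c["truncated"] += 1                   # snaplen clipped this frame
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                              # not IPv4/TCP, or cut before the IP header
        c["tcp"] += 1
        ihl = (frame[14] & 0x0F) * 4
        if struct.unpack("!H", frame[20:22])[0] & 0x3FFF:
            c["fragment"] += 1                    # MF set or offset > 0: no TCP header here
        elif len(frame) >= 14 + ihl + 20:
            c["tcp_complete"] += 1                # whole TCP header survived the snaplen
    return c

# Constructed sample: a short request, a long one clipped at 96 bytes, and one datagram
# split into two IP fragments (only the first fragment carries the TCP header).
SAMPLE = build_pcap([
    tcp_frame(b"GET / HTTP/1.0\r\n"),
    tcp_frame(b"A" * 200),
    ETH_IPV4 + ip_header(6, 48, flags_frag=0x2000) + tcp_header() + b"B" * 8,
    ETH_IPV4 + ip_header(6, 28, flags_frag=0x0001) + b"B" * 8,
])
```

Running audit_pcap on a real capture taken with -s 96 gives the same breakdown, so the gap between Snort's TCP count and its alert count can be checked against the number of clipped frames and non-first fragments.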