Re: Showing dump of only matched paquets.

[Russ Combs <rcombs () sourcefire com>]

On Tue, Mar 22, 2011 at 6:49 PM, ab1197590 () gmail com <ab1197590 () gmail com>wrote:

> Does it work as you would have hoped if you specify an expression?
>
> > From the man page:
>
>  expression
>              selects  which  packets  will  be  dumped.   If no expression
> is
>              given, all packets on the net will be dumped.   Otherwise,
>  only
>              packets for which expression is `true' will be dumped.

The expression here is a BPF which can be used to select packets in dump
mode.

For IDS mode, -A cmg will dump the alerting packets in hex.

> On Sat, Mar 19, 2011 at 7:27 PM, Gustavo Guillermo Perez
> <gustavo () compunauta com> wrote:
> > Hello dear list, I'm trying to setup snort to make a little sniffer, and
> I
> > need something like -dv but only with the rules matched not wit all the
> > paquets.
> >
> > The rules works so fine and logs into the log file excellent and I can
> read
> > the log with -dv -r /var/log/snort/snort.logxxxx wit only matched packets
> but
> > not in realtime, there is any way to do this in realtime?, it means to
> show
> > the HEX output with all info but only with mached packets?
> >
> > Best regards in advance.
> > --
> > Gustavo Guillermo Perez
> > http://www.compunauta.com
> > http://www.compunauta.net
> > http://anuncios.compunauta.net
> ------------------------------------------------------------------------------
> > Colocation vs. Managed Hosting
> > A question and answer guide to determining the best fit
> > for your organization - today and in the future.
> > http://p.sf.net/sfu/internap-sfd2d
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> ------------------------------------------------------------------------------
> Enable your software for Intel(R) Active Management Technology to meet the
> growing manageability and security demands of your customers. Businesses
> are taking advantage of Intel(R) vPro (TM) technology - will your software
> be a part of the solution? Download the Intel(R) Manageability Checker
> today! http://p.sf.net/sfu/intel-dev2devmar
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------
Enable your software for Intel(R) Active Management Technology to meet the
growing manageability and security demands of your customers. Businesses
are taking advantage of Intel(R) vPro (TM) technology - will your software 
be a part of the solution? Download the Intel(R) Manageability Checker 
today! http://p.sf.net/sfu/intel-dev2devmar

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users