Re: IDS with traffic analysis (basically) = sniffer

["Perry E. Metzger" <perry () piermont com>]

"John Kozubik" <john_kozubik_dc () hotmail com> writes:
> Just a note - if you are doing traffic analysis (as opposed to content 
> analysis) with an IDS, you are basically recording _every_ packet that 
> comes through.
>
> Therefore, for all practical purposes, the IDS _is_ a sniffer.  
> Commercial sniffing packages will be better, however, at analyzing 
> attacks in progress (i.e. put the sniffer in the DMZ and watch what is 
> happening) whereas the IDS is more of a reference to look back upon and 
> analyze.

Why?

Most sniffers I've seen aren't nearly as good as NFR. Hell, most of
them aren't as good as TCPDUMP. What makes you think "commercial
sniffing packages" are much good at *anything*?

Perry