Snort mailing list archives

Re: -b binary capture


From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 28 Sep 2001 10:11:13 -0700 (PDT)

On Fri, 28 Sep 2001, Greg Sarsons wrote:

> I see that snort by default with binary dump captures 1514.  Well this
> is just too much for my little 30 Gig hard drive on a busy school
> network.  I'm going to do some analysis with snort after but will also
> be using tcptrace, ipfw and a few others.
>
> If I grab 10%, say 150 vice 1514, will I really be limiting what I can
> do after?  Doesn't tcpdump by default grab 68?

You limit yourself if you don't get the full packet payload.  That can
be the difference between a false positive and an actual attack.

And yes, tcpdump does grab 68.  Just headers, no payload.

> The traffic bw from what I know on the network has peaked at about
> 20Mb/sec but the average seems to be 11Mb/sec.  If I plug into another
> smaller subnet the traffic bw could drop even more.

Sounds about average for what you are describing.

> Again this has got to fit on a 30Gig drive.  The more days that I can
> capture the better for the statistics.  Filling the hard drive in only
> one day doesn't really give a nice look.

Ug...  I'm assuming you're using IDE?

> Any recommendations?

Other than drop a $100 and get another drive?  :-)  You might consider
dumping the data off to another box for post processing every so often.

You're in kinda a tough spot...  Sorry I can't be of more help.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
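The trade-off in this thread (a snaplen of 68 keeps headers but no payload, and payload is what a content rule needs) can be checked directly. The following is an added example, not code from the thread or from the Snort project: it builds one constructed Ethernet/IPv4/TCP frame, truncates it at the snaplens discussed (68, 150, 1514), reports how much payload survives and whether a payload pattern would still be visible, and estimates how many days a 30 GB disk lasts at the poster's 11 Mb/sec average. The average frame size of 700 bytes, the TEST-NET addresses and the HTTP payload are assumptions chosen for the demonstration; the 16-byte per-packet record header is the libpcap file format's.

```python
import struct

PCAP_RECORD_HEADER = 16  # libpcap per-packet record: ts_sec, ts_usec, incl_len, orig_len
ETH_HDR = 14
IP_HDR = 20               # IPv4 without options
TCP_HDR = 20              # TCP without options
L4_OFFSET = ETH_HDR + IP_HDR + TCP_HDR   # 54: first payload byte in the frame


def build_tcp_frame(payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the demo (checksums left at zero;
    addresses are RFC 5737 TEST-NET values, not real hosts)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, IP_HDR + TCP_HDR + len(payload),   # version/IHL, TOS, total length
        0x1234, 0x4000, 64, 6, 0,                   # id, DF, TTL, proto=TCP, csum
        bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]),
    )
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def capture(frame: bytes, snaplen: int) -> bytes:
    """What a capture with the given snaplen would write: the first snaplen bytes."""
    return frame[:snaplen]


def payload_bytes_kept(frame: bytes, snaplen: int) -> int:
    """How many payload bytes survive truncation (0 when only headers fit)."""
    return max(0, min(len(frame), snaplen) - L4_OFFSET)


def payload_contains(frame: bytes, snaplen: int, pattern: bytes) -> bool:
    """Would a content match on the TCP payload still fire after truncation?"""
    return pattern in capture(frame, snaplen)[L4_OFFSET:]


def capture_days(disk_bytes: float, avg_bits_per_sec: float,
                 avg_frame_len: int, snaplen: int) -> float:
    """Days of capture a disk holds: packets/sec times bytes written per packet.
    Each stored packet costs min(frame, snaplen) plus the 16-byte record header."""
    pps = avg_bits_per_sec / 8 / avg_frame_len
    per_packet_on_disk = min(avg_frame_len, snaplen) + PCAP_RECORD_HEADER
    return disk_bytes / (pps * per_packet_on_disk * 86400)


if __name__ == "__main__":
    # Constructed sample payload: a request whose Host header sits past byte 14.
    payload = b"GET / HTTP/1.0\r\nHost: www.example.com\r\n" + b"A" * 1000
    frame = build_tcp_frame(payload)
    for snaplen in (68, 150, 1514):
        print(f"snaplen {snaplen:5d}: payload kept {payload_bytes_kept(frame, snaplen):5d} B, "
              f"'Host: www.example.com' visible: "
              f"{payload_contains(frame, snaplen, b'Host: www.example.com')}, "
              f"30 GB lasts {capture_days(30e9, 11e6, 700, snaplen):.2f} days "
              f"(assumes 700 B average frame)")
```

The storage estimate is the part worth keeping around: at 11 Mb/sec and a 700-byte average frame, 1514 fills 30 GB in about a quarter of a day, and 150 only stretches that to about one day, which is why the reply recommends shipping the files off-box rather than shrinking the snaplen. The first column shows the cost of the shrink: at snaplen 68 the headers are intact but a match on anything past the first few payload bytes never fires.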


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users