Snort mailing list archives

RE: bpf filter?


From: Jason Opperisano <jopperisano () netcriticalgroup com>
Date: Sun, 22 Jul 2001 23:56:01 -0400

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

snort [snort options] arp or icmp
                      ^^^^^^^^^^^
                      this is your bpf filter

to do just icmp echo requests and replies:

snort [snort options] arp or \(icmp[0] = 8 or icmp[0] = 0\)

"man tcpdump" will also provide a wealth of other details for you. 
hope this helps

-jason

-----Original Message-----
From: gatekeeper () globe com ph [mailto:gatekeeper () globe com ph]
Sent: Sunday, July 22, 2001 10:29 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] bpf filter?


Hi,

I captured some traffic using tcpdump format (-b) and was able to
decode (-r) on a per-protocol basis (port 23, 80, 110, etc.). I now
wanted to just log 'icmp' or 'arp' traffic but could not seem to
figure out how to do it. I guess I would need a bpf filter to do
this? I would appreciate some sample of how to do this so I can log,
for example, just icmp type 0 or type 8.

Thanks a lot!

jun g.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBO1ugxKnGvB5QXYGaEQIe0ACgva/UsOBETkWwzQSsEfb7cqs3i3wAoO9C
jB+JzmxfTYZvkvWM88tFTLwR
=boX0
-----END PGP SIGNATURE-----
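For reference, here is an added example (not from this thread and not Snort or tcpdump code) that implements the predicate Jason's filter expresses, `arp or (icmp[0] = 8 or icmp[0] = 0)`, over raw Ethernet frames in Python, so you can see what `icmp[0]` actually indexes: byte 0 of the ICMP header, which sits after a variable-length IPv4 header. It also mirrors two things the BPF compiler does for you behind that expression: it uses the IP header length (IHL) to locate the ICMP header, and it refuses to match non-first fragments, which carry no ICMP header at all. All frames below are constructed inline, not captured; the MAC/IP addresses and the helper function names are assumptions for the example.

```python
"""Reference implementation of the BPF predicate
    arp or (icmp[0] = 8 or icmp[0] = 0)
over raw Ethernet frames. Constructed sample frames only; no live capture.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_ICMP = 1
IPPROTO_TCP = 6
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def matches_arp_or_icmp_echo(frame: bytes) -> bool:
    """True if the frame would pass 'arp or (icmp[0] = 8 or icmp[0] = 0)'."""
    if len(frame) < 14:                       # no complete Ethernet header
        return False
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_ARP:            # 'arp' matches on EtherType alone
        return True
    if ethertype != ETHERTYPE_IPV4:           # 'icmp' in BPF means IPv4 ICMP only
        return False
    ip = frame[14:]
    if len(ip) < 20:
        return False
    version = ip[0] >> 4
    ihl = (ip[0] & 0x0F) * 4                  # header length in bytes, 20..60
    if version != 4 or ihl < 20:
        return False
    if ip[9] != IPPROTO_ICMP:                 # ip[9] is the protocol field
        return False
    # BPF only dereferences transport-layer fields in the first fragment
    # (fragment offset == 0); later fragments have no ICMP header to index.
    frag_off = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    if frag_off != 0:
        return False
    if len(ip) < ihl + 1:
        return False
    icmp_type = ip[ihl]                       # this byte is what icmp[0] denotes
    return icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY)


# --- constructed sample frames (assumed addresses, not captured traffic) ---
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")


def ethernet(ethertype: int, payload: bytes) -> bytes:
    return MAC_B + MAC_A + struct.pack("!H", ethertype) + payload


def ipv4(proto: int, payload: bytes, frag_off: int = 0, options: bytes = b"") -> bytes:
    """Minimal IPv4 header; checksum left at zero (a BPF filter never verifies it)."""
    assert len(options) % 4 == 0
    ihl_words = 5 + len(options) // 4
    total_len = ihl_words * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl_words, 0, total_len,
                         0x1234, frag_off & 0x1FFF, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + options + payload


def icmp(icmp_type: int, code: int = 0) -> bytes:
    return struct.pack("!BBHHH", icmp_type, code, 0, 1, 1) + b"payload"


ARP_FRAME = ethernet(ETHERTYPE_ARP, bytes(28))       # ARP body is irrelevant to the filter
ECHO_REQUEST = ethernet(ETHERTYPE_IPV4, ipv4(IPPROTO_ICMP, icmp(ICMP_ECHO_REQUEST)))
ECHO_REPLY = ethernet(ETHERTYPE_IPV4, ipv4(IPPROTO_ICMP, icmp(ICMP_ECHO_REPLY)))
UNREACHABLE = ethernet(ETHERTYPE_IPV4, ipv4(IPPROTO_ICMP, icmp(3, 1)))   # type 3: dropped
TCP_SEGMENT = ethernet(ETHERTYPE_IPV4, ipv4(IPPROTO_TCP, bytes(20)))
# Echo request behind four NOP IP options: icmp[0] is at 14 + 24, not 14 + 20.
ECHO_WITH_OPTIONS = ethernet(ETHERTYPE_IPV4, ipv4(IPPROTO_ICMP, icmp(ICMP_ECHO_REQUEST),
                                                  options=bytes([1, 1, 1, 1])))
# Non-first fragment whose payload happens to start with 0x08: must NOT match.
ICMP_FRAGMENT = ethernet(ETHERTYPE_IPV4, ipv4(IPPROTO_ICMP, bytes([8, 0, 0, 0]), frag_off=1))

SAMPLES = {
    "arp": ARP_FRAME, "echo request": ECHO_REQUEST, "echo reply": ECHO_REPLY,
    "dest unreachable": UNREACHABLE, "tcp": TCP_SEGMENT,
    "echo request + ip options": ECHO_WITH_OPTIONS, "icmp fragment": ICMP_FRAGMENT,
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:28s} -> {matches_arp_or_icmp_echo(frame)}")
```

To confirm that the real filter compiles to the same logic, `tcpdump -d 'arp or (icmp[0] = 8 or icmp[0] = 0)'` prints the generated BPF program; you will see the IHL load and the fragment-offset test in it. The symbolic form `icmp[icmptype] = icmp-echo or icmp[icmptype] = icmp-echoreply` is equivalent and easier to read. Note that `icmp` in BPF covers IPv4 only; ICMPv6 needs the `icmp6` keyword.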

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
