Snort mailing list archives

Re: tcpdump filter question


From: James Hoagland <hoagland () SiliconDefense com>
Date: Thu, 21 Nov 2002 09:39:50 -0800


Hello Paul,

At 10:01 AM -0700 11/21/02, Bradley, Paul wrote:
> Using snort 1.9.0.
> 
> scenario:  logging packet data to a binary file with snort.  i want to go in
> and investigate some tftp activity.  i usually use tcpdump (3.6) to read the
> packets.  this works:
> 
> tcpdump -vvv -n -nn -r packet_file dst port 69
> 
> result = all the packets destined to tftp
> 
> this doesn't work:
> 
> tcpdump -vvv -n -nn -r packet_file 'tcp[2:2] = 69'
> 
> result = nothing (no output)

First the stupid question. Are you sure there are TCP packets with dest port 69 in packet_file? I assume that you tried the filter 'tcp and (dst port = 69)' (or equivalent) with a different result.


> When using tcpdump filters on a binary file created by snort, the built-in
> tcpdump macro filters work; however, the other style of filters don't.  does
> this have something to do with the way snort creates the binary file?  i'd
> like the 2nd style of the filters to work, as i can customize my packet
> queries.

AFAIK, Snort writes tcpdump files the same way most other programs do, with the libpcap API.

You might try this. Run tcpdump and snort at the same time, both writing to a binary file. You might want to have snort logging everything. Then query both files with the same query and compare results. If they differ, then there is something we should look into.

Actually, you might just want to run tcpdump first and give that file to snort as input (-r option). Then issue the same query on both.

Good luck,

  Jim
--
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland () SiliconDefense com, http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
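The two filter styles in this thread differ in what they match, and the following added example (not part of either message, and not Snort or tcpdump code) models that difference in pure Python. It builds four constructed Ethernet/IPv4 frames, one of them a UDP datagram to port 69 (TFTP's actual transport, RFC 1350), one a TCP segment to port 69, and evaluates three filter expressions against them using the semantics of the pcap-filter primitives: 'dst port N' matches a TCP or UDP packet whose destination port is N, while 'tcp[2:2] = N' indexes bytes 2 and 3 of the TCP header and is false for any packet that is not TCP. The function and constant names (parse, filter_dst_port, filter_proto_bytes, run_filters, constructed_frames) are the example's own; checksums are left zero because nothing here validates them.

```python
import struct

ETH_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def ipv4_header(proto, payload_len):
    # Minimal 20-byte IPv4 header with a zero checksum (constructed, not captured).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def eth_frame(proto, transport):
    # Zero MAC addresses, EtherType IPv4, then the IP header and transport bytes.
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ipv4_header(proto, len(transport)) + transport


def udp_segment(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def tcp_segment(sport, dport, payload):
    # 20-byte TCP header: ports, seq, ack, data offset 5 words, PSH|ACK, window, csum, urg.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload


def parse(frame):
    """Return (ip_proto, transport_bytes) for an IPv4 frame, or None otherwise."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[14 + 9]                 # protocol field of the IPv4 header
    return proto, frame[14 + ihl:]


def filter_dst_port(frame, port):
    # Semantics of the primitive 'dst port N': true for a TCP or UDP packet whose
    # destination port (offset 2 in both headers) equals N.
    parsed = parse(frame)
    if parsed is None:
        return False
    proto, th = parsed
    return proto in (IPPROTO_TCP, IPPROTO_UDP) and struct.unpack("!H", th[2:4])[0] == port


def filter_proto_bytes(frame, proto_name, offset, size, value):
    # Semantics of 'tcp[offset:size] = value' (or udp[...]): the index is relative to
    # the named protocol's header, and the expression is false for any other protocol.
    wanted = {"tcp": IPPROTO_TCP, "udp": IPPROTO_UDP}[proto_name]
    parsed = parse(frame)
    if parsed is None:
        return False
    proto, th = parsed
    if proto != wanted or len(th) < offset + size:
        return False
    return int.from_bytes(th[offset:offset + size], "big") == value


def constructed_frames():
    """Four constructed frames standing in for a capture file; not real traffic."""
    tftp_rrq = b"\x00\x01" + b"config.txt\x00" + b"octet\x00"   # TFTP read request
    return [
        eth_frame(IPPROTO_UDP, udp_segment(40000, 69, tftp_rrq)),              # UDP/69: TFTP
        eth_frame(IPPROTO_TCP, tcp_segment(40001, 69, b"")),                   # TCP/69: unusual
        eth_frame(IPPROTO_TCP, tcp_segment(40002, 80, b"GET / HTTP/1.0\r\n\r\n")),
        eth_frame(IPPROTO_UDP, udp_segment(40003, 53, b"\x00" * 12)),
    ]


FILTERS = {
    "dst port 69": lambda f: filter_dst_port(f, 69),
    "tcp[2:2] = 69": lambda f: filter_proto_bytes(f, "tcp", 2, 2, 69),
    "udp[2:2] = 69": lambda f: filter_proto_bytes(f, "udp", 2, 2, 69),
}


def run_filters(frames, filters=FILTERS):
    """Count how many frames each filter expression matches."""
    return {name: sum(1 for f in frames if pred(f)) for name, pred in filters.items()}


if __name__ == "__main__":
    for name, hits in run_filters(constructed_frames()).items():
        print(f"{name!r:18} matched {hits} of {len(constructed_frames())} frames")
```

Against the constructed frames, 'dst port 69' matches both the UDP and the TCP packet, while 'tcp[2:2] = 69' matches only the TCP one and 'udp[2:2] = 69' only the UDP one. A capture of real TFTP traffic contains only the UDP kind, so the byte-offset filter that looks into the TCP header returns nothing, exactly the symptom described in the question; the capture file format is not involved. When writing byte-offset filters for a port-based protocol, spell out the transport that protocol actually uses.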

