Snort mailing list archives
Re: tcpdump filter question
From: James Hoagland <hoagland () SiliconDefense com>
Date: Thu, 21 Nov 2002 09:39:50 -0800
Hello Paul,

At 10:01 AM -0700 11/21/02, Bradley, Paul wrote:
> Using snort 1.9.0. Scenario: logging packet data to a binary file with
> snort. I want to go in and investigate some tftp activity. I usually use
> tcpdump (3.6) to read the packets.
>
> This works:
>   tcpdump -vvv -n -nn -r packet_file dst port 69
> Result = all the packets destined to tftp.
>
> This doesn't work:
>   tcpdump -vvv -n -nn -r packet_file 'tcp[2:2] = 69'
> Result = nothing (no output).
First the stupid question. Are you sure there are TCP packets with dest port 69 in packet_file? I assume that you tried the filter 'tcp and (dst port = 69)' (or equivalent) with a different result.
> When using tcpdump filters on a binary file created by snort, the built-in
> tcpdump macro filters work; however, the other style of filters don't. Does
> this have something to do with the way snort creates the binary file? I'd
> like the 2nd style of filters to work, as I can customize my packet queries.
AFAIK, Snort writes tcpdump files the same way most other programs do, with the libpcap API.
You might try this. Run tcpdump and snort at the same time, both writing to a binary file. You might want to have snort logging everything. Then query both files with the same query and compare results. If they differ, then there is something we should look into.
Actually, you might just want to run tcpdump first and give that file to snort as input (-r option). Then issue the same query on both.
Good luck,

Jim

-- 
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoagland () SiliconDefense com, http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
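Added example (editor's code, not posted by either participant) illustrating the difference between the two filter styles in the question. `dst port 69` is a libpcap macro that tests the destination port of TCP and UDP packets alike (later tcpdump releases add SCTP), whereas `tcp[2:2] = 69` reads bytes 2 and 3 of the TCP header and therefore only ever considers TCP packets. TFTP runs over UDP port 69, so the byte-offset form that matches it is `udp[2:2] = 69`, e.g. `tcpdump -n -r packet_file 'udp[2:2] = 69'`. The code builds a small constructed pcap file in the libpcap format that both `snort -b` and `tcpdump -w` write, reads it back, and evaluates both filter forms with a simplified re-implementation of their semantics (including the IHL arithmetic libpcap applies when locating the transport header). All addresses, ports, timestamps and packets are made up for the demonstration; the evaluator is an illustration, not libpcap's BPF compiler.

```python
"""Why 'dst port 69' finds TFTP traffic while 'tcp[2:2] = 69' finds nothing.
Added example; the capture and the filter evaluator are constructed here."""
import struct

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def ipv4_header(proto, payload_len, options=b""):
    """Minimal IPv4 header (constructed 10.0.0.1 -> 10.0.0.2); options change IHL."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    total = ihl * 4 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | ihl, 0, total, 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + options  # checksum left zero: the filters never look at it


def frame(proto, dport, options=b""):
    """Ethernet + IPv4 + an 8-byte UDP or 20-byte TCP header (constructed)."""
    if proto == IPPROTO_UDP:
        l4 = struct.pack("!HHHH", 40000, dport, 8, 0)
    else:
        l4 = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    eth = bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ipv4_header(proto, len(l4), options) + l4


def pcap_bytes(frames):
    """Serialise frames as a classic libpcap file (the format snort -b and tcpdump -w write)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1037900000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def read_pcap(data):
    """Parse a libpcap file back into raw frames."""
    magic, = struct.unpack_from("<I", data, 0)
    assert magic == 0xA1B2C3D4
    linktype, = struct.unpack_from("<I", data, 20)
    assert linktype == LINKTYPE_ETHERNET
    pos, frames = 24, []
    while pos < len(data):
        _, _, caplen, _ = struct.unpack_from("<IIII", data, pos)
        pos += 16
        frames.append(data[pos:pos + caplen])
        pos += caplen
    return frames


def l4_header(f):
    """Return (IP protocol, transport header bytes) for an IPv4 frame, else (None, b'')."""
    if struct.unpack_from("!H", f, 12)[0] != ETHERTYPE_IPV4:
        return None, b""
    ihl = (f[14] & 0x0F) * 4          # same IHL arithmetic libpcap applies for tcp[...] / udp[...]
    return f[14 + 9], f[14 + ihl:]


def match_dst_port(f, port):
    """'dst port N': the macro expands to tcp-or-udp with that destination port."""
    proto, l4 = l4_header(f)
    return proto in (IPPROTO_TCP, IPPROTO_UDP) and struct.unpack_from("!H", l4, 2)[0] == port


def match_offset(f, proto_name, offset, size, value):
    """'tcp[offset:size] = value' (or udp[...]): a raw header read that is only
    applied to packets of that one protocol."""
    want = {"tcp": IPPROTO_TCP, "udp": IPPROTO_UDP}[proto_name]
    proto, l4 = l4_header(f)
    if proto != want or len(l4) < offset + size:
        return False
    return int.from_bytes(l4[offset:offset + size], "big") == value


def count_matches(pcap):
    """Run the filters from the thread over a capture; returns hits per filter."""
    frames = read_pcap(pcap)
    return {
        "dst port 69":   sum(match_dst_port(f, 69) for f in frames),
        "tcp[2:2] = 69": sum(match_offset(f, "tcp", 2, 2, 69) for f in frames),
        "udp[2:2] = 69": sum(match_offset(f, "udp", 2, 2, 69) for f in frames),
    }


# Constructed capture: a TFTP request (UDP), two TCP packets to port 69 (one
# carrying four NOP IP options so that IHL != 5), and an unrelated DNS query.
SAMPLE_PCAP = pcap_bytes([
    frame(IPPROTO_UDP, 69),
    frame(IPPROTO_TCP, 69),
    frame(IPPROTO_TCP, 69, options=b"\x01\x01\x01\x01"),
    frame(IPPROTO_UDP, 53),
])

if __name__ == "__main__":
    for expr, hits in count_matches(SAMPLE_PCAP).items():
        print(f"{expr:15} -> {hits} packet(s)")
```

Writing `SAMPLE_PCAP` to disk and running the same three expressions with `tcpdump -n -r` gives the same counts, which is also the cross-check Jim suggests above: if a file written by snort and one written by tcpdump disagree under an identical filter, the file is worth investigating; if they agree, the filter is asking the wrong question.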
Current thread:
- tcpdump filter question Bradley, Paul (Nov 21)
- Re: tcpdump filter question James Hoagland (Nov 21)
- <Possible follow-ups>
- RE: tcpdump filter question Bradley, Paul (Nov 21)