Snort mailing list archives
RE: capturing arp
From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Mon, 14 Apr 2003 13:47:39 -0400
I'm not certified in any particular area, certifiable maybe, but not
certified. My tests show that both tcpdump and windump (i.e., libpcap and
winpcap, respectively) can "capture" arp packets, or at least filter on them
using BPF filters. For example:

    windump -i1 -s256 -e -v arp

Causes windump to only display arp packets.

But this doesn't answer your question as to why Snort gaks on an arp rule.
I've not looked at the source code, but maybe Snort isn't designed to handle
arp packets in rules?!

I'll leave that question for the Snort dev. team.
-----Original Message-----
From: Spencer, Arthur [mailto:Arthur.Spencer () umassmed edu]
Sent: Monday, April 14, 2003 8:39 AM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] capturing arp
In all of my tests you can't capture arp packets because they are
handled in hardware. If you use Nemesis and generate an ARP packet it
isn't captured by Ethereal or Network General Sniffer.
* Arthur J. Spencer (CISSP, CCNP, CCDP, MCSE, CNE)
-----Original Message-----
From: Patrick Amirian [mailto:pamirian () calculus ca]
Sent: Friday, April 11, 2003 3:41 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] capturing arp
Hi guys,
I'm trying to capture all arp packets doing
Alert arp any any <> any any
But I'm getting a segfault.
Ideas ?
Thank you.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
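What the `arp` capture filter in the windump command above selects, as an added example that is not part of the original thread: the filter keeps frames whose EtherType at offset 12 is 0x0806, and the sketch below applies the same test to raw frames and decodes the ARP fields. The sample frames, addresses and function names are constructed for illustration.

```python
import struct

ETHERTYPE_ARP = 0x0806          # value the BPF "arp" primitive tests at frame offset 12
ARP_OPS = {1: "request", 2: "reply"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ip(b):
    return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Decode an Ethernet II / IPv4 ARP frame; return None for anything else."""
    if len(frame) < 14:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None                      # filtered out, as "arp" would do
    body = frame[14:42]
    if len(body) < 28:
        return None                      # truncated ARP body (e.g. tiny snaplen)
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", body)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                      # not Ethernet/IPv4 ARP
    return {"eth_src": mac(src), "eth_dst": mac(dst),
            "op": ARP_OPS.get(oper, f"op-{oper}"),
            "sender_mac": mac(sha), "sender_ip": ip(spa),
            "target_mac": mac(tha), "target_ip": ip(tpa)}

def arp_only(frames):
    """Return one summary line per ARP frame, skipping everything else."""
    out = []
    for f in frames:
        a = parse_arp(f)
        if a:
            out.append(f"{a['eth_src']} > {a['eth_dst']} arp {a['op']} "
                       f"who-has {a['target_ip']} tell {a['sender_ip']}")
    return out

# Constructed sample frames (documentation addresses, locally administered MAC).
ARP_REQUEST = bytes.fromhex(
    "ffffffffffff" "02000000000a" "0806"      # Ethernet: broadcast dst, src, ARP
    "0001" "0800" "06" "04" "0001"            # htype, ptype, hlen, plen, request
    "02000000000a" "c000020a"                 # sender MAC, sender IP 192.0.2.10
    "000000000000" "c0000201")                # target MAC unknown, IP 192.0.2.1
IPV4_FRAME = bytes.fromhex("02000000000b" "02000000000a" "0800") + b"\x45" + bytes(19)
SAMPLES = [IPV4_FRAME, ARP_REQUEST, ARP_REQUEST[:30]]

if __name__ == "__main__":
    print("\n".join(arp_only(SAMPLES)))
```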
