Re: reading tcpdump file

["Edward Young" <ey52 () columbia edu>]

That worked perfectly.   Thanks.

Edward Young

----- Original Message ----- 
From: "Jeff Dell" <jdell () activeworx com>
To: "'Edward Young'" <ey52 () columbia edu>; 
<snort-users () lists sourceforge net>
Sent: Tuesday, October 12, 2004 10:13 AM
Subject: RE: [Snort-users] reading tcpdump file


> You also might want to try adding "-k none" to your command line. This is 
> to
> ignore checksums. If the program that logged this TCPDump file mangled the
> packets, your checksums will fail and snort will ignore them.
>
> Jeff
>
> -----Original Message-----
> From: Edward Young [mailto:ey52 () columbia edu]
> Sent: Tuesday, October 12, 2004 10:08 AM
> To: Jeff Dell; snort-users () lists sourceforge net
> Subject: Re: [Snort-users] reading tcpdump file
>
> Thanks for the suggestions but neither worked.  There were no 
> preprocessors.
>
> I only had that one rule in my conf file.
>
> So am I getting problems because the packets are incomplete?
>
> I tried "alert tcp any any <> any any (content:"get"; nocase;)" on the
> tcpdump file but didn't get any alerts on that file.
>
> I checked the tcpdump file in Ethereal and did find packets with "get" in
> the payload but they were marked as "Short Frame".  Does snort handle 
> these
> "Short Frame" packets differently from complete packets?
>
> Thanks,
>
> Edward Young
>
> ----- Original Message ----- 
> From: "Jeff Dell" <jdell () activeworx com>
> To: "'Edward Young'" <ey52 () columbia edu>;
> <snort-users () lists sourceforge net>
> Sent: Monday, October 11, 2004 7:36 PM
> Subject: RE: [Snort-users] reading tcpdump file
>
>
> > We had this same problem on our honeynet and had to start a new snort
> > process that was dedicated to tcpdump. What you are seeing can be caused
> > by
> > a few different reasons... here are a couple:
> >
> > 1. It is not logging the fragmented packets, but the reassembled packet.
> > If
> > you only want to log tcp traffic, you might want to turn off the
> > preprocessors. However this should be fixed in the newer versions of
> > Snort.
> >
> > 2. You might not be capturing both sides of the transmission. I would try
> > this:
> >  alert tcp any any <> any any
> >
> > Cheers,
> >
> > Jeff
> >
> > -----Original Message-----
> > From: snort-users-admin () lists sourceforge net
> > [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Edward 
> > Young
> > Sent: Monday, October 11, 2004 6:23 PM
> > To: snort-users () lists sourceforge net
> > Subject: [Snort-users] reading tcpdump file
> >
> > Hi,
> >
> > I am trying to read a tcpdump file into snort.  For some reason, it seems
> > that some of the tcp packets are being ignored for some reason.  The only
> > reason I can think of is because the tcpdump file only captured at most 
> > 96
> > bytes of each frame.
> >
> > The only rule I have in my config file is "alert tcp any any -> any any"
> > and
> >
> > these are the results that I get:
> >
> > Snort processed 37298 packets.
> ============================================================================
> > ===
> > Breakdown by protocol:
> >    TCP: 32827      (88.013%)
> >    UDP: 475        (1.274%)
> >   ICMP: 32         (0.086%)
> >    ARP: 3176       (8.515%)
> >  EAPOL: 0          (0.000%)
> >   IPv6: 4          (0.011%)
> >    IPX: 7          (0.019%)
> >  OTHER: 531        (1.424%)
> > DISCARD: 246        (0.660%)
> ============================================================================
> > ===
> > Action Stats:
> > ALERTS: 32621
> > LOGGED: 32621
> > PASSED: 0
> >
> > Where do those remaining 206 packets go?  They are tcp so why aren't they
> > logged?  I'm thinking that those 206 frames are the frames that are
> > incomplete.
> >
> > Thanks,
> >
> > Edward Young
> >
> >
> >
> > -------------------------------------------------------
> > This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
> > Use IT products in your business? Tell us what you think of them. Give us
> > Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out
> > more
> > http://productguide.itmanagersjournal.com/guidepromo.tmpl
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> >
> >
> > -------------------------------------------------------
> > This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
> > Use IT products in your business? Tell us what you think of them. Give us
> > Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out
> > more
> > http://productguide.itmanagersjournal.com/guidepromo.tmpl
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users