arpspoof preprocessor for offline PCAPs

[Michael Psaila <mp971 () york ac uk>]

Hi all,

Can the arpspoof preprocessor be used while running a PCAP file through
Snort?
Or does this preprocessor only work when sniffing traffic in real-time?

I've gone through the SNORT Users Manual and did quite a bit of googling,
but couldn't find an answer to my question.
If anyone could point me to a reference where this is documented, it would
be greatly appreciated.

I'm asking because I have enabled the arpspoof preprocessor in the
snort.conf file, and have set two IP/MAC pairs for it to monitor.
I then run a PCAP through Snort, but did not obtain anything from this
plug-in.

Many thanks for taking the time to read this post.

Regards,
Michael

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!