Capturing and Viewing Packets

Problem

You want to use Snort to capture and view packets in real time to monitor network traffic.

Solution

To see the TCP and IP packet header information, use the -v option:

C:\Snort\bin>snort -v

To see application-layer headers, use the -d option. To see the data link-layer headers, use the -e option. You can use all three command-line options together:

C:\Snort\bin>snort -dev

Discussion

Snort is an efficient and effective packet sniffer for capturing and viewing network traffic. Its output follows the text format typical of sniffers such as TCPDump or Ethereal.

You can use Snort to view network traffic by providing the necessary command-line options. The simplest way is to provide the -v (verbose) command-line option. However, this shows you only the TCP and IP packet header information, as in the following:

C:\Snort\bin>snort -v
Running in packet dump mode
Log directory = log

Initializing Network Interface \Device\NPF_{572FF0E6-9A1E-42B5-A2AF-A5A307B613EF}

 --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{572FF0E6-9A1E-42B5-A2AF-A5A307B613EF}

 --== Initialization Complete ==--

-*> Snort! <*-
Version 2.2.0-ODBC-MySQL-FlexRESP-WIN32 (Build 30)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike@datanerds.net, www.datanerds.net/~mike)
1.8 - 2.x WIN32 Port By Chris Reid (chris.reid@codecraftconsultants.com)

09/14-11:16:50.213014 192.168.100.70:1051 -> 216.155.193.130:5050
TCP TTL:128 TOS:0x0 ID:39709 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0xDA7FD499 Ack: 0x17EA2F6B Win: 0x4121 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/14-11:16:50.231051 192.168.100.70:1052 -> 205.188.5.252:5190
TCP TTL:128 TOS:0x0 ID:39710 IpLen:20 DgmLen:46 DF
***AP*** Seq: 0xDA819839 Ack: 0xFC65B33A Win: 0x422F TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

A better way to view network traffic uses the -d and -e command-line options along with the -v option. The -d option provides application-layer information and all network-layer headers (TCP, UDP, and ICMP). The -e option provides the data link-layer header information.

C:\Snort\bin>snort -dev
Running in packet dump mode
Log directory = log

Initializing Network Interface \Device\NPF_{572FF0E6-9A1E-42B5-A2AF-A5A307B613EF}

 --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{572FF0E6-9A1E-42B5-A2AF-A5A307B613EF}

 --== Initialization Complete ==--

-*> Snort! <*-
Version 2.2.0-ODBC-MySQL-FlexRESP-WIN32 (Build 30)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike@datanerds.net, www.datanerds.net/~mike)
1.8 - 2.x WIN32 Port By Chris Reid (chris.reid@codecraftconsultants.com)

09/14-11:31:11.087457 0:C:F1:11:D:66 -> 0:5:5D:ED:3B:C6 type:0x800 len:0x1B3
192.168.100.70:2381 -> 64.233.161.104:80 TCP TTL:128 TOS:0x0 ID:42992 IpLen:20 DgmLen:421 DF
***AP*** Seq: 0x65EF083A Ack: 0xF49E57A Win: 0x3EFC TcpLen: 20
47 45 54 20 2F 69 6D 61 67 65 73 2F 6C 6F 67 6F  GET /images/logo
2E 67 69 66 20 48 54 54 50 2F 31 2E 31 0D 0A 41  .gif HTTP/1.1..A
63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 52 65 66 65  ccept: */*..Refe
72 65 72 3A 20 68 74 74 70 3A 2F 2F 77 77 77 2E  rer: http://www.
67 6F 6F 67 6C 65 2E 63 6F 6D 2F 0D 0A 41 63 63  google.com/..Acc
65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E  ept-Language: en
2D 75 73 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F  -us..Accept-Enco
64 69 6E 67 3A 20 67 7A 69 70 2C 20 64 65 66 6C  ding: gzip, defl
61 74 65 0D 0A 49 66 2D 4D 6F 64 69 66 69 65 64  ate..If-Modified
2D 53 69 6E 63 65 3A 20 4D 6F 6E 2C 20 32 32 20  -Since: Mon, 22
4D 61 72 20 32 30 30 34 20 32 33 3A 30 34 3A 32  Mar 2004 23:04:2
33 20 47 4D 54 0D 0A 55 73 65 72 2D 41 67 65 6E  3 GMT..User-Agen
74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28  t: Mozilla/4.0 (
63 6F 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45  compatible; MSIE
20 36 2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54   6.0; Windows NT
20 35 2E 30 29 0D 0A 48 6F 73 74 3A 20 77 77 77   5.0)..Host: www
2E 67 6F 6F 67 6C 65 2E 63 6F 6D 0D 0A 43 6F 6E  .google.com..Con
6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C  nection: Keep-Al
69 76 65 0D 0A 43 6F 6F 6B 69 65 3A 20 50 52 45  ive..Cookie: PRE
46 3D 49 44 3D 31 63 36 37 35 33 39 62 31 35 61  F=ID=1c67539b15a
37 31 63 33 64 3A 54 4D 3D 31 30 37 38 38 34 39  71c3d:TM=1078849
32 34 30 3A 4C 4D 3D 31 30 37 38 38 34 39 34 36  240:LM=107884946
39 3A 54 42 3D 32 3A 53 3D 38 42 52 37 43 51 33  9:TB=2:S=8BR7CQ3
51 64 6C 45 78 51 68 79 6F 0D 0A 0D 0A           QdlExQhyo....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/14-11:31:11.111213 0:5:5D:ED:3B:C6 -> 0:C:F1:11:D:66 type:0x800 len:0xB5
64.233.161.104:80 -> 192.168.100.70:2381 TCP TTL:50 TOS:0x10 ID:19943 IpLen:20 DgmLen:167
***AP*** Seq: 0xF49E57A Ack: 0x65EF09B7 Win: 0x4551 TcpLen: 20
48 54 54 50 2F 31 2E 31 20 33 30 34 20 4E 6F 74  HTTP/1.1 304 Not
20 4D 6F 64 69 66 69 65 64 0D 0A 43 6F 6E 74 65   Modified..Conte
6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 68 74  nt-Type: text/ht
6D 6C 0D 0A 53 65 72 76 65 72 3A 20 47 57 53 2F  ml..Server: GWS/
32 2E 31 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E  2.1..Content-Len
67 74 68 3A 20 30 0D 0A 44 61 74 65 3A 20 46 72  gth: 0..Date: Fr
69 2C 20 31 34 20 4D 61 79 20 32 30 30 34 20 31  i, 14 May 2004 1
35 3A 33 30 3A 33 34 20 47 4D 54 0D 0A 0D 0A     5:30:34 GMT....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Once you are done viewing the packets displayed on your screen, you can type Ctrl-C to exit. You are provided with a summary of the packets that were collected. This includes a breakdown by protocol and actions.


========================
Snort received 24 packets
 Analyzed: 24(100.000%)
 Dropped: 0(0.000%)
========================
Breakdown by protocol:
 TCP: 20 (83.333%)
 UDP: 1 (4.167%)
 ICMP: 0 (0.000%)
 ARP: 3 (12.500%)
 EAPOL: 0 (0.000%)
 IPv6: 0 (0.000%)
 IPX: 0 (0.000%)
 OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
========================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
========================
pcap_loop: read error: PacketReceivePacket failed
Run time for packet processing was 36.766000 seconds

One word of caution: capturing and viewing packets in real time can significantly degrade your system's performance.
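The dump layout shown above is regular enough to parse when a captured session has to be reviewed or shared. The following added example (not from the book or the Snort project) splits -v or -dev output into records, rebuilds the payload bytes from the hex column rather than the lossy ASCII column, and flags packets that carry cleartext Cookie or Authorization headers. The sample input is constructed and uses documentation addresses; the function and field names are illustrative.

```python
import re

# Constructed sample in the `snort -dev` / `snort -v` dump layout (documentation addresses).
SAMPLE = """\
09/14-11:31:11.087457 0:C:F1:11:D:66 -> 0:5:5D:ED:3B:C6 type:0x800 len:0x5B
192.0.2.70:2381 -> 198.51.100.104:80 TCP TTL:128 TOS:0x0 ID:42992 IpLen:20 DgmLen:77 DF
***AP*** Seq: 0x65EF083A  Ack: 0xF49E57A  Win: 0x3EFC  TcpLen: 20
47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A  GET / HTTP/1.1..
43 6F 6F 6B 69 65 3A 20 50 52 45 46 3D 49 44 3D  Cookie: PREF=ID=
31 0D 0A 0D 0A                                   1....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
09/14-11:31:11.111213 192.0.2.70:1051 -> 198.51.100.130:5050
TCP TTL:128 TOS:0x0 ID:39709 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xDA7FD499  Ack: 0x17EA2F6B  Win: 0x4121  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

SEPARATOR = re.compile(r"^=\+[=+]*$", re.M)                  # record delimiter line
TS = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ", re.M)  # MM/DD-hh:mm:ss.usec
FLOW = re.compile(r"(\d+(?:\.\d+){3}):(\d+) -> (\d+(?:\.\d+){3}):(\d+)")
PROTO = re.compile(r"\b(TCP|UDP|ICMP) TTL:(\d+)")
HEX = re.compile(r"^((?:[0-9A-F]{2} ){1,16})", re.M)         # hex column of a -d line
SENSITIVE = (b"cookie:", b"authorization:")                  # cleartext credential headers

def parse_dump(text):
    """Return one dict per IPv4 TCP/UDP packet found in Snort packet-dump text."""
    packets = []
    for block in SEPARATOR.split(text):
        ts, flow = TS.search(block), FLOW.search(block)
        if not (ts and flow):
            continue  # banner, summary, ARP, or a truncated record
        proto = PROTO.search(block)
        # Trust the hex bytes: the ASCII column replaces non-printables with '.'
        payload = b"".join(bytes.fromhex(m.group(1)) for m in HEX.finditer(block))
        packets.append({
            "ts": ts.group(1),
            "src": flow.group(1), "sport": int(flow.group(2)),
            "dst": flow.group(3), "dport": int(flow.group(4)),
            "proto": proto.group(1) if proto else None,
            "ttl": int(proto.group(2)) if proto else None,
            "payload": payload,
            "sensitive": any(h in payload.lower() for h in SENSITIVE),
        })
    return packets

if __name__ == "__main__":
    for p in parse_dump(SAMPLE):
        note = "  [cleartext credentials: redact before sharing]" if p["sensitive"] else ""
        print(p["ts"], p["src"], "->", p["dst"], p["dport"], len(p["payload"]), "bytes" + note)
```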

See Also

Recipe 1.17




Snort Cookbook
ISBN: 0596007914
EAN: 2147483647
Year: 2006
Pages: 167
