Capturing Without Putting the Interface into Promiscuous Mode

Problem

You want to capture and log packets without putting the interface into promiscuous mode. For example, you want to capture and log packets only for the system on which Snort is installed.

Solution

To disable promiscuous mode sniffing, use the -p command-line option:

C:\Snort\bin>snort -dev -p

Discussion

By default, Snort captures packets in promiscuous mode, meaning it logs all traffic that reaches its interface on the network to which it is attached, not only frames addressed to the Snort host. Disabling promiscuous mode causes Snort to monitor only the traffic that is going to and from your Snort system. You can use the -p command-line option in any of Snort's modes.

The following command captures packets in packet dump mode:

C:\Snort\bin>snort -dev -p

The following command captures packets in packet logger mode:

C:\Snort\bin>snort -de -l c:\snort\log -p

The following command captures packets in NIDS mode:

C:\Snort\bin>snort -de -l c:\snort\log -c c:\snort\etc\snort.conf -p

These commands capture only the packets heading to or from the Snort system for each of the Snort modes.
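After starting Snort with -p, the check a practitioner usually wants is confirmation that the capture interface really is not promiscuous. The -p option only stops Snort from requesting promiscuous mode; if another capture tool has already switched the interface into it, the interface stays promiscuous. The script below is an added example, not code from the Snort Cookbook, and assumes a Linux host rather than the Windows paths shown above: it tests the IFF_PROMISC bit from /sys/class/net/<iface>/flags and also parses the output of `ip -o link show`, a constructed sample of which is embedded inline. The interface names eth0 and eth1 are placeholders.

```python
"""Report whether network interfaces are in promiscuous mode (Linux).

Added example, not from the Snort Cookbook. Use it to verify that a Snort
sensor started with -p left its interface non-promiscuous, or to spot an
interface that some other process has already made promiscuous.
"""
import re
import sys
from pathlib import Path

# Flag bits as defined in the Linux uapi header include/uapi/linux/if.h
IFF_UP = 0x1
IFF_PROMISC = 0x100


def flags_are_promiscuous(flags_text: str) -> bool:
    """Interpret the hex value found in /sys/class/net/<iface>/flags."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


# Matches the "<index>: <name>[@peer]: <FLAG,FLAG,...>" prefix of `ip link` lines.
_LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")


def promiscuous_from_ip_link(output: str) -> dict:
    """Parse `ip -o link show` output into {interface_name: is_promiscuous}."""
    result = {}
    for line in output.splitlines():
        m = _LINK_RE.match(line.strip())
        if not m:
            continue  # not an interface header line
        flags = set(m.group("flags").split(","))
        result[m.group("name")] = "PROMISC" in flags
    return result


def check_sysfs(iface: str, sysfs_root: Path = Path("/sys/class/net")) -> bool:
    """Read the live flags of `iface` from sysfs (Linux only).

    Raises FileNotFoundError if the interface does not exist.
    """
    flags_file = sysfs_root / iface / "flags"
    return flags_are_promiscuous(flags_file.read_text())


# Constructed sample, shaped like `ip -o link show` on a Linux host.
# eth0 is deliberately promiscuous; eth1 and lo are not.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
"""


if __name__ == "__main__":
    # Offline demonstration on the constructed sample output.
    for name, promisc in promiscuous_from_ip_link(SAMPLE_IP_LINK).items():
        print(f"[sample] {name}: {'PROMISC' if promisc else 'not promiscuous'}")
    # Live check of interfaces named on the command line (Linux only).
    for iface in sys.argv[1:]:
        try:
            state = "PROMISC" if check_sysfs(iface) else "not promiscuous"
        except FileNotFoundError:
            state = "no such interface"
        print(f"[sysfs] {iface}: {state}")
```

Run it as `python3 promisc_check.py eth0` on the sensor before and after starting Snort; a reading of "PROMISC" while Snort runs with -p points to another process holding the interface in promiscuous mode, since the kernel keeps the flag set as long as any requester remains.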

See Also

Recipe 1.16

Recipe 1.17

Recipe 1.18


Snort Cookbook
ISBN: 0596007914
Year: 2006
Pages: 167