Problem
You want to capture and log packets without putting the interface into promiscuous mode. For example, you want to capture and log packets only for the system on which Snort is installed.
Solution
To disable promiscuous mode sniffing, use the -p command-line option:
C:\Snort\bin>snort -dev -p
Discussion
By default, Snort captures packets in promiscuous mode, meaning the interface hands it every frame that reaches it, not only frames addressed to the Snort host. Disabling promiscuous mode causes Snort to monitor only the traffic that is going to and from your Snort system. You can use the -p command-line option in any of Snort's modes.
The following command captures packets in packet dump mode:
C:\Snort\bin>snort -dev -p
The following command captures packets in packet logger mode:
C:\Snort\bin>snort -de -l c:\snort\log -p
The following command captures packets in NIDS mode:
C:\Snort\bin>snort -de -l c:\snort\log -c c:\snort\etc\snort.conf -p
These commands capture only the packets heading to or from the Snort system for each of the Snort modes.
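As an added example (not from the Snort Cookbook), the following POSIX shell script composes the same three command lines for a Linux sensor and adds the check a practitioner wants after starting Snort with -p: parsing the interface flags from iproute2's `ip -o link show` output to confirm the interface did not enter promiscuous mode. The interface name, log directory and config path are placeholders, and the `-i` interface option is Snort's own.

```shell
#!/bin/sh
# Added example: build Snort command lines with -p and verify the interface
# stayed out of promiscuous mode. Assumes Linux with iproute2 (`ip`).

# Read one line of `ip -o link show dev <iface>` on stdin and print
# "promisc" if the PROMISC flag is set, otherwise "normal".
promisc_state() {
    # The flag list sits between the first '<' and '>', e.g.
    # 2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ...
    flags=$(sed -n 's/^[^<]*<\([^>]*\)>.*$/\1/p' | head -n 1)
    case ",$flags," in
        *,PROMISC,*) echo promisc ;;
        *)           echo normal ;;
    esac
}

# Print the Snort command line for a mode (dump | logger | nids),
# always appending -p so only traffic to/from this host is captured.
snort_cmd() {
    mode=$1; iface=$2; logdir=$3; conf=$4
    case $mode in
        dump)   echo "snort -dev -i $iface -p" ;;
        logger) echo "snort -de -i $iface -l $logdir -p" ;;
        nids)   echo "snort -de -i $iface -l $logdir -c $conf -p" ;;
        *)      echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Real run (needs root and Snort installed; paths are placeholders):
#   $(snort_cmd nids eth0 /var/log/snort /etc/snort/snort.conf) &
#   sleep 2
#   ip -o link show dev eth0 | promisc_state   # expect "normal" with -p
```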
See Also
Recipe 1.16
Recipe 1.17
Recipe 1.18