Logging in PCAP Format (TCPDump)

Problem

You want to log your Snort data in PCAP format (TCPDump).

Solution

The Snort log_tcpdump output plug-in allows you to log and store data in PCAP format. Configure the snort.conf file with the name of the TCPDump logfile to use:

# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
output log_tcpdump: tcpdump.log

Run Snort in NIDS mode so that it uses the snort.conf file to invoke the output plug-in:

C:\Snort\bin>snort -l c:\snort\log -c c:\snort\etc\snort.conf

Discussion

Snort's network architecture is based on the Packet Capture Library (PCAP) and uses libpcap for its underlying data capture. Many network analysis engines, sniffers, and statistics tools can read data in the PCAP format. You can use the log_tcpdump output plug-in to save the data and then view it with tools such as TCPDump and Ethereal.
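Because log_tcpdump writes plain libpcap files, they can be checked without a sniffer at all. The following reader is an added example and is not code from the Snort Cookbook: it parses the 24-byte global header and the 16-byte per-packet records of a pcap file (little- or big-endian magic), rejects corrupt record headers, and flags a file whose last record was cut off, which is what a tcpdump.log looks like when Snort is stopped mid-write. The two-packet file it parses is constructed inline, not real Snort output.

```python
import struct
from collections import namedtuple

# libpcap file layout (the format log_tcpdump writes): a 24-byte global header,
# then records made of a 16-byte record header followed by the captured bytes.
MAGIC_LE, MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1
PcapHeader = namedtuple("PcapHeader", "endian major minor snaplen linktype")
PcapRecord = namedtuple("PcapRecord", "ts_sec ts_usec incl_len orig_len data")


def read_pcap(blob):
    """Parse a pcap byte string. Returns (header, records, truncated)."""
    if len(blob) < 24:
        raise ValueError("file shorter than the 24-byte global header")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == MAGIC_LE:
        endian = "<"
    elif magic == MAGIC_BE:
        endian = ">"          # bytes a1 b2 c3 d4 on disk: written by a big-endian host
    else:
        raise ValueError("not a pcap file: magic 0x%08x" % magic)
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", blob[4:24])
    header = PcapHeader(endian, major, minor, snaplen, linktype)
    records, off, truncated = [], 24, False
    while off < len(blob):
        if off + 16 > len(blob):
            truncated = True  # record header cut off (capture stopped mid-write)
            break
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", blob[off:off + 16])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("corrupt record header at offset %d" % off)
        data = blob[off + 16:off + 16 + incl_len]
        if len(data) < incl_len:
            truncated = True  # packet bytes cut off
            break
        records.append(PcapRecord(ts_sec, ts_usec, incl_len, orig_len, data))
        off += 16 + incl_len
    return header, records, truncated


def summarize(blob):
    """Packet count, captured bytes, time span and truncation flag for a log file."""
    _hdr, recs, truncated = read_pcap(blob)
    span = (recs[-1].ts_sec - recs[0].ts_sec) if recs else 0
    return {"packets": len(recs), "bytes": sum(r.incl_len for r in recs),
            "span_sec": span, "truncated": truncated}


def build_sample():
    """Constructed two-packet little-endian pcap, Ethernet link type 1 (not Snort output)."""
    out = struct.pack("<IHHiIII", MAGIC_LE, 2, 4, 0, 0, 1514, 1)
    for sec, usec, frame in ((1000, 500, b"\x00" * 14 + b"A" * 20), (1003, 0, b"\x00" * 14 + b"B" * 40)):
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out
```

Run `summarize(open("tcpdump.log", "rb").read())` against a real log to get the same dictionary; a `truncated` value of True means the last record should be discarded before the file is handed to other tools.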

See Also

http://www.tcpdump.org

http://www.ethereal.com

Snort Cookbook
ISBN: 0596007914
Year: 2006
Pages: 167