Problem
You want to log your Snort data in PCAP format (TCPDump).
Solution
The Snort log_tcpdump output plug-in logs and stores captured packets in PCAP format. Configure the snort.conf file with the name of the TCPDump logfile to use (the output line is commented out by default, so uncomment it and set the filename):
# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
output log_tcpdump: tcpdump.log
Run Snort in NIDS mode so that it reads the snort.conf file and invokes the output plug-in; the -l option names the log directory in which tcpdump.log is written:
C:\Snort\bin>snort -l c:\snort\log -c c:\snort\etc\snort.conf
Discussion
Snort's packet acquisition is built on the Packet Capture Library (PCAP): it uses libpcap for its underlying data capture, and the log_tcpdump plug-in writes packets in the same libpcap file format. Many network analysis engines, sniffers, and statistics tools can read that format, so you can use the log_tcpdump output plug-in to save the data and then view it with tools such as TCPDump and Ethereal.
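The libpcap file format that log_tcpdump writes is simple enough to read without libpcap at all, which is useful when you need to verify a log or feed it to a custom tool. The following is an added example, not Snort project code: a minimal standalone parser for the classic pcap format (24-byte global header, then per-packet records of timestamp, captured length, original length and data), with an Ethernet/IPv4 summarizer and a constructed two-packet capture (addresses from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24) so it runs offline. The pcap magic values, version 2.4, and link type 1 (Ethernet) are the published format constants; everything else in the sample is made up for the demonstration.

```python
"""Minimal reader for the libpcap (tcpdump) file format written by Snort's
log_tcpdump plug-in. Added example; not part of Snort or libpcap."""
import struct
from dataclasses import dataclass
from typing import List

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # pcap variant with nanosecond timestamps
LINKTYPE_ETHERNET = 1          # link-layer header type for Ethernet


@dataclass
class Packet:
    ts: float        # seconds since the Unix epoch
    orig_len: int    # length of the packet on the wire
    data: bytes      # captured bytes (may be shorter than orig_len if snapped)


@dataclass
class Capture:
    snaplen: int
    linktype: int
    packets: List[Packet]


def parse_pcap(buf: bytes) -> Capture:
    """Parse a whole pcap file held in memory, detecting byte order from the magic."""
    if len(buf) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", buf[:4])[0]
    if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = "<"
    else:
        magic = struct.unpack(">I", buf[:4])[0]
        if magic not in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            raise ValueError("not a pcap file (bad magic)")
        endian = ">"
    divisor = 1e9 if magic == PCAP_MAGIC_NSEC else 1e6
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", buf[4:24])
    if (major, minor) != (2, 4):
        raise ValueError(f"unsupported pcap version {major}.{minor}")

    packets: List[Packet] = []
    off = 24
    while off < len(buf):
        if off + 16 > len(buf):
            raise ValueError("truncated packet record header")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", buf[off:off + 16])
        off += 16
        # A record claiming more bytes than snaplen or than the wire length is corrupt.
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"inconsistent lengths in record at offset {off - 16}")
        if off + incl_len > len(buf):
            raise ValueError("truncated packet data")
        packets.append(Packet(ts_sec + ts_frac / divisor, orig_len,
                              buf[off:off + incl_len]))
        off += incl_len
    return Capture(snaplen, linktype, packets)


def summarize_ipv4(frame: bytes) -> str:
    """One-line summary of an Ethernet II + IPv4 frame: 'src -> dst proto N'."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return "non-IPv4"
    proto = frame[23]                                   # IPv4 protocol field
    src = ".".join(str(b) for b in frame[26:30])        # IPv4 source address
    dst = ".".join(str(b) for b in frame[30:34])        # IPv4 destination address
    return f"{src} -> {dst} proto {proto}"


def _eth_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a constructed Ethernet/IPv4 frame (checksums left at zero)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                     proto, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return eth + ip + payload


def build_sample_pcap() -> bytes:
    """Constructed little-endian capture: one TCP (6) and one UDP (17) packet."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    frames = [
        (1_700_000_000, 250_000, _eth_ipv4("192.0.2.10", "198.51.100.5", 6, b"\x00" * 20)),
        (1_700_000_001, 0, _eth_ipv4("192.0.2.10", "198.51.100.53", 17, b"\x00" * 8)),
    ]
    out = hdr
    for sec, usec, frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    # Swap build_sample_pcap() for open("tcpdump.log", "rb").read() to read a real log.
    cap = parse_pcap(build_sample_pcap())
    print(f"linktype={cap.linktype} snaplen={cap.snaplen} packets={len(cap.packets)}")
    for pkt in cap.packets:
        print(f"{pkt.ts:.6f} len={pkt.orig_len} {summarize_ipv4(pkt.data)}")
```

The parser refuses records whose captured length exceeds the snaplen or the wire length, which is the most common sign of a truncated or corrupted log file; a real tcpdump.log from Snort carries the same 24-byte header and record layout, so the only change needed to read one is to pass the file's bytes instead of the constructed sample.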
See Also
http://www.tcpdump.org
http://www.ethereal.com