Logging Packets That Snort Captures


You want to use Snort to log your network traffic to files in real time.


To log network traffic to a set of files and directories, use the -l option:

C:Snortin>snort -de -l c:snortlog

To log network traffic relative to your home network, use the -h option:

C:Snortin>snort -l c:snortlog -h

To log network traffic in binary format, use the -b option in conjunction with the -l option:

C:Snortin>snort -l c:snortlog -b

To specify a name for the binary logfile, use the -L option:

C:Snortin>snort -l c:snortlog -L test



Snort can be used to log network traffic in a variety of ways. By providing the necessary command-line options, you can log the data to files sorted by directory or to a binary file. Network traffic can be logged to a set of files and directories by using the -l command-line option. You must provide the name of the directory to which you wish to log the data. For our example, we have used the default log directory C:Snortlog. If you wish to use a different log directory, make sure it exists first, or Snort exits with an error.

C:Snortin>snort -de -l c:snortlog

Running in packet logging mode

Log directory = c:snortlog


Initializing Network Interface DeviceNPF_



 --= = Initializing Snort = =--

Initializing Output Plugins!

Decoding Ethernet on interface DeviceNPF_



 --= = Initialization Complete = =--


-*> Snort! <*-

Version 2.2.0-ODBC-MySQL-FlexRESP-WIN32 (Build 30)

By Martin Roesch (roesch@sourcefire.com, www.snort.org)

1.7-WIN32 Port By Michael Davis (mike@datanerds.net,


1.8 - 2.x WIN32 Port By Chris Reid


You won't see any data output on the screen when you are logging in this format, unless you also use the -v command-line option. Once you are through capturing data, you may exit the program by typing Ctrl-C. This displays the summary and statistics of the packets that have been captured. Change to the log directory and you'll notice that one or more folders have been created and named by IP address. These folders contain text files of the logged data.


 Volume in drive C has no label.

 Volume Serial Number is 643C-4C37


 Directory of C:Snortlog


09/14/2004 12:09p 

. 09/14/2004 12:09p

.. 09/14/2004 12:13p 09/14/2004 12:13p 0 File(s) 0 bytes 4 Dir(s) 22,730,764,288 bytes free

Snort creates the logfiles within these directories according to session. The source and destination ports are part of the titles. They can be viewed at the command line or by using your favorite text viewer, such as Notepad.exe.



C:Snortlog192.168.100.70>type TCP_3255-80.ids


09/14-15:30:13.461210 0:C:F1:11:D:66 -> 0:5:5D:ED:3B:C6 type:0x800

len:0x3E -> TCP TTL:128 TOS:0x0

ID:14364 IpLen:20 DgmLen:48 DF

******S* Seq: 0x3DE17A13 Ack: 0x0 Win: 0x4000 TcpLen: 28

TCP Options (4) => MSS: 1460 NOP NOP SackOK 




09/14-15:30:13.480385 0:5:5D:ED:3B:C6 -> 0:C:F1:11:D:66 type:0x800

len:0x3C -> TCP TTL:242 TOS:0x0

ID:22049 IpLen:20 DgmLen:44

***A**S* Seq: 0xEE155CFA Ack: 0x3DE17A14 Win: 0x1FFE TcpLen: 24

TCP Options (1) => MSS: 1460 




09/14-15:30:13.480407 0:C:F1:11:D:66 -> 0:5:5D:ED:3B:C6 type:0x800

len:0x36 -> TCP TTL:128 TOS:0x0

ID:14366 IpLen:20 DgmLen:40 DF

***A**** Seq: 0x3DE17A14 Ack: 0xEE155CFB Win: 0x4470 TcpLen: 20




09/14-15:30:13.480853 0:C:F1:11:D:66 -> 0:5:5D:ED:3B:C6 type:0x800

len:0x151 -> TCP TTL:128 TOS:0x0

ID:14367 IpLen:20 DgmLen:323 DF

***AP*** Seq: 0x3DE17A14 Ack: 0xEE155CFB Win: 0x4470 TcpLen: 20

47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A GET / HTTP/1.1..

41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 41 63 63 Accept: */*..Acc

65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E ept-Language: en

2D 75 73 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F -us..Accept-Enco

64 69 6E 67 3A 20 67 7A 69 70 2C 20 64 65 66 6C ding: gzip, defl

61 74 65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A ate..User-Agent:

20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F Mozilla/4.0 (co

6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 36 mpatible; MSIE 6

2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35 .0; Windows NT 5

2E 30 29 0D 0A 48 6F 73 74 3A 20 77 77 77 2E 67 .0)..Host: www.g

6F 6F 67 6C 65 2E 63 6F 6D 0D 0A 43 6F 6E 6E 65 oogle.com..Conne

63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 ction: Keep-Aliv

65 0D 0A 43 6F 6F 6B 69 65 3A 20 50 52 45 46 3D e..Cookie: PREF=

49 44 3D 31 63 36 37 35 33 39 62 31 35 61 37 31 ID=1c67539b15a71

63 33 64 3A 54 4D 3D 31 30 37 38 38 34 39 32 34 c3d:TM=107884924

30 3A 4C 4D 3D 31 30 37 38 38 34 39 34 36 39 3A 0:LM=1078849469:

54 42 3D 32 3A 53 3D 38 42 52 37 43 51 33 51 64 TB=2:S=8BR7CQ3Qd

6C 45 78 51 68 79 6F 0D 0A 0D 0A lExQhyo....



You can use the -h option to make sure your files are logged relative to the home network. Snort logs packets from both the local and remote computer IP addresses as directory names, depending on who initiated the connection. You can use the -h command-line option to log relative to the home network. This way, all directories are named after the remote computer IP addresses. The following command specifies that is the home network.

C:Snortin>snort -l c:snortlog -h

Another option, and a much faster one, is to log the data in binary log format. Other sniffers such as TCPDump and Ethereal can read data in this type of format. However, it is not readable by a text viewer. To log in binary format, you must use the -b command-line option in conjunction with -l. The -b option specifies that you wish to log the packets in binary format. You won't see any data output on the screen when you are logging in binary format, unless you also use the -v command-line option. You don't need to specify the -d or -e command-line options, because by default, the binary option logs the entire packet.

C:Snortin>snort -l c:snortlog -b

This command creates a file called snort.log.1084553605 in the C:Snortlog directory. You can specify a name for the logfile by using the -L option. When using the -L option, you do not need to specify the -b option, because it automatically logs in binary format.

C:Snortin>snort -l c:snortlog -L test

This command creates a file called test.1084554709 in the C:Snortlog directory.

Keep in mind that logging network traffic consumes hard drive space. This is relative to how much traffic crosses the segment you are monitoring. Logging traffic can also create a heavy load on the CPU of the Snort system. Logging traffic in binary mode is great for high-speed networks and compact storage. Binary files can then be reviewed later using Snort, TCPDump, Ethereal, or other binary log compatible programs.

A common reason for using Snort is to capture and log only certain transactionsfor instance, when a purchase is made over the web site. This is done in compliance with various laws, and is required for repudiation of online purchases and/or mouse-click agreements.

See Also

Recipe 1.16

Recipe 1.19

Running Snort to Detect Intrusions

Installing Snort from Source on Unix

Logging to a File Quickly

How to Build Rules

Detecting Stateless Attacks and Stream Reassembly

Managing Snort Sensors

Generating Statistical Output from Snort Logs

Monitoring Network Performance


Snort Cookbook
Snort Cookbook
ISBN: 0596007914
EAN: 2147483647
Year: 2006
Pages: 167

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net