Snort mailing list archives
Re: Need to log FULL packets
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 13 Mar 2002 13:59:43 -0500
Well, first I'm wondering what version of snort you are running. Snort 1.9??? Erm, snort 1.8.4 isn't even in non-beta yet as far as I can tell (1.8.4 beta4 was released March 2). Is 1.9 what the CVS image tarballs call themselves? If so, why are you using snort-current for production use? (That's a development branch snapshot, which really could use a better name on the website; the term "current" risks implying "current release".)
As far as switches go, -X (full dump including IP headers) or -d (application layer only, no IP headers) should be all you need.
You claim the data looks like it is "cut off". Since this is UDP we are talking about, have you checked to make sure you're not only catching one fragment of a multi-fragment UDP packet? Note that dumping the application layer data like this will slow snort down enough that it becomes quite likely that if a UDP packet gets fragmented you may miss some of the following fragments while the first one is dumped.
If this is the case, you might make sure that the frag2 preprocessor is on to defragment the UDP packet prior to passing it up and dumping it.
At 01:06 PM 3/13/2002 -0500, Sheahan, Paul (PCLN-NW) wrote:
Hello, I'm doing an investigation on some unusual UDP traffic on my network and am using Snort 1.9 on Linux to monitor the data. The traces of each packet are getting cut off in the logs. How can I be sure I am getting ALL of each packet in the traces? The more info I can gather on each packet during this test would be ideal (I'm not concerned about speed or missed packets). Can anyone recommend the correct Snort switches so I can gather the MOST thorough data? Thanks in advance! Paul
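The failure mode Matt describes above (only the first fragment of a fragmented UDP datagram is captured, so the application data looks cut off) as an added example, not code from the thread or from Snort: a small IPv4 fragment reassembler run over constructed fragments. The names build_fragment, parse_ipv4, reassemble and demo are assumptions, and the addresses, ports and payload are constructed sample data.

```python
import struct

def build_fragment(ident: int, offset: int, mf: bool, payload: bytes) -> bytes:
    """Constructed sample data: minimal IPv4 header (checksum left 0) in front of one fragment."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)     # MF flag + offset in 8-byte units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def parse_ipv4(pkt: bytes) -> dict:
    """Pull out the IPv4 fields reassembly needs: flow key, MF flag, byte offset, payload."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    return {
        "key": (pkt[12:16], pkt[16:20], ident, pkt[9]),  # (src, dst, id, proto)
        "mf": bool(flags_frag & 0x2000),
        "offset": (flags_frag & 0x1FFF) * 8,
        "payload": pkt[ihl:total_len],
    }

def reassemble(fragments) -> dict:
    """Group fragments by flow key and rebuild each datagram (what frag2 does before logging).
    Returns {key: full_payload}; datagrams with a missing fragment or a gap are dropped."""
    groups = {}
    for f in map(parse_ipv4, fragments):
        groups.setdefault(f["key"], []).append(f)
    done = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        if frags[-1]["mf"]:
            continue                                      # last fragment never arrived
        expected, buf = 0, bytearray()
        for f in frags:
            if f["offset"] != expected:
                break                                     # hole in the middle
            buf += f["payload"]
            expected += len(f["payload"])
        else:
            done[key] = bytes(buf)
    return done

def demo():
    """Split a constructed UDP datagram into two IP fragments; compare first-only vs reassembled."""
    data = b"A" * 1000 + b"END"
    udp = struct.pack("!HHHH", 5353, 5353, 8 + len(data), 0) + data   # 8-byte UDP header + data
    frags = [build_fragment(0x1234, 0, True, udp[:800]),
             build_fragment(0x1234, 800, False, udp[800:])]
    truncated = parse_ipv4(frags[0])["payload"][8:]       # only the first fragment was captured
    complete = list(reassemble(frags).values())[0][8:]    # both fragments seen and defragmented
    return truncated, complete
```

With only the first fragment dumped the application data stops at 792 bytes of padding; after reassembly the trailing END marker is present.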