Snort mailing list archives

Re: Replaying pcaps through Snort

From: Joel Esler <jesler () sourcefire com>
Date: Sat, 6 Apr 2013 11:33:24 -0400

Nope.  -r is the correct command.  Hat other commands are you issuing Snort?

--
Joel Esler
Sent from my iPhone 

On Apr 6, 2013, at 8:43 AM, Y M <snort () outlook com> wrote:

I have a pcap generated from some testing, and lets assume that the source ip is 192.168.1.10:5432 and destination ip 
is 192.168.1.15:445, which conforms to the test scenario I was working with and as captured by wireshark.

However, replaying the pcap file through Snort (-r), Snort is reporting source and destination ip addresses 
backwards, i.e.:  source ip is 192.168.1.15:445 and the destination ip 192.168.1.10:5432.

What am i missing? Is there an extra argument i must input?

Thanks.
YM
------------------------------------------------------------------------------
Minimize network downtime and maximize team effectiveness.
Reduce network management and security costs.Learn how to hire 
the most talented Cisco Certified professionals. Visit the 
Employer Resources Portal
http://www.cisco.com/web/learning/employer_resources/index.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Minimize network downtime and maximize team effectiveness.
Reduce network management and security costs.Learn how to hire 
the most talented Cisco Certified professionals. Visit the 
Employer Resources Portal
http://www.cisco.com/web/learning/employer_resources/index.html

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Replaying pcaps through Snort Y M (Apr 06)
- Re: Replaying pcaps through Snort Joel Esler (Apr 06)
- <Possible follow-ups>
- Re: Replaying pcaps through Snort Y M (Apr 06)
  - Re: Replaying pcaps through Snort waldo kitty (Apr 06)
    - Re: Replaying pcaps through Snort Y M (Apr 06)
    - Re: Replaying pcaps through Snort waldo kitty (Apr 06)
    - Re: Replaying pcaps through Snort Y M (Apr 06)
    - Re: Replaying pcaps through Snort waldo kitty (Apr 06)
- Re: Replaying pcaps through Snort Y M (Apr 06)
  - Re: Replaying pcaps through Snort Kurt Jensen CISSP (Apr 08)