Using Snort as a packet sniffer

Snort has different modes. Here we will look at real-world examples of using it as a packet capture utility. Snort has to be run as root because it needs to put the network interface into promiscuous mode. To see IP protocol headers, type the following:

snort -v

You will see IP protocol headers scroll past on the screen. To quit, press CTRL+C (if it does not seem to respond, it is because Snort has not yet received a matching packet).

To run Snort on a particular interface, type:

snort -v -i eth2

To see IP headers as well as the data, i.e. application-layer payload, use -d:

snort -vd

To capture data-link layer information as well (we will also see MAC addresses), we use -e:

snort -vde

In the following example, we will sniff packets from source IP 192.168.2.1 by appending a BPF filter expression:

snort -vde src host 192.168.2.1

To capture packets from source IP 192.168.2.1 and to port 25, do the following:

snort -vde src host 192.168.2.1 and port 25

To capture traffic originating from 192.168.2.1 and destined to 192.168.10.10, do:

snort -vde src host 192.168.2.1 and dst host 192.168.10.10
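As an added example (not part of the original post), here is a small POSIX sh wrapper that assembles the same "snort -vde -i <iface> <bpf filter>" form used above from an interface, an optional source and destination IPv4 address and a port, and rejects malformed input before a root-privileged capture is started. The function names are this example's own, not Snort's.

```shell
#!/bin/sh
# Added example: build and run a Snort sniffer-mode command line.
# is_ipv4 ADDR: succeed only for a dotted quad whose octets are 0-255.
is_ipv4() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# snort_sniff_cmd IFACE [SRC_IP] [DST_IP] [PORT]: print the command to run,
# or fail (non-zero) when the interface name, an address or the port is bad.
# -v prints headers, -d adds the application-layer payload, -e adds link-layer headers.
snort_sniff_cmd() {
  iface=$1 src=${2:-} dst=${3:-} port=${4:-}
  case $iface in ''|*[!A-Za-z0-9_.:-]*) echo "bad interface: $iface" >&2; return 1;; esac
  filter=""
  if [ -n "$src" ]; then
    is_ipv4 "$src" || { echo "bad source IP: $src" >&2; return 1; }
    filter="src host $src"
  fi
  if [ -n "$dst" ]; then
    is_ipv4 "$dst" || { echo "bad destination IP: $dst" >&2; return 1; }
    filter="${filter:+$filter and }dst host $dst"
  fi
  if [ -n "$port" ]; then
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    filter="${filter:+$filter and }port $port"
  fi
  printf 'snort -vde -i %s%s\n' "$iface" "${filter:+ $filter}"
}

# run_sniff: same arguments; Snort needs root for promiscuous mode, so refuse otherwise.
run_sniff() {
  [ "$(id -u)" -eq 0 ] || { echo "snort must be run as root" >&2; return 1; }
  cmd=$(snort_sniff_cmd "$@") || return 1
  exec $cmd
}
```

For example, run_sniff eth2 192.168.2.1 "" 25 reproduces the "src host 192.168.2.1 and port 25" capture shown above on eth2.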
