9.21. Packet Sniffing with Snort

Problem

You want to use Snort as a simple packet sniffer.

Solution

To format and print network trace information:

# snort -v [-d|-X] [-C] [-e] [filter-expression]

To sniff packets from a particular interface, or with a different snapshot length (these options combine with the -v, -d, -X, -C, and -e options above):

# snort [-i interface] [-P snap-length] [filter-expression]

To read network trace data you have saved previously:

$ snort -r filename [filter-expression]

Discussion

Snort can act as a simple packet sniffer, providing a level of detail between the terseness of tcpdump [Recipe 9.16] and the verbosity of tethereal [Recipe 9.17]. The -v option prints a summary of the protocol headers for each packet. To dump the payload data in hexadecimal and ASCII, add the -d option (add -C as well if you want only the printable characters, with no hex column). For more information about the lower-level protocols, add -e to print a summary of the link-level (Ethernet) headers, or use -X instead of -d to dump the raw packet starting at the link layer, so that the Ethernet, IP, and TCP headers appear in the hex dump along with the payload:

# snort -veX
02/27-23:32:15.641528 52:54:4C:A:6B:CD -> 0:50:4:D5:8E:5A type:0x800 len:0x9A
192.168.33.1:20 -> 192.168.33.3:1058 TCP TTL:60 TOS:0x8 ID:28465 IpLen:20 DgmLen:140
***AP*** Seq: 0xDCE2E01  Ack: 0xA3B50859  Win: 0x1C84  TcpLen: 20
0x0000: 00 50 04 D5 8E 5A 52 54 4C 0A 6B CD 08 00 45 08  .P...ZRTL.k...E.
0x0010: 00 8C 6F 31 00 00 3C 06 4B DE C0 A8 21 01 C0 A8  ..o1..<.K...!...
0x0020: 21 03 00 14 04 22 0D CE 2E 01 A3 B5 08 59 50 18  !....".......YP.
0x0030: 1C 84 34 BB 00 00 54 6F 75 72 69 73 74 73 20 2D  ..4...Tourists -
0x0040: 2D 20 68 61 ...
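Everything Snort printed in its summary lines is recoverable from the -X hex columns. The following script is an added worked example, not code from the Linux Security Cookbook or from the Snort project: it parses the hex columns of the dump above back into bytes, decodes the Ethernet, IPv4, and TCP headers with the Python standard library, verifies the IPv4 header checksum, and re-renders Snort's summary lines so the two can be compared field by field. The embedded dump is the recipe's own output; because the book truncates it after offset 0x40, the payload is partial, the frame length is derived from the IP total length, and the TCP checksum is not checked.

```python
"""Decode the header summary back out of a Snort -X hex dump (added example).

The dump below is copied from the recipe's snort -veX output. The book
truncates it after offset 0x40, so the Ethernet, IPv4 and TCP headers are
complete but the payload is partial; the TCP checksum is therefore not checked.
"""
import re
import struct

# Snort -X output from the recipe, verbatim; the hex dump starts at the link layer.
SNORT_X_DUMP = """\
0x0000: 00 50 04 D5 8E 5A 52 54 4C 0A 6B CD 08 00 45 08  .P...ZRTL.k...E.
0x0010: 00 8C 6F 31 00 00 3C 06 4B DE C0 A8 21 01 C0 A8  ..o1..<.K...!...
0x0020: 21 03 00 14 04 22 0D CE 2E 01 A3 B5 08 59 50 18  !....".......YP.
0x0030: 1C 84 34 BB 00 00 54 6F 75 72 69 73 74 73 20 2D  ..4...Tourists -
0x0040: 2D 20 68 61 ...
"""

# Snort's flag string order: the two reserved bits (now CWR/ECE), then URG ACK PSH RST SYN FIN.
TCP_FLAG_NAMES = "12UAPRSF"


def hexdump_to_bytes(dump):
    """Collect the hex byte columns of a Snort -X/-d dump, skipping offsets and the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*0x[0-9A-Fa-f]{4}:\s+(.*)", line)
        if not m:
            continue
        count = 0
        for tok in m.group(1).split():
            # A line carries at most 16 bytes; anything else is the ASCII column or a "..." cut.
            if count == 16 or not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break
            out.append(int(tok, 16))
            count += 1
    return bytes(out)


def mac(octets):
    """Format a MAC the way the recipe's Snort output prints it: hex octets without zero padding."""
    return ":".join("%X" % o for o in octets)


def ip_checksum(header):
    """RFC 1071 one's-complement sum of the IPv4 header; returns 0 when the embedded checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame):
    """Decode Ethernet II -> IPv4 -> TCP and return the fields Snort shows in its summary lines."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4: ethertype 0x%04X" % ethertype)
    ip = frame[14:]
    ver_ihl, tos, total_len, ident, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("not TCP: protocol %d" % proto)
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    tcp_len = (off_flags >> 12) * 4
    flags = off_flags & 0xFF
    flag_str = "".join(n if flags & (1 << (7 - i)) else "*" for i, n in enumerate(TCP_FLAG_NAMES))
    return {
        "src_mac": mac(src), "dst_mac": mac(dst), "ethertype": ethertype,
        # Snort's len: is the frame length on the wire; derive it from the IP total length,
        # because the dump itself is truncated.
        "frame_len": 14 + total_len,
        "src": ".".join(str(b) for b in ip[12:16]), "dst": ".".join(str(b) for b in ip[16:20]),
        "sport": sport, "dport": dport, "ttl": ttl, "tos": tos, "id": ident,
        "ip_len": ihl, "dgm_len": total_len,
        "ip_checksum_ok": ip_checksum(ip[:ihl]) == 0,
        "flags": flag_str, "seq": seq, "ack": ack, "win": win, "tcp_len": tcp_len,
        "payload": tcp[tcp_len:],  # only what survived the truncated dump
    }


def snort_summary(f):
    """Render decoded fields in the layout of snort -veX's three header lines."""
    return "\n".join([
        "%s -> %s type:0x%X len:0x%X" % (f["src_mac"], f["dst_mac"], f["ethertype"], f["frame_len"]),
        "%s:%d -> %s:%d TCP TTL:%d TOS:0x%X ID:%d IpLen:%d DgmLen:%d"
        % (f["src"], f["sport"], f["dst"], f["dport"], f["ttl"], f["tos"], f["id"], f["ip_len"], f["dgm_len"]),
        "%s Seq: 0x%X  Ack: 0x%X  Win: 0x%X  TcpLen: %d"
        % (f["flags"], f["seq"], f["ack"], f["win"], f["tcp_len"]),
    ])


if __name__ == "__main__":
    fields = decode_frame(hexdump_to_bytes(SNORT_X_DUMP))
    print(snort_summary(fields))
    print("IP header checksum valid:", fields["ip_checksum_ok"])
    print("payload so far:", fields["payload"])
```

Run as-is, the rendered lines match the recipe's output field for field (including the unpadded MAC octets and the ***AP*** flag string), and the IPv4 header checksum 0x4BDE verifies, which is a quick sanity check that the hex columns were transcribed without error. The same parser works on any -d or -X dump Snort emits, so it is also a convenient way to pull raw bytes out of a saved sniffer session for further analysis.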
