Saturday, 6 August 2016

Using Snort as a packet sniffer

Snort has several operating modes. Here we will see real-world examples of using it as a packet capture utility. Snort has to be run as root because it needs to put the network interface into promiscuous mode. To see IP protocol headers, type the following:
snort -v
You will see the IP protocol headers of passing packets printed on the screen. To quit, press CTRL+C (if it does not seem to respond, it is because snort has not yet received a matching packet).
To run snort on a particular interface, type:
snort -v -i eth2
To see the IP headers as well as the packet payload, i.e. the application-layer data, use -d:
snort -vd
To capture data-link layer information as well (this also shows the MAC addresses), add -e:
snort -vde
In the following example, we sniff only packets coming from a particular source IP (the address is given after src host):
snort -vde src host
To capture packets from a source IP that are destined to port 25, do the following:
snort -vde src host and port 25
To capture traffic originating from one host and destined to another, do:
snort -vde src host and dst host
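The filters above are BPF expressions that snort passes to libpcap, so a typo in a host address silently yields a capture that never matches (which is why CTRL+C can appear not to respond). The script below is an added example, not code from the original post: it builds the same "-vde -i IFACE src host ... and dst host ... and port ..." command line from separate arguments, validates each piece before it reaches the filter, and checks the two preconditions the post mentions (root for promiscuous mode, and that snort is installed) before running anything. The interface name and the 192.0.2.x / 198.51.100.x addresses are constructed illustrations (RFC 5737 documentation ranges), not values from the post.

```shell
#!/bin/sh
# Added example (not part of the original post): compose and sanity-check a
# snort sniffer command line. Interface and addresses used below are assumed
# illustrative values, not taken from the post.

# is_ipv4 ADDR: returns 0 if ADDR is a well-formed dotted-quad IPv4 address.
is_ipv4() {
    addr=$1
    case "$addr" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# build_filter SRC DST PORT: prints the BPF filter; empty parts are skipped,
# clauses are joined with "and" exactly as in the post's examples.
build_filter() {
    src=$1; dst=$2; port=$3
    filter=""
    if [ -n "$src" ]; then
        is_ipv4 "$src" || { echo "bad source host: $src" >&2; return 1; }
        filter="src host $src"
    fi
    if [ -n "$dst" ]; then
        is_ipv4 "$dst" || { echo "bad destination host: $dst" >&2; return 1; }
        filter="${filter:+$filter and }dst host $dst"
    fi
    if [ -n "$port" ]; then
        case "$port" in
            *[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
        filter="${filter:+$filter and }port $port"
    fi
    printf '%s\n' "$filter"
}

# build_snort_cmd IFACE SRC DST PORT: prints the full command line
# (-v verbose headers, -d payload, -e data-link layer, -i interface).
build_snort_cmd() {
    iface=$1
    filter=$(build_filter "$2" "$3" "$4") || return 1
    cmd="snort -vde"
    if [ -n "$iface" ]; then
        cmd="$cmd -i $iface"
    fi
    if [ -n "$filter" ]; then
        cmd="$cmd $filter"
    fi
    printf '%s\n' "$cmd"
}

# run_sniffer IFACE SRC DST PORT: verifies the preconditions from the post
# (root for promiscuous mode, snort present), then executes the command.
run_sniffer() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "snort must run as root to put the interface in promiscuous mode" >&2
        return 1
    fi
    command -v snort >/dev/null 2>&1 || { echo "snort not found in PATH" >&2; return 1; }
    cmd=$(build_snort_cmd "$@") || return 1
    echo "running: $cmd"
    $cmd
}

# Stand-alone demo: only prints the command it would run (does not start snort).
build_snort_cmd eth2 192.0.2.10 198.51.100.5 25
```

Calling `run_sniffer eth2 192.0.2.10 "" 25` as root starts the capture with the same flags the post uses; calling `build_snort_cmd` alone is a safe way to check the filter expression before handing the interface over to snort.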