Saturday 6 August 2016

Using Snort as a packet sniffer

Snort has several modes of operation. Here we look at real-world examples of using it as a packet capture (sniffer) utility. Snort has to be run as root (or with the capability to open raw sockets) because it needs to put the network interface into promiscuous mode. To see the IP and transport-layer (TCP/UDP/ICMP) packet headers, type the following:
snort -v
The packet headers scroll past on the screen. To quit, press CTRL+C. (If Snort does not seem to respond right away, it is because it has not yet received a matching packet.)
To run Snort on a particular interface, use -i:
snort -v -i eth2
To see the IP headers as well as the packet data (i.e. the application-layer payload), add -d:
snort -vd
To capture data-link layer information as well (you will then also see the MAC addresses), add -e:
snort -vde
Everything after the options is passed to libpcap as a BPF filter expression, with the same syntax tcpdump uses. In the following example we sniff only packets whose source IP is 192.168.2.1:
snort -vde src host 192.168.2.1
To capture packets from source IP 192.168.2.1 that involve port 25 (note that "port" on its own matches either the source or the destination port; use "dst port 25" to restrict it to the destination), do the following:
snort -vde src host 192.168.2.1 and port 25
To capture traffic originating from 192.168.2.1 and destined for 192.168.10.10, do:
snort -vde src host 192.168.2.1 and dst host 192.168.10.10
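These filters are compiled by libpcap rather than by Snort itself, so the easiest way to check what an expression will capture is to evaluate its semantics against some packets before pointing it at a live interface. The following is an added example, not code from this post or from Snort: a small evaluator for the subset of the BPF syntax used above (host / src host / dst host, port / src port / dst port, and / or / not, parentheses), run over a handful of constructed packets. The Packet class, the function names and the sample 5-tuples are assumptions made for this illustration.

```python
"""Evaluate the BPF filter subset used with `snort -vde ... <filter>`.

Added example, not Snort's own code. Supports: [src|dst] host A.B.C.D,
[src|dst] port N, and/or/not, parentheses. Packets and names are assumed.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Packet:          # assumed minimal 4-tuple; real BPF also sees proto, MACs, ...
    src: str
    dst: str
    sport: int
    dport: int


TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")   # parens are their own tokens


def tokenize(expr):
    return TOKEN_RE.findall(expr)


class Parser:
    """Recursive-descent parser: or < and < not, same precedence as libpcap."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def expr(self):                      # lowest precedence: or
        left = self.term()
        while self.peek() in ("or", "||"):
            self.take()
            left = ("or", left, self.term())
        return left

    def term(self):                      # and
        left = self.factor()
        while self.peek() in ("and", "&&"):
            self.take()
            left = ("and", left, self.factor())
        return left

    def factor(self):                    # not, parentheses, primitives
        tok = self.peek()
        if tok in ("not", "!"):
            self.take()
            return ("not", self.factor())
        if tok == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        return self.primitive()

    def primitive(self):
        direction = self.take() if self.peek() in ("src", "dst") else "any"
        kind = self.take()
        if kind not in ("host", "port"):
            raise ValueError(f"unsupported primitive {kind!r}")
        value = self.take()
        if value is None:
            raise ValueError(f"{kind} needs a value")
        return (kind, direction, int(value) if kind == "port" else value)


def matches(node, pkt):
    op = node[0]
    if op == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if op == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if op == "not":
        return not matches(node[1], pkt)
    kind, direction, value = node
    s, d = (pkt.src, pkt.dst) if kind == "host" else (pkt.sport, pkt.dport)
    if direction == "src":
        return s == value
    if direction == "dst":
        return d == value
    return s == value or d == value      # bare host/port: either direction


def capture(filter_expr, packets):
    """Return the packets the filter would let Snort see."""
    tree = Parser(tokenize(filter_expr)).parse()
    return [p for p in packets if matches(tree, p)]


# Constructed sample traffic (not a real capture).
SAMPLE = [
    Packet("192.168.2.1", "192.168.10.10", 40001, 25),   # client -> SMTP
    Packet("192.168.10.10", "192.168.2.1", 25, 40001),   # SMTP reply
    Packet("192.168.2.1", "192.168.10.10", 40002, 80),   # client -> HTTP
    Packet("10.0.0.5", "192.168.10.10", 51000, 25),      # other client -> SMTP
]

if __name__ == "__main__":
    for f in ("src host 192.168.2.1", "src host 192.168.2.1 and port 25",
              "port 25", "src host 192.168.2.1 and dst host 192.168.10.10"):
        print(f"{f!r:55} -> {len(capture(f, SAMPLE))} packet(s)")
```

Run against the sample, "src host 192.168.2.1 and port 25" keeps only the client's packet to port 25: the server's reply has source 192.168.10.10, so the src host clause drops it even though "port 25" alone would match both directions. If you want the whole SMTP conversation, use "host 192.168.2.1 and port 25" instead.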