1.3 Packet Logger Mode
OK, all of these commands are pretty cool, but if you want to record the packets to the disk, you need to specify a
logging directory and Snort will automatically know to go into packet logger mode:
./snort -dev -l ./log
Of course, this assumes you have a directory named log in the current directory. If you don't, Snort will exit with an
error message. When Snort runs in this mode, it collects every packet it sees and places it in a directory hierarchy
based upon the IP address of one of the hosts in the datagram.
If you just specify a plain -l switch, you may notice that Snort sometimes uses the address of the remote computer
as the directory in which it places packets, and sometimes it uses the local host address. In order to log relative to the
home network, you need to tell Snort which network is the home network:
./snort -dev -l ./log -h 192.168.1.0/24
This rule tells Snort that you want to print out the data link and TCP/IP headers as well as application data into the
directory ./log, and you want to log the packets relative to the 192.168.1.0 class C network. All incoming packets will
be recorded into subdirectories of the log directory, with the directory names being based on the address of the remote
(non-192.168.1) host. Note that if both hosts are on the home network, then they are recorded based upon the higher
of the two's port numbers, or in the case of a tie, the source address.
If you're on a high speed network or you want to log the packets into a more compact form for later analysis you
should consider logging in binary mode. Binary mode logs the packets in tcpdump format to a single binary file in the
logging directory:
./snort -l ./log -b
Note the command line changes here. We don't need to specify a home network any longer because binary mode
logs everything into a single file, which eliminates the need to tell it how to format the output directory structure.
Additionally, you don't need to run in verbose mode or specify the -d or -e switches because in binary mode the entire
packet is logged, not just sections of it. All that is really required to place Snort into logger mode is the specification
of a logging directory at the command line with the -l switch, the -b binary logging switch merely provides a modifier
to tell it to log the packets in something other than the default output format of plain ASCII text.
Once the packets have been logged to the binary file, you can read the packets back out of the file with any sniffer
that supports the tcpdump binary format such as tcpdump or Ethereal. Snort can also read the packets back by using
the -r switch, which puts it into playback mode. Packets from any tcpdump formatted file can be processed through
Snort in any of its run modes. For example, if you wanted to run a binary log file through Snort in sniffer mode to
dump the packets to the screen, you can try something like this:
./snort -dv -r packet.log
You can manipulate the data in the file in a number of ways through Snort's packet logging and intrusion detection
modes, as well as with the BPF interface that's available from the command line. For example, if you only wanted to
see the ICMP packets from the log file, simply specify a BPF filter at the command line and Snort will only see the
ICMP packets in the file:
6
./snort -dvr packet.log icmp
For more info on how to use the BPF interface, read the snort and tcpdump man pages.
