Packet Logger mode

You can use Snort as a sniffer and log the sniffed packets with logger mode. You only need to pass the packet logger mode parameters; Snort handles the capture and the writing of the log files itself.

-l

Logger mode; sets the target directory for log and alert output. The default output folder is /var/log/snort.

The default action is to dump the packets in tcpdump (pcap) format into /var/log/snort.

-K ASCII

Log packets in ASCII format.

-r

Read option: reads a previously dumped log file back into Snort.

-n

Specify the number of packets to process/read. Snort will stop after reading the specified number of packets.

I used sudo su to initially change to the root user, as Snort needs superuser (root) rights to sniff the traffic. Then I used the command:

sudo snort -dev -l .

to start Snort in packet logger mode. The -l . part of the command writes the logs to the current directory.

Running the following commands should generate new logs.
The -r parameter also lets you filter the binary log files: you can narrow the processed log down to specific packets by combining -r with a Berkeley Packet Filter (BPF) expression.
  • sudo snort -r logname.log -X

  • sudo snort -r logname.log icmp

  • sudo snort -r logname.log tcp

  • sudo snort -r logname.log 'udp and port 53'
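To see what Snort is actually reading when you pass it a log with -r, here is an added Python example (not part of the original notes, and not Snort's own code) that walks a tcpdump/pcap-format file, the format Snort writes by default in logger mode, decodes the Ethernet/IPv4/L4 headers, and applies a deliberately tiny subset of BPF-style filters (protocol names, port N, joined by and) to reproduce the icmp, tcp and 'udp and port 53' selections above, plus a hex/ASCII dump in the spirit of -X. The sample capture is constructed inline (four synthetic packets with zeroed checksums), so it runs offline; real BPF is far richer than the four-term matcher shown here.

```python
"""Inspect a Snort logger-mode capture (tcpdump/pcap format) and apply a tiny
BPF-like filter subset, the way `snort -r logname.log 'udp and port 53'` would.
Assumptions: classic pcap file (magic 0xa1b2c3d4), Ethernet link type, IPv4.
The capture built by build_sample_pcap() is constructed for this example."""
import struct
from dataclasses import dataclass, field
from typing import Optional

PCAP_MAGIC = 0xA1B2C3D4
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass
class Packet:
    number: int            # 1-based position in the capture
    proto: str             # "icmp", "tcp", "udp" or "other"
    src: str
    dst: str
    sport: Optional[int]   # None for ICMP / unknown protocols
    dport: Optional[int]
    raw: bytes = field(repr=False)


def _ipv4(proto, payload, src="10.0.0.5", dst="10.0.0.9"):
    """Wrap `payload` in an Ethernet + IPv4 frame (checksum left zero; the
    reader below does not verify it)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + payload


def build_sample_pcap() -> bytes:
    """Constructed sample: ICMP echo request, TCP SYN to 443, DNS query
    (UDP to port 53) and an NTP-like UDP packet to port 123."""
    frames = [
        _ipv4(1, struct.pack("!BBHHH", 8, 0, 0, 1, 1)),
        _ipv4(6, struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 8192, 0, 0)),
        _ipv4(17, struct.pack("!HHHH", 53000, 53, 8 + 12, 0) + b"\x00" * 12),
        _ipv4(17, struct.pack("!HHHH", 123, 123, 8 + 48, 0) + b"\x00" * 48),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # global header
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data: bytes) -> list:
    """Walk the pcap records and decode Ethernet/IPv4/L4 headers."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == PCAP_MAGIC else ">" if magic == 0xD4C3B2A1 else None
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    packets, off, n = [], 24, 0
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        n += 1
        proto, src, dst, sport, dport = "other", "", "", None, None
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":   # EtherType IPv4
            ihl = (frame[14] & 0x0F) * 4
            proto = PROTO_NAMES.get(frame[23], "other")
            src = ".".join(map(str, frame[26:30]))
            dst = ".".join(map(str, frame[30:34]))
            l4 = frame[14 + ihl:]
            if proto in ("tcp", "udp") and len(l4) >= 4:
                sport, dport = struct.unpack("!HH", l4[:4])
        packets.append(Packet(n, proto, src, dst, sport, dport, frame))
    return packets


def matches(pkt: Packet, expr: str) -> bool:
    """Evaluate a small BPF-like subset: protocol names and `port N`, joined
    by `and`. Illustrative only; Snort's -r uses real BPF."""
    for term in expr.lower().split(" and "):
        parts = term.split()
        if len(parts) == 1 and parts[0] in PROTO_NAMES.values():
            if pkt.proto != parts[0]:
                return False
        elif len(parts) == 2 and parts[0] == "port":
            if int(parts[1]) not in (pkt.sport, pkt.dport):
                return False
        else:
            raise ValueError(f"unsupported filter term: {term!r}")
    return True


def filter_log(data: bytes, expr: str) -> list:
    """Return the packet numbers in `data` that satisfy `expr`."""
    return [p.number for p in read_pcap(data) if matches(p, expr)]


def hexdump(pkt: Packet, width: int = 16) -> str:
    """Hex + ASCII rendering, comparable in spirit to `snort -r log -X`."""
    lines = []
    for i in range(0, len(pkt.raw), width):
        chunk = pkt.raw[i:i + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{i:04X}  {hexpart:<{width * 3}} {text}")
    return "\n".join(lines)


if __name__ == "__main__":
    log = build_sample_pcap()
    for expr in ("icmp", "tcp", "udp and port 53"):
        print(f"{expr!r:>20} -> packets {filter_log(log, expr)}")
    print(hexdump(read_pcap(log)[2]))
```

Point read_pcap at the bytes of a real file written by snort -l to compare what it reports with the output of snort -r; the matcher only understands protocol names and port, so anything beyond that should go to Snort's real BPF engine.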
