Packet Logger mode
You can use Snort as a sniffer and log the sniffed packets via logger mode. You only need to use the packet logger mode parameters, and Snort does the rest to accomplish this.
-l
Logger mode: sets the target directory for log and alert output. The default output folder is /var/log/snort, and the default action is to dump the packets in tcpdump (pcap) format there.
-K ASCII
Log packets in ASCII format instead of the tcpdump binary format.
-r
Read option: read a previously dumped log file back into Snort.
-n
Specify the number of packets that Snort will process/read. Snort stops after reading the specified number of packets.
I used sudo su to initially change to the root user, as Snort needs superuser (root) rights to sniff the traffic. Then I used the command:
sudo snort -dev -l .
to start Snort in the packet logger mode. The "-l ." part of the command creates the logs in the current directory.
sudo snort -r logname.log -X
sudo snort -r logname.log icmp
sudo snort -r logname.log tcp
sudo snort -r logname.log 'udp and port 53'
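The log Snort writes in logger mode is a tcpdump-format (pcap) file, and the trailing argument on the -r commands above is a BPF filter that selects which of the stored packets Snort reads back. The Python below is an added example, not part of these notes or of Snort itself: it builds a small constructed pcap in memory (plain Ethernet/IPv4 frames with made-up 10.0.0.x addresses), walks the pcap record headers the way any reader of Snort's logs must, and applies the same three filters ("icmp", "tcp", "udp and port 53") plus an optional packet limit that plays the role of -n. The pcap magic, header layouts and protocol numbers are the standard ones; the filter table and sample frames are this example's own.

```python
"""Read a tcpdump-format (pcap) capture like the one Snort's logger mode writes,
and count the packets a few BPF-style filters would select (added example)."""
import struct
from itertools import islice

ETH_P_IP = 0x0800
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1


def make_frame(proto, src_port=0, dst_port=0):
    """Constructed Ethernet/IPv4 frame with a minimal ICMP, TCP or UDP header."""
    eth = b"\x00" * 6 + b"\x00" * 6 + struct.pack("!H", ETH_P_IP)
    if proto == PROTO_ICMP:
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)            # echo request
    elif proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port,   # SYN, 20-byte header
                         0, 0, 0x50, 0x02, 8192, 0, 0)
    else:
        data = b"\x00" * 12                                   # dummy UDP payload
        l4 = struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4


def build_pcap(frames):
    """Constructed pcap: global header (v2.4, Ethernet link type) + one record per frame."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", ts, 0, len(f), len(f)) + f
                       for ts, f in enumerate(frames, start=1))
    return header + records


def iter_packets(pcap):
    """Yield (timestamp_seconds, frame_bytes) for every record in a pcap file."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a pcap file: bad magic 0x%08x" % magic)
    offset = 24                                               # size of the global header
    while offset + 16 <= len(pcap):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, offset)
        offset += 16
        yield ts_sec, pcap[offset:offset + incl_len]
        offset += incl_len


def decode(frame):
    """Pull protocol number and L4 ports out of an Ethernet/IPv4 frame; None if not IPv4."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
        return None
    ihl = (frame[14] & 0x0F) * 4                              # IPv4 header length in bytes
    proto = frame[14 + 9]                                     # protocol field of the IP header
    info = {"proto": proto, "src_port": None, "dst_port": None}
    if proto in (PROTO_TCP, PROTO_UDP):
        info["src_port"], info["dst_port"] = struct.unpack_from("!HH", frame, 14 + ihl)
    return info


# The three filters used with "snort -r" above, expressed as predicates on decoded packets.
FILTERS = {
    "icmp": lambda p: p["proto"] == PROTO_ICMP,
    "tcp": lambda p: p["proto"] == PROTO_TCP,
    "udp and port 53": lambda p: p["proto"] == PROTO_UDP and 53 in (p["src_port"], p["dst_port"]),
}


def count_matching(pcap, filter_name, limit=None):
    """Count packets the named filter selects; `limit` mirrors Snort's -n (stop after N packets)."""
    pred = FILTERS[filter_name]
    matched = 0
    for _ts, frame in islice(iter_packets(pcap), limit):
        info = decode(frame)
        if info is not None and pred(info):
            matched += 1
    return matched


# Constructed sample capture: one ping, two TCP SYNs, one DNS query, one NTP packet.
SAMPLE_PCAP = build_pcap([
    make_frame(PROTO_ICMP),
    make_frame(PROTO_TCP, 40000, 80),
    make_frame(PROTO_UDP, 40001, 53),
    make_frame(PROTO_UDP, 40002, 123),
    make_frame(PROTO_TCP, 40003, 443),
])

if __name__ == "__main__":
    for name in FILTERS:
        print("%-18s %d packet(s)" % (name, count_matching(SAMPLE_PCAP, name)))
```

Pointing `iter_packets` at the bytes of a real logname.log from the -l run is enough to see the same counts Snort reports for those -r commands; the point of the walk-through is that a logger-mode log is an ordinary pcap, so anything that reads pcap (tcpdump, Wireshark, a script like this) can audit what Snort captured.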