Capturing and Viewing Packets
Problem
You want to use Snort to capture and view packets in real time to monitor network traffic.
Solution
To print the IP and transport-layer (TCP, UDP, ICMP) header of each packet, use the -v (verbose) option:
C:\Snort\bin>snort -v
To dump the application-layer payload as well (as hex and ASCII), add the -d option. To print the data link-layer (Ethernet) header, add the -e option. All three command-line options can be combined:
C:\Snort\bin>snort -dev
Discussion
Snort is an efficient and effective packet sniffer for capturing and viewing network traffic. The output follows the usual text sniffer format familiar from tcpdump or Ethereal (now Wireshark).
You can use Snort to view network traffic by providing the necessary command-line options. The simplest way is to provide the -v (verbose) command-line option. However, this shows you only the TCP and IP packet header information, as in the following:
C:\Snort\bin>snort -v
Running in packet dump mode
Log directory = log

Initializing Network Interface \Device\NPF_{572FF0E6-9A1E-42B5-A2AF-A5A307B613EF}

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{572FF0E6-9A1E-42B5-A2AF-A5A307B613EF}

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.2.0-ODBC-MySQL-FlexRESP-WIN32 (Build 30)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike@datanerds.net, www.datanerds.net/~mike)
1.8 - 2.x WIN32 Port By Chris Reid (chris.reid@codecraftconsultants.com)

09/14-11:16:50.213014 192.168.100.70:1051 -> 216.155.193.130:5050
TCP TTL:128 TOS:0x0 ID:39709 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0xDA7FD499  Ack: 0x17EA2F6B  Win: 0x4121  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/14-11:16:50.231051 192.168.100.70:1052 -> 205.188.5.252:5190
TCP TTL:128 TOS:0x0 ID:39710 IpLen:20 DgmLen:46 DF
***AP*** Seq: 0xDA819839  Ack: 0xFC65B33A  Win: 0x422F  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
A more useful view combines the -d and -e options with -v. The -d option dumps the application-layer data (the payload after the TCP, UDP, or ICMP header) as a hex column with the printable ASCII alongside; non-printable bytes appear as dots. The -e option adds the data link-layer header: source and destination MAC addresses, the EtherType (type:0x800 is IPv4), and the frame length.
C:\Snort\bin>snort -dev
Running in packet dump mode
Log directory = log

Initializing Network Interface \Device\NPF_{572FF0E6-9A1E-42B5-A2AF-A5A307B613EF}

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{572FF0E6-9A1E-42B5-A2AF-A5A307B613EF}

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.2.0-ODBC-MySQL-FlexRESP-WIN32 (Build 30)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike@datanerds.net, www.datanerds.net/~mike)
1.8 - 2.x WIN32 Port By Chris Reid (chris.reid@codecraftconsultants.com)

09/14-11:31:11.087457 0:C:F1:11:D:66 -> 0:5:5D:ED:3B:C6 type:0x800 len:0x1B3
192.168.100.70:2381 -> 64.233.161.104:80 TCP TTL:128 TOS:0x0 ID:42992 IpLen:20 DgmLen:421 DF
***AP*** Seq: 0x65EF083A  Ack: 0xF49E57A  Win: 0x3EFC  TcpLen: 20
47 45 54 20 2F 69 6D 61 67 65 73 2F 6C 6F 67 6F  GET /images/logo
2E 67 69 66 20 48 54 54 50 2F 31 2E 31 0D 0A 41  .gif HTTP/1.1..A
63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 52 65 66 65  ccept: */*..Refe
72 65 72 3A 20 68 74 74 70 3A 2F 2F 77 77 77 2E  rer: http://www.
67 6F 6F 67 6C 65 2E 63 6F 6D 2F 0D 0A 41 63 63  google.com/..Acc
65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E  ept-Language: en
2D 75 73 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F  -us..Accept-Enco
64 69 6E 67 3A 20 67 7A 69 70 2C 20 64 65 66 6C  ding: gzip, defl
61 74 65 0D 0A 49 66 2D 4D 6F 64 69 66 69 65 64  ate..If-Modified
2D 53 69 6E 63 65 3A 20 4D 6F 6E 2C 20 32 32 20  -Since: Mon, 22 
4D 61 72 20 32 30 30 34 20 32 33 3A 30 34 3A 32  Mar 2004 23:04:2
33 20 47 4D 54 0D 0A 55 73 65 72 2D 41 67 65 6E  3 GMT..User-Agen
74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28  t: Mozilla/4.0 (
63 6F 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45  compatible; MSIE
20 36 2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54   6.0; Windows NT
20 35 2E 30 29 0D 0A 48 6F 73 74 3A 20 77 77 77   5.0)..Host: www
2E 67 6F 6F 67 6C 65 2E 63 6F 6D 0D 0A 43 6F 6E  .google.com..Con
6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C  nection: Keep-Al
69 76 65 0D 0A 43 6F 6F 6B 69 65 3A 20 50 52 45  ive..Cookie: PRE
46 3D 49 44 3D 31 63 36 37 35 33 39 62 31 35 61  F=ID=1c67539b15a
37 31 63 33 64 3A 54 4D 3D 31 30 37 38 38 34 39  71c3d:TM=1078849
32 34 30 3A 4C 4D 3D 31 30 37 38 38 34 39 34 36  240:LM=107884946
39 3A 54 42 3D 32 3A 53 3D 38 42 52 37 43 51 33  9:TB=2:S=8BR7CQ3
51 64 6C 45 78 51 68 79 6F 0D 0A 0D 0A           QdlExQhyo....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/14-11:31:11.111213 0:5:5D:ED:3B:C6 -> 0:C:F1:11:D:66 type:0x800 len:0xB5
64.233.161.104:80 -> 192.168.100.70:2381 TCP TTL:50 TOS:0x10 ID:19943 IpLen:20 DgmLen:167
***AP*** Seq: 0xF49E57A  Ack: 0x65EF09B7  Win: 0x4551  TcpLen: 20
48 54 54 50 2F 31 2E 31 20 33 30 34 20 4E 6F 74  HTTP/1.1 304 Not
20 4D 6F 64 69 66 69 65 64 0D 0A 43 6F 6E 74 65   Modified..Conte
6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 68 74  nt-Type: text/ht
6D 6C 0D 0A 53 65 72 76 65 72 3A 20 47 57 53 2F  ml..Server: GWS/
32 2E 31 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E  2.1..Content-Len
67 74 68 3A 20 30 0D 0A 44 61 74 65 3A 20 46 72  gth: 0..Date: Fr
69 2C 20 31 34 20 4D 61 79 20 32 30 30 34 20 31  i, 14 May 2004 1
35 3A 33 30 3A 33 34 20 47 4D 54 0D 0A 0D 0A     5:30:34 GMT....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
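Because packet-dump output is line-oriented, it is easy to post-process when you want more than a scrolling screen. The following Python script is an added example, not code from the Snort Cookbook or the Snort project: it splits -dev output into records, rebuilds each TCP payload from the hex column, cross-checks the byte count against DgmLen - IpLen - TcpLen from the headers, and pulls the HTTP start line and Host header out of the payload. Its sample input is the two packets shown above, embedded as a string. The regular expressions describe the header layout Snort 2.x prints as shown in this recipe and are this example's own assumption about that format; non-TCP records (ARP, ICMP, UDP) are skipped.

```python
import re

# Sample "snort -dev" output, copied from this recipe's own example output:
# an HTTP request and the server's reply, each closed by Snort's =+=+ separator.
SAMPLE = """\
09/14-11:31:11.087457 0:C:F1:11:D:66 -> 0:5:5D:ED:3B:C6 type:0x800 len:0x1B3
192.168.100.70:2381 -> 64.233.161.104:80 TCP TTL:128 TOS:0x0 ID:42992 IpLen:20 DgmLen:421 DF
***AP*** Seq: 0x65EF083A  Ack: 0xF49E57A  Win: 0x3EFC  TcpLen: 20
47 45 54 20 2F 69 6D 61 67 65 73 2F 6C 6F 67 6F  GET /images/logo
2E 67 69 66 20 48 54 54 50 2F 31 2E 31 0D 0A 41  .gif HTTP/1.1..A
63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 52 65 66 65  ccept: */*..Refe
72 65 72 3A 20 68 74 74 70 3A 2F 2F 77 77 77 2E  rer: http://www.
67 6F 6F 67 6C 65 2E 63 6F 6D 2F 0D 0A 41 63 63  google.com/..Acc
65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E  ept-Language: en
2D 75 73 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F  -us..Accept-Enco
64 69 6E 67 3A 20 67 7A 69 70 2C 20 64 65 66 6C  ding: gzip, defl
61 74 65 0D 0A 49 66 2D 4D 6F 64 69 66 69 65 64  ate..If-Modified
2D 53 69 6E 63 65 3A 20 4D 6F 6E 2C 20 32 32 20  -Since: Mon, 22 
4D 61 72 20 32 30 30 34 20 32 33 3A 30 34 3A 32  Mar 2004 23:04:2
33 20 47 4D 54 0D 0A 55 73 65 72 2D 41 67 65 6E  3 GMT..User-Agen
74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28  t: Mozilla/4.0 (
63 6F 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45  compatible; MSIE
20 36 2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54   6.0; Windows NT
20 35 2E 30 29 0D 0A 48 6F 73 74 3A 20 77 77 77   5.0)..Host: www
2E 67 6F 6F 67 6C 65 2E 63 6F 6D 0D 0A 43 6F 6E  .google.com..Con
6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C  nection: Keep-Al
69 76 65 0D 0A 43 6F 6F 6B 69 65 3A 20 50 52 45  ive..Cookie: PRE
46 3D 49 44 3D 31 63 36 37 35 33 39 62 31 35 61  F=ID=1c67539b15a
37 31 63 33 64 3A 54 4D 3D 31 30 37 38 38 34 39  71c3d:TM=1078849
32 34 30 3A 4C 4D 3D 31 30 37 38 38 34 39 34 36  240:LM=107884946
39 3A 54 42 3D 32 3A 53 3D 38 42 52 37 43 51 33  9:TB=2:S=8BR7CQ3
51 64 6C 45 78 51 68 79 6F 0D 0A 0D 0A           QdlExQhyo....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
09/14-11:31:11.111213 0:5:5D:ED:3B:C6 -> 0:C:F1:11:D:66 type:0x800 len:0xB5
64.233.161.104:80 -> 192.168.100.70:2381 TCP TTL:50 TOS:0x10 ID:19943 IpLen:20 DgmLen:167
***AP*** Seq: 0xF49E57A  Ack: 0x65EF09B7  Win: 0x4551  TcpLen: 20
48 54 54 50 2F 31 2E 31 20 33 30 34 20 4E 6F 74  HTTP/1.1 304 Not
20 4D 6F 64 69 66 69 65 64 0D 0A 43 6F 6E 74 65   Modified..Conte
6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 68 74  nt-Type: text/ht
6D 6C 0D 0A 53 65 72 76 65 72 3A 20 47 57 53 2F  ml..Server: GWS/
32 2E 31 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E  2.1..Content-Len
67 74 68 3A 20 30 0D 0A 44 61 74 65 3A 20 46 72  gth: 0..Date: Fr
69 2C 20 31 34 20 4D 61 79 20 32 30 30 34 20 31  i, 14 May 2004 1
35 3A 33 30 3A 33 34 20 47 4D 54 0D 0A 0D 0A     5:30:34 GMT....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# One pattern per header line printed by -e, -v and -d (assumed Snort 2.x layout).
LINK_RE = re.compile(r"^(\S+) (\S+) -> (\S+) type:0x([0-9A-Fa-f]+) len:0x([0-9A-Fa-f]+)")
IP_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (TCP|UDP) TTL:(\d+) .*IpLen:(\d+) DgmLen:(\d+)")
TCP_RE = re.compile(r"^(\S{8}) Seq: 0x\w+\s+Ack: 0x\w+\s+Win: 0x\w+\s+TcpLen: (\d+)")
HEX_RE = re.compile(r"^((?:[0-9A-F]{2} )+)")  # hex column ends at the two-space gap
SEP_RE = re.compile(r"^(?:=\+)+$", re.M)


def parse_dump(text):
    """Return one dict per TCP packet in snort -dev text (ARP/ICMP/UDP records skipped)."""
    packets = []
    for record in SEP_RE.split(text):
        lines = [ln for ln in record.splitlines() if ln.strip()]
        if len(lines) < 3:
            continue
        link, ip, tcp = LINK_RE.match(lines[0]), IP_RE.match(lines[1]), TCP_RE.match(lines[2])
        if not (link and ip and tcp):
            continue
        # Rebuild the payload from the hex column, never from the ASCII column,
        # which replaces every non-printable byte with a dot.
        payload = b"".join(bytes.fromhex(HEX_RE.match(ln).group(1))
                           for ln in lines[3:] if HEX_RE.match(ln))
        ip_len, dgm_len, tcp_len = int(ip.group(7)), int(ip.group(8)), int(tcp.group(2))
        packets.append({
            "time": link.group(1), "src_mac": link.group(2), "dst_mac": link.group(3),
            "src": f"{ip.group(1)}:{ip.group(2)}", "dst": f"{ip.group(3)}:{ip.group(4)}",
            "flags": tcp.group(1), "payload": payload,
            # Consistency check: bytes dumped by -d must equal DgmLen - IpLen - TcpLen.
            "length_ok": len(payload) == dgm_len - ip_len - tcp_len,
        })
    return packets


def http_summary(payload):
    """Return (start line, Host header or None) of an HTTP message in the payload."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace").split("\r\n")
    host = next((h.split(":", 1)[1].strip() for h in head[1:] if h.lower().startswith("host:")), None)
    return head[0], host


if __name__ == "__main__":
    for p in parse_dump(SAMPLE):
        start, host = http_summary(p["payload"])
        print(f"{p['time']} {p['src']} -> {p['dst']} {p['flags']} "
              f"len_ok={p['length_ok']} | {start} | host={host}")
```

Run it against a saved session (snort -dev > dump.txt, then feed the file's contents in place of SAMPLE) to turn a screenful of hex into one line per packet. The length check is worth keeping: a payload shorter than the headers promise means the dump was cut off, usually by a terminal or by Snort dropping packets under load.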
Once you are done viewing packets, press Ctrl-C to exit. Snort then prints a summary of the packets it collected, including a breakdown by protocol and the action statistics (alerts, logged, and passed packets):
===============================================================================
Snort received 24 packets
    Analyzed: 24(100.000%)
    Dropped: 0(0.000%)
===============================================================================
Breakdown by protocol:
    TCP: 20         (83.333%)
    UDP: 1          (4.167%)
   ICMP: 0          (0.000%)
    ARP: 3          (12.500%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
===============================================================================
pcap_loop: read error: PacketReceivePacket failed
Run time for packet processing was 36.766000 seconds
One word of caution: capturing and displaying every packet in real time can significantly degrade the performance of the host, and on a busy link Snort may begin dropping packets (watch the Dropped count in the summary). When you only care about one host or service, narrow the capture with a BPF filter appended to the command line, for example snort -dev tcp port 80. Note also that -d prints application-layer data verbatim: the example above exposes an HTTP session cookie in the clear, and a password sent over any unencrypted protocol will appear the same way, so treat screen captures and log files from packet-dump mode as sensitive.
See Also
Recipe 1.17, Logging Packets That Snort Captures