Recipe 9.21 Packet Sniffing with Snort

9.21.1 Problem

You want to use Snort as a simple packet sniffer.

9.21.2 Solution

To format and print network trace information:

# snort -v [-d|-X] [-C] [-e] [filter-expression]

To sniff packets from the network:

# snort [-i interface] [-P snap-length] [filter-expression]

To read network trace data you have saved previously:

$ snort -r filename [filter-expression]

9.21.3 Discussion

Snort can act as a simple packet sniffer, providing a level of detail between the terseness of tcpdump [Recipe 9.16] and the verbosity of tethereal. [Recipe 9.17] The -v option prints a summary of the protocol information for each packet. To dump the payload data in hexadecimal and ASCII, add the -d option (with the -C option if you care only about the characters). For more information about lower-level protocols, add -e to print a summary of the link-level (Ethernet) headers, or use -X instead of -d to dump the protocol headers along with the payload data:

# snort -veX
02/27-23:32:15.641528 52:54:4C:A:6B:CD -> 0:50:4:D5:8E:5A type:0x800 len:0x9A
192.168.33.1:20 -> 192.168.33.3:1058 TCP TTL:60 TOS:0x8 ID:28465 IpLen:20 DgmLen
:140
***AP*** Seq: 0xDCE2E01  Ack: 0xA3B50859  Win: 0x1C84  TcpLen: 20
0x0000: 00 50 04 D5 8E 5A 52 54 4C 0A 6B CD 08 00 45 08  .P...ZRTL.k...E.
0x0010: 00 8C 6F 31 00 00 3C 06 4B DE C0 A8 21 01 C0 A8  ..o1..<.K...!...
0x0020: 21 03 00 14 04 22 0D CE 2E 01 A3 B5 08 59 50 18  !....".......YP.
0x0030: 1C 84 34 BB 00 00 54 6F 75 72 69 73 74 73 20 2D  ..4...Tourists -
0x0040: 2D 20 68 61 76 65 20 73 6F 6D 65 20 66 75 6E 20  - have some fun
0x0050: 77 69 74 68 20 4E 65 77 20 59 6F 72 6B 27 73 20  with New York's
...

Addresses and ports are always printed numerically.

If your system is connected to multiple networks, use the -i option to select an interface for sniffing. Alternately, you can read libpcap-format trace files [Recipe 9.16] saved by Snort or some other compatible network sniffer, by using the -r option.

Append a filter expression to the command line to limit the data collected, using the same syntax as for tcpdump. [Recipe 9.16] Filter expressions can focus attention on specific machines (such as your production web server), or efficiently ignore uninteresting traffic, especially if it is causing false alarms. When Snort is displaying data from network trace files, the filter expression selects packets to be printed, a handy feature when playing back previously logged data.

By default, Snort captures entire packets to examine their payloads. If you are looking at only a few specific protocols, and you know that the data of interest is at the start of the packets, use the -P option to specify smaller snapshots and achieve an efficiency gain.

9.21.4 See Also

snort(8), tcpdump(1), tethereal(1). The Snort home page is http://www.snort.org.