PACKET LOGGER MODE
This mode is used for long-term storage, forensics, or whenever traffic needs to be analysed at a later time. Snort, tcpdump and Wireshark can all read and process the binary output. However, if the logs were created with the "-K ASCII" parameter, Snort cannot read them back.
LOGGING: BINARY
root@dco:~$ sudo snort -dev -l .
* -v Verbose: display the TCP/IP output in the console.
* -d Display the packet data (payload).
* -e Display the link-layer (TCP/IP/UDP/ICMP) headers.
* -l Create the logs in the specified directory.
- the above example creates the logs in the current directory ('.')
- the default output directory can be configured in the snort.config file
- the default log directory is useful for continuous monitoring operations, while the "-l" parameter is more useful for testing purposes.
LOGGING: ASCII
root@dco:~$ sudo snort -dev -K ASCII
* -K specifies the output format for logged packets.
* the output will be stored in a readable ASCII format instead of binary data.
* this method is useful when tools to parse PCAP are unavailable.
- the output can be read with any text editor or via the cat utility.
READING: BINARY
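The logging and read-back steps above, wrapped as a small POSIX shell script. This is an added example, not part of the original notes or of the Snort project: it builds the exact command lines from the notes (-dev -l for binary, -dev -K ASCII -l for ASCII), checks that the log directory exists and is writable before Snort is started as root, and picks the right read-back tool for each format (snort -r for binary logs, a plain text tool for ASCII logs, since Snort cannot replay those). The snort_log_cmd, snort_read_cmd and run_if_snort function names are my own; the log directory and file names passed in are assumed.

```shell
#!/bin/sh
# Added example (not from the original notes): build and optionally run the
# Snort packet-logger commands described above. Assumes a writable log
# directory and that binary logs are replayed with "snort -r <file>".
set -eu

# Build the logging command line.
# $1 = "binary" or "ascii", $2 = log directory (Snort writes here as root).
snort_log_cmd() {
    fmt=$1
    dir=$2
    # -l needs a directory that exists and that we can write to.
    if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
        echo "log directory missing or not writable: $dir" >&2
        return 1
    fi
    case "$fmt" in
        binary) printf 'snort -dev -l %s\n' "$dir" ;;
        ascii)  printf 'snort -dev -K ASCII -l %s\n' "$dir" ;;
        *)      echo "unknown log format: $fmt" >&2; return 1 ;;
    esac
}

# Build the read-back command line for a log file written in $1 format.
# Only binary logs can be replayed by Snort; ASCII logs are read as text.
snort_read_cmd() {
    fmt=$1
    file=$2
    case "$fmt" in
        binary) printf 'snort -r %s\n' "$file" ;;
        ascii)  printf 'cat %s\n' "$file" ;;
        *)      echo "unknown log format: $fmt" >&2; return 1 ;;
    esac
}

# Run a command only when snort is actually installed on this host;
# otherwise just report what would have been run.
run_if_snort() {
    if command -v snort >/dev/null 2>&1; then
        sh -c "$1"
    else
        echo "snort not installed; would run: $1" >&2
    fi
}

# Typical use: log to the current directory in binary form, then replay.
# The logger keeps capturing until interrupted (Ctrl-C), so in a real run
# the read-back step happens after the capture has been stopped.
snort_demo() {
    dir=${1:-.}
    run_if_snort "$(snort_log_cmd binary "$dir")"
    run_if_snort "$(snort_read_cmd binary "$dir/snort.log")"
}
```

Call snort_demo with the directory you want the logs in; the capture runs until you stop it, after which the second command replays the binary log. For ASCII logs swap both "binary" arguments for "ascii", and note that the read-back then goes through cat rather than Snort.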