Understanding Snort Operating Modes: Sniffer, Packet Logger, and Network Intrusion Detection System

Snort has three operating modes: Sniffer, Packet Logger, and Network Intrusion Detection System.

Sniffer

Enter the command “# snort -v” to print the TCP/IP header information to the screen. For easier review, you can redirect the output to a file; for details, see the file snort_v.txt. A partial screenshot follows:

[Screenshot: Snort operating modes]

Packet Logger

If you want to (1) view the data of the application layer and the data link layer as well; (2) log all packets to the hard drive; and (3) log only local network traffic, you can use the command “# snort -dev -l ./log -h 10.1.0.0/8”. For details, refer to the file snort.log.1432557776. The command “# snort -dv -r snort.log.1432557776” then prints the packets from this binary tcpdump-format file to the screen. See the partial screenshot below:

[Screenshot: Snort operating modes]


If you only want to extract the UDP packets from the log file, you can enter “# snort -dvr snort.log.1432557776 udp”. Below is a screenshot of one such packet:

[Screenshot: Snort operating modes]
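As an added example (not from the original article), the following Python shows what “snort -dvr snort.log.<epoch> udp” does at the file level: it walks the tcpdump-format (pcap) records that snort -l writes and keeps only the UDP packets, skipping non-IPv4 frames and TCP the way the udp filter does. The capture bytes are constructed inline; the 10.1.0.x addresses, ports and payloads are made up.

```python
import struct
from collections import namedtuple

PCAP_MAGIC = 0xA1B2C3D4      # little-endian pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17

UdpPacket = namedtuple("UdpPacket", "ts src sport dst dport payload")

def _dotted(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def udp_packets(pcap: bytes):
    """Yield UDP packets from a tcpdump-format capture such as snort.log.<epoch>."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian Ethernet pcap")
    off = 24
    while off + 16 <= len(pcap):                       # 16-byte per-packet record header
        ts_sec, ts_usec, incl_len, _orig = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue                                   # non-IPv4 frames never match 'udp'
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4                       # IPv4 header length in bytes
        if ip[9] != IPPROTO_UDP:                       # protocol field: TCP etc. are dropped
            continue
        sport, dport, ulen, _csum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
        yield UdpPacket(ts_sec + ts_usec / 1e6, _dotted(ip[12:16]), sport,
                        _dotted(ip[16:20]), dport, ip[ihl + 8:ihl + ulen])

# --- constructed sample capture (not the article's snort.log.1432557776) ---
def _frame(proto, sport, dport, payload):
    """Minimal Ethernet/IPv4/{UDP,TCP} frame from 10.1.0.5 to 10.1.0.53 (made-up hosts)."""
    l4 = (struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) if proto == IPPROTO_UDP
          else struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 1, 0, 5]), bytes([10, 1, 0, 53])) + l4
    return bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip    # zeroed MAC addresses

def _record(ts_sec, frame):
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame

SAMPLE_PCAP = (struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
               + _record(1432557776, _frame(IPPROTO_TCP, 40000, 80, b"GET / HTTP/1.0\r\n"))
               + _record(1432557777, _frame(IPPROTO_UDP, 51000, 53, b"dns-query"))
               + _record(1432557778, _frame(IPPROTO_UDP, 123, 123, b"ntp")))
```

Running list(udp_packets(SAMPLE_PCAP)) returns the two UDP records and drops the TCP one, mirroring the filtered output in the screenshot.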


Network Intrusion Detection System

[Screenshot: Snort operating modes]


To use Snort as a basic network intrusion detection system, enter the command shown above:

Check the results:

[Screenshot: Snort operating modes]

As you can see, it has started successfully. Note that the path must not contain Chinese characters; otherwise you may run into the strange error “No alert file or directory.”