Snort Modes
11/20 15:56:14.632519 192.168.1.2:22 > 192.168.1.100:2474
TCP TTL:64 TOS:0x10 ID:57043 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xF5683D2A Ack: 0x9DAEEE9C Win: 0x6330 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/20 15:56:14.633891 192.168.1.2:22 > 192.168.1.100:2474
TCP TTL:64 TOS:0x10 ID:57044 IpLen:20 DgmLen:184 DF
***AP*** Seq: 0xF5683D7A Ack: 0x9DAEEE9C Win: 0x6330 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Snort will continue to display captured packets on the screen until you interrupt it
with Ctrl-C. When Snort terminates, it displays statistical information.
Let us now analyze the information displayed on screen when you run Snort in the
packet capture mode. The following is a typical output for a TCP packet:
11/20 15:56:14.633891 192.168.1.2:22 > 192.168.1.100:2474
TCP TTL:64 TOS:0x10 ID:57044 IpLen:20 DgmLen:184 DF
***AP*** Seq: 0xF5683D7A Ack: 0x9DAEEE9C Win: 0x6330 TcpLen: 20
If you analyze the output, you can see the following information about the packet:
Date and time the packet was captured.
Source IP address is 192.168.1.2.
Source port number is 22.
Destination IP address is 192.168.1.100.
Destination port is 2474.
Transport layer protocol used in this packet is TCP.
Time To Live or TTL value in the IP header part is 64.
Type of Service or TOS value is 0x10.
Packet ID is 57044.
Length of IP header is 20.
IP payload is 184 bytes long.
Don't Fragment or DF bit is set in IP header.
Two TCP flags A and P are on.
TCP sequence number is 0xF5683D7A.
Acknowledgement number in TCP header is 0x9DAEEE9C.
TCP Window field is 0x6330.
TCP header length is 20.
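The field breakdown above can be applied mechanically to saved Snort screen output. The following parser is an added example, not code from the original text; the function name parse_packets and the dictionary keys are hypothetical, and it handles only TCP packets in the three-line layout shown on this page.

```python
import re

# The two TCP packets printed at the top of this page, copied as sample input.
SAMPLE = """\
11/20 15:56:14.632519 192.168.1.2:22 > 192.168.1.100:2474
TCP TTL:64 TOS:0x10 ID:57043 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xF5683D2A Ack: 0x9DAEEE9C Win: 0x6330 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/20 15:56:14.633891 192.168.1.2:22 > 192.168.1.100:2474
TCP TTL:64 TOS:0x10 ID:57044 IpLen:20 DgmLen:184 DF
***AP*** Seq: 0xF5683D7A Ack: 0x9DAEEE9C Win: 0x6330 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

HEX = r"(0x[0-9A-Fa-f]+)"
ADDR = re.compile(r"(\d\d/\d\d) (\d\d:\d\d:\d\d\.\d+) ([\d.]+):(\d+) > ([\d.]+):(\d+)$")
IPHDR = re.compile(r"TCP TTL:(\d+) TOS:" + HEX + r" ID:(\d+) IpLen:(\d+) DgmLen:(\d+)( DF)?")
TCPHDR = re.compile(r"(\S{8}) Seq: " + HEX + r" +Ack: " + HEX + r" +Win: " + HEX
                    + r" +TcpLen: (\d+)")

def parse_packets(text):
    """Return one dict per TCP packet record; other records are skipped."""
    packets = []
    # Records are separated by the =+=+ ruler line.
    for record in re.split(r"^(?:=\+)+[ \t]*$", text, flags=re.M):
        lines = [ln.strip() for ln in record.strip().splitlines()]
        if len(lines) < 3:
            continue
        a, i, t = ADDR.match(lines[0]), IPHDR.match(lines[1]), TCPHDR.match(lines[2])
        if not (a and i and t):
            continue  # not a TCP packet in the layout shown on this page
        packets.append({
            "date": a[1], "time": a[2],
            "src_ip": a[3], "src_port": int(a[4]),
            "dst_ip": a[5], "dst_port": int(a[6]),
            "ttl": int(i[1]), "tos": int(i[2], 16), "ip_id": int(i[3]),
            "ip_hdr_len": int(i[4]), "dgm_len": int(i[5]), "df": i[6] is not None,
            # Flag field is eight characters; '*' marks a flag that is off.
            "flags": [c for c in t[1] if c != "*"],
            "seq": int(t[2], 16), "ack": int(t[3], 16),
            "win": int(t[4], 16), "tcp_hdr_len": int(t[5]),
        })
    return packets

if __name__ == "__main__":
    for p in parse_packets(SAMPLE):
        print(p)
```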
You can display more information about captured packets by using additional command
line options. The following command displays some information about application data