grebalance.blogg.se

Use snort to read wireshark pcap

As a quick follow-up to Didier's post, I wanted to summarize some of the other tools (aside from tcpdump) that can be used to collect full packet captures. I limited myself to open source tools that are meant to run unattended (no GUI) on a remote system and use libpcap. Because they all build on libpcap, every one of these tools can apply a BPF filter to limit the collected data, and they all produce pcap output.

To make it a bit easier to compare, I added an example command line for each tool that listens on the eth0 interface and rotates logs once an hour. I am also excluding ssh traffic (not port 22) to show how BPF syntax can be used to limit the capture.

daemonlogger: This comes out of the snort project. One nice option is -M, which lets you log packets and automatically delete old logs when the disk fills up; for example, -M 90 makes sure disk usage never exceeds 90%. It is my favorite utility for that option alone. A typical command line:

daemonlogger -d -n packetfiles -g pcapgrp -u pcapuser -t 3600 -i eth0 not port 22

Here -d daemonizes the process, -n sets the output file prefix, -g and -u drop privileges to the given group and user, -t 3600 rolls the output file over every 3600 seconds, -i selects the interface, and everything after the options is the BPF filter expression.

Snort: Snort itself can be used to log packets to a directory.
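The following is an added example, not part of the original post and not daemonlogger's own code. It models in Python what the daemonlogger command line above does: it builds a small pcap in memory from constructed Ethernet/IPv4/TCP frames, applies the equivalent of the BPF expression not port 22 by hand, and simulates the -t rotation and the -M disk-usage purge. The file naming scheme (prefix plus interval start timestamp), the disk capacity and the frame contents are assumptions made for the illustration.

```python
"""Added example (not from the original post): a model of the daemonlogger
command line 'daemonlogger -n packetfiles -t 3600 ... not port 22' and of -M.
All frames, timestamps, file names and sizes below are constructed."""
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps, native order
LINKTYPE_ETHERNET = 1


def build_tcp_frame(src_port, dst_port, payload=b""):
    """Constructed Ethernet + IPv4 + TCP frame. Checksums are left zero: the
    frame only exists to exercise the parser, no host will ever validate it."""
    eth = bytes.fromhex("0200000000010200000000020800")  # dst, src, type IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18,
                      8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp


def build_pcap(frames, base_ts=1_700_000_000):
    """Serialize frames into a pcap byte string, one second apart."""
    out = struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("=IIII", base_ts + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Parse a pcap byte string, yielding (ts_sec, frame_bytes) per record."""
    magic, = struct.unpack_from("=I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    off = 24  # global header length
    while off < len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("=IIII", data, off)
        off += 16  # record header length
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def tcp_udp_ports(frame):
    """Return (src_port, dst_port) for IPv4 TCP/UDP frames, otherwise None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    l4 = 14 + ihl
    if frame[23] not in (6, 17) or len(frame) < l4 + 4:
        return None
    return struct.unpack_from("!HH", frame, l4)


def not_port_22(frame):
    """Hand-written equivalent of the BPF expression 'not port 22' (SCTP
    omitted): keep the frame unless either transport port is 22. Frames that
    are not TCP/UDP are kept, just as BPF would keep them."""
    ports = tcp_udp_ports(frame)
    return ports is None or 22 not in ports


def rotated_name(base, ts_sec, interval=3600):
    """Model of -t: one file per interval, named <base>.<interval start>.
    The naming scheme is an assumption for this example, not daemonlogger's."""
    return "%s.%d" % (base, ts_sec - ts_sec % interval)


def purge_to_limit(files, disk_bytes, max_pct):
    """Model of -M <pct>: drop the oldest capture files until usage is at or
    under max_pct of disk_bytes. files maps <base>.<ts> -> size in bytes."""
    kept = dict(sorted(files.items(), key=lambda kv: int(kv[0].rsplit(".", 1)[1])))
    deleted = []
    while kept and sum(kept.values()) * 100 > disk_bytes * max_pct:
        oldest = next(iter(kept))
        deleted.append(oldest)
        del kept[oldest]
    return kept, deleted


def capture_simulation():
    """Run four constructed frames through filter + rotation; two involve port
    22 and must be dropped, the other two land in one hourly file."""
    frames = [build_tcp_frame(40000, 22), build_tcp_frame(40001, 80, b"GET / "),
              build_tcp_frame(22, 40002), build_tcp_frame(40003, 443)]
    logged = {}
    for ts, frame in read_pcap(build_pcap(frames)):
        if not_port_22(frame):
            logged.setdefault(rotated_name("packetfiles", ts), []).append(frame)
    return logged


if __name__ == "__main__":
    for name, frames in capture_simulation().items():
        print(name, len(frames), "frames")
    print(purge_to_limit({"packetfiles.100": 40, "packetfiles.200": 40,
                          "packetfiles.300": 40}, disk_bytes=100, max_pct=90))
```

The purge keeps deleting from the oldest file onward until the usage is under the threshold, which is the behaviour a practitioner relies on when leaving a capture box unattended; note that a single file larger than the threshold would still be written first and only removed at the next check, so size the interval (-t) so that one rotation period never approaches the limit on its own.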
