Snort mailing list archives

Re: Replaying pcaps through Snort
From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 06 Apr 2013 11:27:19 -0500

On 4/6/2013 10:41, Y M wrote:
Nothing, just -c for the conf file.

I'm writing some rules, which worked fine on a real environment. But when
running on a test environment, replicating the same real scenario, it's getting

Do you have $HOME_NET and $EXTERNAL_NET defined properly/same in the test
environment as in the live environment?

So I thought I'm looking at the wrong direction; tagging on the responses, not
the requests, but the responses do not contain the content I'm matching on.

By the way, I'm planning to submit the rules to the VRT once I finish testing.

From: Joel Esler <mailto:jesler () sourcefire com>
Sent: 4/6/2013 6:33 PM
To: Y M <mailto:snort () outlook com>
Cc: snort <mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Replaying pcaps through Snort

Nope. -r is the correct command. What other commands are you issuing Snort?

*Joel Esler*
Sent from my iPhone 

On Apr 6, 2013, at 8:43 AM, Y M <snort () outlook com> wrote:

I have a pcap generated from some testing, and let's assume that the source ip
is and destination ip is, which conforms to
the test scenario I was working with and as captured by wireshark.

However, replaying the pcap file through Snort (-r), Snort is reporting source
and destination ip addresses backwards, i.e.: source ip is
and the destination ip

What am I missing? Is there an extra argument I must input?
