To run Snort in sniffer mode you must use the -v (verbose) option. This is also known as “packet dump” mode.
Some other handy switches to run along with -v are:
- -d : Dump the application-layer data (the packet payload)
- -e : Display the second-layer (link-layer) header info
```
user@ubuntu:~$ sudo /usr/local/snort/bin/snort -dev -i eth2
Running in packet dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Network Interface eth2
Decoding Ethernet on interface eth2
--== Initialization Complete ==--
,,_ -*> Snort! 0:25:0:AB:5D:5E type:0x800 len:0x1E2
192.168.1.72:22 -> 192.168.1.68:49881 TCP TTL:64 TOS:0x10 ID:62667 IpLen:20 DgmLen:468 DF
***AP*** Seq: 0x14FDDB64 Ack: 0x772FDCF7 Win: 0xD7 TcpLen: 32
TCP Options (3) => NOP NOP TS: 329485 808331071
36 36 7F E5 01 6B 87 26 7A 13 9A E2 58 50 41 A6  66...k.&z...XPA.
20 F6 C0 FF E8 42 BE CB A9 54 3F 58 79 7C F9 73   ....B...T?Xy|.s
1D 55 9F F3 6F 73 35 24 40 B3 6C 18 4A 99 E5 78  .U..os5$@.l.J..x
0A FB 65 1C 41 B0 89 E9 E9 AF E9 12 FA 5B 0A DB  ..e.A........[..
F7 64 75 08 F3 27 D2 6A D7 6E 00 AA FA 32 83 19  .du..'.j.n...2..
```
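To show how the decoded lines of the dump above fit together, here is an added example (not part of the original page and not Snort code) that parses the IP line, the TCP line and the hex rows of `-dev` output. The flag order `12UAPRSF` and the space-separated ASCII column are assumptions based on Snort 2.x output; `SAMPLE` is constructed from the capture above, and `parse_packet` and `render` are names chosen for this example.

```python
import re

FLAGS = ["CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"]  # assumed order "12UAPRSF"
IP_RE = re.compile(r"(\S+):(\d+) -> (\S+):(\d+) (\w+) TTL:(\d+) TOS:0x[0-9A-Fa-f]+ "
                   r"ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
TCP_RE = re.compile(r"([*12UAPRSF]{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+)\s+"
                    r"Win: (0x[0-9A-Fa-f]+)\s+TcpLen: (\d+)")
HEX_RE = re.compile(r"(?:[0-9A-F]{2} ){1,16}")  # hex column: at most 16 bytes per row

# Constructed sample: lines taken from the capture above, ASCII column restored.
SAMPLE = (
    "192.168.1.72:22 -> 192.168.1.68:49881 TCP TTL:64 TOS:0x10 ID:62667 "
    "IpLen:20 DgmLen:468 DF\n"
    "***AP*** Seq: 0x14FDDB64 Ack: 0x772FDCF7 Win: 0xD7 TcpLen: 32\n"
    "TCP Options (3) => NOP NOP TS: 329485 808331071\n"
    "36 36 7F E5 01 6B 87 26 7A 13 9A E2 58 50 41 A6  66...k.&z...XPA.\n"
    "20 F6 C0 FF E8 42 BE CB A9 54 3F 58 79 7C F9 73   ....B...T?Xy|.s\n"
)

def render(data):
    """ASCII column: printable bytes as-is, everything else shown as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)

def parse_packet(text):
    pkt = {"payload": b"", "ascii_ok": True}
    for line in text.splitlines():
        if m := IP_RE.match(line):
            pkt.update(src=m[1], sport=int(m[2]), dst=m[3], dport=int(m[4]), proto=m[5],
                       ttl=int(m[6]), ip_id=int(m[7]), ip_len=int(m[8]), dgm_len=int(m[9]))
        elif m := TCP_RE.match(line):
            pkt["flags"] = [name for name, c in zip(FLAGS, m[1]) if c != "*"]
            pkt.update(seq=int(m[2], 16), ack=int(m[3], 16), win=int(m[4], 16),
                       tcp_len=int(m[5]))
        elif m := HEX_RE.match(line):
            chunk = bytes.fromhex(m[0])
            pkt["payload"] += chunk
            # One ASCII character per byte sits at the end of the row; it must
            # agree with the hex column, even when the first byte is a space.
            pkt["ascii_ok"] &= line[m.end():][-len(chunk):] == render(chunk)
    if "dgm_len" in pkt and "tcp_len" in pkt:
        # Application bytes on the wire = datagram minus IP and TCP headers.
        pkt["payload_len"] = pkt["dgm_len"] - pkt["ip_len"] - pkt["tcp_len"]
    return pkt

if __name__ == "__main__":
    print(parse_packet(SAMPLE))
```

For the packet shown, `DgmLen - IpLen - TcpLen` gives 416 payload bytes; traffic from port 22 is SSH, which is why the ASCII column is unreadable.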