snort sniffer mode

October 5, 2010

To run Snort in sniffer mode you must use the -v (verbose) option, which prints the headers of every packet Snort captures to the console. This is also known as "packet dump" mode.

Some other handy switches to run along with -v are:

  • -d  : Dump the application layer (the packet payload, printed as hex with an ASCII column)
  • -e  : Display the data link (layer 2) header info, i.e. the Ethernet MAC addresses and ethertype

The three are usually combined as -dev. Use -i to choose the capture interface, and run as root (or via sudo) because opening the interface for raw capture requires it.


user@ubuntu:~$ sudo /usr/local/snort/bin/snort -dev -i eth2

Running in packet dump mode

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Network Interface eth2
Decoding Ethernet on interface eth2

--== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6.1 (Build 39)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 7.8 2008-09-05
           Not Using PCAP_FRAMES

10/05-02:13:52.120503 0:50:56:2B:20:C8 -> 0:25:0:AB:5D:5E type:0x800 len:0x1E2
192.168.1.72:22 -> 192.168.1.68:49881 TCP TTL:64 TOS:0x10 ID:62667 IpLen:20 DgmLen:468 DF
***AP*** Seq: 0x14FDDB64 Ack: 0x772FDCF7 Win: 0xD7 TcpLen: 32
TCP Options (3) => NOP NOP TS: 329485 808331071
36 36 7F E5 01 6B 87 26 7A 13 9A E2 58 50 41 A6  66...k.&z...XPA.
20 F6 C0 FF E8 42 BE CB A9 54 3F 58 79 7C F9 73   ....B...T?Xy|.s
1D 55 9F F3 6F 73 35 24 40 B3 6C 18 4A 99 E5 78  .U..os5$@.l.J..x
0A FB 65 1C 41 B0 89 E9 E9 AF E9 12 FA 5B 0A DB  ..e.A........[..
F7 64 75 08 F3 27 D2 6A D7 6E 00 AA FA 32 83 19  .du..'.j.n...2..
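A long -dev dump is hard to scan by eye, so here is an added parser for the text layout shown above (timestamp and MAC line from -e, the IP and TCP lines, then the hex rows from -d). It is written for this page and is not code from the original post or from the Snort project. The sample input is constructed from the first packet in the dump; the class, function and regex names are the example's own, and it assumes the fixed "12UAPRSF" flag-string layout Snort 2.x prints (e.g. ***AP*** = ACK and PSH set).

```python
# Added example for this page, not code from the original post or from Snort.
# It assumes the -dev text layout shown above: an Ethernet line (-e), an IP
# line, a TCP line, optional "TCP Options", then hex rows (-d) with an ASCII
# column. All names here are the example's own.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the first packet of the dump above, cut to two
# payload rows; the ASCII column is what Snort prints for those bytes.
SAMPLE_DUMP = """\
10/05-02:13:52.120503 0:50:56:2B:20:C8 -> 0:25:0:AB:5D:5E type:0x800 len:0x1E2
192.168.1.72:22 -> 192.168.1.68:49881 TCP TTL:64 TOS:0x10 ID:62667 IpLen:20 DgmLen:468 DF
***AP*** Seq: 0x14FDDB64 Ack: 0x772FDCF7 Win: 0xD7 TcpLen: 32
TCP Options (3) => NOP NOP TS: 329485 808331071
36 36 7F E5 01 6B 87 26 7A 13 9A E2 58 50 41 A6  66...k.&z...XPA.
20 F6 C0 FF E8 42 BE CB A9 54 3F 58 79 7C F9 73   ....B...T?Xy|.s
"""

# -e line: timestamp, src MAC -> dst MAC, ethertype, frame length.
ETH_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<smac>[0-9A-F:]+) -> "
    r"(?P<dmac>[0-9A-F:]+) type:0x(?P<etype>[0-9A-Fa-f]+) len:0x[0-9A-Fa-f]+$")
# IP line as printed for TCP/UDP (ports present); ICMP lines are skipped here.
IP_RE = re.compile(
    r"^(?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+) TTL:(?P<ttl>\d+) TOS:0x[0-9A-Fa-f]+ ID:\d+ "
    r"IpLen:\d+ DgmLen:\d+(?P<rest>.*)$")
# TCP line: Snort's flag string is fixed-order "12UAPRSF", '*' for unset bits.
TCP_RE = re.compile(
    r"^(?P<flags>[12UAPRSF*]{8}) Seq: 0x[0-9A-Fa-f]+ Ack: 0x[0-9A-Fa-f]+ "
    r"Win: 0x[0-9A-Fa-f]+ TcpLen: \d+$")
HEX_BYTE = re.compile(r"^[0-9A-F]{2}$")
FLAG_NAMES = {"1": "CWR", "2": "ECE", "U": "URG", "A": "ACK",
              "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}


@dataclass
class Packet:
    ts: str
    src_mac: str
    dst_mac: str
    ethertype: int
    src_ip: str = ""
    src_port: int = 0
    dst_ip: str = ""
    dst_port: int = 0
    proto: str = ""
    ttl: int = 0
    df: bool = False
    flags: List[str] = field(default_factory=list)
    payload: bytes = b""


def snort_ascii(chunk: bytes) -> str:
    """Render bytes as Snort's ASCII column does: printable 7-bit characters
    as themselves, everything else as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)


def parse_hex_row(line: str) -> Optional[bytes]:
    """Bytes of one hex-dump row (the leading run of two-digit hex tokens,
    at most 16 as Snort prints them), or None for any other line."""
    raw = []
    for tok in line.split():
        if len(raw) == 16 or not HEX_BYTE.match(tok):
            break
        raw.append(int(tok, 16))
    return bytes(raw) if raw else None


def parse_dump(text: str) -> List[Packet]:
    """Split -dev output into Packet records: a packet starts at an Ethernet
    line, IP/TCP lines fill its fields, hex rows extend its payload."""
    packets: List[Packet] = []
    cur: Optional[Packet] = None
    for line in text.splitlines():
        line = line.strip()
        m = ETH_RE.match(line)
        if m:
            cur = Packet(m["ts"], m["smac"], m["dmac"], int(m["etype"], 16))
            packets.append(cur)
            continue
        if cur is None:
            continue  # banner or other text before the first packet
        m = IP_RE.match(line)
        if m:
            cur.src_ip, cur.src_port = m["sip"], int(m["sport"])
            cur.dst_ip, cur.dst_port = m["dip"], int(m["dport"])
            cur.proto, cur.ttl = m["proto"], int(m["ttl"])
            cur.df = "DF" in m["rest"].split()
            continue
        m = TCP_RE.match(line)
        if m:
            cur.flags = [FLAG_NAMES[c] for c in m["flags"] if c != "*"]
            continue
        row = parse_hex_row(line)
        if row is not None:
            cur.payload += row
    return packets


if __name__ == "__main__":
    for p in parse_dump(SAMPLE_DUMP):
        print(p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.flags, len(p.payload))
```

Feeding the whole console output (banner included) to parse_dump works because anything before the first -e line is ignored; snort_ascii reproduces the ASCII column, which is why an encrypted SSH payload like the one above shows mostly dots.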