Packet sniffing using Snort

I’ve explained in my last tutorial that how you can install snort on Ubuntu, if you have not installed it yet you can click here. In my article where I explained how to install snort, I mentioned that snort have two running modes,  today we will see how we can do packet sniffing using snort.

What is packet sniffing?

In packet sniffing all you do is look at all the packets passing through your interface, incoming as well as outgoing packets.

Pre-requisites for todays experiment

Before diving into todays experiment let see what do we need.

  1. VMware player, you can obtain VMware player from here.
  2. Ubuntu Desktop 16.04.1, if you have older versions you can use that as well. (I’ve tested it on 16.04.1)
  3. Two Virtual Network interface cards on your Ubuntu Virtual Machine

Install virtual machine

You need to create a virtual machine in VMware player and use ubuntu as an operating system, but their are few things you need to take care of before finishing your VM Setup. If you don’t know how to setup a virtual machine you can read an article here.

Run this command on your host node, it will open VMware virtual network editor, something like this :


Here you see three headings below ‘Type’:

  1. birdged (In front of bridge ‘external connection’ is ‘wlo’ which is my wireless card)
  2. host-only
  3. NAT

Now you have to make sure that your ‘external connection’ in front of bridge must be your network card that is connected to your router. It can be wireless or lan card as you can see below:


After that press ‘Save’ this window will close . You are now good to create your virtual machine, make sure your virtual machine have two interface cards with following modes

  • Bridge mode (You will use it for public services like ssh)
  • Host-only mode (This interface will run snort)

You can see the settings for both interface below:

Bridged mode


Host-only mode


Now you can start your machine, and after its online we need IP addresses for both the interfaces.

It will print out the IPs you have on both of your interface, please note interface that is bridged will have an IP similar to your host computer i.e

Your host computer:

Your bridged interface:

That is how you know which of your interface is bridged and which one is host-only interface.

Step 1

Note: I assume that you already have snort installed and configured before proceeding, if not you can click here.

Use the IP of your birdged interface and login to SSH, and run:

  1.  -dev : This argument will provide you with all details of packet including
    1. Packet header.
    2. Packet payload.
  2. -c – This argument tell snort where to read the configuration file.
  3. -i – this argument tell snort which interface to listen on (In our case its host-only interface)

My host-only interface name is ‘ens34’, yours might be different. After this command is executed successfully, you will get output similar to:

That means snort started to listen for packets on interface ‘ens34’. ( I assume here that host-only interface has IP )

Step 2: Capture Traffic

Open a terminal on your host computer (where VMware is installed).

-c 1 : Means only 1 ping packet, now you will see something like this on your terminal where snort is running:

Two packets are passed through interface, one is ECHO packet from machine where you initiated ping, and other is ECHO REPLY message from snort machine. You have successfully captured your first two packets on interface ‘ens34’.

Step 3: Perform nmap port scan on your snort machine

nmap is an easy tool to scan any machine for open ports, we will perform nmap scan on our snort machine and see how snort have captured the nmap packets.

This will be the output of nmap scan

Captured packets on snort

I’ve excluded some packets, to make it readable.

Why packet sniffing is beneficial?

You might be thinking why we trying to sniff packets when their is no actual use of it, many people think that packet sniffing is not very important part of snort, but I guess you can use packet sniffing to monitor your network.

If some one have performed nmap scan on your machine then you can easily track the packets, to make sure your open ports are not visible, and or block the IP trying to scan for open ports.

Leave a comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.