Snort's second mode involves acting as a packet logger when given the -l switch and a directory to store traffic.
After sending another ICMP echo while Snort is running, a look in the tests directory reveals a file created by Snort called snort.log.1164036694.
Using the date command's -r switch shows the numeric code after "snort.log" represents the time in seconds when the packet trace was created.
Any Libpcap-compatible sniffer can read the file, such as Tcpdump or even Snort. The -X switch tells Snort to report all packet details.
Snort: Fundamentals and installation tips for the channel
Packet logger mode
Intrusion detection mode
About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog (taosecurity.blogspot.com).