Installing Snort: Sniffer mode

In this installment of Snort Report, learn how to run the open source IDS/IPS in sniffer mode.

Snort can operate in four modes, but we will concentrate on three and mention the fourth. First, we create a directory for our tests, and then we tell Snort to watch the loopback interface for traffic. In this mode (activated by -v) Snort is a simple network traffic sniffer.

In a separate terminal we send a single ICMP echo to the loopback address.

freebsd61-generic:/root# ping -c 1

Snort reports the following, and we interrupt the capture with Ctrl-C.

Sniffer mode is the simplest Snort mode, and it is best used to quickly ensure you can capture the traffic you expect to see on a given interface.
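To make concrete what a sniffer like Snort -v actually decodes for that single ping, here is an added example (not Snort's code and not from the original article) that builds a constructed IPv4/ICMP echo request to 127.0.0.1 in memory, validates both checksums and the length fields the way a decoder must before trusting a packet, and prints the fields in a layout approximating Snort's verbose ICMP output. The packet bytes, the IP ID 0xABCD and the ICMP ID 0x1234 are constructed values, and the output layout is an approximation of Snort's, not its exact format.

```python
import struct

# ICMP types a ping exchange produces; anything else is reported by number.
ICMP_TYPE_NAMES = {0: "ECHO REPLY", 8: "ECHO"}


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; 0 means 'valid'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident=0x1234, seq=1, payload=b"A" * 56):
    """Constructed sample: IPv4 + ICMP echo request from/to 127.0.0.1.

    Assumption: 56 payload bytes, so DgmLen is 84 as with a default ping.
    These bytes are built here, not captured from a live interface.
    """
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    lo = bytes([127, 0, 0, 1])
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0xABCD,
                     0x4000, 64, 1, 0, lo, lo)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def decode_ipv4_icmp(pkt):
    """Decode the header fields a sniffer shows; reject truncated or corrupt input."""
    if len(pkt) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, tos, dgm_len, ip_id, _flags, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    # Length fields come from the wire; check them before slicing on them.
    if ver_ihl >> 4 != 4 or ihl < 20 or dgm_len < ihl or len(pkt) < dgm_len:
        raise ValueError("malformed IPv4 header or truncated datagram")
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    info = {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "ttl": ttl, "tos": tos, "ip_id": ip_id, "ihl": ihl,
        "dgm_len": dgm_len, "proto": proto,
    }
    if proto == 1:
        icmp = pkt[ihl:dgm_len]
        if len(icmp) < 8:
            raise ValueError("truncated ICMP header")
        if inet_checksum(icmp) != 0:
            raise ValueError("bad ICMP checksum")
        itype, icode, _c, iid, iseq = struct.unpack("!BBHHH", icmp[:8])
        info.update(icmp_type=itype, icmp_code=icode, icmp_id=iid,
                    icmp_seq=iseq,
                    icmp_name=ICMP_TYPE_NAMES.get(itype, "type %d" % itype))
    return info


def is_valid(pkt):
    """True if the packet decodes cleanly, False on any malformation."""
    try:
        decode_ipv4_icmp(pkt)
        return True
    except ValueError:
        return False


def sniffer_summary(info):
    """Render decoded fields in a layout approximating Snort -v for ICMP."""
    lines = ["%s -> %s" % (info["src"], info["dst"])]
    if info["proto"] == 1:
        lines.append("ICMP TTL:%d TOS:0x%X ID:%d IpLen:%d DgmLen:%d" % (
            info["ttl"], info["tos"], info["ip_id"], info["ihl"], info["dgm_len"]))
        lines.append("Type:%d  Code:%d  ID:%d   Seq:%d  %s" % (
            info["icmp_type"], info["icmp_code"], info["icmp_id"],
            info["icmp_seq"], info["icmp_name"]))
    else:
        lines.append("PROTO:%d TTL:%d TOS:0x%X ID:%d IpLen:%d DgmLen:%d" % (
            info["proto"], info["ttl"], info["tos"], info["ip_id"],
            info["ihl"], info["dgm_len"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(sniffer_summary(decode_ipv4_icmp(build_echo_request())))
```

The point of the checks in decode_ipv4_icmp is that a sniffer reads length and checksum fields straight off the wire, so it has to validate them before using them as slice bounds; a truncated packet (for instance, the sample with its last byte dropped) is rejected rather than misreported.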

About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog (

