Snort mailing list archives
Re: Using snort to process a TCPDump file
From: Bennett Todd <bet () rahul net>
Date: Tue, 7 Jan 2003 11:08:19 -0500
2003-01-06T17:09:44 John Cherbini:
> I was interested in finding out if I can use snort to process a tcpdump log file. Specifically, I have a file that I redirected tcpdump into, and I just want to run it through Snort to see if any of the packets match any rules.
"redirected" sounds like you're running tcpdump >outfile, as others said this won't work. You have to use "-w" to write a raw libpcap format dumpfile. Even that isn't enough, though; by default tcpdump grabs only the headers of the packets, and a little bit of the bodies (to contain higher protocol level nested headers). To run snort on the capture file, you need to capture the full bodies. So the invocation you need is

    tcpdump -s 0 -w outfile

If you've got some partial captures of historical data that you want snort to look at despite the fact that the packets are truncated, you can do that by setting up a private link, and using <URL:http://tcpreplay.sf.net/> to replay the traffic to snort; tcpreplay includes the ability to reconstruct packets (by either padding out to match the length, or adjusting the length to match the capture, then fixing checksums).

-Bennett
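Bennett's reply boils down to two checks you can make on a file before handing it to snort: is it a raw libpcap dump at all (rather than tcpdump's decoded text from ">outfile"), and were the packets captured whole (snaplen large enough that no record's stored length is shorter than its on-the-wire length)? The script below is an added example, not code from the thread or from the snort or tcpdump projects. It parses the classic libpcap file format with the standard library only; the sample files it inspects are constructed in the script (the file names, the zero-filled packet bodies and the text line are made up for the demonstration). The 68-byte default snaplen it assumes is the one tcpdump shipped with at the time of this thread; later versions raised it, and "-s 0" still means "whole packet".

```python
import struct

# Classic libpcap (not pcapng): 24-byte global header, 16-byte record header.
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16
# Magic numbers as they read once decoded in the writer's own byte order.
MAGIC_USEC = 0xA1B2C3D4
MAGIC_NSEC = 0xA1B23C4D
# Assumed here: tcpdump's default snaplen when this thread was written.
DEFAULT_SNAPLEN_2003 = 68


def _byte_order(data):
    """Return '<' or '>' if the file starts with a pcap magic, else None."""
    if len(data) < 4:
        return None
    for order in ("<", ">"):
        (magic,) = struct.unpack(order + "I", data[:4])
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            return order
    return None


def _looks_like_text(data):
    """Heuristic for what `tcpdump >outfile` leaves behind: printable ASCII."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(c.isprintable() or c in "\r\n\t" for c in text)


def inspect_capture(data):
    """Classify a capture file and count records truncated by the snaplen."""
    order = _byte_order(data)
    if order is None:
        return {"format": "text" if _looks_like_text(data) else "unknown",
                "usable": False}
    if len(data) < GLOBAL_HDR_LEN:
        return {"format": "pcap", "usable": False, "error": "short header"}
    # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    _, major, minor, _, _, snaplen, linktype = struct.unpack(
        order + "IHHiIII", data[:GLOBAL_HDR_LEN])
    packets = truncated = 0
    off = GLOBAL_HDR_LEN
    while off + RECORD_HDR_LEN <= len(data):
        # ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
        _, _, incl_len, orig_len = struct.unpack(
            order + "IIII", data[off:off + RECORD_HDR_LEN])
        off += RECORD_HDR_LEN
        if off + incl_len > len(data):
            break  # last record cut off, e.g. tcpdump killed mid-write
        packets += 1
        if incl_len < orig_len:
            truncated += 1
        off += incl_len
    return {
        "format": "pcap",
        "version": "%d.%d" % (major, minor),
        "linktype": linktype,
        "snaplen": snaplen,
        "packets": packets,
        "truncated": truncated,
        # snort can open the file either way, but a rule that looks past the
        # first `snaplen` bytes of a packet can never match a truncated record.
        "usable": truncated == 0,
    }


def build_sample_pcap(snaplen, wire_lengths, big_endian=False):
    """Constructed sample: a dump as `tcpdump -s <snaplen> -w` would write it.

    Bodies are zero-filled; only the length fields matter for this check.
    """
    order = ">" if big_endian else "<"
    out = struct.pack(order + "IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, 1)
    for i, orig_len in enumerate(wire_lengths):
        incl_len = min(orig_len, snaplen)
        out += struct.pack(order + "IIII", 1041955000 + i, 0, incl_len, orig_len)
        out += b"\x00" * incl_len
    return out


# Constructed sample of `tcpdump >outfile`: decoded text, not packets.
TEXT_SAMPLE = b"11:08:19.000000 10.0.0.1.40000 > 10.0.0.2.80: S 1000:1000(0) win 5840\n"


def report(name, data):
    """Print what to do with the file; returns the inspection result."""
    r = inspect_capture(data)
    if r["format"] != "pcap":
        print("%s: %s, not a raw libpcap dump; recapture with "
              "'tcpdump -s 0 -w outfile'" % (name, r["format"]))
    elif r["truncated"]:
        print("%s: snaplen %d, %d/%d records truncated; recapture with -s 0, "
              "or pad/trim and replay with tcpreplay"
              % (name, r["snaplen"], r["truncated"], r["packets"]))
    else:
        print("%s: snaplen %d, %d full packets; 'snort -r %s -c snort.conf'"
              % (name, r["snaplen"], r["packets"], name))
    return r


if __name__ == "__main__":
    report("outfile.txt", TEXT_SAMPLE)
    report("default.pcap", build_sample_pcap(DEFAULT_SNAPLEN_2003, [1500, 60, 576]))
    report("full.pcap", build_sample_pcap(65535, [1500, 60, 576], big_endian=True))
```

Run it against a real file with `inspect_capture(open("outfile", "rb").read())`. A truncated-record count above zero is exactly the situation Bennett describes for historical captures: snort will read the file, but content rules cannot see the bytes that were never saved, which is why he suggests padding or trimming the packets with tcpreplay before replaying them to a sniffing snort.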
Current thread:
- Using snort to process a TCPDump file John Cherbini (Jan 06)
- Re: Using snort to process a TCPDump file Ashley Thomas (Jan 06)
- Re: Using snort to process a TCPDump file Matt Kettler (Jan 06)
- Re: Using snort to process a TCPDump file Bennett Todd (Jan 07)