Snort mailing list archives

Re: Using snort to process a TCPDump file


From: Bennett Todd <bet () rahul net>
Date: Tue, 7 Jan 2003 11:08:19 -0500

2003-01-06T17:09:44 John Cherbini:
I was interested in finding out if I can use snort to process a tcpdump
log file.  Specifically, I have a file that I redirected tcpdump into,
and I just want to run it through Snort to see if any of the packets
match any rules.

"redirected" sounds like you're running tcpdump >outfile; as others
said, this won't work.

You have to use "-w" to write a raw libpcap format dumpfile.

Even that isn't enough, though; by default tcpdump grabs only the
headers of the packets, and a little bit of the bodies (to contain
higher protocol level nested headers). To run snort on the capture
file, you need to capture the full bodies. So the invocation you
need is

        tcpdump -s 0 -w outfile

If you've got some partial captures of historical data that you want
snort to look at despite the fact that the packets are truncated,
you can do that by setting up a private link, and using
<URL:http://tcpreplay.sf.net/> to replay the traffic to snort;
tcpreplay includes the ability to reconstruct packets (by either
padding out to match the length, or adjusting the length to match
the capture, then fixing checksums).

-Bennett
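A quick sanity check for the two failure modes described in the reply above, as an added Python example that is not part of the original thread: it looks for the raw libpcap header that "tcpdump -w" writes (the text produced by "tcpdump >outfile" has none) and reports the snapshot length plus how many records were cut short of their wire length. The sample captures are constructed inline; the 96-byte snaplen and the packet sizes are assumed values for the example, and the checker handles classic pcap only, not pcapng.

```python
import struct

# Constructed sample data (hypothetical, not from the original post): two pcap files as
# "tcpdump -w" would write them, plus the text that "tcpdump >outfile" produces instead.
# libpcap global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype.
PCAP_MAGICS = {0xA1B2C3D4: "<", 0xA1B23C4D: "<",   # written on a little-endian host
               0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}   # written on a big-endian host


def build_pcap(snaplen, packets):
    """Build a little-endian pcap (linktype 1, Ethernet) from (caplen, origlen) pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for caplen, origlen in packets:
        # per-record header: ts_sec, ts_usec, captured length, original wire length
        out += struct.pack("<IIII", 0, 0, caplen, origlen) + b"\x00" * caplen
    return out


SAMPLE_DEFAULT_SNAPLEN = build_pcap(96, [(96, 1514), (60, 60)])   # assumed default, bodies cut
SAMPLE_FULL = build_pcap(65535, [(1514, 1514), (60, 60)])         # as from tcpdump -s 0 -w
SAMPLE_TEXT = b"11:08:19.000000 IP 10.0.0.1.1234 > 10.0.0.2.80: S 0:0(0) win 5840\n"


def check_capture(data):
    """Report whether `data` is a raw libpcap file that snort -r can read whole packets from.

    is_pcap:   starts with a libpcap magic (tcpdump's text output fails this)
    snaplen:   snapshot length from the global header (0 or 65535 keeps full packets)
    truncated: records whose captured length is shorter than the wire length
    """
    report = {"is_pcap": False, "snaplen": None, "packets": 0, "truncated": 0}
    if len(data) < 24:
        return report
    endian = PCAP_MAGICS.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        return report
    report["is_pcap"] = True
    report["snaplen"] = struct.unpack(endian + "IHHiIII", data[:24])[5]
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        report["packets"] += 1
        if caplen < origlen:
            report["truncated"] += 1
        off += 16 + caplen
    return report


if __name__ == "__main__":
    for name, blob in [("text", SAMPLE_TEXT), ("snaplen 96", SAMPLE_DEFAULT_SNAPLEN),
                       ("-s 0", SAMPLE_FULL)]:
        print(name, check_capture(blob))
```

A capture that passes the header check but shows truncated records is the case where tcpreplay's padding or length-fixing options are needed before snort can see full bodies.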
