Snort mailing list archives

Merging Snort capture files (take 2)


From: JP Vossen <vossenjp () netaxs com>
Date: Sun, 4 May 2003 02:29:48 -0400 (EDT)


Oops, just sent this to the request address by accident...  Hope it doesn't
get posted twice, and sorry 'bout that.


I just had to merge a couple of Snort pcap files back together to make it
easier to search for some packets. I found a script fragment at [0], but it
had a typo (was missing $ in 'if [ $COUNTER -eq 0 ]; then') and was not quite
what I wanted. I used it as a starting point and wrote this trivial script...
I thought it might be handy to have this in the archives.  This worked for me,
but it has NOT been extensively tested. YMMV.

----- Cut Here -----
#!/bin/sh
# 2003-04-24 JP Vossen
# Merge Snort or TCPDump capture files into a single file.
# See: http://marc.theaimsgroup.com/?l=snort-users&m=105093894100422&w=2

if [ "$1" = "-h" -o -z "$1" -o -z "$2" ]; then
    echo ''
    echo "usage: $0 {NEW file} '{files to merge-no wildcard}'"
    echo ''
    echo "      e.g.: $0 snort-all snort.log."
    echo ''
    echo 'Merge Snort or TCPDump capture files into a single file.'
    echo 'NOTE the single quotes around the second argument!!!'
    echo ''
    exit 1
fi

echo ''
echo "Merging $2 into $1..."
echo ''

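# $2 is deliberately left unquoted so the shell expands the wildcard here.
# Every pcap file starts with a 24-byte global header; keep it from the
# first file only and strip it from the rest.
(COUNTER=0;
 for i in $2; do
    if [ $COUNTER -eq 0 ]; then
        cat "$i"
        COUNTER=1;
    else
        cat "$i" | dd bs=24 skip=1
    fi
 done) > "$1"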
----- Cut Here -----


Enjoy,
JP

[0] http://marc.theaimsgroup.com/?l=snort-users&m=105093894100422&w=2

------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|                jp () jpsdomain org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows 98 or better, so I installed
Linux..."
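
Added example (not part of the original post, and not Snort or tcpdump code): because the script above keeps only the first file's 24-byte global header, every later packet is read with that header's byte order and link type. The functions below refuse to merge files whose headers disagree; the function names and the sample capture bytes are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# pcap_sig FILE: print magic + link type (hex) from the 24-byte global header;
# fail if FILE is not a classic pcap (pcapng, truncated, text, missing).
pcap_sig() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) ;;  # usec/nsec, either byte order
        *) return 1 ;;
    esac
    [ "$(wc -c < "$1")" -ge 24 ] || return 1
    echo "$magic$(od -An -tx1 -j20 -N4 "$1" | tr -d ' \n')"
}

# pcap_merge OUT FILE...: copy the first file whole and later files without
# their header. Returns 1 and leaves OUT untouched if any header differs.
pcap_merge() {
    out=$1; shift
    tmp="$out.tmp.$$"; first=
    : > "$tmp" || return 2
    for f in "$@"; do
        if ! sig=$(pcap_sig "$f"); then
            echo "$f: not a classic pcap file" >&2; rm -f "$tmp"; return 1
        elif [ -z "$first" ]; then
            first=$sig; cat "$f" >> "$tmp"
        elif [ "$sig" = "$first" ]; then
            tail -c +25 "$f" >> "$tmp"           # skip the 24-byte header
        else
            echo "$f: header $sig != $first" >&2; rm -f "$tmp"; return 1
        fi
    done
    mv "$tmp" "$out"
}

# make_sample FILE OCTAL_LINKTYPE: constructed little-endian capture with one
# 4-byte packet (24-byte header + 16-byte record header + 4 data bytes).
make_sample() {
    {
        printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000'
        printf "\\377\\377\\000\\000\\$2\\000\\000\\000"
        printf '\001\000\000\000\000\000\000\000\004\000\000\000\004\000\000\000abcd'
    } > "$1"
}
```

Packets land in the output in argument order, so pass the files oldest first if the merged capture should stay chronological.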




