Snort mailing list archives

Re: mysql to pcap?


From: Dirk Geschke <dirk () geschke-online de>
Date: Tue, 2 Sep 2008 16:41:44 +0200

Hi Jason,

> > you cannot do this with the standard database scheme, there are
> > some parameters, especially the headers, missing.
> 
> What is missing? You should be able to take the binary data and wrap a
> pcap header on it and all should be well.
> 
> Details please.

It has been a long time since I took a look at the code. But the payload in
the database does not include the IP header, and for TCP packets
even the TCP header is missing. So this is one part which is
missing. The iphdr and tcphdr tables are incomplete: some possible
values are missing and some are not as expected. AFAIR the ip_tos
field only says whether the field is used or not, but you will not
get the value of this field.

This is the reason why FLoP extends the database and probably why
sguil is using a completely different design.

Best regards

Dirk

-- 
+----------------------------------------------------------------------+
| Dr. Dirk Geschke       / Plankensteinweg 61    / 85435 Erding        |
| Telefon: 08122-559448  / Mobil: 0176-96906350 / Fax: 08122-9818106   |
| dirk () geschke-online de / dirk () lug-erding de  / kontakt () lug-erding de | 
+----------------------------------------------------------------------+
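An added example (not from this thread, FLoP or Snort) of what "wrapping a pcap header" on the stored data actually involves: the IP and TCP headers have to be rebuilt from the iphdr/tcphdr columns before the payload can be written, and values the standard schema does not carry (the TOS value, window, options) must be defaulted. The column names in SAMPLE_ROW are assumptions modelled on the Snort schema, and the values are constructed.

```python
import socket
import struct

# Constructed sample row; column names are assumed to mirror the Snort
# iphdr/tcphdr/data tables, values are made up for the example.
SAMPLE_ROW = {
    "ip_src": "192.0.2.10", "ip_dst": "192.0.2.20", "ip_ttl": 64,
    "tcp_sport": 40000, "tcp_dport": 80, "tcp_seq": 1000, "tcp_ack": 0,
    "tcp_flags": 0x18,  # PSH+ACK
    "data_payload": b"GET / HTTP/1.0\r\n\r\n",
}

def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_packet(row: dict) -> bytes:
    """Rebuild IPv4 + TCP headers around the stored payload.
    TOS, IP id, window and options are not in the standard schema, so
    they are filled with defaults (0 / 8192 / none)."""
    payload = row["data_payload"]
    src, dst = socket.inet_aton(row["ip_src"]), socket.inet_aton(row["ip_dst"])
    tcp_len = 20 + len(payload)
    tcp = struct.pack("!HHIIBBHHH", row["tcp_sport"], row["tcp_dport"],
                      row["tcp_seq"], row["tcp_ack"], 5 << 4, row["tcp_flags"],
                      8192, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0,
                     row["ip_ttl"], 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp + payload

def to_pcap(packets: list, ts: int = 0) -> bytes:
    """Classic pcap with linktype 101 (LINKTYPE_RAW, bare IPv4), so no
    Ethernet header has to be invented for data the database never had."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", ts + i, 0, len(pkt), len(pkt)) + pkt
    return out

if __name__ == "__main__":
    with open("rebuilt.pcap", "wb") as f:
        f.write(to_pcap([build_packet(SAMPLE_ROW)]))
```

The rebuilt file opens in any pcap reader, but the defaulted fields show how much of the original packet the standard schema simply does not preserve.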
