Snort mailing list archives

Problem of converting tcpdump.list (.txt) file to pcap format


From: "2014/2015 - Nsabimana Thierry" <thierry.nsabimana () aims-cameroon org>
Date: Sat, 2 Jun 2018 13:29:29 +0100

Hello everyone,

I have applied the DARPA dataset to my implemented IDS using Soft computing (Genetic Algorithm and Self Organized Feature Map) to classify and to detect malicious attacks. I used the tcpdump.list (.txt) file, which contains normal connections and abnormal connections, and everything was good.

So, I have tried to apply the same file (tcpdump.list (.txt)) on Snort IDS, but I found that the txt file is not compatible with Snort. I googled the Internet in order to find a converter which can transform the txt file to a pcap file, and I found two command lines:
1) text2pcap tcpdump.list tcpdump.pcap

This actually returns:

Input from: tcpdump.list
Output to: tcpdump.pcap
Output format: PCAP
Read 113001 potential packets, wrote 0 packets.

This command line is just reading but not writing.

2) od -Ax -tx1 -v tcpdump.list | text2pcap -m1460 -T1234,1234 - tcpdump.pcap



This actually returns the following output:

Read 113001 potential packets, wrote 113001 packets (172891316 bytes)

This command line was at least good, but the problem with it is that after converting to a pcap file, the tcpdump.pcap file contains the same source IP address, the same destination IP address, the same source port and destination port, and the same protocol (TCP) for all packets. Some of the packets are posted below:

13:03:35.000000 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 0:1460, win 8192, length 1460
13:03:35.000001 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 1460:2920, win 8192, length 1460
13:03:35.000002 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 2920:4380, win 8192, length 1460
13:03:35.000003 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 4380:5840, win 8192, length 1460
13:03:35.000004 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 5840:7300, win 8192, length 1460
13:03:35.000005 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 7300:8760, win 8192, length 1460
13:03:35.000006 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 8760:10220, win 8192, length 1460
13:03:35.000007 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 10220:11680, win 8192, length 1460



Could you please help me to find out a good converter?


Thank you.

Thierry



-- 

PhD Student In Computer Science
University of Abomey Calavi, IMSP
Email: thierry.nsabimana () aims-cameroon org
<thierry.nsabimana () aims-cameroon org>
Email: thierry.nsabimana () imsp-uac org
<thierry.nsabimana () aims-cameroon org>
Tel: +229 61 403 104
AIMS-CAMEROON ALUMNI
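Added example (not part of the post above, and not Snort or Wireshark project code). The second command in the post explains its own result: `-m1460 -T1234,1234` tells text2pcap to treat the hex dump as one raw byte stream, cut it into 1460-byte pieces and wrap each piece in dummy Ethernet/IP/TCP headers with fixed default addresses and the given ports, which is exactly the 10.1.1.1.1234 > 10.2.2.2.1234 output shown. A connection listing holds no packet bytes, so no converter can recover the original traffic from it; what a pcap-based sensor can be given instead is one synthetic header-only packet per listed connection carrying the listed addresses and ports, which is enough for address/port rules but never for payload rules. The script below does that with the standard library only. The column layout assumed for the list (id, date, time, duration, service, source port, destination port, source IP, destination IP, score, name) and the three sample records are assumptions constructed for illustration, not data from the post.

```python
"""Turn a connection listing into a pcap of synthetic TCP SYN packets.

Added example, standard library only. The list column layout below is an
assumption about DARPA-style tcpdump.list files; the sample lines are
constructed and not taken from any real dataset.
"""
import socket
import struct
from datetime import datetime, timezone

# Constructed sample records in the assumed layout:
# id date time duration service src_port dst_port src_ip dst_ip score name
SAMPLE_LIST = """\
1 01/29/1998 00:00:00 00:00:04 ftp-data 1028 20 192.168.1.30 172.16.112.50 0 -
2 01/29/1998 00:00:02 00:00:01 http 1029 80 192.168.1.30 172.16.112.100 0 -
3 01/29/1998 00:00:05 00:01:10 telnet 1030 23 192.168.1.31 172.16.112.50 1 guess
"""

# pcap global header: magic, major, minor, tz offset, sigfigs, snaplen, linktype 1 = Ethernet
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def parse_list(text):
    """Return one dict per well-formed record; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9:
            continue
        try:
            ts = datetime.strptime(f[1] + " " + f[2], "%m/%d/%Y %H:%M:%S")
            rec = {"ts": int(ts.replace(tzinfo=timezone.utc).timestamp()),
                   "sport": int(f[5]), "dport": int(f[6]),
                   "src": f[7], "dst": f[8],
                   "name": f[10] if len(f) > 10 else "-"}
            socket.inet_aton(rec["src"]); socket.inet_aton(rec["dst"])
        except (ValueError, OSError):
            continue
        records.append(rec)
    return records


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (0 when data already carries a valid checksum)."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_syn(rec, seq=0):
    """Ethernet + IPv4 + TCP SYN (no payload) for one connection record."""
    src, dst = socket.inet_aton(rec["src"]), socket.inet_aton(rec["dst"])
    # sport, dport, seq, ack, data offset 5 words, flags SYN, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", rec["sport"], rec["dport"], seq, 0,
                      5 << 4, 0x02, 8192, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = b"\x00\x00\x00\x00\x00\x02" + b"\x00\x00\x00\x00\x00\x01" + b"\x08\x00"
    return eth + ip + tcp


def write_pcap(records):
    """Serialize one SYN per record, timestamped from the record's start time."""
    out = bytearray(PCAP_GLOBAL)
    for rec in records:
        pkt = build_syn(rec)
        out += struct.pack("<IIII", rec["ts"], 0, len(pkt), len(pkt))
        out += pkt
    return bytes(out)


def summarize_pcap(data):
    """Walk an Ethernet pcap produced above and return (src, dst, sport, dport) per packet."""
    out, off = [], len(PCAP_GLOBAL)
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        ip = data[off + 16 + 14: off + 16 + 34]
        sport, dport = struct.unpack("!HH", data[off + 16 + 34: off + 16 + 38])
        out.append((socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, dport))
        off += 16 + incl
    return out


if __name__ == "__main__":
    recs = parse_list(SAMPLE_LIST)
    with open("synthetic.pcap", "wb") as fh:
        fh.write(write_pcap(recs))
    print("wrote %d synthetic packets" % len(recs))
```

Run against a real listing by replacing `SAMPLE_LIST` with the file contents; the resulting `synthetic.pcap` opens in tcpdump and can be read by Snort with `-r`, and each packet shows the listed addresses and ports instead of the fixed dummy pair. Because every packet is a bare SYN, only rules that match on header fields can fire; anything keyed on packet content has nothing to inspect, which is the inherent limit of starting from a connection list rather than a capture.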
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org