Re: How does TCP connections over multiple Pcap files

[Russ via Snort-users <snort-users () lists snort org>]

Hi Mark,

Snort can't handle that scenario but you may be able to get the pcaps 
combined using mergecap if the router clocks are close enough.

Russ

On 7/21/18 12:57 AM, Mark A via Snort-users wrote:
> Hi all,
>
> Was just wondering if snort can handle a connection that is spread 
> over multiple PCAP files? If so, how (or any documentation that points 
> to how it works)
>
>
> The likely example will be
>
> 1) You have two routers (Router A and Router B) connected to the same ISP.
> 2) BGP has been configured so that traffic is load balanced to the ISP 
> from the two routers.
> 3) Captures are running on the ISP facing interfaces on Router A and 
> Router B and sent to a directory.
> 3) Snort is configured to read pcaps off a directory
>
> A TCP connection from your LAN to a server on the internet is made. 
> The packets are split in a round robin fashion between Router A and 
> Router B.
>
> Kind Regards,
> Mark A
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
>         To unsubscribe, send an email to:
>         snort-users-leave () lists snort org
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette