Honeypots mailing list archives

extracting syslog data out of raw pcap dumps


From: "Chris Boubalos" <boubalos () md5sa com>
Date: Thu, 5 Jun 2003 12:27:24 +0300

Hi all,

Honeynet or not, if someone has a syslog server lost or compromised, there
is always a chance to recover log entries from within a raw capture.

To make this easier I wrote an open source utility to extract syslog entries
from a pcap dump file (like tcpdump's save files).
Output is in the form of:
=============================================================================
date srcMACaddr/srcIPaddr <facilityandlevel>syslogdata
    i.e.
    Oct 14 15:33:42 00:02:A5:9C:60:1E/10.0.0.42 <13>root: blah...
    or
    Oct 14 15:35:04 00:02:A5:9C:60:1E/10.0.0.42 <13>root: blahhhhhhhhhhhhhh(incomplete) 118 bytes missing.
=============================================================================
Syslog data will be on stdout,
    while everything else is on stderr,
 i.e. warnings and a report like:

  logdump-1.0  (extract syslog packets from tcpdump files)
   - dump file information -
  filename          ANOTHERTEST-short
  snaplen           96
  pcap version      2.4
  syslog packets    7
  filter string:    udp dst port 514

In case someone finds it useful, I would be very interested in comments and
suggestions.
It's at:
 http://www.md5sa.com/downloads/logdump/logdump-1.0.tgz
 http://www.md5sa.com/downloads/logdump/README

___________________
Chris Boubalos
Security & Forensics Team Leader
MD5 S.A.
boubalos () md5sa com
www.md5sa.com
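The recovery the post describes (walk a tcpdump save file, keep only UDP datagrams to port 514, print timestamp, source MAC/IP and the raw syslog payload, and flag records that the capture's snaplen cut short) can be reproduced with nothing but the Python standard library. The example below is added here and is not logdump's own code; it builds its own small pcap in memory from constructed frames (a complete syslog message, a long one that a snaplen of 96 truncates, and a DNS datagram that the port filter must drop), so it runs offline. The timestamp, MAC and IP values are chosen to mirror the sample output in the post and are assumptions, not captured data; the "bytes missing" figure is derived from the UDP length field rather than from whatever logdump itself uses.

```python
"""Extract syslog (UDP dst port 514) records from a pcap save file, stdlib only."""
import struct
import sys
from datetime import datetime, timezone

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic tcpdump magic, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond-resolution variant


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(src_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame used as test input (not real traffic)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                     ip4(src_ip), ip4(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return mac("00:50:56:aa:bb:cc") + mac(src_mac) + b"\x08\x00" + ip + udp


def build_pcap(frames, snaplen=96, t0=1066145622):
    """In-memory pcap v2.4 (DLT_EN10MB). Frames longer than snaplen are cut
    exactly as tcpdump -s <snaplen> cuts them; orig_len keeps the wire size.
    t0 = 2003-10-14 15:33:42 UTC, an assumed value matching the post's sample."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, 1)
    for i, frame in enumerate(frames):
        cap = frame[:snaplen]
        out += struct.pack("<IIII", t0 + i, 0, len(cap), len(frame)) + cap
    return out


def extract_syslog(pcap: bytes, dst_port=514):
    """Return [(ts, src_mac, src_ip, payload, missing)] for every UDP datagram
    to dst_port; missing = payload bytes the UDP length promises but the
    capture does not contain (0 when the datagram was captured whole)."""
    end = "<"
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic not in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        end, magic = ">", struct.unpack(">I", pcap[:4])[0]
        if magic not in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            raise ValueError("not a pcap file")
    nsec = magic == PCAP_MAGIC_NSEC
    _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack(end + "HHiIII", pcap[4:24])
    if linktype != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) dumps are handled")
    entries, off = [], 24
    while off + 16 <= len(pcap):
        ts_sec, ts_frac, incl_len, _orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
            continue                      # too short to reach UDP, or not IPv4
        ihl = (frame[14] & 0x0F) * 4
        ip = frame[14:14 + ihl]
        if ihl < 20 or ip[9] != 17:
            continue                      # bad IHL or not UDP
        uoff = 14 + ihl
        if len(frame) < uoff + 8:
            continue
        _sport, dport, ulen, _ck = struct.unpack("!HHHH", frame[uoff:uoff + 8])
        if dport != dst_port:
            continue
        payload = frame[uoff + 8:uoff + ulen]  # stops early if snaplen truncated it
        missing = max(0, (ulen - 8) - len(payload))
        ts = ts_sec + ts_frac / (1e9 if nsec else 1e6)
        src_mac = ":".join("%02X" % b for b in frame[6:12])
        src_ip = ".".join(str(b) for b in ip[12:16])
        entries.append((ts, src_mac, src_ip, payload, missing))
    return entries


def format_entry(entry) -> str:
    """Render one record in the 'date srcMAC/srcIP <pri>msg' form of the post."""
    ts, mac, ip, payload, missing = entry
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    stamp = "%s %2d %s" % (dt.strftime("%b"), dt.day, dt.strftime("%H:%M:%S"))
    line = "%s %s/%s %s" % (stamp, mac, ip, payload.decode("ascii", "replace"))
    if missing:
        line += "(incomplete) %d bytes missing" % missing
    return line


def demo_entries(snaplen=96):
    """Constructed sample: one whole syslog message, one that snaplen cuts, one DNS query."""
    src = ("00:02:a5:9c:60:1e", "10.0.0.42", "10.0.0.1")
    frames = [
        build_udp_frame(*src, 514, 514, b"<13>root: blah..."),
        build_udp_frame(*src, 514, 514, b"<13>root: " + b"h" * 162),
        build_udp_frame(*src, 51234, 53, b"\x12\x34\x01\x00 not syslog"),
    ]
    return extract_syslog(build_pcap(frames, snaplen=snaplen))


if __name__ == "__main__":
    entries = demo_entries()
    for e in entries:
        print(format_entry(e))                       # syslog data on stdout
    print("syslog packets    %d" % len(entries), file=sys.stderr)  # report on stderr
```

Two points the recovered lines make explicit: the DNS datagram never reaches stdout because the filter is applied on the parsed headers rather than on a string match, and the second message is reported as incomplete with a count of payload bytes that the capture can never give back, so an analyst knows which entries to treat as partial before building a timeline from them.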