Snort mailing list archives

Re: hi


From: Phil Wood <cpw () lanl gov>
Date: Sat, 28 Sep 2002 12:38:20 -0600

You don't need snort.

% tcpdump -r your_pcap_file 'tcp[13] & 0x10 = 0x10' -nqvtt | sed -e 's/ .* id / /' -e 's/).*//'

Your mileage will vary, depending on the output of your version of tcpdump.
The above works on output like this:

1033237689.373504 192.168.1.1.1024 > 10.1.1.2.22: tcp 52 (DF) [tos 0x10] (ttl 64, id 3239)

and produces a line like this:

1033237689.373504 3239

Later,

On Fri, Sep 27, 2002 at 09:30:22PM -0400, MADAMANCHI, RAJESH KUMAR wrote:
hi all,
I'm new to snort.., I'd appreciate it if someone can help me with my question...,

i just have some huge tcpdump binary files with me. i need the
procedure(using snort) to parse these binary files and get the timestamps of
all the tcp packets with the ACK flag set. 

for e.g., I want a text file which consists of the timestamp and the 'ID'
value for all the packets with the ACK flag set

later my program is supposed to read these timestamps and process.... 

please someone reply to me about how to do this

thanks in advance
-rajesh 




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov
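The tcpdump filter above works because byte 13 of the TCP header holds the flag bits and 0x10 is ACK; the sed expression then keeps only the timestamp and the IP "id" field. The following is an added example, not from the thread or from tcpdump/Snort, that does the same extraction directly on a pcap file in Python. It assumes the classic pcap format with Ethernet framing and IPv4, and the sample capture it parses is constructed inline.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic microsecond pcap magic
TCP_ACK = 0x10            # bit tested by 'tcp[13] & 0x10 = 0x10'

def build_pcap(records):
    """Constructed test data: little-endian pcap of minimal Ethernet/IPv4/TCP frames.
    records = (ts_sec, ts_usec, ip_id, tcp_flags)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts_sec, ts_usec, ip_id, flags in records:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0x4000, 64, 6, 0,
                         bytes([192, 168, 1, 1]), bytes([10, 1, 1, 2]))
        tcp = struct.pack("!HHIIBBHHH", 1024, 22, 0, 0, 0x50, flags, 8192, 0, 0)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out

def ack_timestamps(pcap_bytes):
    """Return 'timestamp ip_id' lines for every TCP packet with ACK set,
    the same output the tcpdump | sed pipeline produces."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    endian = "<" if magic == PCAP_MAGIC else ">"        # byte order of the record headers
    linktype, = struct.unpack(endian + "I", pcap_bytes[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    off, lines = 24, []
    while off + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        pkt = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":  # not IPv4
            continue
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4                        # IP header length in bytes
        if ip[9] != 6 or len(ip) < ihl + 14:            # not TCP / truncated before tcp[13]
            continue
        ip_id = struct.unpack("!H", ip[4:6])[0]         # the 'id' field tcpdump prints with -v
        tcp = ip[ihl:]
        if tcp[13] & TCP_ACK:                           # same test as the BPF filter
            lines.append(f"{ts_sec}.{ts_usec:06d} {ip_id}")
    return lines

SAMPLE_RECORDS = [(1033237689, 373504, 3239, 0x10),   # ACK
                  (1033237689, 400000, 3240, 0x02),   # SYN only, filtered out
                  (1033237690, 1, 3241, 0x18)]        # PSH+ACK

if __name__ == "__main__":
    for line in ack_timestamps(build_pcap(SAMPLE_RECORDS)):
        print(line)
```

Captures from a real tcpdump binary file can be passed as the raw bytes of the file; nanosecond-resolution pcaps and pcapng are not handled by this parser.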
