Snort mailing list archives

Re: Using snort to process a TCPDump file


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 06 Jan 2003 19:03:40 -0500

Well, first, it would be impossible for snort to use redirected output from plain-Jane tcpdump > mycapture. By default most of the packet data is missing and what's left isn't enough to be very useful to snort. However, if you use tcpdump -w to generate a raw-binary dump file, snort can process it. If you also need tcpdump plain-text data, you can convert the raw binary using tcpdump -r.


see man snort:

       -r tcpdump-file
              Read the tcpdump-formatted file tcpdump-file.  This
              will  cause  Snort to read and process the file fed
              to it.  This is useful if, for instance, you've got
              a  bunch  of  SHADOW files that you want to process
              for content, or even  if  you've  got  a  bunch  of
              reassembled  packet fragments which have been writ-
              ten into a tcpdump formatted file.

and man tcpdump:

     -w file
           Write the raw packets to file rather than parsing and printing them
           out.  They can be analyzed later with the -r option.  Standard out-
           put is used if file is `-'.

At 03:09 PM 1/6/2003 -0700, you wrote:

Hello everyone...

I was interested in finding out if I can use snort to process a tcpdump log file. Specifically, I have a file that I redirected tcpdump into, and I just want to run it through Snort to see if any of the packets match any rules.

I've read through the FAQ, and a few other documents on the site... I can't find any reference to doing this.

If there are better applications to do this, please let me know!

Thank you for any advice!!

John Cherbini
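The workflow the reply describes (capture with tcpdump -w, replay with snort -r, view with tcpdump -r) as a small shell script; this is an added example, not code from the original thread. It first checks that the file really is a raw pcap dump, which is exactly what a redirected `tcpdump > file` is not. The snort config path, log directory and interface name are assumptions for your install.

```shell
#!/bin/sh
# Added example (not from the original thread): validate that a capture file is a
# raw tcpdump/pcap dump (what `tcpdump -w` writes) before handing it to `snort -r`.
# A file produced with plain `tcpdump > capture.txt` is text and fails this check.

# Return 0 if the file starts with a pcap magic number (either byte order,
# microsecond or nanosecond timestamps), 1 otherwise.
is_pcap_file() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) return 0 ;;
        *) return 1 ;;
    esac
}

# Run snort in read-from-file mode against a pcap, after validating it.
# The snort config path and log directory are assumed defaults; adjust for your install.
snort_replay() {
    capture=$1
    conf=${2:-/etc/snort/snort.conf}
    logdir=${3:-./snort-logs}
    if ! is_pcap_file "$capture"; then
        echo "$capture is not a raw tcpdump -w file; recapture with: tcpdump -w $capture" >&2
        return 2
    fi
    mkdir -p "$logdir"
    snort -r "$capture" -c "$conf" -l "$logdir"
}

# Usage (commented out so the script also runs where tcpdump/snort are absent):
# tcpdump -i eth0 -w mycapture.pcap        # raw binary dump, not redirected text
# snort_replay mycapture.pcap /etc/snort/snort.conf ./snort-logs
# tcpdump -r mycapture.pcap                # human-readable view of the same packets
```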


