Snort mailing list archives

Re: snort session reassembly problem


From: Erek Adams <erek () snort org>
Date: Mon, 10 Mar 2003 09:01:45 -0500 (EST)

On Mon, 10 Mar 2003, Sven Fichtner wrote:

> Sounds like it would be useful to take tcpreplay which is a "tool to
> replay saved tcpdump files at arbitrary speeds".

No, tcpreplay wouldn't be useful here.  It would replay the packets on the
wire, sure...  But he wants to "multiple keyword search on a tcpdump file.
The output I need is all the sessions containing those keywords.  The
complete session should be stored in case the keyword is found."  That's
what the problem is.  :-/

Ethereal does have a follow stream, which IIRC, you can 'zoom' in on just
that stream and write that section out to disk.  Granted, it's not elegant
or quick, but it would do in a pinch.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
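The thread's actual problem (keyword search over a tcpdump file, keeping every session that contains a keyword) is what Snort's stream reassembly and Ethereal's "follow stream" do by hand. The following is an added example, not code from the thread or from Snort, that does the same thing offline: it reads a classic little-endian pcap, groups Ethernet/IPv4/TCP frames into sessions by a direction-independent 4-tuple, reassembles each direction's payload in sequence order, searches the reassembled bytes for the keywords, and writes every matching session back out as its own pcap. The capture it runs on is constructed inline (a keyword deliberately split across two segments, which a per-packet grep would miss); it assumes no IP fragmentation and does no retransmission or overlap handling.

```python
"""Keyword search over a pcap that keeps whole TCP sessions (added example, not Snort code)."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
# Classic pcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
PCAP_GLOBAL = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)


def build_tcp_packet(src, dst, sport, dport, seq, flags, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left at 0 (not validated here)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = b"\x00" * 12 + b"\x08\x00"          # zero MACs, EtherType IPv4
    return eth + ip + tcp


def build_pcap(frames):
    """Serialise frames as pcap records with synthetic, increasing timestamps."""
    out = bytearray(PCAP_GLOBAL)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return bytes(out)


def parse_pcap(data):
    """Return the list of raw frames in a little-endian classic pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled in this example")
    frames, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        frames.append(data[off:off + incl])
        off += incl
    return frames


def decode_tcp(frame):
    """Return (src, sport, dst, dport, seq, payload) or None for non-IPv4/TCP frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total = struct.unpack_from("!H", frame, 16)[0]        # IP total length, trims Ethernet padding
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp_off = 14 + ihl
    sport, dport, seq = struct.unpack_from("!HHI", frame, tcp_off)
    doff = (frame[tcp_off + 12] >> 4) * 4
    return src, sport, dst, dport, seq, frame[tcp_off + doff:14 + total]


def flow_key(src, sport, dst, dport):
    """Direction-independent session id so both halves of a conversation land together."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def group_sessions(frames):
    """Map flow_key -> list of (direction, seq, payload, raw frame), in capture order."""
    sessions = defaultdict(list)
    for frame in frames:
        d = decode_tcp(frame)
        if d is None:
            continue
        src, sport, dst, dport, seq, payload = d
        sessions[flow_key(src, sport, dst, dport)].append(((src, sport), seq, payload, frame))
    return sessions


def reassemble(records):
    """Concatenate each direction's payload in sequence order (no retransmission handling)."""
    streams = defaultdict(list)
    for direction, seq, payload, _ in records:
        streams[direction].append((seq, payload))
    return {d: b"".join(p for _, p in sorted(chunks)) for d, chunks in streams.items()}


def find_sessions(pcap_bytes, keywords):
    """Return {flow_key: pcap bytes of the complete session} for every session whose
    reassembled stream, in either direction, contains any of the keywords."""
    kws = [k.encode() if isinstance(k, str) else k for k in keywords]
    hits = {}
    for key, records in group_sessions(parse_pcap(pcap_bytes)).items():
        streams = reassemble(records)
        if any(k in s for s in streams.values() for k in kws):
            hits[key] = build_pcap([r[3] for r in records])   # whole session, all frames
    return hits


def sample_pcap():
    """Constructed capture: session A carries "secret" split across two segments
    (found only after reassembly); session B is clean. Frames are interleaved."""
    a = [build_tcp_packet("10.0.0.1", "10.0.0.2", 40000, 80, 1, 0x18, b"GET /sec"),
         build_tcp_packet("10.0.0.1", "10.0.0.2", 40000, 80, 9, 0x18, b"ret HTTP/1.0\r\n"),
         build_tcp_packet("10.0.0.2", "10.0.0.1", 80, 40000, 1, 0x18, b"HTTP/1.0 200 OK\r\n")]
    b = [build_tcp_packet("10.0.0.3", "10.0.0.2", 40001, 80, 1, 0x18, b"GET /index HTTP/1.0\r\n"),
         build_tcp_packet("10.0.0.2", "10.0.0.3", 80, 40001, 1, 0x18, b"HTTP/1.0 200 OK\r\n")]
    return build_pcap([a[0], b[0], a[1], b[1], a[2]])


if __name__ == "__main__":
    for key, pcap in find_sessions(sample_pcap(), ["secret"]).items():
        print(key, len(parse_pcap(pcap)), "frames written")
```

To use it on a real capture, pass `open("file.pcap", "rb").read()` to `find_sessions` and write each value of the returned dict to its own file. The point of reassembling before matching is the same one Snort's stream preprocessor makes: a keyword that straddles a segment boundary is invisible to a packet-by-packet search, so content matching has to run over the reconstructed stream.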


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

