Snort mailing list archives

Re: how to convert payload data from MySQL data table to tcpdump formatted data?


From: Martin Olsson <elof () sentor se>
Date: Thu, 23 Oct 2003 15:29:52 +0200 (CEST)


On Thu, 23 Oct 2003, Martin Olsson wrote:
> I got the following snort data installed in the Data table in MySQL:
> |   1 | 2082 |
> 485454502F312E312034303320466F7262696464656E0D0A446174653A205765642C2032
> 32204F637420323030332031333A35363A333420474D540D0A5365727665723A20417061
> 6368652F322E302E3430202852656420486174204C696E7578290D0A4163636570742D52
> 616E6765733A2062797465730D0A436F6E74656E742D4C656E6774683A20323839380D0A
> 436F6E6E656374696F6E3A20636C6F73650D0A436F6E74656E742D547970653A20746578
> 742F68746D6C3B20636861727365743D49534F2D383835392D310D0A0D0A |
> How can I convert the above data_payload to a tcpdump formatted file?
I too am very interested in this!
I want to add a button at the bottom of the ACID-page with packet payload.
When clicking on this button, the payload from the database is converted
into a tcpdump (pcap) file and then fed into tethereal. The output from
tethereal, a nice decode of the packet, is then presented in my browser.

This would be great for (at least) four reasons:
* Now you can see the decoded content of a DNS request/response, you
  can see what network an "ICMP redirect net"-packet contains and so on.
* You can see the MAC addresses. ACID doesn't display them.
* You can send the pcap-file to others, parse it with your favourite tool,
  etc.
* A report to the customer looks better with a decoded packet than just
  the Hex/ASCII-dump from ACID.

Aw! I just discovered that the logged data is NOT the entire packet, just
the protocol data payload. Damn!

Is there some way to rebuild the entire packet from the data logged to
ACID?

/Martin
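The conversion asked about above, as an added example that is not part of the original thread: a script that decodes the hex data_payload column into bytes, wraps it in Ethernet/IPv4/TCP headers with valid checksums, and writes a classic pcap file that tethereal (or tcpdump) can read. Since the data table holds only the protocol payload, the IP addresses, ports and MAC addresses used here are parameters and placeholders (the src_ip/dst_ip/sport/dport values in the usage are constructed, as is the sample hex, which is copied from the quoted message); the real values of the IP/TCP fields would have to be pulled from the other tables of the Snort database schema, and link-layer addresses are not logged at all, so the MACs in the rebuilt packet can never be the original ones.

```python
#!/usr/bin/env python3
"""Rebuild a Snort 'data' table payload into a pcap file (added example, not from the thread)."""
import socket
import struct
import time

# Constructed sample input: the data_payload column quoted in the message
# (an HTTP 403 response). Whitespace from the SQL output is ignored.
SAMPLE_HEX = """
485454502F312E312034303320466F7262696464656E0D0A446174653A205765642C2032
32204F637420323030332031333A35363A333420474D540D0A5365727665723A20417061
6368652F322E302E3430202852656420486174204C696E7578290D0A4163636570742D52
616E6765733A2062797465730D0A436F6E74656E742D4C656E6774683A20323839380D0A
436F6E6E656374696F6E3A20636C6F73650D0A436F6E74656E742D547970653A20746578
742F68746D6C3B20636861727365743D49534F2D383835392D310D0A0D0A
"""


def hex_to_bytes(hexdump):
    """Decode the hex string as stored by Snort's database output plugin."""
    return bytes.fromhex("".join(hexdump.split()))


def inet_checksum(data):
    """RFC 1071 ones'-complement sum over 16-bit words (returns 0 for a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(payload, src_ip, dst_ip, sport, dport, seq=0, ack=0,
                    flags=0x18,  # PSH|ACK, a plausible flag set for a data segment
                    src_mac=b"\x00\x00\x00\x00\x00\x01",   # placeholder: MACs are not logged
                    dst_mac=b"\x00\x00\x00\x00\x00\x02"):
    """Wrap a payload in synthetic Ethernet/IPv4/TCP headers with correct checksums."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # TCP header: 20 bytes, no options, checksum over the IPv4 pseudo-header + segment
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp + payload)) + tcp[18:]
    # IPv4 header: version/IHL, TOS, total length, id, DF flag, TTL, proto 6, checksum
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = dst_mac + src_mac + b"\x08\x00"      # EtherType IPv4
    return eth + ip + tcp + payload


def pcap_bytes(frames, ts=None):
    """Serialise frames as a classic pcap file (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    ts = time.time() if ts is None else ts
    out = struct.pack("!IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for frame in frames:
        out += struct.pack("!IIII", int(ts), int((ts % 1) * 1e6), len(frame), len(frame))
        out += frame
    return out


def parse_frame(frame):
    """Decode a rebuilt frame again and verify both checksums (sanity check)."""
    ip, tcp, payload = frame[14:34], frame[34:54], frame[54:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, ip[9], len(tcp) + len(payload))
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "payload": payload,
            "ip_csum_ok": inet_checksum(ip) == 0,
            "tcp_csum_ok": inet_checksum(pseudo + tcp + payload) == 0}


def write_pcap(path, hexdump, **hdr):
    """Decode one data_payload value, rebuild the packet and write it to `path`."""
    frame = build_tcp_frame(hex_to_bytes(hexdump), **hdr)
    with open(path, "wb") as fh:
        fh.write(pcap_bytes([frame]))
    return frame


if __name__ == "__main__":
    # Constructed addresses/ports: a server-to-client HTTP response
    frame = write_pcap("payload.pcap", SAMPLE_HEX, src_ip="192.0.2.10",
                       dst_ip="192.0.2.20", sport=80, dport=1234)
    print(parse_frame(frame)["payload"][:24])
```

The resulting file can be decoded with `tethereal -r payload.pcap -V`. Because the headers are synthesised, anything tethereal reports about them (TTL, sequence numbers, MACs, timestamps) describes the reconstruction, not the original traffic; only the payload bytes are evidence from the sensor, which is worth stating in any report built this way.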


