Snort mailing list archives

Re: Reconstruction of TCP packets


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Tue, 30 Mar 2004 10:10:57 +1200

On Mon, Mar 29, 2004 at 05:19:22AM -0800, Rajesh Joseph wrote:
> I know stream4 (stream4_reassemble) is used to reassemble the tcp packets,
> But in my case it is not doing so..... It only dumps that packet which
> caused the alert but not the entire assembled packet.

I think Snort cannot do what you want. What you want is to capture an
arbitrary amount of traffic and reconstruct it into a single stream - for
snort to do that without making itself susceptible to DoS attacks would
require infinite memory. Snort uses a "sliding window" thingy to limit the
amount of RAM it needs to allocate to any particular data stream.

What about just capturing what you want with:

tcpdump -n -s0 -w/tmp/raw.tcpdump -i <DEV> <BF FILTER>

then you can read that into Ethereal and it'll reconstruct it (assuming it's
not a stupid amount of data - same issues as snort...)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
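
The memory trade-off Jason describes above (reassembling a TCP stream from out-of-order segments while capping what is held per stream, so a peer sending endless out-of-order data cannot exhaust RAM) is shown below as an added example. It is not code from the post, from Snort's stream4, or from Ethereal: it is a small stand-alone reassembler operating on constructed (seq, payload) tuples rather than on a capture file, and the window size, segment contents and the `reassemble` helper are all assumptions made for the illustration.

```python
"""Bounded TCP stream reassembly (added example, not from the post or Snort).

A segment that fits at the expected sequence number is appended to the
output; an out-of-order segment is parked until the gap before it is filled.
The amount of parked data is capped by ``max_window`` so an attacker who never
closes a gap cannot make the reassembler grow without bound.
"""
from dataclasses import dataclass, field


@dataclass
class StreamReassembler:
    isn: int                    # initial sequence number: first byte expected
    max_window: int = 4096      # assumed cap on parked out-of-order bytes
    next_seq: int = field(init=False)
    pending: dict = field(default_factory=dict)   # seq -> payload parked
    output: bytearray = field(default_factory=bytearray)
    dropped: int = 0            # segments discarded because the window was full

    def __post_init__(self):
        self.next_seq = self.isn

    def pending_bytes(self):
        """Bytes currently held out of order; never exceeds max_window."""
        return sum(len(p) for p in self.pending.values())

    def add_segment(self, seq, payload):
        # Trim bytes already delivered (retransmissions and overlaps).
        if seq < self.next_seq:
            overlap = self.next_seq - seq
            if overlap >= len(payload):
                return                      # wholly duplicate, nothing new
            payload = payload[overlap:]
            seq = self.next_seq
        if seq == self.next_seq:            # in order: deliver and drain
            self.output += payload
            self.next_seq += len(payload)
            self._drain()
            return
        # Out of order: refuse anything that would exceed the window, both by
        # distance from next_seq and by total parked bytes.
        if seq - self.next_seq + len(payload) > self.max_window:
            self.dropped += 1
            return
        if self.pending_bytes() + len(payload) > self.max_window:
            self.dropped += 1
            return
        if seq in self.pending and len(self.pending[seq]) >= len(payload):
            return                          # already have at least this much
        self.pending[seq] = payload

    def _drain(self):
        """Deliver parked segments that now start at or before next_seq."""
        progressed = True
        while progressed:
            progressed = False
            for seq in sorted(self.pending):
                if seq > self.next_seq:
                    break                   # still a gap before this one
                payload = self.pending.pop(seq)
                overlap = self.next_seq - seq
                if overlap < len(payload):
                    self.output += payload[overlap:]
                    self.next_seq += len(payload) - overlap
                progressed = True
                break


def reassemble(segments, isn, max_window=4096):
    """Feed (seq, payload) tuples in arrival order; return stream stats."""
    r = StreamReassembler(isn, max_window)
    for seq, payload in segments:
        r.add_segment(seq, payload)
    return bytes(r.output), r.dropped, r.pending_bytes()


if __name__ == "__main__":
    # Constructed sample: an HTTP request whose middle segment arrives last.
    segs = [(1000, b"GET /index.html"),
            (1026, b"Host: example.test\r\n\r\n"),
            (1015, b" HTTP/1.1\r\n")]
    print(reassemble(segs, 1000))
    # Constructed flood: one byte past a gap that is never filled, 100 times.
    flood = [(2001 + i, b"x") for i in range(100)]
    print(reassemble(flood, 2000, max_window=64))
```

Run it directly to see the reordered request come out whole, and the flood case deliver nothing while parking at most 64 bytes and counting the rest as dropped. A real reassembler would additionally time out a stream whose gap is never filled; this example only caps the memory per stream, which is the point the post makes about why Snort cannot hold an arbitrary amount of data.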

