Re: mysql to pcap?

[Jason <security () brvenik com>]

Dirk Geschke wrote:
> Hi Tim,
>
> > I'm viewing snort events through a third-party tool that is fetching
> > the data from the mysql database snort is logging to.  I want to be
> > able to select a particular event in the third-party tool and view it
> > in wireshark, so that I can subject the payload to wireshark's
> > protocol parsers.
>
> [...]
>
> > But someone must have done this already.  Right?  :)
>
> you can not do this with the standard database scheme, there are
> some parameters, especially the headers, missing.

What is missing? You should be able to take the binary data and wrap a
pcap header on it and all should be well.

Details please.

> I extended the database scheme to allow the storage of the missing
> parts so that you can rebuild the pcap file. All this is part of
> FLoP, maybe you should take a look at it:
>
>    http://www.geschke-online.de/FLoP/
>
> Best regards
>
> Dirk

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users