Snort mailing list archives

Re: Snort handling multiple Pcap files

From: "Asad, Hafiz ul" <Hafiz-ul.Asad () city ac uk>
Date: Thu, 12 Jan 2017 18:32:11 +0000

Thanks for this! I have two pcap files (about 600 MB each), if I analyse them one-by-one, it took snort 2.9.8.0 about 1 
mint 10 sec to process them. But if I use any option of multiple files, e.g. --pcap-list “<list>”, it takes like 
forever for snort to finish and I have to manually stop it. Any solution for this?

Asad

From: Al Lewis (allewi) [mailto:allewi () cisco com]
Sent: 06 January 2017 18:57
To: Asad, Hafiz ul <Hafiz-ul.Asad () city ac uk>; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort handling multiple Pcap files

Run snort -h

   --pcap-single <tf>              Same as -r.
   --pcap-file <file>              file that contains a list of pcaps to read - read mode is implied.
   --pcap-list "<list>"            a space separated list of pcaps to read - read mode is implied.
   --pcap-dir <dir>                a directory to recurse to look for pcaps - read mode is implied.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>

From: "Asad, Hafiz ul" <Hafiz-ul.Asad () city ac uk<mailto:Hafiz-ul.Asad () city ac uk>>
Date: Friday, January 6, 2017 at 12:53 PM
To: 'snort-users' <snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>>
Subject: [Snort-users] Snort handling multiple Pcap files

Snort Users,

Is it possible that snort could analyse multiple ‘pcap’ files. To be more specific, is it possible to have ,

Snort  -r file1.pcap file2.pcap….filen.pcap

Regards
Asad

------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today. http://sdm.link/xeonphi

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Snort handling multiple Pcap files Asad, Hafiz ul (Jan 06)
- <Possible follow-ups>
- Re: Snort handling multiple Pcap files Al Lewis (allewi) (Jan 06)
  - Re: Snort handling multiple Pcap files Asad, Hafiz ul (Jan 12)