Snort mailing list archives
Re: How does TCP connections over multiple Pcap files
From: Mark A via Snort-users <snort-users () lists snort org>
Date: Mon, 23 Jul 2018 09:08:01 +1000
Hi Albert,

No, as packets are dumped on a minute to minute basis.

Does that mean snort does not keep track of the connection states over multiple pcaps? I.e., the state of a connection must exist in the same pcap?

On Sun., 22 Jul. 2018, 02:43 Al Lewis (allewi), <allewi () cisco com> wrote:
Hello,

Have you tried combining the pcaps offline into one and then replaying that into snort?

*Albert Lewis*
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com

*From:* Snort-users <snort-users-bounces () lists snort org> on behalf of Mark A via Snort-users <snort-users () lists snort org>
*Reply-To:* Mark A <sec.marka () gmail com>
*Date:* Saturday, July 21, 2018 at 10:27 AM
*To:* "snort-users () lists snort org" <snort-users () lists snort org>
*Subject:* [Snort-users] How does TCP connections over multiple Pcap files

Hi all,

Was just wondering if snort can handle a connection that is spread over multiple PCAP files? If so, how (or any documentation that points to how it works)?

The likely example will be:

1) You have two routers (Router A and Router B) connected to the same ISP.
2) BGP has been configured so that traffic is load balanced to the ISP from the two routers.
3) Captures are running on the ISP facing interfaces on Router A and Router B and sent to a directory.
4) Snort is configured to read pcaps off a directory.

A TCP connection from your LAN to a server on the internet is made. The packets are split in a round robin fashion between Router A and Router B.

Kind Regards,
Mark A
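The offline combining step suggested in the reply above, as an added example that is not part of the original thread: it interleaves the records of several capture files by timestamp into one file, which could then be read with `snort -r` (Wireshark's `mergecap` does the same job). The function names are hypothetical, and it assumes classic little-endian microsecond pcap files that share a link type, records already time-ordered within each file, and synchronised clocks on both capture points.

```python
import heapq
import io
import struct
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
MAGIC_USEC_LE = 0xA1B2C3D4

def read_pcap(stream):
    """Yield (ts_sec, ts_usec, orig_len, data) from a classic little-endian pcap stream."""
    hdr = stream.read(GLOBAL_HDR.size)
    if len(hdr) != GLOBAL_HDR.size or GLOBAL_HDR.unpack(hdr)[0] != MAGIC_USEC_LE:
        raise ValueError("not a little-endian microsecond pcap file")
    while True:
        rec = stream.read(REC_HDR.size)
        if len(rec) < REC_HDR.size:
            return  # clean EOF, or a truncated trailing record header
        sec, usec, incl, orig = REC_HDR.unpack(rec)
        data = stream.read(incl)
        if len(data) < incl:
            return  # file was cut mid-packet (e.g. at rotation); drop the fragment
        yield sec, usec, orig, data

def merge_pcaps(streams, out, linktype=1, snaplen=65535):
    """Write all packets to `out` in timestamp order; return the packet count.
    Assumption: every input uses `linktype` (1 = Ethernet)."""
    out.write(GLOBAL_HDR.pack(MAGIC_USEC_LE, 2, 4, 0, 0, snaplen, linktype))
    count = 0
    readers = [read_pcap(s) for s in streams]
    for sec, usec, orig, data in heapq.merge(*readers, key=lambda r: r[:2]):
        out.write(REC_HDR.pack(sec, usec, len(data), orig) + data)
        count += 1
    return count

def make_pcap(packets):
    """Build a constructed in-memory pcap from (sec, usec, payload) tuples."""
    buf = io.BytesIO()
    buf.write(GLOBAL_HDR.pack(MAGIC_USEC_LE, 2, 4, 0, 0, 65535, 1))
    for sec, usec, payload in packets:
        buf.write(REC_HDR.pack(sec, usec, len(payload), len(payload)) + payload)
    buf.seek(0)
    return buf

def demo():
    # Constructed sample: one flow alternating between two capture points.
    # Payloads are placeholder labels, not real frames.
    router_a = make_pcap([(100, 0, b"SYN"), (100, 200, b"ACK"), (100, 400, b"DATA2")])
    router_b = make_pcap([(100, 100, b"SYN-ACK"), (100, 300, b"DATA1")])
    merged = io.BytesIO()
    n = merge_pcaps([router_a, router_b], merged)
    merged.seek(0)
    return n, [data for _, _, _, data in read_pcap(merged)]
```

If the two capture clocks drift, the merged order can put a segment ahead of the one it answers, so time sync on both routers matters before merging.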