[Snort-devel] Extracting packet headers from existing tcpdump/snort binary files

Lou Carosielli Lou.Carosielli at ...1099...
Fri Jan 25 11:26:06 EST 2002

Good day Mr Roesch,

I have been trying to extract packet headers in binary tcpdump format
from existing tcpdump/snort binary files that contain whole packets and
have noticed that the -P snaplength switch does not function when using
the -r switch to read a binary tcpdump file. Are there any suggestions
on how I can reduce the size of an existing tcpdump file by creating a
binary file containing only the packet headers?

I am running snort 1.8p1 on an x86 machine with Linux 2.4.2-2 (Red Hat

The original tcpdump binary files were captured by using:
        snort -A none -b -c rules_file -q -D -l log_directory1
        (where rules_file is basically only collecting TCP, UDP, and
ICMP packets)

I tried to capture only the packet headers of the existing tcpdump binary
files by using:
        snort -A none -b -c rules_file -q -P 68 -l log_directory2 -r

It appears that the -P 68 switch was ignored as an identical copy of the
existing snort file was created vice one containing only the packet

Any assistance in this matter would be greatly appreciated.

Lou Carosielli
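The header-only rewrite asked about above, as an added example that is not part of the original post or of Snort itself: a pure-Python pass over a classic (libpcap) capture file that shortens every record to a chosen snaplen, such as the 68 bytes from the -P 68 attempt, while keeping each record's original length field so readers still know the real packet size. The function names (build_pcap, truncate_pcap, record_lengths, file_snaplen) and the in-memory sample capture are my own constructions; pcapng and nanosecond-pcap files are deliberately rejected rather than handled.

```python
import struct

# Classic pcap global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
GLOBAL_HDR = "IHHiIII"          # 24 bytes
RECORD_HDR = "IIII"             # ts_sec, ts_usec, incl_len, orig_len (16 bytes)
MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}   # microsecond pcap, both byte orders

def build_pcap(packets, snaplen=65535):
    """Constructed sample input: (ts_sec, ts_usec, payload) tuples -> pcap bytes, linktype 1 (Ethernet)."""
    out = [struct.pack("<" + GLOBAL_HDR, 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)]
    for ts_sec, ts_usec, data in packets:
        out.append(struct.pack("<" + RECORD_HDR, ts_sec, ts_usec, len(data), len(data)))
        out.append(data)
    return b"".join(out)

def _endian(data):
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a classic microsecond pcap file (pcapng/nanosecond not supported)")
    return MAGICS[magic]

def truncate_pcap(data, snaplen):
    """Rewrite every record so incl_len <= snaplen; orig_len is preserved, header snaplen lowered."""
    e = _endian(data)
    fields = list(struct.unpack(e + GLOBAL_HDR, data[:24]))
    fields[5] = min(fields[5], snaplen)          # advertise the new snaplen in the global header
    out = [struct.pack(e + GLOBAL_HDR, *fields)]
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(e + RECORD_HDR, data[off:off + 16])
        off += 16
        payload = data[off:off + incl_len]
        if len(payload) < incl_len:              # file ends mid-record: refuse rather than emit garbage
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        keep = payload[:snaplen]                 # drop everything past the requested snaplen
        out.append(struct.pack(e + RECORD_HDR, ts_sec, ts_usec, len(keep), orig_len))
        out.append(keep)
    return b"".join(out)

def record_lengths(data):
    """Return [(incl_len, orig_len), ...] for every record, for checking the result."""
    e, off, lens = _endian(data), 24, []
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(e + RECORD_HDR, data[off:off + 16])
        lens.append((incl_len, orig_len))
        off += 16 + incl_len
    return lens

def file_snaplen(data):
    """Snaplen advertised in the global header."""
    return struct.unpack(_endian(data) + GLOBAL_HDR, data[:24])[5]
```

On a real file, read it with open(path, "rb"), pass the bytes to truncate_pcap(raw, 68) and write the result to a new file; the output is still a valid pcap that snort -r or tcpdump -r will read.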
