[Snort-devel] Extracting packet headers from existing tcpdump/snort binary files

Lou Carosielli Lou.Carosielli at ...1099...
Fri Jan 25 11:26:06 EST 2002


Good day Mr Roesch,

I have been trying to extract packet headers in binary tcpdump format
from existing tcpdump/snort binary files that contain whole packets and
have noticed that the -P snaplength switch does not function when using
the -r switch to read a binary tcpdump file. Are there any suggestions
on how I can reduce the size of an existing tcpdump file by creating a
binary file containing only the packet headers?

I am running snort 1.8p1 on an x86 machine with Linux 2.4.2-2 (Red Hat
7.1).

The original tcpdump binary files were captured by using:
        snort -A none -b -c rules_file -q -D -l log_directory1
        (where rules_file is basically only collecting TCP, UDP, and ICMP packets)

I tried to capture only the packet headers of the existing tcpdump binary
files by using:
        snort -A none -b -c rules_file -q -P 68 -l log_directory2 -r snort_file_name

It appears that the -P 68 switch was ignored as an identical copy of the
existing snort file was created vice one containing only the packet
headers.

Any assistance in this matter would be greatly appreciated.

--
Lou Carosielli
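The behaviour described above follows from the libpcap API: a snaplen is only an argument to pcap_open_live(), so a file opened for reading with pcap_open_offline() (what -r uses) keeps whatever length each record was written with, and the packets come out unchanged. The cut has to be made on the file itself. The script below is an added example, not part of this thread and not Snort code: it parses the libpcap file format directly (24-byte global header, then 16-byte record headers of ts_sec, ts_usec, incl_len, orig_len followed by the captured bytes), shortens each record to a new snaplen while preserving orig_len, and writes the global header back with the reduced snaplen. The two-packet sample file it builds is constructed inline so the example runs offline; function names and the 68-byte figure (the classic tcpdump default, enough for Ethernet + IPv4 + TCP headers) are this example's own choices.

```python
import struct

# libpcap file layout, both "classic" microsecond-resolution magic byte orders.
GLOBAL_HDR = "IHHiIII"   # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
PKT_HDR = "IIII"         # ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)


def _endian(magic_bytes):
    """Pick the struct byte-order prefix from the first four bytes of the file."""
    if magic_bytes == b"\xd4\xc3\xb2\xa1":
        return "<"          # little-endian writer (x86 tcpdump/snort)
    if magic_bytes == b"\xa1\xb2\xc3\xd4":
        return ">"          # big-endian writer
    raise ValueError("not a microsecond-resolution libpcap file (unsupported magic)")


def parse_pcap(data):
    """Return (endian, global header fields, records).

    Each record is (ts_sec, ts_usec, incl_len, orig_len, captured_bytes).
    A record whose declared length runs past the end of the data is rejected
    rather than silently truncated, so a damaged file is noticed."""
    e = _endian(data[:4])
    ghdr = struct.Struct(e + GLOBAL_HDR)
    phdr = struct.Struct(e + PKT_HDR)
    fields = ghdr.unpack_from(data, 0)
    records = []
    off = ghdr.size
    while off < len(data):
        if off + phdr.size > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl, orig = phdr.unpack_from(data, off)
        off += phdr.size
        if off + incl > len(data):
            raise ValueError("record at offset %d claims %d bytes past EOF" % (off, incl))
        records.append((ts_sec, ts_usec, incl, orig, data[off:off + incl]))
        off += incl
    return e, fields, records


def truncate_pcap(data, new_snaplen):
    """Rewrite a pcap byte string so no record carries more than new_snaplen bytes.

    incl_len shrinks to what is kept, orig_len is untouched (readers still see
    the real packet size), and the global snaplen is lowered to match."""
    e, fields, records = parse_pcap(data)
    ghdr = struct.Struct(e + GLOBAL_HDR)
    phdr = struct.Struct(e + PKT_HDR)
    magic, vmaj, vmin, tz, sig, snaplen, link = fields
    out = [ghdr.pack(magic, vmaj, vmin, tz, sig, min(snaplen, new_snaplen), link)]
    for ts_sec, ts_usec, incl, orig, payload in records:
        keep = payload[:new_snaplen]
        out.append(phdr.pack(ts_sec, ts_usec, len(keep), orig))
        out.append(keep)
    return b"".join(out)


def truncate_file(src, dst, new_snaplen=68):
    """File wrapper: read src, write the header-only version to dst, return (bytes in, bytes out)."""
    with open(src, "rb") as f:
        data = f.read()
    out = truncate_pcap(data, new_snaplen)
    with open(dst, "wb") as f:
        f.write(out)
    return len(data), len(out)


def build_sample_pcap(endian="<"):
    """Constructed sample (not a real capture): a 120-byte and a 40-byte frame.

    Frame contents are filler bytes; only the lengths matter for the demo.
    Linktype 1 = Ethernet, snaplen 65535 as a full-packet capture would have."""
    ghdr = struct.Struct(endian + GLOBAL_HDR)
    phdr = struct.Struct(endian + PKT_HDR)
    parts = [ghdr.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, length in enumerate((120, 40)):
        parts.append(phdr.pack(1011961566 + i, 0, length, length))
        parts.append(bytes([i]) * length)
    return b"".join(parts)


if __name__ == "__main__":
    sample = build_sample_pcap()
    smaller = truncate_pcap(sample, 68)
    _, _, recs = parse_pcap(smaller)
    print("in: %d bytes, out: %d bytes" % (len(sample), len(smaller)))
    for _, _, incl, orig, _ in recs:
        print("kept %d of %d bytes" % (incl, orig))
```

The same result on a real file is what editcap's -s option does (editcap -s 68 in.pcap out.pcap); the value of doing it by hand is seeing that orig_len must survive so that later analysis still knows the true packet sizes, and that the global snaplen field should be lowered so tools do not expect more data than is present.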
