[Snort-devel] Extracting packet headers from existing tcpdump/snort binary files
dr at ...40...
Tue Jan 29 01:09:12 EST 2002
On Fri, 25 Jan 2002 14:25:19 -0500
"Lou Carosielli" <Lou.Carosielli at ...1099...> wrote:
> Good day Mr Roesch,
> I have been trying to extract packet headers in binary tcpdump format
> from existing tcpdump/snort binary files that contain whole packets and
> have noticed that the -P snaplength switch does not function when using
> the -r switch to read a binary tcpdump file. Are there any suggestions
> on how I can reduce the size of an exiting tcpdump file by creating a
> binary file containing only the packet headers?
The world is your oyster when you can write a computer program.
You should be able to code up a small program to do this yourself.
tcpdump files have a simple format:
- a 24 byte file header
- following records/packets which all start with the length
of the packet in bytes as a 32 bit integer. The length is
the fourth 32 bit integer out of four in the 16 byte
packet header (the first two are timestamps, and the
third is the truncation/snaplen length).
A short program to read them in, fiddle with the truncation length and
truncate them upon writing them out is left as an exercise for the reader :-).
Requisite Commercial Content and Disclaimers: http://cansecwest.com
CanSecWest Network Security Training Conference - Vancouver B.C. - May 1-3 2002
OpenSnort IDS Sensors: http://www.sourcefire.com