[Snort-devel] Extracting packet headers from existing tcpdump/snort binary files

Dragos Ruiu dr at ...40...
Tue Jan 29 01:09:12 EST 2002

On Fri, 25 Jan 2002 14:25:19 -0500
"Lou Carosielli" <Lou.Carosielli at ...1099...> wrote:

> Good day Mr Roesch,
> I have been trying to extract packet headers in binary tcpdump format
> from existing tcpdump/snort binary files that contain whole packets and
> have noticed that the -P snaplength switch does not function when using
> the -r switch to read a binary tcpdump file. Are there any suggestions
> on how I can reduce the size of an exiting tcpdump file by creating a
> binary file containing only the packet headers?

The world is your oyster when you can write a computer program.
You should be able to code up a small program to do this yourself
very quickly.

tcpdump files have a simple format: 
-a 24 byte file header 
-following records/packets which all start with the length 
 of the packet in bytes as a 32 bit integer. The length is
 the fourth 32 bit integer out of four in the 16 byte 
 packet header (the first two are timestamps, and the 
 third is the truncation/snaplen length).

A short program to read them in fiddle with the truncation length and 
truncate them upon writing them out is left as an excercise for the reader :-).


Requisite Commercial Content and Disclaimers:  http://cansecwest.com
CanSecWest Network Security Training Conference - Vancouver B.C. - May 1-3 2002
OpenSnort IDS Sensors: http://www.sourcefire.com

More information about the Snort-devel mailing list