[Snort-devel] Extracting packet headers from existing tcpdump/snort binary files
Imran William Smith
iwsmith at ...1111...
Tue Jan 29 01:57:04 EST 2002
There is also the tcpsplit program (see under tcpdump
web page) which splits tcpdump files by time. Not what you
wanted, but it still takes 'big tcpdump' and produces 'small tcpdump'...
Imran William Smith
Security Products Development
Mimos Bhd, Malaysia
----- Original Message -----
From: "Dragos Ruiu" <dr at ...40...>
To: "Lou Carosielli" <Lou.Carosielli at ...1099...>
Cc: <roesch at ...1100...>; <snort-devel at lists.sourceforge.net>;
<knight-s at ...1099...>
Sent: Tuesday, January 29, 2002 9:03 AM
Subject: Re: [Snort-devel] Extracting packet headers from existing
tcpdump/snort binary files
> On Fri, 25 Jan 2002 14:25:19 -0500
> "Lou Carosielli" <Lou.Carosielli at ...1099...> wrote:
> > Good day Mr Roesch,
> > I have been trying to extract packet headers in binary tcpdump format
> > from existing tcpdump/snort binary files that contain whole packets and
> > have noticed that the -P snaplength switch does not function when using
> > the -r switch to read a binary tcpdump file. Are there any suggestions
> > on how I can reduce the size of an exiting tcpdump file by creating a
> > binary file containing only the packet headers?
> The world is your oyster when you can write a computer program.
> You should be able to code up a small program to do this yourself
> very quickly.
> tcpdump files have a simple format:
> -a 24 byte file header
> -following records/packets which all start with the length
> of the packet in bytes as a 32 bit integer. The length is
> the fourth 32 bit integer out of four in the 16 byte
> packet header (the first two are timestamps, and the
> third is the truncation/snaplen length).
> A short program to read them in, fiddle with the truncation length and
> truncate them upon writing them out is left as an exercise for the reader
> Requisite Commercial Content and Disclaimers: http://cansecwest.com
> CanSecWest Network Security Training Conference - Vancouver B.C. - May 1-3
> OpenSnort IDS Sensors: http://www.sourcefire.com
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
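The "exercise for the reader" from the quoted message, worked through as an added example (this is not code from the thread, from tcpdump or from Snort). It follows the layout Dragos describes: a 24-byte file header, then records with a 16-byte header whose third and fourth 32-bit fields are the captured length and the original wire length. The function names (pcap_byte_order, iter_records, truncate_pcap, build_pcap) and the command-line usage are my own; the sample capture the test builds is constructed, not a real trace.

```python
"""Truncate every record of a libpcap file to a new snaplen.

Added example, not tcpdump or Snort code. Relies only on the libpcap
file layout: a 24-byte file header, then records made of a 16-byte
header (ts_sec, ts_frac, incl_len, orig_len) and incl_len payload bytes.
"""
import struct
import sys

PCAP_FILE_HDR = "IHHiIII"   # magic, vmajor, vminor, thiszone, sigfigs, snaplen, linktype
PCAP_REC_HDR = "IIII"       # ts_sec, ts_frac, incl_len, orig_len

# Magic value as read little-endian from the first four bytes. 0xa1b23c4d
# is the nanosecond-timestamp variant; timestamps are copied through
# untouched, so both variants are handled the same way.
_LE_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)
_BE_MAGICS = (0xD4C3B2A1, 0x4D3CB2A1)


def pcap_byte_order(data):
    """Return the struct byte-order prefix ('<' or '>') for a pcap blob."""
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte pcap header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in _LE_MAGICS:
        return "<"
    if magic in _BE_MAGICS:
        return ">"
    raise ValueError("not a libpcap file (bad magic 0x%08x)" % magic)


def parse_file_header(data):
    """Return (byte_order, header_fields) for the 24-byte file header."""
    order = pcap_byte_order(data)
    return order, struct.unpack(order + PCAP_FILE_HDR, data[:24])


def iter_records(data):
    """Yield (ts_sec, ts_frac, incl_len, orig_len, payload) per record.

    Stops at a record whose header or payload runs past the end of the
    file, which is what a capture cut off mid-write looks like.
    """
    order = pcap_byte_order(data)
    rec_fmt = order + PCAP_REC_HDR
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(rec_fmt, data, off)
        off += 16
        if off + incl_len > len(data):
            break  # short final record: drop it rather than emit garbage
        yield ts_sec, ts_frac, incl_len, orig_len, data[off:off + incl_len]
        off += incl_len


def truncate_pcap(data, new_snaplen):
    """Return a copy of data with every record cut to at most new_snaplen bytes.

    incl_len is reduced to the bytes actually kept; orig_len is left alone
    so readers still see the original wire length. The file header's
    snaplen is lowered to match (never raised).
    """
    order, (magic, vmaj, vmin, tz, sigfigs, snaplen, linktype) = parse_file_header(data)
    hdr_fmt = order + PCAP_FILE_HDR
    rec_fmt = order + PCAP_REC_HDR
    out = [struct.pack(hdr_fmt, magic, vmaj, vmin, tz, sigfigs,
                       min(snaplen, new_snaplen), linktype)]
    for ts_sec, ts_frac, incl_len, orig_len, payload in iter_records(data):
        keep = payload[:new_snaplen]
        out.append(struct.pack(rec_fmt, ts_sec, ts_frac, len(keep), orig_len))
        out.append(keep)
    return b"".join(out)


def build_pcap(packets, snaplen=65535, linktype=1, order="<"):
    """Build a minimal pcap blob from raw frames (constructed sample input only).

    Timestamps are synthetic; linktype 1 is Ethernet.
    """
    hdr = struct.pack(order + PCAP_FILE_HDR, 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    recs = []
    for i, frame in enumerate(packets):
        recs.append(struct.pack(order + PCAP_REC_HDR, 1012345678 + i, 0, len(frame), len(frame)))
        recs.append(frame)
    return hdr + b"".join(recs)


if __name__ == "__main__":
    # usage: pcaptrunc.py in.pcap out.pcap snaplen   (hypothetical script name)
    if len(sys.argv) != 4:
        sys.exit("usage: pcaptrunc.py in.pcap out.pcap snaplen")
    with open(sys.argv[1], "rb") as f:
        blob = f.read()
    with open(sys.argv[2], "wb") as f:
        f.write(truncate_pcap(blob, int(sys.argv[3])))
```

Pick the new snaplen per link type rather than guessing: 54 bytes covers Ethernet II plus an option-free IPv4 and TCP header, while VLAN tags, IP or TCP options and IPv6 need more, which is why the traditional tcpdump default of 68 bytes is a safer choice for "headers only". The output stays a valid capture that tcpdump or snort -r will read, and orig_len is preserved so tools can still report the real packet sizes.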