[Snort-users] hi

Phil Wood cpw at ...440...
Sat Sep 28 11:39:03 EDT 2002


You don't need snort.

% tcpdump -r your_pcap_file 'tcp[13] & 0x10 = 0x10' -nqvtt | sed -e 's/ .* id / /' -e 's/).*//'

Your mileage will vary, depending on the output of your version of tcpdump.
The above works on output like this:

1033237689.373504 192.168.1.1.1024 > 10.1.1.2.22: tcp 52 (DF) [tos 0x10] (ttl 64, id 3239)

and produces a line like this:

1033237689.373504 3239

Later,

On Fri, Sep 27, 2002 at 09:30:22PM -0400, MADAMANCHI, RAJESH KUMAR wrote:
> Hi all,
> I'm new to Snort. I'd appreciate it if someone can help me with my question.
> 
> I just have some huge tcpdump binary files with me. I need the
> procedure (using Snort) to parse these binary files and get the timestamps of
> all the TCP packets with the ACK flag set.
> 
> For example, I want a text file which consists of the timestamp and the 'ID'
> value for all the packets with the ACK flag set.
> 
> Later my program is supposed to read these timestamps and process them.
> 
> Please, could someone reply to me about how to do this?
> 
> Thanks in advance
> -rajesh

-- 
Phil Wood, cpw at ...440...
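As an added example, not part of Phil's reply and not Snort or tcpdump code, here is the same selection done by hand in Python: it walks a classic pcap file, tests the TCP flags byte (the `tcp[13]` the BPF filter refers to) for the ACK bit 0x10, and emits the timestamp and IP ID columns the one-liner prints. The two-packet capture it reads is constructed inline; the function and helper names are this example's own.

```python
import struct

ACK = 0x10  # bit 4 of the TCP flags byte: what 'tcp[13] & 0x10' tests in BPF

def ack_timestamps(pcap_bytes):
    """Return [(epoch_seconds, ip_id), ...] for every IPv4/TCP packet with ACK set;
    a pure-Python reader for classic pcap files with Ethernet framing."""
    endian = "<" if pcap_bytes[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack_from(endian + "I", pcap_bytes, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", pcap_bytes, 20)[0] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures handled here")
    off, results = 24, []
    while off + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        pkt = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":  # need Ethernet + IPv4 header
            continue
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4                         # IPv4 options shift the TCP header
        ip_id = struct.unpack_from("!H", ip, 4)[0]       # the "id NNNN" tcpdump prints
        if ip[9] != 6 or len(ip) < ihl + 14:             # protocol 6 = TCP; need tcp[13]
            continue
        if ip[ihl + 13] & ACK:                           # tcp[13] is the flags byte
            results.append((f"{ts_sec}.{ts_usec:06d}", ip_id))
    return results

def _frame(ip_id, flags):
    """Constructed Ethernet/IPv4/TCP frame (192.168.1.1:1024 -> 10.1.1.2:22, DF, tos 0x10)."""
    tcp = struct.pack("!HHIIBBHHH", 1024, 22, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x10, 20 + len(tcp), ip_id, 0x4000,
                     64, 6, 0, bytes([192, 168, 1, 1]), bytes([10, 1, 1, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap():
    """Constructed two-packet capture: a SYN (id 3238) and an ACK (id 3239)."""
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts_usec, ip_id, flags in ((373000, 3238, 0x02), (373504, 3239, ACK)):
        frame = _frame(ip_id, flags)
        data += struct.pack("<IIII", 1033237689, ts_usec, len(frame), len(frame)) + frame
    return data

if __name__ == "__main__":
    for ts, ip_id in ack_timestamps(sample_pcap()):
        print(ts, ip_id)  # same two columns as the tcpdump | sed one-liner
```

To run it on a real capture, pass `open("your_pcap_file", "rb").read()` to `ack_timestamps`; the SYN in the sample is dropped because its flags byte lacks bit 0x10.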