[Snort-users] "Saving State" in Snort

Michael L. Artz dragon at ...8731...
Thu Apr 17 19:07:05 EDT 2003


Chris Green wrote:

>Finally a use for reading in off stdin
>
>(for i in *.cap.gz| do gzip -dc $i; done) | snort -r -  <args>
>

This seems to fail for me on the "breaks" between files with the error:

pcap_loop:  truncated dump file

I assume that this has to do with the little header that tcpdump adds to 
the beginning of each file, i.e. I can mergecap them and run them 
through just fine.  Is there something that I am missing beyond 'cat 
*.pcap | snort -r -'?  Would a newer libpcap solve the problem?

Snort 1.9.1, fairly stock RH8.0.

-Mike





More information about the Snort-users mailing list