[Snort-users] "Saving State" in Snort
Michael L. Artz
dragon at ...8731...
Thu Apr 17 19:07:05 EDT 2003
Chris Green wrote:
>Finally a use for reading in off stdin
>(for i in *.cap.gz; do gzip -dc "$i"; done) | snort -r - <args>
This seems to fail for me on the "breaks" between files with the error:
pcap_loop: truncated dump file
I assume that this has to do with the little header that tcpdump adds to
the beginning of each file, i.e. I can mergecap them and run them
through just fine. Is there something that I am missing beyond 'cat
*.pcap | snort -r -'? Would a newer libpcap solve the problem?
Snort 1.9.1, fairly stock RH8.0.
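
Added example, not part of the original post or of Snort: a classic libpcap savefile begins with a 24-byte global header, so plain concatenation leaves extra headers in the middle of the stream. The sketch below keeps only the first header; the function name pcap_cat_gz is hypothetical, and it assumes classic pcap files (not pcapng) with the same byte order and link type.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). pcap_cat_gz is a hypothetical helper name.
# Emits several gzip'd classic pcap files as ONE savefile stream on stdout:
# the 24-byte global header is kept from the first file and stripped from the
# rest, so the reader sees a single header followed only by packet records.
# Assumes classic pcap (not pcapng) with the same byte order and link type.

pcap_cat_gz() {
    local f hdr magic link ref_magic="" ref_link=""

    # Pass 1: validate every header before writing anything.
    for f in "$@"; do
        # First 24 bytes as 48 hex digits: magic at bytes 0-3, link type at 20-23.
        hdr=$(gzip -dc -- "$f" | head -c 24 | od -An -v -tx1 | tr -d ' \n')
        if [ "${#hdr}" -ne 48 ]; then
            echo "pcap_cat_gz: $f: shorter than a pcap global header" >&2
            return 1
        fi
        magic=${hdr:0:8}
        link=${hdr:40:8}
        case "$magic" in
            a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) ;;
            *) echo "pcap_cat_gz: $f: not a classic pcap file" >&2; return 1 ;;
        esac
        if [ -z "$ref_magic" ]; then
            ref_magic=$magic
            ref_link=$link
        elif [ "$magic" != "$ref_magic" ] || [ "$link" != "$ref_link" ]; then
            echo "pcap_cat_gz: $f: byte order or link type differs" >&2
            return 1
        fi
    done

    # Pass 2: first file whole, later files from byte 25 onward.
    local first=1
    for f in "$@"; do
        if [ "$first" -eq 1 ]; then
            gzip -dc -- "$f"
            first=0
        else
            gzip -dc -- "$f" | tail -c +25
        fi
    done
}

# Usage, with the reader invocation from the thread:
#   pcap_cat_gz *.cap.gz | snort -r - <args>
```
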