[Snort-users] multiple files off of stdin?
Michael L. Artz
dragon at ...8731...
Sat Apr 19 08:07:04 EDT 2003
Don't know if the last message got through, sorry if this is a dup ...
Anyway, is there a way to have snort process multiple files off of
cat file1.pcap file2.pcap | snort -r - <other args>
fails just before processing file2 with the error: "pcap_loop:
truncated dump file", which I assume has to do with the little header
that libpcap formatted files have at the beginning. I can mergecap the
files and run them through fine, it is only when I try and run multiple
pcap files through, in a fashion such as:
(for i in *.cap.gz; do gzip -dc "$i"; done) | snort -r - <args>
which I can't easily mergecap because of space issues. Plus, I have the
files spread across multiple DVDs and would like to have a little script
that creates a snort pipe and then pumps pcap files to it, which could
be written so that snort (and all session and reassembly information)
survives a change of dvd.
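
Added example, not part of the original post and not Snort code: libpcap expects a single 24-byte global header per stream, so when files are concatenated the second file's header is parsed as a packet record. This Python script writes the first file's header once and then only the packet records of each file, reading .gz files directly. It assumes classic libpcap captures (not pcapng) that share byte order and link type and are given in chronological order; the script name pcapcat.py is hypothetical.

```python
#!/usr/bin/env python3
"""Added example: stream several classic libpcap files as ONE capture on stdout."""
import gzip
import struct
import sys

HDR_LEN, REC_LEN = 24, 16  # global file header, per-packet record header
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # byte order by magic

def open_capture(path):
    """Open a capture file, decompressing *.gz transparently."""
    return gzip.open(path, "rb") if path.endswith(".gz") else open(path, "rb")

def read_header(fh):
    """Return (raw header, byte order, link type); raise on anything else."""
    hdr = fh.read(HDR_LEN)
    if len(hdr) != HDR_LEN or hdr[:4] not in MAGICS:
        raise ValueError("not a classic libpcap file")
    order = MAGICS[hdr[:4]]
    return hdr, order, struct.unpack(order + "I", hdr[20:24])[0]

def copy_records(fh, out, order):
    """Copy whole packet records; a record cut off at end of file is dropped."""
    copied = 0
    while len(rec := fh.read(REC_LEN)) == REC_LEN:
        caplen = struct.unpack(order + "I", rec[8:12])[0]
        data = fh.read(caplen)
        if len(data) < caplen:
            break  # a truncated last packet would desynchronise the stream
        out.write(rec + data)
        copied += 1
    return copied

def stream_merged(paths, out):
    """Emit the first file's header once, then the records of every file."""
    first, total = None, 0
    for path in paths:
        with open_capture(path) as fh:
            hdr, order, linktype = read_header(fh)
            if first is None:
                first = (order, linktype)
                out.write(hdr)  # snaplen in the stream is the first file's
            elif (order, linktype) != first:
                raise ValueError(f"{path}: byte order or link type differs")
            total += copy_records(fh, out, order)
    out.flush()
    return total

if __name__ == "__main__":
    stream_merged(sys.argv[1:], sys.stdout.buffer)
```

Run it as `python3 pcapcat.py *.cap.gz | snort -r - <args>`. Because only one header ever reaches the pipe, the reader sees a single continuous capture for as long as the writing end stays open.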