[Snort-users] "Saving State" in Snort

Chris Green cmg at ...1935...
Mon Apr 21 08:05:07 EDT 2003

"Michael L. Artz" <dragon at ...8731...> writes:

> Chris Green wrote:
>>Finally a use for reading in off stdin
>>(for i in *.cap.gz; do gzip -dc $i; done) | snort -r -  <args>
> This seems to fail for me on the "breaks" between files with the error:
> pcap_loop:  truncated dump file
> I assume that this has to do with the little header that tcpdump adds
> to the beginning of each file, i.e. I can mergecap them and run them
> through just fine.  Is there something that I am missing beyond 'cat
> *.pcap | snort -r -'?  Would a newer libpcap solve the problem?

Nah, I just saw a mailing list reply from Guy Harris over on the
tcpdump works mailing list that uses something more akin to

 (COUNTER=0; for i in *.cap.gz; do
     if [ $COUNTER -eq 0 ]; then
         gzip -dc $i                                # first file: keep its 24-byte pcap header
     else
         gzip -dc $i | dd bs=24 skip=1 2>/dev/null  # later files: drop the header
     fi
     COUNTER=$((COUNTER + 1))
 done) | snort -r -

> Snort 1.9.1, fairly stock RH8.0.
> -Mike

Chris Green <cmg at ...1935...>
Laugh and the world laughs with you, snore and you sleep alone.
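The header-stripping idea above, worked out as an added example (not code from the original post or from Guy Harris): each pcap file begins with a 24-byte global header, so only the first copy may be kept, and files whose magic number or link type differ from the first cannot be joined this way at all, so the function refuses them. It assumes classic pcap input (not pcapng), a head that accepts -c, and the made-up names pcap_raw, pcap_header_hex and pcapcat.

```shell
#!/bin/sh
# Added example: concatenate pcap files into one stream for `snort -r -`.
# Every pcap file starts with a 24-byte global header; keep only the first
# one, otherwise the reader parses the next header as a packet record and
# stops with "pcap_loop: truncated dump file".
# Assumes classic pcap (not pcapng); the function names are made up here.

# Emit a file's raw bytes, decompressing *.gz on the fly.
pcap_raw() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# The 24-byte global header as 48 hex characters.
pcap_header_hex() {
    pcap_raw "$1" | head -c 24 | od -An -tx1 | tr -d ' \n'
}

# pcapcat FILE... : one valid pcap stream on stdout, or exit status 1 when a
# file has a short header or its magic (endianness/precision) or link type
# differs from the first file's, since such a stream would also be misread.
pcapcat() {
    first_magic=""
    first_ltype=""
    for f in "$@"; do
        hdr=$(pcap_header_hex "$f")
        [ ${#hdr} -eq 48 ] || { echo "pcapcat: $f: short pcap header" >&2; return 1; }
        magic=$(printf '%s' "$hdr" | cut -c1-8)    # bytes 0..3
        ltype=$(printf '%s' "$hdr" | cut -c41-48)  # bytes 20..23: network/linktype
        if [ -z "$first_magic" ]; then
            first_magic=$magic
            first_ltype=$ltype
            pcap_raw "$f"                 # first file: its header stays
        elif [ "$magic" != "$first_magic" ] || [ "$ltype" != "$first_ltype" ]; then
            echo "pcapcat: $f: magic/linktype differ from first file" >&2
            return 1
        else
            pcap_raw "$f" | tail -c +25   # later files: drop the 24 header bytes
        fi
    done
}

# Usage, for instance: pcapcat *.cap.gz | snort -r - <args>
```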
