[Snort-users] Using snort to process a TCPDump file
mkettler at ...4108...
Mon Jan 6 16:02:05 EST 2003
Well, first, it would be impossible for snort to use redirected output from
plain-jane tcpdump > mycapture. By default most of the packet data is
missing and what's left isn't enough to be very useful to snort. However if
you use tcpdump -w to generate a raw-binary dump file, snort can process it.
If you also need tcpdump plain-text data, you can convert the
raw binary using tcpdump -r.
see man snort:

    Read the tcpdump-formatted file tcpdump-file. This
    will cause Snort to read and process the file fed
    to it. This is useful if, for instance, you've got
    a bunch of SHADOW files that you want to process
    for content, or even if you've got a bunch of
    reassembled packet fragments which have been written
    into a tcpdump formatted file.

and man tcpdump:

    Write the raw packets to file rather than parsing and printing them
    out. They can be analyzed later with the -r option. Standard output
    is used if file is `-'.
At 03:09 PM 1/6/2003 -0700, you wrote:
>I was interested in finding out if I can use snort to process a tcpdump
>log file. Specifically, I have a file that I redirected tcpdump into, and
>I just want to run it through Snort to see if any of the packets match any
>I've read through the FAQ, and a few other documents on the site... I can't
>find any reference to doing this.
>If there are better applications to do this, please let me know!
>Thank you for any advice!!
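The point of the reply above is that `tcpdump -w` writes the libpcap file format (global header plus one record per packet with the raw frame bytes), which is what `snort -r` reads, while `tcpdump > mycapture` keeps only the printed summary lines. The following is an added example, not code from the mailing-list thread or from the Snort or tcpdump projects: it serializes and parses that file format in Python so you can see what a raw capture contains, and shows that a redirected text log fails the same check. The packet bytes, timestamp and text line are constructed sample data; the MAC addresses and IPs are made up.

```python
"""Build and parse a tcpdump -w style raw capture (libpcap file format).

Added example, not from the mailing-list post. It shows why only a binary
capture written with `tcpdump -w` can be fed to `snort -r`, while text
redirected from plain tcpdump lacks the packet bytes Snort needs.
All packet bytes, addresses and timestamps below are constructed samples.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution libpcap magic number
LINKTYPE_ETHERNET = 1


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_syn(src_ip, dst_ip, sport, dport) -> bytes:
    """Constructed Ethernet/IPv4/TCP SYN frame (54 bytes) for the sample capture."""
    eth = bytes.fromhex("00112233445566778899aabb") + b"\x08\x00"  # made-up MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    total_len = 20 + len(tcp)
    src = bytes(map(int, src_ip.split(".")))
    dst = bytes(map(int, dst_ip.split(".")))
    ip_wo_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0, src, dst)
    ip = ip_wo_csum[:10] + struct.pack("!H", ip_checksum(ip_wo_csum)) + ip_wo_csum[12:]
    return eth + ip + tcp


def build_pcap(packets, snaplen=65535) -> bytes:
    """Serialize (ts_sec, ts_usec, frame) tuples the way `tcpdump -w` lays them out."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in packets:
        captured = frame[:snaplen]   # incl_len may be shorter than orig_len
        out += struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame)) + captured
    return out


def parse_pcap(data: bytes):
    """Parse a libpcap file into (linktype, [(ts_sec, ts_usec, orig_len, frame), ...]).

    Raises ValueError for anything that is not a raw capture, e.g. redirected
    tcpdump text, or for a truncated/corrupt record.
    """
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    magic, = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # same magic written on a big-endian host
        endian = ">"
    else:
        raise ValueError("no libpcap magic: not a tcpdump -w file")
    _, _major, _minor, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("truncated or corrupt packet record at offset %d" % off)
        packets.append((ts_sec, ts_usec, orig_len, data[off:off + incl_len]))
        off += incl_len
    return linktype, packets


def is_snort_readable(blob: bytes) -> bool:
    """True only for a raw capture that `snort -r` could consume."""
    try:
        parse_pcap(blob)
        return True
    except ValueError:
        return False


# Constructed sample capture: one SYN with a microsecond timestamp, as tcpdump -w writes it.
SAMPLE_FRAME = build_tcp_syn("10.0.0.5", "10.0.0.80", 40000, 80)
SAMPLE_PCAP = build_pcap([(1041886925, 123456, SAMPLE_FRAME)])

# What `tcpdump > mycapture` would have left instead: a constructed summary line, no packet bytes.
SAMPLE_TEXT = b"16:02:05.123456 10.0.0.5.40000 > 10.0.0.80.80: S 0:0(0) win 8192\n"

if __name__ == "__main__":
    linktype, pkts = parse_pcap(SAMPLE_PCAP)
    print("linktype", linktype, "packets", len(pkts), "first frame", len(pkts[0][3]), "bytes")
    print("binary capture readable:", is_snort_readable(SAMPLE_PCAP))
    print("redirected text readable:", is_snort_readable(SAMPLE_TEXT))
```

In practice the workflow the reply describes is `tcpdump -w mycapture.pcap` on the wire, then `snort -r mycapture.pcap` to run the rules over it and `tcpdump -r mycapture.pcap` whenever you want the human-readable lines back; the parser above also rejects a record whose captured length exceeds the file's snaplen, which is a cheap sanity check before handing an untrusted capture to a packet processor.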