[Snort-users] Using snort to process a TCPDump file

Matt Kettler mkettler at ...4108...
Mon Jan 6 16:02:05 EST 2003


Well, first, it would be impossible for snort to use redirected output from 
plane-jane tcpdump > mycapture. By default most of the packet data is 
missing and what's left isn't enough to be very useful to snort. However if 
you use tcpdump -w to generate a raw-binary dump file, snort can process it 
with snort. If you also need tcpdump plain-text data, you can convert the 
raw binary using tcpdump -r.


see man snort:

        -r tcpdump-file
               Read the tcpdump-formatted file tcpdump-file.  This
               will  cause  Snort to read and process the file fed
               to it.  This is useful if, for instance, you've got
               a  bunch  of  SHADOW files that you want to process
               for content, or even  if  you've  got  a  bunch  of
               reassembled  packet fragments which have been writ-
               ten into a tcpdump formatted file.

and man tcpdump:

      -w file
            Write the raw packets to file rather than parsing and printing them
            out.  They can be analyzed later with the -r option.  Standard out-
            put is used if file is `-'.

At 03:09 PM 1/6/2003 -0700, you wrote:

>Hello everyone&&
>
>I was interested in finding out if I can use snort to process a tcpdump 
>log file.  Specifically, I have a file that I redirected tcpdump into, and 
>I just want to run it through Snort to see if any of the packets match any 
>rules.
>
>I've read through the FAQ, and a few other documents on the site&..I can't 
>find any reference to doing this.
>
>If there are better applications to do this, please let me know!
>
>Thank you for any advice!!
>
>John Cherbini





More information about the Snort-users mailing list