[Snort-users] Using snort to process a TCPDump file

Bennett Todd bet at ...6163...
Tue Jan 7 08:12:10 EST 2003


2003-01-06T17:09:44 John Cherbini:
> I was interested in finding out if I can use snort to process a tcpdump
> log file.  Specifically, I have a file that I redirected tcpdump into,
> and I just want to run it through Snort to see if any of the packets
> match any rules.

"redirected" sounds like you're running tcpdump >outfile; as others
said, this won't work.

You have to use "-w" to write a raw libpcap format dumpfile.

Even that isn't enough, though; by default tcpdump grabs only the
headers of the packets, and a little bit of the bodies (to contain
higher protocol level nested headers). To run snort on the capture
file, you need to capture the full bodies. So the invocation you
need is

	tcpdump -s 0 -w outfile

If you've got some partial captures of historical data that you want
snort to look at despite the fact that the packets are truncated,
you can do that by setting up a private link, and using
<URL:http://tcpreplay.sf.net/> to replay the traffic to snort;
tcpreplay includes the ability to reconstruct packets (by either
padding out to match the length, or adjusting the length to match
the capture, then fixing checksums).

-Bennett
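As an added example, not part of Bennett's post: a small Python checker that parses the libpcap global and per-record headers of a `tcpdump -w` file and counts packets whose stored length is shorter than their length on the wire, which is exactly what a capture taken without `-s 0` looks like. The sample capture is constructed in memory; the 68-byte default snaplen and the 65535 that `-s 0` produced on tcpdump builds of that era are assumptions for the demonstration.

```python
import struct

PCAP_HEADER_LEN = 24    # magic, version, tz, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16  # ts_sec, ts_usec, incl_len, orig_len

def parse_pcap(data):
    """Parse a classic libpcap file (what tcpdump -w writes).
    Returns (snaplen, linktype, [(incl_len, orig_len), ...])."""
    if len(data) < PCAP_HEADER_LEN:
        raise ValueError("too short to be a libpcap file")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:      # written on a little-endian host
        endian = "<"
    elif magic == 0xD4C3B2A1:    # written on a big-endian host
        endian = ">"
    else:                        # e.g. the text from 'tcpdump >outfile'
        raise ValueError("not a libpcap file; capture with tcpdump -w")
    _, _, _, _, _, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:PCAP_HEADER_LEN])
    records, off = [], PCAP_HEADER_LEN
    while off + RECORD_HEADER_LEN <= len(data):
        _, _, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HEADER_LEN])
        off += RECORD_HEADER_LEN
        if off + incl_len > len(data):
            raise ValueError("record at offset %d runs past end of file" % off)
        records.append((incl_len, orig_len))
        off += incl_len
    return snaplen, linktype, records

def check_capture(data):
    """Return (snaplen, packets, truncated). Snort only sees full
    payloads when truncated == 0, i.e. the capture was taken with -s 0."""
    snaplen, _, records = parse_pcap(data)
    truncated = sum(1 for incl, orig in records if incl < orig)
    return snaplen, len(records), truncated

def build_pcap(snaplen, wire_lengths):
    """Constructed sample data, not a real capture: each packet is
    wire bytes long on the wire and stored clipped to snaplen, as
    tcpdump -s <snaplen> would store it. Assumes little-endian writer."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    body = b""
    for i, wire in enumerate(wire_lengths):
        incl = min(wire, snaplen)
        body += struct.pack("<IIII", 1041900000 + i, 0, incl, wire)
        body += b"\x00" * incl  # payload bytes are irrelevant here
    return hdr + body

if __name__ == "__main__":
    sizes = [60, 1514, 300]   # constructed wire lengths: ACK, full MTU, small
    for snap in (68, 65535):  # assumed old default vs. what -s 0 gave
        print("snaplen %5d -> %s" % (snap, check_capture(build_pcap(snap, sizes))))
```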