[Snort-users] Merging Snort capture files (take 2)

JP Vossen vossenjp at ...8683...
Sat May 3 23:31:06 EDT 2003


Oops, just sent this to the request address by accident...  Hope it doesn't
get posted twice, and sorry 'bout that.


I just had to merge a couple of Snort pcap files back together to make it
easier to search for some packets. I found a script fragment at [0], but it
had a typo (was missing $ in 'if [ $COUNTER -eq 0 ]; then') and was not quite
what I wanted. I used it as a starting point and wrote this trivial script...
I thought it might be handy to have this in the archives.  This worked for me,
but it has NOT been extensively tested. YMMV.

----- Cut Here -----
#!/bin/sh
# 2003-04-24 JP Vossen
# Merge Snort or TCPDump capture files into a single file.
# See: http://marc.theaimsgroup.com/?l=snort-users&m=105093894100422&w=2
#
# Every pcap file begins with a 24-byte global header.  The first file is
# copied whole; for each following file that header is skipped so the
# output carries exactly one global header followed by all packet records.

if [ "$1" = "-h" -o -z "$1" -o -z "$2" ]; then
    echo ''
    echo "usage: $0 {NEW file} '{files to merge-no wildcard}'"
    echo ''
    echo "	e.g.: $0 snort-all snort.log."
    echo ''
    echo 'Merge Snort or TCPDump capture files into a single file.'
    echo 'NOTE the single quotes around the second argument!!!'
    echo ''
    exit 1
fi

echo ''
echo "Merging $2 into $1..."
echo ''

# $2 is deliberately left unquoted so the pattern the caller wrapped in
# single quotes is expanded here, by this script, rather than by the
# caller's shell.
(COUNTER=0
 for i in $2; do
    if [ "$COUNTER" -eq 0 ]; then
        cat "$i"                        # first file: keep its global header
        COUNTER=1
    else
        dd if="$i" bs=24 skip=1         # later files: drop the 24-byte header
    fi
 done) > "$1"
----- Cut Here -----


Enjoy,
JP

[0] http://marc.theaimsgroup.com/?l=snort-users&m=105093894100422&w=2

------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|                jp at ...8684...
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows 98 or better, so I installed
Linux..."
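As an added illustration (not code from JP's post or from the Snort project), here is the same merge written in Python so the 24-byte global header the script's `dd bs=24 skip=1` throws away is made explicit, and so the one check the blind skip cannot do is shown: the files being concatenated must agree on magic number (byte order and timestamp resolution) and link type, and no later file may advertise a snaplen larger than the first file's, otherwise the merged header describes packets that follow it incorrectly. The header layout assumed is the standard libpcap one (magic, version major/minor, thiszone, sigfigs, snaplen, linktype, then 16-byte per-packet records); the sample captures are constructed in memory rather than read from disk.

```python
import struct

GLOBAL_HEADER_LEN = 24   # the bytes the shell script skips on every file after the first
PACKET_HEADER_LEN = 16   # ts_sec, ts_usec, incl_len, orig_len

# pcap magic numbers -> struct byte-order prefix (assumed standard libpcap values)
MAGIC = {
    b"\xd4\xc3\xb2\xa1": "<",   # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",   # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",   # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",   # big-endian, nanosecond timestamps
}


def parse_global_header(data):
    """Decode the 24-byte libpcap global header into a dict."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("file shorter than a pcap global header")
    magic = data[:4]
    endian = MAGIC.get(magic)
    if endian is None:
        raise ValueError("not a pcap file (unknown magic %r)" % magic)
    ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HEADER_LEN])
    return {"magic": magic, "endian": endian, "version": (ver_major, ver_minor),
            "snaplen": snaplen, "linktype": linktype}


def headers_compatible(first, other):
    """True when `other` can be appended after `first` without corrupting the file."""
    return (first["magic"] == other["magic"]
            and first["linktype"] == other["linktype"]
            and other["snaplen"] <= first["snaplen"])


def merge_pcaps(files):
    """Same idea as the shell script: first file whole, later files minus
    their global header, but only after confirming the headers agree."""
    first = parse_global_header(files[0])
    out = bytearray(files[0])
    for n, data in enumerate(files[1:], start=2):
        hdr = parse_global_header(data)
        if not headers_compatible(first, hdr):
            raise ValueError("file %d has an incompatible header: %r vs %r" % (n, first, hdr))
        out += data[GLOBAL_HEADER_LEN:]
    return bytes(out)


def count_packets(data):
    """Walk the packet records and count them, refusing truncated or trailing bytes."""
    hdr = parse_global_header(data)
    off, count = GLOBAL_HEADER_LEN, 0
    while off + PACKET_HEADER_LEN <= len(data):
        _, _, incl_len, _ = struct.unpack(hdr["endian"] + "IIII", data[off:off + PACKET_HEADER_LEN])
        off += PACKET_HEADER_LEN + incl_len
        if off > len(data):
            raise ValueError("truncated packet record at offset %d" % off)
        count += 1
    if off != len(data):
        raise ValueError("%d trailing bytes after last packet" % (len(data) - off))
    return count


def make_pcap(packets, linktype=1, snaplen=65535, magic=b"\xd4\xc3\xb2\xa1"):
    """Build a constructed in-memory pcap; packets is a list of (ts_sec, payload)."""
    endian = MAGIC[magic]
    out = bytearray(magic + struct.pack(endian + "HHiIII", 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, payload in packets:
        out += struct.pack(endian + "IIII", ts_sec, 0, len(payload), len(payload)) + payload
    return bytes(out)


# Constructed sample captures standing in for snort.log.* files.
CAP_A = make_pcap([(1000, b"\x00" * 14), (1001, b"\x01" * 20)])
CAP_B = make_pcap([(1002, b"\x02" * 30)])
CAP_RAW_IP = make_pcap([(1003, b"\x03" * 8)], linktype=101)   # different link type


if __name__ == "__main__":
    merged = merge_pcaps([CAP_A, CAP_B])
    print("merged packets:", count_packets(merged))
    try:
        merge_pcaps([CAP_A, CAP_RAW_IP])
    except ValueError as err:
        print("refused:", err)
```

The merged output is `len(A) + len(B) - 24` bytes long, which is exactly what the shell script produces; the difference is that mixing an Ethernet capture with a raw-IP one (or a little-endian capture with a big-endian one) is refused instead of silently producing a file that tcpdump or Snort will misparse from the first foreign record onward.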
