[Snort-users] take a .pcap file and convert to .csv file

Jason security at ...5028...
Sun Mar 6 16:29:34 EST 2005


If you are doing this offline and you want every packet to create a line, 
then you need a rule like the following as your only rule:

alert ip any any -> any any (msg:"Insane logs"; sid:3000000; rev:1;)

There are likely better tools for creating a csv file with header 
information, but it will work.

Neil wrote:
> snort users list:
> 
> I am new to snort.
> 
> I am running snort on a Windows XP box (sorry, my *nix boxes are 
> currently offline).
> 
> How do I simultaneously read a tcpdump file and output this same file to 
> csv (for Excel use)?
> 
> I can read the tcpdump file
> 
> F:\snort\bin>snort -r  file.pcap
> 
> and I have added the following to snort.conf
> 
> output alert_CSV: F:\Snort\log\alert.csv timestamp,msg,proto,src,srcport,dst,dstport
> 
> However, how do I combine both actions at once?
> 
> When I run F:\snort\bin>snort -r  file.pcap  a csv file never materializes.
> 
> I've read through several email archives, and did not quite see this 
> issue, and tried a few things from answers to other questions with no luck.
> 
> Thanks
> 
> -neil
> 
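
Added example, not part of the original thread and not Snort code: a standard-library Python sketch of the kind of separate tool the reply alludes to, reading a capture and writing one CSV line of header information per packet. It assumes a classic (non-pcapng) Ethernet capture carrying IPv4, prints epoch timestamps rather than Snort's format, has no msg column because no rule is involved, and every function name and the sample capture are constructed for illustration.

```python
import csv, io, socket, struct

FIELDS = ["timestamp", "proto", "src", "srcport", "dst", "dstport"]
PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}

def pcap_rows(data):
    """Yield one dict per IPv4-over-Ethernet packet in a classic pcap byte string."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"            # file written on a little-endian host
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    if len(data) < 24 or struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    off = 24                 # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(end + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue         # truncated frame or not IPv4 (ARP, IPv6, VLAN tag)
        ihl = (pkt[14] & 0x0F) * 4
        proto = pkt[23]
        frag_off = struct.unpack("!H", pkt[20:22])[0] & 0x1FFF
        l4 = pkt[14 + ihl:14 + ihl + 4]
        sport = dport = ""   # stays empty for ICMP, later fragments, short captures
        if proto in (6, 17) and frag_off == 0 and len(l4) == 4:
            sport, dport = struct.unpack("!HH", l4)
        yield {"timestamp": f"{sec}.{usec:06d}", "proto": PROTO.get(proto, str(proto)),
               "src": socket.inet_ntoa(pkt[26:30]), "srcport": sport,
               "dst": socket.inet_ntoa(pkt[30:34]), "dstport": dport}

def pcap_to_csv(data):
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(pcap_rows(data))
    return out.getvalue()

def sample_pcap():
    """Constructed two-packet capture: one UDP and one TCP packet, L4 cut to 8 bytes."""
    def rec(sec, usec, proto, src, dst, sport, dport):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = bytes(12) + b"\x08\x00" + ip + struct.pack("!HHHH", sport, dport, 8, 0)
        return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
            + rec(1110000000, 250000, 17, "10.0.0.5", "10.0.0.1", 53124, 53)
            + rec(1110000001, 0, 6, "10.0.0.5", "192.0.2.10", 40000, 80))
```

To use it on a real capture, pass the file's bytes (opened in binary mode) to `pcap_to_csv` and write the returned string to a .csv file.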



