[Snort-users] mysql to pcap?
security at ...5028...
Tue Sep 2 10:28:59 EDT 2008
Dirk Geschke wrote:
> Hi Tim,
>> I'm viewing snort events through a third-party tool that is fetching
>> the data from the mysql database snort is logging to. I want to be
>> able to select a particular event in the third-party tool and view it
>> in wireshark, so that I can subject the payload to wireshark's
>> protocol parsers.
>> But someone must have done this already. Right? :)
> you cannot do this with the standard database scheme; there are
> some parameters, especially the headers, missing.
What is missing? You should be able to take the binary data and wrap a
pcap header on it and all should be well.
> I extended the database scheme to allow the storage of the missing
> parts so that you can rebuild the pcap file. All this is part of
> FLoP, maybe you should take a look at it:
> Best regards
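The two positions above are closer than they look: the payload bytes can indeed be wrapped in a pcap header, but the standard schema stores the IP/TCP headers as parsed columns rather than raw bytes, so anything not in those columns (IP and TCP options in particular) has to be rebuilt or is lost. The following script is an added example written for this page, not code from FLoP, Snort or either poster. It assumes the column names of Snort's `iphdr`, `tcphdr` and `data` tables (`ip_src`, `tcp_sport`, `data_payload` and so on, check against your installed schema), assumes `data_payload` is hex text (the database plugin's default encoding), handles TCP over IPv4 only, and recomputes both checksums because the stored `ip_csum`/`tcp_csum` no longer match a header whose options are missing. The sample event at the bottom is constructed, not a real alert.

```python
"""Rebuild a Wireshark-readable pcap from the parsed header columns and the
hex payload that Snort's database output plugin stores (added example)."""
import struct
import ipaddress

LINKTYPE_RAW = 101        # pcap link type: raw IPv4/IPv6 packet, no link-layer header
PCAP_MAGIC = 0xA1B2C3D4   # classic microsecond-resolution pcap


def pcap_global_header(linktype=LINKTYPE_RAW, snaplen=65535):
    """24-byte libpcap file header, little-endian, format version 2.4."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(packet, ts=0.0):
    """16-byte per-packet record header (ts_sec, ts_usec, incl_len, orig_len) + bytes."""
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(packet), len(packet)) + packet


def inet_checksum(data):
    """RFC 1071 one's-complement sum used by the IPv4 header and TCP segment."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(iphdr, tcphdr, payload):
    """Rebuild IPv4 + TCP headers from the parsed columns and prepend them to payload.

    iphdr/tcphdr are dicts keyed by the (assumed) column names of Snort's iphdr
    and tcphdr tables. Options are not stored in that schema, so both headers
    are emitted at their 20-byte minimum with the data offset set accordingly;
    that is exactly the information the thread says the standard schema lacks.
    """
    src = struct.pack("!I", iphdr["ip_src"])   # stored as unsigned 32-bit ints
    dst = struct.pack("!I", iphdr["ip_dst"])
    total_len = 20 + 20 + len(payload)
    flags_off = ((iphdr["ip_flags"] & 0x7) << 13) | (iphdr["ip_off"] & 0x1FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, iphdr["ip_tos"], total_len,
                     iphdr["ip_id"], flags_off, iphdr["ip_ttl"], 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]   # fill ip checksum
    tcp = struct.pack("!HHIIBBHHH", tcphdr["tcp_sport"], tcphdr["tcp_dport"],
                      tcphdr["tcp_seq"], tcphdr["tcp_ack"], 5 << 4,
                      tcphdr["tcp_flags"], tcphdr["tcp_win"], 0, tcphdr["tcp_urp"])
    pseudo = src + dst + struct.pack("!BBH", 0, 6, 20 + len(payload))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp + payload)) + tcp[18:]
    return ip + tcp + payload


def checksums_ok(packet):
    """Verify the IPv4 header and TCP checksums of a rebuilt packet (both must sum to 0)."""
    ihl = (packet[0] & 0x0F) * 4
    if inet_checksum(packet[:ihl]) != 0:
        return False
    seg = packet[ihl:]
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, packet[9], len(seg))
    return inet_checksum(pseudo + seg) == 0


def snort_event_to_pcap(event):
    """Turn one joined event row (event + iphdr + tcphdr + data) into a one-packet pcap."""
    payload = bytes.fromhex(event["data_payload"])   # default plugin encoding is hex
    packet = build_ipv4_tcp(event["iphdr"], event["tcphdr"], payload)
    return pcap_global_header() + pcap_record(packet, event["timestamp"])


# Constructed sample event, shaped like a row joined from the four tables.
SAMPLE_EVENT = {
    "timestamp": 1220365739.0,
    "iphdr": {"ip_src": int(ipaddress.IPv4Address("192.0.2.10")),
              "ip_dst": int(ipaddress.IPv4Address("198.51.100.20")),
              "ip_tos": 0, "ip_id": 0x1234, "ip_flags": 2, "ip_off": 0, "ip_ttl": 64},
    "tcphdr": {"tcp_sport": 40000, "tcp_dport": 80, "tcp_seq": 1000, "tcp_ack": 2000,
               "tcp_flags": 0x18, "tcp_win": 65535, "tcp_urp": 0},
    "data_payload": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n".hex(),
}

if __name__ == "__main__":
    with open("alert.pcap", "wb") as fh:   # open this file in Wireshark
        fh.write(snort_event_to_pcap(SAMPLE_EVENT))
```

In a real integration the `SAMPLE_EVENT` dict would come from a query joining `event`, `iphdr`, `tcphdr` and `data` on `(sid, cid)`; the rest of the script is unchanged. Wireshark's dissectors run on the rebuilt packet because the headers are well-formed and the checksums verify, but any field that lived in IP or TCP options is not recoverable from this schema.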