[Snort-users] mysql to pcap?

Dirk Geschke dirk at ...10648...
Tue Sep 2 10:41:44 EDT 2008


Hi Jason,

> > you can not do this with the standard database scheme, there are
> > some parameters, especially the headers, missing.
> 
> What is missing? You should be able to take the binary data and wrap a
> pcap header on it and all should be well.
> 
> Details please.

It has been a long time since I took a look at the code. But the payload in
the database does not include the IP header, and for TCP packets
even the TCP header is missing. So this is one part which is
missing. The iphdr and tcphdr tables are incomplete: some possible
values are missing and some are not as expected. AFAIR the ip_tos
field only says whether the field is used or not, but you will not
get the value of this field.

This is the reason why FLoP extends the database and probably why
sguil is using a completely different design.

Best regards

Dirk

-- 
+----------------------------------------------------------------------+
| Dr. Dirk Geschke       / Plankensteinweg 61    / 85435 Erding        |
| Telefon: 08122-559448  / Mobil: 0176-96906350 / Fax: 08122-9818106   |
| dirk at ...10648... / dirk at ...13691...  / kontakt at ...13691... | 
+----------------------------------------------------------------------+
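To make the point of this thread concrete, here is an added example (not Snort, FLoP or sguil code, and not from either poster): it takes the bare payload as the database stores it, puts the IP and TCP headers back in front of it from the per-field values that a tool would have to read from the iphdr and tcphdr tables, recomputes both checksums, and writes a LINKTYPE_RAW pcap. The dict keys (ip_src, tcp_sport, ...) are assumed to mirror the Snort column names and the address encoding (unsigned 32-bit integers) is likewise an assumption; the sample values are constructed. The `looks_like_ipv4_tcp` check shows why "just wrap a pcap header around the payload" does not work: the stored payload on its own fails every check a pcap reader would apply to a raw IP record.

```python
"""Rebuild an IPv4/TCP packet from Snort-style header fields plus the bare
payload and write it as a pcap.  Added example for this thread, not Snort,
FLoP or sguil code.  Field names (ip_src, tcp_sport, ...) are ASSUMED to
mirror the columns of Snort's iphdr/tcphdr tables; sample values below are
constructed."""
import struct
import time

PCAP_MAGIC = 0xA1B2C3D4   # microsecond-timestamp pcap, written big-endian
LINKTYPE_RAW = 101        # each record starts directly with the IP header
IPPROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum used by IPv4 and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_header(tcp: dict, src: bytes, dst: bytes, payload: bytes) -> bytes:
    """20-byte TCP header (no options), checksum over the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH",
                      tcp["tcp_sport"], tcp["tcp_dport"],
                      tcp["tcp_seq"], tcp["tcp_ack"],
                      5 << 4,                  # data offset = 5 words
                      tcp["tcp_flags"], tcp["tcp_win"],
                      0,                       # checksum placeholder
                      tcp["tcp_urp"])
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, IPPROTO_TCP,
                         len(hdr) + len(payload))
    csum = inet_checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def build_ipv4_header(ip: dict, src: bytes, dst: bytes, total_len: int) -> bytes:
    """20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5,            # version 4, IHL 5
                      ip["ip_tos"], total_len, ip["ip_id"],
                      (ip["ip_flags"] << 13) | ip["ip_off"],
                      ip["ip_ttl"], IPPROTO_TCP,
                      0,                       # checksum placeholder
                      src, dst)
    csum = inet_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def rebuild_packet(ip: dict, tcp: dict, payload: bytes) -> bytes:
    """Put the headers the database dropped back in front of the stored payload."""
    src = struct.pack("!I", ip["ip_src"])   # assumed: addresses stored as u32
    dst = struct.pack("!I", ip["ip_dst"])
    tcp_hdr = build_tcp_header(tcp, src, dst, payload)
    ip_hdr = build_ipv4_header(ip, src, dst, 20 + len(tcp_hdr) + len(payload))
    return ip_hdr + tcp_hdr + payload


def write_pcap(packets, linktype: int = LINKTYPE_RAW) -> bytes:
    """Serialise (timestamp, packet_bytes) pairs as a complete pcap file."""
    out = bytearray(struct.pack("!IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for ts, pkt in packets:
        sec = int(ts)
        usec = int((ts - sec) * 1_000_000)
        out += struct.pack("!IIII", sec, usec, len(pkt), len(pkt))
        out += pkt
    return bytes(out)


def looks_like_ipv4_tcp(pkt: bytes) -> bool:
    """The checks a reader applies to a LINKTYPE_RAW record: version, IHL,
    total length, protocol, and both checksums verifying to zero."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or (pkt[0] & 0x0F) != 5:
        return False
    if struct.unpack("!H", pkt[2:4])[0] != len(pkt) or pkt[9] != IPPROTO_TCP:
        return False
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, IPPROTO_TCP,
                         len(pkt) - 20)
    return inet_checksum(pkt[:20]) == 0 and inet_checksum(pseudo + pkt[20:]) == 0


# Constructed sample: one alert row after joining iphdr, tcphdr and data.
SAMPLE_IP = dict(ip_src=0xC0A80105, ip_dst=0x0A000001, ip_tos=0, ip_id=0x1234,
                 ip_flags=2, ip_off=0, ip_ttl=64)
SAMPLE_TCP = dict(tcp_sport=43512, tcp_dport=80, tcp_seq=1, tcp_ack=1,
                  tcp_flags=0x18, tcp_win=65535, tcp_urp=0)
SAMPLE_PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    pkt = rebuild_packet(SAMPLE_IP, SAMPLE_TCP, SAMPLE_PAYLOAD)
    with open("rebuilt.pcap", "wb") as fh:
        fh.write(write_pcap([(time.time(), pkt)]))
    print("bare payload passes as IPv4/TCP:", looks_like_ipv4_tcp(SAMPLE_PAYLOAD))
    print("rebuilt packet passes as IPv4/TCP:", looks_like_ipv4_tcp(pkt))
```

Because the header fields are only reconstructed from whatever the schema kept, the result is a plausible packet rather than the packet the sensor saw: any field the tables do not carry (TCP options, an IP options block, the original checksum) is lost, which is exactly the gap FLoP's extended schema and sguil's design avoid.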
