[Snort-users] Problem of converting tcpdump.list (.txt) file to pcap format

Bruno Riccelli bruno at lesc.ufc.br
Tue Jun 5 09:03:31 EDT 2018


Hello Everyone,
I'm working with the DARPA dataset too. Why don't you use the pcap/tcpdump
dataset files available on the Lincoln Laboratory website
(https://www.ll.mit.edu/ideval/data/)? Then you don't need to convert
tcpdump.list into pcap files.

Best Regards.

2018-06-02 9:29 GMT-03:00 2014/2015 - Nsabimana Thierry <thierry.nsabimana at aims-cameroon.org>:

>
> Hello everyone,
>
> I have applied the DARPA dataset to my implemented IDS using soft computing
> (Genetic Algorithm and Self-Organized Feature Map) to classify and to detect
> malicious attacks. I used the tcpdump.list (.txt) file, which contains normal
> connections and abnormal connections, and everything was good.
>
> So, I have tried to apply the same file (tcpdump.list (.txt)) to Snort IDS,
> but I found that the txt file is not compatible with Snort. I googled on the
> Internet in order to find a converter which can transform the txt file to a
> pcap file, and I found two command lines:
>
> 1) text2pcap tcpdump.list tcpdump.pcap
>
> This actually returns:
>
> Input from: tcpdump.list
> Output to: tcpdump.pcap
> Output format: PCAP
> Read 113001 potential packets, wrote 0 packets.
>
> This command line is just reading but not writing.
>
> 2) od -Ax -tx1 -v tcpdump.list | text2pcap -m1460 -T1234,1234 - tcpdump.pcap
>
> This actually returns the following output:
>
> Read 113001 potential packets, wrote 113001 packets (172891316 bytes)
>
> This command line was at least good, but the problem with it is that, after
> converting to a pcap file, the tcpdump.pcap file contains the same source IP
> address, the same destination IP address, the same source port and
> destination port, and the same protocol (TCP) for all packets. Some of the
> packets are posted below:
>
> 13:03:35.000000 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 0:1460, win 8192, length 1460
> 13:03:35.000001 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 1460:2920, win 8192, length 1460
> 13:03:35.000002 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 2920:4380, win 8192, length 1460
> 13:03:35.000003 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 4380:5840, win 8192, length 1460
> 13:03:35.000004 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 5840:7300, win 8192, length 1460
> 13:03:35.000005 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 7300:8760, win 8192, length 1460
> 13:03:35.000006 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 8760:10220, win 8192, length 1460
> 13:03:35.000007 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 10220:11680, win 8192, length 1460
>
> Could you please help me to find out a good converter?
>
> Thank you.
>
> Thierry
>
> --
> PhD Student In Computer Science
> University of Abomey Calavi, IMSP
> Email: thierry.nsabimana at aims-cameroon.org
> Email: thierry.nsabimana at imsp-uac.org
> Tel: +229 61 403 104
> AIMS-CAMEROON ALUMNI
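
A quick sanity check a defender can run on a converted capture before pointing Snort at it, added here as an example that is not from the original thread or from the text2pcap project: it parses a classic libpcap file with only the Python standard library, counts packets per 5-tuple, and flags the symptom described in the quoted message, every packet sharing one fake flow. The two sample captures are constructed inline; the 10.1.1.1/10.2.2.2 addresses and port 1234 mirror the thread, while the 10.0.0.x flows are invented for contrast.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

# libpcap magic number as read little-endian -> byte order of every other header field
PCAP_MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}

def parse_pcap(data):
    """Return (linktype, [packet bytes, ...]) from a classic libpcap file."""
    endian = PCAP_MAGICS[struct.unpack("<I", data[:4])[0]]   # KeyError: not a classic pcap
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    off, pkts = 24, []
    while off + 16 <= len(data):   # record header: ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        pkts.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return linktype, pkts

def five_tuple(frame):
    """(proto, src, sport, dst, dport) of an Ethernet/IPv4 TCP or UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    if proto not in (6, 17) or len(ip) < ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return (proto, str(IPv4Address(ip[12:16])), sport, str(IPv4Address(ip[16:20])), dport)

def flow_counts(pcap_bytes):
    linktype, pkts = parse_pcap(pcap_bytes)
    return Counter(five_tuple(p) for p in pkts) if linktype == 1 else Counter()  # Ethernet only

def looks_like_wrapped_file(counts):
    """Every packet in a single flow is the hallmark of text2pcap wrapping a text file as payload."""
    return len(counts) == 1 and sum(counts.values()) > 1

def build_pcap(flows, payload_len=1460):
    """Constructed sample data: one Ethernet/IPv4/TCP frame per flow, checksums left at zero."""
    records = b""
    for i, (src, sport, dst, dport) in enumerate(flows):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, i * payload_len, 0, 5 << 4, 0, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
        frame = b"\x02" * 6 + b"\x01" * 6 + b"\x08\x00" + ip + tcp + b"A" * payload_len
        records += struct.pack("<IIII", 0, i, len(frame), len(frame)) + frame
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + records

# Constructed inputs: the thread's symptom (one fake flow for every packet) next to distinct connections
WRAPPED_TEXT = build_pcap([("10.1.1.1", 1234, "10.2.2.2", 1234)] * 8)
REAL_TRAFFIC = build_pcap([("10.0.0.1", 40001, "10.0.0.9", 80), ("10.0.0.2", 40002, "10.0.0.9", 22)], 100)
```

To check a real file, pass `open("tcpdump.pcap", "rb").read()` to `flow_counts` and then `looks_like_wrapped_file`; a genuine DARPA capture yields thousands of distinct 5-tuples, a wrapped text file yields exactly one.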