[Snort-users] Problem of converting tcpdump.list (.txt) file to pcap format

2014/2015 - Nsabimana Thierry thierry.nsabimana at aims-cameroon.org
Tue Jun 5 07:05:59 EDT 2018


Hello everyone,

I have applied the DARPA dataset on my implemented IDS using soft computing
(Genetic Algorithm and Self Organized Feature Map) to classify and to detect
malicious attacks. I used the tcpdump.list (.txt) file, which contains normal
connections and abnormal connections, and everything was good.
So, I have tried to apply the same file (tcpdump.list (.txt)) on Snort
IDS but I found that the txt file is not compatible with Snort. I googled to
find a converter which can transform a txt file to a pcap file, and I
found two command lines:

1) text2pcap tcpdump.list tcpdump.pcap

This actually returns:
Input from: tcpdump.list
Output to: tcpdump.pcap
Output format: PCAP
Read 113001 potential packets, wrote 0 packets.

This command line just reads but does not write.

2) od -Ax -tx1 -v tcpdump.list | text2pcap -m1460 -T1234,1234 - tcpdump.pcap

This actually returns the following output:
Read 113001 potential packets, wrote 113001 packets (172891316 bytes)

This command line was at least good, but the problem with it is that after
converting to a pcap file, the tcpdump.pcap file contains the same source IP
address, the same destination IP address, the same source port and
destination port, and the same protocol (TCP) for all packets. Some of the
packets are posted below:

13:03:35.000000 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 0:1460, win 8192, length 1460
13:03:35.000001 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 1460:2920, win 8192, length 1460
13:03:35.000002 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 2920:4380, win 8192, length 1460
13:03:35.000003 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 4380:5840, win 8192, length 1460
13:03:35.000004 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 5840:7300, win 8192, length 1460
13:03:35.000005 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 7300:8760, win 8192, length 1460
13:03:35.000006 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 8760:10220, win 8192, length 1460
13:03:35.000007 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 10220:11680, win 8192, length 1460



Could you please help me to find a good converter?


Thank you.

Thierry

-- 

PhD Student In Computer Science
University of Abomey Calavi, IMSP
Email: thierry.nsabimana at aims-cameroon.org
Email: thierry.nsabimana at imsp-uac.org
Tel: +229 61 403 104
AIMS-CAMEROON ALUMNI
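Editor's note on the second command above. text2pcap expects a hex dump of packet bytes, not a text listing, so piping `od -Ax -tx1` output into `text2pcap -T1234,1234 -m1460` does exactly what the posted tcpdump lines show: the raw ASCII of the list file is cut into 1460-byte chunks and each chunk is wrapped in a dummy TCP segment between text2pcap's default placeholder addresses 10.1.1.1 and 10.2.2.2 on ports 1234/1234. The list file holds one connection record per line (endpoints, ports, service, timestamps), not packet bytes, so no tool can recover the original packets from it. The converter below is an added example, not code from the original post or from the Snort project: it parses connection records and synthesizes one minimal packet per record (a TCP SYN, an empty UDP datagram, or an ICMP echo request) with the record's own addresses, ports and timestamp, and writes a standard Ethernet-linktype pcap by hand so it needs no third-party library. The column layout (id, date, start time, duration, service, source port, destination port, source IP, destination IP, attack score, attack name) and the `/u` and `/i` service suffixes for UDP and ICMP are assumptions about the DARPA 1998 list format and should be checked against the real file; the sample records are constructed.

```python
"""Synthesize a pcap from a DARPA-style connection list (tcpdump.list).

Added example, not code from the original post. The column layout below is an
ASSUMPTION about the MIT LL DARPA 1998 list format; check it against your file.
"""
import datetime
import io
import socket
import struct
import sys

# Constructed sample in the assumed layout:
# id date start_time duration service src_port dst_port src_ip dst_ip score attack_name
# Assumed convention: "/u" suffix = UDP service, "/i" suffix = ICMP, otherwise TCP.
SAMPLE_LIST = """\
1 06/01/1998 00:00:01 00:00:01 telnet 1755 23 192.168.1.30 192.168.0.20 0 -
2 06/01/1998 00:00:02 00:00:00 domain/u 53 53 192.168.1.1 192.168.0.40 0 -
3 06/01/1998 00:00:03 00:05:00 http 1234 80 172.16.112.50 192.168.0.20 1 back
4 06/01/1998 00:00:04 00:00:00 eco/i 0 0 172.16.112.50 192.168.0.20 1 ipsweep
"""
# Placeholder MAC addresses (the list file carries none) and EtherType IPv4.
ETH_HDR = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 when run over data that already holds a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_record(line: str):
    """Parse one connection record; returns None for blank or malformed lines."""
    f = line.split()
    if len(f) < 9 or not f[0].isdigit():
        return None
    when = datetime.datetime.strptime(f[1] + " " + f[2], "%m/%d/%Y %H:%M:%S")
    proto = "udp" if f[4].endswith("/u") else "icmp" if f[4].endswith("/i") else "tcp"
    return {"id": int(f[0]), "ts": when.replace(tzinfo=datetime.timezone.utc).timestamp(),
            "proto": proto, "sport": int(f[5]), "dport": int(f[6]),
            "src_ip": f[7], "dst_ip": f[8], "label": f[10] if len(f) > 10 else "-"}


def build_frame(rec: dict) -> bytes:
    """One Ethernet/IPv4 frame per record: TCP SYN, empty UDP datagram, or ICMP echo request."""
    src, dst = socket.inet_aton(rec["src_ip"]), socket.inet_aton(rec["dst_ip"])
    if rec["proto"] == "tcp":
        proto, csum_at = 6, 16  # data offset 5 words, SYN flag, window 8192
        l4 = struct.pack("!HHIIHHHH", rec["sport"], rec["dport"], 0, 0, (5 << 12) | 0x02, 8192, 0, 0)
    elif rec["proto"] == "udp":
        proto, csum_at = 17, 6
        l4 = struct.pack("!HHHH", rec["sport"], rec["dport"], 8, 0)
    else:
        proto, csum_at = 1, 2  # echo request, identifier = record id, sequence 1
        l4 = struct.pack("!BBHHH", 8, 0, 0, rec["id"] & 0xFFFF, 1)
    if proto == 1:
        csum = checksum(l4)
    else:  # TCP and UDP checksums also cover an IPv4 pseudo-header
        csum = checksum(struct.pack("!4s4sBBH", src, dst, 0, proto, len(l4)) + l4)
        if proto == 17 and csum == 0:
            csum = 0xFFFF  # a zero UDP checksum means "absent", so send all-ones instead
    l4 = l4[:csum_at] + struct.pack("!H", csum) + l4[csum_at + 2:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), rec["id"] & 0xFFFF,
                     0x4000, 64, proto, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ETH_HDR + ip + l4


def convert_list(text: str) -> bytes:
    """Return a complete pcap (magic 0xa1b2c3d4, link type 1) with one frame per record."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        frame, sec = build_frame(rec), int(rec["ts"])
        out.write(struct.pack("<IIII", sec, int((rec["ts"] - sec) * 1e6), len(frame), len(frame)))
        out.write(frame)
    return out.getvalue()


def summarize_pcap(data: bytes):
    """Walk a pcap back into (src_ip, dst_ip, ip_proto, sport, dport) tuples, verifying every checksum."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("not a little-endian Ethernet pcap")
    off, flows = 24, []
    while off < len(data):
        _sec, _usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        ip, l4 = pkt[14:34], pkt[34:]
        proto = ip[9]
        covered = l4 if proto == 1 else struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, proto, len(l4)) + l4
        if checksum(ip) != 0 or checksum(covered) != 0:
            raise ValueError("checksum mismatch before offset %d" % off)
        sport, dport = struct.unpack("!HH", l4[:4]) if proto in (6, 17) else (0, 0)
        flows.append((socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), proto, sport, dport))
    return flows


if __name__ == "__main__":  # usage: python darpa_list2pcap.py tcpdump.list tcpdump.pcap
    src_path, dst_path = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else (None, "tcpdump.pcap")
    pcap = convert_list(open(src_path).read() if src_path else SAMPLE_LIST)
    open(dst_path, "wb").write(pcap)
    for flow in summarize_pcap(pcap):
        print("%s -> %s proto=%d %d -> %d" % flow)
```

The resulting file can be checked with `tcpdump -nn -r tcpdump.pcap` (every line should now show a different endpoint pair rather than 10.1.1.1 > 10.2.2.2) and fed to Snort with `snort -r tcpdump.pcap`. Two caveats for interpreting the results: the synthesized packets carry no payload, so only rules that match on addresses, ports, protocol or flags can fire, and content-based signatures will stay silent whatever the attack label says; and the DARPA distribution also ships the original raw tcpdump captures, which Snort reads directly with `-r` and which are the right input when payload inspection is the point of the experiment.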