Hello everyone,

I have applied the DARPA dataset on my implemented IDS using soft computing (Genetic Algorithm and Self-Organizing Feature Map) to classify and to detect malicious attacks. I used the tcpdump.list (.txt) file, which contains normal connections and abnormal connections, and everything was good.

So, I have tried to apply the same file (tcpdump.list (.txt)) on Snort IDS, but I found that the txt file is not compatible with Snort. I googled the Internet in order to find a converter which can transform a txt file to a pcap file, and I found two command lines:

1) text2pcap tcpdump.list tcpdump.pcap

This actually returns:

    Input from: tcpdump.list
    Output to: tcpdump.pcap
    Output format: PCAP
    Read 113001 potential packets, wrote 0 packets.

This command line just reads but writes nothing.

2) od -Ax -tx1 -v tcpdump.list | text2pcap -m1460 -T1234,1234 - tcpdump.pcap

This actually returns the following output:

    Read 113001 potential packets, wrote 113001 packets (172891316 bytes)


This command line was at least good, but the problem with it is that, after converting to a pcap file, the tcpdump.pcap file contains the same source IP address, the same destination IP address, the same source port and destination port, and the same protocol (TCP) for all packets. Some of the packets are posted below:

13:03:35.000000 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 0:1460, win 8192, length 1460
13:03:35.000001 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 1460:2920, win 8192, length 1460
13:03:35.000002 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 2920:4380, win 8192, length 1460
13:03:35.000003 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 4380:5840, win 8192, length 1460
13:03:35.000004 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 5840:7300, win 8192, length 1460
13:03:35.000005 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 7300:8760, win 8192, length 1460
13:03:35.000006 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 8760:10220, win 8192, length 1460
13:03:35.000007 IP 10.1.1.1.1234 > 10.2.2.2.1234: Flags [none], seq 10220:11680, win 8192, length 1460


Could you please help me find a good converter?


Thank you.

Thierry

--

PhD Student In Computer Science
University of Abomey Calavi, IMSP
Tel: +229 61 403 104
AIMS-CAMEROON ALUMNI
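The output of the second command line is explained by what text2pcap expects: a hex dump of packet bytes. Piping the list through `od` turns the text of the file itself into a hex dump, so text2pcap slices it into 1460-byte chunks and wraps each one in the dummy TCP header requested by `-T1234,1234` with its default dummy addresses 10.1.1.1 and 10.2.2.2, which is why every packet carries the same 5-tuple. A connection-summary list contains no packet bytes, so no converter can recover real packets from it. What can be done is to synthesize one minimal packet per record that carries the real addresses and ports, so a capture-based tool at least sees the right endpoints (payload-matching rules still cannot fire because there is no payload). The script below is an added example, not code from the original post or from the DARPA project; the column layout in `COLUMNS` and the sample records are constructed assumptions, so adjust the columns to match your own list file.

```python
"""Synthesize a pcap with one TCP SYN per connection record.

Added example; assumes a whitespace-separated summary format with columns
  id date time duration service src_port dst_port src_ip dst_ip score name
(an assumed layout, not verified against any real list file).
"""
import socket
import struct
from datetime import datetime, timezone

# Constructed sample records, not real dataset data.
SAMPLE_LIST = """\
1 07/06/1998 08:37:43 00:00:17 telnet 1755 23 192.168.1.30 172.16.112.50 0 -
2 07/06/1998 08:38:01 00:00:02 http 2120 80 192.168.1.30 172.16.114.50 0 -
3 07/06/1998 08:40:15 00:02:10 smtp 1098 25 196.37.75.158 172.16.112.194 1 mailbomb
"""

COLUMNS = ("id", "date", "time", "duration", "service",
           "src_port", "dst_port", "src_ip", "dst_ip", "score", "name")


def parse_records(text):
    """Turn each complete line into a dict keyed by COLUMNS."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < len(COLUMNS):
            continue  # skip blank or truncated lines
        rec = dict(zip(COLUMNS, fields))
        rec["src_port"] = int(rec["src_port"])
        rec["dst_port"] = int(rec["dst_port"])
        records.append(rec)
    return records


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src_ip, dst_ip, src_port, dst_port):
    """Ethernet + IPv4 + TCP SYN frame with no payload, checksums filled in."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MAC addresses, EtherType IPv4
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # sport, dport, seq, ack, data offset 5 words, flags SYN, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                      5 << 4, 0x02, 8192, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return eth + ip + tcp


def record_timestamp(rec):
    """Seconds since the epoch from the record's date and time (treated as UTC)."""
    dt = datetime.strptime(rec["date"] + " " + rec["time"], "%m/%d/%Y %H:%M:%S")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


def records_to_pcap(records):
    """Classic little-endian pcap (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for rec in records:
        frame = build_syn(rec["src_ip"], rec["dst_ip"], rec["src_port"], rec["dst_port"])
        out.append(struct.pack("<IIII", record_timestamp(rec), 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_endpoints(pcap):
    """Walk the pcap back and return the (src_ip, dst_ip, src_port, dst_port) list."""
    pos, found = 24, []
    while pos < len(pcap):
        _, _, caplen, _ = struct.unpack_from("<IIII", pcap, pos)
        frame = pcap[pos + 16:pos + 16 + caplen]
        ip_hdr = frame[14:34]
        src_ip, dst_ip = socket.inet_ntoa(ip_hdr[12:16]), socket.inet_ntoa(ip_hdr[16:20])
        sport, dport = struct.unpack("!HH", frame[34:38])
        found.append((src_ip, dst_ip, sport, dport))
        pos += 16 + caplen
    return found


if __name__ == "__main__":
    pcap = records_to_pcap(parse_records(SAMPLE_LIST))
    with open("synthetic.pcap", "wb") as fh:
        fh.write(pcap)
    print(read_endpoints(pcap))
```

Running it writes synthetic.pcap, which `tcpdump -nr synthetic.pcap` or Snort will read with the original endpoints visible. For content-based detection, the raw tcpdump captures that accompany the dataset are needed; the summary list alone cannot supply them.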