Problem
You have a binary capture file that you want to read. For example, a file that was captured with Snort using the binary option, TCPDump, or Ethereal.
Solution
Use the -r option to read a capture file, whether from Snort, TCPDump, Ethereal, or any other program that creates a libpcap format file:
C:\Snort\bin>snort -dv -r c:\snort\log\snort.log.1085148255
Discussion
Snort can read capture files that have been saved using the libpcap format. Snort reads its own saved capture files, as well as binary capture files from sniffer programs, such as TCPDump and Ethereal. Snort reads capture files by using the -r command-line option, which puts it into playback mode. You must specify the logfile path and name as a parameter to the -r option. The following is an example of reading the binary file snort.log.1085148255:
C:\Snort\bin>snort -dv -r c:\snort\log\snort.log.1085148255
The following command reads the binary file snort.log.1085148255 and logs all traffic in ASCII format in the appropriate directories:
C:\Snort\bin>snort -r c:\snort\log\snort.log.1085148255 -l c:\snort\log
The following command reads the binary file snort.log.1085148255 and processes the traffic according to the parameters in the snort.conf file. It looks for any traffic that matches the signatures in the rules files:
C:\Snort\bin>snort -r c:\snort\log\snort.log.1085148255 -l c:\snort\log -c c:\snort\etc\snort.conf
The following command reads the binary file snort.log.1085148255 and displays only the TCP traffic to the screen:
C:\Snort\bin>snort -dv -r c:\snort\log\snort.log.1085148255 tcp
When processing capture files, Snort can be used in any of its three modes: sniffer, packet logger, and NIDS. The first example displays the logfile packets to the screen. You can also choose to log them to ASCII files or run the file through the rules engine. You can also use the command-line filters to look for certain packets as you process the logfile, such as TCP packets.
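To make the libpcap format concrete, here is an added example (not from the book and not Snort's own code) that parses the 24-byte global header and the 16-byte per-packet records that -r reads, then tallies TCP versus UDP the way the trailing tcp filter narrows the output. The capture it parses is constructed in memory; MAC and 192.0.2.x addresses and the starting timestamp (taken from the page's snort.log.1085148255 file name) are sample values.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # libpcap magic (microsecond timestamps); 0xD4C3B2A1 when byte-swapped
LINKTYPE_ETHERNET = 1

def parse_pcap(data):
    """Return (linktype, [(ts_sec, orig_len, frame_bytes), ...]) from a libpcap buffer."""
    if len(data) < 24:                       # 24-byte global header
        raise ValueError("truncated global header")
    magic = struct.unpack("<I", data[:4])[0]  # the magic also reveals the writer's byte order
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (bad magic 0x%08x)" % magic)
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]  # major, minor, zone, sigfigs, snaplen, linktype
    records, off = [], 24
    while off + 16 <= len(data):             # 16-byte per-packet record header
        ts_sec, _usec, caplen, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + caplen > len(data):
            raise ValueError("truncated packet record at offset %d" % off)
        records.append((ts_sec, orig_len, data[off:off + caplen]))
        off += caplen
    return linktype, records

def count_protocols(data):
    """Tally IPv4 TCP/UDP frames, the subset a trailing 'tcp' filter would keep."""
    linktype, records = parse_pcap(data)
    counts = {"tcp": 0, "udp": 0, "other": 0}
    for _ts, _orig, frame in records:
        is_ipv4 = linktype == LINKTYPE_ETHERNET and len(frame) >= 34 and frame[12:14] == b"\x08\x00"
        proto = frame[14 + 9] if is_ipv4 else None   # IPv4 protocol field, 9 bytes into the IP header
        counts["tcp" if proto == 6 else "udp" if proto == 17 else "other"] += 1
    return counts

def ipv4_frame(proto):
    """Constructed Ethernet+IPv4 header (zero MACs, 192.0.2.x test addresses) with the given protocol."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip

def build_pcap(frames):
    """Constructed little-endian capture; timestamps start at the epoch in the page's snort.log.1085148255."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1085148255 + i, 0, len(frame), len(frame)) + frame
    return out
```

Calling count_protocols(build_pcap([ipv4_frame(6), ipv4_frame(17), ipv4_frame(6)])) returns {'tcp': 2, 'udp': 1, 'other': 0}; a capture cut off mid-record raises ValueError rather than silently dropping packets.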
See Also
Recipe 1.17
Recipe 1.18