Reading a Saved Capture File

Problem

You have a binary capture file that you want to read. For example, a file that was captured with Snort using the binary option, TCPDump, or Ethereal.

Solution

Use the -r option to read a capture file, whether from Snort, TCPDump, Ethereal, or any other program that creates a libpcap format file:

C:Snortin>snort -dv -r c:snortlogsnort.log.1085148255

 

Discussion

Snort can read capture files that have been saved using the libpcap format. Snort reads its own saved capture files, as well as binary capture files from sniffer programs, such as TCPDump and Ethereal. Snort reads capture files by using the -r command-line option, which puts it into playback mode. You must specify the logfile path and name as a parameter to the -r option. The following is an example of reading the binary file snort.log.1085148255:

C:Snortin>snort -dv -r c:snortlogsnort.log.1085148255

The following command reads the binary file snort.log.1085148255 and logs all traffic in ASCII format in the appropriate directories:

C:Snortin>snort -r c:snortlogsnort.log.1085148255 -l 

c:snortlog

The following command reads the binary file snort.log.108514825 and processes the traffic according to the parameters in the snort.conf file. It looks for any traffic that matches the signatures in the rules files:

C:Snortin>snort -r c:snortlogsnort.log.1085148255 -l

c:snortlog -c c:snortetcsnort.conf

The following command reads the binary file snort.log.1085148255 and displays only the TCP traffic to the screen:

C:Snortin>snort -dv -r c:snortlogsnort.log.1085148255 tcp

When processing capture files, Snort can be used in any of its three modes; sniffer, packet logger, and NIDS. The first example displays the logfile packets to the screen. You can also choose to log them to ASCII files or run the file through the rules engine. You can also use the command-line filters to look for certain packets as you process the logfile, such as TCP packets.

See Also

Recipe 1.17

Recipe 1.18

Running Snort as a Linux Daemon

Installing Snort from Source on Unix

Logging to a File Quickly

How to Build Rules

Detecting Stateless Attacks and Stream Reassembly

Managing Snort Sensors

Generating Statistical Output from Snort Logs

Monitoring Network Performance

Index



Snort Cookbook
Snort Cookbook
ISBN: 0596007914
EAN: 2147483647
Year: 2006
Pages: 167

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net