Reading a Saved Capture File


You have a binary capture file that you want to read. For example, a file that was captured with Snort using the binary option, TCPDump, or Ethereal.


Use the -r option to read a capture file, whether from Snort, TCPDump, Ethereal, or any other program that creates a libpcap format file:

C:\Snort\bin>snort -dv -r c:\snort\log\snort.log.1085148255



Snort can read capture files that have been saved using the libpcap format. Snort reads its own saved capture files, as well as binary capture files from sniffer programs, such as TCPDump and Ethereal. Snort reads capture files by using the -r command-line option, which puts it into playback mode. You must specify the logfile path and name as a parameter to the -r option. The following is an example of reading the binary file snort.log.1085148255:

C:\Snort\bin>snort -dv -r c:\snort\log\snort.log.1085148255

The following command reads the binary file snort.log.1085148255 and logs all traffic in ASCII format in the appropriate directories:

C:\Snort\bin>snort -r c:\snort\log\snort.log.1085148255 -l 


The following command reads the binary file snort.log.1085148255 and processes the traffic according to the parameters in the snort.conf file. It looks for any traffic that matches the signatures in the rules files:

C:\Snort\bin>snort -r c:\snort\log\snort.log.1085148255 -l c:\snort\log -c c:\snort\etc\snort.conf

The following command reads the binary file snort.log.1085148255 and displays only the TCP traffic to the screen:

C:\Snort\bin>snort -dv -r c:\snort\log\snort.log.1085148255 tcp

When processing capture files, Snort can be used in any of its three modes: sniffer, packet logger, and NIDS. The first example displays the logfile packets to the screen. You can also choose to log them to ASCII files or run the file through the rules engine. You can also use the command-line filters to look for certain packets as you process the logfile, such as TCP packets.
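Since -r only understands libpcap format files, it helps to confirm a file really is one before handing it to Snort. The following is an added example, not code from the Snort Cookbook: it parses the libpcap global header, walks the packet records, and reports a cut-off file or a pcapng file (a different format with its own magic number). The sample capture is constructed inline; the record timestamp reuses the epoch value 1085148255 from the log filename above.

```python
import struct

# libpcap global-header magic numbers, mapped to (byte order, timestamp unit)
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", "us"),  # big-endian, microsecond timestamps
    b"\xd4\xc3\xb2\xa1": ("<", "us"),  # little-endian, microsecond timestamps
    b"\xa1\xb2\x3c\x4d": (">", "ns"),  # big-endian, nanosecond timestamps
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),  # little-endian, nanosecond timestamps
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"    # first bytes of a pcapng Section Header Block
LINKTYPE_ETHERNET = 1


def inspect_capture(data: bytes) -> dict:
    """Parse a libpcap file held in memory and summarise what snort -r would see.
    Raises ValueError for anything that is not classic libpcap format."""
    if len(data) < 24:
        raise ValueError("too short to hold a libpcap global header")
    magic = data[:4]
    if magic == PCAPNG_MAGIC:
        raise ValueError("pcapng file, not classic libpcap format")
    if magic not in PCAP_MAGICS:
        raise ValueError("unknown magic %s" % magic.hex())
    endian, ts_unit = PCAP_MAGICS[magic]
    # rest of the global header: major, minor, thiszone, sigfigs, snaplen, linktype
    major, minor, _zone, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    offset, count, truncated = 24, 0, False
    while offset + 16 <= len(data):
        # per-packet record header: ts_sec, ts_frac, incl_len, orig_len
        _sec, _frac, incl_len, _orig = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if incl_len > snaplen or offset + 16 + incl_len > len(data):
            truncated = True  # record claims more bytes than the file holds: cut mid-packet
            break
        offset += 16 + incl_len
        count += 1
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype,
            "timestamps": ts_unit, "packets": count, "truncated": truncated}


def build_sample_capture() -> bytes:
    """Constructed sample: little-endian libpcap v2.4 file holding two Ethernet frames."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    frame = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"\x00" * 20  # placeholder IP payload
    record = struct.pack("<IIII", 1085148255, 0, len(frame), len(frame)) + frame
    return header + record + record


if __name__ == "__main__":
    print(inspect_capture(build_sample_capture()))
```

Run it against a real file with `inspect_capture(open(path, "rb").read())`; a `truncated` result usually means the capture was still being written when copied.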

See Also

Recipe 1.17

Recipe 1.18

Running Snort as a Linux Daemon

Installing Snort from Source on Unix

Logging to a File Quickly

How to Build Rules

Detecting Stateless Attacks and Stream Reassembly

Managing Snort Sensors

Generating Statistical Output from Snort Logs

Monitoring Network Performance


Snort Cookbook
ISBN: 0596007914
Year: 2006