
snort-2.8.6.1-0.2mdv2010.1.i586.rpm

Reading pcaps in Snort
======================

Any of the below can be specified multiple times on the command line
(-r included) and in addition to other Snort command line options.
Note, however, that specifying --pcap-reset and --pcap-show multiple times
has the same effect as specifying them once.

Command line arguments
----------------------

-r <file>               Read a single pcap.
--pcap-single=<file>    Same as -r.  Added for completeness.
--pcap-file=<file>      File that contains a list of pcaps to read.  Each
                        line can name a single pcap or a directory to
                        recurse for pcaps.
--pcap-list="<list>"    A space separated list of pcaps to read.
--pcap-dir=<dir>        A directory to recurse to look for pcaps.  Files are
                        read in ASCII order.
--pcap-filter=<filter>  Shell style filter to apply when getting pcaps from
                        a file or directory.  The filter applies to every
                        --pcap-file or --pcap-dir arg that follows it.  Use
                        --pcap-no-filter to clear the filter for the
                        --pcap-file or --pcap-dir args that follow, or
                        specify --pcap-filter again to replace the previous
                        filter for the --pcap-file or --pcap-dir args that
                        follow.
--pcap-no-filter        Reset to use no filter when getting pcaps from file
                        or directory.
--pcap-reset            If reading multiple pcaps, reset snort to
                        post-configuration state before reading next pcap. 
                        The default, i.e. without this option, is not to 
                        reset state.
--pcap-show             Print a line saying what pcap is currently being read.


Examples
--------

Read a single pcap:

$ snort -r foo.pcap
$ snort --pcap-single=foo.pcap


Read pcaps from a file:

$ cat foo.txt
foo1.pcap
foo2.pcap
/home/foo/pcaps

$ snort --pcap-file=foo.txt

This will read foo1.pcap, foo2.pcap and all files under /home/foo/pcaps.
Note that Snort will not try to determine whether the files under that 
directory are really pcap files or not.


Read pcaps from a command line list:

$ snort --pcap-list="foo1.pcap foo2.pcap foo3.pcap"

This will read foo1.pcap, foo2.pcap and foo3.pcap.


Read pcaps under a directory:

$ snort --pcap-dir="/home/foo/pcaps"

This will include all of the files under /home/foo/pcaps.


Using filters:

$ cat foo.txt
foo1.pcap
foo2.pcap
/home/foo/pcaps

$ snort --pcap-filter="*.pcap" --pcap-file=foo.txt
$ snort --pcap-filter="*.pcap" --pcap-dir=/home/foo/pcaps

The above will only include files that match the shell pattern "*.pcap",
in other words, any file ending in ".pcap".

$ snort --pcap-filter="*.pcap" --pcap-file=foo.txt \
> --pcap-filter="*.cap" --pcap-dir=/home/foo/pcaps

In the above, the first filter "*.pcap" will only be applied to the
pcaps in the file "foo.txt" (and any directories that are recursed
from that file).  The second filter "*.cap" replaces the first and is
applied to the directory /home/foo/pcaps, so only files ending in
".cap" will be included from that directory.

$ snort --pcap-filter="*.pcap" --pcap-file=foo.txt \
> --pcap-no-filter --pcap-dir=/home/foo/pcaps

In this example, the first filter will be applied to foo.txt, then
no filter will be applied to the files found under /home/foo/pcaps,
so all files found under /home/foo/pcaps will be included. 

$ snort --pcap-filter="*.pcap" --pcap-file=foo.txt \
> --pcap-no-filter --pcap-dir=/home/foo/pcaps \
> --pcap-filter="*.cap" --pcap-dir=/home/foo/pcaps2

In this example, the first filter will be applied to foo.txt, then
no filter will be applied to the files found under /home/foo/pcaps,
so all files found under /home/foo/pcaps will be included, then the
filter "*.cap" will be applied to files found under /home/foo/pcaps2. 
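A dry-run resolver for the filter rules above, added here as an example and not part of Snort or this README: given the arguments as Snort receives them, it lists the pcaps that would be read, in order. It assumes Snort's "shell style" filter behaves like Python's fnmatch on the file's basename, applies the filter to files named directly in a --pcap-file list as the examples above describe, and uses a constructed temporary tree of empty stand-in files instead of real captures.

```python
import fnmatch
import os
import tempfile


def _under_dir(path, pattern):
    """Recurse a directory, visiting entries in ASCII (sorted) order."""
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isdir(full):
            yield from _under_dir(full, pattern)
        elif pattern is None or fnmatch.fnmatchcase(name, pattern):
            yield full

def _entry(path, pattern):
    """One --pcap-file line: a directory to recurse or a single pcap."""
    if os.path.isdir(path):
        yield from _under_dir(path, pattern)
    elif pattern is None or fnmatch.fnmatchcase(os.path.basename(path), pattern):
        yield path

def resolve(args):
    """Ordered pcaps Snort would read; args are tokens as Snort sees them."""
    pattern, pcaps = None, []   # the filter applies only to args that follow it
    for arg in args:
        opt, _, val = arg.partition("=")
        if opt == "--pcap-filter":
            pattern = val       # replaces any previous filter
        elif opt == "--pcap-no-filter":
            pattern = None
        elif opt == "--pcap-dir":
            pcaps.extend(_under_dir(val, pattern))
        elif opt == "--pcap-file":
            with open(val) as fh:
                for line in filter(None, map(str.strip, fh)):
                    pcaps.extend(_entry(line, pattern))
        elif opt == "--pcap-list":
            pcaps.extend(val.split())   # explicitly listed pcaps are not filtered
    return pcaps

def build_sample_tree():
    """Constructed layout of empty stand-in files (no real captures)."""
    root = tempfile.mkdtemp()
    for rel in ("foo1.pcap", "foo2.pcap", "pcaps/b.pcap", "pcaps/a.pcap",
                "pcaps/notes.txt", "pcaps/sub/c.cap", "pcaps2/x.cap", "pcaps2/y.pcap"):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        open(os.path.join(root, rel), "w").close()
    with open(os.path.join(root, "foo.txt"), "w") as fh:   # like the README's foo.txt
        fh.write("\n".join(os.path.join(root, p) for p in ("foo1.pcap", "foo2.pcap", "pcaps")))
    return root
```

Pass the arguments as Snort sees them after the shell has removed the quotes (e.g. --pcap-filter=*.pcap) and compare the returned list with the output of a real run using --pcap-show.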


Resetting state:

$ snort --pcap-dir=/home/foo/pcaps --pcap-reset

The above example will read all of the files under /home/foo/pcaps, but 
after each pcap is read, Snort will be reset to a post-configuration 
state, meaning all buffers will be flushed, statistics reset, etc.  For
each pcap, it will be like Snort is seeing traffic for the first time.


Printing the pcap:

$ snort --pcap-dir=/home/foo/pcaps --pcap-show

The above example will read all of the files under /home/foo/pcaps and
will print a line indicating which pcap is currently being read.