IDS mailing list archives

RE: Sniffer v.4.0 to tcpdump capture file conversion headache


From: "Carles Fragoso i Mariscal" <cfragoso () cesca es>
Date: Thu, 7 Aug 2003 13:47:00 +0200

Some people emailed me directly and gave me the right solution
to the problem I described.

It was not a matter of conversion, it was a BPF syntax problem:

  doesn't work
  [root@honey tmp]# tcpdump -nr capture.new 'host x.y.w.z'
  [root@honey tmp]#

  works!!!
  [root@honey tmp]# tcpdump -nr capture.new 'vlan and host x.y.w.z'
  ...
  HH:MM:SS.ssssss 802.1Q vlan#NNN P0 x.y.w.z.srcport > a.b.c.d.dstport:
  ...
  [root@honey tmp]#

So that brings me to the conclusion that the first sentence would
only work with 'native-vlan' packets (non-802.1q-tagged packets).

Thank you guys! ;)

-- Carlos

-----Original Message-----
From: Carles Fragoso i Mariscal [mailto:cfragoso () cesca es]
Sent: Wednesday, 06 August 2003 4:11
To: focus-ids () securityfocus com
Subject: Sniffer v.4.0 to tcpdump capture file conversion headache


Maybe someone has dealt with this matter before and could
prevent me from getting a big headache. :)

I have been given some capture files which are not libpcap
formatted:

  [root@honey tmp]# file capture.dump
  capture.dump: Sniffer capture file - version 4.0 (Ethernet)

I want to process those files with some libpcap enabled tools
such as tcpdump and snort, so I applied a file conversion using
the 'editcap' command from the ethereal package:

  [root@honey tmp]# /usr/sbin/editcap -F libpcap capture.dump capture.new
  [root@honey tmp]# file capture.new
  capture.new: tcpdump capture file (little-endian) - version 2.4 (Ethernet)

The problem is that after the conversion it seems to be a libpcap
file and I can see the whole content properly but BPF filters
DO NOT work!!!:

  [root@honey tmp]# tcpdump -nr capture.new
  ...
  HH:MM:SS.ssssss 802.1Q vlan#NNN P0 x.y.w.z.srcport > a.b.c.d.dstport:
  (..etc..)
  ...

  [root@honey tmp]# tcpdump -nr capture.new 'host x.y.w.z'
  [root@honey tmp]#

In case it could help, I should say that the content is ethernet
encapsulation with vlan tagging.

Thanks in advance folks,

-- Carlos
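To show why the bare 'host' expression in the reply above finds nothing while 'vlan and host' does, here is an added example (not part of the thread) that builds constructed 802.1Q-tagged and untagged frames and models the two filters' offset logic: plain 'host' reads the ethertype at byte 12 and expects the IP header at byte 14, whereas 'vlan' requires TPID 0x8100 there and shifts every later offset by the 4-byte tag. The frame layout, addresses and VLAN id are sample values.

```python
import socket
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q TPID
ETHERTYPE_IPV4 = 0x0800

def build_frame(src_ip, dst_ip, vlan_id=None):
    """Build a constructed sample Ethernet frame carrying a bare IPv4 header,
    with an 802.1Q tag inserted after the MAC addresses when vlan_id is given."""
    macs = bytes.fromhex("001122334455" "66778899aabb")   # dst MAC, src MAC (sample)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tag = b"" if vlan_id is None else struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    return macs + tag + struct.pack("!H", ETHERTYPE_IPV4) + ipv4

def _ipv4_hosts(frame, offset):
    """Return (src, dst) if an IPv4 ethertype sits at `offset`, else None."""
    if struct.unpack_from("!H", frame, offset)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[offset + 2:]
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])

def filter_host(frame, host):
    """Models tcpdump's plain 'host X': ethertype read at byte 12, IP header
    assumed at byte 14, so a tagged frame (0x8100 at byte 12) never matches."""
    hosts = _ipv4_hosts(frame, 12)
    return hosts is not None and host in hosts

def filter_vlan_and_host(frame, host):
    """Models 'vlan and host X': require the 802.1Q TPID at byte 12, then
    skip the 4-byte tag before reading ethertype and IP header."""
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_VLAN:
        return False
    hosts = _ipv4_hosts(frame, 16)
    return hosts is not None and host in hosts

def apply_filter(frames, filt, host):
    """Count the frames a filter would print, like `tcpdump -nr file 'expr'`."""
    return sum(1 for f in frames if filt(f, host))

if __name__ == "__main__":
    # Constructed capture: two tagged frames like the poster's, one untagged.
    capture = [build_frame("192.0.2.10", "198.51.100.5", vlan_id=200),
               build_frame("198.51.100.5", "192.0.2.10", vlan_id=200),
               build_frame("192.0.2.10", "198.51.100.5")]
    print("host:         ", apply_filter(capture, filter_host, "192.0.2.10"))           # 1
    print("vlan and host:", apply_filter(capture, filter_vlan_and_host, "192.0.2.10"))  # 2
```

Note that 'vlan and host' matches only tagged frames, so a capture mixing native-VLAN and tagged traffic needs both expressions combined with 'or' to see every packet for the host.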