Sniffer v.4.0 to tcpdump capture file conversion headache

From: Carles Fragoso i Mariscal (cfragoso_at_cesca.es)
Date: 08/06/03

  • Next message: Rishi Pande: "snort- problems"
    To: <focus-ids@securityfocus.com>
    Date: Wed, 6 Aug 2003 04:10:30 +0200

    Maybe someone has dealt with this matter before and could
    prevent me from getting a big headache. :)

    I have been given some capture files which are not libpcap
    formatted:

      [root@honey tmp]# file capture.dump
      capture.dump: Sniffer capture file - version 4.0 (Ethernet)

    I want to process those files with some libpcap enabled tools
    such as tcpdump and snort so I applied file-conversion using
    the 'editcap' command from ethereal package:

      [root@honey tmp]# /usr/sbin/editcap -F libpcap capture.dump capture.new
      [root@honey tmp]# file capture.new
      capture.new: tcpdump capture file (little-endian) - version 2.4 (Ethernet)

    The problem is that after the conversion it seems to be a libpcap
    file and I can see the whole content properly but BPF filters
    DO NOT work!!!:

      [root@honey tmp]# tcpdump -nr capture.new
      ...
      HH:MM:SS.ssssss 802.1Q vlan#NNN P0 x.y.w.z.srcport > a.b.c.d.dstport:
      (..etc..)
      ...

      [root@honey tmp]# tcpdump -nr capture.new 'host x.y.w.z'
      [root@honey tmp]#

    In case it could help, I should say that the content is Ethernet
    encapsulation with VLAN tagging.

    Thanks in advance folks,

    -- Carlos

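As an added illustration (not part of the original post or of any tool it mentions), the following Python reads the libpcap format that `editcap -F libpcap` produced and applies two "host" matchers to a constructed two-frame capture: one that assumes the IPv4 header sits right after the 14-byte Ethernet header, and one that skips an 802.1Q tag first. It shows that a filter fixed to untagged-Ethernet offsets never sees the addresses inside VLAN-tagged frames, which is the symptom described above.

```python
"""Minimal libpcap reader plus two 'host' matchers; all data is constructed inline."""
import struct

ETH_P_IP, ETH_P_8021Q = 0x0800, 0x8100

def pcap_records(data):
    """Yield raw frames from a libpcap file (magic 0xa1b2c3d4, either endianness)."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    _, vmaj, vmin, _, _, _, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    assert (vmaj, vmin, linktype) == (2, 4, 1), "expect version 2.4, DLT_EN10MB"
    off = 24
    while off < len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def ipv4_addrs(frame, vlan_aware):
    """Return (src, dst) dotted quads, or None if the frame is not seen as IPv4.
    vlan_aware=False mimics a filter that fixes the IP header at offset 14."""
    ethertype, ip_off = struct.unpack("!H", frame[12:14])[0], 14
    if vlan_aware and ethertype == ETH_P_8021Q:      # skip the 4-byte 802.1Q tag
        ethertype, ip_off = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != ETH_P_IP:
        return None
    ip = frame[ip_off:ip_off + 20]                    # fixed 20-byte IPv4 header
    return tuple(".".join(map(str, ip[i:i + 4])) for i in (12, 16))

def host_match(data, host, vlan_aware):
    """Count frames whose IPv4 src or dst equals host, like tcpdump 'host X'."""
    hits = 0
    for frame in pcap_records(data):
        addrs = ipv4_addrs(frame, vlan_aware)
        if addrs and host in addrs:
            hits += 1
    return hits

def build_sample_pcap():
    """Constructed capture: one untagged and one VLAN-100-tagged IPv4 frame."""
    ip_hdr = bytes.fromhex("4500001400010000400000000a0000010a000002")  # 10.0.0.1 -> 10.0.0.2
    macs = bytes.fromhex("aabbccddeeff112233445566")
    untagged = macs + struct.pack("!H", ETH_P_IP) + ip_hdr
    tagged = macs + struct.pack("!HHH", ETH_P_8021Q, 100, ETH_P_IP) + ip_hdr
    hdr = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)   # little-endian 2.4
    recs = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in (untagged, tagged))
    return hdr + recs

if __name__ == "__main__":
    cap = build_sample_pcap()
    print("naive host match:", host_match(cap, "10.0.0.1", False))   # 1 of 2 frames
    print("vlan-aware match:", host_match(cap, "10.0.0.1", True))    # 2 of 2 frames
```

In pcap-filter syntax the documented `vlan` keyword performs this same offset shift for the rest of the expression, so on tagged frames a filter of the form `vlan and host x.y.w.z` is the one to compare against.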

