
Sniffer v.4.0 to tcpdump capture file conversion headache

From: Carles Fragoso i Mariscal <cfragoso(at)cesca.es>
Date: Tue Aug 05 2003 - 22:10:30 EDT


Maybe someone has dealt with this matter before and could prevent me from getting a big headache. :)

I have been given some capture files which are not libpcap formatted:

[root@honey tmp]# file capture.dump

  capture.dump: Sniffer capture file - version 4.0 (Ethernet)

I want to process those files with some libpcap-enabled tools such as tcpdump and snort, so I applied a file conversion using the 'editcap' command from the ethereal package:

[root@honey tmp]# /usr/sbin/editcap -F libpcap capture.dump capture.new
[root@honey tmp]# file capture.new

  capture.new: tcpdump capture file (little-endian) - version 2.4 (Ethernet)

The problem is that after the conversion it seems to be a libpcap file and I can see the whole content properly but BPF filters DO NOT work!!!:

[root@honey tmp]# tcpdump -nr capture.new
  ...
  HH:MM:SS.ssssss 802.1Q vlan#NNN P0 x.y.w.z.srcport > a.b.c.d.dstport: (..etc..)
  ...

[root@honey tmp]# tcpdump -nr capture.new 'host x.y.w.z'
[root@honey tmp]#


In case it could help, I should say that the content is Ethernet encapsulation with VLAN tagging.

Thanks in advance folks,

- Carlos
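An added illustration (not part of Carles's message, nor code from tcpdump or ethereal) of why a plain `host` filter matches nothing on a capture made entirely of 802.1Q-tagged frames: on the Ethernet link type, tcpdump's `host` test expects the IPv4 ethertype at byte offset 12, but a tagged frame carries the 0x8100 tag there and every later field sits 4 bytes further on, which is what prefixing the expression with `vlan` (e.g. `tcpdump -nr capture.new 'vlan and host x.y.w.z'`) accounts for. The script models both matching rules over a constructed tagged frame and serialises it with the little-endian version 2.4 pcap header that `file` reported; the MAC/IP addresses and VLAN id are made-up sample values, and the matcher is simplified to IPv4 only.

```python
import struct

ETH_P_8021Q = 0x8100  # 802.1Q tag TPID
ETH_P_IP = 0x0800     # IPv4 ethertype

def build_ipv4_frame(src_ip, dst_ip, vlan_id=None):
    """Constructed sample frame: Ethernet II header, optional 802.1Q tag, minimal IPv4 header.
    MAC addresses, IPs and VLAN id are made-up values, not taken from the original capture."""
    frame = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is not None:
        frame += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)
    frame += struct.pack("!H", ETH_P_IP)
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    frame += struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0, src, dst)
    return frame

def _ip_at(frame, offset):
    return ".".join(str(b) for b in frame[offset:offset + 4])

def matches_host(frame, host):
    """Simplified model of tcpdump's 'host H' on the Ethernet link type (IPv4 only):
    ethertype at offset 12 must be 0x0800, then src/dst are read at offsets 26/30."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
        return False
    return host in (_ip_at(frame, 26), _ip_at(frame, 30))

def matches_vlan_host(frame, host):
    """Model of 'vlan and host H': offset 12 must hold the 0x8100 tag, and every
    later field is read 4 bytes further on (ethertype at 16, src/dst at 30/34)."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_P_8021Q:
        return False
    if struct.unpack_from("!H", frame, 16)[0] != ETH_P_IP:
        return False
    return host in (_ip_at(frame, 30), _ip_at(frame, 34))

def pcap_bytes(frames):
    """Serialise frames as a little-endian libpcap 2.4 file with link type 1 (Ethernet),
    i.e. the layout 'file' reported for capture.new."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1060000000 + i, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    tagged = build_ipv4_frame("10.0.0.1", "10.0.0.2", vlan_id=100)
    print("host 10.0.0.1          ->", matches_host(tagged, "10.0.0.1"))       # False
    print("vlan and host 10.0.0.1 ->", matches_vlan_host(tagged, "10.0.0.1"))  # True
    with open("vlan_sample.pcap", "wb") as fh:
        fh.write(pcap_bytes([tagged]))
```

Reading the written `vlan_sample.pcap` with tcpdump reproduces the behaviour in the message: `'host 10.0.0.1'` prints nothing, `'vlan and host 10.0.0.1'` prints the frame.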

Received on Wed Aug 6 13:35:51 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:16 EDT

