Analyzing Sniffed (Pcap) Traffic

Problem

You have some pcap traffic that you want to analyze for malicious traffic.

Solution

Use Snort's -r option to read a pcap capture file, whether it was written by Snort, TCPDump, Ethereal, or any other program that produces a libpcap-format file:

C:\Snort\bin>snort -dv -r c:\snort\log\snort.log.1085148255


Discussion

Snort can read and analyze capture files in the libpcap format. It can read its own saved capture files as well as binary capture files from sniffer programs such as TCPDump and Ethereal. The -r command-line option puts Snort into playback mode so it reads packets from a file instead of from a network interface; the path and name of the pcap file are given as the parameter to -r. The following is an example of reading the binary file pcap.08012004:

C:\Snort\bin>snort -dv -r c:\snort\log\pcap.08012004

The following command reads the binary file pcap.08012004 and logs all traffic in ASCII format in the appropriate directories:

C:\Snort\bin>snort -r c:\snort\log\pcap.08012004 -l c:\snort\log

The following command reads the binary file pcap.08012004 and processes the traffic according to the settings in the snort.conf file, so that any packet matching a signature in the rules files generates an alert:

C:\Snort\bin>snort -r c:\snort\log\pcap.08012004 -l c:\snort\log -c c:\snort\etc\snort.conf

The following command reads the binary file pcap.08012004 and displays only the TCP traffic on the screen:

C:\Snort\bin>snort -dv -r c:\snort\log\pcap.08012004 tcp

Snort can process capture files in any of its three modes: sniffer, packet logger, and NIDS. The first example displays the captured packets on the screen; the others log them to ASCII files or run them through the rules engine. You can also append a command-line BPF filter, such as tcp, to restrict processing to the packets you are interested in as the capture file is read.
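To make the file format concrete, here is an added example (not code from the Snort Cookbook or the Snort project) that builds a small classic libpcap file from constructed Ethernet frames, parses it back with the sanity checks a reader should apply (magic number, endianness, records that overrun the snaplen or the end of the file), and applies the same kind of protocol filter that the trailing tcp argument applies on the Snort command line. The frames, addresses and timestamps are constructed sample data; the file the script writes is valid input for snort -r.

```python
import struct

# Magic numbers of the classic libpcap file format (the format snort -r reads).
PCAP_MAGIC_US = 0xA1B2C3D4   # microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # nanosecond timestamps
PCAPNG_MAGIC = 0x0A0D0D0A    # pcapng section header: a different format, rejected here
LINKTYPE_ETHERNET = 1
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}


def build_pcap(frames, linktype=LINKTYPE_ETHERNET, endian="<", ts_sec=1_000_000_000):
    """Serialize link-layer frames into a classic libpcap file (returned as bytes)."""
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype.
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        # Per-record header: ts_sec, ts_usec, captured length, original length.
        out += struct.pack(endian + "IIII", ts_sec + i, 0, len(frame), len(frame))
        out += frame
    return out


def parse_pcap(data):
    """Return (linktype, [(ts_sec, ts_frac, frame), ...]); raise ValueError on malformed input."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    magic_le = struct.unpack("<I", data[:4])[0]
    magic_be = struct.unpack(">I", data[:4])[0]
    if magic_le in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian = "<"          # written by a little-endian host
    elif magic_be in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian = ">"          # written by a big-endian host
    elif magic_le == PCAPNG_MAGIC:
        raise ValueError("pcapng file, not classic libpcap")
    else:
        raise ValueError("not a libpcap file")
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        # A record longer than snaplen or running past EOF means a corrupt or truncated file.
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("bad packet record at offset %d" % (off - 16))
        records.append((ts_sec, ts_frac, data[off:off + incl_len]))
        off += incl_len
    if off != len(data):
        raise ValueError("trailing bytes after last record")
    return linktype, records


def ip_protocol(frame, linktype):
    """Return the IPv4 protocol number of an Ethernet frame, or None if it is not IPv4."""
    if linktype != LINKTYPE_ETHERNET or len(frame) < 34:
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # EtherType IPv4
        return None
    version, ihl = frame[14] >> 4, (frame[14] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(frame) < 14 + ihl:
        return None
    return frame[14 + 9]       # IPv4 header byte 9: protocol


def filter_packets(data, proto_name):
    """Keep only records of one IPv4 protocol, the effect of a 'tcp'/'udp'/'icmp' BPF filter."""
    linktype, records = parse_pcap(data)
    want = PROTO_NUMBERS[proto_name]
    return [rec for rec in records if ip_protocol(rec[2], linktype) == want]


def eth_ipv4(proto, payload):
    """Constructed Ethernet + minimal IPv4 header (checksum left zero; enough for parsing)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + payload


# Constructed sample capture: one TCP, one UDP, one ICMP and one ARP frame.
SAMPLE_FRAMES = [
    eth_ipv4(6, bytes.fromhex("0050 1f90") + bytes(16)),          # TCP: 20-byte header stub
    eth_ipv4(17, bytes.fromhex("0035 c000 0008 0000")),            # UDP header
    eth_ipv4(1, bytes.fromhex("0800 0000 0000 0000")),             # ICMP echo request
    bytes.fromhex("ffffffffffff 001122334455 0806") + bytes(28),   # ARP, not IPv4
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "sample.pcap"
    with open(path, "wb") as fh:
        fh.write(SAMPLE_PCAP)   # valid input for: snort -dv -r sample.pcap tcp
    for name in PROTO_NUMBERS:
        print("%s: %d packet(s)" % (name, len(filter_packets(SAMPLE_PCAP, name))))
```

Running the script writes sample.pcap and reports one packet for each of tcp, udp and icmp; the ARP frame is dropped by every protocol filter, just as it would be by the tcp filter in the last command above. The parser deliberately refuses pcapng input, since the classic reader would otherwise misinterpret its block structure as packet records.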

See Also

Recipe 2.14

Writing Output Plug-ins
