Snort里如何将一个tcpdump格式的二进制文件读取打印到屏幕上(图文详解)
不多说,直接上干货!
关于tcpdump二进制格式,这个基本概念不说。
支持tcpdump二进制格式的嗅探器工具,这里我说两个:tcpdump或者ethereal。
[root@datatest SecondWeek]# pwd
/root/data/DARPA1999/SecondWeek
[root@datatest SecondWeek]# ll
total
-rw-r--r--. root root Aug : inside.tcpdump
[root@datatest SecondWeek]# snort -dv -r inside.tcpdump
我这里,读取的是DARPA 1999数据集的第二周的内网inside.tcpdump二进制数据。
这里的 -r命令,我就不说啦。 就是将一个tcpdump格式的二进制文件读取打印到屏幕上的意思。
这里,我扩展下
[root@datatest SecondWeek]# snort -v
这个命令搭配的意思是,使得snort只输出IP、TCP、UDP和ICMP的包头信息。
[root@datatest SecondWeek]# snort -v -r inside.tcpdump
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::46.461764 207.25.71.141: -> 172.16.112.194:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen:
***A**S* Seq: 0x328B83B0 Ack: 0x48DA2A1F Win: 0x7FE0 TcpLen:
TCP Options () => MSS:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::46.461920 172.16.112.194: -> 207.25.71.141:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***A**** Seq: 0x48DA2A1F Ack: 0x328B83B1 Win: 0x7D78 TcpLen: *** Caught Int-Signal
WARNING: No preprocessors configured for policy .
/-::46.869826 172.16.112.194: -> 207.25.71.141:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***A**** Seq: 0x6F2E7AF7 Ack: 0xB057C6D7 Win: 0x7D78 TcpLen:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ ===============================================================================
Run time for packet processing was 0.228905 seconds
Snort processed packets.
Snort ran for days hours minutes seconds
Pkts/sec:
===============================================================================
Memory usage summary:
Total non-mmapped bytes (arena):
Bytes in mapped regions (hblkhd):
Total allocated space (uordblks):
Total free space (fordblks):
Topmost releasable block (keepcost):
===============================================================================
Packet I/O Totals:
Received:
Analyzed: (100.000%)
Dropped: ( 0.000%)
Filtered: ( 0.000%)
Outstanding: ( 0.000%)
Injected:
===============================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: (100.000%)
VLAN: ( 0.000%)
IP4: ( 97.319%)
Frag: ( 0.000%)
ICMP: ( 0.000%)
UDP: ( 10.590%)
TCP: ( 86.729%)
IP6: ( 0.000%)
IP6 Ext: ( 0.000%)
IP6 Opts: ( 0.000%)
Frag6: ( 0.000%)
ICMP6: ( 0.000%)
UDP6: ( 0.000%)
TCP6: ( 0.000%)
Teredo: ( 0.000%)
ICMP-IP: ( 0.000%)
IP4/IP4: ( 0.000%)
IP4/IP6: ( 0.000%)
IP6/IP4: ( 0.000%)
IP6/IP6: ( 0.000%)
GRE: ( 0.000%)
GRE Eth: ( 0.000%)
IP6/IP4: ( 0.000%)
IP6/IP6: ( 0.000%)
GRE: ( 0.000%)
GRE Eth: ( 0.000%)
GRE VLAN: ( 0.000%)
GRE IP4: ( 0.000%)
GRE IP6: ( 0.000%)
GRE IP6 Ext: ( 0.000%)
GRE PPTP: ( 0.000%)
GRE ARP: ( 0.000%)
GRE IPX: ( 0.000%)
GRE Loop: ( 0.000%)
MPLS: ( 0.000%)
ARP: ( 1.072%)
IPX: ( 0.000%)
Eth Loop: ( 1.340%)
Eth Disc: ( 0.000%)
IP4 Disc: ( 0.000%)
IP6 Disc: ( 0.000%)
TCP Disc: ( 0.000%)
UDP Disc: ( 0.000%)
ICMP Disc: ( 0.000%)
All Discard: ( 0.000%)
Other: ( 0.268%)
Bad Chk Sum: ( 0.000%)
Bad TTL: ( 0.000%)
S5 G : ( 0.000%)
S5 G : ( 0.000%)
Total:
===============================================================================
Snort exiting
[root@datatest SecondWeek]# snort -d
这个命令搭配的意思是,使得snort只包的数据信息。
[root@datatest SecondWeek]# snort -d -r inside.tcpdump
得到
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::58.188692 206.48.44.18: -> 172.16.112.100:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***A**** Seq: 0x17AD29 Ack: 0x17AE81 Win: 0x2238 TcpLen: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::58.203130 172.16.112.100: -> 206.48.44.18:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***AP*** Seq: 0x17AE81 Ack: 0x17AD29 Win: 0x2238 TcpLen:
6D 4D 6F 6F hume Microso
ft FTP Service (
6F 6E 2E 2E 0D 0A Version 2.0)...
===============================================================================
Run time for packet processing was 0.232618 seconds
Snort processed packets.
Snort ran for days hours minutes seconds
Pkts/sec:
===============================================================================
Memory usage summary:
Total non-mmapped bytes (arena):
Bytes in mapped regions (hblkhd):
Total allocated space (uordblks):
Total free space (fordblks):
Topmost releasable block (keepcost):
===============================================================================
Packet I/O Totals:
Received:
Analyzed: (100.000%)
Dropped: ( 0.000%)
Filtered: ( 0.000%)
Outstanding: ( 0.000%)
Injected:
===============================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: (100.000%)
VLAN: ( 0.000%)
IP4: ( 95.276%)
Frag: ( 0.000%)
ICMP: ( 0.000%)
UDP: ( 16.535%)
TCP: ( 78.740%)
IP6: ( 0.000%)
IP6 Ext: ( 0.000%)
IP6 Opts: ( 0.000%)
Frag6: ( 0.000%)
ICMP6: ( 0.000%)
UDP6: ( 0.000%)
TCP6: ( 0.000%)
Teredo: ( 0.000%)
ICMP-IP: ( 0.000%)
IP4/IP4: ( 0.000%)
IP4/IP6: ( 0.000%)
IP6/IP4: ( 0.000%)
IP6/IP6: ( 0.000%)
GRE: ( 0.000%)
GRE Eth: ( 0.000%)
GRE VLAN: ( 0.000%)
GRE IP4: ( 0.000%)
GRE IP6: ( 0.000%)
GRE IP6 Ext: ( 0.000%)
GRE PPTP: ( 0.000%)
GRE ARP: ( 0.000%)
GRE IPX: ( 0.000%)
GRE Loop: ( 0.000%)
MPLS: ( 0.000%)
ARP: ( 2.362%)
IPX: ( 0.000%)
Eth Loop: ( 1.969%)
Eth Disc: ( 0.000%)
IP4 Disc: ( 0.000%)
IP6 Disc: ( 0.000%)
TCP Disc: ( 0.000%)
UDP Disc: ( 0.000%)
ICMP Disc: ( 0.000%)
All Discard: ( 0.000%)
Other: ( 0.394%)
Bad Chk Sum: ( 0.000%)
Bad TTL: ( 0.000%)
S5 G : ( 0.000%)
S5 G : ( 0.000%)
Total:
===============================================================================
Snort exiting
[root@datatest SecondWeek]#
[root@datatest SecondWeek]# snort -dv
这个命令搭配的意思是,使得snort在输出IP、TCP、UDP和ICMP的包头信息的通俗,还显示包的数据信息。
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::42.867811 195.73.151.50: -> 172.16.114.168:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***AP*** Seq: 0xE888C943 Ack: 0x9A021B4D Win: 0x7D78 TcpLen:
4D 4C 6F 6D 3A 3C MAIL From:<avrap
6C 6D 2E 6F 6E 2E @lambda.orange.c
6F 6D 3E 0D 0A om>.. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::42.868044 172.16.114.168: -> 195.73.151.50:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***AP*** Seq: 0x9A021B4D Ack: 0xE888C968 Win: 0x7FE0 TcpLen:
3C 6C 6D <avrap@lambd
2E 6F 6E 2E 6F 6D 3E 2E 2E 2E a.orange.com>...
6E 4F 6B 0D 0A Sender Ok.. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ *** Caught Int-Signal
WARNING: No preprocessors configured for policy .
/-::42.875769 195.73.151.50: -> 172.16.114.168:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***A**** Seq: 0xE888CD92 Ack: 0x9A021BCE Win: 0x7D78 TcpLen:
6F 6E 2C 3A 0D 0A of gain, we:..
6F 6C 6C 6F could also
6F 4E uses The of Net
6F 6B 6E 6C 6E work neural netw
6F 6B 0D 0A orks a..
6F 6E Cascade routines
6C 6C year available
6E via price and Th
0D 0A e bug.. i
6C 6E 6F s a lecture note
2E 0D 0A 0D 0A s. .... W
6E 6F 6F 6E 6F hen he to do not
6E 6F 6E have anyone wit
6F 6D 6F 6F 2C h tomorrow, but
0D 0A 6C the.. eli
2C 6B te, But I I kept
6D 6E The remainder a
6F 6E re to train trac
6B 0D 0A ks by.. t
6C 3B 6F 6E itle; on high te
6D 6C 6D mperature limit
6E 6F The depends of T
0D 0A 6E he.. next
2E 6C 2E 4A 2E . Telex. Jr.
4C 6F 6E 6F 6E 6C 6E London plays And
6C 3A 6C 0D re Tel: a while.
0A 6C 6C . still i
6E 2C 6F 6F 6F 6D n a, good automa
6C 6C 6F tically which do
6D 6C 6E 0D 0A their mailing..
6C File If
6F 6E 6F 6E 6B The ones don't k
6E 6F 6E 6F 6F now Introductory
6F 6F 0D 0A course of..
6F 6F proofs I had
2E a prefix the.
6C I believe the va
6C 6F 6D 0D 0A lue From..
6F 6F 6F host host port
6F 6C 6F 6C to global each
6B 6F 6E Speaker recognit
6F 6E 0D 0A ion.. spe
===============================================================================
Run time for packet processing was 0.521737 seconds
Snort processed packets.
Snort ran for days hours minutes seconds
Pkts/sec:
===============================================================================
Memory usage summary:
Total non-mmapped bytes (arena):
Bytes in mapped regions (hblkhd):
Total allocated space (uordblks):
Total free space (fordblks):
Topmost releasable block (keepcost):
===============================================================================
Packet I/O Totals:
Received:
Analyzed: (100.000%)
Dropped: ( 0.000%)
Filtered: ( 0.000%)
Outstanding: ( 0.000%)
Injected:
===============================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: (100.000%)
VLAN: ( 0.000%)
IP4: ( 94.169%)
Frag: ( 0.000%)
ICMP: ( 0.000%)
UDP: ( 21.283%)
TCP: ( 72.886%)
IP6: ( 0.000%)
IP6 Ext: ( 0.000%)
IP4/IP6: ( 0.000%)
IP6/IP4: ( 0.000%)
IP6/IP6: ( 0.000%)
GRE: ( 0.000%)
GRE Eth: ( 0.000%)
GRE VLAN: ( 0.000%)
GRE IP4: ( 0.000%)
GRE IP6: ( 0.000%)
GRE IP6 Ext: ( 0.000%)
GRE PPTP: ( 0.000%)
GRE ARP: ( 0.000%)
GRE IPX: ( 0.000%)
GRE Loop: ( 0.000%)
MPLS: ( 0.000%)
ARP: ( 2.332%)
IPX: ( 0.000%)
Eth Loop: ( 2.915%)
Eth Disc: ( 0.000%)
IP4 Disc: ( 0.000%)
IP6 Disc: ( 0.000%)
TCP Disc: ( 0.000%)
UDP Disc: ( 0.000%)
ICMP Disc: ( 0.000%)
All Discard: ( 0.000%)
Other: ( 0.583%)
Bad Chk Sum: ( 0.000%)
Bad TTL: ( 0.000%)
S5 G : ( 0.000%)
S5 G : ( 0.000%)
Total:
===============================================================================
Snort exiting
[root@datatest SecondWeek]#
进一步,见
Snort里如何将一个tcpdump格式的二进制文件读取打印到屏幕上(图文详解)的更多相关文章
- 【适合公司业务】全网最详细的IDEA里如何正确新建【普通或者Maven】的Java web项目并发布到Tomcat上运行成功【博主强烈推荐】(类似eclipse里同一个workspace下【多个子项目】并存)(图文详解)
不多说,直接上干货! 首先,大家要明确,IDEA.Eclipse和MyEclipse等编辑器之间的新建和运行手法是不一样的. 如果是在Myeclipse里,则是File -> new -> ...
- 全网最详细的Windows系统里Oracle 11g R2 Database(64bit)的完全卸载(图文详解)
不多说,直接上干货! 前期博客 全网最详细的Windows系统里Oracle 11g R2 Database(64bit)的下载与安装(图文详解) 若你不想用了,则可安全卸载. 完全卸载Oracle ...
- Scala IDEA for Eclipse里用maven来创建scala和java项目代码环境(图文详解)
这篇博客 是在Scala IDEA for Eclipse里手动创建scala代码编写环境. Scala IDE for Eclipse的下载.安装和WordCount的初步使用(本地模式和集群模式) ...
- 给ambari集群里的kafka安装基于web的kafka管理工具Kafka-manager(图文详解)
不多说,直接上干货! 参考博客 基于Web的Kafka管理器工具之Kafka-manager的编译部署详细安装 (支持kafka0.8.0.9和0.10以后版本)(图文详解)(默认端口或任意自定义端口 ...
- 全网最详细的Windows里Git client客户端管理工具SourceTree的下载与安装(图文详解)
不多说,直接上干货! 很多人用Git命令行不熟练,那么可以尝试使用SourceTree进行操作. 安装之前的必备 (1)Git的安装 Git学习系列之Windows上安装Git详细步骤(图文详解 ...
- 如何正确在IDEA 里maven构建的项目中引入lib的jar包(图文详解)
不多说,直接上干货! 问题详情 以下是我,maven构建出来的最新spark2.2.0-bin-hadoop2.6的项目. 有些依赖包,maven还是无法一次性满足,所以,得手动加入lib的jar包. ...
- ubuntu16.04里如何正确添加用root用户来登录图形界面(图文详解)
不多说,直接上干货! Ubuntu版本都默认不允许使用root登录,必须要改配置文件. 第一步: 首先设置root密码,利用现有管理员帐户登陆Ubuntu,在终端执行命令:sudo passwd ro ...
- snort + barnyard2如何正确读取snort.unified2格式的数据集并且入库MySQL(图文详解)
不多说,直接上干货! 为什么,要写这篇论文? 是因为,目前科研的我,正值研三,致力于网络安全.大数据.机器学习研究领域! 论文方向的需要,同时不局限于真实物理环境机器实验室的攻防环境.也不局限于真实物 ...
- Snort里如何将读取的包记录存到指定的目录下(图文详解)
不多说,直接上干货! 比如,在/root/log目录下. [root@datatest ~]# snort -dve -l /root/log 需要注意: 1) /log目录需要你自己建立,并修改权限 ...
随机推荐
- CDN具体解释(篇二)
还有还有一个问题就是全部的内容都放在同一个地方.假设我们的server在芝加哥,那么美国中西部的人们訪问server的响应时间和用户体验就比香港.德国.南非以及佛罗里达州的用户好.由于那些用户离ser ...
- 纯C语言实现简单封装继承机制
0 继承是OO设计的基础 继承是OO设计中的基本部分,也是实现多态的基础,C++,C#,Objective-C.Java.PHP.JavaScript等为OO而设计的语言,其语言本身对实现继承提供了直 ...
- linux php nginx php-fpm 关系 动态进程生成
yum install php yum install php-fpm 启动fpm [root@VM_141_64_centos html]# service php-fpm restart Redi ...
- VS2010 根据WSDL文件(java Web Service)生成.cs文件
我们添加webService引用,一般是通过 添加服务引用完成的,其实 添加服务引用 在背后为我们生成了代理类. 我们手动生成代理类方法: 1.通过java Web Service,生成wsdl文件: ...
- HttpsURLConnection 安全传输(HTTPS--Secure Hypertext Transfer Protocol-安全超文本传输协议)
HttpsURLConnection 扩展 HttpURLConnection,支持各种特定于 https 功能.此类使用 HostnameVerifier 和 SSLSocketFactory.为这 ...
- ubuntu切换中英文通用方法,ubuntu中文语言
1:点击桌面右上角的齿轮,选择“system settings”进入系统设置界面
- Cmake的介绍和使用 Cmake实践【转】
本文转载自:http://www.cppblog.com/Roger/archive/2011/11/17/160368.html Cmake的介绍和使用 Cmake实践 Cmake优点: 1. ...
- POJ3264 Balanced Lineup —— 线段树单点更新 区间最大最小值
题目链接:https://vjudge.net/problem/POJ-3264 For the daily milking, Farmer John's N cows (1 ≤ N ≤ 50,000 ...
- 配置RabbitMQ远程访问
本文参考自:http://flashing.iteye.com/blog/1797531 1.如果远程客户端网络状况不是太好,比如adsl什么的,那么一定在客户端打开requstedHeartbeat ...
- WdatePicker.js的使用方法(转)
WdatePicker.js的使用方法 博客分类: 其他 1. 跨无限级框架显示 无论你把日期控件放在哪里,你都不需要担心会被外层的iframe所遮挡进而影响客户体验,因为My97日期控件是可以跨 ...