Snort里如何将一个tcpdump格式的二进制文件读取打印到屏幕上(图文详解)
不多说,直接上干货!
关于tcpdump二进制格式,这个基本概念不说。
支持tcpdump二进制格式的嗅探器工具,这里我说两个:tcpdump或者ethereal。
[root@datatest SecondWeek]# pwd
/root/data/DARPA1999/SecondWeek
[root@datatest SecondWeek]# ll
total
-rw-r--r--. root root Aug : inside.tcpdump
[root@datatest SecondWeek]# snort -dv -r inside.tcpdump
我这里,读取的是DARPA 1999数据集的第二周的内网inside.tcpdump二进制数据。
这里的 -r命令,我就不说啦。 就是将一个tcpdump格式的二进制文件读取打印到屏幕上的意思。
这里,我扩展下
[root@datatest SecondWeek]# snort -v
这个命令搭配的意思是,使得snort只输出IP、TCP、UDP和ICMP的包头信息。
[root@datatest SecondWeek]# snort -v -r inside.tcpdump
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::46.461764 207.25.71.141: -> 172.16.112.194:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen:
***A**S* Seq: 0x328B83B0 Ack: 0x48DA2A1F Win: 0x7FE0 TcpLen:
TCP Options () => MSS:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::46.461920 172.16.112.194: -> 207.25.71.141:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***A**** Seq: 0x48DA2A1F Ack: 0x328B83B1 Win: 0x7D78 TcpLen: *** Caught Int-Signal
WARNING: No preprocessors configured for policy .
/-::46.869826 172.16.112.194: -> 207.25.71.141:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***A**** Seq: 0x6F2E7AF7 Ack: 0xB057C6D7 Win: 0x7D78 TcpLen:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ ===============================================================================
Run time for packet processing was 0.228905 seconds
Snort processed packets.
Snort ran for days hours minutes seconds
Pkts/sec:
===============================================================================
Memory usage summary:
Total non-mmapped bytes (arena):
Bytes in mapped regions (hblkhd):
Total allocated space (uordblks):
Total free space (fordblks):
Topmost releasable block (keepcost):
===============================================================================
Packet I/O Totals:
Received:
Analyzed: (100.000%)
Dropped: ( 0.000%)
Filtered: ( 0.000%)
Outstanding: ( 0.000%)
Injected:
===============================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: (100.000%)
VLAN: ( 0.000%)
IP4: ( 97.319%)
Frag: ( 0.000%)
ICMP: ( 0.000%)
UDP: ( 10.590%)
TCP: ( 86.729%)
IP6: ( 0.000%)
IP6 Ext: ( 0.000%)
IP6 Opts: ( 0.000%)
Frag6: ( 0.000%)
ICMP6: ( 0.000%)
UDP6: ( 0.000%)
TCP6: ( 0.000%)
Teredo: ( 0.000%)
ICMP-IP: ( 0.000%)
IP4/IP4: ( 0.000%)
IP4/IP6: ( 0.000%)
IP6/IP4: ( 0.000%)
IP6/IP6: ( 0.000%)
GRE: ( 0.000%)
GRE Eth: ( 0.000%)
IP6/IP4: ( 0.000%)
IP6/IP6: ( 0.000%)
GRE: ( 0.000%)
GRE Eth: ( 0.000%)
GRE VLAN: ( 0.000%)
GRE IP4: ( 0.000%)
GRE IP6: ( 0.000%)
GRE IP6 Ext: ( 0.000%)
GRE PPTP: ( 0.000%)
GRE ARP: ( 0.000%)
GRE IPX: ( 0.000%)
GRE Loop: ( 0.000%)
MPLS: ( 0.000%)
ARP: ( 1.072%)
IPX: ( 0.000%)
Eth Loop: ( 1.340%)
Eth Disc: ( 0.000%)
IP4 Disc: ( 0.000%)
IP6 Disc: ( 0.000%)
TCP Disc: ( 0.000%)
UDP Disc: ( 0.000%)
ICMP Disc: ( 0.000%)
All Discard: ( 0.000%)
Other: ( 0.268%)
Bad Chk Sum: ( 0.000%)
Bad TTL: ( 0.000%)
S5 G : ( 0.000%)
S5 G : ( 0.000%)
Total:
===============================================================================
Snort exiting
[root@datatest SecondWeek]# snort -d
这个命令搭配的意思是,使得snort只包的数据信息。
[root@datatest SecondWeek]# snort -d -r inside.tcpdump
得到
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::58.188692 206.48.44.18: -> 172.16.112.100:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***A**** Seq: 0x17AD29 Ack: 0x17AE81 Win: 0x2238 TcpLen: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::58.203130 172.16.112.100: -> 206.48.44.18:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***AP*** Seq: 0x17AE81 Ack: 0x17AD29 Win: 0x2238 TcpLen:
6D 4D 6F 6F hume Microso
ft FTP Service (
6F 6E 2E 2E 0D 0A Version 2.0)...
===============================================================================
Run time for packet processing was 0.232618 seconds
Snort processed packets.
Snort ran for days hours minutes seconds
Pkts/sec:
===============================================================================
Memory usage summary:
Total non-mmapped bytes (arena):
Bytes in mapped regions (hblkhd):
Total allocated space (uordblks):
Total free space (fordblks):
Topmost releasable block (keepcost):
===============================================================================
Packet I/O Totals:
Received:
Analyzed: (100.000%)
Dropped: ( 0.000%)
Filtered: ( 0.000%)
Outstanding: ( 0.000%)
Injected:
===============================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: (100.000%)
VLAN: ( 0.000%)
IP4: ( 95.276%)
Frag: ( 0.000%)
ICMP: ( 0.000%)
UDP: ( 16.535%)
TCP: ( 78.740%)
IP6: ( 0.000%)
IP6 Ext: ( 0.000%)
IP6 Opts: ( 0.000%)
Frag6: ( 0.000%)
ICMP6: ( 0.000%)
UDP6: ( 0.000%)
TCP6: ( 0.000%)
Teredo: ( 0.000%)
ICMP-IP: ( 0.000%)
IP4/IP4: ( 0.000%)
IP4/IP6: ( 0.000%)
IP6/IP4: ( 0.000%)
IP6/IP6: ( 0.000%)
GRE: ( 0.000%)
GRE Eth: ( 0.000%)
GRE VLAN: ( 0.000%)
GRE IP4: ( 0.000%)
GRE IP6: ( 0.000%)
GRE IP6 Ext: ( 0.000%)
GRE PPTP: ( 0.000%)
GRE ARP: ( 0.000%)
GRE IPX: ( 0.000%)
GRE Loop: ( 0.000%)
MPLS: ( 0.000%)
ARP: ( 2.362%)
IPX: ( 0.000%)
Eth Loop: ( 1.969%)
Eth Disc: ( 0.000%)
IP4 Disc: ( 0.000%)
IP6 Disc: ( 0.000%)
TCP Disc: ( 0.000%)
UDP Disc: ( 0.000%)
ICMP Disc: ( 0.000%)
All Discard: ( 0.000%)
Other: ( 0.394%)
Bad Chk Sum: ( 0.000%)
Bad TTL: ( 0.000%)
S5 G : ( 0.000%)
S5 G : ( 0.000%)
Total:
===============================================================================
Snort exiting
[root@datatest SecondWeek]#
[root@datatest SecondWeek]# snort -dv
这个命令搭配的意思是,使得snort在输出IP、TCP、UDP和ICMP的包头信息的通俗,还显示包的数据信息。
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::42.867811 195.73.151.50: -> 172.16.114.168:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***AP*** Seq: 0xE888C943 Ack: 0x9A021B4D Win: 0x7D78 TcpLen:
4D 4C 6F 6D 3A 3C MAIL From:<avrap
6C 6D 2E 6F 6E 2E @lambda.orange.c
6F 6D 3E 0D 0A om>.. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::42.868044 172.16.114.168: -> 195.73.151.50:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***AP*** Seq: 0x9A021B4D Ack: 0xE888C968 Win: 0x7FE0 TcpLen:
3C 6C 6D <avrap@lambd
2E 6F 6E 2E 6F 6D 3E 2E 2E 2E a.orange.com>...
6E 4F 6B 0D 0A Sender Ok.. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ *** Caught Int-Signal
WARNING: No preprocessors configured for policy .
/-::42.875769 195.73.151.50: -> 172.16.114.168:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***A**** Seq: 0xE888CD92 Ack: 0x9A021BCE Win: 0x7D78 TcpLen:
6F 6E 2C 3A 0D 0A of gain, we:..
6F 6C 6C 6F could also
6F 4E uses The of Net
6F 6B 6E 6C 6E work neural netw
6F 6B 0D 0A orks a..
6F 6E Cascade routines
6C 6C year available
6E via price and Th
0D 0A e bug.. i
6C 6E 6F s a lecture note
2E 0D 0A 0D 0A s. .... W
6E 6F 6F 6E 6F hen he to do not
6E 6F 6E have anyone wit
6F 6D 6F 6F 2C h tomorrow, but
0D 0A 6C the.. eli
2C 6B te, But I I kept
6D 6E The remainder a
6F 6E re to train trac
6B 0D 0A ks by.. t
6C 3B 6F 6E itle; on high te
6D 6C 6D mperature limit
6E 6F The depends of T
0D 0A 6E he.. next
2E 6C 2E 4A 2E . Telex. Jr.
4C 6F 6E 6F 6E 6C 6E London plays And
6C 3A 6C 0D re Tel: a while.
0A 6C 6C . still i
6E 2C 6F 6F 6F 6D n a, good automa
6C 6C 6F tically which do
6D 6C 6E 0D 0A their mailing..
6C File If
6F 6E 6F 6E 6B The ones don't k
6E 6F 6E 6F 6F now Introductory
6F 6F 0D 0A course of..
6F 6F proofs I had
2E a prefix the.
6C I believe the va
6C 6F 6D 0D 0A lue From..
6F 6F 6F host host port
6F 6C 6F 6C to global each
6B 6F 6E Speaker recognit
6F 6E 0D 0A ion.. spe
===============================================================================
Run time for packet processing was 0.521737 seconds
Snort processed packets.
Snort ran for days hours minutes seconds
Pkts/sec:
===============================================================================
Memory usage summary:
Total non-mmapped bytes (arena):
Bytes in mapped regions (hblkhd):
Total allocated space (uordblks):
Total free space (fordblks):
Topmost releasable block (keepcost):
===============================================================================
Packet I/O Totals:
Received:
Analyzed: (100.000%)
Dropped: ( 0.000%)
Filtered: ( 0.000%)
Outstanding: ( 0.000%)
Injected:
===============================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: (100.000%)
VLAN: ( 0.000%)
IP4: ( 94.169%)
Frag: ( 0.000%)
ICMP: ( 0.000%)
UDP: ( 21.283%)
TCP: ( 72.886%)
IP6: ( 0.000%)
IP6 Ext: ( 0.000%)
IP4/IP6: ( 0.000%)
IP6/IP4: ( 0.000%)
IP6/IP6: ( 0.000%)
GRE: ( 0.000%)
GRE Eth: ( 0.000%)
GRE VLAN: ( 0.000%)
GRE IP4: ( 0.000%)
GRE IP6: ( 0.000%)
GRE IP6 Ext: ( 0.000%)
GRE PPTP: ( 0.000%)
GRE ARP: ( 0.000%)
GRE IPX: ( 0.000%)
GRE Loop: ( 0.000%)
MPLS: ( 0.000%)
ARP: ( 2.332%)
IPX: ( 0.000%)
Eth Loop: ( 2.915%)
Eth Disc: ( 0.000%)
IP4 Disc: ( 0.000%)
IP6 Disc: ( 0.000%)
TCP Disc: ( 0.000%)
UDP Disc: ( 0.000%)
ICMP Disc: ( 0.000%)
All Discard: ( 0.000%)
Other: ( 0.583%)
Bad Chk Sum: ( 0.000%)
Bad TTL: ( 0.000%)
S5 G : ( 0.000%)
S5 G : ( 0.000%)
Total:
===============================================================================
Snort exiting
[root@datatest SecondWeek]#
进一步,见
Snort里如何将一个tcpdump格式的二进制文件读取打印到屏幕上(图文详解)的更多相关文章
- 【适合公司业务】全网最详细的IDEA里如何正确新建【普通或者Maven】的Java web项目并发布到Tomcat上运行成功【博主强烈推荐】(类似eclipse里同一个workspace下【多个子项目】并存)(图文详解)
不多说,直接上干货! 首先,大家要明确,IDEA.Eclipse和MyEclipse等编辑器之间的新建和运行手法是不一样的. 如果是在Myeclipse里,则是File -> new -> ...
- 全网最详细的Windows系统里Oracle 11g R2 Database(64bit)的完全卸载(图文详解)
不多说,直接上干货! 前期博客 全网最详细的Windows系统里Oracle 11g R2 Database(64bit)的下载与安装(图文详解) 若你不想用了,则可安全卸载. 完全卸载Oracle ...
- Scala IDEA for Eclipse里用maven来创建scala和java项目代码环境(图文详解)
这篇博客 是在Scala IDEA for Eclipse里手动创建scala代码编写环境. Scala IDE for Eclipse的下载.安装和WordCount的初步使用(本地模式和集群模式) ...
- 给ambari集群里的kafka安装基于web的kafka管理工具Kafka-manager(图文详解)
不多说,直接上干货! 参考博客 基于Web的Kafka管理器工具之Kafka-manager的编译部署详细安装 (支持kafka0.8.0.9和0.10以后版本)(图文详解)(默认端口或任意自定义端口 ...
- 全网最详细的Windows里Git client客户端管理工具SourceTree的下载与安装(图文详解)
不多说,直接上干货! 很多人用Git命令行不熟练,那么可以尝试使用SourceTree进行操作. 安装之前的必备 (1)Git的安装 Git学习系列之Windows上安装Git详细步骤(图文详解 ...
- 如何正确在IDEA 里maven构建的项目中引入lib的jar包(图文详解)
不多说,直接上干货! 问题详情 以下是我,maven构建出来的最新spark2.2.0-bin-hadoop2.6的项目. 有些依赖包,maven还是无法一次性满足,所以,得手动加入lib的jar包. ...
- ubuntu16.04里如何正确添加用root用户来登录图形界面(图文详解)
不多说,直接上干货! Ubuntu版本都默认不允许使用root登录,必须要改配置文件. 第一步: 首先设置root密码,利用现有管理员帐户登陆Ubuntu,在终端执行命令:sudo passwd ro ...
- snort + barnyard2如何正确读取snort.unified2格式的数据集并且入库MySQL(图文详解)
不多说,直接上干货! 为什么,要写这篇论文? 是因为,目前科研的我,正值研三,致力于网络安全.大数据.机器学习研究领域! 论文方向的需要,同时不局限于真实物理环境机器实验室的攻防环境.也不局限于真实物 ...
- Snort里如何将读取的包记录存到指定的目录下(图文详解)
不多说,直接上干货! 比如,在/root/log目录下. [root@datatest ~]# snort -dve -l /root/log 需要注意: 1) /log目录需要你自己建立,并修改权限 ...
随机推荐
- Qt Quick 图像处理实例之美图秀秀(附源代码下载)
在<Qt Quick 之 QML 与 C++ 混合编程具体解释>一文中我们解说了 QML 与 C++ 混合编程的方方面面的内容,这次我们通过一个图像处理应用.再来看一下 QML 与 C++ ...
- Pierce振荡器设计
一.Pierce振荡器电路 Inv:内部反相器,作用等同于放大器: Q:石英晶体或陶瓷晶振: RF:内部反馈电阻(使反相器工作在线性区): RExt:外部限流电阻(防止石英晶体被过分驱动): CL1. ...
- web爬虫之登录google paly 商店
我们先打开Google play 首页 ,点击右上角"登陆"button,即跳到登陆页面 每次我要用爬虫的方式来登陆某个站点的时候,我都会先随便输入一个账号password点击登陆 ...
- Spark调研笔记第3篇 - Spark集群相应用的调度策略简单介绍
Spark集群的调度分应用间调度和应用内调度两种情况,下文分别进行说明. 1. 应用间调度 1) 调度策略1: 资源静态分区 资源静态分区是指整个集群的资源被预先划分为多个partitions,资源分 ...
- Orange's_1_win7下搭建环境
工欲善其事,必先利其器. 由于公司电脑工作环境是win7,为了学习于渊的Orange,所以就在windows下配置环境: 1.nasm: nasm汇编 http://www.nasm.us/ ...
- Lnixu Bash
一.简单命令 1.创建文件(vi) vi hellowold.txt2.创建目录(mkdir) mkdir linux_bash3.删除文件(rm) rm helloworld.txt4.复制文件(c ...
- 自己写的Android端HttpUtil工具类
package com.sxt.jcjd.util; import java.io.IOException; import java.io.UnsupportedEncodingException; ...
- jupyter环境的安装
1,什么是jupyter notebook? 简介:jupyter notebook是基于网页的用户交互计算机的应用程序,其可被用于全过程计算:开发,文档编写,运行代码,和展示结果 简而言之,Jupy ...
- shell系统管理
背景知识 对于 Linux 系统管理员来说,没有比 shell 脚本编程更有用处的了.通常,Linux 系统管理员每天需要完成无数项任务,从监视系统磁盘空间和系统用户到备份重要文件.Shell 脚本可 ...
- 869C
dp 我好像很zz... 想了好长好长时间,然后没想出来,怒掉rating... 其实我们可以吧三种颜色两两计算,因为这样加入第三种颜色不会影响之前的方案,那么我们跑一个dp,计算数量分别为a,b的方 ...