Snort里如何将一个tcpdump格式的二进制文件读取打印到屏幕上(图文详解)
不多说,直接上干货!
关于tcpdump二进制格式,这个基本概念不说。
支持tcpdump二进制格式的嗅探器工具,这里我说两个:tcpdump或者ethereal。
[root@datatest SecondWeek]# pwd
/root/data/DARPA1999/SecondWeek
[root@datatest SecondWeek]# ll
total
-rw-r--r--. root root Aug : inside.tcpdump
[root@datatest SecondWeek]# snort -dv -r inside.tcpdump
我这里,读取的是DARPA 1999数据集的第二周的内网inside.tcpdump二进制数据。
这里的 -r命令,我就不说啦。 就是将一个tcpdump格式的二进制文件读取打印到屏幕上的意思。
这里,我扩展下
[root@datatest SecondWeek]# snort -v
这个命令搭配的意思是,使得snort只输出IP、TCP、UDP和ICMP的包头信息。
[root@datatest SecondWeek]# snort -v -r inside.tcpdump
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::46.461764 207.25.71.141: -> 172.16.112.194:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen:
***A**S* Seq: 0x328B83B0 Ack: 0x48DA2A1F Win: 0x7FE0 TcpLen:
TCP Options () => MSS:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::46.461920 172.16.112.194: -> 207.25.71.141:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***A**** Seq: 0x48DA2A1F Ack: 0x328B83B1 Win: 0x7D78 TcpLen: *** Caught Int-Signal
WARNING: No preprocessors configured for policy .
/-::46.869826 172.16.112.194: -> 207.25.71.141:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***A**** Seq: 0x6F2E7AF7 Ack: 0xB057C6D7 Win: 0x7D78 TcpLen:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ ===============================================================================
Run time for packet processing was 0.228905 seconds
Snort processed packets.
Snort ran for days hours minutes seconds
Pkts/sec:
===============================================================================
Memory usage summary:
Total non-mmapped bytes (arena):
Bytes in mapped regions (hblkhd):
Total allocated space (uordblks):
Total free space (fordblks):
Topmost releasable block (keepcost):
===============================================================================
Packet I/O Totals:
Received:
Analyzed: (100.000%)
Dropped: ( 0.000%)
Filtered: ( 0.000%)
Outstanding: ( 0.000%)
Injected:
===============================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: (100.000%)
VLAN: ( 0.000%)
IP4: ( 97.319%)
Frag: ( 0.000%)
ICMP: ( 0.000%)
UDP: ( 10.590%)
TCP: ( 86.729%)
IP6: ( 0.000%)
IP6 Ext: ( 0.000%)
IP6 Opts: ( 0.000%)
Frag6: ( 0.000%)
ICMP6: ( 0.000%)
UDP6: ( 0.000%)
TCP6: ( 0.000%)
Teredo: ( 0.000%)
ICMP-IP: ( 0.000%)
IP4/IP4: ( 0.000%)
IP4/IP6: ( 0.000%)
IP6/IP4: ( 0.000%)
IP6/IP6: ( 0.000%)
GRE: ( 0.000%)
GRE Eth: ( 0.000%)
IP6/IP4: ( 0.000%)
IP6/IP6: ( 0.000%)
GRE: ( 0.000%)
GRE Eth: ( 0.000%)
GRE VLAN: ( 0.000%)
GRE IP4: ( 0.000%)
GRE IP6: ( 0.000%)
GRE IP6 Ext: ( 0.000%)
GRE PPTP: ( 0.000%)
GRE ARP: ( 0.000%)
GRE IPX: ( 0.000%)
GRE Loop: ( 0.000%)
MPLS: ( 0.000%)
ARP: ( 1.072%)
IPX: ( 0.000%)
Eth Loop: ( 1.340%)
Eth Disc: ( 0.000%)
IP4 Disc: ( 0.000%)
IP6 Disc: ( 0.000%)
TCP Disc: ( 0.000%)
UDP Disc: ( 0.000%)
ICMP Disc: ( 0.000%)
All Discard: ( 0.000%)
Other: ( 0.268%)
Bad Chk Sum: ( 0.000%)
Bad TTL: ( 0.000%)
S5 G : ( 0.000%)
S5 G : ( 0.000%)
Total:
===============================================================================
Snort exiting
[root@datatest SecondWeek]# snort -d
这个命令搭配的意思是,使得snort只包的数据信息。
[root@datatest SecondWeek]# snort -d -r inside.tcpdump
得到
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::58.188692 206.48.44.18: -> 172.16.112.100:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***A**** Seq: 0x17AD29 Ack: 0x17AE81 Win: 0x2238 TcpLen: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::58.203130 172.16.112.100: -> 206.48.44.18:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***AP*** Seq: 0x17AE81 Ack: 0x17AD29 Win: 0x2238 TcpLen:
6D 4D 6F 6F hume Microso
ft FTP Service (
6F 6E 2E 2E 0D 0A Version 2.0)...
===============================================================================
Run time for packet processing was 0.232618 seconds
Snort processed packets.
Snort ran for days hours minutes seconds
Pkts/sec:
===============================================================================
Memory usage summary:
Total non-mmapped bytes (arena):
Bytes in mapped regions (hblkhd):
Total allocated space (uordblks):
Total free space (fordblks):
Topmost releasable block (keepcost):
===============================================================================
Packet I/O Totals:
Received:
Analyzed: (100.000%)
Dropped: ( 0.000%)
Filtered: ( 0.000%)
Outstanding: ( 0.000%)
Injected:
===============================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: (100.000%)
VLAN: ( 0.000%)
IP4: ( 95.276%)
Frag: ( 0.000%)
ICMP: ( 0.000%)
UDP: ( 16.535%)
TCP: ( 78.740%)
IP6: ( 0.000%)
IP6 Ext: ( 0.000%)
IP6 Opts: ( 0.000%)
Frag6: ( 0.000%)
ICMP6: ( 0.000%)
UDP6: ( 0.000%)
TCP6: ( 0.000%)
Teredo: ( 0.000%)
ICMP-IP: ( 0.000%)
IP4/IP4: ( 0.000%)
IP4/IP6: ( 0.000%)
IP6/IP4: ( 0.000%)
IP6/IP6: ( 0.000%)
GRE: ( 0.000%)
GRE Eth: ( 0.000%)
GRE VLAN: ( 0.000%)
GRE IP4: ( 0.000%)
GRE IP6: ( 0.000%)
GRE IP6 Ext: ( 0.000%)
GRE PPTP: ( 0.000%)
GRE ARP: ( 0.000%)
GRE IPX: ( 0.000%)
GRE Loop: ( 0.000%)
MPLS: ( 0.000%)
ARP: ( 2.362%)
IPX: ( 0.000%)
Eth Loop: ( 1.969%)
Eth Disc: ( 0.000%)
IP4 Disc: ( 0.000%)
IP6 Disc: ( 0.000%)
TCP Disc: ( 0.000%)
UDP Disc: ( 0.000%)
ICMP Disc: ( 0.000%)
All Discard: ( 0.000%)
Other: ( 0.394%)
Bad Chk Sum: ( 0.000%)
Bad TTL: ( 0.000%)
S5 G : ( 0.000%)
S5 G : ( 0.000%)
Total:
===============================================================================
Snort exiting
[root@datatest SecondWeek]#
[root@datatest SecondWeek]# snort -dv
这个命令搭配的意思是,使得snort在输出IP、TCP、UDP和ICMP的包头信息的通俗,还显示包的数据信息。
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::42.867811 195.73.151.50: -> 172.16.114.168:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***AP*** Seq: 0xE888C943 Ack: 0x9A021B4D Win: 0x7D78 TcpLen:
4D 4C 6F 6D 3A 3C MAIL From:<avrap
6C 6D 2E 6F 6E 2E @lambda.orange.c
6F 6D 3E 0D 0A om>.. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::42.868044 172.16.114.168: -> 195.73.151.50:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***AP*** Seq: 0x9A021B4D Ack: 0xE888C968 Win: 0x7FE0 TcpLen:
3C 6C 6D <avrap@lambd
2E 6F 6E 2E 6F 6D 3E 2E 2E 2E a.orange.com>...
6E 4F 6B 0D 0A Sender Ok.. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ *** Caught Int-Signal
WARNING: No preprocessors configured for policy .
/-::42.875769 195.73.151.50: -> 172.16.114.168:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***A**** Seq: 0xE888CD92 Ack: 0x9A021BCE Win: 0x7D78 TcpLen:
6F 6E 2C 3A 0D 0A of gain, we:..
6F 6C 6C 6F could also
6F 4E uses The of Net
6F 6B 6E 6C 6E work neural netw
6F 6B 0D 0A orks a..
6F 6E Cascade routines
6C 6C year available
6E via price and Th
0D 0A e bug.. i
6C 6E 6F s a lecture note
2E 0D 0A 0D 0A s. .... W
6E 6F 6F 6E 6F hen he to do not
6E 6F 6E have anyone wit
6F 6D 6F 6F 2C h tomorrow, but
0D 0A 6C the.. eli
2C 6B te, But I I kept
6D 6E The remainder a
6F 6E re to train trac
6B 0D 0A ks by.. t
6C 3B 6F 6E itle; on high te
6D 6C 6D mperature limit
6E 6F The depends of T
0D 0A 6E he.. next
2E 6C 2E 4A 2E . Telex. Jr.
4C 6F 6E 6F 6E 6C 6E London plays And
6C 3A 6C 0D re Tel: a while.
0A 6C 6C . still i
6E 2C 6F 6F 6F 6D n a, good automa
6C 6C 6F tically which do
6D 6C 6E 0D 0A their mailing..
6C File If
6F 6E 6F 6E 6B The ones don't k
6E 6F 6E 6F 6F now Introductory
6F 6F 0D 0A course of..
6F 6F proofs I had
2E a prefix the.
6C I believe the va
6C 6F 6D 0D 0A lue From..
6F 6F 6F host host port
6F 6C 6F 6C to global each
6B 6F 6E Speaker recognit
6F 6E 0D 0A ion.. spe
===============================================================================
Run time for packet processing was 0.521737 seconds
Snort processed packets.
Snort ran for days hours minutes seconds
Pkts/sec:
===============================================================================
Memory usage summary:
Total non-mmapped bytes (arena):
Bytes in mapped regions (hblkhd):
Total allocated space (uordblks):
Total free space (fordblks):
Topmost releasable block (keepcost):
===============================================================================
Packet I/O Totals:
Received:
Analyzed: (100.000%)
Dropped: ( 0.000%)
Filtered: ( 0.000%)
Outstanding: ( 0.000%)
Injected:
===============================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: (100.000%)
VLAN: ( 0.000%)
IP4: ( 94.169%)
Frag: ( 0.000%)
ICMP: ( 0.000%)
UDP: ( 21.283%)
TCP: ( 72.886%)
IP6: ( 0.000%)
IP6 Ext: ( 0.000%)
IP4/IP6: ( 0.000%)
IP6/IP4: ( 0.000%)
IP6/IP6: ( 0.000%)
GRE: ( 0.000%)
GRE Eth: ( 0.000%)
GRE VLAN: ( 0.000%)
GRE IP4: ( 0.000%)
GRE IP6: ( 0.000%)
GRE IP6 Ext: ( 0.000%)
GRE PPTP: ( 0.000%)
GRE ARP: ( 0.000%)
GRE IPX: ( 0.000%)
GRE Loop: ( 0.000%)
MPLS: ( 0.000%)
ARP: ( 2.332%)
IPX: ( 0.000%)
Eth Loop: ( 2.915%)
Eth Disc: ( 0.000%)
IP4 Disc: ( 0.000%)
IP6 Disc: ( 0.000%)
TCP Disc: ( 0.000%)
UDP Disc: ( 0.000%)
ICMP Disc: ( 0.000%)
All Discard: ( 0.000%)
Other: ( 0.583%)
Bad Chk Sum: ( 0.000%)
Bad TTL: ( 0.000%)
S5 G : ( 0.000%)
S5 G : ( 0.000%)
Total:
===============================================================================
Snort exiting
[root@datatest SecondWeek]#
进一步,见
Snort里如何将一个tcpdump格式的二进制文件读取打印到屏幕上(图文详解)的更多相关文章
- 【适合公司业务】全网最详细的IDEA里如何正确新建【普通或者Maven】的Java web项目并发布到Tomcat上运行成功【博主强烈推荐】(类似eclipse里同一个workspace下【多个子项目】并存)(图文详解)
不多说,直接上干货! 首先,大家要明确,IDEA.Eclipse和MyEclipse等编辑器之间的新建和运行手法是不一样的. 如果是在Myeclipse里,则是File -> new -> ...
- 全网最详细的Windows系统里Oracle 11g R2 Database(64bit)的完全卸载(图文详解)
不多说,直接上干货! 前期博客 全网最详细的Windows系统里Oracle 11g R2 Database(64bit)的下载与安装(图文详解) 若你不想用了,则可安全卸载. 完全卸载Oracle ...
- Scala IDEA for Eclipse里用maven来创建scala和java项目代码环境(图文详解)
这篇博客 是在Scala IDEA for Eclipse里手动创建scala代码编写环境. Scala IDE for Eclipse的下载.安装和WordCount的初步使用(本地模式和集群模式) ...
- 给ambari集群里的kafka安装基于web的kafka管理工具Kafka-manager(图文详解)
不多说,直接上干货! 参考博客 基于Web的Kafka管理器工具之Kafka-manager的编译部署详细安装 (支持kafka0.8.0.9和0.10以后版本)(图文详解)(默认端口或任意自定义端口 ...
- 全网最详细的Windows里Git client客户端管理工具SourceTree的下载与安装(图文详解)
不多说,直接上干货! 很多人用Git命令行不熟练,那么可以尝试使用SourceTree进行操作. 安装之前的必备 (1)Git的安装 Git学习系列之Windows上安装Git详细步骤(图文详解 ...
- 如何正确在IDEA 里maven构建的项目中引入lib的jar包(图文详解)
不多说,直接上干货! 问题详情 以下是我,maven构建出来的最新spark2.2.0-bin-hadoop2.6的项目. 有些依赖包,maven还是无法一次性满足,所以,得手动加入lib的jar包. ...
- ubuntu16.04里如何正确添加用root用户来登录图形界面(图文详解)
不多说,直接上干货! Ubuntu版本都默认不允许使用root登录,必须要改配置文件. 第一步: 首先设置root密码,利用现有管理员帐户登陆Ubuntu,在终端执行命令:sudo passwd ro ...
- snort + barnyard2如何正确读取snort.unified2格式的数据集并且入库MySQL(图文详解)
不多说,直接上干货! 为什么,要写这篇论文? 是因为,目前科研的我,正值研三,致力于网络安全.大数据.机器学习研究领域! 论文方向的需要,同时不局限于真实物理环境机器实验室的攻防环境.也不局限于真实物 ...
- Snort里如何将读取的包记录存到指定的目录下(图文详解)
不多说,直接上干货! 比如,在/root/log目录下. [root@datatest ~]# snort -dve -l /root/log 需要注意: 1) /log目录需要你自己建立,并修改权限 ...
随机推荐
- android 多进程 Binder AIDL Service
本文參考http://blog.csdn.net/saintswordsman/article/details/5130947 android的多进程是通过Binder来实现的,一个类,继承了Bind ...
- 关于axis2.1.6与websphere7的包冲突问题的解决方式
1,复制axis2.1.6内的module目录内的全部文件到lib 并改动扩展名为.jar 2,删除module目录(可选,不删除也能够) 3,部署到was 4,设置was相应应用程序的类载入方案为父 ...
- MySQL之——server保持与MySQL的连接
转载请注明出处:http://blog.csdn.net/l1028386804/article/details/47008019 server程序常常要訪问数据库,而且server程序是长时间保持运 ...
- ios UIWebView 播放优酷土豆视频
将以下的代码嵌套在html里.然后webView载入这个网页.或这段html码,即可了,无须要使用像网上说的html5去兼容 watermark/2/text/aHR0cDovL2Jsb2cuY3Nk ...
- PP-判断生产订单状态(关闭)
方法一.工单号通过 resb找到对象号 然后找到状态为I0045利用表JEST与TJ02T . 方法二.函数'STATU_CHECK' 检查工单状态为'I0045' 则为已做技术性关闭. READ T ...
- jackson实体为NULL或者为空不显示
1.实体上 @JsonInclude(JsonInclude.Include.NON_NULL) 将该注解放在属性上,如果该属性为null则不参与序列化: 如果放在类上边,那对这个类的全部属性起作用 ...
- hta+vbs+js+div+css (javascript是原生态的)
talbe是javascript动态生成的,根据你的sql语句来的,分页是vbs用数组来造的轮子,vbs这脚本虽然强大,却没有返回数据集的东东,数组来做简单的分页还是比较简单的,批量跟新呢?是上传ex ...
- 7-39 Math对象
7-39 Math对象 学习要点 掌握常用的数学计算方法 温馨提示:关于学习方法的建议 不要强求自己讲参考手册上所以的属性和方法都搞清楚,原因如下: 有些属性和方法非常生僻,很少用,甚至经过一段时间后 ...
- Masonry复杂ScrollView布局
前言 说到iOS自动布局,有很多的解决办法.有的人使用xib/storyboard自动布局,也有人使用frame来适配.对于前者,笔者并不喜欢,也不支持.对于后者,更是麻烦,到处计算高度.宽度等,千万 ...
- I.MX6 wpa_applicant 开启 debug 输出
/*********************************************************************** * I.MX6 wpa_applicant 开启 de ...