Snort里如何将一个tcpdump格式的二进制文件读取打印到屏幕上(图文详解)
不多说,直接上干货!
关于tcpdump二进制格式,这个基本概念不说。
支持tcpdump二进制格式的嗅探器工具,这里我说两个:tcpdump或者ethereal。
[root@datatest SecondWeek]# pwd
/root/data/DARPA1999/SecondWeek
[root@datatest SecondWeek]# ll
total
-rw-r--r--. root root Aug : inside.tcpdump
[root@datatest SecondWeek]# snort -dv -r inside.tcpdump
我这里,读取的是DARPA 1999数据集的第二周的内网inside.tcpdump二进制数据。
这里的 -r命令,我就不说啦。 就是将一个tcpdump格式的二进制文件读取打印到屏幕上的意思。
这里,我扩展下
[root@datatest SecondWeek]# snort -v
这个命令搭配的意思是,使得snort只输出IP、TCP、UDP和ICMP的包头信息。
[root@datatest SecondWeek]# snort -v -r inside.tcpdump
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::46.461764 207.25.71.141: -> 172.16.112.194:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen:
***A**S* Seq: 0x328B83B0 Ack: 0x48DA2A1F Win: 0x7FE0 TcpLen:
TCP Options () => MSS:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::46.461920 172.16.112.194: -> 207.25.71.141:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***A**** Seq: 0x48DA2A1F Ack: 0x328B83B1 Win: 0x7D78 TcpLen: *** Caught Int-Signal
WARNING: No preprocessors configured for policy .
/-::46.869826 172.16.112.194: -> 207.25.71.141:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***A**** Seq: 0x6F2E7AF7 Ack: 0xB057C6D7 Win: 0x7D78 TcpLen:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ ===============================================================================
Run time for packet processing was 0.228905 seconds
Snort processed packets.
Snort ran for days hours minutes seconds
Pkts/sec:
===============================================================================
Memory usage summary:
Total non-mmapped bytes (arena):
Bytes in mapped regions (hblkhd):
Total allocated space (uordblks):
Total free space (fordblks):
Topmost releasable block (keepcost):
===============================================================================
Packet I/O Totals:
Received:
Analyzed: (100.000%)
Dropped: ( 0.000%)
Filtered: ( 0.000%)
Outstanding: ( 0.000%)
Injected:
===============================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: (100.000%)
VLAN: ( 0.000%)
IP4: ( 97.319%)
Frag: ( 0.000%)
ICMP: ( 0.000%)
UDP: ( 10.590%)
TCP: ( 86.729%)
IP6: ( 0.000%)
IP6 Ext: ( 0.000%)
IP6 Opts: ( 0.000%)
Frag6: ( 0.000%)
ICMP6: ( 0.000%)
UDP6: ( 0.000%)
TCP6: ( 0.000%)
Teredo: ( 0.000%)
ICMP-IP: ( 0.000%)
IP4/IP4: ( 0.000%)
IP4/IP6: ( 0.000%)
IP6/IP4: ( 0.000%)
IP6/IP6: ( 0.000%)
GRE: ( 0.000%)
GRE Eth: ( 0.000%)
IP6/IP4: ( 0.000%)
IP6/IP6: ( 0.000%)
GRE: ( 0.000%)
GRE Eth: ( 0.000%)
GRE VLAN: ( 0.000%)
GRE IP4: ( 0.000%)
GRE IP6: ( 0.000%)
GRE IP6 Ext: ( 0.000%)
GRE PPTP: ( 0.000%)
GRE ARP: ( 0.000%)
GRE IPX: ( 0.000%)
GRE Loop: ( 0.000%)
MPLS: ( 0.000%)
ARP: ( 1.072%)
IPX: ( 0.000%)
Eth Loop: ( 1.340%)
Eth Disc: ( 0.000%)
IP4 Disc: ( 0.000%)
IP6 Disc: ( 0.000%)
TCP Disc: ( 0.000%)
UDP Disc: ( 0.000%)
ICMP Disc: ( 0.000%)
All Discard: ( 0.000%)
Other: ( 0.268%)
Bad Chk Sum: ( 0.000%)
Bad TTL: ( 0.000%)
S5 G : ( 0.000%)
S5 G : ( 0.000%)
Total:
===============================================================================
Snort exiting
[root@datatest SecondWeek]# snort -d
这个命令搭配的意思是,使得snort只包的数据信息。
[root@datatest SecondWeek]# snort -d -r inside.tcpdump
得到
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::58.188692 206.48.44.18: -> 172.16.112.100:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***A**** Seq: 0x17AD29 Ack: 0x17AE81 Win: 0x2238 TcpLen: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::58.203130 172.16.112.100: -> 206.48.44.18:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***AP*** Seq: 0x17AE81 Ack: 0x17AD29 Win: 0x2238 TcpLen:
6D 4D 6F 6F hume Microso
ft FTP Service (
6F 6E 2E 2E 0D 0A Version 2.0)...
===============================================================================
Run time for packet processing was 0.232618 seconds
Snort processed packets.
Snort ran for days hours minutes seconds
Pkts/sec:
===============================================================================
Memory usage summary:
Total non-mmapped bytes (arena):
Bytes in mapped regions (hblkhd):
Total allocated space (uordblks):
Total free space (fordblks):
Topmost releasable block (keepcost):
===============================================================================
Packet I/O Totals:
Received:
Analyzed: (100.000%)
Dropped: ( 0.000%)
Filtered: ( 0.000%)
Outstanding: ( 0.000%)
Injected:
===============================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: (100.000%)
VLAN: ( 0.000%)
IP4: ( 95.276%)
Frag: ( 0.000%)
ICMP: ( 0.000%)
UDP: ( 16.535%)
TCP: ( 78.740%)
IP6: ( 0.000%)
IP6 Ext: ( 0.000%)
IP6 Opts: ( 0.000%)
Frag6: ( 0.000%)
ICMP6: ( 0.000%)
UDP6: ( 0.000%)
TCP6: ( 0.000%)
Teredo: ( 0.000%)
ICMP-IP: ( 0.000%)
IP4/IP4: ( 0.000%)
IP4/IP6: ( 0.000%)
IP6/IP4: ( 0.000%)
IP6/IP6: ( 0.000%)
GRE: ( 0.000%)
GRE Eth: ( 0.000%)
GRE VLAN: ( 0.000%)
GRE IP4: ( 0.000%)
GRE IP6: ( 0.000%)
GRE IP6 Ext: ( 0.000%)
GRE PPTP: ( 0.000%)
GRE ARP: ( 0.000%)
GRE IPX: ( 0.000%)
GRE Loop: ( 0.000%)
MPLS: ( 0.000%)
ARP: ( 2.362%)
IPX: ( 0.000%)
Eth Loop: ( 1.969%)
Eth Disc: ( 0.000%)
IP4 Disc: ( 0.000%)
IP6 Disc: ( 0.000%)
TCP Disc: ( 0.000%)
UDP Disc: ( 0.000%)
ICMP Disc: ( 0.000%)
All Discard: ( 0.000%)
Other: ( 0.394%)
Bad Chk Sum: ( 0.000%)
Bad TTL: ( 0.000%)
S5 G : ( 0.000%)
S5 G : ( 0.000%)
Total:
===============================================================================
Snort exiting
[root@datatest SecondWeek]#
[root@datatest SecondWeek]# snort -dv
这个命令搭配的意思是,使得snort在输出IP、TCP、UDP和ICMP的包头信息的通俗,还显示包的数据信息。
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::42.867811 195.73.151.50: -> 172.16.114.168:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***AP*** Seq: 0xE888C943 Ack: 0x9A021B4D Win: 0x7D78 TcpLen:
4D 4C 6F 6D 3A 3C MAIL From:<avrap
6C 6D 2E 6F 6E 2E @lambda.orange.c
6F 6D 3E 0D 0A om>.. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ WARNING: No preprocessors configured for policy .
/-::42.868044 172.16.114.168: -> 195.73.151.50:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***AP*** Seq: 0x9A021B4D Ack: 0xE888C968 Win: 0x7FE0 TcpLen:
3C 6C 6D <avrap@lambd
2E 6F 6E 2E 6F 6D 3E 2E 2E 2E a.orange.com>...
6E 4F 6B 0D 0A Sender Ok.. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ *** Caught Int-Signal
WARNING: No preprocessors configured for policy .
/-::42.875769 195.73.151.50: -> 172.16.114.168:
TCP TTL: TOS:0x0 ID: IpLen: DgmLen: DF
***A**** Seq: 0xE888CD92 Ack: 0x9A021BCE Win: 0x7D78 TcpLen:
6F 6E 2C 3A 0D 0A of gain, we:..
6F 6C 6C 6F could also
6F 4E uses The of Net
6F 6B 6E 6C 6E work neural netw
6F 6B 0D 0A orks a..
6F 6E Cascade routines
6C 6C year available
6E via price and Th
0D 0A e bug.. i
6C 6E 6F s a lecture note
2E 0D 0A 0D 0A s. .... W
6E 6F 6F 6E 6F hen he to do not
6E 6F 6E have anyone wit
6F 6D 6F 6F 2C h tomorrow, but
0D 0A 6C the.. eli
2C 6B te, But I I kept
6D 6E The remainder a
6F 6E re to train trac
6B 0D 0A ks by.. t
6C 3B 6F 6E itle; on high te
6D 6C 6D mperature limit
6E 6F The depends of T
0D 0A 6E he.. next
2E 6C 2E 4A 2E . Telex. Jr.
4C 6F 6E 6F 6E 6C 6E London plays And
6C 3A 6C 0D re Tel: a while.
0A 6C 6C . still i
6E 2C 6F 6F 6F 6D n a, good automa
6C 6C 6F tically which do
6D 6C 6E 0D 0A their mailing..
6C File If
6F 6E 6F 6E 6B The ones don't k
6E 6F 6E 6F 6F now Introductory
6F 6F 0D 0A course of..
6F 6F proofs I had
2E a prefix the.
6C I believe the va
6C 6F 6D 0D 0A lue From..
6F 6F 6F host host port
6F 6C 6F 6C to global each
6B 6F 6E Speaker recognit
6F 6E 0D 0A ion.. spe
===============================================================================
Run time for packet processing was 0.521737 seconds
Snort processed packets.
Snort ran for days hours minutes seconds
Pkts/sec:
===============================================================================
Memory usage summary:
Total non-mmapped bytes (arena):
Bytes in mapped regions (hblkhd):
Total allocated space (uordblks):
Total free space (fordblks):
Topmost releasable block (keepcost):
===============================================================================
Packet I/O Totals:
Received:
Analyzed: (100.000%)
Dropped: ( 0.000%)
Filtered: ( 0.000%)
Outstanding: ( 0.000%)
Injected:
===============================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: (100.000%)
VLAN: ( 0.000%)
IP4: ( 94.169%)
Frag: ( 0.000%)
ICMP: ( 0.000%)
UDP: ( 21.283%)
TCP: ( 72.886%)
IP6: ( 0.000%)
IP6 Ext: ( 0.000%)
IP4/IP6: ( 0.000%)
IP6/IP4: ( 0.000%)
IP6/IP6: ( 0.000%)
GRE: ( 0.000%)
GRE Eth: ( 0.000%)
GRE VLAN: ( 0.000%)
GRE IP4: ( 0.000%)
GRE IP6: ( 0.000%)
GRE IP6 Ext: ( 0.000%)
GRE PPTP: ( 0.000%)
GRE ARP: ( 0.000%)
GRE IPX: ( 0.000%)
GRE Loop: ( 0.000%)
MPLS: ( 0.000%)
ARP: ( 2.332%)
IPX: ( 0.000%)
Eth Loop: ( 2.915%)
Eth Disc: ( 0.000%)
IP4 Disc: ( 0.000%)
IP6 Disc: ( 0.000%)
TCP Disc: ( 0.000%)
UDP Disc: ( 0.000%)
ICMP Disc: ( 0.000%)
All Discard: ( 0.000%)
Other: ( 0.583%)
Bad Chk Sum: ( 0.000%)
Bad TTL: ( 0.000%)
S5 G : ( 0.000%)
S5 G : ( 0.000%)
Total:
===============================================================================
Snort exiting
[root@datatest SecondWeek]#
进一步,见
Snort里如何将一个tcpdump格式的二进制文件读取打印到屏幕上(图文详解)的更多相关文章
- 【适合公司业务】全网最详细的IDEA里如何正确新建【普通或者Maven】的Java web项目并发布到Tomcat上运行成功【博主强烈推荐】(类似eclipse里同一个workspace下【多个子项目】并存)(图文详解)
不多说,直接上干货! 首先,大家要明确,IDEA.Eclipse和MyEclipse等编辑器之间的新建和运行手法是不一样的. 如果是在Myeclipse里,则是File -> new -> ...
- 全网最详细的Windows系统里Oracle 11g R2 Database(64bit)的完全卸载(图文详解)
不多说,直接上干货! 前期博客 全网最详细的Windows系统里Oracle 11g R2 Database(64bit)的下载与安装(图文详解) 若你不想用了,则可安全卸载. 完全卸载Oracle ...
- Scala IDEA for Eclipse里用maven来创建scala和java项目代码环境(图文详解)
这篇博客 是在Scala IDEA for Eclipse里手动创建scala代码编写环境. Scala IDE for Eclipse的下载.安装和WordCount的初步使用(本地模式和集群模式) ...
- 给ambari集群里的kafka安装基于web的kafka管理工具Kafka-manager(图文详解)
不多说,直接上干货! 参考博客 基于Web的Kafka管理器工具之Kafka-manager的编译部署详细安装 (支持kafka0.8.0.9和0.10以后版本)(图文详解)(默认端口或任意自定义端口 ...
- 全网最详细的Windows里Git client客户端管理工具SourceTree的下载与安装(图文详解)
不多说,直接上干货! 很多人用Git命令行不熟练,那么可以尝试使用SourceTree进行操作. 安装之前的必备 (1)Git的安装 Git学习系列之Windows上安装Git详细步骤(图文详解 ...
- 如何正确在IDEA 里maven构建的项目中引入lib的jar包(图文详解)
不多说,直接上干货! 问题详情 以下是我,maven构建出来的最新spark2.2.0-bin-hadoop2.6的项目. 有些依赖包,maven还是无法一次性满足,所以,得手动加入lib的jar包. ...
- ubuntu16.04里如何正确添加用root用户来登录图形界面(图文详解)
不多说,直接上干货! Ubuntu版本都默认不允许使用root登录,必须要改配置文件. 第一步: 首先设置root密码,利用现有管理员帐户登陆Ubuntu,在终端执行命令:sudo passwd ro ...
- snort + barnyard2如何正确读取snort.unified2格式的数据集并且入库MySQL(图文详解)
不多说,直接上干货! 为什么,要写这篇论文? 是因为,目前科研的我,正值研三,致力于网络安全.大数据.机器学习研究领域! 论文方向的需要,同时不局限于真实物理环境机器实验室的攻防环境.也不局限于真实物 ...
- Snort里如何将读取的包记录存到指定的目录下(图文详解)
不多说,直接上干货! 比如,在/root/log目录下. [root@datatest ~]# snort -dve -l /root/log 需要注意: 1) /log目录需要你自己建立,并修改权限 ...
随机推荐
- 【Android数据存储】- File
个人学习整理.如有不足之处,请不吝不吝赐教. 转载请注明:@CSU-Max 读写本应用程序数据目录中的文件 此种方法读写的文件在/data/data/<应用程序包名>中 ...
- 基于编程人员Python学习第一章节
基于廖雪峰的python零基础学习后,自我总结.适用于有一定基础的编程人员,对我而言,则是基于.net已有方面,通过学习,记录自我觉得有用的地方,便于后续回顾. 主要以快速定位内容,通过直观代码输入输 ...
- 软件质量之道:PCLint之中的一个
故天将降大任于斯人也,必先苦其心志,劳其筋骨,饿其体肤,空乏其身,行拂乱其所为,所以动心忍性,增益其所不能. 孟子 1引子 今天听老韩一席话,当真是感慨万千啊.心怀斗志昂扬.奋斗十年,到头来.却看到身 ...
- LuaInterface简单介绍
LuaInterface简单介绍 Lua是一种非常好的扩展性语言.Lua解释器被设计成一个非常easy嵌入到宿主程序的库.LuaInterface则用于实现Lua和CLR的混合编程. (一)Lua f ...
- 使用PowerShell 创建SharePoint 站点
使用PowerShell 创建SharePoint 站点 在SharePoint开发中,你应该学会使用PowerShell管理SharePoint网站.SharePoint Manag ...
- 什么是 XML Schema?
XML Schema 的作用是定义 XML 文档的合法构建模块,类似 DTD. XML Schema: 定义可出现在文档中的元素 定义可出现在文档中的属性 定义哪个元素是子元素 定义子元素的次序 定义 ...
- FOUNDATION OF ASYNCHRONOUS PROGRAMMING
The async and await keywords are just a compiler feature. The compiler creates code by using the Tas ...
- 省市区三级-javabean和mybatis
bean: package com.baiwang.moirai.model.sys; import com.fasterxml.jackson.annotation.JsonInclude; /** ...
- Linux设备驱动--块设备(四)之“自造请求”
前面, 我们已经讨论了内核所作的在队列中优化请求顺序的工作; 这个工作包括排列请求和, 或许, 甚至延迟队列来允许一个预期的请求到达. 这些技术在处理一个真正的旋转的磁盘驱动器时有助于系统的性能. 但 ...
- 关于数论【polya计数法】
可以预见数论推公式是有多么蛋疼. 让我简明扼要的讲讲吧(多都说不出来,毕竟才做了两道题)其实呢,这个算法应该归入群论,有个有用的东西:置换群,它表示一个集合包括很多的置换.先讲讲置换吧:↓(这是个置换 ...