How to read a tcpdump-format binary file and print it to the screen in Snort (illustrated walkthrough)
Without further ado, straight to the point.
I won't cover the basics of the tcpdump binary format here.
Two sniffer tools that support the tcpdump binary format are worth naming: tcpdump and ethereal.
```
[root@datatest SecondWeek]# pwd
/root/data/DARPA1999/SecondWeek
[root@datatest SecondWeek]# ll
total 391652
-rw-r--r--. 1 root root 401046958 Aug  9 12:40 inside.tcpdump
[root@datatest SecondWeek]# snort -dv -r inside.tcpdump
```
Here I am reading inside.tcpdump, the binary capture of the internal network for the second week of the DARPA 1999 dataset.
I won't go into the -r option in detail: it reads a tcpdump-format binary file and prints its contents to the screen.
Let me expand on this a little.
```
[root@datatest SecondWeek]# snort -v
```
With this option snort prints only the IP, TCP, UDP and ICMP packet headers.
```
[root@datatest SecondWeek]# snort -v -r inside.tcpdump
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
WARNING: No preprocessors configured for policy 0.
03/08-21:01:46.461764 207.25.71.141:80 -> 172.16.112.194:1306
TCP TTL:63 TOS:0x0 ID:498 IpLen:20 DgmLen:44
***A**S* Seq: 0x328B83B0  Ack: 0x48DA2A1F  Win: 0x7FE0  TcpLen: 24
TCP Options (1) => MSS: 1460
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
WARNING: No preprocessors configured for policy 0.
03/08-21:01:46.461920 172.16.112.194:1306 -> 207.25.71.141:80
TCP TTL:64 TOS:0x0 ID:729 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x48DA2A1F  Ack: 0x328B83B1  Win: 0x7D78  TcpLen: 20
*** Caught Int-Signal
WARNING: No preprocessors configured for policy 0.
03/08-21:01:46.869826 172.16.112.194:1559 -> 207.25.71.141:80
TCP TTL:64 TOS:0x0 ID:776 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x6F2E7AF7  Ack: 0xB057C6D7  Win: 0x7D78  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
===============================================================================
Run time for packet processing was 0.228905 seconds
Snort processed 746 packets.
Snort ran for 0 days 0 hours 0 minutes 0 seconds
   Pkts/sec:          746
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       925696
  Bytes in mapped regions (hblkhd):      12906496
  Total allocated space (uordblks):      669520
  Total free space (fordblks):           256176
  Topmost releasable block (keepcost):   185520
===============================================================================
Packet I/O Totals:
   Received:          746
   Analyzed:          746 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:          746 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:          726 ( 97.319%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:           79 ( 10.590%)
        TCP:          647 ( 86.729%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            8 (  1.072%)
        IPX:            0 (  0.000%)
   Eth Loop:           10 (  1.340%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            2 (  0.268%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:          746
===============================================================================
Snort exiting
```
```
[root@datatest SecondWeek]# snort -d
```
With this option snort prints the packet data (the application-layer payload).
```
[root@datatest SecondWeek]# snort -d -r inside.tcpdump
```
This produces:
```
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
WARNING: No preprocessors configured for policy 0.
03/08-21:00:58.188692 206.48.44.18:1054 -> 172.16.112.100:21
TCP TTL:126 TOS:0x0 ID:39424 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x17AD29  Ack: 0x17AE81  Win: 0x2238  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
WARNING: No preprocessors configured for policy 0.
03/08-21:00:58.203130 172.16.112.100:21 -> 206.48.44.18:1054
TCP TTL:128 TOS:0x0 ID:38400 IpLen:20 DgmLen:87 DF
***AP*** Seq: 0x17AE81  Ack: 0x17AD29  Win: 0x2238  TcpLen: 20
32 32 30 20 68 75 6D 65 20 4D 69 63 72 6F 73 6F  220 hume Microso
66 74 20 46 54 50 20 53 65 72 76 69 63 65 20 28  ft FTP Service (
56 65 72 73 69 6F 6E 20 32 2E 30 29 2E 0D 0A     Version 2.0)...
===============================================================================
Run time for packet processing was 0.232618 seconds
Snort processed 254 packets.
Snort ran for 0 days 0 hours 0 minutes 0 seconds
   Pkts/sec:          254
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       925696
  Bytes in mapped regions (hblkhd):      13180928
  Total allocated space (uordblks):      669520
  Total free space (fordblks):           256176
  Topmost releasable block (keepcost):   185520
===============================================================================
Packet I/O Totals:
   Received:          254
   Analyzed:          254 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:          254 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:          242 ( 95.276%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:           42 ( 16.535%)
        TCP:          200 ( 78.740%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            6 (  2.362%)
        IPX:            0 (  0.000%)
   Eth Loop:            5 (  1.969%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            1 (  0.394%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:          254
===============================================================================
Snort exiting
[root@datatest SecondWeek]#
```
```
[root@datatest SecondWeek]# snort -dv
```
This combination makes snort print the IP, TCP, UDP and ICMP packet headers and, at the same time, the packet data.
```
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
WARNING: No preprocessors configured for policy 0.
03/08-21:01:42.867811 195.73.151.50:1028 -> 172.16.114.168:25
TCP TTL:63 TOS:0x0 ID:494 IpLen:20 DgmLen:77 DF
***AP*** Seq: 0xE888C943  Ack: 0x9A021B4D  Win: 0x7D78  TcpLen: 20
4D 41 49 4C 20 46 72 6F 6D 3A 3C 61 76 72 61 70  MAIL From:<avrap
40 6C 61 6D 62 64 61 2E 6F 72 61 6E 67 65 2E 63  @lambda.orange.c
6F 6D 3E 0D 0A                                   om>..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
WARNING: No preprocessors configured for policy 0.
03/08-21:01:42.868044 172.16.114.168:25 -> 195.73.151.50:1028
TCP TTL:64 TOS:0x0 ID:542 IpLen:20 DgmLen:84 DF
***AP*** Seq: 0x9A021B4D  Ack: 0xE888C968  Win: 0x7FE0  TcpLen: 20
32 35 30 20 3C 61 76 72 61 70 40 6C 61 6D 62 64  250 <avrap@lambd
61 2E 6F 72 61 6E 67 65 2E 63 6F 6D 3E 2E 2E 2E  a.orange.com>...
20 53 65 6E 64 65 72 20 4F 6B 0D 0A               Sender Ok..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
*** Caught Int-Signal
WARNING: No preprocessors configured for policy 0.
03/08-21:01:42.875769 195.73.151.50:1028 -> 172.16.114.168:25
TCP TTL:63 TOS:0x0 ID:498 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE888CD92  Ack: 0x9A021BCE  Win: 0x7D78  TcpLen: 20
6F 66 20 67 61 69 6E 2C 20 77 65 3A 0D 0A 20 20  of gain, we:..
20 20 20 20 20 20 63 6F 75 6C 64 20 61 6C 73 6F        could also
20 75 73 65 73 20 54 68 65 20 6F 66 20 4E 65 74   uses The of Net
77 6F 72 6B 20 6E 65 75 72 61 6C 20 6E 65 74 77  work neural netw
6F 72 6B 73 20 61 0D 0A 20 20 20 20 20 20 20 20  orks a..
43 61 73 63 61 64 65 20 72 6F 75 74 69 6E 65 73  Cascade routines
20 79 65 61 72 20 61 76 61 69 6C 61 62 6C 65 20   year available
76 69 61 20 70 72 69 63 65 20 61 6E 64 20 54 68  via price and Th
65 20 62 75 67 0D 0A 20 20 20 20 20 20 20 20 69  e bug..        i
73 20 61 20 6C 65 63 74 75 72 65 20 6E 6F 74 65  s a lecture note
73 2E 20 0D 0A 0D 0A 20 20 20 20 20 20 20 20 57  s. ....        W
68 65 6E 20 68 65 20 74 6F 20 64 6F 20 6E 6F 74  hen he to do not
20 68 61 76 65 20 61 6E 79 6F 6E 65 20 77 69 74   have anyone wit
68 20 74 6F 6D 6F 72 72 6F 77 2C 20 62 75 74 20  h tomorrow, but
74 68 65 0D 0A 20 20 20 20 20 20 20 20 65 6C 69  the..        eli
74 65 2C 20 42 75 74 20 49 20 49 20 6B 65 70 74  te, But I I kept
20 54 68 65 20 72 65 6D 61 69 6E 64 65 72 20 61   The remainder a
72 65 20 74 6F 20 74 72 61 69 6E 20 74 72 61 63  re to train trac
6B 73 20 62 79 0D 0A 20 20 20 20 20 20 20 20 74  ks by..        t
69 74 6C 65 3B 20 6F 6E 20 68 69 67 68 20 74 65  itle; on high te
6D 70 65 72 61 74 75 72 65 20 6C 69 6D 69 74 20  mperature limit
54 68 65 20 64 65 70 65 6E 64 73 20 6F 66 20 54  The depends of T
68 65 0D 0A 20 20 20 20 20 20 20 20 6E 65 78 74  he..        next
2E 20 20 54 65 6C 65 78 2E 20 20 4A 72 2E 20 20  .  Telex.  Jr.
4C 6F 6E 64 6F 6E 20 70 6C 61 79 73 20 41 6E 64  London plays And
72 65 20 54 65 6C 3A 20 61 20 77 68 69 6C 65 0D  re Tel: a while.
0A 20 20 20 20 20 20 20 20 73 74 69 6C 6C 20 69  .        still i
6E 20 61 2C 20 67 6F 6F 64 20 61 75 74 6F 6D 61  n a, good automa
74 69 63 61 6C 6C 79 20 77 68 69 63 68 20 64 6F  tically which do
20 74 68 65 69 72 20 6D 61 69 6C 69 6E 67 0D 0A   their mailing..
20 20 20 20 20 20 20 20 46 69 6C 65 20 49 66 20          File If
54 68 65 20 6F 6E 65 73 20 64 6F 6E 27 74 20 6B  The ones don't k
6E 6F 77 20 49 6E 74 72 6F 64 75 63 74 6F 72 79  now Introductory
20 63 6F 75 72 73 65 20 6F 66 0D 0A 20 20 20 20   course of..
20 20 20 20 70 72 6F 6F 66 73 20 49 20 68 61 64      proofs I had
20 61 20 70 72 65 66 69 78 20 74 68 65 2E 20 20   a prefix the.
49 20 62 65 6C 69 65 76 65 20 74 68 65 20 76 61  I believe the va
6C 75 65 20 46 72 6F 6D 0D 0A 20 20 20 20 20 20  lue From..
20 20 68 6F 73 74 20 68 6F 73 74 20 70 6F 72 74    host host port
20 74 6F 20 67 6C 6F 62 61 6C 20 65 61 63 68 20   to global each
53 70 65 61 6B 65 72 20 72 65 63 6F 67 6E 69 74  Speaker recognit
69 6F 6E 0D 0A 20 20 20 20 20 20 20 20 73 70 65  ion..        spe
===============================================================================
Run time for packet processing was 0.521737 seconds
Snort processed 343 packets.
Snort ran for 0 days 0 hours 0 minutes 0 seconds
   Pkts/sec:          343
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       925696
  Bytes in mapped regions (hblkhd):      13180928
  Total allocated space (uordblks):      669520
  Total free space (fordblks):           256176
  Topmost releasable block (keepcost):   185520
===============================================================================
Packet I/O Totals:
   Received:          343
   Analyzed:          343 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:          343 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:          323 ( 94.169%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:           73 ( 21.283%)
        TCP:          250 ( 72.886%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            8 (  2.332%)
        IPX:            0 (  0.000%)
   Eth Loop:           10 (  2.915%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            2 (  0.583%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:          343
===============================================================================
Snort exiting
[root@datatest SecondWeek]#
```
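As an added example (my own code, not part of the original post or of Snort): a minimal Python reader for the tcpdump/pcap binary format that Snort's -r option consumes, which decodes the Ethernet/IPv4/TCP headers and renders them in the two-line layout snort -v prints. The capture it parses is constructed in memory from the SYN-ACK shown above; the function names, the dummy MAC addresses and the timestamp value are my own assumptions.

```python
import struct

def build_sample_pcap():
    # Constructed capture (not real data): the SYN-ACK 207.25.71.141:80 -> 172.16.112.194:1306
    tcp = struct.pack("!HHIIBBHHH", 80, 1306, 0x328B83B0, 0x48DA2A1F,
                      6 << 4, 0x12, 0x7FE0, 0, 0) + b"\x02\x04\x05\xb4"  # 24-byte hdr, MSS 1460
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 498, 0, 63, 6, 0,
                     bytes([207, 25, 71, 141]), bytes([172, 16, 112, 194]))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp           # dummy MACs, EtherType IPv4
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LE magic, DLT_EN10MB
    rec = struct.pack("<IIII", 920926906, 461764, len(frame), len(frame))  # made-up ts, incl, orig
    return ghdr + rec + frame

def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) per record, in the byte order the magic indicates."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None or len(data) < 24:
        raise ValueError("not a pcap file")
    snaplen, linktype = struct.unpack(end + "II", data[16:24])
    if linktype != 1:
        raise ValueError("only Ethernet (DLT 1) frames are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if incl > snaplen or off + incl > len(data):       # oversized or truncated record
            raise ValueError("corrupt record at offset %d" % (off - 16))
        yield ts_sec, ts_usec, data[off:off + incl]
        off += incl

def decode_tcp(frame):
    """Return the fields snort -v prints for an IPv4/TCP frame, or None for other traffic."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00": return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 20: return None
    sport, dport, seq, ack, doff_flags, win = struct.unpack("!HHIIHH", ip[ihl:ihl + 16])
    # snort's flag column: bit 7 .. bit 0 as "12UAPRSF", '*' where the bit is clear
    flags = "".join(c if (doff_flags >> (7 - i)) & 1 else "*" for i, c in enumerate("12UAPRSF"))
    return {"src": "%d.%d.%d.%d:%d" % (*ip[12:16], sport), "dst": "%d.%d.%d.%d:%d" % (*ip[16:20], dport),
            "ttl": ip[8], "id": int.from_bytes(ip[4:6], "big"), "iplen": ihl,
            "dgmlen": int.from_bytes(ip[2:4], "big"), "flags": flags, "seq": seq,
            "ack": ack, "win": win, "tcplen": (doff_flags >> 12) * 4}

def snort_v_lines(data):
    """Render every TCP packet of a capture in the layout snort -v uses."""
    fmt = ("%(ts)s %(src)s -> %(dst)s\nTCP TTL:%(ttl)d ID:%(id)d IpLen:%(iplen)d DgmLen:%(dgmlen)d\n"
           "%(flags)s Seq: 0x%(seq)X  Ack: 0x%(ack)X  Win: 0x%(win)X  TcpLen: %(tcplen)d")
    return [fmt % dict(p, ts="%d.%06d" % (ts, us))
            for ts, us, frame in read_pcap(data) for p in [decode_tcp(frame)] if p]
```

Running `print("\n".join(snort_v_lines(build_sample_pcap())))` reproduces the `***A**S*` header line from the first packet above; a capture whose record length exceeds the file or the snaplen is rejected instead of being read past its end.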
For more, see:
Snort command-line options explained
Reposted from: https://www.cnblogs.com/zlslch/p/7333759.html