To rebuild a packet in pcap format from the information in the database you have to extend the "normal" snort database as used with ACID:

    ALTER TABLE data ADD COLUMN data_header TEXT;
    ALTER TABLE data ADD COLUMN pcap_header TEXT;
    ALTER TABLE schema ADD COLUMN full_payload SMALLINT;
    UPDATE schema SET full_payload=1;

NOTE: If you use MySQL 5 or later you have to put backticks around `schema` (i.e. ALTER TABLE `schema` ... and UPDATE `schema` ...), because starting with MySQL version 5 "schema" is a reserved word.

The first statement adds the lower-level (link layer) header to the database, the second adds the pcap header information such as the timestamp and capture length. The third statement adds a flag so that the additional fields can be checked for; the UPDATE sets it and is needed to allow the storage of the additional information in the database. These statements must be entered on the database interface; servsock does not run them for you. You can also append the above 4 lines to the create_postgresql or create_mysql scripts in the snort/contrib directory and re-create the database.

To rebuild a packet in pcap format together with all related tagged packets you have to extend the "normal" snort database as used with ACID once more, in addition to the changes above:

    ALTER TABLE event ADD COLUMN reference INT8;
    ALTER TABLE schema ADD COLUMN reference SMALLINT;
    UPDATE schema SET reference=1;

The first statement adds the reference that snort sets to the same value for the initial alert and for all 'Tagged Packet' alerts that are generated after that alert triggers. The second adds a flag so that the additional field can be checked for; the UPDATE sets it and is needed to allow the storage of the reference in the database. Again, this must be entered on the database interface and is not done by servsock. You can also append the above 3 lines to the create_postgresql or create_mysql scripts in the snort/contrib directory and re-create the database.
IMPORTANT NOTE: If tagged packets are to be stored in the database together with the alert packet, you have to give the "all" keyword on the output alert_unixsock_db line in snort.conf, because tagged packets are only written to the LOG chain.

NOTE: The -t option of getpacket builds a pcap file starting with the given SID and CID and containing all packets that carry the same reference. The -a option does nearly the same but starts with the first packet that carries this reference. The reference is only unique within one running instance of snort, so after a snort restart it may happen that another tagged session reuses the same reference id.

To build the "getpacket" program you have to pass the option --enable-getpacket to the configure command. Currently only the HEX scheme is supported for this feature: ASCII would not make any sense and BASE64 is not yet supported. Further, the program is restricted to the ethernet header, although supporting other link-level data would not be a real problem.

The pcap files created with getpacket can be read by tcpdump and ethereal without problems. This way the packet analysis features of these programs can be used, which are much more useful than the plain ASCII representation of e.g. ACID.

ACID Note: There should be no problem using this extended database together with ACID.
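The following Python script is an added example, not code from servsock or getpacket, showing what the -t and -a modes do with the extended tables: take the hex-encoded link header and payload of the rows sharing one reference, prepend a pcap record header built from the stored timestamp and lengths, and write a libpcap file that tcpdump or ethereal can open. The sample rows are constructed for the example, the split of the pcap_header column into seconds, microseconds and wire length is an assumption (the text above does not define that column's format), and the join query mentioned in the comments is likewise an assumed way to fetch such rows, not one the tools document.

```python
import struct

# Added example: assemble a libpcap file from rows of the extended snort
# database the way getpacket's -t and -a modes do. The rows below are
# constructed, not taken from a real database. How the pcap_header column is
# split into seconds/microseconds/wire length is an assumption made for this
# example. In real use the rows would come from a query along the lines of
#   SELECT ... FROM event JOIN data USING (sid, cid)
# which is an assumption about the query as well.

PCAP_MAGIC = 0xA1B2C3D4          # little-endian magic, microsecond timestamps
LINKTYPE_ETHERNET = 1            # getpacket only handles the ethernet header
SNAPLEN = 65535

# 14-byte ethernet header (dst MAC, src MAC, ethertype 0x0800) in the HEX
# scheme snort's database output uses; constructed sample data.
ETH_HDR_HEX = "00112233445500aabbccddee0800"
# Minimal IPv4 + TCP SYN (20 + 20 bytes); checksums left zero, sample data only.
PAYLOAD_HEX = ("4500002800010000400600000a0000010a000002"
               "04d2005000000001000000005002200000000000")

# sid/cid identify sensor and event as in the ACID schema; 'reference' is the
# column added with ALTER TABLE event ADD COLUMN reference INT8.
SAMPLE_ROWS = [
    {"sid": 1, "cid": 100, "reference": 6, "ts_sec": 1100000000, "ts_usec": 1000,
     "pkt_len": 54, "data_header": ETH_HDR_HEX, "data_payload": PAYLOAD_HEX},
    {"sid": 1, "cid": 101, "reference": 7, "ts_sec": 1100000000, "ts_usec": 2000,
     "pkt_len": 60, "data_header": ETH_HDR_HEX, "data_payload": PAYLOAD_HEX},  # alert
    {"sid": 1, "cid": 102, "reference": 7, "ts_sec": 1100000001, "ts_usec": 3000,
     "pkt_len": 60, "data_header": ETH_HDR_HEX, "data_payload": PAYLOAD_HEX},  # tagged
    {"sid": 1, "cid": 103, "reference": 8, "ts_sec": 1100000002, "ts_usec": 4000,
     "pkt_len": 54, "data_header": ETH_HDR_HEX, "data_payload": PAYLOAD_HEX},
]


def pcap_global_header(linktype=LINKTYPE_ETHERNET, snaplen=SNAPLEN):
    """24-byte libpcap file header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def packet_record(row):
    """One pcap record: 16-byte record header followed by the rebuilt frame."""
    frame = bytes.fromhex(row["data_header"]) + bytes.fromhex(row["data_payload"])
    caplen = len(frame)
    # The wire length may exceed what was stored (ethernet padding); never let it drop below caplen.
    wirelen = max(row["pkt_len"], caplen)
    header = struct.pack("<IIII", row["ts_sec"], row["ts_usec"], caplen, wirelen)
    return header + frame


def select_rows(rows, sid, cid, mode):
    """Pick the rows getpacket would write.

    mode "t": start at (sid, cid) and take every later row with the same reference.
    mode "a": take every row of that sid with the same reference, from the first one.
    Filtering on sid matters because the reference is only unique within one
    running snort instance, so rows from another sensor may reuse the number.
    """
    start = next(r for r in rows if r["sid"] == sid and r["cid"] == cid)
    first_cid = cid if mode == "t" else 0
    picked = [r for r in rows
              if r["sid"] == sid and r["reference"] == start["reference"]
              and r["cid"] >= first_cid]
    return sorted(picked, key=lambda r: r["cid"])


def build_pcap(rows, sid, cid, mode="t"):
    """Global header plus one record per selected row, in cid order."""
    records = b"".join(packet_record(r) for r in select_rows(rows, sid, cid, mode))
    return pcap_global_header() + records


def read_records(pcap):
    """Parse a pcap produced above; returns (ts_sec, ts_usec, caplen, wirelen, frame) tuples."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    out, off = [], 24
    while off < len(pcap):
        ts_sec, ts_usec, caplen, wirelen = struct.unpack("<IIII", pcap[off:off + 16])
        out.append((ts_sec, ts_usec, caplen, wirelen, pcap[off + 16:off + 16 + caplen]))
        off += 16 + caplen
    return out


if __name__ == "__main__":
    # Equivalent of "getpacket -t" for sid 1, cid 101: the alert and its tagged packet.
    with open("alert_101.pcap", "wb") as fh:
        fh.write(build_pcap(SAMPLE_ROWS, 1, 101, "t"))
```

Running the script writes alert_101.pcap, which `tcpdump -nn -r alert_101.pcap` reads as two ethernet frames; starting at cid 102 with mode "t" yields only the tagged packet, while mode "a" walks back to the alert that opened the reference.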