getpacket


NAME

getpacket - program to build a pcap packet from a snort database.

SYNTAX

getpacket [-ahtvz] [-c <config>] -C CounterID -S SensorID [-w DumpFile]

DESCRIPTION

getpacket tries to create a pcap-based network packet from a snort database, selected by the sensor ID (SID) and the counter ID (CID).
An extended database schema is required; it can be populated with the -f option of servsock or with the FullPayload parameter in the servsock.conf file.

OPTIONS

-a

Build a pcap file of all packets with the same revision (tagged packets) which contain SID and CID. The option -t is activated automatically, so an extended database schema is required (see README.payload).

-c <config>

Use the file config as the configuration file. The options for database access must be set in this file. The default is the file getpacket.conf in the configuration directory given during installation. See getpacket.conf(5) for more details.
NOTE: A configuration file is required!

-C CounterID

Sets the CID of the packet to be rebuilt; see option -S. This option is required.

-S SensorID

Sets the SID of the packet to be rebuilt; see option -C. This option is required. Together, SID and CID form the unambiguous key under which the packet is found in the database.

-h

Print a help message and exit.

-t

Build a pcap file of all packets with the same revision (tagged packets), starting with SID and CID. This requires an extended database schema (see README.payload).

-v

Output version information and exit.

-w DumpFile

Sets the name of the file in which the pcap data is stored. The special file name '' (the empty string) represents stdout. The default is the file "/var/tmp/dump".

-z

Do not follow tagged packets. This overrides the activation of reference in the configuration file.

FILES

getpacket.conf

EXAMPLES

To run this program the standard way, type (for sensor 1 and packet number 101 of this sensor):

getpacket -S 1 -C 101

To run it with the servsock.conf(5) file and pipe the data to tcpdump:

getpacket -c servsock.conf -S 1 -C 101 -w |tcpdump -r -
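The following POSIX shell script is an added example; it is not part of getpacket or servsock. It assumes getpacket and tcpdump are in PATH and that a valid configuration file exists; the function names pcap_magic, pcap_packet_count, make_sample_pcap and rebuild_and_inspect, and the sample capture, are constructed for this example. It checks that the file written with -w really is a libpcap capture (global-header magic 0xa1b2c3d4, or 0xa1b23c4d for nanosecond timestamps) and counts its records before tcpdump decodes it, so that a truncated or empty dump from a database with an incomplete payload schema is noticed instead of silently yielding "0 packets".

```shell
#!/bin/sh
# Added example, not part of getpacket: validate the dump file written by
# "getpacket -w DumpFile" before handing it to tcpdump.  Function names and the
# sample capture are constructed for this example.

# pcap_magic FILE: print the byte order of a libpcap file, derived from the
# 4-byte global-header magic (0xa1b2c3d4, or 0xa1b23c4d for nanosecond
# timestamps).  Fails for anything that is not a pcap file.
pcap_magic() {
    m=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$m" in
        d4c3b2a1 | 4d3cb2a1) echo little ;;
        a1b2c3d4 | a1b23c4d) echo big ;;
        *) return 1 ;;
    esac
}

# pcap_packet_count FILE: walk the 16-byte record headers (ts_sec, ts_usec,
# incl_len, orig_len) that follow the 24-byte global header and print the
# number of packets.  Fails if the file is not a pcap or ends mid-record.
pcap_packet_count() {
    f=$1
    order=$(pcap_magic "$f") || return 1
    size=$(wc -c < "$f" | tr -d ' ')
    off=24
    n=0
    while [ "$off" -lt "$size" ]; do
        [ $((off + 16)) -le "$size" ] || return 1
        # incl_len sits 8 bytes into the record header
        bytes=$(od -An -tx1 -j $((off + 8)) -N4 "$f" | tr -d ' \n')
        if [ "$order" = little ]; then
            hex=$(printf '%s' "$bytes" | sed 's/\(..\)\(..\)\(..\)\(..\)/\4\3\2\1/')
        else
            hex=$bytes
        fi
        len=$((0x$hex))
        off=$((off + 16 + len))
        [ "$off" -le "$size" ] || return 1
        n=$((n + 1))
    done
    echo "$n"
}

# make_sample_pcap FILE: write a constructed little-endian pcap (linktype 1,
# snaplen 65535) holding two 4-byte records, so the checks can run offline.
make_sample_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
    printf '\000\000\000\000\000\000\000\000\004\000\000\000\004\000\000\000\336\255\276\357' >> "$1"
    printf '\000\000\000\000\000\000\000\000\004\000\000\000\004\000\000\000\001\002\003\004' >> "$1"
}

# rebuild_and_inspect CONFIG SID CID: run getpacket (assumed to be in PATH),
# validate the dump file, then let tcpdump decode it.  Not exercised offline.
rebuild_and_inspect() {
    cfg=$1; sid=$2; cid=$3
    dump=$(mktemp) || return 1
    if ! getpacket -c "$cfg" -S "$sid" -C "$cid" -w "$dump"; then
        rm -f "$dump"; return 1
    fi
    if ! count=$(pcap_packet_count "$dump"); then
        echo "$dump: not a valid pcap, refusing to decode" >&2
        rm -f "$dump"; return 1
    fi
    echo "rebuilt $count packet(s) for SID $sid, CID $cid" >&2
    tcpdump -nn -r "$dump"
    rm -f "$dump"
}
```

Source the file and call, for example, rebuild_and_inspect getpacket.conf 1 101. Writing to a temporary file instead of the '' stdout form keeps the validation step in front of tcpdump, and the diagnostics go to stderr for the same reason the program itself uses stderr for its warnings.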

AUTHORS

Dirk Geschke <Dirk@geschke-online.de>

NOTES

You can use the servsock.conf(5) file instead of a separate getpacket.conf(5) file. The additional, unneeded values are simply printed as warnings to stderr. stderr is used to avoid problems if the pcap packet is printed to stdout.

SEE ALSO

getpacket.conf(5), servsock.conf(5), snort(8)