Next: 1.7 Basic Output Up: 1. Snort Overview Previous: 1.5 Packet Acquisition Contents
Instead of having Snort listen on an interface, you can give it a packet capture to read. Snort will read and analyze the packets as if they came off the wire. This can be useful for testing and debugging Snort.
Any of the below can be specified multiple times on the command line (-r included) and in addition to other Snort command line options. Note, however, that specifying -pcap-reset and -pcap-show multiple times has the same effect as specifying them once.
| Option | Description |
|---|---|
| -r <file> | Read a single pcap. |
| -pcap-single=<file> | Same as -r. Added for completeness. |
| -pcap-file=<file> | File that contains a list of pcap files to read. Can specify path to each pcap or directory to recurse to get pcaps. |
| -pcap-list="<list>" | A space separated list of pcaps to read. |
| -pcap-dir=<dir> | A directory to recurse to look for pcaps. Sorted in ASCII order. |
| -pcap-filter=<filter> | Shell style filter to apply when getting pcaps from file or directory. This filter will apply to any -pcap-file or -pcap-dir arguments following. Use -pcap-no-filter to delete filter for following -pcap-file or -pcap-dir arguments or specify -pcap-filter again to forget previous filter and to apply to following -pcap-file or -pcap-dir arguments. |
| -pcap-no-filter | Reset to use no filter when getting pcaps from file or directory. |
| -pcap-reset | If reading multiple pcaps, reset snort to post-configuration state before reading next pcap. The default, i.e. without this option, is not to reset state. |
| -pcap-show | Print a line saying what pcap is currently being read. |
$ snort -r foo.pcap
$ snort --pcap-single=foo.pcap
$ cat foo.txt
foo1.pcap
foo2.pcap
/home/foo/pcaps
$ snort --pcap-file=foo.txt
This will read foo1.pcap, foo2.pcap and all files under /home/foo/pcaps. Note that Snort will not try to determine whether the files under that directory are really pcap files or not.
$ snort --pcap-list="foo1.pcap foo2.pcap foo3.pcap"
This will read foo1.pcap, foo2.pcap and foo3.pcap.
$ snort --pcap-dir="/home/foo/pcaps"
This will include all of the files under /home/foo/pcaps.
$ cat foo.txt
foo1.pcap
foo2.pcap
/home/foo/pcaps
$ snort --pcap-filter="*.pcap" --pcap-file=foo.txt
$ snort --pcap-filter="*.pcap" --pcap-dir=/home/foo/pcaps
The above will only include files that match the shell pattern "*.pcap", in other words, any file ending in ".pcap".
$ snort --pcap-filter="*.pcap --pcap-file=foo.txt \
> --pcap-filter="*.cap" --pcap-dir=/home/foo/pcaps
In the above, the first filter "*.pcap" will only be applied to the pcaps in the file "foo.txt" (and any directories that are recursed in that file). The addition of the second filter "*.cap" will cause the first filter to be forgotten and then applied to the directory /home/foo/pcaps, so only files ending in ".cap" will be included from that directory.
$ snort --pcap-filter="*.pcap --pcap-file=foo.txt \
> --pcap-no-filter --pcap-dir=/home/foo/pcaps
In this example, the first filter will be applied to foo.txt, then no filter will be applied to the files found under /home/foo/pcaps, so all files found under /home/foo/pcaps will be included.
$ snort --pcap-filter="*.pcap --pcap-file=foo.txt \
> --pcap-no-filter --pcap-dir=/home/foo/pcaps \
> --pcap-filter="*.cap" --pcap-dir=/home/foo/pcaps2
In this example, the first filter will be applied to foo.txt, then no filter will be applied to the files found under /home/foo/pcaps, so all files found under /home/foo/pcaps will be included, then the filter "*.cap" will be applied to files found under /home/foo/pcaps2.
$ snort --pcap-dir=/home/foo/pcaps --pcap-reset
The above example will read all of the files under /home/foo/pcaps, but after each pcap is read, Snort will be reset to a post-configuration state, meaning all buffers will be flushed, statistics reset, etc. For each pcap, it will be like Snort is seeing traffic for the first time.
$ snort --pcap-dir=/home/foo/pcaps --pcap-show
The above example will read all of the files under /home/foo/pcaps and will print a line indicating which pcap is currently being read.