Project author: alirez

Project description:
Generates pcapng files from FortiGate sniffer output.
Language: Rust
Project address: git://github.com/alirez/snifos.git
Created: 2021-03-08T06:38:51Z
Project community: https://github.com/alirez/snifos

License: MIT License


snifos

snifos converts FortiOS sniffer output to
pcapng. It’s written in Rust, and
tries to be fast and flexible.

Features

  • Generates pcapng files, with interface name and packet direction
    information (if that information is available in the input file).
  • Supports absolute and relative timestamps.
  • Can extract multiple pcapng files from a single input file.
    (--split)
  • Supports the “raw IP” link type (LINKTYPE_RAW), useful for
    converting packets captured on tunnel interfaces. (--raw)
  • Memory and storage efficient. It doesn’t generate an intermediate
    file, nor does it store all packets in memory.
  • Single binary, with no runtime dependency, for Linux, MacOS and
    Windows.

Usage

  $ ./snifos -h
  snifos 0.1.0
  A tool for converting FortiOS sniffer output to pcapng

  USAGE:
      snifos [FLAGS] [OPTIONS] --input <INPUT> --output <OUTPUT>

  FLAGS:
      -h, --help       Prints help information
      -s, --split      Create a new pcapng file for each sniffer run in the input
      -V, --version    Prints version information
      -v, --verbose    Enables verbose output

  OPTIONS:
      -i, --input <INPUT>      Input file (use - for stdin)
      -o, --output <OUTPUT>    Output file (use - for stdout)
      -r, --raw <RAW>...       Regex matching interfaces converted with the raw link type

Generating a single output pcapng file

  $ ./snifos -i test.txt -o test.pcapng
  Creating a new file: test.pcapng

Generating one pcapng file for each sniffer run in the input file

If the input file contains the output of multiple instances of the
sniffer command, you can split it into multiple pcapng files.

  $ ./snifos -i test.txt -o test --split
  Creating a new file: test-1.pcapng
  Creating a new file: test-2.pcapng

In this case, the -o argument takes a prefix. This prefix is used to
generate the output file names.

If the packets captured on some interfaces in the input file don’t
contain an Ethernet header, use the --raw (or -r) option to convert
them properly. Any interface whose name matches a regular expression
passed in this way is treated as a “raw IP” link (LINKTYPE_RAW), so
the first byte of each packet is read as the start of the IP header.
This is especially useful when converting packets captured on tunnel
interfaces (e.g. IPsec).

  $ ./snifos -i test.txt -o test.pcapng --raw 'tunnel.*'
  Creating a new file: test.pcapng

Timestamps

Relative timestamps are converted to absolute timestamps before being
written to the output file. This is done by adding the relative time
to a “start” time, which is the system clock time at the moment
parsing starts for the output of a sniffer run. The absolute times in
the resulting file therefore reflect when the conversion ran, not when
the packets were captured; if the capture time matters, have the
sniffer emit absolute timestamps instead (see Features).
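The following is an added example written for this page, not code from the snifos project. It makes the --raw and timestamp behaviour described above concrete by doing the whole conversion in miniature with the Rust standard library: it parses a small constructed sample (not real traffic) in the FortiOS verbose-3 line layout that the comments assume, adds each relative timestamp to a caller-supplied "start" time (a parameter here, where snifos reads the system clock), writes one pcapng Interface Description Block per interface with its name, picks LINKTYPE_RAW for interfaces matched by a plain name-prefix list (standing in for snifos's --raw regex), and records the packet direction in each Enhanced Packet Block's epb_flags option.

```rust
// Added example (not the snifos project's code): a minimal FortiOS sniffer to pcapng converter
// using only the standard library. ASSUMED input layout (FortiOS verbose-3 style):
// "<rel_seconds> <iface> <in|out|--> <summary>" then "0x<offset>\t<hex words>\t<ascii>" lines;
// any other line (e.g. "interfaces=[any]") is skipped.
const LINKTYPE_ETHERNET: u16 = 1;
const LINKTYPE_RAW: u16 = 101;

/// Constructed sample in the assumed format (not real traffic).
pub const SAMPLE: &str = "interfaces=[any]\nfilters=[none]\n\
0.000123 port1 in 10.0.0.1.40000 -> 10.0.0.2.80: syn 1\n\
0x0000\t ffff ffff ffff 0011 2233 4455 0800 4500\t.......3DU..E.\n\
0x0010\t 0014 0000 4000 4001 0000 0a00 0001 0a00\t....@.@.........\n\
0x0020\t 0002\t..\n\
1.500000 tunnel1 out 10.0.0.2 -> 10.0.0.1: icmp: echo request\n\
0x0000\t 4500 0014 0000 4000 4001 0000 0a00 0002\tE.....@.@.......\n\
0x0010\t 0a00 0001\t....\n";

/// dir: epb_flags direction bits (0 unknown, 1 inbound, 2 outbound); ts_us: absolute µs since the epoch.
pub struct Packet { pub iface: String, pub dir: u32, pub ts_us: u64, pub data: Vec<u8> }

/// Parse sniffer text. `start_us` plays the role of snifos's "start" time:
/// each relative timestamp is added to it to produce an absolute one.
pub fn parse(input: &str, start_us: u64) -> Vec<Packet> {
    let mut pkts: Vec<Packet> = Vec::new();
    for line in input.lines() {
        if line.starts_with("0x") {
            // Hex-dump line: use only the field between the first and second tab; the ASCII column may look like hex too.
            let hex = line.split('\t').nth(1).unwrap_or("");
            if let Some(cur) = pkts.last_mut() {
                let digits: Vec<u8> = hex.bytes().filter(u8::is_ascii_hexdigit).collect();
                for pair in digits.chunks_exact(2) {
                    cur.data.push(u8::from_str_radix(std::str::from_utf8(pair).unwrap(), 16).unwrap());
                }
            }
            continue;
        }
        let f: Vec<&str> = line.split_whitespace().collect();
        if f.len() < 3 { continue; }
        let rel = match f[0].parse::<f64>() { Ok(v) => v, Err(_) => continue };
        let dir = match f[2] { "in" => 1, "out" => 2, _ => 0 };
        let ts_us = start_us + (rel * 1e6).round() as u64;
        pkts.push(Packet { iface: f[1].to_string(), dir, ts_us, data: Vec::new() });
    }
    pkts
}

fn put_u16(v: &mut Vec<u8>, x: u16) { v.extend_from_slice(&x.to_le_bytes()); }
fn put_u32(v: &mut Vec<u8>, x: u32) { v.extend_from_slice(&x.to_le_bytes()); }
fn pad4(v: &mut Vec<u8>) { while v.len() % 4 != 0 { v.push(0); } }
fn block(kind: u32, body: &[u8]) -> Vec<u8> { // frame: type, total length, body, total length (LE)
    let (total, mut b) = ((body.len() + 12) as u32, Vec::new());
    put_u32(&mut b, kind); put_u32(&mut b, total);
    b.extend_from_slice(body); put_u32(&mut b, total);
    b
}
fn option(body: &mut Vec<u8>, code: u16, value: &[u8]) { // code, length, value padded to 32 bits
    put_u16(body, code); put_u16(body, value.len() as u16);
    body.extend_from_slice(value); pad4(body);
}

/// Serialize packets as pcapng: one IDB per interface, numbered in order of first use.
/// A plain name-prefix match against `raw_prefixes` stands in for snifos's --raw regex.
pub fn to_pcapng(pkts: &[Packet], raw_prefixes: &[&str]) -> Vec<u8> {
    let mut shb = Vec::new();
    put_u32(&mut shb, 0x1A2B_3C4D); put_u16(&mut shb, 1); put_u16(&mut shb, 0); // magic, version 1.0
    shb.extend_from_slice(&(-1i64).to_le_bytes()); // section length: unspecified
    let mut out = block(0x0A0D_0D0A, &shb);
    let mut names: Vec<&str> = Vec::new(); // interface id == index of first appearance
    for p in pkts {
        let pos = names.iter().position(|n| *n == p.iface);
        let id = if let Some(i) = pos { i as u32 } else {
            let raw = raw_prefixes.iter().any(|pre| p.iface.starts_with(*pre));
            let mut idb = Vec::new();
            put_u16(&mut idb, if raw { LINKTYPE_RAW } else { LINKTYPE_ETHERNET });
            put_u16(&mut idb, 0); put_u32(&mut idb, 262_144); // reserved, snaplen
            option(&mut idb, 2, p.iface.as_bytes()); // if_name
            option(&mut idb, 0, &[]); // opt_endofopt
            out.extend(block(1, &idb));
            names.push(&p.iface);
            (names.len() - 1) as u32
        };
        let mut epb = Vec::new(); put_u32(&mut epb, id);
        put_u32(&mut epb, (p.ts_us >> 32) as u32); put_u32(&mut epb, p.ts_us as u32); // µs timestamp hi/lo
        put_u32(&mut epb, p.data.len() as u32); put_u32(&mut epb, p.data.len() as u32); // captured/original len
        epb.extend_from_slice(&p.data); pad4(&mut epb);
        option(&mut epb, 2, &p.dir.to_le_bytes()); // epb_flags: direction
        option(&mut epb, 0, &[]);
        out.extend(block(6, &epb));
    }
    out
}

fn main() {
    let pkts = parse(SAMPLE, 1_615_185_531_000_000); // "start" = 2021-03-08T06:38:51Z
    let pcap = to_pcapng(&pkts, &["tunnel"]);
    std::fs::write("sample.pcapng", &pcap).expect("write sample.pcapng");
    println!("{} packets, {} bytes written to sample.pcapng", pkts.len(), pcap.len());
}
```

Compile with rustc and run; opening sample.pcapng in Wireshark shows port1 as Ethernet and tunnel1 as raw IP, with the in/out direction in the frame details. Two details are worth noting: the hex bytes are taken only from the field between the first and second tab, because the ASCII column of a sniffer dump can itself contain characters that look like hex; and the timestamp is carried as a 64-bit microsecond count that the EPB splits into high and low 32-bit words, which is why the start time is expressed in microseconds rather than seconds. Unlike snifos, this example does not stream: it holds all packets in memory, which is fine for a sample but not for a 100000-packet capture.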

Performance

Quick, unscientific comparison with the Perl-based converter fgt2eth.pl (which uses text2pcap internally), on the same 100000-packet input:

  $ uname -a
  Linux leela 5.10.16-arch1-1 #1 SMP PREEMPT Sat, 13 Feb 2021 20:50:18 +0000 x86_64 GNU/Linux
  $ time target/release/snifos -i large.txt -o large.pcapng
  Creating a new file: large.pcapng
  real    0m8.450s
  user    0m8.282s
  sys     0m0.163s
  $ tcpdump -n --count -r large.pcapng
  reading from file large.pcapng, link-type EN10MB (Ethernet), snapshot length 262144
  100000 packets
  $ rm large.pcapng
  $ time ./fgt2eth.pl -in large.txt -out large.pcap
  real    1m56.745s
  user    1m31.995s
  sys     1m2.213s
  $ tcpdump -n --count -r large.pcap
  reading from file large.pcap, link-type EN10MB (Ethernet), snapshot length 262144
  100000 packets

License

This project is licensed under the MIT license.

See LICENSE-MIT for details.