Hi
I run a dark net and feed data to one of the well known security
organisations. I get the dark net data from the drop logs on our
firewall by running tcpdump with appropriate filters. Up until now I
have piped the data from tcpdump through a perl script to produce a
standardised ASCII version that is then shipped off for aggregation
and analysis.
Now we would like to export a pcap file and things get a little
strange. Some systems (MacOSX and whatever the folk doing the analysis
use) recognise the link type and will read the file OK, *but* as soon
as you apply a filter you don't get any output. Linux systems refuse
to read the files at all giving an unknown link type error.
Does anyone have any suggestions as to how we can get data in pf log
files into pcap files that can be read (and filtered) on other systems?
Worst comes to the worst I'll get tcpdump to record the traffic from
the incoming interface rather than extracting it from the pf logs.
Russell Fulton
Information Security Officer, The University of Auckland
New Zealand
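One approach to the problem described in the post, as an added example (not the poster's perl script and not part of the original message): rewrite the pflog capture into a raw-IP capture before shipping it. A pf log file is a pcap file with link type 117 (LINKTYPE_PFLOG); every record starts with a pfloghdr whose first byte is the header's own length (tcpdump's pflog decoder rounds that length up to a 4-byte boundary), and the IP packet follows immediately. Stripping that header and relabelling the file as link type 101 (LINKTYPE_RAW) gives a file that old libpcap builds without pflog support can open, and on which `tcpdump -r file.pcap host x` style filters match, because the filter compiler knows how to handle raw IP. Assumptions: the input is a classic microsecond pcap (magic 0xa1b2c3d4 in either byte order), and the input file was written by pflog/tcpdump with the first header byte as the length. The sample capture built by `build_sample_pflog_pcap` is constructed test data, not a real drop log.

```python
import io
import struct
import sys

LINKTYPE_PFLOG = 117  # pcap link type used for OpenBSD pf log captures
LINKTYPE_RAW = 101    # pcap link type for raw IPv4/IPv6 packets with no link header


def _endian(magic_bytes):
    """Return the struct byte-order prefix implied by the pcap magic number."""
    if magic_bytes == b"\xd4\xc3\xb2\xa1":
        return "<"
    if magic_bytes == b"\xa1\xb2\xc3\xd4":
        return ">"
    raise ValueError("not a microsecond-resolution pcap file")


def linktype_of(pcap_bytes):
    """Read the link type field (offset 20) of a pcap global header."""
    e = _endian(pcap_bytes[:4])
    return struct.unpack(e + "I", pcap_bytes[20:24])[0]


def pflog_to_raw_ip(pcap_bytes):
    """Convert a LINKTYPE_PFLOG pcap to a LINKTYPE_RAW pcap.

    Returns (converted_bytes, number_of_records_written).  Records whose
    captured data is shorter than the pflog header claims are skipped;
    a truncated trailing record ends the conversion cleanly.
    """
    if len(pcap_bytes) < 24:
        raise ValueError("truncated pcap global header")
    e = _endian(pcap_bytes[:4])
    magic, vmaj, vmin, zone, sigfigs, snaplen, linktype = struct.unpack(
        e + "IHHiIII", pcap_bytes[:24])
    if linktype != LINKTYPE_PFLOG:
        raise ValueError("expected link type %d (pflog), got %d" % (LINKTYPE_PFLOG, linktype))

    out = io.BytesIO()
    # Same global header, only the link type changes.
    out.write(struct.pack(e + "IHHiIII", magic, vmaj, vmin, zone, sigfigs, snaplen, LINKTYPE_RAW))

    pos, written = 24, 0
    while pos + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(e + "IIII", pcap_bytes[pos:pos + 16])
        pos += 16
        data = pcap_bytes[pos:pos + incl_len]
        pos += incl_len
        if incl_len == 0 or len(data) < incl_len:
            break  # truncated final record: stop rather than emit garbage
        hdrlen = (data[0] + 3) & ~3  # BPF_WORDALIGN(pfloghdr.length), as tcpdump does
        if hdrlen > len(data):
            continue  # header claims more bytes than were captured; skip it
        payload = data[hdrlen:]
        out.write(struct.pack(e + "IIII", ts_sec, ts_usec, len(payload), orig_len - hdrlen))
        out.write(payload)
        written += 1
    return out.getvalue(), written


def build_sample_pflog_pcap():
    """Constructed one-record pflog capture (test data, not a real drop log)."""
    # Minimal IPv4 header (20 bytes, checksum left zero) followed by an 8-byte UDP header.
    ip = bytes([0x45, 0x00, 0x00, 0x1c, 0, 0, 0, 0, 64, 17, 0, 0,
                10, 0, 0, 1, 10, 0, 0, 2])
    udp = struct.pack(">HHHH", 12345, 53, 8, 0)
    # pfloghdr: length=64, af=2 (AF_INET), action, reason, ifname[16], ruleset[16], then
    # rule/uid/pid/dir fields padded out to the declared length.  Only the length byte matters here.
    pfhdr = bytes([64, 2, 1, 0]) + b"em0".ljust(16, b"\0") + bytes(16) + bytes(28)
    rec = pfhdr + ip + udp
    gh = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, LINKTYPE_PFLOG)
    rh = struct.pack("<IIII", 1000000000, 0, len(rec), len(rec))
    return gh + rh + rec


if __name__ == "__main__":
    # usage: python pflog2raw.py in.pcap out.pcap
    with open(sys.argv[1], "rb") as f:
        converted, n = pflog_to_raw_ip(f.read())
    with open(sys.argv[2], "wb") as f:
        f.write(converted)
    print("wrote %d raw-IP records, link type %d" % (n, linktype_of(converted)))
```

The resulting file loses the pf-specific fields (interface, rule number, action), which is acceptable when the receiving side only wants the packets; if those fields are needed the ASCII export the post already does remains the place to carry them.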