<div dir="ltr">Not a full script that tails the file, but it's something. Say if you have some events and want to look deeper into them, and you just have the eve.json file.<div><br></div><div><a href="https://github.com/Maxtors/evepcapparser">https://github.com/Maxtors/evepcapparser</a><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2014-12-17 17:48 GMT+01:00 Victor Julien <span dir="ltr"><<a href="mailto:lists@inliniac.net" target="_blank">lists@inliniac.net</a>></span>:<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 12/17/2014 04:18 PM, Eric Leblond wrote:<br>
> Hi,<br>
><br>
> On Wed, 2014-12-17 at 16:11 +0100, Michał Purzyński wrote:<br>
>> Hey, starting from 2.1beta1 Suricata can output packet data, base64<br>
>> encoded, in JSON. I decided to give it a try and am wondering, how do<br>
>> I convert the data to pcap format?<br>
><br>
> You can use scapy (<a href="http://www.secdev.org/projects/scapy/doc/index.html" target="_blank">http://www.secdev.org/projects/scapy/doc/index.html</a>)<br>
> for that:<br>
><br>
> $ scapy<br>
> Welcome to Scapy (2.2.0)<br>
>>>> import base64<br>
>>>> packet = "2FDmPDJQ9MrlS21yCABFAAA0/nVAADQGosRnKXw3wKgBgaqAABZAL82qoYTE9YARAPrDawAAAQEICgdqPOgTApaN"<br>
>>>> p = Ether(base64.b64decode(packet))<br>
>>>> wrpcap("/tmp/payload.pcap",p)<br>
><br>
<br>
</span>Nice one Eric. Someone should write a script to tail eve.json and write<br>
pcaps in the <sid>.pcap format...<br>
<br>
Although it's just a single packet currently. Would like to add more,<br>
but not sure how yet.<br>
<span class="HOEnZb"><font color="#888888">--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Training now available: <a href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/training/</a></div></div></blockquote></div></div>
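<div>Added example, not code from this thread or from the evepcapparser project: a small Python script that does what Victor asks for. It reads eve.json lines, decodes the base64 "packet" field of each alert, and appends the frame to one pcap per signature id, writing the classic pcap format directly so scapy is not required. The sample eve lines are constructed (the frame is the one Eric posted), and the field layout (top-level "packet", alert.signature_id) is assumed from Suricata 2.1 output.</div>

```python
import base64
import calendar
import json
import os
import struct
from datetime import datetime
# Classic pcap file header: magic 0xa1b2c3d4 (little endian, microsecond timestamps),
# version 2.4, no tz offset, snaplen 65535, link type 1 = Ethernet.
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

# Constructed sample eve.json lines; the base64 frame is the one from the thread.
# Field layout (top-level "packet", alert.signature_id) is assumed from Suricata 2.1.
SAMPLE_EVE = """
{"timestamp":"2014-12-17T16:11:00.000001+0100","event_type":"alert","alert":{"signature_id":2000001,"signature":"CONSTRUCTED test sig"},"packet":"2FDmPDJQ9MrlS21yCABFAAA0/nVAADQGosRnKXw3wKgBgaqAABZAL82qoYTE9YARAPrDawAAAQEICgdqPOgTApaN"}
{"timestamp":"2014-12-17T16:11:05.500000+0100","event_type":"flow","flow":{"pkts_toserver":3}}
{"timestamp":"2014-12-17T16:11:09.250000+0100","event_type":"alert","alert":{"signature_id":2000001,"signature":"CONSTRUCTED test sig"},"packet":"2FDmPDJQ9MrlS21yCABFAAA0/nVAADQGosRnKXw3wKgBgaqAABZAL82qoYTE9YARAPrDawAAAQEICgdqPOgTApaN"}
"""

def eve_timestamp(ts):
    """Convert a Suricata timestamp like 2014-12-17T16:11:00.000001+0100 to (sec, usec) UTC."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
    return calendar.timegm(dt.utctimetuple()), dt.microsecond

def group_frames(eve_lines):
    """Return {signature_id: [(sec, usec, raw_frame), ...]} for alert events carrying a packet."""
    frames = {}
    for line in eve_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert" or "packet" not in ev:
            continue  # flow/http/... events and alerts without packet data are skipped
        sec, usec = eve_timestamp(ev["timestamp"])
        raw = base64.b64decode(ev["packet"])
        frames.setdefault(ev["alert"]["signature_id"], []).append((sec, usec, raw))
    return frames

def build_pcap(frames):
    """Serialise a list of (sec, usec, raw_frame) into a complete pcap file image."""
    records = [struct.pack("<IIII", sec, usec, len(raw), len(raw)) + raw for sec, usec, raw in frames]
    return PCAP_GLOBAL_HEADER + b"".join(records)

def write_pcaps(eve_lines, out_dir):
    """Write one pcap per signature id into out_dir; return {sid: packet_count}."""
    os.makedirs(out_dir, exist_ok=True)
    counts = {}
    for sid, frames in group_frames(eve_lines).items():
        with open(os.path.join(out_dir, f"{sid}.pcap"), "wb") as fh:
            fh.write(build_pcap(frames))
        counts[sid] = len(frames)
    return counts
```

Run it as `write_pcaps(open("eve.json"), "/tmp/eve_pcaps")` to get one pcap per signature id from a real eve.json; the flow event in the sample shows that non-alert records are ignored.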