Convert a Base64-encoded packet captured by the Suricata IDS into a binary PCAP file for analysis.
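#!/usr/bin/env python2
"""Wrap one Base64-encoded packet in a single-record PCAP file on stdout.

The packet bytes come from the IDS as an opaque blob (e.g. a Suricata
alert's Base64 payload field) and are copied into the capture verbatim;
nothing in the packet is parsed or trusted here, the script only adds the
PCAP file header and one record header so that a packet analyser can open
it.  The input carries no timestamp, so the record timestamp is zero.

Works under Python 2 and 3: the capture is written to the binary stdout
stream when one exists (Python 3 ``sys.stdout.buffer``), otherwise to
``sys.stdout`` itself (Python 2, where ``str`` is bytes).
"""
import base64
import struct
import sys

# PCAP global header values.  The magic is packed in native byte order on
# purpose: readers detect the file's endianness from it (0xa1b2c3d4 vs
# 0xd4c3b2a1) and interpret every other header field accordingly.
PCAP_MAGIC = 0xa1b2c3d4
PCAP_VERSION_MAJOR = 2
PCAP_VERSION_MINOR = 4
PCAP_THISZONE = 0            # GMT-to-local correction; always 0 in practice
PCAP_SIGFIGS = 0             # accuracy of timestamps; always 0 in practice
PCAP_SNAPLEN = 0xffffffff    # kept from the original script; a pcap reader may clamp it
PCAP_LINKTYPE_ETHERNET = 1

# "=" selects native byte order with standard (4-byte I, 2-byte H) sizes and
# no alignment padding, so the header is exactly 24 + 16 bytes everywhere.
_FILE_HEADER = struct.Struct("=IHHIIII")
_RECORD_HEADER = struct.Struct("=IIII")


def pcap_bytes(packet):
    """Return a complete PCAP file (bytes) holding *packet* as its only record.

    Args:
        packet: raw packet bytes, assumed to start at the Ethernet header
            (the link type written is Ethernet).

    Returns:
        The 24-byte file header, a 16-byte record header whose captured and
        original lengths both equal ``len(packet)``, followed by the packet.
    """
    file_header = _FILE_HEADER.pack(
        PCAP_MAGIC,
        PCAP_VERSION_MAJOR,
        PCAP_VERSION_MINOR,
        PCAP_THISZONE,
        PCAP_SIGFIGS,
        PCAP_SNAPLEN,
        PCAP_LINKTYPE_ETHERNET,
    )
    record_header = _RECORD_HEADER.pack(
        0,            # timestamp seconds (unknown, see module docstring)
        0,            # timestamp microseconds
        len(packet),  # bytes of packet saved in this record
        len(packet),  # original on-the-wire length (no truncation)
    )
    return file_header + record_header + packet


def main(argv):
    """Decode ``argv[1]`` as Base64 and write the resulting PCAP to stdout.

    Prints a usage line to stdout when no argument is given, and
    ``Invalid base64`` to stderr when the argument does not decode.  Only the
    decode is guarded: any failure while writing propagates, so an I/O
    error is no longer misreported as bad input and Ctrl-C still works.
    """
    if len(argv) <= 1:
        sys.stdout.write("Usage: %s <base64>\n" % argv[0])
        return
    try:
        # TypeError covers Python 2's bad-padding error, ValueError the
        # binascii.Error raised by Python 3.
        packet = base64.b64decode(argv[1])
    except (TypeError, ValueError):
        sys.stderr.write('Invalid base64\n')
        return
    out = getattr(sys.stdout, 'buffer', sys.stdout)
    out.write(pcap_bytes(packet))
    out.flush()


if __name__ == "__main__":
    main(sys.argv)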