GetPcapFromSancpIndex.pl   v 0.1

This is a Perl script that works with SANCP version 1.6.2+ index output files to retrieve packets from within large pcap files without the time cost of parsing the whole file: the index already records the byte offsets of each connection, so the script only has to seek to them.

Download link: getpcapfromsancpindex.pl

HOWTO: getpcapfromsancpindex.pl
===============================

The default format of the index output file contains sancp_id, output_filename, start_pos, stop_pos. This format requires you to know the sancp_id of a connection to locate the corresponding packet offsets. You can find the required sancp_id in the realtime or stats output files, OR you can just modify the index output format to include this additional information.

In the example below, I modify the 'index' output format in sancp.conf to include the basic 5-tuple information needed to tell connections apart. Since the script expects the first four fields to stay as they are, we preserve that layout by appending the extra fields to the end of the format, as shown below.

  Example:   

        echo "default index log" >> sancp.conf
        echo "format index delimiter='|' sancp_id, output_filename, start_pos, stop_pos, src_ip_dotted, dst_ip_dotted, ip_proto, src_port, dst_port" >> sancp.conf
        sancp -i eth0 -c sancp.conf -d /myarchivedir/ -D

    The above enables the index output, adds the 5-tuple information to the end of the index output format, and then starts sancp with this new configuration.

    Now you can extract packets for related sessions/flows as shown below.

        grep "|192.168.1.1|192.168.1.2|17|137|137|" /myarchivedir/index | ./getpcapfromsancpindex.pl   192.168.1.1_
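The pipeline above is the whole technique: an index line supplies sancp_id, output_filename, start_pos and stop_pos, and the extractor seeks straight to those offsets instead of walking every record. The following Python is an added illustration of that idea and is not getpcapfromsancpindex.pl itself or any SANCP code. It builds a small pcap in memory (constructed test data), parses an index line in the format from this HOWTO, copies the global header plus the byte range for the connection, and then walks the carved record headers as a sanity check so a misaligned offset fails loudly instead of producing a corrupt file. Two assumptions are labelled in the code: stop_pos is treated as the offset just past the last record (check the semantics of your SANCP version), and the trailing argument in the HOWTO's command line is treated as an output filename prefix.

```python
import io
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # little-endian pcap magic
GLOBAL_HDR_LEN = 24          # pcap file header size
RECORD_HDR_LEN = 16          # per-packet record header size


def build_pcap(frames):
    """Build a little-endian pcap 2.4 (LINKTYPE_ETHERNET = 1) from raw frames.
    Returns (pcap_bytes, offsets) with offsets[i] = byte offset of record i.
    Constructed test data, not a real capture."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1))
    offsets = []
    for i, frame in enumerate(frames):
        offsets.append(len(out))
        # ts_sec, ts_usec, caplen, origlen
        out += struct.pack("<IIII", 1_200_000_000 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out), offsets


def parse_index_line(line, delimiter="|"):
    """Parse one 'index' output line: sancp_id, output_filename, start_pos,
    stop_pos, followed by whatever fields were appended (here the 5-tuple)."""
    fields = line.rstrip("\n").split(delimiter)
    if len(fields) < 4:
        raise ValueError("index line needs sancp_id, output_filename, start_pos, stop_pos")
    return {
        "sancp_id": fields[0],
        "output_filename": fields[1],
        "start_pos": int(fields[2]),
        "stop_pos": int(fields[3]),
        "extra": fields[4:],
    }


def extract_range(pcap_fh, start_pos, stop_pos):
    """Return a standalone pcap: the global header followed by the bytes
    [start_pos, stop_pos). Assumption: stop_pos is exclusive (just past the
    last record of the connection). No record parsing happens here, only seeks."""
    pcap_fh.seek(0)
    header = pcap_fh.read(GLOBAL_HDR_LEN)
    if len(header) != GLOBAL_HDR_LEN or struct.unpack("<I", header[:4])[0] != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian pcap file")
    if start_pos < GLOBAL_HDR_LEN or stop_pos < start_pos:
        raise ValueError("offsets fall outside the record area")
    pcap_fh.seek(start_pos)
    body = pcap_fh.read(stop_pos - start_pos)
    if len(body) != stop_pos - start_pos:
        raise ValueError("short read: index offsets exceed the pcap size")
    return header + body


def count_records(pcap_bytes):
    """Walk the record headers of a carved pcap and return the packet count.
    Raises if the slice is not record-aligned, i.e. the offsets were wrong."""
    pos, n = GLOBAL_HDR_LEN, 0
    while pos < len(pcap_bytes):
        if len(pcap_bytes) - pos < RECORD_HDR_LEN:
            raise ValueError("truncated record header at offset %d" % pos)
        _, _, caplen, origlen = struct.unpack("<IIII", pcap_bytes[pos:pos + RECORD_HDR_LEN])
        if caplen > origlen or pos + RECORD_HDR_LEN + caplen > len(pcap_bytes):
            raise ValueError("record at offset %d is inconsistent" % pos)
        pos += RECORD_HDR_LEN + caplen
        n += 1
    return n


def carve_from_index(index_lines, open_pcap, prefix):
    """Mirror the HOWTO pipeline: each index line yields '<prefix><sancp_id>.pcap'.
    open_pcap(filename) returns a binary file-like object (hypothetical hook so the
    example runs offline). Returns {output_name: pcap_bytes}."""
    results = {}
    for line in index_lines:
        entry = parse_index_line(line)
        with open_pcap(entry["output_filename"]) as fh:
            data = extract_range(fh, entry["start_pos"], entry["stop_pos"])
        count_records(data)  # fail before anything corrupt is written
        results["%s%s.pcap" % (prefix, entry["sancp_id"])] = data
    return results


def demo():
    """Carve records 1 and 2 of a four-packet constructed capture."""
    frames = [b"\x00" * 60, b"\x11" * 42, b"\x22" * 80, b"\x33" * 60]
    pcap, offs = build_pcap(frames)
    start, stop = offs[1], offs[3]  # stop = offset of record 3 = end of record 2
    line = "7|/myarchivedir/capture.pcap|%d|%d|192.168.1.1|192.168.1.2|17|137|137" % (start, stop)
    files = {"/myarchivedir/capture.pcap": pcap}  # constructed archive directory
    return carve_from_index([line], lambda name: io.BytesIO(files[name]), "192.168.1.1_")


if __name__ == "__main__":
    for name, data in demo().items():
        print(name, len(data), "bytes,", count_records(data), "packets")
```

Because the carve is a raw byte range, it contains every record captured between the first and last packet of the connection; in a busy capture that includes packets of other flows that were interleaved, so apply a 5-tuple filter to the carved file if you need exactly one session.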
 

Suggestions:
- provide a full path when running SANCP (using '-d /fullpath') to ensure absolute filenames are written to the 'index' file
- you may also want to replace sancp_id with another field such as 'start_time_local_unixtime', swapping the larger 64-bit time-based value for the smaller 32-bit time-based value


John (20080314)