eve2pcap – Eve Packet and Payload Conversion to pcap

I’ve added a new tool to my idstools package to convert the packets (or the payloads) found in Suricata eve logs to a pcap file.

To just grab the script, download eve2pcap.py and make it executable; or install the complete idstools package, which installs the tool as idstools-eve2pcap:

pip install --upgrade idstools

Usage is pretty simple:

./eve2pcap.py -o output.pcap /path/to/eve.json

Or to use the payload field instead of the packet field:

./eve2pcap.py -o output.pcap --payload /path/to/eve.json

For straight packet conversion the only dependencies are Python and libpcap: the packet field holds the captured frame as Suricata saw it (base64-encoded), so it is decoded and written out as-is. Converting the payload field requires Scapy, which is used to build the headers around the payload, so install it before using --payload.

It is also important to note that eve logs do not contain all the information needed to recreate the packet headers: an event records the flow tuple (addresses, ports, protocol) but not things like MAC addresses, IP IDs, TTLs or TCP sequence numbers. When converting payloads to pcap the headers are therefore "manufactured" from the tuple with placeholder values, which may not always produce the best packet for the payload, so YMMV. Check the output in Wireshark before feeding it to anything that tracks TCP state.
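As an added example, not the idstools code and using neither libpcap nor Scapy, here is the same conversion in pure Python: in packet mode the base64 packet field is decoded and written straight into a pcap, and in payload mode Ethernet, IPv4/IPv6 and TCP/UDP headers are synthesized from the event's src_ip, dest_ip, src_port, dest_port and proto fields, which is exactly the "manufactured headers" caveat above (MACs, sequence numbers and IP IDs are zero or fixed; checksums are computed so decoders do not flag the frames). The sample eve records are constructed for the example, not real Suricata output, and the packet_info.linktype check assumes the field that newer Suricata versions add to alerts; a record whose linktype disagrees with the file's is skipped rather than silently mislabelled.

```python
# Added example: eve.json to pcap in pure Python (not idstools' eve2pcap).
import base64
import json
import socket
import struct
from datetime import datetime

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
PROTO_NUM = {"TCP": 6, "UDP": 17}

def checksum(data):
    """RFC 1071 one's-complement sum over data (zero-padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_timestamp(ts):
    """Eve timestamps look like 2016-01-27T11:22:33.123456-0600."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
    return int(dt.timestamp()), dt.microsecond

def build_packet(ev):
    """Manufacture Ethernet/IP/TCP|UDP headers around the base64 payload field.
    Only the 5-tuple is in the log, so MACs, seq/ack and IP ID are zero."""
    payload = base64.b64decode(ev["payload"])
    proto = ev["proto"].upper()
    if proto not in PROTO_NUM:
        raise ValueError("cannot synthesize headers for proto %r" % proto)
    sport, dport = int(ev["src_port"]), int(ev["dest_port"])
    family = socket.AF_INET6 if ":" in ev["src_ip"] else socket.AF_INET
    src, dst = socket.inet_pton(family, ev["src_ip"]), socket.inet_pton(family, ev["dest_ip"])
    if proto == "TCP":  # data offset 5 words, flags PSH|ACK, window 65535, csum 0
        seg = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    seg += payload
    if family == socket.AF_INET:
        pseudo = src + dst + struct.pack("!BBH", 0, PROTO_NUM[proto], len(seg))
    else:
        pseudo = src + dst + struct.pack("!IBBBB", len(seg), 0, 0, 0, PROTO_NUM[proto])
    csum = checksum(pseudo + seg)
    if proto == "TCP":
        seg = seg[:16] + struct.pack("!H", csum) + seg[18:]
    else:  # UDP sends a computed 0 as 0xFFFF, since 0 means "no checksum"
        seg = seg[:6] + struct.pack("!H", csum or 0xFFFF) + seg[8:]
    if family == socket.AF_INET:  # ver/IHL, DSCP, len, id, DF, TTL, proto, csum
        ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(seg), 0, 0x4000, 64,
                         PROTO_NUM[proto], 0) + src + dst
        ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
        ethertype = 0x0800
    else:  # version 6, payload length, next header, hop limit
        ip = struct.pack("!IHBB", 0x60000000, len(seg), PROTO_NUM[proto], 64) + src + dst
        ethertype = 0x86DD
    return b"\x00" * 12 + struct.pack("!H", ethertype) + ip + seg

def convert_lines(lines, use_payload=False, linktype=LINKTYPE_ETHERNET):
    """Return pcap bytes for the eve lines. Records lacking the requested field,
    or whose packet_info.linktype disagrees with the file's, are skipped."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if use_payload:
            if "payload" not in ev:
                continue
            data = build_packet(ev)
        else:
            if "packet" not in ev or ev.get("packet_info", {}).get("linktype", linktype) != linktype:
                continue
            data = base64.b64decode(ev["packet"])
        sec, usec = parse_timestamp(ev["timestamp"])
        out.append(struct.pack("<IIII", sec, usec, len(data), len(data)) + data)
    return b"".join(out)

# Constructed sample records (not real Suricata output): an alert logged with
# both packet and payload, an alert with payload only, and a flow record with neither.
SAMPLE_TCP = {"timestamp": "2016-01-27T11:22:33.123456-0600", "event_type": "alert",
              "src_ip": "10.0.0.5", "src_port": 40001, "dest_ip": "93.184.216.34",
              "dest_port": 80, "proto": "TCP",
              "payload": base64.b64encode(b"GET / HTTP/1.1\r\n\r\n").decode()}
SAMPLE_UDP6 = {"timestamp": "2016-01-27T11:22:34.000001-0600", "event_type": "alert",
               "src_ip": "2001:db8::1", "src_port": 53000, "dest_ip": "2001:db8::2",
               "dest_port": 53, "proto": "UDP",
               "payload": base64.b64encode(b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00").decode()}
SAMPLE_LINES = [
    json.dumps(dict(SAMPLE_TCP, packet=base64.b64encode(build_packet(SAMPLE_TCP)).decode(),
                    packet_info={"linktype": 1})),
    json.dumps(SAMPLE_UDP6),
    json.dumps({"timestamp": "2016-01-27T11:22:35.000000-0600", "event_type": "flow"}),
]

if __name__ == "__main__":  # writes the constructed sample as a pcap you can open in Wireshark
    open("eve2pcap_example.pcap", "wb").write(convert_lines(SAMPLE_LINES, use_payload=True))
```

Replace SAMPLE_LINES with the lines of a real eve.json to convert it. The synthesized TCP segments all carry sequence number 0 and PSH|ACK, so they decode cleanly in Wireshark but will not reassemble as a stream; that is the limit the caveat above describes, and it is inherent to the data eve keeps, not to the tool.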
