snifos converts FortiOS sniffer output to
pcapng. It's written in Rust, and
tries to be fast and flexible.
- Generates pcapng files, with interface name and packet direction information (if that information is available in the input file).
- Supports absolute and relative timestamps.
- Can extract multiple pcapng files from a single input file.
(
--split) - Supports the "raw IP" link type (
LINKTYPE_RAW), useful for converting packets captured on tunnel interfaces. (--raw) - Memory and storage efficient. It doesn't generate an intermediate file, nor does it store all packets in memory.
- Single binary, with no runtime dependency, for Linux, MacOS and Windows.
$ ./snifos -h
snifos 0.1.0
A tool for converting FortiOS sniffer output to pcapng
USAGE:
snifos [FLAGS] [OPTIONS] --input <INPUT> --output <OUTPUT>
FLAGS:
-h, --help Prints help information
-s, --split Create a new pcapng file for each sniffer run in the input
-V, --version Prints version information
-v, --verbose Enables verbose output
OPTIONS:
-i, --input <INPUT> Input file (use - for stdin)
-o, --output <OUTPUT> Output file (use - for stdout)
-r, --raw <RAW>... Regex matching interfaces converted with the raw link type
$ ./snifos -i test.txt -o test.pcapng
Creating a new file: test.pcapng
If the input file contains the output of multiple instances of the sniffer command, you can split it into multiple pcapng files.
$ ./snifos -i test.txt -o test --split
Creating a new file: test-1.pcapng
Creating a new file: test-2.pcapng
In this case, the -o argument takes a prefix. This prefix is used to
generate the output file names.
If captured packets on some interfaces in the input file don't contain
the Ethernet header, you can use the --raw (or -r) to convert them
properly. Any interface names matching regular expressions passed in
this way, are treated as "raw IP" links. This is especially useful
when converting packets captured on tunnel interface (e.g. IPsec).
$ ./snifos -i test.txt -o test.pcapng --raw 'tunnel.*'
Creating a new file: test.pcapng
Relative timestamps are converted to absolute timestamps before being written to the output file. This is done by adding the relative time to a "start" time (which is the system clock time at the time parsing starts for the output of a sniffer run).
Quick unscientific comparison with the Perl-based converter (that uses text2pcap internally):
$ uname -a
Linux leela 5.10.16-arch1-1 #1 SMP PREEMPT Sat, 13 Feb 2021 20:50:18 +0000 x86_64 GNU/Linux
$ time target/release/snifos -i large.txt -o large.pcapng
Creating a new file: large.pcapng
real 0m8.450s
user 0m8.282s
sys 0m0.163s
$ tcpdump -n --count -r large.pcapng
reading from file large.pcapng, link-type EN10MB (Ethernet), snapshot length 262144
100000 packets
$ rm large.pcapng
$ time ./fgt2eth.pl -in large.txt -out large.pcap
real 1m56.745s
user 1m31.995s
sys 1m2.213s
$ tcpdump -n --count -r large.pcap
reading from file large.pcap, link-type EN10MB (Ethernet), snapshot length 262144
100000 packets
This project is licensed under the MIT license.
See LICENSE-MIT for details.