@RobertLarsen
Created September 9, 2015 08:36
Turn a packet captured by Suricata and stored in base64 into a pcap
#!/usr/bin/env python2
import base64, binascii, struct, sys

if len(sys.argv) > 1:
    try:
        # Suricata stores the captured packet as a base64 string
        binary = base64.decodestring(sys.argv[1])
        # File header (native byte order; pcap readers detect it from the magic)
        sys.stdout.write(struct.pack("IHHIIII",
            0xa1b2c3d4,  # Magic (microsecond-resolution timestamps)
            2,           # Major version
            4,           # Minor version
            0,           # This zone (GMT offset)
            0,           # Sigfigs
            0xffffffff,  # Snaplen
            1            # DataLink type (Ethernet)
        ))
        # Record header: no capture time is available here, so it is zeroed
        sys.stdout.write(struct.pack("IIII",
            0,            # Timestamp seconds
            0,            # Timestamp microseconds
            len(binary),  # Length of packet in file
            len(binary)   # Original length of packet
        ))
        # Record data
        sys.stdout.write(binary)
    except binascii.Error:
        sys.stderr.write('Invalid base64\n')
else:
    sys.stdout.write("Usage: %s <base64>\n" % sys.argv[0])
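Added example (not part of the gist): a Python 3 version that takes a whole EVE alert line instead of a bare base64 argument, so the record header gets the alert's real timestamp and link type, and a small pcap reader that checks the file written is well-formed. The EVE field names `packet`, `packet_info.linktype` and `timestamp` are assumed, and the alert line and packet bytes are constructed here.

```python
#!/usr/bin/env python3
"""Turn the base64 packet from a Suricata EVE alert into a one-record pcap,
then parse that pcap back to verify its headers. Added example, not the gist."""
import base64
import json
import struct
from datetime import datetime

PCAP_MAGIC = 0xA1B2C3D4   # microsecond-resolution pcap; written little-endian below
FILE_HDR = "<IHHiIII"     # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = "<IIII"         # ts_sec, ts_usec, incl_len, orig_len

# Constructed EVE alert line; field names "packet", "packet_info", "timestamp" assumed.
# The packet bytes are a constructed sample (start of an Ethernet/ARP frame).
EVE_LINE = json.dumps({
    "timestamp": "2015-09-09T08:36:00.123456+0000",
    "event_type": "alert",
    "packet": base64.b64encode(
        bytes.fromhex("ffffffffffff00112233445508060001080006040001")).decode(),
    "packet_info": {"linktype": 1},
})

def eve_to_pcap(line: str) -> bytes:
    """Build a complete pcap file (as bytes) from one EVE alert JSON line."""
    ev = json.loads(line)
    pkt = base64.b64decode(ev["packet"], validate=True)  # reject non-alphabet input too
    linktype = ev.get("packet_info", {}).get("linktype", 1)
    ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    sec, usec = int(ts.timestamp()), ts.microsecond
    out = struct.pack(FILE_HDR, PCAP_MAGIC, 2, 4, 0, 0, 0xFFFF, linktype)
    out += struct.pack(REC_HDR, sec, usec, len(pkt), len(pkt))
    return out + pkt

def read_pcap(data: bytes):
    """Parse a pcap into (linktype, [(sec, usec, packet), ...]); checks magic and lengths."""
    magic, _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack_from(FILE_HDR, data)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    records, off = [], struct.calcsize(FILE_HDR)
    while off < len(data):
        sec, usec, incl, _orig = struct.unpack_from(REC_HDR, data, off)
        off += struct.calcsize(REC_HDR)
        if incl > snaplen or off + incl > len(data):
            raise ValueError("truncated or oversized record")
        records.append((sec, usec, data[off:off + incl]))
        off += incl
    return linktype, records

if __name__ == "__main__":
    import sys
    sys.stdout.buffer.write(eve_to_pcap(EVE_LINE))  # pipe into a file and open in Wireshark
```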