
Convert Base64 encoded packet capture from Suricata IDS into a binary PCAP file for analysis.


#!/usr/bin/env python2

import base64, struct, sys

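PCAP_MAGIC = 0xa1b2c3d4       # standard magic; readers use it to detect the file's byte order
PCAP_VERSION = (2, 4)         # major, minor of the classic pcap format
LINKTYPE_ETHERNET = 1         # DLT for Ethernet frames
_B64_ALPHABET = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
)


def decode_base64(text):
    """Strictly decode the base64 string *text* and return the raw bytes.

    Whitespace (e.g. line wrapping) is dropped first.  Unlike
    ``base64.decodestring``, which silently discards any character outside the
    base64 alphabet and can therefore turn a corrupted argument into a
    truncated packet, this rejects such input.

    Raises:
        ValueError: on a non-alphabet character, misplaced or excessive
            padding, or a length that is not a multiple of four.
    """
    cleaned = "".join(text.split())
    body = cleaned.rstrip("=")
    if len(cleaned) - len(body) > 2 or any(c not in _B64_ALPHABET for c in body):
        raise ValueError("not a base64 string")
    try:
        return base64.b64decode(cleaned)
    except (TypeError, ValueError):
        # Python 2 raises TypeError and Python 3 binascii.Error (a ValueError)
        # on bad padding; present one exception type to callers.
        raise ValueError("invalid base64 padding")


def pcap_from_bytes(payload, ts_sec=0, ts_usec=0, linktype=LINKTYPE_ETHERNET):
    """Return a complete pcap file (global header + one record) wrapping *payload*.

    Args:
        payload: the raw frame bytes to store as the single record.
        ts_sec, ts_usec: record timestamp; zero by default, as the original
            script wrote no timestamp.
        linktype: DLT value written in the global header (Ethernet by default).

    Returns:
        bytes: 24-byte global header, 16-byte record header, then *payload*.

    Raises:
        ValueError: if *payload* does not fit the 32-bit pcap length fields.
    """
    length = len(payload)
    if length > 0xffffffff:
        raise ValueError("packet longer than pcap's 32-bit length field")
    # "=" pins standard field sizes with no alignment padding; byte order is the
    # host's, which the magic value makes self-describing to any pcap reader.
    global_header = struct.pack(
        "=IHHiIII",
        PCAP_MAGIC,
        PCAP_VERSION[0],
        PCAP_VERSION[1],
        0,            # thiszone (GMT offset), signed in the spec
        0,            # sigfigs
        0xffffffff,   # snaplen: no truncation
        linktype,
    )
    record_header = struct.pack(
        "=IIII",
        ts_sec,
        ts_usec,
        length,       # captured length
        length,       # original length
    )
    return global_header + record_header + payload


def main(argv=None):
    """Decode ``argv[1]`` and write a one-packet pcap to stdout.

    Args:
        argv: argument vector; defaults to ``sys.argv``.

    Returns:
        int exit status: 0 on success, 1 for undecodable input, 2 for a
        usage error.  Only decode failures are reported as "Invalid base64";
        anything else (e.g. a write error) propagates instead of being
        masked by a catch-all, as the previous bare ``except`` did.
    """
    args = sys.argv if argv is None else argv
    if len(args) < 2:
        prog = args[0] if args else sys.argv[0]
        sys.stdout.write("Usage: %s <base64>\n" % prog)
        return 2
    try:
        packet = decode_base64(args[1])
    except ValueError:
        sys.stderr.write('Invalid base64\n')
        return 1
    # Python 3's stdout is a text stream; its .buffer is the binary layer.
    # Python 2's stdout has no .buffer and accepts bytes directly.
    out = getattr(sys.stdout, "buffer", sys.stdout)
    out.write(pcap_from_bytes(packet))
    out.flush()
    return 0


if __name__ == "__main__":
    sys.exit(main())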