Convert a Base64-encoded packet capture from the Suricata IDS into a binary PCAP file for analysis.
#!/usr/bin/env python2
import base64, struct, sys
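# Suricata's EVE alert output carries the triggering packet as base64; this
# script wraps those bytes in a minimal single-record pcap so the packet can
# be opened with ordinary capture tools.  Everything below runs on both
# Python 2 and Python 3 (base64.decodestring no longer exists on 3.9+, and
# bytes must go through sys.stdout.buffer there).

PCAP_MAGIC = 0xa1b2c3d4
PCAP_VERSION = (2, 4)
PCAP_SNAPLEN = 0xffffffff  # no truncation: incl_len may equal orig_len
LINKTYPE_ETHERNET = 1      # DLT_EN10MB


def decode_packet(b64):
    """Return the raw packet bytes encoded in *b64* (a base64 string).

    Raises ValueError (Python 3, as binascii.Error) or TypeError (Python 2)
    when the padding/length is invalid.  Characters outside the base64
    alphabet are silently discarded, matching the old decodestring behaviour.
    """
    return base64.b64decode(b64)


def build_pcap(packet, linktype=LINKTYPE_ETHERNET):
    """Return a complete pcap stream holding *packet* as its only record.

    Args:
        packet: raw packet bytes.  This is untrusted data straight from the
            IDS; it is copied verbatim and never interpreted here.
        linktype: pcap DLT value for the packet's layer-2 framing.  Defaults
            to Ethernet; Suricata reports the real value in eve.json as
            packet_info.linktype, so pass that when it differs.

    Returns:
        bytes: 24-byte global header + 16-byte record header + packet.
    """
    # Explicit little-endian layout so the output is byte-identical on every
    # host; readers detect the byte order from the magic number anyway.
    global_header = struct.pack(
        "<IHHiIII",
        PCAP_MAGIC,
        PCAP_VERSION[0],
        PCAP_VERSION[1],
        0,             # thiszone (GMT offset, signed in the format)
        0,             # sigfigs
        PCAP_SNAPLEN,
        linktype,
    )
    # The base64 blob carries no timestamp, so the record is stamped at the
    # epoch rather than with a made-up time.
    record_header = struct.pack(
        "<IIII",
        0,             # ts_sec
        0,             # ts_usec
        len(packet),   # incl_len: bytes saved in the file
        len(packet),   # orig_len: bytes on the wire (no truncation)
    )
    return global_header + record_header + packet


def main(argv):
    """Command-line entry point: ``prog <base64> [linktype]``.

    Writes the pcap to stdout (the binary buffer on Python 3) and returns the
    process exit status: 0 on success, 1 on a usage or decode error.  Usage
    and error text goes to stderr so it never pollutes a redirected pcap.
    """
    if len(argv) < 2 or len(argv) > 3:
        sys.stderr.write("Usage: %s <base64> [linktype]\n" % argv[0])
        return 1

    linktype = LINKTYPE_ETHERNET
    if len(argv) == 3:
        try:
            linktype = int(argv[2])
        except ValueError:
            linktype = -1  # force the range check below to fail
        if not 0 <= linktype <= 0xffffffff:
            sys.stderr.write("Invalid linktype: %r\n" % argv[2])
            return 1

    try:
        packet = decode_packet(argv[1])
    except (TypeError, ValueError):
        # Only decode failures are reported as bad input.  The old bare
        # except also swallowed unrelated errors (e.g. a broken pipe on
        # stdout) and mislabelled them as "Invalid base64"; those now
        # propagate with a real traceback.
        sys.stderr.write('Invalid base64\n')
        return 1

    out = getattr(sys.stdout, "buffer", sys.stdout)  # bytes-capable stream
    out.write(build_pcap(packet, linktype))
    out.flush()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))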