LinuxCommandLibrary

log2pcap

Convert Snort unified2 logs to pcap format

SYNOPSIS

log2pcap [OPTIONS] <unified2_log_file> <output_pcap_file>

PARAMETERS

-r <rule_file>
    
Specifies the path to a Snort rules file. This allows
log2pcap to display the actual rule messages
associated with the SIDs found in the unified2 log,
providing more human-readable context for alerts.


-v
    
Enables verbose output, providing more details about
the conversion process, including information on records
processed and errors encountered.


-N <event_id>
    
Filters the input unified2 log to process only events
matching the specified Event ID. This is useful for
extracting the packets behind one alert instance. Event
IDs are assigned per sensor and start over when Snort
restarts, so in logs merged from several sensors combine
-N with -S to pin down a single event.


-S <sensor_id>
    
Filters the input unified2 log to process only events
originating from a specific Sensor ID. Useful in
environments with multiple Snort sensors.


-L <packet_limit>
    
Limits the number of packets extracted and written
to the output PCAP file to the specified count.
This can be used to manage output file size.


DESCRIPTION

log2pcap is a utility typically included with the Snort Intrusion Detection System (IDS). Its primary function is to convert Snort's unified2 binary log format into a standard PCAP (packet capture) file that any libpcap-based tool can read.

This conversion matters to analysts because it recovers the actual network traffic that triggered specific Snort alerts. Once the data is in PCAP form, Wireshark, tcpdump or a similar protocol analyzer can dissect the packet headers and payloads, which helps in establishing what an attack did, validating or tuning the alert, and carrying out detailed forensic work. log2pcap thus bridges the gap between Snort's alert log and ordinary network-analysis tooling, giving security events the packet-level context the alert line alone lacks.

CAVEATS

log2pcap is designed for Snort's unified2 log format and is not a general-purpose text-to-PCAP converter. It requires that the original packet data be present in the unified2 log, which depends on Snort's output configuration: the unified2 output plugin (for example "output unified2: filename merged.log, limit 128" in snort.conf) writes both alert records and packet records to one file, whereas alert_unified2 writes alert records only and log_unified2 writes packet records only. Without packet records, log2pcap can only read alert metadata, not full packets. Note also that Snort logs the packet that triggered an alert (plus any further packets captured by a rule's tag option), not the whole session, so the resulting PCAP holds alert-related packets rather than complete flows. u2spewfoo, the unified2 dump tool shipped with Snort, prints every record as text and is a quick way to confirm that a log actually contains packet records before converting it.

UNIFIED2 LOGS EXPLAINED


log2pcap works specifically with Snort's unified2 log format. This binary format was designed to store both alert metadata and the network packets that triggered those alerts in one stream of type- and length-prefixed records: event records carry the sensor ID, event ID, timestamp, signature/generator IDs, classification, addresses and ports of an alert, while packet records carry the matching sensor and event IDs together with the capture timestamp, link type and the raw frame bytes. Because the frame is stored verbatim, log2pcap can reproduce the full packet, including the payload, which is what detailed forensic analysis needs and what text-based alert logs cannot provide.
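The conversion that DESCRIPTION and this section describe, as an added example that is not part of this page and not Snort's own log2pcap source: a small Python parser for the unified2 record layout (an 8-byte type/length header followed by either a legacy IPv4 IDS event record or a packet record, all fields in network byte order, following Snort's Unified2 structure definitions) that writes the matching frames out as a libpcap file and applies the same event-ID, sensor-ID and packet-count filters that the -N, -S and -L options describe. The unified2 bytes it reads, the addresses, the signature IDs and the HTTP payloads are constructed sample data, and the function names are this example's own.

```python
"""Tiny unified2 -> libpcap converter (added example; not Snort's log2pcap)."""
import struct
from collections import namedtuple

UNIFIED2_PACKET = 2        # record carrying a raw frame (Snort's Unified2Packet)
UNIFIED2_IDS_EVENT = 7     # legacy IPv4 alert record (52-byte body)
DLT_EN10MB = 1             # libpcap link type for Ethernet

Event = namedtuple("Event", "sensor_id event_id event_second sid gid rev")
Packet = namedtuple("Packet", "sensor_id event_id ts_sec ts_usec linktype data")

def parse_unified2(blob):
    """Walk the type/length-prefixed records, yielding Event and Packet tuples."""
    off = 0
    while off + 8 <= len(blob):
        rtype, rlen = struct.unpack_from("!II", blob, off)
        body = blob[off + 8:off + 8 + rlen]
        if len(body) != rlen:
            raise ValueError("truncated record at offset %d" % off)
        off += 8 + rlen
        if rtype == UNIFIED2_IDS_EVENT:
            sensor, eid, sec, _usec, sid, gid, rev = struct.unpack_from("!7I", body)
            yield Event(sensor, eid, sec, sid, gid, rev)
        elif rtype == UNIFIED2_PACKET:
            sensor, eid, _esec, psec, pusec, link, plen = struct.unpack_from("!7I", body)
            yield Packet(sensor, eid, psec, pusec, link, body[28:28 + plen])
        # other record types (IPv6/VLAN events, extra data) are skipped here

def to_pcap(records, event_id=None, sensor_id=None, limit=None, linktype=DLT_EN10MB):
    """Emit packet records as a libpcap file; the filters mirror -N, -S and -L."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    written = 0
    for rec in records:
        if not isinstance(rec, Packet):
            continue                      # alert records carry no frame
        if event_id is not None and rec.event_id != event_id:
            continue
        if sensor_id is not None and rec.sensor_id != sensor_id:
            continue
        if rec.linktype != linktype:
            raise ValueError("pcap holds one link type; got DLT %d" % rec.linktype)
        if limit is not None and written >= limit:
            break
        out += struct.pack("<IIII", rec.ts_sec, rec.ts_usec, len(rec.data), len(rec.data))
        out += rec.data
        written += 1
    return bytes(out)

def read_pcap_frames(pcap):
    """Read a little-endian libpcap file back as (sec, usec, frame) tuples."""
    if struct.unpack_from("<I", pcap)[0] != 0xA1B2C3D4:
        raise ValueError("not a libpcap file")
    off, frames = 24, []
    while off < len(pcap):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", pcap, off)
        frames.append((sec, usec, pcap[off + 16:off + 16 + incl]))
        off += 16 + incl
    return frames

def sample_frame(payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums left zero (sample data)."""
    eth = bytes.fromhex("00112233445566778899aabb0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 168, 1, 10]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def build_sample_log():
    """Constructed unified2 log: two alerts from two sensors, each with its frame."""
    def rec(rtype, body):
        return struct.pack("!II", rtype, len(body)) + body

    def event(sensor, eid, sec, sid):
        body = struct.pack("!9I", sensor, eid, sec, 0, sid, 1, 3, 33, 2)  # ids, class, prio
        body += struct.pack("!4s4sHHBBBB", bytes([10, 0, 0, 5]), bytes([192, 168, 1, 10]),
                            40000, 80, 6, 0, 0, 0)       # addrs, ports, proto, flags
        return rec(UNIFIED2_IDS_EVENT, body)

    def packet(sensor, eid, sec, usec, frame):
        hdr = struct.pack("!7I", sensor, eid, sec, sec, usec, DLT_EN10MB, len(frame))
        return rec(UNIFIED2_PACKET, hdr + frame)

    f1 = sample_frame(b"GET /../../etc/passwd HTTP/1.0\r\n\r\n")
    f2 = sample_frame(b"GET / HTTP/1.0\r\n\r\n")
    return (event(1, 100, 1700000000, 1122) + packet(1, 100, 1700000000, 250000, f1)
            + event(2, 101, 1700000001, 1122) + packet(2, 101, 1700000001, 500000, f2))

if __name__ == "__main__":
    pcap = to_pcap(parse_unified2(build_sample_log()), event_id=100)
    with open("event100.pcap", "wb") as fh:   # open the result in wireshark/tcpdump
        fh.write(pcap)
    print("wrote %d packet(s)" % len(read_pcap_frames(pcap)))
```

Running the block writes event100.pcap containing only the frame that belongs to event 100 on sensor 1; drop the event_id argument to get both frames. Two design points carry over to the real tool: a record whose declared length overruns the file is rejected rather than silently padded, because a truncated last record is the usual symptom of reading a log Snort is still writing, and a single pcap can hold only one link type, so a log mixing sensors on different link layers has to be split first.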

ENHANCING FORENSIC ANALYSIS


The ability to reconstruct original network packets from IDS logs significantly enhances forensic capabilities. Analysts can replay the traffic (for example with tcpreplay against a test sensor), inspect packet headers and payloads, and corroborate alert data with the actual bytes on the wire using familiar tools like Wireshark, rather than being limited to textual alert summaries.

HISTORY

log2pcap was developed alongside Snort to support forensic analysis of IDS alerts by turning Snort's binary log into a widely compatible PCAP file. Its evolution has tracked Snort's own changes to logging and alert management, in particular the move to the unified2 format, and it remains a post-detection analysis tool rather than part of the detection path.

SEE ALSO

snort(8), tcpdump(1), wireshark(1), editcap(1), mergecap(1)
