Yup, this was what the problem was. I ended up writing a short C program
to rewrite the identifier in the nfcapd files. Attached at the bottom
just in case anyone else has the same issue. I warn you it's not great; I
haven't fully explored the nfcap header, so you use it at your own risk.
That being said it just worked for me on 280Gb of flows.
Use it with find and xargs...
find . -type f | xargs -n 1 ~/altersource NEWSOURCENAME
Peter.
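#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main (int argc, char *argv[]) {
    FILE *nfcap;
    size_t len;

    if (argc != 3) {
        printf("syntax: %s <source> <file>\n", argv[0]);
        return EXIT_FAILURE;
    }
    /* open the existing file for in-place update, in binary mode */
    if ((nfcap = fopen(argv[2], "r+b")) == NULL) {
        printf("Could not open %s\n", argv[2]);
        return EXIT_FAILURE;
    }
    /* the identifier starts 12 bytes into the file; write the new name
       plus its terminating NUL. The length is not checked, so a name
       longer than the identifier field overwrites whatever follows it. */
    len = strlen(argv[1]) + 1;
    if (fseek(nfcap, 12, SEEK_SET) != 0 ||
        fwrite(argv[1], sizeof(char), len, nfcap) != len) {
        printf("Could not update %s\n", argv[2]);
        fclose(nfcap);
        return EXIT_FAILURE;
    }
    /* fclose flushes the buffered write, so its result matters too */
    return fclose(nfcap) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}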
Peter A. Wood e: [EMAIL PROTECTED]
Network Security Specialist
Technical Services Group
Lancaster University
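
A bounds-checked variant of the same in-place rewrite, as an added example that is not part of Peter's message or of nfdump/NfSen: it refuses names that do not fit, rewrites the whole field zero padded so no bytes of the old name remain, and reads the result back. The 128-byte field width is an assumption not stated in the post (check it against the header definition of your nfdump version); the function names and make_sample() are made up for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define IDENT_OFFSET 12    /* offset used in the post above */
#define IDENT_LEN    128   /* ASSUMPTION: width of the identifier field */

/* Identifier from the header (static buffer); NULL if unreadable or too short. */
const char *get_ident(const char *path) {
    static char buf[IDENT_LEN + 1];
    FILE *f = fopen(path, "rb");
    if (f == NULL) return NULL;
    int ok = fseek(f, IDENT_OFFSET, SEEK_SET) == 0 && fread(buf, 1, IDENT_LEN, f) == IDENT_LEN;
    fclose(f);
    buf[IDENT_LEN] = '\0';
    return ok ? buf : NULL;
}

/* Length-check the name, rewrite the whole field zero padded, read it back. */
int set_ident(const char *path, const char *name) {
    char field[IDENT_LEN] = {0};
    size_t n = strlen(name);
    if (n == 0 || n >= IDENT_LEN) return -1;   /* must leave room for the NUL */
    if (get_ident(path) == NULL) return -1;    /* too short to hold the field */
    memcpy(field, name, n);
    FILE *f = fopen(path, "r+b");
    if (f == NULL) return -1;
    int ok = fseek(f, IDENT_OFFSET, SEEK_SET) == 0 && fwrite(field, 1, IDENT_LEN, f) == IDENT_LEN;
    if (fclose(f) != 0) ok = 0;                /* buffered write errors surface here */
    const char *now = ok ? get_ident(path) : NULL;
    return (now != NULL && strcmp(now, name) == 0) ? 0 : -1;
}

/* Constructed sample: 12 filler bytes, identifier "old", 16 filler bytes (0xEE). */
int make_sample(const char *path) {
    unsigned char img[IDENT_OFFSET + IDENT_LEN + 16];
    memset(img, 0xEE, sizeof img);
    memset(img + IDENT_OFFSET, 0, IDENT_LEN);
    memcpy(img + IDENT_OFFSET, "old", 3);
    FILE *f = fopen(path, "wb");
    if (f == NULL) return -1;
    size_t w = fwrite(img, 1, sizeof img, f);
    return (fclose(f) == 0 && w == sizeof img) ? 0 : -1;
}

int main(int argc, char *argv[]) {
    if (argc != 3) { fprintf(stderr, "syntax: %s <source> <file>\n", argv[0]); return 1; }
    if (set_ident(argv[2], argv[1]) != 0) { fprintf(stderr, "%s: not changed\n", argv[2]); return 1; }
    return 0;
}
```

It takes the same arguments as the program above, so it drops into the same find/xargs line; try it on copies of a few files before running it over the whole archive.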