I need to set up a machine that will log all packets traversing a gateway. The gateway is a Cisco router, and I'm mirroring a port over, so getting the packets to the machine isn't the issue. It's the processing and handling that I need advice with.

There are two things I want to do with this set up. The first is to create daily (possibly hourly) pcap style binary files that will rotate on a monthly basis. This is easy to accomplish with daemonlogger. I just tell it to make a new file after x time and to keep y files.

The second thing is to pass this info into an analysis program. I'm looking at using splunk, which will give a ton of power in terms of searching and reporting. The only problem is that I need to feed the data into splunk. I have made a configuration bundle that will ingest the output of snort by directing it into a named pipe. One difficulty is that I wish to log the entire packet, but not really the hex part. So far snort is the only thing I've found that will log text of the packet contents and ignore the hex.

I can use snort to read the pcap files generated by daemonlogger, but the filenames change with every epoch and it needs some sort of buffering. If you start a file going and then have snort read it, snort will eventually hit the EOF and stop even though more stuff is being logged to it. I'd have to get it into a pipe so that snort didn't stop attempting to process it.

So any suggestions on how to get this into something that will be stable and work reliably? I've looked at things like ACID and BASE, but those are mostly for intrusion detection with snort. I'm not doing any filtering or processing....just logging every packet.

No you're not. You want to log packets w/o processing yet you use Snort to extract human readable text from pcaps and still maintain you're "not doing any filtering or processing". How does that match? Maybe explain (reason, requirements, examples and such) what details exactly you're interested in wrt logging.

sorry, by no processing I mean I'm not running an IDS. I'm not analyzing the packets for traffic patterns or intrusions. Just converting to text and logging.

Check http://www.splunkbase.com/addons/Fie...ork_IDS_-_IPS/ ?

i looked at those. Unfortunately those are for dealing with the alerts generated by the IDS, and not the packet flow.

I asked you for details but you don't post any.
Simply means you're not helping us to help you.
So I'm sorry. I see nothing I can help you with here.