Bug #1117
closedPCAP file count does not persist
Description
When Suricata is restarted the PCAP file count resets, which results in old PCAP files not being removed/rolled.
in log-pcap.c::PcapLogDataInit() the file count is always initialized to 1:
pl->file_cnt = 1;
It would be nice if the file count maintained state between runs so that 'max-files:' would not be exceeded.
Perhaps this could be achieved by determining how many PCAP files exist in the directory when Suricata starts up and initialize the count to that number, or perhaps at least a configurable option to remove old PCAP files when PCAP initializes.
Updated by Victor Julien about 10 years ago
- Target version set to 3.0RC2
In the file extraction storage module I had the same issue. Here I choose to have a 'waldo', a sort of bookmark file that stores the id. That way consecutive runs would know where the last left off. Would that suit your needs as well?
Btw, before hacking away at this code, please note that there are significant changes pending. They will be merged after the 2.0 release. https://github.com/inliniac/suricata/tree/dev-pcap-multi-v2
Updated by Paul Gofran about 10 years ago
Yes, a similar 'waldo' feature would be great.
Thanks,
Paul
Updated by Victor Julien almost 9 years ago
- Target version changed from 3.0RC2 to TBD
Updated by Victor Julien over 7 years ago
- Status changed from New to Closed
- Assignee changed from OISF Dev to Jason Ish
- Target version changed from TBD to 3.2