Bug #1117
closed
PCAP file count does not persist
Added by Paul Gofran about 10 years ago.
Updated over 7 years ago.
Description
When Suricata is restarted the PCAP file count resets, which results in old PCAP files not being removed/rolled.
in log-pcap.c::PcapLogDataInit() the file count is always initialized to 1:
pl->file_cnt = 1;
It would be nice if the file count maintained state between runs so that 'max-files:' would not be exceeded.
Perhaps this could be achieved by determining how many PCAP files exist in the directory when Suricata starts up and initialize the count to that number, or perhaps at least a configurable option to remove old PCAP files when PCAP initializes.
- Target version set to 3.0RC2
In the file extraction storage module I had the same issue. Here I choose to have a 'waldo', a sort of bookmark file that stores the id. That way consecutive runs would know where the last left off. Would that suit your needs as well?
Btw, before hacking away at this code, please note that there are significant changes pending. They will be merged after the 2.0 release. https://github.com/inliniac/suricata/tree/dev-pcap-multi-v2
Yes, a similar 'waldo' feature would be great.
Thanks,
Paul
- Target version changed from 3.0RC2 to TBD
- Status changed from New to Closed
- Assignee changed from OISF Dev to Jason Ish
- Target version changed from TBD to 3.2
Also available in: Atom
PDF