Support #1796
closed
PCAP_CNT value does not match Frame Number on TSHARK or Wireshark
Added by Xavier Lassoie about 9 years ago.
Updated about 9 years ago.
Description
When using Suricata offline using 'suricata -r log.pcap --runmode autofp -l logs/' and then searching an alert with Tshark (tshark -r log.pcap -V -Y "frame.number==46887") or Wireshark using the value of pcap_cnt in eve-alert.json file, we see that the packet is not matching the alert.
This is Suricata version 3.0 RELEASE
They should match. Can you add a test case?
It seems that I found the problem while I was busy on creating a test case. Before reading the pcap offline, I have stopped the Suricata Daemon which is in ONLINE mode, it seems that it had some problems to stop properly, so when I read the PCAP file offline, there was still a Suricata Online.
Now with the Suricata daemon correctly stopped, the 'pcap_cnt' matches the frame.number.
Thanks for your help.
- Tracker changed from Bug to Support
- Status changed from New to Closed
Also available in: Atom
PDF