Bug #1887

closed

pcap-log sets snaplen to -1

Added by Jens Goldberg about 5 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

When dumping packets with pcap-log, suricata sets the snaplen to -1:
https://github.com/inliniac/suricata/blob/69863f7b1c34fadf6148066dbc099e17812cabee/src/log-pcap.c#L291-L292

This results in broken pcaps. Some tools, e.g. tcpdump/libpcap, treat "-1" as an unsigned integer – and as it is larger than the built-in maximum, they refuse to work with the file at all:

# tcpdump -r /var/log/suricata/pcap.1.1473343332.19746
tcpdump: invalid file capture length 4294967295, bigger than maximum of 262144
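The following is an added illustration of the failure described in this report; it is not code from the report, from Suricata or from libpcap. It writes a minimal pcap global header with snaplen -1 the way a signed write would put it on disk, reads it back as an unsigned field the way libpcap does (yielding 4294967295), applies the same upper-bound check tcpdump reports, and shows a header-only repair for a file that was already written. The limit of 262144 is taken from the tcpdump message quoted above; the header layout (magic, version 2.4, thiszone, sigfigs, snaplen, linktype) is the standard pcap global header. Function names and the sample values are constructed for the example.

```python
import struct

# Limit quoted in the tcpdump error message in this report (libpcap's maximum
# snapshot length at the time). Treated here as the reader's upper bound.
MAX_SNAPLEN = 262144
PCAP_MAGIC = 0xA1B2C3D4          # magic as read in the writer's own byte order
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # what a little-endian read yields for a big-endian file
HEADER_LEN = 24


def build_pcap_header(snaplen, linktype=1, endian="<"):
    """Build a 24-byte pcap global header (version 2.4).

    snaplen is packed as a *signed* 32-bit int ('i'), so passing -1 writes
    0xFFFFFFFF to disk, which is exactly what a writer storing -1 produces."""
    return struct.pack(endian + "IHHiIiI", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def parse_pcap_header(data):
    """Parse the global header the way a reader such as libpcap does: the
    snaplen field is unsigned, so -1 on disk comes back as 4294967295."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated pcap header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a pcap file: bad magic 0x%08x" % magic)
    major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:HEADER_LEN])
    return {"endian": endian, "version": (major, minor), "thiszone": thiszone,
            "sigfigs": sigfigs, "snaplen": snaplen, "linktype": linktype}


def check_snaplen(header):
    """Mirror the reader's sanity check; returns (ok, message)."""
    snaplen = header["snaplen"]
    if snaplen > MAX_SNAPLEN:
        return False, ("invalid file capture length %d, bigger than maximum of %d"
                       % (snaplen, MAX_SNAPLEN))
    return True, "ok"


def repair_snaplen(data, new_snaplen=MAX_SNAPLEN):
    """Rewrite only the snaplen field (bytes 16..20) in the writer's byte order.

    This is a recovery step for a file that was already written; packet records
    after the header are untouched, so the real fix is writing a sane snaplen
    in the first place."""
    endian = parse_pcap_header(data)["endian"]  # also validates the magic
    return data[:16] + struct.pack(endian + "I", new_snaplen) + data[20:]


if __name__ == "__main__":
    broken = build_pcap_header(-1)                   # constructed broken header
    hdr = parse_pcap_header(broken)
    print("snaplen read back as", hdr["snaplen"])    # 4294967295
    print(check_snaplen(hdr)[1])
    print("after repair:", parse_pcap_header(repair_snaplen(broken))["snaplen"])
```

Running the block reproduces the "bigger than maximum of 262144" complaint from a header alone, which makes it a quick triage check for a pcap that a reader rejects: if `parse_pcap_header` shows a snaplen of 4294967295 the file was written with -1 in the header, and `repair_snaplen` makes it readable again without touching the packet data.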
#1

Updated by Andreas Herz about 5 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
#2

Updated by Victor Julien over 4 years ago

  • Status changed from New to Closed
  • Assignee changed from OISF Dev to Jason Ish
  • Target version changed from TBD to 3.2.1