Bug #1887: pcap-log sets snaplen to -1
Status: closed
Description
When dumping packets with pcap-log, suricata sets the snaplen to -1:
https://github.com/inliniac/suricata/blob/69863f7b1c34fadf6148066dbc099e17812cabee/src/log-pcap.c#L291-L292:
This results in broken pcaps. Some tools, e.g. tcpdump/libpcap, treat "-1" as an unsigned integer – and as it is larger than the built-in maximum, they refuse to work with the file at all:
# tcpdump -r /var/log/suricata/pcap.1.1473343332.19746
tcpdump: invalid file capture length 4294967295, bigger than maximum of 262144
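The failure described in this report can be checked and undone offline. The script below is an added example and is not Suricata or libpcap code: it parses the pcap global header, flags a snaplen above the 262144 cap quoted in the tcpdump error (a -1 stored in the unsigned 32-bit snaplen field reads back as 4294967295), and rewrites the field in place while leaving every packet record untouched. The sample capture it builds is constructed, the cap constant is taken from the error message above, and writing the cap itself as the repaired value is an assumption (snaplen is only an upper bound, so any value not smaller than the largest stored record is valid).

```python
"""Detect and repair pcap files whose global-header snaplen is out of range.

Added example for this bug report; not Suricata or libpcap code.
Usage: python fix_snaplen.py [in.pcap out.pcap]  (no args runs a built-in sample)
"""
import struct
import sys

MAXIMUM_SNAPLEN = 262144      # the limit quoted in the tcpdump error above
PCAP_MAGIC_USEC = 0xA1B2C3D4  # microsecond-resolution magic
PCAP_MAGIC_NSEC = 0xA1B23C4D  # nanosecond-resolution magic
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16
SNAPLEN_OFFSET = 16           # snaplen is the 6th field of the global header


def detect_endianness(data):
    """Return the struct byte-order prefix ('<' or '>') for this file."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("short global header")
    for order in ("<", ">"):
        magic = struct.unpack(order + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            return order
    raise ValueError("not a pcap file (bad magic)")


def parse_global_header(data):
    """Decode the 24-byte global header into a dict."""
    order = detect_endianness(data)
    _magic, vmaj, vmin, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        order + "IHHiIII", data[:GLOBAL_HDR_LEN])
    return {"order": order, "version": (vmaj, vmin),
            "snaplen": snaplen, "linktype": linktype}


def snaplen_is_invalid(snaplen, maximum=MAXIMUM_SNAPLEN):
    """True when the header value exceeds what libpcap-based tools accept."""
    return snaplen > maximum


def max_caplen(data):
    """Walk the packet records and return the largest incl_len seen."""
    order = detect_endianness(data)
    off, largest = GLOBAL_HDR_LEN, 0
    while off + RECORD_HDR_LEN <= len(data):
        _sec, _frac, incl_len, _orig_len = struct.unpack(
            order + "IIII", data[off:off + RECORD_HDR_LEN])
        if off + RECORD_HDR_LEN + incl_len > len(data):
            raise ValueError("truncated record at offset %d" % off)
        largest = max(largest, incl_len)
        off += RECORD_HDR_LEN + incl_len
    return largest


def repair_snaplen(data, maximum=MAXIMUM_SNAPLEN):
    """Return (bytes, snaplen). The input is returned unchanged if already valid."""
    hdr = parse_global_header(data)
    if not snaplen_is_invalid(hdr["snaplen"], maximum):
        return data, hdr["snaplen"]
    if max_caplen(data) > maximum:
        raise ValueError("a record exceeds the maximum snaplen; cannot repair")
    # Assumption: write the cap itself. It is always >= every record's
    # incl_len (checked above), which is all readers require of snaplen.
    patched = struct.pack(hdr["order"] + "I", maximum)
    fixed = data[:SNAPLEN_OFFSET] + patched + data[SNAPLEN_OFFSET + 4:]
    return fixed, maximum


def build_sample(snaplen, order="<"):
    """Constructed one-packet capture. snaplen=-1 mimics the bug: the value is
    masked to 32 bits exactly as storing -1 in the header field does."""
    frame = bytes.fromhex("ffffffffffff0011223344550806") + b"\x00" * 28
    ghdr = struct.pack(order + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0,
                       snaplen & 0xFFFFFFFF, 1)
    rec = struct.pack(order + "IIII", 1473343332, 0, len(frame), len(frame))
    return ghdr + rec + frame


def main(argv):
    if len(argv) == 3:
        with open(argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample(-1)
    hdr = parse_global_header(data)
    print("header snaplen: %d (invalid: %s)" % (
        hdr["snaplen"], snaplen_is_invalid(hdr["snaplen"])))
    fixed, new_snaplen = repair_snaplen(data)
    print("snaplen after repair: %d" % new_snaplen)
    if len(argv) == 3:
        with open(argv[2], "wb") as f:
            f.write(fixed)


if __name__ == "__main__":
    main(sys.argv)
```

Run against a real capture, the script only ever touches bytes 16..19 of the file; the record walk is a sanity check that no packet is longer than the value being written, and it also catches a capture truncated mid-record, which is the other common reason a pcap-log file fails to open.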