Bug #1887: pcap-log sets snaplen to -1 - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #1887

closed

pcap-log sets snaplen to -1

Added by Jens Goldberg over 7 years ago. Updated about 7 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Jason Ish

Target version:

3.2.1

Affected Versions:

Effort:

Difficulty:

Label:

Description

When dumping packets with pcap-log, suricata sets the snaplen to -1:
https://github.com/inliniac/suricata/blob/69863f7b1c34fadf6148066dbc099e17812cabee/src/log-pcap.c#L291-L292:

This results in broken pcaps. Some tools, e.g. tcpdump/libpcap treats "-1" as an unsigned integer – and as it is larger than the builtin maximum, it refuses to work with it at all:

# tcpdump -r /var/log/suricata/pcap.1.1473343332.19746
tcpdump: invalid file capture length 4294967295, bigger than maximum of 262144

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #1887

pcap-log sets snaplen to -1

Updated by Andreas Herz over 7 years ago

Updated by Victor Julien about 7 years ago