Project

General

Profile

Actions

Bug #1887

closed

pcap-log sets snaplen to -1

Added by Jens Goldberg about 8 years ago. Updated almost 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

When dumping packets with pcap-log, suricata sets the snaplen to -1:
https://github.com/inliniac/suricata/blob/69863f7b1c34fadf6148066dbc099e17812cabee/src/log-pcap.c#L291-L292:

This results in broken pcaps. Some tools, e.g. tcpdump/libpcap treats "-1" as an unsigned integer – and as it is larger than the builtin maximum, it refuses to work with it at all:

# tcpdump -r /var/log/suricata/pcap.1.1473343332.19746
tcpdump: invalid file capture length 4294967295, bigger than maximum of 262144
Actions

Also available in: Atom PDF