Project

General

Profile

Actions

Task #2219

closed

Save pcap only if alert

Added by Marco Mazza about 7 years ago. Updated about 2 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Target version:
-
Effort:
Difficulty:
Label:

Description

Hello, I'm trying to figure out how to save a pcap file on alert.
I can't find any bug/doc/manual for this purpouse.
I have a heavy traffic flow being processed by suricata 4.0.0 (30 sec are 1 GB of pcap) so it's quite difficult to save everything.
I don't think BPF would help me, but I could be wrong. I would like to start saving only the packet seen as alert. I already know this could not be useful as the entire pcap, but it would be a nice start for me.
How should I achieve this goal? If it's already possible I could write some documentation to add here.
Many thanks


Related issues 3 (1 open2 closed)

Related to Suricata - Task #2309: SuriCon 2017 brainstormAssignedVictor JulienActions
Related to Suricata - Feature #385: Configuration option to log all known (pcap) data for a stream when an alert firesClosedCommunity TicketActions
Related to Suricata - Feature #120: Capture full session on alertClosedScott JordanActions
Actions

Also available in: Atom PDF