Feature #2222
Batch submission of PCAPs over the socket (Status: Closed)
Description
Currently, it is only possible to send a single PCAP file to the socket. A method to send a list of (pcap, output-dir) combinations would be very helpful to reduce the number of messages over the socket.
Updated by Andreas Herz over 7 years ago
- Target version set to TBD
What do you think such a combination should look like? Or do you just want to use -r /tmp/foobar instead of -r /tmp/foobar/1.pcap, -r /tmp/foobar/2.pcap and so on?
Updated by Ralph Broenink over 7 years ago
Andreas Herz wrote:
What do you think such a combination should look like? Or do you just want to use -r /tmp/foobar instead of -r /tmp/foobar/1.pcap, -r /tmp/foobar/2.pcap and so on?
I'm thinking more like providing a list of pcaps through the socket, e.g. s.send_command("pcap-files", {"filenames": ["1.pcap","2.pcap"], "output-dirs": ["/1", "/2"]})
Multiple output-dirs is something that is needed as long as issue #1386 is not resolved.
Updated by Danny Browning about 7 years ago
I believe this PR satisfies this request, but not https://redmine.openinfosecfoundation.org/issues/1386
Updated by Danny Browning about 7 years ago
- Status changed from New to Feedback
- Assignee changed from Anonymous to Danny Browning
Ralph, that PR allows a directory to be specified with multiple files, but Suricata state will not be reset between files, and files will be processed in order of modified time.
If you want a reset between files with a separate output directory, I can do another PR. Looking at a format of
{ "command" : "pcap-files", "arguments" : { "files" : [ { "filename" : "path-to-file", "output-dir" : "path-to-output-directory" }, ... ] } }
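As an added example (not code from this issue or from the Suricata project), the following Python client builds the batch message in the layout proposed above, expands it into the existing single-file "pcap-file" command as a fallback, and sends commands over the Suricata unix socket. The "pcap-files" command name and the sample paths are assumptions taken from the proposal in this thread; the socket version handshake and the "pcap-file" argument names follow the suricatasc client.

```python
import json
import socket
from pathlib import PurePosixPath

# Constructed sample batch: illustrative paths, not real captures.
SAMPLE_BATCH = [
    ("/data/pcaps/1.pcap", "/data/out/1"),
    ("/data/pcaps/2.pcap", "/data/out/2"),
]


def build_batch_command(pairs):
    """Build the batch message in the layout proposed in this thread.

    The "pcap-files" command name is the thread's proposal (assumption), not a
    command confirmed to exist in Suricata. Paths must be absolute, and an
    output-dir may not be reused within one batch: per-file output-dirs exist
    so each capture's logs land in their own directory with state reset in
    between, and reusing one would silently merge two captures' output.
    """
    files = []
    seen_out = set()
    for pcap, out in pairs:
        for p in (pcap, out):
            if not PurePosixPath(p).is_absolute():
                raise ValueError("path must be absolute: %r" % p)
        if out in seen_out:
            raise ValueError("output-dir reused within batch: %r" % out)
        seen_out.add(out)
        files.append({"filename": pcap, "output-dir": out})
    if not files:
        raise ValueError("batch is empty")
    return {"command": "pcap-files", "arguments": {"files": files}}


def expand_to_single_file_commands(batch):
    """Fallback for a daemon without a batch command: one existing "pcap-file"
    message per capture, keeping each entry's order and output-dir."""
    return [
        {
            "command": "pcap-file",
            "arguments": {"filename": f["filename"], "output-dir": f["output-dir"]},
        }
        for f in batch["arguments"]["files"]
    ]


def _recv_json(sock, bufsize=4096):
    """Read from the socket until one complete JSON document has arrived."""
    data = b""
    while True:
        chunk = sock.recv(bufsize)
        if not chunk:
            raise ConnectionError("socket closed before a full reply arrived")
        data += chunk
        try:
            return json.loads(data.decode())
        except ValueError:
            continue


def send_commands(socket_path, commands, protocol_version="0.1"):
    """Send a list of command dicts over the Suricata unix socket.

    Performs the version handshake the socket expects, then sends each
    command and collects the replies; stops at the first non-OK reply so a
    rejected entry does not leave later files unqueued without notice.
    """
    replies = []
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(socket_path)
        sock.sendall(json.dumps({"version": protocol_version}).encode())
        hello = _recv_json(sock)
        if hello.get("return") != "OK":
            raise RuntimeError("handshake rejected: %r" % hello)
        for cmd in commands:
            sock.sendall(json.dumps(cmd).encode())
            reply = _recv_json(sock)
            replies.append(reply)
            if reply.get("return") != "OK":
                break
    return replies


if __name__ == "__main__":
    batch = build_batch_command(SAMPLE_BATCH)
    print(json.dumps(batch, indent=2))
    # Queue the same work with today's single-file command, one message each:
    for cmd in expand_to_single_file_commands(batch):
        print(json.dumps(cmd))
```

Against a running daemon the fallback path is `send_commands("/var/run/suricata/suricata-command.socket", expand_to_single_file_commands(batch))`, with the socket path taken from the local configuration; the batch message itself can only be sent once a daemon implements the proposed command.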
Updated by Danny Browning about 7 years ago
- Has duplicate Feature #2299: pcap: read directory with pcaps from the commandline added
Updated by Danny Browning about 7 years ago
- Has duplicate Feature #724: Prevent resetting in UNIX socket mode added
Updated by Danny Browning about 7 years ago
- Has duplicate Feature #1476: Suricata Unix socket PCAP processing stats should not need to reset after each run added
Updated by Victor Julien about 7 years ago
- Has duplicate deleted (Feature #724: Prevent resetting in UNIX socket mode)
Updated by Victor Julien about 7 years ago
- Related to Feature #724: Prevent resetting in UNIX socket mode added
Updated by Victor Julien about 7 years ago
- Has duplicate deleted (Feature #1476: Suricata Unix socket PCAP processing stats should not need to reset after each run)
Updated by Victor Julien about 7 years ago
- Has duplicate deleted (Feature #2299: pcap: read directory with pcaps from the commandline)
Updated by Victor Julien about 7 years ago
- Related to Feature #2299: pcap: read directory with pcaps from the commandline added
Updated by Victor Julien about 7 years ago
- Status changed from Feedback to Closed
- Target version changed from TBD to 4.1beta1