Support #2983
closed
Added by John Smith over 5 years ago.
Updated about 5 years ago.
Description
In pcap offline mode, like suricata -c /etc/suricata/suricata.yaml -r modbus.pcap, there is nothing if I use 'printf' in app-layer-modbus.c. Do I need to dispose the suricata.yaml?
- Tracker changed from Bug to Support
- Subject changed from in pcap offline mode to no modbus output
- Assignee deleted (Victor Julien)
- Target version deleted (4.1.5)
Did you enable the modbus parser in your yaml? Did you check the packet checksums? Did you enable midstream in case the modbus sessions have no TCP 3whs, etc?
OK, Victor. As you say, I have changed the midstream to true; the parser to yes; the checksum to no. Then the modbus parser is ok in pcap offline mode. I also added a new parser for iec104 and the parser iec104 is ok in AF-Packet mode or NFQ mode, but there is no output in pcap offline mode. So should I do some other things?
I have no idea why it doesn't work for pcaps. It will be hard to say without access to the parsers.
- Assignee set to Community Ticket
- Target version set to Support
- Status changed from New to Closed
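The three settings discussed in this thread, written out as a suricata.yaml fragment. This is an added example, not a configuration posted by either participant. The key names are those of the stock Suricata configuration file; the thread does not say which checksum key was changed, so both checksum-related keys are shown as an assumption.

```yaml
# Added illustration: only the sections relevant to reading a capture with -r.

app-layer:
  protocols:
    modbus:
      enabled: yes            # "the parser to yes": the Modbus parser must be enabled
      detection-ports:
        dp: 502               # Modbus/TCP port used for protocol detection

stream:
  # "the midstream to true": track sessions whose TCP three-way handshake
  # is missing from the capture instead of ignoring them.
  midstream: true
  # "the checksum to no" (assumption: this key): do not discard segments
  # with invalid TCP checksums during stream reassembly. Captures taken on
  # a host with checksum offloading often contain such packets.
  checksum-validation: no

pcap-file:
  # Assumption: the equivalent control for offline (-r) reads.
  # Accepted values are yes, no and auto.
  checksum-checks: no
```

Checksum validation can also be disabled for a single offline run with the -k none command-line option, which leaves the configuration file used for live capture unchanged.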