Support #5370

closed

The problem of Suricata reading Wireshark's pcap package

Added by kk4l sc almost 2 years ago. Updated 11 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Affected Versions:
Label:
Beginner

Description

Hello, I'm learning IDS. I wrote a Suricata rule. I used Wireshark and tcpdump to export two pcap packages and read them with the -r parameter. The result is that only the pcap package of tcpdump can be matched.

https://s1.ax1x.com/2022/05/21/OjmOF1.png


Files

OjmOF1.png (224 KB), kk4l sc, 05/21/2022 05:55 AM
#1

Updated by Victor Julien almost 2 years ago

Are you able to share the pcaps?

#2

Updated by Philippe Antoine 11 months ago

  • Status changed from New to Closed

I guess Suricata relies on your libpcap to read the pcap files, so you should use pcap files that are supported by your libpcap library (and Wireshark may use different formats such as pcap-ng that are not supported by libpcap/tcpdump).
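A quick way to verify the explanation above before filing a rule bug is to look at the first bytes of each capture: classic pcap and pcapng start with different magic numbers. The script below is an added example, not code from this ticket or from the Suricata project; the two sample headers are constructed inline so it runs without any capture files. Note that libpcap releases since 1.1.0 can read pcapng too, so a pcapng result points at the format, and the libpcap build Suricata links against decides whether that is the actual cause.

```python
import struct
import sys

# Magic numbers found at offset 0 of a capture file.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "pcap (little-endian, microsecond timestamps)",
    b"\xa1\xb2\xc3\xd4": "pcap (big-endian, microsecond timestamps)",
    b"\x4d\x3c\xb2\xa1": "pcap (little-endian, nanosecond timestamps)",
    b"\xa1\xb2\x3c\x4d": "pcap (big-endian, nanosecond timestamps)",
}
PCAPNG_SHB_TYPE = b"\x0a\x0d\x0d\x0a"  # Section Header Block type, endian-neutral
PCAPNG_BOM = (b"\x1a\x2b\x3c\x4d", b"\x4d\x3c\x2b\x1a")  # byte-order magic, BE / LE


def identify_capture(header: bytes) -> str:
    """Return the capture format implied by the first 12 bytes of a file."""
    if len(header) < 4:
        return "too short to be a capture file"
    magic = header[:4]
    if magic in PCAP_MAGICS:
        return PCAP_MAGICS[magic]
    if magic == PCAPNG_SHB_TYPE:
        # pcapng layout: block type, block length, byte-order magic, version...
        if len(header) >= 12 and header[8:12] in PCAPNG_BOM:
            return "pcapng"
        return "pcapng (truncated section header)"
    return "unknown"


def classic_pcap(header: bytes) -> bool:
    """True for classic pcap, the format every libpcap build reads with -r."""
    return identify_capture(header).startswith("pcap (")


# Constructed sample headers (not taken from the reporter's files):
# a tcpdump-style global header and a minimal 28-byte pcapng Section Header Block.
SAMPLE_TCPDUMP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_WIRESHARK = (PCAPNG_SHB_TYPE + struct.pack("<I", 28) + b"\x4d\x3c\x2b\x1a"
                    + struct.pack("<HHq", 1, 0, -1) + struct.pack("<I", 28))

if __name__ == "__main__":
    # Usage: python check_capture.py capture.pcapng
    # A pcapng file can be rewritten as classic pcap with: editcap -F pcap in.pcapng out.pcap
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{path}: {identify_capture(fh.read(12))}")
```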
