Support #5370
The problem of Suricata reading Wireshark's pcap package (Closed)
Description
Hello, I'm learning IDS. I wrote a Suricata rule. I used Wireshark and tcpdump to export two pcap packages and read them with the -r parameter. The result is that only the pcap package from tcpdump can be matched.
Updated by Philippe Antoine 11 months ago
- Status changed from New to Closed
I guess Suricata relies on your libpcap to read the pcap files, so you should use pcap files that are supported by your libpcap library (Wireshark may use different formats, such as pcap-ng, which are not supported by libpcap/tcpdump).
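One way to check which container format a capture actually uses before handing it to `suricata -r`, as an added example that is not from this ticket or the Suricata project: a POSIX shell function that classifies a file by its 4-byte magic number (classic libpcap vs. pcap-ng), exercised on constructed sample headers rather than real captures; `editcap` in the comment is Wireshark's own converter and is assumed to be installed.

```shell
#!/bin/sh
# Classify a capture file by its leading 4-byte magic number.
# Prints one of: pcap, pcap-ns, pcapng, unknown.
pcap_format() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4) echo pcap ;;      # classic libpcap, microsecond timestamps
        4d3cb2a1|a1b23c4d) echo pcap-ns ;;   # classic libpcap, nanosecond timestamps
        0a0d0d0a)          echo pcapng ;;    # pcap-ng Section Header Block (Wireshark default)
        *)                 echo unknown ;;
    esac
}

# Constructed sample headers (not real captures) so the check runs offline.
write_samples() {
    dir=$1
    printf '\324\303\262\241' > "$dir/tcpdump.pcap"      # d4 c3 b2 a1
    printf '\012\015\015\012' > "$dir/wireshark.pcapng"  # 0a 0d 0d 0a
    printf 'GET / HTTP/1.1\r\n' > "$dir/not-a-capture.bin"
}

# A pcapng file can be converted to classic pcap with Wireshark's editcap
# (assumed installed):  editcap -F pcap input.pcapng output.pcap
# Usage: ./pcapcheck.sh file1 [file2 ...]  before running  suricata -r file
if [ -n "${1:-}" ]; then
    for f in "$@"; do
        printf '%s\t%s\n' "$(pcap_format "$f")" "$f"
    done
fi
```

A file reported as `pcapng` is the one to convert (or re-save from Wireshark as plain pcap) when the installed libpcap does not read pcap-ng.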