Support #5370
closed
The problem of Suricata reading Wireshark's pcap package
Added by kk4l sc almost 2 years ago.
Updated 11 months ago.
Description
Hello, I'm learning IDS. I wrote a Suricata rule. I used Wireshark and tcpdump to export two pcap packages and read them with the -r parameter. The result is that only the pcap package of tcpdump can be matched.
https://s1.ax1x.com/2022/05/21/OjmOF1.png
Are you able to share the pcaps?
- Status changed from New to Closed
I guess Suricata relies on your libpcap to read the pcap files, so you should use pcap files that are supported by your libpcap library (and Wireshark may use different formats such as pcap-ng that are not supported by libpcap/tcpdump)
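A quick way to check the format point raised in the reply above, before feeding a file to Suricata, is to look at the file's leading magic bytes: classic pcap (what tcpdump writes) starts with a 4-byte magic plus a 24-byte global header, while pcapng (Wireshark's default save format) starts with a Section Header Block. The following is an added example, not part of this ticket or of the Suricata project; the sample headers are constructed inline and the function/file names are my own.

```python
import struct

# Classic pcap magic values (from the pcap file format): byte order and timestamp resolution.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", "us"),  # big-endian, microsecond timestamps
    b"\xd4\xc3\xb2\xa1": ("<", "us"),  # little-endian, microsecond timestamps
    b"\xa1\xb2\x3c\x4d": (">", "ns"),  # big-endian, nanosecond timestamps
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),  # little-endian, nanosecond timestamps
}
PCAPNG_SHB_TYPE = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type, byte-order independent
PCAPNG_BOM = 0x1A2B3C4D                 # pcapng byte-order magic, read to learn the endianness


def sniff_capture_format(data: bytes) -> dict:
    """Classify the start of a capture file as pcap, pcapng or unknown and decode its header."""
    if len(data) < 24:
        return {"format": "unknown", "reason": "shorter than a pcap global header"}
    magic = data[:4]
    if magic in PCAP_MAGICS:
        endian, resolution = PCAP_MAGICS[magic]
        # Global header after the magic: major, minor, thiszone, sigfigs, snaplen, linktype.
        major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
        return {"format": "pcap", "version": f"{major}.{minor}", "timestamps": resolution,
                "snaplen": snaplen, "linktype": linktype}
    if magic == PCAPNG_SHB_TYPE:
        # The SHB's byte order is only known from the byte-order magic at offset 8.
        endian = "<" if struct.unpack("<I", data[8:12])[0] == PCAPNG_BOM else ">"
        if struct.unpack(endian + "I", data[8:12])[0] != PCAPNG_BOM:
            return {"format": "unknown", "reason": "pcapng SHB with a bad byte-order magic"}
        block_len, _bom, major, minor = struct.unpack(endian + "IIHH", data[4:16])
        return {"format": "pcapng", "version": f"{major}.{minor}", "shb_length": block_len}
    return {"format": "unknown", "reason": f"unrecognised magic {magic.hex()}"}


def sniff_capture_file(path: str) -> dict:
    """Read just enough of a file on disk to classify it."""
    with open(path, "rb") as fh:
        return sniff_capture_format(fh.read(32))


# Constructed sample headers (not real captures): a tcpdump-style little-endian pcap header
# (snaplen 262144, linktype 1 = Ethernet) and a minimal 28-byte Wireshark-style pcapng SHB.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
SAMPLE_PCAPNG = struct.pack("<IIIHHq", 0x0A0D0D0A, 28, PCAPNG_BOM, 1, 0, -1) + struct.pack("<I", 28)

if __name__ == "__main__":
    import sys
    print(sniff_capture_file(sys.argv[1]))
```

Run it against both exported files; if the Wireshark one reports `pcapng`, re-saving it from Wireshark as classic pcap (or converting it with `editcap`) gives Suricata a file in the same format as the tcpdump capture.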