Project

General

Profile

Actions
Copy link

Feature #5499

open

PCAP-over-IP client

Added by Erik Hjelmvik almost 3 years ago. Updated 6 months ago.

Status:
In Progress
Priority:
Normal
Assignee:
Mahmoud Maatuq
Target version:
TBD
Effort:
Difficulty:
Label:

Description

Implement a PCAP-over-IP client, so that packets can be read from a TCP socket as an alternative to reading a pcap file or sniffing an interface.

PCAP-over-IP can be used to live-stream captured packets from a remote sniffer to Suricata, but the most useful use-case is probably in order to read decrypted HTTPS traffic from a TLS proxy without having to replay it to a dummy network interface. There are several downsides of replaying packets to an interface, such as requiring root privs and risk of packet loss, so reading them from a TCP socket instead is preferable.

It would be nice if Suricata would support the same TCP socket interface syntax as Wireshark/tshark.
https://wiki.wireshark.org/CaptureSetup/Pipes.md#tcp-socket

suricata -i TCP@192.168.1.2:57012

Or if the TCP socket could be specified with -r:

suricata -r TCP@192.168.1.2:57012

Another option would be to add a custom option specifically for PCAP-over-IP:

suricata --pcapoveripconnect 192.168.1.2:57012

Files

pcapoverip.diff (8.49 KB) pcapoverip.diff Hans Vermeer, 09/26/2024 07:42 PM
Actions
Copy link
 #1

Updated by Brandon Murphy over 1 year ago

Actions
Copy link
 #2

Updated by Victor Julien over 1 year ago

  • Assignee changed from OISF Dev to Community Ticket

While a nice idea, I don't see us working on this anytime soon. So could be a nice project for someone looking to contribute.

Actions
Copy link
 #3

Updated by Mahmoud Maatuq about 1 year ago

  • Status changed from New to Assigned
  • Assignee changed from Community Ticket to Mahmoud Maatuq
Actions
Copy link
 #4

Updated by Hans Vermeer 10 months ago

In case this will be picked up again to merge into main, I've attached a dirty patch we applied to commit 31bed10ff6666cc122ebca7b2283fd2bd1b9ba90 to get this working.

Actions
Copy link
 #5

Updated by Victor Julien 10 months ago

Any interest in cleaning it up and submitting it for inclusion?

Actions
Copy link
 #6

Updated by Juliana Fajardini Reichow 7 months ago

Hi @Mahmoud Maatuq are you still working on this issue?

Actions
Copy link
 #7

Updated by Mahmoud Maatuq 7 months ago

Hey @Juliana Fajardini Reichow, I almost forgot about this ticket, but yes I'm going to work on it, thanks for the remainder.

Actions
Copy link
 #8

Updated by Mahmoud Maatuq 7 months ago

  • Status changed from Assigned to In Progress
Actions
Copy link

Also available in: Atom PDF