Feature #5499
openPCAP-over-IP client
Description
Implement a PCAP-over-IP client, so that packets can be read from a TCP socket as an alternative to reading a pcap file or sniffing an interface.
PCAP-over-IP can be used to live-stream captured packets from a remote sniffer to Suricata without having to replay it to a dummy network interface. The PCAP stream might be decrypted HTTPS traffic from a TLS proxy or packets from a pcap-broker. There are several downsides of replaying packets to an interface, such as requiring root privs and risk of packet loss, so reading them from a TCP socket instead is preferable.
It would be nice if Suricata would support the same TCP socket interface syntax as Wireshark/tshark.
https://wiki.wireshark.org/CaptureSetup/Pipes.md#tcp-socket
suricata -i TCP@192.168.1.2:57012
Or if the TCP socket could be specified with -r:
suricata -r TCP@192.168.1.2:57012
Another option would be to add a custom option specifically for PCAP-over-IP:
suricata --pcapoveripconnect 192.168.1.2:57012
Files
BM Updated by Brandon Murphy over 2 years ago
+1 to this, cool idea for integrating with PolarProxy!
Referenced here: https://forum.suricata.io/t/forward-inspected-traffic-from-suricata-to-other-virtual-instance-polarproxy/3572/6
VJ Updated by Victor Julien over 2 years ago
- Assignee changed from OISF Dev to Community Ticket
While a nice idea, I don't see us working on this anytime soon. So could be a nice project for someone looking to contribute.
MM Updated by Mahmoud Maatuq almost 2 years ago
- Status changed from New to Assigned
- Assignee changed from Community Ticket to Mahmoud Maatuq
HV Updated by Hans Vermeer over 1 year ago
- File pcapoverip.diff pcapoverip.diff added
In case this will be picked up again to merge into main, I've attached a dirty patch we applied to commit 31bed10ff6666cc122ebca7b2283fd2bd1b9ba90 to get this working.
VJ Updated by Victor Julien over 1 year ago
Any interest in cleaning it up and submitting it for inclusion?
JF Updated by Juliana Fajardini Reichow over 1 year ago
Hi @Mahmoud Maatuq are you still working on this issue?
MM Updated by Mahmoud Maatuq over 1 year ago
Hey @Juliana Fajardini Reichow, I almost forgot about this ticket, but yes I'm going to work on it, thanks for the remainder.
MM Updated by Mahmoud Maatuq over 1 year ago
- Status changed from Assigned to In Progress
PA Updated by Philippe Antoine about 1 year ago
EH Updated by Erik Hjelmvik 4 months ago
- Description updated (diff)