Documentation #6725: document pcap file variables - Suricata - Open Information Security Foundation

Actions

Copy link

Documentation #6725

closed

document pcap file variables

Added by Jason Taylor 3 months ago. Updated about 1 month ago.

Status:

Closed

Priority:

Normal

Assignee:

Jason Taylor

Target version:

8.0.0-beta1

Affected Versions:

Effort:

Difficulty:

Label:

Description

from https://discord.com/channels/864648830553292840/888087709002891324/1201911877760720966

you can do the same with suri as well
[10:35 AM]
filename: "%n/so-pcap.%t"
[10:35 AM]
that creates a dir per thread
[10:35 AM]
and then you spread those threads on multiple drives

%n is the thread number
[10:39 AM]
and %t is the time stamp

VVelox — Today at 10:41 AM
What thread type?

Mike Reeves(Security Onion) — Today at 10:41 AM
https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L361-L381

its a worker thread
[10:42 AM]
this is if you choose the mode multi
[10:43 AM]
normal all threads dump to a single file but isn't as fast

Actions

Copy link

Updated by Juliana Fajardini Reichow 3 months ago

Target version changed from TBD to 8.0.0-beta1

Actions

Copy link

Updated by Jason Taylor 2 months ago

Status changed from New to Resolved

https://github.com/OISF/suricata/pull/10294 PR merged in https://github.com/OISF/suricata/pull/10413

Actions

Copy link

Updated by Jason Taylor about 1 month ago

Status changed from Resolved to Closed

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries