Suricata

Just a thought, I wonder if it would make more sense to use tcpdump instead, it's applicable to many more scenarios like when there is no desktop environment available. So a more generic guide on:

It is necessary to know which interface card on your computer is being used for traffic.

would be very useful. Its a pretty common question I think.

Jason Ish wrote in #note-1:

Just a thought, I wonder if it would make more sense to use tcpdump instead, it's applicable to many more scenarios like when there is no desktop environment available. So a more generic guide on:

It is necessary to know which interface card on your computer is being used for traffic.

would be very useful. Its a pretty common question I think.

Could this be a separate task? Reason: for a newcomer, I imagine it may be easier to try and reproduce the steps in the current guide, see what doesn't work, and then update as needed, than to write a guide from scratch. So while I agree that that's a good guide to have, I think the difficulty level may increase.

I suppose it could be its own guide. I've never paid attention to this one before...

But, Running Wireshark with sudo or as root is considered bad security practice, even by the Wireshark project: https://wiki.wireshark.org/Security

Requiring a bit more setup to run safely on live traffic: https://wiki.wireshark.org/CaptureSetup/CapturePrivileges#setting-network-privileges-for-dumpcap-if-your-kernel-and-file-system-support-file-capabilities

Jason Ish wrote in #note-3:

I suppose it could be its own guide. I've never paid attention to this one before...

But, Running Wireshark with sudo or as root is considered bad security practice, even by the Wireshark project: https://wiki.wireshark.org/Security

Requiring a bit more setup to run safely on live traffic: https://wiki.wireshark.org/CaptureSetup/CapturePrivileges#setting-network-privileges-for-dumpcap-if-your-kernel-and-file-system-support-file-capabilities

Let's make this change a requirement, when someone claims this one, then :)

Jason Ish wrote in #note-1:

Just a thought, I wonder if it would make more sense to use tcpdump instead, it's applicable to many more scenarios like when there is no desktop environment available. So a more generic guide on:

It is necessary to know which interface card on your computer is being used for traffic.

would be very useful. Its a pretty common question I think.

I think I just confused myself. I interpreted that you wanted a guide on using tcpdump to sniff packets.
But... do you also want a guide on how to know which interface card is being used for traffic? (just so I create the correct tickets :P )

Juliana Fajardini Reichow wrote in #note-5:

Jason Ish wrote in #note-1:

Just a thought, I wonder if it would make more sense to use tcpdump instead, it's applicable to many more scenarios like when there is no desktop environment available. So a more generic guide on:

It is necessary to know which interface card on your computer is being used for traffic.

would be very useful. Its a pretty common question I think.

I think I just confused myself. I interpreted that you wanted a guide on using tcpdump to sniff packets.
But... do you also want a guide on how to know which interface card is being used for traffic? (just so I create the correct tickets :P )

I think the "missing guide" is the one that helps you determine what interface you need to be running Suricata on it. I think a guide using tcpdump is the most versatile here (but not a guide on tcpdump itself, out of scope). Following the Wireshark guide:

- Convert ifconfig to ip --brief address as ifconfig isn't install by default on many Linux systems these days
- Run tcpdump, are you seeing the packets you expect to see, perhaps with an address filter