Feature #8225
open
dpdk: recognize net_pcap driver and stop after no packets are rx_bursted
Description
This can be used to read PCAP files, similarly to the PCAP reading mode in Suricata. The purpose is to test DPDK capture method "offline". This can be done currently as well but Suricata is now stuck in the RX loop after the PCAP reading is finished. The PCAP end of file is characterized by receiving no packets.
The workaround nowadays is to use the timeout command, but as a side effect, it slows the evaluation down because "the test" waits until the timeout duration elapses.
This, in turn, stops immediately after PCAP is read and processed.
Within the task, document this option and also evaluate if something like "streaming PCAP files" should be considered.
Updated by OISF Ticketbot about 1 month ago
- Label deleted (Needs backport to 8.0)
Updated by Lukas Sismis about 1 month ago
Just a thought that occurred to me - the system can support multiple "interfaces" == PCAP files, therefore it cannot close the whole Suricata after the first PCAP file is finished. It probably should leave flow/other records in the tables as is.
Updated by Lukas Sismis 18 days ago
- Assignee changed from Lukas Sismis to Mahmoud Maatuq
Mahmoud also opened a discussion in the DPDK Slack for even nicer support of EOF when reading PCAPs.
https://dpdkproject.slack.com/archives/CB2UPBU48/p1770496847835459
At the moment, there is no clear solution better than relying on 0 packets RXed.
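The behaviour discussed in this ticket, as an added sketch that is not Suricata's or DPDK's code: a zero-packet burst is treated as EOF only on ports whose driver name is `net_pcap`, and the loop exits only once every port is finished, so one short PCAP does not end the run. `struct port`, `mock_rx_burst` and `rx_loop` are hypothetical stand-ins (the mock plays the role of `rte_eth_rx_burst()`), and the packet counts and the `net_live_nic` name are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BURST 32

/* Constructed stand-in for a DPDK port (assumption, not a DPDK type). */
struct port {
    const char *driver;  /* what dev_info.driver_name would report */
    uint32_t remaining;  /* packets left in the constructed PCAP */
    uint32_t processed;  /* packets handed to the pipeline so far */
    int done;            /* set once EOF has been seen on this port */
};

/* Mock of rte_eth_rx_burst(): up to n packets, 0 once the source is drained. */
static uint16_t mock_rx_burst(struct port *p, uint16_t n)
{
    uint16_t got = p->remaining < n ? (uint16_t)p->remaining : n;
    p->remaining -= got;
    return got;
}

/* Polls all ports. Returns the iteration on which every port was finished,
 * or -1 if max_iter was reached (the "stuck in the RX loop" case). */
static int rx_loop(struct port *ports, int nports, int max_iter)
{
    for (int iter = 1; iter <= max_iter; iter++) {
        int active = 0;
        for (int i = 0; i < nports; i++) {
            struct port *p = &ports[i];
            if (p->done)
                continue;
            uint16_t got = mock_rx_burst(p, BURST);
            p->processed += got;
            /* A zero burst is EOF only for net_pcap; on a live NIC it is
             * just an idle queue, so that port stays active. */
            if (got == 0 && strcmp(p->driver, "net_pcap") == 0)
                p->done = 1;
            else
                active++;
        }
        if (active == 0)
            return iter;
    }
    return -1;
}

int main(void)
{
    struct port ports[2] = { {"net_pcap", 70, 0, 0}, {"net_pcap", 10, 0, 0} };
    printf("exited after %d iterations\n", rx_loop(ports, 2, 100));
    return 0;
}
```

Flow and other table state is left untouched when a port is marked done, matching the comment above that records should stay as they are.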