Project

General

Profile

Actions
Copy link

Feature #8225

open

dpdk: recognize net_pcap driver and stop after no packets are rx_bursted

Added by Lukas Sismis 24 days ago. Updated 17 days ago.

Status:
Assigned
Priority:
Normal
Assignee:
Lukas Sismis
Target version:
9.0.0-beta1
Effort:
Difficulty:
Label:

Description

This can be used to read PCAP files, similarly to the PCAP reading mode in Suriacta. The purpose is to test DPDK capture method "offline". This can be done currently as well but Suricata is now stuck in the RX loop after the PCAP reading is finished. The PCAP end of file is characterized by receiving no packets.
The workaround nowadays is to use timeout command, but as a side effect, it slows the evaluation down because "the test" waits until the timeout duration elapses.

This, in turn, stops immediately after PCAP is read and processed.

Within the task, document this option and also evaluate if something like "streaming PCAP files" should be considered.

Subtasks 1 (1 open0 closed)

Feature #8229: dpdk: recognize net_pcap driver and stop after no packets are rx_bursted (8.0.x backport)AssignedLukas SismisActions
Actions
Copy link
 #1

Updated by OISF Ticketbot 24 days ago

  • Subtask #8229 added
Actions
Copy link
 #2

Updated by OISF Ticketbot 24 days ago

  • Label deleted (Needs backport to 8.0)
Actions
Copy link
 #3

Updated by Lukas Sismis 17 days ago

just some thought I came through - the system can support multiple "interface" == PCAP files, therefore it cannot close the whole Suricata after the first PCAP file is finished. It probably should leave flow/other records in the tables as is.

Actions
Copy link

Also available in: Atom PDF