Feature #5499

Updated by Erik Hjelmvik 17 days ago

Implement a PCAP-over-IP client, so that packets can be read from a TCP socket as an alternative to reading a pcap file or sniffing an interface. 

PCAP-over-IP can be used to live-stream captured packets from a remote sniffer to Suricata, but the most useful use-case is probably in order to read decrypted HTTPS traffic from a TLS proxy without having to replay it to a dummy network interface. The PCAP stream might be decrypted HTTPS traffic from a TLS proxy or packets from a "pcap-broker":https://github.com/fox-it/pcap-broker. There are several downsides of replaying packets to an interface, such as requiring root privs and risk of packet loss, so reading them from a TCP socket instead is preferable.

It would be nice if Suricata would support the same TCP socket interface syntax as Wireshark/tshark:
https://wiki.wireshark.org/CaptureSetup/Pipes.md#tcp-socket
<pre><code class="shell">
suricata -i TCP@192.168.1.2:57012
</code></pre>

Or if the TCP socket could be specified with -r:
<pre><code class="shell">
suricata -r TCP@192.168.1.2:57012
</code></pre>

Another option would be to add a custom option specifically for PCAP-over-IP:
<pre><code class="shell">
suricata --pcapoveripconnect 192.168.1.2:57012
</code></pre>
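As an added example (not Suricata's code, and not pcap-broker's), the following Python client shows what a PCAP-over-IP reader actually has to do: the stream is just the legacy libpcap file format (24-byte global header, then 16-byte record headers each followed by the captured bytes) sent over a plain TCP connection, with the peer's disconnect marking the end of the capture. The reader handles both byte orders and both the microsecond (0xA1B2C3D4) and nanosecond (0xA1B23C4D) magic values, rejects implausible capture lengths from a corrupt or hostile sender, and distinguishes a clean EOF between records from a connection cut mid-record. The host/port in `connect_pcap_over_ip` are placeholders and the sample stream is constructed inline so the code runs offline.

```python
"""PCAP-over-IP reader: added illustration, not part of Suricata or pcap-broker."""
import io
import socket
import struct
from typing import Callable, Iterator, List, NamedTuple, Tuple

PCAP_MAGIC_USEC = 0xA1B2C3D4   # timestamps in seconds + microseconds
PCAP_MAGIC_NSEC = 0xA1B23C4D   # timestamps in seconds + nanoseconds
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16
MAX_SNAPLEN = 262144           # libpcap's MAXIMUM_SNAPLEN; anything larger is garbage


class PcapFormat(NamedTuple):
    endian: str        # struct prefix, "<" or ">"
    nanoseconds: bool
    linktype: int      # e.g. 1 = LINKTYPE_ETHERNET
    snaplen: int


class Packet(NamedTuple):
    ts_sec: int
    ts_frac: int       # microseconds or nanoseconds, see PcapFormat.nanoseconds
    orig_len: int
    data: bytes


class StreamTruncated(Exception):
    """Peer closed the connection in the middle of a header or a record."""


def read_exact(recv: Callable[[int], bytes], n: int) -> bytes:
    """Read exactly n bytes from recv(); return b'' only on a clean EOF at offset 0."""
    buf = bytearray()
    while len(buf) < n:
        chunk = recv(n - len(buf))
        if not chunk:
            if not buf:
                return b""
            raise StreamTruncated(f"needed {n} bytes, got {len(buf)} before EOF")
        buf += chunk
    return bytes(buf)


def parse_global_header(hdr: bytes) -> PcapFormat:
    """Detect byte order and timestamp resolution from the magic, then unpack the rest."""
    if len(hdr) != GLOBAL_HEADER_LEN:
        raise ValueError("global header must be 24 bytes")
    magic_le = struct.unpack("<I", hdr[:4])[0]
    magic_be = struct.unpack(">I", hdr[:4])[0]
    if magic_le in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian, magic = "<", magic_le
    elif magic_be in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian, magic = ">", magic_be
    else:
        raise ValueError(f"not a pcap stream (pcapng is not supported): magic {hdr[:4].hex()}")
    # version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", hdr[4:])
    return PcapFormat(endian, magic == PCAP_MAGIC_NSEC, linktype, snaplen)


class PcapOverIpReader:
    """Parses a pcap byte stream pulled from any recv(n)-style callable (socket.recv, BytesIO.read)."""

    def __init__(self, recv: Callable[[int], bytes]):
        self._recv = recv
        hdr = read_exact(recv, GLOBAL_HEADER_LEN)
        if not hdr:
            raise StreamTruncated("peer closed before sending a global header")
        self.fmt = parse_global_header(hdr)

    def __iter__(self) -> Iterator[Packet]:
        rec = struct.Struct(self.fmt.endian + "IIII")   # ts_sec, ts_frac, caplen, orig_len
        while True:
            raw = read_exact(self._recv, RECORD_HEADER_LEN)
            if not raw:
                return                                  # clean EOF on a record boundary
            ts_sec, ts_frac, caplen, orig_len = rec.unpack(raw)
            if caplen > MAX_SNAPLEN:
                raise ValueError(f"caplen {caplen} exceeds {MAX_SNAPLEN}; corrupt stream")
            data = read_exact(self._recv, caplen) if caplen else b""
            if caplen and not data:
                raise StreamTruncated("EOF inside packet data")
            yield Packet(ts_sec, ts_frac, orig_len, data)


def connect_pcap_over_ip(host: str, port: int, timeout: float = 10.0) -> PcapOverIpReader:
    """Connect to a PCAP-over-IP server (placeholder host/port) and return a reader."""
    sock = socket.create_connection((host, port), timeout=timeout)
    return PcapOverIpReader(sock.recv)


# Constructed sample: two Ethernet-linktype records with dummy frame bytes (not real traffic).
SAMPLE_FRAMES = [(1700000000, 123456, b"\xaa" * 60), (1700000001, 654321, b"\xbb" * 14)]


def build_sample_stream(nanoseconds: bool = False, endian: str = "<") -> bytes:
    magic = PCAP_MAGIC_NSEC if nanoseconds else PCAP_MAGIC_USEC
    out = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    for ts_sec, ts_frac, frame in SAMPLE_FRAMES:
        out += struct.pack(endian + "IIII", ts_sec, ts_frac, len(frame), len(frame)) + frame
    return out


def parse_stream(data: bytes) -> Tuple[PcapFormat, List[Packet]]:
    reader = PcapOverIpReader(io.BytesIO(data).read)
    return reader.fmt, list(reader)


def demo_over_socketpair() -> int:
    """Push the constructed stream through a real socket so recv() and EOF handling are exercised."""
    sender, receiver = socket.socketpair()
    sender.sendall(build_sample_stream())
    sender.close()                       # disconnect ends the capture, like a broker going away
    count = sum(1 for _ in PcapOverIpReader(receiver.recv))
    receiver.close()
    return count


if __name__ == "__main__":
    fmt, pkts = parse_stream(build_sample_stream())
    print(fmt, [(p.ts_sec, p.ts_frac, len(p.data)) for p in pkts])
    print("packets received over socketpair:", demo_over_socketpair())
```

Because the reader only needs a `recv(n)` callable, the same code serves a TCP socket from a remote sniffer, a TLS proxy emitting decrypted HTTPS as pcap, or a local file; no interface, replay, or root privilege is involved, which is exactly the advantage the feature request is after.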
