[Oisf-devel] Pcap file open issue with Suricata 3

Hwang In Chan neogeoss1 at gmail.com
Tue Jun 12 05:32:07 UTC 2018


Hello!

I am working on Suricata 3 source code to add an additional feature to it.

I know Suricata 3 reads a pcap file in the command line.

We added another function to extract eml files when it reads Pcap in the
command line.

https://github.com/CPP-CProgramming/Suricata/blob/master/src/app-layer-smtp.c#L1613-L1619

https://github.com/CPP-CProgramming/Suricata/blob/master/src/util-file.c#L780

However, it shows an abnormal behavior when it reads a Pcap file.

https://drive.google.com/file/d/1TpQnZJyTgCilKPV4H4l-Z43P2EUPW6Kg/view?usp=drive_web

If it reads 200 eml files out of a pcap file, it only writes 191 files.

It does not read and write all the files out of Pcap, but misses some files.

We believe that this issue disappeared in Suricata 4.

If you have been aware of this issue, could you tell me how to avoid it?