<div dir="ltr"><div>Hi,<br><br></div>Not sure of your requirements but maybe this could save you time if you are looking for indexing of PCAPs.<br><br><a href="http://blog.alejandronolla.com/2013/04/06/moloch-capturing-and-indexing-network-traffic-in-realtime/">http://blog.alejandronolla.com/2013/04/06/moloch-capturing-and-indexing-network-traffic-in-realtime/</a><br>
<a href="https://github.com/aol/moloch">https://github.com/aol/moloch</a><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 16 December 2013 23:51, Cooper F. Nelson <span dir="ltr"><<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
Hi all,<br>
<br>
I'm interested in potentially indexing the pcap files that suricata<br>
exports.  Ideally I would like to roll the pcap files when they are 1Gb<br>
in size and then parse them with my indexing program.<br>
<br>
My question is what happens to long-lived TCP flows that could<br>
potentially span multiple files.  Does anyone know if suri logs packets<br>
from tcp flows as they arrive, or queues them up and only writes them<br>
when the session is closed or hits the stream cap?<br>
<br>
- --<br>
Cooper Nelson<br>
Network Security Analyst<br>
UCSD ACT Security Team<br>
<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2.0.17 (MingW32)<br>
Comment: Using GnuPG with Thunderbird - <a href="http://www.enigmail.net/" target="_blank">http://www.enigmail.net/</a><br>
<br>
iQEcBAEBAgAGBQJSr5IQAAoJEKIFRYQsa8FWTNMH/RUJM7ICzum/FQEke+amQ0om<br>
rPvS7UUjE83/EH2Yzf+7ER64xyx4JW6TV2HcXYTHMnswC+4/AXn3DUzd5i9F4BeW<br>
Ows+dd77IRQI/R5E0La5HrbWJBR0pVi6ASUyMqtpIt7O4xRzhexbxjn83TXBCBzT<br>
99ggFWB4yYLdMUaY/TD5s60kjp0EhcKmJf1L62Oomm0r4nztXtNHRNv9PNhozTr7<br>
1J2wnwXYZwhioD4377fgHzT8diJ/n8xsN4k6LqvhLBgfTfpp5ccRCfO6Iq1iZq88<br>
DGkWUOIGILUUOpWR1Ovt0Puevd0aCWTAYJeSkdG6p2TjAYBv8kJsAkEqv4tzi8w=<br>
=jZIJ<br>
-----END PGP SIGNATURE-----<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
</blockquote></div><br></div>
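The quoted question concerns pcap files rolled at a size limit and TCP flows that cross from one file into the next. As an added illustration for that situation, not code from either poster, from Suricata or from Moloch, the script below indexes several rolled pcap files by a direction-independent TCP 5-tuple and records every file and byte offset at which a flow's packets occur, so a session that continues in a later file can still be located from the index. It assumes classic little-endian libpcap files with Ethernet framing and IPv4/TCP (other packets are skipped, and a truncated trailing record is tolerated); the two sample files, their file names and the addresses in them are constructed in memory and are placeholders.

```python
"""Index TCP flows across several rolled pcap files (added example; assumes
classic little-endian libpcap, Ethernet framing, IPv4/TCP). Sample files
below are constructed in memory so the script runs offline."""
import struct
from collections import defaultdict

PCAP_MAGIC_LE, LINKTYPE_ETHERNET, ETHERTYPE_IPV4 = 0xA1B2C3D4, 1, 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17
SYN, FIN, PSH, ACK = 0x02, 0x01, 0x08, 0x10


def flow_key(src_ip, src_port, dst_ip, dst_port):
    """Direction-independent key so both halves of a TCP session share one entry."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (min(a, b), max(a, b), "tcp")


def iter_packets(data):
    """Yield (record_offset, timestamp, packet_bytes) for each record in a pcap buffer."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic, linktype = struct.unpack_from("<I", data, 0)[0], struct.unpack_from("<I", data, 20)[0]
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap magic or link type")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        start, end = off + 16, off + 16 + incl_len
        if end > len(data):
            break  # partial trailing record: a rolled file may have been cut mid-write
        yield off, ts_sec + ts_usec / 1e6, data[start:end]
        off = end


def parse_tcp(pkt):
    """Return (src_ip, src_port, dst_ip, dst_port, tcp_flags), or None if not IPv4/TCP."""
    if len(pkt) < 34 or struct.unpack_from("!H", pkt, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = pkt[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    src_ip, dst_ip = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    src_port, dst_port = struct.unpack_from("!HH", ip, ihl)
    return src_ip, src_port, dst_ip, dst_port, ip[ihl + 13]


def index_files(files):
    """Map flow_key -> [(file_name, record_offset, timestamp, flags), ...] across all files."""
    index = defaultdict(list)
    for name, data in files:
        for off, ts, pkt in iter_packets(data):
            parsed = parse_tcp(pkt)
            if parsed:
                s_ip, s_port, d_ip, d_port, flags = parsed
                index[flow_key(s_ip, s_port, d_ip, d_port)].append((name, off, ts, flags))
    return index


def files_for_flow(index, key):
    """Distinct files a flow touches, in time order; more than one means it crossed a roll."""
    seen = []
    for name, _off, _ts, _flags in sorted(index.get(key, []), key=lambda r: r[2]):
        if name not in seen:
            seen.append(name)
    return seen


# Constructed sample data: placeholder file names and RFC 1918 addresses.
def _ip4(s):
    return bytes(int(x) for x in s.split("."))


def build_packet(src_ip, sport, dst_ip, dport, flags, payload=b"", proto=IPPROTO_TCP):
    """Ethernet/IPv4 frame with a minimal TCP (or UDP) header; checksums are left zero."""
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     _ip4(src_ip), _ip4(dst_ip))
    return bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4


def build_pcap(records):
    """[(ts_sec, packet_bytes), ...] -> bytes of a classic libpcap file."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + b"".join(struct.pack("<IIII", ts, 0, len(p), len(p)) + p for ts, p in records)


FLOW_A = ("10.0.0.1", 40000, "10.0.0.2", 80)   # begins in file 1, finishes in file 2
FLOW_B = ("10.0.0.3", 50000, "10.0.0.4", 443)  # contained entirely in file 1
SAMPLE_FILES = [
    ("log.1387000000.pcap", build_pcap([
        (100, build_packet(*FLOW_A, SYN)),
        (100, build_packet("10.0.0.2", 80, "10.0.0.1", 40000, SYN | ACK)),
        (101, build_packet(*FLOW_A, PSH | ACK, b"GET / HTTP/1.1\r\n")),
        (101, build_packet("10.0.0.9", 5353, "10.0.0.10", 53, 0, proto=IPPROTO_UDP)),  # skipped
        (102, build_packet(*FLOW_B, SYN)),
        (103, build_packet(*FLOW_B, FIN | ACK)),
    ])),
    ("log.1387000200.pcap", build_pcap([
        (200, build_packet("10.0.0.2", 80, "10.0.0.1", 40000, PSH | ACK, b"HTTP/1.1 200 OK\r\n")),
        (201, build_packet(*FLOW_A, FIN | ACK)),
    ])),
]

if __name__ == "__main__":
    idx = index_files(SAMPLE_FILES)
    for key, recs in idx.items():
        print(key[0], "<->", key[1], "packets:", len(recs), "files:", files_for_flow(idx, key))
```

The index keeps the file name and record offset rather than the packet itself, so the packets of a flow that straddles two rolled files can be pulled back out of both files in timestamp order when the flow is reassembled; on real captures the same functions would be fed the bytes of each rolled file in turn.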