
<div dir="ltr"><div>Hi,<br><br></div>Not sure of your requirements but maybe this could save you time if you are looking for indexing of PCAPs.<br><br><a href="http://blog.alejandronolla.com/2013/04/06/moloch-capturing-and-indexing-network-traffic-in-realtime/">http://blog.alejandronolla.com/2013/04/06/moloch-capturing-and-indexing-network-traffic-in-realtime/</a><br>

<a href="https://github.com/aol/moloch">https://github.com/aol/moloch</a><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 16 December 2013 23:51, Cooper F. Nelson <span dir="ltr"><<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>

Hash: SHA1<br>

<br>

Hi all,<br>

<br>

I'm interested in potentially indexing the pcap files that suricata<br>

exports.  Ideally I would like to roll the pcap files when they are 1Gb<br>

in size and then parse them with my indexing program.<br>

<br>

My question is what happens to long-lived TCP flows that could<br>

potentially span multiple files.  Does anyone know if suri logs packets<br>

from tcp flows as they arrive, or queues them up and only writes them<br>

when the session is closed or hits the stream cap?<br>

<br>

- --<br>

Cooper Nelson<br>

Network Security Analyst<br>

UCSD ACT Security Team<br>

<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042<br>

-----BEGIN PGP SIGNATURE-----<br>

Version: GnuPG v2.0.17 (MingW32)<br>

Comment: Using GnuPG with Thunderbird - <a href="http://www.enigmail.net/" target="_blank">http://www.enigmail.net/</a><br>

<br>

iQEcBAEBAgAGBQJSr5IQAAoJEKIFRYQsa8FWTNMH/RUJM7ICzum/FQEke+amQ0om<br>

rPvS7UUjE83/EH2Yzf+7ER64xyx4JW6TV2HcXYTHMnswC+4/AXn3DUzd5i9F4BeW<br>

Ows+dd77IRQI/R5E0La5HrbWJBR0pVi6ASUyMqtpIt7O4xRzhexbxjn83TXBCBzT<br>

99ggFWB4yYLdMUaY/TD5s60kjp0EhcKmJf1L62Oomm0r4nztXtNHRNv9PNhozTr7<br>

1J2wnwXYZwhioD4377fgHzT8diJ/n8xsN4k6LqvhLBgfTfpp5ccRCfO6Iq1iZq88<br>

DGkWUOIGILUUOpWR1Ovt0Puevd0aCWTAYJeSkdG6p2TjAYBv8kJsAkEqv4tzi8w=<br>

=jZIJ<br>

-----END PGP SIGNATURE-----<br>

_______________________________________________<br>

Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>

Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>

List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>

OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>

</blockquote></div><br></div>