<div dir="auto"><div>Hi Francis,<div dir="auto"><br></div><div dir="auto">Yes, this was the problem. If I capture just interface br0 then it all works fine. </div><div dir="auto"><br></div><div dir="auto">Thanks for your help.</div><div dir="auto">Gezzaroy</div><div dir="auto"><br></div><br><div class="gmail_extra"><br><div class="gmail_quote">On 17 Aug 2017 19:51, "Francis Trudeau" <<a href="mailto:ftrudeau@emergingthreats.net">ftrudeau@emergingthreats.net</a>> wrote:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I think it has to do with "-i any"<br>
<br>
It saves it as a 'cooked' pcap:<br>
<br>
$ sudo tcpdump -nnvv -i any -w butt.pcap<br>
<br>
$ file butt.pcap<br>
butt.pcap: tcpdump capture file (little-endian) - version 2.4 (Linux<br>
"cooked", capture length 262144)<br>
<br>
$ sudo tcpdump -nnvv -i wlan0 -w turd.pcap<br>
<br>
$ file turd.pcap<br>
turd.pcap: tcpdump capture file (little-endian) - version 2.4<br>
(Ethernet, capture length 262144)<br>
<br>
I don't get that error here, but I may have different types of<br>
interfaces than you do. Try specifying one interface and see what<br>
happens.<br>
<br>
More info on Linux cooked-mode capture:<br>
<br>
<a href="https://wiki.wireshark.org/SLL" rel="noreferrer" target="_blank">https://wiki.wireshark.org/SLL</a><br>
<br>
FT<br>
<div class="elided-text"><br>
<br>
<br>
<br>
<br>
On Thu, Aug 17, 2017 at 2:37 AM, Gerald Roy <<a href="mailto:15096873@brookes.ac.uk">15096873@brookes.ac.uk</a>> wrote:<br>
> Hi,<br>
> I'm running Suricata 4.0.0 on a Raspberry Pi. I get the TCPDump PCAP files<br>
> from a Linksys WRT1900ACS router running DD-WRT and TCPDump 4.5.1. The<br>
> capture logs are transferred from the router to the Pi over SSH with<br>
> tcpdump -nn -i any -F tcpdumpfilter -w - | ssh -T <a href="mailto:pi@192.168.0.9">pi@192.168.0.9</a> "cat -><br>
> /home/pi/dogbert/br0-remote.pcap"<br>
> and then on the Pi I run<br>
> sudo suricata -c /etc/suricata/suricata.yaml -r<br>
> /home/pi/dogbert/br0-remote.pcap<br>
> I get the following error from Suricata "16/8/2017 -- 11:11:51 - <Error> -<br>
> [ERRCODE: SC_ERR_PCAP_DISPATCH(20)] - error code -1 bogus savefile header".<br>
> What is going wrong? Any help appreciated.<br>
> Thanks<br>
> Gezzaroy<br>
><br>
><br>
</div>> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
><br>
> Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
> Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a><br>
</blockquote></div><br></div></div></div>
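The thread turns on the difference between a "cooked" capture from <code>-i any</code> and an Ethernet capture from a single interface, which <code>file</code> reads out of the 24-byte pcap global header. The script below is an added example, not code from this thread nor from tcpdump or Suricata: it parses that global header itself (byte order, version, snaplen and link type, reporting LINKTYPE 113 as Linux cooked/SLL and 1 as Ethernet, with 276 for the newer SLL2), then walks every packet record and flags record headers whose captured length exceeds the file's snaplen or the on-wire length, or that run past the end of the file. Those per-record inconsistencies are the kind of thing libpcap rejects while dispatching packets, so running this over a transferred file before handing it to <code>suricata -r</code> tells you both what link type the reader will see and whether the file arrived intact. The link-type numbers come from the tcpdump LINKTYPE registry; the <code>make_pcap</code> helper only builds constructed in-memory test files and is not a real capture.

```python
"""Inspect a classic libpcap savefile: global header and per-record sanity.

Added example for the cooked-vs-Ethernet discussion above; not code from
tcpdump, libpcap or Suricata. Link-type values are from the tcpdump
LINKTYPE registry (1 = Ethernet, 113 = Linux cooked/SLL, 276 = SLL2).
"""
import struct

PCAP_MAGIC_US = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # classic pcap, nanosecond timestamps
PCAPNG_MAGIC = 0x0A0D0D0A    # pcapng Section Header Block; not handled here

LINKTYPES = {
    1: "Ethernet",
    113: 'Linux "cooked" (SLL)',
    276: "Linux cooked v2 (SLL2)",
}


def inspect_pcap(data: bytes) -> dict:
    """Parse the 24-byte global header, then walk the packet records.

    Returns byte order, version, snaplen, link type, record count and a list
    of per-record problems. Raises ValueError if the bytes are not classic pcap.
    """
    if len(data) < 24:
        raise ValueError("short file: %d bytes, need 24 for the global header" % len(data))
    (magic_le,) = struct.unpack("<I", data[:4])
    (magic_be,) = struct.unpack(">I", data[:4])
    if magic_le in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian, magic = "<", magic_le          # written by a little-endian host
    elif magic_be in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian, magic = ">", magic_be          # written by a big-endian host
    elif magic_le == PCAPNG_MAGIC:
        raise ValueError("pcapng file, not classic pcap")
    else:
        raise ValueError("unknown magic 0x%08x: not a pcap savefile" % magic_le)

    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])

    problems = []
    offset, count = 24, 0
    while offset < len(data):
        if offset + 16 > len(data):
            problems.append("record %d: truncated record header at offset %d" % (count, offset))
            break
        _ts_sec, _ts_frac, caplen, wirelen = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        # A record claiming more captured bytes than the snaplen allows, or
        # more than were on the wire, has an inconsistent header.
        if caplen > snaplen:
            problems.append("record %d: caplen %d exceeds snaplen %d" % (count, caplen, snaplen))
        if caplen > wirelen:
            problems.append("record %d: caplen %d exceeds on-wire length %d" % (count, caplen, wirelen))
        if offset + 16 + caplen > len(data):
            problems.append("record %d: packet data runs past end of file" % count)
            break
        offset += 16 + caplen
        count += 1

    return {
        "byte_order": "little-endian" if endian == "<" else "big-endian",
        "nanosecond": magic == PCAP_MAGIC_NS,
        "version": "%d.%d" % (major, minor),
        "snaplen": snaplen,
        "linktype": linktype,
        "linktype_name": LINKTYPES.get(linktype, "LINKTYPE_%d" % linktype),
        "cooked": linktype in (113, 276),
        "records": count,
        "problems": problems,
    }


def make_pcap(linktype: int, packets, snaplen: int = 262144) -> bytes:
    """Build a minimal little-endian pcap 2.4 file in memory.

    Constructed test data only; `packets` is a list of (ts_sec, payload, wirelen).
    """
    out = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, payload, wirelen in packets:
        out += struct.pack("<IIII", ts_sec, 0, len(payload), wirelen) + payload
    return out


def inspect_pcap_file(path: str) -> dict:
    with open(path, "rb") as f:
        return inspect_pcap(f.read())


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        r = inspect_pcap_file(path)
        print("%s: pcap %s (%s, %s, snaplen %d, %d records)" % (
            path, r["version"], r["byte_order"], r["linktype_name"], r["snaplen"], r["records"]))
        for msg in r["problems"]:
            print("  !", msg)
```

Run it as <code>python3 pcapinfo.py /home/pi/dogbert/br0-remote.pcap</code> on the Pi side of the transfer (the script name is an assumption); a capture made with <code>-i any</code> reports the cooked link type, one made from <code>br0</code> or <code>wlan0</code> reports Ethernet, and any record-level complaint means the file was damaged or cut short in transit rather than merely being the wrong link type.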