<div dir="ltr">Thanks Cooper, that seems like the bit i was missing, as expected it was right in front of me.  I'll try that out.<div><br></div><div>Thanks again,<br>Jeff</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 31, 2017 at 1:04 PM, Cooper F. Nelson <span dir="ltr"><<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    <div class="m_7990976466446965296moz-cite-prefix">Enabled the Unified2 logging and then
      extract the pcaps with u2boat (ships with snort).<br>
      <br>
      -Coop<span class=""><br>
      <br>
      On 10/31/2017 7:42 AM, Jeff Dyke wrote:<br>
    </span></div>
    <blockquote type="cite"><span class="">
      
      <div dir="ltr">I've read the docs regarding pcap.log, but was
        curious if i could log only packets that generate an alert (not
        a drop). I may have missed something in the eve configuration.
        It would not be the end of the world to use pcap, but wanted to
        make sure i wasn't missing something obvious.
        <div><br>
        </div>
        <div>Thanks!</div>
      </div>
      <br>
      <fieldset class="m_7990976466446965296mimeAttachmentHeader"></fieldset>
      <br>
      </span><pre>______________________________<wbr>_________________
Suricata IDS Users mailing list: <a class="m_7990976466446965296moz-txt-link-abbreviated" href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@<wbr>openinfosecfoundation.org</a>
Site: <a class="m_7990976466446965296moz-txt-link-freetext" href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a class="m_7990976466446965296moz-txt-link-freetext" href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/<wbr>support/</a>
List: <a class="m_7990976466446965296moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-users</a>

Conference: <a class="m_7990976466446965296moz-txt-link-freetext" href="https://suricon.net" target="_blank">https://suricon.net</a>
Trainings: <a class="m_7990976466446965296moz-txt-link-freetext" href="https://suricata-ids.org/training/" target="_blank">https://suricata-ids.org/<wbr>training/</a></pre><span class="HOEnZb"><font color="#888888">
    </font></span></blockquote><span class="HOEnZb"><font color="#888888">
    <p><br>
    </p>
    <pre class="m_7990976466446965296moz-signature" cols="72">-- 
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
<a class="m_7990976466446965296moz-txt-link-abbreviated" href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a> x41042</pre>
  </font></span></div>

</blockquote></div><br></div>