<div dir="ltr"><div class="gmail_extra"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr">I should have mentioned yesterday I tried this with both Suricata 3.1 and also 4.0.4 with the same results and the same error message.  This is being attempted on CentOS 7.4.<br></div></div></div></div></div></div></div></div></div><div class="gmail_quote"><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial">I also tried a few variations of the command like "suricata -r ." in the directory with the pcap files and "suricata -r pcaps" without the trailing forward slash.  
The pcap files load successfully if I do them one by one and there are only pcap files in that directory.</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><div><br></div></div><div class="gmail_extra" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><br><div class="gmail_quote">On Tue, Feb 27, 2018 at 5:21 PM, Eric Urban<span> </span><span dir="ltr">&lt;<a href="mailto:eurban@umn.edu" target="_blank" style="color:rgb(17,85,204)">eurban@umn.edu</a>&gt;</span><span> </span>wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>The documentation at<span> </span><a href="http://suricata.readthedocs.io/en/latest/command-line-options.html#cmdoption-r" target="_blank" style="color:rgb(17,85,204)">http://suricata.readthedocs.io<wbr>/en/latest/command-line-option<wbr>s.html#cmdoption-r</a><span> </span>states that "Run in pcap offline mode reading files from pcap file. 
If &lt;path&gt; specifies a directory, all files in that directory will be processed in order of modified time maintaining flow state between files."</div><div><br></div><div>When I try to specify a directory that contains several pcap files, using a command like "sudo suricata -r pcaps/", I get the error:</div><div>27/2/2018 -- 22:32:45 - &lt;Error&gt; - [ERRCODE: SC_ERR_FOPEN(44)] - error reading dump file: Is a directory<br></div><div><br></div><div>Does anyone know if I am doing something wrong, as it seems from the documentation that this should work?</div><div><br></div><div>Thank you,</div><div><br></div><div><div class="gmail-m_-4795905878205871689m_-2574581185712732508m_723803836384679471gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><span style="color:rgb(0,0,0);font-family:"Helvetica Neue",Helvetica,sans-serif;font-size:small;font-weight:bold;line-height:17.29px;white-space:nowrap">Eric Urban</span><br></div><div dir="ltr"><span style="color:rgb(0,0,0);font-family:"Helvetica Neue",Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap">University Information Security | Office of Information Technology | </span><a href="http://it.umn.edu/" target="_blank" style="color:rgb(17,85,204);font-family:"Helvetica Neue",Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap">it.umn.edu</a><br style="color:rgb(0,0,0);font-family:"Helvetica Neue",Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap"><span style="color:rgb(0,0,0);font-family:"Helvetica Neue",Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap">University of Minnesota | </span><a href="http://umn.edu/" target="_blank" style="color:rgb(17,85,204);font-family:"Helvetica Neue",Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap">umn.edu</a><br style="color:rgb(0,0,0);font-family:"Helvetica 
Neue",Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap"><a href="mailto:eurban@umn.edu" target="_blank" style="color:rgb(17,85,204);font-family:"Helvetica Neue",Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap">eurban@umn.edu</a><font face="verdana, sans-serif" style="color:rgb(136,136,136);font-size:12.8px"><br></font></div></div></div></div></div></div></div></div></div></div></blockquote></div></div><br class="gmail-Apple-interchange-newline"><br></div></div></div>