<div dir="ltr">Shivani<div><br></div><div>This is what we are trying: </div><div>suricata  -c suricata.yaml --PCAP=default  <br></div><div><br></div><div>and this is the error in the suricata.log</div><div><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:Calibri,sans-serif"><span style="font-size:11pt;color:rgb(31,73,125)">Failure when trying to get feature ioctl for “default”;  no such device</span></p></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jun 3, 2019 at 10:36 PM David Decker <<a href="mailto:x.faith@gmail.com">x.faith@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">It could have been --pcap, will have to verify this in the morning. <div><br></div><div>Thanks</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jun 3, 2019 at 10:24 PM Shivani Bhardwaj <<a href="mailto:shivanib134@gmail.com" target="_blank">shivanib134@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi David!<br>
<br>
On Tue, Jun 4, 2019 at 9:02 AM David Decker <<a href="mailto:x.faith@gmail.com" target="_blank">x.faith@gmail.com</a>> wrote:<br>
><br>
> Working on a project that uses Suricata, (just rcvd)<br>
> Suricata is failing to start at boot.<br>
><br>
> One thing we noticed was<br>
> suricata -c suricata.yaml pcap default  (was a command line) where it states it failed.<br>
><br>
> I understand the -c is for suricata.yaml to use as configuration file, but what is the PCAP default used for?<br>
> Don't think I have seen this before.<br>
> Where is the best place to start troubleshooting?<br>
><br>
I think you could try the "-vv" option to the command and maybe check<br>
if the logs can reveal something for you then?<br>
There is a "--pcap" option for running suricata in PCAP mode (see<br>
<a href="https://suricata.readthedocs.io/en/suricata-4.1.3/command-line-options.html#cmdoption-pcap" rel="noreferrer" target="_blank">https://suricata.readthedocs.io/en/suricata-4.1.3/command-line-options.html#cmdoption-pcap</a>),<br>
however with just "pcap", it seems that the output is the same as<br>
running simply "suricata" on the command line.<br>
<br>
Let us know if you find anything in the verbose output that we can use<br>
to assist you.<br>
<br>
> Thanks<br>
> David<br>
> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
><br>
> Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
> Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a><br>
<br>
<br>
<br>
-- <br>
Shivani<br>
<a href="https://about.me/shivani.bhardwaj" rel="noreferrer" target="_blank">https://about.me/shivani.bhardwaj</a><br>
</blockquote></div>
</blockquote></div>
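<div>A pre-flight check for the situation in this thread, added here as an example and not taken from the thread or from the Suricata project: it pulls the device out of a <code>--pcap=&lt;device&gt;</code> argument (the lowercase form documented at the page linked above) and confirms that an interface with that name exists before Suricata is started. The function names and the <code>NETDIR</code> variable are hypothetical; the script assumes Linux, where interfaces are listed under /sys/class/net.</div>

```shell
#!/bin/sh
# Added example: verify the capture device named on a Suricata command line.
# NETDIR (hypothetical name) is where Linux lists network interfaces; it can be
# overridden to test against a constructed directory.
NETDIR="${NETDIR:-/sys/class/net}"

# Print the device given as --pcap=<device>; return 1 if no such argument.
pcap_device() {
    for arg in "$@"; do
        case "$arg" in
            --pcap=*) printf '%s\n' "${arg#--pcap=}"; return 0 ;;
        esac
    done
    return 1
}

# Return 0 if the command line names an existing interface (or names none),
# 1 if the named interface does not exist on this host.
check_pcap_args() {
    dev=$(pcap_device "$@") || {
        echo "no --pcap=<device> argument; interfaces come from the config file"
        return 0
    }
    if [ -n "$dev" ] && [ -e "$NETDIR/$dev" ]; then
        echo "ok: interface '$dev' exists"
        return 0
    fi
    echo "error: interface '$dev' not found; interfaces on this host:"
    ls "$NETDIR"
    return 1
}

# When run with arguments, check them, e.g.:
#   sh check.sh -c suricata.yaml --pcap=default
if [ "$#" -gt 0 ]; then
    check_pcap_args "$@"
fi
```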