[Oisf-devel] proposed patch to add archive mode to pcap-log module

Victor Julien victor at inliniac.net
Thu May 24 12:41:12 UTC 2012


On 05/24/2012 12:58 PM, Roberto Martelloni wrote:
> Hello to all,
> 
> in the attachment there is a patch to suricata 1.2.1 that adds a new mode
> to handle pcap-log file dumps.
> 
> With this patch, if you set pcap-log mode to the value "archive",
> suricata checks for two more variables:
> 
> - archive_temp_dir
> - archive_dest_dir
> 
> archive_temp_dir is the directory path where pcap files are temporarily
> stored until they are closed.
> 
> archive_dest_dir is the path where the pcap file is rotated after it is
> closed.
> 
> Also a fix to the file name is added.
> In archive mode the file name is in this format:
> hostname-YYYYMMDD-HHMMSS.pcap
> 
> I've added this mode of running to allow software in a pipe to read data
> only from NON running file dumps and to allow a system administrator to
> identify which files are actually being dumped and which ones are already
> dumped and closed.
> 
> If this patch seems useful to others with some minor modifications, let me
> know and eventually I can fix it.
> 
> Also let me know if this patch can be inserted in the mainline code.

Can you resubmit a patch that does only code changes, no changes to
coding style in other parts of the existing code? The patch is really hard
to read now. Also, patches should be against the git master if you want
us to consider them for inclusion.

Thanks,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
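The temp-then-dest rotation and the hostname-YYYYMMDD-HHMMSS.pcap naming that Roberto's message describes, as an added Python illustration of the archive-mode flow (this is not the patch's code and not part of Suricata). The two directories stand in for archive_temp_dir and archive_dest_dir, the hostname and timestamp are constructed values, and the code assumes both directories are on one filesystem so the final rename is atomic, with a staged copy as the fallback when they are not.

```python
import errno, os, shutil, tempfile
from datetime import datetime, timezone

def archive_name(hostname, ts):
    """Archive-mode name from the patch: hostname-YYYYMMDD-HHMMSS.pcap (UTC)."""
    stamp = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y%m%d-%H%M%S")
    return f"{hostname}-{stamp}.pcap"

def open_capture(temp_dir, hostname, ts):
    """Create the in-progress dump in archive_temp_dir; return (path, handle)."""
    path = os.path.join(temp_dir, archive_name(hostname, ts))
    return path, open(path, "wb")

def close_and_rotate(path, handle, dest_dir):
    """Flush the dump to disk, then move it into archive_dest_dir.
    Same filesystem: os.replace() is an atomic rename, so a reader never sees a
    half-written file. Across filesystems (EXDEV): copy to a dot-prefixed staging
    name, fsync, then rename inside dest_dir so the final name appears only once complete."""
    handle.flush()
    os.fsync(handle.fileno())
    handle.close()
    final = os.path.join(dest_dir, os.path.basename(path))
    try:
        os.replace(path, final)
    except OSError as e:
        if e.errno != errno.EXDEV: raise
        staging = os.path.join(dest_dir, "." + os.path.basename(path) + ".part")
        shutil.copyfile(path, staging)
        with open(staging, "rb+") as f: os.fsync(f.fileno())
        os.replace(staging, final)
        os.unlink(path)
    return final

def closed_captures(dest_dir):
    """What a downstream consumer should read: finished, visible .pcap files only."""
    return sorted(f for f in os.listdir(dest_dir)
                  if f.endswith(".pcap") and not f.startswith("."))

def demo(hostname="sensor1", ts=1337863272):
    """Run one constructed capture through archive mode in throwaway directories."""
    root = tempfile.mkdtemp()
    temp_dir, dest_dir = os.path.join(root, "temp"), os.path.join(root, "dest")
    os.mkdir(temp_dir); os.mkdir(dest_dir)
    path, fh = open_capture(temp_dir, hostname, ts)
    fh.write(b"\xd4\xc3\xb2\xa1")  # constructed: little-endian pcap magic only
    while_running = closed_captures(dest_dir)  # nothing visible during the dump
    final = close_and_rotate(path, fh, dest_dir)
    result = {"while_running": while_running, "closed": closed_captures(dest_dir),
              "temp_left": os.listdir(temp_dir), "final": os.path.basename(final)}
    shutil.rmtree(root)
    return result
```

A consumer that only lists archive_dest_dir, as closed_captures() does, therefore never touches a dump that is still being written.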