[Oisf-devel] proposed patch to add archive mode to pcap-log module

Roberto Martelloni rmartelloni at gmail.com
Thu May 24 14:05:40 UTC 2012


>
> On 05/24/2012 12:58 PM, Roberto Martelloni wrote:
> > Also a fix to the file name is added.
> > In archive mode the file name is in this format:
> > hostname-YYYYMMDD-HHMMSS.pcap
> The hostname is the ids system's hostname?
>
It is the hostname part of the FQDN returned from the libc function
gethostname().


> > I've added this mode of running to allow software in a pipe to read data
> > only from NON-running file dumps and to allow a system administrator to
> > identify which files are actually being dumped and which ones are already
> > dumped and closed.
> So if I understand correctly, the problem this should solve is to make
> sure it's clear to the administrator which of the logged pcap files in
> the log directory are already completed?
>
>
Yes, but not only that.
For example, you can point a piece of software at the archive_dest_dir path and
move/process all the files in it without needing to identify which files
are currently being dumped by Suricata.

R.

-- 
Roberto Martelloni
boos @ http://boos.core-dumped.info
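The handoff described in this thread, as an added example that is not Suricata's code or Roberto's patch: a writer dumps into a working directory, derives the file name from the host part of gethostname() as hostname-YYYYMMDD-HHMMSS.pcap, and on close renames the finished file into the archive directory (archive_dest_dir is the name used in the mail; the directory layout, the hostname and the timestamps below are constructed for the example). A consumer that only lists the archive directory never has to work out which file Suricata is still writing, because rename(2) on one filesystem is atomic, so a file is either absent or complete.

```python
"""Added example of pcap-log 'archive mode' handoff (not Suricata's code)."""
import os
import socket
import tempfile
from datetime import datetime, timezone

# Constructed pcap global header: little-endian magic, version 2.4,
# zero tz offset and sigfigs, snaplen 65535, LINKTYPE_ETHERNET (1).
PCAP_GLOBAL_HEADER = bytes.fromhex(
    "d4c3b2a1" "02000400" "00000000" "00000000" "ffff0000" "01000000"
)


def archive_name(hostname, epoch_seconds, suffix="pcap"):
    """Build 'hostname-YYYYMMDD-HHMMSS.pcap' from the file's open time (UTC).

    gethostname() may return an FQDN such as 'sensor1.example.org'; as the
    mail says, only the host part before the first dot is used.
    """
    host = hostname.split(".")[0]
    stamp = datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)
    return "%s-%s.%s" % (host, stamp.strftime("%Y%m%d-%H%M%S"), suffix)


class ArchivingPcapWriter:
    """Writer side: open in work_dir, hand off to archive_dir only on close.

    work_dir and archive_dir must be on the same filesystem so that
    os.rename() is an atomic directory-entry swap rather than a copy.
    """

    def __init__(self, work_dir, archive_dir, hostname=None):
        self.work_dir = work_dir
        self.archive_dir = archive_dir
        # Default to the libc hostname; a fixed name is passed in for tests.
        self.hostname = hostname or socket.gethostname()
        self.current = None

    def open(self, epoch_seconds):
        """Start a new dump file in work_dir and write the pcap header."""
        name = archive_name(self.hostname, epoch_seconds)
        self.current = os.path.join(self.work_dir, name)
        with open(self.current, "wb") as fh:
            fh.write(PCAP_GLOBAL_HEADER)
        return self.current

    def append(self, record):
        """Append an already-framed pcap record (header + packet bytes)."""
        with open(self.current, "ab") as fh:
            fh.write(record)

    def close(self):
        """Move the finished file into archive_dir; returns the new path."""
        dest = os.path.join(self.archive_dir, os.path.basename(self.current))
        os.rename(self.current, dest)  # atomic: consumer sees all or nothing
        self.current = None
        return dest


def completed_captures(archive_dir):
    """Consumer side: every .pcap here is closed; the name sorts by time."""
    return sorted(f for f in os.listdir(archive_dir) if f.endswith(".pcap"))


def demo():
    """Constructed run: one file archived, a second still being dumped."""
    root = tempfile.mkdtemp()
    work = os.path.join(root, "log")
    archive = os.path.join(root, "archive")  # plays the role of archive_dest_dir
    os.makedirs(work)
    os.makedirs(archive)

    writer = ArchivingPcapWriter(work, archive, hostname="sensor1.example.org")
    writer.open(1337868340)       # 2012-05-24 14:05:40 UTC, the mail's timestamp
    writer.append(b"")            # no packets in this constructed example
    writer.close()
    writer.open(1337871940)       # one hour later; left open on purpose

    return {
        "archived": completed_captures(archive),
        "in_progress": sorted(os.listdir(work)),
    }


if __name__ == "__main__":
    print(demo())
```

A consumer can therefore simply iterate over completed_captures() and move or delete each file after processing; the only file it must not touch is the one still in the working directory, and archive mode keeps that one out of sight by construction.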

