[Oisf-devel] proposed patch to add archive mode to pcap-log module

Roberto Martelloni rmartelloni at gmail.com
Thu May 24 14:05:40 UTC 2012

> On 05/24/2012 12:58 PM, Roberto Martelloni wrote:
> > Also a fix to the file name is added.
> > In archive mode the file name is in this format:
> > hostname-YYYYMMDD-HHMMSS.pcap
> The hostname is the ids system's hostname?
> Is the hostname part of the FQDN returned from the libc function
gethostname().

> > I've added this mode of running to allow software in a pipe to read data
> > only from non-running file dumps and to allow a system administrator to
> > identify which files are actually being dumped and which ones are already
> > dumped and closed.
> So if I understand correctly, the problem this should solve is to make
> sure it's clear to the administrator which of the logged pcap files in
> the log directory are already completed?
Yes, but not only that.
For example, you can point a piece of software at the archive_dest_dir path and
move/process all the files in it without needing to identify which files
are currently being dumped by suricata.


Roberto Martelloni
boos @ http://boos.core-dumped.info
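The archive-mode workflow discussed in this thread (a finished dump named `hostname-YYYYMMDD-HHMMSS.pcap`, published into an archive directory so that a consumer can process everything there without guessing which file suricata still has open), written out as an added C example. This is not the proposed patch's code nor Suricata's own pcap-log module; the function names `build_archive_name`, `build_archive_name_for_host`, `archive_finished_file` and `demo_archive_roundtrip` are assumptions, the timestamp is formatted in UTC (the patch may use local time), the host name `sensor1` and the `/tmp` demo directories are constructed, and it assumes the active and archive directories live on the same filesystem.

```c
/* Added example (not the patch's or Suricata's code): build the archive-mode
 * file name "hostname-YYYYMMDD-HHMMSS.pcap" and move a closed dump from the
 * active log directory into the archive directory with rename(2).
 * Assumptions: UTC timestamps; both directories on one filesystem so that
 * rename() is atomic and a consumer never observes a half-written capture. */
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Format "<host>-YYYYMMDD-HHMMSS.pcap" into out. Returns the length or -1. */
int build_archive_name(char *out, size_t outlen, const char *host, time_t when)
{
    struct tm tm;
    char stamp[32];
    if (gmtime_r(&when, &tm) == NULL)                 /* UTC: an assumption */
        return -1;
    if (strftime(stamp, sizeof stamp, "%Y%m%d-%H%M%S", &tm) == 0)
        return -1;
    int n = snprintf(out, outlen, "%s-%s.pcap", host, stamp);
    if (n < 0 || (size_t)n >= outlen)                 /* refuse truncation */
        return -1;
    return n;
}

/* Same, but with the sensor's own name from libc gethostname(). */
int build_archive_name_for_host(char *out, size_t outlen, time_t when)
{
    char host[256];
    if (gethostname(host, sizeof host) != 0)
        return -1;
    host[sizeof host - 1] = '\0';                     /* gethostname may not NUL-terminate */
    return build_archive_name(out, outlen, host, when);
}

/* Publish a closed dump: rename() is atomic within one filesystem, so the
 * file appears in archive_dir complete or not at all. Across filesystems it
 * fails with EXDEV rather than silently copying a partial file. */
int archive_finished_file(const char *active_path, const char *archive_dir,
                          const char *name)
{
    char dest[PATH_MAX];
    int n = snprintf(dest, sizeof dest, "%s/%s", archive_dir, name);
    if (n < 0 || (size_t)n >= sizeof dest)
        return -1;
    return rename(active_path, dest);
}

/* Self-check with a constructed dummy dump under /tmp: write, close, archive,
 * then verify it is gone from the active dir and present in the archive dir.
 * Returns 0 on success, a negative step number on failure. */
int demo_archive_roundtrip(void)
{
    char tmpl[] = "/tmp/pcaplog-demo-XXXXXX";
    char *base = mkdtemp(tmpl);
    if (base == NULL)
        return -1;
    char active_dir[PATH_MAX], archive_dir[PATH_MAX], name[300];
    char src[PATH_MAX], dst[PATH_MAX];
    snprintf(active_dir, sizeof active_dir, "%s/log", base);
    snprintf(archive_dir, sizeof archive_dir, "%s/archive", base);
    if (mkdir(active_dir, 0700) != 0 || mkdir(archive_dir, 0700) != 0)
        return -2;
    /* 1337868340 == 2012-05-24 14:05:40 UTC, the date of this mail */
    if (build_archive_name(name, sizeof name, "sensor1", (time_t)1337868340) < 0)
        return -3;
    snprintf(src, sizeof src, "%s/%s", active_dir, name);
    snprintf(dst, sizeof dst, "%s/%s", archive_dir, name);
    FILE *f = fopen(src, "wb");
    if (f == NULL)
        return -4;
    fputs("constructed dummy pcap bytes\n", f);
    fclose(f);                                        /* closed: safe to publish */
    if (archive_finished_file(src, archive_dir, name) != 0)
        return -5;
    int ok = access(src, F_OK) != 0 && access(dst, F_OK) == 0;
    unlink(dst); rmdir(active_dir); rmdir(archive_dir); rmdir(base);
    return ok ? 0 : -6;
}
```

The point a consumer of `archive_dest_dir` relies on is the rename step: only files that have been closed are moved, and the move is atomic on one filesystem, so anything listed in the archive directory can be read to its end. Placing the archive directory on a different mount would make `rename()` fail with `EXDEV`, and a copy-then-unlink fallback would reintroduce exactly the partially written files the mode is meant to hide.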
