[Oisf-devel] Understanding Suricata

Victor Julien victor at inliniac.net
Tue Oct 15 10:23:08 UTC 2013


On 10/15/2013 12:13 PM, Anil Joshi wrote:
> Thanks for the reply, sir.
> As you have given the packet flow, I would first like to go through the
> receive part. If I give Suricata the pcap, how can I see the packet
> capture part of Suricata, and I mean, how do I debug it?

Please take into account a number of guidelines when using these
mailinglists:

1. don't cross post on multiple mailing lists
2. don't top-post
3. don't use html posts


Wrt your question: fire up Suricata in gdb and step through it. It may
be good to set a breakpoint on PcapFileCallbackLoop, as this is where a
packet starts.

Regards,
Victor

> 
> On Thu, Oct 10, 2013 at 1:01 PM, Anoop Saldanha <anoopsaldanha at gmail.com
> <mailto:anoopsaldanha at gmail.com>> wrote:
> 
>     On Wed, Oct 9, 2013 at 11:40 PM, Anil Joshi <aj27744 at gmail.com
>     <mailto:aj27744 at gmail.com>> wrote:
>     > Hi All,
>     >
>     > Hi, I have a query for you. Actually, I need a suggestion: if I want to
>     > understand how Suricata works, that is, how it takes a packet and how it
>     > matches it against a signature, how should I proceed?
>     >
> 
>     I would suggest taking a pcap and stepping through the code.  You can
>     use the pcap file interface for this purpose
> 
>     suricata -c suricata.yaml -r path/to/pcap_file --runmode=single
> 
>     Suricata is modular, as in, each of the different phases is split into
>     an identifiable module - receive, decoder, stream, detection, verdict,
>     logging.
> 
>     Packets flow through the above sequence in a sequential manner.
> 
>     --
>     -------------------------------
>     Anoop Saldanha
>     http://www.poona.me
>     -------------------------------
> 
> 
> 
> 
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
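The two suggestions above (run Suricata on a pcap in single runmode, and stop in gdb on PcapFileCallbackLoop) combine into a small helper script. This is an added example, not code from the thread or from the Suricata project. It assumes a Suricata binary on PATH (or in $SURICATA), a gdb that understands -q, -x and --args, and that PcapFileCallbackLoop is a symbol in your build; the DecodeEthernet name used in the usage line is an assumed extra breakpoint and is not mentioned in the thread.

```shell
#!/bin/sh
# Added example (not from the list thread or the Suricata source).
# Generates a gdb command file that halts when the first packet enters the
# pcap-file capture path, then starts Suricata under gdb in single runmode.

# write_gdb_script OUT [EXTRA_BREAKPOINT...]
# Writes gdb commands to OUT. PcapFileCallbackLoop (named in the thread) is
# always set; any further function names are added as extra breakpoints.
write_gdb_script() {
    out=$1
    shift
    {
        echo "set pagination off"
        # Symbols may live in a not-yet-loaded shared object; defer the
        # breakpoint instead of failing at startup.
        echo "set breakpoint pending on"
        echo "break PcapFileCallbackLoop"
        for bp in "$@"; do
            echo "break $bp"
        done
        # Start Suricata; gdb drops to an interactive prompt on the first stop,
        # after showing the call chain that delivered the packet.
        echo "run"
        echo "backtrace"
    } > "$out"
}

# run_under_gdb YAML PCAP [EXTRA_BREAKPOINT...]
# Builds the command file and launches:
#   gdb -q -x <script> --args suricata -c YAML -r PCAP --runmode=single
# Returns 127 if gdb or the Suricata binary cannot be found.
run_under_gdb() {
    yaml=$1
    pcap=$2
    shift 2
    bin=${SURICATA:-suricata}
    command -v gdb >/dev/null 2>&1 || { echo "gdb not found" >&2; return 127; }
    command -v "$bin" >/dev/null 2>&1 || { echo "$bin not found" >&2; return 127; }
    script=$(mktemp) || return 1
    write_gdb_script "$script" "$@"
    gdb -q -x "$script" --args "$bin" -c "$yaml" -r "$pcap" --runmode=single
    rc=$?
    rm -f "$script"
    return $rc
}

# Usage (not executed when the file is sourced):
#   run_under_gdb suricata.yaml path/to/pcap_file DecodeEthernet
```

Single runmode matters here: with one packet-processing thread, stepping from the capture loop into the decoder and on to detection stays in one thread, so "next"/"step" at the gdb prompt follows the packet through the sequence Anoop listed instead of jumping between worker threads.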



