[Oisf-devel] Pcap file open issue with Suricata 3

Andreas Herz andi at geekosphere.org
Fri Jun 15 20:30:48 UTC 2018


On 12/06/18 at 14:32, Hwang In Chan wrote:
> Hello!
> 
> I am working on Suricata 3 source code to add an additional feature to it.
> 
> I know Suricata 3 reads a pcap file from the command line.
> 
> We added another function to extract eml files when it reads a pcap from the
> command line.
> 
> https://github.com/CPP-CProgramming/Suricata/blob/...
> <https://github.com/CPP-CProgramming/Suricata/blob/master/src/app-layer-smtp.c#L1613-L1619>
> 
> https://github.com/CPP-CProgramming/Suricata/blob/...
> <https://github.com/CPP-CProgramming/Suricata/blob/master/src/util-file.c#L780>
> 
> However, it shows an abnormal behavior when it reads a pcap file.
> 
> https://drive.google.com/file/d/1TpQnZJyTgCilKPV4H...
> <https://drive.google.com/file/d/1TpQnZJyTgCilKPV4H4l-Z43P2EUPW6Kg/view?usp=drive_web>
> 
> If it reads 200 eml files out of a pcap file, it only writes 191 files.
> 
> It does not read and write all the files out of Pcap, but misses some files.
> 
> We believe that this issue disappeared in Suricata 4.

Can you try to reproduce it with the most recent versions of Suricata?

-- 
Andreas Herz
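Before reproducing against a newer Suricata, it helps to know how many complete SMTP messages the capture actually contains, independently of the extractor. The script below is an added example written for this thread; it is not code from the poster's fork or from Suricata. It reassembles the client-to-server side of each TCP flow from a classic pcap (ordering segments by sequence number and dropping exact-sequence retransmissions), counts every DATA command that is followed by the CRLF.CRLF terminator, and compares that with the number of files found in an output directory. Assumptions not taken from the thread: SMTP on TCP/25, IPv4 over Ethernet, classic pcap rather than pcapng, and extracted messages named with a .eml suffix. The sample capture is constructed inside the script (two sessions, one retransmitted segment, one session written out of order, terminators split across segment boundaries) so it runs offline; point it at a real pcap and your extractor's output directory to use it for the 200-versus-191 case.

```python
import os
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def iter_packets(data):
    """Yield raw Ethernet frames from a classic pcap byte string (pcapng not handled)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        e = "<"
    elif magic == 0xD4C3B2A1:
        e = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(e + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack_from(e + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl]
        off += incl


def tcp_streams(data):
    """Reassemble one-directional TCP payload streams keyed by (src, dst, sport, dport).
    Segments are ordered by sequence number; exact-seq duplicates (retransmissions) are
    dropped. Sequence wrap, overlapping segments and IP fragments are not handled."""
    flows = defaultdict(dict)
    for pkt in iter_packets(data):
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # not IPv4 over Ethernet carrying TCP
        ihl = (pkt[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", pkt, 16)[0]
        ip = pkt[14:14 + total_len]
        tcp = ip[ihl:]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            flows[(ip[12:16], ip[16:20], sport, dport)].setdefault(seq, payload)
    for key, segs in flows.items():
        yield key, b"".join(segs[s] for s in sorted(segs))


def count_smtp_messages(data, smtp_port=25):
    """Complete messages = DATA command followed by the CRLF.CRLF end-of-data marker."""
    n = 0
    for (_, _, _, dport), stream in tcp_streams(data):
        if dport != smtp_port:
            continue
        stream = b"\r\n" + stream  # lets a DATA at the very start of the capture match
        pos = 0
        while True:
            cmd = stream.find(b"\r\nDATA\r\n", pos)
            if cmd < 0:
                break
            term = stream.find(b"\r\n.\r\n", cmd + 8)
            if term < 0:
                break  # body cut off in the capture: not a complete message
            n += 1
            pos = term + 5
    return n


def count_extracted_files(directory, suffix=".eml"):
    """Files the extractor wrote; the .eml suffix is an assumption, not from the thread."""
    return sum(1 for name in os.listdir(directory) if name.endswith(suffix))


# ---- constructed sample capture (not a real trace): two client->server sessions ----
def _tcp_segment(src, dst, sport, dport, seq, payload):
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def _smtp_client_segments(sport, bodies):
    segs, seq = [], 1000

    def send(chunk):
        nonlocal seq
        segs.append(_tcp_segment(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", sport, 25, seq, chunk))
        seq += len(chunk)

    send(b"EHLO client.test\r\n")
    for body in bodies:
        send(b"MAIL FROM:<a@example.test>\r\nRCPT TO:<b@example.test>\r\nDATA\r\n")
        send(body + b"\r\n.")  # terminator deliberately split across two segments
        send(b"\r\n")
    send(b"QUIT\r\n")
    return segs


def build_sample_pcap():
    a = _smtp_client_segments(40001, [b"Subject: one\r\n\r\nfirst", b"Subject: two\r\n\r\nsecond"])
    b = _smtp_client_segments(40002, [b"Subject: three\r\n\r\nthird"])
    frames = a + [a[2]] + list(reversed(b))  # one retransmission, one session out of order
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return hdr + b"".join(recs)


SAMPLE_PCAP = build_sample_pcap()

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    expected = count_smtp_messages(data)
    found = count_extracted_files(sys.argv[2]) if len(sys.argv) > 2 else 0
    print(f"messages in capture: {expected}, files written: {found}, missing: {expected - found}")
```

Run it as `python3 check_extract.py capture.pcap /path/to/extracted` against the real capture. If the independent count matches the 200 the poster expects while the extractor writes 191, the loss is in the extraction path rather than in the capture; if the count is itself lower, some messages are incomplete or retransmitted in the trace and the extractor may be right to skip them.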
