[Oisf-devel] PCAP log VLAN splitting

LUIS MANUEL SILVA CASTILLO luismsilvacastillo at gmail.com
Tue May 15 06:37:40 UTC 2018


Hi Peter,

Thanks for your reply!
I managed to build a Dockerfile with some explanation of the whole idea.
git clone https://manosil78@bitbucket.org/manosil78/pcap-lua.git

I am using a Lua wrapper from a GitHub project to be able to write from Lua
to disk. I have also made a small change to the Suricata Lua output to
display the VLAN id in the packet tuple.

I'm more than happy to further discuss any additional questions and look
forward to your comments


Regards,


Manuel

On Thu, May 10, 2018 at 3:53 PM, Peter Manev <petermanev at gmail.com> wrote:

>
>
> > On 10 May 2018, at 02:02, LUIS MANUEL SILVA CASTILLO <
> luismsilvacastillo at gmail.com> wrote:
> >
> > Hi,
> >
> > my client wishes to use Suricata as a packet capture solution. However,
> there is an additional request to store packets from VLANs to their
> respective PCAP files. For instance VLAN 1 -> PCAP_Log_TS_TN_VLAN_1, the same for
> VLAN 2 and so on and so forth. The solution is also to be run on a high speed
> network and needs to be able to cope with up to a 10 Gbps link. So far I have
> tried to use a Lua script both at the logging and engine level but am unable to achieve
> 10G. I can get capture and splitting but writing does not perform as
> required. My next step would be to try to modify the Suricata code to achieve
> the requested feature but I want to ask first if there is any previous work or
> whether someone else has done something similar so I can get started.
>
> I would suggest testing the writing first (10 Gbps sustained writing is
> not so trivial, in my experience anyway). That way you would be able to
> confirm where the bottleneck is first - writing or anywhere in the post
> processing.
>
> Are you writing per thread?
> Would be interesting to see the lua script if possible.
>
>
> >
> > Thank you very much in advance and I look forward to your comments
> >
> > Manuel
> >
> > _______________________________________________
> > Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> > Redmine: https://redmine.openinfosecfoundation.org/
> >
>
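The per-VLAN split the thread asks for (VLAN 1 -> its own PCAP file, VLAN 2 -> another, untagged frames kept apart), as an added example that is neither Manuel's Lua script nor Suricata code. It is a stand-alone Python version of the splitting step on raw classic-pcap bytes using only the standard library: it parses the 802.1Q/802.1ad tag of each Ethernet frame, keys on the outermost VLAN id, and emits one complete pcap per key. The sample capture is constructed in the block, the output file naming is an assumption, and only the outer tag is inspected (for QinQ traffic the inner tag at offset 16 would be the customer VLAN). It does nothing about sustained write throughput, which, as Peter notes, is the part to measure separately.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4          # classic pcap magic, little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1          # the same magic as read from a big-endian file
LINKTYPE_ETHERNET = 1
ETH_P_IP = 0x0800
VLAN_ETHERTYPES = (0x8100, 0x88A8, 0x9100)   # 802.1Q, 802.1ad (QinQ), legacy QinQ


def pcap_global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """24-byte classic pcap file header (version 2.4, UTC, Ethernet link type)."""
    return struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts_sec, ts_usec, frame):
    """16-byte record header followed by the frame; incl_len == orig_len."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def iter_pcap_records(data):
    """Yield (ts_sec, ts_usec, frame) from classic pcap bytes in either byte order."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC_LE:
        fmt = "<IIII"
    elif magic == PCAP_MAGIC_BE:
        fmt = ">IIII"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(fmt, data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated pcap record at offset %d" % (off - 16))
        off += incl_len
        yield ts_sec, ts_usec, frame


def vlan_id(frame):
    """Outermost VLAN id (0-4095) of an Ethernet frame, or None if untagged or too short.

    Only the outer tag is inspected; for QinQ the inner tag sits at offset 16.
    """
    if len(frame) < 16:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype not in VLAN_ETHERTYPES:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF             # drop PCP (3 bits) and DEI (1 bit), keep the VID


def split_by_vlan(pcap_bytes, untagged_key="untagged"):
    """Return {vlan_key: complete pcap bytes}, one output capture per VLAN id."""
    outputs = {}
    for ts_sec, ts_usec, frame in iter_pcap_records(pcap_bytes):
        vid = vlan_id(frame)
        key = untagged_key if vid is None else str(vid)
        buf = outputs.get(key)
        if buf is None:
            buf = outputs[key] = bytearray(pcap_global_header())
        buf += pcap_record(ts_sec, ts_usec, frame)
    return {k: bytes(v) for k, v in outputs.items()}


def build_frame(vid=None, payload=b"\x00" * 46):
    """Constructed test frame: broadcast dst, locally administered src, optional 802.1Q tag."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    if vid is None:
        return hdr + struct.pack("!H", ETH_P_IP) + payload
    return hdr + struct.pack("!HHH", 0x8100, vid & 0x0FFF, ETH_P_IP) + payload


# Constructed sample capture (not real traffic): frames on VLANs 1, 2, 1, untagged, 2, 1.
SAMPLE_PCAP = pcap_global_header() + b"".join(
    pcap_record(1526366260, i, build_frame(vid))
    for i, vid in enumerate([1, 2, 1, None, 2, 1])
)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for key, blob in split_by_vlan(data).items():
        name = "PCAP_Log_VLAN_%s.pcap" % key     # output naming is an assumption
        with open(name, "wb") as fh:
            fh.write(blob)
        print(name, len(blob), "bytes")
```

Run it with no arguments to split the constructed sample, or pass a classic pcap path to split a real capture; each output file carries its own 24-byte header so it opens directly in Wireshark or tcpdump. Keying on the outer tag is a deliberate choice: a provider-tagged (QinQ) link would otherwise collapse every customer VLAN into one file.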