[Oisf-users] Question about suricata pcap logging function.

Cooper F. Nelson cnelson at ucsd.edu
Mon Dec 16 23:51:44 UTC 2013



Hi all,

I'm interested in potentially indexing the pcap files that suricata
exports.  Ideally I would like to roll the pcap files when they are 1Gb
in size and then parse them with my indexing program.

My question is what happens to long-lived TCP flows that could
potentially span multiple files.  Does anyone know if suri logs packets
from tcp flows as they arrive, or queues them up and only writes them
when the session is closed or hits the stream cap?

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
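An added example, not part of Cooper's message or of Suricata's own code, of how an indexing program can cope with the case the question raises: a single TCP flow whose packets land in more than one rolled pcap file. It builds two constructed pcap files with the standard library, indexes every TCP packet under a direction-independent 5-tuple key, and reports the flows seen in more than one file. The file names and addresses are constructed; the parser assumes Ethernet link type and IPv4 packets.

```python
import struct
from collections import defaultdict
from socket import inet_aton, inet_ntoa

PCAP_MAGIC = 0xA1B2C3D4  # native-order pcap magic, microsecond timestamps

def build_pcap(frames, ts=1387237904):
    """Constructed test input: a minimal pcap file (link type 1 = Ethernet)."""
    out = struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("=IIII", ts + i, 0, len(frame), len(frame)) + frame
    return out

def build_tcp_frame(src, dst, sport, dport):
    """Ethernet + IPv4 (no options) + TCP (no options); checksums left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     inet_aton(src), inet_aton(dst))
    return eth + ip + tcp

def index_pcap(name, data, index):
    """Walk one pcap file; record (file, offset) of every TCP packet under its flow."""
    if struct.unpack("=I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic in %s" % name)
    off = 24  # skip the global header
    while off + 16 <= len(data):
        incl_len = struct.unpack("=IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) > 34 and frame[12:14] == b"\x08\x00" and frame[14] >> 4 == 4:
            ip, ihl = frame[14:], (frame[14] & 0x0F) * 4  # IPv4 over Ethernet
            if ip[9] == 6:  # TCP
                sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
                src, dst = inet_ntoa(ip[12:16]), inet_ntoa(ip[16:20])
                key = tuple(sorted([(src, sport), (dst, dport)]))  # both directions
                index[key].append((name, off))
        off += 16 + incl_len

def build_index(files):
    """files: {filename: pcap bytes} in roll order -> {flow key: [(file, offset), ...]}."""
    index = defaultdict(list)
    for name, data in files.items():
        index_pcap(name, data, index)
    return index

def flows_spanning_files(index):
    """Flows whose packets were seen in more than one rolled file."""
    return {k for k, hits in index.items() if len({f for f, _ in hits}) > 1}
```

Because the key is the same in both files, the per-file hit lists can simply be concatenated in roll order to reassemble the flow, whichever way the logger chose to flush it.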

