[Oisf-users] Question about suricata pcap logging function.
Victor Julien
lists at inliniac.net
Tue Dec 17 08:14:34 UTC 2013
On 12/17/2013 12:51 AM, Cooper F. Nelson wrote:
> Hi all,
>
> I'm interested in potentially indexing the pcap files that
> suricata exports. Ideally I would like to roll the pcap files when
> they are 1Gb in size and then parse them with my indexing program.
>
> My question is what happens to long-lived TCP flows that could
> potentially span multiple files. Does anyone know if suri logs
> packets from tcp flows as they arrive, or queues them up and only
> writes them when the session is closed or hits the stream cap?
>
They are written into the pcap as they come in, so long lived sessions
may span multiple files in this case.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
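Victor's answer has a practical consequence for the indexing plan in the question: a pcap-log indexer that processes one rolled file at a time will see the handshake of a long-lived session in one file and its continuation, with no SYN and possibly its FIN, in a later one. The script below is an added example written for this thread, not Suricata code and not something either poster supplied. It reads classic libpcap files directly (assuming an Ethernet link layer), keys each packet by a direction-independent TCP 5-tuple, and merges the per-file evidence so a session that straddles a rollover comes out as one flow record. The two "log files", their names (log.1000.pcap, log.1600.pcap) and the addresses 10.0.0.5 and 192.0.2.10 are constructed in memory for the demo.

```python
"""Stitch TCP flows back together across rolled Suricata pcap-log files.

Added example for this thread, not Suricata's own code. The captures at the
bottom are constructed sample data with constructed addresses."""
import struct
from dataclasses import dataclass, field

ETHERTYPE_IPV4, IPPROTO_TCP, LINKTYPE_ETHERNET = 0x0800, 6, 1
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10
# pcap magic -> (struct byte order, timestamp fraction divisor)
_MAGICS = {b"\xd4\xc3\xb2\xa1": ("<", 1e6), b"\xa1\xb2\xc3\xd4": (">", 1e6),
           b"\x4d\x3c\xb2\xa1": ("<", 1e9), b"\xa1\xb2\x3c\x4d": (">", 1e9)}

@dataclass
class FlowRecord:
    first_ts: float
    last_ts: float
    packets: int = 0
    files: list = field(default_factory=list)  # files the flow appears in, in rotation order
    saw_syn: bool = False                      # handshake was captured somewhere
    saw_close: bool = False                    # FIN or RST was captured somewhere

def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a connection collapse."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)

def iter_packets(blob):
    """Yield (timestamp, frame) for each record in a classic pcap file."""
    if len(blob) < 24 or blob[:4] not in _MAGICS:
        raise ValueError("not a libpcap capture")
    endian, divisor = _MAGICS[blob[:4]]
    if struct.unpack(endian + "I", blob[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("example only handles the Ethernet link type")
    off = 24
    while off + 16 <= len(blob):
        sec, frac, incl, _orig = struct.unpack(endian + "IIII", blob[off:off + 16])
        frame = blob[off + 16:off + 16 + incl]
        if len(frame) < incl:      # file rolled or was cut mid-record: stop cleanly
            break
        off += 16 + incl
        yield sec + frac / divisor, frame

def parse_tcp(frame):
    """Return (src, sport, dst, dport, flags) or None for non-IPv4/TCP frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != IPPROTO_TCP:
        return None
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]   # skip Ethernet + IPv4 header (IHL)
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    return (".".join(map(str, frame[26:30])), sport,
            ".".join(map(str, frame[30:34])), dport, tcp[13])

def index_files(captures):
    """captures: [(filename, pcap_bytes), ...] in rotation order -> {key: FlowRecord}."""
    index = {}
    for name, blob in captures:
        for ts, frame in iter_packets(blob):
            parsed = parse_tcp(frame)
            if parsed is None:
                continue
            src, sport, dst, dport, flags = parsed
            rec = index.setdefault(flow_key(src, sport, dst, dport), FlowRecord(ts, ts))
            rec.packets += 1
            rec.first_ts, rec.last_ts = min(rec.first_ts, ts), max(rec.last_ts, ts)
            if not rec.files or rec.files[-1] != name:
                rec.files.append(name)
            rec.saw_syn = rec.saw_syn or bool(flags & TCP_SYN)
            rec.saw_close = rec.saw_close or bool(flags & (TCP_FIN | TCP_RST))
    return index

def spanning_flows(index):
    """Keys of flows whose packets landed in more than one rolled file."""
    return [k for k, r in index.items() if len(r.files) > 1]

# Constructed sample data (not real traffic) from here on.
def _frame(src, sport, dst, dport, flags, payload=b""):
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, IPPROTO_TCP,
                     0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 65535, 0, 0)
    return eth + ip + tcp + payload

def _pcap(records):
    """Little-endian classic pcap (Ethernet) from [(ts_sec, frame), ...]."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + b"".join(struct.pack("<IIII", t, 0, len(f), len(f)) + f for t, f in records)

CLIENT, SERVER = "10.0.0.5", "192.0.2.10"   # constructed addresses

def build_sample_captures():
    """Two rolled log files; the :443 session straddles the rollover."""
    log1 = _pcap([(1000, _frame(CLIENT, 51000, SERVER, 443, TCP_SYN)),
                  (1000, _frame(SERVER, 443, CLIENT, 51000, TCP_SYN | TCP_ACK)),
                  (1000, _frame(CLIENT, 51000, SERVER, 443, TCP_ACK)),
                  (1001, _frame(CLIENT, 51000, SERVER, 443, TCP_ACK, b"GET / ")),
                  (1002, _frame(CLIENT, 51001, SERVER, 80, TCP_SYN)),
                  (1002, _frame(SERVER, 80, CLIENT, 51001, TCP_RST | TCP_ACK))])
    log2 = _pcap([(1600, _frame(SERVER, 443, CLIENT, 51000, TCP_ACK, b"HTTP/1.1 200")),
                  (1601, _frame(CLIENT, 51000, SERVER, 443, TCP_FIN | TCP_ACK)),
                  (1601, _frame(SERVER, 443, CLIENT, 51000, TCP_FIN | TCP_ACK))])
    return [("log.1000.pcap", log1), ("log.1600.pcap", log2)]
```

Run `index_files(build_sample_captures())` and the :443 session comes back as one record with `files == ["log.1000.pcap", "log.1600.pcap"]`, seven packets, and both the handshake and the close accounted for; index `log.1600.pcap` on its own and the same flow shows a FIN but no SYN, which is exactly the mid-stream pickup an indexer fed one rolled file at a time has to tolerate. The reader stops cleanly if the last record is truncated, since a file that was still being written when it was picked up may end mid-packet.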