[Oisf-users] Question about suricata pcap logging function.

Kevin Ross kevross33 at googlemail.com
Tue Dec 17 21:08:21 UTC 2013


Hi,

Not sure of your requirements but maybe this could save you time if you are
looking for indexing of PCAPs.

http://blog.alejandronolla.com/2013/04/06/moloch-capturing-and-indexing-network-traffic-in-realtime/
https://github.com/aol/moloch


On 16 December 2013 23:51, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

>
> Hi all,
>
> I'm interested in potentially indexing the pcap files that suricata
> exports.  Ideally I would like to roll the pcap files when they are 1Gb
> in size and then parse them with my indexing program.
>
> My question is what happens to long-lived TCP flows that could
> potentially span multiple files.  Does anyone know if suri logs packets
> from tcp flows as they arrive, or queues them up and only writes them
> when the session is closed or hits the stream cap?
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
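Whatever the logger's write order turns out to be, an indexer over rolled pcap files has to cope with sessions whose packets landed in more than one file. The following is an added example (not code from this thread, Suricata or Moloch) that indexes TCP/UDP flows across several classic-format, Ethernet-linktype pcap files and reports the flows that span files; the two tiny "rolled" files are constructed in memory and the file names are placeholders.

```python
import struct
from collections import defaultdict
PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap format, microsecond timestamps
def flow_key(ip_hdr, l4):
    """Direction-independent 5-tuple so both halves of a session share one key."""
    src, dst = ip_hdr[12:16], ip_hdr[16:20]
    sport, dport = struct.unpack("!HH", l4[:4])
    a, b = (src, sport), (dst, dport)
    return (ip_hdr[9],) + (a + b if a <= b else b + a)
def iter_packets(data):
    """Yield each record's captured bytes from a classic (non-pcapng) pcap buffer."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    off = 24  # skip the global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
def index_flows(files):
    """files: {file name: pcap bytes} -> {flow key: set of file names carrying it}."""
    index = defaultdict(set)
    for name, data in files.items():
        for pkt in iter_packets(data):
            if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":  # Ethernet + IPv4 only
                continue
            ihl = (pkt[14] & 0x0F) * 4
            ip_hdr = pkt[14:14 + ihl]
            if ip_hdr[9] in (6, 17):  # TCP or UDP
                index[flow_key(ip_hdr, pkt[14 + ihl:])].add(name)
    return dict(index)
def flows_spanning_files(index):
    """Flows whose packets landed in more than one rolled file (need cross-file reassembly)."""
    return {k: sorted(v) for k, v in index.items() if len(v) > 1}
def tcp_packet(src, sport, dst, dport):
    """Constructed Ethernet/IPv4/TCP frame, headers only, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp
def make_pcap(packets):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, p in enumerate(packets):
        out += struct.pack("<IIII", 1387000000 + i, 0, len(p), len(p)) + p
    return out
SAMPLE_FILES = {  # constructed: flow 10.0.0.5:40001 <-> 192.0.2.10:443 spans both rolled files
    "log.pcap.1": make_pcap([tcp_packet("10.0.0.5", 40001, "192.0.2.10", 443)]),
    "log.pcap.2": make_pcap([tcp_packet("192.0.2.10", 443, "10.0.0.5", 40001),
                             tcp_packet("10.0.0.7", 40002, "192.0.2.20", 80)]),
}
```

On real rolled captures, replace SAMPLE_FILES with the files read from disk; the spanning set tells the indexer which flows must be stitched together across file boundaries before reassembly.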