[Oisf-users] Running suricata as a pcap collector

Victor Julien lists at inliniac.net
Tue Jan 28 14:23:58 UTC 2014


On 01/28/2014 03:17 PM, C. L. Martinez wrote:
> On Tue, Jan 28, 2014 at 2:15 PM, Victor Julien <lists at inliniac.net> wrote:
>> On 01/28/2014 03:12 PM, C. L. Martinez wrote:
>>>  Is it possible to run suricata as a pcap collector like daemonlogger
>>> or netsniff-ng does?? Running without rules and applying some bpf
>>> filters ...
>>
>> Yes, just enable the pcap-log module in your yaml. The current
>> implementation is not very efficient though.
>>
>> In the git master there is a new command line option --disable-detection
>> which disables the detection engine completely, making it more efficient
>> than just running w/o rules.
>>
>> Also, some profiling code for pcap logging is in progress here:
>> https://github.com/inliniac/suricata/pull/749
>>
>> --
> 
> Thanks Victor. Is this feature present in 2.0beta2?? Or only
> downloading git code??

It's part of both 1.4.x and 2.x

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
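Putting the thread's advice together, here is an added example (not code from the list post or from the Suricata project) that emits a `pcap-log` outputs stanza for suricata.yaml and builds the capture command line with the detection engine disabled and a trailing BPF filter. The interface `eth0`, the file name, rotation size, file count and the helper names `pcap_log_yaml` / `collector_cmd` are assumptions for illustration; the YAML keys are the ones the pcap-log module reads. The script only prints the command, so it runs without Suricata installed.

```shell
#!/bin/sh
# Added example: configure Suricata as a rules-free pcap collector.
# Not part of the original post or the Suricata project.

# Emit an outputs stanza enabling the pcap-log module. The file name,
# rotation limit and file count are illustrative assumptions.
pcap_log_yaml() {
  cat <<'EOF'
outputs:
  - pcap-log:
      enabled: yes
      filename: collector.pcap   # relative to default-log-dir, timestamp appended on rotation
      limit: 1000mb              # rotate once a file reaches this size
      max-files: 2000            # ring buffer: the oldest file is removed beyond this count
      mode: normal               # plain rotating files rather than the sguil directory layout
      use-stream-depth: no       # log every packet, not only up to stream.reassembly.depth
EOF
}

# Build the capture command line. --disable-detection turns the detection
# engine off entirely (git master / 1.4.x / 2.x per the thread); the BPF
# filter is passed as the trailing argument, after all options.
collector_cmd() {
  cfg=$1
  iface=$2
  bpf=$3
  cmd="suricata -c $cfg -i $iface --disable-detection"
  if [ -n "$bpf" ]; then
    cmd="$cmd '$bpf'"
  fi
  printf '%s\n' "$cmd"
}

# Sanity check: the generated stanza actually enables the module.
stanza_enables_pcap_log() {
  pcap_log_yaml | grep -q 'pcap-log' && pcap_log_yaml | grep -q 'enabled: yes'
}

# Print the stanza and the command when invoked with --print.
if [ "${1:-}" = "--print" ]; then
  pcap_log_yaml
  collector_cmd suricata.yaml eth0 'not port 22'
fi
```

With detection disabled no alerts are produced, so the pcap files are the only output; keep `use-stream-depth: no` if the goal is a complete packet record, otherwise long flows are cut off at the reassembly depth. Size the `limit` and `max-files` ring for the disk you have, since the oldest file is deleted without further notice once the count is reached.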