[Oisf-users] Getting session data

Cooper F. Nelson cnelson at ucsd.edu
Wed Nov 19 13:55:37 UTC 2014


Is this what you want?

> Packet log (pcap-log)
> With the pcap-log option you can save all packets that are registered by Suricata in a log file named log.pcap. This way, you can take a look at all packets whenever you want.
> In the normal mode a pcap file is created in the default-log-dir. It can also be created elsewhere if an absolute path is set in the yaml-file.
> The file that is saved, for example, in the default-log-dir /var/log/suricata can be opened with every program which supports the pcap file format. This can be Wireshark, tcpdump, Suricata, Snort and many others.
> The pcap-log option can be enabled and disabled.
> There is a size limit for the pcap-log file that can be set. The default limit is 32 MB. If the log-file reaches this limit, the file will be rotated and a new one will be created.


On 11/19/2014 3:19 AM, Charles DeVoe wrote:
> When we started this project it was decided that we need the session
> data along with the alert.  Back then we found that the only way we
> could get this was by using the debug output (although there may have
> been another way).  I attempted to install Suricata with prelude support
> and that failed during the ./configure process.
> So to get to the point.  What methods are available for getting session
> data and which is the best?
> "Thank you for your Support"
> Bartyles and James
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
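For anyone who wants to try the pcap-log route described in the quoted documentation, this is the relevant part of suricata.yaml. It is an added example, not code from the post or from the Suricata docs quoted above; the key names are those of the Suricata 2.0-era suricata.yaml (an assumption here, so compare against the commented suricata.yaml that ships with your own version), and the limit and file-count values are illustrative.

```yaml
# suricata.yaml excerpt: the "outputs:" section.
# Added example; key names assumed from the Suricata 2.0-era config file.
outputs:
  # Full packet capture of everything Suricata inspects, so the session
  # around any alert can be pulled from the pcap afterwards.
  - pcap-log:
      enabled: yes
      # Written under default-log-dir unless an absolute path is given.
      filename: log.pcap
      # Rotate when the file reaches this size (the quoted docs give 32 MB
      # as the default; a larger limit means fewer, bigger files).
      limit: 1000mb
      # Ring buffer: keep at most this many files of size "limit", then
      # overwrite the oldest. Without this the capture grows until the
      # disk is full.
      max-files: 2000
      # "normal" is the plain rotated-file mode; "sguil" uses the Sguil
      # directory layout.
      mode: normal
      # "no" logs every packet, including those past the stream inspection
      # depth, which is what you want if the goal is full session data.
      use-stream-depth: no
```

Once packets are being written, the session belonging to an alert is recovered by reading the pcap with a filter on the alert's 5-tuple and timestamp window (tcpdump -r or a Wireshark display filter on the source/destination address and port pair), since the alert log itself still only carries the triggering packet's metadata.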