[Oisf-users] Pcap-log issue

Peter Manev petermanev at gmail.com
Tue Mar 15 16:01:03 UTC 2016


On Tue, Mar 15, 2016 at 8:57 AM, Murali Kandula <muralispruce at gmail.com> wrote:
> I tested this only a few times (tcpreplayed HTTP traffic) and during all these
> times, observed that Suricata is holding on to those FIN packets. It will flush
> those packets only when I send more traffic (HTTP traffic).
>

Or when you stop it, correct?

> -Murali
>
> On Tue, Mar 15, 2016 at 11:44 AM, Peter Manev <petermanev at gmail.com> wrote:
>>
>> On Mon, Mar 14, 2016 at 8:39 AM, Murali Kandula <muralispruce at gmail.com>
>> wrote:
>> > Hello,
>> >
>> > Can anybody help me with how to make sure Suricata flushes all the packets
>> > immediately, including the FIN packets?
>>
>> Is it just the FIN packets missing every time?
>>
>> >
>> > -Murali
>> >
>> > On Thu, Mar 10, 2016 at 3:47 PM, Murali Kandula <muralispruce at gmail.com>
>> > wrote:
>> >>
>> >> Hello,
>> >>
>> >> I enabled the pcap-log option for Suricata. I replayed the traffic
>> >> related to an HTTP session and after a minute I opened the pcap file and
>> >> didn't observe the FIN handshake. I am able to observe the FIN handshake
>> >> after I replayed traffic belonging to another HTTP session.
>> >> I tried playing with the flow timeout belonging to TCP and it didn't work.
>> >> Is there any config parameter that I can use to log the packets
>> >> immediately?
>> >>
>> >> -Murali
>> >
>> >
>> >
>> > _______________________________________________
>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> > Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>
>



-- 
Regards,
Peter Manev
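A practical way to confirm what the thread describes (the FIN exchange present in the replayed traffic but absent from the pcap-log output until more traffic arrives) is to walk both pcap files and list the TCP flows that carry a FIN in the input but none in the log. The script below is an added example for this thread, not code from the list posters or from the Suricata project. It parses classic libpcap files (Ethernet, IPv4, TCP only; VLAN tags and IPv6 are assumed out of scope) with only the standard library, and the two capture files it checks are constructed inline to mimic the situation reported: a full HTTP session on the replay side, and the same session with its tail still unwritten on the pcap-log side.

```python
import struct
from collections import defaultdict

FIN, SYN, ACK = 0x01, 0x02, 0x10

# --- Minimal packet/pcap builders, used only to construct the sample input ---
def _tcp_packet(src, dst, sport, dport, flags, payload=b""):
    """Build Ethernet/IPv4/TCP bytes; checksums are left zero (not needed for flag parsing)."""
    eth = b"\x00" * 6 + b"\x00" * 5 + b"\x01" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp

def build_pcap(packets):
    """Classic little-endian libpcap file, linktype 1 (Ethernet), one record per packet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt
    return out

# --- Reader side: what you would run against the replayed file and the pcap-log file ---
def iter_packets(data):
    """Yield captured bytes of each record; handles both byte orders and the nanosecond magic."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        end = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off = 24
    while off + 16 <= len(data):
        _sec, _frac, incl, _orig = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield data[off:off + incl]
        off += incl

def tcp_flow_flags(pcap_bytes):
    """Map each TCP flow (direction-normalized endpoint pair) to the OR of all flags seen."""
    flows = defaultdict(int)
    for pkt in iter_packets(pcap_bytes):
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":   # need a full IPv4 header
            continue
        ihl = (pkt[14] & 0x0F) * 4
        if pkt[23] != 6:                                   # IP protocol 6 = TCP
            continue
        src = ".".join(map(str, pkt[26:30]))
        dst = ".".join(map(str, pkt[30:34]))
        tcp = pkt[14 + ihl:]
        if len(tcp) < 14:                                  # flags byte is at TCP offset 13
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        key = tuple(sorted([(src, sport), (dst, dport)]))  # same key for both directions
        flows[key] |= tcp[13]
    return flows

def flows_missing_fin(pcap_bytes):
    """Flows in which neither side ever sent a FIN."""
    return sorted(k for k, f in tcp_flow_flags(pcap_bytes).items() if not f & FIN)

def fins_dropped_by_log(replayed, logged):
    """Flows that closed with a FIN in the replayed input but show no FIN in the pcap-log output."""
    inp, out = tcp_flow_flags(replayed), tcp_flow_flags(logged)
    return sorted(k for k, f in inp.items() if f & FIN and not out.get(k, 0) & FIN)

# --- Constructed sample data (hypothetical addresses, not from the thread) ---
C, S = "10.0.0.1", "10.0.0.2"
FULL_SESSION = [
    _tcp_packet(C, S, 40000, 80, SYN),
    _tcp_packet(S, C, 80, 40000, SYN | ACK),
    _tcp_packet(C, S, 40000, 80, ACK),
    _tcp_packet(C, S, 40000, 80, ACK, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    _tcp_packet(S, C, 80, 40000, ACK, b"HTTP/1.1 200 OK\r\n\r\n"),
    _tcp_packet(C, S, 40000, 80, FIN | ACK),
    _tcp_packet(S, C, 80, 40000, FIN | ACK),
    _tcp_packet(C, S, 40000, 80, ACK),
]
REPLAYED = build_pcap(FULL_SESSION)       # what tcpreplay sent
LOGGED = build_pcap(FULL_SESSION[:5])     # what pcap-log had written before more traffic arrived

if __name__ == "__main__":
    for key in fins_dropped_by_log(REPLAYED, LOGGED):
        print("FIN not yet in pcap-log for flow", key)
```

Against real files, replace the two constructed byte strings with `open(path, "rb").read()`. A flow listed by `fins_dropped_by_log` right after the replay and gone after sending unrelated traffic (or after stopping Suricata) confirms buffering rather than packet loss; a flow that stays listed is a different problem. Flows torn down with RST instead of FIN will always appear in `flows_missing_fin`, so compare input against output rather than judging the log file alone.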