[Oisf-users] Suricata "bogus savefile header" error message

Francis Trudeau ftrudeau at emergingthreats.net
Thu Aug 17 18:50:53 UTC 2017


I think it has to do with "-i any"

It saves it as a 'cooked' pcap:

$ sudo tcpdump -nnvv -i any -w butt.pcap

$ file butt.pcap
butt.pcap: tcpdump capture file (little-endian) - version 2.4 (Linux "cooked", capture length 262144)

$ sudo tcpdump -nnvv -i wlan0 -w turd.pcap

$ file turd.pcap
turd.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 262144)

I don't get that error here, but I may have different types of
interfaces than you do.  Try specifying one interface and see what
happens.

More info on Linux cooked-mode capture:

https://wiki.wireshark.org/SLL

FT





On Thu, Aug 17, 2017 at 2:37 AM, Gerald Roy <15096873 at brookes.ac.uk> wrote:
> Hi,
> I'm running Suricata 4.0.0 on a Raspberry Pi.  I get the TCPDump PCAP files
> from a Linksys WRT1900ACS router running DD-WRT and TCPDump 4.5.1.  The
> capture logs are transferred from the router to the Pi over SSH with
> tcpdump -nn -i any -F tcpdumpfilter -w - | ssh -T pi at 192.168.0.9 "cat -> /home/pi/dogbert/br0-remote.pcap"
> and then on the Pi I run
> sudo suricata -c /etc/suricata/suricata.yaml -r /home/pi/dogbert/br0-remote.pcap
> I get the following error from Suricata "16/8/2017 -- 11:11:51 - <Error> - [ERRCODE: SC_ERR_PCAP_DISPATCH(20)] - error code -1 bogus savefile header".
> What is going wrong?  Any help appreciated.
> Thanks
> Gezzaroy
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
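To see what libpcap is actually looking at when it accepts or rejects one of these files, here is an added example (my code, not code from this thread, from Suricata or from libpcap). It parses the 24-byte pcap global header and reports the link type, which is where a "-i any" capture shows up as Linux "cooked" (LINKTYPE_LINUX_SLL, 113) instead of Ethernet (1), then walks the per-record headers and flags a record whose captured length is over 65535 bytes, the condition that libpcap releases up to 1.8 report with the exact string "bogus savefile header" (a record truncated by a broken pipe is flagged separately). The sample files, packet bytes, timestamps and file names are constructed inside the script; the ARP frame is shown once as Ethernet and once with the 16-byte SLL header that "-i any" writes.

```python
"""Inspect a pcap savefile's headers the way libpcap does before it accepts
or rejects the file.  Added example for this thread; not code from the
thread, from Suricata or from libpcap.  All sample data is constructed."""
import struct

# First 4 bytes of the file read little-endian -> (struct byte order, timestamp
# resolution).  A big-endian file shows up byte-swapped here, hence both forms.
PCAP_MAGICS = {0xA1B2C3D4: ("<", "usec"), 0xD4C3B2A1: (">", "usec"),
               0xA1B23C4D: ("<", "nsec"), 0x4D3CB2A1: (">", "nsec")}
PCAPNG_MAGIC = 0x0A0D0D0A        # pcapng section header block: a different format
LINKTYPE_ETHERNET = 1
LINKTYPE_LINUX_SLL = 113         # Linux "cooked" capture, what "tcpdump -i any" writes
LINKTYPE_NAMES = {LINKTYPE_ETHERNET: "Ethernet", LINKTYPE_LINUX_SLL: 'Linux "cooked" (SLL)'}
MAX_CAPLEN = 65535               # libpcap <= 1.8: a larger caplen => "bogus savefile header"


def parse_global_header(data):
    """Return a dict describing the 24-byte global header, or raise ValueError."""
    if len(data) < 24:
        raise ValueError("truncated global header: %d bytes, need 24" % len(data))
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAPNG_MAGIC:
        raise ValueError("pcapng section header block, not classic pcap")
    if magic not in PCAP_MAGICS:
        raise ValueError("unknown file format (magic 0x%08x)" % magic)
    endian, ts_res = PCAP_MAGICS[magic]
    major, minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    return {"endian": endian, "version": (major, minor), "ts_res": ts_res,
            "snaplen": snaplen, "linktype": linktype,
            "linktype_name": LINKTYPE_NAMES.get(linktype, "DLT %d" % linktype),
            "cooked": linktype == LINKTYPE_LINUX_SLL}


def check_records(data, hdr):
    """Walk the per-packet records; return (records_read, list_of_problems)."""
    off, count, problems = 24, 0, []
    while off < len(data):
        if len(data) - off < 16:
            problems.append("record %d: truncated record header" % count)
            break
        _sec, _frac, caplen, _origlen = struct.unpack(hdr["endian"] + "IIII", data[off:off + 16])
        if caplen > MAX_CAPLEN:      # the check behind the libpcap error string
            problems.append("record %d: bogus savefile header (caplen %d > %d)"
                            % (count, caplen, MAX_CAPLEN))
            break
        if caplen > hdr["snaplen"]:
            problems.append("record %d: caplen %d exceeds snaplen %d" % (count, caplen, hdr["snaplen"]))
        if len(data) - off - 16 < caplen:
            problems.append("record %d: truncated packet data" % count)
            break
        off += 16 + caplen
        count += 1
    return count, problems


def link_header(hdr, packet):
    """Decode one packet's link-layer header for the two link types above."""
    if hdr["linktype"] == LINKTYPE_ETHERNET:
        dst, src, ethertype = struct.unpack("!6s6sH", packet[:14])
        return {"dst": dst.hex(":"), "src": src.hex(":"), "proto": ethertype}
    if hdr["linktype"] == LINKTYPE_LINUX_SLL:
        # SLL: packet type, ARPHRD_* type, address length, 8-byte address, protocol
        pkttype, hatype, halen, addr, proto = struct.unpack("!HHH8sH", packet[:16])
        return {"pkttype": pkttype, "hatype": hatype, "src": addr[:halen].hex(":"), "proto": proto}
    raise ValueError("no decoder for %s" % hdr["linktype_name"])


def inspect(data):
    """Global header plus record walk for one file's bytes: (hdr, count, problems)."""
    hdr = parse_global_header(data)
    count, problems = check_records(data, hdr)
    return hdr, count, problems


def make_pcap(linktype, packets, snaplen=262144, endian="<"):
    """Build a version 2.4 pcap file from packet byte strings (constructed data)."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for pkt in packets:   # timestamp is a made-up value, not from the thread
        out += struct.pack(endian + "IIII", 1502968311, 0, len(pkt), len(pkt)) + pkt
    return out


# Constructed ARP request, once as an Ethernet frame and once as "-i any" writes it.
ARP_BODY = (bytes.fromhex("0001080006040001") + b"\x02" * 6 + b"\xc0\xa8\x00\x01"
            + b"\x00" * 6 + b"\xc0\xa8\x00\x09")
ETH_FRAME = b"\xff" * 6 + b"\x02" * 6 + b"\x08\x06" + ARP_BODY
SLL_FRAME = struct.pack("!HHH8sH", 1, 1, 6, b"\x02" * 6 + b"\x00\x00", 0x0806) + ARP_BODY

SAMPLES = {
    "wlan0.pcap": make_pcap(LINKTYPE_ETHERNET, [ETH_FRAME]),
    "any.pcap": make_pcap(LINKTYPE_LINUX_SLL, [SLL_FRAME]),
    # A record header claiming 70000 captured bytes: the case libpcap rejects.
    "bad.pcap": make_pcap(LINKTYPE_ETHERNET, []) + struct.pack("<IIII", 1502968311, 0, 70000, 70000) + ETH_FRAME,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        hdr, count, problems = inspect(data)
        print("%s: %s, version %d.%d, snaplen %d, %d record(s) read"
              % (name, hdr["linktype_name"], *hdr["version"], hdr["snaplen"], count))
        for problem in problems:
            print("   ", problem)
```

To run it against a real capture, read the file into `data` and call `inspect(data)`. A cooked (SLL) file is a valid savefile, so if the global header parses and the record walk reports nothing, the link type by itself is not what the reader is objecting to; what the walk does catch is a record header with an oversized capture length, or a file cut short by the pipe it was written through.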


