[Oisf-users] change destination of pcap files
Victor Julien
lists at inliniac.net
Tue Feb 21 13:18:17 UTC 2017
On 21-02-17 14:11, erik clark wrote:
> I am trying to change the location of the pcap files being generated on
> alert to
>
> /opt/suricata/var/pcap
>
> Also, I can't seem to capture this anyway. I have
>
> - eve-log:
>     types:
>       - alert:
>           packet: yes
>
> but I see nowhere that the files are being captured. Please advise what
> I did wrong. Thanks!
EVE is not a pcap log, but a JSON log.
For pcap recording see
http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#packet-log-pcap-log
It's unconditional though.
Other methods are:
- take eve.packet and post-process the json to convert to pcap
- unified2 -> barnyard2 -> pcap
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
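The first of the two alternatives in the reply above, post-processing the EVE JSON to get a pcap, as an added example that is not from the thread and not Suricata code. It assumes the EVE alert record layout with a base64 "packet" field (what `packet: yes` adds) plus "packet_info": {"linktype": N}, and timestamps of the form "2017-02-21T14:11:00.123456+0100"; the sample records and the Ethernet/IPv4/UDP frame inside them are constructed here, not captured traffic.

```python
"""Convert EVE alert records that carry a base64 'packet' into a classic pcap.

Added example for this thread, not Suricata code. Assumed record layout:
"packet" (base64 of the raw frame), "packet_info": {"linktype": N} and an
EVE timestamp such as "2017-02-21T14:11:00.123456+0100".
"""
import base64
import calendar
import json
import struct
from datetime import datetime

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
DLT_EN10MB = 1            # Ethernet link type


def ip_checksum(header):
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame(payload=b"constructed payload"):
    """Constructed Ethernet/IPv4/UDP frame used as sample input (not real traffic)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in header checksum
    return eth + ip + udp


def sample_eve_lines():
    """Three constructed EVE records: an alert with a packet, a flow record,
    and an alert logged without 'packet: yes' (so no packet field)."""
    frame = build_sample_frame()
    alert = {
        "timestamp": "2017-02-21T14:11:00.123456+0100",
        "event_type": "alert",
        "src_ip": "10.0.0.1", "dest_ip": "10.0.0.2", "proto": "UDP",
        "alert": {"signature_id": 1000001, "signature": "constructed test rule"},
        "packet": base64.b64encode(frame).decode("ascii"),
        "packet_info": {"linktype": DLT_EN10MB},
    }
    flow = {"timestamp": "2017-02-21T14:11:05.000000+0100", "event_type": "flow"}
    alert_no_pkt = {"timestamp": "2017-02-21T14:11:06.000000+0100",
                    "event_type": "alert", "alert": {"signature_id": 1000002}}
    return [json.dumps(r) for r in (alert, flow, alert_no_pkt)]


def eve_timestamp_to_pcap(ts):
    """EVE timestamp -> (seconds since epoch, microseconds) for a pcap record header."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
    return calendar.timegm(dt.utctimetuple()), dt.microsecond


def eve_alerts_to_pcap(eve_lines, out_path, linktype=DLT_EN10MB):
    """Write every alert record that carries 'packet' into one pcap file.

    Classic pcap holds a single link type per file, so records whose
    packet_info.linktype differs from the file's are counted as skipped."""
    written = skipped = 0
    with open(out_path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
        for line in eve_lines:
            line = line.strip()
            if not line:
                continue
            rec = json.loads(line)
            if rec.get("event_type") != "alert" or "packet" not in rec:
                skipped += 1
                continue
            if rec.get("packet_info", {}).get("linktype", DLT_EN10MB) != linktype:
                skipped += 1
                continue
            pkt = base64.b64decode(rec["packet"])
            sec, usec = eve_timestamp_to_pcap(rec["timestamp"])
            fh.write(struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt)
            written += 1
    return {"written": written, "skipped": skipped, "linktype": linktype}


def read_pcap(path):
    """Minimal reader used to check the output: returns (linktype, [(sec, usec, bytes)])."""
    with open(path, "rb") as fh:
        data = fh.read()
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a classic little-endian pcap file")
    pkts, off = [], 24
    while off < len(data):
        sec, usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        pkts.append((sec, usec, data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return linktype, pkts


if __name__ == "__main__":
    # With a real log: eve_alerts_to_pcap(open("eve.json"), "/opt/suricata/var/pcap/alerts.pcap")
    print(eve_alerts_to_pcap(sample_eve_lines(), "eve_alerts.pcap"))
    print(read_pcap("eve_alerts.pcap")[1][0][:2])
```

Because the output is plain pcap rather than pcapng, all records in one file share a link type; if the sensor mixes interfaces with different link types, run the conversion once per link type. The timestamp is taken from the EVE record, so the pcap keeps the original capture time rather than the conversion time.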