[Oisf-users] Suricata "bogus savefile header" error message

Gerald Roy 15096873 at brookes.ac.uk
Sat Sep 9 09:51:45 UTC 2017

Hi Francis,

Yes this was the problem. If I capture just interface br0 then it all works

Thanks for your help.

On 17 Aug 2017 19:51, "Francis Trudeau" <ftrudeau at emergingthreats.net>

I think it has to do with "-i any"

It saves it as a 'cooked' pcap:

$ sudo tcpdump -nnvv -i any -w butt.pcap

$ file butt.pcap
butt.pcap: tcpdump capture file (little-endian) - version 2.4 (Linux
"cooked", capture length 262144)

$ sudo tcpdump -nnvv -i wlan0 -w turd.pcap

$ file turd.pcap
turd.pcap: tcpdump capture file (little-endian) - version 2.4
(Ethernet, capture length 262144)

I don't get that error here, but I may have different types of
interfaces than you do.  Try specifying one interface and see what

More info on Linux cooked-mode capture:



On Thu, Aug 17, 2017 at 2:37 AM, Gerald Roy <15096873 at brookes.ac.uk> wrote:
> Hi,
> I'm running Suricata 4.0.0 on a Raspberry Pi.  I get the TCPDump PCAP
> from a Linksys WRT1900ACS router running DD-WRT and TCPDump 4.5.1.  The
> capture logs are transferred from the router to the Pi over SSH with
> tcpdump -nn -i any -F tcpdumpfilter -w - | ssh -T pi at "cat ->
> /home/pi/dogbert/br0-remote.pcap"
> and then on the Pi I run
> sudo suricata -c /etc/suricata/suricata.yaml -r
> /home/pi/dogbert/br0-remote.pcap
> I get the following error from Suricata "16/8/2017 -- 11:11:51 - <Error> -
> [ERRCODE: SC_ERR_PCAP_DISPATCH(20)] - error code -1 bogus savefile
> What is going wrong?  Any help appreciated.
> Thanks
> Gezzaroy
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
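The cooked-versus-Ethernet difference Francis points out is recorded in the link-type field of the pcap global header, which is the first thing Suricata's pcap reader looks at. As an added example (not code from this thread or from Suricata), the following Python script decodes that header so a transferred capture can be checked before it is handed to `suricata -r`; the magic values and LINKTYPE numbers are from the libpcap file format and the tcpdump link-layer type registry, and the sample header it builds is constructed for the demonstration.

```python
# Added example, not code from the thread. Magic values and LINKTYPE numbers
# are from the libpcap file format and the tcpdump link-layer type registry.
import struct

# 'tcpdump -i any' writes Linux cooked (SLL) frames, not Ethernet frames.
LINKTYPES = {1: "Ethernet", 113: "Linux cooked (SLL)", 276: "Linux cooked v2 (SLL2)"}

# Classic pcap magic: 0xa1b2c3d4 (microseconds) or 0xa1b23c4d (nanoseconds).
MAGIC_LE = (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1")
MAGIC_BE = (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d")
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"   # pcapng Section Header Block, not classic pcap


def parse_pcap_header(data):
    """Decode the 24-byte pcap global header; ValueError if not classic pcap."""
    # libpcap reports a missing or unknown magic as a 'bogus savefile header'.
    if len(data) < 24:
        raise ValueError("truncated header: only %d bytes" % len(data))
    magic = data[:4]
    if magic == PCAPNG_SHB:
        raise ValueError("pcapng file, not classic pcap")
    if magic in MAGIC_LE:
        fmt = "<"
    elif magic in MAGIC_BE:
        fmt = ">"
    else:
        raise ValueError("bogus savefile header: unknown magic %r" % magic)
    # Fields: version major/minor, thiszone, sigfigs, snaplen, network (link type).
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(fmt + "HHiIII", data[4:24])
    return {
        "endian": "little" if fmt == "<" else "big",
        "version": "%d.%d" % (major, minor),
        "snaplen": snaplen,
        "linktype": linktype,
        "linktype_name": LINKTYPES.get(linktype, "unknown (%d)" % linktype),
        "cooked": linktype in (113, 276),   # True for a capture made with -i any
    }


def make_header(linktype, snaplen=262144, big_endian=False):
    """Constructed pcap v2.4 global header (sample input for the demo below)."""
    fmt, magic = (">", MAGIC_BE[0]) if big_endian else ("<", MAGIC_LE[0])
    return magic + struct.pack(fmt + "HHiIII", 2, 4, 0, 0, snaplen, linktype)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read(24) if len(sys.argv) > 1 else make_header(113)
    print(parse_pcap_header(data))   # for a real file: python3 pcap_hdr.py br0-remote.pcap
```

Run it against the file written by the `ssh ... cat` pipeline; a result with `"cooked": True` means the router captured with `-i any`, and re-capturing on a single interface such as `br0` (as the thread concludes) gives an Ethernet-framed file.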