[Oisf-users] Suricata "bogus savefile header" error message
Gerald Roy
15096873 at brookes.ac.uk
Sat Sep 9 09:51:45 UTC 2017
Hi Francis,
Yes, this was the problem. If I capture just interface br0 then it all works fine.
Thanks for your help.
Gezzaroy
On 17 Aug 2017 19:51, "Francis Trudeau" <ftrudeau at emergingthreats.net> wrote:
I think it has to do with "-i any". It saves it as a 'cooked' pcap:
$ sudo tcpdump -nnvv -i any -w butt.pcap
$ file butt.pcap
butt.pcap: tcpdump capture file (little-endian) - version 2.4 (Linux "cooked", capture length 262144)
$ sudo tcpdump -nnvv -i wlan0 -w turd.pcap
$ file turd.pcap
turd.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 262144)
I don't get that error here, but I may have different types of interfaces than you do. Try specifying one interface and see what happens.
More info on Linux cooked-mode capture:
https://wiki.wireshark.org/SLL
FT
On Thu, Aug 17, 2017 at 2:37 AM, Gerald Roy <15096873 at brookes.ac.uk> wrote:
> Hi,
> I'm running Suricata 4.0.0 on a Raspberry Pi. I get the TCPDump PCAP files from a Linksys WRT1900ACS router running DD-WRT and TCPDump 4.5.1. The capture logs are transferred from the router to the Pi over SSH with
> tcpdump -nn -i any -F tcpdumpfilter -w - | ssh -T pi at 192.168.0.9 "cat -> /home/pi/dogbert/br0-remote.pcap"
> and then on the Pi I run
> sudo suricata -c /etc/suricata/suricata.yaml -r /home/pi/dogbert/br0-remote.pcap
> I get the following error from Suricata: "16/8/2017 -- 11:11:51 - <Error> - [ERRCODE: SC_ERR_PCAP_DISPATCH(20)] - error code -1 bogus savefile header".
> What is going wrong? Any help appreciated.
> Thanks
> Gezzaroy
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
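The diagnosis in this thread turns on what the pcap global header says: the `file` output above reads the link-layer type (Ethernet versus Linux "cooked"/SLL), and libpcap's "bogus savefile header" message means the magic number at the start of the file was not recognised at all. The script below is an added example (not code from the thread, Suricata or tcpdump) that performs the same check on the first 24 bytes of a capture: it validates the magic, reports endianness, version, snaplen and link type, and flags cooked captures so a transferred file like `br0-remote.pcap` can be inspected before it is fed to `suricata -r`. The sample headers at the bottom are constructed with `struct.pack` to mirror the two captures shown in the thread; no real capture files are read unless a path is given.

```python
import struct
import sys

# Link-layer types from the libpcap/tcpdump LINKTYPE registry.
LINKTYPE_NAMES = {
    1: "Ethernet",
    113: "Linux cooked (SLL)",        # what 'tcpdump -i any' writes
    276: "Linux cooked v2 (SLL2)",
}
COOKED_LINKTYPES = {113, 276}

# libpcap magic numbers (microsecond and nanosecond timestamp variants).
PCAP_MAGICS = {0xA1B2C3D4: "us", 0xA1B23C4D: "ns"}
PCAPNG_MAGIC = 0x0A0D0D0A              # pcapng Section Header Block type
HEADER_LEN = 24                        # size of the classic pcap global header


def inspect_pcap_header(data):
    """Describe a libpcap global header, or raise ValueError.

    Only the 24-byte global header is examined; packet records are not read.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("truncated file: %d bytes is shorter than a pcap header" % len(data))

    magic_le, = struct.unpack("<I", data[:4])
    magic_be, = struct.unpack(">I", data[:4])
    if magic_le == PCAPNG_MAGIC:
        raise ValueError("file is pcapng, not classic pcap")
    if magic_le in PCAP_MAGICS:
        endian = "<"
    elif magic_be in PCAP_MAGICS:
        endian = ">"
    else:
        # Unrecognised magic: the condition libpcap reports as "bogus savefile header".
        raise ValueError("bogus savefile header: magic 0x%08x" % magic_le)

    # Layout: magic, version_major, version_minor, thiszone, sigfigs, snaplen, linktype.
    magic, major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:HEADER_LEN])
    return {
        "endian": "little" if endian == "<" else "big",
        "timestamps": PCAP_MAGICS[magic],
        "version": (major, minor),
        "snaplen": snaplen,
        "linktype": linktype,
        "linktype_name": LINKTYPE_NAMES.get(linktype, "unknown (%d)" % linktype),
        "cooked": linktype in COOKED_LINKTYPES,
    }


def make_header(linktype, snaplen=262144, endian="<"):
    """Build a version 2.4 pcap global header (constructed sample data)."""
    return struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)


# Constructed samples standing in for the captures discussed in the thread.
COOKED_HEADER = make_header(113)       # like 'tcpdump -i any -w butt.pcap'
ETHERNET_HEADER = make_header(1)       # like 'tcpdump -i wlan0 -w turd.pcap'
GARBAGE_HEADER = b"not a pcap file at all, just text"   # e.g. an SSH banner or error text


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python pcap_header_check.py /home/pi/dogbert/br0-remote.pcap
        with open(sys.argv[1], "rb") as f:
            samples = {sys.argv[1]: f.read(HEADER_LEN)}
    else:
        samples = {"cooked": COOKED_HEADER, "ethernet": ETHERNET_HEADER, "garbage": GARBAGE_HEADER}
    for name, blob in samples.items():
        try:
            info = inspect_pcap_header(blob)
            print("%s: %s v%d.%d snaplen=%d cooked=%s" % (
                name, info["linktype_name"], info["version"][0], info["version"][1],
                info["snaplen"], info["cooked"]))
        except ValueError as err:
            print("%s: error: %s" % (name, err))
```

Run it against the file that lands on the Pi; a "bogus savefile header" result means the bytes at the start are not a pcap header at all (for instance text written into the stream before tcpdump's output), while a valid header with `cooked=True` confirms the capture was taken with `-i any` and carries SLL rather than Ethernet framing.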