[Oisf-users] Issue when using directory for offline pcap mode

Eric Urban eurban at umn.edu
Wed Feb 28 15:41:41 UTC 2018


I should have mentioned yesterday I tried this with both Suricata 3.1 and
also 4.0.4 with the same results and the same error message.  This is being
attempted on CentOS 7.4.

I also tried a few variations of the command like "suricata -r ." in the
directory with the pcap files and "suricata -r pcaps" without the trailing
forward slash.  The pcap files load successfully if I do them one by one
and there are only pcap files in that directory.


On Tue, Feb 27, 2018 at 5:21 PM, Eric Urban <eurban at umn.edu> wrote:

> The documentation at
> http://suricata.readthedocs.io/en/latest/command-line-options.html#cmdoption-r
> states that "Run in pcap offline mode reading files from pcap file. If <path>
> specifies a directory, all files in that directory will be processed in order
> of modified time maintaining flow state between files."
>
> When I try to specify a directory that contains several pcap files, using
> the command like "sudo suricata -r pcaps/", I get the error:
> 27/2/2018 -- 22:32:45 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - error
> reading dump file: Is a directory
>
> Does anyone know if I am doing something wrong, as it seems from the
> documentation that this should work?
>
> Thank you,
>
> Eric Urban
> University Information Security | Office of Information Technology |
> it.umn.edu
> University of Minnesota | umn.edu
> eurban at umn.edu
>