[Oisf-users] Issue when using directory for offline pcap mode

Victor Julien lists at inliniac.net
Wed Feb 28 15:51:26 UTC 2018


On 28-02-18 16:41, Eric Urban wrote:
> I should have mentioned yesterday I tried this with both Suricata 3.1
> and also 4.0.4 with the same results and the same error message.  This
> is being attempted on CentOS 7.4.
> 
> I also tried a few variations of the command like "suricata -r ." in the
> directory with the pcap files and "suricata -r pcaps" without the
> trailing forward slash.  The pcap files load successfully if I do them
> one by one and there are only pcap files in that directory.

This feature is new in the 4.1dev tree. So it will be available when 4.1
is out.

Cheers,
Victor

> 
> On Tue, Feb 27, 2018 at 5:21 PM, Eric Urban <eurban at umn.edu> wrote:
> 
>     The documentation
>     at http://suricata.readthedocs.io/en/latest/command-line-options.html#cmdoption-r
>     states that "Run in pcap offline mode reading files from pcap file. If
>     <path> specifies a directory, all files in that directory will be
>     processed in order of modified time maintaining flow state between
>     files."
> 
>     When I try to specify a directory that contains several pcap files,
>     using the command like "sudo suricata -r pcaps/", I get the error:
>     27/2/2018 -- 22:32:45 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] -
>     error reading dump file: Is a directory
> 
>     Does anyone know if I am doing something wrong, as it seems from the
>     documentation that this should work?
> 
>     Thank you,
> 
>     Eric Urban
>     University Information Security | Office of Information Technology
>     | it.umn.edu
>     University of Minnesota | umn.edu
>     eurban at umn.edu


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
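
The one-by-one approach from the quoted message, scripted for releases where `-r` rejects a directory. This is an added example, not part of either message or of Suricata itself; `SURICATA_BIN`, the function names and the per-capture log directory layout are assumptions. Each file gets its own Suricata process, so flow state is not carried between files the way the documentation describes for directory mode.

```shell
#!/bin/sh
# Added example: replay a directory of pcaps one file at a time on Suricata
# releases where "-r <dir>" fails with "Is a directory".
# Assumption: SURICATA_BIN and the one-log-dir-per-capture layout are choices
# made for this sketch, not Suricata defaults.
SURICATA_BIN="${SURICATA_BIN:-suricata}"

# Print regular files in directory $1, oldest modification time first (the
# order the documentation gives for directory mode). Subdirectories are
# skipped; file names containing newlines are not supported.
pcaps_by_mtime() {
    ls -1tr -- "$1" | while IFS= read -r name; do
        if [ -f "$1/$name" ]; then printf '%s\n' "$1/$name"; fi
    done
}

# Run one Suricata process per capture in $1, logging under $2/<file name> so
# output from different captures does not mix. Returns 0 if every run
# succeeded, 1 if any run failed, 2 on bad input.
replay_dir() {
    dir="${1%/}"; logroot="$2"; failed=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    list=$(pcaps_by_mtime "$dir")
    [ -n "$list" ] || { echo "no files in $dir" >&2; return 2; }
    # A here-document keeps the loop in this shell so $failed survives it.
    while IFS= read -r pcap; do
        out="$logroot/$(basename "$pcap")"
        mkdir -p "$out" || return 1
        # -r reads one pcap file, -l sets the log directory for this run.
        if ! "$SURICATA_BIN" -r "$pcap" -l "$out" </dev/null; then
            echo "suricata failed on $pcap" >&2
            failed=1
        fi
    done <<EOF
$list
EOF
    return "$failed"
}

# Usage: sh replay.sh pcaps/ logs/
if [ "$#" -eq 2 ]; then
    replay_dir "$1" "$2"
fi
```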



