Clarification on pcap logging for a single packet

Please include the following information with your help request:

  • Suricata version
  • Operating system and/or Linux distribution
  • How you installed Suricata (from source, packages, something else)

I’ve tried a couple of different versions of Suricata 7.0, on Mac and Ubuntu.


I’ve been trying to just get Suricata working with a rule whereby when a signature is fired, just the offending packet is logged.

My suricata.yaml looks like;

  • pcap-log:
    enabled: yes
    filename: log.pcap

    conditional: tag

then in my rule i have;

metadata: tag;

however this seems to log all packets in the flow from when the rule is fired, not the single packet.

I wondered if anyone had any sucess with getting this working, or if I’m missing something ?

many thanks

This is meant to be used with the tag keyword, which turns out to be undocumented.

I’ve started doing that here:

Thanks - I’ll check this out and get back to you.

Hi Victor

Ok, this is lovely - exactly what I wanted;

Just a few nits/clarifications;

  1. There no details of direction, wasn’t sure if you could also have ‘both’ ?

  2. I have two signatures that fire on a flow, each logs 20 packets, this is per direction. I found that it would then log a total of 40 packets.

If there’s anything that I can do to help document let me know.

Thanks again for this, it’s awesome !