Hello,
How can I read log.pcap.xxx files with Suricata from my /var/log/suricata directory?
How can I decipher the traffic?
Also, I'm not sure I selected the right category.
Could you help me?
Regards
Since these are pcap files, any tool or utility that handles them can be used. Common ones are tcpdump, tshark, or wireshark (graphical UI). There are others depending on your needs, but these are commonly used.
How do I decrypt the files too? Where are the keys and how do I use them?
The pcap files produced by Suricata are compressed – they are not encrypted. You can use gzip or another Linux utility to decompress.
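The two replies above (read the file with tcpdump/tshark; decompress it first with gzip if it is compressed) put together as a small POSIX shell helper. This is an added example, not code from the thread or from the Suricata project; it assumes files named like /var/log/suricata/log.pcap.xxx or log.pcap.xxx.gz and that od, gzip and optionally tcpdump or tshark are on PATH. It checks the file's magic bytes rather than trusting the extension, so a compressed file without a .gz suffix is still handled.

```shell
#!/bin/sh
# Added example: inspect and read rotated Suricata pcap-log files.
# Assumes od and gzip are available; tcpdump or tshark is used if installed.

# Print the kind of file based on its first four bytes:
# gzip, pcap (either byte order, micro- or nanosecond), pcapng, or unknown.
pcap_kind() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        1f8b*)                                echo gzip ;;
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d)  echo pcap ;;
        0a0d0d0a)                             echo pcapng ;;
        *)                                    echo unknown ;;
    esac
}

# Make sure an uncompressed copy exists and print its path.
# A gzip-compressed file is decompressed into $2 (default: the name without .gz);
# the original is left untouched, which matters for files you may want to keep as evidence.
pcap_plain() {
    src=$1
    out=${2:-${src%.gz}}
    # Never write the output over the input (e.g. a gzip file without a .gz suffix).
    [ "$out" = "$src" ] && out="$src.pcap"
    if [ "$(pcap_kind "$src")" = gzip ]; then
        gzip -dc "$src" > "$out" || return 1
        echo "$out"
    else
        echo "$src"
    fi
}

# Read the (possibly compressed) file with whichever reader is installed.
# Usage: pcap_read /var/log/suricata/log.pcap.1700000000.gz
pcap_read() {
    f=$(pcap_plain "$1") || return 1
    if command -v tcpdump >/dev/null 2>&1; then
        tcpdump -nr "$f"           # -n: no DNS lookups while reading
    elif command -v tshark >/dev/null 2>&1; then
        tshark -r "$f"
    else
        echo "no pcap reader (tcpdump/tshark) found; decompressed file is at $f" >&2
        return 2
    fi
}
```

Reading with `-n` avoids DNS lookups for every address in a capture you are analysing, which is both faster and avoids leaking the addresses of interest to a resolver.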
I mean the basic traffic of the log.pcap files; I'm not talking about a supposed encryption layer above. Are we agreed?
For encrypted traffic you would have to acquire the keys; depending on the protocol, you could do the decryption in Wireshark.
In this case, create the sslkey.log file and add it to the file ~/.bashrc, as per this link: [How to Decrypt SSL using Chrome or Firefox and Wireshark in Linux]
Regards