Deciphering https traffic log.pcap files

a_m (Ebonatharix the Firebreather) November 3, 2024, 5:37pm 1

hello ,
how can i read log.pcap.xxx files with suricata from my /var/log/suricata directory ?
how can i to decipher the traffic?
also, I’m not sure I selected the right category

could you help me ?
Regards

Jeff_Lucovsky (Jeff Lucovsky) November 3, 2024, 7:11pm 2

Since these are pcap files, any tool or utility that handles them can be used.
Common ones are tcpdump, tshark, or wireshark (graphical UI). There are others depending on your needs but these are commonly used.

a_m (Ebonatharix the Firebreather) November 3, 2024, 7:20pm 3

how to decrypt the files too, where are the keys and how to use them?

Jeff_Lucovsky (Jeff Lucovsky) November 4, 2024, 1:07pm 4

The pcap files produced by Suricata are compressed – they are not encrypted. You can use gzip or another Linux utility to decompress.

a_m (Ebonatharix the Firebreather) November 4, 2024, 6:58pm 5

I mean the basic traffic of log.pcap files, I’m not talking about a supposed encryption layer above, we are agreed?

Andreas_Herz (Andreas Herz) November 4, 2024, 9:51pm 6

For encrypted traffic you would have to acquire the keys, depending on the protocol you could do the decipher in wireshark

Topic		Replies	Views	Activity
Suricata http traffic parse exception in mirror traffic Help	5	900	January 25, 2022
Suricata cannot parse tls/http traffice Help	10	342	September 19, 2024
Application detection and duplicate TCP/SYN Help	6	1243	September 1, 2022
Suricata Pcap options Developers	1	541	January 26, 2022
Bypassing encrypted traffic does not seem to work Help	8	1731	December 10, 2021