Hi All,
I’m currently referring to the following Suricata documentation (15.1.1. Eve JSON Output — Suricata 6.0.0 documentation), which has the following configuration settings in the suricata.yaml file:
types:
  - alert:
      # payload: yes             # enable dumping payload in Base64
      # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
      # payload-printable: yes   # enable dumping payload in printable (lossy) format
      # packet: yes              # enable dumping of packet (without stream segments)
For the setting packet: yes, may I clarify the following?
- What does “enable dumping of packet (without stream segments)” mean?
- I’ve seen that the packet information being output to the eve.json file is in Base64 format. Is there anything that could be missing from the output? I’ve also tried converting the generated output back to a pcap file and made a comparison using Wireshark, and observed that the lengths are the same as in the original test pcap file. Is there anything that needs to be taken note of here?
Thanks in advance for your time and assistance.
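The round trip described in the post (eve.json alert record with a base64 packet field, converted back to a pcap and compared by frame length) as an added, self-contained example; this is not code from the original post or from the Suricata project. The eve.json lines and the 54-byte Ethernet/IPv4/TCP frame inside them are constructed here so the script runs offline; the signature name, SID, addresses and timestamp are made up, and the only Suricata fields relied on are the top-level `packet` (base64) and `packet_info.linktype` that Suricata writes when `packet: yes` is set.

```python
import base64
import json
import struct
import tempfile
from datetime import datetime

# Classic pcap file constants (little-endian, microsecond timestamps).
PCAP_MAGIC = 0xA1B2C3D4
PCAP_SNAPLEN = 65535


def build_sample_packet() -> bytes:
    # Constructed Ethernet/IPv4/TCP SYN frame (14 + 20 + 20 = 54 bytes) so the
    # example runs offline; checksums are left zero. Real packets come from Suricata.
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, bytes([192, 168, 1, 10]), bytes([10, 0, 0, 1]))
    return eth + ip + tcp


# Constructed eve.json lines: one alert written with packet: yes ("packet" is
# base64, "packet_info.linktype" is the DLT) plus a non-alert record that a
# converter must skip. The signature name and SID are made up.
SAMPLE_EVE_LINES = [
    json.dumps({
        "timestamp": "2021-01-01T00:00:00.000000+0000",
        "event_type": "alert",
        "src_ip": "192.168.1.10",
        "dest_ip": "10.0.0.1",
        "alert": {"signature_id": 1, "signature": "constructed test rule"},
        "packet": base64.b64encode(build_sample_packet()).decode("ascii"),
        "packet_info": {"linktype": 1},
    }),
    json.dumps({"timestamp": "2021-01-01T00:00:01.000000+0000", "event_type": "flow"}),
]


def extract_packets(lines):
    """Return [(epoch_seconds, linktype, raw_bytes), ...] for every record that
    carries a base64 'packet' field; linktype defaults to 1 (Ethernet)."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if "packet" not in rec:
            continue
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()
        linktype = rec.get("packet_info", {}).get("linktype", 1)
        out.append((ts, linktype, base64.b64decode(rec["packet"])))
    return out


def write_pcap(packets, path):
    """Write a classic pcap. One file carries one linktype, so a mix is rejected
    instead of being silently mislabelled."""
    linktypes = {lt for _, lt, _ in packets}
    if len(linktypes) != 1:
        raise ValueError(f"cannot write mixed linktypes {linktypes} into one pcap")
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, PCAP_SNAPLEN, linktypes.pop()))
        for ts, _, raw in packets:
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            # incl_len == orig_len: the eve record carries the whole packet, not a snap.
            f.write(struct.pack("<IIII", sec, usec, len(raw), len(raw)))
            f.write(raw)
    return len(packets)


def read_pcap_lengths(path):
    """Parse the pcap back independently and return [(incl_len, orig_len), ...],
    the per-frame lengths Wireshark shows in its Length column."""
    lengths = []
    with open(path, "rb") as f:
        if struct.unpack("<I", f.read(4))[0] != PCAP_MAGIC:
            raise ValueError("not a little-endian microsecond pcap")
        f.read(20)  # remainder of the 24-byte global header
        while True:
            hdr = f.read(16)
            if len(hdr) < 16:
                break
            _, _, incl_len, orig_len = struct.unpack("<IIII", hdr)
            lengths.append((incl_len, orig_len))
            f.read(incl_len)
    return lengths


def convert_and_verify(lines):
    """eve.json lines -> pcap -> lengths; the flag is True only if every frame
    length in the file equals the decoded packet size."""
    packets = extract_packets(lines)
    with tempfile.NamedTemporaryFile(suffix=".pcap", delete=False) as tmp:
        path = tmp.name
    write_pcap(packets, path)
    lengths = read_pcap_lengths(path)
    ok = [len(raw) for _, _, raw in packets] == [inc for inc, _ in lengths]
    return len(packets), lengths, ok


if __name__ == "__main__":
    print(convert_and_verify(SAMPLE_EVE_LINES))
```

Two things to keep in mind when reading the result: each alert record carries only the single packet on which that alert fired, so a pcap rebuilt this way holds one frame per alert (the same packet appears twice if two signatures match it), and a signature that matched on reassembled stream data will not have all of its matched bytes inside that one frame. The `packet` field is also independent of `payload-buffer-size`, which only caps the `payload` field.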