Feeding Suricata from a FIFO Pipe with PCAP Data

hockeyice · July 7, 2024, 10:51pm

Have a nice day!

I have a question regarding the setup of Suricata for real-time packet analysis. I am looking to continuously feed Suricata with packets in PCAP format that are being delivered through a Linux named pipe (FIFO). I am aware that Suricata has options to feed from multiple PCAP files in the same directory, but this scenario is a bit different.

Is it feasible for Suricata to process packets from the same FIFO in an infinite loop without interruption? Any guidance or insights on how to configure this setup would be greatly appreciated.

Thank you in advance for your help!

Andreas_Herz · July 31, 2024, 9:16pm

I think one option would be to create a dummy0 interface to which you feed the packets (via tcpreplay for example) and use that interface as a capture interface in Suricata. You can create such dummy interfaces on LInux.

Topic		Replies	Views
Feeding suricata with a pcap streaming? Help	2	795	May 1, 2021
How to have suricata keep parsing a bunch of pcaps? Help	1	404	October 19, 2021
Use suricata to replay pcap file without any output Help	4	675	August 4, 2021
Suricata communication state reset when analyzing files Help	5	520	February 27, 2021
Pcap dump using Napatech card Help	3	944	May 15, 2020

Feeding Suricata from a FIFO Pipe with PCAP Data

Related topics