Feeding suricata with a pcap streaming?

Hi :slight_smile:

I’m asking for help about this particular network configuration of mine, and how to feed suricata with a live pcap streaming.

I own a Fritz!BOX router, which has the capability to stream the internet traffic from different points into a pcap file. Usually you start and stop the recording from the web interface and just save the file, which you can use offline with any other application.

I installed ntopng and I have integrated suricata with it. The guys from ntopng made a script which is able to start the streaming of the Fritz!BOX to feed ntopng, so effectively you can do a live capture even if the router doesn’t have a monitor port. Now, my idea was to use the same script to feed suricata since it already provides all the necessary actions: login to the router, selecting the interface and starting the stream. And here is where I stopped.

I tried (not sure if correctly, because I am not good at scripting) to… send the pcap streaming by “piping” it into suricata with some “-r” or other option, which seems to work (in the form of a command sequence), but suricata tells me that it fails to init the pcap file. Can it read a “pcap streaming in a not closed file”? I am not sure if I have made myself clear because I am not a professional on this, but eventually I’ll try better and with more information. :slight_smile:

Thank you!

Sounds like Suricata dislikes reading open files, and the file is probably open if it is being continually written to. If that is the case then perhaps it would be easier to batch the files into, let’s say, 10min segments and let Suricata read the complete files.

1 Like

The file always looks open to me too, as the size doesn’t grow either. Your suggestion is probably the only way at this point, thank you.
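An added example, not from this thread or from the Suricata or ntopng projects, of the segmenting approach suggested above: it reads the never-closed pcap stream, copies the 24-byte global header into every segment, cuts a new segment every 600 s of packet time, and drops any trailing partial packet, so each segment is a complete file Suricata can read with -r. It assumes the router emits classic libpcap (not pcapng) and that the stream is handed in as a file-like object (for instance the stdout of the ntopng script); file names and the sample packets are constructed here.

```python
import io
import os
import struct

# pcap magic as read little-endian from the first 4 bytes -> byte order of all headers
_MAGIC_ENDIAN = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}

def split_pcap_stream(stream, segment_seconds=600):
    """Yield complete pcap files (global header + ~segment_seconds of packets)
    cut from a pcap byte stream that may never be closed."""
    ghdr = stream.read(24)
    if len(ghdr) < 24:
        raise ValueError("truncated pcap global header")
    endian = _MAGIC_ENDIAN.get(struct.unpack("<I", ghdr[:4])[0])
    if endian is None:
        raise ValueError("not a pcap stream (unknown magic)")
    segment, seg_start = bytearray(ghdr), None
    while True:
        phdr = stream.read(16)                   # per-packet record header
        if len(phdr) < 16:
            break                                # stream ended or cut mid-header
        ts_sec, _frac, incl_len, _orig = struct.unpack(endian + "IIII", phdr)
        data = stream.read(incl_len)
        if len(data) < incl_len:
            break                                # partial packet: drop it, keep segment valid
        if seg_start is None:
            seg_start = ts_sec
        elif ts_sec - seg_start >= segment_seconds:
            yield bytes(segment)                 # close the segment before this packet
            segment, seg_start = bytearray(ghdr), ts_sec
        segment += phdr + data
    if len(segment) > 24:
        yield bytes(segment)                     # flush the last, shorter segment

def write_segments(stream, out_dir, segment_seconds=600):
    """Write each segment to out_dir as seg_NNNN.pcap (constructed naming) and return the paths."""
    paths = []
    for i, seg in enumerate(split_pcap_stream(stream, segment_seconds)):
        path = os.path.join(out_dir, f"seg_{i:04d}.pcap")
        with open(path, "wb") as f:
            f.write(seg)
        paths.append(path)
    return paths

def sample_stream():
    """Constructed input: little-endian pcap, linktype 1, packets at t=0, 100 and 700 s."""
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    pkts = b"".join(struct.pack("<IIII", t, 0, 4, 4) + b"\xde\xad\xbe\xef" for t in (0, 100, 700))
    return io.BytesIO(ghdr + pkts)
```

Run Suricata with -r against each finished segment file (or against the output directory); since each segment has its own global header, nothing is open while Suricata reads it.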