How to create or edit a *.pcap file to test Suricata?

I want to create a pcap file myself to test the system, but I don’t know how to create or edit a pcap file that has been recorded by tcpdump, so I am asking here.

Hello!

I am not familiar with the process of editing pcaps.
But I know of some tools that might help you:

  • Scapy allows one to create pcaps from scratch: https://scapy.net/
    (maybe it’s also possible to edit existing pcaps with that, but I’m unaware)
  • There’s also this, for editing (I have never used it): Tshark | Edit Pcap

Hope that helps!
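Alongside the Scapy suggestion above, here is an added example (not from this thread) that builds a pcap from scratch with only the Python standard library, so the file format itself is visible: it emits a classic libpcap header, then a constructed TCP three-way handshake carrying one HTTP request, with correct IPv4 and TCP checksums, and reads the file back to confirm it parses. The addresses, MACs, ports and request line are all constructed sample values.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, shared by the IPv4 header and the TCP pseudo-header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with valid checksums (constructed locally administered MACs)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return b"\x02\x00\x00\x00\x00\x02\x02\x00\x00\x00\x00\x01\x08\x00" + ip + tcp

def write_pcap(path, frames, t0=1700000000.0):
    """Classic libpcap: 24-byte global header (magic, v2.4, linktype 1 = Ethernet), then per frame
    a 16-byte record header (ts_sec, ts_usec, caplen, origlen) followed by the raw bytes."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            ts = t0 + i * 0.001  # frames 1 ms apart, well inside any flow timeout
            f.write(struct.pack("<IIII", int(ts), int(ts % 1 * 1e6), len(frame), len(frame)))
            f.write(frame)

def read_pcap(path):
    """Parse a file written above back into (linktype, [frames]) to confirm it is well-formed."""
    with open(path, "rb") as f:
        magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", f.read(24))
        assert magic == 0xA1B2C3D4, "not a little-endian classic pcap"
        frames = []
        while hdr := f.read(16):
            frames.append(f.read(struct.unpack("<IIII", hdr)[2]))
    return linktype, frames

def http_session_frames(request=b"GET /index.html HTTP/1.1\r\nHost: test.local\r\n\r\n"):
    """Constructed handshake plus one HTTP request between RFC 5737 documentation addresses."""
    c, s = "192.0.2.10", "198.51.100.20"
    SYN, SYNACK, ACK, PSHACK = 0x02, 0x12, 0x10, 0x18
    return [tcp_frame(c, s, 40000, 80, 1000, 0, SYN), tcp_frame(s, c, 80, 40000, 5000, 1001, SYNACK),
            tcp_frame(c, s, 40000, 80, 1001, 5001, ACK), tcp_frame(c, s, 40000, 80, 1001, 5001, PSHACK, request),
            tcp_frame(s, c, 80, 40000, 5001, 1001 + len(request), ACK)]
```

Calling write_pcap("http-test.pcap", http_session_frames()) produces a file you can hand to suricata -r; because the handshake is complete and the checksums are valid, the sensor tracks it as an established flow rather than dropping it as a midstream pickup.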

Depending on what you’re trying to create in a pcap, one alternative is to create a simple web server (in Python) and then capture traffic with tcpdump -i lo0 (or similar) while interacting with the web server using curl or wget.

# python 3 server example
from http.server import BaseHTTPRequestHandler, HTTPServer

hostName = "localhost"
serverPort = 8080

class MyServer(BaseHTTPRequestHandler):
    # Answer every GET with a small HTML page that echoes the requested path,
    # so each curl/wget call produces a distinct request/response pair in the capture.
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-type", "text/html")
        self.end_headers()
        self.wfile.write(bytes("<html><head><title>https://pythonbasics.org</title></head>", "utf-8"))
        self.wfile.write(bytes("<body>", "utf-8"))
        self.wfile.write(bytes("<p>Request: %s</p>" % self.path, "utf-8"))
        self.wfile.write(bytes("<p>This is an example web server.</p>", "utf-8"))
        self.wfile.write(bytes("</body></html>", "utf-8"))

if __name__ == "__main__":
    webServer = HTTPServer((hostName, serverPort), MyServer)
    print("Server started http://%s:%s" % (hostName, serverPort))

    try:
        webServer.serve_forever()  # run until Ctrl-C while tcpdump captures the traffic
    except KeyboardInterrupt:
        pass

    webServer.server_close()

OK, thanks, I know this way. This method is more difficult for constructing special test scenarios. Thanks for your support! I want to construct special test scenarios to test Suricata, but I don’t know how to construct the *.pcap file.

Thanks for the help! Currently learning Scapy, I will learn Tshark.
How is the pcap file of suricata-verify constructed?


You’re welcome! 🙂

Some suricata-verify tests will have a README file indicating the source of the pcap used.
Some have been created with Scapy, some are from public wikis like the Wireshark wiki, some are the result of running a local server and capturing the traffic, some have been shared in bug reports…

Suricata-verify will only require that you provide a valid pcap file.

Does this answer your question?

There is also flowsynth (GitHub - secureworks/flowsynth: a network packet capture compiler), a Python tool to help create pcap files based on a configuration file.

For example, in the test suricata-verify/tests/ftp/ftp-too-long-command-first at master · OISF/suricata-verify · GitHub, you’ll see an ftp-too-long-command.syn that is used as input to flowsynth, and it generates the pcap that can be found in the same directory.


Yes, thanks! I’m QA and want to contribute to suricata-verify or Suricata. How do I get started?

Hi,
I think the following can serve as a good starting point. It has almost all the basic guidelines and reference links:
Getting Started Contributing to Suricata


You beat me to it 😛


Yes thanks, this tool solved my problem. What standard is the synfile edited according to?

I don’t think there is one. It is its own format. I’d just say add comments so someone else can follow along later. As can be seen from the repo, we don’t use it often. It just fit that ftp test case very well, so I used it.
