How to use the pcap Log

FH089 · December 27, 2020, 9:37am

Hello Together

What is the best way to use the Pcap logs? How do I find out in which Pcap log contains the packets for an alert?
I use Suricata 5.0.4_1 on Pfsense

I am new to Suricata

thanks and best regards

ish · December 29, 2020, 3:09pm

There is no way at this time to easily jump from an alert to its location in a pcap. The features, mainly the pcap logging features is quite independent of the other features and is more a feature to remove the requirement of needing another tool to perform pcap logging to disk.

You’d still need to take the 5 tuple and timestamp from an alert and search your pcaps.

idarlund · January 30, 2023, 4:38pm

Sorry for bumping such an old thread.
Where can these logged pcaps be found? Are they available to be downloaded from the pfsense web gui, or do I have to get them trough ssh?

bmeeks · January 31, 2023, 2:05pm

The Suricata package used on pfSense is unique to pfSense. Questions about the use of that package and its GUI interface should be posted on the Netgate IDS/IPS sub-forum here: https://forum.netgate.com/category/53/ids-ips.

Topic		Replies	Views
How to log alert into a pcap Help	4	690	July 18, 2023
Which packets triggering the alerts that fired by a bunch of pcaps Help	1	166	July 13, 2023
How to find out which packets triggering the alert Help	2	884	December 13, 2021
Conditional PCAP may not log packets for all alerts	1	484	April 29, 2023
Conditional pcap-log fails to log packets for some alerts when using "pcap-file-continuous" flag Help suricata	7	839	July 31, 2023

How to use the pcap Log

Related Topics