Hi, I am running two Suricatas.
One is running with an af-packet configuration and the other with a Napatech configuration.
Also, while Suricata is running, pcap files are being dumped with tshark at the same time.
In the case of af-packet, pcap files can be dumped without any special configuration.
For Napatech, it was not possible to dump the pcap file with tshark.
According to the link below, Suricata supports the Napatech API, so that other applications can use Napatech's libpcap.
https://suricata.readthedocs.io/en/suricata-5.0.0/capture-hardware/napatech.html?highlight=pcap#package-installation
My question is: if I want Suricata to use the Napatech API, not libpcap, do I need any configuration, and how do I configure it?
- Installation of Napatech & Suricata was done as in the link below.
https://suricata.readthedocs.io/en/suricata-4.0.1/capture-hardware/napatech.html
Many thanks.
Napatech provides the capture and capfileconvert programs: (1) capture records network traffic to a proprietary formatted file, (2) which capfileconvert can then convert into a pcap file.
Are you trying to capture pcaps while Suricata is executing, using Suricata itself, or will a stand-aside solution using capture and then, later, capfileconvert be sufficient?
I want to use tshark because I need to capture pcaps using a BPF filter, time duration, file size, etc.
If I can dump a pcap with Suricata and set such limits, I can use Suricata.
And I want to know, as I asked at the beginning, whether Suricata uses the Napatech API when I install it with default settings.
Suricata uses the non-PCAP Napatech interface to retrieve packets from the Napatech streams. Napatech can be used in "native" or "pcap" mode (these are not the actual names, but the point is that the Napatech interface is modal).
Thus, tshark or an equivalent can't be used directly to retrieve packets while Suricata is also retrieving packets from the Napatech streams.
That's why I suggested using capture and capfileconvert. You could set up a pipeline that creates pcap format files and then apply your BPF filtering, duration limits, etc.
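The pipeline suggested above ends with pcap files that still need the limits tshark would normally enforce at capture time (-b duration:N, -b filesize:N). As an added example that is not part of this thread and not code from Suricata, Napatech or Wireshark, the script below parses a classic pcap file and re-splits it into ring-buffer-style files by time span and by size, the same two rotation rules tshark applies. It assumes the pcap files have already been produced (for example by capfileconvert) and constructs its own sample input; the BPF filtering step is left to an existing tool such as `tcpdump -r in.pcap -w out.pcap '<bpf>'` and is deliberately not reimplemented here.

```python
import struct

# Classic libpcap file format (not pcapng). Global header: magic, major, minor,
# thiszone, sigfigs, snaplen, linktype. Record header: ts_sec, ts_frac, incl_len, orig_len.
PCAP_GLOBAL_HDR = struct.Struct("<IHHiIII")
MAGIC_USEC = 0xA1B2C3D4   # microsecond timestamps
MAGIC_NSEC = 0xA1B23C4D   # nanosecond timestamps
GLOBAL_HDR_LEN = 24
REC_HDR_LEN = 16


def parse_pcap(data: bytes):
    """Parse a classic pcap file into (global_header_bytes, [(ts_seconds, record_bytes), ...]).

    record_bytes is the 16-byte record header plus the captured bytes, kept verbatim so
    it can be copied straight into an output file. Both byte orders and the nanosecond
    magic are handled; a truncated record raises instead of being silently dropped.
    """
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("truncated pcap global header")
    for order in ("<", ">"):
        magic = struct.unpack_from(order + "I", data, 0)[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    frac_div = 1e9 if magic == MAGIC_NSEC else 1e6
    rec_hdr = struct.Struct(order + "IIII")
    records = []
    off = GLOBAL_HDR_LEN
    while off + REC_HDR_LEN <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = rec_hdr.unpack_from(data, off)
        end = off + REC_HDR_LEN + incl_len
        if end > len(data):
            raise ValueError("truncated packet record at offset %d" % off)
        records.append((ts_sec + ts_frac / frac_div, data[off:end]))
        off = end
    return data[:GLOBAL_HDR_LEN], records


def rotate_pcap(data: bytes, max_duration=None, max_bytes=None):
    """Split one pcap into several, mirroring tshark's '-b duration:N' and '-b filesize:N'.

    A new output file is started when the next packet would make the current file span
    max_duration seconds or more, or exceed max_bytes in size. Every output file gets a
    copy of the input's global header. Returns the output files as a list of bytes.
    """
    header, records = parse_pcap(data)
    outputs, cur, cur_size, cur_start = [], [], len(header), None
    for ts, rec in records:
        if cur:
            over_time = max_duration is not None and ts - cur_start >= max_duration
            over_size = max_bytes is not None and cur_size + len(rec) > max_bytes
            if over_time or over_size:
                outputs.append(header + b"".join(cur))
                cur, cur_size = [], len(header)
        if not cur:
            cur_start = ts
        cur.append(rec)
        cur_size += len(rec)
    if cur:
        outputs.append(header + b"".join(cur))
    return outputs


def build_sample_pcap(n_packets=10, spacing=0.5, payload_len=60):
    """Constructed test input (not real traffic): n_packets dummy frames, one every
    `spacing` seconds, each `payload_len` bytes of filler, linktype 1 (Ethernet)."""
    out = PCAP_GLOBAL_HDR.pack(MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    base = 1_700_000_000
    for i in range(n_packets):
        t = base + i * spacing
        sec = int(t)
        usec = int(round((t - sec) * 1e6))
        pkt = bytes([i % 256]) * payload_len
        out += struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt
    return out


if __name__ == "__main__":
    sample = build_sample_pcap()
    for name, files in (("by duration (2 s)", rotate_pcap(sample, max_duration=2.0)),
                        ("by size (252 bytes)", rotate_pcap(sample, max_bytes=252))):
        print(name, [len(parse_pcap(f)[1]) for f in files], "packets per file")
```

Each output file is a valid pcap on its own, so tcpdump or tshark can read it afterwards; reading all files back and concatenating their records reproduces the input, which is the property to check after any such re-splitting step.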