PCAP output file issue

rahul · September 4, 2024, 12:28pm

Please include the following information with your help request:

Suricata version-7.0

Operating system- ubuntu
installed using package

i have enabled pcap output in suricata.
but multiple pcap files are generating.
is it possible to have one pcap file for each day?
that is, at the end of the month, 30 or 31 pcap files should be there.

Jeff_Lucovsky · September 4, 2024, 12:33pm

Are you using the pcap-log section?

If so, pcap files created by suricata have a size and count restriction. You could use logrotate to combine each day’s files into a daily digest (using mergecap)

rahul · September 5, 2024, 11:21am

there is a compression option in suricata.yml (lz4) , and i enabled it.
now new pcap files are generating (max_size is 1GB and file limit is 5)
with .lz4 extension, with size reaching upto 1GB

Topic		Replies	Views
Suricata crashes when suricata.yaml setting max-file to 1 in pcap-log config Help suricata	4	331	September 13, 2023
File handles generated by the pcap-log module are not broken Help suricata	0	93	March 26, 2024
Suricata exits with errors when running with -r and --pcap-file-continuous Help suricata , pcaps	2	326	January 19, 2024
Use suricata to replay pcap file without any output Help	4	680	August 4, 2021
Suricata can't parse http packet Help	2	703	January 23, 2022

PCAP output file issue

Related topics