Hi Guys,
I’m experiencing some issues when reading pcaps from stdin. I’m quite sure this was possible in Suricata 7.0.8 and stopped working in Suricata 8.
I have seen at least the following errors in the logs (2 different pcaps):
- [1339269 - W#01] 2025-09-15 11:53:39 Error: pcap: failed to get first packet timestamp. pcap_next_ex(): -1
- [1339611 - W#01] 2025-09-15 11:58:12 Error: pcap: error code -1 invalid packet capture length 745042785, bigger than snaplen of 65535 for /dev/stdin
I have a gut feeling it has something to do with the implementation of the “HAVE_SETVBUF” patches that are implemented in Suricata 8, but I cannot put my finger on the exact issue.
To reproduce you can easily run suricata on any stdin stream:
tcpdump -nr test.pcap -w - | /usr/bin/suricata -r /dev/stdin
Hope this makes more sense for you guys than it did for me, and it can be fixed in a future Suricata release.
Kind regards,
Wesley
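To check the producer side of the pipe independently of Suricata, the following added example (not part of the original post and not Suricata code) reads a classic pcap stream strictly sequentially, as from a pipe, and reports the first record whose capture length exceeds the snaplen in the global header. The function names and the sample stream are constructed for illustration; pcapng input is not handled.

```python
import io
import struct
import sys

# Classic pcap magics, keyed by the value seen when read little-endian.
MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">",   # microsecond timestamps
          0xA1B23C4D: "<", 0x4D3CB2A1: ">"}   # nanosecond timestamps

def read_exact(stream, n):
    """Read exactly n bytes from a non-seekable stream; a short result means EOF."""
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def check_pcap_stream(stream):
    """Return (packets_ok, problem); problem is None when the stream is clean."""
    hdr = read_exact(stream, 24)                  # global header is 24 bytes
    if len(hdr) < 24:
        return 0, "truncated global header"
    endian = MAGICS.get(struct.unpack("<I", hdr[:4])[0])
    if endian is None:
        return 0, "bad magic: not a classic pcap stream"
    snaplen = struct.unpack(endian + "I", hdr[16:20])[0]
    count = 0
    while True:
        rec = read_exact(stream, 16)              # ts_sec, ts_frac, caplen, origlen
        if not rec:
            return count, None                    # clean EOF on a record boundary
        if len(rec) < 16:
            return count, "truncated record header after packet %d" % count
        caplen = struct.unpack(endian + "I", rec[8:12])[0]
        if caplen > snaplen:
            return count, "packet %d: caplen %d > snaplen %d" % (count + 1, caplen, snaplen)
        if len(read_exact(stream, caplen)) < caplen:
            return count, "packet %d: truncated packet data" % (count + 1)
        count += 1

def build_sample(caplens, snaplen=65535):
    """Constructed sample: little-endian pcap bytes with zero-filled packets."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for n in caplens:                             # oversized records get no payload
        out += struct.pack("<IIII", 0, 0, n, n) + b"\x00" * (n if n <= snaplen else 0)
    return out

if __name__ == "__main__":
    # With no pipe attached, fall back to the constructed sample.
    src = io.BytesIO(build_sample([60, 745042785])) if sys.stdin.isatty() else sys.stdin.buffer
    print(check_pcap_stream(src))
```

Saved under a hypothetical name such as `check_pcap.py`, it can take the place of Suricata at the end of the same pipe: `tcpdump -nr test.pcap -w - | python3 check_pcap.py`.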