Hi
I am using this pcap
https://www.malware-traffic-analysis.net/2021/07/14/
I am downloading GitHub - scottfgjordan/suricata at pcap-conditional-v2.2.13
as a zip, because git clone does not work; it downloads Suricata 6.0.4.
I configure and make Suricata.
In suricata.yaml, I am setting pcap-log: enabled to yes and conditional: alerts.
It generates a pcap.
But see the difference:
original pcap HTTP in Wireshark (attached pic)
Now see in the log.pcap that is formed.
There are more packets than in the original, and the Info section doesn't contain information which was present in the original.
Also, in the previous version of pcap-conditional v2.2, the packet numbers were the same as the original but the Info section of Wireshark was truncated.
I want it to be the same as the original pcap for all alert packets.
This function is from Suricata 7.0.0-dev.
Thanks
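As an added example (not code from the post, nor from Suricata or the pcap-conditional branch), here is a small Python check for the comparison done above by eye in Wireshark: it reads two classic libpcap files, which is the format pcap-log writes, and counts how many records, keyed by timestamp and raw packet bytes, appear in only one of them, so duplicated or missing alert packets show up as numbers rather than as a scrolled packet list. The sample packets are constructed and the (timestamp, bytes) key is an assumption about what "same as the original" should mean.

```python
import struct
from collections import Counter

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"  # classic libpcap, little-endian, microsecond timestamps
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"

def read_pcap(data: bytes):
    """Yield (ts_sec, ts_usec, packet_bytes) from a classic libpcap file (pcapng is rejected)."""
    if data[:4] == PCAP_MAGIC_LE:
        end = "<"
    elif data[:4] == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec, ts_usec, data[offset:offset + incl_len]
        offset += incl_len

def compare_pcaps(original: bytes, logged: bytes) -> dict:
    """Count packets per file and records present in only one of them. Duplicates written by
    the logger land in only_in_logged; alert packets it dropped land in only_in_original."""
    orig = Counter(read_pcap(original))
    log = Counter(read_pcap(logged))
    return {
        "original": sum(orig.values()),
        "logged": sum(log.values()),
        "only_in_original": sum((orig - log).values()),
        "only_in_logged": sum((log - orig).values()),
    }

def make_pcap(records) -> bytes:
    """Build a little-endian classic pcap (linktype 1) from (ts_sec, ts_usec, bytes); sample data only."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts_sec, ts_usec, pkt in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(pkt), len(pkt)) + pkt
    return out

# Constructed sample data, not the traffic from the post: the "logged" file repeats one
# packet, drops one, and contains a packet that was never in the original.
ORIGINAL = make_pcap([(1, 0, b"A" * 60), (1, 500, b"B" * 60), (2, 0, b"C" * 60)])
LOGGED = make_pcap([(1, 0, b"A" * 60), (1, 0, b"A" * 60), (2, 0, b"C" * 60), (3, 0, b"D" * 60)])

if __name__ == "__main__":
    print(compare_pcaps(ORIGINAL, LOGGED))
```

Run it on real files with `compare_pcaps(open("original.pcap", "rb").read(), open("log.pcap", "rb").read())`; if Wireshark saved either file as pcapng, convert it to classic pcap first.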