Suricata and pcap files

Hello guys, I’m trying to send packets from my Mikrotik router to Suricata via Packet Sniffer; it sends them in pcap format. But looking at eve.json, it doesn’t capture any traffic, just something other than the internet network, but only that. Do I have to activate something for it to read the packets coming in pcap?

Hi,

Are you trying to read pcap files from the file system? If so, use suricata -r [path to file].
If you are using TZSP to send the traffic to another machine (sniffer with streaming-server set), then you need a tool to create data Suricata can parse from the TZSP stream.

Quick finds on google:

http://www.mikrotik.com/download/trafr.tgz

Hello, I didn’t quite understand. Do I have to run this file on Suricata? And on Mikrotik, instead of using Packet Sniffer, use TZSP?

Can you paste the command you are using to run Packet Sniffer?

In Mikrotik? I only activated it in the Tools > Packet Sniffer section.

And on which machine is Suricata running?

On a separate machine. On Mikrotik I pointed it to send the packets to the IP of the Suricata box, and on Suricata I configured it to listen on the X interface.

Have you tried running tcpdump on the interface receiving the traffic from the Mikrotik box?
Opening the pcap in wireshark could tell you if you are getting mirrored traffic on the interface.

Looking at https://wiki.mikrotik.com/wiki/Manual:Tools/Packet_Sniffer it seems like the only way to send the sniffed traffic is using TZSP (look at streaming-server). You will need something to decode the TZSP stream in front of Suricata if that’s the case.
Though I’m not familiar with Mikrotik so there could of course be some other way for it to send mirrored traffic.

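Both replies above say the TZSP stream has to be decoded before Suricata can parse it. As an added example (not from this thread, nor from Suricata or MikroTik), here is a minimal Python decoder: it strips the TZSP header from each UDP datagram, keeps only sniffed Ethernet frames, and writes them to a classic pcap that suricata -r can read. It assumes the default TZSP UDP port 37008 and Ethernet encapsulation; the sample datagrams at the bottom are constructed.

```python
import struct
TZSP_TYPE_RX, TZSP_ENCAP_ETHERNET = 0, 1   # "received" datagram carrying an Ethernet frame
TAG_PADDING, TAG_END = 0x00, 0x01          # padding has no length; END terminates the tag list

def parse_tzsp(datagram):
    """Return (type, encapsulation, tags, frame) for one TZSP datagram; ValueError if malformed."""
    try:
        version, ptype, encap = struct.unpack("!BBH", datagram[:4])
        tags, i = {}, 4
        while datagram[i] != TAG_END:          # IndexError here means the tag list never ended
            tag, i = datagram[i], i + 1
            if tag != TAG_PADDING:             # every other tag is a TLV: length byte, then data
                length = datagram[i]
                tags[tag] = datagram[i + 1:i + 1 + length]
                i += 1 + length
    except (struct.error, IndexError):
        raise ValueError("malformed TZSP datagram")
    if version != 1:
        raise ValueError("unsupported TZSP version %d" % version)
    return ptype, encap, tags, datagram[i + 1:]

def tzsp_to_frames(datagrams):
    """Keep only sniffed Ethernet frames; keepalives, other encapsulations and junk are dropped."""
    frames = []
    for d in datagrams:
        try:
            ptype, encap, _tags, frame = parse_tzsp(d)
        except ValueError:
            continue
        if ptype == TZSP_TYPE_RX and encap == TZSP_ENCAP_ETHERNET and frame:
            frames.append(frame)
    return frames

def build_pcap(frames, ts_sec):
    """Wrap Ethernet frames in a classic libpcap file (link type 1) that `suricata -r` can read."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header, little-endian
    for n, frame in enumerate(frames):                                  # n doubles as the usec field
        out += struct.pack("<IIII", ts_sec, n, len(frame), len(frame)) + frame
    return out

# Constructed sample: one sniffed 60-byte frame (placeholder MACs, IPv4 ethertype, zeroed payload)
SAMPLE_FRAME = bytes.fromhex("020000000001" "020000000002" "0800") + bytes(46)
SAMPLE_DATAGRAM = bytes([1, TZSP_TYPE_RX, 0, 1, TAG_PADDING, TAG_END]) + SAMPLE_FRAME
KEEPALIVE = bytes([1, 4, 0, 1, TAG_END])                                # type 4 = keepalive, no frame

if __name__ == "__main__":   # receive 100 datagrams on the default TZSP port and write them to a pcap
    import socket, time
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", 37008))
    with open("tzsp.pcap", "wb") as f:
        f.write(build_pcap(tzsp_to_frames(sock.recv(65535) for _ in range(100)), int(time.time())))
```

Run it on the Suricata host that streaming-server points at, then feed the result to Suricata with suricata -r tzsp.pcap.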