When I use Suricata in PCAP mode, the pcap file originally from tshark cannot be read. The following is the error at runtime:
18/3/2021 -- 10:29:16 - <Notice> - This is Suricata version 6.0.1 RELEASE running in USER mode
18/3/2021 -- 10:29:26 - <Error> - [ERRCODE: SC_ERR_UNIMPLEMENTED(88)] - datalink type 239 not (yet) supported in module PcapFile.
18/3/2021 -- 10:29:26 - <Warning> - [ERRCODE: SC_ERR_PCAP_DISPATCH(20)] - Failed to init pcap file /Volumes/APFS TOSHIBA/Tor Router/20210318/capturefile_00282_20210317191528.pcap, skipping
18/3/2021 -- 10:29:26 - <Notice> - all 5 packet processing threads, 4 management threads initialized, engine started.
18/3/2021 -- 10:29:26 - <Error> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - pcap file reader thread failed to initialize
18/3/2021 -- 10:29:26 - <Notice> - Signal Received.  Stopping engine.
This problem has troubled me for a long time, and I still haven’t figured out what’s wrong.
Please help me, thanks a lot!