Suricata cannot read tshark pcap file

When I use Suricata in PCAP mode, a pcap file that was originally written by tshark cannot be read. The following is the error at runtime:

18/3/2021 -- 10:29:16 - <Notice> - This is Suricata version 6.0.1 RELEASE running in USER mode
18/3/2021 -- 10:29:26 - <Error> - [ERRCODE: SC_ERR_UNIMPLEMENTED(88)] - datalink type 239 not (yet) supported in module PcapFile.
18/3/2021 -- 10:29:26 - <Warning> - [ERRCODE: SC_ERR_PCAP_DISPATCH(20)] - Failed to init pcap file /Volumes/APFS TOSHIBA/Tor Router/20210318/capturefile_00282_20210317191528.pcap, skipping
18/3/2021 -- 10:29:26 - <Notice> - all 5 packet processing threads, 4 management threads initialized, engine started.
18/3/2021 -- 10:29:26 - <Error> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - pcap file reader thread failed to initialize
18/3/2021 -- 10:29:26 - <Notice> - Signal Received.  Stopping engine.

This problem has troubled me for a long time, and I still haven't figured out what's wrong.
Please help me, thanks a lot!

Hi,

Try editing the pcap like this, then run Suricata with the output file, capturefile.pcap:

editcap -F pcap -T ether "/Volumes/APFS TOSHIBA/Tor Router/20210318/capturefile_00282_20210317191528.pcap" "/Volumes/APFS TOSHIBA/Tor Router/20210318/capturefile.pcap"

NOTE: editcap is part of Wireshark.

regards

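An added check and wrapper for readers who hit the same error; this is editor-supplied example code, not part of the thread, and the function names are the editor's own. Datalink type 239 in the error above is LINKTYPE_NFLOG (Linux netfilter log records, which carry no Ethernet header), and the message "not (yet) supported in module PcapFile" means Suricata 6.0.1's pcap-file reader accepts only link types its decoder knows. The script reads the link type straight from a classic libpcap global header, so you can tell before starting Suricata whether a conversion is needed, and wraps the editcap call from the answer with both paths quoted. It assumes a POSIX shell with od, and editcap on PATH only for the conversion step. One caveat from the editcap man page: -T changes only the encapsulation recorded in the output file and does not rewrite the packet bytes, so after converting an NFLOG capture this way, open the result in tshark and confirm the frames still decode sensibly.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are the editor's own.

# pcap_linktype: print the link-layer type stored in a classic libpcap
# (.pcap) global header. Returns 1 for pcapng or unrecognised files.
pcap_linktype() {
    file=$1
    # First four bytes: file magic. It also tells us the file's byte order.
    magic=$(od -An -tx1 -N4 "$file" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|4d3cb2a1) order=le ;;   # little-endian, usec / nsec timestamps
        a1b2c3d4|a1b23c4d) order=be ;;   # big-endian
        0a0d0d0a)
            # pcapng keeps one link type per interface block; let Wireshark read it.
            echo "$file: pcapng file, use 'capinfos -E' to see its encapsulation" >&2
            return 1 ;;
        *)
            echo "$file: not a libpcap capture (magic $magic)" >&2
            return 1 ;;
    esac
    # Bytes 20..23 of the 24-byte global header hold the link type. Read them
    # one byte at a time so the host's byte order cannot get in the way.
    set -- $(od -An -tu1 -j20 -N4 "$file")
    [ $# -eq 4 ] || { echo "$file: truncated header" >&2; return 1; }
    if [ "$order" = le ]; then
        echo $(( $1 | $2 << 8 | $3 << 16 | $4 << 24 ))
    else
        echo $(( $4 | $3 << 8 | $2 << 16 | $1 << 24 ))
    fi
}

# to_ethernet_pcap: the fix from the answer, with both paths quoted because the
# original paths contain spaces. Requires editcap (ships with Wireshark).
# -T only changes the encapsulation declared in the output file; the packet
# bytes are copied unchanged.
to_ethernet_pcap() {
    editcap -F pcap -T ether "$1" "$2"
}

# Usage: sh check_pcap.sh <capture> [converted.pcap]
# With one argument, report the link type; with two, also convert when the
# capture is not already Ethernet (link type 1).
if [ $# -ge 1 ]; then
    lt=$(pcap_linktype "$1") || exit 1
    echo "$1: link type $lt"
    if [ "$lt" -ne 1 ] && [ -n "$2" ]; then
        to_ethernet_pcap "$1" "$2"
    fi
fi
```

Run it as `sh check_pcap.sh "/Volumes/APFS TOSHIBA/Tor Router/20210318/capturefile_00282_20210317191528.pcap" "/Volumes/APFS TOSHIBA/Tor Router/20210318/capturefile.pcap"`. Note that tshark writes pcapng by default; libpcap (and therefore Suricata) can read single-interface pcapng files, so the same "datalink type 239" error can come from a pcapng capture, and for those the script defers to capinfos rather than guessing.
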
It works, Thanks a lot!!!