Suricata Error while processing PCAP

Shashwat_Adhikari · May 7, 2022, 7:18pm

Hi, I am trying to process a large pcap file (~30 GB), but it throws this error:

- [ERRCODE: SC_ERR_PCAP_OPEN_OFFLINE(26)] - failed to get first packet timestamp. pcap_next_ex(): -1

I was told this pcap file was merged from multiple small ones, I don’t know if that could create any problems.

suricatalfon · May 9, 2022, 5:00am

Hi,

It is possible that the pcap file has a problem because of what you mention. You can use to repair it:

pcapfix

Topic		Replies	Views
Getting errors trying to analyze pcap file in offline mode Help suricata	3	572	April 17, 2023
Suricata cannot read tshark pcap file	2	1371	March 18, 2021
ERRCODE: SC_ERR_PCAP_TRANSLATE(201) failed to find a pcap device for IP 192.2.5.8 Help	1	430	September 28, 2021
Suricata can't parse http packet Help	2	574	January 23, 2022
The file restoration function fails to restore the ftp pcap package Help file-extraction	19	381	August 11, 2023