Suricata exits with errors when running with -r and --pcap-file-continuous

Hello,

I would like to let Suricata analyze pcap files created by another tool on a local folder.
When I use the command

suricata -c /etc/suricata/suricata.yaml -r ~/pcaps --pcap-file-continuous --pcap-file-delete -vvv

Suricata starts scanning the folder, but after a couple of seconds it crashes with the following message:

Error: threads: thread "FM#01" failed to start in time: flags 0003 [TmThreadWaitOnThreadRunning:tm-threads.c:1830]

I’m running Ubuntu 22.04 and I’ve tried both version 7.0.2 from Ubuntu repositories and version 8.0.0-dev compiled from source, but the result is the same. If I remove the --pcap-file-continuous option from the command, Suricata scans the directory once, evaluates the pcaps inside that dir and exits without any error, so I think that the problem could be related to that option.

The only workaround I found so far is to make a cronjob to schedule Suricata to perform a single scan of the pcap folder, but I would like to have a more reliable solution.

Can you give me any hint?
Thanks!

Hi Alessandro, welcome!

I’ve tried to replicate your setup:

suricata -r /tmp/pcaps/ --pcap-file-continuous --pcap-file-delete -vvvv

and, indeed, on Suri 7.0.2, I get the same result:

Info: pcap: Processing pcaps directory /tmp/pcaps/, files must be newer than 0 and older than 1705604840362 [PcapDirectoryDispatch:source-pcap-file-directory-helper.c:497]
Info: pcap: Processing pcaps directory /tmp/pcaps/, files must be newer than 0 and older than 1705604845362 [PcapDirectoryDispatch:source-pcap-file-directory-helper.c:497]
Info: pcap: Processing pcaps directory /tmp/pcaps/, files must be newer than 0 and older than 1705604850363 [PcapDirectoryDispatch:source-pcap-file-directory-helper.c:497]
Error: threads: thread "FM#01" failed to start in time: flags 0003 [TmThreadWaitOnThreadRunning:tm-threads.c:1832]

I’ll let others make the judgement but indeed it looks like a bug that we’ll need to take care of.
Thanks for reporting that.

Hi Lukas,

thanks for your reply. Yesterday I made some further tests; I started Suricata making it listen on a Unix socket with the following command:

suricata -c ~/suricata_tests/suricata.yaml -l ~/suricata_tests/logs --unix-socket=custom.socket -vvvv

After that, I used suricatasc to connect to the Unix socket and I sent the command:

pcap-file-continuous /home/st5/pcaps .

Suricata then started polling the directory for pcap files without crashing. Hence, I think that the problem could be related to the bootstrap procedure when using the --pcap-file-continuous parameter.
Hope that this can help in finding a solution to a possible bug.
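The workaround in the last post (start Suricata with --unix-socket, then hand it the pcap directory over the socket) can be scripted without suricatasc by speaking the socket protocol directly. The client below is an added example, not code from the thread or from the Suricata project. The wire format it implements (a `{"version": "0.2"}` handshake, then `{"command": ..., "arguments": {...}}` objects, with JSON replies carrying a `return` field and a trailing newline) and the argument names `filename`, `output-dir`, `continuous` and `delete-when-done` are my understanding of what suricatasc sends and are assumptions here, not facts taken from the thread. `FakeSuricataSocket` is a constructed stand-in so the exchange can be run offline; against a real instance you would point `submit_pcap_directory` at the socket path given to --unix-socket.

```python
"""Minimal client for Suricata's unix-socket command channel, used to submit a
pcap directory the way the thread's workaround does with suricatasc.

Protocol details (version handshake, command/argument JSON, newline-terminated
replies, argument names) are ASSUMPTIONS modelled on suricatasc, not taken from
the thread. The fake server at the bottom is constructed for offline testing.
"""
import json
import os
import socket
import tempfile
import threading

PROTOCOL_VERSION = "0.2"  # assumed: the version string suricatasc announces


class SuricataSocketClient:
    """Speaks the (assumed) suricatasc JSON protocol over an AF_UNIX socket."""

    def __init__(self, path, timeout=10.0):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(timeout)
        self.sock.connect(path)

    def _send_json(self, obj):
        self.sock.sendall(json.dumps(obj).encode("utf-8"))

    def _recv_json(self):
        # A reply may span several recv() calls; keep reading until it parses.
        buf = b""
        while True:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("socket closed before a complete reply")
            buf += chunk
            try:
                return json.loads(buf.decode("utf-8"))
            except ValueError:
                continue

    def handshake(self):
        self._send_json({"version": PROTOCOL_VERSION})
        reply = self._recv_json()
        if reply.get("return") != "OK":
            raise RuntimeError(f"version handshake rejected: {reply}")
        return reply

    def command(self, name, arguments=None):
        msg = {"command": name}
        if arguments:
            msg["arguments"] = arguments
        self._send_json(msg)
        return self._recv_json()

    def pcap_file_continuous(self, directory, output_dir, delete_when_done=False):
        # Mirrors "pcap-file-continuous <dir> <output-dir>" from suricatasc (assumed keys).
        return self.command("pcap-file-continuous", {
            "filename": directory,
            "output-dir": output_dir,
            "continuous": True,
            "delete-when-done": delete_when_done,
        })

    def close(self):
        self.sock.close()


def submit_pcap_directory(socket_path, pcap_dir, output_dir, delete_when_done=False):
    """Connect, handshake, submit the directory, and return Suricata's reply."""
    client = SuricataSocketClient(socket_path)
    try:
        client.handshake()
        return client.pcap_file_continuous(pcap_dir, output_dir, delete_when_done)
    finally:
        client.close()


class FakeSuricataSocket:
    """Constructed stand-in for Suricata's unix manager: accepts one client,
    answers the handshake, acknowledges pcap-file-continuous and records
    every message it received. Small messages are assumed to arrive whole."""

    def __init__(self, path):
        self.received = []
        self.srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.srv.bind(path)
        self.srv.listen(1)
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        conn, _ = self.srv.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    return
                msg = json.loads(data.decode("utf-8"))
                self.received.append(msg)
                if "version" in msg:
                    reply = {"return": "OK" if msg["version"] == PROTOCOL_VERSION else "NOK"}
                elif msg.get("command") == "pcap-file-continuous":
                    reply = {"return": "OK", "message": "Successfully added file to list"}
                else:
                    reply = {"return": "NOK", "message": "Unknown command"}
                conn.sendall((json.dumps(reply) + "\n").encode("utf-8"))


def demo():
    """Run the client against the fake server; returns (reply, messages seen by server)."""
    path = os.path.join(tempfile.mkdtemp(), "custom.socket")
    fake = FakeSuricataSocket(path)
    reply = submit_pcap_directory(path, "/home/st5/pcaps", ".", delete_when_done=True)
    fake.thread.join(timeout=5)
    fake.srv.close()
    os.unlink(path)
    return reply, fake.received


if __name__ == "__main__":
    print(demo())
```

Because the client refuses to send any command until the handshake returns `OK`, a version mismatch surfaces as an exception instead of a silently ignored command; the same `submit_pcap_directory` call can be wrapped in a loop that waits for the socket file to appear after Suricata starts.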