Suricata recursive traversal into subdirectories in PCAP offline mode doesn't work

Hey,

I have a PCAPs directory which has many subdirectories within it.

I try to run Suricata in PCAP offline mode with --pcap-file-recursive in order to read all the PCAPs within the subdirectories, but it seems Suricata only scans the PCAPs in the parent directory and ignores the subdirectories.

I run this command:
suricata -r pcaps --pcap-file-recursive -k none

For testing purposes, my pcaps directory consists of 1 PCAP and 1 directory with a PCAP inside it. When I run Suricata with the command above, it only reads 1 PCAP:

28/2/2023 -- 09:30:17 - - all 9 packet processing threads, 4 management threads initialized, engine started.
28/2/2023 -- 09:30:17 - - Starting directory run for pcaps
28/2/2023 -- 09:30:17 - - Processing pcaps directory pcaps, files must be newer than 0 and older than 18446744073709550616
28/2/2023 -- 09:30:17 - - Found "pcaps/dec.pcap" at 1662289543000
28/2/2023 -- 09:30:17 - - pcap file pcaps/dec.pcap end of file reached (pcap err code 0)
28/2/2023 -- 09:30:17 - - Processed file pcaps/dec.pcap, processed up to 1662289543000
28/2/2023 -- 09:30:17 - - Updating processed to 1662289543000
28/2/2023 -- 09:30:17 - - Directory run mode complete
28/2/2023 -- 09:30:17 - - Signal Received. Stopping engine.
28/2/2023 -- 09:30:17 - - 0 new flows, 0 established flows were timed out, 0 flows in closed state
28/2/2023 -- 09:30:17 - - time elapsed 0.124s
28/2/2023 -- 09:30:17 - - 2 flows processed
28/2/2023 -- 09:30:17 - - Pcap-file module read 1 files, 4 packets, 1424 bytes

My Suricata version is 6.0.6.

Hi, I can confirm that this seems to be broken, also with 6.0.10 and 7.0.0-rc1. See this Redmine ticket I created for tracking:

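Added workaround for the report above, not code from the Suricata project or from either post: since --pcap-file-recursive does not descend into subdirectories in the versions mentioned, a small POSIX shell script can do the traversal itself with find(1) and run a separate suricata -r over each capture file. The extensions matched (.pcap, .pcapng, .cap) and the per-file log layout under a LOGROOT directory are this script's own assumptions; it assumes a suricata binary on PATH and keeps the -k none from the original command.

```shell
#!/bin/sh
# Added workaround, not Suricata project code: enumerate capture files under a
# directory tree (recursing into subdirectories) and feed each one to its own
# "suricata -r" run. Assumes POSIX sh, find(1), and suricata on PATH.

# list_pcaps DIR: print every capture file under DIR, recursing into
# subdirectories, one path per line, sorted by path for a stable order.
# The set of extensions is an assumption; extend it for your naming scheme.
list_pcaps() {
    find "$1" -type f \( -name '*.pcap' -o -name '*.pcapng' -o -name '*.cap' \) \
        | LC_ALL=C sort
}

# count_pcaps DIR: number of capture files list_pcaps would return.
count_pcaps() {
    list_pcaps "$1" | wc -l | tr -d ' '
}

# logdir_for DIR LOGROOT FILE: per-file log directory under LOGROOT that
# mirrors FILE's path relative to DIR, so eve.json/fast.log from different
# captures never interleave.
logdir_for() {
    dir=$1
    logroot=$2
    f=$3
    rel=${f#"$dir"/}
    printf '%s/%s.logs\n' "$logroot" "$rel"
}

# run_suricata_recursive DIR LOGROOT: one Suricata run per capture file.
# Paths with spaces are fine (read -r, quoted expansions); paths containing
# newlines are not, which is acceptable for capture directories.
run_suricata_recursive() {
    dir=$1
    logroot=$2
    list_pcaps "$dir" | while IFS= read -r f; do
        logdir=$(logdir_for "$dir" "$logroot" "$f")
        mkdir -p "$logdir"
        echo "==> $f -> $logdir"
        # -k none: skip checksum verification, as in the original command;
        # -l: send this file's logs to its own directory.
        suricata -r "$f" -k none -l "$logdir" || echo "suricata failed on $f" >&2
    done
}

# Only act when invoked with arguments, e.g.:
#   sh run_pcaps.sh pcaps /tmp/suri-logs
if [ "$#" -ge 2 ]; then
    run_suricata_recursive "$1" "$2"
fi
```

Caveat: each file is processed by a fresh engine, so a flow whose packets are split across two capture files is not stitched together and any cross-file detection state is lost. If that matters, merge the tree first with Wireshark's mergecap, which orders packets by timestamp across inputs, and run a single Suricata over the result: `mergecap -w merged.pcapng $(list_pcaps pcaps)` followed by `suricata -r merged.pcapng -k none`. That mergecap invocation relies on the shell splitting the file list on whitespace, so it only works when no capture path contains spaces.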