Tcpreplay with suricata

xifeng · June 10, 2022, 3:35am

Hello there,

Are there any problems with my suricata.yaml settings?
The version of my Suricata is 6.0.3.

I could read pcap file with the following command and signature alerts drop into eve.json.

suricata -c /etc/suricata/suricata.yaml -r somePcap.pcap

I tried to replay the same pcap with tcpreplay with:
tcpreplay -i eth0 somePcap.pcap

But in this case, there is no alerts in eve.json and all.

I tired to fix the checksum withTcprewrite and replayed the pcap again, but it still didn’t work.

suricatalfon · June 10, 2022, 5:02am

Hí,
I usually use tcpreplay-edit. For example:

sudo tcpreplay-edit -i eno1 -v --pps=50 --pnat=10.5.3.0/24:192.168.1.0/24 somePcap.pcap

xifeng · June 10, 2022, 5:17am

Thank you, i fixed the MTU to a larger volume and it works.

Topic		Replies	Views
"pcap_cnt" is not accurate on TCP streams Help suricata	2	459	January 26, 2023
Offilne pcap doesn't show traffic into eve.json / fast.log Help	1	322	February 27, 2023
Some match bypass? Rules rules	27	1979	September 17, 2021
Use suricata to replay pcap file without any output Help	4	689	August 4, 2021
Pcap_filename in eve.json is not accurate when using --pcap-file-continuous Developers bug	24	1425	May 16, 2022