Tcpreplay with suricata

xifeng · June 10, 2022, 3:35am

Hello there,

Are there any problems with my suricata.yaml settings?
The version of my Suricata is 6.0.3.

I could read pcap file with the following command and signature alerts drop into eve.json.

suricata -c /etc/suricata/suricata.yaml -r somePcap.pcap

I tried to replay the same pcap with tcpreplay with:
tcpreplay -i eth0 somePcap.pcap

But in this case, there is no alerts in eve.json and all.

I tired to fix the checksum withTcprewrite and replayed the pcap again, but it still didn’t work.

suricatalfon · June 10, 2022, 5:02am

Hí,
I usually use tcpreplay-edit. For example:

sudo tcpreplay-edit -i eno1 -v --pps=50 --pnat=10.5.3.0/24:192.168.1.0/24 somePcap.pcap

xifeng · June 10, 2022, 5:17am

Thank you, i fixed the MTU to a larger volume and it works.

Topic		Replies	Views
Offilne pcap doesn't show traffic into eve.json / fast.log Help	1	286	February 27, 2023
Pcap_filename in eve.json is not accurate when using --pcap-file-continuous Developers bug	24	1264	May 16, 2022
How to create a separate eve.json for each processed pcap file? Help	18	1739	December 19, 2022
Eve JSON Output with configuration : packet: yes Help centos	2	1034	August 28, 2021
Unexpectedly seeing alert records written to eve.json when pass rules are triggered Help	4	838	November 18, 2022