My version is suricata-6.0.12
Configuration and package upload attachments
no rules
Could you please check why the file can’t be extracted, thanks.
suricata.yaml (73.7 KB)
ftpup.pcap (7.9 MB)
I need help, please
Try adding --runmode=single
to your command line. The FTP connections can be picked up by different threads, causing Suricata not to know what the data channel is when it is first seen. This is more of a concern with pcaps than when reading from the wire, though.
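As an added example (not code from the thread, the poster, or the Suricata project), here is a small checker for the eve.json that a run like `suricata -c suricata.yaml -r ftpup.pcap -l log --runmode=single` produces. It summarises flow events by app_proto, so a data channel Suricata failed to associate with its control connection shows up as `failed`, and lists fileinfo records whose file was not stored intact. The eve lines below are constructed to illustrate the record shapes and are not taken from the thread's pcap.

```python
import json
from collections import defaultdict

# Constructed eve.json lines (newline-delimited JSON), not output from the
# thread's pcap: an FTP control flow, one ftp-data flow whose upload was
# stored in full, one truncated upload, and one flow whose protocol could
# not be recognised (app_proto "failed").
SAMPLE_EVE = """\
{"timestamp":"2023-07-05T15:33:10.000000+0800","event_type":"ftp","proto":"TCP","app_proto":"ftp","ftp":{"command":"STOR","command_data":"girl.png","reply":["150 Ok to send data."],"completion_code":["150"]}}
{"timestamp":"2023-07-05T15:33:10.100000+0800","event_type":"fileinfo","proto":"TCP","app_proto":"ftp-data","fileinfo":{"filename":"girl.png","state":"CLOSED","stored":true,"size":1234}}
{"timestamp":"2023-07-05T15:33:11.000000+0800","event_type":"fileinfo","proto":"TCP","app_proto":"ftp-data","fileinfo":{"filename":"second.png","state":"TRUNCATED","stored":false,"size":40}}
{"timestamp":"2023-07-05T15:33:12.000000+0800","event_type":"flow","proto":"TCP","app_proto":"ftp"}
{"timestamp":"2023-07-05T15:33:12.100000+0800","event_type":"flow","proto":"TCP","app_proto":"ftp-data"}
{"timestamp":"2023-07-05T15:33:12.200000+0800","event_type":"flow","proto":"TCP","app_proto":"failed"}
"""


def summarize_ftp_data(eve_text):
    """Summarise extraction results from eve.json text.

    Returns a dict with:
      flows_by_app_proto: count of flow events per app_proto ("failed" or
          a missing app_proto means Suricata never recognised the channel)
      files_not_stored: (filename, state, stored) for every fileinfo
          record that was not both stored and CLOSED
    """
    flows = defaultdict(int)
    not_stored = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        etype = ev.get("event_type")
        if etype == "flow":
            flows[ev.get("app_proto", "unknown")] += 1
        elif etype == "fileinfo":
            fi = ev.get("fileinfo", {})
            if not (fi.get("stored") and fi.get("state") == "CLOSED"):
                not_stored.append((fi.get("filename"), fi.get("state"), fi.get("stored")))
    return {"flows_by_app_proto": dict(flows), "files_not_stored": not_stored}


def summarize_file(path):
    """Convenience wrapper for a real log/eve.json on disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return summarize_ftp_data(fh.read())


if __name__ == "__main__":
    print(json.dumps(summarize_ftp_data(SAMPLE_EVE), indent=2))
```

If the run with `--runmode=single` still shows flows with app_proto `failed` or fileinfo records stuck in `TRUNCATED`, the missing pieces are not a threading artefact and the affected flows are the ones worth pulling out of the pcap for a report.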
Thank you very much, I was able to restore some FTP data after using single-threaded mode. However, some ftp-data sessions still do not seem to be recognized. Is this a current engine bug, or did I get some configuration settings wrong?
By the way, this is the configuration file and run command after I changed the mode following your suggestion:
suricata.yaml (73.7 KB)
suricata -c ./suricata.yaml -r ./pcap/ -l ./log()
Since I enabled single-threaded mode in the configuration file, I did not add it to the command line; I tested it that way with the same result.
Can you turn your test into a Suricata-Verify test?
Do you mean my question is not standardized? Then I will sort it out according to the way you gave in the git project. Or do you want me to submit this issue on that git link?
suricata.zip (7.9 MB)
This is the result of my run. Due to the upload limit, I deleted the input.pcap in the output directory.
Below is what my command line run shows:
    [root@localhost suricata-6.0.12]# …/suricata-verify-master/createst.py --strictcsums 0705 …/suricata-verify-master/0705/ftpup.pcap
    2023-07-05 15:33:10,742 - INFO - Running eve2test…
    Traceback (most recent call last):
      File "…/suricata-verify-master/createst.py", line 465, in <module>
        main()
      File "…/suricata-verify-master/createst.py", line 461, in main
        generate_eve()
      File "…/suricata-verify-master/createst.py", line 444, in generate_eve
        eve2test()
      File "…/suricata-verify-master/createst.py", line 422, in eve2test
        filter_event_type_params(eve_rules=content)
      File "…/suricata-verify-master/createst.py", line 255, in filter_event_type_params
        write_to_file(data=all_eve_list)
      File "…/suricata-verify-master/createst.py", line 151, in write_to_file
        except FileNotFoundError:
    NameError: global name 'FileNotFoundError' is not defined
I’m still very troubled; I hope someone can help me.
Please try:
    ../path/to/suricata-verify/createst.py mytestname /path/to/pcap
and make sure you’re running this command from a suricata dir.
Thank you very much for your answer. I may not have expressed it clearly. In fact, my last reply already ran correctly and produced the result that needs to be debugged, which is the same as what I restored by running suricata directly (the file loaded in the message is missing). I want to know whether this problem is a defect in the current engine or whether there is still something wrong with my configuration.
Actually, apologies from my end. I did not see the error message properly. I believe this is a Python version issue. Could you please try running the script with Python 3? That has this attribute.
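To make the version point concrete, here is an added example (my own code, not createst.py's own `write_to_file`) of the pattern that bites in the traceback above and a portable replacement. On Python 2 the name `FileNotFoundError` does not exist, so an `except FileNotFoundError:` clause raises `NameError` the moment an exception reaches it, which is exactly what the traceback shows; catching `OSError`/`IOError` and inspecting `errno` works on both interpreters. The behaviour of creating the missing parent directory and retrying is an assumption about what such a helper would want to do, not a description of createst.py.

```python
"""Portable 'write, creating the parent dir on ENOENT' helper.

Added example, not code from suricata-verify. Python 2 has no
FileNotFoundError, so `except FileNotFoundError:` raises NameError there;
OSError/IOError plus errno exist on both Python 2 and 3, and on Python 3
FileNotFoundError is simply the OSError subclass carrying errno.ENOENT.
"""
import errno
import io
import os
import shutil
import tempfile


def write_to_file(path, data):
    """Write text to path; if the parent directory is missing, create it and retry.

    Returns the number of characters written. Any error other than ENOENT
    propagates unchanged so permission problems are not silently hidden.
    """
    try:
        with io.open(path, "w", encoding="utf-8") as fh:
            return fh.write(data)
    except (IOError, OSError) as exc:
        if exc.errno != errno.ENOENT:
            raise
    parent = os.path.dirname(path) or "."
    if not os.path.isdir(parent):
        os.makedirs(parent)
    with io.open(path, "w", encoding="utf-8") as fh:
        return fh.write(data)


def demo_roundtrip():
    """Write into a not-yet-existing tests/<name>/ tree inside a temp dir.

    Returns (chars_written_first, chars_written_second, file_exists) so the
    result can be checked without relying on printed output.
    """
    base = tempfile.mkdtemp(prefix="sv-example-")
    try:
        target = os.path.join(base, "tests", "my-ftp-test", "eve.json")
        first = write_to_file(target, u"{}\n")       # parent dir missing: created
        second = write_to_file(target, u"{\"a\":1}\n")  # parent dir present now
        return first, second, os.path.isfile(target)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo_roundtrip())
```

The `u"..."` literals keep the helper valid under Python 2 as well, where `io.open` in text mode refuses byte strings; under Python 3 they are plain strings.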
I’m very sorry for the delay. I’m not good with upgrading Python. Fortunately, I installed it today, but when I ran it again, the result was the same as when I used Python 2.7. I’m a little frustrated; what’s wrong?
Does /home/icy/workspace/suricata-verify-master/tests/0705 even exist?
It exists, and there are files to be restored.
Could you please check if the eve-log section of the suricata.yaml in the suricata dir that you are in has enabled: yes? Also, check permissions on the suricata-verify/tests dir. I can’t think of other reasons it should fail this way right now.
I just tried your suricata.yaml and the pcap you shared and createst.py was able to create the test.
OK, let’s go over it again step by step.
    # Go into your suricata source code directory
    cd /my/suricata/dir
    # Here, you should have a suricata.yaml
    grep -i "eve-log:" suricata.yaml -A 10
The above command should show you the following:
      - eve-log:
          enabled: yes
          filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
          filename: eve.json
          # Enable for multi-threaded eve.json output; output files are amended with
          # an identifier, e.g., eve.9.json
          #threaded: false
          #prefix: "@cee: " # prefix to prepend to each log entry
          # the following are valid when type: syslog above
          #identity: "suricata"
          #facility: local5
Now, if your suricata-verify checkout is one level up, run createst as follows from the Suricata dir you should be in right now:
    python3 ../suricata-verify/run.py my-ftp-test /path/to/my/pcap
Note: I’d highly recommend creating a new test at this point, as I see 0705 directories in places they shouldn’t be; perhaps they were created manually? Give the test a new name and create a fresh one.
Your suricata-verify is owned by root, so, please make sure you’re running createst.py with root as well.
OK, thank you. Have you seen from the test results that the pictures I transferred have been completely restored? It’s the one of the magical girl.