Which capture mode am I running in?

I’m running Suricata 6.0.1 in IDS mode on CentOS 7 (kernel 3.10.0-1160.6.1.el7.x86_64) and I specify “-i p1p2” on the command line. I believe the docs say Suricata will pick the best available method of capture with the -i switch. Is there something in the suricata log file that says whether I am in pcap or af-packet mode?

Hi,
Welcome to the community!

You can use suricatasc to retrieve the capture mode (and run mode).

To retrieve the capture mode:

$ sudo python3 python/bin/suricatasc -c "capture-mode" /usr/local/var/run/suricata/suricata-command.socket
{"message": "AF_PACKET_DEV", "return": "OK"}

Suricata’s log will contain the pathname to the socket – use:

$ grep "socket file" /tmp/ll/suricata.log
[4153763] 16/1/2021 -- 09:10:58 - (unix-manager.c:132) <Info> (UnixNew) -- Using unix socket file '/usr/local/var/run/suricata/suricata-command.socket'
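For readers who want to see what suricatasc actually does over that socket, here is a small Python client that performs the same exchange: connect to the unix command socket, send the JSON version handshake, then send `{"command": "capture-mode"}` and decode the JSON reply. This is an added example, not code from the thread or from the Suricata project; the function names (`socket_path_from_log`, `query`, `capture_mode`, `demo`) are this example's own, and the protocol details (a `{"version": "0.1"}` handshake answered by `{"return": "OK"}`, replies carrying `return` and `message`) are as the example's author understands suricatasc, so check them against your Suricata version. The fake server at the bottom is a constructed stand-in so the exchange can be exercised without a running Suricata.

```python
"""Minimal client for Suricata's unix command socket (added example).

Mirrors the exchange suricatasc performs: connect, JSON version handshake,
JSON command, JSON reply. Protocol details are the example author's
understanding of suricatasc, not taken from the thread above.
"""
import json
import os
import re
import socket
import tempfile
import threading

# Matches the "Using unix socket file '...'" line from suricata.log
SOCKET_LINE_RE = re.compile(r"Using unix socket file '([^']+)'")


def socket_path_from_log(log_text):
    """Return the command-socket path found in Suricata's log text, or None."""
    m = SOCKET_LINE_RE.search(log_text)
    return m.group(1) if m else None


def _recv_json(sock):
    """Read until one complete JSON object has arrived (replies are unframed)."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("socket closed before a reply arrived")
        data += chunk
        try:
            return json.loads(data.decode())
        except ValueError:
            continue  # partial read, keep collecting


def query(sock_path, command):
    """Send one command over the unix socket and return the decoded reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(json.dumps({"version": "0.1"}).encode())  # handshake (assumed format)
        hello = _recv_json(s)
        if hello.get("return") != "OK":
            raise RuntimeError("handshake refused: %r" % hello)
        s.sendall(json.dumps({"command": command}).encode())
        return _recv_json(s)


def capture_mode(sock_path):
    """Return only the capture-mode string, raising if Suricata answers NOK."""
    reply = query(sock_path, "capture-mode")
    if reply.get("return") != "OK":
        raise RuntimeError("command failed: %r" % reply)
    return reply["message"]


# --- constructed stand-in for a running Suricata, for offline use ---------
FAKE_REPLIES = {"capture-mode": "AF_PACKET_DEV", "running-mode": "workers"}


def _serve_once(srv):
    """Answer a single client the way this example assumes Suricata does."""
    conn, _ = srv.accept()
    with conn:
        hello = json.loads(conn.recv(4096).decode())
        ok = "OK" if "version" in hello else "NOK"
        conn.sendall(json.dumps({"return": ok}).encode())
        req = json.loads(conn.recv(4096).decode())
        cmd = req.get("command")
        if cmd in FAKE_REPLIES:
            reply = {"message": FAKE_REPLIES[cmd], "return": "OK"}
        else:
            reply = {"message": "Unknown command", "return": "NOK"}
        conn.sendall(json.dumps(reply).encode())


def demo(command="capture-mode"):
    """Run the client against the fake server on a temporary socket path."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "suricata-command.socket")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    t = threading.Thread(target=_serve_once, args=(srv,))
    t.start()
    try:
        return query(path, command)
    finally:
        t.join()
        srv.close()
        os.unlink(path)
        os.rmdir(d)


if __name__ == "__main__":
    print(demo("capture-mode"))  # against the fake server
```

Against a real instance, call `capture_mode(socket_path_from_log(open("/var/log/suricata/suricata.log").read()))` as a user that can read the socket (root, or the suricata user); the `demo` helper only talks to the constructed server.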

Thanks for the help Jeff! Using the Centos 7 pre-built package provided by OISF, I was able to get the info via the following method:

~# /usr/bin/suricatasc -c "capture-mode" /var/run/suricata/suricata-command.socket
{"message": "AF_PACKET_DEV", "return": "OK"}
