Netgate Discussion Forum
Suricata pcap log cleanup & format question - Wireshark doesn't recognise format

IDS/IPS

firewalluser

Got a load of Suricata pcaps for each interface/VLAN which are sizable.

I can't see, or maybe don't understand, an option which removes the oldest pcaps.

2nd question is what format these pcaps are in, as I have just downloaded them to analyse and the latest 64-bit Windows Wireshark doesn't recognise the format of one pcap, so it won't load and throws the following message when trying to load a 2nd Suricata pcap file.

      The capture file appears to be damaged or corrupt. (pcap: File has 1499520894-byte packet, bigger than maximum of 262144).

These are the pcaps from the DHCP-enabled router into the pfSense OPTx interface set up as a WAN connection, but the pfSense ran out of disk space due to running logging, and that might have corrupted the file, which could explain the above message.

      Interesting to note the DHCP server also stopped assigning IP addresses once the disk was full.

Edit. All the pcaps which could be accessed in part by Wireshark and didn't throw a corrupted file message all displayed a message similar to the one in italics above, the difference being the "File has 1499520894-byte packet" value was different for each file. Some sort of file truncation or something perhaps?

      Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

      Asch Conformity, mainly the blind leading the blind.

bmeeks
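The Wireshark error quoted above comes from a pcap record header whose captured-length field is garbage, which is what a capture file left half-written on a full disk looks like. As an added example (not code from the thread, Netgate or Suricata), the following Python checker walks a legacy pcap record by record the way a reader does, reports the first point where the file stops being valid, and returns the intact prefix so it can be saved and opened. The sample pcap is constructed inline; the 1499520894 caplen is the value from the error message in the post.

```python
import struct

WIRESHARK_MAX_PACKET = 262144  # the limit quoted in the Wireshark error in the post
# Legacy pcap magic numbers (microsecond and nanosecond variants), read as little-endian.
MAGICS = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}


def scan_pcap(data: bytes) -> dict:
    """Walk legacy pcap record headers and report where the file stops being sane."""
    res = {"reason": "clean", "good_records": 0, "good_bytes": 0, "bad_incl_len": None}
    if len(data) < 24:
        res["reason"] = "short global header"
        return res
    endian = MAGICS.get(struct.unpack("<I", data[:4])[0])
    if endian is None:  # pcapng and other formats need a different parser
        res["reason"] = "unknown magic"
        return res
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    off = res["good_bytes"] = 24  # global header is intact; keep it in any recovery
    while (rem := len(data) - off) > 0:
        if rem < 16:
            res["reason"] = "truncated record header"
            break
        _sec, _frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        if incl_len > snaplen or incl_len > WIRESHARK_MAX_PACKET or incl_len > orig_len:
            res["reason"], res["bad_incl_len"] = "oversized record", incl_len  # garbage header
            break
        if rem - 16 < incl_len:  # writer died mid-record, e.g. when the disk filled up
            res["reason"] = "truncated packet data"
            break
        off += 16 + incl_len
        res["good_records"] += 1
        res["good_bytes"] = off
    return res


def recover_prefix(data: bytes) -> bytes:
    """Return the longest prefix (global header + intact records) a reader should accept."""
    return data[:scan_pcap(data)["good_bytes"]]


def _record(payload: bytes, ts: int = 1_500_000_000) -> bytes:
    return struct.pack("<IIII", ts, 0, len(payload), len(payload)) + payload

# Constructed sample: little-endian pcap, snaplen 65535, Ethernet link type, two intact
# records, then a garbage record header carrying the caplen from the error in the post.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + _record(b"\x00" * 60) + _record(b"\x11" * 14)
          + struct.pack("<IIII", 0, 0, 1499520894, 1499520894) + b"\xff" * 40)

if __name__ == "__main__":
    print(scan_pcap(SAMPLE))
```

On a real file, read it into `data`, and if `scan_pcap` reports anything but "clean", write `recover_prefix(data)` to a new file; that copy carries every record up to the damage and opens without the error.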

As you found out, Suricata can log a LOT of data on a busy network. That is why the settings on the LOG MGMT tab are there. They can be helpful with preventing disk space exhaustion.

        I don't have a Suricata VM up and running at the moment (and I run Snort on my production firewall), but I think there are some settings on the LOG MGMT tab that control how long pcap files are kept before being archived/deleted.

        Bill

firewalluser

          I should know soon if the pcap issue is related to my other post with some sort of file truncation or not.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.