    Suricata pcap log cleanup & format question - Wireshark doesn't recognise format

    IDS/IPS
    firewalluser:

      Got a load of Suricata pcaps for each interface/VLAN, which are sizable.

      I can't see, or maybe don't understand, an option which removes the oldest pcaps.

      2nd question: what format are these pcaps in? I have just downloaded them to analyse, and the latest 64-bit Windows Wireshark doesn't recognise the format of one pcap, so it won't load, and it throws the following message when trying to load a 2nd Suricata pcap file.

      The capture file appears to be damaged or corrupt. (pcap: File has 1499520894-byte packet, bigger than maximum of 262144).

      These are the pcaps from the DHCP-enabled router into the pfSense OPTx interface set up as a WAN connection, but as the pfSense ran out of disk space due to running logging, it might have corrupted the file, which could explain the above message.

      Interesting to note the DHCP server also stopped assigning IP addresses once the disk was full.

      Edit. All the pcaps which could be accessed in part by Wireshark and didn't throw a corrupted file message all displayed a message similar to the one in italics above, the difference being that the "File has 1499520894-byte packet" value was different for each file. Some sort of file truncation or something, perhaps?

      Capitalism, currently The World's best Entertainment Control System and YOU can't buy it! But you can buy this, or some of this or some of these

      Asch Conformity, mainly the blind leading the blind.

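A small checker, added here as an example and not from the original thread, that walks a classic pcap file the way Wireshark does and reports whether it is intact, cut off mid-record (what a full disk leaves behind) or carrying a garbage length field like the one in the message above. The sample files are constructed inline, and salvage() returns the prefix a capture tool can still read.

```python
import struct

# Wireshark's per-packet limit, the figure quoted in the error message above.
WIRESHARK_MAX_PACKET = 262144

# Value read with "<I" from the first 4 bytes -> struct byte-order prefix.
MAGICS = {0xa1b2c3d4: "<", 0xd4c3b2a1: ">",   # microsecond timestamps
          0xa1b23c4d: "<", 0x4d3cb2a1: ">"}   # nanosecond timestamps


def check_pcap(data: bytes) -> dict:
    """Walk a classic pcap byte string and report the first structural problem.

    'offset' is always the end of the last fully intact region, so data[:offset]
    is the part a capture tool will still open cleanly."""
    if len(data) < 24:
        return {"status": "truncated-header", "packets": 0, "offset": 0}
    endian = MAGICS.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        return {"status": "bad-magic", "packets": 0, "offset": 0}
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    off, count = 24, 0
    while off < len(data):
        if off + 16 > len(data):                 # file ends inside a record header
            return {"status": "truncated-record-header", "packets": count, "offset": off}
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        if incl_len > snaplen or incl_len > WIRESHARK_MAX_PACKET:   # garbage length field
            return {"status": "oversized-packet", "packets": count, "offset": off, "incl_len": incl_len}
        if off + 16 + incl_len > len(data):      # file ends inside packet bytes (disk filled up)
            return {"status": "truncated-packet-data", "packets": count, "offset": off}
        off += 16 + incl_len
        count += 1
    return {"status": "ok", "packets": count, "offset": off}


def salvage(data: bytes) -> bytes:
    """Return the readable prefix: global header plus every intact record."""
    return data[:check_pcap(data)["offset"]]


def _record(payload: bytes, endian: str = "<") -> bytes:
    return struct.pack(endian + "IIII", 1600000000, 0, len(payload), len(payload)) + payload

# Constructed sample files (not real captures): a clean two-packet pcap, the same file
# cut off mid-record as a full disk would leave it, one whose next record header carries
# the bogus length from the Wireshark message above, and a big-endian variant.
GOOD = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1) + _record(b"\x00" * 60) + _record(b"\xff" * 40)
TRUNCATED = GOOD[:-10]
GARBAGE = GOOD + struct.pack("<IIII", 0, 0, 1499520894, 1499520894)
BIG_ENDIAN = struct.pack(">IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1) + _record(b"\x01" * 10, ">")

if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("truncated", TRUNCATED), ("garbage", GARBAGE)]:
        print(name, check_pcap(blob), "salvageable bytes:", len(salvage(blob)))
```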
      bmeeks:

        As you found out, Suricata can log a LOT of data on a busy network. That is why the settings on the LOG MGMT tab are there. They can be helpful with preventing disk space exhaustion.

        I don't have a Suricata VM up and running at the moment (and I run Snort on my production firewall), but I think there are some settings on the LOG MGMT tab that control how long pcap files are kept before being archived/deleted.

        Bill

        firewalluser:

          I should know soon if the pcap issue is related to my other post with some sort of file truncation or not.
