Suricata pcap log cleanup & format question - wireshark doesnt recognise format



  • Got a load of suricata pcaps for each interface/vlan which are sizable.

    I cant see or maybe dont understand an option which removes the oldest pcaps.

    2nd Question is what format are these pcaps in as I have just downloaded them to analyse and windows wireshark latest 64bit version doesnt recognise the format of one pcap so wont load and throws the following message when trying to load a 2nd suricata pcap file.

    The capture file appears to be damaged or corrupt. (pcap: File has 1499520894-byte packet, bigger than maximum of 262144).

    These are the pcaps from the dhcp enabled router into the pfsense optx interface setup as a wan connection, but as the pfsense ran out of disk space due to running logging and it might have corrupted the file which could explain the above message.

    Interesting to note the DHCP server also stopped assigning IP addresses once the disk was full.

    Edit. All the pcaps which could be accessed in part by wireshark and didnt throw a corrupted file message all displayed a message similar to the one in italics above, the difference being the File has 1499520894-byte packet was different for each file. Some sort of file truncation or something perhaps?



  • As you found out, Suricata can log a LOT of data on a busy network.  That is why the settings on the LOG MGMT tab are there.  They can be helpful with preventing disk space exhaustion.

    I don't have a Suricata VM up and running at the moment (and I run Snort on my production firewall), but I think there are some settings on the LOG MGMT tab that control how long pcap files are kept before being archived/deleted.

    Bill



  • I should know soon if the pcap issue is related to my other post with some sort of file truncation or not.


Log in to reply