Bug #1887
Closed
pcap-log sets snaplen to -1
Description
When dumping packets with pcap-log, Suricata sets the snaplen to -1:
https://github.com/inliniac/suricata/blob/69863f7b1c34fadf6148066dbc099e17812cabee/src/log-pcap.c#L291-L292:
This results in broken pcaps. Some tools, e.g. tcpdump/libpcap, treat "-1" as an unsigned integer – and as it is larger than the built-in maximum, they refuse to work with it at all:
# tcpdump -r /var/log/suricata/pcap.1.1473343332.19746
tcpdump: invalid file capture length 4294967295, bigger than maximum of 262144
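An added example, not part of the original report and not Suricata or libpcap code: a check of the 24-byte pcap file header that detects the out-of-range snaplen described above and rewrites it so affected captures can be opened again. The function names and the constructed sample header are hypothetical; the repair assumes no packet record in the file is longer than the replacement value.

```python
import struct

# Limit quoted in the tcpdump error message on this page.
MAX_SNAPLEN = 262144
# Classic pcap magic numbers as they appear in the first four bytes of a file,
# mapped to the struct byte-order prefix for the remaining header fields.
MAGICS = {
    bytes.fromhex("d4c3b2a1"): "<",  # little-endian, microsecond timestamps
    bytes.fromhex("a1b2c3d4"): ">",  # big-endian, microsecond timestamps
    bytes.fromhex("4d3cb2a1"): "<",  # little-endian, nanosecond timestamps
    bytes.fromhex("a1b23c4d"): ">",  # big-endian, nanosecond timestamps
}
HEADER_LEN = 24      # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
SNAPLEN_OFFSET = 16  # snaplen is the fifth field of the header


def read_snaplen(header: bytes):
    """Return (byte_order, snaplen) with snaplen read as unsigned 32-bit."""
    if len(header) < HEADER_LEN or header[:4] not in MAGICS:
        raise ValueError("not a classic pcap file header")
    order = MAGICS[header[:4]]
    (snaplen,) = struct.unpack_from(order + "I", header, SNAPLEN_OFFSET)
    return order, snaplen


def repair_header(header: bytes, new_snaplen: int = MAX_SNAPLEN) -> bytes:
    """Return the 24-byte header, replacing a snaplen above MAX_SNAPLEN."""
    order, snaplen = read_snaplen(header)
    fixed = bytearray(header[:HEADER_LEN])
    if snaplen > MAX_SNAPLEN:
        # A stored -1 shows up here as 4294967295 and is overwritten.
        struct.pack_into(order + "I", fixed, SNAPLEN_OFFSET, new_snaplen)
    return bytes(fixed)


# Constructed sample header: little-endian, version 2.4, snaplen written as
# a signed -1, link type 1 (Ethernet). Not taken from a real capture.
BROKEN = struct.pack("<IHHiIiI", 0xA1B2C3D4, 2, 4, 0, 0, -1, 1)

if __name__ == "__main__":
    print("snaplen before:", read_snaplen(BROKEN)[1])
    print("snaplen after: ", read_snaplen(repair_header(BROKEN))[1])
```

To repair a file, replace its first 24 bytes with the output of `repair_header` and leave the packet records untouched.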
Updated by Andreas Herz over 8 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Victor Julien almost 8 years ago
- Status changed from New to Closed
- Assignee changed from OISF Dev to Jason Ish
- Target version changed from TBD to 3.2.1