Documentation #6725
document pcap file variables (status: closed)
Affected Versions:
Effort:
Difficulty:
Label:
Description
From https://discord.com/channels/864648830553292840/888087709002891324/1201911877760720966
you can do the same with suri as well
[10:35 AM]
filename: "%n/so-pcap.%t"
[10:35 AM]
that creates a dir per thread
[10:35 AM]
and then you spread those threads on multiple drives
%n is the thread number
[10:39 AM]
and %t is the time stamp
VVelox — Today at 10:41 AM
What thread type?
Mike Reeves(Security Onion) — Today at 10:41 AM
https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L361-L381
it's a worker thread
[10:42 AM]
this is if you choose the mode multi
[10:43 AM]
normal: all threads dump to a single file, but it isn't as fast
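As an added example (not from the issue and not Suricata's own suricata.yaml), a pcap-log output section that uses the variables discussed above; the `dir`, `limit` and `max-files` values are assumptions, only `mode: multi` and the `filename` pattern come from the chat.

```yaml
outputs:
  - pcap-log:
      enabled: yes
      # multi: one pcap writer per worker thread (see the suricata.yaml.in link above).
      # normal: every thread writes into a single file, which is simpler but slower.
      mode: multi
      # %n = worker thread number, %t = timestamp, so this yields one directory
      # per thread, e.g. 3/so-pcap.1706700000 (constructed example path).
      filename: "%n/so-pcap.%t"
      # Base directory under which the per-thread directories are created (assumed value).
      dir: /nsm/pcap
      # Ring buffer: rotate files at 1000mb and keep at most 2000 of them (assumed values).
      limit: 1000mb
      max-files: 2000
      use-stream-depth: no
      honor-pass-rules: no
```

One way to spread the threads over drives, as the chat describes, is to make each numbered per-thread directory a mount point or a symlink onto a different disk.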