21.8. PCAP File Reading
Suricata offers a pcap-file capture method to process PCAP files and directories of PCAP files in an offline or live-feed manner.
21.8.1. Configuration
pcap-file:
  checksum-checks: auto
  # buffer-size: 128 KiB
  # tenant-id: none
  # delete-when-done: false
  # recursive: false
  # continuous: false
  # delay: 30
  # poll-interval: 5
21.8.2. Buffer Size
This option sets the size of the read buffer for the PCAP file. A larger buffer lets Suricata read more data at once, which can improve performance, especially for large files. The size can also be set on the command line with --pcap-file-buffer-size.
21.8.4. Other options
checksum-checks
  auto (default): Suricata detects checksum offloading statistically.
  yes: Forces checksum validation.
  no: Disables checksum validation.
  The command-line option is -k.
tenant-id
  Specifies the tenant for multi-tenant setups with direct select. The PCAP is processed by the detection engine assigned to the specified tenant.
delete-when-done
  If true, Suricata deletes the PCAP file after processing. The command-line option is --pcap-file-delete.
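The checksum-checks option exists because a capture taken on a host with checksum offloading enabled contains IPv4 headers whose checksum field was never filled in by the kernel, and validating those would make Suricata discard legitimate traffic. The following script is an added example, not part of the Suricata documentation or code base: it parses a classic pcap, recomputes each IPv4 header checksum, and reports how many fail, so an analyst can decide whether a given file should be run with checksum-checks: no. The sample pcaps are constructed in memory, and the majority-failure threshold is this example's own heuristic, not Suricata's auto-detection algorithm.

```python
"""Audit IPv4 header checksums in a pcap to spot checksum offloading.

Added example (not Suricata's code). Builds two small pcaps in memory from
constructed packets and counts IPv4 headers whose stored checksum does not
match a recomputation. Many failures usually mean the capture host offloaded
checksumming to the NIC, which is the case Suricata's checksum-checks: no
(command line: -k none) is meant for.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4       # classic little-endian pcap magic
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over a header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src: str, dst: str, payload: bytes, valid_checksum: bool) -> bytes:
    """Constructed Ethernet II frame with a minimal 20-byte IPv4 header.

    With valid_checksum=False the checksum field is left at 0, which is what a
    capture on the sending host looks like when offloading is enabled."""
    ihl = 5
    total_len = ihl * 4 + len(payload)
    fields = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0x1234, 0,   # ver/ihl, tos, len, id, flags
                         64, 17, 0,                                 # ttl, proto (UDP), checksum=0
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    csum = ipv4_checksum(fields) if valid_checksum else 0
    ip_header = fields[:10] + struct.pack("!H", csum) + fields[12:]
    eth = (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip_header + payload


def build_pcap(frames) -> bytes:
    """Wrap raw Ethernet frames in a classic pcap file (24-byte global header,
    16-byte record header per packet). Timestamps are constructed."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_ipv4_headers(pcap: bytes):
    """Yield the IPv4 header bytes of every IPv4-over-Ethernet record."""
    (magic,) = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported or byte-swapped pcap magic")
    offset = 24
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, offset)
        offset += 16
        frame = pcap[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4
        if ihl < 20 or len(frame) < 14 + ihl:
            continue
        yield frame[14:14 + ihl]


def audit_checksums(pcap: bytes) -> dict:
    """Count IPv4 headers and how many carry a checksum that does not verify."""
    total = bad = 0
    for hdr in iter_ipv4_headers(pcap):
        total += 1
        stored = struct.unpack_from("!H", hdr, 10)[0]
        zeroed = hdr[:10] + b"\x00\x00" + hdr[12:]
        if ipv4_checksum(zeroed) != stored:
            bad += 1
    return {"ipv4_packets": total, "bad_checksums": bad}


def suggested_checksum_setting(audit: dict) -> str:
    """Heuristic of this example only: if most headers fail, assume offloading
    and suggest checksum-checks: no; otherwise keep Suricata's default, auto."""
    total, bad = audit["ipv4_packets"], audit["bad_checksums"]
    if total and bad / total > 0.5:
        return "no"
    return "auto"


if __name__ == "__main__":
    good = build_pcap([build_ipv4_packet("10.0.0.1", "10.0.0.2", b"ok", True) for _ in range(3)])
    offloaded = build_pcap([build_ipv4_packet("10.0.0.1", "10.0.0.2", b"ok", False) for _ in range(3)])
    for name, blob in (("good.pcap", good), ("offloaded.pcap", offloaded)):
        result = audit_checksums(blob)
        print(name, result, "-> checksum-checks:", suggested_checksum_setting(result))
```

To audit a real file, read it with open(path, "rb").read() and pass the bytes to audit_checksums; only the classic little-endian pcap format is handled here, so pcapng or big-endian captures must be converted first.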
BPF filter
  Suricata supports BPF filters for packet capture, and they also apply to the pcap-file capture method. The BPF filter is read from a file given with the -F command-line option.