21.8. PCAP File Reading

Suricata offers a pcap-file capture method to process PCAP files and directories of PCAP files in an offline or live-feed manner.

21.8.1. Configuration

pcap-file:
  checksum-checks: auto
  # buffer-size: 128 KiB
  # tenant-id: none
  # delete-when-done: false
  # recursive: false
  # continuous: false
  # delay: 30
  # poll-interval: 5

21.8.2. Buffer Size

This option specifies the size of the read buffer for the PCAP file. The larger the buffer, the more data Suricata can read at once, which can improve performance, especially for large files. The size can also be given on the command line with --pcap-file-buffer-size.

21.8.4. Other options

checksum-checks

  • auto (default): Suricata detects checksum offloading statistically.

  • yes: Forces checksum validation.

  • no: Disables checksum validation.

  • The command-line option is -k.

tenant-id

  • Specifies the tenant for multi-tenant setups with direct select.

  • The PCAP is processed by the detection engine assigned to the specified tenant.

delete-when-done

  • If true, Suricata deletes the PCAP file after processing.

  • The command-line option is --pcap-file-delete.

BPF filter

  • Suricata supports BPF filters for packet capture, and they also apply to the pcap-file capture method.

  • The BPF filter is read from a file given with the -F command-line option.
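As an added example (not part of the Suricata documentation), a small POSIX shell wrapper that turns the pcap-file options above into a reviewable suricata command line; it assumes suricata is on PATH, that -r points at the PCAP file or directory, and uses Suricata's -k all / -k none syntax for forcing or disabling checksum validation (auto adds no flag).

```shell
#!/bin/sh
# Build (but do not run) a suricata command for offline PCAP processing.
# build_pcap_cmd CONFIG TARGET CHECKSUM DELETE BPF_FILE
#   CONFIG   : path to suricata.yaml
#   TARGET   : a PCAP file or a directory of PCAP files (passed to -r)
#   CHECKSUM : auto | yes | no   (yes -> -k all, no -> -k none, auto -> no flag)
#   DELETE   : true | false      (true -> --pcap-file-delete)
#   BPF_FILE : path to a BPF filter file, or "" for none (passed to -F)
build_pcap_cmd() {
    config=$1; target=$2; checksum=$3; delete=$4; bpf_file=$5
    cmd="suricata -c $config -r $target"
    case "$checksum" in
        auto) ;;
        yes)  cmd="$cmd -k all" ;;
        no)   cmd="$cmd -k none" ;;
        *)    echo "invalid checksum-checks value: $checksum" >&2; return 1 ;;
    esac
    if [ "$delete" = "true" ]; then
        # delete-when-done removes the source file once it has been processed.
        cmd="$cmd --pcap-file-delete"
    fi
    if [ -n "$bpf_file" ]; then
        # -F reads the filter from a file; refuse a missing or empty file rather
        # than silently inspecting every packet with no filter applied.
        if [ ! -s "$bpf_file" ]; then
            echo "BPF filter file missing or empty: $bpf_file" >&2; return 1
        fi
        cmd="$cmd -F $bpf_file"
    fi
    printf '%s\n' "$cmd"
}
```

Because --pcap-file-delete removes the input after processing, point the wrapper at a copy when the original capture must be retained.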