Suricata 8.0.0 and read PCAP /dev/stdin


suri cata

Jul 10, 2025, 3:01:56 AM7/10/25
to SELKS
Hi,


Sorry for posting on the SELKS forum because I'm not receiving confirmation emails from the Suricata Discord forum or the Suricata forums.

Before, with Suricata 7, I did this and it worked: 

sudo trafr -s | sudo /usr/bin/suricata -r /dev/stdin -knone -v -c /etc/suricata7/suricata7.yaml -l ./ --runmode autofp 

Now, with Suricata 8, doing the same thing: 

sudo trafr -s | sudo /usr/bin/suricata -r /dev/stdin -knone -v -c /etc/suricata8/suricata/suricata8.yaml -l ./ --runmode autofp

I get the following error:

Info: detect: 52794 signatures processed. 1319 are IP-only rules, 4522 are inspecting packet payload, 46861 inspect application layer, 0 are decoder event only
Notice: mpm-hs: Rule group caching - loaded: 108 newly cached: 0 total cacheable: 108
Error: pcap: failed to get first packet timestamp. pcap_next_ex(): -1
Warning: pcap: Failed to init pcap file /dev/stdin, skipping
Error: pcap: pcap file reader thread failed to initialize
Notice: threads: Threads created -> RX: 1 W: 4 FM: 1 FR: 1   Engine started.
Notice: suricata: Signal Received.  Stopping engine.

Regards,

suri cata

Jul 10, 2025, 12:29:36 PM7/10/25
to SELKS
Hi,

The only way I found to make it work, as a temporary patch, is this (note the sleep 2):

mkfifo ./suricata

sudo trafr -s | tcpdump -nn -r - -s0 -U -w ./suricata tcp & sleep 2; sudo /usr/bin/suricata -r ./suricata -v -c /etc/suricata8/suricata/suricata8.yaml -l ./ --runmode autofp

Info: pcap: Starting file run for ./suricata

Notice: threads: Threads created -> RX: 1 W: 4 FM: 1 FR: 1   Engine started.

Best Regards,
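The named-pipe workaround from this thread, written out as a small script, is given here as an added example; it is not the poster's command and not part of Suricata or SELKS. It assumes trafr, tcpdump and suricata are on PATH, that the rule-set path is the poster's /etc/suricata8/suricata/suricata8.yaml, and that the caller has the privileges the poster used sudo for. The check_read_target helper is a hypothetical name that encodes the observation from the thread: Suricata 8 ran fine on a FIFO but refused /dev/stdin.

```shell
#!/bin/sh
# Added example (not from the original post): feed a live stream to
# `suricata -r` through a private named pipe instead of /dev/stdin.
set -eu

# Create a FIFO inside a fresh 0700 directory so only this user can read
# the traffic that flows through it. Prints the FIFO path.
make_capture_fifo() {
    dir=$(mktemp -d)
    chmod 700 "$dir"
    mkfifo -m 600 "$dir/capture.pcap"
    printf '%s\n' "$dir/capture.pcap"
}

# Encodes the thread's finding: a regular pcap file or a named FIFO is a
# usable -r target, the process's own stdin (/dev/stdin or an fd path) is not.
# Returns 0 when the path looks usable, 1 otherwise.
check_read_target() {
    case "$1" in
        /dev/stdin|/dev/fd/*|/proc/self/fd/*) return 1 ;;
    esac
    [ -p "$1" ] || [ -f "$1" ]
}

# Run the capture: tcpdump writes pcap records into the FIFO, suricata reads
# them. Opening a FIFO blocks until both ends are attached, so the delay
# (default 2 s, as in the poster's command) only gives trafr time to start.
run_stream() {
    yaml=${1:-/etc/suricata8/suricata/suricata8.yaml}   # assumption: poster's path
    delay=${2:-2}
    fifo=$(make_capture_fifo)
    check_read_target "$fifo"
    # Remove the FIFO and its directory however we exit.
    trap 'rm -rf "$(dirname "$fifo")"' EXIT INT TERM
    # Writer side, backgrounded: -U flushes each packet so the reader is not starved.
    trafr -s | tcpdump -nn -r - -s0 -U -w "$fifo" tcp &
    writer=$!
    sleep "$delay"
    # Reader side, foreground: same arguments the poster used.
    suricata -r "$fifo" -v -c "$yaml" -l ./ --runmode autofp
    wait "$writer" 2>/dev/null || true
}
```

Call `run_stream` (optionally with a yaml path and a delay in seconds) from a shell with the needed privileges; the FIFO lives in a temporary directory that is removed on exit rather than in the working directory.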

Peter Manev

Jul 12, 2025, 7:57:31 AM7/12/25
to suri cata, SELKS
Thanks for sharing the information about your solution!



--
Regards,
Peter Manev