Suricata 8.0.0 and read PCAP /dev/stdin


suri cata

Jul 10, 2025, 3:01:56 AMJul 10
to SELKS
Hi,


Sorry for posting on the SELKS forum because I'm not receiving confirmation emails from the Suricata Discord forum or the Suricata forums.

Before, with Suricata 7, I did this and it worked: 

sudo trafr -s | sudo /usr/bin/suricata -r /dev/stdin -knone -v -c /etc/suricata7/suricata7.yaml -l ./ --runmode autofp 

Now, with Suricata 8, doing the same thing: 

sudo trafr -s | sudo /usr/bin/suricata -r /dev/stdin -knone -v -c /etc/suricata8/suricata/suricata8.yaml -l ./ --runmode autofp

I get the following error:

Info: detect: 52794 signatures processed. 1319 are IP-only rules, 4522 are inspecting packet payload, 46861 inspect application layer, 0 are decoder event only
Notice: mpm-hs: Rule group caching - loaded: 108 newly cached: 0 total cacheable: 108
Error: pcap: failed to get first packet timestamp. pcap_next_ex(): -1
Warning: pcap: Failed to init pcap file /dev/stdin, skipping
Error: pcap: pcap file reader thread failed to initialize
Notice: threads: Threads created -> RX: 1 W: 4 FM: 1 FR: 1   Engine started.
Notice: suricata: Signal Received.  Stopping engine.

Regards,

suri cata

Jul 10, 2025, 12:29:36 PMJul 10
to SELKS
Hi,

The only way I have found for it to work, as a temporary patch (note the sleep 2):

mkfifo ./suricata

sudo trafr -s | tcpdump -nn -r - -s0 -U -w ./suricata tcp & sleep 2; sudo /usr/bin/suricata -r ./suricata -v -c /etc/suricata8/suricata/suricata8.yaml -l ./ --runmode autofp

Info: pcap: Starting file run for ./suricata

Notice: threads: Threads created -> RX: 1 W: 4 FM: 1 FR: 1   Engine started.

Best Regards,

Peter Manev

Jul 12, 2025, 7:57:31 AMJul 12
to suri cata, SELKS
Thanks for sharing the information on your solution!
--
Regards,
Peter Manev