
Local PCAP processing

How to capture a trace and process it on the Suricata Server

  1. Capture a PCAP
    1. Remote into a router and run a packet sniff
    2. Save the output file to the router
  2. Copy the .pcap file to the Suricata Server
    1. From the local workstation, run the following command:

      scp <PCAP file> <user>@192.168.88.235:<destination path>
      Example:
      scp RT-GJISP.pcap seamajr@192.168.88.235:/home/seamajr/suricata/pcapfiles/RT-GJISP.pcap

    2. SSH into the Suricata Server

      ssh <user>@<server hostname or IP address>

      Example:
      ssh seamajr@192.168.88.235
    3. Process the PCAP with Suricata in offline mode. Save the following script on the Suricata Server (for example as process_pcap.sh), make it executable, and run it with the PCAP path as its only argument:

      #!/usr/bin/env bash

      # Define paths
      PCAP_FILE="$1"
      LOG_LOCATION="/home/seamajr/suricata/offlinetmp"
      CONFIG_FILE="/etc/suricata/suricata.yaml"
      EVE_FILE="$LOG_LOCATION/eve.json"

      # Check if PCAP file is provided and exists
      if [ -z "$PCAP_FILE" ] || [ ! -f "$PCAP_FILE" ]; then
          echo "Error: PCAP file '$PCAP_FILE' doesn't exist or was not provided."
          echo "Usage: $0 <path_to_pcap_file>"
          exit 1
      fi

      # Check if log directory exists, create if needed
      if [ ! -d "$LOG_LOCATION" ]; then
          echo "Creating Suricata log directory: $LOG_LOCATION"
          mkdir -p "$LOG_LOCATION"
          sudo chown suricata:suricata "$LOG_LOCATION"
          sudo chmod 755 "$LOG_LOCATION"
      else
          # Suricata runs under sudo below, so earlier logs are root-owned and must be
          # removed with sudo. ${LOG_LOCATION:?} aborts rather than expanding to "/*"
          # if the variable is ever empty.
          echo "Log directory exists, clearing previous content..."
          sudo rm -rf "${LOG_LOCATION:?}"/*
      fi

      # Ensure Suricata has permissions to read the PCAP file
      sudo chown suricata:suricata "$PCAP_FILE"
      sudo chmod 644 "$PCAP_FILE"

      # Run Suricata in offline mode: -r reads the PCAP, -k none disables checksum
      # validation (router captures often carry offloaded/invalid checksums),
      # -l sets the log directory that eve.json is written to
      echo "Processing PCAP file with Suricata: $PCAP_FILE"
      if ! sudo suricata -c "$CONFIG_FILE" -k none -r "$PCAP_FILE" --runmode autofp -l "$LOG_LOCATION"; then
          echo "Error: Suricata failed to process the PCAP file!"
          exit 1
      fi

      # Print out alerts
      echo -e "\nAlerts:\n"
      if [ ! -f "$EVE_FILE" ]; then
          echo "Error: $EVE_FILE was not written; check the eve-log output section of $CONFIG_FILE"
          exit 1
      fi

      # Select alert events in jq itself (rather than grepping for the literal string) so the
      # result does not depend on JSON field spacing, and count them so an empty result is
      # reported as "no alerts" instead of "complete". Ports are absent on ICMP alerts and
      # category may be missing, so default them instead of letting jq fail on null.
      ALERT_COUNT=$(jq -c 'select(.event_type == "alert")' "$EVE_FILE" | wc -l)
      if [ "$ALERT_COUNT" -eq 0 ]; then
          echo "No alerts found in $EVE_FILE"
      elif jq -r 'select(.event_type == "alert") | .timestamp + " | " + (.alert.gid | tostring) + ":" + (.alert.signature_id | tostring) + ":" + (.alert.rev | tostring) + " | " + .alert.signature + " | " + (.alert.category // "") + " | " + .src_ip + ":" + (.src_port // "-" | tostring) + " -> " + .dest_ip + ":" + (.dest_port // "-" | tostring)' "$EVE_FILE"; then
          echo -e "\nAlert processing complete: $ALERT_COUNT alert(s) found."
      else
          echo "Error: Failed to process alerts with jq."
          exit 1
      fi

      # Optional: Uncomment to launch EveBox in oneshot mode if installed
      # evebox oneshot "$EVE_FILE"
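The alert step above depends on jq and silently prints "null" or fails when an alert has no ports (ICMP) or is missing a field. As an added example, not part of the original page, here is the same eve.json alert summary written in Python with only the standard library, so it can be run on the workstation after copying eve.json back, or used to sanity-check the jq output. It prints the page's "timestamp | gid:sid:rev | signature | category | src -> dst" line per alert plus a per-signature count, skips non-alert events and truncated lines, and the sample records, signature IDs (local rule range) and names below are constructed for the example.

```python
import json
from collections import Counter

# Constructed sample eve.json content (one JSON object per line, as Suricata writes it):
# a TCP alert, a flow event that must be ignored, an ICMP alert with no ports,
# and a truncated trailing line such as a still-running Suricata leaves behind.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51515,"dest_ip":"192.168.88.10","dest_port":22,"proto":"TCP","alert":{"gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL TEST SSH connect attempt","category":"Attempted Information Leak"}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"192.168.88.10","proto":"TCP"}
{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.168.88.10","proto":"ICMP","alert":{"gid":1,"signature_id":1000002,"rev":1,"signature":"LOCAL TEST ICMP echo","category":"Misc activity"}}
{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.
"""


def format_alert(event):
    """Render one alert event in the same shape as the page's jq filter.
    Missing ports (ICMP) or fields are shown as '-'/'?' instead of raising."""
    a = event.get("alert", {})
    src = f'{event.get("src_ip", "?")}:{event.get("src_port", "-")}'
    dst = f'{event.get("dest_ip", "?")}:{event.get("dest_port", "-")}'
    ids = f'{a.get("gid", "?")}:{a.get("signature_id", "?")}:{a.get("rev", "?")}'
    return (f'{event.get("timestamp", "?")} | {ids} | {a.get("signature", "?")}'
            f' | {a.get("category", "?")} | {src} -> {dst}')


def summarize_alerts(eve_text):
    """Parse eve.json text line by line, keep only event_type == "alert",
    skip blank or unparsable lines, and return (formatted rows, per-signature counts)."""
    rows, counts = [], Counter()
    for raw in eve_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # truncated or corrupt line: skip rather than abort the whole report
        if event.get("event_type") != "alert":
            continue
        rows.append(format_alert(event))
        counts[event.get("alert", {}).get("signature", "?")] += 1
    return rows, counts


if __name__ == "__main__":
    import sys
    # Usage: python3 eve_alerts.py [path/to/eve.json]; without a path the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVE
    rows, counts = summarize_alerts(text)
    print("\n".join(rows) if rows else "No alerts in input")
    for sig, n in counts.most_common():
        print(f"{n:5d}  {sig}")
```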