so-import-pcap - improve single pcap use case #1239

Closed
websecusa opened this issue Apr 22, 2018 · 4 comments

@websecusa

commented Apr 22, 2018

Hi,
I like the use of mergecap, but only if there are multiple pcaps to process. I tried to run the so-import-pcap on a single netcapture.pcap (VERY LARGE PCAP), and mergecap is used.

Just thought that maybe if there is a single pcap used, that you may want to not use the mergecap feature.

Hope that this helps. Security Onion is GREAT!!

@dougburks

Contributor

commented Apr 23, 2018

Hi @websecusa,

I realize it may seem a little strange to mergecap a single pcap. However, it does actually provide a useful function. By running mergecap on that single pcap, it actually validates that the user has passed a file that is a valid pcap with no corruption. If it's an invalid or corrupted file, then mergecap will fail and so-import-pcap will not try to process any further.

Is running mergecap on your netcapture.pcap causing a problem?
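
The kind of structural validation discussed in the comment above, as an added example that is not part of the original thread and is not mergecap's or so-import-pcap's own code: a Python check that walks a classic pcap file's headers and rejects a non-pcap or truncated file before anything else processes it. The function names, the `MAX_PACKET` bound and the sample capture are constructed for this example.

```python
import struct

# First four bytes of a classic libpcap file -> struct byte-order prefix.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}
MAX_PACKET = 262144  # sanity bound on a captured length (assumption of this example)


def check_pcap(data):
    """Return (ok, reason, packets_read) for the bytes of a classic pcap file."""
    if len(data) < 24:
        return False, "shorter than the 24-byte global header", 0
    order = MAGICS.get(data[:4])
    if order is None:
        return False, "unrecognised magic number", 0
    offset, count = 24, 0
    while offset < len(data):
        if len(data) - offset < 16:
            return False, "truncated record header", count
        # Record header: ts_sec, ts_frac, incl_len (bytes stored), orig_len.
        incl_len = struct.unpack(order + "I", data[offset + 8:offset + 12])[0]
        if incl_len > MAX_PACKET:
            return False, "implausible captured length", count
        offset += 16 + incl_len
        if offset > len(data):
            return False, "truncated packet data", count
        count += 1
    return True, "ok", count


def build_sample(payloads):
    """Constructed little-endian pcap (version 2.4, Ethernet) holding the payloads."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, p in enumerate(payloads):
        out += struct.pack("<IIII", 1524355200 + i, 0, len(p), len(p)) + p
    return out


if __name__ == "__main__":
    good = build_sample([b"\x00" * 60, b"\x01" * 42])
    bad_len = good[:32] + struct.pack("<I", 0x7FFFFFFF) + good[36:]
    samples = [("intact", good), ("cut short", good[:-10]),
               ("not a pcap", b"PK\x03\x04" + good[4:]), ("bad length", bad_len)]
    for label, blob in samples:
        print(label, check_pcap(blob))
```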

@dougburks

Contributor

commented Jan 31, 2019

Just pushed a commit yesterday that should improve the single pcap use case:
Security-Onion-Solutions/securityonion-elastic@47e1b1b

@dougburks dougburks added this to To do in 16.04.6.1 via automation Jan 31, 2019

@dougburks dougburks moved this from To do to In progress in 16.04.6.1 Jan 31, 2019

@dougburks dougburks self-assigned this Feb 13, 2019

@dougburks dougburks changed the title from "so-import-pcap - Single pcap - Why use mergecap" to "so-import-pcap - improve single pcap use case" Feb 18, 2019

@dougburks

Contributor

commented May 3, 2019

@dougburks dougburks moved this from In progress to In Testing in 16.04.6.1 May 3, 2019

@dougburks dougburks closed this May 13, 2019

16.04.6.1 automation moved this from In Testing to Done May 13, 2019
