Question about the transition between Stenographer and Suricata #12624
In the documentation for Suricata there is this statement: "Suricata has the ability to stop capturing PCAP once a flow reaches a specific stream depth. Security Onion sets this stream depth to 1MB by default. This means that once the PCAP flow reaches 1MB, Suricata will stop recording packets for that flow." Does Stenographer do this too? Or is this just a feature of Suricata? Can this option be turned off if you want to capture the whole flow?

Thanks, Joe
Replies: 1 comment
No, Stenographer is not flow-aware like Suricata is. Suricata by default will also capture the entire flow. To enable the abbreviated PCAP you would need to set use-stream-depth to yes.
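For reference, the two suricata.yaml settings the reply refers to, shown together with both values of use-stream-depth commented. This is an added example, not a file from this thread or from Security Onion; the output directory and size limits are assumed values.

```yaml
# Added example: how stream reassembly depth and pcap-log interact in
# suricata.yaml. Not taken from the thread or from Security Onion's config.

# How far into each flow Suricata reassembles and inspects stream data.
# The question states Security Onion sets this to 1mb; 0 means unlimited.
stream:
  reassembly:
    depth: 1mb

outputs:
  - pcap-log:
      enabled: yes
      filename: log.pcap
      limit: 1000mb            # assumed rotation size
      max-files: 2000          # assumed file count
      mode: normal
      dir: /var/log/suricata/  # assumed path; use your deployment's value
      # "no" is the Suricata default and logs every packet of the flow.
      # "yes" stops writing a flow's packets once it reaches
      # stream.reassembly.depth, producing the abbreviated PCAP the reply
      # describes. Keep "no" if you want full-flow capture from Suricata.
      use-stream-depth: no
```

Stenographer has no equivalent setting, since it writes packets without tracking flows.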