Hi. There is no support for writing the log prefix into pcap. Read this:
https://wiki.wireshark.org/Development/LibpcapFileFormat

On 13 April 2018 at 01:19, darius <dram@xxxxxxxxxxx> wrote:
> Hello all,
>
> I'm trying to get the prefix logged into the pcap file, the same way as it is
> done in syslog. Everything works out of the box with syslog, but it
> doesn't with the pcap format. I have enabled the stack in ulogd.conf:
>
> # this is a stack for NFLOG packet-based logging to PCAP
> stack=log2:NFLOG,base1:BASE,pcap1:PCAP
>
> [log2]
> group=1
>
> [pcap1]
> file="/var/log/ulogd.pcap"
> sync=1
>
> The logging rule in nftables looks simple:
>
> tcp dport {ssh} counter log prefix "IN" group 1 log prefix "_INPUT_" group 2 accept
>
> So, packets are logged: both in syslog and pcap. I can see the prefix in
> syslog with 'logread', but there is no prefix in the pcap file when I
> analyze it in Wireshark. Logging itself works ok. Any ideas what I'm
> doing wrong?
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

--
Anton.
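To make the answer above concrete, here is an added example (not code from the thread, from ulogd or from the Wireshark wiki) that writes and walks a classic libpcap file exactly as laid out on the linked page: a 24-byte global header followed by records that carry only a timestamp, an included length, an original length and the packet bytes. Everything that identifies a record is listed in RECORD_HDR_FIELDS; there is no slot for an NFLOG prefix, a group number or any other metadata, which is why the prefix seen with 'logread' cannot appear in Wireshark. The sample capture is constructed in memory from two hand-built raw IPv4/TCP headers to port 22 (checksums left zero); the choice of LINKTYPE_RAW (101) for the sample is an assumption for the example and is not a statement about which link type ulogd's PCAP plugin writes.

```python
"""Classic libpcap (not pcapng) writer/reader following
https://wiki.wireshark.org/Development/LibpcapFileFormat.

Global header (24 bytes): magic u32, version_major u16, version_minor u16,
thiszone i32, sigfigs u32, snaplen u32, network u32.
Per record (16 bytes + data): ts_sec u32, ts_frac u32, incl_len u32, orig_len u32.
Nothing else is stored per packet.  Added example; sample data is constructed.
"""
import struct

MAGIC_USEC = 0xA1B2C3D4            # microsecond timestamps
MAGIC_NSEC = 0xA1B23C4D            # nanosecond timestamps (pcap variant)
LINKTYPE_ETHERNET = 1
LINKTYPE_RAW = 101                 # raw IPv4/IPv6, no link-layer header (assumption for the sample)
GLOBAL_HDR_FIELDS = ("magic", "version_major", "version_minor",
                     "thiszone", "sigfigs", "snaplen", "network")
RECORD_HDR_FIELDS = ("ts_sec", "ts_frac", "incl_len", "orig_len")   # the complete per-record metadata


def build_pcap(packets, network=LINKTYPE_RAW, snaplen=65535, nsec=False, big_endian=False):
    """Serialise (ts_sec, ts_frac, bytes) tuples into a pcap file image."""
    endian = ">" if big_endian else "<"
    magic = MAGIC_NSEC if nsec else MAGIC_USEC
    out = bytearray(struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, snaplen, network))
    for ts_sec, ts_frac, data in packets:
        incl = min(len(data), snaplen)                    # snaplen truncates the stored bytes
        out += struct.pack(endian + "IIII", ts_sec, ts_frac, incl, len(data))
        out += data[:incl]
    return bytes(out)


def parse_pcap(data):
    """Return (global_header dict, list of record dicts); raise ValueError on malformed input."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    endian = None
    for cand in ("<", ">"):                               # magic doubles as the byte-order marker
        magic, = struct.unpack(cand + "I", data[:4])
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            endian = cand
            break
    if endian is None:
        raise ValueError("not a classic libpcap file (pcapng or garbage)")
    hdr = dict(zip(GLOBAL_HDR_FIELDS, struct.unpack(endian + "IHHiIII", data[:24])))
    hdr["ts_unit"] = "ns" if hdr["magic"] == MAGIC_NSEC else "us"
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        rec = dict(zip(RECORD_HDR_FIELDS, struct.unpack(endian + "IIII", data[off:off + 16])))
        off += 16
        if rec["incl_len"] > rec["orig_len"]:
            raise ValueError("incl_len exceeds orig_len at offset %d" % off)
        if off + rec["incl_len"] > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        rec["data"] = data[off:off + rec["incl_len"]]
        off += rec["incl_len"]
        records.append(rec)
    return hdr, records


def tcp_dport(pkt, network=LINKTYPE_RAW):
    """Destination port of an IPv4/TCP packet; only Ethernet and raw-IP link types handled."""
    if network == LINKTYPE_ETHERNET:
        pkt = pkt[14:]                                    # skip dst MAC, src MAC, ethertype
    if len(pkt) < 24 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]


def summarize(data):
    """Everything recoverable per record: time, original length, TCP dport. No prefix exists."""
    hdr, records = parse_pcap(data)
    div = 1e9 if hdr["ts_unit"] == "ns" else 1e6
    return [{"ts": r["ts_sec"] + r["ts_frac"] / div, "len": r["orig_len"],
             "dport": tcp_dport(r["data"], hdr["network"])} for r in records]


def ipv4_tcp(src, dst, sport, dport, flags):
    """Constructed raw IPv4+TCP header (40 bytes, no payload, checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0, bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp


# Constructed sample: a SYN and an ACK from 10.0.0.2 to port 22 on 10.0.0.1,
# i.e. what the 'tcp dport {ssh} ... log group 1' rule would hand to NFLOG.
SAMPLE_PACKETS = [
    (1523575180, 123456, ipv4_tcp((10, 0, 0, 2), (10, 0, 0, 1), 40000, 22, 0x02)),
    (1523575180, 987654, ipv4_tcp((10, 0, 0, 2), (10, 0, 0, 1), 40000, 22, 0x10)),
]

if __name__ == "__main__":
    image = build_pcap(SAMPLE_PACKETS)
    header, recs = parse_pcap(image)
    print("global header:", {k: v for k, v in header.items() if k != "magic"})
    print("per-record fields:", RECORD_HDR_FIELDS)
    for row in summarize(image):
        print(row)
```

The parser deliberately accepts both byte orders and the nanosecond magic, and rejects pcapng, truncated records and incl_len > orig_len, since those are the cases a quick-and-dirty reader trips over when fed a file that ulogd was still appending to (sync=1 only flushes; it does not make a half-written record valid). If you need the prefix or NFLOG group alongside each packet, it has to come from an output plugin whose format has a field for it, not from PCAP.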