This is an example of using the Suricata library to capture live traffic from a network interface with custom packet handling and threading.

Building In Tree

The Suricata build system has created a Makefile that should allow you to build this application in-tree on most supported platforms. To build simply run:

make

Running

./live -i eth0 -l .

This example requires at least one -i option to specify the network interface to capture from. You can specify multiple interfaces to capture from multiple sources simultaneously - a separate worker thread will be created for each interface:

./live -i eth0 -i eth1

Any additional arguments are passed directly to Suricata as command line arguments.

Example with common options:

sudo ./live -i eth0 -- -l . -S rules.rules

Example capturing from multiple interfaces:

sudo ./live -i eth0 -i wlan0 -- -l . -S rules.rules

Shutdown: each worker thread may call EngineStop when its capture ends; the main loop waits for this signal, performs SuricataShutdown concurrently with per-thread SCTmThreadsSlotPacketLoopFinish, then joins all worker threads before GlobalsDestroy.

The example supports up to 16 interfaces simultaneously.

Building Out of Tree

A Makefile.example has also been generated to use as an example on how to build against the library in a standalone application.

First build and install the Suricata library including:

make install-library

make install-headers

Then run:

make -f Makefile.example

If you installed to a non-standard location, you need to ensure that libsuricata-config is in your path, for example:

PATH=/opt/suricata/bin:$PATH make -f Makefile.example