OpenFPC
[Snorby] extract pcap takes 10 minutes
Hello,
When trying to get a pcap with OpenFPC from Snorby, I have to wait 10 minutes before the pcap is ready to be extracted. Is there a way to speed this process up?
regards.
When you say wait until it's ready to be extracted - do you mean the extract takes 10 minutes? If so, this could well be the case in a large deployment (lots of data), but it doesn't always have to be that way.
Searching over a large number of pcap files takes time, so the longer the time window you're asking for, the more data has to be searched. There are also tweaks that you can make to the size of the pcap files that are created. Send me the relevant syslog output from when a search takes place and perhaps I can provide some advice.
Hello, thanks for your reply.
When I say 10 minutes, it's the time I have to wait until a pcap with packets is provided by OpenFPC.
Before the 10 minutes, if I try to get a pcap, I get an empty pcap file.
I am trying to set 1 GB instead of 2 GB in the OpenFPC configuration file.
I'll tell you if it speeds up the pcap generation.
Regards.
Perhaps look at npcapindex from the n2disk project. It creates a bitmap-based index of the pcap, greatly accelerating the extraction process.
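To illustrate the point made in the first reply (the wider the time window, the more pcap data has to be searched) and the indexing idea in the last one, here is an added example that is not OpenFPC's or n2disk's code: it indexes each pcap file in a spool once by its first and last packet timestamp, so a search only opens the files that overlap the requested window. The sample pcaps are constructed in memory; `PCAP_MAGIC`, `make_pcap`, `time_range`, `build_index` and `files_for_window` are names chosen for this example.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # little-endian classic pcap, microsecond timestamps


def make_pcap(timestamps):
    """Build a minimal pcap (constructed sample data) with one 4-byte packet per timestamp."""
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    buf = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts in timestamps:
        # per-packet header: ts_sec, ts_usec, incl_len, orig_len
        buf += struct.pack("<IIII", ts, 0, 4, 4) + b"\x00\x00\x00\x00"
    return buf


def time_range(data):
    """Return (first_ts, last_ts) of a pcap by walking every packet header once.
    An empty capture (header only) yields (None, None)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    off, first, last = 24, None, None
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        first = ts_sec if first is None else first
        last = ts_sec
        off += 16 + incl_len  # skip the packet payload
    return first, last


def build_index(spool):
    """spool: dict of file name -> pcap bytes. Index each file once; reuse for every search."""
    return {name: time_range(data) for name, data in spool.items()}


def files_for_window(index, start, end):
    """Only files whose [first, last] overlaps [start, end] need to be opened.
    Files with no packets yet (e.g. the one currently being written) are skipped."""
    return sorted(
        name for name, (first, last) in index.items()
        if first is not None and first <= end and last >= start
    )
```

The file that the capture daemon is still writing has to be re-indexed on every search, since its last timestamp keeps moving; a real index such as npcapindex avoids the full walk by storing per-packet bitmaps.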