Skip to main content

Version: 0.20.x

eve2pcap

eve2pcap is a utility program that converts Suricata EVE JSON records to PCAP files.

Usage

evebox util eve2pcap [OPTIONS] --output <output.pcap> <input-files>...

Where:

<input-files>... are one or more EVE JSON files containing Suricata events
--output <output.pcap> is the name of the PCAP file to create

Options

-o, --output <file> - Output PCAP file (required)
-P, --payload - Extract payload field instead of packet field
-h, --help - Print help information

Examples

Convert an EVE JSON file to PCAP:

evebox util eve2pcap --output output.pcap /var/log/suricata/eve.json

Extract payload field instead of packet field:

evebox util eve2pcap --payload --output output.pcap /var/log/suricata/eve.json

Notes

The eve2pcap utility only converts flow records that contain packet data or payload data. Events without packet or payload data will be skipped.

Usage
Options
Examples
Notes