Suricata can process a saved packet capture in offline replay mode when a rule change or sensor build needs the same traffic more than once. A small known pcap lets the engine inspect repeatable packets and produce alert evidence without waiting for live traffic or changing a production capture interface.
The -r option reads a pcap file in offline mode, -l writes output into a selected directory, and -S loads only the supplied test rules for that run. Keeping those controls together separates the replay logs from the service's normal files and keeps a lab signature from mixing with the full production ruleset.
Use a copied lab capture that contains traffic the test rule is expected to match. A capture named replay-test.pcap with the string uid=0(root) in a TCP payload gives fast.log and eve.json the same local signature to check.
$ mkdir suricata-pcap-test
$ cd suricata-pcap-test
$ cp ~/captures/replay-test.pcap ./replay-test.pcap
The local rule expects uid=0(root) inside a TCP payload. Replace the capture and rule as a pair when testing a different known signal.
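When no lab capture with the expected payload is at hand, a minimal one can be built directly. The script below is an added example, not code from the page or from the Suricata project: it writes a one-packet pcap (Ethernet/IPv4/TCP) whose payload carries the string the local rule matches, using the endpoints shown in the replay output above, and it recomputes both header checksums so the capture replays cleanly whether or not -k none is used. The payload bytes, MAC addresses, sequence numbers and IP id are constructed values.

```python
"""Build a minimal one-packet pcap carrying a known TCP payload for Suricata -r replay (added example)."""
import socket
import struct

# Constructed test values: the payload the local rule expects, and the endpoints
# shown in the replay output (198.51.100.23:4444 -> 10.20.30.40:80).
PAYLOAD = b"uid=0(root) gid=0(root) groups=0(root)\n"
SRC_IP, SRC_PORT = "198.51.100.23", 4444
DST_IP, DST_PORT = "10.20.30.40", 80


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: ones' complement of the ones' complement 16-bit sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int) -> bytes:
    """20-byte IPv4 header, no options, protocol 6 (TCP), DF set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_segment(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """20-byte TCP header (PSH|ACK) plus payload; checksum covers the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0x2000, 5 << 4, 0x18, 8192, 0, 0)
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, 6, len(hdr) + len(payload)))
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def build_replay_pcap(payload: bytes = PAYLOAD, src: str = SRC_IP, dst: str = DST_IP,
                      sport: int = SRC_PORT, dport: int = DST_PORT) -> bytes:
    """Return a complete pcap (little-endian magic, link type 1 = Ethernet) holding one frame."""
    tcp = tcp_segment(src, dst, sport, dport, payload)
    eth = struct.pack("!6s6sH", b"\x02\x00\x00\x00\x00\x02", b"\x02\x00\x00\x00\x00\x01", 0x0800)
    frame = eth + ipv4_header(src, dst, len(tcp)) + tcp
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record_hdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return global_hdr + record_hdr + frame


def checksums_valid(pcap: bytes) -> bool:
    """Recompute the IPv4 and TCP checksums of the single frame; both fold to zero when correct.
    A capture that passes this check does not need -k none to reach detection."""
    frame = pcap[24 + 16:]
    ip, tcp = frame[14:34], frame[34:]
    tcp_len = struct.unpack("!H", ip[2:4])[0] - 20
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, tcp_len)
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0


if __name__ == "__main__":
    data = build_replay_pcap()
    with open("replay-test.pcap", "wb") as fh:
        fh.write(data)
    print(f"wrote replay-test.pcap: {len(data)} bytes, checksums ok: {checksums_valid(data)}")
```

Run it in the lab directory in place of the cp step; the resulting replay-test.pcap drops into the same suricata -r command. Because the checksums are valid, a run without -k none is also a usable test of the engine's checksum path.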
$ cat > local-pcap-test.rules <<'EOF'
alert tcp any any -> any any (msg:"LOCAL PCAP replay test payload"; content:"uid=0(root)"; sid:9000001; rev:1;)
EOF
Use a local sid value that does not collide with production rules. This one-rule file keeps the replay focused on the packet and output path being tested.
$ mkdir replay-logs
$ suricata -r replay-test.pcap -l replay-logs -S local-pcap-test.rules -k none
i: suricata: This is Suricata version 8.0.3 RELEASE running in USER mode
i: threads: Threads created -> RX: 1 W: 8 FM: 1 FR: 1 Engine started.
i: suricata: Signal Received. Stopping engine.
i: pcap: read 1 file, 1 packets, 149 bytes
-k none disables checksum validation for this replay, which avoids false misses when a capture was made on a host with checksum offload. Leave checksum validation enabled when checksum correctness is part of the test.
$ ls replay-logs
eve.json  fast.log  stats.log  suricata.log
$ cat replay-logs/fast.log
06/25/2026-07:52:03.000000 [**] [1:9000001:1] LOCAL PCAP replay test payload [**] [Classification: (null)] [Priority: 3] {TCP} 198.51.100.23:4444 -> 10.20.30.40:80
$ jq -r 'select(.event_type=="alert") | [.alert.signature_id, .alert.signature, .src_ip, .dest_ip, .proto] | @tsv' replay-logs/eve.json
9000001	LOCAL PCAP replay test payload	198.51.100.23	10.20.30.40	TCP
Matching fast.log and eve.json output confirms that the replay reached detection and both alert outputs.
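Comparing the two outputs by eye works for one packet; for a repeatable check the comparison can be scripted. The following is an added example, not code from the page or from Suricata: it parses fast.log lines with a regular expression, keeps only event_type "alert" records from eve.json, and reports success only when the expected sid appears in both files with the same source, destination and protocol. The embedded sample lines are constructed to match the replay output shown above, plus one non-alert flow record to exercise the filter.

```python
"""Cross-check a Suricata replay: the expected sid must alert in fast.log and eve.json with
matching endpoints (added example)."""
import json
import re
import sys

# Constructed sample output modelled on the replay above: one alert, one flow record.
FAST_LOG = """\
06/25/2026-07:52:03.000000 [**] [1:9000001:1] LOCAL PCAP replay test payload [**] [Classification: (null)] [Priority: 3] {TCP} 198.51.100.23:4444 -> 10.20.30.40:80
"""

EVE_JSON = """\
{"timestamp":"2026-06-25T07:52:03.000000+0000","event_type":"alert","src_ip":"198.51.100.23","src_port":4444,"dest_ip":"10.20.30.40","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"LOCAL PCAP replay test payload","severity":3}}
{"timestamp":"2026-06-25T07:52:03.000000+0000","event_type":"flow","src_ip":"198.51.100.23","src_port":4444,"dest_ip":"10.20.30.40","dest_port":80,"proto":"TCP"}
"""

# fast.log layout: <ts> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
# Ports are optional so ICMP lines (no port) still parse.
FAST_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>\S+?)(?::(?P<sport>\d+))? -> (?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)


def parse_fast(text: str) -> set:
    """Return {(sid, src_ip, dest_ip, proto)} from fast.log; lines that do not parse are skipped."""
    alerts = set()
    for line in text.splitlines():
        m = FAST_RE.search(line)
        if m:
            alerts.add((int(m["sid"]), m["src"], m["dst"], m["proto"]))
    return alerts


def parse_eve(text: str) -> set:
    """Return the same tuple set from eve.json, keeping only event_type == "alert" records."""
    alerts = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated line (engine stopped mid-write) must not abort the check
        if ev.get("event_type") == "alert":
            alerts.add((ev["alert"]["signature_id"], ev["src_ip"], ev["dest_ip"], ev["proto"]))
    return alerts


def replay_verified(fast_text: str, eve_text: str, expected_sid: int) -> bool:
    """True only when expected_sid alerted in both outputs and the endpoint tuples agree."""
    in_fast = {a for a in parse_fast(fast_text) if a[0] == expected_sid}
    in_eve = {a for a in parse_eve(eve_text) if a[0] == expected_sid}
    return bool(in_fast) and in_fast == in_eve


if __name__ == "__main__":
    # Usage: python3 check_replay.py replay-logs 9000001   (falls back to the embedded sample)
    if len(sys.argv) == 3:
        logdir, sid = sys.argv[1], int(sys.argv[2])
        fast = open(f"{logdir}/fast.log").read()
        eve = open(f"{logdir}/eve.json").read()
    else:
        fast, eve, sid = FAST_LOG, EVE_JSON, 9000001
    ok = replay_verified(fast, eve, sid)
    print(f"sid {sid} verified in both outputs: {ok}")
    sys.exit(0 if ok else 1)
```

The non-zero exit status makes the check usable as a gate in a rule-update pipeline: the replay is re-run against the saved capture, and a missing or mismatched alert fails the job.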
$ rm -rf replay-logs local-pcap-test.rules replay-test.pcap
Run the cleanup from the lab directory only. The command removes the copied pcap, the local test rule, and the replay logs in the current directory.