A question regarding packets de-duplication

xifeng · March 7, 2024, 7:41am

Suricata 7.0.2

Operating system debian

installed Suricata from source

We use tcpreplay to replay the same pcap packet to Suricata multiple times at a speed of 5MB/s, and we’ve found that when continuously replaying the same packets, Suricata does not output all alerts. For example, if A.pcap is played only once, it will generate 10 alerts, but if replayed 3 times with 5MB/s, it might only result in 15 ~ 16 alerts.
My question is, does Suricata have a mechanism that, when faced with the above situation, uses the 5-tuples to determine they belong to the same packet and then bypasses/de-duplicate them?

Andreas_Herz · April 25, 2024, 8:03pm

This highly depends on the type of traffic and how it’s replayed. Since it’s always the same traffic there can be some overlap. Can you provide the pcaps, the runcommand for tcpreplay as well as suricata, the suricata.yaml and also the stats.log and signatures?

Also check the flow event types if they correlate to what you would expect.

Topic		Replies	Views
Packets dropping or not Help	1	317	September 9, 2021
Application detection and duplicate TCP/SYN Help	6	1016	September 1, 2022
Pcap_cnt and fragmented packets Help	1	201	December 12, 2023
Dpdk packet loss Help suricata , dpdk	8	319	February 26, 2024
Delayed event logs in live capture mode Help suricata	4	475	June 21, 2022

A question regarding packets de-duplication

Related Topics