Delayed event logs in live capture mode

Hi, I am using Suricata to capture traffic on a network interface. When I tried to replay a pcap (containing 2 TCP sessions) with tcpreplay, only the events from the first session were logged; the events from the second session were delayed by about 2 or 3 minutes. I realized that they came out at the same time as the flow event log. I couldn't find out the reason.
Can you explain this behaviour to me and how to handle it?
Thanks.

Hi – welcome to the community!

What version of Suricata are you using?

What command are you using to start Suricata?

You’re using tcpreplay to inject packets onto the network – are you doing this from the same system on which Suricata is running?

Hi, Thanks for your response.
I'm currently using Suricata 6.2.0.
The command I used was `suricata -c suricata.yaml -i ens33 -v`, where ens33 is my network interface.
And I'm running tcpreplay on the same machine.

Could it be that the TCP session is never properly closed? Try running your tests again but with a shorter active timeout in your Suricata config.

Yes, it turns out that my HTTP request didn't get any response (it didn't make a complete transaction), and that caused it to be skipped until it was reassembled when the flow timed out.

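For reference, this is the part of suricata.yaml the reply above is pointing at. The fragment is an added example for a lab setup and is not taken from the original posts; the numbers on the left are Suricata's shipped defaults (in seconds), and the shortened values on the right are assumptions chosen so that a half-open TCP flow, such as an HTTP request that never gets a reply, is timed out and its pending events flushed within seconds rather than minutes.

```yaml
# Added example: flow timeouts for a replay/test box, not a production setting.
# Suricata keys its flow timeouts by protocol; "established" is the value that
# governs how long a TCP flow that never closes stays alive before it is timed
# out, reassembled and logged (the "2 or 3 minutes" seen in the thread).
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
    emergency-bypassed: 50
  tcp:
    new: 60            # default 60: time to wait for a handshake to complete
    established: 15    # default 600: assumption, lowered so an unanswered request is flushed fast
    closed: 5          # default 60: assumption, how long a closed flow lingers
    bypassed: 100
    emergency-new: 5
    emergency-established: 100
    emergency-closed: 10
    emergency-bypassed: 50
```

After editing, restart Suricata with the same `-c suricata.yaml -i ens33 -v` command and replay the pcap again; the second session's events should now appear shortly after the shortened established timeout instead of at the old flow-expiry time. Keep the low values confined to test systems: on a real link a short established timeout splits long-lived connections into multiple flows, which changes flow logging and can hide activity that spans those boundaries.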