Flow_ID_Duplicated

Hello All,
I’m working on a project where I analyze pcap files using Suricata offline. After converting the eve.json file into CSV, I noticed that Suricata duplicated the flow ID across many flows with the same five-tuple but different packet counts. I was waiting for individual flow IDs so I could extract flows of interest. Do you know how Suricata defines flow IDs and why this is happening?
I appreciate any help you can provide.

Hi @zakaria_zakaria !

> I noticed that Suricata duplicated the flow ID across many flows with the same five-tuple but different packet counts.

That sounds about right. All the packets (hence the different packet counts) with the same five-tuple should belong to the same flow.
A very good read about how Suricata does flows and flow IDs is an old post by our lead dev: Suricata Flow Logging | Inliniac

Please let me know if you intended to ask something else.

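Added example (not from this thread or the Suricata project) showing what the answer means in practice: several eve.json records (alert, http, flow) for one five-tuple all carry the same flow_id, and grouping by flow_id, rather than treating each CSV row as a flow, is how you pull out the flows of interest. The eve.json lines are constructed sample data, and the direction-independent five-tuple check is an assumption about how alert records are logged (in the direction of the triggering packet).

```python
import json
from collections import defaultdict

# Constructed eve.json records (not real Suricata output). Flow 1111 produces an
# alert, an http record and the closing flow record; flow 2222 only a flow record.
# Same flow_id, different packet counters: this looks like "duplicated" IDs in CSV.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2024-01-01T10:00:00.000001+0000","flow_id":1111,"event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"192.0.2.10","dest_port":80,'
    '"proto":"TCP","alert":{"signature_id":1000001,"signature":"CONSTRUCTED test rule"},'
    '"flow":{"pkts_toserver":3,"pkts_toclient":2}}',
    '{"timestamp":"2024-01-01T10:00:00.000500+0000","flow_id":1111,"event_type":"http",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"192.0.2.10","dest_port":80,'
    '"proto":"TCP","http":{"hostname":"example.invalid","url":"/","http_method":"GET"}}',
    '{"timestamp":"2024-01-01T10:00:05.000000+0000","flow_id":1111,"event_type":"flow",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"192.0.2.10","dest_port":80,'
    '"proto":"TCP","flow":{"pkts_toserver":7,"pkts_toclient":6,"state":"closed"}}',
    '{"timestamp":"2024-01-01T10:00:06.000000+0000","flow_id":2222,"event_type":"flow",'
    '"src_ip":"10.0.0.7","src_port":40000,"dest_ip":"192.0.2.53","dest_port":53,'
    '"proto":"UDP","flow":{"pkts_toserver":1,"pkts_toclient":1,"state":"established"}}',
])

def five_tuple(rec):
    """Direction-independent five-tuple. Alert records are logged in the direction
    of the triggering packet (assumption), so the endpoints are sorted first."""
    ends = sorted([(rec["src_ip"], rec["src_port"]), (rec["dest_ip"], rec["dest_port"])])
    return (rec["proto"], ends[0], ends[1])

def group_by_flow(eve_text):
    """Group eve.json lines by flow_id and verify each group is one five-tuple."""
    groups = defaultdict(list)
    for line in filter(str.strip, eve_text.splitlines()):
        rec = json.loads(line)
        groups[rec["flow_id"]].append(rec)
    for fid, recs in groups.items():
        if len({five_tuple(r) for r in recs}) != 1:
            raise ValueError(f"flow_id {fid} spans more than one five-tuple")
    return dict(groups)

def flows_with_alerts(groups):
    """flow_id -> (signature IDs, total packets from the flow record) for alerted flows."""
    out = {}
    for fid, recs in groups.items():
        sigs = sorted(r["alert"]["signature_id"] for r in recs if r["event_type"] == "alert")
        flow = next((r for r in recs if r["event_type"] == "flow"), None)
        if sigs:
            total = flow["flow"]["pkts_toserver"] + flow["flow"]["pkts_toclient"] if flow else None
            out[fid] = (sigs, total)
    return out
```

To run this on a real capture, replace SAMPLE_EVE with the contents of eve.json; the flow record's counters are the authoritative packet counts for the flow, while the counters on an alert record only reflect the flow's state at the moment the alert fired.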