How to create pcap with packet:payload fields (eve.json)

I receive alerts in Eve JSON Format, but in some cases i need to export some suspicious alerts to pcap file.
As you know in this format there are some fields like packet, payload, linktype to generate pcap, But i didn’t find any tutorial about it.

Sample alert in eve json format:

    "alert": {
        "action": "allowed",
        "category": "Attempted Administrator Privilege Gain",
        "gid": 1,
        "metadata": {
            "attack_target": [
            "created_at": [
            "cve": [
            "deployment": [
            "former_category": [
            "signature_severity": [
            "tag": [
            "updated_at": [
        "rev": 1,
        "severity": 1,
        "signature": "ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (Outbound) (CVE-2021-44228)",
        "signature_id": 2034759
    "app_proto": "http",
    "dest_ip": "",
    "dest_port": 80,
    "event_type": "alert",
    "flow": {
        "bytes_toclient": 1762,
        "bytes_toserver": 14542,
        "pkts_toclient": 16,
        "pkts_toserver": 15,
        "start": "2021-12-25T17:21:18.082863+0100"
    "flow_id": 1915201646904239,
    "host": "sqi",
    "http": {
        "hostname": "",
        "http_method": "GET",
        "http_refer": "https://${jndi:ldap://}",
        "http_user_agent": "${jndi:ldap://}",
        "length": 0,
        "protocol": "HTTP/1.1",
        "url": "/?",
        "xff": "${jndi:ldap://}"
    "in_iface": "ens192",
    "metadata": {
        "flowbits": [
    "packet": "....QAfYP6AAAAQEICjfnaB7TeavLAQEFCvBlMN7wZTDf...",
    "packet_info": {
        "linktype": 1
    "proto": "TCP",
    "src_ip": "",
    "src_port": 15374,
    "stream": 1,
    "timestamp": "2021-12-25T17:21:18.141116+0100"

I’m looking for something like this link but (i think) it works with unified format not eve_json.

You could use the “packet” in the eve log and something like FlowSynth to recreate a tcp stream with the same payload.

Dear @ish
I checked eve2pcap again and i found it seems that’s what i looking for,
But i some cases (maybe large payloads), “stream” field is 1, how can i generate whole packet as a pcap file? because in this case eve2pcap just create a tcp packet without payload

and --payload option just create a raw packet without phy layer:

These are the current options at this time. In IDS mode, the packet isn’t that useful. It is usually not the packet that triggered the alert, so not of much use. And the payload is just the payload, so we have to fake out the headers with what we know from the eve record.

1 Like

But the packet has Ethernet layer and payload not, and also payload is not available in all alerts!
am i wrong?

Interesting Topic as I came back on Monday and over the weekend there was some traffic that triggered an alert that I have been curious about.

And although the packet might not be that useful pcaps are things that can be shared all around. Also I like to see the events in question (and associated events) in wireshark (or similar)

Aside from Suricata we are using Wazuh as SIEM and potential SOAR (with active response: Active response - Capabilities · Wazuh documentation) tool.Catch suspicious network traffic - Learning Wazuh
Wazuh seems to have ability to trigger tcpdump command based on alerts. Not sure how heavy this will be, but something I am looking into.

This seems to be promising: Configuration - Active response · Wazuh documentation