Packet detection differs depending on whether to_client or to_server is used. Taking “stream_size:server,=,284” as the comparison case, frame 17 is detected when to_client is used, because the server's cumulative sequence count reaches 284 at frame 17. With to_server, frame 18 is detected instead. In TCP, the ACK number reflects the peer's sequence number, so in frame 18 the server's sequence value of 284 appears as the ACK. Because the rule's direction is to_server, frame 18 is the one detected.
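The direction effect described above can be reproduced with a small model. This is an added example, not Suricata code or code from the original page: the seven-frame trace, the ISNs and the names `Frame`, `TRACE` and `first_match` are constructed for illustration, and the size calculation (next sequence minus ISN) is a simplified assumption about how the server's stream size is counted.

```python
from dataclasses import dataclass

@dataclass
class Frame:
    no: int          # frame number in the constructed trace
    src: str         # "client" or "server"
    seq: int         # absolute TCP sequence number
    ack: int         # absolute TCP acknowledgment number
    length: int      # payload bytes
    syn: bool = False

SERVER_ISN = 5000    # constructed value
# Constructed trace: handshake, a 120-byte request, a 283-byte response, final ACK.
TRACE = [
    Frame(1, "client", 1000, 0, 0, syn=True),
    Frame(2, "server", SERVER_ISN, 1001, 0, syn=True),
    Frame(3, "client", 1001, 5001, 0),
    Frame(4, "client", 1001, 5001, 120),
    Frame(5, "server", 5001, 1121, 0),
    Frame(6, "server", 5001, 1121, 283),   # server size becomes 284
    Frame(7, "client", 1121, 5284, 0),     # ACK carries the server's 284
]

def first_match(trace, direction, size):
    """First frame travelling in `direction` at which the server's
    stream size (next_seq - ISN) equals `size`, or None if no frame matches.
    Sequence-number wraparound is ignored in this simplified model."""
    isn, next_seq = {}, {}
    for f in trace:
        if f.syn:
            isn[f.src] = f.seq
        if f.src in isn:
            # A SYN consumes one sequence number in addition to any payload.
            end = f.seq + f.length + (1 if f.syn else 0)
            next_seq[f.src] = max(next_seq.get(f.src, end), end)
        going = "to_server" if f.src == "client" else "to_client"
        if going != direction or "server" not in isn:
            continue
        if next_seq["server"] - isn["server"] == size:
            return f.no
    return None

if __name__ == "__main__":
    for direction in ("to_client", "to_server"):
        print(direction, "-> frame", first_match(TRACE, direction, 284))
```

In this trace the to_client variant reports the server's data frame and the to_server variant reports the client's following ACK, the same one-frame offset as frames 17 and 18 above.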
Specifying a direction can make detection clearer than leaving it unspecified. However, it is difficult to assume that the choice between the two directions by itself affects performance, because the performance impact is mainly determined by specifying a distinctive string, such as with fast_pattern (MPM).