Hello Together
What is the best way to use the Pcap logs? How do I find out which Pcap log contains the packets for an alert?
I use Suricata 5.0.4_1 on pfSense
I am new to Suricata
thanks and best regards
There is no way at this time to easily jump from an alert to its location in a pcap. The feature, mainly the pcap logging feature, is quite independent of the other features and is more a feature to remove the requirement of needing another tool to perform pcap logging to disk.
You’d still need to take the 5 tuple and timestamp from an alert and search your pcaps.
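The manual search described in the answer (take the 5-tuple and timestamp from the alert, then look through the pcap-log files) can be scripted. The following is an added example written for this thread; it is not code from the forum post, from Suricata or from pfSense. It assumes the alert comes from an EVE JSON record (fields `timestamp`, `src_ip`, `src_port`, `dest_ip`, `dest_port`, `proto`) and that the pcap-log files are classic libpcap files with Ethernet link type, which Suricata's pcap-log produces by default. The pcap bytes and the alert record are constructed inline so the script runs offline; no third-party library is needed because the classic pcap format is parsed by hand.

```python
"""Locate the packets behind a Suricata EVE alert inside a pcap-log file (added example)."""
import struct
import socket
from datetime import datetime

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
PROTO_NUM = {"TCP": 6, "UDP": 17}  # EVE "proto" string -> IP protocol number


def build_frame(src_ip, dst_ip, proto, sport, dport):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame (zeroed MACs and checksums)."""
    if proto == "TCP":
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, PROTO_NUM[proto],
                     0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4


def write_pcap(records):
    """records: iterable of (epoch_seconds_float, frame_bytes) -> pcap file bytes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield (timestamp, frame) for every record of a classic Ethernet pcap."""
    magic = struct.unpack("<I", data[:4])[0]
    end = "<" if magic == PCAP_MAGIC else ">" if magic == 0xD4C3B2A1 else None
    if end is None:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET is handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1_000_000, data[off:off + incl]
        off += incl


def parse_5tuple(frame):
    """(src_ip, dst_ip, proto_num, sport, dport) or None if not IPv4 TCP/UDP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    if proto not in (6, 17):
        return None
    l4 = frame[14 + ihl:]
    if len(l4) < 4:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), proto, sport, dport


def alert_time(alert):
    """EVE timestamp such as 2021-03-02T10:15:32.500000+0000 -> epoch seconds."""
    return datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()


def pcap_covers(data, alert, slack=1.0):
    """True if this file's first..last record span includes the alert time.
    Run this over each pcap-log file to pick the one(s) worth opening."""
    stamps = [ts for ts, _ in iter_pcap(data)]
    return bool(stamps) and stamps[0] - slack <= alert_time(alert) <= stamps[-1] + slack


def find_alert_packets(data, alert, window=2.0):
    """Record indices whose 5-tuple matches the alert flow in either direction
    within +/- window seconds of the alert timestamp."""
    t, proto = alert_time(alert), PROTO_NUM[alert["proto"]]
    fwd = (alert["src_ip"], alert["dest_ip"], proto, alert["src_port"], alert["dest_port"])
    rev = (alert["dest_ip"], alert["src_ip"], proto, alert["dest_port"], alert["src_port"])
    return [i for i, (ts, frame) in enumerate(iter_pcap(data))
            if abs(ts - t) <= window and parse_5tuple(frame) in (fwd, rev)]


# Constructed sample data: field names follow an EVE alert record, values are made up.
SAMPLE_ALERT = {"timestamp": "2021-03-02T10:15:32.500000+0000", "event_type": "alert",
                "src_ip": "192.0.2.10", "src_port": 51234,
                "dest_ip": "198.51.100.5", "dest_port": 80, "proto": "TCP"}
_T0 = alert_time(SAMPLE_ALERT)
SAMPLE_PCAP = write_pcap([
    (_T0 - 30.0, build_frame("192.0.2.11", "198.51.100.5", "TCP", 40000, 443)),  # unrelated flow
    (_T0 - 0.4, build_frame("192.0.2.10", "198.51.100.5", "TCP", 51234, 80)),    # client -> server
    (_T0 - 0.3, build_frame("198.51.100.5", "192.0.2.10", "TCP", 80, 51234)),    # server -> client
    (_T0 + 0.1, build_frame("192.0.2.10", "198.51.100.7", "UDP", 51234, 53)),    # same port, other flow
    (_T0 + 25.0, build_frame("192.0.2.10", "198.51.100.5", "TCP", 51234, 80)),   # right flow, too late
])

if __name__ == "__main__":
    print("pcap covers alert time:", pcap_covers(SAMPLE_PCAP, SAMPLE_ALERT))
    print("matching record indices:", find_alert_packets(SAMPLE_PCAP, SAMPLE_ALERT))
```

In practice you would read each pcap-log file from disk, call `pcap_covers` to discard files whose time span does not include the alert, and then run `find_alert_packets` on the remaining file(s); the matching record indices can be handed to a packet viewer for inspection. The time window is needed because the alert timestamp is set when the rule matches, which can be some packets after the flow started.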