Inaccurate flow information about a conversation

Hi there,

Thank you in advance!

I used a simple PCAP file to test and inspect the flow event from the eve.json log.
But I noticed there was asymmetric information compared with the same conversation in Wireshark.
The output flow info is as follows, and I'm pretty sure that there are no other flow events related to the same IP pair.

{"timestamp":"2021-08-27T13:00:49.565747+0800","flow_id":2251211159079321,"in_iface":"eno1","event_type":"flow","src_ip":"135.192.213.9","src_port":59853,"dest_ip":"143.41.37.190","dest_port":23,"proto":"TCP","flow":{"pkts_toserver":2,"pkts_toclient":2,"bytes_toserver":120,"bytes_toclient":120,"start":"2021-08-27T13:00:35.952729+0800","end":"2021-08-27T13:00:36.053011+0800","age":1,"state":"new","reason":"shutdown","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}

And the same conversation in Wireshark is as follows; please notice that the packet counts for both directions are greater than the ones from the above piece of log.

Can you share the pcap?

0000005327.pcap (4.0 KB)
Thanks, I've uploaded the pcap file.
Besides this pcap file, I found there are other pcaps that meet the same situation when replaying the packets via Tcpreplay.

Figured it was because of something wrong with the Tcpreplay tool that I used. Sorry.

But I found Suricata would drop packets marked with the issue 'IPv4 total length exceeds packet length' displayed in Wireshark.
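To reproduce the discrepancy described in this thread offline, here is an added example (not code from the thread or from the Suricata project). It builds a small constructed pcap for the same 5-tuple as the eve record above, in which one packet per direction carries an IPv4 total length larger than the bytes actually captured, the condition Wireshark labels "IPv4 total length exceeds packet length". The checker counts packets per direction the way a flow engine that rejects such malformed packets would, reports the rejected ones separately, and compares the result with the flow event. The frame builder, pcap writer and the telnet payloads are constructed for this example; the eve line is the record from the first post with straight quotes.

```python
import json
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4   # little-endian pcap, microsecond timestamps
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
SYN, SYNACK, ACK, PSHACK, FINACK = 0x02, 0x12, 0x10, 0x18, 0x11


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b"", claimed_total_len=None):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; irrelevant for length checks).
    claimed_total_len overrides the IPv4 total length field to emulate a capture whose IP
    header promises more bytes than the pcap record actually contains."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    total_len = 20 + len(tcp) if claimed_total_len is None else claimed_total_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)   # zero MACs, IPv4 ethertype
    return eth + ip + tcp


def build_pcap(frames, base_ts=1630040435):
    """Minimal pcap writer: global header (linktype 1 = Ethernet) plus one record per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", base_ts, i * 1000, len(frame), len(frame)) + frame
    return out


def iter_frames(data):
    """Yield the captured bytes of each pcap record."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    offset = 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def ipv4_total_length_ok(frame):
    """False when the IPv4 total length claims more bytes than the frame carries past the
    Ethernet header: Wireshark flags this as 'IPv4 total length exceeds packet length', and
    the thread reports that Suricata does not account such packets in the flow."""
    total_len, = struct.unpack_from("!H", frame, 14 + 2)
    return total_len <= len(frame) - 14


def direction(frame, src_ip, src_port, dst_ip, dst_port):
    """'toserver', 'toclient', or None if the frame is not TCP on the given 5-tuple."""
    if len(frame) < 38 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 4:
        return None
    s, d = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    if (s, sport, d, dport) == (src_ip, src_port, dst_ip, dst_port):
        return "toserver"
    if (s, sport, d, dport) == (dst_ip, dst_port, src_ip, src_port):
        return "toclient"
    return None


def flow_stats(pcap, src_ip, src_port, dst_ip, dst_port):
    """Per-direction counters for the valid packets, plus the malformed ones counted apart.
    pkts_* + invalid_* is what Wireshark's conversation view would show."""
    stats = {"pkts_toserver": 0, "pkts_toclient": 0, "bytes_toserver": 0, "bytes_toclient": 0,
             "invalid_toserver": 0, "invalid_toclient": 0}
    for frame in iter_frames(pcap):
        d = direction(frame, src_ip, src_port, dst_ip, dst_port)
        if d is None:
            continue
        if not ipv4_total_length_ok(frame):
            stats["invalid_" + d] += 1
            continue
        stats["pkts_" + d] += 1
        stats["bytes_" + d] += len(frame)   # whole captured frame, link layer included
    return stats


def compare_with_eve(eve_line, stats):
    """Return the packet counters on which the eve flow record and the pcap disagree."""
    flow = json.loads(eve_line)["flow"]
    return {k: (flow[k], stats[k]) for k in ("pkts_toserver", "pkts_toclient") if flow[k] != stats[k]}


# Constructed capture: three packets each way; the two data packets overstate the IP length.
C, S = "135.192.213.9", "143.41.37.190"
SAMPLE_PCAP = build_pcap([
    build_frame(C, S, 59853, 23, SYN),
    build_frame(S, C, 23, 59853, SYNACK),
    build_frame(C, S, 59853, 23, ACK),
    build_frame(S, C, 23, 59853, PSHACK, b"Welcome\r\n", claimed_total_len=200),
    build_frame(C, S, 59853, 23, PSHACK, b"quit\r\n", claimed_total_len=200),
    build_frame(S, C, 23, 59853, FINACK),
])
# The flow event from the first post (straight quotes).
SAMPLE_EVE = ('{"timestamp":"2021-08-27T13:00:49.565747+0800","flow_id":2251211159079321,'
              '"in_iface":"eno1","event_type":"flow","src_ip":"135.192.213.9","src_port":59853,'
              '"dest_ip":"143.41.37.190","dest_port":23,"proto":"TCP","flow":{"pkts_toserver":2,'
              '"pkts_toclient":2,"bytes_toserver":120,"bytes_toclient":120,'
              '"start":"2021-08-27T13:00:35.952729+0800","end":"2021-08-27T13:00:36.053011+0800",'
              '"age":1,"state":"new","reason":"shutdown","alerted":false},'
              '"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}')

if __name__ == "__main__":
    st = flow_stats(SAMPLE_PCAP, C, 59853, S, 23)
    print(st)
    print("mismatches vs eve:", compare_with_eve(SAMPLE_EVE, st))
```

Run against the constructed capture, the valid counts are 2 packets each way, matching the eve record, while one packet per direction is reported under `invalid_*`; adding the two gives the 3 + 3 that a Wireshark conversation view would show, which is the asymmetry the first post describes. Pointing `iter_frames` at a real capture (read the file in binary mode) lets you check whether the packets missing from a flow event are the ones Wireshark flags, before suspecting the replay tool.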