Need help in understanding "timestamp" field in "flow" event type of eve.json

aanand · August 14, 2023, 12:00am

Hi all, I need some help in understanding the meaning of “timestamp” field of flow event types in eve.json output of Suricata. What does this timestamp represent? I noticed that “timestamp” is different from “start” and “end” of the flow. In some cases, the value of timestamps are before the start of flow, in other cases, timestamps are after the start of flow. In some cases, I also observed the timestamp is 1970-01-01T00:00:00.000000+0000 (which i guessed could be because suricata is somehow reading unix timestamp 0).
Any help in understanding this is much appreciated.

Thanks

Jeff_Lucovsky · August 25, 2023, 2:41pm

The timestamp in flow records corresponds to the wall clock time when Suricata ingests packets from a “live” data source, e.g, using eth0 or equivalent.

When Suricata ingests packets fro a pcap, the timestop will correspond to the timestamp of packet being processed by suricata.

Topic		Replies	Views
Eve.json only shows "event_type":"flow" Help	7	1594	October 22, 2020
Rules and log files	1	1029	November 28, 2023
Help Needed ! Suricata drops - ,"metadata":{"flowints":{"http.anomaly.count":1}}, Rules ips , rules	5	277	October 7, 2023
IPS: dropped packets with no `signature_id` and questions about the flow event Help	9	862	February 28, 2022
Eve.json windows timestamp field has "Eastern Daylight Time" appended to timestamp Help	22	3208	June 22, 2020

Need help in understanding "timestamp" field in "flow" event type of eve.json

Related topics