Pcap_cnt and fragmented packets

shisha · November 1, 2023, 3:22pm

Suricata version: 6.0.13

Ubuntu 20.04

Installed through debian packages

When trying to correlate Suricata alerts to packets with the pcap I noticed that the reported pcap_cnt exceeds that of the number of packets within the pcap. I am concerned with this being due to packet reconstruction of fragmented packets and the pcap_cnt incrementing in response. Is this a correct assumption and if so is there a way to return the pcap_cnt without that incrementation? If this assumption is incorrect then is there documentation I could be directed to in order to understand the misalignment of pcap_cnt and packet number?

Cheers

Andreas_Herz · December 12, 2023, 8:53pm

Do you run this on pcaps and if so, how do you run it?
Ideally an example so we could reproduce and debug it.

Topic		Replies	Views
A question regarding packets de-duplication Help suricata	1	66	April 25, 2024
Suricata can't parse http packet Help	2	578	January 23, 2022
Packets dropping or not Help	1	314	September 9, 2021
Application detection and duplicate TCP/SYN Help	6	1012	September 1, 2022
Suricata http traffic parse exception in mirror traffic Help	5	764	January 25, 2022

Pcap_cnt and fragmented packets

Related Topics