- Suricata version: 6.0.13
- Ubuntu 20.04
- Installed through debian packages
When trying to correlate Suricata alerts to packets with the pcap, I noticed that the reported pcap_cnt exceeds the number of packets within the pcap. I am concerned that this is due to packet reconstruction of fragmented packets and the pcap_cnt incrementing in response. Is this a correct assumption, and if so, is there a way to return the pcap_cnt without that incrementation? If this assumption is incorrect, then is there documentation I could be directed to in order to understand the misalignment of pcap_cnt and packet number?
Cheers
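As an added example (not part of the original post or of Suricata's own code), the check below reads a classic pcap with the standard library only, parses EVE JSON alert lines, and reports for each alert whether its `pcap_cnt` lands on a packet whose capture time equals the alert's `timestamp`, is out of range for the file, or points at a packet with a different timestamp. The timestamp match is the fallback for locating the real packet when the counter cannot be trusted. It assumes `pcap_cnt` is a 1-based count of records read, the EVE timestamp format `%Y-%m-%dT%H:%M:%S.%f%z`, and a classic (not pcapng) capture; the pcap and EVE lines are constructed inline so it runs offline.

```python
import json
import struct
from datetime import datetime, timedelta, timezone

# Classic pcap magics: (endianness, fractional-second divisor to reach microseconds)
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", 1),      # little-endian, microsecond timestamps
    0xD4C3B2A1: (">", 1),      # big-endian, microsecond timestamps
    0xA1B23C4D: ("<", 1000),   # little-endian, nanosecond timestamps
    0x4D3CB2A1: (">", 1000),   # big-endian, nanosecond timestamps
}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def build_pcap(records):
    """Serialize (ts_sec, ts_usec, payload) tuples into a little-endian
    microsecond pcap. Only used to construct the sample input below."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for ts_sec, ts_usec, payload in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload)))
        out.append(payload)
    return b"".join(out)


def read_pcap(data):
    """Return [(record_number, capture_time_in_microseconds), ...] with
    record_number 1-based, i.e. the value a per-packet counter reaches there."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic not in PCAP_MAGICS:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    endian, divisor = PCAP_MAGICS[magic]
    packets, offset, number = [], 24, 0
    while offset + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16 + incl_len
        number += 1
        packets.append((number, ts_sec * 1_000_000 + ts_frac // divisor))
    return packets


def eve_timestamp_to_us(ts):
    """Convert a Suricata EVE timestamp string to integer microseconds since the epoch."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
    return (dt - EPOCH) // timedelta(microseconds=1)


def parse_alerts(eve_lines):
    """Keep only event_type == "alert" records; other EVE events carry no alert."""
    alerts = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        alerts.append({"sid": ev["alert"]["signature_id"],
                       "pcap_cnt": ev["pcap_cnt"],
                       "ts_us": eve_timestamp_to_us(ev["timestamp"])})
    return alerts


def correlate(alerts, packets):
    """For each alert decide whether pcap_cnt can be used directly, and always
    list the packet numbers whose capture time equals the alert timestamp."""
    by_time = {}
    for number, ts_us in packets:
        by_time.setdefault(ts_us, []).append(number)
    results = []
    for a in alerts:
        cnt = a["pcap_cnt"]
        if cnt < 1 or cnt > len(packets):
            status = "out_of_range"            # counter exceeds the file: cannot index by it
        elif packets[cnt - 1][1] == a["ts_us"]:
            status = "match"                   # pcap_cnt points at the packet with the alert's time
        else:
            status = "timestamp_mismatch"      # in range, but not the packet the alert was raised on
        results.append({"sid": a["sid"], "pcap_cnt": cnt, "status": status,
                        "by_timestamp": by_time.get(a["ts_us"], [])})
    return results


def demo():
    # Constructed sample: three packets at 1700000000 s (2023-11-14T22:13:20Z) + 100/200/300 us.
    pcap = build_pcap([(1700000000, 100, b"\x00" * 60),
                       (1700000000, 200, b"\x00" * 60),
                       (1700000000, 300, b"\x00" * 60)])
    # Constructed EVE lines: one correct counter, one past the end of the file, one off by two.
    eve = [
        '{"event_type":"flow","timestamp":"2023-11-14T22:13:20.000100+0000","pcap_cnt":1}',
        '{"event_type":"alert","timestamp":"2023-11-14T22:13:20.000200+0000","pcap_cnt":2,"alert":{"signature_id":1}}',
        '{"event_type":"alert","timestamp":"2023-11-14T22:13:20.000300+0000","pcap_cnt":5,"alert":{"signature_id":2}}',
        '{"event_type":"alert","timestamp":"2023-11-14T22:13:20.000300+0000","pcap_cnt":1,"alert":{"signature_id":3}}',
    ]
    return correlate(parse_alerts(eve), read_pcap(pcap))


if __name__ == "__main__":
    for r in demo():
        print(r)
```

With a real capture, replace the constructed bytes with `open("capture.pcap", "rb").read()` and the list with lines from `eve.json`; any alert reported as `out_of_range` or `timestamp_mismatch` is one where `pcap_cnt` cannot be used as a packet index, and `by_timestamp` gives the packet numbers to inspect instead.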