Pcap live mode no alert

I added logging to print threshold info. As a result, I found that the threshold entry’s time is always equal to the packet’s time in pcap live mode, while in pcap file mode the threshold entry’s time is always equal to the first packet’s time before a new entry is generated. It seems like Suricata always generates a new threshold entry when the packet’s time changes in pcap live mode.
