Suricata flow event Data flow direction exception

I have observed a portion of flow events where the source address is the opposite of the destination address. This makes it difficult to analyze the data and it is “dirty” data for me.

I compared the Moloch events and Moloch could recognize that the direction of the data flow was normal.

I observed 2 RST packets among the packets identified by Suricata as being in the wrong direction. Is this the reason?

Can you reproduce this with a pcap or is it related to the packet capture method Suricata is using?

I observe that also very frequently, especially for encrypted tcp flows that are midstream pickups.

According to the FAQ, Suricata interprets the first seen packet as being sent by the client, and if it in fact came from the server, the direction is misinterpreted.

I wonder if it is a useful workaround to make the PacketSwap/FlowSwap instruction in flow-tcp.c (lines 1078ff.) conditional, like:

    /* proposed guard: only reverse when the first seen packet goes from a
     * privileged source port to an ephemeral destination port */
    if (p->sp <= 1024 && p->dp > 1024) {
        /* reverse packet and flow */
        SCLogDebug("reversing flow and packet");
        PacketSwap(p);
        FlowSwap(p->flow);
    }
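To make the effect of that proposal visible, here is an added, self-contained C model of the two direction rules discussed in this thread (the "first seen packet is the client" baseline and the conditional port-based swap). It is illustration code written for this page, not Suricata's own flow-tcp.c, and its Packet/Flow structs, the PKT_* sample packets and the helper names are all constructed for the example. One assumption beyond the post: a first packet that is a bare SYN (SYN set, ACK clear) is treated as unambiguous client-to-server traffic and never reversed, so the port test only applies to midstream pickups.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified packet and flow records (not Suricata's Packet/Flow). */
#define TH_SYN 0x02
#define TH_ACK 0x10

typedef struct {
    const char *src; uint16_t sp;   /* source address and port      */
    const char *dst; uint16_t dp;   /* destination address and port */
    uint8_t flags;                  /* TCP flag bits                */
} Packet;

typedef struct {
    const char *client; uint16_t client_port;
    const char *server; uint16_t server_port;
    bool swapped;                   /* true if the heuristic reversed the flow */
} Flow;

/* Baseline behaviour described in the thread: whoever sent the first seen
 * packet becomes the client side of the flow. */
static void flow_init_first_seen(Flow *f, const Packet *p) {
    f->client = p->src; f->client_port = p->sp;
    f->server = p->dst; f->server_port = p->dp;
    f->swapped = false;
}

static void flow_swap(Flow *f) {
    const char *a = f->client; uint16_t ap = f->client_port;
    f->client = f->server; f->client_port = f->server_port;
    f->server = a;         f->server_port = ap;
    f->swapped = true;
}

/* Conditional reversal along the lines proposed above, plus one guard (an
 * assumption of this example): a bare SYN is never reversed, so only
 * midstream pickups reach the privileged-port test. */
static void flow_init_with_port_heuristic(Flow *f, const Packet *p) {
    flow_init_first_seen(f, p);
    bool bare_syn = (p->flags & (TH_SYN | TH_ACK)) == TH_SYN;
    if (!bare_syn && p->sp <= 1024 && p->dp > 1024) {
        flow_swap(f);
    }
}

/* Constructed first-seen packets covering the cases discussed in the thread. */
static const Packet PKT_MIDSTREAM_FROM_SERVER = {"10.0.0.5", 443, "192.168.1.10", 51234, TH_ACK};
static const Packet PKT_HANDSHAKE_SYN         = {"192.168.1.10", 51234, "10.0.0.5", 443, TH_SYN};
static const Packet PKT_BOTH_EPHEMERAL        = {"10.0.0.5", 40001, "192.168.1.10", 51234, TH_ACK};

/* Each returns the server port the flow ends up with, so the effect of each
 * rule is observable as a value rather than only as printed text. */
uint16_t server_port_first_seen(const Packet *p) { Flow f; flow_init_first_seen(&f, p); return f.server_port; }
uint16_t server_port_heuristic(const Packet *p)  { Flow f; flow_init_with_port_heuristic(&f, p); return f.server_port; }
bool heuristic_swapped(const Packet *p)          { Flow f; flow_init_with_port_heuristic(&f, p); return f.swapped; }

int main(void) {
    const Packet *cases[] = {&PKT_MIDSTREAM_FROM_SERVER, &PKT_HANDSHAKE_SYN, &PKT_BOTH_EPHEMERAL};
    const char *names[] = {"midstream, server spoke first", "bare SYN from client", "both ports ephemeral"};
    for (int i = 0; i < 3; i++) {
        printf("%-30s first-seen server port=%5u  heuristic server port=%5u  swapped=%s\n",
               names[i], (unsigned)server_port_first_seen(cases[i]),
               (unsigned)server_port_heuristic(cases[i]),
               heuristic_swapped(cases[i]) ? "yes" : "no");
    }
    return 0;
}
```

The midstream case is the one the thread is about: with the baseline rule the server's reply becomes the "client" side and the recorded server port is the client's ephemeral port; the port test puts it back. The other two cases show the limits of the heuristic: a captured handshake needs no correction, and a flow whose two ports are both above 1024 (or a service running on a high port) is left exactly as the first-seen rule guessed it, so the port test reduces but does not remove the midstream ambiguity.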