The flow id got changed even though I keep send the same packet

cifer · April 27, 2022, 4:04am

Hi there,

I found that the flow_id in the alert log may change after a while even though I keep sending the same packets (which means the packets are with the same src_port, src_addr, dst_port, dst_addr, proto).

I know that there’s a flow-timeouts configuration but I don’t think it’s the cause since I kept sending the packet without brreak.

So I think there may be some logic inside suricata that causes this behavior?

(note the id field in the screenshot is the flow_id field in eve log)

ish · April 27, 2022, 4:12am

Time is considered as part of the flow ID. Even though you are using the same 5 tuple, are you sure they are still part of the same TCP session?

You can check out the community id option (disabled by default) which doesn’t consider time which may provide the consistent ID you are after.

cifer · April 27, 2022, 4:24am

Thanks Jason.

Actually we found this same behavior for UDP packets stream as well, which I think there’s no session concept…

but let us enable the community id first and see what can we find…

Topic		Replies	Views
Flow_ID_Duplicated Help	1	447	August 25, 2022
Community flow id inconsistency Help	10	3448	April 30, 2020
Help Needed ! Suricata drops - ,"metadata":{"flowints":{"http.anomaly.count":1}}, Rules ips , rules	5	276	October 7, 2023
IPS: dropped packets with no `signature_id` and questions about the flow event Help	9	861	February 28, 2022
Suricate Flow event doesn't display ongoing ssh session Help	5	1151	April 26, 2020

The flow id got changed even though I keep send the same packet

Related topics