The TCP flag in the suricata output file(eve.json) does not match the actual situation

phospherus · March 13, 2024, 5:18am

I use nmap for sA scanning
The following are the data packets in Wireshark

The following is the content of eve.json

I want to know why the TCP flag in Wireshark is ack,but the TCP flag in Eve.log is “00”

vjulien · March 13, 2024, 5:25am

Do you have midstream enabled? Packets with SYN/ACK will not lead to a TcpSession set up otherwise, and this logging depends on that. We should probably just not log the field in this case.

phospherus · March 13, 2024, 5:54am

Thank you for your reply!I have found the location of the configuration,but I am not familiar with how to configure this part.May I ask how I can modify the content of midstream to solve my problem？
I have set midstream to true here

Topic		Replies	Views
Eve JSON Output with configuration : packet: yes Help centos	2	1049	August 28, 2021
Suricata 7.0.1-dev and a giant json data logging spike Developers	4	244	August 11, 2023
HTTP request header And HTTP response header NOT IN eve.json Help suricata	8	455	August 21, 2023
Rules and log files	1	350	November 28, 2023
Eve.json only shows "event_type":"flow" Help	7	1393	October 22, 2020

The TCP flag in the suricata output file(eve.json) does not match the actual situation

Related Topics