Unable to capture the complete packet in a single pass

  • Suricata version: 7.0.8
  • Operating system: Ubuntu 20.04.6 LTS
  • How Suricata was installed: packages

When Suricata is configured with pcap-log to save packets that trigger alerts, only the HTTP request packet is recorded immediately. The corresponding response packet, however, will only be written into the saved pcap file when a subsequent alert occurs in that flow. How can this be resolved?

My Configuration:

  - pcap-log:
      enabled: yes
      filename: pcaps/log-%t-%n.pcap
      limit: 10mb
      max-files: 100
      compression: none
      mode: multi
      use-stream-depth: no
      honor-pass-rules: no
      conditional: alerts

When an alert is triggered, only the request packet is captured—there is no corresponding response packet.

The response packet from the previous alert is only written into the pcap file when another alert is triggered.

My use case requires extracting the pcap traffic for each alert individually. However, the issue described above prevents me from doing so. I sincerely hope someone can help me resolve this.
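One way to check a pcap-log output file for exactly the symptom described above (flows that contain a request but no response packet) is to group its packets by bidirectional flow and count packets per direction. The following script is an added example written for this thread; it is not part of the original post or of the Suricata project. It assumes a classic libpcap file (not pcapng) with Ethernet link type and IPv4/TCP packets, and the sample capture it runs on by default is constructed in memory: one flow with request and response, one flow with only a request.

```python
"""Report flows in a Suricata pcap-log file that have packets in only one direction.

Added example, not from the forum thread or the Suricata project.
Assumptions: classic libpcap format, Ethernet link type, IPv4/TCP only.
Usage: python check_pcaplog.py pcaps/log-<ts>-<n>.pcap   (no argument: built-in sample)
"""
import socket
import struct
import sys
from collections import defaultdict

PCAP_MAGIC_USEC = 0xA1B2C3D4
PCAP_MAGIC_NSEC = 0xA1B23C4D
LINKTYPE_ETHERNET = 1


def _ipv4_checksum(header: bytes) -> int:
    # One's-complement sum over 16-bit words (RFC 1071).
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (TCP checksum left zero; only used for the sample)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]
    return eth + ip + tcp


def build_pcap(packets) -> bytes:
    """Wrap frames in a little-endian libpcap file; packet index doubles as the timestamp."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", ts, 0, len(p), len(p)) + p
                       for ts, p in enumerate(packets))
    return header + records


def parse_pcap(data: bytes):
    """Yield (src_ip, src_port, dst_ip, dst_port) for every IPv4/TCP frame in the file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        yield src, sport, dst, dport


def flow_directions(pcap_bytes: bytes) -> dict:
    """Map a direction-independent flow key to per-direction packet counts."""
    flows = defaultdict(lambda: {"fwd": 0, "rev": 0})
    for src, sport, dst, dport in parse_pcap(pcap_bytes):
        a, b = (src, sport), (dst, dport)
        key = (a, b) if a <= b else (b, a)  # same key for both directions
        flows[key]["fwd" if key == (a, b) else "rev"] += 1
    return dict(flows)


def flows_missing_response(pcap_bytes: bytes) -> list:
    """Flow keys whose packets all travel one way, i.e. the request-without-response case."""
    return sorted(k for k, v in flow_directions(pcap_bytes).items()
                  if v["fwd"] == 0 or v["rev"] == 0)


# Constructed sample: flow 40001 has request and response, flow 40002 has only the request.
SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.5", "192.0.2.10", 40001, 80, b"GET /test HTTP/1.1\r\nHost: x\r\n\r\n"),
    build_packet("192.0.2.10", "10.0.0.5", 80, 40001, b"HTTP/1.1 200 OK\r\n\r\n"),
    build_packet("10.0.0.5", "192.0.2.10", 40002, 80, b"GET /test HTTP/1.1\r\nHost: x\r\n\r\n"),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for (sip, sp), (dip, dp), in [(k[0], k[1]) for k in flow_directions(data)]:
        counts = flow_directions(data)[((sip, sp), (dip, dp))]
        flag = "" if counts["fwd"] and counts["rev"] else "   <-- one direction only"
        print(f"{sip}:{sp} <-> {dip}:{dp}  fwd={counts['fwd']} rev={counts['rev']}{flag}")
```

Run against a real pcap-log file, a flow listed as "one direction only" right after an alert, and then complete once the next alert has been written, reproduces the behaviour described in the post in a form that can be attached to a bug report. Packets are grouped purely by 5-tuple here; the script does not read eve.json, so it shows which flows are incomplete, not which alert they belong to.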

Please provide the suricata.yaml and stats.log as well as the suricata.log and the run command.

In addition to that, upgrade to 7.0.11 and maybe even try 8.0.0

Thanks for your reply.

Now I installed Suricata 8.0 version as you suggested.

  • Suricata version: 8.0.0 RELEASE
  • Operating system: Ubuntu 24.04.1 LTS
  • How Suricata was installed: packages

All the related files have been placed in the files.zip archive.

files.zip (97.7 KB)

I tested it again. When an alert is first triggered using the test signature, only the request packet is captured.

The response packet corresponding to the previous alert is only written to the pcap file when the next alert occurs.

I think you can try it yourself to see if the issue really exists.

I want to make sure you saw it?

Hello,

I’m not an expert, but I’ve noticed that you’re using mode: multi which leads to the creation of multiple (per thread) pcap files (cf 12.1. Suricata.yaml — Suricata 8.0.1-dev documentation). If you change that to mode: normal do you see any differences?

The same is true. The complete data packet cannot be seen and will be written only after the next alarm.

Can you share the pcap, suricata.yaml and log files from when you do that change, please?

in here: https://forum.suricata.io/uploads/short-url/eHwWFbw10bCvzhPyGufbU0Ig4R3.zip

That link is without the aforementioned change to the suricata yaml. I’m asking for a sample of when the change is done, and suricata run with those settings :wink:

Yes, but I encountered the problem when running with this configuration. As you can imagine, this is a common problem. I think it would be better if you try it according to the method I said.

I understand, but sometimes we ask such questions to gather a better understanding of the scenario, when it happens, and what are the differences, so we can possibly help :wink: