I am currently utilizing Suricata in offline mode for analyzing a series of pcap files. I have observed an issue where the ‘pcap_cnt’ field from the json log appears to be an accumulated count of packets from all previously analyzed pcap files, rather than the count from the individual file currently being processed.
My objective is to identify the exact location or frame number within each individual pcap file when an alert is generated. This would enable me to map alerts to their precise location within a specific pcap file.
So is there a way to do this rather than testing each pcap file individually? Thank you!
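As an added worked example (not part of the question above, and not Suricata's own code), the following Python post-processing step maps a cumulative `pcap_cnt` from EVE JSON back to a per-file frame number. It assumes `pcap_cnt` is a 1-based running packet counter that advances in the order the files were handed to Suricata, that the same file order is supplied to the script, and that the captures are classic libpcap files (not pcapng); the pcap blobs and the EVE lines below are constructed inline so the script runs offline.

```python
import json
import struct
from typing import List, Tuple

# --- constructed sample input (not real captures or real Suricata output) ---

def build_pcap(packet_sizes: List[int]) -> bytes:
    """Build a minimal little-endian libpcap file with one zero-filled record per size."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # magic, ver 2.4, DLT_EN10MB
    records = [
        struct.pack("<IIII", 1700000000 + i, 0, size, size) + b"\x00" * size
        for i, size in enumerate(packet_sizes)
    ]
    return header + b"".join(records)

# Files in the order they were processed (assumption: same order Suricata used).
FILES: List[Tuple[str, bytes]] = [
    ("a.pcap", build_pcap([60] * 10)),
    ("b.pcap", build_pcap([60] * 5)),
    ("c.pcap", build_pcap([60] * 7)),
]

# Constructed EVE lines; signature_ids are placeholders, pcap_cnt is cumulative.
EVE_LINES = [
    '{"event_type":"alert","pcap_cnt":3,"alert":{"signature_id":1000001,"signature":"TEST a"}}',
    '{"event_type":"stats","stats":{"uptime":1}}',
    '{"event_type":"alert","pcap_cnt":12,"alert":{"signature_id":1000002,"signature":"TEST b"}}',
    '{"event_type":"alert","pcap_cnt":22,"alert":{"signature_id":1000003,"signature":"TEST c"}}',
]

# --- the actual mapping logic ---

def count_pcap_packets(data: bytes) -> int:
    """Count records in a classic libpcap file, handling both byte orders and the ns magic."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    off, count = 24, 0
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        off += 16 + incl_len
        if off > len(data):
            raise ValueError("truncated packet record")
        count += 1
    return count

def build_frame_index(files: List[Tuple[str, bytes]]) -> List[Tuple[str, int, int]]:
    """Return (filename, first_pcap_cnt, last_pcap_cnt) per file, 1-based and cumulative."""
    index, running = [], 0
    for name, data in files:
        n = count_pcap_packets(data)
        index.append((name, running + 1, running + n))
        running += n
    return index

def locate(index: List[Tuple[str, int, int]], pcap_cnt: int) -> Tuple[str, int]:
    """Translate a cumulative pcap_cnt into (filename, frame number within that file)."""
    for name, first, last in index:
        if first <= pcap_cnt <= last:
            return name, pcap_cnt - first + 1
    raise ValueError(f"pcap_cnt {pcap_cnt} exceeds the total packet count of the supplied files")

def map_alerts(eve_lines: List[str], index: List[Tuple[str, int, int]]) -> List[Tuple[int, str, int]]:
    """Yield (signature_id, filename, frame) for every alert line that carries pcap_cnt."""
    out = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert" or "pcap_cnt" not in ev:
            continue  # stats/flow/etc. events are not tied to a single frame
        name, frame = locate(index, ev["pcap_cnt"])
        out.append((ev["alert"]["signature_id"], name, frame))
    return out

if __name__ == "__main__":
    idx = build_frame_index(FILES)
    for sid, name, frame in map_alerts(EVE_LINES, idx):
        print(f"sid {sid}: {name} frame {frame}")
```

Against real data, replace `FILES` with the on-disk captures read in the exact order given to Suricata; the resulting frame number is what Wireshark shows for that file, so it can be used directly in a display filter such as `frame.number == 2`.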