Hi, I'm wondering how Suricata decides which packet to capture and dump in the unified2 log file and which not to. I'm running Snorby to collect the alerts, and I've noticed that sometimes, for a single rule, some of the alerts have the packet dump present and some do not.

Regards,
Nikolay