[Oisf-users] Tagged packets different from original packets

Luis Escamilla luis at cyberopsec.com.mx
Thu Apr 18 00:26:09 UTC 2019

Sure, here is a link to the pcaps: https://wetransfer.com/downloads/7cf3693258b7d2e87287a52d3f40357e20190418002225/e489d55f96f84713faeb23053601592920190418002225/18b29f

From: Peter Manev <petermanev at gmail.com>
Date: Saturday, April 13, 2019 at 10:16 AM
To: Luis Escamilla <luis at cyberopsec.com.mx>
Cc: "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
Subject: Re: [Oisf-users] Tagged packets different from original packets

On 13 Apr 2019, at 02:29, Luis Escamilla <luis at cyberopsec.com.mx> wrote:
Hi everyone.

I’m trying to assemble a pcap file from the tagged packets resulting from the firing of an alert. The problem is that the packets in the resulting pcap file differ from the original packets; specifically, the identification field is sometimes incremented or decremented by one.

Does anyone know what this issue could


What is the diff?
Is it possible to share the two pcaps or share how to reproduce your test case?

Thank you

Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/