[Oisf-users] How to know which packets caused an alert?

Lucas Augusto Mota de Alcantara lama2 at cin.ufpe.br
Wed Feb 12 19:35:09 UTC 2020


Thank you Sascha, I got it.

But it didn't work with small pcaps (like 4 or 5 packets); the eve json
doesn't include the pcap_cnt field in these cases. For bigger pcaps, the
pcap_cnt appears in the json file.
I didn't find what the size limit is for it to be included or not.