You can configure Suricata to log the packet that generated the alert (packet=yes) and then extract it from the log.
See also:
Would that fit your needs?
If not, you can filter on the items in the log entry, but it will never be an exact match, unless the timestamps of Suricata exactly match the timestamps in the pcaps, which is next to impossible, as the packets pass through the different processes separately. The best filter you can make is:
ip.src==<src> and ip.dst==<dst> and udp.srcport==<srcport> and udp.dstport==<dstport> and frame.len==<length> and frame.time_epoch >= <time from log> - <delta> and frame.time_epoch <= <time from log> + <delta>
Where you choose delta to be larger than the max time difference between the timestamps in suricata and the timestamps in the pcap file. Please note that you will need to use the timestamp including the microseconds.
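As an added example (not part of the original answer), this builds the filter above from a Suricata EVE JSON alert and checks a frame's time against the same window. The alert record is constructed, and it assumes the logged packet (packet=yes) is the full frame, so its decoded size is used for frame.len.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

US = 1_000_000
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed Suricata EVE alert (not from the original post). The timestamp keeps
# its microseconds; "packet" is 60 zero bytes standing in for the logged frame.
SAMPLE_ALERT = json.dumps({
    "timestamp": "2024-03-05T10:15:30.123456+0000",
    "event_type": "alert", "proto": "UDP",
    "src_ip": "192.0.2.10", "src_port": 53211,
    "dest_ip": "198.51.100.7", "dest_port": 53,
    "packet": base64.b64encode(bytes(60)).decode(),
})

def eve_ts_to_micros(ts: str) -> int:
    """EVE timestamp ("...SS.ffffff+HHMM") -> integer microseconds since the epoch (no float rounding)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
    return (dt - _EPOCH) // timedelta(microseconds=1)

def fmt_epoch(micros: int) -> str:
    """Format microseconds the way frame.time_epoch expects: seconds with six decimals."""
    return f"{micros // US}.{micros % US:06d}"

def alert_to_filter(alert_json: str, delta_s: float = 0.5) -> str:
    """Build the answer's display filter: 5-tuple, frame length and a +/- delta time window."""
    a = json.loads(alert_json)
    proto = a["proto"].lower()          # "udp" / "tcp" field prefix in Wireshark
    t = eve_ts_to_micros(a["timestamp"])
    d = round(delta_s * US)
    clauses = [f"ip.src=={a['src_ip']}", f"ip.dst=={a['dest_ip']}",
               f"{proto}.srcport=={a['src_port']}", f"{proto}.dstport=={a['dest_port']}"]
    if "packet" in a:  # only present with packet=yes; assumed to be the whole frame
        clauses.append(f"frame.len=={len(base64.b64decode(a['packet']))}")
    # Window bounds are computed here, so the filter itself needs no arithmetic.
    clauses += [f"frame.time_epoch>={fmt_epoch(t - d)}", f"frame.time_epoch<={fmt_epoch(t + d)}"]
    return " and ".join(clauses)

def frame_in_window(alert_json: str, frame_time_epoch: str, delta_s: float = 0.5) -> bool:
    """Check one frame's frame.time_epoch (as Wireshark prints it, up to ns) against the window."""
    t = eve_ts_to_micros(json.loads(alert_json)["timestamp"])
    sec, frac = frame_time_epoch.split(".")
    f = int(sec) * US + int(frac[:6].ljust(6, "0"))   # truncate to microseconds
    return abs(f - t) <= round(delta_s * US)
```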