Support #3211: negative flow age
Status: closed
Description
Hi,
Did anyone encounter negative flow age before?
Suricata is used to process some old pcaps spanning several months using the -r command line option. From eve.json, there were some event_type=flow entries where the end date (e.g. 1 Jul 2019) is a few months before the start date (e.g. 30 Sep 2019) and therefore, age is a very big negative number.
In addition, some of the related timestamps for individual traffic (e.g. under DNS) were recorded as 30 Sep 2019 instead of the actual DNS traffic time recorded in the pcap (e.g. 1 Jul, 8 Jul, 15 Jul, etc.). This occurred when some of the pcaps were processed more than once. So the first timestamp for a unique piece of traffic would be recorded with the correct timestamp from the pcap, but the subsequent duplicated traffic is tagged with a timestamp suspected to be the time at which the duplicated pcap was being processed again.
I thought this might be due to processing of duplicate pcaps but could not replicate the problem even when the same pcaps were re-processed.
Thank you.
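An added eve.json sanity check (example code written for this ticket, not part of the report or of Suricata) that flags the two symptoms described above: flow records whose end lies before their start (negative age) and protocol events whose timestamp falls outside the window of the flow they belong to. It assumes the standard eve fields flow.start, flow.end, flow.age and per-event flow_id; the sample lines are constructed to mirror the report.

```python
import json
from datetime import datetime

# Constructed sample eve.json lines (not from the ticket). Flow 1 is healthy;
# flow 2 has its end months before its start; the last dns event is a
# "duplicate pcap" record stamped 30 Sep although its flow ran on 1 Jul.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2019-07-01T10:00:00.000000+0000","flow_id":1,"event_type":"dns"}',
    '{"timestamp":"2019-07-01T10:00:05.000000+0000","flow_id":1,"event_type":"flow",'
    '"flow":{"start":"2019-07-01T10:00:00.000000+0000",'
    '"end":"2019-07-01T10:00:05.000000+0000","age":5}}',
    '{"timestamp":"2019-09-30T08:00:00.000000+0000","flow_id":2,"event_type":"dns"}',
    '{"timestamp":"2019-09-30T08:00:00.000000+0000","flow_id":2,"event_type":"flow",'
    '"flow":{"start":"2019-09-30T08:00:00.000000+0000",'
    '"end":"2019-07-08T12:00:00.000000+0000","age":-7243200}}',
    '{"timestamp":"2019-09-30T08:00:00.000000+0000","flow_id":1,"event_type":"dns"}',
])

TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"  # eve.json timestamp layout, e.g. ...+0000


def parse_ts(s):
    return datetime.strptime(s, TS_FMT)


def check_flows(eve_text):
    """Return a list of (flow_id, problem) tuples for suspicious records."""
    events = [json.loads(line) for line in eve_text.splitlines() if line.strip()]
    problems, windows = [], {}
    # Pass 1: validate every flow record and remember its [start, end] window.
    for ev in events:
        if ev.get("event_type") != "flow":
            continue
        fl = ev["flow"]
        start, end = parse_ts(fl["start"]), parse_ts(fl["end"])
        age = (end - start).total_seconds()
        windows[ev["flow_id"]] = (min(start, end), max(start, end))
        if age < 0:
            problems.append((ev["flow_id"], f"negative age {age:.0f}s (end before start)"))
        if int(age) != fl.get("age"):
            problems.append((ev["flow_id"], f"age field {fl.get('age')} != computed {age:.0f}"))
    # Pass 2: protocol events stamped outside the window of their own flow.
    for ev in events:
        fid = ev.get("flow_id")
        if ev.get("event_type") == "flow" or fid not in windows:
            continue
        lo, hi = windows[fid]
        ts = parse_ts(ev["timestamp"])
        if not lo <= ts <= hi:
            problems.append((fid, f"{ev['event_type']} event at {ev['timestamp']} outside flow window"))
    return problems


if __name__ == "__main__":
    for fid, msg in check_flows(SAMPLE_EVE):
        print(f"flow_id={fid}: {msg}")
```

Point it at a real eve.json by reading the file into check_flows(); a negative-age hit together with an out-of-window protocol event on the same day is the pattern the report describes.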