Feature #7896
Report stream/socket bytes transferred in flow logs
Status: open
Description
Suricata reports total packets and bytes in flow logs; the byte count covers the total data volume transferred, including the overhead of the layer 3 and 4 protocols. In forensic investigations the volume of data transferred is a very frequently used metric, but it is more useful when reported as the number of bytes transferred without the protocol-level overhead, i.e. the number of bytes the endpoint applications would have sent and received over their sockets. Zeek reports these values as orig_bytes and resp_bytes, separately from the total byte counts that include overhead, and Suricata could do something similar.
{
  "timestamp": "2025-09-12T22:55:02.341058+0000",
  "flow_id": 1746311224371101,
  "event_type": "flow",
  "src_ip": "192.168.88.117",
  "src_port": 49921,
  "dest_ip": "142.251.215.228",
  "dest_port": 443,
  "proto": "TCP",
  "app_proto": "tls",
  "flow": {
    "pkts_toserver": 23,
    "pkts_toclient": 26,
    "bytes_toserver": 2121,
    "bytes_toclient": 24077,
    "start": "2025-09-12T22:55:02.341058+0000",
    "end": "2025-09-12T22:55:02.460308+0000",
    "age": 0,
    "state": "closed",
    "reason": "shutdown",
    "alerted": true
  },
  "tcp": {
    "tcp_flags": "1b",
    "tcp_flags_ts": "1b",
    "tcp_flags_tc": "1b",
    "syn": true,
    "fin": true,
    "psh": true,
    "ack": true,
    "state": "last_ack",
    "ts_max_regions": 1,
    "tc_max_regions": 1
  }
}
This example is a flow log from a simple GET to google.com. For the same packet capture, Wireshark's "follow stream" reports 591 bytes to server and 22k to client; having these values reported directly by Suricata would be very useful.
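To make the difference between the two metrics concrete, here is an added example (not Suricata code, and not part of the original report) that computes both counters over a small constructed TCP flow: the per-direction wire byte total, which is what the flow log's bytes_toserver/bytes_toclient report (link, IP and TCP headers included; the assumption here is that Suricata counts the captured packet length), and the per-direction stream bytes, derived from TCP sequence numbers the way "follow stream" sees them, so that a retransmitted segment is counted once. The packets, addresses and the stream_bytes_toserver/stream_bytes_toclient field names are all constructed for the example.

```python
import socket
import struct
from collections import namedtuple

ETH_HDR_LEN = 14  # Ethernet II header without VLAN tag

PacketInfo = namedtuple("PacketInfo", "src_ip sport dst_ip dport seq payload_len wire_len")


def build_packet(src_ip, sport, dst_ip, dport, seq, ack, flags, payload=b"", options=b""):
    """Build a synthetic Ethernet/IPv4/TCP frame. Checksums stay zero because
    only lengths and sequence numbers matter for the counters below."""
    assert len(options) % 4 == 0, "TCP options must be padded to 32-bit words"
    data_offset = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4,
                      flags, 65535, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = b"\x00" * 12 + b"\x08\x00"  # dummy MAC addresses, EtherType IPv4
    return eth + ip + tcp


def parse_packet(pkt):
    """Extract the fields both counters need from an IPv4/TCP frame."""
    ip_off = ETH_HDR_LEN
    ihl = (pkt[ip_off] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", pkt[ip_off + 2:ip_off + 4])
    src_ip = socket.inet_ntoa(pkt[ip_off + 12:ip_off + 16])
    dst_ip = socket.inet_ntoa(pkt[ip_off + 16:ip_off + 20])
    tcp_off = ip_off + ihl
    sport, dport, seq = struct.unpack("!HHI", pkt[tcp_off:tcp_off + 8])
    tcp_hdr_len = (pkt[tcp_off + 12] >> 4) * 4  # honours TCP options
    payload_len = total_len - ihl - tcp_hdr_len
    return PacketInfo(src_ip, sport, dst_ip, dport, seq, payload_len, len(pkt))


def summarize_flow(packets, client, server):
    """Per-direction packet counts, wire bytes (headers included, as in the
    flow log) and stream bytes (payload delivered to the application).
    Stream bytes = highest seq+len seen minus the seq of the first data
    segment, so retransmissions are not counted twice. Sequence-number
    wraparound is not handled in this example."""
    pkts = {"toserver": 0, "toclient": 0}
    wire = {"toserver": 0, "toclient": 0}
    seq_range = {"toserver": None, "toclient": None}  # [first_seq, highest_end]
    for pkt in packets:
        info = parse_packet(pkt)
        direction = "toserver" if (info.src_ip, info.sport) == client else "toclient"
        pkts[direction] += 1
        wire[direction] += info.wire_len
        if info.payload_len > 0:
            end = info.seq + info.payload_len
            if seq_range[direction] is None:
                seq_range[direction] = [info.seq, end]
            else:
                seq_range[direction][1] = max(seq_range[direction][1], end)

    def stream_bytes(direction):
        r = seq_range[direction]
        return 0 if r is None else r[1] - r[0]

    return {
        "pkts_toserver": pkts["toserver"],
        "pkts_toclient": pkts["toclient"],
        "bytes_toserver": wire["toserver"],
        "bytes_toclient": wire["toclient"],
        "stream_bytes_toserver": stream_bytes("toserver"),  # hypothetical field names
        "stream_bytes_toclient": stream_bytes("toclient"),
    }


# Constructed sample flow: 100-byte request, 1000-byte response split into two
# segments, with the second response segment retransmitted once.
CLIENT = ("10.0.0.2", 40000)
SERVER = ("10.0.0.1", 443)
MSS_OPT = b"\x02\x04\x05\xb4"  # kind 2, length 4, MSS 1460
SYN, ACK, PSH, FIN = 0x02, 0x10, 0x08, 0x01


def c2s(seq, ack, flags, payload=b"", options=b""):
    return build_packet(CLIENT[0], CLIENT[1], SERVER[0], SERVER[1], seq, ack, flags, payload, options)


def s2c(seq, ack, flags, payload=b"", options=b""):
    return build_packet(SERVER[0], SERVER[1], CLIENT[0], CLIENT[1], seq, ack, flags, payload, options)


SAMPLE_PACKETS = [
    c2s(1000, 0, SYN, options=MSS_OPT),
    s2c(5000, 1001, SYN | ACK, options=MSS_OPT),
    c2s(1001, 5001, ACK),
    c2s(1001, 5001, PSH | ACK, b"G" * 100),   # request
    s2c(5001, 1101, ACK),
    s2c(5001, 1101, PSH | ACK, b"R" * 600),   # response, part 1
    s2c(5601, 1101, PSH | ACK, b"R" * 400),   # response, part 2
    s2c(5601, 1101, PSH | ACK, b"R" * 400),   # retransmission of part 2
    c2s(1101, 6001, ACK),
    c2s(1101, 6001, FIN | ACK),
    s2c(6001, 1102, FIN | ACK),
]

if __name__ == "__main__":
    import json
    print(json.dumps(summarize_flow(SAMPLE_PACKETS, CLIENT, SERVER), indent=2))
```

Running it shows the gap the request is about: the server direction carries 1728 bytes on the wire but only 1000 bytes of stream data, because the header overhead of six packets and one retransmitted segment inflate the wire count, while the sequence-number based figure matches what the client application actually received.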