Closed ngms17 closed 2 years ago
Suricata will only log payload (or packet) for alerts. Other event types don't have the payload and can't be converted to pcap.
For myself, I use another tool I've written called Dumpy (https://github.com/jasonish/dumpy) that provides a bit of an HTTP API over a directory of pcap files, and then I use Suricata's full packet capture feature to log to pcaps. Of course you need to be prepared for the performance impact and disk usage of doing so, but it is an option one can look into.
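To make the distinction in the reply above concrete, here is an added example (written for this page, not code from EveBox, Suricata or Dumpy) that walks a handful of EVE JSON lines and builds a legacy pcap file from the base64 `packet` field that Suricata attaches to alert records when `packet: yes` is set in the EVE alert output. Non-alert events such as `dns` and `flow` carry no `packet` field and are simply counted as skipped, which is why no pcap download can exist for them. The three sample events are constructed for the example; the `packet` and `packet_info.linktype` field names are Suricata's real ones.

```python
"""Added example: convert the `packet` field of Suricata EVE alerts into a pcap.

Only alert events carry a raw packet (base64 in `packet`, link type in
`packet_info.linktype`); every other event type is skipped because there is
nothing to write into a pcap record for it.
"""
import base64
import json
import struct
from datetime import datetime

PCAP_MAGIC = 0xA1B2C3D4  # little-endian, microsecond-resolution legacy pcap


def _eve_timestamp(ts: str):
    """Split a Suricata EVE timestamp (e.g. 2023-05-01T12:00:00.123456+0000)
    into whole seconds since the epoch and microseconds."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
    return int(dt.timestamp()), dt.microsecond


def eve_to_pcap(lines):
    """Build a pcap from EVE JSON lines.

    Returns a dict with the pcap bytes, the number of packets written and the
    event types that were skipped because they had no `packet` field.
    """
    records, skipped, linktype = [], [], None
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        pkt_b64 = ev.get("packet")
        if ev.get("event_type") != "alert" or not pkt_b64:
            # dns, flow, http, ... never have a packet: nothing to export
            skipped.append(ev.get("event_type", "unknown"))
            continue
        lt = ev.get("packet_info", {}).get("linktype", 1)  # default: Ethernet
        if linktype is None:
            linktype = lt
        elif lt != linktype:
            raise ValueError(f"mixed link types {linktype} and {lt}; legacy pcap allows only one")
        sec, usec = _eve_timestamp(ev["timestamp"])
        records.append((sec, usec, base64.b64decode(pkt_b64)))

    # Global header: magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype or 1))
    for sec, usec, raw in records:
        # Record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", sec, usec, len(raw), len(raw))
        out += raw
    return {"pcap": bytes(out), "packets": len(records), "skipped": skipped}


def _frame():
    """Constructed Ethernet II frame: broadcast dst, made-up src, IPv4 ethertype,
    followed by a throwaway payload. Content is irrelevant to the pcap writer."""
    return bytes.fromhex("ffffffffffff" "000c29aabbcc" "0800") + b"\x45\x00" + b"A" * 30


# Constructed EVE records: one alert with a packet, two event types without one.
SAMPLE_EVE = [
    json.dumps({"timestamp": "2023-05-01T12:00:00.123456+0000", "event_type": "alert",
                "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "proto": "UDP",
                "alert": {"signature_id": 1, "signature": "constructed test alert"},
                "packet": base64.b64encode(_frame()).decode(),
                "packet_info": {"linktype": 1}}),
    json.dumps({"timestamp": "2023-05-01T12:00:01.000001+0000", "event_type": "dns",
                "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "proto": "UDP",
                "dns": {"type": "query", "rrname": "example.com"}}),
    json.dumps({"timestamp": "2023-05-01T12:00:02.000002+0000", "event_type": "flow",
                "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "proto": "UDP"}),
]


if __name__ == "__main__":
    result = eve_to_pcap(SAMPLE_EVE)
    with open("alerts.pcap", "wb") as fh:
        fh.write(result["pcap"])
    print(f"wrote {result['packets']} packet(s); skipped event types: {result['skipped']}")
```

Run it against a real `eve.json` by replacing `SAMPLE_EVE` with the file's lines; the resulting `alerts.pcap` opens in Wireshark or tcpdump. Anything that needs packets for `dns`, `flow` or other event types has to come from a full packet capture on the side, as the reply suggests.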
Every alert has the option to download the PCAP file in the Payload section.
Why is that option only present on the alerts?