From 8b016cff4b09873a3dc57e7b8613f973cd7a2f3a Mon Sep 17 00:00:00 2001
From: Victor Julien <victor@inliniac.net>
Date: Mon, 23 Dec 2019 16:09:51 +0100
Subject: [PATCH] flow: only move lastts forward

Pcaps with timestamps jumping around could confuse flow timeout
handling otherwise.
---
 src/flow.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/flow.c b/src/flow.c
index a0e637ed94..49dc4a2e37 100644
--- a/src/flow.c
+++ b/src/flow.c
@@ -440,7 +440,8 @@ void FlowHandlePacketUpdate(Flow *f, Packet *p, ThreadVars *tv, DecodeThreadVars
     if (state != FLOW_STATE_CAPTURE_BYPASSED) {
 #endif
         /* update the last seen timestamp of this flow */
-        COPY_TIMESTAMP(&p->ts, &f->lastts);
+        if (timercmp(&p->ts, &f->lastts, >))
+            COPY_TIMESTAMP(&p->ts, &f->lastts);
 #ifdef CAPTURE_OFFLOAD
     } else {
         /* still seeing packet, we downgrade to local bypass */
-- 
2.47.2