Suricata

When replaying with -r the attached pcap that contains 2 smb sessions, we got a series of SMB records. If we take one of the session(where we have a logoff) and sort the event by time, we got the following

cat /tmp/smb-2/eve.json | jq 'select(.event_type=="smb" and .smb.session_id==4398180728949)|{"time": .timestamp, "command":.smb.command}' -c | sort
{"time":"2021-06-30T20:28:32.664884+0200","command":"SMB2_COMMAND_SESSION_LOGOFF"}
{"time":"2021-06-30T22:52:21.504749+0200","command":"SMB2_COMMAND_SESSION_SETUP"}
{"time":"2021-06-30T22:52:21.504964+0200","command":"SMB2_COMMAND_TREE_CONNECT"}
{"time":"2021-06-30T22:52:21.700998+0200","command":"SMB2_COMMAND_IOCTL"}
{"time":"2021-06-30T22:52:31.921537+0200","command":"SMB2_COMMAND_TREE_DISCONNECT"}

So the logoff of the session comes 24 seconds before the setup of the same session.

By using lastts as timestamp in pseudo packet as done in https://github.com/OISF/suricata/pull/6921 we got

{"time":"2021-06-30T22:52:21.504749+0200","command":"SMB2_COMMAND_SESSION_SETUP"}
{"time":"2021-06-30T22:52:21.504964+0200","command":"SMB2_COMMAND_TREE_CONNECT"}
{"time":"2021-06-30T22:52:21.700998+0200","command":"SMB2_COMMAND_IOCTL"}
{"time":"2021-06-30T22:52:31.921537+0200","command":"SMB2_COMMAND_TREE_DISCONNECT"}
{"time":"2021-06-30T22:52:31.921736+0200","command":"SMB2_COMMAND_SESSION_LOGOFF"}