Suricata

Using a yaml that has pcap log enable and that honor stream depth for capture:

--- suricata.yaml    2016-09-25 16:26:56.024983383 +0200
+++ suricata-logpcap.yaml    2016-09-25 16:17:27.234726515 +0200
@@ -330,7 +330,7 @@
   # - encrypted streams after the key exchange
   #
   - pcap-log:
-      enabled: no
+      enabled: yes
       filename: log.pcap

       # File size limit.  Can be specified in kb, mb, gb.  Just a number
@@ -343,7 +343,7 @@
       mode: normal # normal, multi or sguil.
       #sguil-base-dir: /nsm_data/
       #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
-      use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
+      use-stream-depth: yes #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
       honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged.

suricata -r benches/iperf.pcap -c suricata-logpcap.yaml

we get a one hundred Mo file instead of something around the stream depth size of 1Mo.

This is due to the fact, we have only one big session in the file and suricata is not honoring the stream depth:

If we look at the check stopping pcap logging we see that no STREAM DEPTH reached flag has been set:

        /* streams that hit depth */
        if ((ssn->client.flags & STREAMTCP_STREAM_FLAG_DEPTH_REACHED) ||
             (ssn->server.flags & STREAMTCP_STREAM_FLAG_DEPTH_REACHED))
        {
            p->flags |= PKT_STREAM_NOPCAPLOG;
        }

Implemented by https://github.com/inliniac/suricata/pull/2279 and merged.