Using a yaml that has pcap-log enabled and that honors stream depth for capture:
--- suricata.yaml 2016-09-25 16:26:56.024983383 +0200
+++ suricata-logpcap.yaml 2016-09-25 16:17:27.234726515 +0200
@@ -330,7 +330,7 @@
# - encrypted streams after the key exchange
#
- pcap-log:
- enabled: no
+ enabled: yes
filename: log.pcap
# File size limit. Can be specified in kb, mb, gb. Just a number
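Review bot: the `- pcap-log:` line at the top of this hunk is the YAML list marker for the outputs entry, not a removed line (the leading whitespace has been lost in the paste); the only change in this hunk is `enabled: no` to `enabled: yes`, with `filename: log.pcap` left at its default, so the 100 MB output discussed below lands in `log.pcap` under the default log directory.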
@@ -343,7 +343,7 @@
mode: normal # normal, multi or sguil.
#sguil-base-dir: /nsm_data/
#ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
- use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
+ use-stream-depth: yes #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged.
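Review bot: `use-stream-depth: yes` is the setting under test here, and by its own comment it only drops packets "seen after reaching stream inspection depth", so the 1 MB expectation in the report depends on the `stream.reassembly.depth` value set elsewhere in the same yaml rather than on anything in this hunk; quoting that value would make the expected output size verifiable. Minor: the `honor-pass-rules` comment should read "will stop being logged".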
and running it on the attached file iperf.pcap via
suricata -r benches/iperf.pcap -c suricata-logpcap.yaml
we get a 100 MB file instead of something around the stream depth size of 1 MB.
This is because the file contains only one big session and Suricata is not honoring the stream depth:
if we look at the check that stops pcap logging, we see that the STREAMTCP_STREAM_FLAG_DEPTH_REACHED flag has not been set on the session:
/* streams that hit depth */
if ((ssn->client.flags & STREAMTCP_STREAM_FLAG_DEPTH_REACHED) ||
    (ssn->server.flags & STREAMTCP_STREAM_FLAG_DEPTH_REACHED))
{
    p->flags |= PKT_STREAM_NOPCAPLOG;
}
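Added example, not part of this report or of Suricata's code: a small Python check to run over the pcap-log output to see whether any direction of a flow was logged past the configured stream depth, which is the behaviour the report says is missing. Depth is counted per direction, matching the per-direction client/server flags in the check quoted above; it assumes Ethernet/IPv4 frames, and the sample pcap, addresses, ports and the 4096-byte depth are constructed for the demo.

```python
import struct
from collections import defaultdict

SAMPLE_DEPTH = 4096  # constructed small depth for the demo; Suricata's default "1mb" is 1048576

def tcp_frame(src, dst, sport, dport, payload):
    """Build an Ethernet/IPv4/TCP frame (checksums left zero; this is only a test fixture)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames):
    """Wrap frames in a little-endian pcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def payload_bytes_per_direction(pcap):
    """Sum TCP payload bytes per (src, sport, dst, dport) direction; stream depth is per direction."""
    magic, = struct.unpack("<I", pcap[:4])
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"  # usec or nsec magic, either byte order
    totals, off = defaultdict(int), 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        ip_total = struct.unpack("!H", frame[16:18])[0]
        if frame[23] != 6:
            continue  # not TCP
        tcp = frame[14 + ihl:14 + ip_total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        totals[(frame[26:30], sport, frame[30:34], dport)] += max(0, len(tcp) - data_off)
    return dict(totals)

def directions_over_depth(pcap, depth):
    """Directions that pcap-log kept logging past the configured stream depth."""
    return [k for k, n in payload_bytes_per_direction(pcap).items() if n > depth]

# Constructed sample: one big session, client A pushes 3 x 1460 bytes, server B only ACKs.
A, B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
SAMPLE_PCAP = build_pcap([tcp_frame(A, B, 40000, 5001, b"x" * 1460) for _ in range(3)]
                         + [tcp_frame(B, A, 5001, 40000, b"")])
```

On a real log.pcap, `directions_over_depth(open("log.pcap", "rb").read(), 1048576)` should be empty when use-stream-depth is honored; with the bug described here it lists the iperf direction.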