From 6089951a6fdfb13364f20f1b9ef72f69db51e399 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Thu, 16 Oct 2025 13:44:57 +0200
Subject: [PATCH] tests: add test for bpf in pcap multi logging (issue 8002)
---
.../README.md | 1 +
.../suricata.yaml | 27 +++++++++++++++++++
.../test.yaml | 18 +++++++++++++
3 files changed, 46 insertions(+)
create mode 100644 tests/pcap-log-uncompressed-03-multi-bpf/README.md
create mode 100644 tests/pcap-log-uncompressed-03-multi-bpf/suricata.yaml
create mode 100644 tests/pcap-log-uncompressed-03-multi-bpf/test.yaml
diff --git a/tests/pcap-log-uncompressed-03-multi-bpf/README.md b/tests/pcap-log-uncompressed-03-multi-bpf/README.md
new file mode 100644
index 000000000..fb9cb125b
--- /dev/null
+++ b/tests/pcap-log-uncompressed-03-multi-bpf/README.md
@@ -0,0 +1 @@
+Test that Suricata will apply bpf in multi-mode.
diff --git a/tests/pcap-log-uncompressed-03-multi-bpf/suricata.yaml b/tests/pcap-log-uncompressed-03-multi-bpf/suricata.yaml
new file mode 100644
index 000000000..f3a75a0c2
--- /dev/null
+++ b/tests/pcap-log-uncompressed-03-multi-bpf/suricata.yaml
@@ -0,0 +1,27 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - stats:
+ - pcap-log:
+ enabled: yes
+ filename: log.pcap.%n-%t-%i
+ compression: none
+ mode: multi
+ limit: 4mb
+ ts-format: usec
+ bpf-filter: tcp and not port 443
+
+# Enable enging logging to JSON so we can verify it.
+logging:
+ outputs:
+ - console:
+ enabled: yes
+ - file:
+ enabled: yes
+ level: perf
+ filename: eve.json
+ type: json
diff --git a/tests/pcap-log-uncompressed-03-multi-bpf/test.yaml b/tests/pcap-log-uncompressed-03-multi-bpf/test.yaml
new file mode 100644
index 000000000..bf4b101dd
--- /dev/null
+++ b/tests/pcap-log-uncompressed-03-multi-bpf/test.yaml
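Review bot: In suricata.yaml the `logging` file output writes engine log records at `level: perf` into `eve.json`, yet no check in test.yaml matches an engine log record; the only filter there is on `event_type: stats`. Because `eve-log` sets no `filename`, both writers presumably share eve.json, which adds unrelated records to the file the stats filter reads. Either drop the `logging` block from this test, or keep it and correct the comment to `# Enable engine logging to JSON so we can verify it.` (the current text says "enging").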
@@ -0,0 +1,18 @@
+requires:
+ min-version: 9
+
+pcap: ../bug-2482-01/proxyCONNECT_443.pcap
+
+args:
+ - --runmode=single
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.pcap_log.written: 38
+ stats.pcap_log.filtered_bpf: 14063
+ - shell:
+ args: find . -type f -name 'log.pcap.1-1523389*.*-*' | wc -l | xargs
+ expect: 1
-- 
2.47.3
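Review bot: The checks prove the filter only through counters (`stats.pcap_log.written: 38`, `stats.pcap_log.filtered_bpf: 14063`) and a file count; nothing reads the written pcap back, so a regression in which excluded packets are counted as filtered but still reach disk would pass. A pcap-log BPF is often what keeps unwanted traffic out of stored captures, so asserting on the file contents is worth one more check. If tcpdump is available in the test environment (not visible from this patch), a shell check with `args: tcpdump -nn -r log.pcap.1-1523389* 'port 443' 2>/dev/null | wc -l | xargs` and `expect: 0` would cover it. A short comment above the filter check recording how 38 and 14063 were derived from proxyCONNECT_443.pcap would also help whoever has to update them.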