log/pcap: fix conditional pcap in tag mode

We were missing the first packet when using condition pcap logging
in tag mode as it was not tagged. As a result we were not getting
the stream data triggering the alert in the pcap file.

diff --git a/src/log-pcap.c b/src/log-pcap.c
index 88c4f14be3eae6a9508a2d4048f688d09a7d17e5..9d54a93f23967ae86cf95ef893e03c768de7b1c1 100644 (file)
--- a/src/log-pcap.c
+++ b/src/log-pcap.c
@@ -252,7 +252,7 @@ static int PcapLogCondition(ThreadVars *tv, void *thread_data, const Packet *p)
             }
             break;
         case LOGMODE_COND_TAG:
-            if (p->flags & PKT_HAS_TAG) {
+            if (p->flags & (PKT_HAS_TAG | PKT_FIRST_TAG)) {
                 return TRUE;
             } else {
                 return FALSE;