doc: update file-extraction section

author Giuseppe Longo <giuseppe@glongo.it>

Mon, 28 Jan 2019 20:39:07 +0000 (21:39 +0100)

committer Victor Julien <victor@inliniac.net>

Mon, 16 Sep 2019 10:47:56 +0000 (12:47 +0200)
author Giuseppe Longo <giuseppe@glongo.it>
Mon, 28 Jan 2019 20:39:07 +0000 (21:39 +0100)
committer Victor Julien <victor@inliniac.net>
Mon, 16 Sep 2019 10:47:56 +0000 (12:47 +0200)
diff --git a/doc/userguide/file-extraction/file-extraction.rst b/doc/userguide/file-extraction/file-extraction.rst

index 1c2e564e999a9c1793ad436058a00de25de3103f..05fb48118074a4ae8b7e4a521c05d1d0c9675330 100644 (file)
--- a/doc/userguide/file-extraction/file-extraction.rst
+++ b/doc/userguide/file-extraction/file-extraction.rst
@@ -66,6 +66,19 @@ of the filename. For example, if the SHA256 hex string of an extracted
  file starts with "f9bc6d..." the file we be placed in the directory
  `filestore/f9`.
  
+
+The size of a file that can be stored depends on ``file-store.stream-depth``,
+if this value is reached a file can be truncated and might not be stored completely.
+If not enabled, ``stream.reassembly.depth`` will be considered.
+
+Setting ``file-store.stream-depth`` to 0 permits to store any files.
+
+``file-store.stream-depth`` will always override ``stream.reassembly.depth``
+when filestore keyword is used.
+
+A protocol parser, like modbus, could permit to set a different
+store-depth value and use it rather than ``file-store.stream-depth``.
+
  Using the SHA256 for file names allows for automatic de-duplication of
  extracted files. However, the timestamp of a pre-existing file will be
  updated if the same files is extracted again, similar to the `touch`
author	Giuseppe Longo <giuseppe@glongo.it>
	Mon, 28 Jan 2019 20:39:07 +0000 (21:39 +0100)
committer	Victor Julien <victor@inliniac.net>
	Mon, 16 Sep 2019 10:47:56 +0000 (12:47 +0200)