Add info about pcap log compression to user guide

author Max Fillinger <maximilian.fillinger@fox-it.com>

Thu, 25 Jan 2018 12:54:58 +0000 (13:54 +0100)

committer Victor Julien <victor@inliniac.net>

Thu, 3 May 2018 11:29:28 +0000 (13:29 +0200)
author Max Fillinger <maximilian.fillinger@fox-it.com>
Thu, 25 Jan 2018 12:54:58 +0000 (13:54 +0100)
committer Victor Julien <victor@inliniac.net>
Thu, 3 May 2018 11:29:28 +0000 (13:29 +0200)
diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst

index 91a8b0f136bfcc693d5fc912449dc648aee7af31..caa9ec3df2cfd8212ac0adc1da65e54858cc7a3a 100644 (file)
--- a/doc/userguide/configuration/suricata-yaml.rst
+++ b/doc/userguide/configuration/suricata-yaml.rst
@@ -457,6 +457,14 @@ If you would like to use Suricata with Sguil, do not forget to enable
  Remember that in the 'normal' mode, the file will be saved in
  default-log-dir or in the absolute path (if set).
  
+The pcap files can be compressed before being written to disk by setting
+the compression option to lz4. This option is incompatible with sguil
+mode. Note: On Windows, this option increases disk I/O instead of
+reducing it. When using lz4 compression, you can enable checksums using
+the lz4-checksum option, and you can set the compression level lz4-level
+to a value between 0 and 16, where higher levels result in higher
+compression.
+
  By default all packets are logged except:
  
  - TCP streams beyond stream.reassembly.depth
author	Max Fillinger <maximilian.fillinger@fox-it.com>
	Thu, 25 Jan 2018 12:54:58 +0000 (13:54 +0100)
committer	Victor Julien <victor@inliniac.net>
	Thu, 3 May 2018 11:29:28 +0000 (13:29 +0200)