From: Jason Ish Date: Wed, 18 Jan 2023 18:33:48 +0000 (-0600) Subject: log-pcap: remove early output initializing if offline X-Git-Tag: suricata-7.0.0-rc1~90 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=30a2cfa6937965395ce79b458841e93a2219e6af;p=thirdparty%2Fsuricata.git log-pcap: remove early output initializing if offline Remove early opening of output files if running in an offline mode, as we don't yet know the timestamp to use. Prevents the first pcap files being opened with a timestamp of 0, bringing us back to the same behvaviour of pcap logging in 6.0. Issue: 5374
---
diff --git a/src/log-pcap.c b/src/log-pcap.c
index dad889df43..df6bf82930 100644
--- a/src/log-pcap.c
+++ b/src/log-pcap.c
@@ -1104,11 +1104,14 @@ static TmEcode PcapLogDataInit(ThreadVars *t, const void *initdata, void **data)
 #endif /* INIT_RING_BUFFER */
 }
- if (pl->mode == LOGMODE_MULTI) {
- PcapLogOpenFileCtx(td->pcap_log);
- } else {
- if (pl->filename == NULL) {
- PcapLogOpenFileCtx(pl);
+ /* Don't early initialize output files if in a PCAP file mode. */
+ if (IsRunModeOffline(RunmodeGetCurrent())) {
+ if (pl->mode == LOGMODE_MULTI) {
+ PcapLogOpenFileCtx(td->pcap_log);
+ } else {
+ if (pl->filename == NULL) {
+ PcapLogOpenFileCtx(pl);
+ }
 }
 }
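Review bot: The new guard `if (IsRunModeOffline(RunmodeGetCurrent())) {` looks inverted relative to the comment directly above it and to the commit message: both say early opening is to be skipped in offline/PCAP-file mode, yet the block calls `PcapLogOpenFileCtx()` exactly when the predicate is true. IsRunModeOffline() is defined outside this hunk, so this is inferred from its name; if it returns true for offline run modes, the line should read `if (!IsRunModeOffline(RunmodeGetCurrent())) {`. As written, live capture would lose the early open while offline runs would still create a first file before a packet timestamp is known, which is the timestamp-0 naming the commit sets out to remove and which makes stored capture files harder to correlate during an investigation. PcapLogDataInit starts and ends outside the hunk, so any later open path that compensates is not visible here.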