From: Eric Leblond
Date: Wed, 10 Mar 2021 15:40:12 +0000 (+0100)
Subject: log/pcap: log segments for pseudo packets
X-Git-Tag: suricata-7.0.0-beta1~565
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=584136ecb7ee1879984aa560b40b1a3a4ab4652e;p=thirdparty%2Fsuricata.git

log/pcap: log segments for pseudo packets
---

diff --git a/src/log-pcap.c b/src/log-pcap.c
index 9d54a93f23..5cb4c30626 100644
--- a/src/log-pcap.c
+++ b/src/log-pcap.c
@@ -236,10 +236,6 @@ static int PcapLogCondition(ThreadVars *tv, void *thread_data, const Packet *p)
 {
 PcapLogThreadData *ptd = (PcapLogThreadData *)thread_data;

- if (p->flags & PKT_PSEUDO_STREAM_END) {
- return FALSE;
- }
-
 /* Log alerted flow or tagged flow */
 switch (ptd->pcap_log->conditional) {
 case LOGMODE_COND_ALL:
@@ -260,6 +256,10 @@ static int PcapLogCondition(ThreadVars *tv, void *thread_data, const Packet *p)
 break;
 }

+ if (p->flags & PKT_PSEUDO_STREAM_END) {
+ return FALSE;
+ }
+
 if (IS_TUNNEL_PKT(p) && !IS_TUNNEL_ROOT_PKT(p)) {
 return FALSE;
 }
@@ -602,11 +602,8 @@ static int PcapLog (ThreadVars *t, void *thread_data, const Packet *p)
 PcapLogThreadData *td = (PcapLogThreadData *)thread_data;
 PcapLogData *pl = td->pcap_log;

- if ((p->flags & PKT_PSEUDO_STREAM_END) ||
- ((p->flags & PKT_STREAM_NOPCAPLOG) &&
- (pl->use_stream_depth == USE_STREAM_DEPTH_ENABLED)) ||
- (pl->honor_pass_rules && (p->flags & PKT_NOPACKET_INSPECTION)))
- {
+ if (((p->flags & PKT_STREAM_NOPCAPLOG) && (pl->use_stream_depth == USE_STREAM_DEPTH_ENABLED)) ||
+ (pl->honor_pass_rules && (p->flags & PKT_NOPACKET_INSPECTION))) {
 return TM_ECODE_OK;
 }

@@ -696,6 +693,11 @@ static int PcapLog (ThreadVars *t, void *thread_data, const Packet *p)
 #else
 PcapLogDumpSegments(td, NULL, p);
 #endif
+ if (p->flags & PKT_PSEUDO_STREAM_END) {
+ PcapLogUnlock(pl);
+ return TM_ECODE_OK;
+ }
+
 /* PcapLogDumpSegment has writtens over the PcapLogData variables so need to update */
 pl->h->ts.tv_sec = p->ts.tv_sec;
 pl->h->ts.tv_usec = p->ts.tv_usec;
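Review bot: In the second hunk (`@@ -260,6 +256,10 @@`), the position of the `PKT_PSEUDO_STREAM_END` check is now load-bearing but carries no comment. Sitting after the switch on `ptd->pcap_log->conditional`, it only filters pseudo packets for cases that `break` out of the switch, of which `LOGMODE_COND_ALL` is the visible one. Cases that return from inside the switch presumably decide on their own, but their bodies are outside the hunk. I would add `/* pseudo stream-end packets pass only when a conditional mode accepted them above; never in LOGMODE_COND_ALL */` above the `if`, so a later cleanup does not move it back to the top and silently stop the end-of-flow segment logging.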
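Review bot: In the third hunk (`@@ -602,11 +602,8 @@`), dropping `PKT_PSEUDO_STREAM_END` from the guard means a pseudo packet now runs everything between this point and the new early return near line 693. That stretch of `PcapLog` is outside the hunk. If it bumps per-packet counters, sizes the record header from the packet, or evaluates file rotation, a pseudo packet that is never written as a record would still be accounted for; please confirm this. A short comment at the guard, e.g. `/* pseudo stream-end packets continue: they only flush pending segments below */`, would also make the intent clear to the next reader.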
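Review bot: In the fourth hunk (`@@ -696,6 +693,11 @@`), the new return for `PKT_PSEUDO_STREAM_END` only takes effect if control actually reaches the line after `PcapLogDumpSegments`. The enclosing block starts outside the hunk; if it is conditional (an inference, not visible here), a pseudo packet that skips it would fall through to the normal packet write with no real payload. Either place a second guard before the generic write path, or add a comment stating why a pseudo packet always enters this block. The early exit also repeats `PcapLogUnlock(pl)` by hand; routing it through a single unlock-and-return path would keep the lock release from being missed if more exits are added.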