From: Eric Leblond Date: Thu, 25 Feb 2021 21:50:01 +0000 (+0100) Subject: log/pcap: fix conditional pcap in tag mode X-Git-Tag: suricata-7.0.0-beta1~566 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8f0ef48e82fa8f30fa17b0536a9c15f8cd4dddc9;p=thirdparty%2Fsuricata.git log/pcap: fix conditional pcap in tag mode We were missing the first packet when using condition pcap logging in tag mode as it was not tagged. As a result we were not getting the stream data triggering the alert in the pcap file. --- diff --git a/src/log-pcap.c b/src/log-pcap.c index 88c4f14be3..9d54a93f23 100644 --- a/src/log-pcap.c +++ b/src/log-pcap.c @@ -252,7 +252,7 @@ static int PcapLogCondition(ThreadVars *tv, void *thread_data, const Packet *p) } break; case LOGMODE_COND_TAG: - if (p->flags & PKT_HAS_TAG) { + if (p->flags & (PKT_HAS_TAG | PKT_FIRST_TAG)) { return TRUE; } else { return FALSE;
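Review bot: the `LOGMODE_COND_TAG` condition in `PcapLogCondition()` now tests `PKT_FIRST_TAG` as well, but nothing in the code says why; the reason (the first packet is not tagged, so it was missing from the pcap) is recorded only in the commit message. Add a short comment above `if (p->flags & (PKT_HAS_TAG | PKT_FIRST_TAG)) {` stating that `PKT_FIRST_TAG` covers the packet that triggered the alert, so the second flag is not later dropped as redundant. A regression test that runs conditional pcap logging in tag mode and checks that the alert-triggering packet appears in the written file would also help keep this fixed.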