Skip to content

pcap: refactor delete-when-done to support non-alerts; handle pseudo-… #14442

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
oferda4 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

pcap: refactor delete-when-done to support non-alerts; handle pseudo-… #14442

oferda4 wants to merge 1 commit into from

Conversation

@oferda4
Copy link

@oferda4 oferda4 commented Dec 8, 2025

Make sure these boxes are checked accordingly before submitting your Pull Request -- thank you.

Contribution style:

Our Contribution agreements:

Changes (if applicable):

Describe changes:
Allowing change the behaviour of --pcap-file-delete to only delete pcaps with no alerts via config.

Previous PR: #14151
Changes:

  • Merged duplicate p->alerts.cnt > 0 checks.
  • Removed erroneous hook call.
  • Replaced attribute((constructor)).
  • Simplified TLS to single global pointer.
  • Fixed pass-rule alert counting.
  • Fixed unit test.

Provide values to any of the below to override the defaults.

  • To use a Suricata-Verify or Suricata-Update pull request,
    link to the pull request in the respective _BRANCH variable.
  • Leave unused overrides blank or remove.

SV_BRANCH=OISF/suricata-verify#2799

@oferda4
pcap: refactor delete-when-done to support non-alerts; handle pseudo-…
f56d27b 
…packet alerts

Refactor pcap file deletion to use a single delete-when-done option
with three values instead of separate boolean options:
- false (default): No deletion
- true: Always delete files
- "non-alerts": Delete only files with no alerts

Also account for alerts produced by pseudo packets (flow timeout / shutdown flush):
- Introduce small capture hooks and invoke on pseudo-packet creation so the
  capture layer can retain references and observe alerts emitted after the last
  live packet
- Call the hook from both TmThreadDisableReceiveThreads and TmThreadDrainPacketThreads

Key changes:
- Replace should_delete/delete_non_alerts_only bools with enum
- Move alert counter from global to per-file PcapFileFileVars
- Relocate alert counting from PacketAlertFinalize to pcap module
- Ensure thread safety for both single and continuous pcap modes
- Add unit tests for configuration parsing and pseudo-packet alert path

The --pcap-file-delete command line option overrides YAML config
and forces "always delete" mode for backward compatibility.

Documentation updated to reflect the new three-value configuration.

Fixes OISF#7786
@oferda4 oferda4 requested review from a team, jufajardini and victorjulien as code owners December 8, 2025 19:21
@oferda4 oferda4 mentioned this pull request Dec 9, 2025
Open
@github-actions
Copy link

github-actions bot commented Dec 9, 2025

NOTE: This PR may contain new authors.

@codecov
Copy link

codecov bot commented Dec 9, 2025

Codecov Report

❌ Patch coverage is 98.57820% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 84.22%. Comparing base (354e998) to head (f56d27b).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #14442      +/-   ##
==========================================
+ Coverage   84.20%   84.22%   +0.02%     
==========================================
  Files        1013     1014       +1     
  Lines      262383   262788     +405     
==========================================
+ Hits       220936   221345     +409     
+ Misses      41447    41443       -4
Flag Coverage Δ
fuzzcorpus 63.17% <51.40%> (-0.02%) ⬇️
livemode 18.72% <2.80%> (-0.04%) ⬇️
pcap 44.62% <78.50%> (+0.01%) ⬆️
suricata-verify 64.98% <86.91%> (+<0.01%) ⬆️
unittests 59.29% <90.75%> (+0.05%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

catenacyber
catenacyber reviewed Dec 18, 2025
View reviewed changes
doc/userguide/partials/options.rst

**For more control**, use the ``pcap-file.delete-when-done`` configuration
option instead, which supports three values:

Copy link
Contributor

@catenacyber catenacyber Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit extra space

catenacyber
catenacyber reviewed Dec 18, 2025
View reviewed changes
Copy link
Contributor

@catenacyber catenacyber left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the big work :-)

CI : ✅
Code : was the capture hooks design validated ? Does it mean that one alert on flow timeout can belong to multiple pcaps ?
Commits segmentation : ok... was it not possible to split in smaller commits ?
Commit messages : really good
Git ID set : looks fine for me
CLA : you say you signed it
Doc update : looks good to me
Redmine ticket : ok
Rustfmt : no rust
Tests : put some comments there, but look good
Dependencies added: none

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@catenacyber catenacyber catenacyber left review comments

@jufajardini jufajardini Awaiting requested review from jufajardini jufajardini is a code owner

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@oferda4 @catenacyber