pcap: refactor delete-when-done to support non-alerts

doc/userguide/capture-hardware/pcap-file.rst

@@ -15,6 +15,8 @@ Configuration
     checksum-checks: auto
     # buffer-size: 128 KiB
     # tenant-id: none
+    # Applies to file and directory. Options: false (no deletion), true (always delete),
+    #   "non-alerts" (delete only files with no alerts)
     # delete-when-done: false
     # recursive: false
     # continuous: false
@@ -85,9 +87,22 @@ Other options
 
 **delete-when-done**
 
-- If ``true``, Suricata deletes the PCAP file after processing.
-- The command-line option is
-  :ref:`--pcap-file-delete <cmdline-option-pcap-file-delete>`
+Controls when PCAP files are deleted after processing. Three values are supported:
+
+- ``false`` (default): Files are never deleted
+- ``true``: Files are always deleted after processing
+- ``"non-alerts"``: Files are deleted only if they didn't generate any alerts
+
+.. note::
+
+   The command-line option :ref:`--pcap-file-delete <cmdline-option-pcap-file-delete>`
+   overrides this configuration and forces "always delete" mode (``true``).
+
+.. warning::
+
+   When using ``"non-alerts"`` mode, file deletion is deferred until thread
+   cleanup to ensure alert counts are finalized. This may delay deletion
+   compared to other modes.
 
 **BPF filter**
 

doc/userguide/partials/options.rst

@@ -80,10 +80,23 @@
 
 .. option:: --pcap-file-delete
 
-   Used with the -r option to indicate that the mode should delete pcap files
-   after they have been processed. This is useful with pcap-file-continuous to
-   continuously feed files to a directory and have them cleaned up when done. If
-   this option is not set, pcap files will not be deleted after processing.
+   Used with the -r option to force deletion of pcap files after they have been
+   processed. This is useful with pcap-file-continuous to continuously feed files
+   to a directory and have them cleaned up when done.
+
+   **command-line vs Configuration**: This command-line option overrides the
+   ``pcap-file.delete-when-done`` configuration option in ``suricata.yaml`` and
+   forces "always delete" mode (equivalent to ``delete-when-done: true``).
+
+   **For more control**, use the ``pcap-file.delete-when-done`` configuration
+   option instead, which supports three values:
+
+   - ``false`` (default): No files are deleted
+   - ``true``: All files are deleted after processing  
+   - ``"non-alerts"``: Only files that generated no alerts are deleted
+
+   If neither ``--pcap-file-delete`` nor ``delete-when-done`` is configured, 
+   pcap files will not be deleted after processing.
 
 .. _cmdline-option-pcap-file-buffer-size:
 

src/Makefile.am

@@ -618,6 +618,7 @@ noinst_HEADERS = \
 	win32-misc.h \
 	win32-service.h \
 	win32-syscall.h \
+	capture-hooks.h \
 	win32-syslog.h
 
 libsuricata_c_a_SOURCES = \
@@ -1204,7 +1205,8 @@ libsuricata_c_a_SOURCES = \
 	util-var.c \
 	win32-misc.c \
 	win32-service.c \
-	win32-syscall.c
+	win32-syscall.c \
+	capture-hooks.c
 
 EXTRA_DIST = \
 	${PRIVATE_INCLUDES} \

src/capture-hooks.c

@@ -0,0 +1,26 @@
+#include "suricata-common.h"
+#include "capture-hooks.h"
+
+static CaptureOnPacketWithAlertsHook g_on_alerts_hook = NULL;
+static CaptureOnPseudoPacketCreatedHook g_on_pseudo_created_hook = NULL;
+
+void CaptureHooksSet(
+        CaptureOnPacketWithAlertsHook on_alerts, CaptureOnPseudoPacketCreatedHook on_pseudo_created)
+{
+    g_on_alerts_hook = on_alerts;
+    g_on_pseudo_created_hook = on_pseudo_created;
+}
+
+void CaptureHooksOnPacketWithAlerts(const Packet *p)
+{
+    if (g_on_alerts_hook != NULL) {
+        g_on_alerts_hook(p);
+    }
+}
+
+void CaptureHooksOnPseudoPacketCreated(Packet *p)
+{
+    if (g_on_pseudo_created_hook != NULL) {
+        g_on_pseudo_created_hook(p);
+    }
+}

src/capture-hooks.h

@@ -0,0 +1,20 @@
+#ifndef SURICATA_CAPTURE_HOOKS_H
+#define SURICATA_CAPTURE_HOOKS_H
+
+#include "suricata-common.h"
+
+struct Packet_;
+typedef struct Packet_ Packet;
+
+typedef void (*CaptureOnPacketWithAlertsHook)(const Packet *p);
+typedef void (*CaptureOnPseudoPacketCreatedHook)(Packet *p);
+
+/* Register/clear hooks (called by capture implementations) */
+void CaptureHooksSet(CaptureOnPacketWithAlertsHook on_alerts,
+        CaptureOnPseudoPacketCreatedHook on_pseudo_created);
+
+/* Invoke hooks (called from generic code, safe if unset) */
+void CaptureHooksOnPacketWithAlerts(const Packet *p);
+void CaptureHooksOnPseudoPacketCreated(Packet *p);
+
+#endif /* SURICATA_CAPTURE_HOOKS_H */

src/detect-engine-alert.c

@@ -37,6 +37,7 @@
 #include "util-validate.h"
 
 #include "action-globals.h"
+#include "capture-hooks.h"
 
 /** tag signature we use for tag alerts */
 static Signature g_tag_signature;
@@ -597,6 +598,12 @@ void PacketAlertFinalize(const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *d
             p->flags |= PKT_FIRST_ALERTS;
         }
     }
+
+    /* Notify capture layer about packets with alerts, capture impl may
+     * update per-capture context (e.g. pcap-file alert counts). */
+    if (p->alerts.cnt > 0) {
+        CaptureHooksOnPacketWithAlerts(p);
+    }
 }
 
 #ifdef UNITTESTS

src/runmode-unittests.c

@@ -115,6 +115,7 @@
 #include "decode-vntag.h"
 #include "decode-vxlan.h"
 #include "decode-pppoe.h"
+#include "source-pcap-file-helper.h"
 
 #include "output-json-stats.h"
 
@@ -210,6 +211,7 @@ static void RegisterUnittests(void)
     StreamingBufferRegisterTests();
     MacSetRegisterTests();
     FlowRateRegisterTests();
+    SourcePcapFileHelperRegisterTests();
 #ifdef OS_WIN32
     Win32SyscallRegisterTests();
 #endif