log/pcap: introduce tag as logging condition

This patch adds the tag as logging condition. If this option is
used all tagged packets are written to the pcap.

src/log-pcap.c

@@ -79,7 +79,8 @@
 
 typedef enum LogModeConditionalType_ {
     LOGMODE_COND_ALL,
-    LOGMODE_COND_ALERTS
+    LOGMODE_COND_ALERTS,
+    LOGMODE_COND_TAG
 } LogModeConditionalType;
 
 #define RING_BUFFER_MODE_DISABLED       0
@@ -237,13 +238,25 @@ static int PcapLogCondition(ThreadVars *tv, void *thread_data, const Packet *p)
     if (p->flags & PKT_PSEUDO_STREAM_END) {
         return FALSE;
     }
-    /* Log alerted flow */
-    if (ptd->pcap_log->conditional == LOGMODE_COND_ALERTS) {
-        if (p->alerts.cnt || (p->flow && FlowHasAlerts(p->flow))) {
-            return TRUE;
-        } else {
-            return FALSE;
-        }
+
+    /* Log alerted flow or tagged flow */
+    switch (ptd->pcap_log->conditional) {
+        case LOGMODE_COND_ALL:
+            break;
+        case LOGMODE_COND_ALERTS:
+            if (p->alerts.cnt || (p->flow && FlowHasAlerts(p->flow))) {
+                return TRUE;
+            } else {
+                return FALSE;
+            }
+            break;
+        case LOGMODE_COND_TAG:
+            if (p->flags & PKT_HAS_TAG) {
+                return TRUE;
+            } else {
+                return FALSE;
+            }
+            break;
     }
 
     if (IS_TUNNEL_PKT(p) && !IS_TUNNEL_ROOT_PKT(p)) {
@@ -680,7 +693,7 @@ static int PcapLog (ThreadVars *t, void *thread_data, const Packet *p)
 
     /* if we are using alerted logging and if packet is first one with alert in flow
      * then we need to dump in the pcap the stream acked by the packet */
-    if ((p->flags & PKT_FIRST_ALERTS) && (td->pcap_log->conditional == LOGMODE_COND_ALERTS)) {
+    if ((p->flags & PKT_FIRST_ALERTS) && (td->pcap_log->conditional != LOGMODE_COND_ALL)) {
         if (PKT_IS_TCP(p)) {
             /* dump fake packets for all segments we have on acked by packet */
 #ifdef HAVE_LIBLZ4
@@ -1557,10 +1570,13 @@ static OutputInitResult PcapLogInitCtx(ConfNode *conf)
             if (strcasecmp(s_conditional, "alerts") == 0) {
                 pl->conditional = LOGMODE_COND_ALERTS;
                 EnableTcpSessionDumping();
+            } else if (strcasecmp(s_conditional, "tag") == 0) {
+                pl->conditional = LOGMODE_COND_TAG;
+                EnableTcpSessionDumping();
             } else if (strcasecmp(s_conditional, "all") != 0) {
                 FatalError(SC_ERR_INVALID_ARGUMENT,
                         "log-pcap: invalid conditional \"%s\". Valid options: \"all\", "
-                        "or \"alerts\" mode ",
+                        "\"alerts\", or \"tag\" mode ",
                         s_conditional);
             }
         }

suricata.yaml.in

@@ -402,7 +402,8 @@ outputs:
       #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
       use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
       honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged.
-      # Use "all" to log all packets or use "alerts" to log only alerted packets and flows
+      # Use "all" to log all packets or use "alerts" to log only alerted packets and flows or "tag"
+      # to log only flow tagged via the "tag" keyword
       #conditional: all
 
   # a full alert log containing much information for signature writers