diff --git a/src/flow-manager.c b/src/flow-manager.c
index 2a30fdcddc..0ccbea80f8 100644
--- a/src/flow-manager.c
+++ b/src/flow-manager.c
@@ -67,8 +67,6 @@
 #include "output-flow.h"
-#define FLOW_BYPASSED_TIMEOUT 6
-
 /* Run mode selected at suricata.c */
 extern int run_mode;
diff --git a/src/flow-private.h b/src/flow-private.h
index c1323db3b0..a523f6a07c 100644
--- a/src/flow-private.h
+++ b/src/flow-private.h
@@ -57,6 +57,8 @@
 #define FLOW_IPPROTO_ICMP_EMERG_NEW_TIMEOUT 10
 #define FLOW_IPPROTO_ICMP_EMERG_EST_TIMEOUT 100
+#define FLOW_BYPASSED_TIMEOUT 6
+
 enum {
 FLOW_PROTO_TCP = 0,
 FLOW_PROTO_UDP,
diff --git a/src/flow.c b/src/flow.c
index 8c82424c3c..3718d5c9fb 100644
--- a/src/flow.c
+++ b/src/flow.c
@@ -228,6 +228,13 @@ void FlowHandlePacketUpdate(Flow *f, Packet *p)
 if (state != FLOW_STATE_CAPTURE_BYPASSED) {
 /* update the last seen timestamp of this flow */
 COPY_TIMESTAMP(&p->ts, &f->lastts);
+ } else {
+ /* still seeing packet, we downgrade to local bypass */
+ if (p->ts.tv_sec - f->lastts.tv_sec > FLOW_BYPASSED_TIMEOUT / 2) {
+ SCLogDebug("Downgrading flow to local bypass");
+ COPY_TIMESTAMP(&p->ts, &f->lastts);
+ FlowUpdateState(f, FLOW_STATE_LOCAL_BYPASSED);
+ }
 }
 /* update flags and counters */
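Review bot: The downgrade in the new `else` branch of FlowHandlePacketUpdate (flow.c hunk) is reported only through `SCLogDebug`, which is typically compiled out of non-debug builds, so a production sensor gives no sign that a capture-bypassed flow is still delivering packets. Since the flow moves to local bypass and presumably stays uninspected, a counter or a logged flow-state change would let operators see when the capture-level bypass is not taking effect; the hunk does not show which stats context is reachable from this function. The threshold also needs a comment, for example `/* packets still arriving more than half the bypass timeout after hand-off: the capture bypass did not take effect */`, because neither `FLOW_BYPASSED_TIMEOUT / 2` nor the seconds-only comparison on `tv_sec` is explained. The function body starts and ends outside the hunk.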