pcap: refactor delete-when-done to support non-alerts

doc/userguide/capture-hardware/pcap-file.rst

@@ -15,6 +15,8 @@ Configuration
     checksum-checks: auto
     # buffer-size: 128 KiB
     # tenant-id: none
+    # Applies to file and directory. Options: false (no deletion), true (always delete),
+    #   "non-alerts" (delete only files with no alerts)
     # delete-when-done: false
     # recursive: false
     # continuous: false
@@ -85,9 +87,22 @@ Other options
 
 **delete-when-done**
 
-- If ``true``, Suricata deletes the PCAP file after processing.
-- The command-line option is
-  :ref:`--pcap-file-delete <cmdline-option-pcap-file-delete>`
+Controls when PCAP files are deleted after processing. Three values are supported:
+
+- ``false`` (default): Files are never deleted
+- ``true``: Files are always deleted after processing
+- ``"non-alerts"``: Files are deleted only if they didn't generate any alerts
+
+.. note::
+
+   The command-line option :ref:`--pcap-file-delete <cmdline-option-pcap-file-delete>`
+   overrides this configuration and forces "always delete" mode (``true``).
+
+.. warning::
+
+   When using ``"non-alerts"`` mode, file deletion is deferred until thread
+   cleanup to ensure alert counts are finalized. This may delay deletion
+   compared to other modes.
 
 **BPF filter**
 

doc/userguide/partials/options.rst

@@ -80,10 +80,23 @@
 
 .. option:: --pcap-file-delete
 
-   Used with the -r option to indicate that the mode should delete pcap files
-   after they have been processed. This is useful with pcap-file-continuous to
-   continuously feed files to a directory and have them cleaned up when done. If
-   this option is not set, pcap files will not be deleted after processing.
+   Used with the -r option to force deletion of pcap files after they have been
+   processed. This is useful with pcap-file-continuous to continuously feed files
+   to a directory and have them cleaned up when done.
+
+   **command-line vs Configuration**: This command-line option overrides the
+   ``pcap-file.delete-when-done`` configuration option in ``suricata.yaml`` and
+   forces "always delete" mode (equivalent to ``delete-when-done: true``).
+
+   **For more control**, use the ``pcap-file.delete-when-done`` configuration
+   option instead, which supports three values:
+
+   - ``false`` (default): No files are deleted
+   - ``true``: All files are deleted after processing  
+   - ``"non-alerts"``: Only files that generated no alerts are deleted
+
+   If neither ``--pcap-file-delete`` nor ``delete-when-done`` is configured, 
+   pcap files will not be deleted after processing.
 
 .. _cmdline-option-pcap-file-buffer-size:
 

src/detect-engine-alert.c

@@ -37,6 +37,7 @@
 #include "util-validate.h"
 
 #include "action-globals.h"
+#include "source-pcap-file-helper.h"
 
 /** tag signature we use for tag alerts */
 static Signature g_tag_signature;
@@ -597,6 +598,26 @@ void PacketAlertFinalize(const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *d
             p->flags |= PKT_FIRST_ALERTS;
         }
     }
+
+    /* For pcap-file mode: any packet tied to a pcap file that produced
+     * alerts should increment that file's alert counter. This ensures
+     * delete-when-done: "non-alerts" does not delete files with stream-
+     * only or pseudo-packet alerts. */
+    if (p->alerts.cnt > 0) {
+        /* Best-effort attribute to current pcap file if not already set */
+        if (p->pcap_v.pfv == NULL) {
+            PcapFileFileVars *cur = PcapFileGetCurrentPfv();
+            if (cur == NULL) {
+                cur = PcapFileGetCurrentPfvGlobal();
+            }
+            if (cur != NULL) {
+                p->pcap_v.pfv = cur;
+            }
+        }
+        if (p->pcap_v.pfv != NULL) {
+            PcapFileAddAlertCount(p->pcap_v.pfv, p->alerts.cnt);
+        }
+    }
 }
 
 #ifdef UNITTESTS

src/flow-timeout.c

@@ -65,6 +65,8 @@
 
 #include "util-profiling.h"
 
+#include "source-pcap-file-helper.h"
+
 /**
  * \internal
  * \brief Pseudo packet setup to finish a flow when needed.
@@ -105,6 +107,18 @@ static inline Packet *FlowPseudoPacketSetup(
     p->payload = NULL;
     p->payload_len = 0;
 
+    /* In pcap-file mode, associate pseudo end-of-flow packets with the
+     * current file so their alerts are counted via PacketAlertFinalize. */
+    {
+        PcapFileFileVars *pfv = PcapFileGetCurrentPfv();
+        if (pfv != NULL) {
+            p->pcap_v.pfv = pfv;
+            p->ReleasePacket = PcapFileReleasePseudoPacket;
+            /* Hold a ref so deletion defers until pseudo is released */
+            SC_ATOMIC_ADD(pfv->ref_cnt, 1);
+        }
+    }
+
     /* apply reversed flow logic after setting direction to the packet */
     direction ^= ((f->flags & FLOW_DIR_REVERSED) != 0);
 

src/runmode-unittests.c

@@ -115,6 +115,7 @@
 #include "decode-vntag.h"
 #include "decode-vxlan.h"
 #include "decode-pppoe.h"
+#include "source-pcap-file-helper.h"
 
 #include "output-json-stats.h"
 
@@ -210,6 +211,7 @@ static void RegisterUnittests(void)
     StreamingBufferRegisterTests();
     MacSetRegisterTests();
     FlowRateRegisterTests();
+    SourcePcapFileHelperRegisterTests();
 #ifdef OS_WIN32
     Win32SyscallRegisterTests();
 #endif