From e891ef3d4ed414987b485d88ac144e5d6fb981f0 Mon Sep 17 00:00:00 2001 From: jason taylor Date: Wed, 31 Jan 2024 14:51:58 +0000 Subject: [PATCH] doc: add pcap file logging variable details Signed-off-by: jason taylor --- doc/userguide/configuration/suricata-yaml.rst | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst index c04573778b..920be73530 100644 --- a/doc/userguide/configuration/suricata-yaml.rst +++ b/doc/userguide/configuration/suricata-yaml.rst @@ -505,6 +505,27 @@ the alert. mode: normal # "normal" or multi conditional: alerts +In ``normal`` mode a pcap file "filename" is created in the default-log-dir or as +specified by "dir". ``normal`` mode is generally not as performant as ``multi`` +mode. + +In multi mode, multiple pcap files are created (per thread) which performs +better than ``normal`` mode. + +In multi mode the filename takes a few special variables: + - %n representing the thread number + - %i representing the thread id + - %t representing the timestamp (secs or secs.usecs based on 'ts-format') + + Example: filename: pcap.%n.%t + +.. note:: It is possible to use directories but the directories are not + created by Suricata. For example ``filename: pcaps/%n/log.%s`` will log into + the pre-existing ``pcaps`` directory and per thread sub directories. + +.. note:: that the limit and max-files settings are enforced per thread. So the + size limit using 8 threads with 1000mb files and 2000 files is about 16TiB. + Verbose Alerts Log (alert-debug.log) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
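Review bot: The first ``.. note::`` contradicts the variable list just above it: the example ``filename: pcaps/%n/log.%s`` uses ``%s``, but the only variables the new text documents are ``%n``, ``%i`` and ``%t``. Either change the example to ``log.%t`` or add ``%s`` to the list if it is a supported variable; as written a reader cannot tell which is correct. Two RST points in the same region: the bullet list (``- %n ...``) and the ``Example:`` line are indented under the paragraph "In multi mode the filename takes a few special variables:" with no blank line before them, which Sphinx reports as "Unexpected indentation" rather than rendering as a list, so add a blank line before the list and put the example at paragraph level (or in a ``::`` literal block) with a blank line around it. The second note reads ".. note:: that the limit and max-files settings are enforced per thread", leaving the rendered text starting with a lowercase "that"; drop the word so the note opens with "The limit and max-files settings ...". Minor consistency: the first paragraph marks up ``normal`` and ``multi`` with double backticks but "filename" and "dir" with plain quotes, and "In multi mode" later appears without markup; pick one style for YAML keys and mode names throughout the added block.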