Throttle Triggered Precision PCAP

I’m working on a trigger that will start a precision PCAP if a ThreatIntel IP address performs an HTTP connection with specific attributes.

However, given the number of ThreatIntel IP addresses, I’d like to throttle the number of precision PCAPs running at any given time. For example:

if (noPCAP > 20) {
    return;
}
// <code to start PCAP>

I’ve written code that adds and increments a Session key when a PCAP is started, but I’m struggling with linking the initial key value to the number of running captures when the trigger starts.

Am I missing something, or is there no way to check the number of already running captures at the start of a trigger?

There is not a way to determine the number of already running captures in the Trigger. The docs do state, however:

There is a maximum of 128 concurrent packet captures in the system. If that limit is reached, subsequent calls to Flow.captureStart() will generate a warning visible in the debug log, but the trigger will continue to execute.

When you make a call to captureStart(), it will return null if the capture failed to start.

If you are not already, I would utilize the various options in captureStart() to limit the amount of packets each PPCAP contains. Are there any criteria where you could explicitly call captureStop()?
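An added example, not code from this thread or from ExtraHop, of the throttle pattern the answer points at: keep a running-capture count in a shared key, treat a null return from captureStart() as "not started", and release the slot when captureStop() is called. The flow and session objects below are constructed stand-ins that only mimic the behaviour described above (they are not the trigger runtime API), and the key name ppcap_running and both limits are assumptions.

```javascript
// Added example (not from the thread): throttling precision captures.
const MAX_PPCAP = 20;       // local throttle chosen by the trigger author
const SYSTEM_LIMIT = 128;   // system-wide cap quoted from the docs

function makeSession() {
  // Stand-in for a shared key/value store; a real trigger would keep the
  // counter in a session-table key so every flow sees the same value.
  const store = new Map();
  return {
    lookup: (k) => (store.has(k) ? store.get(k) : 0),
    replace: (k, v) => store.set(k, v),
  };
}

function makeFlow(systemActive = { n: 0 }) {
  // Stand-in for the capture API: returns the capture name on success and
  // null once the simulated system limit is reached, as the docs describe.
  return {
    captureStart(name) {
      if (systemActive.n >= SYSTEM_LIMIT) return null;
      systemActive.n += 1;
      return name;
    },
    captureStop() {
      systemActive.n = Math.max(0, systemActive.n - 1);
    },
  };
}

// Try to start a throttled capture; returns true only if one was started.
function startThrottledCapture(session, flow, name) {
  const running = session.lookup("ppcap_running");
  if (running >= MAX_PPCAP) return false;   // throttle hit: skip this flow
  const started = flow.captureStart(name);
  if (started === null) return false;       // failed to start: do not count it
  session.replace("ppcap_running", running + 1);
  return true;
}

// Release a slot when a capture is stopped; never lets the count go negative.
function stopThrottledCapture(session, flow) {
  flow.captureStop();
  const running = session.lookup("ppcap_running");
  session.replace("ppcap_running", Math.max(0, running - 1));
}
```

Captures that end on their own (for example by hitting a packet limit) never pass through stopThrottledCapture, so the counter can drift upward over time; a real trigger needs an expiry on the key or an explicit captureStop() path to hand slots back.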

I’m already limiting the number of packets captured in each PPCAP; the problem is with limiting the number of PPCAPs initiated.

I’ll look at criteria for captureStop() and see if there’s anything that works.