From 95b126f65ad2335822431c2a98ce168edb0071c6 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 11 Mar 2024 13:39:50 -0400 Subject: [PATCH] Suricata PCAP Docs --- suricata.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/suricata.rst b/suricata.rst index 41d84587..fa66ca86 100644 --- a/suricata.rst +++ b/suricata.rst @@ -40,6 +40,11 @@ EXTERNAL_NET By default, EXTERNAL_NET is set to ``any`` (which includes ``HOME_NET``) to detect lateral movement inside your environment. You can modify this default value by going to :ref:`administration` --> Configuration --> suricata --> config --> vars --> address-groups --> EXTERNAL_NET. +PCAP +---- + +Starting in 2.4.60, users now have the option to migrate PCAP to be captured by Suricata instead of Stenographer. This feature is in BETA There are 2 modes for Suricata PCAP. The first mode is TRANSITION that will keep Stenographer running but not capturing traffic. This allows for retrieval of PCAP frmo older PCAP stored in Steno as well as new PCAP generated from Suricata. + Performance -----------
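Review bot: The added PCAP paragraph states "There are 2 modes for Suricata PCAP" but only the first mode, TRANSITION, is named and described; the second mode is missing, so the section reads as incomplete. Please name the second mode and say how it differs, in particular whether PCAP already stored in Stenographer is still retrievable in that mode, since the TRANSITION text is the only place that mentions retrieval of older PCAP. In the same paragraph, "This feature is in BETA" has no closing period and runs into the next sentence, and "frmo" should be "from". The paragraph also does not say where the option is set, whereas the EXTERNAL_NET paragraph directly above it gives the full :ref:`administration` --> Configuration path; a matching path here would make the section usable on its own.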