From 4e23d61f89065da6baeb66d0be400cdbeb050681 Mon Sep 17 00:00:00 2001
From: Seth Grover <seth.d.grover@gmail.com>
Date: Wed, 22 Jan 2025 07:24:52 -0700
Subject: [PATCH] fix logic for autoarkime/forcearkime

---
 shared/bin/pcap_processor.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/shared/bin/pcap_processor.py b/shared/bin/pcap_processor.py
index 32a47d93c..aee26ca76 100755
--- a/shared/bin/pcap_processor.py
+++ b/shared/bin/pcap_processor.py
@@ -169,11 +169,18 @@ def arkimeCaptureFileWorker(arkimeWorkerArgs):
                 if os.path.isfile(fileInfo[FILE_INFO_DICT_NAME]):
                     # Arkime this PCAP if it's tagged "AUTOARKIME" or if the global autoArkime flag is turned on.
                     if (
-                        forceArkime
-                        or autoArkime
+                        autoArkime
                         or (
                             (FILE_INFO_DICT_TAGS in fileInfo) and ARKIME_AUTOARKIME_TAG in fileInfo[FILE_INFO_DICT_TAGS]
                         )
+                    ) and (
+                        forceArkime
+                        or (
+                            not any(
+                                os.path.basename(fileInfo[FILE_INFO_DICT_NAME]).startswith(prefix)
+                                for prefix in ('mnetsniff', 'mtcpdump')
+                            )
+                        )
                     ):
                         # finalize tags list
                         fileInfo[FILE_INFO_DICT_TAGS] = (