The manual describes the performance implications of using this feature and how it enables you to view the offending packet data in MARS. But as I understand after some three months' usage, it's the alert action "produce verbose alert" on the IDSM that produces the trigger packet and context packet...not the "Pull IP logs" option. I've been trying this option out a few times but it gives me no difference.
Does anyone have a better understanding of this function? I sort of hoped MARS would download a pcap file and include it as a link in the raw packet view, but it seems that was wishful thinking.