suricata
log-pcap.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2014 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 
19 /**
20  * \file
21  *
22  * \author William Metcalf <William.Metcalf@gmail.com>
23  * \author Victor Julien <victor@inliniac.net>
24  *
25  * Pcap packet logging module.
26  */
27 
28 #include "suricata-common.h"
29 #include "util-fmemopen.h"
30 
31 #ifdef HAVE_LIBLZ4
32 #include <lz4frame.h>
33 #endif /* HAVE_LIBLZ4 */
34 
35 #if defined(HAVE_DIRENT_H) && defined(HAVE_FNMATCH_H)
36 #define INIT_RING_BUFFER
37 #include <dirent.h>
38 #include <fnmatch.h>
39 #endif
40 
41 #include "debug.h"
42 #include "detect.h"
43 #include "flow.h"
44 #include "conf.h"
45 
46 #include "threads.h"
47 #include "threadvars.h"
48 #include "tm-threads.h"
49 
50 #include "util-unittest.h"
51 #include "log-pcap.h"
52 #include "decode-ipv4.h"
53 
54 #include "util-error.h"
55 #include "util-debug.h"
56 #include "util-time.h"
57 #include "util-byte.h"
58 #include "util-misc.h"
59 #include "util-cpu.h"
60 #include "util-atomic.h"
61 
62 #include "source-pcap.h"
63 
64 #include "output.h"
65 
66 #include "queue.h"
67 
68 #define DEFAULT_LOG_FILENAME "pcaplog"
69 #define MODULE_NAME "PcapLog"
70 #define MIN_LIMIT 4 * 1024 * 1024
71 #define DEFAULT_LIMIT 100 * 1024 * 1024
72 #define DEFAULT_FILE_LIMIT 0
73 
74 #define LOGMODE_NORMAL 0
75 #define LOGMODE_SGUIL 1
76 #define LOGMODE_MULTI 2
77 
78 #define RING_BUFFER_MODE_DISABLED 0
79 #define RING_BUFFER_MODE_ENABLED 1
80 
81 #define TS_FORMAT_SEC 0
82 #define TS_FORMAT_USEC 1
83 
84 #define USE_STREAM_DEPTH_DISABLED 0
85 #define USE_STREAM_DEPTH_ENABLED 1
86 
87 #define HONOR_PASS_RULES_DISABLED 0
88 #define HONOR_PASS_RULES_ENABLED 1
89 
90 #define PCAP_SNAPLEN 262144
91 
92 SC_ATOMIC_DECLARE(uint32_t, thread_cnt);
93 
94 typedef struct PcapFileName_ {
95  char *filename;
96  char *dirname;
97 
98  /* Like a struct timeval, but with fixed size. This is only used when
99  * seeding the ring buffer on start. */
100  struct {
101  uint64_t secs;
102  uint32_t usecs;
103  };
104 
105  TAILQ_ENTRY(PcapFileName_) next; /**< Pointer to next Pcap File for tailq. */
106 } PcapFileName;
107 
108 typedef struct PcapLogProfileData_ {
109  uint64_t total;
110  uint64_t cnt;
111 } PcapLogProfileData;
112 
113 #define MAX_TOKS 9
114 #define MAX_FILENAMELEN 513
115 
116 enum PcapLogCompressionFormat {
117  PCAP_LOG_COMPRESSION_FORMAT_NONE,
118  PCAP_LOG_COMPRESSION_FORMAT_LZ4,
119 };
120 
121 typedef struct PcapLogCompressionData_ {
122  enum PcapLogCompressionFormat format;
123  uint8_t *buffer;
124  uint64_t buffer_size;
125 #ifdef HAVE_LIBLZ4
126  LZ4F_compressionContext_t lz4f_context;
127  LZ4F_preferences_t lz4f_prefs;
128 #endif /* HAVE_LIBLZ4 */
129  FILE *file;
130  uint8_t *pcap_buf;
131  uint64_t pcap_buf_size;
132  FILE *pcap_buf_wrapper;
133  uint64_t bytes_in_block;
134 } PcapLogCompressionData;
135 
136 /**
137  * PcapLog thread vars
138  *
139  * Used for storing file options.
140  */
141 typedef struct PcapLogData_ {
142  int use_stream_depth; /**< use stream depth i.e. ignore packets that reach limit */
143  int honor_pass_rules; /**< don't log if pass rules have matched */
144  int is_private; /**< TRUE if ctx is thread local */
145  SCMutex plog_lock;
146  uint64_t pkt_cnt; /**< total number of packets */
147  struct pcap_pkthdr *h; /**< pcap header struct */
148  char *filename; /**< current filename */
149  int mode; /**< normal or sguil */
150  int prev_day; /**< last day, for finding out when */
151  uint64_t size_current; /**< file current size */
152  uint64_t size_limit; /**< file size limit */
153  pcap_t *pcap_dead_handle; /**< pcap_dumper_t needs a handle */
154  pcap_dumper_t *pcap_dumper; /**< actually writes the packets */
155  uint64_t profile_data_size; /**< track in bytes how many bytes we wrote */
156  uint32_t file_cnt; /**< count of pcap files we currently have */
157  uint32_t max_files; /**< maximum files to use in ring buffer mode */
158 
159  PcapLogProfileData profile_lock;
160  PcapLogProfileData profile_write;
161  PcapLogProfileData profile_unlock;
162  PcapLogProfileData profile_handles; // open handles
163  PcapLogProfileData profile_close;
164  PcapLogProfileData profile_open;
165  PcapLogProfileData profile_rotate;
166 
167  TAILQ_HEAD(, PcapFileName_) pcap_file_list;
168 
169  uint32_t thread_number; /**< thread number, first thread is 1, second 2, etc */
170  int use_ringbuffer; /**< ring buffer mode enabled or disabled */
171  int timestamp_format; /**< timestamp format sec or usec */
172  char *prefix; /**< filename prefix */
173  const char *suffix; /**< filename suffix */
174  char dir[PATH_MAX]; /**< pcap log directory */
175  int reported;
176  int threads; /**< number of threads (only set in the global) */
177  char *filename_parts[MAX_TOKS];
178  int filename_part_cnt;
179 
180  PcapLogCompressionData compression;
181 } PcapLogData;
182 
183 typedef struct PcapLogThreadData_ {
184  PcapLogData *pcap_log;
185 } PcapLogThreadData;
186 
187 /* Pattern for extracting timestamp from pcap log files. */
188 static const char timestamp_pattern[] = ".*?(\\d+)(\\.(\\d+))?";
189 static pcre *pcre_timestamp_code = NULL;
190 static pcre_extra *pcre_timestamp_extra = NULL;
191 
192 /* global pcap data for when we're using multi mode. At exit we'll
193  * merge counters into this one and then report counters. */
194 static PcapLogData *g_pcap_data = NULL;
195 
196 static int PcapLogOpenFileCtx(PcapLogData *);
197 static int PcapLog(ThreadVars *, void *, const Packet *);
198 static TmEcode PcapLogDataInit(ThreadVars *, const void *, void **);
199 static TmEcode PcapLogDataDeinit(ThreadVars *, void *);
200 static void PcapLogFileDeInitCtx(OutputCtx *);
201 static OutputInitResult PcapLogInitCtx(ConfNode *);
202 static void PcapLogProfilingDump(PcapLogData *);
203 static int PcapLogCondition(ThreadVars *, const Packet *);
204 
205 void PcapLogRegister(void)
206 {
207  OutputRegisterPacketModule(LOGGER_PCAP, MODULE_NAME, "pcap-log",
208  PcapLogInitCtx, PcapLog, PcapLogCondition, PcapLogDataInit,
209  PcapLogDataDeinit, NULL);
210  PcapLogProfileSetup();
211  SC_ATOMIC_INIT(thread_cnt);
212  return;
213 }
214 
215 #define PCAPLOG_PROFILE_START \
216  uint64_t pcaplog_profile_ticks = UtilCpuGetTicks()
217 
218 #define PCAPLOG_PROFILE_END(prof) \
219  (prof).total += (UtilCpuGetTicks() - pcaplog_profile_ticks); \
220  (prof).cnt++
221 
222 static int PcapLogCondition(ThreadVars *tv, const Packet *p)
223 {
224  if (p->flags & PKT_PSEUDO_STREAM_END) {
225  return FALSE;
226  }
227  if (IS_TUNNEL_PKT(p) && !IS_TUNNEL_ROOT_PKT(p)) {
228  return FALSE;
229  }
230  return TRUE;
231 }
232 
233 /**
234  * \brief Function to close pcaplog file
235  *
236  * \param t Thread Variable containing input/output queue, cpu affinity etc.
237  * \param pl PcapLog thread variable.
238  */
239 static int PcapLogCloseFile(ThreadVars *t, PcapLogData *pl)
240 {
241  if (pl != NULL) {
242  PCAPLOG_PROFILE_START;
243 
244  if (pl->pcap_dumper != NULL) {
245  pcap_dump_close(pl->pcap_dumper);
246 #ifdef HAVE_LIBLZ4
247  PcapLogCompressionData *comp = &pl->compression;
248  if (comp->format == PCAP_LOG_COMPRESSION_FORMAT_LZ4) {
249  /* pcap_dump_close() has closed its output ``file'',
250  * so we need to call fmemopen again. */
251 
252  comp->pcap_buf_wrapper = SCFmemopen(comp->pcap_buf,
253  comp->pcap_buf_size, "w");
254  if (comp->pcap_buf_wrapper == NULL) {
255  SCLogError(SC_ERR_FOPEN, "SCFmemopen failed: %s",
256  strerror(errno));
257  return TM_ECODE_FAILED;
258  }
259  }
260 #endif /* HAVE_LIBLZ4 */
261  }
262  pl->size_current = 0;
263  pl->pcap_dumper = NULL;
264 
265  if (pl->pcap_dead_handle != NULL)
266  pcap_close(pl->pcap_dead_handle);
267  pl->pcap_dead_handle = NULL;
268 
269 #ifdef HAVE_LIBLZ4
270  PcapLogCompressionData *comp = &pl->compression;
271  if (comp->format == PCAP_LOG_COMPRESSION_FORMAT_LZ4) {
272  /* pcap_dump_close did not write any data because we call
273  * pcap_dump_flush() after every write when writing
274  * compressed output. */
275  uint64_t bytes_written = LZ4F_compressEnd(comp->lz4f_context,
276  comp->buffer, comp->buffer_size, NULL);
277  if (LZ4F_isError(bytes_written)) {
278  SCLogError(SC_ERR_PCAP_LOG_COMPRESS, "LZ4F_compressEnd: %s",
279  LZ4F_getErrorName(bytes_written));
280  return TM_ECODE_FAILED;
281  }
282  if (fwrite(comp->buffer, 1, bytes_written, comp->file) < bytes_written) {
283  SCLogError(SC_ERR_FWRITE, "fwrite failed: %s", strerror(errno));
284  return TM_ECODE_FAILED;
285  }
286  fclose(comp->file);
287  comp->bytes_in_block = 0;
288  }
289 #endif /* HAVE_LIBLZ4 */
290 
291  PCAPLOG_PROFILE_END(pl->profile_close);
292  }
293 
294  return 0;
295 }
296 
297 static void PcapFileNameFree(PcapFileName *pf)
298 {
299  if (pf != NULL) {
300  if (pf->filename != NULL) {
301  SCFree(pf->filename);
302  }
303  if (pf->dirname != NULL) {
304  SCFree(pf->dirname);
305  }
306  SCFree(pf);
307  }
308 
309  return;
310 }
311 
312 /**
313  * \brief Function to rotate pcaplog file
314  *
315  * \param t Thread Variable containing input/output queue, cpu affinity etc.
316  * \param pl PcapLog thread variable.
317  *
318  * \retval 0 on succces
319  * \retval -1 on failure
320  */
321 static int PcapLogRotateFile(ThreadVars *t, PcapLogData *pl)
322 {
323  PcapFileName *pf;
324  PcapFileName *pfnext;
325 
326  PCAPLOG_PROFILE_START;
327 
328  if (PcapLogCloseFile(t,pl) < 0) {
329  SCLogDebug("PcapLogCloseFile failed");
330  return -1;
331  }
332 
333  if (pl->use_ringbuffer == RING_BUFFER_MODE_ENABLED && pl->file_cnt >= pl->max_files) {
334  pf = TAILQ_FIRST(&pl->pcap_file_list);
335  SCLogDebug("Removing pcap file %s", pf->filename);
336 
337  if (remove(pf->filename) != 0) {
338  // VJ remove can fail because file is already gone
339  //LogWarning(SC_ERR_PCAP_FILE_DELETE_FAILED,
340  // "failed to remove log file %s: %s",
341  // pf->filename, strerror( errno ));
342  }
343 
344  /* Remove directory if Sguil mode and no files left in sguil dir */
345  if (pl->mode == LOGMODE_SGUIL) {
346  pfnext = TAILQ_NEXT(pf,next);
347 
348  if (strcmp(pf->dirname, pfnext->dirname) == 0) {
349  SCLogDebug("Current entry dir %s and next entry %s "
350  "are equal: not removing dir",
351  pf->dirname, pfnext->dirname);
352  } else {
353  SCLogDebug("current entry %s and %s are "
354  "not equal: removing dir",
355  pf->dirname, pfnext->dirname);
356 
357  if (remove(pf->dirname) != 0) {
358  SCLogWarning(SC_ERR_PCAP_FILE_DELETE_FAILED,
359  "failed to remove sguil log %s: %s",
360  pf->dirname, strerror( errno ));
361  }
362  }
363  }
364 
365  TAILQ_REMOVE(&pl->pcap_file_list, pf, next);
366  PcapFileNameFree(pf);
367  pl->file_cnt--;
368  }
369 
370  if (PcapLogOpenFileCtx(pl) < 0) {
371  SCLogError(SC_ERR_FOPEN, "opening new pcap log file failed");
372  return -1;
373  }
374  pl->file_cnt++;
375  SCLogDebug("file_cnt %u", pl->file_cnt);
376 
377  PCAPLOG_PROFILE_END(pl->profile_rotate);
378  return 0;
379 }
380 
381 static int PcapLogOpenHandles(PcapLogData *pl, const Packet *p)
382 {
383  PCAPLOG_PROFILE_START;
384 
385  SCLogDebug("Setting pcap-log link type to %u", p->datalink);
386 
387  if (pl->pcap_dead_handle == NULL) {
388  if ((pl->pcap_dead_handle = pcap_open_dead(p->datalink,
389  PCAP_SNAPLEN)) == NULL) {
390  SCLogDebug("Error opening dead pcap handle");
391  return TM_ECODE_FAILED;
392  }
393  }
394 
395  if (pl->pcap_dumper == NULL) {
396  if (pl->compression.format == PCAP_LOG_COMPRESSION_FORMAT_NONE) {
397  if ((pl->pcap_dumper = pcap_dump_open(pl->pcap_dead_handle,
398  pl->filename)) == NULL) {
399  SCLogInfo("Error opening dump file %s", pcap_geterr(pl->pcap_dead_handle));
400  return TM_ECODE_FAILED;
401  }
402  }
403 #ifdef HAVE_LIBLZ4
404  else if (pl->compression.format == PCAP_LOG_COMPRESSION_FORMAT_LZ4) {
405  PcapLogCompressionData *comp = &pl->compression;
406  if ((pl->pcap_dumper = pcap_dump_fopen(pl->pcap_dead_handle,
407  comp->pcap_buf_wrapper)) == NULL) {
408  SCLogError(SC_ERR_OPENING_FILE, "Error opening dump file %s",
409  pcap_geterr(pl->pcap_dead_handle));
410  return TM_ECODE_FAILED;
411  }
412  comp->file = fopen(pl->filename, "w");
413  if (comp->file == NULL) {
414  SCLogError(SC_ERR_OPENING_FILE,
415  "Error opening file for compressed output: %s",
416  strerror(errno));
417  return TM_ECODE_FAILED;
418  }
419 
420  uint64_t bytes_written = LZ4F_compressBegin(comp->lz4f_context,
421  comp->buffer, comp->buffer_size, NULL);
422  if (LZ4F_isError(bytes_written)) {
423  SCLogError(SC_ERR_PCAP_LOG_COMPRESS, "LZ4F_compressBegin: %s",
424  LZ4F_getErrorName(bytes_written));
425  return TM_ECODE_FAILED;
426  }
427  if (fwrite(comp->buffer, 1, bytes_written, comp->file) < bytes_written) {
428  SCLogError(SC_ERR_FWRITE, "fwrite failed: %s", strerror(errno));
429  return TM_ECODE_FAILED;
430  }
431  }
432 #endif /* HAVE_LIBLZ4 */
433  }
434 
435  PCAPLOG_PROFILE_END(pl->profile_handles);
436  return TM_ECODE_OK;
437 }
438 
439 /** \internal
440  * \brief lock wrapper for main PcapLog() function
441  * NOTE: only meant for use in main PcapLog() function.
442  */
443 static void PcapLogLock(PcapLogData *pl)
444 {
445  if (!(pl->is_private)) {
446  PCAPLOG_PROFILE_START;
447  SCMutexLock(&pl->plog_lock);
448  PCAPLOG_PROFILE_END(pl->profile_lock);
449  }
450 }
451 
452 /** \internal
453  * \brief unlock wrapper for main PcapLog() function
454  * NOTE: only meant for use in main PcapLog() function.
455  */
456 static void PcapLogUnlock(PcapLogData *pl)
457 {
458  if (!(pl->is_private)) {
459  PCAPLOG_PROFILE_START;
460  SCMutexUnlock(&pl->plog_lock);
461  PCAPLOG_PROFILE_END(pl->profile_unlock);
462  }
463 }
464 
465 /**
466  * \brief Pcap logging main function
467  *
468  * \param t threadvar
469  * \param p packet
470  * \param data thread module specific data
471  * \param pq pre-packet-queue
472  * \param postpq post-packet-queue
473  *
474  * \retval TM_ECODE_OK on succes
475  * \retval TM_ECODE_FAILED on serious error
476  */
477 static int PcapLog (ThreadVars *t, void *thread_data, const Packet *p)
478 {
479  size_t len;
480  int rotate = 0;
481  int ret = 0;
482 
483  PcapLogThreadData *td = (PcapLogThreadData *)thread_data;
484  PcapLogData *pl = td->pcap_log;
485 
486  if ((p->flags & PKT_PSEUDO_STREAM_END) ||
487  ((p->flags & PKT_STREAM_NOPCAPLOG) &&
488  (pl->use_stream_depth == USE_STREAM_DEPTH_ENABLED)) ||
489  (IS_TUNNEL_PKT(p) && !IS_TUNNEL_ROOT_PKT(p)) ||
490  (pl->honor_pass_rules && (p->flags & PKT_NOPACKET_INSPECTION)))
491  {
492  return TM_ECODE_OK;
493  }
494 
495  PcapLogLock(pl);
496 
497  pl->pkt_cnt++;
498  pl->h->ts.tv_sec = p->ts.tv_sec;
499  pl->h->ts.tv_usec = p->ts.tv_usec;
500  pl->h->caplen = GET_PKT_LEN(p);
501  pl->h->len = GET_PKT_LEN(p);
502  len = sizeof(*pl->h) + GET_PKT_LEN(p);
503 
504  if (pl->filename == NULL) {
505  ret = PcapLogOpenFileCtx(pl);
506  if (ret < 0) {
507  PcapLogUnlock(pl);
508  return TM_ECODE_FAILED;
509  }
510  SCLogDebug("Opening PCAP log file %s", pl->filename);
511  }
512 
513  if (pl->mode == LOGMODE_SGUIL) {
514  struct tm local_tm;
515  struct tm *tms = SCLocalTime(p->ts.tv_sec, &local_tm);
516  if (tms->tm_mday != pl->prev_day) {
517  rotate = 1;
518  pl->prev_day = tms->tm_mday;
519  }
520  }
521 
522  PcapLogCompressionData *comp = &pl->compression;
523  if (comp->format == PCAP_LOG_COMPRESSION_FORMAT_NONE) {
524  if ((pl->size_current + len) > pl->size_limit || rotate) {
525  if (PcapLogRotateFile(t,pl) < 0) {
526  PcapLogUnlock(pl);
527  SCLogDebug("rotation of pcap failed");
528  return TM_ECODE_FAILED;
529  }
530  }
531  }
532 #ifdef HAVE_LIBLZ4
533  else if (comp->format == PCAP_LOG_COMPRESSION_FORMAT_LZ4) {
534  /* When writing compressed pcap logs, we have no way of knowing
535  * for sure whether adding this packet would cause the current
536  * file to exceed the size limit. Thus, we record the number of
537  * bytes that have been fed into lz4 since the last write, and
538  * act as if they would be written uncompressed. */
539 
540  if ((pl->size_current + comp->bytes_in_block + len) > pl->size_limit ||
541  rotate) {
542  if (PcapLogRotateFile(t,pl) < 0) {
543  PcapLogUnlock(pl);
544  SCLogDebug("rotation of pcap failed");
545  return TM_ECODE_FAILED;
546  }
547  }
548  }
549 #endif /* HAVE_LIBLZ4 */
550 
551  /* XXX pcap handles, nfq, pfring, can only have one link type ipfw? we do
552  * this here as we don't know the link type until we get our first packet */
553  if (pl->pcap_dead_handle == NULL || pl->pcap_dumper == NULL) {
554  if (PcapLogOpenHandles(pl, p) != TM_ECODE_OK) {
555  PcapLogUnlock(pl);
556  return TM_ECODE_FAILED;
557  }
558  }
559 
560  PCAPLOG_PROFILE_START;
561  pcap_dump((u_char *)pl->pcap_dumper, pl->h, GET_PKT_DATA(p));
562  if (pl->compression.format == PCAP_LOG_COMPRESSION_FORMAT_NONE) {
563  pl->size_current += len;
564  }
565 #ifdef HAVE_LIBLZ4
566  else if (pl->compression.format == PCAP_LOG_COMPRESSION_FORMAT_LZ4) {
567  pcap_dump_flush(pl->pcap_dumper);
568  uint64_t in_size = (uint64_t)ftell(comp->pcap_buf_wrapper);
569  uint64_t out_size = LZ4F_compressUpdate(comp->lz4f_context,
570  comp->buffer, comp->buffer_size, comp->pcap_buf, in_size, NULL);
571  if (LZ4F_isError(len)) {
572  SCLogError(SC_ERR_PCAP_LOG_COMPRESS, "LZ4F_compressUpdate: %s",
573  LZ4F_getErrorName(len));
574  return TM_ECODE_FAILED;
575  }
576  if (fseek(pl->compression.pcap_buf_wrapper, 0, SEEK_SET) != 0) {
577  SCLogError(SC_ERR_FSEEK, "fseek failed: %s", strerror(errno));
578  return TM_ECODE_FAILED;
579  }
580  if (fwrite(comp->buffer, 1, out_size, comp->file) < out_size) {
581  SCLogError(SC_ERR_FWRITE, "fwrite failed: %s", strerror(errno));
582  return TM_ECODE_FAILED;
583  }
584  if (out_size > 0) {
585  pl->size_current += out_size;
586  comp->bytes_in_block = len;
587  } else {
588  comp->bytes_in_block += len;
589  }
590  }
591 #endif /* HAVE_LIBLZ4 */
592 
593  PCAPLOG_PROFILE_END(pl->profile_write);
594  pl->profile_data_size += len;
595 
596  SCLogDebug("pl->size_current %"PRIu64", pl->size_limit %"PRIu64,
597  pl->size_current, pl->size_limit);
598 
599  PcapLogUnlock(pl);
600  return TM_ECODE_OK;
601 }
602 
603 static PcapLogData *PcapLogDataCopy(const PcapLogData *pl)
604 {
605  BUG_ON(pl->mode != LOGMODE_MULTI);
606  PcapLogData *copy = SCCalloc(1, sizeof(*copy));
607  if (unlikely(copy == NULL)) {
608  return NULL;
609  }
610 
611  copy->h = SCCalloc(1, sizeof(*copy->h));
612  if (unlikely(copy->h == NULL)) {
613  SCFree(copy);
614  return NULL;
615  }
616 
617  copy->prefix = SCStrdup(pl->prefix);
618  if (unlikely(copy->prefix == NULL)) {
619  SCFree(copy->h);
620  SCFree(copy);
621  return NULL;
622  }
623 
624  copy->suffix = pl->suffix;
625 
626  /* settings TODO move to global cfg struct */
627  copy->is_private = TRUE;
628  copy->mode = pl->mode;
629  copy->max_files = pl->max_files;
630  copy->use_ringbuffer = pl->use_ringbuffer;
631  copy->timestamp_format = pl->timestamp_format;
632  copy->use_stream_depth = pl->use_stream_depth;
633  copy->size_limit = pl->size_limit;
634 
635  const PcapLogCompressionData *comp = &pl->compression;
636  PcapLogCompressionData *copy_comp = &copy->compression;
637  copy_comp->format = comp->format;
638 #ifdef HAVE_LIBLZ4
639  if (comp->format == PCAP_LOG_COMPRESSION_FORMAT_LZ4) {
640  /* We need to allocate a new compression context and buffers for
641  * the copy. First copy the things that can simply be copied. */
642 
643  copy_comp->buffer_size = comp->buffer_size;
644  copy_comp->pcap_buf_size = comp->pcap_buf_size;
645  copy_comp->lz4f_prefs = comp->lz4f_prefs;
646 
647  /* Allocate the buffers. */
648 
649  copy_comp->buffer = SCMalloc(copy_comp->buffer_size);
650  if (copy_comp->buffer == NULL) {
651  SCLogError(SC_ERR_MEM_ALLOC, "SCMalloc failed: %s",
652  strerror(errno));
653  SCFree(copy->h);
654  SCFree(copy);
655  return NULL;
656  }
657  copy_comp->pcap_buf = SCMalloc(copy_comp->pcap_buf_size);
658  if (copy_comp->pcap_buf == NULL) {
659  SCLogError(SC_ERR_MEM_ALLOC, "SCMalloc failed: %s",
660  strerror(errno));
661  SCFree(copy_comp->buffer);
662  SCFree(copy->h);
663  SCFree(copy);
664  return NULL;
665  }
666  copy_comp->pcap_buf_wrapper = SCFmemopen(copy_comp->pcap_buf,
667  copy_comp->pcap_buf_size, "w");
668  if (copy_comp->pcap_buf_wrapper == NULL) {
669  SCLogError(SC_ERR_FOPEN, "SCFmemopen failed: %s", strerror(errno));
670  SCFree(copy_comp->buffer);
671  SCFree(copy_comp->pcap_buf);
672  SCFree(copy->h);
673  SCFree(copy);
674  return NULL;
675  }
676 
677  /* Initialize a new compression context. */
678 
679  LZ4F_errorCode_t errcode =
680  LZ4F_createCompressionContext(&copy_comp->lz4f_context, 1);
681  if (LZ4F_isError(errcode)) {
682  SCLogError(SC_ERR_PCAP_LOG_COMPRESS,
683  "LZ4F_createCompressionContext failed: %s",
684  LZ4F_getErrorName(errcode));
685  fclose(copy_comp->pcap_buf_wrapper);
686  SCFree(copy_comp->buffer);
687  SCFree(copy_comp->pcap_buf);
688  SCFree(copy->h);
689  SCFree(copy);
690  return NULL;
691  }
692 
693  /* Initialize the rest. */
694 
695  copy_comp->file = NULL;
696  copy_comp->bytes_in_block = 0;
697  }
698 #endif /* HAVE_LIBLZ4 */
699 
700  TAILQ_INIT(&copy->pcap_file_list);
701  SCMutexInit(&copy->plog_lock, NULL);
702 
703  strlcpy(copy->dir, pl->dir, sizeof(copy->dir));
704 
705  int i;
706  for (i = 0; i < pl->filename_part_cnt && i < MAX_TOKS; i++)
707  copy->filename_parts[i] = pl->filename_parts[i];
708  copy->filename_part_cnt = pl->filename_part_cnt;
709 
710  /* set thread number, first thread is 1 */
711  copy->thread_number = SC_ATOMIC_ADD(thread_cnt, 1);
712 
713  SCLogDebug("copied, returning %p", copy);
714  return copy;
715 }
716 
717 #ifdef INIT_RING_BUFFER
718 static int PcapLogGetTimeOfFile(const char *filename, uint64_t *secs,
719  uint32_t *usecs)
720 {
721  int pcre_ovecsize = 4 * 3;
722  int pcre_ovec[pcre_ovecsize];
723  char buf[PATH_MAX];
724 
725  int n = pcre_exec(pcre_timestamp_code, pcre_timestamp_extra,
726  filename, strlen(filename), 0, 0, pcre_ovec,
727  pcre_ovecsize);
728  if (n != 2 && n != 4) {
729  /* No match. */
730  return 0;
731  }
732 
733  if (n >= 2) {
734  /* Extract seconds. */
735  if (pcre_copy_substring(filename, pcre_ovec, pcre_ovecsize,
736  1, buf, sizeof(buf)) < 0) {
737  return 0;
738  }
739  if (ByteExtractStringUint64(secs, 10, 0, buf) < 0) {
740  return 0;
741  }
742  }
743  if (n == 4) {
744  /* Extract microseconds. */
745  if (pcre_copy_substring(filename, pcre_ovec, pcre_ovecsize,
746  3, buf, sizeof(buf)) < 0) {
747  return 0;
748  }
749  if (ByteExtractStringUint32(usecs, 10, 0, buf) < 0) {
750  return 0;
751  }
752  }
753 
754  return 1;
755 }
756 
757 static TmEcode PcapLogInitRingBuffer(PcapLogData *pl)
758 {
759  char pattern[PATH_MAX];
760 
761  SCLogInfo("Initializing PCAP ring buffer for %s/%s.",
762  pl->dir, pl->prefix);
763 
764  strlcpy(pattern, pl->dir, PATH_MAX);
765  if (pattern[strlen(pattern) - 1] != '/') {
766  strlcat(pattern, "/", PATH_MAX);
767  }
768  if (pl->mode == LOGMODE_MULTI) {
769  for (int i = 0; i < pl->filename_part_cnt; i++) {
770  char *part = pl->filename_parts[i];
771  if (part == NULL || strlen(part) == 0) {
772  continue;
773  }
774  if (part[0] != '%' || strlen(part) < 2) {
775  strlcat(pattern, part, PATH_MAX);
776  continue;
777  }
778  switch (part[1]) {
779  case 'i':
780  SCLogError(SC_ERR_INVALID_ARGUMENT,
781  "Thread ID not allowed inring buffer mode.");
782  return TM_ECODE_FAILED;
783  case 'n': {
784  char tmp[PATH_MAX];
785  snprintf(tmp, PATH_MAX, "%"PRIu32, pl->thread_number);
786  strlcat(pattern, tmp, PATH_MAX);
787  break;
788  }
789  case 't':
790  strlcat(pattern, "*", PATH_MAX);
791  break;
792  default:
793  SCLogError(SC_ERR_INVALID_ARGUMENT,
794  "Unsupported format character: %%%s", part);
795  return TM_ECODE_FAILED;
796  }
797  }
798  } else {
799  strlcat(pattern, pl->prefix, PATH_MAX);
800  strlcat(pattern, ".*", PATH_MAX);
801  }
802  strlcat(pattern, pl->suffix, PATH_MAX);
803 
804  char *basename = strrchr(pattern, '/');
805  *basename++ = '\0';
806 
807  /* Pattern is now just the directory name. */
808  DIR *dir = opendir(pattern);
809  if (dir == NULL) {
810  SCLogWarning(SC_ERR_DIR_OPEN, "Failed to open directory %s: %s",
811  pattern, strerror(errno));
812  return TM_ECODE_FAILED;
813  }
814 
815  for (;;) {
816  struct dirent *entry = readdir(dir);
817  if (entry == NULL) {
818  break;
819  }
820  if (fnmatch(basename, entry->d_name, 0) != 0) {
821  continue;
822  }
823 
824  uint64_t secs = 0;
825  uint32_t usecs = 0;
826 
827  if (!PcapLogGetTimeOfFile(entry->d_name, &secs, &usecs)) {
828  /* Failed to get time stamp out of file name. Not necessarily a
829  * failure as the file might just not be a pcap log file. */
830  continue;
831  }
832 
833  PcapFileName *pf = SCCalloc(sizeof(*pf), 1);
834  if (unlikely(pf == NULL)) {
835  goto fail;
836  }
837  char path[PATH_MAX];
838  if (snprintf(path, PATH_MAX, "%s/%s", pattern, entry->d_name) == PATH_MAX)
839  goto fail;
840 
841  if ((pf->filename = SCStrdup(path)) == NULL) {
842  goto fail;
843  }
844  if ((pf->dirname = SCStrdup(pattern)) == NULL) {
845  goto fail;
846  }
847  pf->secs = secs;
848  pf->usecs = usecs;
849 
850  if (TAILQ_EMPTY(&pl->pcap_file_list)) {
851  TAILQ_INSERT_TAIL(&pl->pcap_file_list, pf, next);
852  } else {
853  /* Ordered insert. */
854  PcapFileName *it = NULL;
855  TAILQ_FOREACH(it, &pl->pcap_file_list, next) {
856  if (pf->secs < it->secs) {
857  break;
858  } else if (pf->secs == it->secs && pf->usecs < it->usecs) {
859  break;
860  }
861  }
862  if (it == NULL) {
863  TAILQ_INSERT_TAIL(&pl->pcap_file_list, pf, next);
864  } else {
865  TAILQ_INSERT_BEFORE(it, pf, next);
866  }
867  }
868  pl->file_cnt++;
869  continue;
870 
871  fail:
872  if (pf != NULL) {
873  if (pf->filename != NULL) {
874  SCFree(pf->filename);
875  }
876  if (pf->dirname != NULL) {
877  SCFree(pf->dirname);
878  }
879  SCFree(pf);
880  }
881  break;
882  }
883 
884  if (pl->file_cnt > pl->max_files) {
885  PcapFileName *pf = TAILQ_FIRST(&pl->pcap_file_list);
886  while (pf != NULL && pl->file_cnt > pl->max_files) {
887  SCLogDebug("Removing PCAP file %s", pf->filename);
888  if (remove(pf->filename) != 0) {
889  SCLogWarning(SC_WARN_REMOVE_FILE,
890  "Failed to remove PCAP file %s: %s", pf->filename,
891  strerror(errno));
892  }
893  TAILQ_REMOVE(&pl->pcap_file_list, pf, next);
894  PcapFileNameFree(pf);
895  pf = TAILQ_FIRST(&pl->pcap_file_list);
896  pl->file_cnt--;
897  }
898  }
899 
900  closedir(dir);
901 
902  /* For some reason file count is initialized at one, instead of 0. */
903  SCLogNotice("Ring buffer initialized with %d files.", pl->file_cnt - 1);
904 
905  return TM_ECODE_OK;
906 }
907 #endif /* INIT_RING_BUFFER */
908 
909 static TmEcode PcapLogDataInit(ThreadVars *t, const void *initdata, void **data)
910 {
911  if (initdata == NULL) {
912  SCLogDebug("Error getting context for LogPcap. \"initdata\" argument NULL");
913  return TM_ECODE_FAILED;
914  }
915 
916  PcapLogData *pl = ((OutputCtx *)initdata)->data;
917 
918  PcapLogThreadData *td = SCCalloc(1, sizeof(*td));
919  if (unlikely(td == NULL))
920  return TM_ECODE_FAILED;
921 
922  if (pl->mode == LOGMODE_MULTI)
923  td->pcap_log = PcapLogDataCopy(pl);
924  else
925  td->pcap_log = pl;
926  BUG_ON(td->pcap_log == NULL);
927 
928  PcapLogLock(td->pcap_log);
929 
930  /** Use the Ouptut Context (file pointer and mutex) */
931  td->pcap_log->pkt_cnt = 0;
932  td->pcap_log->pcap_dead_handle = NULL;
933  td->pcap_log->pcap_dumper = NULL;
934  if (td->pcap_log->file_cnt < 1) {
935  td->pcap_log->file_cnt = 1;
936  }
937 
938  struct timeval ts;
939  memset(&ts, 0x00, sizeof(struct timeval));
940  TimeGet(&ts);
941  struct tm local_tm;
942  struct tm *tms = SCLocalTime(ts.tv_sec, &local_tm);
943  td->pcap_log->prev_day = tms->tm_mday;
944 
945  PcapLogUnlock(td->pcap_log);
946 
947  /* count threads in the global structure */
948  SCMutexLock(&pl->plog_lock);
949  pl->threads++;
950  SCMutexUnlock(&pl->plog_lock);
951 
952  *data = (void *)td;
953 
954  if (pl->max_files && (pl->mode == LOGMODE_MULTI || pl->threads == 1)) {
955 #ifdef INIT_RING_BUFFER
956  if (PcapLogInitRingBuffer(td->pcap_log) == TM_ECODE_FAILED) {
957  return TM_ECODE_FAILED;
958  }
959 #else
960  SCLogInfo("Unable to initialize ring buffer on this platform.");
961 #endif /* INIT_RING_BUFFER */
962  }
963 
964  return TM_ECODE_OK;
965 }
966 
967 static void StatsMerge(PcapLogData *dst, PcapLogData *src)
968 {
969  dst->profile_open.total += src->profile_open.total;
970  dst->profile_open.cnt += src->profile_open.cnt;
971 
972  dst->profile_close.total += src->profile_close.total;
973  dst->profile_close.cnt += src->profile_close.cnt;
974 
975  dst->profile_write.total += src->profile_write.total;
976  dst->profile_write.cnt += src->profile_write.cnt;
977 
978  dst->profile_rotate.total += src->profile_rotate.total;
979  dst->profile_rotate.cnt += src->profile_rotate.cnt;
980 
981  dst->profile_handles.total += src->profile_handles.total;
982  dst->profile_handles.cnt += src->profile_handles.cnt;
983 
984  dst->profile_lock.total += src->profile_lock.total;
985  dst->profile_lock.cnt += src->profile_lock.cnt;
986 
987  dst->profile_unlock.total += src->profile_unlock.total;
988  dst->profile_unlock.cnt += src->profile_unlock.cnt;
989 
990  dst->profile_data_size += src->profile_data_size;
991 }
992 
993 static void PcapLogDataFree(PcapLogData *pl)
994 {
995 
996  PcapFileName *pf;
997  while ((pf = TAILQ_FIRST(&pl->pcap_file_list)) != NULL) {
998  TAILQ_REMOVE(&pl->pcap_file_list, pf, next);
999  PcapFileNameFree(pf);
1000  }
1001  if (pl == g_pcap_data) {
1002  for (int i = 0; i < MAX_TOKS; i++) {
1003  if (pl->filename_parts[i] != NULL) {
1004  SCFree(pl->filename_parts[i]);
1005  }
1006  }
1007  }
1008  SCFree(pl->h);
1009  SCFree(pl->filename);
1010  SCFree(pl->prefix);
1011 
1012 #ifdef HAVE_LIBLZ4
1013  if (pl->compression.format == PCAP_LOG_COMPRESSION_FORMAT_LZ4) {
1014  SCFree(pl->compression.buffer);
1015  fclose(pl->compression.pcap_buf_wrapper);
1016  SCFree(pl->compression.pcap_buf);
1017  LZ4F_errorCode_t errcode =
1018  LZ4F_freeCompressionContext(pl->compression.lz4f_context);
1019  if (LZ4F_isError(errcode)) {
1020  SCLogWarning(SC_ERR_MEM_ALLOC, "Error freeing lz4 context.");
1021  }
1022  }
1023 #endif /* HAVE_LIBLZ4 */
1024  SCFree(pl);
1025 }
1026 
1027 /**
1028  * \brief Thread deinit function.
1029  *
1030  * \param t Thread Variable containing input/output queue, cpu affinity etc.
1031  * \param data PcapLog thread data.
1032  * \retval TM_ECODE_OK on succces
1033  * \retval TM_ECODE_FAILED on failure
1034  */
1035 static TmEcode PcapLogDataDeinit(ThreadVars *t, void *thread_data)
1036 {
1037  PcapLogThreadData *td = (PcapLogThreadData *)thread_data;
1038  PcapLogData *pl = td->pcap_log;
1039 
1040  if (pl->pcap_dumper != NULL) {
1041  if (PcapLogCloseFile(t,pl) < 0) {
1042  SCLogDebug("PcapLogCloseFile failed");
1043  }
1044  }
1045 
1046  if (pl->mode == LOGMODE_MULTI) {
1047  SCMutexLock(&g_pcap_data->plog_lock);
1048  StatsMerge(g_pcap_data, pl);
1049  g_pcap_data->reported++;
1050  if (g_pcap_data->threads == g_pcap_data->reported)
1051  PcapLogProfilingDump(g_pcap_data);
1052  SCMutexUnlock(&g_pcap_data->plog_lock);
1053  } else {
1054  if (pl->reported == 0) {
1055  PcapLogProfilingDump(pl);
1056  pl->reported = 1;
1057  }
1058  }
1059 
1060  if (pl != g_pcap_data) {
1061  PcapLogDataFree(pl);
1062  }
1063 
1064  SCFree(td);
1065  return TM_ECODE_OK;
1066 }
1067 
1068 
1069 static int ParseFilename(PcapLogData *pl, const char *filename)
1070 {
1071  char *toks[MAX_TOKS] = { NULL };
1072  int tok = 0;
1073  char str[MAX_FILENAMELEN] = "";
1074  int s = 0;
1075  int i, x;
1076  char *p = NULL;
1077  size_t filename_len = 0;
1078 
1079  if (filename) {
1080  filename_len = strlen(filename);
1081  if (filename_len > (MAX_FILENAMELEN-1)) {
1082  SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid filename option. Max filename-length: %d",MAX_FILENAMELEN-1);
1083  goto error;
1084  }
1085 
1086  for (i = 0; i < (int)strlen(filename); i++) {
1087  if (tok >= MAX_TOKS) {
1088  SCLogError(SC_ERR_INVALID_ARGUMENT,
1089  "invalid filename option. Max 2 %%-sign options");
1090  goto error;
1091  }
1092 
1093  str[s++] = filename[i];
1094 
1095  if (filename[i] == '%') {
1096  str[s-1] = '\0';
1097  SCLogDebug("filename with %%-sign: %s", str);
1098 
1099  p = SCStrdup(str);
1100  if (p == NULL)
1101  goto error;
1102  toks[tok++] = p;
1103 
1104  s = 0;
1105 
1106  if (i+1 < (int)strlen(filename)) {
1107  if (tok >= MAX_TOKS) {
1108  SCLogError(SC_ERR_INVALID_ARGUMENT,
1109  "invalid filename option. Max 2 %%-sign options");
1110  goto error;
1111  }
1112 
1113  if (filename[i+1] != 'n' && filename[i+1] != 't' && filename[i+1] != 'i') {
1114  SCLogError(SC_ERR_INVALID_ARGUMENT,
1115  "invalid filename option. Valid %%-sign options: %%n, %%i and %%t");
1116  goto error;
1117  }
1118  str[0] = '%';
1119  str[1] = filename[i+1];
1120  str[2] = '\0';
1121  p = SCStrdup(str);
1122  if (p == NULL)
1123  goto error;
1124  toks[tok++] = p;
1125  i++;
1126  }
1127  }
1128  }
1129  if (s) {
1130  if (tok >= MAX_TOKS) {
1131  SCLogError(SC_ERR_INVALID_ARGUMENT,
1132  "invalid filename option. Max 3 %%-sign options");
1133  goto error;
1134 
1135  }
1136  str[s++] = '\0';
1137  p = SCStrdup(str);
1138  if (p == NULL)
1139  goto error;
1140  toks[tok++] = p;
1141  }
1142 
1143  /* finally, store tokens in the pl */
1144  for (i = 0; i < tok; i++) {
1145  if (toks[i] == NULL)
1146  goto error;
1147 
1148  SCLogDebug("toks[%d] %s", i, toks[i]);
1149  pl->filename_parts[i] = toks[i];
1150  }
1151  pl->filename_part_cnt = tok;
1152  }
1153  return 0;
1154 error:
1155  for (x = 0; x < MAX_TOKS; x++) {
1156  if (toks[x] != NULL)
1157  SCFree(toks[x]);
1158  }
1159  return -1;
1160 }
1161 
1162 /** \brief Fill in pcap logging struct from the provided ConfNode.
1163  * \param conf The configuration node for this output.
1164  * \retval output_ctx
1165  * */
1166 static OutputInitResult PcapLogInitCtx(ConfNode *conf)
1167 {
1168  OutputInitResult result = { NULL, false };
1169  const char *pcre_errbuf;
1170  int pcre_erroffset;
1171 
1172  PcapLogData *pl = SCMalloc(sizeof(PcapLogData));
1173  if (unlikely(pl == NULL)) {
1174  SCLogError(SC_ERR_MEM_ALLOC, "Failed to allocate Memory for PcapLogData");
1175  exit(EXIT_FAILURE);
1176  }
1177  memset(pl, 0, sizeof(PcapLogData));
1178 
1179  pl->h = SCMalloc(sizeof(*pl->h));
1180  if (pl->h == NULL) {
1181  SCLogError(SC_ERR_MEM_ALLOC,
1182  "Failed to allocate Memory for pcap header struct");
1183  exit(EXIT_FAILURE);
1184  }
1185 
1186  /* Set the defaults */
1187  pl->mode = LOGMODE_NORMAL;
1188  pl->max_files = DEFAULT_FILE_LIMIT;
1189  pl->use_ringbuffer = RING_BUFFER_MODE_DISABLED;
1190  pl->timestamp_format = TS_FORMAT_SEC;
1191  pl->use_stream_depth = USE_STREAM_DEPTH_DISABLED;
1192  pl->honor_pass_rules = HONOR_PASS_RULES_DISABLED;
1193 
1194  TAILQ_INIT(&pl->pcap_file_list);
1195 
1196  SCMutexInit(&pl->plog_lock, NULL);
1197 
1198  /* Initialize PCREs. */
1199  pcre_timestamp_code = pcre_compile(timestamp_pattern, 0, &pcre_errbuf,
1200  &pcre_erroffset, NULL);
1201  if (pcre_timestamp_code == NULL) {
1202  FatalError(SC_ERR_PCRE_COMPILE,
1203  "Failed to compile \"%s\" at offset %"PRIu32": %s",
1204  timestamp_pattern, pcre_erroffset, pcre_errbuf);
1205  }
1206  pcre_timestamp_extra = pcre_study(pcre_timestamp_code, 0, &pcre_errbuf);
1207  if (pcre_errbuf != NULL) {
1208  FatalError(SC_ERR_PCRE_STUDY, "Fail to study pcre: %s", pcre_errbuf);
1209  }
1210 
1211  /* conf params */
1212 
1213  const char *filename = NULL;
1214 
1215  if (conf != NULL) { /* To faciliate unit tests. */
1216  filename = ConfNodeLookupChildValue(conf, "filename");
1217  }
1218 
1219  if (filename == NULL)
1220  filename = DEFAULT_LOG_FILENAME;
1221 
1222  if ((pl->prefix = SCStrdup(filename)) == NULL) {
1223  exit(EXIT_FAILURE);
1224  }
1225 
1226  pl->suffix = "";
1227 
1228  if (filename) {
1229  if (ParseFilename(pl, filename) != 0)
1230  exit(EXIT_FAILURE);
1231  }
1232 
1233  pl->size_limit = DEFAULT_LIMIT;
1234  if (conf != NULL) {
1235  const char *s_limit = NULL;
1236  s_limit = ConfNodeLookupChildValue(conf, "limit");
1237  if (s_limit != NULL) {
1238  if (ParseSizeStringU64(s_limit, &pl->size_limit) < 0) {
1239  SCLogError(SC_ERR_INVALID_ARGUMENT,
1240  "Failed to initialize unified2 output, invalid limit: %s",
1241  s_limit);
1242  exit(EXIT_FAILURE);
1243  }
1244  if (pl->size_limit < 4096) {
1245  SCLogInfo("pcap-log \"limit\" value of %"PRIu64" assumed to be pre-1.2 "
1246  "style: setting limit to %"PRIu64"mb", pl->size_limit, pl->size_limit);
1247  uint64_t size = pl->size_limit * 1024 * 1024;
1248  pl->size_limit = size;
1249  } else if (pl->size_limit < MIN_LIMIT) {
1250  SCLogError(SC_ERR_INVALID_ARGUMENT,
1251  "Fail to initialize pcap-log output, limit less than "
1252  "allowed minimum.");
1253  exit(EXIT_FAILURE);
1254  }
1255  }
1256  }
1257 
1258  if (conf != NULL) {
1259  const char *s_mode = NULL;
1260  s_mode = ConfNodeLookupChildValue(conf, "mode");
1261  if (s_mode != NULL) {
1262  if (strcasecmp(s_mode, "sguil") == 0) {
1263  pl->mode = LOGMODE_SGUIL;
1264  } else if (strcasecmp(s_mode, "multi") == 0) {
1265  pl->mode = LOGMODE_MULTI;
1266  } else if (strcasecmp(s_mode, "normal") != 0) {
1267  SCLogError(SC_ERR_INVALID_ARGUMENT,
1268  "log-pcap: invalid mode \"%s\". Valid options: \"normal\", "
1269  "\"sguil\", or \"multi\" mode ", s_mode);
1270  exit(EXIT_FAILURE);
1271  }
1272  }
1273 
1274  const char *s_dir = NULL;
1275  s_dir = ConfNodeLookupChildValue(conf, "dir");
1276  if (s_dir == NULL) {
1277  s_dir = ConfNodeLookupChildValue(conf, "sguil-base-dir");
1278  }
1279  if (s_dir == NULL) {
1280  if (pl->mode == LOGMODE_SGUIL) {
1281  SCLogError(SC_ERR_LOGPCAP_SGUIL_BASE_DIR_MISSING,
1282  "log-pcap \"sguil\" mode requires \"sguil-base-dir\" "
1283  "option to be set.");
1284  exit(EXIT_FAILURE);
1285  } else {
1286  const char *log_dir = NULL;
1287  log_dir = ConfigGetLogDirectory();
1288 
1289  strlcpy(pl->dir,
1290  log_dir, sizeof(pl->dir));
1291  SCLogInfo("Using log dir %s", pl->dir);
1292  }
1293  } else {
1294  if (PathIsAbsolute(s_dir)) {
1295  strlcpy(pl->dir,
1296  s_dir, sizeof(pl->dir));
1297  } else {
1298  const char *log_dir = NULL;
1299  log_dir = ConfigGetLogDirectory();
1300 
1301  snprintf(pl->dir, sizeof(pl->dir), "%s/%s",
1302  log_dir, s_dir);
1303  }
1304 
1305  struct stat stat_buf;
1306  if (stat(pl->dir, &stat_buf) != 0) {
1307  SCLogError(SC_ERR_LOGDIR_CONFIG, "The sguil-base-dir directory \"%s\" "
1308  "supplied doesn't exist. Shutting down the engine",
1309  pl->dir);
1310  exit(EXIT_FAILURE);
1311  }
1312  SCLogInfo("Using log dir %s", pl->dir);
1313  }
1314 
1315  const char *compression_str = ConfNodeLookupChildValue(conf,
1316  "compression");
1317 
1318  PcapLogCompressionData *comp = &pl->compression;
1319  if (compression_str == NULL || strcmp(compression_str, "none") == 0) {
1320  comp->format = PCAP_LOG_COMPRESSION_FORMAT_NONE;
1321  comp->buffer = NULL;
1322  comp->buffer_size = 0;
1323  comp->file = NULL;
1324  comp->pcap_buf = NULL;
1325  comp->pcap_buf_size = 0;
1326  comp->pcap_buf_wrapper = NULL;
1327  } else if (strcmp(compression_str, "lz4") == 0) {
1328 #ifdef HAVE_LIBLZ4
1329  if (pl->mode == LOGMODE_SGUIL) {
1330  SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Compressed pcap "
1331  "logs are not possible in sguil mode");
1332  SCFree(pl->h);
1333  SCFree(pl);
1334  return result;
1335  }
1336  pl->compression.format = PCAP_LOG_COMPRESSION_FORMAT_LZ4;
1337 
1338  /* Use SCFmemopen so we can make pcap_dump write to a buffer. */
1339 
1340  comp->pcap_buf_size = sizeof(struct pcap_file_header) +
1341  sizeof(struct pcap_pkthdr) + PCAP_SNAPLEN;
1342  comp->pcap_buf = SCMalloc(comp->pcap_buf_size);
1343  if (comp->pcap_buf == NULL) {
1344  SCLogError(SC_ERR_MEM_ALLOC, "SCMalloc failed: %s",
1345  strerror(errno));
1346  exit(EXIT_FAILURE);
1347  }
1348  comp->pcap_buf_wrapper = SCFmemopen(comp->pcap_buf,
1349  comp->pcap_buf_size, "w");
1350  if (comp->pcap_buf_wrapper == NULL) {
1351  SCLogError(SC_ERR_FOPEN, "SCFmemopen failed: %s",
1352  strerror(errno));
1353  exit(EXIT_FAILURE);
1354  }
1355 
1356  /* Set lz4 preferences. */
1357 
1358  memset(&comp->lz4f_prefs, '\0', sizeof(comp->lz4f_prefs));
1359  comp->lz4f_prefs.frameInfo.blockSizeID = LZ4F_max4MB;
1360  comp->lz4f_prefs.frameInfo.blockMode = LZ4F_blockLinked;
1361  if (ConfNodeChildValueIsTrue(conf, "lz4-checksum")) {
1362  comp->lz4f_prefs.frameInfo.contentChecksumFlag = 1;
1363  }
1364  else {
1365  comp->lz4f_prefs.frameInfo.contentChecksumFlag = 0;
1366  }
1367  intmax_t lvl = 0;
1368  if (ConfGetChildValueInt(conf, "lz4-level", &lvl)) {
1369  if (lvl > 16) {
1370  lvl = 16;
1371  } else if (lvl < 0) {
1372  lvl = 0;
1373  }
1374  } else {
1375  lvl = 0;
1376  }
1377  comp->lz4f_prefs.compressionLevel = lvl;
1378 
1379  /* Allocate resources for lz4. */
1380 
1381  LZ4F_errorCode_t errcode =
1382  LZ4F_createCompressionContext(&pl->compression.lz4f_context, 1);
1383 
1384  if (LZ4F_isError(errcode)) {
1385  SCLogError(SC_ERR_PCAP_LOG_COMPRESS,
1386  "LZ4F_createCompressionContext failed: %s",
1387  LZ4F_getErrorName(errcode));
1388  exit(EXIT_FAILURE);
1389  }
1390 
1391  /* Calculate the size of the lz4 output buffer. */
1392 
1393  comp->buffer_size = LZ4F_compressBound(comp->pcap_buf_size,
1394  &comp->lz4f_prefs);
1395 
1396  comp->buffer = SCMalloc(comp->buffer_size);
1397  if (unlikely(comp->buffer == NULL)) {
1398  SCLogError(SC_ERR_MEM_ALLOC, "Failed to allocate memory for "
1399  "lz4 output buffer.");
1400  exit(EXIT_FAILURE);
1401  }
1402 
1403  comp->bytes_in_block = 0;
1404 
1405  /* Add the lz4 file extension to the log files. */
1406 
1407  pl->suffix = ".lz4";
1408 #else
1409  SCLogError(SC_ERR_INVALID_ARGUMENT, "lz4 compression was selected "
1410  "in pcap-log, but suricata was not compiled with lz4 "
1411  "support.");
1412  PcapLogDataFree(pl);
1413  return result;
1414 #endif /* HAVE_LIBLZ4 */
1415  }
1416  else {
1417  SCLogError(SC_ERR_INVALID_ARGUMENT, "Unsupported pcap-log "
1418  "compression format: %s", compression_str);
1419  PcapLogDataFree(pl);
1420  return result;
1421  }
1422 
1423  SCLogInfo("Selected pcap-log compression method: %s", compression_str);
1424  }
1425 
1426  SCLogInfo("using %s logging", pl->mode == LOGMODE_SGUIL ?
1427  "Sguil compatible" : (pl->mode == LOGMODE_MULTI ? "multi" : "normal"));
1428 
1429  uint32_t max_file_limit = DEFAULT_FILE_LIMIT;
1430  if (conf != NULL) {
1431  const char *max_number_of_files_s = NULL;
1432  max_number_of_files_s = ConfNodeLookupChildValue(conf, "max-files");
1433  if (max_number_of_files_s != NULL) {
1434  if (ByteExtractStringUint32(&max_file_limit, 10, 0,
1435  max_number_of_files_s) == -1) {
1436  SCLogError(SC_ERR_INVALID_ARGUMENT, "Failed to initialize "
1437  "pcap-log output, invalid number of files limit: %s",
1438  max_number_of_files_s);
1439  exit(EXIT_FAILURE);
1440  } else if (max_file_limit < 1) {
1441  SCLogError(SC_ERR_INVALID_ARGUMENT,
1442  "Failed to initialize pcap-log output, limit less than "
1443  "allowed minimum.");
1444  exit(EXIT_FAILURE);
1445  } else {
1446  pl->max_files = max_file_limit;
1447  pl->use_ringbuffer = RING_BUFFER_MODE_ENABLED;
1448  }
1449  }
1450  }
1451 
1452  const char *ts_format = NULL;
1453  if (conf != NULL) { /* To faciliate unit tests. */
1454  ts_format = ConfNodeLookupChildValue(conf, "ts-format");
1455  }
1456  if (ts_format != NULL) {
1457  if (strcasecmp(ts_format, "usec") == 0) {
1458  pl->timestamp_format = TS_FORMAT_USEC;
1459  } else if (strcasecmp(ts_format, "sec") != 0) {
1460  SCLogError(SC_ERR_INVALID_ARGUMENT,
1461  "log-pcap ts_format specified %s is invalid must be"
1462  " \"sec\" or \"usec\"", ts_format);
1463  exit(EXIT_FAILURE);
1464  }
1465  }
1466 
1467  const char *use_stream_depth = NULL;
1468  if (conf != NULL) { /* To faciliate unit tests. */
1469  use_stream_depth = ConfNodeLookupChildValue(conf, "use-stream-depth");
1470  }
1471  if (use_stream_depth != NULL) {
1472  if (ConfValIsFalse(use_stream_depth)) {
1473  pl->use_stream_depth = USE_STREAM_DEPTH_DISABLED;
1474  } else if (ConfValIsTrue(use_stream_depth)) {
1475  pl->use_stream_depth = USE_STREAM_DEPTH_ENABLED;
1476  } else {
1477  SCLogError(SC_ERR_INVALID_ARGUMENT,
1478  "log-pcap use_stream_depth specified is invalid must be");
1479  exit(EXIT_FAILURE);
1480  }
1481  }
1482 
1483  const char *honor_pass_rules = NULL;
1484  if (conf != NULL) { /* To faciliate unit tests. */
1485  honor_pass_rules = ConfNodeLookupChildValue(conf, "honor-pass-rules");
1486  }
1487  if (honor_pass_rules != NULL) {
1488  if (ConfValIsFalse(honor_pass_rules)) {
1489  pl->honor_pass_rules = HONOR_PASS_RULES_DISABLED;
1490  } else if (ConfValIsTrue(honor_pass_rules)) {
1491  pl->honor_pass_rules = HONOR_PASS_RULES_ENABLED;
1492  } else {
1493  SCLogError(SC_ERR_INVALID_ARGUMENT,
1494  "log-pcap honor-pass-rules specified is invalid");
1495  exit(EXIT_FAILURE);
1496  }
1497  }
1498 
1499  /* create the output ctx and send it back */
1500 
1501  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
1502  if (unlikely(output_ctx == NULL)) {
1503  SCLogError(SC_ERR_MEM_ALLOC, "Failed to allocate memory for OutputCtx.");
1504  exit(EXIT_FAILURE);
1505  }
1506  output_ctx->data = pl;
1507  output_ctx->DeInit = PcapLogFileDeInitCtx;
1508  g_pcap_data = pl;
1509 
1510  result.ctx = output_ctx;
1511  result.ok = true;
1512  return result;
1513 }
1514 
1515 static void PcapLogFileDeInitCtx(OutputCtx *output_ctx)
1516 {
1517  if (output_ctx == NULL)
1518  return;
1519 
1520  PcapLogData *pl = output_ctx->data;
1521 
1522  PcapFileName *pf = NULL;
1523  TAILQ_FOREACH(pf, &pl->pcap_file_list, next) {
1524  SCLogDebug("PCAP files left at exit: %s\n", pf->filename);
1525  }
1526  PcapLogDataFree(pl);
1527  SCFree(output_ctx);
1528  return;
1529 }
1530 
1531 /**
1532  * \brief Read the config set the file pointer, open the file
1533  *
1534  * \param PcapLogData.
1535  *
1536  * \retval -1 if failure
1537  * \retval 0 if succesful
1538  */
1539 static int PcapLogOpenFileCtx(PcapLogData *pl)
1540 {
1541  char *filename = NULL;
1542 
1543  PCAPLOG_PROFILE_START;
1544 
1545  if (pl->filename != NULL)
1546  filename = pl->filename;
1547  else {
1548  filename = SCMalloc(PATH_MAX);
1549  if (unlikely(filename == NULL)) {
1550  return -1;
1551  }
1552  pl->filename = filename;
1553  }
1554 
1555  /** get the time so we can have a filename with seconds since epoch */
1556  struct timeval ts;
1557  memset(&ts, 0x00, sizeof(struct timeval));
1558  TimeGet(&ts);
1559 
1560  /* Place to store the name of our PCAP file */
1561  PcapFileName *pf = SCMalloc(sizeof(PcapFileName));
1562  if (unlikely(pf == NULL)) {
1563  return -1;
1564  }
1565  memset(pf, 0, sizeof(PcapFileName));
1566 
1567  if (pl->mode == LOGMODE_SGUIL) {
1568  struct tm local_tm;
1569  struct tm *tms = SCLocalTime(ts.tv_sec, &local_tm);
1570 
1571  char dirname[32], dirfull[PATH_MAX] = "";
1572 
1573  snprintf(dirname, sizeof(dirname), "%04d-%02d-%02d",
1574  tms->tm_year + 1900, tms->tm_mon + 1, tms->tm_mday);
1575 
1576  /* create the filename to use */
1577  int ret = snprintf(dirfull, sizeof(dirfull), "%s/%s", pl->dir, dirname);
1578  if (ret < 0 || (size_t)ret >= sizeof(dirfull)) {
1579  SCLogError(SC_ERR_SPRINTF,"failed to construct path");
1580  goto error;
1581  }
1582 
1583  /* if mkdir fails file open will fail, so deal with errors there */
1584  (void)SCMkDir(dirfull, 0700);
1585 
1586  if ((pf->dirname = SCStrdup(dirfull)) == NULL) {
1587  SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory for "
1588  "directory name");
1589  goto error;
1590  }
1591 
1592  int written;
1593  if (pl->timestamp_format == TS_FORMAT_SEC) {
1594  written = snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32 "%s",
1595  dirfull, pl->prefix, (uint32_t)ts.tv_sec, pl->suffix);
1596  } else {
1597  written = snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32 ".%" PRIu32 "%s",
1598  dirfull, pl->prefix, (uint32_t)ts.tv_sec,
1599  (uint32_t)ts.tv_usec, pl->suffix);
1600  }
1601  if (written == PATH_MAX) {
1602  SCLogError(SC_ERR_SPRINTF,"log-pcap path overflow");
1603  goto error;
1604  }
1605  } else if (pl->mode == LOGMODE_NORMAL) {
1606  int ret;
1607  /* create the filename to use */
1608  if (pl->timestamp_format == TS_FORMAT_SEC) {
1609  ret = snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32 "%s", pl->dir,
1610  pl->prefix, (uint32_t)ts.tv_sec, pl->suffix);
1611  } else {
1612  ret = snprintf(filename, PATH_MAX,
1613  "%s/%s.%" PRIu32 ".%" PRIu32 "%s", pl->dir, pl->prefix,
1614  (uint32_t)ts.tv_sec, (uint32_t)ts.tv_usec, pl->suffix);
1615  }
1616  if (ret < 0 || (size_t)ret >= PATH_MAX) {
1617  SCLogError(SC_ERR_SPRINTF,"failed to construct path");
1618  goto error;
1619  }
1620  } else if (pl->mode == LOGMODE_MULTI) {
1621  if (pl->filename_part_cnt > 0) {
1622  /* assemble filename from stored tokens */
1623 
1624  strlcpy(filename, pl->dir, PATH_MAX);
1625  strlcat(filename, "/", PATH_MAX);
1626 
1627  int i;
1628  for (i = 0; i < pl->filename_part_cnt; i++) {
1629  if (pl->filename_parts[i] == NULL ||strlen(pl->filename_parts[i]) == 0)
1630  continue;
1631 
1632  /* handle variables */
1633  if (pl->filename_parts[i][0] == '%') {
1634  char str[64] = "";
1635  if (strlen(pl->filename_parts[i]) < 2)
1636  continue;
1637 
1638  switch(pl->filename_parts[i][1]) {
1639  case 'n':
1640  snprintf(str, sizeof(str), "%u", pl->thread_number);
1641  break;
1642  case 'i':
1643  {
1644  long thread_id = SCGetThreadIdLong();
1645  snprintf(str, sizeof(str), "%"PRIu64, (uint64_t)thread_id);
1646  break;
1647  }
1648  case 't':
1649  /* create the filename to use */
1650  if (pl->timestamp_format == TS_FORMAT_SEC) {
1651  snprintf(str, sizeof(str), "%"PRIu32, (uint32_t)ts.tv_sec);
1652  } else {
1653  snprintf(str, sizeof(str), "%"PRIu32".%"PRIu32,
1654  (uint32_t)ts.tv_sec, (uint32_t)ts.tv_usec);
1655  }
1656  }
1657  strlcat(filename, str, PATH_MAX);
1658 
1659  /* copy the rest over */
1660  } else {
1661  strlcat(filename, pl->filename_parts[i], PATH_MAX);
1662  }
1663  }
1664  strlcat(filename, pl->suffix, PATH_MAX);
1665  } else {
1666  int ret;
1667  /* create the filename to use */
1668  if (pl->timestamp_format == TS_FORMAT_SEC) {
1669  ret = snprintf(filename, PATH_MAX, "%s/%s.%u.%" PRIu32 "%s",
1670  pl->dir, pl->prefix, pl->thread_number,
1671  (uint32_t)ts.tv_sec, pl->suffix);
1672  } else {
1673  ret = snprintf(filename, PATH_MAX,
1674  "%s/%s.%u.%" PRIu32 ".%" PRIu32 "%s", pl->dir,
1675  pl->prefix, pl->thread_number, (uint32_t)ts.tv_sec,
1676  (uint32_t)ts.tv_usec, pl->suffix);
1677  }
1678  if (ret < 0 || (size_t)ret >= PATH_MAX) {
1679  SCLogError(SC_ERR_SPRINTF,"failed to construct path");
1680  goto error;
1681  }
1682  }
1683  SCLogDebug("multi-mode: filename %s", filename);
1684  }
1685 
1686  if ((pf->filename = SCStrdup(pl->filename)) == NULL) {
1687  SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory. For filename");
1688  goto error;
1689  }
1690  SCLogDebug("Opening pcap file log %s", pf->filename);
1691  TAILQ_INSERT_TAIL(&pl->pcap_file_list, pf, next);
1692 
1693  PCAPLOG_PROFILE_END(pl->profile_open);
1694  return 0;
1695 
1696 error:
1697  PcapFileNameFree(pf);
1698  return -1;
1699 }
1700 
1701 static int profiling_pcaplog_enabled = 0;
1702 static int profiling_pcaplog_output_to_file = 0;
1703 static char *profiling_pcaplog_file_name = NULL;
1704 static const char *profiling_pcaplog_file_mode = "a";
1705 
1706 static void FormatNumber(uint64_t num, char *str, size_t size)
1707 {
1708  if (num < 1000UL)
1709  snprintf(str, size, "%"PRIu64, num);
1710  else if (num < 1000000UL)
1711  snprintf(str, size, "%3.1fk", (float)num/1000UL);
1712  else if (num < 1000000000UL)
1713  snprintf(str, size, "%3.1fm", (float)num/1000000UL);
1714  else
1715  snprintf(str, size, "%3.1fb", (float)num/1000000000UL);
1716 }
1717 
1718 static void ProfileReportPair(FILE *fp, const char *name, PcapLogProfileData *p)
1719 {
1720  char ticks_str[32] = "n/a";
1721  char cnt_str[32] = "n/a";
1722  char avg_str[32] = "n/a";
1723 
1724  FormatNumber((uint64_t)p->cnt, cnt_str, sizeof(cnt_str));
1725  FormatNumber((uint64_t)p->total, ticks_str, sizeof(ticks_str));
1726  if (p->cnt && p->total)
1727  FormatNumber((uint64_t)(p->total/p->cnt), avg_str, sizeof(avg_str));
1728 
1729  fprintf(fp, "%-28s %-10s %-10s %-10s\n", name, cnt_str, avg_str, ticks_str);
1730 }
1731 
1732 static void ProfileReport(FILE *fp, PcapLogData *pl)
1733 {
1734  ProfileReportPair(fp, "open", &pl->profile_open);
1735  ProfileReportPair(fp, "close", &pl->profile_close);
1736  ProfileReportPair(fp, "write", &pl->profile_write);
1737  ProfileReportPair(fp, "rotate (incl open/close)", &pl->profile_rotate);
1738  ProfileReportPair(fp, "handles", &pl->profile_handles);
1739  ProfileReportPair(fp, "lock", &pl->profile_lock);
1740  ProfileReportPair(fp, "unlock", &pl->profile_unlock);
1741 }
1742 
1743 static void FormatBytes(uint64_t num, char *str, size_t size)
1744 {
1745  if (num < 1000UL)
1746  snprintf(str, size, "%"PRIu64, num);
1747  else if (num < 1048576UL)
1748  snprintf(str, size, "%3.1fKiB", (float)num/1000UL);
1749  else if (num < 1073741824UL)
1750  snprintf(str, size, "%3.1fMiB", (float)num/1000000UL);
1751  else
1752  snprintf(str, size, "%3.1fGiB", (float)num/1000000000UL);
1753 }
1754 
1755 static void PcapLogProfilingDump(PcapLogData *pl)
1756 {
1757  FILE *fp = NULL;
1758 
1759  if (profiling_pcaplog_enabled == 0)
1760  return;
1761 
1762  if (profiling_pcaplog_output_to_file == 1) {
1763  fp = fopen(profiling_pcaplog_file_name, profiling_pcaplog_file_mode);
1764  if (fp == NULL) {
1765  SCLogError(SC_ERR_FOPEN, "failed to open %s: %s",
1766  profiling_pcaplog_file_name, strerror(errno));
1767  return;
1768  }
1769  } else {
1770  fp = stdout;
1771  }
1772 
1773  /* counters */
1774  fprintf(fp, "\n\nOperation Cnt Avg ticks Total ticks\n");
1775  fprintf(fp, "---------------------------- ---------- ---------- -----------\n");
1776 
1777  ProfileReport(fp, pl);
1778  uint64_t total = pl->profile_write.total + pl->profile_rotate.total +
1779  pl->profile_handles.total + pl->profile_open.total +
1780  pl->profile_close.total + pl->profile_lock.total +
1781  pl->profile_unlock.total;
1782 
1783  /* overall stats */
1784  fprintf(fp, "\nOverall: %"PRIu64" bytes written, average %d bytes per write.\n",
1785  pl->profile_data_size, pl->profile_write.cnt ?
1786  (int)(pl->profile_data_size / pl->profile_write.cnt) : 0);
1787  fprintf(fp, " PCAP data structure overhead: %"PRIuMAX" per write.\n",
1788  (uintmax_t)sizeof(struct pcap_pkthdr));
1789 
1790  /* print total bytes written */
1791  char bytes_str[32];
1792  FormatBytes(pl->profile_data_size, bytes_str, sizeof(bytes_str));
1793  fprintf(fp, " Size written: %s\n", bytes_str);
1794 
1795  /* ticks per MiB and GiB */
1796  uint64_t ticks_per_mib = 0, ticks_per_gib = 0;
1797  uint64_t mib = pl->profile_data_size/(1024*1024);
1798  if (mib)
1799  ticks_per_mib = total/mib;
1800  char ticks_per_mib_str[32] = "n/a";
1801  if (ticks_per_mib > 0)
1802  FormatNumber(ticks_per_mib, ticks_per_mib_str, sizeof(ticks_per_mib_str));
1803  fprintf(fp, " Ticks per MiB: %s\n", ticks_per_mib_str);
1804 
1805  uint64_t gib = pl->profile_data_size/(1024*1024*1024);
1806  if (gib)
1807  ticks_per_gib = total/gib;
1808  char ticks_per_gib_str[32] = "n/a";
1809  if (ticks_per_gib > 0)
1810  FormatNumber(ticks_per_gib, ticks_per_gib_str, sizeof(ticks_per_gib_str));
1811  fprintf(fp, " Ticks per GiB: %s\n", ticks_per_gib_str);
1812 
1813  if (fp != stdout)
1814  fclose(fp);
1815 }
1816 
1817 void PcapLogProfileSetup(void)
1818 {
1819  ConfNode *conf = ConfGetNode("profiling.pcap-log");
1820  if (conf != NULL && ConfNodeChildValueIsTrue(conf, "enabled")) {
1821  profiling_pcaplog_enabled = 1;
1822  SCLogInfo("pcap-log profiling enabled");
1823 
1824  const char *filename = ConfNodeLookupChildValue(conf, "filename");
1825  if (filename != NULL) {
1826  const char *log_dir;
1827  log_dir = ConfigGetLogDirectory();
1828 
1829  profiling_pcaplog_file_name = SCMalloc(PATH_MAX);
1830  if (unlikely(profiling_pcaplog_file_name == NULL)) {
1831  SCLogError(SC_ERR_MEM_ALLOC, "can't duplicate file name");
1832  exit(EXIT_FAILURE);
1833  }
1834 
1835  snprintf(profiling_pcaplog_file_name, PATH_MAX, "%s/%s", log_dir, filename);
1836 
1837  const char *v = ConfNodeLookupChildValue(conf, "append");
1838  if (v == NULL || ConfValIsTrue(v)) {
1839  profiling_pcaplog_file_mode = "a";
1840  } else {
1841  profiling_pcaplog_file_mode = "w";
1842  }
1843 
1844  profiling_pcaplog_output_to_file = 1;
1845  SCLogInfo("pcap-log profiling output goes to %s (mode %s)",
1846  profiling_pcaplog_file_name, profiling_pcaplog_file_mode);
1847  }
1848  }
1849 }
SC_ATOMIC_DECLARE
SC_ATOMIC_DECLARE(uint32_t, thread_cnt)
PcapLogData_::filename
char * filename
Definition: log-pcap.c:148
SCMutex
#define SCMutex
Definition: threads-debug.h:114
TAILQ_INSERT_BEFORE
#define TAILQ_INSERT_BEFORE(listelm, elm, field)
Definition: queue.h:405
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
PcapLogRegister
void PcapLogRegister(void)
Definition: log-pcap.c:205
USE_STREAM_DEPTH_ENABLED
#define USE_STREAM_DEPTH_ENABLED
Definition: log-pcap.c:85
PcapLogData_::profile_open
PcapLogProfileData profile_open
Definition: log-pcap.c:164
TAILQ_FIRST
#define TAILQ_FIRST(head)
Definition: queue.h:339
PcapLogProfileData_
Definition: log-pcap.c:108
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:350
PcapLogData_::h
struct pcap_pkthdr * h
Definition: log-pcap.c:147
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:571
IS_TUNNEL_ROOT_PKT
#define IS_TUNNEL_ROOT_PKT(p)
Definition: decode.h:884
PcapLogData_::prev_day
int prev_day
Definition: log-pcap.c:150
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
OutputCtx_
Definition: tm-modules.h:78
PCAPLOG_PROFILE_END
#define PCAPLOG_PROFILE_END(prof)
Definition: log-pcap.c:218
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:265
PcapLogData_::size_current
uint64_t size_current
Definition: log-pcap.c:151
FALSE
#define FALSE
Definition: suricata-common.h:34
PcapLogData_::mode
int mode
Definition: log-pcap.c:149
SCFmemopen
#define SCFmemopen
Definition: util-fmemopen.h:52
SCMkDir
#define SCMkDir(a, b)
Definition: util-path.h:29
MAX_TOKS
#define MAX_TOKS
Definition: log-pcap.c:113
PcapLogCompressionData_::buffer
uint8_t * buffer
Definition: log-pcap.c:123
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
PcapLogData_::pkt_cnt
uint64_t pkt_cnt
Definition: log-pcap.c:146
PcapLogCompressionData_::buffer_size
uint64_t buffer_size
Definition: log-pcap.c:124
PcapLogData_::profile_unlock
PcapLogProfileData profile_unlock
Definition: log-pcap.c:161
PcapFileName_::dirname
char * dirname
Definition: log-pcap.c:96
RING_BUFFER_MODE_ENABLED
#define RING_BUFFER_MODE_ENABLED
Definition: log-pcap.c:79
PcapLogCompressionData_::pcap_buf_wrapper
FILE * pcap_buf_wrapper
Definition: log-pcap.c:132
strlcat
size_t strlcat(char *, const char *src, size_t siz)
Definition: util-strlcatu.c:45
SC_ATOMIC_ADD
#define SC_ATOMIC_ADD(name, val)
add a value to our atomic variable
Definition: util-atomic.h:107
PcapLogData_::honor_pass_rules
int honor_pass_rules
Definition: log-pcap.c:143
IS_TUNNEL_PKT
#define IS_TUNNEL_PKT(p)
Definition: decode.h:881
src
uint16_t src
Definition: app-layer-dnp3.h:2652
ByteExtractStringUint32
int ByteExtractStringUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:244
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
PcapLogProfileData_::cnt
uint64_t cnt
Definition: log-pcap.c:110
PcapLogData_::pcap_dumper
pcap_dumper_t * pcap_dumper
Definition: log-pcap.c:154
PcapLogData_::profile_lock
PcapLogProfileData profile_lock
Definition: log-pcap.c:159
TAILQ_HEAD
#define TAILQ_HEAD(name, type)
Definition: queue.h:321
PcapFileName_::secs
uint64_t secs
Definition: log-pcap.c:101
PcapLogData_::file_cnt
uint32_t file_cnt
Definition: log-pcap.c:156
TRUE
#define TRUE
Definition: suricata-common.h:33
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
PcapLogProfileSetup
void PcapLogProfileSetup(void)
Definition: log-pcap.c:1817
PcapLogThreadData_
Definition: log-pcap.c:183
ConfNodeChildValueIsTrue
int ConfNodeChildValueIsTrue(const ConfNode *node, const char *key)
Test if a configuration node has a true value.
Definition: conf.c:888
PcapLogCompressionData_
Definition: log-pcap.c:121
OutputInitResult_
Definition: output.h:41
PcapLogData_::pcap_dead_handle
pcap_t * pcap_dead_handle
Definition: log-pcap.c:153
ParseSizeStringU64
int ParseSizeStringU64(const char *size, uint64_t *res)
Definition: util-misc.c:203
ByteExtractStringUint64
int ByteExtractStringUint64(uint64_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:239
SC_ATOMIC_INIT
#define SC_ATOMIC_INIT(name)
Initialize the previously declared atomic variable and it&#39;s lock.
Definition: util-atomic.h:81
PcapLogData_
Definition: log-pcap.c:141
str
#define str(s)
Definition: suricata-common.h:256
dst
uint16_t dst
Definition: app-layer-dnp3.h:2651
SCCalloc
#define SCCalloc(nm, a)
Definition: util-mem.h:253
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:843
OutputRegisterPacketModule
void OutputRegisterPacketModule(LoggerId id, const char *name, const char *conf_name, OutputInitFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output module.
Definition: output.c:163
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
PcapFileName_::filename
char * filename
Definition: log-pcap.c:95
SCLocalTime
struct tm * SCLocalTime(time_t timep, struct tm *result)
Definition: util-time.c:240
Packet_::datalink
int datalink
Definition: decode.h:574
TimeGet
void TimeGet(struct timeval *tv)
Definition: util-time.c:146
PcapLogCompressionData
struct PcapLogCompressionData_ PcapLogCompressionData
OutputInitResult_::ok
bool ok
Definition: output.h:43
TAILQ_INIT
#define TAILQ_INIT(head)
Definition: queue.h:370
PcapLogCompressionData_::pcap_buf_size
uint64_t pcap_buf_size
Definition: log-pcap.c:131
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
PcapLogData_::use_stream_depth
int use_stream_depth
Definition: log-pcap.c:142
SCGetThreadIdLong
#define SCGetThreadIdLong(...)
Definition: threads.h:253
PcapLogCompressionData_::bytes_in_block
uint64_t bytes_in_block
Definition: log-pcap.c:133
TAILQ_REMOVE
#define TAILQ_REMOVE(head, elm, field)
Definition: queue.h:412
PcapLogProfileData
struct PcapLogProfileData_ PcapLogProfileData
PcapLogCompressionData_::file
FILE * file
Definition: log-pcap.c:129
ConfValIsFalse
int ConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:591
PcapLogData_::is_private
int is_private
Definition: log-pcap.c:144
MIN_LIMIT
#define MIN_LIMIT
Definition: log-pcap.c:70
PKT_PSEUDO_STREAM_END
#define PKT_PSEUDO_STREAM_END
Definition: decode.h:1094
USE_STREAM_DEPTH_DISABLED
#define USE_STREAM_DEPTH_DISABLED
Definition: log-pcap.c:84
PKT_STREAM_NOPCAPLOG
#define PKT_STREAM_NOPCAPLOG
Definition: decode.h:1097
DEFAULT_FILE_LIMIT
#define DEFAULT_FILE_LIMIT
Definition: log-pcap.c:72
PathIsAbsolute
int PathIsAbsolute(const char *path)
Check if a path is absolute.
Definition: util-path.c:39
PcapLogData_::profile_close
PcapLogProfileData profile_close
Definition: log-pcap.c:163
SCMutexInit
#define SCMutexInit(mut, mutattrs)
Definition: threads-debug.h:116
Packet_
Definition: decode.h:407
LOGMODE_SGUIL
#define LOGMODE_SGUIL
Definition: log-pcap.c:75
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:281
PcapLogData_::profile_handles
PcapLogProfileData profile_handles
Definition: log-pcap.c:162
PcapLogData_::size_limit
uint64_t size_limit
Definition: log-pcap.c:152
PcapLogData_::profile_write
PcapLogProfileData profile_write
Definition: log-pcap.c:160
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:566
RING_BUFFER_MODE_DISABLED
#define RING_BUFFER_MODE_DISABLED
Definition: log-pcap.c:78
TAILQ_INSERT_TAIL
#define TAILQ_INSERT_TAIL(head, elm, field)
Definition: queue.h:385
HONOR_PASS_RULES_ENABLED
#define HONOR_PASS_RULES_ENABLED
Definition: log-pcap.c:88
ConfNode_
Definition: conf.h:32
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:42
ConfigGetLogDirectory
const char * ConfigGetLogDirectory()
Definition: util-conf.c:36
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:222
PcapLogThreadData
struct PcapLogThreadData_ PcapLogThreadData
PcapLogData_::max_files
uint32_t max_files
Definition: log-pcap.c:157
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:254
LOGMODE_MULTI
#define LOGMODE_MULTI
Definition: log-pcap.c:76
SCFree
#define SCFree(a)
Definition: util-mem.h:322
PcapLogThreadData_::pcap_log
PcapLogData * pcap_log
Definition: log-pcap.c:184
DEFAULT_LIMIT
#define DEFAULT_LIMIT
Definition: log-pcap.c:71
SCLogNotice
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:269
TAILQ_ENTRY
#define TAILQ_ENTRY(type)
Definition: queue.h:330
PcapLogCompressionData_::pcap_buf
uint8_t * pcap_buf
Definition: log-pcap.c:130
PcapLogData_::plog_lock
SCMutex plog_lock
Definition: log-pcap.c:145
PcapFileName_::usecs
uint32_t usecs
Definition: log-pcap.c:102
PcapLogData_::profile_rotate
PcapLogProfileData profile_rotate
Definition: log-pcap.c:165
PKT_NOPACKET_INSPECTION
#define PKT_NOPACKET_INSPECTION
Definition: decode.h:1086
OutputCtx_::data
void * data
Definition: tm-modules.h:81
FatalError
#define FatalError(x,...)
Definition: util-debug.h:539
PcapLogProfileData_::total
uint64_t total
Definition: log-pcap.c:109
ConfGetNode
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
Definition: conf.c:176
TS_FORMAT_SEC
#define TS_FORMAT_SEC
Definition: log-pcap.c:81
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:225
LOGMODE_NORMAL
#define LOGMODE_NORMAL
Definition: log-pcap.c:74
ConfGetChildValueInt
int ConfGetChildValueInt(const ConfNode *base, const char *name, intmax_t *val)
Definition: conf.c:469
PcapLogCompressionFormat
PcapLogCompressionFormat
Definition: log-pcap.c:116
SCStrdup
#define SCStrdup(a)
Definition: util-mem.h:268
MAX_FILENAMELEN
#define MAX_FILENAMELEN
Definition: log-pcap.c:114
DEFAULT_LOG_FILENAME
#define DEFAULT_LOG_FILENAME
Definition: log-pcap.c:68
PcapLogCompressionData_::format
enum PcapLogCompressionFormat format
Definition: log-pcap.c:122
HONOR_PASS_RULES_DISABLED
#define HONOR_PASS_RULES_DISABLED
Definition: log-pcap.c:87
TAILQ_NEXT
#define TAILQ_NEXT(elm, field)
Definition: queue.h:341
PcapLogData_::profile_data_size
uint64_t profile_data_size
Definition: log-pcap.c:155
TAILQ_EMPTY
#define TAILQ_EMPTY(head)
Definition: queue.h:347
PCAP_SNAPLEN
#define PCAP_SNAPLEN
Definition: log-pcap.c:90
len
uint8_t len
Definition: app-layer-dnp3.h:2649
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
TS_FORMAT_USEC
#define TS_FORMAT_USEC
Definition: log-pcap.c:82
Packet_::ts
struct timeval ts
Definition: decode.h:451
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:224
Packet_::flags
uint32_t flags
Definition: decode.h:443
MODULE_NAME
#define MODULE_NAME
Definition: log-pcap.c:69
PcapFileName_
Definition: log-pcap.c:94
PCAPLOG_PROFILE_START
#define PCAPLOG_PROFILE_START
Definition: log-pcap.c:215