suricata
log-pcap.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2014 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 
19 /**
20  * \file
21  *
22  * \author William Metcalf <William.Metcalf@gmail.com>
23  * \author Victor Julien <victor@inliniac.net>
24  *
25  * Pcap packet logging module.
26  */
27 
28 #include "suricata-common.h"
29 #include "util-fmemopen.h"
30 
31 #ifdef HAVE_LIBLZ4
32 #include <lz4frame.h>
33 #endif /* HAVE_LIBLZ4 */
34 
35 #if defined(HAVE_DIRENT_H) && defined(HAVE_FNMATCH_H)
36 #define INIT_RING_BUFFER
37 #include <dirent.h>
38 #include <fnmatch.h>
39 #endif
40 
41 #include "debug.h"
42 #include "detect.h"
43 #include "flow.h"
44 #include "conf.h"
45 
46 #include "threads.h"
47 #include "threadvars.h"
48 #include "tm-threads.h"
49 
50 #include "util-unittest.h"
51 #include "log-pcap.h"
52 #include "decode-ipv4.h"
53 
54 #include "util-error.h"
55 #include "util-debug.h"
56 #include "util-time.h"
57 #include "util-byte.h"
58 #include "util-misc.h"
59 #include "util-cpu.h"
60 #include "util-atomic.h"
61 
62 #include "source-pcap.h"
63 
64 #include "output.h"
65 
66 #include "queue.h"
67 
68 #define DEFAULT_LOG_FILENAME "pcaplog"
69 #define MODULE_NAME "PcapLog"
70 #define MIN_LIMIT 4 * 1024 * 1024
71 #define DEFAULT_LIMIT 100 * 1024 * 1024
72 #define DEFAULT_FILE_LIMIT 0
73 
74 #define LOGMODE_NORMAL 0
75 #define LOGMODE_SGUIL 1
76 #define LOGMODE_MULTI 2
77 
78 #define RING_BUFFER_MODE_DISABLED 0
79 #define RING_BUFFER_MODE_ENABLED 1
80 
81 #define TS_FORMAT_SEC 0
82 #define TS_FORMAT_USEC 1
83 
84 #define USE_STREAM_DEPTH_DISABLED 0
85 #define USE_STREAM_DEPTH_ENABLED 1
86 
87 #define HONOR_PASS_RULES_DISABLED 0
88 #define HONOR_PASS_RULES_ENABLED 1
89 
90 #define PCAP_SNAPLEN 262144
91 
92 SC_ATOMIC_DECLARE(uint32_t, thread_cnt);
93 
94 typedef struct PcapFileName_ {
95  char *filename;
96  char *dirname;
97 
98  /* Like a struct timeval, but with fixed size. This is only used when
99  * seeding the ring buffer on start. */
100  struct {
101  uint64_t secs;
102  uint32_t usecs;
103  };
104 
105  TAILQ_ENTRY(PcapFileName_) next; /**< Pointer to next Pcap File for tailq. */
107 
108 typedef struct PcapLogProfileData_ {
109  uint64_t total;
110  uint64_t cnt;
112 
113 #define MAX_TOKS 9
114 #define MAX_FILENAMELEN 513
115 
119 };
120 
121 typedef struct PcapLogCompressionData_ {
123  uint8_t *buffer;
124  uint64_t buffer_size;
125 #ifdef HAVE_LIBLZ4
126  LZ4F_compressionContext_t lz4f_context;
127  LZ4F_preferences_t lz4f_prefs;
128 #endif /* HAVE_LIBLZ4 */
129  FILE *file;
130  uint8_t *pcap_buf;
131  uint64_t pcap_buf_size;
133  uint64_t bytes_in_block;
135 
136 /**
137  * PcapLog thread vars
138  *
139  * Used for storing file options.
140  */
141 typedef struct PcapLogData_ {
142  int use_stream_depth; /**< use stream depth i.e. ignore packets that reach limit */
143  int honor_pass_rules; /**< don't log if pass rules have matched */
144  int is_private; /**< TRUE if ctx is thread local */
146  uint64_t pkt_cnt; /**< total number of packets */
147  struct pcap_pkthdr *h; /**< pcap header struct */
148  char *filename; /**< current filename */
149  int mode; /**< normal or sguil */
150  int prev_day; /**< last day, for finding out when */
151  uint64_t size_current; /**< file current size */
152  uint64_t size_limit; /**< file size limit */
153  pcap_t *pcap_dead_handle; /**< pcap_dumper_t needs a handle */
154  pcap_dumper_t *pcap_dumper; /**< actually writes the packets */
155  uint64_t profile_data_size; /**< track in bytes how many bytes we wrote */
156  uint32_t file_cnt; /**< count of pcap files we currently have */
157  uint32_t max_files; /**< maximum files to use in ring buffer mode */
158 
166 
167  TAILQ_HEAD(, PcapFileName_) pcap_file_list;
168 
169  uint32_t thread_number; /**< thread number, first thread is 1, second 2, etc */
170  int use_ringbuffer; /**< ring buffer mode enabled or disabled */
171  int timestamp_format; /**< timestamp format sec or usec */
172  char *prefix; /**< filename prefix */
173  const char *suffix; /**< filename suffix */
174  char dir[PATH_MAX]; /**< pcap log directory */
175  int reported;
176  int threads; /**< number of threads (only set in the global) */
177  char *filename_parts[MAX_TOKS];
178  int filename_part_cnt;
179 
180  PcapLogCompressionData compression;
182 
183 typedef struct PcapLogThreadData_ {
186 
187 /* Pattern for extracting timestamp from pcap log files. */
188 static const char timestamp_pattern[] = ".*?(\\d+)(\\.(\\d+))?";
189 static pcre *pcre_timestamp_code = NULL;
190 static pcre_extra *pcre_timestamp_extra = NULL;
191 
192 /* global pcap data for when we're using multi mode. At exit we'll
193  * merge counters into this one and then report counters. */
194 static PcapLogData *g_pcap_data = NULL;
195 
196 static int PcapLogOpenFileCtx(PcapLogData *);
197 static int PcapLog(ThreadVars *, void *, const Packet *);
198 static TmEcode PcapLogDataInit(ThreadVars *, const void *, void **);
199 static TmEcode PcapLogDataDeinit(ThreadVars *, void *);
200 static void PcapLogFileDeInitCtx(OutputCtx *);
201 static OutputInitResult PcapLogInitCtx(ConfNode *);
202 static void PcapLogProfilingDump(PcapLogData *);
203 static int PcapLogCondition(ThreadVars *, const Packet *);
204 
205 void PcapLogRegister(void)
206 {
208  PcapLogInitCtx, PcapLog, PcapLogCondition, PcapLogDataInit,
209  PcapLogDataDeinit, NULL);
211  SC_ATOMIC_INIT(thread_cnt);
212  SC_ATOMIC_SET(thread_cnt, 1); /* first id is 1 */
213  return;
214 }
215 
216 #define PCAPLOG_PROFILE_START \
217  uint64_t pcaplog_profile_ticks = UtilCpuGetTicks()
218 
219 #define PCAPLOG_PROFILE_END(prof) \
220  (prof).total += (UtilCpuGetTicks() - pcaplog_profile_ticks); \
221  (prof).cnt++
222 
223 static int PcapLogCondition(ThreadVars *tv, const Packet *p)
224 {
225  if (p->flags & PKT_PSEUDO_STREAM_END) {
226  return FALSE;
227  }
228  if (IS_TUNNEL_PKT(p) && !IS_TUNNEL_ROOT_PKT(p)) {
229  return FALSE;
230  }
231  return TRUE;
232 }
233 
234 /**
235  * \brief Function to close pcaplog file
236  *
237  * \param t Thread Variable containing input/output queue, cpu affinity etc.
238  * \param pl PcapLog thread variable.
239  */
240 static int PcapLogCloseFile(ThreadVars *t, PcapLogData *pl)
241 {
242  if (pl != NULL) {
244 
245  if (pl->pcap_dumper != NULL) {
246  pcap_dump_close(pl->pcap_dumper);
247 #ifdef HAVE_LIBLZ4
248  PcapLogCompressionData *comp = &pl->compression;
250  /* pcap_dump_close() has closed its output ``file'',
251  * so we need to call fmemopen again. */
252 
253  comp->pcap_buf_wrapper = SCFmemopen(comp->pcap_buf,
254  comp->pcap_buf_size, "w");
255  if (comp->pcap_buf_wrapper == NULL) {
256  SCLogError(SC_ERR_FOPEN, "SCFmemopen failed: %s",
257  strerror(errno));
258  return TM_ECODE_FAILED;
259  }
260  }
261 #endif /* HAVE_LIBLZ4 */
262  }
263  pl->size_current = 0;
264  pl->pcap_dumper = NULL;
265 
266  if (pl->pcap_dead_handle != NULL)
267  pcap_close(pl->pcap_dead_handle);
268  pl->pcap_dead_handle = NULL;
269 
270 #ifdef HAVE_LIBLZ4
271  PcapLogCompressionData *comp = &pl->compression;
273  /* pcap_dump_close did not write any data because we call
274  * pcap_dump_flush() after every write when writing
275  * compressed output. */
276  uint64_t bytes_written = LZ4F_compressEnd(comp->lz4f_context,
277  comp->buffer, comp->buffer_size, NULL);
278  if (LZ4F_isError(bytes_written)) {
279  SCLogError(SC_ERR_PCAP_LOG_COMPRESS, "LZ4F_compressEnd: %s",
280  LZ4F_getErrorName(bytes_written));
281  return TM_ECODE_FAILED;
282  }
283  if (fwrite(comp->buffer, 1, bytes_written, comp->file) < bytes_written) {
284  SCLogError(SC_ERR_FWRITE, "fwrite failed: %s", strerror(errno));
285  return TM_ECODE_FAILED;
286  }
287  fclose(comp->file);
288  comp->bytes_in_block = 0;
289  }
290 #endif /* HAVE_LIBLZ4 */
291 
293  }
294 
295  return 0;
296 }
297 
298 static void PcapFileNameFree(PcapFileName *pf)
299 {
300  if (pf != NULL) {
301  if (pf->filename != NULL) {
302  SCFree(pf->filename);
303  }
304  if (pf->dirname != NULL) {
305  SCFree(pf->dirname);
306  }
307  SCFree(pf);
308  }
309 
310  return;
311 }
312 
313 /**
314  * \brief Function to rotate pcaplog file
315  *
316  * \param t Thread Variable containing input/output queue, cpu affinity etc.
317  * \param pl PcapLog thread variable.
318  *
319  * \retval 0 on succces
320  * \retval -1 on failure
321  */
322 static int PcapLogRotateFile(ThreadVars *t, PcapLogData *pl)
323 {
324  PcapFileName *pf;
325  PcapFileName *pfnext;
326 
328 
329  if (PcapLogCloseFile(t,pl) < 0) {
330  SCLogDebug("PcapLogCloseFile failed");
331  return -1;
332  }
333 
334  if (pl->use_ringbuffer == RING_BUFFER_MODE_ENABLED && pl->file_cnt >= pl->max_files) {
335  pf = TAILQ_FIRST(&pl->pcap_file_list);
336  SCLogDebug("Removing pcap file %s", pf->filename);
337 
338  if (remove(pf->filename) != 0) {
339  // VJ remove can fail because file is already gone
340  //LogWarning(SC_ERR_PCAP_FILE_DELETE_FAILED,
341  // "failed to remove log file %s: %s",
342  // pf->filename, strerror( errno ));
343  }
344 
345  /* Remove directory if Sguil mode and no files left in sguil dir */
346  if (pl->mode == LOGMODE_SGUIL) {
347  pfnext = TAILQ_NEXT(pf,next);
348 
349  if (strcmp(pf->dirname, pfnext->dirname) == 0) {
350  SCLogDebug("Current entry dir %s and next entry %s "
351  "are equal: not removing dir",
352  pf->dirname, pfnext->dirname);
353  } else {
354  SCLogDebug("current entry %s and %s are "
355  "not equal: removing dir",
356  pf->dirname, pfnext->dirname);
357 
358  if (remove(pf->dirname) != 0) {
360  "failed to remove sguil log %s: %s",
361  pf->dirname, strerror( errno ));
362  }
363  }
364  }
365 
366  TAILQ_REMOVE(&pl->pcap_file_list, pf, next);
367  PcapFileNameFree(pf);
368  pl->file_cnt--;
369  }
370 
371  if (PcapLogOpenFileCtx(pl) < 0) {
372  SCLogError(SC_ERR_FOPEN, "opening new pcap log file failed");
373  return -1;
374  }
375  pl->file_cnt++;
376  SCLogDebug("file_cnt %u", pl->file_cnt);
377 
379  return 0;
380 }
381 
382 static int PcapLogOpenHandles(PcapLogData *pl, const Packet *p)
383 {
385 
386  SCLogDebug("Setting pcap-log link type to %u", p->datalink);
387 
388  if (pl->pcap_dead_handle == NULL) {
389  if ((pl->pcap_dead_handle = pcap_open_dead(p->datalink,
390  PCAP_SNAPLEN)) == NULL) {
391  SCLogDebug("Error opening dead pcap handle");
392  return TM_ECODE_FAILED;
393  }
394  }
395 
396  if (pl->pcap_dumper == NULL) {
397  if (pl->compression.format == PCAP_LOG_COMPRESSION_FORMAT_NONE) {
398  if ((pl->pcap_dumper = pcap_dump_open(pl->pcap_dead_handle,
399  pl->filename)) == NULL) {
400  SCLogInfo("Error opening dump file %s", pcap_geterr(pl->pcap_dead_handle));
401  return TM_ECODE_FAILED;
402  }
403  }
404 #ifdef HAVE_LIBLZ4
405  else if (pl->compression.format == PCAP_LOG_COMPRESSION_FORMAT_LZ4) {
406  PcapLogCompressionData *comp = &pl->compression;
407  if ((pl->pcap_dumper = pcap_dump_fopen(pl->pcap_dead_handle,
408  comp->pcap_buf_wrapper)) == NULL) {
409  SCLogError(SC_ERR_OPENING_FILE, "Error opening dump file %s",
410  pcap_geterr(pl->pcap_dead_handle));
411  return TM_ECODE_FAILED;
412  }
413  comp->file = fopen(pl->filename, "w");
414  if (comp->file == NULL) {
416  "Error opening file for compressed output: %s",
417  strerror(errno));
418  return TM_ECODE_FAILED;
419  }
420 
421  uint64_t bytes_written = LZ4F_compressBegin(comp->lz4f_context,
422  comp->buffer, comp->buffer_size, NULL);
423  if (LZ4F_isError(bytes_written)) {
424  SCLogError(SC_ERR_PCAP_LOG_COMPRESS, "LZ4F_compressBegin: %s",
425  LZ4F_getErrorName(bytes_written));
426  return TM_ECODE_FAILED;
427  }
428  if (fwrite(comp->buffer, 1, bytes_written, comp->file) < bytes_written) {
429  SCLogError(SC_ERR_FWRITE, "fwrite failed: %s", strerror(errno));
430  return TM_ECODE_FAILED;
431  }
432  }
433 #endif /* HAVE_LIBLZ4 */
434  }
435 
437  return TM_ECODE_OK;
438 }
439 
440 /** \internal
441  * \brief lock wrapper for main PcapLog() function
442  * NOTE: only meant for use in main PcapLog() function.
443  */
444 static void PcapLogLock(PcapLogData *pl)
445 {
446  if (!(pl->is_private)) {
448  SCMutexLock(&pl->plog_lock);
450  }
451 }
452 
453 /** \internal
454  * \brief unlock wrapper for main PcapLog() function
455  * NOTE: only meant for use in main PcapLog() function.
456  */
457 static void PcapLogUnlock(PcapLogData *pl)
458 {
459  if (!(pl->is_private)) {
461  SCMutexUnlock(&pl->plog_lock);
463  }
464 }
465 
466 /**
467  * \brief Pcap logging main function
468  *
469  * \param t threadvar
470  * \param p packet
471  * \param thread_data thread module specific data
472  *
473  * \retval TM_ECODE_OK on succes
474  * \retval TM_ECODE_FAILED on serious error
475  */
476 static int PcapLog (ThreadVars *t, void *thread_data, const Packet *p)
477 {
478  size_t len;
479  int rotate = 0;
480  int ret = 0;
481 
482  PcapLogThreadData *td = (PcapLogThreadData *)thread_data;
483  PcapLogData *pl = td->pcap_log;
484 
485  if ((p->flags & PKT_PSEUDO_STREAM_END) ||
486  ((p->flags & PKT_STREAM_NOPCAPLOG) &&
488  (IS_TUNNEL_PKT(p) && !IS_TUNNEL_ROOT_PKT(p)) ||
490  {
491  return TM_ECODE_OK;
492  }
493 
494  PcapLogLock(pl);
495 
496  pl->pkt_cnt++;
497  pl->h->ts.tv_sec = p->ts.tv_sec;
498  pl->h->ts.tv_usec = p->ts.tv_usec;
499  pl->h->caplen = GET_PKT_LEN(p);
500  pl->h->len = GET_PKT_LEN(p);
501  len = sizeof(*pl->h) + GET_PKT_LEN(p);
502 
503  if (pl->filename == NULL) {
504  ret = PcapLogOpenFileCtx(pl);
505  if (ret < 0) {
506  PcapLogUnlock(pl);
507  return TM_ECODE_FAILED;
508  }
509  SCLogDebug("Opening PCAP log file %s", pl->filename);
510  }
511 
512  if (pl->mode == LOGMODE_SGUIL) {
513  struct tm local_tm;
514  struct tm *tms = SCLocalTime(p->ts.tv_sec, &local_tm);
515  if (tms->tm_mday != pl->prev_day) {
516  rotate = 1;
517  pl->prev_day = tms->tm_mday;
518  }
519  }
520 
521  PcapLogCompressionData *comp = &pl->compression;
523  if ((pl->size_current + len) > pl->size_limit || rotate) {
524  if (PcapLogRotateFile(t,pl) < 0) {
525  PcapLogUnlock(pl);
526  SCLogDebug("rotation of pcap failed");
527  return TM_ECODE_FAILED;
528  }
529  }
530  }
531 #ifdef HAVE_LIBLZ4
532  else if (comp->format == PCAP_LOG_COMPRESSION_FORMAT_LZ4) {
533  /* When writing compressed pcap logs, we have no way of knowing
534  * for sure whether adding this packet would cause the current
535  * file to exceed the size limit. Thus, we record the number of
536  * bytes that have been fed into lz4 since the last write, and
537  * act as if they would be written uncompressed. */
538 
539  if ((pl->size_current + comp->bytes_in_block + len) > pl->size_limit ||
540  rotate) {
541  if (PcapLogRotateFile(t,pl) < 0) {
542  PcapLogUnlock(pl);
543  SCLogDebug("rotation of pcap failed");
544  return TM_ECODE_FAILED;
545  }
546  }
547  }
548 #endif /* HAVE_LIBLZ4 */
549 
550  /* XXX pcap handles, nfq, pfring, can only have one link type ipfw? we do
551  * this here as we don't know the link type until we get our first packet */
552  if (pl->pcap_dead_handle == NULL || pl->pcap_dumper == NULL) {
553  if (PcapLogOpenHandles(pl, p) != TM_ECODE_OK) {
554  PcapLogUnlock(pl);
555  return TM_ECODE_FAILED;
556  }
557  }
558 
560  pcap_dump((u_char *)pl->pcap_dumper, pl->h, GET_PKT_DATA(p));
561  if (pl->compression.format == PCAP_LOG_COMPRESSION_FORMAT_NONE) {
562  pl->size_current += len;
563  }
564 #ifdef HAVE_LIBLZ4
565  else if (pl->compression.format == PCAP_LOG_COMPRESSION_FORMAT_LZ4) {
566  pcap_dump_flush(pl->pcap_dumper);
567  uint64_t in_size = (uint64_t)ftell(comp->pcap_buf_wrapper);
568  uint64_t out_size = LZ4F_compressUpdate(comp->lz4f_context,
569  comp->buffer, comp->buffer_size, comp->pcap_buf, in_size, NULL);
570  if (LZ4F_isError(len)) {
571  SCLogError(SC_ERR_PCAP_LOG_COMPRESS, "LZ4F_compressUpdate: %s",
572  LZ4F_getErrorName(len));
573  return TM_ECODE_FAILED;
574  }
575  if (fseek(pl->compression.pcap_buf_wrapper, 0, SEEK_SET) != 0) {
576  SCLogError(SC_ERR_FSEEK, "fseek failed: %s", strerror(errno));
577  return TM_ECODE_FAILED;
578  }
579  if (fwrite(comp->buffer, 1, out_size, comp->file) < out_size) {
580  SCLogError(SC_ERR_FWRITE, "fwrite failed: %s", strerror(errno));
581  return TM_ECODE_FAILED;
582  }
583  if (out_size > 0) {
584  pl->size_current += out_size;
585  comp->bytes_in_block = len;
586  } else {
587  comp->bytes_in_block += len;
588  }
589  }
590 #endif /* HAVE_LIBLZ4 */
591 
593  pl->profile_data_size += len;
594 
595  SCLogDebug("pl->size_current %"PRIu64", pl->size_limit %"PRIu64,
596  pl->size_current, pl->size_limit);
597 
598  PcapLogUnlock(pl);
599  return TM_ECODE_OK;
600 }
601 
602 static PcapLogData *PcapLogDataCopy(const PcapLogData *pl)
603 {
604  BUG_ON(pl->mode != LOGMODE_MULTI);
605  PcapLogData *copy = SCCalloc(1, sizeof(*copy));
606  if (unlikely(copy == NULL)) {
607  return NULL;
608  }
609 
610  copy->h = SCCalloc(1, sizeof(*copy->h));
611  if (unlikely(copy->h == NULL)) {
612  SCFree(copy);
613  return NULL;
614  }
615 
616  copy->prefix = SCStrdup(pl->prefix);
617  if (unlikely(copy->prefix == NULL)) {
618  SCFree(copy->h);
619  SCFree(copy);
620  return NULL;
621  }
622 
623  copy->suffix = pl->suffix;
624 
625  /* settings TODO move to global cfg struct */
626  copy->is_private = TRUE;
627  copy->mode = pl->mode;
628  copy->max_files = pl->max_files;
629  copy->use_ringbuffer = pl->use_ringbuffer;
630  copy->timestamp_format = pl->timestamp_format;
632  copy->size_limit = pl->size_limit;
633 
634  const PcapLogCompressionData *comp = &pl->compression;
635  PcapLogCompressionData *copy_comp = &copy->compression;
636  copy_comp->format = comp->format;
637 #ifdef HAVE_LIBLZ4
639  /* We need to allocate a new compression context and buffers for
640  * the copy. First copy the things that can simply be copied. */
641 
642  copy_comp->buffer_size = comp->buffer_size;
643  copy_comp->pcap_buf_size = comp->pcap_buf_size;
644  copy_comp->lz4f_prefs = comp->lz4f_prefs;
645 
646  /* Allocate the buffers. */
647 
648  copy_comp->buffer = SCMalloc(copy_comp->buffer_size);
649  if (copy_comp->buffer == NULL) {
650  SCLogError(SC_ERR_MEM_ALLOC, "SCMalloc failed: %s",
651  strerror(errno));
652  SCFree(copy->h);
653  SCFree(copy);
654  return NULL;
655  }
656  copy_comp->pcap_buf = SCMalloc(copy_comp->pcap_buf_size);
657  if (copy_comp->pcap_buf == NULL) {
658  SCLogError(SC_ERR_MEM_ALLOC, "SCMalloc failed: %s",
659  strerror(errno));
660  SCFree(copy_comp->buffer);
661  SCFree(copy->h);
662  SCFree(copy);
663  return NULL;
664  }
665  copy_comp->pcap_buf_wrapper = SCFmemopen(copy_comp->pcap_buf,
666  copy_comp->pcap_buf_size, "w");
667  if (copy_comp->pcap_buf_wrapper == NULL) {
668  SCLogError(SC_ERR_FOPEN, "SCFmemopen failed: %s", strerror(errno));
669  SCFree(copy_comp->buffer);
670  SCFree(copy_comp->pcap_buf);
671  SCFree(copy->h);
672  SCFree(copy);
673  return NULL;
674  }
675 
676  /* Initialize a new compression context. */
677 
678  LZ4F_errorCode_t errcode =
679  LZ4F_createCompressionContext(&copy_comp->lz4f_context, 1);
680  if (LZ4F_isError(errcode)) {
682  "LZ4F_createCompressionContext failed: %s",
683  LZ4F_getErrorName(errcode));
684  fclose(copy_comp->pcap_buf_wrapper);
685  SCFree(copy_comp->buffer);
686  SCFree(copy_comp->pcap_buf);
687  SCFree(copy->h);
688  SCFree(copy);
689  return NULL;
690  }
691 
692  /* Initialize the rest. */
693 
694  copy_comp->file = NULL;
695  copy_comp->bytes_in_block = 0;
696  }
697 #endif /* HAVE_LIBLZ4 */
698 
699  TAILQ_INIT(&copy->pcap_file_list);
700  SCMutexInit(&copy->plog_lock, NULL);
701 
702  strlcpy(copy->dir, pl->dir, sizeof(copy->dir));
703 
704  int i;
705  for (i = 0; i < pl->filename_part_cnt && i < MAX_TOKS; i++)
706  copy->filename_parts[i] = pl->filename_parts[i];
707  copy->filename_part_cnt = pl->filename_part_cnt;
708 
709  /* set thread number, first thread is 1 */
710  copy->thread_number = SC_ATOMIC_ADD(thread_cnt, 1);
711 
712  SCLogDebug("copied, returning %p", copy);
713  return copy;
714 }
715 
716 #ifdef INIT_RING_BUFFER
717 static int PcapLogGetTimeOfFile(const char *filename, uint64_t *secs,
718  uint32_t *usecs)
719 {
720  int pcre_ovecsize = 4 * 3;
721  int pcre_ovec[pcre_ovecsize];
722  char buf[PATH_MAX];
723 
724  int n = pcre_exec(pcre_timestamp_code, pcre_timestamp_extra,
725  filename, strlen(filename), 0, 0, pcre_ovec,
726  pcre_ovecsize);
727  if (n != 2 && n != 4) {
728  /* No match. */
729  return 0;
730  }
731 
732  if (n >= 2) {
733  /* Extract seconds. */
734  if (pcre_copy_substring(filename, pcre_ovec, pcre_ovecsize,
735  1, buf, sizeof(buf)) < 0) {
736  return 0;
737  }
738  if (StringParseUint64(secs, 10, 0, buf) < 0) {
739  return 0;
740  }
741  }
742  if (n == 4) {
743  /* Extract microseconds. */
744  if (pcre_copy_substring(filename, pcre_ovec, pcre_ovecsize,
745  3, buf, sizeof(buf)) < 0) {
746  return 0;
747  }
748  if (StringParseUint32(usecs, 10, 0, buf) < 0) {
749  return 0;
750  }
751  }
752 
753  return 1;
754 }
755 
756 static TmEcode PcapLogInitRingBuffer(PcapLogData *pl)
757 {
758  char pattern[PATH_MAX];
759 
760  SCLogInfo("Initializing PCAP ring buffer for %s/%s.",
761  pl->dir, pl->prefix);
762 
763  strlcpy(pattern, pl->dir, PATH_MAX);
764  if (pattern[strlen(pattern) - 1] != '/') {
765  strlcat(pattern, "/", PATH_MAX);
766  }
767  if (pl->mode == LOGMODE_MULTI) {
768  for (int i = 0; i < pl->filename_part_cnt; i++) {
769  char *part = pl->filename_parts[i];
770  if (part == NULL || strlen(part) == 0) {
771  continue;
772  }
773  if (part[0] != '%' || strlen(part) < 2) {
774  strlcat(pattern, part, PATH_MAX);
775  continue;
776  }
777  switch (part[1]) {
778  case 'i':
780  "Thread ID not allowed inring buffer mode.");
781  return TM_ECODE_FAILED;
782  case 'n': {
783  char tmp[PATH_MAX];
784  snprintf(tmp, PATH_MAX, "%"PRIu32, pl->thread_number);
785  strlcat(pattern, tmp, PATH_MAX);
786  break;
787  }
788  case 't':
789  strlcat(pattern, "*", PATH_MAX);
790  break;
791  default:
793  "Unsupported format character: %%%s", part);
794  return TM_ECODE_FAILED;
795  }
796  }
797  } else {
798  strlcat(pattern, pl->prefix, PATH_MAX);
799  strlcat(pattern, ".*", PATH_MAX);
800  }
801  strlcat(pattern, pl->suffix, PATH_MAX);
802 
803  char *basename = strrchr(pattern, '/');
804  *basename++ = '\0';
805 
806  /* Pattern is now just the directory name. */
807  DIR *dir = opendir(pattern);
808  if (dir == NULL) {
809  SCLogWarning(SC_ERR_DIR_OPEN, "Failed to open directory %s: %s",
810  pattern, strerror(errno));
811  return TM_ECODE_FAILED;
812  }
813 
814  for (;;) {
815  struct dirent *entry = readdir(dir);
816  if (entry == NULL) {
817  break;
818  }
819  if (fnmatch(basename, entry->d_name, 0) != 0) {
820  continue;
821  }
822 
823  uint64_t secs = 0;
824  uint32_t usecs = 0;
825 
826  if (!PcapLogGetTimeOfFile(entry->d_name, &secs, &usecs)) {
827  /* Failed to get time stamp out of file name. Not necessarily a
828  * failure as the file might just not be a pcap log file. */
829  continue;
830  }
831 
832  PcapFileName *pf = SCCalloc(sizeof(*pf), 1);
833  if (unlikely(pf == NULL)) {
834  goto fail;
835  }
836  char path[PATH_MAX];
837  if (snprintf(path, PATH_MAX, "%s/%s", pattern, entry->d_name) == PATH_MAX)
838  goto fail;
839 
840  if ((pf->filename = SCStrdup(path)) == NULL) {
841  goto fail;
842  }
843  if ((pf->dirname = SCStrdup(pattern)) == NULL) {
844  goto fail;
845  }
846  pf->secs = secs;
847  pf->usecs = usecs;
848 
849  if (TAILQ_EMPTY(&pl->pcap_file_list)) {
850  TAILQ_INSERT_TAIL(&pl->pcap_file_list, pf, next);
851  } else {
852  /* Ordered insert. */
853  PcapFileName *it = NULL;
854  TAILQ_FOREACH(it, &pl->pcap_file_list, next) {
855  if (pf->secs < it->secs) {
856  break;
857  } else if (pf->secs == it->secs && pf->usecs < it->usecs) {
858  break;
859  }
860  }
861  if (it == NULL) {
862  TAILQ_INSERT_TAIL(&pl->pcap_file_list, pf, next);
863  } else {
864  TAILQ_INSERT_BEFORE(it, pf, next);
865  }
866  }
867  pl->file_cnt++;
868  continue;
869 
870  fail:
871  if (pf != NULL) {
872  if (pf->filename != NULL) {
873  SCFree(pf->filename);
874  }
875  if (pf->dirname != NULL) {
876  SCFree(pf->dirname);
877  }
878  SCFree(pf);
879  }
880  break;
881  }
882 
883  if (pl->file_cnt > pl->max_files) {
884  PcapFileName *pf = TAILQ_FIRST(&pl->pcap_file_list);
885  while (pf != NULL && pl->file_cnt > pl->max_files) {
886  SCLogDebug("Removing PCAP file %s", pf->filename);
887  if (remove(pf->filename) != 0) {
889  "Failed to remove PCAP file %s: %s", pf->filename,
890  strerror(errno));
891  }
892  TAILQ_REMOVE(&pl->pcap_file_list, pf, next);
893  PcapFileNameFree(pf);
894  pf = TAILQ_FIRST(&pl->pcap_file_list);
895  pl->file_cnt--;
896  }
897  }
898 
899  closedir(dir);
900 
901  /* For some reason file count is initialized at one, instead of 0. */
902  SCLogNotice("Ring buffer initialized with %d files.", pl->file_cnt - 1);
903 
904  return TM_ECODE_OK;
905 }
906 #endif /* INIT_RING_BUFFER */
907 
908 static TmEcode PcapLogDataInit(ThreadVars *t, const void *initdata, void **data)
909 {
910  if (initdata == NULL) {
911  SCLogDebug("Error getting context for LogPcap. \"initdata\" argument NULL");
912  return TM_ECODE_FAILED;
913  }
914 
915  PcapLogData *pl = ((OutputCtx *)initdata)->data;
916 
917  PcapLogThreadData *td = SCCalloc(1, sizeof(*td));
918  if (unlikely(td == NULL))
919  return TM_ECODE_FAILED;
920 
921  if (pl->mode == LOGMODE_MULTI)
922  td->pcap_log = PcapLogDataCopy(pl);
923  else
924  td->pcap_log = pl;
925  BUG_ON(td->pcap_log == NULL);
926 
927  PcapLogLock(td->pcap_log);
928 
929  /** Use the Ouptut Context (file pointer and mutex) */
930  td->pcap_log->pkt_cnt = 0;
931  td->pcap_log->pcap_dead_handle = NULL;
932  td->pcap_log->pcap_dumper = NULL;
933  if (td->pcap_log->file_cnt < 1) {
934  td->pcap_log->file_cnt = 1;
935  }
936 
937  struct timeval ts;
938  memset(&ts, 0x00, sizeof(struct timeval));
939  TimeGet(&ts);
940  struct tm local_tm;
941  struct tm *tms = SCLocalTime(ts.tv_sec, &local_tm);
942  td->pcap_log->prev_day = tms->tm_mday;
943 
944  PcapLogUnlock(td->pcap_log);
945 
946  /* count threads in the global structure */
947  SCMutexLock(&pl->plog_lock);
948  pl->threads++;
949  SCMutexUnlock(&pl->plog_lock);
950 
951  *data = (void *)td;
952 
953  if (pl->max_files && (pl->mode == LOGMODE_MULTI || pl->threads == 1)) {
954 #ifdef INIT_RING_BUFFER
955  if (PcapLogInitRingBuffer(td->pcap_log) == TM_ECODE_FAILED) {
956  return TM_ECODE_FAILED;
957  }
958 #else
959  SCLogInfo("Unable to initialize ring buffer on this platform.");
960 #endif /* INIT_RING_BUFFER */
961  }
962 
963  return TM_ECODE_OK;
964 }
965 
966 static void StatsMerge(PcapLogData *dst, PcapLogData *src)
967 {
968  dst->profile_open.total += src->profile_open.total;
969  dst->profile_open.cnt += src->profile_open.cnt;
970 
971  dst->profile_close.total += src->profile_close.total;
972  dst->profile_close.cnt += src->profile_close.cnt;
973 
974  dst->profile_write.total += src->profile_write.total;
975  dst->profile_write.cnt += src->profile_write.cnt;
976 
977  dst->profile_rotate.total += src->profile_rotate.total;
978  dst->profile_rotate.cnt += src->profile_rotate.cnt;
979 
980  dst->profile_handles.total += src->profile_handles.total;
981  dst->profile_handles.cnt += src->profile_handles.cnt;
982 
983  dst->profile_lock.total += src->profile_lock.total;
984  dst->profile_lock.cnt += src->profile_lock.cnt;
985 
986  dst->profile_unlock.total += src->profile_unlock.total;
987  dst->profile_unlock.cnt += src->profile_unlock.cnt;
988 
989  dst->profile_data_size += src->profile_data_size;
990 }
991 
992 static void PcapLogDataFree(PcapLogData *pl)
993 {
994 
995  PcapFileName *pf;
996  while ((pf = TAILQ_FIRST(&pl->pcap_file_list)) != NULL) {
997  TAILQ_REMOVE(&pl->pcap_file_list, pf, next);
998  PcapFileNameFree(pf);
999  }
1000  if (pl == g_pcap_data) {
1001  for (int i = 0; i < MAX_TOKS; i++) {
1002  if (pl->filename_parts[i] != NULL) {
1003  SCFree(pl->filename_parts[i]);
1004  }
1005  }
1006  }
1007  SCFree(pl->h);
1008  SCFree(pl->filename);
1009  SCFree(pl->prefix);
1010 
1011 #ifdef HAVE_LIBLZ4
1012  if (pl->compression.format == PCAP_LOG_COMPRESSION_FORMAT_LZ4) {
1013  SCFree(pl->compression.buffer);
1014  fclose(pl->compression.pcap_buf_wrapper);
1015  SCFree(pl->compression.pcap_buf);
1016  LZ4F_errorCode_t errcode =
1017  LZ4F_freeCompressionContext(pl->compression.lz4f_context);
1018  if (LZ4F_isError(errcode)) {
1019  SCLogWarning(SC_ERR_MEM_ALLOC, "Error freeing lz4 context.");
1020  }
1021  }
1022 #endif /* HAVE_LIBLZ4 */
1023  SCFree(pl);
1024 }
1025 
1026 /**
1027  * \brief Thread deinit function.
1028  *
1029  * \param t Thread Variable containing input/output queue, cpu affinity etc.
1030  * \param data PcapLog thread data.
1031  * \retval TM_ECODE_OK on succces
1032  * \retval TM_ECODE_FAILED on failure
1033  */
1034 static TmEcode PcapLogDataDeinit(ThreadVars *t, void *thread_data)
1035 {
1036  PcapLogThreadData *td = (PcapLogThreadData *)thread_data;
1037  PcapLogData *pl = td->pcap_log;
1038 
1039  if (pl->pcap_dumper != NULL) {
1040  if (PcapLogCloseFile(t,pl) < 0) {
1041  SCLogDebug("PcapLogCloseFile failed");
1042  }
1043  }
1044 
1045  if (pl->mode == LOGMODE_MULTI) {
1046  SCMutexLock(&g_pcap_data->plog_lock);
1047  StatsMerge(g_pcap_data, pl);
1048  g_pcap_data->reported++;
1049  if (g_pcap_data->threads == g_pcap_data->reported)
1050  PcapLogProfilingDump(g_pcap_data);
1051  SCMutexUnlock(&g_pcap_data->plog_lock);
1052  } else {
1053  if (pl->reported == 0) {
1054  PcapLogProfilingDump(pl);
1055  pl->reported = 1;
1056  }
1057  }
1058 
1059  if (pl != g_pcap_data) {
1060  PcapLogDataFree(pl);
1061  }
1062 
1063  SCFree(td);
1064  return TM_ECODE_OK;
1065 }
1066 
1067 
1068 static int ParseFilename(PcapLogData *pl, const char *filename)
1069 {
1070  char *toks[MAX_TOKS] = { NULL };
1071  int tok = 0;
1072  char str[MAX_FILENAMELEN] = "";
1073  int s = 0;
1074  int i, x;
1075  char *p = NULL;
1076  size_t filename_len = 0;
1077 
1078  if (filename) {
1079  filename_len = strlen(filename);
1080  if (filename_len > (MAX_FILENAMELEN-1)) {
1081  SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid filename option. Max filename-length: %d",MAX_FILENAMELEN-1);
1082  goto error;
1083  }
1084 
1085  for (i = 0; i < (int)strlen(filename); i++) {
1086  if (tok >= MAX_TOKS) {
1088  "invalid filename option. Max 2 %%-sign options");
1089  goto error;
1090  }
1091 
1092  str[s++] = filename[i];
1093 
1094  if (filename[i] == '%') {
1095  str[s-1] = '\0';
1096  SCLogDebug("filename with %%-sign: %s", str);
1097 
1098  p = SCStrdup(str);
1099  if (p == NULL)
1100  goto error;
1101  toks[tok++] = p;
1102 
1103  s = 0;
1104 
1105  if (i+1 < (int)strlen(filename)) {
1106  if (tok >= MAX_TOKS) {
1108  "invalid filename option. Max 2 %%-sign options");
1109  goto error;
1110  }
1111 
1112  if (filename[i+1] != 'n' && filename[i+1] != 't' && filename[i+1] != 'i') {
1114  "invalid filename option. Valid %%-sign options: %%n, %%i and %%t");
1115  goto error;
1116  }
1117  str[0] = '%';
1118  str[1] = filename[i+1];
1119  str[2] = '\0';
1120  p = SCStrdup(str);
1121  if (p == NULL)
1122  goto error;
1123  toks[tok++] = p;
1124  i++;
1125  }
1126  }
1127  }
1128  if (s) {
1129  if (tok >= MAX_TOKS) {
1131  "invalid filename option. Max 3 %%-sign options");
1132  goto error;
1133 
1134  }
1135  str[s++] = '\0';
1136  p = SCStrdup(str);
1137  if (p == NULL)
1138  goto error;
1139  toks[tok++] = p;
1140  }
1141 
1142  /* finally, store tokens in the pl */
1143  for (i = 0; i < tok; i++) {
1144  if (toks[i] == NULL)
1145  goto error;
1146 
1147  SCLogDebug("toks[%d] %s", i, toks[i]);
1148  pl->filename_parts[i] = toks[i];
1149  }
1150  pl->filename_part_cnt = tok;
1151  }
1152  return 0;
1153 error:
1154  for (x = 0; x < MAX_TOKS; x++) {
1155  if (toks[x] != NULL)
1156  SCFree(toks[x]);
1157  }
1158  return -1;
1159 }
1160 
1161 /** \brief Fill in pcap logging struct from the provided ConfNode.
1162  * \param conf The configuration node for this output.
1163  * \retval output_ctx
1164  * */
1165 static OutputInitResult PcapLogInitCtx(ConfNode *conf)
1166 {
1167  OutputInitResult result = { NULL, false };
1168  const char *pcre_errbuf;
1169  int pcre_erroffset;
1170 
1171  PcapLogData *pl = SCMalloc(sizeof(PcapLogData));
1172  if (unlikely(pl == NULL)) {
1173  FatalError(SC_ERR_FATAL, "Failed to allocate Memory for PcapLogData");
1174  }
1175  memset(pl, 0, sizeof(PcapLogData));
1176 
1177  pl->h = SCMalloc(sizeof(*pl->h));
1178  if (pl->h == NULL) {
1180  "Failed to allocate Memory for pcap header struct");
1181  }
1182 
1183  /* Set the defaults */
1184  pl->mode = LOGMODE_NORMAL;
1186  pl->use_ringbuffer = RING_BUFFER_MODE_DISABLED;
1187  pl->timestamp_format = TS_FORMAT_SEC;
1190 
1191  TAILQ_INIT(&pl->pcap_file_list);
1192 
1193  SCMutexInit(&pl->plog_lock, NULL);
1194 
1195  /* Initialize PCREs. */
1196  pcre_timestamp_code = pcre_compile(timestamp_pattern, 0, &pcre_errbuf,
1197  &pcre_erroffset, NULL);
1198  if (pcre_timestamp_code == NULL) {
1200  "Failed to compile \"%s\" at offset %"PRIu32": %s",
1201  timestamp_pattern, pcre_erroffset, pcre_errbuf);
1202  }
1203  pcre_timestamp_extra = pcre_study(pcre_timestamp_code, 0, &pcre_errbuf);
1204  if (pcre_errbuf != NULL) {
1205  FatalError(SC_ERR_PCRE_STUDY, "Fail to study pcre: %s", pcre_errbuf);
1206  }
1207 
1208  /* conf params */
1209 
1210  const char *filename = NULL;
1211 
1212  if (conf != NULL) { /* To faciliate unit tests. */
1213  filename = ConfNodeLookupChildValue(conf, "filename");
1214  }
1215 
1216  if (filename == NULL)
1217  filename = DEFAULT_LOG_FILENAME;
1218 
1219  if ((pl->prefix = SCStrdup(filename)) == NULL) {
1220  exit(EXIT_FAILURE);
1221  }
1222 
1223  pl->suffix = "";
1224 
1225  if (filename) {
1226  if (ParseFilename(pl, filename) != 0)
1227  exit(EXIT_FAILURE);
1228  }
1229 
1230  pl->size_limit = DEFAULT_LIMIT;
1231  if (conf != NULL) {
1232  const char *s_limit = NULL;
1233  s_limit = ConfNodeLookupChildValue(conf, "limit");
1234  if (s_limit != NULL) {
1235  if (ParseSizeStringU64(s_limit, &pl->size_limit) < 0) {
1237  "Failed to initialize pcap output, invalid limit: %s",
1238  s_limit);
1239  exit(EXIT_FAILURE);
1240  }
1241  if (pl->size_limit < 4096) {
1242  SCLogInfo("pcap-log \"limit\" value of %"PRIu64" assumed to be pre-1.2 "
1243  "style: setting limit to %"PRIu64"mb", pl->size_limit, pl->size_limit);
1244  uint64_t size = pl->size_limit * 1024 * 1024;
1245  pl->size_limit = size;
1246  } else if (pl->size_limit < MIN_LIMIT) {
1248  "Fail to initialize pcap-log output, limit less than "
1249  "allowed minimum.");
1250  }
1251  }
1252  }
1253 
1254  if (conf != NULL) {
1255  const char *s_mode = NULL;
1256  s_mode = ConfNodeLookupChildValue(conf, "mode");
1257  if (s_mode != NULL) {
1258  if (strcasecmp(s_mode, "sguil") == 0) {
1259  pl->mode = LOGMODE_SGUIL;
1260  } else if (strcasecmp(s_mode, "multi") == 0) {
1261  pl->mode = LOGMODE_MULTI;
1262  } else if (strcasecmp(s_mode, "normal") != 0) {
1264  "log-pcap: invalid mode \"%s\". Valid options: \"normal\", "
1265  "\"sguil\", or \"multi\" mode ", s_mode);
1266  exit(EXIT_FAILURE);
1267  }
1268  }
1269 
1270  const char *s_dir = NULL;
1271  s_dir = ConfNodeLookupChildValue(conf, "dir");
1272  if (s_dir == NULL) {
1273  s_dir = ConfNodeLookupChildValue(conf, "sguil-base-dir");
1274  }
1275  if (s_dir == NULL) {
1276  if (pl->mode == LOGMODE_SGUIL) {
1278  "log-pcap \"sguil\" mode requires \"sguil-base-dir\" "
1279  "option to be set.");
1280  } else {
1281  const char *log_dir = NULL;
1282  log_dir = ConfigGetLogDirectory();
1283 
1284  strlcpy(pl->dir,
1285  log_dir, sizeof(pl->dir));
1286  SCLogInfo("Using log dir %s", pl->dir);
1287  }
1288  } else {
1289  if (PathIsAbsolute(s_dir)) {
1290  strlcpy(pl->dir,
1291  s_dir, sizeof(pl->dir));
1292  } else {
1293  const char *log_dir = NULL;
1294  log_dir = ConfigGetLogDirectory();
1295 
1296  snprintf(pl->dir, sizeof(pl->dir), "%s/%s",
1297  log_dir, s_dir);
1298  }
1299 
1300  struct stat stat_buf;
1301  if (stat(pl->dir, &stat_buf) != 0) {
1302  SCLogError(SC_ERR_LOGDIR_CONFIG, "The sguil-base-dir directory \"%s\" "
1303  "supplied doesn't exist. Shutting down the engine",
1304  pl->dir);
1305  exit(EXIT_FAILURE);
1306  }
1307  SCLogInfo("Using log dir %s", pl->dir);
1308  }
1309 
1310  const char *compression_str = ConfNodeLookupChildValue(conf,
1311  "compression");
1312 
1313  PcapLogCompressionData *comp = &pl->compression;
1314  if (compression_str == NULL || strcmp(compression_str, "none") == 0) {
1316  comp->buffer = NULL;
1317  comp->buffer_size = 0;
1318  comp->file = NULL;
1319  comp->pcap_buf = NULL;
1320  comp->pcap_buf_size = 0;
1321  comp->pcap_buf_wrapper = NULL;
1322  } else if (strcmp(compression_str, "lz4") == 0) {
1323 #ifdef HAVE_LIBLZ4
1324  if (pl->mode == LOGMODE_SGUIL) {
1325  SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Compressed pcap "
1326  "logs are not possible in sguil mode");
1327  SCFree(pl->h);
1328  SCFree(pl);
1329  return result;
1330  }
1331  pl->compression.format = PCAP_LOG_COMPRESSION_FORMAT_LZ4;
1332 
1333  /* Use SCFmemopen so we can make pcap_dump write to a buffer. */
1334 
1335  comp->pcap_buf_size = sizeof(struct pcap_file_header) +
1336  sizeof(struct pcap_pkthdr) + PCAP_SNAPLEN;
1337  comp->pcap_buf = SCMalloc(comp->pcap_buf_size);
1338  if (comp->pcap_buf == NULL) {
1339  SCLogError(SC_ERR_MEM_ALLOC, "SCMalloc failed: %s",
1340  strerror(errno));
1341  exit(EXIT_FAILURE);
1342  }
1343  comp->pcap_buf_wrapper = SCFmemopen(comp->pcap_buf,
1344  comp->pcap_buf_size, "w");
1345  if (comp->pcap_buf_wrapper == NULL) {
1346  SCLogError(SC_ERR_FOPEN, "SCFmemopen failed: %s",
1347  strerror(errno));
1348  exit(EXIT_FAILURE);
1349  }
1350 
1351  /* Set lz4 preferences. */
1352 
1353  memset(&comp->lz4f_prefs, '\0', sizeof(comp->lz4f_prefs));
1354  comp->lz4f_prefs.frameInfo.blockSizeID = LZ4F_max4MB;
1355  comp->lz4f_prefs.frameInfo.blockMode = LZ4F_blockLinked;
1356  if (ConfNodeChildValueIsTrue(conf, "lz4-checksum")) {
1357  comp->lz4f_prefs.frameInfo.contentChecksumFlag = 1;
1358  }
1359  else {
1360  comp->lz4f_prefs.frameInfo.contentChecksumFlag = 0;
1361  }
1362  intmax_t lvl = 0;
1363  if (ConfGetChildValueInt(conf, "lz4-level", &lvl)) {
1364  if (lvl > 16) {
1365  lvl = 16;
1366  } else if (lvl < 0) {
1367  lvl = 0;
1368  }
1369  } else {
1370  lvl = 0;
1371  }
1372  comp->lz4f_prefs.compressionLevel = lvl;
1373 
1374  /* Allocate resources for lz4. */
1375 
1376  LZ4F_errorCode_t errcode =
1377  LZ4F_createCompressionContext(&pl->compression.lz4f_context, 1);
1378 
1379  if (LZ4F_isError(errcode)) {
1381  "LZ4F_createCompressionContext failed: %s",
1382  LZ4F_getErrorName(errcode));
1383  exit(EXIT_FAILURE);
1384  }
1385 
1386  /* Calculate the size of the lz4 output buffer. */
1387 
1388  comp->buffer_size = LZ4F_compressBound(comp->pcap_buf_size,
1389  &comp->lz4f_prefs);
1390 
1391  comp->buffer = SCMalloc(comp->buffer_size);
1392  if (unlikely(comp->buffer == NULL)) {
1393  FatalError(SC_ERR_FATAL, "Failed to allocate memory for "
1394  "lz4 output buffer.");
1395  }
1396 
1397  comp->bytes_in_block = 0;
1398 
1399  /* Add the lz4 file extension to the log files. */
1400 
1401  pl->suffix = ".lz4";
1402 #else
1403  SCLogError(SC_ERR_INVALID_ARGUMENT, "lz4 compression was selected "
1404  "in pcap-log, but suricata was not compiled with lz4 "
1405  "support.");
1406  PcapLogDataFree(pl);
1407  return result;
1408 #endif /* HAVE_LIBLZ4 */
1409  }
1410  else {
1411  SCLogError(SC_ERR_INVALID_ARGUMENT, "Unsupported pcap-log "
1412  "compression format: %s", compression_str);
1413  PcapLogDataFree(pl);
1414  return result;
1415  }
1416 
1417  SCLogInfo("Selected pcap-log compression method: %s",
1418  compression_str ? compression_str : "none");
1419  }
1420 
1421  SCLogInfo("using %s logging", pl->mode == LOGMODE_SGUIL ?
1422  "Sguil compatible" : (pl->mode == LOGMODE_MULTI ? "multi" : "normal"));
1423 
1424  uint32_t max_file_limit = DEFAULT_FILE_LIMIT;
1425  if (conf != NULL) {
1426  const char *max_number_of_files_s = NULL;
1427  max_number_of_files_s = ConfNodeLookupChildValue(conf, "max-files");
1428  if (max_number_of_files_s != NULL) {
1429  if (StringParseUint32(&max_file_limit, 10, 0,
1430  max_number_of_files_s) == -1) {
1431  SCLogError(SC_ERR_INVALID_ARGUMENT, "Failed to initialize "
1432  "pcap-log output, invalid number of files limit: %s",
1433  max_number_of_files_s);
1434  exit(EXIT_FAILURE);
1435  } else if (max_file_limit < 1) {
1437  "Failed to initialize pcap-log output, limit less than "
1438  "allowed minimum.");
1439  } else {
1440  pl->max_files = max_file_limit;
1441  pl->use_ringbuffer = RING_BUFFER_MODE_ENABLED;
1442  }
1443  }
1444  }
1445 
1446  const char *ts_format = NULL;
1447  if (conf != NULL) { /* To faciliate unit tests. */
1448  ts_format = ConfNodeLookupChildValue(conf, "ts-format");
1449  }
1450  if (ts_format != NULL) {
1451  if (strcasecmp(ts_format, "usec") == 0) {
1452  pl->timestamp_format = TS_FORMAT_USEC;
1453  } else if (strcasecmp(ts_format, "sec") != 0) {
1455  "log-pcap ts_format specified %s is invalid must be"
1456  " \"sec\" or \"usec\"", ts_format);
1457  exit(EXIT_FAILURE);
1458  }
1459  }
1460 
1461  const char *use_stream_depth = NULL;
1462  if (conf != NULL) { /* To faciliate unit tests. */
1463  use_stream_depth = ConfNodeLookupChildValue(conf, "use-stream-depth");
1464  }
1465  if (use_stream_depth != NULL) {
1466  if (ConfValIsFalse(use_stream_depth)) {
1468  } else if (ConfValIsTrue(use_stream_depth)) {
1470  } else {
1472  "log-pcap use_stream_depth specified is invalid must be");
1473  }
1474  }
1475 
1476  const char *honor_pass_rules = NULL;
1477  if (conf != NULL) { /* To faciliate unit tests. */
1478  honor_pass_rules = ConfNodeLookupChildValue(conf, "honor-pass-rules");
1479  }
1480  if (honor_pass_rules != NULL) {
1481  if (ConfValIsFalse(honor_pass_rules)) {
1483  } else if (ConfValIsTrue(honor_pass_rules)) {
1485  } else {
1487  "log-pcap honor-pass-rules specified is invalid");
1488  }
1489  }
1490 
1491  /* create the output ctx and send it back */
1492 
1493  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
1494  if (unlikely(output_ctx == NULL)) {
1495  FatalError(SC_ERR_FATAL, "Failed to allocate memory for OutputCtx.");
1496  }
1497  output_ctx->data = pl;
1498  output_ctx->DeInit = PcapLogFileDeInitCtx;
1499  g_pcap_data = pl;
1500 
1501  result.ctx = output_ctx;
1502  result.ok = true;
1503  return result;
1504 }
1505 
1506 static void PcapLogFileDeInitCtx(OutputCtx *output_ctx)
1507 {
1508  if (output_ctx == NULL)
1509  return;
1510 
1511  PcapLogData *pl = output_ctx->data;
1512 
1513  PcapFileName *pf = NULL;
1514  TAILQ_FOREACH(pf, &pl->pcap_file_list, next) {
1515  SCLogDebug("PCAP files left at exit: %s\n", pf->filename);
1516  }
1517  PcapLogDataFree(pl);
1518  SCFree(output_ctx);
1519  return;
1520 }
1521 
1522 /**
1523  * \brief Read the config set the file pointer, open the file
1524  *
1525  * \param PcapLogData.
1526  *
1527  * \retval -1 if failure
1528  * \retval 0 if succesful
1529  */
1530 static int PcapLogOpenFileCtx(PcapLogData *pl)
1531 {
1532  char *filename = NULL;
1533 
1535 
1536  if (pl->filename != NULL)
1537  filename = pl->filename;
1538  else {
1539  filename = SCMalloc(PATH_MAX);
1540  if (unlikely(filename == NULL)) {
1541  return -1;
1542  }
1543  pl->filename = filename;
1544  }
1545 
1546  /** get the time so we can have a filename with seconds since epoch */
1547  struct timeval ts;
1548  memset(&ts, 0x00, sizeof(struct timeval));
1549  TimeGet(&ts);
1550 
1551  /* Place to store the name of our PCAP file */
1552  PcapFileName *pf = SCMalloc(sizeof(PcapFileName));
1553  if (unlikely(pf == NULL)) {
1554  return -1;
1555  }
1556  memset(pf, 0, sizeof(PcapFileName));
1557 
1558  if (pl->mode == LOGMODE_SGUIL) {
1559  struct tm local_tm;
1560  struct tm *tms = SCLocalTime(ts.tv_sec, &local_tm);
1561 
1562  char dirname[32], dirfull[PATH_MAX] = "";
1563 
1564  snprintf(dirname, sizeof(dirname), "%04d-%02d-%02d",
1565  tms->tm_year + 1900, tms->tm_mon + 1, tms->tm_mday);
1566 
1567  /* create the filename to use */
1568  int ret = snprintf(dirfull, sizeof(dirfull), "%s/%s", pl->dir, dirname);
1569  if (ret < 0 || (size_t)ret >= sizeof(dirfull)) {
1570  SCLogError(SC_ERR_SPRINTF,"failed to construct path");
1571  goto error;
1572  }
1573 
1574  /* if mkdir fails file open will fail, so deal with errors there */
1575  (void)SCMkDir(dirfull, 0700);
1576 
1577  if ((pf->dirname = SCStrdup(dirfull)) == NULL) {
1578  SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory for "
1579  "directory name");
1580  goto error;
1581  }
1582 
1583  int written;
1584  if (pl->timestamp_format == TS_FORMAT_SEC) {
1585  written = snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32 "%s",
1586  dirfull, pl->prefix, (uint32_t)ts.tv_sec, pl->suffix);
1587  } else {
1588  written = snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32 ".%" PRIu32 "%s",
1589  dirfull, pl->prefix, (uint32_t)ts.tv_sec,
1590  (uint32_t)ts.tv_usec, pl->suffix);
1591  }
1592  if (written == PATH_MAX) {
1593  SCLogError(SC_ERR_SPRINTF,"log-pcap path overflow");
1594  goto error;
1595  }
1596  } else if (pl->mode == LOGMODE_NORMAL) {
1597  int ret;
1598  /* create the filename to use */
1599  if (pl->timestamp_format == TS_FORMAT_SEC) {
1600  ret = snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32 "%s", pl->dir,
1601  pl->prefix, (uint32_t)ts.tv_sec, pl->suffix);
1602  } else {
1603  ret = snprintf(filename, PATH_MAX,
1604  "%s/%s.%" PRIu32 ".%" PRIu32 "%s", pl->dir, pl->prefix,
1605  (uint32_t)ts.tv_sec, (uint32_t)ts.tv_usec, pl->suffix);
1606  }
1607  if (ret < 0 || (size_t)ret >= PATH_MAX) {
1608  SCLogError(SC_ERR_SPRINTF,"failed to construct path");
1609  goto error;
1610  }
1611  } else if (pl->mode == LOGMODE_MULTI) {
1612  if (pl->filename_part_cnt > 0) {
1613  /* assemble filename from stored tokens */
1614 
1615  strlcpy(filename, pl->dir, PATH_MAX);
1616  strlcat(filename, "/", PATH_MAX);
1617 
1618  int i;
1619  for (i = 0; i < pl->filename_part_cnt; i++) {
1620  if (pl->filename_parts[i] == NULL ||strlen(pl->filename_parts[i]) == 0)
1621  continue;
1622 
1623  /* handle variables */
1624  if (pl->filename_parts[i][0] == '%') {
1625  char str[64] = "";
1626  if (strlen(pl->filename_parts[i]) < 2)
1627  continue;
1628 
1629  switch(pl->filename_parts[i][1]) {
1630  case 'n':
1631  snprintf(str, sizeof(str), "%u", pl->thread_number);
1632  break;
1633  case 'i':
1634  {
1635  long thread_id = SCGetThreadIdLong();
1636  snprintf(str, sizeof(str), "%"PRIu64, (uint64_t)thread_id);
1637  break;
1638  }
1639  case 't':
1640  /* create the filename to use */
1641  if (pl->timestamp_format == TS_FORMAT_SEC) {
1642  snprintf(str, sizeof(str), "%"PRIu32, (uint32_t)ts.tv_sec);
1643  } else {
1644  snprintf(str, sizeof(str), "%"PRIu32".%"PRIu32,
1645  (uint32_t)ts.tv_sec, (uint32_t)ts.tv_usec);
1646  }
1647  }
1648  strlcat(filename, str, PATH_MAX);
1649 
1650  /* copy the rest over */
1651  } else {
1652  strlcat(filename, pl->filename_parts[i], PATH_MAX);
1653  }
1654  }
1655  strlcat(filename, pl->suffix, PATH_MAX);
1656  } else {
1657  int ret;
1658  /* create the filename to use */
1659  if (pl->timestamp_format == TS_FORMAT_SEC) {
1660  ret = snprintf(filename, PATH_MAX, "%s/%s.%u.%" PRIu32 "%s",
1661  pl->dir, pl->prefix, pl->thread_number,
1662  (uint32_t)ts.tv_sec, pl->suffix);
1663  } else {
1664  ret = snprintf(filename, PATH_MAX,
1665  "%s/%s.%u.%" PRIu32 ".%" PRIu32 "%s", pl->dir,
1666  pl->prefix, pl->thread_number, (uint32_t)ts.tv_sec,
1667  (uint32_t)ts.tv_usec, pl->suffix);
1668  }
1669  if (ret < 0 || (size_t)ret >= PATH_MAX) {
1670  SCLogError(SC_ERR_SPRINTF,"failed to construct path");
1671  goto error;
1672  }
1673  }
1674  SCLogDebug("multi-mode: filename %s", filename);
1675  }
1676 
1677  if ((pf->filename = SCStrdup(pl->filename)) == NULL) {
1678  SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory. For filename");
1679  goto error;
1680  }
1681  SCLogDebug("Opening pcap file log %s", pf->filename);
1682  TAILQ_INSERT_TAIL(&pl->pcap_file_list, pf, next);
1683 
1685  return 0;
1686 
1687 error:
1688  PcapFileNameFree(pf);
1689  return -1;
1690 }
1691 
1692 static int profiling_pcaplog_enabled = 0;
1693 static int profiling_pcaplog_output_to_file = 0;
1694 static char *profiling_pcaplog_file_name = NULL;
1695 static const char *profiling_pcaplog_file_mode = "a";
1696 
1697 static void FormatNumber(uint64_t num, char *str, size_t size)
1698 {
1699  if (num < 1000UL)
1700  snprintf(str, size, "%"PRIu64, num);
1701  else if (num < 1000000UL)
1702  snprintf(str, size, "%3.1fk", (float)num/1000UL);
1703  else if (num < 1000000000UL)
1704  snprintf(str, size, "%3.1fm", (float)num/1000000UL);
1705  else
1706  snprintf(str, size, "%3.1fb", (float)num/1000000000UL);
1707 }
1708 
1709 static void ProfileReportPair(FILE *fp, const char *name, PcapLogProfileData *p)
1710 {
1711  char ticks_str[32] = "n/a";
1712  char cnt_str[32] = "n/a";
1713  char avg_str[32] = "n/a";
1714 
1715  FormatNumber((uint64_t)p->cnt, cnt_str, sizeof(cnt_str));
1716  FormatNumber((uint64_t)p->total, ticks_str, sizeof(ticks_str));
1717  if (p->cnt && p->total)
1718  FormatNumber((uint64_t)(p->total/p->cnt), avg_str, sizeof(avg_str));
1719 
1720  fprintf(fp, "%-28s %-10s %-10s %-10s\n", name, cnt_str, avg_str, ticks_str);
1721 }
1722 
1723 static void ProfileReport(FILE *fp, PcapLogData *pl)
1724 {
1725  ProfileReportPair(fp, "open", &pl->profile_open);
1726  ProfileReportPair(fp, "close", &pl->profile_close);
1727  ProfileReportPair(fp, "write", &pl->profile_write);
1728  ProfileReportPair(fp, "rotate (incl open/close)", &pl->profile_rotate);
1729  ProfileReportPair(fp, "handles", &pl->profile_handles);
1730  ProfileReportPair(fp, "lock", &pl->profile_lock);
1731  ProfileReportPair(fp, "unlock", &pl->profile_unlock);
1732 }
1733 
1734 static void FormatBytes(uint64_t num, char *str, size_t size)
1735 {
1736  if (num < 1000UL)
1737  snprintf(str, size, "%"PRIu64, num);
1738  else if (num < 1048576UL)
1739  snprintf(str, size, "%3.1fKiB", (float)num/1000UL);
1740  else if (num < 1073741824UL)
1741  snprintf(str, size, "%3.1fMiB", (float)num/1000000UL);
1742  else
1743  snprintf(str, size, "%3.1fGiB", (float)num/1000000000UL);
1744 }
1745 
1746 static void PcapLogProfilingDump(PcapLogData *pl)
1747 {
1748  FILE *fp = NULL;
1749 
1750  if (profiling_pcaplog_enabled == 0)
1751  return;
1752 
1753  if (profiling_pcaplog_output_to_file == 1) {
1754  fp = fopen(profiling_pcaplog_file_name, profiling_pcaplog_file_mode);
1755  if (fp == NULL) {
1756  SCLogError(SC_ERR_FOPEN, "failed to open %s: %s",
1757  profiling_pcaplog_file_name, strerror(errno));
1758  return;
1759  }
1760  } else {
1761  fp = stdout;
1762  }
1763 
1764  /* counters */
1765  fprintf(fp, "\n\nOperation Cnt Avg ticks Total ticks\n");
1766  fprintf(fp, "---------------------------- ---------- ---------- -----------\n");
1767 
1768  ProfileReport(fp, pl);
1769  uint64_t total = pl->profile_write.total + pl->profile_rotate.total +
1772  pl->profile_unlock.total;
1773 
1774  /* overall stats */
1775  fprintf(fp, "\nOverall: %"PRIu64" bytes written, average %d bytes per write.\n",
1777  (int)(pl->profile_data_size / pl->profile_write.cnt) : 0);
1778  fprintf(fp, " PCAP data structure overhead: %"PRIuMAX" per write.\n",
1779  (uintmax_t)sizeof(struct pcap_pkthdr));
1780 
1781  /* print total bytes written */
1782  char bytes_str[32];
1783  FormatBytes(pl->profile_data_size, bytes_str, sizeof(bytes_str));
1784  fprintf(fp, " Size written: %s\n", bytes_str);
1785 
1786  /* ticks per MiB and GiB */
1787  uint64_t ticks_per_mib = 0, ticks_per_gib = 0;
1788  uint64_t mib = pl->profile_data_size/(1024*1024);
1789  if (mib)
1790  ticks_per_mib = total/mib;
1791  char ticks_per_mib_str[32] = "n/a";
1792  if (ticks_per_mib > 0)
1793  FormatNumber(ticks_per_mib, ticks_per_mib_str, sizeof(ticks_per_mib_str));
1794  fprintf(fp, " Ticks per MiB: %s\n", ticks_per_mib_str);
1795 
1796  uint64_t gib = pl->profile_data_size/(1024*1024*1024);
1797  if (gib)
1798  ticks_per_gib = total/gib;
1799  char ticks_per_gib_str[32] = "n/a";
1800  if (ticks_per_gib > 0)
1801  FormatNumber(ticks_per_gib, ticks_per_gib_str, sizeof(ticks_per_gib_str));
1802  fprintf(fp, " Ticks per GiB: %s\n", ticks_per_gib_str);
1803 
1804  if (fp != stdout)
1805  fclose(fp);
1806 }
1807 
1809 {
1810  ConfNode *conf = ConfGetNode("profiling.pcap-log");
1811  if (conf != NULL && ConfNodeChildValueIsTrue(conf, "enabled")) {
1812  profiling_pcaplog_enabled = 1;
1813  SCLogInfo("pcap-log profiling enabled");
1814 
1815  const char *filename = ConfNodeLookupChildValue(conf, "filename");
1816  if (filename != NULL) {
1817  const char *log_dir;
1818  log_dir = ConfigGetLogDirectory();
1819 
1820  profiling_pcaplog_file_name = SCMalloc(PATH_MAX);
1821  if (unlikely(profiling_pcaplog_file_name == NULL)) {
1822  FatalError(SC_ERR_FATAL, "can't duplicate file name");
1823  }
1824 
1825  snprintf(profiling_pcaplog_file_name, PATH_MAX, "%s/%s", log_dir, filename);
1826 
1827  const char *v = ConfNodeLookupChildValue(conf, "append");
1828  if (v == NULL || ConfValIsTrue(v)) {
1829  profiling_pcaplog_file_mode = "a";
1830  } else {
1831  profiling_pcaplog_file_mode = "w";
1832  }
1833 
1834  profiling_pcaplog_output_to_file = 1;
1835  SCLogInfo("pcap-log profiling output goes to %s (mode %s)",
1836  profiling_pcaplog_file_name, profiling_pcaplog_file_mode);
1837  }
1838  }
1839 }
SC_ERR_FWRITE
@ SC_ERR_FWRITE
Definition: util-error.h:129
util-byte.h
PcapLogCompressionData_::pcap_buf_size
uint64_t pcap_buf_size
Definition: log-pcap.c:131
ConfGetChildValueInt
int ConfGetChildValueInt(const ConfNode *base, const char *name, intmax_t *val)
Definition: conf.c:468
tm-threads.h
PcapLogData
struct PcapLogData_ PcapLogData
PcapLogProfileData_
Definition: log-pcap.c:108
len
uint8_t len
Definition: app-layer-dnp3.h:2
ts
uint64_t ts
Definition: source-erf-file.c:54
SC_ERR_PCRE_COMPILE
@ SC_ERR_PCRE_COMPILE
Definition: util-error.h:35
source-pcap.h
PcapLogThreadData
struct PcapLogThreadData_ PcapLogThreadData
ConfNodeChildValueIsTrue
int ConfNodeChildValueIsTrue(const ConfNode *node, const char *key)
Test if a configuration node has a true value.
Definition: conf.c:887
util-fmemopen.h
TAILQ_INIT
#define TAILQ_INIT(head)
Definition: queue.h:370
SC_ATOMIC_INIT
#define SC_ATOMIC_INIT(name)
wrapper for initializing an atomic variable.
Definition: util-atomic.h:315
USE_STREAM_DEPTH_DISABLED
#define USE_STREAM_DEPTH_DISABLED
Definition: log-pcap.c:84
PcapFileName_::secs
uint64_t secs
Definition: log-pcap.c:101
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition: util-atomic.h:387
PcapLogData_::pcap_dumper
pcap_dumper_t * pcap_dumper
Definition: log-pcap.c:154
TS_FORMAT_SEC
#define TS_FORMAT_SEC
Definition: log-pcap.c:81
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
ParseSizeStringU64
int ParseSizeStringU64(const char *size, uint64_t *res)
Definition: util-misc.c:202
PcapFileName_::usecs
uint32_t usecs
Definition: log-pcap.c:102
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
PcapLogData_::filename
char * filename
Definition: log-pcap.c:148
HONOR_PASS_RULES_ENABLED
#define HONOR_PASS_RULES_ENABLED
Definition: log-pcap.c:88
Packet_::flags
uint32_t flags
Definition: decode.h:449
ConfGetNode
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
Definition: conf.c:175
DEFAULT_LOG_FILENAME
#define DEFAULT_LOG_FILENAME
Definition: log-pcap.c:68
threads.h
SC_ATOMIC_ADD
#define SC_ATOMIC_ADD(name, val)
add a value to our atomic variable
Definition: util-atomic.h:333
RING_BUFFER_MODE_ENABLED
#define RING_BUFFER_MODE_ENABLED
Definition: log-pcap.c:79
PcapLogData_::mode
int mode
Definition: log-pcap.c:149
SC_ERR_PCAP_FILE_DELETE_FAILED
@ SC_ERR_PCAP_FILE_DELETE_FAILED
Definition: util-error.h:226
IS_TUNNEL_ROOT_PKT
#define IS_TUNNEL_ROOT_PKT(p)
Definition: decode.h:897
TAILQ_EMPTY
#define TAILQ_EMPTY(head)
Definition: queue.h:347
PcapLogData_::pkt_cnt
uint64_t pkt_cnt
Definition: log-pcap.c:146
HONOR_PASS_RULES_DISABLED
#define HONOR_PASS_RULES_DISABLED
Definition: log-pcap.c:87
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:350
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
PcapLogData_::use_stream_depth
int use_stream_depth
Definition: log-pcap.c:142
PcapLogCompressionData_::format
enum PcapLogCompressionFormat format
Definition: log-pcap.c:122
PcapLogProfileData
struct PcapLogProfileData_ PcapLogProfileData
PcapLogData_::profile_handles
PcapLogProfileData profile_handles
Definition: log-pcap.c:162
LOGMODE_MULTI
#define LOGMODE_MULTI
Definition: log-pcap.c:76
TAILQ_INSERT_TAIL
#define TAILQ_INSERT_TAIL(head, elm, field)
Definition: queue.h:385
PcapLogRegister
void PcapLogRegister(void)
Definition: log-pcap.c:205
SCFmemopen
#define SCFmemopen
Definition: util-fmemopen.h:52
PcapLogCompressionData_::buffer
uint8_t * buffer
Definition: log-pcap.c:123
DEFAULT_LIMIT
#define DEFAULT_LIMIT
Definition: log-pcap.c:71
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:81
PcapLogData_::pcap_dead_handle
pcap_t * pcap_dead_handle
Definition: log-pcap.c:153
util-unittest.h
PcapLogData_::size_current
uint64_t size_current
Definition: log-pcap.c:151
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:565
PcapLogData_::profile_rotate
PcapLogProfileData profile_rotate
Definition: log-pcap.c:165
OutputCtx_::data
void * data
Definition: tm-modules.h:81
PcapLogCompressionData_
Definition: log-pcap.c:121
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:80
PCAPLOG_PROFILE_END
#define PCAPLOG_PROFILE_END(prof)
Definition: log-pcap.c:219
OutputCtx_
Definition: tm-modules.h:78
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
PcapLogCompressionData_::bytes_in_block
uint64_t bytes_in_block
Definition: log-pcap.c:133
TAILQ_ENTRY
#define TAILQ_ENTRY(type)
Definition: queue.h:330
Packet_::datalink
int datalink
Definition: decode.h:583
PcapLogData_::size_limit
uint64_t size_limit
Definition: log-pcap.c:152
PcapLogProfileData_::cnt
uint64_t cnt
Definition: log-pcap.c:110
PcapLogData_::max_files
uint32_t max_files
Definition: log-pcap.c:157
PcapLogCompressionData_::file
FILE * file
Definition: log-pcap.c:129
TAILQ_REMOVE
#define TAILQ_REMOVE(head, elm, field)
Definition: queue.h:412
util-debug.h
TAILQ_FIRST
#define TAILQ_FIRST(head)
Definition: queue.h:339
util-error.h
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:44
PCAP_LOG_COMPRESSION_FORMAT_NONE
@ PCAP_LOG_COMPRESSION_FORMAT_NONE
Definition: log-pcap.c:117
strlcat
size_t strlcat(char *, const char *src, size_t siz)
Definition: util-strlcatu.c:45
util-cpu.h
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
PKT_PSEUDO_STREAM_END
#define PKT_PSEUDO_STREAM_END
Definition: decode.h:1110
PCAP_LOG_COMPRESSION_FORMAT_LZ4
@ PCAP_LOG_COMPRESSION_FORMAT_LZ4
Definition: log-pcap.c:118
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:231
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
PcapLogProfileData_::total
uint64_t total
Definition: log-pcap.c:109
util-atomic.h
util-time.h
OutputInitResult_::ok
bool ok
Definition: output.h:45
SC_ERR_INVALID_ARGUMENT
@ SC_ERR_INVALID_ARGUMENT
Definition: util-error.h:43
TRUE
#define TRUE
Definition: suricata-common.h:33
PcapFileName_::dirname
char * dirname
Definition: log-pcap.c:96
PcapLogData_::file_cnt
uint32_t file_cnt
Definition: log-pcap.c:156
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:282
FALSE
#define FALSE
Definition: suricata-common.h:34
SC_ERR_FOPEN
@ SC_ERR_FOPEN
Definition: util-error.h:74
Packet_
Definition: decode.h:414
SC_ERR_SPRINTF
@ SC_ERR_SPRINTF
Definition: util-error.h:42
SCLocalTime
struct tm * SCLocalTime(time_t timep, struct tm *result)
Definition: util-time.c:270
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:230
conf.h
DEFAULT_FILE_LIMIT
#define DEFAULT_FILE_LIMIT
Definition: log-pcap.c:72
StringParseUint64
int StringParseUint64(uint64_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:308
TmEcode
TmEcode
Definition: tm-threads-common.h:79
RING_BUFFER_MODE_DISABLED
#define RING_BUFFER_MODE_DISABLED
Definition: log-pcap.c:78
PCAP_SNAPLEN
#define PCAP_SNAPLEN
Definition: log-pcap.c:90
PcapLogData_::plog_lock
SCMutex plog_lock
Definition: log-pcap.c:145
PcapLogData_::h
struct pcap_pkthdr * h
Definition: log-pcap.c:147
IS_TUNNEL_PKT
#define IS_TUNNEL_PKT(p)
Definition: decode.h:894
queue.h
SC_ERR_PCRE_STUDY
@ SC_ERR_PCRE_STUDY
Definition: util-error.h:36
PcapLogCompressionData_::pcap_buf
uint8_t * pcap_buf
Definition: log-pcap.c:130
SC_WARN_REMOVE_FILE
@ SC_WARN_REMOVE_FILE
Definition: util-error.h:325
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:217
SC_ERR_INVALID_YAML_CONF_ENTRY
@ SC_ERR_INVALID_YAML_CONF_ENTRY
Definition: util-error.h:169
PcapLogData_::prev_day
int prev_day
Definition: log-pcap.c:150
SCMutexInit
#define SCMutexInit(mut, mutattrs)
Definition: threads-debug.h:116
PCAPLOG_PROFILE_START
#define PCAPLOG_PROFILE_START
Definition: log-pcap.c:216
log-pcap.h
SCGetThreadIdLong
#define SCGetThreadIdLong(...)
Definition: threads.h:257
PcapLogData_::honor_pass_rules
int honor_pass_rules
Definition: log-pcap.c:143
decode-ipv4.h
StringParseUint32
int StringParseUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:313
PcapLogData_::profile_open
PcapLogProfileData profile_open
Definition: log-pcap.c:164
PcapLogData_::profile_lock
PcapLogProfileData profile_lock
Definition: log-pcap.c:159
OutputInitResult_
Definition: output.h:43
LOGGER_PCAP
@ LOGGER_PCAP
Definition: suricata-common.h:491
Packet_::ts
struct timeval ts
Definition: decode.h:457
suricata-common.h
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
LOGMODE_NORMAL
#define LOGMODE_NORMAL
Definition: log-pcap.c:74
PKT_STREAM_NOPCAPLOG
#define PKT_STREAM_NOPCAPLOG
Definition: decode.h:1113
PcapLogData_::profile_data_size
uint64_t profile_data_size
Definition: log-pcap.c:155
TAILQ_NEXT
#define TAILQ_NEXT(elm, field)
Definition: queue.h:341
PathIsAbsolute
int PathIsAbsolute(const char *path)
Check if a path is absolute.
Definition: util-path.c:45
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
PcapLogProfileSetup
void PcapLogProfileSetup(void)
Definition: log-pcap.c:1808
SCMkDir
#define SCMkDir(a, b)
Definition: util-path.h:29
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
FatalError
#define FatalError(x,...)
Definition: util-debug.h:532
PcapLogCompressionData_::buffer_size
uint64_t buffer_size
Definition: log-pcap.c:124
SC_ERR_FSEEK
@ SC_ERR_FSEEK
Definition: util-error.h:344
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
OutputRegisterPacketModule
void OutputRegisterPacketModule(LoggerId id, const char *name, const char *conf_name, OutputInitFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output module.
Definition: output.c:174
PcapLogThreadData_
Definition: log-pcap.c:183
threadvars.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SC_ERR_PCAP_LOG_COMPRESS
@ SC_ERR_PCAP_LOG_COMPRESS
Definition: util-error.h:343
PcapFileName_::filename
char * filename
Definition: log-pcap.c:95
str
#define str(s)
Definition: suricata-common.h:273
MAX_TOKS
#define MAX_TOKS
Definition: log-pcap.c:113
PcapLogCompressionData
struct PcapLogCompressionData_ PcapLogCompressionData
ConfigGetLogDirectory
const char * ConfigGetLogDirectory()
Definition: util-conf.c:35
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:244
MODULE_NAME
#define MODULE_NAME
Definition: log-pcap.c:69
SCFree
#define SCFree(p)
Definition: util-mem.h:61
ConfNode_
Definition: conf.h:32
SC_ATOMIC_DECLARE
SC_ATOMIC_DECLARE(uint32_t, thread_cnt)
SC_ERR_FATAL
@ SC_ERR_FATAL
Definition: util-error.h:203
PcapLogCompressionData_::pcap_buf_wrapper
FILE * pcap_buf_wrapper
Definition: log-pcap.c:132
src
uint16_t src
Definition: app-layer-dnp3.h:5
PcapFileName_
Definition: log-pcap.c:94
ConfValIsFalse
int ConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:590
TAILQ_HEAD
#define TAILQ_HEAD(name, type)
Definition: queue.h:321
PcapLogData_::profile_unlock
PcapLogProfileData profile_unlock
Definition: log-pcap.c:161
TimeGet
void TimeGet(struct timeval *tv)
Definition: util-time.c:153
USE_STREAM_DEPTH_ENABLED
#define USE_STREAM_DEPTH_ENABLED
Definition: log-pcap.c:85
SC_ERR_MEM_ALLOC
@ SC_ERR_MEM_ALLOC
Definition: util-error.h:31
PcapLogData_::profile_close
PcapLogProfileData profile_close
Definition: log-pcap.c:163
PKT_NOPACKET_INSPECTION
#define PKT_NOPACKET_INSPECTION
Definition: decode.h:1102
PcapFileName
struct PcapFileName_ PcapFileName
MIN_LIMIT
#define MIN_LIMIT
Definition: log-pcap.c:70
dst
uint16_t dst
Definition: app-layer-dnp3.h:4
util-misc.h
PcapLogData_
Definition: log-pcap.c:141
flow.h
PcapLogThreadData_::pcap_log
PcapLogData * pcap_log
Definition: log-pcap.c:184
SCLogNotice
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:232
TAILQ_INSERT_BEFORE
#define TAILQ_INSERT_BEFORE(listelm, elm, field)
Definition: queue.h:405
PcapLogData_::profile_write
PcapLogProfileData profile_write
Definition: log-pcap.c:160
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
TS_FORMAT_USEC
#define TS_FORMAT_USEC
Definition: log-pcap.c:82
SC_ERR_DIR_OPEN
@ SC_ERR_DIR_OPEN
Definition: util-error.h:324
SC_ERR_LOGDIR_CONFIG
@ SC_ERR_LOGDIR_CONFIG
Definition: util-error.h:146
SCMutex
#define SCMutex
Definition: threads-debug.h:114
PcapLogData_::is_private
int is_private
Definition: log-pcap.c:144
LOGMODE_SGUIL
#define LOGMODE_SGUIL
Definition: log-pcap.c:75
MAX_FILENAMELEN
#define MAX_FILENAMELEN
Definition: log-pcap.c:114
SC_ERR_OPENING_FILE
@ SC_ERR_OPENING_FILE
Definition: util-error.h:70
debug.h
output.h
PcapLogCompressionFormat
PcapLogCompressionFormat
Definition: log-pcap.c:116
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:842