suricata
log-pcap.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2014 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 
19 /**
20  * \file
21  *
22  * \author William Metcalf <William.Metcalf@gmail.com>
23  * \author Victor Julien <victor@inliniac.net>
24  *
25  * Pcap packet logging module.
26  */
27 
28 #include "suricata-common.h"
29 #include "util-fmemopen.h"
30 
31 #ifdef HAVE_LIBLZ4
32 #include <lz4frame.h>
33 #endif /* HAVE_LIBLZ4 */
34 
35 #if defined(HAVE_DIRENT_H) && defined(HAVE_FNMATCH_H)
36 #define INIT_RING_BUFFER
37 #include <dirent.h>
38 #include <fnmatch.h>
39 #endif
40 
41 #include "debug.h"
42 #include "detect.h"
43 #include "flow.h"
44 #include "conf.h"
45 
46 #include "threads.h"
47 #include "threadvars.h"
48 #include "tm-threads.h"
49 
50 #include "util-unittest.h"
51 #include "log-pcap.h"
52 #include "decode-ipv4.h"
53 
54 #include "util-error.h"
55 #include "util-debug.h"
56 #include "util-time.h"
57 #include "util-byte.h"
58 #include "util-misc.h"
59 #include "util-cpu.h"
60 #include "util-atomic.h"
61 
62 #include "source-pcap.h"
63 
64 #include "output.h"
65 
66 #include "queue.h"
67 
68 #define DEFAULT_LOG_FILENAME "pcaplog"
69 #define MODULE_NAME "PcapLog"
70 #define MIN_LIMIT 4 * 1024 * 1024
71 #define DEFAULT_LIMIT 100 * 1024 * 1024
72 #define DEFAULT_FILE_LIMIT 0
73 
74 #define LOGMODE_NORMAL 0
75 #define LOGMODE_SGUIL 1
76 #define LOGMODE_MULTI 2
77 
78 #define RING_BUFFER_MODE_DISABLED 0
79 #define RING_BUFFER_MODE_ENABLED 1
80 
81 #define TS_FORMAT_SEC 0
82 #define TS_FORMAT_USEC 1
83 
84 #define USE_STREAM_DEPTH_DISABLED 0
85 #define USE_STREAM_DEPTH_ENABLED 1
86 
87 #define HONOR_PASS_RULES_DISABLED 0
88 #define HONOR_PASS_RULES_ENABLED 1
89 
90 #define PCAP_SNAPLEN 262144
91 
92 SC_ATOMIC_DECLARE(uint32_t, thread_cnt);
93 
94 typedef struct PcapFileName_ {
95  char *filename;
96  char *dirname;
97 
98  /* Like a struct timeval, but with fixed size. This is only used when
99  * seeding the ring buffer on start. */
100  struct {
101  uint64_t secs;
102  uint32_t usecs;
103  };
104 
105  TAILQ_ENTRY(PcapFileName_) next; /**< Pointer to next Pcap File for tailq. */
107 
108 typedef struct PcapLogProfileData_ {
109  uint64_t total;
110  uint64_t cnt;
112 
113 #define MAX_TOKS 9
114 #define MAX_FILENAMELEN 513
115 
119 };
120 
121 typedef struct PcapLogCompressionData_ {
123  uint8_t *buffer;
124  uint64_t buffer_size;
125 #ifdef HAVE_LIBLZ4
126  LZ4F_compressionContext_t lz4f_context;
127  LZ4F_preferences_t lz4f_prefs;
128 #endif /* HAVE_LIBLZ4 */
129  FILE *file;
130  uint8_t *pcap_buf;
131  uint64_t pcap_buf_size;
133  uint64_t bytes_in_block;
135 
136 /**
137  * PcapLog thread vars
138  *
139  * Used for storing file options.
140  */
141 typedef struct PcapLogData_ {
142  int use_stream_depth; /**< use stream depth i.e. ignore packets that reach limit */
143  int honor_pass_rules; /**< don't log if pass rules have matched */
144  int is_private; /**< TRUE if ctx is thread local */
146  uint64_t pkt_cnt; /**< total number of packets */
147  struct pcap_pkthdr *h; /**< pcap header struct */
148  char *filename; /**< current filename */
149  int mode; /**< normal or sguil */
150  int prev_day; /**< last day, for finding out when */
151  uint64_t size_current; /**< file current size */
152  uint64_t size_limit; /**< file size limit */
153  pcap_t *pcap_dead_handle; /**< pcap_dumper_t needs a handle */
154  pcap_dumper_t *pcap_dumper; /**< actually writes the packets */
155  uint64_t profile_data_size; /**< track in bytes how many bytes we wrote */
156  uint32_t file_cnt; /**< count of pcap files we currently have */
157  uint32_t max_files; /**< maximum files to use in ring buffer mode */
158 
166 
167  TAILQ_HEAD(, PcapFileName_) pcap_file_list;
168 
169  uint32_t thread_number; /**< thread number, first thread is 1, second 2, etc */
170  int use_ringbuffer; /**< ring buffer mode enabled or disabled */
171  int timestamp_format; /**< timestamp format sec or usec */
172  char *prefix; /**< filename prefix */
173  const char *suffix; /**< filename suffix */
174  char dir[PATH_MAX]; /**< pcap log directory */
175  int reported;
176  int threads; /**< number of threads (only set in the global) */
177  char *filename_parts[MAX_TOKS];
178  int filename_part_cnt;
179 
180  PcapLogCompressionData compression;
182 
183 typedef struct PcapLogThreadData_ {
186 
187 /* Pattern for extracting timestamp from pcap log files. */
188 static const char timestamp_pattern[] = ".*?(\\d+)(\\.(\\d+))?";
189 static pcre *pcre_timestamp_code = NULL;
190 static pcre_extra *pcre_timestamp_extra = NULL;
191 
192 /* global pcap data for when we're using multi mode. At exit we'll
193  * merge counters into this one and then report counters. */
194 static PcapLogData *g_pcap_data = NULL;
195 
196 static int PcapLogOpenFileCtx(PcapLogData *);
197 static int PcapLog(ThreadVars *, void *, const Packet *);
198 static TmEcode PcapLogDataInit(ThreadVars *, const void *, void **);
199 static TmEcode PcapLogDataDeinit(ThreadVars *, void *);
200 static void PcapLogFileDeInitCtx(OutputCtx *);
201 static OutputInitResult PcapLogInitCtx(ConfNode *);
202 static void PcapLogProfilingDump(PcapLogData *);
203 static int PcapLogCondition(ThreadVars *, const Packet *);
204 
205 void PcapLogRegister(void)
206 {
208  PcapLogInitCtx, PcapLog, PcapLogCondition, PcapLogDataInit,
209  PcapLogDataDeinit, NULL);
211  SC_ATOMIC_INIT(thread_cnt);
212  SC_ATOMIC_SET(thread_cnt, 1); /* first id is 1 */
213  return;
214 }
215 
216 #define PCAPLOG_PROFILE_START \
217  uint64_t pcaplog_profile_ticks = UtilCpuGetTicks()
218 
219 #define PCAPLOG_PROFILE_END(prof) \
220  (prof).total += (UtilCpuGetTicks() - pcaplog_profile_ticks); \
221  (prof).cnt++
222 
223 static int PcapLogCondition(ThreadVars *tv, const Packet *p)
224 {
225  if (p->flags & PKT_PSEUDO_STREAM_END) {
226  return FALSE;
227  }
228  if (IS_TUNNEL_PKT(p) && !IS_TUNNEL_ROOT_PKT(p)) {
229  return FALSE;
230  }
231  return TRUE;
232 }
233 
234 /**
235  * \brief Function to close pcaplog file
236  *
237  * \param t Thread Variable containing input/output queue, cpu affinity etc.
238  * \param pl PcapLog thread variable.
239  */
240 static int PcapLogCloseFile(ThreadVars *t, PcapLogData *pl)
241 {
242  if (pl != NULL) {
244 
245  if (pl->pcap_dumper != NULL) {
246  pcap_dump_close(pl->pcap_dumper);
247 #ifdef HAVE_LIBLZ4
248  PcapLogCompressionData *comp = &pl->compression;
250  /* pcap_dump_close() has closed its output ``file'',
251  * so we need to call fmemopen again. */
252 
253  comp->pcap_buf_wrapper = SCFmemopen(comp->pcap_buf,
254  comp->pcap_buf_size, "w");
255  if (comp->pcap_buf_wrapper == NULL) {
256  SCLogError(SC_ERR_FOPEN, "SCFmemopen failed: %s",
257  strerror(errno));
258  return TM_ECODE_FAILED;
259  }
260  }
261 #endif /* HAVE_LIBLZ4 */
262  }
263  pl->size_current = 0;
264  pl->pcap_dumper = NULL;
265 
266  if (pl->pcap_dead_handle != NULL)
267  pcap_close(pl->pcap_dead_handle);
268  pl->pcap_dead_handle = NULL;
269 
270 #ifdef HAVE_LIBLZ4
271  PcapLogCompressionData *comp = &pl->compression;
273  /* pcap_dump_close did not write any data because we call
274  * pcap_dump_flush() after every write when writing
275  * compressed output. */
276  uint64_t bytes_written = LZ4F_compressEnd(comp->lz4f_context,
277  comp->buffer, comp->buffer_size, NULL);
278  if (LZ4F_isError(bytes_written)) {
279  SCLogError(SC_ERR_PCAP_LOG_COMPRESS, "LZ4F_compressEnd: %s",
280  LZ4F_getErrorName(bytes_written));
281  return TM_ECODE_FAILED;
282  }
283  if (fwrite(comp->buffer, 1, bytes_written, comp->file) < bytes_written) {
284  SCLogError(SC_ERR_FWRITE, "fwrite failed: %s", strerror(errno));
285  return TM_ECODE_FAILED;
286  }
287  fclose(comp->file);
288  comp->bytes_in_block = 0;
289  }
290 #endif /* HAVE_LIBLZ4 */
291 
293  }
294 
295  return 0;
296 }
297 
298 static void PcapFileNameFree(PcapFileName *pf)
299 {
300  if (pf != NULL) {
301  if (pf->filename != NULL) {
302  SCFree(pf->filename);
303  }
304  if (pf->dirname != NULL) {
305  SCFree(pf->dirname);
306  }
307  SCFree(pf);
308  }
309 
310  return;
311 }
312 
313 /**
314  * \brief Function to rotate pcaplog file
315  *
316  * \param t Thread Variable containing input/output queue, cpu affinity etc.
317  * \param pl PcapLog thread variable.
318  *
319  * \retval 0 on succces
320  * \retval -1 on failure
321  */
322 static int PcapLogRotateFile(ThreadVars *t, PcapLogData *pl)
323 {
324  PcapFileName *pf;
325  PcapFileName *pfnext;
326 
328 
329  if (PcapLogCloseFile(t,pl) < 0) {
330  SCLogDebug("PcapLogCloseFile failed");
331  return -1;
332  }
333 
334  if (pl->use_ringbuffer == RING_BUFFER_MODE_ENABLED && pl->file_cnt >= pl->max_files) {
335  pf = TAILQ_FIRST(&pl->pcap_file_list);
336  SCLogDebug("Removing pcap file %s", pf->filename);
337 
338  if (remove(pf->filename) != 0) {
339  // VJ remove can fail because file is already gone
340  //LogWarning(SC_ERR_PCAP_FILE_DELETE_FAILED,
341  // "failed to remove log file %s: %s",
342  // pf->filename, strerror( errno ));
343  }
344 
345  /* Remove directory if Sguil mode and no files left in sguil dir */
346  if (pl->mode == LOGMODE_SGUIL) {
347  pfnext = TAILQ_NEXT(pf,next);
348 
349  if (strcmp(pf->dirname, pfnext->dirname) == 0) {
350  SCLogDebug("Current entry dir %s and next entry %s "
351  "are equal: not removing dir",
352  pf->dirname, pfnext->dirname);
353  } else {
354  SCLogDebug("current entry %s and %s are "
355  "not equal: removing dir",
356  pf->dirname, pfnext->dirname);
357 
358  if (remove(pf->dirname) != 0) {
360  "failed to remove sguil log %s: %s",
361  pf->dirname, strerror( errno ));
362  }
363  }
364  }
365 
366  TAILQ_REMOVE(&pl->pcap_file_list, pf, next);
367  PcapFileNameFree(pf);
368  pl->file_cnt--;
369  }
370 
371  if (PcapLogOpenFileCtx(pl) < 0) {
372  SCLogError(SC_ERR_FOPEN, "opening new pcap log file failed");
373  return -1;
374  }
375  pl->file_cnt++;
376  SCLogDebug("file_cnt %u", pl->file_cnt);
377 
379  return 0;
380 }
381 
382 static int PcapLogOpenHandles(PcapLogData *pl, const Packet *p)
383 {
385 
386  SCLogDebug("Setting pcap-log link type to %u", p->datalink);
387 
388  if (pl->pcap_dead_handle == NULL) {
389  if ((pl->pcap_dead_handle = pcap_open_dead(p->datalink,
390  PCAP_SNAPLEN)) == NULL) {
391  SCLogDebug("Error opening dead pcap handle");
392  return TM_ECODE_FAILED;
393  }
394  }
395 
396  if (pl->pcap_dumper == NULL) {
397  if (pl->compression.format == PCAP_LOG_COMPRESSION_FORMAT_NONE) {
398  if ((pl->pcap_dumper = pcap_dump_open(pl->pcap_dead_handle,
399  pl->filename)) == NULL) {
400  SCLogInfo("Error opening dump file %s", pcap_geterr(pl->pcap_dead_handle));
401  return TM_ECODE_FAILED;
402  }
403  }
404 #ifdef HAVE_LIBLZ4
405  else if (pl->compression.format == PCAP_LOG_COMPRESSION_FORMAT_LZ4) {
406  PcapLogCompressionData *comp = &pl->compression;
407  if ((pl->pcap_dumper = pcap_dump_fopen(pl->pcap_dead_handle,
408  comp->pcap_buf_wrapper)) == NULL) {
409  SCLogError(SC_ERR_OPENING_FILE, "Error opening dump file %s",
410  pcap_geterr(pl->pcap_dead_handle));
411  return TM_ECODE_FAILED;
412  }
413  comp->file = fopen(pl->filename, "w");
414  if (comp->file == NULL) {
416  "Error opening file for compressed output: %s",
417  strerror(errno));
418  return TM_ECODE_FAILED;
419  }
420 
421  uint64_t bytes_written = LZ4F_compressBegin(comp->lz4f_context,
422  comp->buffer, comp->buffer_size, NULL);
423  if (LZ4F_isError(bytes_written)) {
424  SCLogError(SC_ERR_PCAP_LOG_COMPRESS, "LZ4F_compressBegin: %s",
425  LZ4F_getErrorName(bytes_written));
426  return TM_ECODE_FAILED;
427  }
428  if (fwrite(comp->buffer, 1, bytes_written, comp->file) < bytes_written) {
429  SCLogError(SC_ERR_FWRITE, "fwrite failed: %s", strerror(errno));
430  return TM_ECODE_FAILED;
431  }
432  }
433 #endif /* HAVE_LIBLZ4 */
434  }
435 
437  return TM_ECODE_OK;
438 }
439 
440 /** \internal
441  * \brief lock wrapper for main PcapLog() function
442  * NOTE: only meant for use in main PcapLog() function.
443  */
444 static void PcapLogLock(PcapLogData *pl)
445 {
446  if (!(pl->is_private)) {
448  SCMutexLock(&pl->plog_lock);
450  }
451 }
452 
453 /** \internal
454  * \brief unlock wrapper for main PcapLog() function
455  * NOTE: only meant for use in main PcapLog() function.
456  */
457 static void PcapLogUnlock(PcapLogData *pl)
458 {
459  if (!(pl->is_private)) {
461  SCMutexUnlock(&pl->plog_lock);
463  }
464 }
465 
466 /**
467  * \brief Pcap logging main function
468  *
469  * \param t threadvar
470  * \param p packet
471  * \param thread_data thread module specific data
472  *
473  * \retval TM_ECODE_OK on succes
474  * \retval TM_ECODE_FAILED on serious error
475  */
476 static int PcapLog (ThreadVars *t, void *thread_data, const Packet *p)
477 {
478  size_t len;
479  int rotate = 0;
480  int ret = 0;
481 
482  PcapLogThreadData *td = (PcapLogThreadData *)thread_data;
483  PcapLogData *pl = td->pcap_log;
484 
485  if ((p->flags & PKT_PSEUDO_STREAM_END) ||
486  ((p->flags & PKT_STREAM_NOPCAPLOG) &&
488  (IS_TUNNEL_PKT(p) && !IS_TUNNEL_ROOT_PKT(p)) ||
490  {
491  return TM_ECODE_OK;
492  }
493 
494  PcapLogLock(pl);
495 
496  pl->pkt_cnt++;
497  pl->h->ts.tv_sec = p->ts.tv_sec;
498  pl->h->ts.tv_usec = p->ts.tv_usec;
499  pl->h->caplen = GET_PKT_LEN(p);
500  pl->h->len = GET_PKT_LEN(p);
501  len = sizeof(*pl->h) + GET_PKT_LEN(p);
502 
503  if (pl->filename == NULL) {
504  ret = PcapLogOpenFileCtx(pl);
505  if (ret < 0) {
506  PcapLogUnlock(pl);
507  return TM_ECODE_FAILED;
508  }
509  SCLogDebug("Opening PCAP log file %s", pl->filename);
510  }
511 
512  if (pl->mode == LOGMODE_SGUIL) {
513  struct tm local_tm;
514  struct tm *tms = SCLocalTime(p->ts.tv_sec, &local_tm);
515  if (tms->tm_mday != pl->prev_day) {
516  rotate = 1;
517  pl->prev_day = tms->tm_mday;
518  }
519  }
520 
521  PcapLogCompressionData *comp = &pl->compression;
523  if ((pl->size_current + len) > pl->size_limit || rotate) {
524  if (PcapLogRotateFile(t,pl) < 0) {
525  PcapLogUnlock(pl);
526  SCLogDebug("rotation of pcap failed");
527  return TM_ECODE_FAILED;
528  }
529  }
530  }
531 #ifdef HAVE_LIBLZ4
532  else if (comp->format == PCAP_LOG_COMPRESSION_FORMAT_LZ4) {
533  /* When writing compressed pcap logs, we have no way of knowing
534  * for sure whether adding this packet would cause the current
535  * file to exceed the size limit. Thus, we record the number of
536  * bytes that have been fed into lz4 since the last write, and
537  * act as if they would be written uncompressed. */
538 
539  if ((pl->size_current + comp->bytes_in_block + len) > pl->size_limit ||
540  rotate) {
541  if (PcapLogRotateFile(t,pl) < 0) {
542  PcapLogUnlock(pl);
543  SCLogDebug("rotation of pcap failed");
544  return TM_ECODE_FAILED;
545  }
546  }
547  }
548 #endif /* HAVE_LIBLZ4 */
549 
550  /* XXX pcap handles, nfq, pfring, can only have one link type ipfw? we do
551  * this here as we don't know the link type until we get our first packet */
552  if (pl->pcap_dead_handle == NULL || pl->pcap_dumper == NULL) {
553  if (PcapLogOpenHandles(pl, p) != TM_ECODE_OK) {
554  PcapLogUnlock(pl);
555  return TM_ECODE_FAILED;
556  }
557  }
558 
560  pcap_dump((u_char *)pl->pcap_dumper, pl->h, GET_PKT_DATA(p));
561  if (pl->compression.format == PCAP_LOG_COMPRESSION_FORMAT_NONE) {
562  pl->size_current += len;
563  }
564 #ifdef HAVE_LIBLZ4
565  else if (pl->compression.format == PCAP_LOG_COMPRESSION_FORMAT_LZ4) {
566  pcap_dump_flush(pl->pcap_dumper);
567  uint64_t in_size = (uint64_t)ftell(comp->pcap_buf_wrapper);
568  uint64_t out_size = LZ4F_compressUpdate(comp->lz4f_context,
569  comp->buffer, comp->buffer_size, comp->pcap_buf, in_size, NULL);
570  if (LZ4F_isError(len)) {
571  SCLogError(SC_ERR_PCAP_LOG_COMPRESS, "LZ4F_compressUpdate: %s",
572  LZ4F_getErrorName(len));
573  return TM_ECODE_FAILED;
574  }
575  if (fseek(pl->compression.pcap_buf_wrapper, 0, SEEK_SET) != 0) {
576  SCLogError(SC_ERR_FSEEK, "fseek failed: %s", strerror(errno));
577  return TM_ECODE_FAILED;
578  }
579  if (fwrite(comp->buffer, 1, out_size, comp->file) < out_size) {
580  SCLogError(SC_ERR_FWRITE, "fwrite failed: %s", strerror(errno));
581  return TM_ECODE_FAILED;
582  }
583  if (out_size > 0) {
584  pl->size_current += out_size;
585  comp->bytes_in_block = len;
586  } else {
587  comp->bytes_in_block += len;
588  }
589  }
590 #endif /* HAVE_LIBLZ4 */
591 
593  pl->profile_data_size += len;
594 
595  SCLogDebug("pl->size_current %"PRIu64", pl->size_limit %"PRIu64,
596  pl->size_current, pl->size_limit);
597 
598  PcapLogUnlock(pl);
599  return TM_ECODE_OK;
600 }
601 
602 static PcapLogData *PcapLogDataCopy(const PcapLogData *pl)
603 {
604  BUG_ON(pl->mode != LOGMODE_MULTI);
605  PcapLogData *copy = SCCalloc(1, sizeof(*copy));
606  if (unlikely(copy == NULL)) {
607  return NULL;
608  }
609 
610  copy->h = SCCalloc(1, sizeof(*copy->h));
611  if (unlikely(copy->h == NULL)) {
612  SCFree(copy);
613  return NULL;
614  }
615 
616  copy->prefix = SCStrdup(pl->prefix);
617  if (unlikely(copy->prefix == NULL)) {
618  SCFree(copy->h);
619  SCFree(copy);
620  return NULL;
621  }
622 
623  copy->suffix = pl->suffix;
624 
625  /* settings TODO move to global cfg struct */
626  copy->is_private = TRUE;
627  copy->mode = pl->mode;
628  copy->max_files = pl->max_files;
629  copy->use_ringbuffer = pl->use_ringbuffer;
630  copy->timestamp_format = pl->timestamp_format;
632  copy->size_limit = pl->size_limit;
633 
634  const PcapLogCompressionData *comp = &pl->compression;
635  PcapLogCompressionData *copy_comp = &copy->compression;
636  copy_comp->format = comp->format;
637 #ifdef HAVE_LIBLZ4
639  /* We need to allocate a new compression context and buffers for
640  * the copy. First copy the things that can simply be copied. */
641 
642  copy_comp->buffer_size = comp->buffer_size;
643  copy_comp->pcap_buf_size = comp->pcap_buf_size;
644  copy_comp->lz4f_prefs = comp->lz4f_prefs;
645 
646  /* Allocate the buffers. */
647 
648  copy_comp->buffer = SCMalloc(copy_comp->buffer_size);
649  if (copy_comp->buffer == NULL) {
650  SCLogError(SC_ERR_MEM_ALLOC, "SCMalloc failed: %s",
651  strerror(errno));
652  SCFree(copy->h);
653  SCFree(copy);
654  return NULL;
655  }
656  copy_comp->pcap_buf = SCMalloc(copy_comp->pcap_buf_size);
657  if (copy_comp->pcap_buf == NULL) {
658  SCLogError(SC_ERR_MEM_ALLOC, "SCMalloc failed: %s",
659  strerror(errno));
660  SCFree(copy_comp->buffer);
661  SCFree(copy->h);
662  SCFree(copy);
663  return NULL;
664  }
665  copy_comp->pcap_buf_wrapper = SCFmemopen(copy_comp->pcap_buf,
666  copy_comp->pcap_buf_size, "w");
667  if (copy_comp->pcap_buf_wrapper == NULL) {
668  SCLogError(SC_ERR_FOPEN, "SCFmemopen failed: %s", strerror(errno));
669  SCFree(copy_comp->buffer);
670  SCFree(copy_comp->pcap_buf);
671  SCFree(copy->h);
672  SCFree(copy);
673  return NULL;
674  }
675 
676  /* Initialize a new compression context. */
677 
678  LZ4F_errorCode_t errcode =
679  LZ4F_createCompressionContext(&copy_comp->lz4f_context, 1);
680  if (LZ4F_isError(errcode)) {
682  "LZ4F_createCompressionContext failed: %s",
683  LZ4F_getErrorName(errcode));
684  fclose(copy_comp->pcap_buf_wrapper);
685  SCFree(copy_comp->buffer);
686  SCFree(copy_comp->pcap_buf);
687  SCFree(copy->h);
688  SCFree(copy);
689  return NULL;
690  }
691 
692  /* Initialize the rest. */
693 
694  copy_comp->file = NULL;
695  copy_comp->bytes_in_block = 0;
696  }
697 #endif /* HAVE_LIBLZ4 */
698 
699  TAILQ_INIT(&copy->pcap_file_list);
700  SCMutexInit(&copy->plog_lock, NULL);
701 
702  strlcpy(copy->dir, pl->dir, sizeof(copy->dir));
703 
704  int i;
705  for (i = 0; i < pl->filename_part_cnt && i < MAX_TOKS; i++)
706  copy->filename_parts[i] = pl->filename_parts[i];
707  copy->filename_part_cnt = pl->filename_part_cnt;
708 
709  /* set thread number, first thread is 1 */
710  copy->thread_number = SC_ATOMIC_ADD(thread_cnt, 1);
711 
712  SCLogDebug("copied, returning %p", copy);
713  return copy;
714 }
715 
716 #ifdef INIT_RING_BUFFER
717 static int PcapLogGetTimeOfFile(const char *filename, uint64_t *secs,
718  uint32_t *usecs)
719 {
720  int pcre_ovecsize = 4 * 3;
721  int pcre_ovec[pcre_ovecsize];
722  char buf[PATH_MAX];
723 
724  int n = pcre_exec(pcre_timestamp_code, pcre_timestamp_extra,
725  filename, strlen(filename), 0, 0, pcre_ovec,
726  pcre_ovecsize);
727  if (n != 2 && n != 4) {
728  /* No match. */
729  return 0;
730  }
731 
732  if (n >= 2) {
733  /* Extract seconds. */
734  if (pcre_copy_substring(filename, pcre_ovec, pcre_ovecsize,
735  1, buf, sizeof(buf)) < 0) {
736  return 0;
737  }
738  if (StringParseUint64(secs, 10, 0, buf) < 0) {
739  return 0;
740  }
741  }
742  if (n == 4) {
743  /* Extract microseconds. */
744  if (pcre_copy_substring(filename, pcre_ovec, pcre_ovecsize,
745  3, buf, sizeof(buf)) < 0) {
746  return 0;
747  }
748  if (StringParseUint32(usecs, 10, 0, buf) < 0) {
749  return 0;
750  }
751  }
752 
753  return 1;
754 }
755 
756 static TmEcode PcapLogInitRingBuffer(PcapLogData *pl)
757 {
758  char pattern[PATH_MAX];
759 
760  SCLogInfo("Initializing PCAP ring buffer for %s/%s.",
761  pl->dir, pl->prefix);
762 
763  strlcpy(pattern, pl->dir, PATH_MAX);
764  if (pattern[strlen(pattern) - 1] != '/') {
765  strlcat(pattern, "/", PATH_MAX);
766  }
767  if (pl->mode == LOGMODE_MULTI) {
768  for (int i = 0; i < pl->filename_part_cnt; i++) {
769  char *part = pl->filename_parts[i];
770  if (part == NULL || strlen(part) == 0) {
771  continue;
772  }
773  if (part[0] != '%' || strlen(part) < 2) {
774  strlcat(pattern, part, PATH_MAX);
775  continue;
776  }
777  switch (part[1]) {
778  case 'i':
780  "Thread ID not allowed inring buffer mode.");
781  return TM_ECODE_FAILED;
782  case 'n': {
783  char tmp[PATH_MAX];
784  snprintf(tmp, PATH_MAX, "%"PRIu32, pl->thread_number);
785  strlcat(pattern, tmp, PATH_MAX);
786  break;
787  }
788  case 't':
789  strlcat(pattern, "*", PATH_MAX);
790  break;
791  default:
793  "Unsupported format character: %%%s", part);
794  return TM_ECODE_FAILED;
795  }
796  }
797  } else {
798  strlcat(pattern, pl->prefix, PATH_MAX);
799  strlcat(pattern, ".*", PATH_MAX);
800  }
801  strlcat(pattern, pl->suffix, PATH_MAX);
802 
803  char *basename = strrchr(pattern, '/');
804  *basename++ = '\0';
805 
806  /* Pattern is now just the directory name. */
807  DIR *dir = opendir(pattern);
808  if (dir == NULL) {
809  SCLogWarning(SC_ERR_DIR_OPEN, "Failed to open directory %s: %s",
810  pattern, strerror(errno));
811  return TM_ECODE_FAILED;
812  }
813 
814  for (;;) {
815  struct dirent *entry = readdir(dir);
816  if (entry == NULL) {
817  break;
818  }
819  if (fnmatch(basename, entry->d_name, 0) != 0) {
820  continue;
821  }
822 
823  uint64_t secs = 0;
824  uint32_t usecs = 0;
825 
826  if (!PcapLogGetTimeOfFile(entry->d_name, &secs, &usecs)) {
827  /* Failed to get time stamp out of file name. Not necessarily a
828  * failure as the file might just not be a pcap log file. */
829  continue;
830  }
831 
832  PcapFileName *pf = SCCalloc(sizeof(*pf), 1);
833  if (unlikely(pf == NULL)) {
834  goto fail;
835  }
836  char path[PATH_MAX];
837  if (snprintf(path, PATH_MAX, "%s/%s", pattern, entry->d_name) == PATH_MAX)
838  goto fail;
839 
840  if ((pf->filename = SCStrdup(path)) == NULL) {
841  goto fail;
842  }
843  if ((pf->dirname = SCStrdup(pattern)) == NULL) {
844  goto fail;
845  }
846  pf->secs = secs;
847  pf->usecs = usecs;
848 
849  if (TAILQ_EMPTY(&pl->pcap_file_list)) {
850  TAILQ_INSERT_TAIL(&pl->pcap_file_list, pf, next);
851  } else {
852  /* Ordered insert. */
853  PcapFileName *it = NULL;
854  TAILQ_FOREACH(it, &pl->pcap_file_list, next) {
855  if (pf->secs < it->secs) {
856  break;
857  } else if (pf->secs == it->secs && pf->usecs < it->usecs) {
858  break;
859  }
860  }
861  if (it == NULL) {
862  TAILQ_INSERT_TAIL(&pl->pcap_file_list, pf, next);
863  } else {
864  TAILQ_INSERT_BEFORE(it, pf, next);
865  }
866  }
867  pl->file_cnt++;
868  continue;
869 
870  fail:
871  if (pf != NULL) {
872  if (pf->filename != NULL) {
873  SCFree(pf->filename);
874  }
875  if (pf->dirname != NULL) {
876  SCFree(pf->dirname);
877  }
878  SCFree(pf);
879  }
880  break;
881  }
882 
883  if (pl->file_cnt > pl->max_files) {
884  PcapFileName *pf = TAILQ_FIRST(&pl->pcap_file_list);
885  while (pf != NULL && pl->file_cnt > pl->max_files) {
886  SCLogDebug("Removing PCAP file %s", pf->filename);
887  if (remove(pf->filename) != 0) {
889  "Failed to remove PCAP file %s: %s", pf->filename,
890  strerror(errno));
891  }
892  TAILQ_REMOVE(&pl->pcap_file_list, pf, next);
893  PcapFileNameFree(pf);
894  pf = TAILQ_FIRST(&pl->pcap_file_list);
895  pl->file_cnt--;
896  }
897  }
898 
899  closedir(dir);
900 
901  /* For some reason file count is initialized at one, instead of 0. */
902  SCLogNotice("Ring buffer initialized with %d files.", pl->file_cnt - 1);
903 
904  return TM_ECODE_OK;
905 }
906 #endif /* INIT_RING_BUFFER */
907 
908 static TmEcode PcapLogDataInit(ThreadVars *t, const void *initdata, void **data)
909 {
910  if (initdata == NULL) {
911  SCLogDebug("Error getting context for LogPcap. \"initdata\" argument NULL");
912  return TM_ECODE_FAILED;
913  }
914 
915  PcapLogData *pl = ((OutputCtx *)initdata)->data;
916 
917  PcapLogThreadData *td = SCCalloc(1, sizeof(*td));
918  if (unlikely(td == NULL))
919  return TM_ECODE_FAILED;
920 
921  if (pl->mode == LOGMODE_MULTI)
922  td->pcap_log = PcapLogDataCopy(pl);
923  else
924  td->pcap_log = pl;
925  BUG_ON(td->pcap_log == NULL);
926 
927  PcapLogLock(td->pcap_log);
928 
929  /** Use the Ouptut Context (file pointer and mutex) */
930  td->pcap_log->pkt_cnt = 0;
931  td->pcap_log->pcap_dead_handle = NULL;
932  td->pcap_log->pcap_dumper = NULL;
933  if (td->pcap_log->file_cnt < 1) {
934  td->pcap_log->file_cnt = 1;
935  }
936 
937  struct timeval ts;
938  memset(&ts, 0x00, sizeof(struct timeval));
939  TimeGet(&ts);
940  struct tm local_tm;
941  struct tm *tms = SCLocalTime(ts.tv_sec, &local_tm);
942  td->pcap_log->prev_day = tms->tm_mday;
943 
944  PcapLogUnlock(td->pcap_log);
945 
946  /* count threads in the global structure */
947  SCMutexLock(&pl->plog_lock);
948  pl->threads++;
949  SCMutexUnlock(&pl->plog_lock);
950 
951  *data = (void *)td;
952 
953  if (pl->max_files && (pl->mode == LOGMODE_MULTI || pl->threads == 1)) {
954 #ifdef INIT_RING_BUFFER
955  if (PcapLogInitRingBuffer(td->pcap_log) == TM_ECODE_FAILED) {
956  return TM_ECODE_FAILED;
957  }
958 #else
959  SCLogInfo("Unable to initialize ring buffer on this platform.");
960 #endif /* INIT_RING_BUFFER */
961  }
962 
963  return TM_ECODE_OK;
964 }
965 
966 static void StatsMerge(PcapLogData *dst, PcapLogData *src)
967 {
968  dst->profile_open.total += src->profile_open.total;
969  dst->profile_open.cnt += src->profile_open.cnt;
970 
971  dst->profile_close.total += src->profile_close.total;
972  dst->profile_close.cnt += src->profile_close.cnt;
973 
974  dst->profile_write.total += src->profile_write.total;
975  dst->profile_write.cnt += src->profile_write.cnt;
976 
977  dst->profile_rotate.total += src->profile_rotate.total;
978  dst->profile_rotate.cnt += src->profile_rotate.cnt;
979 
980  dst->profile_handles.total += src->profile_handles.total;
981  dst->profile_handles.cnt += src->profile_handles.cnt;
982 
983  dst->profile_lock.total += src->profile_lock.total;
984  dst->profile_lock.cnt += src->profile_lock.cnt;
985 
986  dst->profile_unlock.total += src->profile_unlock.total;
987  dst->profile_unlock.cnt += src->profile_unlock.cnt;
988 
989  dst->profile_data_size += src->profile_data_size;
990 }
991 
992 static void PcapLogDataFree(PcapLogData *pl)
993 {
994 
995  PcapFileName *pf;
996  while ((pf = TAILQ_FIRST(&pl->pcap_file_list)) != NULL) {
997  TAILQ_REMOVE(&pl->pcap_file_list, pf, next);
998  PcapFileNameFree(pf);
999  }
1000  if (pl == g_pcap_data) {
1001  for (int i = 0; i < MAX_TOKS; i++) {
1002  if (pl->filename_parts[i] != NULL) {
1003  SCFree(pl->filename_parts[i]);
1004  }
1005  }
1006  }
1007  SCFree(pl->h);
1008  SCFree(pl->filename);
1009  SCFree(pl->prefix);
1010 
1011 #ifdef HAVE_LIBLZ4
1012  if (pl->compression.format == PCAP_LOG_COMPRESSION_FORMAT_LZ4) {
1013  SCFree(pl->compression.buffer);
1014  fclose(pl->compression.pcap_buf_wrapper);
1015  SCFree(pl->compression.pcap_buf);
1016  LZ4F_errorCode_t errcode =
1017  LZ4F_freeCompressionContext(pl->compression.lz4f_context);
1018  if (LZ4F_isError(errcode)) {
1019  SCLogWarning(SC_ERR_MEM_ALLOC, "Error freeing lz4 context.");
1020  }
1021  }
1022 #endif /* HAVE_LIBLZ4 */
1023  SCFree(pl);
1024 }
1025 
1026 /**
1027  * \brief Thread deinit function.
1028  *
1029  * \param t Thread Variable containing input/output queue, cpu affinity etc.
1030  * \param data PcapLog thread data.
1031  * \retval TM_ECODE_OK on succces
1032  * \retval TM_ECODE_FAILED on failure
1033  */
1034 static TmEcode PcapLogDataDeinit(ThreadVars *t, void *thread_data)
1035 {
1036  PcapLogThreadData *td = (PcapLogThreadData *)thread_data;
1037  PcapLogData *pl = td->pcap_log;
1038 
1039  if (pl->pcap_dumper != NULL) {
1040  if (PcapLogCloseFile(t,pl) < 0) {
1041  SCLogDebug("PcapLogCloseFile failed");
1042  }
1043  }
1044 
1045  if (pl->mode == LOGMODE_MULTI) {
1046  SCMutexLock(&g_pcap_data->plog_lock);
1047  StatsMerge(g_pcap_data, pl);
1048  g_pcap_data->reported++;
1049  if (g_pcap_data->threads == g_pcap_data->reported)
1050  PcapLogProfilingDump(g_pcap_data);
1051  SCMutexUnlock(&g_pcap_data->plog_lock);
1052  } else {
1053  if (pl->reported == 0) {
1054  PcapLogProfilingDump(pl);
1055  pl->reported = 1;
1056  }
1057  }
1058 
1059  if (pl != g_pcap_data) {
1060  PcapLogDataFree(pl);
1061  }
1062 
1063  SCFree(td);
1064  return TM_ECODE_OK;
1065 }
1066 
1067 
1068 static int ParseFilename(PcapLogData *pl, const char *filename)
1069 {
1070  char *toks[MAX_TOKS] = { NULL };
1071  int tok = 0;
1072  char str[MAX_FILENAMELEN] = "";
1073  int s = 0;
1074  int i, x;
1075  char *p = NULL;
1076  size_t filename_len = 0;
1077 
1078  if (filename) {
1079  filename_len = strlen(filename);
1080  if (filename_len > (MAX_FILENAMELEN-1)) {
1081  SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid filename option. Max filename-length: %d",MAX_FILENAMELEN-1);
1082  goto error;
1083  }
1084 
1085  for (i = 0; i < (int)strlen(filename); i++) {
1086  if (tok >= MAX_TOKS) {
1088  "invalid filename option. Max 2 %%-sign options");
1089  goto error;
1090  }
1091 
1092  str[s++] = filename[i];
1093 
1094  if (filename[i] == '%') {
1095  str[s-1] = '\0';
1096  SCLogDebug("filename with %%-sign: %s", str);
1097 
1098  p = SCStrdup(str);
1099  if (p == NULL)
1100  goto error;
1101  toks[tok++] = p;
1102 
1103  s = 0;
1104 
1105  if (i+1 < (int)strlen(filename)) {
1106  if (tok >= MAX_TOKS) {
1108  "invalid filename option. Max 2 %%-sign options");
1109  goto error;
1110  }
1111 
1112  if (filename[i+1] != 'n' && filename[i+1] != 't' && filename[i+1] != 'i') {
1114  "invalid filename option. Valid %%-sign options: %%n, %%i and %%t");
1115  goto error;
1116  }
1117  str[0] = '%';
1118  str[1] = filename[i+1];
1119  str[2] = '\0';
1120  p = SCStrdup(str);
1121  if (p == NULL)
1122  goto error;
1123  toks[tok++] = p;
1124  i++;
1125  }
1126  }
1127  }
1128  if (s) {
1129  if (tok >= MAX_TOKS) {
1131  "invalid filename option. Max 3 %%-sign options");
1132  goto error;
1133 
1134  }
1135  str[s++] = '\0';
1136  p = SCStrdup(str);
1137  if (p == NULL)
1138  goto error;
1139  toks[tok++] = p;
1140  }
1141 
1142  /* finally, store tokens in the pl */
1143  for (i = 0; i < tok; i++) {
1144  if (toks[i] == NULL)
1145  goto error;
1146 
1147  SCLogDebug("toks[%d] %s", i, toks[i]);
1148  pl->filename_parts[i] = toks[i];
1149  }
1150  pl->filename_part_cnt = tok;
1151  }
1152  return 0;
1153 error:
1154  for (x = 0; x < MAX_TOKS; x++) {
1155  if (toks[x] != NULL)
1156  SCFree(toks[x]);
1157  }
1158  return -1;
1159 }
1160 
1161 /** \brief Fill in pcap logging struct from the provided ConfNode.
1162  * \param conf The configuration node for this output.
1163  * \retval output_ctx
1164  * */
1165 static OutputInitResult PcapLogInitCtx(ConfNode *conf)
1166 {
1167  OutputInitResult result = { NULL, false };
1168  const char *pcre_errbuf;
1169  int pcre_erroffset;
1170 
1171  PcapLogData *pl = SCMalloc(sizeof(PcapLogData));
1172  if (unlikely(pl == NULL)) {
1173  SCLogError(SC_ERR_MEM_ALLOC, "Failed to allocate Memory for PcapLogData");
1174  exit(EXIT_FAILURE);
1175  }
1176  memset(pl, 0, sizeof(PcapLogData));
1177 
1178  pl->h = SCMalloc(sizeof(*pl->h));
1179  if (pl->h == NULL) {
1181  "Failed to allocate Memory for pcap header struct");
1182  exit(EXIT_FAILURE);
1183  }
1184 
1185  /* Set the defaults */
1186  pl->mode = LOGMODE_NORMAL;
1188  pl->use_ringbuffer = RING_BUFFER_MODE_DISABLED;
1189  pl->timestamp_format = TS_FORMAT_SEC;
1192 
1193  TAILQ_INIT(&pl->pcap_file_list);
1194 
1195  SCMutexInit(&pl->plog_lock, NULL);
1196 
1197  /* Initialize PCREs. */
1198  pcre_timestamp_code = pcre_compile(timestamp_pattern, 0, &pcre_errbuf,
1199  &pcre_erroffset, NULL);
1200  if (pcre_timestamp_code == NULL) {
1202  "Failed to compile \"%s\" at offset %"PRIu32": %s",
1203  timestamp_pattern, pcre_erroffset, pcre_errbuf);
1204  }
1205  pcre_timestamp_extra = pcre_study(pcre_timestamp_code, 0, &pcre_errbuf);
1206  if (pcre_errbuf != NULL) {
1207  FatalError(SC_ERR_PCRE_STUDY, "Fail to study pcre: %s", pcre_errbuf);
1208  }
1209 
1210  /* conf params */
1211 
1212  const char *filename = NULL;
1213 
1214  if (conf != NULL) { /* To faciliate unit tests. */
1215  filename = ConfNodeLookupChildValue(conf, "filename");
1216  }
1217 
1218  if (filename == NULL)
1219  filename = DEFAULT_LOG_FILENAME;
1220 
1221  if ((pl->prefix = SCStrdup(filename)) == NULL) {
1222  exit(EXIT_FAILURE);
1223  }
1224 
1225  pl->suffix = "";
1226 
1227  if (filename) {
1228  if (ParseFilename(pl, filename) != 0)
1229  exit(EXIT_FAILURE);
1230  }
1231 
1232  pl->size_limit = DEFAULT_LIMIT;
1233  if (conf != NULL) {
1234  const char *s_limit = NULL;
1235  s_limit = ConfNodeLookupChildValue(conf, "limit");
1236  if (s_limit != NULL) {
1237  if (ParseSizeStringU64(s_limit, &pl->size_limit) < 0) {
1239  "Failed to initialize pcap output, invalid limit: %s",
1240  s_limit);
1241  exit(EXIT_FAILURE);
1242  }
1243  if (pl->size_limit < 4096) {
1244  SCLogInfo("pcap-log \"limit\" value of %"PRIu64" assumed to be pre-1.2 "
1245  "style: setting limit to %"PRIu64"mb", pl->size_limit, pl->size_limit);
1246  uint64_t size = pl->size_limit * 1024 * 1024;
1247  pl->size_limit = size;
1248  } else if (pl->size_limit < MIN_LIMIT) {
1250  "Fail to initialize pcap-log output, limit less than "
1251  "allowed minimum.");
1252  exit(EXIT_FAILURE);
1253  }
1254  }
1255  }
1256 
1257  if (conf != NULL) {
1258  const char *s_mode = NULL;
1259  s_mode = ConfNodeLookupChildValue(conf, "mode");
1260  if (s_mode != NULL) {
1261  if (strcasecmp(s_mode, "sguil") == 0) {
1262  pl->mode = LOGMODE_SGUIL;
1263  } else if (strcasecmp(s_mode, "multi") == 0) {
1264  pl->mode = LOGMODE_MULTI;
1265  } else if (strcasecmp(s_mode, "normal") != 0) {
1267  "log-pcap: invalid mode \"%s\". Valid options: \"normal\", "
1268  "\"sguil\", or \"multi\" mode ", s_mode);
1269  exit(EXIT_FAILURE);
1270  }
1271  }
1272 
1273  const char *s_dir = NULL;
1274  s_dir = ConfNodeLookupChildValue(conf, "dir");
1275  if (s_dir == NULL) {
1276  s_dir = ConfNodeLookupChildValue(conf, "sguil-base-dir");
1277  }
1278  if (s_dir == NULL) {
1279  if (pl->mode == LOGMODE_SGUIL) {
1281  "log-pcap \"sguil\" mode requires \"sguil-base-dir\" "
1282  "option to be set.");
1283  exit(EXIT_FAILURE);
1284  } else {
1285  const char *log_dir = NULL;
1286  log_dir = ConfigGetLogDirectory();
1287 
1288  strlcpy(pl->dir,
1289  log_dir, sizeof(pl->dir));
1290  SCLogInfo("Using log dir %s", pl->dir);
1291  }
1292  } else {
1293  if (PathIsAbsolute(s_dir)) {
1294  strlcpy(pl->dir,
1295  s_dir, sizeof(pl->dir));
1296  } else {
1297  const char *log_dir = NULL;
1298  log_dir = ConfigGetLogDirectory();
1299 
1300  snprintf(pl->dir, sizeof(pl->dir), "%s/%s",
1301  log_dir, s_dir);
1302  }
1303 
1304  struct stat stat_buf;
1305  if (stat(pl->dir, &stat_buf) != 0) {
1306  SCLogError(SC_ERR_LOGDIR_CONFIG, "The sguil-base-dir directory \"%s\" "
1307  "supplied doesn't exist. Shutting down the engine",
1308  pl->dir);
1309  exit(EXIT_FAILURE);
1310  }
1311  SCLogInfo("Using log dir %s", pl->dir);
1312  }
1313 
1314  const char *compression_str = ConfNodeLookupChildValue(conf,
1315  "compression");
1316 
1317  PcapLogCompressionData *comp = &pl->compression;
1318  if (compression_str == NULL || strcmp(compression_str, "none") == 0) {
1320  comp->buffer = NULL;
1321  comp->buffer_size = 0;
1322  comp->file = NULL;
1323  comp->pcap_buf = NULL;
1324  comp->pcap_buf_size = 0;
1325  comp->pcap_buf_wrapper = NULL;
1326  } else if (strcmp(compression_str, "lz4") == 0) {
1327 #ifdef HAVE_LIBLZ4
1328  if (pl->mode == LOGMODE_SGUIL) {
1329  SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Compressed pcap "
1330  "logs are not possible in sguil mode");
1331  SCFree(pl->h);
1332  SCFree(pl);
1333  return result;
1334  }
1335  pl->compression.format = PCAP_LOG_COMPRESSION_FORMAT_LZ4;
1336 
1337  /* Use SCFmemopen so we can make pcap_dump write to a buffer. */
1338 
1339  comp->pcap_buf_size = sizeof(struct pcap_file_header) +
1340  sizeof(struct pcap_pkthdr) + PCAP_SNAPLEN;
1341  comp->pcap_buf = SCMalloc(comp->pcap_buf_size);
1342  if (comp->pcap_buf == NULL) {
1343  SCLogError(SC_ERR_MEM_ALLOC, "SCMalloc failed: %s",
1344  strerror(errno));
1345  exit(EXIT_FAILURE);
1346  }
1347  comp->pcap_buf_wrapper = SCFmemopen(comp->pcap_buf,
1348  comp->pcap_buf_size, "w");
1349  if (comp->pcap_buf_wrapper == NULL) {
1350  SCLogError(SC_ERR_FOPEN, "SCFmemopen failed: %s",
1351  strerror(errno));
1352  exit(EXIT_FAILURE);
1353  }
1354 
1355  /* Set lz4 preferences. */
1356 
1357  memset(&comp->lz4f_prefs, '\0', sizeof(comp->lz4f_prefs));
1358  comp->lz4f_prefs.frameInfo.blockSizeID = LZ4F_max4MB;
1359  comp->lz4f_prefs.frameInfo.blockMode = LZ4F_blockLinked;
1360  if (ConfNodeChildValueIsTrue(conf, "lz4-checksum")) {
1361  comp->lz4f_prefs.frameInfo.contentChecksumFlag = 1;
1362  }
1363  else {
1364  comp->lz4f_prefs.frameInfo.contentChecksumFlag = 0;
1365  }
1366  intmax_t lvl = 0;
1367  if (ConfGetChildValueInt(conf, "lz4-level", &lvl)) {
1368  if (lvl > 16) {
1369  lvl = 16;
1370  } else if (lvl < 0) {
1371  lvl = 0;
1372  }
1373  } else {
1374  lvl = 0;
1375  }
1376  comp->lz4f_prefs.compressionLevel = lvl;
1377 
1378  /* Allocate resources for lz4. */
1379 
1380  LZ4F_errorCode_t errcode =
1381  LZ4F_createCompressionContext(&pl->compression.lz4f_context, 1);
1382 
1383  if (LZ4F_isError(errcode)) {
1385  "LZ4F_createCompressionContext failed: %s",
1386  LZ4F_getErrorName(errcode));
1387  exit(EXIT_FAILURE);
1388  }
1389 
1390  /* Calculate the size of the lz4 output buffer. */
1391 
1392  comp->buffer_size = LZ4F_compressBound(comp->pcap_buf_size,
1393  &comp->lz4f_prefs);
1394 
1395  comp->buffer = SCMalloc(comp->buffer_size);
1396  if (unlikely(comp->buffer == NULL)) {
1397  SCLogError(SC_ERR_MEM_ALLOC, "Failed to allocate memory for "
1398  "lz4 output buffer.");
1399  exit(EXIT_FAILURE);
1400  }
1401 
1402  comp->bytes_in_block = 0;
1403 
1404  /* Add the lz4 file extension to the log files. */
1405 
1406  pl->suffix = ".lz4";
1407 #else
1408  SCLogError(SC_ERR_INVALID_ARGUMENT, "lz4 compression was selected "
1409  "in pcap-log, but suricata was not compiled with lz4 "
1410  "support.");
1411  PcapLogDataFree(pl);
1412  return result;
1413 #endif /* HAVE_LIBLZ4 */
1414  }
1415  else {
1416  SCLogError(SC_ERR_INVALID_ARGUMENT, "Unsupported pcap-log "
1417  "compression format: %s", compression_str);
1418  PcapLogDataFree(pl);
1419  return result;
1420  }
1421 
1422  SCLogInfo("Selected pcap-log compression method: %s",
1423  compression_str ? compression_str : "none");
1424  }
1425 
1426  SCLogInfo("using %s logging", pl->mode == LOGMODE_SGUIL ?
1427  "Sguil compatible" : (pl->mode == LOGMODE_MULTI ? "multi" : "normal"));
1428 
1429  uint32_t max_file_limit = DEFAULT_FILE_LIMIT;
1430  if (conf != NULL) {
1431  const char *max_number_of_files_s = NULL;
1432  max_number_of_files_s = ConfNodeLookupChildValue(conf, "max-files");
1433  if (max_number_of_files_s != NULL) {
1434  if (StringParseUint32(&max_file_limit, 10, 0,
1435  max_number_of_files_s) == -1) {
1436  SCLogError(SC_ERR_INVALID_ARGUMENT, "Failed to initialize "
1437  "pcap-log output, invalid number of files limit: %s",
1438  max_number_of_files_s);
1439  exit(EXIT_FAILURE);
1440  } else if (max_file_limit < 1) {
1442  "Failed to initialize pcap-log output, limit less than "
1443  "allowed minimum.");
1444  exit(EXIT_FAILURE);
1445  } else {
1446  pl->max_files = max_file_limit;
1447  pl->use_ringbuffer = RING_BUFFER_MODE_ENABLED;
1448  }
1449  }
1450  }
1451 
1452  const char *ts_format = NULL;
1453  if (conf != NULL) { /* To faciliate unit tests. */
1454  ts_format = ConfNodeLookupChildValue(conf, "ts-format");
1455  }
1456  if (ts_format != NULL) {
1457  if (strcasecmp(ts_format, "usec") == 0) {
1458  pl->timestamp_format = TS_FORMAT_USEC;
1459  } else if (strcasecmp(ts_format, "sec") != 0) {
1461  "log-pcap ts_format specified %s is invalid must be"
1462  " \"sec\" or \"usec\"", ts_format);
1463  exit(EXIT_FAILURE);
1464  }
1465  }
1466 
1467  const char *use_stream_depth = NULL;
1468  if (conf != NULL) { /* To faciliate unit tests. */
1469  use_stream_depth = ConfNodeLookupChildValue(conf, "use-stream-depth");
1470  }
1471  if (use_stream_depth != NULL) {
1472  if (ConfValIsFalse(use_stream_depth)) {
1474  } else if (ConfValIsTrue(use_stream_depth)) {
1476  } else {
1478  "log-pcap use_stream_depth specified is invalid must be");
1479  exit(EXIT_FAILURE);
1480  }
1481  }
1482 
1483  const char *honor_pass_rules = NULL;
1484  if (conf != NULL) { /* To faciliate unit tests. */
1485  honor_pass_rules = ConfNodeLookupChildValue(conf, "honor-pass-rules");
1486  }
1487  if (honor_pass_rules != NULL) {
1488  if (ConfValIsFalse(honor_pass_rules)) {
1490  } else if (ConfValIsTrue(honor_pass_rules)) {
1492  } else {
1494  "log-pcap honor-pass-rules specified is invalid");
1495  exit(EXIT_FAILURE);
1496  }
1497  }
1498 
1499  /* create the output ctx and send it back */
1500 
1501  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
1502  if (unlikely(output_ctx == NULL)) {
1503  SCLogError(SC_ERR_MEM_ALLOC, "Failed to allocate memory for OutputCtx.");
1504  exit(EXIT_FAILURE);
1505  }
1506  output_ctx->data = pl;
1507  output_ctx->DeInit = PcapLogFileDeInitCtx;
1508  g_pcap_data = pl;
1509 
1510  result.ctx = output_ctx;
1511  result.ok = true;
1512  return result;
1513 }
1514 
1515 static void PcapLogFileDeInitCtx(OutputCtx *output_ctx)
1516 {
1517  if (output_ctx == NULL)
1518  return;
1519 
1520  PcapLogData *pl = output_ctx->data;
1521 
1522  PcapFileName *pf = NULL;
1523  TAILQ_FOREACH(pf, &pl->pcap_file_list, next) {
1524  SCLogDebug("PCAP files left at exit: %s\n", pf->filename);
1525  }
1526  PcapLogDataFree(pl);
1527  SCFree(output_ctx);
1528  return;
1529 }
1530 
1531 /**
1532  * \brief Read the config set the file pointer, open the file
1533  *
1534  * \param PcapLogData.
1535  *
1536  * \retval -1 if failure
1537  * \retval 0 if succesful
1538  */
1539 static int PcapLogOpenFileCtx(PcapLogData *pl)
1540 {
1541  char *filename = NULL;
1542 
1544 
1545  if (pl->filename != NULL)
1546  filename = pl->filename;
1547  else {
1548  filename = SCMalloc(PATH_MAX);
1549  if (unlikely(filename == NULL)) {
1550  return -1;
1551  }
1552  pl->filename = filename;
1553  }
1554 
1555  /** get the time so we can have a filename with seconds since epoch */
1556  struct timeval ts;
1557  memset(&ts, 0x00, sizeof(struct timeval));
1558  TimeGet(&ts);
1559 
1560  /* Place to store the name of our PCAP file */
1561  PcapFileName *pf = SCMalloc(sizeof(PcapFileName));
1562  if (unlikely(pf == NULL)) {
1563  return -1;
1564  }
1565  memset(pf, 0, sizeof(PcapFileName));
1566 
1567  if (pl->mode == LOGMODE_SGUIL) {
1568  struct tm local_tm;
1569  struct tm *tms = SCLocalTime(ts.tv_sec, &local_tm);
1570 
1571  char dirname[32], dirfull[PATH_MAX] = "";
1572 
1573  snprintf(dirname, sizeof(dirname), "%04d-%02d-%02d",
1574  tms->tm_year + 1900, tms->tm_mon + 1, tms->tm_mday);
1575 
1576  /* create the filename to use */
1577  int ret = snprintf(dirfull, sizeof(dirfull), "%s/%s", pl->dir, dirname);
1578  if (ret < 0 || (size_t)ret >= sizeof(dirfull)) {
1579  SCLogError(SC_ERR_SPRINTF,"failed to construct path");
1580  goto error;
1581  }
1582 
1583  /* if mkdir fails file open will fail, so deal with errors there */
1584  (void)SCMkDir(dirfull, 0700);
1585 
1586  if ((pf->dirname = SCStrdup(dirfull)) == NULL) {
1587  SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory for "
1588  "directory name");
1589  goto error;
1590  }
1591 
1592  int written;
1593  if (pl->timestamp_format == TS_FORMAT_SEC) {
1594  written = snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32 "%s",
1595  dirfull, pl->prefix, (uint32_t)ts.tv_sec, pl->suffix);
1596  } else {
1597  written = snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32 ".%" PRIu32 "%s",
1598  dirfull, pl->prefix, (uint32_t)ts.tv_sec,
1599  (uint32_t)ts.tv_usec, pl->suffix);
1600  }
1601  if (written == PATH_MAX) {
1602  SCLogError(SC_ERR_SPRINTF,"log-pcap path overflow");
1603  goto error;
1604  }
1605  } else if (pl->mode == LOGMODE_NORMAL) {
1606  int ret;
1607  /* create the filename to use */
1608  if (pl->timestamp_format == TS_FORMAT_SEC) {
1609  ret = snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32 "%s", pl->dir,
1610  pl->prefix, (uint32_t)ts.tv_sec, pl->suffix);
1611  } else {
1612  ret = snprintf(filename, PATH_MAX,
1613  "%s/%s.%" PRIu32 ".%" PRIu32 "%s", pl->dir, pl->prefix,
1614  (uint32_t)ts.tv_sec, (uint32_t)ts.tv_usec, pl->suffix);
1615  }
1616  if (ret < 0 || (size_t)ret >= PATH_MAX) {
1617  SCLogError(SC_ERR_SPRINTF,"failed to construct path");
1618  goto error;
1619  }
1620  } else if (pl->mode == LOGMODE_MULTI) {
1621  if (pl->filename_part_cnt > 0) {
1622  /* assemble filename from stored tokens */
1623 
1624  strlcpy(filename, pl->dir, PATH_MAX);
1625  strlcat(filename, "/", PATH_MAX);
1626 
1627  int i;
1628  for (i = 0; i < pl->filename_part_cnt; i++) {
1629  if (pl->filename_parts[i] == NULL ||strlen(pl->filename_parts[i]) == 0)
1630  continue;
1631 
1632  /* handle variables */
1633  if (pl->filename_parts[i][0] == '%') {
1634  char str[64] = "";
1635  if (strlen(pl->filename_parts[i]) < 2)
1636  continue;
1637 
1638  switch(pl->filename_parts[i][1]) {
1639  case 'n':
1640  snprintf(str, sizeof(str), "%u", pl->thread_number);
1641  break;
1642  case 'i':
1643  {
1644  long thread_id = SCGetThreadIdLong();
1645  snprintf(str, sizeof(str), "%"PRIu64, (uint64_t)thread_id);
1646  break;
1647  }
1648  case 't':
1649  /* create the filename to use */
1650  if (pl->timestamp_format == TS_FORMAT_SEC) {
1651  snprintf(str, sizeof(str), "%"PRIu32, (uint32_t)ts.tv_sec);
1652  } else {
1653  snprintf(str, sizeof(str), "%"PRIu32".%"PRIu32,
1654  (uint32_t)ts.tv_sec, (uint32_t)ts.tv_usec);
1655  }
1656  }
1657  strlcat(filename, str, PATH_MAX);
1658 
1659  /* copy the rest over */
1660  } else {
1661  strlcat(filename, pl->filename_parts[i], PATH_MAX);
1662  }
1663  }
1664  strlcat(filename, pl->suffix, PATH_MAX);
1665  } else {
1666  int ret;
1667  /* create the filename to use */
1668  if (pl->timestamp_format == TS_FORMAT_SEC) {
1669  ret = snprintf(filename, PATH_MAX, "%s/%s.%u.%" PRIu32 "%s",
1670  pl->dir, pl->prefix, pl->thread_number,
1671  (uint32_t)ts.tv_sec, pl->suffix);
1672  } else {
1673  ret = snprintf(filename, PATH_MAX,
1674  "%s/%s.%u.%" PRIu32 ".%" PRIu32 "%s", pl->dir,
1675  pl->prefix, pl->thread_number, (uint32_t)ts.tv_sec,
1676  (uint32_t)ts.tv_usec, pl->suffix);
1677  }
1678  if (ret < 0 || (size_t)ret >= PATH_MAX) {
1679  SCLogError(SC_ERR_SPRINTF,"failed to construct path");
1680  goto error;
1681  }
1682  }
1683  SCLogDebug("multi-mode: filename %s", filename);
1684  }
1685 
1686  if ((pf->filename = SCStrdup(pl->filename)) == NULL) {
1687  SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory. For filename");
1688  goto error;
1689  }
1690  SCLogDebug("Opening pcap file log %s", pf->filename);
1691  TAILQ_INSERT_TAIL(&pl->pcap_file_list, pf, next);
1692 
1694  return 0;
1695 
1696 error:
1697  PcapFileNameFree(pf);
1698  return -1;
1699 }
1700 
1701 static int profiling_pcaplog_enabled = 0;
1702 static int profiling_pcaplog_output_to_file = 0;
1703 static char *profiling_pcaplog_file_name = NULL;
1704 static const char *profiling_pcaplog_file_mode = "a";
1705 
1706 static void FormatNumber(uint64_t num, char *str, size_t size)
1707 {
1708  if (num < 1000UL)
1709  snprintf(str, size, "%"PRIu64, num);
1710  else if (num < 1000000UL)
1711  snprintf(str, size, "%3.1fk", (float)num/1000UL);
1712  else if (num < 1000000000UL)
1713  snprintf(str, size, "%3.1fm", (float)num/1000000UL);
1714  else
1715  snprintf(str, size, "%3.1fb", (float)num/1000000000UL);
1716 }
1717 
1718 static void ProfileReportPair(FILE *fp, const char *name, PcapLogProfileData *p)
1719 {
1720  char ticks_str[32] = "n/a";
1721  char cnt_str[32] = "n/a";
1722  char avg_str[32] = "n/a";
1723 
1724  FormatNumber((uint64_t)p->cnt, cnt_str, sizeof(cnt_str));
1725  FormatNumber((uint64_t)p->total, ticks_str, sizeof(ticks_str));
1726  if (p->cnt && p->total)
1727  FormatNumber((uint64_t)(p->total/p->cnt), avg_str, sizeof(avg_str));
1728 
1729  fprintf(fp, "%-28s %-10s %-10s %-10s\n", name, cnt_str, avg_str, ticks_str);
1730 }
1731 
1732 static void ProfileReport(FILE *fp, PcapLogData *pl)
1733 {
1734  ProfileReportPair(fp, "open", &pl->profile_open);
1735  ProfileReportPair(fp, "close", &pl->profile_close);
1736  ProfileReportPair(fp, "write", &pl->profile_write);
1737  ProfileReportPair(fp, "rotate (incl open/close)", &pl->profile_rotate);
1738  ProfileReportPair(fp, "handles", &pl->profile_handles);
1739  ProfileReportPair(fp, "lock", &pl->profile_lock);
1740  ProfileReportPair(fp, "unlock", &pl->profile_unlock);
1741 }
1742 
1743 static void FormatBytes(uint64_t num, char *str, size_t size)
1744 {
1745  if (num < 1000UL)
1746  snprintf(str, size, "%"PRIu64, num);
1747  else if (num < 1048576UL)
1748  snprintf(str, size, "%3.1fKiB", (float)num/1000UL);
1749  else if (num < 1073741824UL)
1750  snprintf(str, size, "%3.1fMiB", (float)num/1000000UL);
1751  else
1752  snprintf(str, size, "%3.1fGiB", (float)num/1000000000UL);
1753 }
1754 
1755 static void PcapLogProfilingDump(PcapLogData *pl)
1756 {
1757  FILE *fp = NULL;
1758 
1759  if (profiling_pcaplog_enabled == 0)
1760  return;
1761 
1762  if (profiling_pcaplog_output_to_file == 1) {
1763  fp = fopen(profiling_pcaplog_file_name, profiling_pcaplog_file_mode);
1764  if (fp == NULL) {
1765  SCLogError(SC_ERR_FOPEN, "failed to open %s: %s",
1766  profiling_pcaplog_file_name, strerror(errno));
1767  return;
1768  }
1769  } else {
1770  fp = stdout;
1771  }
1772 
1773  /* counters */
1774  fprintf(fp, "\n\nOperation Cnt Avg ticks Total ticks\n");
1775  fprintf(fp, "---------------------------- ---------- ---------- -----------\n");
1776 
1777  ProfileReport(fp, pl);
1778  uint64_t total = pl->profile_write.total + pl->profile_rotate.total +
1781  pl->profile_unlock.total;
1782 
1783  /* overall stats */
1784  fprintf(fp, "\nOverall: %"PRIu64" bytes written, average %d bytes per write.\n",
1786  (int)(pl->profile_data_size / pl->profile_write.cnt) : 0);
1787  fprintf(fp, " PCAP data structure overhead: %"PRIuMAX" per write.\n",
1788  (uintmax_t)sizeof(struct pcap_pkthdr));
1789 
1790  /* print total bytes written */
1791  char bytes_str[32];
1792  FormatBytes(pl->profile_data_size, bytes_str, sizeof(bytes_str));
1793  fprintf(fp, " Size written: %s\n", bytes_str);
1794 
1795  /* ticks per MiB and GiB */
1796  uint64_t ticks_per_mib = 0, ticks_per_gib = 0;
1797  uint64_t mib = pl->profile_data_size/(1024*1024);
1798  if (mib)
1799  ticks_per_mib = total/mib;
1800  char ticks_per_mib_str[32] = "n/a";
1801  if (ticks_per_mib > 0)
1802  FormatNumber(ticks_per_mib, ticks_per_mib_str, sizeof(ticks_per_mib_str));
1803  fprintf(fp, " Ticks per MiB: %s\n", ticks_per_mib_str);
1804 
1805  uint64_t gib = pl->profile_data_size/(1024*1024*1024);
1806  if (gib)
1807  ticks_per_gib = total/gib;
1808  char ticks_per_gib_str[32] = "n/a";
1809  if (ticks_per_gib > 0)
1810  FormatNumber(ticks_per_gib, ticks_per_gib_str, sizeof(ticks_per_gib_str));
1811  fprintf(fp, " Ticks per GiB: %s\n", ticks_per_gib_str);
1812 
1813  if (fp != stdout)
1814  fclose(fp);
1815 }
1816 
1818 {
1819  ConfNode *conf = ConfGetNode("profiling.pcap-log");
1820  if (conf != NULL && ConfNodeChildValueIsTrue(conf, "enabled")) {
1821  profiling_pcaplog_enabled = 1;
1822  SCLogInfo("pcap-log profiling enabled");
1823 
1824  const char *filename = ConfNodeLookupChildValue(conf, "filename");
1825  if (filename != NULL) {
1826  const char *log_dir;
1827  log_dir = ConfigGetLogDirectory();
1828 
1829  profiling_pcaplog_file_name = SCMalloc(PATH_MAX);
1830  if (unlikely(profiling_pcaplog_file_name == NULL)) {
1831  SCLogError(SC_ERR_MEM_ALLOC, "can't duplicate file name");
1832  exit(EXIT_FAILURE);
1833  }
1834 
1835  snprintf(profiling_pcaplog_file_name, PATH_MAX, "%s/%s", log_dir, filename);
1836 
1837  const char *v = ConfNodeLookupChildValue(conf, "append");
1838  if (v == NULL || ConfValIsTrue(v)) {
1839  profiling_pcaplog_file_mode = "a";
1840  } else {
1841  profiling_pcaplog_file_mode = "w";
1842  }
1843 
1844  profiling_pcaplog_output_to_file = 1;
1845  SCLogInfo("pcap-log profiling output goes to %s (mode %s)",
1846  profiling_pcaplog_file_name, profiling_pcaplog_file_mode);
1847  }
1848  }
1849 }
SC_ERR_FWRITE
@ SC_ERR_FWRITE
Definition: util-error.h:129
util-byte.h
PcapLogCompressionData_::pcap_buf_size
uint64_t pcap_buf_size
Definition: log-pcap.c:131
ConfGetChildValueInt
int ConfGetChildValueInt(const ConfNode *base, const char *name, intmax_t *val)
Definition: conf.c:469
tm-threads.h
PcapLogData
struct PcapLogData_ PcapLogData
PcapLogProfileData_
Definition: log-pcap.c:108
len
uint8_t len
Definition: app-layer-dnp3.h:2
ts
uint64_t ts
Definition: source-erf-file.c:54
SC_ERR_PCRE_COMPILE
@ SC_ERR_PCRE_COMPILE
Definition: util-error.h:35
source-pcap.h
PcapLogThreadData
struct PcapLogThreadData_ PcapLogThreadData
ConfNodeChildValueIsTrue
int ConfNodeChildValueIsTrue(const ConfNode *node, const char *key)
Test if a configuration node has a true value.
Definition: conf.c:888
util-fmemopen.h
TAILQ_INIT
#define TAILQ_INIT(head)
Definition: queue.h:370
SC_ATOMIC_INIT
#define SC_ATOMIC_INIT(name)
wrapper for initializing an atomic variable.
Definition: util-atomic.h:286
USE_STREAM_DEPTH_DISABLED
#define USE_STREAM_DEPTH_DISABLED
Definition: log-pcap.c:84
PcapFileName_::secs
uint64_t secs
Definition: log-pcap.c:101
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition: util-atomic.h:355
PcapLogData_::pcap_dumper
pcap_dumper_t * pcap_dumper
Definition: log-pcap.c:154
TS_FORMAT_SEC
#define TS_FORMAT_SEC
Definition: log-pcap.c:81
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
ParseSizeStringU64
int ParseSizeStringU64(const char *size, uint64_t *res)
Definition: util-misc.c:203
PcapFileName_::usecs
uint32_t usecs
Definition: log-pcap.c:102
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
PcapLogData_::filename
char * filename
Definition: log-pcap.c:148
HONOR_PASS_RULES_ENABLED
#define HONOR_PASS_RULES_ENABLED
Definition: log-pcap.c:88
Packet_::flags
uint32_t flags
Definition: decode.h:446
ConfGetNode
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
Definition: conf.c:176
DEFAULT_LOG_FILENAME
#define DEFAULT_LOG_FILENAME
Definition: log-pcap.c:68
threads.h
SC_ATOMIC_ADD
#define SC_ATOMIC_ADD(name, val)
add a value to our atomic variable
Definition: util-atomic.h:304
RING_BUFFER_MODE_ENABLED
#define RING_BUFFER_MODE_ENABLED
Definition: log-pcap.c:79
PcapLogData_::mode
int mode
Definition: log-pcap.c:149
SC_ERR_PCAP_FILE_DELETE_FAILED
@ SC_ERR_PCAP_FILE_DELETE_FAILED
Definition: util-error.h:226
IS_TUNNEL_ROOT_PKT
#define IS_TUNNEL_ROOT_PKT(p)
Definition: decode.h:877
TAILQ_EMPTY
#define TAILQ_EMPTY(head)
Definition: queue.h:347
PcapLogData_::pkt_cnt
uint64_t pkt_cnt
Definition: log-pcap.c:146
HONOR_PASS_RULES_DISABLED
#define HONOR_PASS_RULES_DISABLED
Definition: log-pcap.c:87
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:350
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
PcapLogData_::use_stream_depth
int use_stream_depth
Definition: log-pcap.c:142
PcapLogCompressionData_::format
enum PcapLogCompressionFormat format
Definition: log-pcap.c:122
PcapLogProfileData
struct PcapLogProfileData_ PcapLogProfileData
PcapLogData_::profile_handles
PcapLogProfileData profile_handles
Definition: log-pcap.c:162
LOGMODE_MULTI
#define LOGMODE_MULTI
Definition: log-pcap.c:76
TAILQ_INSERT_TAIL
#define TAILQ_INSERT_TAIL(head, elm, field)
Definition: queue.h:385
PcapLogRegister
void PcapLogRegister(void)
Definition: log-pcap.c:205
SCFmemopen
#define SCFmemopen
Definition: util-fmemopen.h:52
PcapLogCompressionData_::buffer
uint8_t * buffer
Definition: log-pcap.c:123
DEFAULT_LIMIT
#define DEFAULT_LIMIT
Definition: log-pcap.c:71
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:79
PcapLogData_::pcap_dead_handle
pcap_t * pcap_dead_handle
Definition: log-pcap.c:153
util-unittest.h
PcapLogData_::size_current
uint64_t size_current
Definition: log-pcap.c:151
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:566
PcapLogData_::profile_rotate
PcapLogProfileData profile_rotate
Definition: log-pcap.c:165
OutputCtx_::data
void * data
Definition: tm-modules.h:81
PcapLogCompressionData_
Definition: log-pcap.c:121
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:78
PCAPLOG_PROFILE_END
#define PCAPLOG_PROFILE_END(prof)
Definition: log-pcap.c:219
OutputCtx_
Definition: tm-modules.h:78
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
PcapLogCompressionData_::bytes_in_block
uint64_t bytes_in_block
Definition: log-pcap.c:133
TAILQ_ENTRY
#define TAILQ_ENTRY(type)
Definition: queue.h:330
Packet_::datalink
int datalink
Definition: decode.h:577
PcapLogData_::size_limit
uint64_t size_limit
Definition: log-pcap.c:152
PcapLogProfileData_::cnt
uint64_t cnt
Definition: log-pcap.c:110
PcapLogData_::max_files
uint32_t max_files
Definition: log-pcap.c:157
PcapLogCompressionData_::file
FILE * file
Definition: log-pcap.c:129
TAILQ_REMOVE
#define TAILQ_REMOVE(head, elm, field)
Definition: queue.h:412
util-debug.h
TAILQ_FIRST
#define TAILQ_FIRST(head)
Definition: queue.h:339
util-error.h
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:42
PCAP_LOG_COMPRESSION_FORMAT_NONE
@ PCAP_LOG_COMPRESSION_FORMAT_NONE
Definition: log-pcap.c:117
strlcat
size_t strlcat(char *, const char *src, size_t siz)
Definition: util-strlcatu.c:45
util-cpu.h
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
PKT_PSEUDO_STREAM_END
#define PKT_PSEUDO_STREAM_END
Definition: decode.h:1088
PCAP_LOG_COMPRESSION_FORMAT_LZ4
@ PCAP_LOG_COMPRESSION_FORMAT_LZ4
Definition: log-pcap.c:118
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:228
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
PcapLogProfileData_::total
uint64_t total
Definition: log-pcap.c:109
util-atomic.h
util-time.h
OutputInitResult_::ok
bool ok
Definition: output.h:43
SC_ERR_INVALID_ARGUMENT
@ SC_ERR_INVALID_ARGUMENT
Definition: util-error.h:43
TRUE
#define TRUE
Definition: suricata-common.h:33
PcapFileName_::dirname
char * dirname
Definition: log-pcap.c:96
PcapLogData_::file_cnt
uint32_t file_cnt
Definition: log-pcap.c:156
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:282
FALSE
#define FALSE
Definition: suricata-common.h:34
SC_ERR_FOPEN
@ SC_ERR_FOPEN
Definition: util-error.h:74
Packet_
Definition: decode.h:411
SC_ERR_SPRINTF
@ SC_ERR_SPRINTF
Definition: util-error.h:42
SCLocalTime
struct tm * SCLocalTime(time_t timep, struct tm *result)
Definition: util-time.c:270
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:227
conf.h
DEFAULT_FILE_LIMIT
#define DEFAULT_FILE_LIMIT
Definition: log-pcap.c:72
StringParseUint64
int StringParseUint64(uint64_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:308
TmEcode
TmEcode
Definition: tm-threads-common.h:77
RING_BUFFER_MODE_DISABLED
#define RING_BUFFER_MODE_DISABLED
Definition: log-pcap.c:78
PCAP_SNAPLEN
#define PCAP_SNAPLEN
Definition: log-pcap.c:90
PcapLogData_::plog_lock
SCMutex plog_lock
Definition: log-pcap.c:145
PcapLogData_::h
struct pcap_pkthdr * h
Definition: log-pcap.c:147
IS_TUNNEL_PKT
#define IS_TUNNEL_PKT(p)
Definition: decode.h:874
queue.h
SC_ERR_PCRE_STUDY
@ SC_ERR_PCRE_STUDY
Definition: util-error.h:36
PcapLogCompressionData_::pcap_buf
uint8_t * pcap_buf
Definition: log-pcap.c:130
SC_WARN_REMOVE_FILE
@ SC_WARN_REMOVE_FILE
Definition: util-error.h:325
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:217
SC_ERR_INVALID_YAML_CONF_ENTRY
@ SC_ERR_INVALID_YAML_CONF_ENTRY
Definition: util-error.h:169
SC_ERR_LOGPCAP_SGUIL_BASE_DIR_MISSING
@ SC_ERR_LOGPCAP_SGUIL_BASE_DIR_MISSING
Definition: util-error.h:217
PcapLogData_::prev_day
int prev_day
Definition: log-pcap.c:150
SCMutexInit
#define SCMutexInit(mut, mutattrs)
Definition: threads-debug.h:116
PCAPLOG_PROFILE_START
#define PCAPLOG_PROFILE_START
Definition: log-pcap.c:216
log-pcap.h
SCGetThreadIdLong
#define SCGetThreadIdLong(...)
Definition: threads.h:261
PcapLogData_::honor_pass_rules
int honor_pass_rules
Definition: log-pcap.c:143
decode-ipv4.h
StringParseUint32
int StringParseUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:313
PcapLogData_::profile_open
PcapLogProfileData profile_open
Definition: log-pcap.c:164
PcapLogData_::profile_lock
PcapLogProfileData profile_lock
Definition: log-pcap.c:159
OutputInitResult_
Definition: output.h:41
LOGGER_PCAP
@ LOGGER_PCAP
Definition: suricata-common.h:486
Packet_::ts
struct timeval ts
Definition: decode.h:454
suricata-common.h
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
LOGMODE_NORMAL
#define LOGMODE_NORMAL
Definition: log-pcap.c:74
PKT_STREAM_NOPCAPLOG
#define PKT_STREAM_NOPCAPLOG
Definition: decode.h:1091
PcapLogData_::profile_data_size
uint64_t profile_data_size
Definition: log-pcap.c:155
TAILQ_NEXT
#define TAILQ_NEXT(elm, field)
Definition: queue.h:341
PathIsAbsolute
int PathIsAbsolute(const char *path)
Check if a path is absolute.
Definition: util-path.c:39
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
PcapLogProfileSetup
void PcapLogProfileSetup(void)
Definition: log-pcap.c:1817
SCMkDir
#define SCMkDir(a, b)
Definition: util-path.h:29
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
FatalError
#define FatalError(x,...)
Definition: util-debug.h:532
PcapLogCompressionData_::buffer_size
uint64_t buffer_size
Definition: log-pcap.c:124
SC_ERR_FSEEK
@ SC_ERR_FSEEK
Definition: util-error.h:344
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
OutputRegisterPacketModule
void OutputRegisterPacketModule(LoggerId id, const char *name, const char *conf_name, OutputInitFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output module.
Definition: output.c:171
PcapLogThreadData_
Definition: log-pcap.c:183
threadvars.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SC_ERR_PCAP_LOG_COMPRESS
@ SC_ERR_PCAP_LOG_COMPRESS
Definition: util-error.h:343
PcapFileName_::filename
char * filename
Definition: log-pcap.c:95
str
#define str(s)
Definition: suricata-common.h:273
MAX_TOKS
#define MAX_TOKS
Definition: log-pcap.c:113
PcapLogCompressionData
struct PcapLogCompressionData_ PcapLogCompressionData
ConfigGetLogDirectory
const char * ConfigGetLogDirectory()
Definition: util-conf.c:36
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:244
MODULE_NAME
#define MODULE_NAME
Definition: log-pcap.c:69
SCFree
#define SCFree(p)
Definition: util-mem.h:61
ConfNode_
Definition: conf.h:32
SC_ATOMIC_DECLARE
SC_ATOMIC_DECLARE(uint32_t, thread_cnt)
PcapLogCompressionData_::pcap_buf_wrapper
FILE * pcap_buf_wrapper
Definition: log-pcap.c:132
src
uint16_t src
Definition: app-layer-dnp3.h:5
PcapFileName_
Definition: log-pcap.c:94
ConfValIsFalse
int ConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:591
TAILQ_HEAD
#define TAILQ_HEAD(name, type)
Definition: queue.h:321
PcapLogData_::profile_unlock
PcapLogProfileData profile_unlock
Definition: log-pcap.c:161
TimeGet
void TimeGet(struct timeval *tv)
Definition: util-time.c:153
USE_STREAM_DEPTH_ENABLED
#define USE_STREAM_DEPTH_ENABLED
Definition: log-pcap.c:85
SC_ERR_MEM_ALLOC
@ SC_ERR_MEM_ALLOC
Definition: util-error.h:31
PcapLogData_::profile_close
PcapLogProfileData profile_close
Definition: log-pcap.c:163
PKT_NOPACKET_INSPECTION
#define PKT_NOPACKET_INSPECTION
Definition: decode.h:1080
PcapFileName
struct PcapFileName_ PcapFileName
MIN_LIMIT
#define MIN_LIMIT
Definition: log-pcap.c:70
dst
uint16_t dst
Definition: app-layer-dnp3.h:4
util-misc.h
PcapLogData_
Definition: log-pcap.c:141
flow.h
PcapLogThreadData_::pcap_log
PcapLogData * pcap_log
Definition: log-pcap.c:184
SCLogNotice
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:232
TAILQ_INSERT_BEFORE
#define TAILQ_INSERT_BEFORE(listelm, elm, field)
Definition: queue.h:405
PcapLogData_::profile_write
PcapLogProfileData profile_write
Definition: log-pcap.c:160
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
TS_FORMAT_USEC
#define TS_FORMAT_USEC
Definition: log-pcap.c:82
SC_ERR_DIR_OPEN
@ SC_ERR_DIR_OPEN
Definition: util-error.h:324
SC_ERR_LOGDIR_CONFIG
@ SC_ERR_LOGDIR_CONFIG
Definition: util-error.h:146
SCMutex
#define SCMutex
Definition: threads-debug.h:114
PcapLogData_::is_private
int is_private
Definition: log-pcap.c:144
LOGMODE_SGUIL
#define LOGMODE_SGUIL
Definition: log-pcap.c:75
MAX_FILENAMELEN
#define MAX_FILENAMELEN
Definition: log-pcap.c:114
SC_ERR_OPENING_FILE
@ SC_ERR_OPENING_FILE
Definition: util-error.h:70
debug.h
output.h
PcapLogCompressionFormat
PcapLogCompressionFormat
Definition: log-pcap.c:116
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:843