suricata
log-pcap.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2014 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 
19 /**
20  * \file
21  *
22  * \author William Metcalf <William.Metcalf@gmail.com>
23  * \author Victor Julien <victor@inliniac.net>
24  *
25  * Pcap packet logging module.
26  */
27 
28 #include "suricata-common.h"
29 #include "util-fmemopen.h"
30 
31 #ifdef HAVE_LIBLZ4
32 #include <lz4frame.h>
33 #endif /* HAVE_LIBLZ4 */
34 
35 #if defined(HAVE_DIRENT_H) && defined(HAVE_FNMATCH_H)
36 #define INIT_RING_BUFFER
37 #include <dirent.h>
38 #include <fnmatch.h>
39 #endif
40 
41 #include "debug.h"
42 #include "detect.h"
43 #include "flow.h"
44 #include "conf.h"
45 
46 #include "threads.h"
47 #include "threadvars.h"
48 #include "tm-threads.h"
49 
50 #include "util-unittest.h"
51 #include "log-pcap.h"
52 #include "decode-ipv4.h"
53 
54 #include "util-error.h"
55 #include "util-debug.h"
56 #include "util-time.h"
57 #include "util-byte.h"
58 #include "util-misc.h"
59 #include "util-cpu.h"
60 #include "util-atomic.h"
61 
62 #include "source-pcap.h"
63 
64 #include "output.h"
65 
66 #include "queue.h"
67 
68 #define DEFAULT_LOG_FILENAME "pcaplog"
69 #define MODULE_NAME "PcapLog"
70 #define MIN_LIMIT 4 * 1024 * 1024
71 #define DEFAULT_LIMIT 100 * 1024 * 1024
72 #define DEFAULT_FILE_LIMIT 0
73 
74 #define LOGMODE_NORMAL 0
75 #define LOGMODE_SGUIL 1
76 #define LOGMODE_MULTI 2
77 
78 #define RING_BUFFER_MODE_DISABLED 0
79 #define RING_BUFFER_MODE_ENABLED 1
80 
81 #define TS_FORMAT_SEC 0
82 #define TS_FORMAT_USEC 1
83 
84 #define USE_STREAM_DEPTH_DISABLED 0
85 #define USE_STREAM_DEPTH_ENABLED 1
86 
87 #define HONOR_PASS_RULES_DISABLED 0
88 #define HONOR_PASS_RULES_ENABLED 1
89 
90 #define PCAP_SNAPLEN 262144
91 
92 SC_ATOMIC_DECLARE(uint32_t, thread_cnt);
93 
94 typedef struct PcapFileName_ {
95  char *filename;
96  char *dirname;
97 
98  /* Like a struct timeval, but with fixed size. This is only used when
99  * seeding the ring buffer on start. */
100  struct {
101  uint64_t secs;
102  uint32_t usecs;
103  };
104 
105  TAILQ_ENTRY(PcapFileName_) next; /**< Pointer to next Pcap File for tailq. */
106 } PcapFileName;
107 
108 typedef struct PcapLogProfileData_ {
109  uint64_t total;
110  uint64_t cnt;
111 } PcapLogProfileData;
112 
113 #define MAX_TOKS 9
114 #define MAX_FILENAMELEN 513
115 
116 enum PcapLogCompressionFormat {
117  PCAP_LOG_COMPRESSION_FORMAT_NONE,
118  PCAP_LOG_COMPRESSION_FORMAT_LZ4,
119 };
120 
121 typedef struct PcapLogCompressionData_ {
122  enum PcapLogCompressionFormat format;
123  uint8_t *buffer;
124  uint64_t buffer_size;
125 #ifdef HAVE_LIBLZ4
126  LZ4F_compressionContext_t lz4f_context;
127  LZ4F_preferences_t lz4f_prefs;
128 #endif /* HAVE_LIBLZ4 */
129  FILE *file;
130  uint8_t *pcap_buf;
131  uint64_t pcap_buf_size;
132  FILE *pcap_buf_wrapper;
133  uint64_t bytes_in_block;
134 } PcapLogCompressionData;
135 
136 /**
137  * PcapLog thread vars
138  *
139  * Used for storing file options.
140  */
141 typedef struct PcapLogData_ {
142  int use_stream_depth; /**< use stream depth i.e. ignore packets that reach limit */
143  int honor_pass_rules; /**< don't log if pass rules have matched */
144  int is_private; /**< TRUE if ctx is thread local */
145  SCMutex plog_lock;
146  uint64_t pkt_cnt; /**< total number of packets */
147  struct pcap_pkthdr *h; /**< pcap header struct */
148  char *filename; /**< current filename */
149  int mode; /**< normal or sguil */
150  int prev_day; /**< last day, for finding out when */
151  uint64_t size_current; /**< file current size */
152  uint64_t size_limit; /**< file size limit */
153  pcap_t *pcap_dead_handle; /**< pcap_dumper_t needs a handle */
154  pcap_dumper_t *pcap_dumper; /**< actually writes the packets */
155  uint64_t profile_data_size; /**< track in bytes how many bytes we wrote */
156  uint32_t file_cnt; /**< count of pcap files we currently have */
157  uint32_t max_files; /**< maximum files to use in ring buffer mode */
158 
159  PcapLogProfileData profile_lock;
160  PcapLogProfileData profile_write;
161  PcapLogProfileData profile_unlock;
162  PcapLogProfileData profile_handles; // open handles
163  PcapLogProfileData profile_close;
164  PcapLogProfileData profile_open;
165  PcapLogProfileData profile_rotate;
166 
167  TAILQ_HEAD(, PcapFileName_) pcap_file_list;
168 
169  uint32_t thread_number; /**< thread number, first thread is 1, second 2, etc */
170  int use_ringbuffer; /**< ring buffer mode enabled or disabled */
171  int timestamp_format; /**< timestamp format sec or usec */
172  char *prefix; /**< filename prefix */
173  const char *suffix; /**< filename suffix */
174  char dir[PATH_MAX]; /**< pcap log directory */
175  int reported;
176  int threads; /**< number of threads (only set in the global) */
177  char *filename_parts[MAX_TOKS];
178  int filename_part_cnt;
179 
180  PcapLogCompressionData compression;
181 } PcapLogData;
182 
183 typedef struct PcapLogThreadData_ {
184  PcapLogData *pcap_log;
185 } PcapLogThreadData;
186 
187 /* Pattern for extracting timestamp from pcap log files. */
188 static const char timestamp_pattern[] = ".*?(\\d+)(\\.(\\d+))?";
189 static pcre *pcre_timestamp_code = NULL;
190 static pcre_extra *pcre_timestamp_extra = NULL;
191 
192 /* global pcap data for when we're using multi mode. At exit we'll
193  * merge counters into this one and then report counters. */
194 static PcapLogData *g_pcap_data = NULL;
195 
196 static int PcapLogOpenFileCtx(PcapLogData *);
197 static int PcapLog(ThreadVars *, void *, const Packet *);
198 static TmEcode PcapLogDataInit(ThreadVars *, const void *, void **);
199 static TmEcode PcapLogDataDeinit(ThreadVars *, void *);
200 static void PcapLogFileDeInitCtx(OutputCtx *);
201 static OutputInitResult PcapLogInitCtx(ConfNode *);
202 static void PcapLogProfilingDump(PcapLogData *);
203 static int PcapLogCondition(ThreadVars *, const Packet *);
204 
205 void PcapLogRegister(void)
206 {
207  OutputRegisterPacketModule(LOGGER_PCAP, MODULE_NAME, "pcap-log",
208  PcapLogInitCtx, PcapLog, PcapLogCondition, PcapLogDataInit,
209  PcapLogDataDeinit, NULL);
210  PcapLogProfileSetup();
211  SC_ATOMIC_INIT(thread_cnt);
212  return;
213 }
214 
215 #define PCAPLOG_PROFILE_START \
216  uint64_t pcaplog_profile_ticks = UtilCpuGetTicks()
217 
218 #define PCAPLOG_PROFILE_END(prof) \
219  (prof).total += (UtilCpuGetTicks() - pcaplog_profile_ticks); \
220  (prof).cnt++
221 
222 static int PcapLogCondition(ThreadVars *tv, const Packet *p)
223 {
224  if (p->flags & PKT_PSEUDO_STREAM_END) {
225  return FALSE;
226  }
227  if (IS_TUNNEL_PKT(p) && !IS_TUNNEL_ROOT_PKT(p)) {
228  return FALSE;
229  }
230  return TRUE;
231 }
232 
233 /**
234  * \brief Function to close pcaplog file
235  *
236  * \param t Thread Variable containing input/output queue, cpu affinity etc.
237  * \param pl PcapLog thread variable.
238  */
239 static int PcapLogCloseFile(ThreadVars *t, PcapLogData *pl)
240 {
241  if (pl != NULL) {
242  PCAPLOG_PROFILE_START;
243 
244  if (pl->pcap_dumper != NULL) {
245  pcap_dump_close(pl->pcap_dumper);
246 #ifdef HAVE_LIBLZ4
247  PcapLogCompressionData *comp = &pl->compression;
248  if (comp->format == PCAP_LOG_COMPRESSION_FORMAT_LZ4) {
249  /* pcap_dump_close() has closed its output ``file'',
250  * so we need to call fmemopen again. */
251 
252  comp->pcap_buf_wrapper = SCFmemopen(comp->pcap_buf,
253  comp->pcap_buf_size, "w");
254  if (comp->pcap_buf_wrapper == NULL) {
255  SCLogError(SC_ERR_FOPEN, "SCFmemopen failed: %s",
256  strerror(errno));
257  return TM_ECODE_FAILED;
258  }
259  }
260 #endif /* HAVE_LIBLZ4 */
261  }
262  pl->size_current = 0;
263  pl->pcap_dumper = NULL;
264 
265  if (pl->pcap_dead_handle != NULL)
266  pcap_close(pl->pcap_dead_handle);
267  pl->pcap_dead_handle = NULL;
268 
269 #ifdef HAVE_LIBLZ4
270  PcapLogCompressionData *comp = &pl->compression;
271  if (comp->format == PCAP_LOG_COMPRESSION_FORMAT_LZ4) {
272  /* pcap_dump_close did not write any data because we call
273  * pcap_dump_flush() after every write when writing
274  * compressed output. */
275  uint64_t bytes_written = LZ4F_compressEnd(comp->lz4f_context,
276  comp->buffer, comp->buffer_size, NULL);
277  if (LZ4F_isError(bytes_written)) {
278  SCLogError(SC_ERR_PCAP_LOG_COMPRESS, "LZ4F_compressEnd: %s",
279  LZ4F_getErrorName(bytes_written));
280  return TM_ECODE_FAILED;
281  }
282  if (fwrite(comp->buffer, 1, bytes_written, comp->file) < bytes_written) {
283  SCLogError(SC_ERR_FWRITE, "fwrite failed: %s", strerror(errno));
284  return TM_ECODE_FAILED;
285  }
286  fclose(comp->file);
287  comp->bytes_in_block = 0;
288  }
289 #endif /* HAVE_LIBLZ4 */
290 
291  PCAPLOG_PROFILE_END(pl->profile_close);
292  }
293 
294  return 0;
295 }
296 
297 static void PcapFileNameFree(PcapFileName *pf)
298 {
299  if (pf != NULL) {
300  if (pf->filename != NULL) {
301  SCFree(pf->filename);
302  }
303  if (pf->dirname != NULL) {
304  SCFree(pf->dirname);
305  }
306  SCFree(pf);
307  }
308 
309  return;
310 }
311 
312 /**
313  * \brief Function to rotate pcaplog file
314  *
315  * \param t Thread Variable containing input/output queue, cpu affinity etc.
316  * \param pl PcapLog thread variable.
317  *
318  * \retval 0 on succces
319  * \retval -1 on failure
320  */
321 static int PcapLogRotateFile(ThreadVars *t, PcapLogData *pl)
322 {
323  PcapFileName *pf;
324  PcapFileName *pfnext;
325 
326  PCAPLOG_PROFILE_START;
327 
328  if (PcapLogCloseFile(t,pl) < 0) {
329  SCLogDebug("PcapLogCloseFile failed");
330  return -1;
331  }
332 
333  if (pl->use_ringbuffer == RING_BUFFER_MODE_ENABLED && pl->file_cnt >= pl->max_files) {
334  pf = TAILQ_FIRST(&pl->pcap_file_list);
335  SCLogDebug("Removing pcap file %s", pf->filename);
336 
337  if (remove(pf->filename) != 0) {
338  // VJ remove can fail because file is already gone
339  //LogWarning(SC_ERR_PCAP_FILE_DELETE_FAILED,
340  // "failed to remove log file %s: %s",
341  // pf->filename, strerror( errno ));
342  }
343 
344  /* Remove directory if Sguil mode and no files left in sguil dir */
345  if (pl->mode == LOGMODE_SGUIL) {
346  pfnext = TAILQ_NEXT(pf,next);
347 
348  if (strcmp(pf->dirname, pfnext->dirname) == 0) {
349  SCLogDebug("Current entry dir %s and next entry %s "
350  "are equal: not removing dir",
351  pf->dirname, pfnext->dirname);
352  } else {
353  SCLogDebug("current entry %s and %s are "
354  "not equal: removing dir",
355  pf->dirname, pfnext->dirname);
356 
357  if (remove(pf->dirname) != 0) {
358  SCLogWarning(SC_ERR_PCAP_FILE_DELETE_FAILED,
359  "failed to remove sguil log %s: %s",
360  pf->dirname, strerror( errno ));
361  }
362  }
363  }
364 
365  TAILQ_REMOVE(&pl->pcap_file_list, pf, next);
366  PcapFileNameFree(pf);
367  pl->file_cnt--;
368  }
369 
370  if (PcapLogOpenFileCtx(pl) < 0) {
371  SCLogError(SC_ERR_FOPEN, "opening new pcap log file failed");
372  return -1;
373  }
374  pl->file_cnt++;
375  SCLogDebug("file_cnt %u", pl->file_cnt);
376 
377  PCAPLOG_PROFILE_END(pl->profile_rotate);
378  return 0;
379 }
380 
381 static int PcapLogOpenHandles(PcapLogData *pl, const Packet *p)
382 {
383  PCAPLOG_PROFILE_START;
384 
385  SCLogDebug("Setting pcap-log link type to %u", p->datalink);
386 
387  if (pl->pcap_dead_handle == NULL) {
388  if ((pl->pcap_dead_handle = pcap_open_dead(p->datalink,
389  PCAP_SNAPLEN)) == NULL) {
390  SCLogDebug("Error opening dead pcap handle");
391  return TM_ECODE_FAILED;
392  }
393  }
394 
395  if (pl->pcap_dumper == NULL) {
396  if (pl->compression.format == PCAP_LOG_COMPRESSION_FORMAT_NONE) {
397  if ((pl->pcap_dumper = pcap_dump_open(pl->pcap_dead_handle,
398  pl->filename)) == NULL) {
399  SCLogInfo("Error opening dump file %s", pcap_geterr(pl->pcap_dead_handle));
400  return TM_ECODE_FAILED;
401  }
402  }
403 #ifdef HAVE_LIBLZ4
404  else if (pl->compression.format == PCAP_LOG_COMPRESSION_FORMAT_LZ4) {
405  PcapLogCompressionData *comp = &pl->compression;
406  if ((pl->pcap_dumper = pcap_dump_fopen(pl->pcap_dead_handle,
407  comp->pcap_buf_wrapper)) == NULL) {
408  SCLogError(SC_ERR_OPENING_FILE, "Error opening dump file %s",
409  pcap_geterr(pl->pcap_dead_handle));
410  return TM_ECODE_FAILED;
411  }
412  comp->file = fopen(pl->filename, "w");
413  if (comp->file == NULL) {
414  SCLogError(SC_ERR_OPENING_FILE,
415  "Error opening file for compressed output: %s",
416  strerror(errno));
417  return TM_ECODE_FAILED;
418  }
419 
420  uint64_t bytes_written = LZ4F_compressBegin(comp->lz4f_context,
421  comp->buffer, comp->buffer_size, NULL);
422  if (LZ4F_isError(bytes_written)) {
423  SCLogError(SC_ERR_PCAP_LOG_COMPRESS, "LZ4F_compressBegin: %s",
424  LZ4F_getErrorName(bytes_written));
425  return TM_ECODE_FAILED;
426  }
427  if (fwrite(comp->buffer, 1, bytes_written, comp->file) < bytes_written) {
428  SCLogError(SC_ERR_FWRITE, "fwrite failed: %s", strerror(errno));
429  return TM_ECODE_FAILED;
430  }
431  }
432 #endif /* HAVE_LIBLZ4 */
433  }
434 
435  PCAPLOG_PROFILE_END(pl->profile_handles);
436  return TM_ECODE_OK;
437 }
438 
439 /** \internal
440  * \brief lock wrapper for main PcapLog() function
441  * NOTE: only meant for use in main PcapLog() function.
442  */
443 static void PcapLogLock(PcapLogData *pl)
444 {
445  if (!(pl->is_private)) {
446  PCAPLOG_PROFILE_START;
447  SCMutexLock(&pl->plog_lock);
448  PCAPLOG_PROFILE_END(pl->profile_lock);
449  }
450 }
451 
452 /** \internal
453  * \brief unlock wrapper for main PcapLog() function
454  * NOTE: only meant for use in main PcapLog() function.
455  */
456 static void PcapLogUnlock(PcapLogData *pl)
457 {
458  if (!(pl->is_private)) {
459  PCAPLOG_PROFILE_START;
460  SCMutexUnlock(&pl->plog_lock);
461  PCAPLOG_PROFILE_END(pl->profile_unlock);
462  }
463 }
464 
465 /**
466  * \brief Pcap logging main function
467  *
468  * \param t threadvar
469  * \param p packet
470  * \param thread_data thread module specific data
471  *
472  * \retval TM_ECODE_OK on succes
473  * \retval TM_ECODE_FAILED on serious error
474  */
475 static int PcapLog (ThreadVars *t, void *thread_data, const Packet *p)
476 {
477  size_t len;
478  int rotate = 0;
479  int ret = 0;
480 
481  PcapLogThreadData *td = (PcapLogThreadData *)thread_data;
482  PcapLogData *pl = td->pcap_log;
483 
484  if ((p->flags & PKT_PSEUDO_STREAM_END) ||
485  ((p->flags & PKT_STREAM_NOPCAPLOG) &&
486  (pl->use_stream_depth == USE_STREAM_DEPTH_ENABLED)) ||
487  (IS_TUNNEL_PKT(p) && !IS_TUNNEL_ROOT_PKT(p)) ||
488  (pl->honor_pass_rules && (p->flags & PKT_NOPACKET_INSPECTION)))
489  {
490  return TM_ECODE_OK;
491  }
492 
493  PcapLogLock(pl);
494 
495  pl->pkt_cnt++;
496  pl->h->ts.tv_sec = p->ts.tv_sec;
497  pl->h->ts.tv_usec = p->ts.tv_usec;
498  pl->h->caplen = GET_PKT_LEN(p);
499  pl->h->len = GET_PKT_LEN(p);
500  len = sizeof(*pl->h) + GET_PKT_LEN(p);
501 
502  if (pl->filename == NULL) {
503  ret = PcapLogOpenFileCtx(pl);
504  if (ret < 0) {
505  PcapLogUnlock(pl);
506  return TM_ECODE_FAILED;
507  }
508  SCLogDebug("Opening PCAP log file %s", pl->filename);
509  }
510 
511  if (pl->mode == LOGMODE_SGUIL) {
512  struct tm local_tm;
513  struct tm *tms = SCLocalTime(p->ts.tv_sec, &local_tm);
514  if (tms->tm_mday != pl->prev_day) {
515  rotate = 1;
516  pl->prev_day = tms->tm_mday;
517  }
518  }
519 
520  PcapLogCompressionData *comp = &pl->compression;
521  if (comp->format == PCAP_LOG_COMPRESSION_FORMAT_NONE) {
522  if ((pl->size_current + len) > pl->size_limit || rotate) {
523  if (PcapLogRotateFile(t,pl) < 0) {
524  PcapLogUnlock(pl);
525  SCLogDebug("rotation of pcap failed");
526  return TM_ECODE_FAILED;
527  }
528  }
529  }
530 #ifdef HAVE_LIBLZ4
531  else if (comp->format == PCAP_LOG_COMPRESSION_FORMAT_LZ4) {
532  /* When writing compressed pcap logs, we have no way of knowing
533  * for sure whether adding this packet would cause the current
534  * file to exceed the size limit. Thus, we record the number of
535  * bytes that have been fed into lz4 since the last write, and
536  * act as if they would be written uncompressed. */
537 
538  if ((pl->size_current + comp->bytes_in_block + len) > pl->size_limit ||
539  rotate) {
540  if (PcapLogRotateFile(t,pl) < 0) {
541  PcapLogUnlock(pl);
542  SCLogDebug("rotation of pcap failed");
543  return TM_ECODE_FAILED;
544  }
545  }
546  }
547 #endif /* HAVE_LIBLZ4 */
548 
549  /* XXX pcap handles, nfq, pfring, can only have one link type ipfw? we do
550  * this here as we don't know the link type until we get our first packet */
551  if (pl->pcap_dead_handle == NULL || pl->pcap_dumper == NULL) {
552  if (PcapLogOpenHandles(pl, p) != TM_ECODE_OK) {
553  PcapLogUnlock(pl);
554  return TM_ECODE_FAILED;
555  }
556  }
557 
558  PCAPLOG_PROFILE_START;
559  pcap_dump((u_char *)pl->pcap_dumper, pl->h, GET_PKT_DATA(p));
560  if (pl->compression.format == PCAP_LOG_COMPRESSION_FORMAT_NONE) {
561  pl->size_current += len;
562  }
563 #ifdef HAVE_LIBLZ4
564  else if (pl->compression.format == PCAP_LOG_COMPRESSION_FORMAT_LZ4) {
565  pcap_dump_flush(pl->pcap_dumper);
566  uint64_t in_size = (uint64_t)ftell(comp->pcap_buf_wrapper);
567  uint64_t out_size = LZ4F_compressUpdate(comp->lz4f_context,
568  comp->buffer, comp->buffer_size, comp->pcap_buf, in_size, NULL);
569  if (LZ4F_isError(len)) {
570  SCLogError(SC_ERR_PCAP_LOG_COMPRESS, "LZ4F_compressUpdate: %s",
571  LZ4F_getErrorName(len));
572  return TM_ECODE_FAILED;
573  }
574  if (fseek(pl->compression.pcap_buf_wrapper, 0, SEEK_SET) != 0) {
575  SCLogError(SC_ERR_FSEEK, "fseek failed: %s", strerror(errno));
576  return TM_ECODE_FAILED;
577  }
578  if (fwrite(comp->buffer, 1, out_size, comp->file) < out_size) {
579  SCLogError(SC_ERR_FWRITE, "fwrite failed: %s", strerror(errno));
580  return TM_ECODE_FAILED;
581  }
582  if (out_size > 0) {
583  pl->size_current += out_size;
584  comp->bytes_in_block = len;
585  } else {
586  comp->bytes_in_block += len;
587  }
588  }
589 #endif /* HAVE_LIBLZ4 */
590 
591  PCAPLOG_PROFILE_END(pl->profile_write);
592  pl->profile_data_size += len;
593 
594  SCLogDebug("pl->size_current %"PRIu64", pl->size_limit %"PRIu64,
595  pl->size_current, pl->size_limit);
596 
597  PcapLogUnlock(pl);
598  return TM_ECODE_OK;
599 }
600 
601 static PcapLogData *PcapLogDataCopy(const PcapLogData *pl)
602 {
603  BUG_ON(pl->mode != LOGMODE_MULTI);
604  PcapLogData *copy = SCCalloc(1, sizeof(*copy));
605  if (unlikely(copy == NULL)) {
606  return NULL;
607  }
608 
609  copy->h = SCCalloc(1, sizeof(*copy->h));
610  if (unlikely(copy->h == NULL)) {
611  SCFree(copy);
612  return NULL;
613  }
614 
615  copy->prefix = SCStrdup(pl->prefix);
616  if (unlikely(copy->prefix == NULL)) {
617  SCFree(copy->h);
618  SCFree(copy);
619  return NULL;
620  }
621 
622  copy->suffix = pl->suffix;
623 
624  /* settings TODO move to global cfg struct */
625  copy->is_private = TRUE;
626  copy->mode = pl->mode;
627  copy->max_files = pl->max_files;
628  copy->use_ringbuffer = pl->use_ringbuffer;
629  copy->timestamp_format = pl->timestamp_format;
630  copy->use_stream_depth = pl->use_stream_depth;
631  copy->size_limit = pl->size_limit;
632 
633  const PcapLogCompressionData *comp = &pl->compression;
634  PcapLogCompressionData *copy_comp = &copy->compression;
635  copy_comp->format = comp->format;
636 #ifdef HAVE_LIBLZ4
637  if (comp->format == PCAP_LOG_COMPRESSION_FORMAT_LZ4) {
638  /* We need to allocate a new compression context and buffers for
639  * the copy. First copy the things that can simply be copied. */
640 
641  copy_comp->buffer_size = comp->buffer_size;
642  copy_comp->pcap_buf_size = comp->pcap_buf_size;
643  copy_comp->lz4f_prefs = comp->lz4f_prefs;
644 
645  /* Allocate the buffers. */
646 
647  copy_comp->buffer = SCMalloc(copy_comp->buffer_size);
648  if (copy_comp->buffer == NULL) {
649  SCLogError(SC_ERR_MEM_ALLOC, "SCMalloc failed: %s",
650  strerror(errno));
651  SCFree(copy->h);
652  SCFree(copy);
653  return NULL;
654  }
655  copy_comp->pcap_buf = SCMalloc(copy_comp->pcap_buf_size);
656  if (copy_comp->pcap_buf == NULL) {
657  SCLogError(SC_ERR_MEM_ALLOC, "SCMalloc failed: %s",
658  strerror(errno));
659  SCFree(copy_comp->buffer);
660  SCFree(copy->h);
661  SCFree(copy);
662  return NULL;
663  }
664  copy_comp->pcap_buf_wrapper = SCFmemopen(copy_comp->pcap_buf,
665  copy_comp->pcap_buf_size, "w");
666  if (copy_comp->pcap_buf_wrapper == NULL) {
667  SCLogError(SC_ERR_FOPEN, "SCFmemopen failed: %s", strerror(errno));
668  SCFree(copy_comp->buffer);
669  SCFree(copy_comp->pcap_buf);
670  SCFree(copy->h);
671  SCFree(copy);
672  return NULL;
673  }
674 
675  /* Initialize a new compression context. */
676 
677  LZ4F_errorCode_t errcode =
678  LZ4F_createCompressionContext(&copy_comp->lz4f_context, 1);
679  if (LZ4F_isError(errcode)) {
680  SCLogError(SC_ERR_PCAP_LOG_COMPRESS,
681  "LZ4F_createCompressionContext failed: %s",
682  LZ4F_getErrorName(errcode));
683  fclose(copy_comp->pcap_buf_wrapper);
684  SCFree(copy_comp->buffer);
685  SCFree(copy_comp->pcap_buf);
686  SCFree(copy->h);
687  SCFree(copy);
688  return NULL;
689  }
690 
691  /* Initialize the rest. */
692 
693  copy_comp->file = NULL;
694  copy_comp->bytes_in_block = 0;
695  }
696 #endif /* HAVE_LIBLZ4 */
697 
698  TAILQ_INIT(&copy->pcap_file_list);
699  SCMutexInit(&copy->plog_lock, NULL);
700 
701  strlcpy(copy->dir, pl->dir, sizeof(copy->dir));
702 
703  int i;
704  for (i = 0; i < pl->filename_part_cnt && i < MAX_TOKS; i++)
705  copy->filename_parts[i] = pl->filename_parts[i];
706  copy->filename_part_cnt = pl->filename_part_cnt;
707 
708  /* set thread number, first thread is 1 */
709  copy->thread_number = SC_ATOMIC_ADD(thread_cnt, 1);
710 
711  SCLogDebug("copied, returning %p", copy);
712  return copy;
713 }
714 
715 #ifdef INIT_RING_BUFFER
716 static int PcapLogGetTimeOfFile(const char *filename, uint64_t *secs,
717  uint32_t *usecs)
718 {
719  int pcre_ovecsize = 4 * 3;
720  int pcre_ovec[pcre_ovecsize];
721  char buf[PATH_MAX];
722 
723  int n = pcre_exec(pcre_timestamp_code, pcre_timestamp_extra,
724  filename, strlen(filename), 0, 0, pcre_ovec,
725  pcre_ovecsize);
726  if (n != 2 && n != 4) {
727  /* No match. */
728  return 0;
729  }
730 
731  if (n >= 2) {
732  /* Extract seconds. */
733  if (pcre_copy_substring(filename, pcre_ovec, pcre_ovecsize,
734  1, buf, sizeof(buf)) < 0) {
735  return 0;
736  }
737  if (ByteExtractStringUint64(secs, 10, 0, buf) < 0) {
738  return 0;
739  }
740  }
741  if (n == 4) {
742  /* Extract microseconds. */
743  if (pcre_copy_substring(filename, pcre_ovec, pcre_ovecsize,
744  3, buf, sizeof(buf)) < 0) {
745  return 0;
746  }
747  if (ByteExtractStringUint32(usecs, 10, 0, buf) < 0) {
748  return 0;
749  }
750  }
751 
752  return 1;
753 }
754 
755 static TmEcode PcapLogInitRingBuffer(PcapLogData *pl)
756 {
757  char pattern[PATH_MAX];
758 
759  SCLogInfo("Initializing PCAP ring buffer for %s/%s.",
760  pl->dir, pl->prefix);
761 
762  strlcpy(pattern, pl->dir, PATH_MAX);
763  if (pattern[strlen(pattern) - 1] != '/') {
764  strlcat(pattern, "/", PATH_MAX);
765  }
766  if (pl->mode == LOGMODE_MULTI) {
767  for (int i = 0; i < pl->filename_part_cnt; i++) {
768  char *part = pl->filename_parts[i];
769  if (part == NULL || strlen(part) == 0) {
770  continue;
771  }
772  if (part[0] != '%' || strlen(part) < 2) {
773  strlcat(pattern, part, PATH_MAX);
774  continue;
775  }
776  switch (part[1]) {
777  case 'i':
778  SCLogError(SC_ERR_INVALID_ARGUMENT,
779  "Thread ID not allowed inring buffer mode.");
780  return TM_ECODE_FAILED;
781  case 'n': {
782  char tmp[PATH_MAX];
783  snprintf(tmp, PATH_MAX, "%"PRIu32, pl->thread_number);
784  strlcat(pattern, tmp, PATH_MAX);
785  break;
786  }
787  case 't':
788  strlcat(pattern, "*", PATH_MAX);
789  break;
790  default:
791  SCLogError(SC_ERR_INVALID_ARGUMENT,
792  "Unsupported format character: %%%s", part);
793  return TM_ECODE_FAILED;
794  }
795  }
796  } else {
797  strlcat(pattern, pl->prefix, PATH_MAX);
798  strlcat(pattern, ".*", PATH_MAX);
799  }
800  strlcat(pattern, pl->suffix, PATH_MAX);
801 
802  char *basename = strrchr(pattern, '/');
803  *basename++ = '\0';
804 
805  /* Pattern is now just the directory name. */
806  DIR *dir = opendir(pattern);
807  if (dir == NULL) {
808  SCLogWarning(SC_ERR_DIR_OPEN, "Failed to open directory %s: %s",
809  pattern, strerror(errno));
810  return TM_ECODE_FAILED;
811  }
812 
813  for (;;) {
814  struct dirent *entry = readdir(dir);
815  if (entry == NULL) {
816  break;
817  }
818  if (fnmatch(basename, entry->d_name, 0) != 0) {
819  continue;
820  }
821 
822  uint64_t secs = 0;
823  uint32_t usecs = 0;
824 
825  if (!PcapLogGetTimeOfFile(entry->d_name, &secs, &usecs)) {
826  /* Failed to get time stamp out of file name. Not necessarily a
827  * failure as the file might just not be a pcap log file. */
828  continue;
829  }
830 
831  PcapFileName *pf = SCCalloc(sizeof(*pf), 1);
832  if (unlikely(pf == NULL)) {
833  goto fail;
834  }
835  char path[PATH_MAX];
836  if (snprintf(path, PATH_MAX, "%s/%s", pattern, entry->d_name) == PATH_MAX)
837  goto fail;
838 
839  if ((pf->filename = SCStrdup(path)) == NULL) {
840  goto fail;
841  }
842  if ((pf->dirname = SCStrdup(pattern)) == NULL) {
843  goto fail;
844  }
845  pf->secs = secs;
846  pf->usecs = usecs;
847 
848  if (TAILQ_EMPTY(&pl->pcap_file_list)) {
849  TAILQ_INSERT_TAIL(&pl->pcap_file_list, pf, next);
850  } else {
851  /* Ordered insert. */
852  PcapFileName *it = NULL;
853  TAILQ_FOREACH(it, &pl->pcap_file_list, next) {
854  if (pf->secs < it->secs) {
855  break;
856  } else if (pf->secs == it->secs && pf->usecs < it->usecs) {
857  break;
858  }
859  }
860  if (it == NULL) {
861  TAILQ_INSERT_TAIL(&pl->pcap_file_list, pf, next);
862  } else {
863  TAILQ_INSERT_BEFORE(it, pf, next);
864  }
865  }
866  pl->file_cnt++;
867  continue;
868 
869  fail:
870  if (pf != NULL) {
871  if (pf->filename != NULL) {
872  SCFree(pf->filename);
873  }
874  if (pf->dirname != NULL) {
875  SCFree(pf->dirname);
876  }
877  SCFree(pf);
878  }
879  break;
880  }
881 
882  if (pl->file_cnt > pl->max_files) {
883  PcapFileName *pf = TAILQ_FIRST(&pl->pcap_file_list);
884  while (pf != NULL && pl->file_cnt > pl->max_files) {
885  SCLogDebug("Removing PCAP file %s", pf->filename);
886  if (remove(pf->filename) != 0) {
887  SCLogWarning(SC_WARN_REMOVE_FILE,
888  "Failed to remove PCAP file %s: %s", pf->filename,
889  strerror(errno));
890  }
891  TAILQ_REMOVE(&pl->pcap_file_list, pf, next);
892  PcapFileNameFree(pf);
893  pf = TAILQ_FIRST(&pl->pcap_file_list);
894  pl->file_cnt--;
895  }
896  }
897 
898  closedir(dir);
899 
900  /* For some reason file count is initialized at one, instead of 0. */
901  SCLogNotice("Ring buffer initialized with %d files.", pl->file_cnt - 1);
902 
903  return TM_ECODE_OK;
904 }
905 #endif /* INIT_RING_BUFFER */
906 
907 static TmEcode PcapLogDataInit(ThreadVars *t, const void *initdata, void **data)
908 {
909  if (initdata == NULL) {
910  SCLogDebug("Error getting context for LogPcap. \"initdata\" argument NULL");
911  return TM_ECODE_FAILED;
912  }
913 
914  PcapLogData *pl = ((OutputCtx *)initdata)->data;
915 
916  PcapLogThreadData *td = SCCalloc(1, sizeof(*td));
917  if (unlikely(td == NULL))
918  return TM_ECODE_FAILED;
919 
920  if (pl->mode == LOGMODE_MULTI)
921  td->pcap_log = PcapLogDataCopy(pl);
922  else
923  td->pcap_log = pl;
924  BUG_ON(td->pcap_log == NULL);
925 
926  PcapLogLock(td->pcap_log);
927 
928  /** Use the Ouptut Context (file pointer and mutex) */
929  td->pcap_log->pkt_cnt = 0;
930  td->pcap_log->pcap_dead_handle = NULL;
931  td->pcap_log->pcap_dumper = NULL;
932  if (td->pcap_log->file_cnt < 1) {
933  td->pcap_log->file_cnt = 1;
934  }
935 
936  struct timeval ts;
937  memset(&ts, 0x00, sizeof(struct timeval));
938  TimeGet(&ts);
939  struct tm local_tm;
940  struct tm *tms = SCLocalTime(ts.tv_sec, &local_tm);
941  td->pcap_log->prev_day = tms->tm_mday;
942 
943  PcapLogUnlock(td->pcap_log);
944 
945  /* count threads in the global structure */
946  SCMutexLock(&pl->plog_lock);
947  pl->threads++;
948  SCMutexUnlock(&pl->plog_lock);
949 
950  *data = (void *)td;
951 
952  if (pl->max_files && (pl->mode == LOGMODE_MULTI || pl->threads == 1)) {
953 #ifdef INIT_RING_BUFFER
954  if (PcapLogInitRingBuffer(td->pcap_log) == TM_ECODE_FAILED) {
955  return TM_ECODE_FAILED;
956  }
957 #else
958  SCLogInfo("Unable to initialize ring buffer on this platform.");
959 #endif /* INIT_RING_BUFFER */
960  }
961 
962  return TM_ECODE_OK;
963 }
964 
965 static void StatsMerge(PcapLogData *dst, PcapLogData *src)
966 {
967  dst->profile_open.total += src->profile_open.total;
968  dst->profile_open.cnt += src->profile_open.cnt;
969 
970  dst->profile_close.total += src->profile_close.total;
971  dst->profile_close.cnt += src->profile_close.cnt;
972 
973  dst->profile_write.total += src->profile_write.total;
974  dst->profile_write.cnt += src->profile_write.cnt;
975 
976  dst->profile_rotate.total += src->profile_rotate.total;
977  dst->profile_rotate.cnt += src->profile_rotate.cnt;
978 
979  dst->profile_handles.total += src->profile_handles.total;
980  dst->profile_handles.cnt += src->profile_handles.cnt;
981 
982  dst->profile_lock.total += src->profile_lock.total;
983  dst->profile_lock.cnt += src->profile_lock.cnt;
984 
985  dst->profile_unlock.total += src->profile_unlock.total;
986  dst->profile_unlock.cnt += src->profile_unlock.cnt;
987 
988  dst->profile_data_size += src->profile_data_size;
989 }
990 
991 static void PcapLogDataFree(PcapLogData *pl)
992 {
993 
994  PcapFileName *pf;
995  while ((pf = TAILQ_FIRST(&pl->pcap_file_list)) != NULL) {
996  TAILQ_REMOVE(&pl->pcap_file_list, pf, next);
997  PcapFileNameFree(pf);
998  }
999  if (pl == g_pcap_data) {
1000  for (int i = 0; i < MAX_TOKS; i++) {
1001  if (pl->filename_parts[i] != NULL) {
1002  SCFree(pl->filename_parts[i]);
1003  }
1004  }
1005  }
1006  SCFree(pl->h);
1007  SCFree(pl->filename);
1008  SCFree(pl->prefix);
1009 
1010 #ifdef HAVE_LIBLZ4
1011  if (pl->compression.format == PCAP_LOG_COMPRESSION_FORMAT_LZ4) {
1012  SCFree(pl->compression.buffer);
1013  fclose(pl->compression.pcap_buf_wrapper);
1014  SCFree(pl->compression.pcap_buf);
1015  LZ4F_errorCode_t errcode =
1016  LZ4F_freeCompressionContext(pl->compression.lz4f_context);
1017  if (LZ4F_isError(errcode)) {
1018  SCLogWarning(SC_ERR_MEM_ALLOC, "Error freeing lz4 context.");
1019  }
1020  }
1021 #endif /* HAVE_LIBLZ4 */
1022  SCFree(pl);
1023 }
1024 
1025 /**
1026  * \brief Thread deinit function.
1027  *
1028  * \param t Thread Variable containing input/output queue, cpu affinity etc.
1029  * \param data PcapLog thread data.
1030  * \retval TM_ECODE_OK on succces
1031  * \retval TM_ECODE_FAILED on failure
1032  */
1033 static TmEcode PcapLogDataDeinit(ThreadVars *t, void *thread_data)
1034 {
1035  PcapLogThreadData *td = (PcapLogThreadData *)thread_data;
1036  PcapLogData *pl = td->pcap_log;
1037 
1038  if (pl->pcap_dumper != NULL) {
1039  if (PcapLogCloseFile(t,pl) < 0) {
1040  SCLogDebug("PcapLogCloseFile failed");
1041  }
1042  }
1043 
1044  if (pl->mode == LOGMODE_MULTI) {
1045  SCMutexLock(&g_pcap_data->plog_lock);
1046  StatsMerge(g_pcap_data, pl);
1047  g_pcap_data->reported++;
1048  if (g_pcap_data->threads == g_pcap_data->reported)
1049  PcapLogProfilingDump(g_pcap_data);
1050  SCMutexUnlock(&g_pcap_data->plog_lock);
1051  } else {
1052  if (pl->reported == 0) {
1053  PcapLogProfilingDump(pl);
1054  pl->reported = 1;
1055  }
1056  }
1057 
1058  if (pl != g_pcap_data) {
1059  PcapLogDataFree(pl);
1060  }
1061 
1062  SCFree(td);
1063  return TM_ECODE_OK;
1064 }
1065 
1066 
1067 static int ParseFilename(PcapLogData *pl, const char *filename)
1068 {
1069  char *toks[MAX_TOKS] = { NULL };
1070  int tok = 0;
1071  char str[MAX_FILENAMELEN] = "";
1072  int s = 0;
1073  int i, x;
1074  char *p = NULL;
1075  size_t filename_len = 0;
1076 
1077  if (filename) {
1078  filename_len = strlen(filename);
1079  if (filename_len > (MAX_FILENAMELEN-1)) {
1080  SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid filename option. Max filename-length: %d",MAX_FILENAMELEN-1);
1081  goto error;
1082  }
1083 
1084  for (i = 0; i < (int)strlen(filename); i++) {
1085  if (tok >= MAX_TOKS) {
1086  SCLogError(SC_ERR_INVALID_ARGUMENT,
1087  "invalid filename option. Max 2 %%-sign options");
1088  goto error;
1089  }
1090 
1091  str[s++] = filename[i];
1092 
1093  if (filename[i] == '%') {
1094  str[s-1] = '\0';
1095  SCLogDebug("filename with %%-sign: %s", str);
1096 
1097  p = SCStrdup(str);
1098  if (p == NULL)
1099  goto error;
1100  toks[tok++] = p;
1101 
1102  s = 0;
1103 
1104  if (i+1 < (int)strlen(filename)) {
1105  if (tok >= MAX_TOKS) {
1106  SCLogError(SC_ERR_INVALID_ARGUMENT,
1107  "invalid filename option. Max 2 %%-sign options");
1108  goto error;
1109  }
1110 
1111  if (filename[i+1] != 'n' && filename[i+1] != 't' && filename[i+1] != 'i') {
1112  SCLogError(SC_ERR_INVALID_ARGUMENT,
1113  "invalid filename option. Valid %%-sign options: %%n, %%i and %%t");
1114  goto error;
1115  }
1116  str[0] = '%';
1117  str[1] = filename[i+1];
1118  str[2] = '\0';
1119  p = SCStrdup(str);
1120  if (p == NULL)
1121  goto error;
1122  toks[tok++] = p;
1123  i++;
1124  }
1125  }
1126  }
1127  if (s) {
1128  if (tok >= MAX_TOKS) {
1129  SCLogError(SC_ERR_INVALID_ARGUMENT,
1130  "invalid filename option. Max 3 %%-sign options");
1131  goto error;
1132 
1133  }
1134  str[s++] = '\0';
1135  p = SCStrdup(str);
1136  if (p == NULL)
1137  goto error;
1138  toks[tok++] = p;
1139  }
1140 
1141  /* finally, store tokens in the pl */
1142  for (i = 0; i < tok; i++) {
1143  if (toks[i] == NULL)
1144  goto error;
1145 
1146  SCLogDebug("toks[%d] %s", i, toks[i]);
1147  pl->filename_parts[i] = toks[i];
1148  }
1149  pl->filename_part_cnt = tok;
1150  }
1151  return 0;
1152 error:
1153  for (x = 0; x < MAX_TOKS; x++) {
1154  if (toks[x] != NULL)
1155  SCFree(toks[x]);
1156  }
1157  return -1;
1158 }
1159 
1160 /** \brief Fill in pcap logging struct from the provided ConfNode.
1161  * \param conf The configuration node for this output.
1162  * \retval output_ctx
1163  * */
1164 static OutputInitResult PcapLogInitCtx(ConfNode *conf)
1165 {
1166  OutputInitResult result = { NULL, false };
1167  const char *pcre_errbuf;
1168  int pcre_erroffset;
1169 
1170  PcapLogData *pl = SCMalloc(sizeof(PcapLogData));
1171  if (unlikely(pl == NULL)) {
1172  SCLogError(SC_ERR_MEM_ALLOC, "Failed to allocate Memory for PcapLogData");
1173  exit(EXIT_FAILURE);
1174  }
1175  memset(pl, 0, sizeof(PcapLogData));
1176 
1177  pl->h = SCMalloc(sizeof(*pl->h));
1178  if (pl->h == NULL) {
1179  SCLogError(SC_ERR_MEM_ALLOC,
1180  "Failed to allocate Memory for pcap header struct");
1181  exit(EXIT_FAILURE);
1182  }
1183 
1184  /* Set the defaults */
1185  pl->mode = LOGMODE_NORMAL;
1186  pl->max_files = DEFAULT_FILE_LIMIT;
1187  pl->use_ringbuffer = RING_BUFFER_MODE_DISABLED;
1188  pl->timestamp_format = TS_FORMAT_SEC;
1189  pl->use_stream_depth = USE_STREAM_DEPTH_DISABLED;
1190  pl->honor_pass_rules = HONOR_PASS_RULES_DISABLED;
1191 
1192  TAILQ_INIT(&pl->pcap_file_list);
1193 
1194  SCMutexInit(&pl->plog_lock, NULL);
1195 
1196  /* Initialize PCREs. */
1197  pcre_timestamp_code = pcre_compile(timestamp_pattern, 0, &pcre_errbuf,
1198  &pcre_erroffset, NULL);
1199  if (pcre_timestamp_code == NULL) {
1200  FatalError(SC_ERR_PCRE_COMPILE,
1201  "Failed to compile \"%s\" at offset %"PRIu32": %s",
1202  timestamp_pattern, pcre_erroffset, pcre_errbuf);
1203  }
1204  pcre_timestamp_extra = pcre_study(pcre_timestamp_code, 0, &pcre_errbuf);
1205  if (pcre_errbuf != NULL) {
1206  FatalError(SC_ERR_PCRE_STUDY, "Fail to study pcre: %s", pcre_errbuf);
1207  }
1208 
1209  /* conf params */
1210 
1211  const char *filename = NULL;
1212 
1213  if (conf != NULL) { /* To faciliate unit tests. */
1214  filename = ConfNodeLookupChildValue(conf, "filename");
1215  }
1216 
1217  if (filename == NULL)
1218  filename = DEFAULT_LOG_FILENAME;
1219 
1220  if ((pl->prefix = SCStrdup(filename)) == NULL) {
1221  exit(EXIT_FAILURE);
1222  }
1223 
1224  pl->suffix = "";
1225 
1226  if (filename) {
1227  if (ParseFilename(pl, filename) != 0)
1228  exit(EXIT_FAILURE);
1229  }
1230 
1231  pl->size_limit = DEFAULT_LIMIT;
1232  if (conf != NULL) {
1233  const char *s_limit = NULL;
1234  s_limit = ConfNodeLookupChildValue(conf, "limit");
1235  if (s_limit != NULL) {
1236  if (ParseSizeStringU64(s_limit, &pl->size_limit) < 0) {
1237  SCLogError(SC_ERR_INVALID_ARGUMENT,
1238  "Failed to initialize unified2 output, invalid limit: %s",
1239  s_limit);
1240  exit(EXIT_FAILURE);
1241  }
1242  if (pl->size_limit < 4096) {
1243  SCLogInfo("pcap-log \"limit\" value of %"PRIu64" assumed to be pre-1.2 "
1244  "style: setting limit to %"PRIu64"mb", pl->size_limit, pl->size_limit);
1245  uint64_t size = pl->size_limit * 1024 * 1024;
1246  pl->size_limit = size;
1247  } else if (pl->size_limit < MIN_LIMIT) {
1248  SCLogError(SC_ERR_INVALID_ARGUMENT,
1249  "Fail to initialize pcap-log output, limit less than "
1250  "allowed minimum.");
1251  exit(EXIT_FAILURE);
1252  }
1253  }
1254  }
1255 
1256  if (conf != NULL) {
1257  const char *s_mode = NULL;
1258  s_mode = ConfNodeLookupChildValue(conf, "mode");
1259  if (s_mode != NULL) {
1260  if (strcasecmp(s_mode, "sguil") == 0) {
1261  pl->mode = LOGMODE_SGUIL;
1262  } else if (strcasecmp(s_mode, "multi") == 0) {
1263  pl->mode = LOGMODE_MULTI;
1264  } else if (strcasecmp(s_mode, "normal") != 0) {
1265  SCLogError(SC_ERR_INVALID_ARGUMENT,
1266  "log-pcap: invalid mode \"%s\". Valid options: \"normal\", "
1267  "\"sguil\", or \"multi\" mode ", s_mode);
1268  exit(EXIT_FAILURE);
1269  }
1270  }
1271 
1272  const char *s_dir = NULL;
1273  s_dir = ConfNodeLookupChildValue(conf, "dir");
1274  if (s_dir == NULL) {
1275  s_dir = ConfNodeLookupChildValue(conf, "sguil-base-dir");
1276  }
1277  if (s_dir == NULL) {
1278  if (pl->mode == LOGMODE_SGUIL) {
1279  SCLogError(SC_ERR_LOGPCAP_SGUIL_BASE_DIR_MISSING,
1280  "log-pcap \"sguil\" mode requires \"sguil-base-dir\" "
1281  "option to be set.");
1282  exit(EXIT_FAILURE);
1283  } else {
1284  const char *log_dir = NULL;
1285  log_dir = ConfigGetLogDirectory();
1286 
1287  strlcpy(pl->dir,
1288  log_dir, sizeof(pl->dir));
1289  SCLogInfo("Using log dir %s", pl->dir);
1290  }
1291  } else {
1292  if (PathIsAbsolute(s_dir)) {
1293  strlcpy(pl->dir,
1294  s_dir, sizeof(pl->dir));
1295  } else {
1296  const char *log_dir = NULL;
1297  log_dir = ConfigGetLogDirectory();
1298 
1299  snprintf(pl->dir, sizeof(pl->dir), "%s/%s",
1300  log_dir, s_dir);
1301  }
1302 
1303  struct stat stat_buf;
1304  if (stat(pl->dir, &stat_buf) != 0) {
1305  SCLogError(SC_ERR_LOGDIR_CONFIG, "The sguil-base-dir directory \"%s\" "
1306  "supplied doesn't exist. Shutting down the engine",
1307  pl->dir);
1308  exit(EXIT_FAILURE);
1309  }
1310  SCLogInfo("Using log dir %s", pl->dir);
1311  }
1312 
1313  const char *compression_str = ConfNodeLookupChildValue(conf,
1314  "compression");
1315 
1316  PcapLogCompressionData *comp = &pl->compression;
1317  if (compression_str == NULL || strcmp(compression_str, "none") == 0) {
1318  comp->format = PCAP_LOG_COMPRESSION_FORMAT_NONE;
1319  comp->buffer = NULL;
1320  comp->buffer_size = 0;
1321  comp->file = NULL;
1322  comp->pcap_buf = NULL;
1323  comp->pcap_buf_size = 0;
1324  comp->pcap_buf_wrapper = NULL;
1325  } else if (strcmp(compression_str, "lz4") == 0) {
1326 #ifdef HAVE_LIBLZ4
1327  if (pl->mode == LOGMODE_SGUIL) {
1328  SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Compressed pcap "
1329  "logs are not possible in sguil mode");
1330  SCFree(pl->h);
1331  SCFree(pl);
1332  return result;
1333  }
1334  pl->compression.format = PCAP_LOG_COMPRESSION_FORMAT_LZ4;
1335 
1336  /* Use SCFmemopen so we can make pcap_dump write to a buffer. */
1337 
1338  comp->pcap_buf_size = sizeof(struct pcap_file_header) +
1339  sizeof(struct pcap_pkthdr) + PCAP_SNAPLEN;
1340  comp->pcap_buf = SCMalloc(comp->pcap_buf_size);
1341  if (comp->pcap_buf == NULL) {
1342  SCLogError(SC_ERR_MEM_ALLOC, "SCMalloc failed: %s",
1343  strerror(errno));
1344  exit(EXIT_FAILURE);
1345  }
1346  comp->pcap_buf_wrapper = SCFmemopen(comp->pcap_buf,
1347  comp->pcap_buf_size, "w");
1348  if (comp->pcap_buf_wrapper == NULL) {
1349  SCLogError(SC_ERR_FOPEN, "SCFmemopen failed: %s",
1350  strerror(errno));
1351  exit(EXIT_FAILURE);
1352  }
1353 
1354  /* Set lz4 preferences. */
1355 
1356  memset(&comp->lz4f_prefs, '\0', sizeof(comp->lz4f_prefs));
1357  comp->lz4f_prefs.frameInfo.blockSizeID = LZ4F_max4MB;
1358  comp->lz4f_prefs.frameInfo.blockMode = LZ4F_blockLinked;
1359  if (ConfNodeChildValueIsTrue(conf, "lz4-checksum")) {
1360  comp->lz4f_prefs.frameInfo.contentChecksumFlag = 1;
1361  }
1362  else {
1363  comp->lz4f_prefs.frameInfo.contentChecksumFlag = 0;
1364  }
1365  intmax_t lvl = 0;
1366  if (ConfGetChildValueInt(conf, "lz4-level", &lvl)) {
1367  if (lvl > 16) {
1368  lvl = 16;
1369  } else if (lvl < 0) {
1370  lvl = 0;
1371  }
1372  } else {
1373  lvl = 0;
1374  }
1375  comp->lz4f_prefs.compressionLevel = lvl;
1376 
1377  /* Allocate resources for lz4. */
1378 
1379  LZ4F_errorCode_t errcode =
1380  LZ4F_createCompressionContext(&pl->compression.lz4f_context, 1);
1381 
1382  if (LZ4F_isError(errcode)) {
1383  SCLogError(SC_ERR_PCAP_LOG_COMPRESS,
1384  "LZ4F_createCompressionContext failed: %s",
1385  LZ4F_getErrorName(errcode));
1386  exit(EXIT_FAILURE);
1387  }
1388 
1389  /* Calculate the size of the lz4 output buffer. */
1390 
1391  comp->buffer_size = LZ4F_compressBound(comp->pcap_buf_size,
1392  &comp->lz4f_prefs);
1393 
1394  comp->buffer = SCMalloc(comp->buffer_size);
1395  if (unlikely(comp->buffer == NULL)) {
1396  SCLogError(SC_ERR_MEM_ALLOC, "Failed to allocate memory for "
1397  "lz4 output buffer.");
1398  exit(EXIT_FAILURE);
1399  }
1400 
1401  comp->bytes_in_block = 0;
1402 
1403  /* Add the lz4 file extension to the log files. */
1404 
1405  pl->suffix = ".lz4";
1406 #else
1407  SCLogError(SC_ERR_INVALID_ARGUMENT, "lz4 compression was selected "
1408  "in pcap-log, but suricata was not compiled with lz4 "
1409  "support.");
1410  PcapLogDataFree(pl);
1411  return result;
1412 #endif /* HAVE_LIBLZ4 */
1413  }
1414  else {
1415  SCLogError(SC_ERR_INVALID_ARGUMENT, "Unsupported pcap-log "
1416  "compression format: %s", compression_str);
1417  PcapLogDataFree(pl);
1418  return result;
1419  }
1420 
1421  SCLogInfo("Selected pcap-log compression method: %s",
1422  compression_str ? compression_str : "none");
1423  }
1424 
1425  SCLogInfo("using %s logging", pl->mode == LOGMODE_SGUIL ?
1426  "Sguil compatible" : (pl->mode == LOGMODE_MULTI ? "multi" : "normal"));
1427 
1428  uint32_t max_file_limit = DEFAULT_FILE_LIMIT;
1429  if (conf != NULL) {
1430  const char *max_number_of_files_s = NULL;
1431  max_number_of_files_s = ConfNodeLookupChildValue(conf, "max-files");
1432  if (max_number_of_files_s != NULL) {
1433  if (ByteExtractStringUint32(&max_file_limit, 10, 0,
1434  max_number_of_files_s) == -1) {
1435  SCLogError(SC_ERR_INVALID_ARGUMENT, "Failed to initialize "
1436  "pcap-log output, invalid number of files limit: %s",
1437  max_number_of_files_s);
1438  exit(EXIT_FAILURE);
1439  } else if (max_file_limit < 1) {
1440  SCLogError(SC_ERR_INVALID_ARGUMENT,
1441  "Failed to initialize pcap-log output, limit less than "
1442  "allowed minimum.");
1443  exit(EXIT_FAILURE);
1444  } else {
1445  pl->max_files = max_file_limit;
1446  pl->use_ringbuffer = RING_BUFFER_MODE_ENABLED;
1447  }
1448  }
1449  }
1450 
1451  const char *ts_format = NULL;
1452  if (conf != NULL) { /* To faciliate unit tests. */
1453  ts_format = ConfNodeLookupChildValue(conf, "ts-format");
1454  }
1455  if (ts_format != NULL) {
1456  if (strcasecmp(ts_format, "usec") == 0) {
1457  pl->timestamp_format = TS_FORMAT_USEC;
1458  } else if (strcasecmp(ts_format, "sec") != 0) {
1459  SCLogError(SC_ERR_INVALID_ARGUMENT,
1460  "log-pcap ts_format specified %s is invalid must be"
1461  " \"sec\" or \"usec\"", ts_format);
1462  exit(EXIT_FAILURE);
1463  }
1464  }
1465 
1466  const char *use_stream_depth = NULL;
1467  if (conf != NULL) { /* To faciliate unit tests. */
1468  use_stream_depth = ConfNodeLookupChildValue(conf, "use-stream-depth");
1469  }
1470  if (use_stream_depth != NULL) {
1471  if (ConfValIsFalse(use_stream_depth)) {
1472  pl->use_stream_depth = USE_STREAM_DEPTH_DISABLED;
1473  } else if (ConfValIsTrue(use_stream_depth)) {
1474  pl->use_stream_depth = USE_STREAM_DEPTH_ENABLED;
1475  } else {
1476  SCLogError(SC_ERR_INVALID_ARGUMENT,
1477  "log-pcap use_stream_depth specified is invalid must be");
1478  exit(EXIT_FAILURE);
1479  }
1480  }
1481 
1482  const char *honor_pass_rules = NULL;
1483  if (conf != NULL) { /* To faciliate unit tests. */
1484  honor_pass_rules = ConfNodeLookupChildValue(conf, "honor-pass-rules");
1485  }
1486  if (honor_pass_rules != NULL) {
1487  if (ConfValIsFalse(honor_pass_rules)) {
1488  pl->honor_pass_rules = HONOR_PASS_RULES_DISABLED;
1489  } else if (ConfValIsTrue(honor_pass_rules)) {
1490  pl->honor_pass_rules = HONOR_PASS_RULES_ENABLED;
1491  } else {
1492  SCLogError(SC_ERR_INVALID_ARGUMENT,
1493  "log-pcap honor-pass-rules specified is invalid");
1494  exit(EXIT_FAILURE);
1495  }
1496  }
1497 
1498  /* create the output ctx and send it back */
1499 
1500  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
1501  if (unlikely(output_ctx == NULL)) {
1502  SCLogError(SC_ERR_MEM_ALLOC, "Failed to allocate memory for OutputCtx.");
1503  exit(EXIT_FAILURE);
1504  }
1505  output_ctx->data = pl;
1506  output_ctx->DeInit = PcapLogFileDeInitCtx;
1507  g_pcap_data = pl;
1508 
1509  result.ctx = output_ctx;
1510  result.ok = true;
1511  return result;
1512 }
1513 
1514 static void PcapLogFileDeInitCtx(OutputCtx *output_ctx)
1515 {
1516  if (output_ctx == NULL)
1517  return;
1518 
1519  PcapLogData *pl = output_ctx->data;
1520 
1521  PcapFileName *pf = NULL;
1522  TAILQ_FOREACH(pf, &pl->pcap_file_list, next) {
1523  SCLogDebug("PCAP files left at exit: %s\n", pf->filename);
1524  }
1525  PcapLogDataFree(pl);
1526  SCFree(output_ctx);
1527  return;
1528 }
1529 
1530 /**
1531  * \brief Read the config set the file pointer, open the file
1532  *
1533  * \param PcapLogData.
1534  *
1535  * \retval -1 if failure
1536  * \retval 0 if succesful
1537  */
1538 static int PcapLogOpenFileCtx(PcapLogData *pl)
1539 {
1540  char *filename = NULL;
1541 
1542  PCAPLOG_PROFILE_START;
1543 
1544  if (pl->filename != NULL)
1545  filename = pl->filename;
1546  else {
1547  filename = SCMalloc(PATH_MAX);
1548  if (unlikely(filename == NULL)) {
1549  return -1;
1550  }
1551  pl->filename = filename;
1552  }
1553 
1554  /** get the time so we can have a filename with seconds since epoch */
1555  struct timeval ts;
1556  memset(&ts, 0x00, sizeof(struct timeval));
1557  TimeGet(&ts);
1558 
1559  /* Place to store the name of our PCAP file */
1560  PcapFileName *pf = SCMalloc(sizeof(PcapFileName));
1561  if (unlikely(pf == NULL)) {
1562  return -1;
1563  }
1564  memset(pf, 0, sizeof(PcapFileName));
1565 
1566  if (pl->mode == LOGMODE_SGUIL) {
1567  struct tm local_tm;
1568  struct tm *tms = SCLocalTime(ts.tv_sec, &local_tm);
1569 
1570  char dirname[32], dirfull[PATH_MAX] = "";
1571 
1572  snprintf(dirname, sizeof(dirname), "%04d-%02d-%02d",
1573  tms->tm_year + 1900, tms->tm_mon + 1, tms->tm_mday);
1574 
1575  /* create the filename to use */
1576  int ret = snprintf(dirfull, sizeof(dirfull), "%s/%s", pl->dir, dirname);
1577  if (ret < 0 || (size_t)ret >= sizeof(dirfull)) {
1578  SCLogError(SC_ERR_SPRINTF,"failed to construct path");
1579  goto error;
1580  }
1581 
1582  /* if mkdir fails file open will fail, so deal with errors there */
1583  (void)SCMkDir(dirfull, 0700);
1584 
1585  if ((pf->dirname = SCStrdup(dirfull)) == NULL) {
1586  SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory for "
1587  "directory name");
1588  goto error;
1589  }
1590 
1591  int written;
1592  if (pl->timestamp_format == TS_FORMAT_SEC) {
1593  written = snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32 "%s",
1594  dirfull, pl->prefix, (uint32_t)ts.tv_sec, pl->suffix);
1595  } else {
1596  written = snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32 ".%" PRIu32 "%s",
1597  dirfull, pl->prefix, (uint32_t)ts.tv_sec,
1598  (uint32_t)ts.tv_usec, pl->suffix);
1599  }
1600  if (written == PATH_MAX) {
1601  SCLogError(SC_ERR_SPRINTF,"log-pcap path overflow");
1602  goto error;
1603  }
1604  } else if (pl->mode == LOGMODE_NORMAL) {
1605  int ret;
1606  /* create the filename to use */
1607  if (pl->timestamp_format == TS_FORMAT_SEC) {
1608  ret = snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32 "%s", pl->dir,
1609  pl->prefix, (uint32_t)ts.tv_sec, pl->suffix);
1610  } else {
1611  ret = snprintf(filename, PATH_MAX,
1612  "%s/%s.%" PRIu32 ".%" PRIu32 "%s", pl->dir, pl->prefix,
1613  (uint32_t)ts.tv_sec, (uint32_t)ts.tv_usec, pl->suffix);
1614  }
1615  if (ret < 0 || (size_t)ret >= PATH_MAX) {
1616  SCLogError(SC_ERR_SPRINTF,"failed to construct path");
1617  goto error;
1618  }
1619  } else if (pl->mode == LOGMODE_MULTI) {
1620  if (pl->filename_part_cnt > 0) {
1621  /* assemble filename from stored tokens */
1622 
1623  strlcpy(filename, pl->dir, PATH_MAX);
1624  strlcat(filename, "/", PATH_MAX);
1625 
1626  int i;
1627  for (i = 0; i < pl->filename_part_cnt; i++) {
1628  if (pl->filename_parts[i] == NULL ||strlen(pl->filename_parts[i]) == 0)
1629  continue;
1630 
1631  /* handle variables */
1632  if (pl->filename_parts[i][0] == '%') {
1633  char str[64] = "";
1634  if (strlen(pl->filename_parts[i]) < 2)
1635  continue;
1636 
1637  switch(pl->filename_parts[i][1]) {
1638  case 'n':
1639  snprintf(str, sizeof(str), "%u", pl->thread_number);
1640  break;
1641  case 'i':
1642  {
1643  long thread_id = SCGetThreadIdLong();
1644  snprintf(str, sizeof(str), "%"PRIu64, (uint64_t)thread_id);
1645  break;
1646  }
1647  case 't':
1648  /* create the filename to use */
1649  if (pl->timestamp_format == TS_FORMAT_SEC) {
1650  snprintf(str, sizeof(str), "%"PRIu32, (uint32_t)ts.tv_sec);
1651  } else {
1652  snprintf(str, sizeof(str), "%"PRIu32".%"PRIu32,
1653  (uint32_t)ts.tv_sec, (uint32_t)ts.tv_usec);
1654  }
1655  }
1656  strlcat(filename, str, PATH_MAX);
1657 
1658  /* copy the rest over */
1659  } else {
1660  strlcat(filename, pl->filename_parts[i], PATH_MAX);
1661  }
1662  }
1663  strlcat(filename, pl->suffix, PATH_MAX);
1664  } else {
1665  int ret;
1666  /* create the filename to use */
1667  if (pl->timestamp_format == TS_FORMAT_SEC) {
1668  ret = snprintf(filename, PATH_MAX, "%s/%s.%u.%" PRIu32 "%s",
1669  pl->dir, pl->prefix, pl->thread_number,
1670  (uint32_t)ts.tv_sec, pl->suffix);
1671  } else {
1672  ret = snprintf(filename, PATH_MAX,
1673  "%s/%s.%u.%" PRIu32 ".%" PRIu32 "%s", pl->dir,
1674  pl->prefix, pl->thread_number, (uint32_t)ts.tv_sec,
1675  (uint32_t)ts.tv_usec, pl->suffix);
1676  }
1677  if (ret < 0 || (size_t)ret >= PATH_MAX) {
1678  SCLogError(SC_ERR_SPRINTF,"failed to construct path");
1679  goto error;
1680  }
1681  }
1682  SCLogDebug("multi-mode: filename %s", filename);
1683  }
1684 
1685  if ((pf->filename = SCStrdup(pl->filename)) == NULL) {
1686  SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory. For filename");
1687  goto error;
1688  }
1689  SCLogDebug("Opening pcap file log %s", pf->filename);
1690  TAILQ_INSERT_TAIL(&pl->pcap_file_list, pf, next);
1691 
1692  PCAPLOG_PROFILE_END(pl->profile_open);
1693  return 0;
1694 
1695 error:
1696  PcapFileNameFree(pf);
1697  return -1;
1698 }
1699 
1700 static int profiling_pcaplog_enabled = 0;
1701 static int profiling_pcaplog_output_to_file = 0;
1702 static char *profiling_pcaplog_file_name = NULL;
1703 static const char *profiling_pcaplog_file_mode = "a";
1704 
1705 static void FormatNumber(uint64_t num, char *str, size_t size)
1706 {
1707  if (num < 1000UL)
1708  snprintf(str, size, "%"PRIu64, num);
1709  else if (num < 1000000UL)
1710  snprintf(str, size, "%3.1fk", (float)num/1000UL);
1711  else if (num < 1000000000UL)
1712  snprintf(str, size, "%3.1fm", (float)num/1000000UL);
1713  else
1714  snprintf(str, size, "%3.1fb", (float)num/1000000000UL);
1715 }
1716 
1717 static void ProfileReportPair(FILE *fp, const char *name, PcapLogProfileData *p)
1718 {
1719  char ticks_str[32] = "n/a";
1720  char cnt_str[32] = "n/a";
1721  char avg_str[32] = "n/a";
1722 
1723  FormatNumber((uint64_t)p->cnt, cnt_str, sizeof(cnt_str));
1724  FormatNumber((uint64_t)p->total, ticks_str, sizeof(ticks_str));
1725  if (p->cnt && p->total)
1726  FormatNumber((uint64_t)(p->total/p->cnt), avg_str, sizeof(avg_str));
1727 
1728  fprintf(fp, "%-28s %-10s %-10s %-10s\n", name, cnt_str, avg_str, ticks_str);
1729 }
1730 
1731 static void ProfileReport(FILE *fp, PcapLogData *pl)
1732 {
1733  ProfileReportPair(fp, "open", &pl->profile_open);
1734  ProfileReportPair(fp, "close", &pl->profile_close);
1735  ProfileReportPair(fp, "write", &pl->profile_write);
1736  ProfileReportPair(fp, "rotate (incl open/close)", &pl->profile_rotate);
1737  ProfileReportPair(fp, "handles", &pl->profile_handles);
1738  ProfileReportPair(fp, "lock", &pl->profile_lock);
1739  ProfileReportPair(fp, "unlock", &pl->profile_unlock);
1740 }
1741 
1742 static void FormatBytes(uint64_t num, char *str, size_t size)
1743 {
1744  if (num < 1000UL)
1745  snprintf(str, size, "%"PRIu64, num);
1746  else if (num < 1048576UL)
1747  snprintf(str, size, "%3.1fKiB", (float)num/1000UL);
1748  else if (num < 1073741824UL)
1749  snprintf(str, size, "%3.1fMiB", (float)num/1000000UL);
1750  else
1751  snprintf(str, size, "%3.1fGiB", (float)num/1000000000UL);
1752 }
1753 
1754 static void PcapLogProfilingDump(PcapLogData *pl)
1755 {
1756  FILE *fp = NULL;
1757 
1758  if (profiling_pcaplog_enabled == 0)
1759  return;
1760 
1761  if (profiling_pcaplog_output_to_file == 1) {
1762  fp = fopen(profiling_pcaplog_file_name, profiling_pcaplog_file_mode);
1763  if (fp == NULL) {
1764  SCLogError(SC_ERR_FOPEN, "failed to open %s: %s",
1765  profiling_pcaplog_file_name, strerror(errno));
1766  return;
1767  }
1768  } else {
1769  fp = stdout;
1770  }
1771 
1772  /* counters */
1773  fprintf(fp, "\n\nOperation Cnt Avg ticks Total ticks\n");
1774  fprintf(fp, "---------------------------- ---------- ---------- -----------\n");
1775 
1776  ProfileReport(fp, pl);
1777  uint64_t total = pl->profile_write.total + pl->profile_rotate.total +
1778  pl->profile_handles.total + pl->profile_open.total +
1779  pl->profile_close.total + pl->profile_lock.total +
1780  pl->profile_unlock.total;
1781 
1782  /* overall stats */
1783  fprintf(fp, "\nOverall: %"PRIu64" bytes written, average %d bytes per write.\n",
1784  pl->profile_data_size, pl->profile_write.cnt ?
1785  (int)(pl->profile_data_size / pl->profile_write.cnt) : 0);
1786  fprintf(fp, " PCAP data structure overhead: %"PRIuMAX" per write.\n",
1787  (uintmax_t)sizeof(struct pcap_pkthdr));
1788 
1789  /* print total bytes written */
1790  char bytes_str[32];
1791  FormatBytes(pl->profile_data_size, bytes_str, sizeof(bytes_str));
1792  fprintf(fp, " Size written: %s\n", bytes_str);
1793 
1794  /* ticks per MiB and GiB */
1795  uint64_t ticks_per_mib = 0, ticks_per_gib = 0;
1796  uint64_t mib = pl->profile_data_size/(1024*1024);
1797  if (mib)
1798  ticks_per_mib = total/mib;
1799  char ticks_per_mib_str[32] = "n/a";
1800  if (ticks_per_mib > 0)
1801  FormatNumber(ticks_per_mib, ticks_per_mib_str, sizeof(ticks_per_mib_str));
1802  fprintf(fp, " Ticks per MiB: %s\n", ticks_per_mib_str);
1803 
1804  uint64_t gib = pl->profile_data_size/(1024*1024*1024);
1805  if (gib)
1806  ticks_per_gib = total/gib;
1807  char ticks_per_gib_str[32] = "n/a";
1808  if (ticks_per_gib > 0)
1809  FormatNumber(ticks_per_gib, ticks_per_gib_str, sizeof(ticks_per_gib_str));
1810  fprintf(fp, " Ticks per GiB: %s\n", ticks_per_gib_str);
1811 
1812  if (fp != stdout)
1813  fclose(fp);
1814 }
1815 
1816 void PcapLogProfileSetup(void)
1817 {
1818  ConfNode *conf = ConfGetNode("profiling.pcap-log");
1819  if (conf != NULL && ConfNodeChildValueIsTrue(conf, "enabled")) {
1820  profiling_pcaplog_enabled = 1;
1821  SCLogInfo("pcap-log profiling enabled");
1822 
1823  const char *filename = ConfNodeLookupChildValue(conf, "filename");
1824  if (filename != NULL) {
1825  const char *log_dir;
1826  log_dir = ConfigGetLogDirectory();
1827 
1828  profiling_pcaplog_file_name = SCMalloc(PATH_MAX);
1829  if (unlikely(profiling_pcaplog_file_name == NULL)) {
1830  SCLogError(SC_ERR_MEM_ALLOC, "can't duplicate file name");
1831  exit(EXIT_FAILURE);
1832  }
1833 
1834  snprintf(profiling_pcaplog_file_name, PATH_MAX, "%s/%s", log_dir, filename);
1835 
1836  const char *v = ConfNodeLookupChildValue(conf, "append");
1837  if (v == NULL || ConfValIsTrue(v)) {
1838  profiling_pcaplog_file_mode = "a";
1839  } else {
1840  profiling_pcaplog_file_mode = "w";
1841  }
1842 
1843  profiling_pcaplog_output_to_file = 1;
1844  SCLogInfo("pcap-log profiling output goes to %s (mode %s)",
1845  profiling_pcaplog_file_name, profiling_pcaplog_file_mode);
1846  }
1847  }
1848 }
SC_ATOMIC_DECLARE
SC_ATOMIC_DECLARE(uint32_t, thread_cnt)
PcapLogData_::filename
char * filename
Definition: log-pcap.c:148
SCMutex
#define SCMutex
Definition: threads-debug.h:114
TAILQ_INSERT_BEFORE
#define TAILQ_INSERT_BEFORE(listelm, elm, field)
Definition: queue.h:405
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
PcapLogRegister
void PcapLogRegister(void)
Definition: log-pcap.c:205
USE_STREAM_DEPTH_ENABLED
#define USE_STREAM_DEPTH_ENABLED
Definition: log-pcap.c:85
PcapLogData_::profile_open
PcapLogProfileData profile_open
Definition: log-pcap.c:164
TAILQ_FIRST
#define TAILQ_FIRST(head)
Definition: queue.h:339
PcapLogProfileData_
Definition: log-pcap.c:108
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:350
PcapLogData_::h
struct pcap_pkthdr * h
Definition: log-pcap.c:147
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:587
IS_TUNNEL_ROOT_PKT
#define IS_TUNNEL_ROOT_PKT(p)
Definition: decode.h:885
PcapLogData_::prev_day
int prev_day
Definition: log-pcap.c:150
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
OutputCtx_
Definition: tm-modules.h:78
PCAPLOG_PROFILE_END
#define PCAPLOG_PROFILE_END(prof)
Definition: log-pcap.c:218
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:265
PcapLogData_::size_current
uint64_t size_current
Definition: log-pcap.c:151
FALSE
#define FALSE
Definition: suricata-common.h:34
PcapLogData_::mode
int mode
Definition: log-pcap.c:149
SCFmemopen
#define SCFmemopen
Definition: util-fmemopen.h:52
SCMkDir
#define SCMkDir(a, b)
Definition: util-path.h:29
MAX_TOKS
#define MAX_TOKS
Definition: log-pcap.c:113
PcapLogCompressionData_::buffer
uint8_t * buffer
Definition: log-pcap.c:123
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
PcapLogData_::pkt_cnt
uint64_t pkt_cnt
Definition: log-pcap.c:146
PcapLogCompressionData_::buffer_size
uint64_t buffer_size
Definition: log-pcap.c:124
PcapLogData_::profile_unlock
PcapLogProfileData profile_unlock
Definition: log-pcap.c:161
PcapFileName_::dirname
char * dirname
Definition: log-pcap.c:96
RING_BUFFER_MODE_ENABLED
#define RING_BUFFER_MODE_ENABLED
Definition: log-pcap.c:79
PcapLogCompressionData_::pcap_buf_wrapper
FILE * pcap_buf_wrapper
Definition: log-pcap.c:132
strlcat
size_t strlcat(char *, const char *src, size_t siz)
Definition: util-strlcatu.c:45
SC_ATOMIC_ADD
#define SC_ATOMIC_ADD(name, val)
add a value to our atomic variable
Definition: util-atomic.h:107
PcapLogData_::honor_pass_rules
int honor_pass_rules
Definition: log-pcap.c:143
IS_TUNNEL_PKT
#define IS_TUNNEL_PKT(p)
Definition: decode.h:882
src
uint16_t src
Definition: app-layer-dnp3.h:2652
ByteExtractStringUint32
int ByteExtractStringUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:244
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
PcapLogProfileData_::cnt
uint64_t cnt
Definition: log-pcap.c:110
PcapLogData_::pcap_dumper
pcap_dumper_t * pcap_dumper
Definition: log-pcap.c:154
PcapLogData_::profile_lock
PcapLogProfileData profile_lock
Definition: log-pcap.c:159
TAILQ_HEAD
#define TAILQ_HEAD(name, type)
Definition: queue.h:321
PcapFileName_::secs
uint64_t secs
Definition: log-pcap.c:101
PcapLogData_::file_cnt
uint32_t file_cnt
Definition: log-pcap.c:156
TRUE
#define TRUE
Definition: suricata-common.h:33
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
PcapLogProfileSetup
void PcapLogProfileSetup(void)
Definition: log-pcap.c:1816
PcapLogThreadData_
Definition: log-pcap.c:183
ConfNodeChildValueIsTrue
int ConfNodeChildValueIsTrue(const ConfNode *node, const char *key)
Test if a configuration node has a true value.
Definition: conf.c:888
PcapLogCompressionData_
Definition: log-pcap.c:121
OutputInitResult_
Definition: output.h:41
PcapLogData_::pcap_dead_handle
pcap_t * pcap_dead_handle
Definition: log-pcap.c:153
ParseSizeStringU64
int ParseSizeStringU64(const char *size, uint64_t *res)
Definition: util-misc.c:203
ByteExtractStringUint64
int ByteExtractStringUint64(uint64_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:239
SC_ATOMIC_INIT
#define SC_ATOMIC_INIT(name)
Initialize the previously declared atomic variable and it&#39;s lock.
Definition: util-atomic.h:81
PcapLogData_
Definition: log-pcap.c:141
str
#define str(s)
Definition: suricata-common.h:256
dst
uint16_t dst
Definition: app-layer-dnp3.h:2651
SCCalloc
#define SCCalloc(nm, a)
Definition: util-mem.h:253
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:843
OutputRegisterPacketModule
void OutputRegisterPacketModule(LoggerId id, const char *name, const char *conf_name, OutputInitFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output module.
Definition: output.c:163
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
PcapFileName_::filename
char * filename
Definition: log-pcap.c:95
SCLocalTime
struct tm * SCLocalTime(time_t timep, struct tm *result)
Definition: util-time.c:240
Packet_::datalink
int datalink
Definition: decode.h:575
TimeGet
void TimeGet(struct timeval *tv)
Definition: util-time.c:146
PcapLogCompressionData
struct PcapLogCompressionData_ PcapLogCompressionData
OutputInitResult_::ok
bool ok
Definition: output.h:43
TAILQ_INIT
#define TAILQ_INIT(head)
Definition: queue.h:370
PcapLogCompressionData_::pcap_buf_size
uint64_t pcap_buf_size
Definition: log-pcap.c:131
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
PcapLogData_::use_stream_depth
int use_stream_depth
Definition: log-pcap.c:142
SCGetThreadIdLong
#define SCGetThreadIdLong(...)
Definition: threads.h:253
PcapLogCompressionData_::bytes_in_block
uint64_t bytes_in_block
Definition: log-pcap.c:133
TAILQ_REMOVE
#define TAILQ_REMOVE(head, elm, field)
Definition: queue.h:412
PcapLogProfileData
struct PcapLogProfileData_ PcapLogProfileData
PcapLogCompressionData_::file
FILE * file
Definition: log-pcap.c:129
ConfValIsFalse
int ConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:591
PcapLogData_::is_private
int is_private
Definition: log-pcap.c:144
MIN_LIMIT
#define MIN_LIMIT
Definition: log-pcap.c:70
PKT_PSEUDO_STREAM_END
#define PKT_PSEUDO_STREAM_END
Definition: decode.h:1095
USE_STREAM_DEPTH_DISABLED
#define USE_STREAM_DEPTH_DISABLED
Definition: log-pcap.c:84
PKT_STREAM_NOPCAPLOG
#define PKT_STREAM_NOPCAPLOG
Definition: decode.h:1098
DEFAULT_FILE_LIMIT
#define DEFAULT_FILE_LIMIT
Definition: log-pcap.c:72
PathIsAbsolute
int PathIsAbsolute(const char *path)
Check if a path is absolute.
Definition: util-path.c:39
PcapLogData_::profile_close
PcapLogProfileData profile_close
Definition: log-pcap.c:163
SCMutexInit
#define SCMutexInit(mut, mutattrs)
Definition: threads-debug.h:116
Packet_
Definition: decode.h:408
LOGMODE_SGUIL
#define LOGMODE_SGUIL
Definition: log-pcap.c:75
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:281
PcapLogData_::profile_handles
PcapLogProfileData profile_handles
Definition: log-pcap.c:162
PcapLogData_::size_limit
uint64_t size_limit
Definition: log-pcap.c:152
PcapLogData_::profile_write
PcapLogProfileData profile_write
Definition: log-pcap.c:160
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:566
RING_BUFFER_MODE_DISABLED
#define RING_BUFFER_MODE_DISABLED
Definition: log-pcap.c:78
TAILQ_INSERT_TAIL
#define TAILQ_INSERT_TAIL(head, elm, field)
Definition: queue.h:385
HONOR_PASS_RULES_ENABLED
#define HONOR_PASS_RULES_ENABLED
Definition: log-pcap.c:88
ConfNode_
Definition: conf.h:32
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:42
ConfigGetLogDirectory
const char * ConfigGetLogDirectory()
Definition: util-conf.c:36
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:222
PcapLogThreadData
struct PcapLogThreadData_ PcapLogThreadData
PcapLogData_::max_files
uint32_t max_files
Definition: log-pcap.c:157
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:254
LOGMODE_MULTI
#define LOGMODE_MULTI
Definition: log-pcap.c:76
SCFree
#define SCFree(a)
Definition: util-mem.h:322
PcapLogThreadData_::pcap_log
PcapLogData * pcap_log
Definition: log-pcap.c:184
DEFAULT_LIMIT
#define DEFAULT_LIMIT
Definition: log-pcap.c:71
SCLogNotice
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:269
TAILQ_ENTRY
#define TAILQ_ENTRY(type)
Definition: queue.h:330
PcapLogCompressionData_::pcap_buf
uint8_t * pcap_buf
Definition: log-pcap.c:130
PcapLogData_::plog_lock
SCMutex plog_lock
Definition: log-pcap.c:145
PcapFileName_::usecs
uint32_t usecs
Definition: log-pcap.c:102
PcapLogData_::profile_rotate
PcapLogProfileData profile_rotate
Definition: log-pcap.c:165
PKT_NOPACKET_INSPECTION
#define PKT_NOPACKET_INSPECTION
Definition: decode.h:1087
OutputCtx_::data
void * data
Definition: tm-modules.h:81
FatalError
#define FatalError(x,...)
Definition: util-debug.h:559
PcapLogProfileData_::total
uint64_t total
Definition: log-pcap.c:109
ConfGetNode
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
Definition: conf.c:176
TS_FORMAT_SEC
#define TS_FORMAT_SEC
Definition: log-pcap.c:81
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:226
LOGMODE_NORMAL
#define LOGMODE_NORMAL
Definition: log-pcap.c:74
ConfGetChildValueInt
int ConfGetChildValueInt(const ConfNode *base, const char *name, intmax_t *val)
Definition: conf.c:469
PcapLogCompressionFormat
PcapLogCompressionFormat
Definition: log-pcap.c:116
SCStrdup
#define SCStrdup(a)
Definition: util-mem.h:268
MAX_FILENAMELEN
#define MAX_FILENAMELEN
Definition: log-pcap.c:114
DEFAULT_LOG_FILENAME
#define DEFAULT_LOG_FILENAME
Definition: log-pcap.c:68
PcapLogCompressionData_::format
enum PcapLogCompressionFormat format
Definition: log-pcap.c:122
HONOR_PASS_RULES_DISABLED
#define HONOR_PASS_RULES_DISABLED
Definition: log-pcap.c:87
TAILQ_NEXT
#define TAILQ_NEXT(elm, field)
Definition: queue.h:341
PcapLogData_::profile_data_size
uint64_t profile_data_size
Definition: log-pcap.c:155
TAILQ_EMPTY
#define TAILQ_EMPTY(head)
Definition: queue.h:347
PCAP_SNAPLEN
#define PCAP_SNAPLEN
Definition: log-pcap.c:90
len
uint8_t len
Definition: app-layer-dnp3.h:2649
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
TS_FORMAT_USEC
#define TS_FORMAT_USEC
Definition: log-pcap.c:82
Packet_::ts
struct timeval ts
Definition: decode.h:452
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:225
Packet_::flags
uint32_t flags
Definition: decode.h:444
MODULE_NAME
#define MODULE_NAME
Definition: log-pcap.c:69
PcapFileName_
Definition: log-pcap.c:94
PCAPLOG_PROFILE_START
#define PCAPLOG_PROFILE_START
Definition: log-pcap.c:215