suricata
log-pcap.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2014 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 
19 /**
20  * \file
21  *
22  * \author William Metcalf <William.Metcalf@gmail.com>
23  * \author Victor Julien <victor@inliniac.net>
24  *
25  * Pcap packet logging module.
26  */
27 
28 #include "suricata-common.h"
29 #include "util-fmemopen.h"
30 
31 #ifdef HAVE_LIBLZ4
32 #include <lz4frame.h>
33 #endif /* HAVE_LIBLZ4 */
34 
35 #if defined(HAVE_DIRENT_H) && defined(HAVE_FNMATCH_H)
36 #define INIT_RING_BUFFER
37 #include <dirent.h>
38 #include <fnmatch.h>
39 #endif
40 
41 #include "debug.h"
42 #include "detect.h"
43 #include "flow.h"
44 #include "conf.h"
45 
46 #include "threads.h"
47 #include "threadvars.h"
48 #include "tm-threads.h"
49 
50 #include "util-unittest.h"
51 #include "log-pcap.h"
52 #include "decode-ipv4.h"
53 
54 #include "util-error.h"
55 #include "util-debug.h"
56 #include "util-time.h"
57 #include "util-byte.h"
58 #include "util-misc.h"
59 #include "util-cpu.h"
60 #include "util-atomic.h"
61 
62 #include "source-pcap.h"
63 
64 #include "output.h"
65 
66 #include "queue.h"
67 
68 #define DEFAULT_LOG_FILENAME "pcaplog"
69 #define MODULE_NAME "PcapLog"
70 #define MIN_LIMIT 4 * 1024 * 1024
71 #define DEFAULT_LIMIT 100 * 1024 * 1024
72 #define DEFAULT_FILE_LIMIT 0
73 
74 #define LOGMODE_NORMAL 0
75 #define LOGMODE_SGUIL 1
76 #define LOGMODE_MULTI 2
77 
78 #define RING_BUFFER_MODE_DISABLED 0
79 #define RING_BUFFER_MODE_ENABLED 1
80 
81 #define TS_FORMAT_SEC 0
82 #define TS_FORMAT_USEC 1
83 
84 #define USE_STREAM_DEPTH_DISABLED 0
85 #define USE_STREAM_DEPTH_ENABLED 1
86 
87 #define HONOR_PASS_RULES_DISABLED 0
88 #define HONOR_PASS_RULES_ENABLED 1
89 
90 #define PCAP_SNAPLEN 262144
91 
92 SC_ATOMIC_DECLARE(uint32_t, thread_cnt);
93 
94 typedef struct PcapFileName_ {
95  char *filename;
96  char *dirname;
97 
98  /* Like a struct timeval, but with fixed size. This is only used when
99  * seeding the ring buffer on start. */
100  struct {
101  uint64_t secs;
102  uint32_t usecs;
103  };
104 
105  TAILQ_ENTRY(PcapFileName_) next; /**< Pointer to next Pcap File for tailq. */
106 } PcapFileName;
107 
108 typedef struct PcapLogProfileData_ {
109  uint64_t total;
110  uint64_t cnt;
112 
113 #define MAX_TOKS 9
114 #define MAX_FILENAMELEN 513
115 
119 };
120 
121 typedef struct PcapLogCompressionData_ {
123  uint8_t *buffer;
124  uint64_t buffer_size;
125 #ifdef HAVE_LIBLZ4
126  LZ4F_compressionContext_t lz4f_context;
127  LZ4F_preferences_t lz4f_prefs;
128 #endif /* HAVE_LIBLZ4 */
129  FILE *file;
130  uint8_t *pcap_buf;
131  uint64_t pcap_buf_size;
133  uint64_t bytes_in_block;
135 
136 /**
137  * PcapLog thread vars
138  *
139  * Used for storing file options.
140  */
141 typedef struct PcapLogData_ {
142  int use_stream_depth; /**< use stream depth i.e. ignore packets that reach limit */
143  int honor_pass_rules; /**< don't log if pass rules have matched */
144  int is_private; /**< TRUE if ctx is thread local */
146  uint64_t pkt_cnt; /**< total number of packets */
147  struct pcap_pkthdr *h; /**< pcap header struct */
148  char *filename; /**< current filename */
149  int mode; /**< normal or sguil */
150  int prev_day; /**< last day, for finding out when */
151  uint64_t size_current; /**< file current size */
152  uint64_t size_limit; /**< file size limit */
153  pcap_t *pcap_dead_handle; /**< pcap_dumper_t needs a handle */
154  pcap_dumper_t *pcap_dumper; /**< actually writes the packets */
155  uint64_t profile_data_size; /**< track in bytes how many bytes we wrote */
156  uint32_t file_cnt; /**< count of pcap files we currently have */
157  uint32_t max_files; /**< maximum files to use in ring buffer mode */
158 
166 
167  TAILQ_HEAD(, PcapFileName_) pcap_file_list;
168 
169  uint32_t thread_number; /**< thread number, first thread is 1, second 2, etc */
170  int use_ringbuffer; /**< ring buffer mode enabled or disabled */
171  int timestamp_format; /**< timestamp format sec or usec */
172  char *prefix; /**< filename prefix */
173  const char *suffix; /**< filename suffix */
174  char dir[PATH_MAX]; /**< pcap log directory */
175  int reported;
176  int threads; /**< number of threads (only set in the global) */
177  char *filename_parts[MAX_TOKS];
178  int filename_part_cnt;
179 
180  PcapLogCompressionData compression;
181 } PcapLogData;
182 
183 typedef struct PcapLogThreadData_ {
186 
187 /* Pattern for extracting timestamp from pcap log files. */
188 static const char timestamp_pattern[] = ".*?(\\d+)(\\.(\\d+))?";
189 static pcre *pcre_timestamp_code = NULL;
190 static pcre_extra *pcre_timestamp_extra = NULL;
191 
192 /* global pcap data for when we're using multi mode. At exit we'll
193  * merge counters into this one and then report counters. */
194 static PcapLogData *g_pcap_data = NULL;
195 
196 static int PcapLogOpenFileCtx(PcapLogData *);
197 static int PcapLog(ThreadVars *, void *, const Packet *);
198 static TmEcode PcapLogDataInit(ThreadVars *, const void *, void **);
199 static TmEcode PcapLogDataDeinit(ThreadVars *, void *);
200 static void PcapLogFileDeInitCtx(OutputCtx *);
201 static OutputInitResult PcapLogInitCtx(ConfNode *);
202 static void PcapLogProfilingDump(PcapLogData *);
203 static int PcapLogCondition(ThreadVars *, const Packet *);
204 
205 void PcapLogRegister(void)
206 {
208  PcapLogInitCtx, PcapLog, PcapLogCondition, PcapLogDataInit,
209  PcapLogDataDeinit, NULL);
211  SC_ATOMIC_INIT(thread_cnt);
212  return;
213 }
214 
215 #define PCAPLOG_PROFILE_START \
216  uint64_t pcaplog_profile_ticks = UtilCpuGetTicks()
217 
218 #define PCAPLOG_PROFILE_END(prof) \
219  (prof).total += (UtilCpuGetTicks() - pcaplog_profile_ticks); \
220  (prof).cnt++
221 
222 static int PcapLogCondition(ThreadVars *tv, const Packet *p)
223 {
224  if (p->flags & PKT_PSEUDO_STREAM_END) {
225  return FALSE;
226  }
227  if (IS_TUNNEL_PKT(p) && !IS_TUNNEL_ROOT_PKT(p)) {
228  return FALSE;
229  }
230  return TRUE;
231 }
232 
233 /**
234  * \brief Function to close pcaplog file
235  *
236  * \param t Thread Variable containing input/output queue, cpu affinity etc.
237  * \param pl PcapLog thread variable.
238  */
239 static int PcapLogCloseFile(ThreadVars *t, PcapLogData *pl)
240 {
241  if (pl != NULL) {
243 
244  if (pl->pcap_dumper != NULL) {
245  pcap_dump_close(pl->pcap_dumper);
246 #ifdef HAVE_LIBLZ4
247  PcapLogCompressionData *comp = &pl->compression;
249  /* pcap_dump_close() has closed its output ``file'',
250  * so we need to call fmemopen again. */
251 
252  comp->pcap_buf_wrapper = SCFmemopen(comp->pcap_buf,
253  comp->pcap_buf_size, "w");
254  if (comp->pcap_buf_wrapper == NULL) {
255  SCLogError(SC_ERR_FOPEN, "SCFmemopen failed: %s",
256  strerror(errno));
257  return TM_ECODE_FAILED;
258  }
259  }
260 #endif /* HAVE_LIBLZ4 */
261  }
262  pl->size_current = 0;
263  pl->pcap_dumper = NULL;
264 
265  if (pl->pcap_dead_handle != NULL)
266  pcap_close(pl->pcap_dead_handle);
267  pl->pcap_dead_handle = NULL;
268 
269 #ifdef HAVE_LIBLZ4
270  PcapLogCompressionData *comp = &pl->compression;
272  /* pcap_dump_close did not write any data because we call
273  * pcap_dump_flush() after every write when writing
274  * compressed output. */
275  uint64_t bytes_written = LZ4F_compressEnd(comp->lz4f_context,
276  comp->buffer, comp->buffer_size, NULL);
277  if (LZ4F_isError(bytes_written)) {
278  SCLogError(SC_ERR_PCAP_LOG_COMPRESS, "LZ4F_compressEnd: %s",
279  LZ4F_getErrorName(bytes_written));
280  return TM_ECODE_FAILED;
281  }
282  if (fwrite(comp->buffer, 1, bytes_written, comp->file) < bytes_written) {
283  SCLogError(SC_ERR_FWRITE, "fwrite failed: %s", strerror(errno));
284  return TM_ECODE_FAILED;
285  }
286  fclose(comp->file);
287  comp->bytes_in_block = 0;
288  }
289 #endif /* HAVE_LIBLZ4 */
290 
292  }
293 
294  return 0;
295 }
296 
297 static void PcapFileNameFree(PcapFileName *pf)
298 {
299  if (pf != NULL) {
300  if (pf->filename != NULL) {
301  SCFree(pf->filename);
302  }
303  if (pf->dirname != NULL) {
304  SCFree(pf->dirname);
305  }
306  SCFree(pf);
307  }
308 
309  return;
310 }
311 
312 /**
313  * \brief Function to rotate pcaplog file
314  *
315  * \param t Thread Variable containing input/output queue, cpu affinity etc.
316  * \param pl PcapLog thread variable.
317  *
318  * \retval 0 on succces
319  * \retval -1 on failure
320  */
321 static int PcapLogRotateFile(ThreadVars *t, PcapLogData *pl)
322 {
323  PcapFileName *pf;
324  PcapFileName *pfnext;
325 
327 
328  if (PcapLogCloseFile(t,pl) < 0) {
329  SCLogDebug("PcapLogCloseFile failed");
330  return -1;
331  }
332 
333  if (pl->use_ringbuffer == RING_BUFFER_MODE_ENABLED && pl->file_cnt >= pl->max_files) {
334  pf = TAILQ_FIRST(&pl->pcap_file_list);
335  SCLogDebug("Removing pcap file %s", pf->filename);
336 
337  if (remove(pf->filename) != 0) {
338  // VJ remove can fail because file is already gone
339  //LogWarning(SC_ERR_PCAP_FILE_DELETE_FAILED,
340  // "failed to remove log file %s: %s",
341  // pf->filename, strerror( errno ));
342  }
343 
344  /* Remove directory if Sguil mode and no files left in sguil dir */
345  if (pl->mode == LOGMODE_SGUIL) {
346  pfnext = TAILQ_NEXT(pf,next);
347 
348  if (strcmp(pf->dirname, pfnext->dirname) == 0) {
349  SCLogDebug("Current entry dir %s and next entry %s "
350  "are equal: not removing dir",
351  pf->dirname, pfnext->dirname);
352  } else {
353  SCLogDebug("current entry %s and %s are "
354  "not equal: removing dir",
355  pf->dirname, pfnext->dirname);
356 
357  if (remove(pf->dirname) != 0) {
359  "failed to remove sguil log %s: %s",
360  pf->dirname, strerror( errno ));
361  }
362  }
363  }
364 
365  TAILQ_REMOVE(&pl->pcap_file_list, pf, next);
366  PcapFileNameFree(pf);
367  pl->file_cnt--;
368  }
369 
370  if (PcapLogOpenFileCtx(pl) < 0) {
371  SCLogError(SC_ERR_FOPEN, "opening new pcap log file failed");
372  return -1;
373  }
374  pl->file_cnt++;
375  SCLogDebug("file_cnt %u", pl->file_cnt);
376 
378  return 0;
379 }
380 
381 static int PcapLogOpenHandles(PcapLogData *pl, const Packet *p)
382 {
384 
385  SCLogDebug("Setting pcap-log link type to %u", p->datalink);
386 
387  if (pl->pcap_dead_handle == NULL) {
388  if ((pl->pcap_dead_handle = pcap_open_dead(p->datalink,
389  PCAP_SNAPLEN)) == NULL) {
390  SCLogDebug("Error opening dead pcap handle");
391  return TM_ECODE_FAILED;
392  }
393  }
394 
395  if (pl->pcap_dumper == NULL) {
396  if (pl->compression.format == PCAP_LOG_COMPRESSION_FORMAT_NONE) {
397  if ((pl->pcap_dumper = pcap_dump_open(pl->pcap_dead_handle,
398  pl->filename)) == NULL) {
399  SCLogInfo("Error opening dump file %s", pcap_geterr(pl->pcap_dead_handle));
400  return TM_ECODE_FAILED;
401  }
402  }
403 #ifdef HAVE_LIBLZ4
404  else if (pl->compression.format == PCAP_LOG_COMPRESSION_FORMAT_LZ4) {
405  PcapLogCompressionData *comp = &pl->compression;
406  if ((pl->pcap_dumper = pcap_dump_fopen(pl->pcap_dead_handle,
407  comp->pcap_buf_wrapper)) == NULL) {
408  SCLogError(SC_ERR_OPENING_FILE, "Error opening dump file %s",
409  pcap_geterr(pl->pcap_dead_handle));
410  return TM_ECODE_FAILED;
411  }
412  comp->file = fopen(pl->filename, "w");
413  if (comp->file == NULL) {
415  "Error opening file for compressed output: %s",
416  strerror(errno));
417  return TM_ECODE_FAILED;
418  }
419 
420  uint64_t bytes_written = LZ4F_compressBegin(comp->lz4f_context,
421  comp->buffer, comp->buffer_size, NULL);
422  if (LZ4F_isError(bytes_written)) {
423  SCLogError(SC_ERR_PCAP_LOG_COMPRESS, "LZ4F_compressBegin: %s",
424  LZ4F_getErrorName(bytes_written));
425  return TM_ECODE_FAILED;
426  }
427  if (fwrite(comp->buffer, 1, bytes_written, comp->file) < bytes_written) {
428  SCLogError(SC_ERR_FWRITE, "fwrite failed: %s", strerror(errno));
429  return TM_ECODE_FAILED;
430  }
431  }
432 #endif /* HAVE_LIBLZ4 */
433  }
434 
436  return TM_ECODE_OK;
437 }
438 
439 /** \internal
440  * \brief lock wrapper for main PcapLog() function
441  * NOTE: only meant for use in main PcapLog() function.
442  */
443 static void PcapLogLock(PcapLogData *pl)
444 {
445  if (!(pl->is_private)) {
447  SCMutexLock(&pl->plog_lock);
449  }
450 }
451 
452 /** \internal
453  * \brief unlock wrapper for main PcapLog() function
454  * NOTE: only meant for use in main PcapLog() function.
455  */
456 static void PcapLogUnlock(PcapLogData *pl)
457 {
458  if (!(pl->is_private)) {
460  SCMutexUnlock(&pl->plog_lock);
462  }
463 }
464 
465 /**
466  * \brief Pcap logging main function
467  *
468  * \param t threadvar
469  * \param p packet
470  * \param data thread module specific data
471  * \param pq pre-packet-queue
472  * \param postpq post-packet-queue
473  *
474  * \retval TM_ECODE_OK on succes
475  * \retval TM_ECODE_FAILED on serious error
476  */
477 static int PcapLog (ThreadVars *t, void *thread_data, const Packet *p)
478 {
479  size_t len;
480  int rotate = 0;
481  int ret = 0;
482 
483  PcapLogThreadData *td = (PcapLogThreadData *)thread_data;
484  PcapLogData *pl = td->pcap_log;
485 
486  if ((p->flags & PKT_PSEUDO_STREAM_END) ||
487  ((p->flags & PKT_STREAM_NOPCAPLOG) &&
489  (IS_TUNNEL_PKT(p) && !IS_TUNNEL_ROOT_PKT(p)) ||
491  {
492  return TM_ECODE_OK;
493  }
494 
495  PcapLogLock(pl);
496 
497  pl->pkt_cnt++;
498  pl->h->ts.tv_sec = p->ts.tv_sec;
499  pl->h->ts.tv_usec = p->ts.tv_usec;
500  pl->h->caplen = GET_PKT_LEN(p);
501  pl->h->len = GET_PKT_LEN(p);
502  len = sizeof(*pl->h) + GET_PKT_LEN(p);
503 
504  if (pl->filename == NULL) {
505  ret = PcapLogOpenFileCtx(pl);
506  if (ret < 0) {
507  PcapLogUnlock(pl);
508  return TM_ECODE_FAILED;
509  }
510  SCLogDebug("Opening PCAP log file %s", pl->filename);
511  }
512 
513  if (pl->mode == LOGMODE_SGUIL) {
514  struct tm local_tm;
515  struct tm *tms = SCLocalTime(p->ts.tv_sec, &local_tm);
516  if (tms->tm_mday != pl->prev_day) {
517  rotate = 1;
518  pl->prev_day = tms->tm_mday;
519  }
520  }
521 
522  PcapLogCompressionData *comp = &pl->compression;
524  if ((pl->size_current + len) > pl->size_limit || rotate) {
525  if (PcapLogRotateFile(t,pl) < 0) {
526  PcapLogUnlock(pl);
527  SCLogDebug("rotation of pcap failed");
528  return TM_ECODE_FAILED;
529  }
530  }
531  }
532 #ifdef HAVE_LIBLZ4
533  else if (comp->format == PCAP_LOG_COMPRESSION_FORMAT_LZ4) {
534  /* When writing compressed pcap logs, we have no way of knowing
535  * for sure whether adding this packet would cause the current
536  * file to exceed the size limit. Thus, we record the number of
537  * bytes that have been fed into lz4 since the last write, and
538  * act as if they would be written uncompressed. */
539 
540  if ((pl->size_current + comp->bytes_in_block + len) > pl->size_limit ||
541  rotate) {
542  if (PcapLogRotateFile(t,pl) < 0) {
543  PcapLogUnlock(pl);
544  SCLogDebug("rotation of pcap failed");
545  return TM_ECODE_FAILED;
546  }
547  }
548  }
549 #endif /* HAVE_LIBLZ4 */
550 
551  /* XXX pcap handles, nfq, pfring, can only have one link type ipfw? we do
552  * this here as we don't know the link type until we get our first packet */
553  if (pl->pcap_dead_handle == NULL || pl->pcap_dumper == NULL) {
554  if (PcapLogOpenHandles(pl, p) != TM_ECODE_OK) {
555  PcapLogUnlock(pl);
556  return TM_ECODE_FAILED;
557  }
558  }
559 
561  pcap_dump((u_char *)pl->pcap_dumper, pl->h, GET_PKT_DATA(p));
562  if (pl->compression.format == PCAP_LOG_COMPRESSION_FORMAT_NONE) {
563  pl->size_current += len;
564  }
565 #ifdef HAVE_LIBLZ4
566  else if (pl->compression.format == PCAP_LOG_COMPRESSION_FORMAT_LZ4) {
567  pcap_dump_flush(pl->pcap_dumper);
568  uint64_t in_size = (uint64_t)ftell(comp->pcap_buf_wrapper);
569  uint64_t out_size = LZ4F_compressUpdate(comp->lz4f_context,
570  comp->buffer, comp->buffer_size, comp->pcap_buf, in_size, NULL);
571  if (LZ4F_isError(len)) {
572  SCLogError(SC_ERR_PCAP_LOG_COMPRESS, "LZ4F_compressUpdate: %s",
573  LZ4F_getErrorName(len));
574  return TM_ECODE_FAILED;
575  }
576  if (fseek(pl->compression.pcap_buf_wrapper, 0, SEEK_SET) != 0) {
577  SCLogError(SC_ERR_FSEEK, "fseek failed: %s", strerror(errno));
578  return TM_ECODE_FAILED;
579  }
580  if (fwrite(comp->buffer, 1, out_size, comp->file) < out_size) {
581  SCLogError(SC_ERR_FWRITE, "fwrite failed: %s", strerror(errno));
582  return TM_ECODE_FAILED;
583  }
584  if (out_size > 0) {
585  pl->size_current += out_size;
586  comp->bytes_in_block = len;
587  } else {
588  comp->bytes_in_block += len;
589  }
590  }
591 #endif /* HAVE_LIBLZ4 */
592 
594  pl->profile_data_size += len;
595 
596  SCLogDebug("pl->size_current %"PRIu64", pl->size_limit %"PRIu64,
597  pl->size_current, pl->size_limit);
598 
599  PcapLogUnlock(pl);
600  return TM_ECODE_OK;
601 }
602 
603 static PcapLogData *PcapLogDataCopy(const PcapLogData *pl)
604 {
605  BUG_ON(pl->mode != LOGMODE_MULTI);
606  PcapLogData *copy = SCCalloc(1, sizeof(*copy));
607  if (unlikely(copy == NULL)) {
608  return NULL;
609  }
610 
611  copy->h = SCCalloc(1, sizeof(*copy->h));
612  if (unlikely(copy->h == NULL)) {
613  SCFree(copy);
614  return NULL;
615  }
616 
617  copy->prefix = SCStrdup(pl->prefix);
618  if (unlikely(copy->prefix == NULL)) {
619  SCFree(copy->h);
620  SCFree(copy);
621  return NULL;
622  }
623 
624  copy->suffix = pl->suffix;
625 
626  /* settings TODO move to global cfg struct */
627  copy->is_private = TRUE;
628  copy->mode = pl->mode;
629  copy->max_files = pl->max_files;
630  copy->use_ringbuffer = pl->use_ringbuffer;
631  copy->timestamp_format = pl->timestamp_format;
633  copy->size_limit = pl->size_limit;
634 
635  const PcapLogCompressionData *comp = &pl->compression;
636  PcapLogCompressionData *copy_comp = &copy->compression;
637  copy_comp->format = comp->format;
638 #ifdef HAVE_LIBLZ4
640  /* We need to allocate a new compression context and buffers for
641  * the copy. First copy the things that can simply be copied. */
642 
643  copy_comp->buffer_size = comp->buffer_size;
644  copy_comp->pcap_buf_size = comp->pcap_buf_size;
645  copy_comp->lz4f_prefs = comp->lz4f_prefs;
646 
647  /* Allocate the buffers. */
648 
649  copy_comp->buffer = SCMalloc(copy_comp->buffer_size);
650  if (copy_comp->buffer == NULL) {
651  SCLogError(SC_ERR_MEM_ALLOC, "SCMalloc failed: %s",
652  strerror(errno));
653  return NULL;
654  }
655  copy_comp->pcap_buf = SCMalloc(copy_comp->pcap_buf_size);
656  if (copy_comp->pcap_buf == NULL) {
657  SCLogError(SC_ERR_MEM_ALLOC, "SCMalloc failed: %s",
658  strerror(errno));
659  SCFree(copy_comp->buffer);
660  return NULL;
661  }
662  copy_comp->pcap_buf_wrapper = SCFmemopen(copy_comp->pcap_buf,
663  copy_comp->pcap_buf_size, "w");
664  if (copy_comp->pcap_buf_wrapper == NULL) {
665  SCLogError(SC_ERR_FOPEN, "SCFmemopen failed: %s", strerror(errno));
666  SCFree(copy_comp->buffer);
667  SCFree(copy_comp->pcap_buf);
668  return NULL;
669  }
670 
671  /* Initialize a new compression context. */
672 
673  LZ4F_errorCode_t errcode =
674  LZ4F_createCompressionContext(&copy_comp->lz4f_context, 1);
675  if (LZ4F_isError(errcode)) {
677  "LZ4F_createCompressionContext failed: %s",
678  LZ4F_getErrorName(errcode));
679  fclose(copy_comp->pcap_buf_wrapper);
680  SCFree(copy_comp->buffer);
681  SCFree(copy_comp->pcap_buf);
682  return NULL;
683  }
684 
685  /* Initialize the rest. */
686 
687  copy_comp->file = NULL;
688  copy_comp->bytes_in_block = 0;
689  }
690 #endif /* HAVE_LIBLZ4 */
691 
692  TAILQ_INIT(&copy->pcap_file_list);
693  SCMutexInit(&copy->plog_lock, NULL);
694 
695  strlcpy(copy->dir, pl->dir, sizeof(copy->dir));
696 
697  int i;
698  for (i = 0; i < pl->filename_part_cnt && i < MAX_TOKS; i++)
699  copy->filename_parts[i] = pl->filename_parts[i];
700  copy->filename_part_cnt = pl->filename_part_cnt;
701 
702  /* set thread number, first thread is 1 */
703  copy->thread_number = SC_ATOMIC_ADD(thread_cnt, 1);
704 
705  SCLogDebug("copied, returning %p", copy);
706  return copy;
707 }
708 
709 #ifdef INIT_RING_BUFFER
710 static int PcapLogGetTimeOfFile(const char *filename, uint64_t *secs,
711  uint32_t *usecs)
712 {
713  int pcre_ovecsize = 4 * 3;
714  int pcre_ovec[pcre_ovecsize];
715  char buf[PATH_MAX];
716 
717  int n = pcre_exec(pcre_timestamp_code, pcre_timestamp_extra,
718  filename, strlen(filename), 0, 0, pcre_ovec,
719  pcre_ovecsize);
720  if (n != 2 && n != 4) {
721  /* No match. */
722  return 0;
723  }
724 
725  if (n >= 2) {
726  /* Extract seconds. */
727  if (pcre_copy_substring(filename, pcre_ovec, pcre_ovecsize,
728  1, buf, sizeof(buf)) < 0) {
729  return 0;
730  }
731  if (ByteExtractStringUint64(secs, 10, 0, buf) < 0) {
732  return 0;
733  }
734  }
735  if (n == 4) {
736  /* Extract microseconds. */
737  if (pcre_copy_substring(filename, pcre_ovec, pcre_ovecsize,
738  3, buf, sizeof(buf)) < 0) {
739  return 0;
740  }
741  if (ByteExtractStringUint32(usecs, 10, 0, buf) < 0) {
742  return 0;
743  }
744  }
745 
746  return 1;
747 }
748 
749 static TmEcode PcapLogInitRingBuffer(PcapLogData *pl)
750 {
751  char pattern[PATH_MAX];
752 
753  SCLogInfo("Initializing PCAP ring buffer for %s/%s.",
754  pl->dir, pl->prefix);
755 
756  strlcpy(pattern, pl->dir, PATH_MAX);
757  if (pattern[strlen(pattern) - 1] != '/') {
758  strlcat(pattern, "/", PATH_MAX);
759  }
760  if (pl->mode == LOGMODE_MULTI) {
761  for (int i = 0; i < pl->filename_part_cnt; i++) {
762  char *part = pl->filename_parts[i];
763  if (part == NULL || strlen(part) == 0) {
764  continue;
765  }
766  if (part[0] != '%' || strlen(part) < 2) {
767  strlcat(pattern, part, PATH_MAX);
768  continue;
769  }
770  switch (part[1]) {
771  case 'i':
773  "Thread ID not allowed inring buffer mode.");
774  return TM_ECODE_FAILED;
775  case 'n': {
776  char tmp[PATH_MAX];
777  snprintf(tmp, PATH_MAX, "%"PRIu32, pl->thread_number);
778  strlcat(pattern, tmp, PATH_MAX);
779  break;
780  }
781  case 't':
782  strlcat(pattern, "*", PATH_MAX);
783  break;
784  default:
786  "Unsupported format character: %%%s", part);
787  return TM_ECODE_FAILED;
788  }
789  }
790  } else {
791  strlcat(pattern, pl->prefix, PATH_MAX);
792  strlcat(pattern, ".*", PATH_MAX);
793  }
794  strlcat(pattern, pl->suffix, PATH_MAX);
795 
796  char *basename = strrchr(pattern, '/');
797  *basename++ = '\0';
798 
799  /* Pattern is now just the directory name. */
800  DIR *dir = opendir(pattern);
801  if (dir == NULL) {
802  SCLogWarning(SC_ERR_DIR_OPEN, "Failed to open directory %s: %s",
803  pattern, strerror(errno));
804  return TM_ECODE_FAILED;
805  }
806 
807  for (;;) {
808  struct dirent *entry = readdir(dir);
809  if (entry == NULL) {
810  break;
811  }
812  if (fnmatch(basename, entry->d_name, 0) != 0) {
813  continue;
814  }
815 
816  uint64_t secs = 0;
817  uint32_t usecs = 0;
818 
819  if (!PcapLogGetTimeOfFile(entry->d_name, &secs, &usecs)) {
820  /* Failed to get time stamp out of file name. Not necessarily a
821  * failure as the file might just not be a pcap log file. */
822  continue;
823  }
824 
825  PcapFileName *pf = SCCalloc(sizeof(*pf), 1);
826  if (unlikely(pf == NULL)) {
827  goto fail;
828  }
829  char path[PATH_MAX];
830  if (snprintf(path, PATH_MAX, "%s/%s", pattern, entry->d_name) == PATH_MAX)
831  goto fail;
832 
833  if ((pf->filename = SCStrdup(path)) == NULL) {
834  goto fail;
835  }
836  if ((pf->dirname = SCStrdup(pattern)) == NULL) {
837  goto fail;
838  }
839  pf->secs = secs;
840  pf->usecs = usecs;
841 
842  if (TAILQ_EMPTY(&pl->pcap_file_list)) {
843  TAILQ_INSERT_TAIL(&pl->pcap_file_list, pf, next);
844  } else {
845  /* Ordered insert. */
846  PcapFileName *it = NULL;
847  TAILQ_FOREACH(it, &pl->pcap_file_list, next) {
848  if (pf->secs < it->secs) {
849  break;
850  } else if (pf->secs == it->secs && pf->usecs < it->usecs) {
851  break;
852  }
853  }
854  if (it == NULL) {
855  TAILQ_INSERT_TAIL(&pl->pcap_file_list, pf, next);
856  } else {
857  TAILQ_INSERT_BEFORE(it, pf, next);
858  }
859  }
860  pl->file_cnt++;
861  continue;
862 
863  fail:
864  if (pf != NULL) {
865  if (pf->filename != NULL) {
866  SCFree(pf->filename);
867  }
868  if (pf->dirname != NULL) {
869  SCFree(pf->dirname);
870  }
871  SCFree(pf);
872  }
873  break;
874  }
875 
876  if (pl->file_cnt > pl->max_files) {
877  PcapFileName *pf = TAILQ_FIRST(&pl->pcap_file_list);
878  while (pf != NULL && pl->file_cnt > pl->max_files) {
879  SCLogDebug("Removing PCAP file %s", pf->filename);
880  if (remove(pf->filename) != 0) {
882  "Failed to remove PCAP file %s: %s", pf->filename,
883  strerror(errno));
884  }
885  TAILQ_REMOVE(&pl->pcap_file_list, pf, next);
886  PcapFileNameFree(pf);
887  pf = TAILQ_FIRST(&pl->pcap_file_list);
888  pl->file_cnt--;
889  }
890  }
891 
892  closedir(dir);
893 
894  /* For some reason file count is initialized at one, instead of 0. */
895  SCLogNotice("Ring buffer initialized with %d files.", pl->file_cnt - 1);
896 
897  return TM_ECODE_OK;
898 }
899 #endif /* INIT_RING_BUFFER */
900 
901 static TmEcode PcapLogDataInit(ThreadVars *t, const void *initdata, void **data)
902 {
903  if (initdata == NULL) {
904  SCLogDebug("Error getting context for LogPcap. \"initdata\" argument NULL");
905  return TM_ECODE_FAILED;
906  }
907 
908  PcapLogData *pl = ((OutputCtx *)initdata)->data;
909 
910  PcapLogThreadData *td = SCCalloc(1, sizeof(*td));
911  if (unlikely(td == NULL))
912  return TM_ECODE_FAILED;
913 
914  if (pl->mode == LOGMODE_MULTI)
915  td->pcap_log = PcapLogDataCopy(pl);
916  else
917  td->pcap_log = pl;
918  BUG_ON(td->pcap_log == NULL);
919 
920  PcapLogLock(td->pcap_log);
921 
922  /** Use the Ouptut Context (file pointer and mutex) */
923  td->pcap_log->pkt_cnt = 0;
924  td->pcap_log->pcap_dead_handle = NULL;
925  td->pcap_log->pcap_dumper = NULL;
926  if (td->pcap_log->file_cnt < 1) {
927  td->pcap_log->file_cnt = 1;
928  }
929 
930  struct timeval ts;
931  memset(&ts, 0x00, sizeof(struct timeval));
932  TimeGet(&ts);
933  struct tm local_tm;
934  struct tm *tms = SCLocalTime(ts.tv_sec, &local_tm);
935  td->pcap_log->prev_day = tms->tm_mday;
936 
937  PcapLogUnlock(td->pcap_log);
938 
939  /* count threads in the global structure */
940  SCMutexLock(&pl->plog_lock);
941  pl->threads++;
942  SCMutexUnlock(&pl->plog_lock);
943 
944  *data = (void *)td;
945 
946  if (pl->max_files && (pl->mode == LOGMODE_MULTI || pl->threads == 1)) {
947 #ifdef INIT_RING_BUFFER
948  if (PcapLogInitRingBuffer(td->pcap_log) == TM_ECODE_FAILED) {
949  return TM_ECODE_FAILED;
950  }
951 #else
952  SCLogInfo("Unable to initialize ring buffer on this platform.");
953 #endif /* INIT_RING_BUFFER */
954  }
955 
956  return TM_ECODE_OK;
957 }
958 
959 static void StatsMerge(PcapLogData *dst, PcapLogData *src)
960 {
961  dst->profile_open.total += src->profile_open.total;
962  dst->profile_open.cnt += src->profile_open.cnt;
963 
964  dst->profile_close.total += src->profile_close.total;
965  dst->profile_close.cnt += src->profile_close.cnt;
966 
967  dst->profile_write.total += src->profile_write.total;
968  dst->profile_write.cnt += src->profile_write.cnt;
969 
971  dst->profile_rotate.cnt += src->profile_rotate.cnt;
972 
974  dst->profile_handles.cnt += src->profile_handles.cnt;
975 
976  dst->profile_lock.total += src->profile_lock.total;
977  dst->profile_lock.cnt += src->profile_lock.cnt;
978 
980  dst->profile_unlock.cnt += src->profile_unlock.cnt;
981 
983 }
984 
985 static void PcapLogDataFree(PcapLogData *pl)
986 {
987 
988  PcapFileName *pf;
989  while ((pf = TAILQ_FIRST(&pl->pcap_file_list)) != NULL) {
990  TAILQ_REMOVE(&pl->pcap_file_list, pf, next);
991  PcapFileNameFree(pf);
992  }
993  if (pl == g_pcap_data) {
994  for (int i = 0; i < MAX_TOKS; i++) {
995  if (pl->filename_parts[i] != NULL) {
996  SCFree(pl->filename_parts[i]);
997  }
998  }
999  }
1000  SCFree(pl->h);
1001  SCFree(pl->filename);
1002  SCFree(pl->prefix);
1003 
1004 #ifdef HAVE_LIBLZ4
1005  if (pl->compression.format == PCAP_LOG_COMPRESSION_FORMAT_LZ4) {
1006  SCFree(pl->compression.buffer);
1007  fclose(pl->compression.pcap_buf_wrapper);
1008  SCFree(pl->compression.pcap_buf);
1009  LZ4F_errorCode_t errcode =
1010  LZ4F_freeCompressionContext(pl->compression.lz4f_context);
1011  if (LZ4F_isError(errcode)) {
1012  SCLogWarning(SC_ERR_MEM_ALLOC, "Error freeing lz4 context.");
1013  }
1014  }
1015 #endif /* HAVE_LIBLZ4 */
1016  SCFree(pl);
1017 }
1018 
1019 /**
1020  * \brief Thread deinit function.
1021  *
1022  * \param t Thread Variable containing input/output queue, cpu affinity etc.
1023  * \param data PcapLog thread data.
1024  * \retval TM_ECODE_OK on succces
1025  * \retval TM_ECODE_FAILED on failure
1026  */
1027 static TmEcode PcapLogDataDeinit(ThreadVars *t, void *thread_data)
1028 {
1029  PcapLogThreadData *td = (PcapLogThreadData *)thread_data;
1030  PcapLogData *pl = td->pcap_log;
1031 
1032  if (pl->pcap_dumper != NULL) {
1033  if (PcapLogCloseFile(t,pl) < 0) {
1034  SCLogDebug("PcapLogCloseFile failed");
1035  }
1036  }
1037 
1038  if (pl->mode == LOGMODE_MULTI) {
1039  SCMutexLock(&g_pcap_data->plog_lock);
1040  StatsMerge(g_pcap_data, pl);
1041  g_pcap_data->reported++;
1042  if (g_pcap_data->threads == g_pcap_data->reported)
1043  PcapLogProfilingDump(g_pcap_data);
1044  SCMutexUnlock(&g_pcap_data->plog_lock);
1045  } else {
1046  if (pl->reported == 0) {
1047  PcapLogProfilingDump(pl);
1048  pl->reported = 1;
1049  }
1050  }
1051 
1052  if (pl != g_pcap_data) {
1053  PcapLogDataFree(pl);
1054  }
1055 
1056  SCFree(td);
1057  return TM_ECODE_OK;
1058 }
1059 
1060 
1061 static int ParseFilename(PcapLogData *pl, const char *filename)
1062 {
1063  char *toks[MAX_TOKS] = { NULL };
1064  int tok = 0;
1065  char str[MAX_FILENAMELEN] = "";
1066  int s = 0;
1067  int i, x;
1068  char *p = NULL;
1069  size_t filename_len = 0;
1070 
1071  if (filename) {
1072  filename_len = strlen(filename);
1073  if (filename_len > (MAX_FILENAMELEN-1)) {
1074  SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid filename option. Max filename-length: %d",MAX_FILENAMELEN-1);
1075  goto error;
1076  }
1077 
1078  for (i = 0; i < (int)strlen(filename); i++) {
1079  if (tok >= MAX_TOKS) {
1081  "invalid filename option. Max 2 %%-sign options");
1082  goto error;
1083  }
1084 
1085  str[s++] = filename[i];
1086 
1087  if (filename[i] == '%') {
1088  str[s-1] = '\0';
1089  SCLogDebug("filename with %%-sign: %s", str);
1090 
1091  p = SCStrdup(str);
1092  if (p == NULL)
1093  goto error;
1094  toks[tok++] = p;
1095 
1096  s = 0;
1097 
1098  if (i+1 < (int)strlen(filename)) {
1099  if (tok >= MAX_TOKS) {
1101  "invalid filename option. Max 2 %%-sign options");
1102  goto error;
1103  }
1104 
1105  if (filename[i+1] != 'n' && filename[i+1] != 't' && filename[i+1] != 'i') {
1107  "invalid filename option. Valid %%-sign options: %%n, %%i and %%t");
1108  goto error;
1109  }
1110  str[0] = '%';
1111  str[1] = filename[i+1];
1112  str[2] = '\0';
1113  p = SCStrdup(str);
1114  if (p == NULL)
1115  goto error;
1116  toks[tok++] = p;
1117  i++;
1118  }
1119  }
1120  }
1121  if (s) {
1122  if (tok >= MAX_TOKS) {
1124  "invalid filename option. Max 3 %%-sign options");
1125  goto error;
1126 
1127  }
1128  str[s++] = '\0';
1129  p = SCStrdup(str);
1130  if (p == NULL)
1131  goto error;
1132  toks[tok++] = p;
1133  }
1134 
1135  /* finally, store tokens in the pl */
1136  for (i = 0; i < tok; i++) {
1137  if (toks[i] == NULL)
1138  goto error;
1139 
1140  SCLogDebug("toks[%d] %s", i, toks[i]);
1141  pl->filename_parts[i] = toks[i];
1142  }
1143  pl->filename_part_cnt = tok;
1144  }
1145  return 0;
1146 error:
1147  for (x = 0; x < MAX_TOKS; x++) {
1148  if (toks[x] != NULL)
1149  SCFree(toks[x]);
1150  }
1151  return -1;
1152 }
1153 
1154 /** \brief Fill in pcap logging struct from the provided ConfNode.
1155  * \param conf The configuration node for this output.
1156  * \retval output_ctx
1157  * */
1158 static OutputInitResult PcapLogInitCtx(ConfNode *conf)
1159 {
1160  OutputInitResult result = { NULL, false };
1161  const char *pcre_errbuf;
1162  int pcre_erroffset;
1163 
1164  PcapLogData *pl = SCMalloc(sizeof(PcapLogData));
1165  if (unlikely(pl == NULL)) {
1166  SCLogError(SC_ERR_MEM_ALLOC, "Failed to allocate Memory for PcapLogData");
1167  exit(EXIT_FAILURE);
1168  }
1169  memset(pl, 0, sizeof(PcapLogData));
1170 
1171  pl->h = SCMalloc(sizeof(*pl->h));
1172  if (pl->h == NULL) {
1174  "Failed to allocate Memory for pcap header struct");
1175  exit(EXIT_FAILURE);
1176  }
1177 
1178  /* Set the defaults */
1179  pl->mode = LOGMODE_NORMAL;
1181  pl->use_ringbuffer = RING_BUFFER_MODE_DISABLED;
1182  pl->timestamp_format = TS_FORMAT_SEC;
1185 
1186  TAILQ_INIT(&pl->pcap_file_list);
1187 
1188  SCMutexInit(&pl->plog_lock, NULL);
1189 
1190  /* Initialize PCREs. */
1191  pcre_timestamp_code = pcre_compile(timestamp_pattern, 0, &pcre_errbuf,
1192  &pcre_erroffset, NULL);
1193  if (pcre_timestamp_code == NULL) {
1195  "Failed to compile \"%s\" at offset %"PRIu32": %s",
1196  timestamp_pattern, pcre_erroffset, pcre_errbuf);
1197  }
1198  pcre_timestamp_extra = pcre_study(pcre_timestamp_code, 0, &pcre_errbuf);
1199  if (pcre_errbuf != NULL) {
1200  FatalError(SC_ERR_PCRE_STUDY, "Fail to study pcre: %s", pcre_errbuf);
1201  }
1202 
1203  /* conf params */
1204 
1205  const char *filename = NULL;
1206 
1207  if (conf != NULL) { /* To faciliate unit tests. */
1208  filename = ConfNodeLookupChildValue(conf, "filename");
1209  }
1210 
1211  if (filename == NULL)
1212  filename = DEFAULT_LOG_FILENAME;
1213 
1214  if ((pl->prefix = SCStrdup(filename)) == NULL) {
1215  exit(EXIT_FAILURE);
1216  }
1217 
1218  pl->suffix = "";
1219 
1220  if (filename) {
1221  if (ParseFilename(pl, filename) != 0)
1222  exit(EXIT_FAILURE);
1223  }
1224 
1225  pl->size_limit = DEFAULT_LIMIT;
1226  if (conf != NULL) {
1227  const char *s_limit = NULL;
1228  s_limit = ConfNodeLookupChildValue(conf, "limit");
1229  if (s_limit != NULL) {
1230  if (ParseSizeStringU64(s_limit, &pl->size_limit) < 0) {
1232  "Failed to initialize unified2 output, invalid limit: %s",
1233  s_limit);
1234  exit(EXIT_FAILURE);
1235  }
1236  if (pl->size_limit < 4096) {
1237  SCLogInfo("pcap-log \"limit\" value of %"PRIu64" assumed to be pre-1.2 "
1238  "style: setting limit to %"PRIu64"mb", pl->size_limit, pl->size_limit);
1239  uint64_t size = pl->size_limit * 1024 * 1024;
1240  pl->size_limit = size;
1241  } else if (pl->size_limit < MIN_LIMIT) {
1243  "Fail to initialize pcap-log output, limit less than "
1244  "allowed minimum.");
1245  exit(EXIT_FAILURE);
1246  }
1247  }
1248  }
1249 
1250  if (conf != NULL) {
1251  const char *s_mode = NULL;
1252  s_mode = ConfNodeLookupChildValue(conf, "mode");
1253  if (s_mode != NULL) {
1254  if (strcasecmp(s_mode, "sguil") == 0) {
1255  pl->mode = LOGMODE_SGUIL;
1256  } else if (strcasecmp(s_mode, "multi") == 0) {
1257  pl->mode = LOGMODE_MULTI;
1258  } else if (strcasecmp(s_mode, "normal") != 0) {
1260  "log-pcap: invalid mode \"%s\". Valid options: \"normal\", "
1261  "\"sguil\", or \"multi\" mode ", s_mode);
1262  exit(EXIT_FAILURE);
1263  }
1264  }
1265 
1266  const char *s_dir = NULL;
1267  s_dir = ConfNodeLookupChildValue(conf, "dir");
1268  if (s_dir == NULL) {
1269  s_dir = ConfNodeLookupChildValue(conf, "sguil-base-dir");
1270  }
1271  if (s_dir == NULL) {
1272  if (pl->mode == LOGMODE_SGUIL) {
1274  "log-pcap \"sguil\" mode requires \"sguil-base-dir\" "
1275  "option to be set.");
1276  exit(EXIT_FAILURE);
1277  } else {
1278  const char *log_dir = NULL;
1279  log_dir = ConfigGetLogDirectory();
1280 
1281  strlcpy(pl->dir,
1282  log_dir, sizeof(pl->dir));
1283  SCLogInfo("Using log dir %s", pl->dir);
1284  }
1285  } else {
1286  if (PathIsAbsolute(s_dir)) {
1287  strlcpy(pl->dir,
1288  s_dir, sizeof(pl->dir));
1289  } else {
1290  const char *log_dir = NULL;
1291  log_dir = ConfigGetLogDirectory();
1292 
1293  snprintf(pl->dir, sizeof(pl->dir), "%s/%s",
1294  log_dir, s_dir);
1295  }
1296 
1297  struct stat stat_buf;
1298  if (stat(pl->dir, &stat_buf) != 0) {
1299  SCLogError(SC_ERR_LOGDIR_CONFIG, "The sguil-base-dir directory \"%s\" "
1300  "supplied doesn't exist. Shutting down the engine",
1301  pl->dir);
1302  exit(EXIT_FAILURE);
1303  }
1304  SCLogInfo("Using log dir %s", pl->dir);
1305  }
1306 
1307  const char *compression_str = ConfNodeLookupChildValue(conf,
1308  "compression");
1309 
1310  PcapLogCompressionData *comp = &pl->compression;
1311  if (compression_str == NULL || strcmp(compression_str, "none") == 0) {
1313  comp->buffer = NULL;
1314  comp->buffer_size = 0;
1315  comp->file = NULL;
1316  comp->pcap_buf = NULL;
1317  comp->pcap_buf_size = 0;
1318  comp->pcap_buf_wrapper = NULL;
1319  } else if (strcmp(compression_str, "lz4") == 0) {
1320 #ifdef HAVE_LIBLZ4
1321  if (pl->mode == LOGMODE_SGUIL) {
1322  SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Compressed pcap "
1323  "logs are not possible in sguil mode");
1324  SCFree(pl->h);
1325  SCFree(pl);
1326  return result;
1327  }
1328  pl->compression.format = PCAP_LOG_COMPRESSION_FORMAT_LZ4;
1329 
1330  /* Use SCFmemopen so we can make pcap_dump write to a buffer. */
1331 
1332  comp->pcap_buf_size = sizeof(struct pcap_file_header) +
1333  sizeof(struct pcap_pkthdr) + PCAP_SNAPLEN;
1334  comp->pcap_buf = SCMalloc(comp->pcap_buf_size);
1335  if (comp->pcap_buf == NULL) {
1336  SCLogError(SC_ERR_MEM_ALLOC, "SCMalloc failed: %s",
1337  strerror(errno));
1338  exit(EXIT_FAILURE);
1339  }
1340  comp->pcap_buf_wrapper = SCFmemopen(comp->pcap_buf,
1341  comp->pcap_buf_size, "w");
1342  if (comp->pcap_buf_wrapper == NULL) {
1343  SCLogError(SC_ERR_FOPEN, "SCFmemopen failed: %s",
1344  strerror(errno));
1345  exit(EXIT_FAILURE);
1346  }
1347 
1348  /* Set lz4 preferences. */
1349 
1350  memset(&comp->lz4f_prefs, '\0', sizeof(comp->lz4f_prefs));
1351  comp->lz4f_prefs.frameInfo.blockSizeID = LZ4F_max4MB;
1352  comp->lz4f_prefs.frameInfo.blockMode = LZ4F_blockLinked;
1353  if (ConfNodeChildValueIsTrue(conf, "lz4-checksum")) {
1354  comp->lz4f_prefs.frameInfo.contentChecksumFlag = 1;
1355  }
1356  else {
1357  comp->lz4f_prefs.frameInfo.contentChecksumFlag = 0;
1358  }
1359  intmax_t lvl = 0;
1360  if (ConfGetChildValueInt(conf, "lz4-level", &lvl)) {
1361  if (lvl > 16) {
1362  lvl = 16;
1363  } else if (lvl < 0) {
1364  lvl = 0;
1365  }
1366  } else {
1367  lvl = 0;
1368  }
1369  comp->lz4f_prefs.compressionLevel = lvl;
1370 
1371  /* Allocate resources for lz4. */
1372 
1373  LZ4F_errorCode_t errcode =
1374  LZ4F_createCompressionContext(&pl->compression.lz4f_context, 1);
1375 
1376  if (LZ4F_isError(errcode)) {
1378  "LZ4F_createCompressionContext failed: %s",
1379  LZ4F_getErrorName(errcode));
1380  exit(EXIT_FAILURE);
1381  }
1382 
1383  /* Calculate the size of the lz4 output buffer. */
1384 
1385  comp->buffer_size = LZ4F_compressBound(comp->pcap_buf_size,
1386  &comp->lz4f_prefs);
1387 
1388  comp->buffer = SCMalloc(comp->buffer_size);
1389  if (unlikely(comp->buffer == NULL)) {
1390  SCLogError(SC_ERR_MEM_ALLOC, "Failed to allocate memory for "
1391  "lz4 output buffer.");
1392  exit(EXIT_FAILURE);
1393  }
1394 
1395  comp->bytes_in_block = 0;
1396 
1397  /* Add the lz4 file extension to the log files. */
1398 
1399  pl->suffix = ".lz4";
1400 #else
1401  SCLogError(SC_ERR_INVALID_ARGUMENT, "lz4 compression was selected "
1402  "in pcap-log, but suricata was not compiled with lz4 "
1403  "support.");
1404  PcapLogDataFree(pl);
1405  return result;
1406 #endif /* HAVE_LIBLZ4 */
1407  }
1408  else {
1409  SCLogError(SC_ERR_INVALID_ARGUMENT, "Unsupported pcap-log "
1410  "compression format: %s", compression_str);
1411  PcapLogDataFree(pl);
1412  return result;
1413  }
1414 
1415  SCLogInfo("Selected pcap-log compression method: %s", compression_str);
1416  }
1417 
1418  SCLogInfo("using %s logging", pl->mode == LOGMODE_SGUIL ?
1419  "Sguil compatible" : (pl->mode == LOGMODE_MULTI ? "multi" : "normal"));
1420 
1421  uint32_t max_file_limit = DEFAULT_FILE_LIMIT;
1422  if (conf != NULL) {
1423  const char *max_number_of_files_s = NULL;
1424  max_number_of_files_s = ConfNodeLookupChildValue(conf, "max-files");
1425  if (max_number_of_files_s != NULL) {
1426  if (ByteExtractStringUint32(&max_file_limit, 10, 0,
1427  max_number_of_files_s) == -1) {
1428  SCLogError(SC_ERR_INVALID_ARGUMENT, "Failed to initialize "
1429  "pcap-log output, invalid number of files limit: %s",
1430  max_number_of_files_s);
1431  exit(EXIT_FAILURE);
1432  } else if (max_file_limit < 1) {
1434  "Failed to initialize pcap-log output, limit less than "
1435  "allowed minimum.");
1436  exit(EXIT_FAILURE);
1437  } else {
1438  pl->max_files = max_file_limit;
1439  pl->use_ringbuffer = RING_BUFFER_MODE_ENABLED;
1440  }
1441  }
1442  }
1443 
1444  const char *ts_format = NULL;
1445  if (conf != NULL) { /* To faciliate unit tests. */
1446  ts_format = ConfNodeLookupChildValue(conf, "ts-format");
1447  }
1448  if (ts_format != NULL) {
1449  if (strcasecmp(ts_format, "usec") == 0) {
1450  pl->timestamp_format = TS_FORMAT_USEC;
1451  } else if (strcasecmp(ts_format, "sec") != 0) {
1453  "log-pcap ts_format specified %s is invalid must be"
1454  " \"sec\" or \"usec\"", ts_format);
1455  exit(EXIT_FAILURE);
1456  }
1457  }
1458 
1459  const char *use_stream_depth = NULL;
1460  if (conf != NULL) { /* To faciliate unit tests. */
1461  use_stream_depth = ConfNodeLookupChildValue(conf, "use-stream-depth");
1462  }
1463  if (use_stream_depth != NULL) {
1464  if (ConfValIsFalse(use_stream_depth)) {
1466  } else if (ConfValIsTrue(use_stream_depth)) {
1468  } else {
1470  "log-pcap use_stream_depth specified is invalid must be");
1471  exit(EXIT_FAILURE);
1472  }
1473  }
1474 
1475  const char *honor_pass_rules = NULL;
1476  if (conf != NULL) { /* To faciliate unit tests. */
1477  honor_pass_rules = ConfNodeLookupChildValue(conf, "honor-pass-rules");
1478  }
1479  if (honor_pass_rules != NULL) {
1480  if (ConfValIsFalse(honor_pass_rules)) {
1482  } else if (ConfValIsTrue(honor_pass_rules)) {
1484  } else {
1486  "log-pcap honor-pass-rules specified is invalid");
1487  exit(EXIT_FAILURE);
1488  }
1489  }
1490 
1491  /* create the output ctx and send it back */
1492 
1493  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
1494  if (unlikely(output_ctx == NULL)) {
1495  SCLogError(SC_ERR_MEM_ALLOC, "Failed to allocate memory for OutputCtx.");
1496  exit(EXIT_FAILURE);
1497  }
1498  output_ctx->data = pl;
1499  output_ctx->DeInit = PcapLogFileDeInitCtx;
1500  g_pcap_data = pl;
1501 
1502  result.ctx = output_ctx;
1503  result.ok = true;
1504  return result;
1505 }
1506 
1507 static void PcapLogFileDeInitCtx(OutputCtx *output_ctx)
1508 {
1509  if (output_ctx == NULL)
1510  return;
1511 
1512  PcapLogData *pl = output_ctx->data;
1513 
1514  PcapFileName *pf = NULL;
1515  TAILQ_FOREACH(pf, &pl->pcap_file_list, next) {
1516  SCLogDebug("PCAP files left at exit: %s\n", pf->filename);
1517  }
1518  PcapLogDataFree(pl);
1519  SCFree(output_ctx);
1520  return;
1521 }
1522 
1523 /**
1524  * \brief Read the config set the file pointer, open the file
1525  *
1526  * \param PcapLogData.
1527  *
1528  * \retval -1 if failure
1529  * \retval 0 if succesful
1530  */
1531 static int PcapLogOpenFileCtx(PcapLogData *pl)
1532 {
1533  char *filename = NULL;
1534 
1536 
1537  if (pl->filename != NULL)
1538  filename = pl->filename;
1539  else {
1540  filename = SCMalloc(PATH_MAX);
1541  if (unlikely(filename == NULL)) {
1542  return -1;
1543  }
1544  pl->filename = filename;
1545  }
1546 
1547  /** get the time so we can have a filename with seconds since epoch */
1548  struct timeval ts;
1549  memset(&ts, 0x00, sizeof(struct timeval));
1550  TimeGet(&ts);
1551 
1552  /* Place to store the name of our PCAP file */
1553  PcapFileName *pf = SCMalloc(sizeof(PcapFileName));
1554  if (unlikely(pf == NULL)) {
1555  return -1;
1556  }
1557  memset(pf, 0, sizeof(PcapFileName));
1558 
1559  if (pl->mode == LOGMODE_SGUIL) {
1560  struct tm local_tm;
1561  struct tm *tms = SCLocalTime(ts.tv_sec, &local_tm);
1562 
1563  char dirname[32], dirfull[PATH_MAX] = "";
1564 
1565  snprintf(dirname, sizeof(dirname), "%04d-%02d-%02d",
1566  tms->tm_year + 1900, tms->tm_mon + 1, tms->tm_mday);
1567 
1568  /* create the filename to use */
1569  int ret = snprintf(dirfull, sizeof(dirfull), "%s/%s", pl->dir, dirname);
1570  if (ret < 0 || (size_t)ret >= sizeof(dirfull)) {
1571  SCLogError(SC_ERR_SPRINTF,"failed to construct path");
1572  goto error;
1573  }
1574 
1575  /* if mkdir fails file open will fail, so deal with errors there */
1576  (void)SCMkDir(dirfull, 0700);
1577 
1578  if ((pf->dirname = SCStrdup(dirfull)) == NULL) {
1579  SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory for "
1580  "directory name");
1581  goto error;
1582  }
1583 
1584  int written;
1585  if (pl->timestamp_format == TS_FORMAT_SEC) {
1586  written = snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32 "%s",
1587  dirfull, pl->prefix, (uint32_t)ts.tv_sec, pl->suffix);
1588  } else {
1589  written = snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32 ".%" PRIu32 "%s",
1590  dirfull, pl->prefix, (uint32_t)ts.tv_sec,
1591  (uint32_t)ts.tv_usec, pl->suffix);
1592  }
1593  if (written == PATH_MAX) {
1594  SCLogError(SC_ERR_SPRINTF,"log-pcap path overflow");
1595  goto error;
1596  }
1597  } else if (pl->mode == LOGMODE_NORMAL) {
1598  int ret;
1599  /* create the filename to use */
1600  if (pl->timestamp_format == TS_FORMAT_SEC) {
1601  ret = snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32 "%s", pl->dir,
1602  pl->prefix, (uint32_t)ts.tv_sec, pl->suffix);
1603  } else {
1604  ret = snprintf(filename, PATH_MAX,
1605  "%s/%s.%" PRIu32 ".%" PRIu32 "%s", pl->dir, pl->prefix,
1606  (uint32_t)ts.tv_sec, (uint32_t)ts.tv_usec, pl->suffix);
1607  }
1608  if (ret < 0 || (size_t)ret >= PATH_MAX) {
1609  SCLogError(SC_ERR_SPRINTF,"failed to construct path");
1610  goto error;
1611  }
1612  } else if (pl->mode == LOGMODE_MULTI) {
1613  if (pl->filename_part_cnt > 0) {
1614  /* assemble filename from stored tokens */
1615 
1616  strlcpy(filename, pl->dir, PATH_MAX);
1617  strlcat(filename, "/", PATH_MAX);
1618 
1619  int i;
1620  for (i = 0; i < pl->filename_part_cnt; i++) {
1621  if (pl->filename_parts[i] == NULL ||strlen(pl->filename_parts[i]) == 0)
1622  continue;
1623 
1624  /* handle variables */
1625  if (pl->filename_parts[i][0] == '%') {
1626  char str[64] = "";
1627  if (strlen(pl->filename_parts[i]) < 2)
1628  continue;
1629 
1630  switch(pl->filename_parts[i][1]) {
1631  case 'n':
1632  snprintf(str, sizeof(str), "%u", pl->thread_number);
1633  break;
1634  case 'i':
1635  {
1636  long thread_id = SCGetThreadIdLong();
1637  snprintf(str, sizeof(str), "%"PRIu64, (uint64_t)thread_id);
1638  break;
1639  }
1640  case 't':
1641  /* create the filename to use */
1642  if (pl->timestamp_format == TS_FORMAT_SEC) {
1643  snprintf(str, sizeof(str), "%"PRIu32, (uint32_t)ts.tv_sec);
1644  } else {
1645  snprintf(str, sizeof(str), "%"PRIu32".%"PRIu32,
1646  (uint32_t)ts.tv_sec, (uint32_t)ts.tv_usec);
1647  }
1648  }
1649  strlcat(filename, str, PATH_MAX);
1650 
1651  /* copy the rest over */
1652  } else {
1653  strlcat(filename, pl->filename_parts[i], PATH_MAX);
1654  }
1655  }
1656  strlcat(filename, pl->suffix, PATH_MAX);
1657  } else {
1658  int ret;
1659  /* create the filename to use */
1660  if (pl->timestamp_format == TS_FORMAT_SEC) {
1661  ret = snprintf(filename, PATH_MAX, "%s/%s.%u.%" PRIu32 "%s",
1662  pl->dir, pl->prefix, pl->thread_number,
1663  (uint32_t)ts.tv_sec, pl->suffix);
1664  } else {
1665  ret = snprintf(filename, PATH_MAX,
1666  "%s/%s.%u.%" PRIu32 ".%" PRIu32 "%s", pl->dir,
1667  pl->prefix, pl->thread_number, (uint32_t)ts.tv_sec,
1668  (uint32_t)ts.tv_usec, pl->suffix);
1669  }
1670  if (ret < 0 || (size_t)ret >= PATH_MAX) {
1671  SCLogError(SC_ERR_SPRINTF,"failed to construct path");
1672  goto error;
1673  }
1674  }
1675  SCLogDebug("multi-mode: filename %s", filename);
1676  }
1677 
1678  if ((pf->filename = SCStrdup(pl->filename)) == NULL) {
1679  SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory. For filename");
1680  goto error;
1681  }
1682  SCLogDebug("Opening pcap file log %s", pf->filename);
1683  TAILQ_INSERT_TAIL(&pl->pcap_file_list, pf, next);
1684 
1686  return 0;
1687 
1688 error:
1689  PcapFileNameFree(pf);
1690  return -1;
1691 }
1692 
1693 static int profiling_pcaplog_enabled = 0;
1694 static int profiling_pcaplog_output_to_file = 0;
1695 static char *profiling_pcaplog_file_name = NULL;
1696 static const char *profiling_pcaplog_file_mode = "a";
1697 
1698 static void FormatNumber(uint64_t num, char *str, size_t size)
1699 {
1700  if (num < 1000UL)
1701  snprintf(str, size, "%"PRIu64, num);
1702  else if (num < 1000000UL)
1703  snprintf(str, size, "%3.1fk", (float)num/1000UL);
1704  else if (num < 1000000000UL)
1705  snprintf(str, size, "%3.1fm", (float)num/1000000UL);
1706  else
1707  snprintf(str, size, "%3.1fb", (float)num/1000000000UL);
1708 }
1709 
1710 static void ProfileReportPair(FILE *fp, const char *name, PcapLogProfileData *p)
1711 {
1712  char ticks_str[32] = "n/a";
1713  char cnt_str[32] = "n/a";
1714  char avg_str[32] = "n/a";
1715 
1716  FormatNumber((uint64_t)p->cnt, cnt_str, sizeof(cnt_str));
1717  FormatNumber((uint64_t)p->total, ticks_str, sizeof(ticks_str));
1718  if (p->cnt && p->total)
1719  FormatNumber((uint64_t)(p->total/p->cnt), avg_str, sizeof(avg_str));
1720 
1721  fprintf(fp, "%-28s %-10s %-10s %-10s\n", name, cnt_str, avg_str, ticks_str);
1722 }
1723 
1724 static void ProfileReport(FILE *fp, PcapLogData *pl)
1725 {
1726  ProfileReportPair(fp, "open", &pl->profile_open);
1727  ProfileReportPair(fp, "close", &pl->profile_close);
1728  ProfileReportPair(fp, "write", &pl->profile_write);
1729  ProfileReportPair(fp, "rotate (incl open/close)", &pl->profile_rotate);
1730  ProfileReportPair(fp, "handles", &pl->profile_handles);
1731  ProfileReportPair(fp, "lock", &pl->profile_lock);
1732  ProfileReportPair(fp, "unlock", &pl->profile_unlock);
1733 }
1734 
1735 static void FormatBytes(uint64_t num, char *str, size_t size)
1736 {
1737  if (num < 1000UL)
1738  snprintf(str, size, "%"PRIu64, num);
1739  else if (num < 1048576UL)
1740  snprintf(str, size, "%3.1fKiB", (float)num/1000UL);
1741  else if (num < 1073741824UL)
1742  snprintf(str, size, "%3.1fMiB", (float)num/1000000UL);
1743  else
1744  snprintf(str, size, "%3.1fGiB", (float)num/1000000000UL);
1745 }
1746 
1747 static void PcapLogProfilingDump(PcapLogData *pl)
1748 {
1749  FILE *fp = NULL;
1750 
1751  if (profiling_pcaplog_enabled == 0)
1752  return;
1753 
1754  if (profiling_pcaplog_output_to_file == 1) {
1755  fp = fopen(profiling_pcaplog_file_name, profiling_pcaplog_file_mode);
1756  if (fp == NULL) {
1757  SCLogError(SC_ERR_FOPEN, "failed to open %s: %s",
1758  profiling_pcaplog_file_name, strerror(errno));
1759  return;
1760  }
1761  } else {
1762  fp = stdout;
1763  }
1764 
1765  /* counters */
1766  fprintf(fp, "\n\nOperation Cnt Avg ticks Total ticks\n");
1767  fprintf(fp, "---------------------------- ---------- ---------- -----------\n");
1768 
1769  ProfileReport(fp, pl);
1770  uint64_t total = pl->profile_write.total + pl->profile_rotate.total +
1773  pl->profile_unlock.total;
1774 
1775  /* overall stats */
1776  fprintf(fp, "\nOverall: %"PRIu64" bytes written, average %d bytes per write.\n",
1778  (int)(pl->profile_data_size / pl->profile_write.cnt) : 0);
1779  fprintf(fp, " PCAP data structure overhead: %"PRIuMAX" per write.\n",
1780  (uintmax_t)sizeof(struct pcap_pkthdr));
1781 
1782  /* print total bytes written */
1783  char bytes_str[32];
1784  FormatBytes(pl->profile_data_size, bytes_str, sizeof(bytes_str));
1785  fprintf(fp, " Size written: %s\n", bytes_str);
1786 
1787  /* ticks per MiB and GiB */
1788  uint64_t ticks_per_mib = 0, ticks_per_gib = 0;
1789  uint64_t mib = pl->profile_data_size/(1024*1024);
1790  if (mib)
1791  ticks_per_mib = total/mib;
1792  char ticks_per_mib_str[32] = "n/a";
1793  if (ticks_per_mib > 0)
1794  FormatNumber(ticks_per_mib, ticks_per_mib_str, sizeof(ticks_per_mib_str));
1795  fprintf(fp, " Ticks per MiB: %s\n", ticks_per_mib_str);
1796 
1797  uint64_t gib = pl->profile_data_size/(1024*1024*1024);
1798  if (gib)
1799  ticks_per_gib = total/gib;
1800  char ticks_per_gib_str[32] = "n/a";
1801  if (ticks_per_gib > 0)
1802  FormatNumber(ticks_per_gib, ticks_per_gib_str, sizeof(ticks_per_gib_str));
1803  fprintf(fp, " Ticks per GiB: %s\n", ticks_per_gib_str);
1804 
1805  if (fp != stdout)
1806  fclose(fp);
1807 }
1808 
1810 {
1811  ConfNode *conf = ConfGetNode("profiling.pcap-log");
1812  if (conf != NULL && ConfNodeChildValueIsTrue(conf, "enabled")) {
1813  profiling_pcaplog_enabled = 1;
1814  SCLogInfo("pcap-log profiling enabled");
1815 
1816  const char *filename = ConfNodeLookupChildValue(conf, "filename");
1817  if (filename != NULL) {
1818  const char *log_dir;
1819  log_dir = ConfigGetLogDirectory();
1820 
1821  profiling_pcaplog_file_name = SCMalloc(PATH_MAX);
1822  if (unlikely(profiling_pcaplog_file_name == NULL)) {
1823  SCLogError(SC_ERR_MEM_ALLOC, "can't duplicate file name");
1824  exit(EXIT_FAILURE);
1825  }
1826 
1827  snprintf(profiling_pcaplog_file_name, PATH_MAX, "%s/%s", log_dir, filename);
1828 
1829  const char *v = ConfNodeLookupChildValue(conf, "append");
1830  if (v == NULL || ConfValIsTrue(v)) {
1831  profiling_pcaplog_file_mode = "a";
1832  } else {
1833  profiling_pcaplog_file_mode = "w";
1834  }
1835 
1836  profiling_pcaplog_output_to_file = 1;
1837  SCLogInfo("pcap-log profiling output goes to %s (mode %s)",
1838  profiling_pcaplog_file_name, profiling_pcaplog_file_mode);
1839  }
1840  }
1841 }
SC_ATOMIC_DECLARE(uint32_t, thread_cnt)
char * filename
Definition: log-pcap.c:148
#define TAILQ_INSERT_BEFORE(listelm, elm, field)
Definition: queue.h:405
#define SCLogDebug(...)
Definition: util-debug.h:335
void PcapLogRegister(void)
Definition: log-pcap.c:205
#define USE_STREAM_DEPTH_ENABLED
Definition: log-pcap.c:85
PcapLogProfileData profile_open
Definition: log-pcap.c:164
#define TAILQ_FIRST(head)
Definition: queue.h:339
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:350
struct pcap_pkthdr * h
Definition: log-pcap.c:147
struct HtpBodyChunk_ * next
#define IS_TUNNEL_ROOT_PKT(p)
Definition: decode.h:897
int prev_day
Definition: log-pcap.c:150
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
#define PCAPLOG_PROFILE_END(prof)
Definition: log-pcap.c:218
#define BUG_ON(x)
uint64_t size_current
Definition: log-pcap.c:151
#define FALSE
#define SCFmemopen
Definition: util-fmemopen.h:52
#define SCMkDir(a, b)
Definition: util-path.h:29
#define MAX_TOKS
Definition: log-pcap.c:113
#define unlikely(expr)
Definition: util-optimize.h:35
uint64_t pkt_cnt
Definition: log-pcap.c:146
PcapLogProfileData profile_unlock
Definition: log-pcap.c:161
char * dirname
Definition: log-pcap.c:96
#define RING_BUFFER_MODE_ENABLED
Definition: log-pcap.c:79
size_t strlcat(char *, const char *src, size_t siz)
Definition: util-strlcatu.c:45
#define SC_ATOMIC_ADD(name, val)
add a value to our atomic variable
Definition: util-atomic.h:108
int honor_pass_rules
Definition: log-pcap.c:143
#define IS_TUNNEL_PKT(p)
Definition: decode.h:894
uint16_t src
int ByteExtractStringUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:196
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
pcap_dumper_t * pcap_dumper
Definition: log-pcap.c:154
PcapLogProfileData profile_lock
Definition: log-pcap.c:159
#define TAILQ_HEAD(name, type)
Definition: queue.h:321
uint64_t secs
Definition: log-pcap.c:101
uint32_t file_cnt
Definition: log-pcap.c:156
#define TRUE
void PcapLogProfileSetup(void)
Definition: log-pcap.c:1809
int ConfNodeChildValueIsTrue(const ConfNode *node, const char *key)
Test if a configuration node has a true value.
Definition: conf.c:888
pcap_t * pcap_dead_handle
Definition: log-pcap.c:153
int ParseSizeStringU64(const char *size, uint64_t *res)
Definition: util-misc.c:203
int ByteExtractStringUint64(uint64_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:191
#define SC_ATOMIC_INIT(name)
Initialize the previously declared atomic variable and it&#39;s lock.
Definition: util-atomic.h:82
#define str(s)
uint16_t dst
#define SCCalloc(nm, a)
Definition: util-mem.h:205
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:843
void OutputRegisterPacketModule(LoggerId id, const char *name, const char *conf_name, OutputInitFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output module.
Definition: output.c:160
#define SCMutexUnlock(mut)
char * filename
Definition: log-pcap.c:95
struct tm * SCLocalTime(time_t timep, struct tm *result)
Definition: util-time.c:232
int datalink
Definition: decode.h:579
#define SCMutexInit(mut, mutattr)
void TimeGet(struct timeval *tv)
Definition: util-time.c:138
struct PcapLogCompressionData_ PcapLogCompressionData
#define TAILQ_INIT(head)
Definition: queue.h:370
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
int use_stream_depth
Definition: log-pcap.c:142
#define SCGetThreadIdLong(...)
Definition: threads.h:255
#define TAILQ_REMOVE(head, elm, field)
Definition: queue.h:412
struct PcapLogProfileData_ PcapLogProfileData
int ConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:591
int is_private
Definition: log-pcap.c:144
#define MIN_LIMIT
Definition: log-pcap.c:70
#define PKT_PSEUDO_STREAM_END
Definition: decode.h:1102
#define USE_STREAM_DEPTH_DISABLED
Definition: log-pcap.c:84
#define PKT_STREAM_NOPCAPLOG
Definition: decode.h:1105
#define DEFAULT_FILE_LIMIT
Definition: log-pcap.c:72
int PathIsAbsolute(const char *path)
Check if a path is absolute.
Definition: util-path.c:39
PcapLogProfileData profile_close
Definition: log-pcap.c:163
#define LOGMODE_SGUIL
Definition: log-pcap.c:75
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:281
PcapLogProfileData profile_handles
Definition: log-pcap.c:162
uint64_t size_limit
Definition: log-pcap.c:152
PcapLogProfileData profile_write
Definition: log-pcap.c:160
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:566
#define RING_BUFFER_MODE_DISABLED
Definition: log-pcap.c:78
#define TAILQ_INSERT_TAIL(head, elm, field)
Definition: queue.h:385
#define HONOR_PASS_RULES_ENABLED
Definition: log-pcap.c:88
Definition: conf.h:32
OutputCtx * ctx
Definition: output.h:42
const char * ConfigGetLogDirectory()
Definition: util-conf.c:36
#define SCMalloc(a)
Definition: util-mem.h:174
struct PcapLogThreadData_ PcapLogThreadData
uint32_t max_files
Definition: log-pcap.c:157
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:254
#define LOGMODE_MULTI
Definition: log-pcap.c:76
#define SCFree(a)
Definition: util-mem.h:236
PcapLogData * pcap_log
Definition: log-pcap.c:184
#define DEFAULT_LIMIT
Definition: log-pcap.c:71
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:269
#define TAILQ_ENTRY(type)
Definition: queue.h:330
SCMutex plog_lock
Definition: log-pcap.c:145
uint32_t usecs
Definition: log-pcap.c:102
PcapLogProfileData profile_rotate
Definition: log-pcap.c:165
#define PKT_NOPACKET_INSPECTION
Definition: decode.h:1094
#define SCMutex
void * data
Definition: tm-modules.h:81
#define FatalError(x,...)
Definition: util-debug.h:539
#define SCMutexLock(mut)
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
Definition: conf.c:176
#define TS_FORMAT_SEC
Definition: log-pcap.c:81
#define GET_PKT_DATA(p)
Definition: decode.h:224
#define LOGMODE_NORMAL
Definition: log-pcap.c:74
int ConfGetChildValueInt(const ConfNode *base, const char *name, intmax_t *val)
Definition: conf.c:469
PcapLogCompressionFormat
Definition: log-pcap.c:116
#define SCStrdup(a)
Definition: util-mem.h:220
#define MAX_FILENAMELEN
Definition: log-pcap.c:114
#define DEFAULT_LOG_FILENAME
Definition: log-pcap.c:68
enum PcapLogCompressionFormat format
Definition: log-pcap.c:122
#define HONOR_PASS_RULES_DISABLED
Definition: log-pcap.c:87
#define TAILQ_NEXT(elm, field)
Definition: queue.h:341
uint64_t profile_data_size
Definition: log-pcap.c:155
#define TAILQ_EMPTY(head)
Definition: queue.h:347
#define PCAP_SNAPLEN
Definition: log-pcap.c:90
uint8_t len
Per thread variable structure.
Definition: threadvars.h:57
#define TS_FORMAT_USEC
Definition: log-pcap.c:82
struct timeval ts
Definition: decode.h:450
#define GET_PKT_LEN(p)
Definition: decode.h:223
uint32_t flags
Definition: decode.h:442
#define MODULE_NAME
Definition: log-pcap.c:69
#define PCAPLOG_PROFILE_START
Definition: log-pcap.c:215