suricata
source-erf-file.c
Go to the documentation of this file.
1 /* Copyright (C) 2010-2014 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Endace Technology Limited.
22  *
23  * Support for reading ERF files.
24  *
25  * Only ethernet supported at this time.
26  */
27 
28 #include "suricata-common.h"
29 #include "suricata.h"
30 #include "tm-threads.h"
31 #include "source-erf-file.h"
32 
33 #define DAG_TYPE_ETH 2
34 
35 typedef struct DagFlags_ {
36  uint8_t iface:2;
37  uint8_t vlen:1;
38  uint8_t trunc:1;
39  uint8_t rxerror:1;
40  uint8_t dserror:1;
41  uint8_t reserved:1;
42  uint8_t direction:1;
43 } DagFlags;
44 
45 typedef struct DagRecord_ {
46  uint64_t ts;
47  uint8_t type;
48  DagFlags flags;
49  uint16_t rlen;
50  uint16_t lctr;
51  uint16_t wlen;
52  uint16_t pad;
53 } __attribute__((packed)) DagRecord;
54 
55 typedef struct ErfFileThreadVars_ {
56  ThreadVars *tv;
57  TmSlot *slot;
58 
59  FILE *erf;
60 
61  uint32_t pkts;
62  uint64_t bytes;
63 } ErfFileThreadVars;
64 
65 static inline TmEcode ReadErfRecord(ThreadVars *, Packet *, void *);
66 TmEcode ReceiveErfFileLoop(ThreadVars *, void *, void *);
67 TmEcode ReceiveErfFileThreadInit(ThreadVars *, const void *, void **);
68 void ReceiveErfFileThreadExitStats(ThreadVars *, void *);
69 TmEcode ReceiveErfFileThreadDeinit(ThreadVars *, void *);
70 
71 static TmEcode DecodeErfFileThreadInit(ThreadVars *, const void *, void **);
72 static TmEcode DecodeErfFileThreadDeinit(ThreadVars *tv, void *data);
73 static TmEcode DecodeErfFile(ThreadVars *, Packet *, void *);
74 
75 /**
76  * \brief Register the ERF file receiver (reader) module.
77  */
78 void
79 TmModuleReceiveErfFileRegister(void)
80 {
81  tmm_modules[TMM_RECEIVEERFFILE].name = "ReceiveErfFile";
82  tmm_modules[TMM_RECEIVEERFFILE].ThreadInit = ReceiveErfFileThreadInit;
83  tmm_modules[TMM_RECEIVEERFFILE].Func = NULL;
84  tmm_modules[TMM_RECEIVEERFFILE].PktAcqLoop = ReceiveErfFileLoop;
85  tmm_modules[TMM_RECEIVEERFFILE].PktAcqBreakLoop = NULL;
86  tmm_modules[TMM_RECEIVEERFFILE].ThreadExitPrintStats =
87  ReceiveErfFileThreadExitStats;
88  tmm_modules[TMM_RECEIVEERFFILE].ThreadDeinit = NULL;
89  tmm_modules[TMM_RECEIVEERFFILE].RegisterTests = NULL;
90  tmm_modules[TMM_RECEIVEERFFILE].cap_flags = 0;
91  tmm_modules[TMM_RECEIVEERFFILE].flags = TM_FLAG_RECEIVE_TM;
92 }
93 
94 /**
95  * \brief Register the ERF file decoder module.
96  */
97 void
98 TmModuleDecodeErfFileRegister(void)
99 {
100  tmm_modules[TMM_DECODEERFFILE].name = "DecodeErfFile";
101  tmm_modules[TMM_DECODEERFFILE].ThreadInit = DecodeErfFileThreadInit;
102  tmm_modules[TMM_DECODEERFFILE].Func = DecodeErfFile;
103  tmm_modules[TMM_DECODEERFFILE].ThreadExitPrintStats = NULL;
104  tmm_modules[TMM_DECODEERFFILE].ThreadDeinit = DecodeErfFileThreadDeinit;
105  tmm_modules[TMM_DECODEERFFILE].RegisterTests = NULL;
106  tmm_modules[TMM_DECODEERFFILE].cap_flags = 0;
107  tmm_modules[TMM_DECODEERFFILE].flags = TM_FLAG_DECODE_TM;
108 }
109 
110 /**
111  * \brief ERF file reading loop.
112  */
113 TmEcode ReceiveErfFileLoop(ThreadVars *tv, void *data, void *slot)
114 {
115  Packet *p = NULL;
116  ErfFileThreadVars *etv = (ErfFileThreadVars *)data;
117 
118  etv->slot = ((TmSlot *)slot)->slot_next;
119 
120  while (1) {
121  if (suricata_ctl_flags & SURICATA_STOP) {
122  SCReturnInt(TM_ECODE_OK);
123  }
124 
125  /* Make sure we have at least one packet in the packet pool,
126  * to prevent us from alloc'ing packets at line rate. */
127  PacketPoolWait();
128 
129  p = PacketGetFromQueueOrAlloc();
130  if (unlikely(p == NULL)) {
131  SCLogError(SC_ERR_MEM_ALLOC, "Failed to allocate a packet.");
132  EngineStop();
133  SCReturnInt(TM_ECODE_FAILED);
134  }
135  PKT_SET_SRC(p, PKT_SRC_WIRE);
136 
137  if (ReadErfRecord(tv, p, data) != TM_ECODE_OK) {
138  TmqhOutputPacketpool(etv->tv, p);
139  EngineStop();
140  SCReturnInt(TM_ECODE_FAILED);
141  }
142 
143  if (TmThreadsSlotProcessPkt(etv->tv, etv->slot, p) != TM_ECODE_OK) {
144  EngineStop();
145  SCReturnInt(TM_ECODE_FAILED);
146  }
147  }
148  SCReturnInt(TM_ECODE_FAILED);
149 }
150 
151 static inline TmEcode ReadErfRecord(ThreadVars *tv, Packet *p, void *data)
152 {
153  SCEnter();
154 
155  ErfFileThreadVars *etv = (ErfFileThreadVars *)data;
156  DagRecord dr;
157 
158  int r = fread(&dr, sizeof(DagRecord), 1, etv->erf);
159  if (r < 1) {
160  if (feof(etv->erf)) {
161  SCLogInfo("End of ERF file reached");
162  }
163  else {
164  SCLogInfo("Error reading ERF record");
165  }
166  SCReturnInt(TM_ECODE_FAILED);
167  }
168  int rlen = SCNtohs(dr.rlen);
169  int wlen = SCNtohs(dr.wlen);
170  r = fread(GET_PKT_DATA(p), rlen - sizeof(DagRecord), 1, etv->erf);
171  if (r < 1) {
172  if (feof(etv->erf)) {
173  SCLogInfo("End of ERF file reached");
174  }
175  else {
176  SCLogInfo("Error reading ERF record");
177  }
178  SCReturnInt(TM_ECODE_FAILED);
179  }
180 
181  /* Only support ethernet at this time. */
182  if (dr.type != DAG_TYPE_ETH) {
183  SCLogError(SC_ERR_UNIMPLEMENTED,
184  "DAG record type %d not implemented.", dr.type);
185  SCReturnInt(TM_ECODE_FAILED);
186  }
187 
188  GET_PKT_LEN(p) = wlen;
189  p->datalink = LINKTYPE_ETHERNET;
190 
191  /* Convert ERF time to timeval - from libpcap. */
192  uint64_t ts = dr.ts;
193  p->ts.tv_sec = ts >> 32;
194  ts = (ts & 0xffffffffULL) * 1000000;
195  ts += 0x80000000; /* rounding */
196  p->ts.tv_usec = ts >> 32;
197  if (p->ts.tv_usec >= 1000000) {
198  p->ts.tv_usec -= 1000000;
199  p->ts.tv_sec++;
200  }
201 
202  etv->pkts++;
203  etv->bytes += wlen;
204 
205  SCReturnInt(TM_ECODE_OK);
206 }
207 
208 /**
209  * \brief Initialize the ERF receiver thread.
210  */
211 TmEcode
212 ReceiveErfFileThreadInit(ThreadVars *tv, const void *initdata, void **data)
213 {
214  SCEnter();
215 
216  if (initdata == NULL) {
217  SCLogError(SC_ERR_INVALID_ARGUMENT, "Error: No filename provided.");
218  SCReturnInt(TM_ECODE_FAILED);
219  }
220 
221  FILE *erf = fopen((const char *)initdata, "r");
222  if (erf == NULL) {
223  SCLogError(SC_ERR_FOPEN, "Failed to open %s: %s", (char *)initdata,
224  strerror(errno));
225  exit(EXIT_FAILURE);
226  }
227 
228  ErfFileThreadVars *etv = SCMalloc(sizeof(ErfFileThreadVars));
229  if (unlikely(etv == NULL)) {
230  SCLogError(SC_ERR_MEM_ALLOC, "Failed to allocate memory for ERF file thread vars.");
231  fclose(erf);
232  SCReturnInt(TM_ECODE_FAILED);
233  }
234  memset(etv, 0, sizeof(*etv));
235  etv->erf = erf;
236  etv->tv = tv;
237  *data = (void *)etv;
238 
239  SCLogInfo("Processing ERF file %s", (char *)initdata);
240 
241  SCReturnInt(TM_ECODE_OK);
242 }
243 
244 /**
245  * \brief Initialize the ERF decoder thread.
246  */
247 TmEcode
248 DecodeErfFileThreadInit(ThreadVars *tv, const void *initdata, void **data)
249 {
250  SCEnter();
251  DecodeThreadVars *dtv = NULL;
252  dtv = DecodeThreadVarsAlloc(tv);
253 
254  if (dtv == NULL)
255  SCReturnInt(TM_ECODE_FAILED);
256 
257  DecodeRegisterPerfCounters(dtv, tv);
258 
259  *data = (void *)dtv;
260 
261  SCReturnInt(TM_ECODE_OK);
262 }
263 
264 TmEcode DecodeErfFileThreadDeinit(ThreadVars *tv, void *data)
265 {
266  if (data != NULL)
267  DecodeThreadVarsFree(tv, data);
268  SCReturnInt(TM_ECODE_OK);
269 }
270 
271 /**
272  * \brief Decode the ERF file.
273  *
274  * This function ups the decoder counters and then passes the packet
275  * off to the ethernet decoder.
276  */
277 TmEcode
278 DecodeErfFile(ThreadVars *tv, Packet *p, void *data)
279 {
280  SCEnter();
281  DecodeThreadVars *dtv = (DecodeThreadVars *)data;
282 
283  BUG_ON(PKT_IS_PSEUDOPKT(p));
284 
285  /* Update counters. */
286  DecodeUpdatePacketCounters(tv, dtv, p);
287 
288  DecodeEthernet(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p));
289 
290  PacketDecodeFinalize(tv, dtv, p);
291 
292  SCReturnInt(TM_ECODE_OK);
293 }
294 
295 /**
296  * \brief Print some stats to the log at program exit.
297  *
298  * \param tv Pointer to ThreadVars.
299  * \param data Pointer to data, ErfFileThreadVars.
300  */
301 void
302 ReceiveErfFileThreadExitStats(ThreadVars *tv, void *data)
303 {
304  ErfFileThreadVars *etv = (ErfFileThreadVars *)data;
305 
306  SCLogInfo("Packets: %"PRIu32"; Bytes: %"PRIu64, etv->pkts, etv->bytes);
307 }
TmModule_::cap_flags
uint8_t cap_flags
Definition: tm-modules.h:67
TMM_RECEIVEERFFILE
@ TMM_RECEIVEERFFILE
Definition: tm-threads-common.h:48
tm-threads.h
DagRecord_::type
uint8_t type
Definition: source-erf-file.c:47
ts
uint64_t ts
Definition: source-erf-file.c:2
DagRecord_::lctr
uint16_t lctr
Definition: source-erf-file.c:50
DAG_TYPE_ETH
#define DAG_TYPE_ETH
Definition: source-erf-file.c:33
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1115
DagRecord_::ts
uint64_t ts
Definition: source-erf-file.c:46
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DagFlags_::trunc
uint8_t trunc
Definition: source-erf-file.c:38
ReceiveErfFileThreadExitStats
void ReceiveErfFileThreadExitStats(ThreadVars *, void *)
Print some stats to the log at program exit.
Definition: source-erf-file.c:302
DagRecord_::flags
DagFlags flags
Definition: source-erf-file.c:48
TmModuleDecodeErfFileRegister
void TmModuleDecodeErfFileRegister(void)
Register the ERF file decoder module.
Definition: source-erf-file.c:98
SURICATA_STOP
#define SURICATA_STOP
Definition: suricata.h:95
PacketDecodeFinalize
void PacketDecodeFinalize(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
Finalize decoding of a packet.
Definition: decode.c:118
TmqhOutputPacketpool
void TmqhOutputPacketpool(ThreadVars *t, Packet *p)
Definition: tmqh-packetpool.c:449
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:79
TmModule_::PktAcqLoop
TmEcode(* PktAcqLoop)(ThreadVars *, void *, void *)
Definition: tm-modules.h:54
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:78
TmModule_::ThreadDeinit
TmEcode(* ThreadDeinit)(ThreadVars *, void *)
Definition: tm-modules.h:49
Packet_::datalink
int datalink
Definition: decode.h:575
PKT_SET_SRC
#define PKT_SET_SRC(p, src_val)
Definition: decode.h:1118
DecodeRegisterPerfCounters
void DecodeRegisterPerfCounters(DecodeThreadVars *dtv, ThreadVars *tv)
Definition: decode.c:477
PKT_SRC_WIRE
@ PKT_SRC_WIRE
Definition: decode.h:49
DagFlags_::rxerror
uint8_t rxerror
Definition: source-erf-file.c:39
DagFlags_::direction
uint8_t direction
Definition: source-erf-file.c:42
TmModule_::PktAcqBreakLoop
TmEcode(* PktAcqBreakLoop)(ThreadVars *, void *)
Definition: tm-modules.h:57
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:226
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
TmModule_::Func
TmEcode(* Func)(ThreadVars *, Packet *, void *)
Definition: tm-modules.h:52
DagRecord_::rlen
uint16_t rlen
Definition: source-erf-file.c:49
DagFlags_
Definition: source-erf-file.c:35
SC_ERR_INVALID_ARGUMENT
@ SC_ERR_INVALID_ARGUMENT
Definition: util-error.h:43
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:222
ErfFileThreadVars
ErfFileThreadVars
Definition: source-erf-file.c:63
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:265
PacketPoolWait
void PacketPoolWait(void)
Definition: tmqh-packetpool.c:148
SC_ERR_FOPEN
@ SC_ERR_FOPEN
Definition: util-error.h:74
Packet_
Definition: decode.h:408
TM_FLAG_DECODE_TM
#define TM_FLAG_DECODE_TM
Definition: tm-modules.h:32
tmm_modules
TmModule tmm_modules[TMM_SIZE]
Definition: tm-modules.c:33
wlen
uint16_t wlen
Definition: source-erf-file.c:7
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:225
TmModule_::RegisterTests
void(* RegisterTests)(void)
Definition: tm-modules.h:65
TmSlot_
Definition: tm-threads.h:52
DagFlags
struct DagFlags_ DagFlags
TmEcode
TmEcode
Definition: tm-threads-common.h:77
TMM_DECODEERFFILE
@ TMM_DECODEERFFILE
Definition: tm-threads-common.h:49
TmModule_::name
const char * name
Definition: tm-modules.h:44
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:254
TM_FLAG_RECEIVE_TM
#define TM_FLAG_RECEIVE_TM
Definition: tm-modules.h:31
TmModuleReceiveErfFileRegister
void TmModuleReceiveErfFileRegister(void)
Register the ERF file receiver (reader) module.
Definition: source-erf-file.c:79
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
ReceiveErfFileThreadDeinit
TmEcode ReceiveErfFileThreadDeinit(ThreadVars *, void *)
__attribute__
struct DagRecord_ __attribute__((packed))
DNP3 application object header.
Definition: source-erf-file.c:53
DecodeThreadVarsFree
void DecodeThreadVarsFree(ThreadVars *tv, DecodeThreadVars *dtv)
Definition: decode.c:636
Packet_::ts
struct timeval ts
Definition: decode.h:452
SCNtohs
#define SCNtohs(x)
Definition: suricata-common.h:375
suricata-common.h
DagFlags_::dserror
uint8_t dserror
Definition: source-erf-file.c:40
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
TmModule_::ThreadInit
TmEcode(* ThreadInit)(ThreadVars *, const void *, void **)
Definition: tm-modules.h:47
EngineStop
void EngineStop(void)
make sure threads can stop the engine by calling this function. Purpose: pcap file mode needs to be a...
Definition: suricata.c:414
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
SC_ERR_UNIMPLEMENTED
@ SC_ERR_UNIMPLEMENTED
Definition: util-error.h:118
TmModule_::ThreadExitPrintStats
void(* ThreadExitPrintStats)(ThreadVars *, void *)
Definition: tm-modules.h:48
DagFlags_::vlen
uint8_t vlen
Definition: source-erf-file.c:37
DagRecord_::wlen
uint16_t wlen
Definition: source-erf-file.c:51
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:622
DagFlags_::reserved
uint8_t reserved
Definition: source-erf-file.c:41
source-erf-file.h
DecodeThreadVarsAlloc
DecodeThreadVars * DecodeThreadVarsAlloc(ThreadVars *tv)
Alloc and setup DecodeThreadVars.
Definition: decode.c:617
DagFlags_::iface
uint8_t iface
Definition: source-erf-file.c:36
DagRecord_
Definition: source-erf-file.c:45
SC_ERR_MEM_ALLOC
@ SC_ERR_MEM_ALLOC
Definition: util-error.h:31
suricata.h
DagRecord_::pad
uint16_t pad
Definition: source-erf-file.c:52
ReceiveErfFileThreadInit
TmEcode ReceiveErfFileThreadInit(ThreadVars *, const void *, void **)
Initialize the ERF receiver thread.
Definition: source-erf-file.c:212
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341
ReceiveErfFileLoop
TmEcode ReceiveErfFileLoop(ThreadVars *, void *, void *)
ERF file reading loop.
Definition: source-erf-file.c:113
PacketGetFromQueueOrAlloc
Packet * PacketGetFromQueueOrAlloc(void)
Get a packet. We try to get a packet from the packetpool first, but if that is empty we alloc a packe...
Definition: decode.c:180
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-ethernet.c:41
TmModule_::flags
uint8_t flags
Definition: tm-modules.h:70
DecodeUpdatePacketCounters
void DecodeUpdatePacketCounters(ThreadVars *tv, const DecodeThreadVars *dtv, const Packet *p)
Definition: decode.c:583
LINKTYPE_ETHERNET
#define LINKTYPE_ETHERNET
Definition: decode.h:1057
suricata_ctl_flags
volatile uint8_t suricata_ctl_flags
Definition: suricata.c:198
rlen
uint16_t rlen
Definition: source-erf-file.c:5