suricata
source-pcap-file-helper.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Danny Browning <danny.browning@protectwise.com>
22  *
23  * File based pcap packet acquisition support
24  */
25 
26 #include "source-pcap-file-helper.h"
27 #include "util-checksum.h"
28 #include "util-profiling.h"
29 #include "source-pcap-file.h"
30 
31 extern int max_pending_packets;
32 extern PcapFileGlobalVars pcap_g;
33 
34 static void PcapFileCallbackLoop(char *user, struct pcap_pkthdr *h, u_char *pkt);
35 
36 void CleanupPcapFileFileVars(PcapFileFileVars *pfv)
37 {
38  if (pfv != NULL) {
39  if (pfv->pcap_handle != NULL) {
40  pcap_close(pfv->pcap_handle);
41  pfv->pcap_handle = NULL;
42  }
43  if (pfv->filename != NULL) {
44  if (pfv->shared != NULL && pfv->shared->should_delete) {
45  SCLogDebug("Deleting pcap file %s", pfv->filename);
46  if (unlink(pfv->filename) != 0) {
47  SCLogWarning(SC_ERR_PCAP_FILE_DELETE_FAILED,
48  "Failed to delete %s", pfv->filename);
49  }
50  }
51  SCFree(pfv->filename);
52  pfv->filename = NULL;
53  }
54  pfv->shared = NULL;
55  SCFree(pfv);
56  }
57 }
58 
59 void PcapFileCallbackLoop(char *user, struct pcap_pkthdr *h, u_char *pkt)
60 {
61  SCEnter();
62 
63  PcapFileFileVars *ptv = (PcapFileFileVars *)user;
64  Packet *p = PacketGetFromQueueOrAlloc();
65 
66  if (unlikely(p == NULL)) {
67  SCReturn;
68  }
69  PACKET_PROFILING_TMM_START(p, TMM_RECEIVEPCAPFILE);
70 
71  PKT_SET_SRC(p, PKT_SRC_WIRE);
72  p->ts.tv_sec = h->ts.tv_sec;
73  p->ts.tv_usec = h->ts.tv_usec;
74  SCLogDebug("p->ts.tv_sec %"PRIuMAX"", (uintmax_t)p->ts.tv_sec);
75  p->datalink = ptv->datalink;
76  p->pcap_cnt = ++pcap_g.cnt;
77 
78  p->pcap_v.tenant_id = ptv->shared->tenant_id;
79  ptv->shared->pkts++;
80  ptv->shared->bytes += h->caplen;
81 
82  if (unlikely(PacketCopyData(p, pkt, h->caplen))) {
83  TmqhOutputPacketpool(ptv->shared->tv, p);
84  PACKET_PROFILING_TMM_END(p, TMM_RECEIVEPCAPFILE);
85  SCReturn;
86  }
87 
88  /* We only check for checksum disable */
89  if (pcap_g.checksum_mode == CHECKSUM_VALIDATION_DISABLE) {
90  p->flags |= PKT_IGNORE_CHECKSUM;
91  } else if (pcap_g.checksum_mode == CHECKSUM_VALIDATION_AUTO) {
92  if (ChecksumAutoModeCheck(ptv->shared->pkts, p->pcap_cnt,
93  SC_ATOMIC_GET(pcap_g.invalid_checksums))) {
94  pcap_g.checksum_mode = CHECKSUM_VALIDATION_DISABLE;
95  p->flags |= PKT_IGNORE_CHECKSUM;
96  }
97  }
98 
99  PACKET_PROFILING_TMM_END(p, TMM_RECEIVEPCAPFILE);
100 
101  if (TmThreadsSlotProcessPkt(ptv->shared->tv, ptv->shared->slot, p) != TM_ECODE_OK) {
102  pcap_breakloop(ptv->pcap_handle);
103  ptv->shared->cb_result = TM_ECODE_FAILED;
104  }
105 
106  SCReturn;
107 }
108 
109 char pcap_filename[PATH_MAX] = "unknown";
110 
111 const char *PcapFileGetFilename(void)
112 {
113  return pcap_filename;
114 }
115 
116 /**
117  * \brief Main PCAP file reading Loop function
118  */
119 TmEcode PcapFileDispatch(PcapFileFileVars *ptv)
120 {
121  SCEnter();
122 
123  int packet_q_len = 64;
124  int r;
125  TmEcode loop_result = TM_ECODE_OK;
126  strlcpy(pcap_filename, ptv->filename, sizeof(pcap_filename));
127 
128  while (loop_result == TM_ECODE_OK) {
129  if (suricata_ctl_flags & SURICATA_STOP) {
130  SCReturnInt(TM_ECODE_OK);
131  }
132 
133  /* make sure we have at least one packet in the packet pool, to prevent
134  * us from alloc'ing packets at line rate */
135  PacketPoolWait();
136 
137  /* Right now we just support reading packets one at a time. */
138  r = pcap_dispatch(ptv->pcap_handle, packet_q_len,
139  (pcap_handler)PcapFileCallbackLoop, (u_char *)ptv);
140  if (unlikely(r == -1)) {
141  SCLogError(SC_ERR_PCAP_DISPATCH, "error code %" PRId32 " %s for %s",
142  r, pcap_geterr(ptv->pcap_handle), ptv->filename);
143  if (ptv->shared->cb_result == TM_ECODE_FAILED) {
144  SCReturnInt(TM_ECODE_FAILED);
145  }
146  loop_result = TM_ECODE_DONE;
147  } else if (unlikely(r == 0)) {
148  SCLogInfo("pcap file %s end of file reached (pcap err code %" PRId32 ")",
149  ptv->filename, r);
150  ptv->shared->files++;
151  loop_result = TM_ECODE_DONE;
152  } else if (ptv->shared->cb_result == TM_ECODE_FAILED) {
153  SCLogError(SC_ERR_PCAP_DISPATCH,
154  "Pcap callback PcapFileCallbackLoop failed for %s", ptv->filename);
155  loop_result = TM_ECODE_FAILED;
156  }
157  StatsSyncCountersIfSignalled(ptv->shared->tv);
158  }
159 
160  SCReturnInt(loop_result);
161 }
162 
163 TmEcode InitPcapFile(PcapFileFileVars *pfv)
164 {
165  char errbuf[PCAP_ERRBUF_SIZE] = "";
166 
167  if(unlikely(pfv->filename == NULL)) {
168  SCLogError(SC_ERR_INVALID_ARGUMENT, "Filename was null");
169  SCReturnInt(TM_ECODE_FAILED);
170  }
171 
172  pfv->pcap_handle = pcap_open_offline(pfv->filename, errbuf);
173  if (pfv->pcap_handle == NULL) {
174  SCLogError(SC_ERR_FOPEN, "%s", errbuf);
175  SCReturnInt(TM_ECODE_FAILED);
176  }
177 
178  if (pfv->shared != NULL && pfv->shared->bpf_string != NULL) {
179  SCLogInfo("using bpf-filter \"%s\"", pfv->shared->bpf_string);
180 
181  if (pcap_compile(pfv->pcap_handle, &pfv->filter, pfv->shared->bpf_string, 1, 0) < 0) {
182  SCLogError(SC_ERR_BPF, "bpf compilation error %s for %s",
183  pcap_geterr(pfv->pcap_handle), pfv->filename);
184  SCReturnInt(TM_ECODE_FAILED);
185  }
186 
187  if (pcap_setfilter(pfv->pcap_handle, &pfv->filter) < 0) {
188  SCLogError(SC_ERR_BPF,"could not set bpf filter %s for %s",
189  pcap_geterr(pfv->pcap_handle), pfv->filename);
190  SCReturnInt(TM_ECODE_FAILED);
191  }
192  }
193 
194  pfv->datalink = pcap_datalink(pfv->pcap_handle);
195  SCLogDebug("datalink %" PRId32 "", pfv->datalink);
196 
197  Decoder temp;
198  TmEcode validated = ValidateLinkType(pfv->datalink, &temp);
199  SCReturnInt(validated);
200 }
201 
202 TmEcode ValidateLinkType(int datalink, Decoder *decoder)
203 {
204  switch (datalink) {
205  case LINKTYPE_LINUX_SLL:
206  *decoder = DecodeSll;
207  break;
208  case LINKTYPE_ETHERNET:
209  *decoder = DecodeEthernet;
210  break;
211  case LINKTYPE_PPP:
212  *decoder = DecodePPP;
213  break;
214  case LINKTYPE_IPV4:
215  case LINKTYPE_RAW:
216  case LINKTYPE_RAW2:
217  case LINKTYPE_GRE_OVER_IP:
218  *decoder = DecodeRaw;
219  break;
220  case LINKTYPE_NULL:
221  *decoder = DecodeNull;
222  break;
223 
224  default:
225  SCLogError(
226  SC_ERR_UNIMPLEMENTED,
227  "datalink type %" PRId32 " not (yet) supported in module PcapFile.",
228  datalink
229  );
230  SCReturnInt(TM_ECODE_FAILED);
231  }
232 
233  SCReturnInt(TM_ECODE_OK);
234 }
235 /* eof */
InitPcapFile
TmEcode InitPcapFile(PcapFileFileVars *pfv)
Definition: source-pcap-file-helper.c:163
PcapFileSharedVars_::tv
ThreadVars * tv
Definition: source-pcap-file-helper.h:50
PcapFileSharedVars_::bpf_string
char * bpf_string
Definition: source-pcap-file-helper.h:42
PcapFileGlobalVars_::checksum_mode
ChecksumValidationMode checksum_mode
Definition: source-pcap-file-helper.h:33
CleanupPcapFileFileVars
void CleanupPcapFileFileVars(PcapFileFileVars *pfv)
Definition: source-pcap-file-helper.c:36
PcapFileFileVars_::datalink
int datalink
Definition: source-pcap-file-helper.h:73
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
PcapFileSharedVars_::pkts
uint64_t pkts
Definition: source-pcap-file-helper.h:54
PcapFileFileVars_::pcap_handle
pcap_t * pcap_handle
Definition: source-pcap-file-helper.h:71
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
LINKTYPE_LINUX_SLL
#define LINKTYPE_LINUX_SLL
Definition: decode.h:1071
DecodePPP
int DecodePPP(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint32_t len, PacketQueue *pq)
Definition: decode-ppp.c:43
PcapFileFileVars_::shared
PcapFileSharedVars * shared
Definition: source-pcap-file-helper.h:76
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DecodeRaw
int DecodeRaw(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint32_t len, PacketQueue *pq)
Definition: decode-raw.c:46
LINKTYPE_IPV4
#define LINKTYPE_IPV4
Definition: decode.h:1077
PcapFileFileVars_::filter
struct bpf_program filter
Definition: source-pcap-file-helper.h:74
PcapFileFileVars_::filename
char * filename
Definition: source-pcap-file-helper.h:70
suricata_ctl_flags
volatile uint8_t suricata_ctl_flags
Definition: suricata.c:201
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:561
DecodeNull
int DecodeNull(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint32_t len, PacketQueue *pq)
Definition: decode-null.c:48
PacketGetFromQueueOrAlloc
Packet * PacketGetFromQueueOrAlloc(void)
Get a packet. We try to get a packet from the packetpool first, but if that is empty we alloc a packe...
Definition: decode.c:177
PKT_SET_SRC
#define PKT_SET_SRC(p, src_val)
Definition: decode.h:1132
ChecksumAutoModeCheck
int ChecksumAutoModeCheck(uint64_t thread_count, uint64_t iface_count, uint64_t iface_fail)
Check if the number of invalid checksums indicate checksum offloading in place.
Definition: util-checksum.c:70
Decoder
int(* Decoder)(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
Definition: source-pcap-file-helper.h:79
LINKTYPE_PPP
#define LINKTYPE_PPP
Definition: decode.h:1072
LINKTYPE_NULL
#define LINKTYPE_NULL
Definition: decode.h:1069
PcapFileGlobalVars_::cnt
uint64_t cnt
Definition: source-pcap-file-helper.h:31
SURICATA_STOP
#define SURICATA_STOP
Definition: suricata.h:95
PcapFileSharedVars_::bytes
uint64_t bytes
Definition: source-pcap-file-helper.h:55
PcapFileSharedVars_::tenant_id
uint32_t tenant_id
Definition: source-pcap-file-helper.h:44
TmqhOutputPacketpool
void TmqhOutputPacketpool(ThreadVars *t, Packet *p)
Definition: tmqh-packetpool.c:449
PcapFileSharedVars_::slot
TmSlot * slot
Definition: source-pcap-file-helper.h:51
PcapFileSharedVars_::should_delete
bool should_delete
Definition: source-pcap-file-helper.h:48
max_pending_packets
int max_pending_packets
Definition: suricata.c:215
Packet_::datalink
int datalink
Definition: decode.h:574
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint32_t len, PacketQueue *pq)
Definition: decode-ethernet.c:41
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
PACKET_PROFILING_TMM_END
#define PACKET_PROFILING_TMM_END(p, id)
Definition: util-profiling.h:158
PcapFileDispatch
TmEcode PcapFileDispatch(PcapFileFileVars *ptv)
Main PCAP file reading Loop function.
Definition: source-pcap-file-helper.c:119
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
PACKET_PROFILING_TMM_START
#define PACKET_PROFILING_TMM_START(p, id)
Definition: util-profiling.h:150
PKT_IGNORE_CHECKSUM
#define PKT_IGNORE_CHECKSUM
Definition: decode.h:1099
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341
Packet_
Definition: decode.h:407
LINKTYPE_RAW
#define LINKTYPE_RAW
Definition: decode.h:1073
LINKTYPE_GRE_OVER_IP
#define LINKTYPE_GRE_OVER_IP
Definition: decode.h:1078
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:281
DecodeSll
int DecodeSll(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint32_t len, PacketQueue *pq)
Definition: decode-sll.c:39
PacketPoolWait
void PacketPoolWait(void)
Definition: tmqh-packetpool.c:148
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:254
PcapPacketVars_::tenant_id
uint32_t tenant_id
Definition: source-pcap.h:37
SCFree
#define SCFree(a)
Definition: util-mem.h:322
LINKTYPE_RAW2
#define LINKTYPE_RAW2
Definition: decode.h:1076
pcap_filename
char pcap_filename[PATH_MAX]
Definition: source-pcap-file-helper.c:109
PcapFileSharedVars_::cb_result
int cb_result
Definition: source-pcap-file-helper.h:62
PcapFileGetFilename
const char * PcapFileGetFilename(void)
Definition: source-pcap-file-helper.c:111
StatsSyncCountersIfSignalled
#define StatsSyncCountersIfSignalled(tv)
Definition: counters.h:136
SC_ATOMIC_GET
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
Definition: util-atomic.h:192
LINKTYPE_ETHERNET
#define LINKTYPE_ETHERNET
Definition: decode.h:1070
SCReturn
#define SCReturn
Definition: util-debug.h:339
Packet_::ts
struct timeval ts
Definition: decode.h:451
PcapFileGlobalVars_
Definition: source-pcap-file-helper.h:30
pcap_g
PcapFileGlobalVars pcap_g
Definition: source-pcap-file.c:34
PcapFileFileVars_
Definition: source-pcap-file-helper.h:68
Packet_::flags
uint32_t flags
Definition: decode.h:443
ValidateLinkType
TmEcode ValidateLinkType(int datalink, Decoder *decoder)
Definition: source-pcap-file-helper.c:202
PcapFileSharedVars_::files
uint64_t files
Definition: source-pcap-file-helper.h:56
Packet_::pcap_v
PcapPacketVars pcap_v
Definition: decode.h:480
PacketCopyData
int PacketCopyData(Packet *p, uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:259