source-pcap-file-helper.h

Go to the documentation of this file.

/* Copyright (C) 2007-2020 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */
 
/**
 * \file
 *
 * \author Danny Browning <danny.browning@protectwise.com>
 */
 
#include "suricata-common.h"
#include "tm-threads.h"
#include "util-atomic.h"
 
#ifndef SURICATA_SOURCE_PCAP_FILE_HELPER_H
#define SURICATA_SOURCE_PCAP_FILE_HELPER_H
 
typedef enum {
    PCAP_FILE_DELETE_NONE = 0,
    PCAP_FILE_DELETE_ALWAYS,
    PCAP_FILE_DELETE_NON_ALERTS
} PcapFileDeleteMode;
 
typedef struct PcapFileGlobalVars_ {
    uint64_t cnt; /** packet counter */
    ChecksumValidationMode conf_checksum_mode;
    ChecksumValidationMode checksum_mode;
    SC_ATOMIC_DECLARE(unsigned int, invalid_checksums);
    uint32_t read_buffer_size;
} PcapFileGlobalVars;
 
/**
 * Data that is shared amongst File, Directory, and Thread level vars
 */
typedef struct PcapFileSharedVars_
{
    char *bpf_string;
 
    uint32_t tenant_id;
 
    struct timespec last_processed;
 
    PcapFileDeleteMode delete_mode;
 
    ThreadVars *tv;
    TmSlot *slot;
 
    /* counters */
    uint64_t pkts;
    uint64_t bytes;
    uint64_t files;
 
    uint8_t done;
    uint32_t errs;
 
    /** callback result -- set if one of the thread module failed. */
    int cb_result;
} PcapFileSharedVars;
 
/**
 * Data specific to a single pcap file
 */
typedef struct PcapFileFileVars_
{
    char *filename;
    pcap_t *pcap_handle;
 
    int datalink;
    struct bpf_program filter;
 
    PcapFileSharedVars *shared;
 
    SC_ATOMIC_DECLARE(uint64_t, alerts_count);
    /* Reference count for outstanding users (e.g., pseudo packets created
     * during shutdown/timeout handling). Ensures the per-file state is not
     * cleaned up or the file deleted before all dependent processing that may
     * still raise alerts has completed. */
    SC_ATOMIC_DECLARE(uint32_t, ref_cnt);
    bool cleanup_requested;
 
    /* fields used to get the first packet's timestamp early,
     * so it can be used to setup the time subsys. */
    const u_char *first_pkt_data;
    struct pcap_pkthdr *first_pkt_hdr;
    struct timeval first_pkt_ts;
 
    /** flex array member for the libc io read buffer. Size controlled by
     * PcapFileGlobalVars::read_buffer_size. */
#if defined(HAVE_SETVBUF) && defined(OS_LINUX)
    char buffer[];
#endif
} PcapFileFileVars;
 
/**
 * Dispatch a file for processing, where the information necessary to process that
 * file is as PcapFileFileVars object.
 * @param ptv PcapFileFileVars object to be processed
 * @return
 */
TmEcode PcapFileDispatch(PcapFileFileVars *ptv);
 
/**
 * From a PcapFileFileVars, prepare the filename for processing by setting
 * pcap_handle, datalink, and filter
 * @param pfv PcapFileFileVars object to populate
 * @return
 */
TmEcode InitPcapFile(PcapFileFileVars *pfv);
 
/**
 * Cleanup resources associated with a PcapFileFileVars object.
 * @param pfv Object to be cleaned up
 */
void CleanupPcapFileFileVars(PcapFileFileVars *pfv);
 
/**
 * Determine if a datalink type is valid, setting a decoder function if valid.
 * @param datalink Datalink type to validate
 * @param decoder Pointer to decoder to set if valid
 * @return TM_ECODE_OK if valid datalink type and decoder has been set.
 */
TmEcode ValidateLinkType(int datalink, DecoderFunc *decoder);
 
const char *PcapFileGetFilename(void);
 
bool PcapFileShouldDeletePcapFile(PcapFileFileVars *pfv);
 
void PcapFileFinalizePacket(PcapFileFileVars *pfv);
 
PcapFileDeleteMode PcapFileParseDeleteMode(void);
 
void PcapFileAddAlertCount(PcapFileFileVars *pfv, uint16_t alert_count);
 
void PcapFileReleasePseudoPacket(Packet *p);
 
void PcapFileSetCurrentPfv(PcapFileFileVars *pfv);
PcapFileFileVars *PcapFileGetCurrentPfv(void);
 
void PcapFileInstallCaptureHooks(void);
 
#ifdef UNITTESTS
void SourcePcapFileHelperRegisterTests(void);
#endif
 
#endif /* SURICATA_SOURCE_PCAP_FILE_HELPER_H */