From 50a182194a20a9a733d637b83a35ab5f2876c63c Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Mon, 19 Feb 2018 17:30:36 +0100
Subject: [PATCH] eve: log pcap filename
---
 doc/userguide/output/eve/eve-json-format.rst | 23 ++++++++++++++++++++
 src/output-json.c | 13 +++++++++++
 src/source-pcap-file-directory-helper.c | 1 +
 src/source-pcap-file-helper.c | 9 ++++++++
 src/source-pcap-file.h | 1 +
 src/util-logopenfile.h | 3 +++
 6 files changed, 50 insertions(+)
diff --git a/doc/userguide/output/eve/eve-json-format.rst b/doc/userguide/output/eve/eve-json-format.rst
index d6120ba74f..23429eea12 100644
--- a/doc/userguide/output/eve/eve-json-format.rst
+++ b/doc/userguide/output/eve/eve-json-format.rst
@@ -47,6 +47,29 @@ The common part has a field "event_type" to indicate the log type.
 "event_type":"TYPE"
+PCAP fields
+~~~~~~~~~~~
+
+If Suricata is processing a pcap file, additional fields are added:
+
+::
+
+ "pcap_cnt": 123
+
+``pcap_cnt`` contains the packet number in the pcap. This can be used to look
+up a packet in Wireshark for example.
+
+::
+
+ "pcap_filename":"/path/to/file.pcap"
+
+``pcap_filename`` contains the file name and location of the pcap that
+generated the event.
+
+.. note:: the pcap fields are only available on "real" packets, and are
+ omitted from internal "pseudo" packets such as flow timeout
+ packets.
+
 Event type: Alert
 -----------------
diff --git a/src/output-json.c b/src/output-json.c
index 6a65b0450e..2c6291a8e5 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -63,6 +63,8 @@
 #include "flow-var.h"
 #include "flow-bit.h"
+#include "source-pcap-file.h"
+
 #ifndef HAVE_LIBJANSSON
 /** Handle the case where no JSON support is compiled in.
@@ -601,6 +603,10 @@ int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer)
 json_string(file_ctx->sensor_name));
 }
+ if (file_ctx->is_pcap_offline) {
+ json_object_set_new(js, "pcap_filename", json_string(PcapFileGetFilename()));
+ }
+
 if (file_ctx->prefix) {
 MemBufferWriteRaw((*buffer), file_ctx->prefix, file_ctx->prefix_len);
 }
@@ -805,9 +811,16 @@ OutputInitResult OutputJsonInitCtx(ConfNode *conf)
 json_ctx->include_metadata = true;
 }
+ const char *pcapfile_s = ConfNodeLookupChildValue(conf, "pcap-file");
+ if (pcapfile_s != NULL && ConfValIsTrue(pcapfile_s)) {
+ json_ctx->file_ctx->is_pcap_offline =
+ (RunmodeGetCurrent() == RUNMODE_PCAP_FILE);
+ }
+
 json_ctx->file_ctx->type = json_ctx->json_out;
 }
+
 SCLogDebug("returning output_ctx %p", output_ctx);
 result.ctx = output_ctx;
diff --git a/src/source-pcap-file-directory-helper.c b/src/source-pcap-file-directory-helper.c
index d026c1f5b7..5a04b03945 100644
--- a/src/source-pcap-file-directory-helper.c
+++ b/src/source-pcap-file-directory-helper.c
@@ -26,6 +26,7 @@
 #include "source-pcap-file-directory-helper.h"
 #include "runmode-unix-socket.h"
 #include "util-mem.h"
+#include "source-pcap-file.h"
 static void GetTime(struct timespec *tm);
 static void CopyTime(struct timespec *from, struct timespec *to);
diff --git a/src/source-pcap-file-helper.c b/src/source-pcap-file-helper.c
index 6a5c0bffed..3e621ae7e5 100644
--- a/src/source-pcap-file-helper.c
+++ b/src/source-pcap-file-helper.c
@@ -26,6 +26,7 @@
 #include "source-pcap-file-helper.h"
 #include "util-checksum.h"
 #include "util-profiling.h"
+#include "source-pcap-file.h"
 extern int max_pending_packets;
 extern PcapFileGlobalVars pcap_g;
@@ -98,6 +99,13 @@ void PcapFileCallbackLoop(char *user, struct pcap_pkthdr *h, u_char *pkt)
 SCReturn;
 }
+char pcap_filename[PATH_MAX] = "unknown";
+
+const char *PcapFileGetFilename(void)
+{
+ return pcap_filename;
+}
+
 /**
 * \brief Main PCAP file reading Loop function
 */
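Review bot: The value read by `json_string(PcapFileGetFilename())` is a process-wide buffer that `PcapFileDispatch` overwrites with `strlcpy` (hunk `@@ -108` of src/source-pcap-file-helper.c) each time a new file starts, with nothing synchronizing that writer against this reader. If OutputJSONBuffer runs on a different thread than the pcap reader, which appears to be the case for any multi-threaded runmode, a log call can observe a partially copied string, and when a directory of files is processed the events for packets still in the pipeline from the previous file are stamped with the next file's name. Carrying the name with the packet (the `PcapFileFileVars` handed to `PcapFileDispatch` already holds `ptv->filename`) and passing it to the event builders, or publishing it through an atomically swapped pointer to an immutable string, would make the logged value match the event. Separately, `json_string()` returns NULL for a string that is not valid UTF-8 and `json_object_set_new` then fails unchecked; the `sensor_name` line above does the same, so this is a pre-existing consistency point rather than a regression. OutputJSONBuffer starts and ends outside this hunk.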
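Review bot: The new eve option looked up by `ConfNodeLookupChildValue(conf, "pcap-file")` is the only path that sets `is_pcap_offline`, yet neither this hunk nor the documentation hunk in doc/userguide/output/eve/eve-json-format.rst names it; the user guide states the field is added whenever a pcap file is processed. A comment above the lookup such as `/* eve option "pcap-file: yes" enables the pcap_filename field; only honoured in the pcap-file runmode */` and a matching sentence in the user guide would close that gap. The branch never assigns `is_pcap_offline` to false, so it relies on `file_ctx` having been zeroed where it is allocated, which is outside this hunk and worth confirming. The added blank line before `SCLogDebug` also leaves two consecutive blank lines there, which looks unintentional. OutputJsonInitCtx starts and ends outside this hunk.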
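Review bot: `char pcap_filename[PATH_MAX] = "unknown";` is defined with external linkage, but the header hunk for src/source-pcap-file.h only declares the getter, so the array should be `static char pcap_filename[PATH_MAX] = "unknown";` to keep it out of the global namespace and make `PcapFileGetFilename()` its sole access path. Neither definition carries the `\brief` doxygen comment this file uses for its functions; something like `/** \brief Name of the pcap file currently being read, exposed to EVE as pcap_filename. Written by PcapFileDispatch; "unknown" until the first file is opened. */` would state the ownership. `PATH_MAX` comes from `<limits.h>`; whether this file already includes it is not visible in the hunk.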
@@ -108,6 +116,7 @@ TmEcode PcapFileDispatch(PcapFileFileVars *ptv)
 int packet_q_len = 64;
 int r;
 TmEcode loop_result = TM_ECODE_OK;
+ strlcpy(pcap_filename, ptv->filename, sizeof(pcap_filename));
 while (loop_result == TM_ECODE_OK) {
 if (suricata_ctl_flags & SURICATA_STOP) {
diff --git a/src/source-pcap-file.h b/src/source-pcap-file.h
index 30a3c2ec69..d864fd7e87 100644
--- a/src/source-pcap-file.h
+++ b/src/source-pcap-file.h
@@ -30,6 +30,7 @@ void TmModuleDecodePcapFileRegister (void);
 void PcapIncreaseInvalidChecksum(void);
 void PcapFileGlobalInit(void);
+const char *PcapFileGetFilename(void);
 #endif /* __SOURCE_PCAP_FILE_H__ */
diff --git a/src/util-logopenfile.h b/src/util-logopenfile.h
index ae99ad8a56..26f6d8c9c3 100644
--- a/src/util-logopenfile.h
+++ b/src/util-logopenfile.h
@@ -125,6 +125,9 @@ typedef struct LogFileCtx_ {
 /* Set to true if the filename should not be timestamped. */
 bool nostamp;
+ /* if set to true EVE will add a pcap file record */
+ bool is_pcap_offline;
+
 /* Socket types may need to drop events to keep from blocking
 * Suricata. */
 uint64_t dropped;
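Review bot: The return value of `strlcpy(pcap_filename, ptv->filename, sizeof(pcap_filename))` is discarded, so a path of PATH_MAX bytes or longer is silently truncated and the truncated string is then reported to EVE as the file name; checking `if (strlcpy(pcap_filename, ptv->filename, sizeof(pcap_filename)) >= sizeof(pcap_filename))` and logging the truncation would make that visible. This line is also the writer side of the unsynchronized global raised on the `@@ -601` hunk of src/output-json.c. Whether `ptv->filename` can be NULL when PcapFileDispatch is entered is not visible here; PcapFileDispatch continues outside the hunk.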
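Review bot: The comment `/* if set to true EVE will add a pcap file record */` overstates what the flag does: the change adds one `pcap_filename` string field to each event rather than a record, and the flag is only set from OutputJsonInitCtx when the eve `pcap-file` option is true and the current runmode is pcap-file. Suggest `/* if true, EVE adds a "pcap_filename" field to each event (set only in the pcap-file runmode) */`. The LogFileCtx_ struct starts and ends outside this hunk.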