Fix datalink retrieval for pcap file mode and nfq mode for use in unified2.

16 years ago · a4fe971897
parent c8308222c1
commit a4fe971897
6 changed files with 27 additions and 22 deletions
--- a/src/alert-unified2-alert.c
+++ b/src/alert-unified2-alert.c
@ -234,7 +234,7 @@ int Unified2PacketTypeAlert (ThreadVars *t, Packet *p, void *data)
    Unified2Packet phdr;
    Unified2AlertFileHeader hdr;
    int ret, len;
-    char write_buffer[sizeof(Unified2AlertFileHeader) + sizeof(Unified2Packet) + IPV4_MAXPACKET_LEN] = "";
+    char write_buffer[sizeof(Unified2AlertFileHeader) + sizeof(Unified2Packet) + IPV4_MAXPACKET_LEN];

    if(p->pktlen > 0)
        len = (sizeof(Unified2AlertFileHeader) + sizeof(Unified2Packet)) - 4 + p->pktlen;
@ -257,23 +257,14 @@ int Unified2PacketTypeAlert (ThreadVars *t, Packet *p, void *data)
    }

    phdr.sensor_id = 0;
-    phdr.linktype = htonl(p->pcap_v.datalink);
+    phdr.linktype = htonl(p->datalink);
    phdr.event_id = 0;
    phdr.event_second = phdr.packet_second = htonl(p->ts.tv_sec);
    phdr.packet_microsecond = htonl(p->ts.tv_usec);
    phdr.packet_length = htonl(p->pktlen);

    memcpy(write_buffer+sizeof(Unified2AlertFileHeader),&phdr,sizeof(Unified2Packet) - 4);
-
-    if(p->pktlen > 0 && p->pkt)
-    {
-        memcpy(write_buffer + sizeof(Unified2AlertFileHeader) + sizeof(Unified2Packet) - 4 , p->pkt, p->pktlen);
-        ret = fwrite(write_buffer,len, 1, aun->fp);
-        if (ret != 1) {
-            printf("Error: fwrite failed: %s\n", strerror(errno));
-            return -1;
-        }
-    }
+    memcpy(write_buffer + sizeof(Unified2AlertFileHeader) + sizeof(Unified2Packet) - 4 , p->pkt, p->pktlen);

    ret = fwrite(write_buffer,len, 1, aun->fp);
    if (ret != 1) {
--- a/src/decode.h
+++ b/src/decode.h
@ -213,9 +213,12 @@ typedef struct Packet_
    NFQPacketVars nfq_v;
 #endif /* NFQ */

-    /* libpcap vars */
+    /** libpcap vars: shared by Pcap Live mode and Pcap File mode */
    PcapPacketVars pcap_v;

+    /** data linktype in host order */
+    int datalink;
+
    /* storage */
    uint8_t pkt[65536];
    uint16_t pktlen;
@ -443,5 +446,14 @@ Packet *TunnelPktSetup(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, ui
 #define DLT_EN10MB 1
 #endif

+/* taken from pcap's bpf.h */
+#ifndef DLT_RAW
+#ifdef __OpenBSD__
+#define DLT_RAW     14  /* raw IP */
+#else
+#define DLT_RAW     12  /* raw IP */
+#endif
+#endif
+
 #endif /* __DECODE_H__ */

--- a/src/source-nfq.c
+++ b/src/source-nfq.c
@ -148,6 +148,7 @@ void NFQSetupPkt (Packet *p, void *data)
        gettimeofday(&p->ts, NULL);
    }

+    p->datalink = DLT_RAW;
    return;
 }

--- a/src/source-pcap-file.c
+++ b/src/source-pcap-file.c
@ -26,6 +26,7 @@
 typedef struct PcapFileGlobalVars_ {
    pcap_t *pcap_handle;
    void (*Decoder)(ThreadVars *, DecodeThreadVars *, Packet *, u_int8_t *, u_int16_t, PacketQueue *);
+    int datalink;
 } PcapFileGlobalVars;

 typedef struct PcapFileThreadVars_
@ -84,6 +85,7 @@ void PcapFileCallback(char *user, struct pcap_pkthdr *h, u_char *pkt) {
    p->ts.tv_sec = h->ts.tv_sec;
    p->ts.tv_usec = h->ts.tv_usec;
    TimeSet(&p->ts);
+    p->datalink = pcap_g.datalink;

    ptv->pkts++;
    ptv->bytes += h->caplen;
@ -128,9 +130,9 @@ int ReceivePcapFileThreadInit(ThreadVars *tv, void *initdata, void **data) {
        exit(1);
    }

-    int datalink = pcap_datalink(pcap_g.pcap_handle);
-    printf("TmModuleReceivePcapFileRegister: datalink %" PRId32 "\n", datalink);
-    switch(datalink)	{
+    pcap_g.datalink = pcap_datalink(pcap_g.pcap_handle);
+    printf("TmModuleReceivePcapFileRegister: datalink %" PRId32 "\n", pcap_g.datalink);
+    switch(pcap_g.datalink)	{
        case LINKTYPE_LINUX_SLL:
            pcap_g.Decoder = DecodeSll;
            break;
@ -141,8 +143,8 @@ int ReceivePcapFileThreadInit(ThreadVars *tv, void *initdata, void **data) {
            pcap_g.Decoder = DecodePPP;
            break;
        default:
-            printf("Error: datalink type %" PRId32 " not yet supported in module PcapFile.\n", datalink);
-            break;
+            printf("Error: datalink type %" PRId32 " not yet supported in module PcapFile.\n", pcap_g.datalink);
+            return -1;
    }

    ptv->tv = tv;
--- a/src/source-pcap.c
+++ b/src/source-pcap.c
@ -98,7 +98,7 @@ void PcapCallback(char *user, struct pcap_pkthdr *h, u_char *pkt) {
    ptv->pkts++;
    ptv->bytes += h->caplen;

-    p->pcap_v.datalink = ptv->datalink;
+    p->datalink = ptv->datalink;
    p->pktlen = h->caplen;
    memcpy(p->pkt, pkt, p->pktlen);
    //printf("PcapCallback: p->pktlen: %" PRIu32 " (pkt %02x, p->pkt %02x)\n", p->pktlen, *pkt, *p->pkt);
@ -293,7 +293,7 @@ int DecodePcap(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
    PerfCounterSetUI64(dtv->counter_max_pkt_size, tv->pca, p->pktlen);

    /* call the decoder */
-    switch(p->pcap_v.datalink)    {
+    switch(p->datalink) {
        case LINKTYPE_LINUX_SLL:
            DecodeSll(tv, dtv, p, p->pkt, p->pktlen, pq);
            break;
@ -304,7 +304,7 @@ int DecodePcap(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
            DecodePPP(tv, dtv, p, p->pkt, p->pktlen, pq);
            break;
        default:
-            printf("Error: datalink type %" PRId32 " not yet supported in module DecodePcap.\n", p->pcap_v.datalink);
+            printf("Error: datalink type %" PRId32 " not yet supported in module DecodePcap.\n", p->datalink);
            break;
    }

--- a/src/source-pcap.h
+++ b/src/source-pcap.h
@ -14,7 +14,6 @@ void TmModuleDecodePcapRegister (void);
 /* per packet Pcap vars */
 typedef struct PcapPacketVars_
 {
-    int datalink; /* datalink from libpcap */
 } PcapPacketVars;

 #endif /* __SOURCE_PCAP_H__ */