From a4fe97189784d74926e9956a9423d727a6f6d737 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 18 Sep 2009 13:53:53 +0200
Subject: [PATCH] Fix datalink retrieval for pcap file mode and nfq mode for use in unified2.
---
 src/alert-unified2-alert.c | 15 +++------------
 src/decode.h | 14 +++++++++++++-
 src/source-nfq.c | 1 +
 src/source-pcap-file.c | 12 +++++++-----
 src/source-pcap.c | 6 +++---
 src/source-pcap.h | 1 -
 6 files changed, 27 insertions(+), 22 deletions(-)
diff --git a/src/alert-unified2-alert.c b/src/alert-unified2-alert.c
index a303c3a62f..af98a24e5e 100644
--- a/src/alert-unified2-alert.c
+++ b/src/alert-unified2-alert.c
@@ -234,7 +234,7 @@ int Unified2PacketTypeAlert (ThreadVars *t, Packet *p, void *data)
 Unified2Packet phdr;
 Unified2AlertFileHeader hdr;
 int ret, len;
- char write_buffer[sizeof(Unified2AlertFileHeader) + sizeof(Unified2Packet) + IPV4_MAXPACKET_LEN] = "";
+ char write_buffer[sizeof(Unified2AlertFileHeader) + sizeof(Unified2Packet) + IPV4_MAXPACKET_LEN];
 if(p->pktlen > 0) len = (sizeof(Unified2AlertFileHeader) + sizeof(Unified2Packet)) - 4 + p->pktlen;
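Review bot: With the `= ""` initializer dropped from `write_buffer` in Unified2PacketTypeAlert, the buffer starts out indeterminate, so the record is only clean if every one of the `len` bytes later passed to `fwrite` has been copied in first. The hunk shows `len` being set when `p->pktlen > 0`; what it holds for an empty packet is outside the hunk, as is the rest of the function. If the zeroing was removed to avoid clearing a large buffer per alert, a comment on the declaration such as `/* not zeroed: exactly len bytes are filled before the write */` would record the invariant, and `len` should be given a value on every path.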
@@ -257,23 +257,14 @@ int Unified2PacketTypeAlert (ThreadVars *t, Packet *p, void *data)
 }
 phdr.sensor_id = 0;
- phdr.linktype = htonl(p->pcap_v.datalink);
+ phdr.linktype = htonl(p->datalink);
 phdr.event_id = 0;
 phdr.event_second = phdr.packet_second = htonl(p->ts.tv_sec);
 phdr.packet_microsecond = htonl(p->ts.tv_usec);
 phdr.packet_length = htonl(p->pktlen);
 memcpy(write_buffer+sizeof(Unified2AlertFileHeader),&phdr,sizeof(Unified2Packet) - 4);
-
- if(p->pktlen > 0 && p->pkt)
- {
- memcpy(write_buffer + sizeof(Unified2AlertFileHeader) + sizeof(Unified2Packet) - 4 , p->pkt, p->pktlen);
- ret = fwrite(write_buffer,len, 1, aun->fp);
- if (ret != 1) {
- printf("Error: fwrite failed: %s\n", strerror(errno));
- return -1;
- }
- }
+ memcpy(write_buffer + sizeof(Unified2AlertFileHeader) + sizeof(Unified2Packet) - 4 , p->pkt, p->pktlen);
 ret = fwrite(write_buffer,len, 1, aun->fp);
 if (ret != 1) {
diff --git a/src/decode.h b/src/decode.h
index 302b2609c2..7c9ea6387a 100644
--- a/src/decode.h
+++ b/src/decode.h
@@ -213,9 +213,12 @@ typedef struct Packet_
 NFQPacketVars nfq_v;
 #endif /* NFQ */
- /* libpcap vars */
+ /** libpcap vars: shared by Pcap Live mode and Pcap File mode */
 PcapPacketVars pcap_v;
+ /** data linktype in host order */
+ int datalink;
+
 /* storage */
 uint8_t pkt[65536];
 uint16_t pktlen;
@@ -443,5 +446,14 @@ Packet *TunnelPktSetup(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, ui
 #define DLT_EN10MB 1
 #endif
+/* taken from pcap's bpf.h */
+#ifndef DLT_RAW
+#ifdef __OpenBSD__
+#define DLT_RAW 14 /* raw IP */
+#else
+#define DLT_RAW 12 /* raw IP */
+#endif
+#endif
+
 #endif /* __DECODE_H__ */
diff --git a/src/source-nfq.c b/src/source-nfq.c
index 5dc4528b49..0e8287fd13 100644
--- a/src/source-nfq.c
+++ b/src/source-nfq.c
@@ -148,6 +148,7 @@ void NFQSetupPkt (Packet *p, void *data)
 gettimeofday(&p->ts, NULL);
 }
+ p->datalink = DLT_RAW;
 return;
 }
diff --git a/src/source-pcap-file.c b/src/source-pcap-file.c
index f5ba02d07c..8c5894b553 100644
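Review bot: The packet copy in Unified2PacketTypeAlert (hunk at -257) is now unconditional, and nothing in the hunk checks `p->pktlen` against the room left in `write_buffer`. The buffer reserves IPV4_MAXPACKET_LEN bytes for the payload, while `pktlen` is a `uint16_t` filled from the capture length, which for non-IPv4 link types also counts the link-layer header; whether the two limits agree depends on the value of IPV4_MAXPACKET_LEN, which is not visible here. An explicit guard before the memcpy, `if (p->pktlen > IPV4_MAXPACKET_LEN) return -1;`, would keep the bound next to the copy. The function begins and ends outside the hunk.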
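Review bot: The new `Packet.datalink` field (src/decode.h, hunk at -213) is assigned only in the three capture paths this commit touches: PcapCallback, PcapFileCallback and NFQSetupPkt. Packets built elsewhere, for example by TunnelPktSetup, would presumably carry whatever value the Packet last held, and Unified2PacketTypeAlert now writes that value out as the record's link type. Either set the field where packets are initialised or recycled, or state the contract on the field, e.g. `/** data linktype in host order; set by the packet source, must be reset when the Packet is reused */`.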
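Review bot: The `DLT_RAW` fallback (src/decode.h, hunk at -443) gives the constant a different number depending on the build platform, 14 on OpenBSD and 12 elsewhere, and through `p->datalink = DLT_RAW` in NFQSetupPkt that number ends up in the `linktype` field of the unified2 record. A reader on another platform would then need to know which host produced the file; pcap's file-format LINKTYPE_ values exist to avoid that. If host DLT_ values are what the unified2 consumers expect, the comment should say so: `/* taken from pcap's bpf.h; host-specific DLT_ value, written as-is to unified2 */`.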
--- a/src/source-pcap-file.c
+++ b/src/source-pcap-file.c
@@ -26,6 +26,7 @@
 typedef struct PcapFileGlobalVars_ {
 pcap_t *pcap_handle;
 void (*Decoder)(ThreadVars *, DecodeThreadVars *, Packet *, u_int8_t *, u_int16_t, PacketQueue *);
+ int datalink;
 } PcapFileGlobalVars;
 typedef struct PcapFileThreadVars_
@@ -84,6 +85,7 @@ void PcapFileCallback(char *user, struct pcap_pkthdr *h, u_char *pkt) {
 p->ts.tv_sec = h->ts.tv_sec;
 p->ts.tv_usec = h->ts.tv_usec;
 TimeSet(&p->ts);
+ p->datalink = pcap_g.datalink;
 ptv->pkts++;
 ptv->bytes += h->caplen;
@@ -128,9 +130,9 @@ int ReceivePcapFileThreadInit(ThreadVars *tv, void *initdata, void **data) {
 exit(1);
 }
- int datalink = pcap_datalink(pcap_g.pcap_handle);
- printf("TmModuleReceivePcapFileRegister: datalink %" PRId32 "\n", datalink);
- switch(datalink) {
+ pcap_g.datalink = pcap_datalink(pcap_g.pcap_handle);
+ printf("TmModuleReceivePcapFileRegister: datalink %" PRId32 "\n", pcap_g.datalink);
+ switch(pcap_g.datalink) {
 case LINKTYPE_LINUX_SLL:
 pcap_g.Decoder = DecodeSll;
 break;
@@ -141,8 +143,8 @@ int ReceivePcapFileThreadInit(ThreadVars *tv, void *initdata, void **data) {
 pcap_g.Decoder = DecodePPP;
 break;
 default:
- printf("Error: datalink type %" PRId32 " not yet supported in module PcapFile.\n", datalink);
- break;
+ printf("Error: datalink type %" PRId32 " not yet supported in module PcapFile.\n", pcap_g.datalink);
+ return -1;
 }
 ptv->tv = tv;
diff --git a/src/source-pcap.c b/src/source-pcap.c
index 1548feacfb..187153d450 100644
--- a/src/source-pcap.c
+++ b/src/source-pcap.c
@@ -98,7 +98,7 @@ void PcapCallback(char *user, struct pcap_pkthdr *h, u_char *pkt) {
 ptv->pkts++;
 ptv->bytes += h->caplen;
- p->pcap_v.datalink = ptv->datalink;
+ p->datalink = ptv->datalink;
 p->pktlen = h->caplen;
 memcpy(p->pkt, pkt, p->pktlen);
 //printf("PcapCallback: p->pktlen: %" PRIu32 " (pkt %02x, p->pkt %02x)\n", p->pktlen, *pkt, *p->pkt);
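Review bot: The new `return -1;` in the `default:` branch of ReceivePcapFileThreadInit (src/source-pcap-file.c, hunk at -141) leaves the function without releasing what was set up before the switch. `pcap_g.pcap_handle` has already been handed to `pcap_datalink()` at that point, so it is presumably open, and any allocation of `ptv` would be earlier in the function, outside the hunk. The failure path visible in the previous hunk ends in `exit(1)`, so the two error paths now behave differently. Closing the handle before returning, `pcap_close(pcap_g.pcap_handle); pcap_g.pcap_handle = NULL; return -1;`, and freeing any thread data would keep the failure path clean.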
@@ -293,7 +293,7 @@ int DecodePcap(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
 PerfCounterSetUI64(dtv->counter_max_pkt_size, tv->pca, p->pktlen);
 /* call the decoder */
- switch(p->pcap_v.datalink) {
+ switch(p->datalink) {
 case LINKTYPE_LINUX_SLL:
 DecodeSll(tv, dtv, p, p->pkt, p->pktlen, pq);
 break;
@@ -304,7 +304,7 @@ int DecodePcap(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
 DecodePPP(tv, dtv, p, p->pkt, p->pktlen, pq);
 break;
 default:
- printf("Error: datalink type %" PRId32 " not yet supported in module DecodePcap.\n", p->pcap_v.datalink);
+ printf("Error: datalink type %" PRId32 " not yet supported in module DecodePcap.\n", p->datalink);
 break;
 }
diff --git a/src/source-pcap.h b/src/source-pcap.h
index 3059d18eb5..4b2f278eba 100644
--- a/src/source-pcap.h
+++ b/src/source-pcap.h
@@ -14,7 +14,6 @@ void TmModuleDecodePcapRegister (void);
 /* per packet Pcap vars */
 typedef struct PcapPacketVars_ {
- int datalink; /* datalink from libpcap */
 } PcapPacketVars;
 #endif /* __SOURCE_PCAP_H__ */