Fix datalink retrieval for pcap file mode and nfq mode for use in unified2.

remotes/origin/master-1.0.x
Victor Julien 16 years ago
parent c8308222c1
commit a4fe971897

@ -234,7 +234,7 @@ int Unified2PacketTypeAlert (ThreadVars *t, Packet *p, void *data)
Unified2Packet phdr; Unified2Packet phdr;
Unified2AlertFileHeader hdr; Unified2AlertFileHeader hdr;
int ret, len; int ret, len;
char write_buffer[sizeof(Unified2AlertFileHeader) + sizeof(Unified2Packet) + IPV4_MAXPACKET_LEN] = ""; char write_buffer[sizeof(Unified2AlertFileHeader) + sizeof(Unified2Packet) + IPV4_MAXPACKET_LEN];
if(p->pktlen > 0) if(p->pktlen > 0)
len = (sizeof(Unified2AlertFileHeader) + sizeof(Unified2Packet)) - 4 + p->pktlen; len = (sizeof(Unified2AlertFileHeader) + sizeof(Unified2Packet)) - 4 + p->pktlen;
@ -257,23 +257,14 @@ int Unified2PacketTypeAlert (ThreadVars *t, Packet *p, void *data)
} }
phdr.sensor_id = 0; phdr.sensor_id = 0;
phdr.linktype = htonl(p->pcap_v.datalink); phdr.linktype = htonl(p->datalink);
phdr.event_id = 0; phdr.event_id = 0;
phdr.event_second = phdr.packet_second = htonl(p->ts.tv_sec); phdr.event_second = phdr.packet_second = htonl(p->ts.tv_sec);
phdr.packet_microsecond = htonl(p->ts.tv_usec); phdr.packet_microsecond = htonl(p->ts.tv_usec);
phdr.packet_length = htonl(p->pktlen); phdr.packet_length = htonl(p->pktlen);
memcpy(write_buffer+sizeof(Unified2AlertFileHeader),&phdr,sizeof(Unified2Packet) - 4); memcpy(write_buffer+sizeof(Unified2AlertFileHeader),&phdr,sizeof(Unified2Packet) - 4);
if(p->pktlen > 0 && p->pkt)
{
memcpy(write_buffer + sizeof(Unified2AlertFileHeader) + sizeof(Unified2Packet) - 4 , p->pkt, p->pktlen); memcpy(write_buffer + sizeof(Unified2AlertFileHeader) + sizeof(Unified2Packet) - 4 , p->pkt, p->pktlen);
ret = fwrite(write_buffer,len, 1, aun->fp);
if (ret != 1) {
printf("Error: fwrite failed: %s\n", strerror(errno));
return -1;
}
}
ret = fwrite(write_buffer,len, 1, aun->fp); ret = fwrite(write_buffer,len, 1, aun->fp);
if (ret != 1) { if (ret != 1) {
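Review bot: The payload memcpy into write_buffer is now unconditional and bounded only by p->pktlen; nothing in these hunks checks that len fits the stack buffer. The buffer leaves IPV4_MAXPACKET_LEN + 4 bytes for the payload and pktlen is a uint16_t, so the copy is safe only while that constant (its value is not visible on this page) is at least 65531. A guard before the copies, `if ((size_t)len > sizeof(write_buffer)) return -1;`, would remove that dependency. Dropping the `= ""` initialiser also means any byte within len that the copies do not overwrite would reach the alert file as stack residue, so it is worth confirming that hdr and phdr are fully initialised before they are copied. The function starts and ends outside these hunks.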

@ -213,9 +213,12 @@ typedef struct Packet_
NFQPacketVars nfq_v; NFQPacketVars nfq_v;
#endif /* NFQ */ #endif /* NFQ */
/* libpcap vars */ /** libpcap vars: shared by Pcap Live mode and Pcap File mode */
PcapPacketVars pcap_v; PcapPacketVars pcap_v;
/** data linktype in host order */
int datalink;
/* storage */ /* storage */
uint8_t pkt[65536]; uint8_t pkt[65536];
uint16_t pktlen; uint16_t pktlen;
@ -443,5 +446,14 @@ Packet *TunnelPktSetup(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, ui
#define DLT_EN10MB 1 #define DLT_EN10MB 1
#endif #endif
/* taken from pcap's bpf.h */
#ifndef DLT_RAW
#ifdef __OpenBSD__
#define DLT_RAW 14 /* raw IP */
#else
#define DLT_RAW 12 /* raw IP */
#endif
#endif
#endif /* __DECODE_H__ */ #endif /* __DECODE_H__ */
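Review bot: `PcapPacketVars pcap_v;` stays in Packet, but the same commit removes the only member of PcapPacketVars (in the header guarded by __SOURCE_PCAP_H__), leaving an empty struct. A struct with no members is a GNU extension rather than ISO C, and the reworded comment "shared by Pcap Live mode and Pcap File mode" now describes a field that carries nothing. Either drop pcap_v and its typedef, or move the explanation to the new field, for example `/** data linktype in host order; set by the pcap live, pcap file and NFQ sources */`.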

@ -148,6 +148,7 @@ void NFQSetupPkt (Packet *p, void *data)
gettimeofday(&p->ts, NULL); gettimeofday(&p->ts, NULL);
} }
p->datalink = DLT_RAW;
return; return;
} }
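Review bot: `p->datalink = DLT_RAW;` stores a libpcap DLT_ number, and Unified2PacketTypeAlert writes that value straight into phdr.linktype. DLT_RAW is not a fixed number (the fallback in decode.h uses 12, or 14 on OpenBSD), whereas libpcap's on-disk LINKTYPE_RAW is 101, so it is worth stating which numbering the unified2 linktype field is meant to carry. What readers of the alert file expect is not visible on this page. A comment at the assignment would also help, for example `/* NFQ delivers bare IP packets, no link-layer header */`. NFQSetupPkt starts outside the hunk.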

@ -26,6 +26,7 @@
typedef struct PcapFileGlobalVars_ { typedef struct PcapFileGlobalVars_ {
pcap_t *pcap_handle; pcap_t *pcap_handle;
void (*Decoder)(ThreadVars *, DecodeThreadVars *, Packet *, u_int8_t *, u_int16_t, PacketQueue *); void (*Decoder)(ThreadVars *, DecodeThreadVars *, Packet *, u_int8_t *, u_int16_t, PacketQueue *);
int datalink;
} PcapFileGlobalVars; } PcapFileGlobalVars;
typedef struct PcapFileThreadVars_ typedef struct PcapFileThreadVars_
@ -84,6 +85,7 @@ void PcapFileCallback(char *user, struct pcap_pkthdr *h, u_char *pkt) {
p->ts.tv_sec = h->ts.tv_sec; p->ts.tv_sec = h->ts.tv_sec;
p->ts.tv_usec = h->ts.tv_usec; p->ts.tv_usec = h->ts.tv_usec;
TimeSet(&p->ts); TimeSet(&p->ts);
p->datalink = pcap_g.datalink;
ptv->pkts++; ptv->pkts++;
ptv->bytes += h->caplen; ptv->bytes += h->caplen;
@ -128,9 +130,9 @@ int ReceivePcapFileThreadInit(ThreadVars *tv, void *initdata, void **data) {
exit(1); exit(1);
} }
int datalink = pcap_datalink(pcap_g.pcap_handle); pcap_g.datalink = pcap_datalink(pcap_g.pcap_handle);
printf("TmModuleReceivePcapFileRegister: datalink %" PRId32 "\n", datalink); printf("TmModuleReceivePcapFileRegister: datalink %" PRId32 "\n", pcap_g.datalink);
switch(datalink) { switch(pcap_g.datalink) {
case LINKTYPE_LINUX_SLL: case LINKTYPE_LINUX_SLL:
pcap_g.Decoder = DecodeSll; pcap_g.Decoder = DecodeSll;
break; break;
@ -141,8 +143,8 @@ int ReceivePcapFileThreadInit(ThreadVars *tv, void *initdata, void **data) {
pcap_g.Decoder = DecodePPP; pcap_g.Decoder = DecodePPP;
break; break;
default: default:
printf("Error: datalink type %" PRId32 " not yet supported in module PcapFile.\n", datalink); printf("Error: datalink type %" PRId32 " not yet supported in module PcapFile.\n", pcap_g.datalink);
break; return -1;
} }
ptv->tv = tv; ptv->tv = tv;
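Review bot: The new `return -1` in the default case leaves ReceivePcapFileThreadInit without releasing what was set up earlier. pcap_g.pcap_handle is already open at this point (pcap_datalink was just called on it) and no pcap_close is visible on this path. If ptv is allocated earlier in the function, which starts outside the hunk, it would be left behind as well. Adding `pcap_close(pcap_g.pcap_handle);` before the return, and freeing ptv if applicable, keeps the failure path clean. The messages also print an int with PRId32; `%d` matches the declared type of pcap_g.datalink.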

@ -98,7 +98,7 @@ void PcapCallback(char *user, struct pcap_pkthdr *h, u_char *pkt) {
ptv->pkts++; ptv->pkts++;
ptv->bytes += h->caplen; ptv->bytes += h->caplen;
p->pcap_v.datalink = ptv->datalink; p->datalink = ptv->datalink;
p->pktlen = h->caplen; p->pktlen = h->caplen;
memcpy(p->pkt, pkt, p->pktlen); memcpy(p->pkt, pkt, p->pktlen);
//printf("PcapCallback: p->pktlen: %" PRIu32 " (pkt %02x, p->pkt %02x)\n", p->pktlen, *pkt, *p->pkt); //printf("PcapCallback: p->pktlen: %" PRIu32 " (pkt %02x, p->pkt %02x)\n", p->pktlen, *pkt, *p->pkt);
@ -293,7 +293,7 @@ int DecodePcap(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
PerfCounterSetUI64(dtv->counter_max_pkt_size, tv->pca, p->pktlen); PerfCounterSetUI64(dtv->counter_max_pkt_size, tv->pca, p->pktlen);
/* call the decoder */ /* call the decoder */
switch(p->pcap_v.datalink) { switch(p->datalink) {
case LINKTYPE_LINUX_SLL: case LINKTYPE_LINUX_SLL:
DecodeSll(tv, dtv, p, p->pkt, p->pktlen, pq); DecodeSll(tv, dtv, p, p->pkt, p->pktlen, pq);
break; break;
@ -304,7 +304,7 @@ int DecodePcap(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
DecodePPP(tv, dtv, p, p->pkt, p->pktlen, pq); DecodePPP(tv, dtv, p, p->pkt, p->pktlen, pq);
break; break;
default: default:
printf("Error: datalink type %" PRId32 " not yet supported in module DecodePcap.\n", p->pcap_v.datalink); printf("Error: datalink type %" PRId32 " not yet supported in module DecodePcap.\n", p->datalink);
break; break;
} }
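Review bot: In PcapCallback, `p->pktlen = h->caplen;` narrows libpcap's 32-bit capture length into the uint16_t pktlen declared in decode.h, so a caplen above 65535 would wrap without any error. The memcpy stays inside pkt[65536] because the wrapped value is used as the length, but the packet handed to DecodePcap and on to unified2 would no longer match what was captured. A guard ahead of the assignment, such as `if (h->caplen > UINT16_MAX) return;`, would make the limit explicit. Whether the configured snaplen already prevents this, and what cleanup an early return needs, is not visible because the function starts and ends outside the hunk.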

@ -14,7 +14,6 @@ void TmModuleDecodePcapRegister (void);
/* per packet Pcap vars */ /* per packet Pcap vars */
typedef struct PcapPacketVars_ typedef struct PcapPacketVars_
{ {
int datalink; /* datalink from libpcap */
} PcapPacketVars; } PcapPacketVars;
#endif /* __SOURCE_PCAP_H__ */ #endif /* __SOURCE_PCAP_H__ */
