log/pcap and eve/alert: get pcap filename to support multi mode

This patch adds a function to get the current pcap file name that will be used to current packet. This patch also updates EVE alerts to add pcap output filename when pcap capture is done in multi or normal mode.
4 years ago · faab853685
parent 2317fd83ef
commit faab853685
3 changed files with 29 additions and 0 deletions
--- a/src/log-pcap.c
+++ b/src/log-pcap.c
@ -112,6 +112,8 @@ typedef struct PcapFileName_ {
    TAILQ_ENTRY(PcapFileName_) next; /**< Pointer to next Pcap File for tailq. */
 } PcapFileName;

+thread_local char *pcap_file_thread = NULL;
+
 typedef struct PcapLogProfileData_ {
    uint64_t total;
    uint64_t cnt;
@ -1103,6 +1105,14 @@ static TmEcode PcapLogDataInit(ThreadVars *t, const void *initdata, void **data)
 #endif /* INIT_RING_BUFFER */
    }

+    if (pl->mode == LOGMODE_MULTI) {
+        PcapLogOpenFileCtx(td->pcap_log);
+    } else {
+        if (pl->filename == NULL) {
+            PcapLogOpenFileCtx(pl);
+        }
+    }
+
    return TM_ECODE_OK;
 }

@ -1854,6 +1864,9 @@ static int PcapLogOpenFileCtx(PcapLogData *pl)
    SCLogDebug("Opening pcap file log %s", pf->filename);
    TAILQ_INSERT_TAIL(&pl->pcap_file_list, pf, next);

+    if (pl->mode == LOGMODE_MULTI || pl->mode == LOGMODE_NORMAL) {
+        pcap_file_thread = pl->filename;
+    }
    PCAPLOG_PROFILE_END(pl->profile_open);
    return 0;

@ -1862,6 +1875,15 @@ error:
    return -1;
 }

+char *PcapLogGetFilename(void)
+{
+    /* return pcap filename per thread */
+    if (pcap_file_thread != NULL) {
+        return pcap_file_thread;
+    }
+    return NULL;
+}
+
 static int profiling_pcaplog_enabled = 0;
 static int profiling_pcaplog_output_to_file = 0;
 static char *profiling_pcaplog_file_name = NULL;
--- a/src/log-pcap.h
+++ b/src/log-pcap.h
@ -32,5 +32,6 @@

 void PcapLogRegister(void);
 void PcapLogProfileSetup(void);
+char *PcapLogGetFilename(void);

 #endif /* __LOG_PCAP_H__ */
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@ -54,6 +54,7 @@
 #include "util-classification-config.h"
 #include "util-syslog.h"
 #include "util-logopenfile.h"
+#include "log-pcap.h"

 #include "output.h"
 #include "output-json.h"
@ -774,6 +775,11 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
            EvePacket(p, jb, 0);
        }

+        char *pcap_filename = PcapLogGetFilename();
+        if (pcap_filename != NULL) {
+            jb_set_string(jb, "capture_file", pcap_filename);
+        }
+
        OutputJsonBuilderBuffer(jb, aft->ctx);
        jb_free(jb);
    }