suricata
source-pcap-file-helper.c
Go to the documentation of this file.
1/* Copyright (C) 2007-2020 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \file
20 *
21 * \author Danny Browning <danny.browning@protectwise.com>
22 *
23 * File based pcap packet acquisition support
24 */
25
26#include "source-pcap-file-helper.h"
27#include "suricata.h"
28#include "util-datalink.h"
29#include "util-checksum.h"
30#include "util-profiling.h"
31#include "source-pcap-file.h"
32#include "util-exception-policy.h"
33
34extern uint32_t max_pending_packets;
35extern PcapFileGlobalVars pcap_g;
36
37static void PcapFileCallbackLoop(char *user, struct pcap_pkthdr *h, u_char *pkt);
38
39void CleanupPcapFileFileVars(PcapFileFileVars *pfv)
40{
41 if (pfv != NULL) {
42 if (pfv->pcap_handle != NULL) {
43 pcap_close(pfv->pcap_handle);
44 pfv->pcap_handle = NULL;
45 }
46 if (pfv->filename != NULL) {
47 if (pfv->shared != NULL && pfv->shared->should_delete) {
48 SCLogDebug("Deleting pcap file %s", pfv->filename);
49 if (unlink(pfv->filename) != 0) {
50 SCLogWarning("Failed to delete %s: %s", pfv->filename, strerror(errno));
51 }
52 }
53 SCFree(pfv->filename);
54 pfv->filename = NULL;
55 }
56 pfv->shared = NULL;
57 SCFree(pfv);
58 }
59}
60
61void PcapFileCallbackLoop(char *user, struct pcap_pkthdr *h, u_char *pkt)
62{
63 SCEnter();
64#ifdef DEBUG
65 if (unlikely((pcap_g.cnt + 1ULL) == g_eps_pcap_packet_loss)) {
66 SCLogNotice("skipping packet %" PRIu64, g_eps_pcap_packet_loss);
67 pcap_g.cnt++;
68 SCReturn;
69 }
70#endif
71 PcapFileFileVars *ptv = (PcapFileFileVars *)user;
72 Packet *p = PacketGetFromQueueOrAlloc();
73
74 if (unlikely(p == NULL)) {
75 SCReturn;
76 }
77 PACKET_PROFILING_TMM_START(p, TMM_RECEIVEPCAPFILE);
78
79 PKT_SET_SRC(p, PKT_SRC_WIRE);
80 p->ts = SCTIME_FROM_TIMEVAL_UNTRUSTED(&h->ts);
81 SCLogDebug("p->ts.tv_sec %" PRIuMAX "", (uintmax_t)SCTIME_SECS(p->ts));
82 p->datalink = ptv->datalink;
83 p->pcap_cnt = ++pcap_g.cnt;
84
85 p->pcap_v.tenant_id = ptv->shared->tenant_id;
86 ptv->shared->pkts++;
87 ptv->shared->bytes += h->caplen;
88
89 if (unlikely(PacketCopyData(p, pkt, h->caplen))) {
90 TmqhOutputPacketpool(ptv->shared->tv, p);
91 PACKET_PROFILING_TMM_END(p, TMM_RECEIVEPCAPFILE);
92 SCReturn;
93 }
94
95 /* We only check for checksum disable */
96 if (pcap_g.checksum_mode == CHECKSUM_VALIDATION_DISABLE) {
97 p->flags |= PKT_IGNORE_CHECKSUM;
98 } else if (pcap_g.checksum_mode == CHECKSUM_VALIDATION_AUTO) {
99 if (ChecksumAutoModeCheck(ptv->shared->pkts, p->pcap_cnt,
100 SC_ATOMIC_GET(pcap_g.invalid_checksums))) {
101 pcap_g.checksum_mode = CHECKSUM_VALIDATION_DISABLE;
102 p->flags |= PKT_IGNORE_CHECKSUM;
103 }
104 }
105
106 PACKET_PROFILING_TMM_END(p, TMM_RECEIVEPCAPFILE);
107
108 if (TmThreadsSlotProcessPkt(ptv->shared->tv, ptv->shared->slot, p) != TM_ECODE_OK) {
109 pcap_breakloop(ptv->pcap_handle);
110 ptv->shared->cb_result = TM_ECODE_FAILED;
111 }
112
113 SCReturn;
114}
115
116char pcap_filename[PATH_MAX] = "unknown";
117
118const char *PcapFileGetFilename(void)
119{
120 return pcap_filename;
121}
122
123/**
124 * \brief Main PCAP file reading Loop function
125 */
126TmEcode PcapFileDispatch(PcapFileFileVars *ptv)
127{
128 SCEnter();
129
130 /* initialize all the thread's initial timestamp */
131 if (likely(ptv->first_pkt_hdr != NULL)) {
132 TmThreadsInitThreadsTimestamp(SCTIME_FROM_TIMEVAL(&ptv->first_pkt_ts));
133 PcapFileCallbackLoop((char *)ptv, ptv->first_pkt_hdr,
134 (u_char *)ptv->first_pkt_data);
135 ptv->first_pkt_hdr = NULL;
136 ptv->first_pkt_data = NULL;
137 }
138
139 int packet_q_len = 64;
140 TmEcode loop_result = TM_ECODE_OK;
141 strlcpy(pcap_filename, ptv->filename, sizeof(pcap_filename));
142
143 while (loop_result == TM_ECODE_OK) {
144 if (suricata_ctl_flags & SURICATA_STOP) {
145 SCReturnInt(TM_ECODE_OK);
146 }
147
148 /* make sure we have at least one packet in the packet pool, to prevent
149 * us from alloc'ing packets at line rate */
150 PacketPoolWait();
151
152 /* Right now we just support reading packets one at a time. */
153 int r = pcap_dispatch(ptv->pcap_handle, packet_q_len,
154 (pcap_handler)PcapFileCallbackLoop, (u_char *)ptv);
155 if (unlikely(r == -1)) {
156 SCLogError("error code %" PRId32 " %s for %s", r, pcap_geterr(ptv->pcap_handle),
157 ptv->filename);
158 if (ptv->shared->cb_result == TM_ECODE_FAILED) {
159 SCReturnInt(TM_ECODE_FAILED);
160 }
161 loop_result = TM_ECODE_DONE;
162 } else if (unlikely(r == 0)) {
163 SCLogInfo("pcap file %s end of file reached (pcap err code %" PRId32 ")",
164 ptv->filename, r);
165 ptv->shared->files++;
166 loop_result = TM_ECODE_DONE;
167 } else if (ptv->shared->cb_result == TM_ECODE_FAILED) {
168 SCLogError("Pcap callback PcapFileCallbackLoop failed for %s", ptv->filename);
169 loop_result = TM_ECODE_FAILED;
170 }
171 StatsSyncCountersIfSignalled(ptv->shared->tv);
172 }
173
174 SCReturnInt(loop_result);
175}
176
177/** \internal
178 * \brief get the timestamp of the first packet and rewind
179 * \param pfv pcap file variables for storing the timestamp
180 * \retval bool true on success, false on error
181 */
182static bool PeekFirstPacketTimestamp(PcapFileFileVars *pfv)
183{
184 int r = pcap_next_ex(pfv->pcap_handle, &pfv->first_pkt_hdr, &pfv->first_pkt_data);
185 if (r <= 0 || pfv->first_pkt_hdr == NULL) {
186 SCLogError("failed to get first packet timestamp. pcap_next_ex(): %d", r);
187 return false;
188 }
189 /* timestamp in pfv->first_pkt_hdr may not be 'struct timeval' so
190 * do a manual copy of the members. */
191 pfv->first_pkt_ts.tv_sec = pfv->first_pkt_hdr->ts.tv_sec;
192 pfv->first_pkt_ts.tv_usec = pfv->first_pkt_hdr->ts.tv_usec;
193 return true;
194}
195
196TmEcode InitPcapFile(PcapFileFileVars *pfv)
197{
198 char errbuf[PCAP_ERRBUF_SIZE] = "";
199
200 if(unlikely(pfv->filename == NULL)) {
201 SCLogError("Filename was null");
202 SCReturnInt(TM_ECODE_FAILED);
203 }
204
205 pfv->pcap_handle = pcap_open_offline(pfv->filename, errbuf);
206 if (pfv->pcap_handle == NULL) {
207 SCLogError("%s", errbuf);
208 SCReturnInt(TM_ECODE_FAILED);
209 }
210
211#if defined(HAVE_SETVBUF) && defined(OS_LINUX)
212 if (pcap_g.read_buffer_size > 0) {
213 errno = 0;
214 if (setvbuf(pcap_file(pfv->pcap_handle), pfv->buffer, _IOFBF, pcap_g.read_buffer_size) <
215 0) {
216 SCLogWarning("Failed to setvbuf on PCAP file handle: %s", strerror(errno));
217 }
218 }
219#endif
220
221 if (pfv->shared != NULL && pfv->shared->bpf_string != NULL) {
222 SCLogInfo("using bpf-filter \"%s\"", pfv->shared->bpf_string);
223
224 if (pcap_compile(pfv->pcap_handle, &pfv->filter, pfv->shared->bpf_string, 1, 0) < 0) {
225 SCLogError("bpf compilation error %s for %s", pcap_geterr(pfv->pcap_handle),
226 pfv->filename);
227 SCReturnInt(TM_ECODE_FAILED);
228 }
229
230 if (pcap_setfilter(pfv->pcap_handle, &pfv->filter) < 0) {
231 SCLogError("could not set bpf filter %s for %s", pcap_geterr(pfv->pcap_handle),
232 pfv->filename);
233 pcap_freecode(&pfv->filter);
234 SCReturnInt(TM_ECODE_FAILED);
235 }
236 pcap_freecode(&pfv->filter);
237 }
238
239 pfv->datalink = pcap_datalink(pfv->pcap_handle);
240 SCLogDebug("datalink %" PRId32 "", pfv->datalink);
241 DatalinkSetGlobalType(pfv->datalink);
242
243 if (!PeekFirstPacketTimestamp(pfv))
244 SCReturnInt(TM_ECODE_FAILED);
245
246 DecoderFunc UnusedFnPtr;
247 TmEcode validated = ValidateLinkType(pfv->datalink, &UnusedFnPtr);
248 SCReturnInt(validated);
249}
250
251TmEcode ValidateLinkType(int datalink, DecoderFunc *DecoderFn)
252{
253 switch (datalink) {
254 case LINKTYPE_LINUX_SLL2:
255 *DecoderFn = DecodeSll2;
256 break;
257 case LINKTYPE_LINUX_SLL:
258 *DecoderFn = DecodeSll;
259 break;
260 case LINKTYPE_ETHERNET:
261 *DecoderFn = DecodeEthernet;
262 break;
263 case LINKTYPE_PPP:
264 *DecoderFn = DecodePPP;
265 break;
266 case LINKTYPE_IPV4:
267 case LINKTYPE_IPV6:
268 case LINKTYPE_RAW:
269 case LINKTYPE_RAW2:
270 case LINKTYPE_GRE_OVER_IP:
271 *DecoderFn = DecodeRaw;
272 break;
273 case LINKTYPE_NULL:
274 *DecoderFn = DecodeNull;
275 break;
276 case LINKTYPE_CISCO_HDLC:
277 *DecoderFn = DecodeCHDLC;
278 break;
279
280 default:
281 SCLogError(
282 "datalink type %" PRId32 " not (yet) supported in module PcapFile.", datalink);
283 SCReturnInt(TM_ECODE_FAILED);
284 }
285
286 SCReturnInt(TM_ECODE_OK);
287}
StatsSyncCountersIfSignalled
void StatsSyncCountersIfSignalled(ThreadVars *tv)
Definition counters.c:450
DecodeCHDLC
int DecodeCHDLC(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition decode-chdlc.c:42
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition decode-ethernet.c:42
DecodeNull
int DecodeNull(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition decode-null.c:51
DecodePPP
int DecodePPP(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition decode-ppp.c:174
DecodeRaw
int DecodeRaw(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition decode-raw.c:42
DecodeSll2
int DecodeSll2(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition decode-sll2.c:40
DecodeSll
int DecodeSll(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition decode-sll.c:41
CHECKSUM_VALIDATION_AUTO
@ CHECKSUM_VALIDATION_AUTO
Definition decode.h:45
CHECKSUM_VALIDATION_DISABLE
@ CHECKSUM_VALIDATION_DISABLE
Definition decode.h:43
PKT_SET_SRC
#define PKT_SET_SRC(p, src_val)
Definition decode.h:1325
DecoderFunc
int(* DecoderFunc)(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition decode.h:1180
PKT_SRC_WIRE
@ PKT_SRC_WIRE
Definition decode.h:52
PKT_IGNORE_CHECKSUM
#define PKT_IGNORE_CHECKSUM
Definition decode.h:1282
max_pending_packets
uint32_t max_pending_packets
Definition suricata.c:183
PacketGetFromQueueOrAlloc
Packet * PacketGetFromQueueOrAlloc(void)
Get a packet. We try to get a packet from the packetpool first, but if that is empty we alloc a packe...
Definition decode.c:293
PacketCopyData
int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition decode.c:377
InitPcapFile
TmEcode InitPcapFile(PcapFileFileVars *pfv)
Definition source-pcap-file-helper.c:196
PcapFileGetFilename
const char * PcapFileGetFilename(void)
Definition source-pcap-file-helper.c:118
ValidateLinkType
TmEcode ValidateLinkType(int datalink, DecoderFunc *DecoderFn)
Definition source-pcap-file-helper.c:251
PcapFileDispatch
TmEcode PcapFileDispatch(PcapFileFileVars *ptv)
Main PCAP file reading Loop function.
Definition source-pcap-file-helper.c:126
CleanupPcapFileFileVars
void CleanupPcapFileFileVars(PcapFileFileVars *pfv)
Definition source-pcap-file-helper.c:39
pcap_g
PcapFileGlobalVars pcap_g
Definition source-pcap-file.c:38
pcap_filename
char pcap_filename[PATH_MAX]
Definition source-pcap-file-helper.c:116
Packet_
Definition decode.h:501
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition decode.h:626
Packet_::ts
SCTime_t ts
Definition decode.h:555
Packet_::datalink
int datalink
Definition decode.h:639
Packet_::pcap_v
PcapPacketVars pcap_v
Definition decode.h:587
Packet_::flags
uint32_t flags
Definition decode.h:544
PcapFileFileVars_
Definition source-pcap-file-helper.h:70
PcapFileFileVars_::pcap_handle
pcap_t * pcap_handle
Definition source-pcap-file-helper.h:72
PcapFileFileVars_::first_pkt_ts
struct timeval first_pkt_ts
Definition source-pcap-file-helper.h:83
PcapFileFileVars_::shared
PcapFileSharedVars * shared
Definition source-pcap-file-helper.h:77
PcapFileFileVars_::first_pkt_hdr
struct pcap_pkthdr * first_pkt_hdr
Definition source-pcap-file-helper.h:82
PcapFileFileVars_::filename
char * filename
Definition source-pcap-file-helper.h:71
PcapFileFileVars_::first_pkt_data
const u_char * first_pkt_data
Definition source-pcap-file-helper.h:81
PcapFileFileVars_::datalink
int datalink
Definition source-pcap-file-helper.h:74
PcapFileFileVars_::filter
struct bpf_program filter
Definition source-pcap-file-helper.h:75
PcapFileGlobalVars_
Definition source-pcap-file-helper.h:30
PcapFileGlobalVars_::read_buffer_size
uint32_t read_buffer_size
Definition source-pcap-file-helper.h:35
PcapFileGlobalVars_::checksum_mode
ChecksumValidationMode checksum_mode
Definition source-pcap-file-helper.h:33
PcapFileGlobalVars_::cnt
uint64_t cnt
Definition source-pcap-file-helper.h:31
PcapFileSharedVars_::tenant_id
uint32_t tenant_id
Definition source-pcap-file-helper.h:45
PcapFileSharedVars_::slot
TmSlot * slot
Definition source-pcap-file-helper.h:52
PcapFileSharedVars_::bpf_string
char * bpf_string
Definition source-pcap-file-helper.h:43
PcapFileSharedVars_::should_delete
bool should_delete
Definition source-pcap-file-helper.h:49
PcapFileSharedVars_::cb_result
int cb_result
Definition source-pcap-file-helper.h:63
PcapFileSharedVars_::tv
ThreadVars * tv
Definition source-pcap-file-helper.h:51
PcapFileSharedVars_::pkts
uint64_t pkts
Definition source-pcap-file-helper.h:55
PcapFileSharedVars_::bytes
uint64_t bytes
Definition source-pcap-file-helper.h:56
PcapPacketVars_::tenant_id
uint32_t tenant_id
Definition source-pcap.h:37
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition util-strlcpyu.c:43
suricata_ctl_flags
volatile uint8_t suricata_ctl_flags
Definition suricata.c:172
SURICATA_STOP
#define SURICATA_STOP
Definition suricata.h:94
TMM_RECEIVEPCAPFILE
@ TMM_RECEIVEPCAPFILE
Definition tm-threads-common.h:39
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition tm-threads-common.h:82
TM_ECODE_OK
@ TM_ECODE_OK
Definition tm-threads-common.h:81
TM_ECODE_DONE
@ TM_ECODE_DONE
Definition tm-threads-common.h:83
TmThreadsInitThreadsTimestamp
void TmThreadsInitThreadsTimestamp(const SCTime_t ts)
Definition tm-threads.c:2342
PacketPoolWait
void PacketPoolWait(void)
Definition tmqh-packetpool.c:71
TmqhOutputPacketpool
void TmqhOutputPacketpool(ThreadVars *t, Packet *p)
Definition tmqh-packetpool.c:305
SC_ATOMIC_GET
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
Definition util-atomic.h:375
ChecksumAutoModeCheck
int ChecksumAutoModeCheck(uint64_t thread_count, uint64_t iface_count, uint64_t iface_fail)
Check if the number of invalid checksums indicate checksum offloading in place.
Definition util-checksum.c:69
SCEnter
#define SCEnter(...)
Definition util-debug.h:277
SCLogDebug
#define SCLogDebug(...)
Definition util-debug.h:275
SCReturnInt
#define SCReturnInt(x)
Definition util-debug.h:281
SCLogNotice
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition util-debug.h:243
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition util-debug.h:255
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition util-debug.h:225
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition util-debug.h:267
SCReturn
#define SCReturn
Definition util-debug.h:279
SCFree
#define SCFree(p)
Definition util-mem.h:61
likely
#define likely(expr)
Definition util-optimize.h:32
unlikely
#define unlikely(expr)
Definition util-optimize.h:35
PACKET_PROFILING_TMM_END
#define PACKET_PROFILING_TMM_END(p, id)
Definition util-profiling.h:139
PACKET_PROFILING_TMM_START
#define PACKET_PROFILING_TMM_START(p, id)
Definition util-profiling.h:131
SCTIME_SECS
#define SCTIME_SECS(t)
Definition util-time.h:57
SCTIME_FROM_TIMEVAL_UNTRUSTED
#define SCTIME_FROM_TIMEVAL_UNTRUSTED(tv)
variant to deal with potentially bad timestamps, like from pcap files
Definition util-time.h:85
SCTIME_FROM_TIMEVAL
#define SCTIME_FROM_TIMEVAL(tv)
Definition util-time.h:79