/*
** Based on Sourcefire External DAQ Module examples and some code from other DAQ Modules.
**
** Author: Eric Lauzon <[email protected]> 2012
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA,
** or look on the Interweb!
*/
#ifndef _DAQ_PCAP_SPOOLER_H
#define _DAQ_PCAP_SPOOLER_H
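/* Fallback for platforms whose <limits.h> does not provide PATH_MAX. */
#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/*
** Only the classic libpcap magic (native byte order, microsecond
** timestamps) is recognised.  Byte-swapped captures and the
** nanosecond-resolution variant carry a different magic and will not
** match this value; whether to support them is still an open question.
*/
#define TCPDUMP_MAGIC 0xa1b2c3d4

#define DAQ_PCAP_SPOOLER_VERSION 4

/*
** Capability bits reported to the DAQ framework.  Deliberately no
** trailing ';': the macro expands to an expression, and a stray
** semicolon breaks any use that is not a bare statement (for example
** OR-ing it with further capability bits).
*/
#define DAQ_PCAP_SPOOLER_CAPABILITIES (DAQ_CAPA_UNPRIV_START|DAQ_CAPA_BPF|DAQ_CAPA_BREAKLOOP)

/* Default tunables; each can presumably be overridden through the DAQ
** configuration variables (see pcap_spooler_parse_args in the .c). */
#define DEFAULT_PCAP_SPOOLER_BLOCK_MULTIPLE 128
#define DEFAULT_PCAP_SPOOLER_FILE_PREFIX "daemonlogger.pcap"
#define DEFAULT_PCAP_SPOOLER_YAF_PREFIX "yaf_"
#define DEFAULT_PCAP_SPOOLER_SPOOL_DIRECTORY "/var/log/snort/log"
#define DEFAULT_PCAP_SPOOLER_ARCHIVE_DIRECTORY "/var/log/snort/archive"
#define DEFAULT_PCAP_SPOOLER_REFERENCE_FILE "/var/log/snort/PSRF"
#define DEFAULT_PCAP_SPOOLER_UPDATE_WINDOW 2000

/*
** Operation modes: which kind of capture writer fills the spool
** directory.  The two values are distinct bits, so they can be tested
** independently; the reference file records the mode that was in use.
*/
#define OPERATION_MODE_PCAP 0x0001
#define OPERATION_MODE_YAF 0x0002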
/*
** Local copy of the libpcap global file header.  It is declared here,
** instead of taken from <pcap.h>, so that every field has a fixed width
** and the layout is identical on 32- and 64-bit builds (24 bytes, no
** padding).
**
** The structure is filled from files found in the spool directory, so
** every field is untrusted input.  The reader is expected to check at
** least the magic (against TCPDUMP_MAGIC) and to treat snaplen as an
** upper bound for per-packet caplen values; that validation is not in
** this header and should be confirmed in the .c file.
*/
struct pcap_file_header {
u_int32_t magic; /* file magic; presumably compared with TCPDUMP_MAGIC */
u_short version_major;
u_short version_minor;
int32_t thiszone; /* gmt to local correction */
u_int32_t sigfigs; /* accuracy of timestamps */
u_int32_t snaplen; /* max length saved portion of each pkt */
u_int32_t linktype; /* data link type (LINKTYPE_*) */
};
/*
** Local copy of the libpcap per-packet record header.  The original
** struct timeval (commented out below) has a platform-dependent size; it
** is replaced by two fixed-width fields so the record is always 16 bytes
** and matches the on-disk format on 64-bit systems.
**
** Like the file header, this is read straight from the spool file:
** caplen and len are untrusted and must be bounded (caplen <= snaplen,
** caplen <= the read buffer, caplen <= len) before they drive any copy
** or pointer arithmetic.  That check belongs to the reader in the .c.
*/
struct pcap_pkthdr {
//struct timeval ts; /* time stamp */
u_int32_t timesec; /* seconds part of the timestamp (replaces ts to fix a compilation issue) */
u_int32_t timeusec; /* microseconds part of the timestamp (replaces ts to fix a compilation issue) */
u_int32_t caplen; /* length of portion present — untrusted, bound it before use */
u_int32_t len; /* length this packet (off wire) — may legitimately exceed caplen */
};
/*
** Persistent spooler position record.  The prototypes below
** (pcap_spooler_write_pcap_reference / open_pcap_reference /
** compare_pcap_reference) and DEFAULT_PCAP_SPOOLER_REFERENCE_FILE
** suggest this structure is written to and read back from the
** reference file.
**
** NOTE(review): unlike the two pcap structures above, this record is
** not fixed-width — off_t, ssize_t and PATH_MAX all vary by platform
** and build options (e.g. large-file support).  If it is stored
** verbatim, a reference file produced by one build may not be readable
** by another; confirm in the .c and validate the record when it is
** loaded, since its contents come from disk.
*/
typedef struct _PcapReference
{
char file_prefix[PATH_MAX]; /* file name prefix the record applies to */
char spooler_directory[PATH_MAX]; /* spool directory the record applies to */
char archive_directory[PATH_MAX]; /* archive directory the record applies to */
u_int32_t timestamp; /* presumably the timestamp of the pcap last processed */
u_int32_t operation_mode; /* Check if we are re-run in the same operation mode */
u_int32_t serial; /* Used if running in YAF support mode */
off_t last_read_offset; /* byte offset reached in the last pcap read */
ssize_t saved_size; /* presumably the pcap size at save time, used to detect growth */
} PcapReference;
/*
** Per-instance state of the pcap spooler DAQ module.  It is presumably
** created by pcap_spooler_daq_initialize and passed back by the DAQ
** framework as the opaque `void *handle` of every DAQ callback below;
** allocation and teardown live in the .c file.
*/
typedef struct _pcap_spooler_context
{
/* Configuration Parameters */
u_int8_t enable_archive; /* non-zero: consumed pcaps are moved to archive_directory (see pcap_spooler_move_pcap) */
u_int8_t enable_debug; /* non-zero: pcap_spooler_debug_print output enabled */
u_int32_t block_size_read; /* bytes read per bulk read; likely derived from DEFAULT_PCAP_SPOOLER_BLOCK_MULTIPLE — confirm in .c */
char *file_prefix; /* pcap file name prefix to match in spooler_directory */
char *spooler_directory; /* directory monitored for new pcap files */
char *archive_directory; /* destination for archived pcaps */
char *pcap_reference_file; /* path of the PcapReference record on disk */
u_int32_t pcap_update_window; /* presumably a polling interval; default DEFAULT_PCAP_SPOOLER_UPDATE_WINDOW */
u_int32_t operation_mode; /* OPERATION_MODE_PCAP or OPERATION_MODE_YAF */
/* NOTE(review): ownership of the four char* strings above (copied from
** the DAQ config or borrowed?) is not stated here; check who frees them. */
/* End of configuration parameters */
/* Contextual information */
DIR *spooler_dir; /* open directory handle for spooler_directory */
PcapReference pcap_reference; /* in-memory copy of the reference record */
struct stat pcap_stat; /* stat() result of the pcap being read (see pcap_spooler_get_stat) */
char pcap_file_temp_name[PATH_MAX]; /* scratch buffer for building pcap path names */
char *read_buffer; /* bulk read buffer, read_buffer_size bytes */
u_int32_t read_buffer_size;
u_int8_t bpf_recompile_filter; /* non-zero: bpf_filter must be recompiled (e.g. after a datalink change) — presumably */
char *bpf_filter_backup; /* original comment reads "used if" and stops; presumably the filter text kept so the program can be recompiled when bpf_recompile_filter is set */
u_int32_t current_timestamp;
int packet_reference_fd; /* file descriptor of pcap_reference_file */
int pcap_fd; /* file descriptor of the pcap being read */
u_int8_t has_PR; /* non-zero once a pcap reference record is available */
u_int8_t has_PCAP; /* non-zero while a pcap is open */
u_int8_t read_full;
u_int32_t read_packet;
/* End of contextual information */
/* Generic information */
struct sfbpf_program bpf_filter; /* compiled BPF program set via pcap_spooler_daq_set_filter */
DAQ_Analysis_Func_t analysis_func; /* packet callback supplied by the DAQ caller */
DAQ_Stats_t stats; /* counters returned by pcap_spooler_daq_get_stats */
DAQ_State state; /* value returned by pcap_spooler_daq_check_status */
char errbuf[DAQ_ERRBUF_SIZE]; /* last error text, see the get/set_errbuf callbacks */
int snaplen; /* returned by pcap_spooler_daq_get_snaplen */
int data_link_type; /* returned by pcap_spooler_daq_get_datalink_type */
/* End of generic information */
} pcap_spooler_context;
/**
**
** DAQ FUNCTIONS PROTOTYPES
**
**/
/*
** DAQ module entry points.  Every `void *handle` is the
** pcap_spooler_context created by the initialize callback; the return
** value conventions are those of the DAQ API and are not restated here.
*/
/* Allocate the context from `config`, store it in *ctxt_ptr; error text goes to errbuf[len]. */
static int pcap_spooler_daq_initialize(const DAQ_Config_t * config, void **ctxt_ptr, char *errbuf, size_t len);
/* Compile `filter` into the context's sfbpf_program. */
static int pcap_spooler_daq_set_filter(void *handle, const char *filter);
static int pcap_spooler_daq_get_stats(void *handle, DAQ_Stats_t * stats);
static void pcap_spooler_daq_reset_stats(void *handle);
static int pcap_spooler_daq_start(void *handle);
/* Deliver up to `cnt` packets to `callback`; `user` is passed through unchanged. */
static int pcap_spooler_daq_acquire(void *handle, int cnt, DAQ_Analysis_Func_t callback,DAQ_Meta_Func_t metaback, void *user);
static int pcap_spooler_daq_breakloop(void *handle);
static int pcap_spooler_daq_stop(void *handle);
static void pcap_spooler_daq_shutdown(void *handle);
static DAQ_State pcap_spooler_daq_check_status(void *handle);
static int pcap_spooler_daq_get_snaplen(void *handle);
static const char *pcap_spooler_daq_get_errbuf(void *handle);
/* Copies `string` into the context errbuf; the implementation must bound it to DAQ_ERRBUF_SIZE. */
static void pcap_spooler_daq_set_errbuf(void *handle, const char *string);
/* Reports DAQ_PCAP_SPOOLER_CAPABILITIES. */
static uint32_t pcap_spooler_daq_get_capabilities(void *handle);
static int pcap_spooler_daq_get_datalink_type(void *handle);
/**
**
** DAQ FUNCTIONS PROTOTYPES
**
**/
/**
**
** PCAP SPOOLER FUNCTIONS PROTOTYPES
**
**/
/*
** Internal helpers.  The u_int32_t-returning functions appear to share
** one success/failure convention; which value means success is defined
** in the .c and should be checked there.
*/
/* printf-style debug output gated by i_psctx->enable_debug.  Callers must
** pass a literal format string, never file names or other data read from
** the spool directory, since fmt is interpreted as a format. */
static void pcap_spooler_debug_print(pcap_spooler_context *i_psctx,char *fmt,...);
/* Read up to read_size bytes from fd into buffer, storing the count actually
** read in *r_read_size.  read_size is signed: the implementation should
** reject negative values rather than pass them to read(). */
static u_int32_t pcap_spooler_read_bulk(int fd,void *buffer, ssize_t read_size,ssize_t *r_read_size);
/* Persist i_psctx->pcap_reference to the reference file. */
static u_int32_t pcap_spooler_write_pcap_reference(pcap_spooler_context *i_psctx);
/* fstat() wrapper filling *pr_stat. */
static u_int32_t pcap_spooler_get_stat(int fd,struct stat *pr_stat);
/* Read and validate the pcap_file_header of the open pcap — validation is expected, confirm in .c. */
static u_int32_t pcap_spooler_get_header(pcap_spooler_context *i_psctx);
static u_int32_t pcap_spooler_close_pcap(pcap_spooler_context *i_psctx);
static u_int32_t pcap_spooler_open_pcap(pcap_spooler_context *i_psctx);
static u_int32_t pcap_spooler_open_pcap_reference(pcap_spooler_context *i_psctx);
static u_int32_t pcap_spooler_create_pcap_reference(pcap_spooler_context *i_psctx);
/* Check the on-disk PcapReference against the current configuration (prefix, directories, operation_mode). */
static u_int32_t pcap_spooler_compare_pcap_reference(pcap_spooler_context *i_psctx);
/* Apply the DEFAULT_PCAP_SPOOLER_* values. */
static u_int32_t pcap_spooler_default(pcap_spooler_context *i_psctx);
static u_int32_t pcap_spooler_initialize(pcap_spooler_context *i_psctx);
/* Parse the DAQ_Config_t variables into i_psctx; presumably also fills *ctxt_ptr. */
static int pcap_spooler_parse_args(pcap_spooler_context *i_psctx,const DAQ_Config_t * config,void **ctxt_ptr);
/* Move the consumed pcap to archive_directory (used when enable_archive is set). */
static u_int32_t pcap_spooler_move_pcap(pcap_spooler_context *i_psctx);
/* scandir-style filter selecting pcap files by name; looks like a directory-entry predicate. */
static int pcap_spooler_directory_filter(const struct dirent *pcap_file_comp);
static u_int32_t pcap_spooler_monitor_directory(pcap_spooler_context *i_psctx);
/* Placeholder for DAQ callbacks this module does not implement. */
static int pcap_spooler_daq_dummy_funct(void *,...);
/* Convert a YAF file-name timestamp string to/from UTC time_t.
** out_timestamp has no length parameter: the caller must supply a buffer
** at least as large as whatever the implementation writes — check the .c
** for the exact size before reusing these helpers. */
static u_int32_t pcap_spooler_yaf_timestamp_to_utc(char *timestamp,time_t *out_utc);
static u_int32_t pcap_spooler_yaf_utc_to_timestamp(time_t in_utc,char *out_timestamp);
/**
**
** PCAP SPOOLER FUNCTIONS PROTOTYPES
**
**/
#endif /* _DAQ_PCAP_SPOOLER_H */