pcap: add snaplen YAML variable

This patch introduces 'snaplen' a new YAML variable in the pcap section. It can be set per-interface to force pcap capture snaplen. If not set it defaults to interface MTU if MTU can be known via a ioctl call and to full capture if not.
13 years ago · 2f0927fe9b
parent e14a817fbd
commit 2f0927fe9b
4 changed files with 25 additions and 7 deletions
--- a/src/runmode-pcap.c
+++ b/src/runmode-pcap.c
@ -94,6 +94,7 @@ void *ParsePcapConfig(const char *iface)
    char *tmpctype;
    intmax_t value;
    int promisc = 0;
+    intmax_t snaplen = 0;

    if (unlikely(aconf == NULL)) {
        return NULL;
@ -217,6 +218,14 @@ void *ParsePcapConfig(const char *iface)
        aconf->promisc = promisc;
    }

+    aconf->snaplen = 0;
+    if (ConfGetChildValueIntWithDefault(if_root, if_default, "snaplen", &snaplen) != 1) {
+        SCLogDebug("could not get snaplen or none specified");
+    } else {
+        aconf->snaplen = snaplen;
+    }
+
+
    return aconf;
 }

--- a/src/source-pcap.c
+++ b/src/source-pcap.c
@ -354,7 +354,7 @@ TmEcode ReceivePcapLoop(ThreadVars *tv, void *data, void *slot)
 TmEcode ReceivePcapThreadInit(ThreadVars *tv, void *initdata, void **data) {
    SCEnter();
    PcapIfaceConfig *pcapconfig = initdata;
-    int mtu;
+    int snaplen;

    if (initdata == NULL) {
        SCLogError(SC_ERR_INVALID_ARGUMENT, "initdata == NULL");
@ -401,18 +401,22 @@ TmEcode ReceivePcapThreadInit(ThreadVars *tv, void *initdata, void **data) {
        SCReturnInt(TM_ECODE_FAILED);
    }

-    /* We only set snaplen if we can get the MTU */
-    mtu = GetIfaceMTU(pcapconfig->iface);
-    if (mtu > 0) {
-        /* set Snaplen, Promisc, and Timeout. Must be called before pcap_activate */
-        int pcap_set_snaplen_r = pcap_set_snaplen(ptv->pcap_handle, mtu);
-        //printf("ReceivePcapThreadInit: pcap_set_snaplen(%p) returned %" PRId32 "\n", ptv->pcap_handle, pcap_set_snaplen_r);
+    if (pcapconfig->snaplen == 0) {
+        /* We set snaplen if we can get the MTU */
+        snaplen = GetIfaceMTU(pcapconfig->iface);
+    } else {
+        snaplen = pcapconfig->snaplen;
+    }
+    if (snaplen > 0) {
+        /* set Snaplen. Must be called before pcap_activate */
+        int pcap_set_snaplen_r = pcap_set_snaplen(ptv->pcap_handle, snaplen);
        if (pcap_set_snaplen_r != 0) {
            SCLogError(SC_ERR_PCAP_SET_SNAPLEN, "Couldn't set snaplen, error: %s", pcap_geterr(ptv->pcap_handle));
            SCFree(ptv);
            pcapconfig->DerefFunc(pcapconfig);
            SCReturnInt(TM_ECODE_FAILED);
        }
+        SCLogInfo("Set snaplen to %d for '%s'", snaplen, pcapconfig->iface);
    }

    /* set Promisc, and Timeout. Must be called before pcap_activate */
--- a/src/source-pcap.h
+++ b/src/source-pcap.h
@ -51,6 +51,8 @@ typedef struct PcapIfaceConfig_
    int threads;
    /* socket buffer size */
    int buffer_size;
+    /* snapshot length */
+    int snaplen;
    /* promiscuous value */
    int promisc;
    /* BPF filter */
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@ -711,6 +711,9 @@ pcap:
    #threads: 16
    # set to no to disable promiscuous mode:
    #promisc: no
+    # set snaplen, if not set it defaults to MTU if MTU can be known
+    # via ioctl call and to full capture if not.
+    #snaplen: 1518
  # Put default values here
  - interface: default
    #checksum-checks: auto