pcap: add snaplen YAML variable

This patch introduces 'snaplen' a new YAML variable in the pcap section.
It can be set per-interface to force pcap capture snaplen. If not set
it defaults to interface MTU if MTU can be known via a ioctl call and to
full capture if not.

src/runmode-pcap.c

@@ -94,6 +94,7 @@ void *ParsePcapConfig(const char *iface)
     char *tmpctype;
     intmax_t value;
     int promisc = 0;
+    intmax_t snaplen = 0;
 
     if (unlikely(aconf == NULL)) {
         return NULL;
@@ -217,6 +218,14 @@ void *ParsePcapConfig(const char *iface)
         aconf->promisc = promisc;
     }
 
+    aconf->snaplen = 0;
+    if (ConfGetChildValueIntWithDefault(if_root, if_default, "snaplen", &snaplen) != 1) {
+        SCLogDebug("could not get snaplen or none specified");
+    } else {
+        aconf->snaplen = snaplen;
+    }
+
+
     return aconf;
 }
 

src/source-pcap.c

@@ -354,7 +354,7 @@ TmEcode ReceivePcapLoop(ThreadVars *tv, void *data, void *slot)
 TmEcode ReceivePcapThreadInit(ThreadVars *tv, void *initdata, void **data) {
     SCEnter();
     PcapIfaceConfig *pcapconfig = initdata;
-    int mtu;
+    int snaplen;
 
     if (initdata == NULL) {
         SCLogError(SC_ERR_INVALID_ARGUMENT, "initdata == NULL");
@@ -401,18 +401,22 @@ TmEcode ReceivePcapThreadInit(ThreadVars *tv, void *initdata, void **data) {
         SCReturnInt(TM_ECODE_FAILED);
     }
 
-    /* We only set snaplen if we can get the MTU */
+    if (pcapconfig->snaplen == 0) {
-    mtu = GetIfaceMTU(pcapconfig->iface);
+        /* We set snaplen if we can get the MTU */
-    if (mtu > 0) {
+        snaplen = GetIfaceMTU(pcapconfig->iface);
-        /* set Snaplen, Promisc, and Timeout. Must be called before pcap_activate */
+    } else {
-        int pcap_set_snaplen_r = pcap_set_snaplen(ptv->pcap_handle, mtu);
+        snaplen = pcapconfig->snaplen;
-        //printf("ReceivePcapThreadInit: pcap_set_snaplen(%p) returned %" PRId32 "\n", ptv->pcap_handle, pcap_set_snaplen_r);
+    }
+    if (snaplen > 0) {
+        /* set Snaplen. Must be called before pcap_activate */
+        int pcap_set_snaplen_r = pcap_set_snaplen(ptv->pcap_handle, snaplen);
         if (pcap_set_snaplen_r != 0) {
             SCLogError(SC_ERR_PCAP_SET_SNAPLEN, "Couldn't set snaplen, error: %s", pcap_geterr(ptv->pcap_handle));
             SCFree(ptv);
             pcapconfig->DerefFunc(pcapconfig);
             SCReturnInt(TM_ECODE_FAILED);
         }
+        SCLogInfo("Set snaplen to %d for '%s'", snaplen, pcapconfig->iface);
     }
 
     /* set Promisc, and Timeout. Must be called before pcap_activate */

src/source-pcap.h

@@ -51,6 +51,8 @@ typedef struct PcapIfaceConfig_
     int threads;
     /* socket buffer size */
     int buffer_size;
+    /* snapshot length */
+    int snaplen;
     /* promiscuous value */
     int promisc;
     /* BPF filter */

suricata.yaml.in

@@ -711,6 +711,9 @@ pcap:
     #threads: 16
     # set to no to disable promiscuous mode:
     #promisc: no
+    # set snaplen, if not set it defaults to MTU if MTU can be known
+    # via ioctl call and to full capture if not.
+    #snaplen: 1518
   # Put default values here
   - interface: default
     #checksum-checks: auto