bpf support for pcap modes

16 years ago · ba46c16aac
parent 424ff432ec
commit ba46c16aac
5 changed files with 101 additions and 3 deletions
--- a/src/source-pcap-file.c
+++ b/src/source-pcap-file.c
@ -10,7 +10,7 @@
 #include <pcap/pcap.h>
 #else
 #include <pcap.h>
-#endif
+#endif /* LIBPCAP_VERSION_MAJOR */

 #include "suricata-common.h"
 #include "suricata.h"
@ -23,11 +23,14 @@
 #include "source-pcap-file.h"
 #include "util-time.h"
 #include "util-debug.h"
+#include "conf.h"
+

 typedef struct PcapFileGlobalVars_ {
    pcap_t *pcap_handle;
    void (*Decoder)(ThreadVars *, DecodeThreadVars *, Packet *, u_int8_t *, u_int16_t, PacketQueue *);
    int datalink;
+    struct bpf_program filter;
 } PcapFileGlobalVars;

 typedef struct PcapFileThreadVars_
@ -114,6 +117,9 @@ TmEcode ReceivePcapFile(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
 }

 TmEcode ReceivePcapFileThreadInit(ThreadVars *tv, void *initdata, void **data) {
+
+    char *tmpbpfstring;
+
    if (initdata == NULL) {
        printf("ReceivePcapFileThreadInit error: initdata == NULL\n");
        return TM_ECODE_FAILED;
@ -132,6 +138,22 @@ TmEcode ReceivePcapFileThreadInit(ThreadVars *tv, void *initdata, void **data) {
        exit(1);
    }

+    if (ConfGet("bpf-filter", &tmpbpfstring) != 1) {
+        SCLogInfo("could not get bpf or none specified");
+    } else {
+        SCLogInfo("using bpf-filter %s", tmpbpfstring);
+
+        if(pcap_compile(pcap_g.pcap_handle,&pcap_g.filter,tmpbpfstring,1,0) < 0) {
+            SCLogError(SC_ERR_BPF,"bpf compilation error %s",pcap_geterr(pcap_g.pcap_handle));
+            exit(1);
+        }
+
+        if(pcap_setfilter(pcap_g.pcap_handle,&pcap_g.filter) < 0) {
+            SCLogError(SC_ERR_BPF,"could not set bpf filter %s",pcap_geterr(pcap_g.pcap_handle));
+            exit(1);
+        }
+    }
+
    pcap_g.datalink = pcap_datalink(pcap_g.pcap_handle);
    printf("TmModuleReceivePcapFileRegister: datalink %" PRId32 "\n", pcap_g.datalink);
    switch(pcap_g.datalink)	{
--- a/src/source-pcap.c
+++ b/src/source-pcap.c
@ -16,6 +16,7 @@
 #include "tm-modules.h"
 #include "tm-threads.h"
 #include "source-pcap.h"
+#include "conf.h"
 #include "util-debug.h"

 /**
@ -26,6 +27,9 @@ typedef struct PcapThreadVars_
    /* thread specific handle */
    pcap_t *pcap_handle;

+    /* thread specific bpf */
+    struct bpf_program filter;
+
    /* data link type for the thread */
    int datalink;

@ -159,6 +163,9 @@ TmEcode ReceivePcap(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq) {
 */
 #if LIBPCAP_VERSION_MAJOR == 1
 TmEcode ReceivePcapThreadInit(ThreadVars *tv, void *initdata, void **data) {
+
+    char *tmpbpfstring;
+
    if (initdata == NULL) {
        printf("ReceivePcapThreadInit error: initdata == NULL\n");
        return TM_ECODE_FAILED;
@ -212,6 +219,23 @@ TmEcode ReceivePcapThreadInit(ThreadVars *tv, void *initdata, void **data) {
        exit(1);
    }

+    /* set bpf filter if we have one */
+    if (ConfGet("bpf-filter", &tmpbpfstring) != 1) {
+        SCLogInfo("could not get bpf or none specified");
+    } else {
+        SCLogInfo("using bpf-filter %s", tmpbpfstring);
+
+        if(pcap_compile(ptv->pcap_handle,&ptv->filter,tmpbpfstring,1,0) < 0) {
+            SCLogError(SC_ERR_BPF,"bpf compilation error %s",pcap_geterr(ptv->pcap_handle));
+            exit(1);
+        }
+
+        if(pcap_setfilter(ptv->pcap_handle,&ptv->filter) < 0) {
+            SCLogError(SC_ERR_BPF,"could not set bpf filter %s",pcap_geterr(ptv->pcap_handle));
+            exit(1);
+        }
+    }
+
    ptv->datalink = pcap_datalink(ptv->pcap_handle);

    *data = (void *)ptv;
@ -219,6 +243,9 @@ TmEcode ReceivePcapThreadInit(ThreadVars *tv, void *initdata, void **data) {
 }
 #else /* implied LIBPCAP_VERSION_MAJOR == 0 */
 TmEcode ReceivePcapThreadInit(ThreadVars *tv, void *initdata, void **data) {
+
+    char *tmpbpfstring;
+
    if (initdata == NULL) {
        printf("ReceivePcapThreadInit error: initdata == NULL\n");
        return TM_ECODE_FAILED;
@ -242,6 +269,24 @@ TmEcode ReceivePcapThreadInit(ThreadVars *tv, void *initdata, void **data) {
        exit(1);
    }

+    /* set bpf filter if we have one */
+    if (ConfGet("bpf-filter", &tmpbpfstring) != 1) {
+        SCLogInfo("could not get bpf or none specified");
+    } else {
+        SCLogInfo("using bpf-filter %s", tmpbpfstring);
+
+        if(pcap_compile(ptv->pcap_handle,&ptv->filter,tmpbpfstring,1,0) < 0) {
+            SCLogError(SC_ERR_BPF,"bpf compilation error %s",pcap_geterr(ptv->pcap_handle));
+            exit(1);
+        }
+
+        if(pcap_setfilter(ptv->pcap_handle,&ptv->filter) < 0) {
+            SCLogError(SC_ERR_BPF,"could not set bpf filter %s",pcap_geterr(ptv->pcap_handle));
+            exit(1);
+        }
+    }
+
+
    ptv->datalink = pcap_datalink(ptv->pcap_handle);

    *data = (void *)ptv;
--- a/src/suricata.c
+++ b/src/suricata.c
@ -304,6 +304,9 @@ void usage(const char *progname)
    printf("\t--fatal-unittests            : enable fatal failure on unittest error\n");
 #endif /* UNITTESTS */
    printf("\t--init-errors-fatal          : enable fatal failure on signature init error\n");
+    printf("\t--dump-config                : show the running configuration\n");
+    printf("\t--pfring-int <dev>           : run in pfring mode\n");
+    printf("\t--pfring-clusterid <id>      : pfring cluster id to use for flow pinning\n");
    printf("\n");
    printf("\nTo run the engine with default configuration on "
            "interface eth0 with signature file \"signatures.rules\", run the "
@ -320,6 +323,9 @@ int main(int argc, char **argv)
    char *sig_file = NULL;
    char *nfq_id = NULL;
    char *conf_filename = NULL;
+    char *bpf_filter = NULL;
+    uint32_t bpf_len = 0;
+    int tmpindex = 0;
 #ifdef UNITTESTS
    char *regex_arg = NULL;
 #endif
@ -500,6 +506,30 @@ int main(int argc, char **argv)
        }
    }

+    /* attempt to parse remaining args as bpf filter */
+    tmpindex = optind;
+    while(argv[tmpindex] != NULL) {
+        bpf_len+=strlen(argv[tmpindex]) + 1;
+        tmpindex++;
+    }
+    bpf_filter= malloc(bpf_len);
+
+    tmpindex = optind;
+    while(argv[tmpindex] != NULL) {
+        strlcat(bpf_filter, argv[tmpindex],bpf_len);
+        if(argv[tmpindex + 1] != NULL) {
+            strlcat(bpf_filter," ", bpf_len);
+        }
+        tmpindex++;
+    }
+
+    if(strlen(bpf_filter) > 0) {
+        if (ConfSet("bpf-filter", bpf_filter, 0) != 1) {
+            fprintf(stderr, "ERROR: Failed to set bpf filter.\n");
+            exit(EXIT_FAILURE);
+        }
+    }
+
    SCLogInfo("This is %s version %s", PROG_NAME, PROG_VER);
    UtilCpuPrintSummary();

--- a/src/util-error.c
+++ b/src/util-error.c
@ -86,7 +86,7 @@ const char * SCErrorToString(SCError err)
        CASE_CODE (SC_WARN_IPFW_SETSOCKOPT);
        CASE_CODE (SC_WARN_IPFW_UNBIND);
        CASE_CODE (SC_ERR_MULTIPLE_RUN_MODE);
-
+        CASE_CODE (SC_ERR_BPF);
        default:
            return "UNKNOWN_ERROR";
    }
--- a/src/util-error.h
+++ b/src/util-error.h
@ -106,7 +106,8 @@ typedef enum {
    SC_REPUTATION_INVALID_TYPE,
    SC_ERR_UNKNOWN_PROTOCOL,
    SC_ERR_UNKNOWN_RUN_MODE,
-    SC_ERR_MULTIPLE_RUN_MODE
+    SC_ERR_MULTIPLE_RUN_MODE,
+    SC_ERR_BPF,
 } SCError;

 const char *SCErrorToString(SCError);