/src/suricata7/src/runmode-pcap.c

Source
/* Copyright (C) 2007-2022 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

#include "suricata-common.h"
#include "runmode-pcap.h"
#include "runmodes.h"
#include "output.h"

#include "util-conf.h"
#include "util-debug.h"
#include "util-time.h"
#include "util-cpu.h"
#include "util-device.h"
#include "util-runmodes.h"
#include "util-misc.h"
#include "util-byte.h"

const char *RunModeIdsGetDefaultMode(void)
{
    return "autofp";
}

int RunModeIdsPcapWorkers(void);

void RunModeIdsPcapRegister(void)
{
    RunModeRegisterNewRunMode(RUNMODE_PCAP_DEV, "single", "Single threaded pcap live mode",
            RunModeIdsPcapSingle, NULL);
    RunModeRegisterNewRunMode(RUNMODE_PCAP_DEV, "autofp",
            "Multi-threaded pcap live mode. Packets from each flow are assigned to a consistent "
            "detection thread",
            RunModeIdsPcapAutoFp, NULL);
    RunModeRegisterNewRunMode(RUNMODE_PCAP_DEV, "workers",
            "Workers pcap live mode, each thread does all"
            " tasks from acquisition to logging",
            RunModeIdsPcapWorkers, NULL);

    return;
}

static void PcapDerefConfig(void *conf)
{
    PcapIfaceConfig *pfp = (PcapIfaceConfig *)conf;
    /* Pcap config is used only once but cost of this low. */
    if (SC_ATOMIC_SUB(pfp->ref, 1) == 1) {
        SCFree(pfp);
    }
}

static void *ParsePcapConfig(const char *iface)
{
    const char *threadsstr = NULL;
    ConfNode *if_root;
    ConfNode *if_default = NULL;
    ConfNode *pcap_node;
    PcapIfaceConfig *aconf = SCMalloc(sizeof(*aconf));
    const char *tmpbpf;
    const char *tmpctype;
    intmax_t value;
    int promisc = 0;
    intmax_t snaplen = 0;

    if (unlikely(aconf == NULL)) {
        return NULL;
    }

    if (iface == NULL) {
        SCFree(aconf);
        return NULL;
    }

    memset(aconf, 0x00, sizeof(*aconf));
    strlcpy(aconf->iface, iface, sizeof(aconf->iface));

    aconf->buffer_size = 0;
    /* If set command line option has precedence over config */
    if ((ConfGetInt("pcap.buffer-size", &value)) == 1) {
        if (value >= 0 && value <= INT_MAX) {
            SCLogInfo("Pcap will use %d buffer size", (int)value);
            aconf->buffer_size = value;
        } else {
            SCLogWarning("pcap.buffer-size "
                         "value of %" PRIiMAX " is invalid. Valid range is "
                         "0-2147483647",
                    value);
        }
    }

    aconf->checksum_mode = CHECKSUM_VALIDATION_AUTO;
    aconf->bpf_filter = NULL;
    if ((ConfGet("bpf-filter", &tmpbpf)) == 1) {
        aconf->bpf_filter = tmpbpf;
    }

    SC_ATOMIC_INIT(aconf->ref);
    aconf->DerefFunc = PcapDerefConfig;
    aconf->threads = 1;

    /* Find initial node */
    pcap_node = ConfGetNode("pcap");
    if (pcap_node == NULL) {
        SCLogInfo("Unable to find pcap config using default value");
        return aconf;
    }

    if_root = ConfFindDeviceConfig(pcap_node, iface);

    if_default = ConfFindDeviceConfig(pcap_node, "default");

    if (if_root == NULL && if_default == NULL) {
        SCLogInfo("Unable to find pcap config for "
                  "interface %s, using default value",
                  iface);
        return aconf;
    }

    /* If there is no setting for current interface use default one as main iface */
    if (if_root == NULL) {
        if_root = if_default;
        if_default = NULL;
    }

    if (ConfGetChildValueWithDefault(if_root, if_default, "threads", &threadsstr) != 1) {
        aconf->threads = 1;
    } else {
        if (threadsstr != NULL) {
            if (StringParseInt32(&aconf->threads, 10, 0, (const char *)threadsstr) < 0) {
                SCLogWarning("Invalid value for "
                             "pcap.threads: %s, resetting to 1",
                        threadsstr);
                aconf->threads = 1;
            }
        }
    }
    if (aconf->threads == 0) {
        aconf->threads = 1;
    }
    (void) SC_ATOMIC_ADD(aconf->ref, aconf->threads);

    if (aconf->buffer_size == 0) {
        const char *s_limit = NULL;
        int ret;
        ret = ConfGetChildValueWithDefault(if_root, if_default, "buffer-size", &s_limit);
        if (ret == 1 && s_limit) {
            uint64_t bsize = 0;

            if (ParseSizeStringU64(s_limit, &bsize) < 0) {
                SCLogError("Failed to parse pcap buffer size: %s", s_limit);
            } else {
                /* the string 2gb returns 2147483648 which is 1 to high
                 * for a int. */
                if (bsize == (uint64_t)((uint64_t)INT_MAX + (uint64_t)1))
                    bsize = (uint64_t)INT_MAX;

                if (bsize > INT_MAX) {
                    SCLogError("Failed to set pcap buffer size: 2gb max. %" PRIu64 " > %d", bsize,
                            INT_MAX);
                } else {
                    aconf->buffer_size = (int)bsize;
                }
            }
        }
    }

    if (aconf->bpf_filter == NULL) {
        /* set bpf filter if we have one */
        if (ConfGetChildValueWithDefault(if_root, if_default, "bpf-filter", &tmpbpf) != 1) {
            SCLogDebug("could not get bpf or none specified");
        } else {
            aconf->bpf_filter = tmpbpf;
        }
    } else {
        SCLogInfo("BPF filter set from command line or via old 'bpf-filter' option.");
    }

    if (ConfGetChildValueWithDefault(if_root, if_default, "checksum-checks", &tmpctype) == 1) {
        if (strcmp(tmpctype, "auto") == 0) {
            aconf->checksum_mode = CHECKSUM_VALIDATION_AUTO;
        } else if (ConfValIsTrue(tmpctype)) {
            aconf->checksum_mode = CHECKSUM_VALIDATION_ENABLE;
        } else if (ConfValIsFalse(tmpctype)) {
            aconf->checksum_mode = CHECKSUM_VALIDATION_DISABLE;
        } else {
            SCLogError("Invalid value for checksum-checks for %s", aconf->iface);
        }
    }

    aconf->promisc = LIBPCAP_PROMISC;
    if (ConfGetChildValueBoolWithDefault(if_root, if_default, "promisc", &promisc) != 1) {
        SCLogDebug("could not get promisc or none specified");
    } else {
        aconf->promisc = promisc;
    }

    aconf->snaplen = 0;
    if (ConfGetChildValueIntWithDefault(if_root, if_default, "snaplen", &snaplen) != 1) {
        SCLogDebug("could not get snaplen or none specified");
    } else {
        aconf->snaplen = snaplen;
    }

    return aconf;
}

static int PcapConfigGeThreadsCount(void *conf)
{
    PcapIfaceConfig *pfp = (PcapIfaceConfig *)conf;
    return pfp->threads;
}

/**
 * \brief Single thread version of the Pcap live processing.
 */
int RunModeIdsPcapSingle(void)
{
    int ret;
    const char *live_dev = NULL;

    SCEnter();

    TimeModeSetLive();

    (void)ConfGet("pcap.single-pcap-dev", &live_dev);

    ret = RunModeSetLiveCaptureSingle(ParsePcapConfig,
                                    PcapConfigGeThreadsCount,
                                    "ReceivePcap",
                                    "DecodePcap", thread_name_single,
                                    live_dev);
    if (ret != 0) {
        FatalError("Runmode start failed");
    }

    SCLogDebug("RunModeIdsPcapSingle initialised");

    SCReturnInt(0);
}

/**
 * \brief RunModIdsPcapAutoFp set up the following thread packet handlers:
 *        - Receive thread (from pcap device)
 *        - Decode thread
 *        - Stream thread
 *        - Detect: If we have only 1 cpu, it will setup one Detect thread
 *                  If we have more than one, it will setup num_cpus - 1
 *                  starting from the second cpu available.
 *        - Outputs thread
 *        By default the threads will use the first cpu available
 *        except the Detection threads if we have more than one cpu.
 *
 * \retval 0 If all goes well. (If any problem is detected the engine will
 *           exit()).
 */
int RunModeIdsPcapAutoFp(void)
{
    int ret;
    const char *live_dev = NULL;

    SCEnter();
    TimeModeSetLive();

    (void) ConfGet("pcap.single-pcap-dev", &live_dev);

    ret = RunModeSetLiveCaptureAutoFp(ParsePcapConfig, PcapConfigGeThreadsCount, "ReceivePcap",
            "DecodePcap", thread_name_autofp, live_dev);
    if (ret != 0) {
        FatalError("Runmode start failed");
    }

    SCLogDebug("RunModeIdsPcapAutoFp initialised");

    SCReturnInt(0);
}

/**
 * \brief Workers version of the PCAP LIVE processing.
 *
 * Start N threads with each thread doing all the work.
 *
 */
int RunModeIdsPcapWorkers(void)
{
    int ret;
    const char *live_dev = NULL;
    SCEnter();

    TimeModeSetLive();

    (void) ConfGet("pcap.single-pcap-dev", &live_dev);

    ret = RunModeSetLiveCaptureWorkers(ParsePcapConfig, PcapConfigGeThreadsCount, "ReceivePcap",
            "DecodePcap", thread_name_workers, live_dev);
    if (ret != 0) {
        FatalError("Unable to start runmode");
    }

    SCLogDebug("RunModeIdsPcapWorkers initialised");

    SCReturnInt(0);
}

Coverage Report

Created: 2025-12-31 06:43

Line	Count	Source
1		/* Copyright (C) 2007-2022 Open Information Security Foundation
2		*
3		* You can copy, redistribute or modify this Program under the terms of
4		* the GNU General Public License version 2 as published by the Free
5		* Software Foundation.
6		*
7		* This program is distributed in the hope that it will be useful,
8		* but WITHOUT ANY WARRANTY; without even the implied warranty of
9		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10		* GNU General Public License for more details.
11		*
12		* You should have received a copy of the GNU General Public License
13		* version 2 along with this program; if not, write to the Free Software
14		* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15		* 02110-1301, USA.
16		*/
17
18		#include "suricata-common.h"
19		#include "runmode-pcap.h"
20		#include "runmodes.h"
21		#include "output.h"
22
23		#include "util-conf.h"
24		#include "util-debug.h"
25		#include "util-time.h"
26		#include "util-cpu.h"
27		#include "util-device.h"
28		#include "util-runmodes.h"
29		#include "util-misc.h"
30		#include "util-byte.h"
31
32		const char *RunModeIdsGetDefaultMode(void)
33	0	{
34	0	return "autofp";
35	0	}
36
37		int RunModeIdsPcapWorkers(void);
38
39		void RunModeIdsPcapRegister(void)
40	37	{
41	37	RunModeRegisterNewRunMode(RUNMODE_PCAP_DEV, "single", "Single threaded pcap live mode",
42	37	RunModeIdsPcapSingle, NULL);
43	37	RunModeRegisterNewRunMode(RUNMODE_PCAP_DEV, "autofp",
44	37	"Multi-threaded pcap live mode. Packets from each flow are assigned to a consistent "
45	37	"detection thread",
46	37	RunModeIdsPcapAutoFp, NULL);
47	37	RunModeRegisterNewRunMode(RUNMODE_PCAP_DEV, "workers",
48	37	"Workers pcap live mode, each thread does all"
49	37	" tasks from acquisition to logging",
50	37	RunModeIdsPcapWorkers, NULL);
51
52	37	return;
53	37	}
54
55		static void PcapDerefConfig(void *conf)
56	0	{
57	0	PcapIfaceConfig pfp = (PcapIfaceConfig )conf;
58		/* Pcap config is used only once but cost of this low. */
59	0	if (SC_ATOMIC_SUB(pfp->ref, 1) == 1) {
60	0	SCFree(pfp);
61	0	}
62	0	}
63
64		static void ParsePcapConfig(const char iface)
65	0	{
66	0	const char *threadsstr = NULL;
67	0	ConfNode *if_root;
68	0	ConfNode *if_default = NULL;
69	0	ConfNode *pcap_node;
70	0	PcapIfaceConfig aconf = SCMalloc(sizeof(aconf));
71	0	const char *tmpbpf;
72	0	const char *tmpctype;
73	0	intmax_t value;
74	0	int promisc = 0;
75	0	intmax_t snaplen = 0;
76
77	0	if (unlikely(aconf == NULL)) {
78	0	return NULL;
79	0	}
80
81	0	if (iface == NULL) {
82	0	SCFree(aconf);
83	0	return NULL;
84	0	}
85
86	0	memset(aconf, 0x00, sizeof(*aconf));
87	0	strlcpy(aconf->iface, iface, sizeof(aconf->iface));
88
89	0	aconf->buffer_size = 0;
90		/* If set command line option has precedence over config */
91	0	if ((ConfGetInt("pcap.buffer-size", &value)) == 1) {
92	0	if (value >= 0 && value <= INT_MAX) {
93	0	SCLogInfo("Pcap will use %d buffer size", (int)value);
94	0	aconf->buffer_size = value;
95	0	} else {
96	0	SCLogWarning("pcap.buffer-size "
97	0	"value of %" PRIiMAX " is invalid. Valid range is "
98	0	"0-2147483647",
99	0	value);
100	0	}
101	0	}
102
103	0	aconf->checksum_mode = CHECKSUM_VALIDATION_AUTO;
104	0	aconf->bpf_filter = NULL;
105	0	if ((ConfGet("bpf-filter", &tmpbpf)) == 1) {
106	0	aconf->bpf_filter = tmpbpf;
107	0	}
108
109	0	SC_ATOMIC_INIT(aconf->ref);
110	0	aconf->DerefFunc = PcapDerefConfig;
111	0	aconf->threads = 1;
112
113		/* Find initial node */
114	0	pcap_node = ConfGetNode("pcap");
115	0	if (pcap_node == NULL) {
116	0	SCLogInfo("Unable to find pcap config using default value");
117	0	return aconf;
118	0	}
119
120	0	if_root = ConfFindDeviceConfig(pcap_node, iface);
121
122	0	if_default = ConfFindDeviceConfig(pcap_node, "default");
123
124	0	if (if_root == NULL && if_default == NULL) {
125	0	SCLogInfo("Unable to find pcap config for "
126	0	"interface %s, using default value",
127	0	iface);
128	0	return aconf;
129	0	}
130
131		/* If there is no setting for current interface use default one as main iface */
132	0	if (if_root == NULL) {
133	0	if_root = if_default;
134	0	if_default = NULL;
135	0	}
136
137	0	if (ConfGetChildValueWithDefault(if_root, if_default, "threads", &threadsstr) != 1) {
138	0	aconf->threads = 1;
139	0	} else {
140	0	if (threadsstr != NULL) {
141	0	if (StringParseInt32(&aconf->threads, 10, 0, (const char *)threadsstr) < 0) {
142	0	SCLogWarning("Invalid value for "
143	0	"pcap.threads: %s, resetting to 1",
144	0	threadsstr);
145	0	aconf->threads = 1;
146	0	}
147	0	}
148	0	}
149	0	if (aconf->threads == 0) {
150	0	aconf->threads = 1;
151	0	}
152	0	(void) SC_ATOMIC_ADD(aconf->ref, aconf->threads);
153
154	0	if (aconf->buffer_size == 0) {
155	0	const char *s_limit = NULL;
156	0	int ret;
157	0	ret = ConfGetChildValueWithDefault(if_root, if_default, "buffer-size", &s_limit);
158	0	if (ret == 1 && s_limit) {
159	0	uint64_t bsize = 0;
160
161	0	if (ParseSizeStringU64(s_limit, &bsize) < 0) {
162	0	SCLogError("Failed to parse pcap buffer size: %s", s_limit);
163	0	} else {
164		/* the string 2gb returns 2147483648 which is 1 to high
165		* for a int. */
166	0	if (bsize == (uint64_t)((uint64_t)INT_MAX + (uint64_t)1))
167	0	bsize = (uint64_t)INT_MAX;
168
169	0	if (bsize > INT_MAX) {
170	0	SCLogError("Failed to set pcap buffer size: 2gb max. %" PRIu64 " > %d", bsize,
171	0	INT_MAX);
172	0	} else {
173	0	aconf->buffer_size = (int)bsize;
174	0	}
175	0	}
176	0	}
177	0	}
178
179	0	if (aconf->bpf_filter == NULL) {
180		/* set bpf filter if we have one */
181	0	if (ConfGetChildValueWithDefault(if_root, if_default, "bpf-filter", &tmpbpf) != 1) {
182	0	SCLogDebug("could not get bpf or none specified");
183	0	} else {
184	0	aconf->bpf_filter = tmpbpf;
185	0	}
186	0	} else {
187	0	SCLogInfo("BPF filter set from command line or via old 'bpf-filter' option.");
188	0	}
189
190	0	if (ConfGetChildValueWithDefault(if_root, if_default, "checksum-checks", &tmpctype) == 1) {
191	0	if (strcmp(tmpctype, "auto") == 0) {
192	0	aconf->checksum_mode = CHECKSUM_VALIDATION_AUTO;
193	0	} else if (ConfValIsTrue(tmpctype)) {
194	0	aconf->checksum_mode = CHECKSUM_VALIDATION_ENABLE;
195	0	} else if (ConfValIsFalse(tmpctype)) {
196	0	aconf->checksum_mode = CHECKSUM_VALIDATION_DISABLE;
197	0	} else {
198	0	SCLogError("Invalid value for checksum-checks for %s", aconf->iface);
199	0	}
200	0	}
201
202	0	aconf->promisc = LIBPCAP_PROMISC;
203	0	if (ConfGetChildValueBoolWithDefault(if_root, if_default, "promisc", &promisc) != 1) {
204	0	SCLogDebug("could not get promisc or none specified");
205	0	} else {
206	0	aconf->promisc = promisc;
207	0	}
208
209	0	aconf->snaplen = 0;
210	0	if (ConfGetChildValueIntWithDefault(if_root, if_default, "snaplen", &snaplen) != 1) {
211	0	SCLogDebug("could not get snaplen or none specified");
212	0	} else {
213	0	aconf->snaplen = snaplen;
214	0	}
215
216	0	return aconf;
217	0	}
218
219		static int PcapConfigGeThreadsCount(void *conf)
220	0	{
221	0	PcapIfaceConfig pfp = (PcapIfaceConfig )conf;
222	0	return pfp->threads;
223	0	}
224
225		/**
226		* \brief Single thread version of the Pcap live processing.
227		*/
228		int RunModeIdsPcapSingle(void)
229	0	{
230	0	int ret;
231	0	const char *live_dev = NULL;
232
233	0	SCEnter();
234
235	0	TimeModeSetLive();
236
237	0	(void)ConfGet("pcap.single-pcap-dev", &live_dev);
238
239	0	ret = RunModeSetLiveCaptureSingle(ParsePcapConfig,
240	0	PcapConfigGeThreadsCount,
241	0	"ReceivePcap",
242	0	"DecodePcap", thread_name_single,
243	0	live_dev);
244	0	if (ret != 0) {
245	0	FatalError("Runmode start failed");
246	0	}
247
248	0	SCLogDebug("RunModeIdsPcapSingle initialised");
249
250	0	SCReturnInt(0);
251	0	}
252
253		/**
254		* \brief RunModIdsPcapAutoFp set up the following thread packet handlers:
255		* - Receive thread (from pcap device)
256		* - Decode thread
257		* - Stream thread
258		* - Detect: If we have only 1 cpu, it will setup one Detect thread
259		* If we have more than one, it will setup num_cpus - 1
260		* starting from the second cpu available.
261		* - Outputs thread
262		* By default the threads will use the first cpu available
263		* except the Detection threads if we have more than one cpu.
264		*
265		* \retval 0 If all goes well. (If any problem is detected the engine will
266		* exit()).
267		*/
268		int RunModeIdsPcapAutoFp(void)
269	0	{
270	0	int ret;
271	0	const char *live_dev = NULL;
272
273	0	SCEnter();
274	0	TimeModeSetLive();
275
276	0	(void) ConfGet("pcap.single-pcap-dev", &live_dev);
277
278	0	ret = RunModeSetLiveCaptureAutoFp(ParsePcapConfig, PcapConfigGeThreadsCount, "ReceivePcap",
279	0	"DecodePcap", thread_name_autofp, live_dev);
280	0	if (ret != 0) {
281	0	FatalError("Runmode start failed");
282	0	}
283
284	0	SCLogDebug("RunModeIdsPcapAutoFp initialised");
285
286	0	SCReturnInt(0);
287	0	}
288
289		/**
290		* \brief Workers version of the PCAP LIVE processing.
291		*
292		* Start N threads with each thread doing all the work.
293		*
294		*/
295		int RunModeIdsPcapWorkers(void)
296	0	{
297	0	int ret;
298	0	const char *live_dev = NULL;
299	0	SCEnter();
300
301	0	TimeModeSetLive();
302
303	0	(void) ConfGet("pcap.single-pcap-dev", &live_dev);
304
305	0	ret = RunModeSetLiveCaptureWorkers(ParsePcapConfig, PcapConfigGeThreadsCount, "ReceivePcap",
306	0	"DecodePcap", thread_name_workers, live_dev);
307	0	if (ret != 0) {
308	0	FatalError("Unable to start runmode");
309	0	}
310
311	0	SCLogDebug("RunModeIdsPcapWorkers initialised");
312
313	0	SCReturnInt(0);
314	0	}