diff --git a/CHANGES b/CHANGES index 493022a847..ddd4cd0f1d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,8 +1,39 @@ +2.4-115 | 2015-08-30 21:57:35 -0700 + + * Enable Bro to leverage packet fanout mode on Linux. (Kris + Nielander). + + ## Toggle whether to do packet fanout (Linux-only). + const Pcap::packet_fanout_enable = F &redef; + + ## If packet fanout is enabled, the id to sue for it. This should be shared amongst + ## worker processes processing the same socket. + const Pcap::packet_fanout_id = 0 &redef; + + ## If packet fanout is enabled, whether packets are to be defragmented before + ## fanout is applied. + const Pcap::packet_fanout_defrag = T &redef; + + * Allow libpcap buffer size to be set via configuration. (Kris Nielander) + + ## Number of Mbytes to provide as buffer space when capturing from live + ## interfaces. + const Pcap::bufsize = 128 &redef; + + * Move the pcap-related script-level identifiers into the new Pcap + namespace. (Robin Sommer) + + snaplen -> Pcap::snaplen + precompile_pcap_filter() -> Pcap::precompile_pcap_filter() + install_pcap_filter() -> Pcap::install_pcap_filter() + pcap_error() -> Pcap::pcap_error() + + 2.4-108 | 2015-08-30 20:14:31 -0700 * Update Base64 decoding. (Jan Grashoefer) - + - A new built-in function, decode_base64_conn() for Base64 decoding. It works like decode_base64() but receives an additional connection argument that will be used for @@ -20,7 +51,7 @@ * Fix potential crash if TCP header was captured incompletely. (Robin Sommer) - + 2.4-103 | 2015-08-29 10:51:55 -0700 * Make ASN.1 date/time parsing more robust. (Johanna Amann) diff --git a/CMakeLists.txt b/CMakeLists.txt index 2a3251d111..bf55696eb6 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -155,6 +155,7 @@ include(TestBigEndian) test_big_endian(WORDS_BIGENDIAN) include(CheckSymbolExists) check_symbol_exists(htonll arpa/inet.h HAVE_BYTEORDER_64) +check_symbol_exists(PACKET_FANOUT linux/if_packet.h HAVE_PACKET_FANOUT) include(OSSpecific) include(CheckTypes) 
diff --git a/NEWS b/NEWS index 7822b15455..e3c97f68f0 100644 --- a/NEWS +++ b/NEWS @@ -18,6 +18,13 @@ New Dependencies - Bro now requires Python instead of Perl to compile the source code. +- The pcap buffer size can set through the new option Pcap::bufsize. + +- Bro can now leverage packet fanout mode on Linux through the new + options Pcap::packet_fanout_enable, Pcap::packet_fanout_id, and + Pcap::packet_fanout_defrag. + + New Functionality ----------------- @@ -38,6 +45,17 @@ New Functionality - pf_ring: Native PF_RING support. - redis: An experimental log writer for Redis. +Changed Functionality +--------------------- + +- Some script-level identifier have changed their names: + + snaplen -> Pcap::snaplen + precompile_pcap_filter() -> Pcap::precompile_pcap_filter() + install_pcap_filter() -> Pcap::install_pcap_filter() + pcap_error() -> Pcap::pcap_error() + + Deprecated Functionality ------------------------ diff --git a/VERSION b/VERSION index f11a86a9b2..8a586d4dd2 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4-108 +2.4-115 diff --git a/bro-config.h.in b/bro-config.h.in index 755a9eee98..fd24a1fe30 100644 --- a/bro-config.h.in +++ b/bro-config.h.in @@ -213,6 +213,9 @@ /* Common IPv6 extension structure */ #cmakedefine HAVE_IP6_EXT +/* Linux packet fanout */ +#cmakedefine HAVE_PACKET_FANOUT + /* String with host architecture (e.g., "linux-x86_64") */ #define HOST_ARCHITECTURE "@HOST_ARCHITECTURE@" diff --git a/scripts/base/frameworks/packet-filter/main.bro b/scripts/base/frameworks/packet-filter/main.bro index b0a6f144e3..8a9cb4eb98 100644 --- a/scripts/base/frameworks/packet-filter/main.bro +++ b/scripts/base/frameworks/packet-filter/main.bro @@ -138,7 +138,7 @@ redef enum PcapFilterID += { function test_filter(filter: string): bool { - if ( ! precompile_pcap_filter(FilterTester, filter) ) + if ( ! Pcap::precompile_pcap_filter(FilterTester, filter) ) { # The given filter was invalid # TODO: generate a notice. 
@@ -273,7 +273,7 @@ function install(): bool return F; local ts = current_time(); - if ( ! precompile_pcap_filter(DefaultPcapFilter, tmp_filter) ) + if ( ! Pcap::precompile_pcap_filter(DefaultPcapFilter, tmp_filter) ) { NOTICE([$note=Compile_Failure, $msg=fmt("Compiling packet filter failed"), @@ -303,7 +303,7 @@ function install(): bool } info$filter = current_filter; - if ( ! install_pcap_filter(DefaultPcapFilter) ) + if ( ! Pcap::install_pcap_filter(DefaultPcapFilter) ) { # Installing the filter failed for some reason. info$success = F; diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 40f518b682..8b133f568c 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -3682,7 +3682,6 @@ export { ## (includes GRE tunnels). const ip_tunnel_timeout = 24hrs &redef; } # end export -module GLOBAL; module Reporter; export { @@ -3701,10 +3700,29 @@ export { ## external harness and shouldn't output anything to the console. const errors_to_stderr = T &redef; } -module GLOBAL; -## Number of bytes per packet to capture from live interfaces. -const snaplen = 8192 &redef; +module Pcap; +export { + ## Number of bytes per packet to capture from live interfaces. + const snaplen = 8192 &redef; + + ## Number of Mbytes to provide as buffer space when capturing from live + ## interfaces. + const bufsize = 128 &redef; + + ## Toggle whether to do packet fanout (Linux-only). + const packet_fanout_enable = F &redef; + + ## If packet fanout is enabled, the id to sue for it. This should be shared amongst + ## worker processes processing the same socket. + const packet_fanout_id = 0 &redef; + + ## If packet fanout is enabled, whether packets are to be defragmented before + ## fanout is applied. + const packet_fanout_defrag = T &redef; +} # end export + +module GLOBAL; ## Seed for hashes computed internally for probabilistic data structures. Using ## the same value here will make the hashes compatible between independent Bro 
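Review bot: The doc comment on `packet_fanout_id` in the new `Pcap` export block of init-bare.bro has a typo ("the id to sue for it") and omits a constraint an operator needs. Source.cc in this commit masks the value with `& 0xffff`, so ids above 65535 silently alias lower ones. The comment could read `## If packet fanout is enabled, the id to use for it (only the low 16 bits are used). This should be shared amongst worker processes processing the same socket.` The `bufsize` comment could also note that the Mbyte value is multiplied out and handed to libpcap as a byte count, so there is a practical upper bound.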
diff --git a/src/Net.h b/src/Net.h index d19bd9083c..370f08a3ca 100644 --- a/src/Net.h +++ b/src/Net.h @@ -70,9 +70,6 @@ extern bool terminating; // True if the remote serializer is to be activated. extern bool using_communication; -// Snaplen passed to libpcap. -extern int snaplen; - extern const Packet* current_pkt; extern int current_dispatched; extern double current_timestamp; diff --git a/src/iosource/CMakeLists.txt b/src/iosource/CMakeLists.txt index b1de9bddaf..27c42e9a40 100644 --- a/src/iosource/CMakeLists.txt +++ b/src/iosource/CMakeLists.txt @@ -17,8 +17,6 @@ set(iosource_SRCS PktSrc.cc ) -bif_target(pcap.bif) - bro_add_subdir_library(iosource ${iosource_SRCS}) add_dependencies(bro_iosource generate_outputs) diff --git a/src/iosource/PktSrc.cc b/src/iosource/PktSrc.cc index f44aae77c5..e4cbfe31e9 100644 --- a/src/iosource/PktSrc.cc +++ b/src/iosource/PktSrc.cc @@ -11,6 +11,8 @@ #include "Net.h" #include "Sessions.h" +#include "pcap/const.bif.h" + using namespace iosource; PktSrc::Properties::Properties() @@ -66,11 +68,6 @@ bool PktSrc::IsError() const return ErrorMsg(); } -int PktSrc::SnapLen() const - { - return snaplen; // That's a global. Change? - } - bool PktSrc::IsLive() const { return props.is_live; @@ -112,7 +109,7 @@ void PktSrc::Opened(const Properties& arg_props) } if ( props.is_live ) - Info(fmt("listening on %s, capture length %d bytes\n", props.path.c_str(), SnapLen())); + Info(fmt("listening on %s\n", props.path.c_str())); DBG_LOG(DBG_PKTIO, "Opened source %s", props.path.c_str()); } @@ -325,7 +322,7 @@ bool PktSrc::PrecompileBPFFilter(int index, const std::string& filter) // Compile filter. BPF_Program* code = new BPF_Program(); - if ( ! code->Compile(SnapLen(), LinkType(), filter.c_str(), Netmask(), errbuf, sizeof(errbuf)) ) + if ( ! code->Compile(BifConst::Pcap::snaplen, LinkType(), filter.c_str(), Netmask(), errbuf, sizeof(errbuf)) ) { string msg = fmt("cannot compile BPF filter \"%s\"", filter.c_str()); 
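Review bot: The `Info()` call in `PktSrc::Opened()` no longer reports the capture length, so the startup message gives an operator no way to confirm which `Pcap::snaplen` is in effect when chasing truncated packets. The value is still reachable through the constant this file now includes, e.g. `Info(fmt("listening on %s, capture length %d bytes\n", props.path.c_str(), int(BifConst::Pcap::snaplen)));`. The new `#include "pcap/const.bif.h"` also makes the generic packet-source code depend on the pcap plugin's constants, and a short comment at the include saying why would help the next reader. Opened() and PrecompileBPFFilter() both start outside their hunks.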
diff --git a/src/iosource/PktSrc.h b/src/iosource/PktSrc.h index bf4c811dca..7d05a5583f 100644 --- a/src/iosource/PktSrc.h +++ b/src/iosource/PktSrc.h @@ -95,11 +95,6 @@ public: */ int HdrSize() const; - /** - * Returns the snap length for this source. - */ - int SnapLen() const; - /** * In pseudo-realtime mode, returns the logical timestamp of the * current packet. Undefined if not running pseudo-realtime mode. diff --git a/src/iosource/pcap/CMakeLists.txt b/src/iosource/pcap/CMakeLists.txt index 1c57bb6ac9..cf9f577760 100644 --- a/src/iosource/pcap/CMakeLists.txt +++ b/src/iosource/pcap/CMakeLists.txt @@ -5,4 +5,6 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(Bro Pcap) bro_plugin_cc(Source.cc Dumper.cc Plugin.cc) +bif_target(functions.bif) +bif_target(const.bif) bro_plugin_end() diff --git a/src/iosource/pcap/Dumper.cc b/src/iosource/pcap/Dumper.cc index 5bea6231f7..20e36420c6 100644 --- a/src/iosource/pcap/Dumper.cc +++ b/src/iosource/pcap/Dumper.cc @@ -7,6 +7,8 @@ #include "../PktSrc.h" #include "../../Net.h" +#include "const.bif.h" + using namespace iosource::pcap; PcapDumper::PcapDumper(const std::string& path, bool arg_append) @@ -25,7 +27,8 @@ void PcapDumper::Open() { int linktype = -1; - pd = pcap_open_dead(DLT_EN10MB, snaplen); + pd = pcap_open_dead(DLT_EN10MB, BifConst::Pcap::snaplen); + if ( ! pd ) { Error("error for pcap_open_dead"); diff --git a/src/iosource/pcap/Source.cc b/src/iosource/pcap/Source.cc index 2af21bf9b4..98be670e7a 100644 --- a/src/iosource/pcap/Source.cc +++ b/src/iosource/pcap/Source.cc @@ -7,10 +7,16 @@ #include "Source.h" #include "iosource/Packet.h" +#include "const.bif.h" + #ifdef HAVE_PCAP_INT_H #include #endif +#ifdef HAVE_PACKET_FANOUT +#include +#endif + using namespace iosource::pcap; PcapSource::~PcapSource() 
@@ -84,32 +90,64 @@ void PcapSource::OpenLive() props.netmask = PktSrc::NETMASK_UNKNOWN; #endif - // We use the smallest time-out possible to return almost immediately if - // no packets are available. (We can't use set_nonblocking() as it's - // broken on FreeBSD: even when select() indicates that we can read - // something, we may get nothing if the store buffer hasn't filled up - // yet.) - pd = pcap_open_live(props.path.c_str(), SnapLen(), 1, 1, tmp_errbuf); + pd = pcap_create(props.path.c_str(), errbuf); if ( ! pd ) { - Error(tmp_errbuf); + PcapError("pcap_create"); return; } - // ### This needs autoconf'ing. -#ifdef HAVE_PCAP_INT_H - Info(fmt("pcap bufsize = %d\n", ((struct pcap *) pd)->bufsize)); -#endif + if ( pcap_set_snaplen(pd, BifConst::Pcap::snaplen) ) + { + PcapError("pcap_set_snaplen"); + return; + } + + if ( pcap_set_promisc(pd, 1) ) + { + PcapError("pcap_set_promisc"); + return; + } + + // We use the smallest time-out possible to return almost immediately + // if no packets are available. (We can't use set_nonblocking() as + // it's broken on FreeBSD: even when select() indicates that we can + // read something, we may get nothing if the store buffer hasn't + // filled up yet.) + // + // TODO: The comment about FreeBSD is pretty old and may not apply + // anymore these days. + if ( pcap_set_timeout(pd, 1) ) + { + PcapError("pcap_set_timeout"); + return; + } + + if ( pcap_set_buffer_size(pd, BifConst::Pcap::bufsize * 1024 * 1024) ) + { + PcapError("pcap_set_buffer_size"); + return; + } + + if ( pcap_activate(pd) ) + { + PcapError("pcap_activate"); + return; + } #ifdef HAVE_LINUX if ( pcap_setnonblock(pd, 1, tmp_errbuf) < 0 ) { - PcapError(); + PcapError("pcap_setnonblock"); return; } #endif +#ifdef HAVE_PCAP_INT_H + Info(fmt("pcap bufsize = %d\n", ((struct pcap *) pd)->bufsize)); +#endif + props.selectable_fd = pcap_fileno(pd); SetHdrSize(); 
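Review bot: `if ( pcap_activate(pd) )` treats libpcap's positive warning returns (for example promiscuous mode not supported) as fatal and closes the source, because pcap_activate() returns 0 on clean success, a positive value on success with a warning, and a negative value only on failure; the check should be `if ( pcap_activate(pd) < 0 )`, with the warning case logged rather than aborting capture. When `pcap_create()` fails `pd` is null, so `PcapError("pcap_create")` can only print "not open" and whatever libpcap wrote into `errbuf` is dropped, whereas the old code reported `tmp_errbuf`; `Error(errbuf)` on that path would keep the reason visible. `BifConst::Pcap::bufsize * 1024 * 1024` is passed to an `int` parameter with no range check, so a large redef'd value would presumably wrap or truncate; rejecting values above `INT_MAX / (1024 * 1024)` before the call avoids that. OpenLive()'s body starts and ends outside this hunk.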
@@ -118,6 +156,24 @@ void PcapSource::OpenLive() // Was closed, couldn't get header size. return; +#ifdef HAVE_PACKET_FANOUT + // Turn on cluster mode for the device. + if ( BifConst::Pcap::packet_fanout_enable ) + { + uint32_t packet_fanout_arg = (PACKET_FANOUT_HASH << 16) + | (BifConst::Pcap::packet_fanout_id & 0xffff); + + if ( BifConst::Pcap::packet_fanout_defrag ) + packet_fanout_arg |= (PACKET_FANOUT_FLAG_DEFRAG << 16); + + if ( setsockopt(props.selectable_fd, SOL_PACKET, PACKET_FANOUT, &packet_fanout_arg, sizeof(packet_fanout_arg)) == -1 ) + { + Error(fmt("packet fanout: %s", strerror(errno))); + return; + } + } +#endif + props.is_live = true; Opened(props); @@ -257,12 +313,17 @@ void PcapSource::Statistics(Stats* s) s->dropped = 0; } -void PcapSource::PcapError() +void PcapSource::PcapError(const char* where) { + string location; + + if ( where ) + location = fmt(" (%s)", where); + if ( pd ) - Error(fmt("pcap_error: %s", pcap_geterr(pd))); + Error(fmt("pcap_error: %s%s", pcap_geterr(pd), location.c_str())); else - Error("pcap_error: not open"); + Error(fmt("pcap_error: not open%s", location.c_str())); Close(); } diff --git a/src/iosource/pcap/Source.h b/src/iosource/pcap/Source.h index f627e30afa..f3c193d855 100644 --- a/src/iosource/pcap/Source.h +++ b/src/iosource/pcap/Source.h @@ -28,7 +28,7 @@ protected: private: void OpenLive(); void OpenOffline(); - void PcapError(); + void PcapError(const char* where = 0); void SetHdrSize(); Properties props; diff --git a/src/iosource/pcap/const.bif b/src/iosource/pcap/const.bif new file mode 100644 index 0000000000..8b6d0b9017 --- /dev/null +++ b/src/iosource/pcap/const.bif @@ -0,0 +1,9 @@ + + +const Pcap::snaplen: count; +const Pcap::bufsize: count; + +const Pcap::packet_fanout_enable: bool; +const Pcap::packet_fanout_id: count; +const Pcap::packet_fanout_defrag: bool; + 
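Review bot: In the `#ifdef HAVE_PACKET_FANOUT` block added to OpenLive(), a build without that symbol silently ignores `Pcap::packet_fanout_enable = T`, so several workers on one interface would each see every packet with no indication that fanout is off; an `#else` branch that reports it when the option is set would make this visible. `BifConst::Pcap::packet_fanout_id & 0xffff` also drops the high bits without complaint, so two distinct configured ids can land in the same fanout group; a check such as `if ( BifConst::Pcap::packet_fanout_id > 0xffff )` with an error would catch the misconfiguration. The setsockopt() failure path calls `Error(...)` and returns, while the earlier failures go through PcapError(), which ends in `Close()`; as far as this diff shows the handle stays open here, so calling `Close()` before the return would keep the paths consistent. OpenLive() continues outside the hunk.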
diff --git a/src/iosource/pcap.bif b/src/iosource/pcap/functions.bif similarity index 98% rename from src/iosource/pcap.bif rename to src/iosource/pcap/functions.bif index ee4e1e6c06..e36c374a3c 100644 --- a/src/iosource/pcap.bif +++ b/src/iosource/pcap/functions.bif @@ -1,4 +1,6 @@ +module Pcap; + ## Precompiles a PCAP filter and binds it to a given identifier. ## ## id: The PCAP identifier to reference the filter *s* later on. @@ -86,7 +88,7 @@ function install_pcap_filter%(id: PcapFilterID%): bool ## install_dst_net_filter ## uninstall_dst_addr_filter ## uninstall_dst_net_filter -function pcap_error%(%): string +function error%(%): string %{ const iosource::Manager::PktSrcList& pkt_srcs(iosource_mgr->GetPktSrcs()); diff --git a/src/main.cc b/src/main.cc index 64acb408ea..67b53f222e 100644 --- a/src/main.cc +++ b/src/main.cc @@ -121,7 +121,6 @@ char* command_line_policy = 0; vector params; set requested_plugins; char* proc_status_file = 0; -int snaplen = 0; // this gets set from the scripting-layer's value OpaqueType* md5_type = 0; OpaqueType* sha1_type = 0; @@ -989,8 +988,6 @@ int main(int argc, char** argv) } } - snaplen = internal_val("snaplen")->AsCount(); - if ( dns_type != DNS_PRIME ) net_init(interfaces, read_files, writefile, do_watchdog); diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 6d9df86baa..4d1f2037a4 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2015-04-21-22-29-19 +#open 2015-08-31-04-50-43 #fields name #types string scripts/base/init-bare.bro 
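Review bot: The rename at `function error%(%): string` in functions.bif makes the script-level name `Pcap::error()`, which is what the updated btests call, but the CHANGES and NEWS entries in this same commit document it as `pcap_error() -> Pcap::pcap_error()`. Scripts migrated by following NEWS would reference an identifier that, as far as this diff shows, does not exist. Either the entries should read `pcap_error() -> Pcap::error()` or the function should keep the name `pcap_error` inside the module. The doc comment above the function lies mostly outside the hunk, so any cross-references to the old names there could not be checked.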
@@ -46,7 +46,7 @@ scripts/base/init-bare.bro scripts/base/frameworks/files/magic/__load__.bro build/scripts/base/bif/__load__.bro build/scripts/base/bif/broxygen.bif.bro - build/scripts/base/bif/pcap.bif.bro + build/scripts/base/bif/functions.bif.bro build/scripts/base/bif/bloom-filter.bif.bro build/scripts/base/bif/cardinality-counter.bif.bro build/scripts/base/bif/top-k.bif.bro @@ -128,4 +128,4 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro scripts/policy/misc/loaded-scripts.bro scripts/base/utils/paths.bro -#close 2015-04-21-22-29-19 +#close 2015-08-31-04-50-43 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 5e2f3b9f4f..6a240c88ad 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2015-04-21-22-29-27 +#open 2015-08-31-05-07-15 #fields name #types string scripts/base/init-bare.bro @@ -46,7 +46,7 @@ scripts/base/init-bare.bro scripts/base/frameworks/files/magic/__load__.bro build/scripts/base/bif/__load__.bro build/scripts/base/bif/broxygen.bif.bro - build/scripts/base/bif/pcap.bif.bro + build/scripts/base/bif/functions.bif.bro build/scripts/base/bif/bloom-filter.bif.bro build/scripts/base/bif/cardinality-counter.bif.bro build/scripts/base/bif/top-k.bif.bro @@ -273,4 +273,4 @@ scripts/base/init-default.bro scripts/base/misc/find-checksum-offloading.bro scripts/base/misc/find-filtered-trace.bro scripts/policy/misc/loaded-scripts.bro -#close 2015-04-21-22-29-27 +#close 2015-08-31-05-07-15 diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index feb78d8c56..94e0db8667 100644 
--- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -220,7 +220,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1439244305.210087, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1440997649.720991, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) -> 
@@ -326,11 +326,13 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1439244305.210087, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1440997649.720991, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::build, , ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::combine_filters, , (ip or not ip, and, )) -> 0.000000 MetaHookPost CallFunction(PacketFilter::install, , ()) -> +0.000000 MetaHookPost CallFunction(Pcap::install_pcap_filter, , (PacketFilter::DefaultPcapFilter)) -> +0.000000 MetaHookPost CallFunction(Pcap::precompile_pcap_filter, , (PacketFilter::DefaultPcapFilter, ip or not ip)) -> 0.000000 MetaHookPost CallFunction(SumStats::add_observe_plugin_dependency, , (SumStats::STD_DEV, SumStats::VARIANCE)) -> 0.000000 MetaHookPost CallFunction(SumStats::add_observe_plugin_dependency, , (SumStats::VARIANCE, SumStats::AVERAGE)) -> 0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, , (SumStats::AVERAGE, anonymous-function{ if (!SumStats::rv?$average) SumStats::rv$average = SumStats::valelseSumStats::rv$average += (SumStats::val - SumStats::rv$average) / (coerce SumStats::rv$num to double)})) -> 
@@ -351,9 +353,7 @@ 0.000000 MetaHookPost CallFunction(current_time, , ()) -> 0.000000 MetaHookPost CallFunction(filter_change_tracking, , ()) -> 0.000000 MetaHookPost CallFunction(getenv, , (CLUSTER_NODE)) -> -0.000000 MetaHookPost CallFunction(install_pcap_filter, , (PacketFilter::DefaultPcapFilter)) -> 0.000000 MetaHookPost CallFunction(network_time, , ()) -> -0.000000 MetaHookPost CallFunction(precompile_pcap_filter, , (PacketFilter::DefaultPcapFilter, ip or not ip)) -> 0.000000 MetaHookPost CallFunction(reading_live_traffic, , ()) -> 0.000000 MetaHookPost CallFunction(reading_traces, , ()) -> 0.000000 MetaHookPost CallFunction(set_to_regex, , ({}, (^\.?|\.)(~~)$)) -> @@ -453,6 +453,7 @@ 0.000000 MetaHookPost LoadFile(./exec) -> -1 0.000000 MetaHookPost LoadFile(./file_analysis.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./files) -> -1 +0.000000 MetaHookPost LoadFile(./functions.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./gridftp) -> -1 0.000000 MetaHookPost LoadFile(./hll_unique) -> -1 0.000000 MetaHookPost LoadFile(./hooks.bif.bro) -> -1 @@ -473,7 +474,6 @@ 0.000000 MetaHookPost LoadFile(./netstats) -> -1 0.000000 MetaHookPost LoadFile(./non-cluster) -> -1 0.000000 MetaHookPost LoadFile(./patterns) -> -1 -0.000000 MetaHookPost LoadFile(./pcap.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./plugins) -> -1 0.000000 MetaHookPost LoadFile(./polling) -> -1 0.000000 MetaHookPost LoadFile(./postprocessors) -> -1 
@@ -812,7 +812,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1439244305.210087, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1440997649.720991, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG)) 
@@ -918,11 +918,13 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1439244305.210087, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1440997649.720991, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 0.000000 MetaHookPre CallFunction(PacketFilter::build, , ()) 0.000000 MetaHookPre CallFunction(PacketFilter::combine_filters, , (ip or not ip, and, )) 0.000000 MetaHookPre CallFunction(PacketFilter::install, , ()) +0.000000 MetaHookPre CallFunction(Pcap::install_pcap_filter, , (PacketFilter::DefaultPcapFilter)) +0.000000 MetaHookPre CallFunction(Pcap::precompile_pcap_filter, , (PacketFilter::DefaultPcapFilter, ip or not ip)) 0.000000 MetaHookPre CallFunction(SumStats::add_observe_plugin_dependency, , (SumStats::STD_DEV, SumStats::VARIANCE)) 0.000000 MetaHookPre CallFunction(SumStats::add_observe_plugin_dependency, , (SumStats::VARIANCE, SumStats::AVERAGE)) 0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, , (SumStats::AVERAGE, anonymous-function{ if (!SumStats::rv?$average) SumStats::rv$average = SumStats::valelseSumStats::rv$average += (SumStats::val - SumStats::rv$average) / (coerce SumStats::rv$num to double)})) 
@@ -943,9 +945,7 @@ 0.000000 MetaHookPre CallFunction(current_time, , ()) 0.000000 MetaHookPre CallFunction(filter_change_tracking, , ()) 0.000000 MetaHookPre CallFunction(getenv, , (CLUSTER_NODE)) -0.000000 MetaHookPre CallFunction(install_pcap_filter, , (PacketFilter::DefaultPcapFilter)) 0.000000 MetaHookPre CallFunction(network_time, , ()) -0.000000 MetaHookPre CallFunction(precompile_pcap_filter, , (PacketFilter::DefaultPcapFilter, ip or not ip)) 0.000000 MetaHookPre CallFunction(reading_live_traffic, , ()) 0.000000 MetaHookPre CallFunction(reading_traces, , ()) 0.000000 MetaHookPre CallFunction(set_to_regex, , ({}, (^\.?|\.)(~~)$)) @@ -1045,6 +1045,7 @@ 0.000000 MetaHookPre LoadFile(./exec) 0.000000 MetaHookPre LoadFile(./file_analysis.bif.bro) 0.000000 MetaHookPre LoadFile(./files) +0.000000 MetaHookPre LoadFile(./functions.bif.bro) 0.000000 MetaHookPre LoadFile(./gridftp) 0.000000 MetaHookPre LoadFile(./hll_unique) 0.000000 MetaHookPre LoadFile(./hooks.bif.bro) @@ -1065,7 +1066,6 @@ 0.000000 MetaHookPre LoadFile(./netstats) 0.000000 MetaHookPre LoadFile(./non-cluster) 0.000000 MetaHookPre LoadFile(./patterns) -0.000000 MetaHookPre LoadFile(./pcap.bif.bro) 0.000000 MetaHookPre LoadFile(./plugins) 0.000000 MetaHookPre LoadFile(./polling) 0.000000 MetaHookPre LoadFile(./postprocessors) 
@@ -1403,7 +1403,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1439244305.210087, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1440997649.720991, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) 
@@ -1509,11 +1509,13 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1439244305.210087, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1440997649.720991, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Notice::want_pp() 0.000000 | HookCallFunction PacketFilter::build() 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, ) 0.000000 | HookCallFunction PacketFilter::install() +0.000000 | HookCallFunction Pcap::install_pcap_filter(PacketFilter::DefaultPcapFilter) +0.000000 | HookCallFunction Pcap::precompile_pcap_filter(PacketFilter::DefaultPcapFilter, ip or not ip) 0.000000 | HookCallFunction SumStats::add_observe_plugin_dependency(SumStats::STD_DEV, SumStats::VARIANCE) 0.000000 | HookCallFunction SumStats::add_observe_plugin_dependency(SumStats::VARIANCE, SumStats::AVERAGE) 0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::AVERAGE, anonymous-function{ if (!SumStats::rv?$average) SumStats::rv$average = SumStats::valelseSumStats::rv$average += (SumStats::val - SumStats::rv$average) / (coerce SumStats::rv$num to double)}) 
@@ -1534,9 +1536,7 @@ 0.000000 | HookCallFunction current_time() 0.000000 | HookCallFunction filter_change_tracking() 0.000000 | HookCallFunction getenv(CLUSTER_NODE) -0.000000 | HookCallFunction install_pcap_filter(PacketFilter::DefaultPcapFilter) 0.000000 | HookCallFunction network_time() -0.000000 | HookCallFunction precompile_pcap_filter(PacketFilter::DefaultPcapFilter, ip or not ip) 0.000000 | HookCallFunction reading_live_traffic() 0.000000 | HookCallFunction reading_traces() 0.000000 | HookCallFunction set_to_regex({}, (^\.?|\.)(~~)$) diff --git a/testing/btest/core/pcap/dynamic-filter.bro b/testing/btest/core/pcap/dynamic-filter.bro index 012858fa65..c1b48155c1 100644 --- a/testing/btest/core/pcap/dynamic-filter.bro +++ b/testing/btest/core/pcap/dynamic-filter.bro @@ -13,20 +13,20 @@ event new_packet(c: connection, p: pkt_hdr) print cnt, c$id; if ( cnt == 1 ) - if ( ! install_pcap_filter(A) ) + if ( ! Pcap::install_pcap_filter(A) ) print "error 3"; if ( cnt == 2 ) - if ( ! install_pcap_filter(B) ) + if ( ! Pcap::install_pcap_filter(B) ) print "error 4"; } event bro_init() { - if ( ! precompile_pcap_filter(A, "port 80") ) + if ( ! Pcap::precompile_pcap_filter(A, "port 80") ) print "error 1"; - if ( ! precompile_pcap_filter(B, "port 53") ) + if ( ! Pcap::precompile_pcap_filter(B, "port 53") ) print "error 2"; } diff --git a/testing/btest/core/pcap/filter-error.bro b/testing/btest/core/pcap/filter-error.bro index 1d7b6516db..10270ed53f 100644 --- a/testing/btest/core/pcap/filter-error.bro +++ b/testing/btest/core/pcap/filter-error.bro @@ -9,8 +9,8 @@ redef enum PcapFilterID += { A }; event bro_init() { - if ( ! precompile_pcap_filter(A, "kaputt, too") ) - print "error", pcap_error(); + if ( ! Pcap::precompile_pcap_filter(A, "kaputt, too") ) + print "error", Pcap::error(); } diff --git a/testing/btest/core/pcap/input-error.bro b/testing/btest/core/pcap/input-error.bro index 2a0787c832..44788b3391 100644 --- a/testing/btest/core/pcap/input-error.bro 
+++ b/testing/btest/core/pcap/input-error.bro @@ -7,8 +7,8 @@ redef enum PcapFilterID += { A }; event bro_init() { - if ( ! precompile_pcap_filter(A, "kaputt, too") ) - print "error", pcap_error(); + if ( ! Pcap::precompile_pcap_filter(A, "kaputt, too") ) + print "error", Pcap::error(); }