Merge branch 'master' of https://github.com/knielander/bro

I reworked this a bit:

    - Moved the globals into a new Pcap::* namespace, and renamed them
      slightly.

    - Moved the definitions of the globals into pcap/const.bif.

    - Also moved the existing 'snaplen' into Pcap::* and removed
      SnapLen() from the PktSrc API (it's really a pcap thing).

    - Likewise moved the existing functions precompile_pcap_filter,
      install_pcap_filter, and pcap_error, into Pcap::*.

    - Did some more refactoring for the pcap code.

* 'master' of https://github.com/knielander/bro:
  Refactored patch (removed options, less ambiguous name)
  Allow Bro to run in fanout mode.
  Allow libpcap buffer size to be set manually.
  Allow Bro to run in fanout mode.
  Allowed libpcap buffer size to be set via configuration.

CHANGES

@@ -1,8 +1,39 @@
 
+2.4-115 | 2015-08-30 21:57:35 -0700
+
+  * Enable Bro to leverage packet fanout mode on Linux. (Kris
+    Nielander).
+
+       ## Toggle whether to do packet fanout (Linux-only).
+       const Pcap::packet_fanout_enable = F &redef;
+
+       ## If packet fanout is enabled, the id to sue for it. This should be shared amongst
+       ## worker processes processing the same socket.
+       const Pcap::packet_fanout_id = 0 &redef;
+
+       ## If packet fanout is enabled, whether packets are to be defragmented before
+       ## fanout is applied.
+       const Pcap::packet_fanout_defrag = T &redef;
+
+  * Allow libpcap buffer size to be set via configuration. (Kris Nielander)
+
+       ## Number of Mbytes to provide as buffer space when capturing from live
+       ## interfaces.
+       const Pcap::bufsize = 128 &redef;
+
+  * Move the pcap-related script-level identifiers into the new Pcap
+    namespace. (Robin Sommer)
+
+        snaplen                  -> Pcap::snaplen
+        precompile_pcap_filter() -> Pcap::precompile_pcap_filter()
+        install_pcap_filter()    -> Pcap::install_pcap_filter()
+        pcap_error()             -> Pcap::pcap_error()
+
+
 2.4-108 | 2015-08-30 20:14:31 -0700
 
    * Update Base64 decoding.  (Jan Grashoefer)
-     
+
         - A new built-in function, decode_base64_conn() for Base64
           decoding. It works like decode_base64() but receives an
           additional connection argument that will be used for
@@ -20,7 +51,7 @@
 
   * Fix potential crash if TCP header was captured incompletely.
     (Robin Sommer)
-    
+
 2.4-103 | 2015-08-29 10:51:55 -0700
 
   * Make ASN.1 date/time parsing more robust. (Johanna Amann)

CMakeLists.txt

@@ -155,6 +155,7 @@ include(TestBigEndian)
 test_big_endian(WORDS_BIGENDIAN)
 include(CheckSymbolExists)
 check_symbol_exists(htonll arpa/inet.h HAVE_BYTEORDER_64)
+check_symbol_exists(PACKET_FANOUT linux/if_packet.h HAVE_PACKET_FANOUT)
 
 include(OSSpecific)
 include(CheckTypes)

NEWS

@@ -18,6 +18,13 @@ New Dependencies
 
 - Bro now requires Python instead of Perl to compile the source code.
 
+- The pcap buffer size can set through the new option Pcap::bufsize.
+
+- Bro can now leverage packet fanout mode on Linux through the new
+  options Pcap::packet_fanout_enable, Pcap::packet_fanout_id, and
+  Pcap::packet_fanout_defrag.
+
+
 New Functionality
 -----------------
 
@@ -38,6 +45,17 @@ New Functionality
     - pf_ring: Native PF_RING support.
     - redis:   An experimental log writer for Redis.
 
+Changed Functionality
+---------------------
+
+- Some script-level identifier have changed their names:
+
+      snaplen                  -> Pcap::snaplen
+      precompile_pcap_filter() -> Pcap::precompile_pcap_filter()
+      install_pcap_filter()    -> Pcap::install_pcap_filter()
+      pcap_error()             -> Pcap::pcap_error()
+
+
 Deprecated Functionality
 ------------------------
 

VERSION

@@ -1 +1 @@
-2.4-108
+2.4-115

bro-config.h.in

@@ -213,6 +213,9 @@
 /* Common IPv6 extension structure */
 #cmakedefine HAVE_IP6_EXT
 
+/* Linux packet fanout */
+#cmakedefine HAVE_PACKET_FANOUT
+
 /* String with host architecture (e.g., "linux-x86_64") */
 #define HOST_ARCHITECTURE "@HOST_ARCHITECTURE@"
 

scripts/base/frameworks/packet-filter/main.bro

@@ -138,7 +138,7 @@ redef enum PcapFilterID += {
 
 function test_filter(filter: string): bool
 	{
-	if ( ! precompile_pcap_filter(FilterTester, filter) )
+	if ( ! Pcap::precompile_pcap_filter(FilterTester, filter) )
 		{
 		# The given filter was invalid
 		# TODO: generate a notice.
@@ -273,7 +273,7 @@ function install(): bool
 		return F;
 
 	local ts = current_time();
-	if ( ! precompile_pcap_filter(DefaultPcapFilter, tmp_filter) )
+	if ( ! Pcap::precompile_pcap_filter(DefaultPcapFilter, tmp_filter) )
 		{
 		NOTICE([$note=Compile_Failure,
 		        $msg=fmt("Compiling packet filter failed"),
@@ -303,7 +303,7 @@ function install(): bool
 		}
 	info$filter = current_filter;
 
-	if ( ! install_pcap_filter(DefaultPcapFilter) )
+	if ( ! Pcap::install_pcap_filter(DefaultPcapFilter) )
 		{
 		# Installing the filter failed for some reason.
 		info$success = F;

scripts/base/init-bare.bro

@@ -3682,7 +3682,6 @@ export {
 	## (includes GRE tunnels).
 	const ip_tunnel_timeout = 24hrs &redef;
 } # end export
-module GLOBAL;
 
 module Reporter;
 export {
@@ -3701,10 +3700,29 @@ export {
 	## external harness and shouldn't output anything to the console.
 	const errors_to_stderr = T &redef;
 }
-module GLOBAL;
 
-## Number of bytes per packet to capture from live interfaces.
+module Pcap;
-const snaplen = 8192 &redef;
+export {
+	## Number of bytes per packet to capture from live interfaces.
+	const snaplen = 8192 &redef;
+
+	## Number of Mbytes to provide as buffer space when capturing from live
+	## interfaces. 
+	const bufsize = 128 &redef;
+
+	## Toggle whether to do packet fanout (Linux-only).
+	const packet_fanout_enable = F &redef;
+
+	## If packet fanout is enabled, the id to sue for it. This should be shared amongst
+	## worker processes processing the same socket.
+	const packet_fanout_id = 0 &redef;
+
+	## If packet fanout is enabled, whether packets are to be defragmented before
+	## fanout is applied.
+	const packet_fanout_defrag = T &redef;
+} # end export
+
+module GLOBAL;
 
 ## Seed for hashes computed internally for probabilistic data structures. Using
 ## the same value here will make the hashes compatible between independent Bro

src/Net.h

@@ -70,9 +70,6 @@ extern bool terminating;
 // True if the remote serializer is to be activated.
 extern bool using_communication;
 
-// Snaplen passed to libpcap.
-extern int snaplen;
-
 extern const Packet* current_pkt;
 extern int current_dispatched;
 extern double current_timestamp;

src/iosource/CMakeLists.txt

@@ -17,8 +17,6 @@ set(iosource_SRCS
     PktSrc.cc
 )
 
-bif_target(pcap.bif)
-
 bro_add_subdir_library(iosource ${iosource_SRCS})
 add_dependencies(bro_iosource generate_outputs)
 

src/iosource/PktSrc.cc

@@ -11,6 +11,8 @@
 #include "Net.h"
 #include "Sessions.h"
 
+#include "pcap/const.bif.h"
+
 using namespace iosource;
 
 PktSrc::Properties::Properties()
@@ -66,11 +68,6 @@ bool PktSrc::IsError() const
 	return ErrorMsg();
 	}
 
-int PktSrc::SnapLen() const
-	{
-	return snaplen; // That's a global. Change?
-	}
-
 bool PktSrc::IsLive() const
 	{
 	return props.is_live;
@@ -112,7 +109,7 @@ void PktSrc::Opened(const Properties& arg_props)
 		}
 
 	if ( props.is_live )
-		Info(fmt("listening on %s, capture length %d bytes\n", props.path.c_str(), SnapLen()));
+		Info(fmt("listening on %s\n", props.path.c_str()));
 
 	DBG_LOG(DBG_PKTIO, "Opened source %s", props.path.c_str());
 	}
@@ -325,7 +322,7 @@ bool PktSrc::PrecompileBPFFilter(int index, const std::string& filter)
 	// Compile filter.
 	BPF_Program* code = new BPF_Program();
 
-	if ( ! code->Compile(SnapLen(), LinkType(), filter.c_str(), Netmask(), errbuf, sizeof(errbuf)) )
+	if ( ! code->Compile(BifConst::Pcap::snaplen, LinkType(), filter.c_str(), Netmask(), errbuf, sizeof(errbuf)) )
 		{
 		string msg = fmt("cannot compile BPF filter \"%s\"", filter.c_str());
 

src/iosource/PktSrc.h

@@ -95,11 +95,6 @@ public:
 	 */
 	int HdrSize() const;
 
-	/**
-	 * Returns the snap length for this source.
-	 */
-	int SnapLen() const;
-
 	/**
 	 * In pseudo-realtime mode, returns the logical timestamp of the
 	 * current packet. Undefined if not running pseudo-realtime mode.

src/iosource/pcap/CMakeLists.txt

@@ -5,4 +5,6 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI
 
 bro_plugin_begin(Bro Pcap)
 bro_plugin_cc(Source.cc Dumper.cc Plugin.cc)
+bif_target(functions.bif)
+bif_target(const.bif)
 bro_plugin_end()

src/iosource/pcap/Dumper.cc

@@ -7,6 +7,8 @@
 #include "../PktSrc.h"
 #include "../../Net.h"
 
+#include "const.bif.h"
+
 using namespace iosource::pcap;
 
 PcapDumper::PcapDumper(const std::string& path, bool arg_append)
@@ -25,7 +27,8 @@ void PcapDumper::Open()
 	{
 	int linktype = -1;
 
-	pd = pcap_open_dead(DLT_EN10MB, snaplen);
+	pd = pcap_open_dead(DLT_EN10MB, BifConst::Pcap::snaplen);
+
 	if ( ! pd )
 		{
 		Error("error for pcap_open_dead");

src/iosource/pcap/Source.cc

@@ -7,10 +7,16 @@
 #include "Source.h"
 #include "iosource/Packet.h"
 
+#include "const.bif.h"
+
 #ifdef HAVE_PCAP_INT_H
 #include <pcap-int.h>
 #endif
 
+#ifdef HAVE_PACKET_FANOUT
+#include <linux/if_packet.h>
+#endif
+
 using namespace iosource::pcap;
 
 PcapSource::~PcapSource()
@@ -84,32 +90,64 @@ void PcapSource::OpenLive()
 		props.netmask = PktSrc::NETMASK_UNKNOWN;
 #endif
 
-	// We use the smallest time-out possible to return almost immediately if
+	pd = pcap_create(props.path.c_str(), errbuf);
-	// no packets are available. (We can't use set_nonblocking() as it's
-	// broken on FreeBSD: even when select() indicates that we can read
-	// something, we may get nothing if the store buffer hasn't filled up
-	// yet.)
-	pd = pcap_open_live(props.path.c_str(), SnapLen(), 1, 1, tmp_errbuf);
 
 	if ( ! pd )
 		{
-		Error(tmp_errbuf);
+		PcapError("pcap_create");
 		return;
 		}
 
-	// ### This needs autoconf'ing.
+	if ( pcap_set_snaplen(pd, BifConst::Pcap::snaplen) )
-#ifdef HAVE_PCAP_INT_H
+		{
-	Info(fmt("pcap bufsize = %d\n", ((struct pcap *) pd)->bufsize));
+		PcapError("pcap_set_snaplen");
-#endif
+		return;
+		}
+
+	if ( pcap_set_promisc(pd, 1) )
+		{
+		PcapError("pcap_set_promisc");
+		return;
+		}
+
+	// We use the smallest time-out possible to return almost immediately
+	// if no packets are available. (We can't use set_nonblocking() as
+	// it's broken on FreeBSD: even when select() indicates that we can
+	// read something, we may get nothing if the store buffer hasn't
+	// filled up yet.)
+	//
+	// TODO: The comment about FreeBSD is pretty old and may not apply
+	// anymore these days.
+	if ( pcap_set_timeout(pd, 1) )
+		{
+		PcapError("pcap_set_timeout");
+		return;
+		}
+
+	if ( pcap_set_buffer_size(pd, BifConst::Pcap::bufsize * 1024 * 1024) )
+		{
+		PcapError("pcap_set_buffer_size");
+		return;
+		}
+
+	if ( pcap_activate(pd) )
+		{
+		PcapError("pcap_activate");
+		return;
+		}
 
 #ifdef HAVE_LINUX
 	if ( pcap_setnonblock(pd, 1, tmp_errbuf) < 0 )
 		{
-		PcapError();
+		PcapError("pcap_setnonblock");
 		return;
 		}
 #endif
 
+#ifdef HAVE_PCAP_INT_H
+	Info(fmt("pcap bufsize = %d\n", ((struct pcap *) pd)->bufsize));
+#endif
+
 	props.selectable_fd = pcap_fileno(pd);
 
 	SetHdrSize();
@@ -118,6 +156,24 @@ void PcapSource::OpenLive()
 		// Was closed, couldn't get header size.
 		return;
 
+#ifdef HAVE_PACKET_FANOUT
+	// Turn on cluster mode for the device.
+	if ( BifConst::Pcap::packet_fanout_enable )
+		{
+		uint32_t packet_fanout_arg = (PACKET_FANOUT_HASH << 16)
+			| (BifConst::Pcap::packet_fanout_id & 0xffff);
+
+		if ( BifConst::Pcap::packet_fanout_defrag )
+			packet_fanout_arg |= (PACKET_FANOUT_FLAG_DEFRAG << 16);
+
+		if ( setsockopt(props.selectable_fd, SOL_PACKET, PACKET_FANOUT, &packet_fanout_arg, sizeof(packet_fanout_arg)) == -1 )
+			{
+			Error(fmt("packet fanout: %s", strerror(errno)));
+			return;
+			}
+		}
+#endif
+
 	props.is_live = true;
 
 	Opened(props);
@@ -257,12 +313,17 @@ void PcapSource::Statistics(Stats* s)
 		s->dropped = 0;
 	}
 
-void PcapSource::PcapError()
+void PcapSource::PcapError(const char* where)
 	{
+	string location;
+
+	if ( where )
+		location = fmt(" (%s)", where);
+
 	if ( pd )
-		Error(fmt("pcap_error: %s", pcap_geterr(pd)));
+		Error(fmt("pcap_error: %s%s", pcap_geterr(pd), location.c_str()));
 	else
-		Error("pcap_error: not open");
+		Error(fmt("pcap_error: not open%s", location.c_str()));
 
 	Close();
 	}

src/iosource/pcap/Source.h

@@ -28,7 +28,7 @@ protected:
 private:
 	void OpenLive();
 	void OpenOffline();
-	void PcapError();
+	void PcapError(const char* where = 0);
 	void SetHdrSize();
 
 	Properties props;

src/iosource/pcap/const.bif

@@ -0,0 +1,9 @@
+
+
+const Pcap::snaplen: count;
+const Pcap::bufsize: count;
+
+const Pcap::packet_fanout_enable: bool;
+const Pcap::packet_fanout_id: count;
+const Pcap::packet_fanout_defrag: bool;
+

src/iosource/pcap/functions.bif

@@ -1,4 +1,6 @@
 
+module Pcap;
+
 ## Precompiles a PCAP filter and binds it to a given identifier.
 ##
 ## id: The PCAP identifier to reference the filter *s* later on.
@@ -86,7 +88,7 @@ function install_pcap_filter%(id: PcapFilterID%): bool
 ##              install_dst_net_filter
 ##              uninstall_dst_addr_filter
 ##              uninstall_dst_net_filter
-function pcap_error%(%): string
+function error%(%): string
 	%{
 	const iosource::Manager::PktSrcList& pkt_srcs(iosource_mgr->GetPktSrcs());
 

src/main.cc

@@ -121,7 +121,6 @@ char* command_line_policy = 0;
 vector<string> params;
 set<string> requested_plugins;
 char* proc_status_file = 0;
-int snaplen = 0;	// this gets set from the scripting-layer's value
 
 OpaqueType* md5_type = 0;
 OpaqueType* sha1_type = 0;
@@ -989,8 +988,6 @@ int main(int argc, char** argv)
 			}
 		}
 
-	snaplen = internal_val("snaplen")->AsCount();
-
 	if ( dns_type != DNS_PRIME )
 		net_init(interfaces, read_files, writefile, do_watchdog);
 

testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log

@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2015-04-21-22-29-19
+#open	2015-08-31-04-50-43
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -46,7 +46,7 @@ scripts/base/init-bare.bro
     scripts/base/frameworks/files/magic/__load__.bro
   build/scripts/base/bif/__load__.bro
     build/scripts/base/bif/broxygen.bif.bro
-    build/scripts/base/bif/pcap.bif.bro
+    build/scripts/base/bif/functions.bif.bro
     build/scripts/base/bif/bloom-filter.bif.bro
     build/scripts/base/bif/cardinality-counter.bif.bro
     build/scripts/base/bif/top-k.bif.bro
@@ -128,4 +128,4 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro
 scripts/policy/misc/loaded-scripts.bro
   scripts/base/utils/paths.bro
-#close	2015-04-21-22-29-19
+#close	2015-08-31-04-50-43

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2015-04-21-22-29-27
+#open	2015-08-31-05-07-15
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -46,7 +46,7 @@ scripts/base/init-bare.bro
     scripts/base/frameworks/files/magic/__load__.bro
   build/scripts/base/bif/__load__.bro
     build/scripts/base/bif/broxygen.bif.bro
-    build/scripts/base/bif/pcap.bif.bro
+    build/scripts/base/bif/functions.bif.bro
     build/scripts/base/bif/bloom-filter.bif.bro
     build/scripts/base/bif/cardinality-counter.bif.bro
     build/scripts/base/bif/top-k.bif.bro
@@ -273,4 +273,4 @@ scripts/base/init-default.bro
   scripts/base/misc/find-checksum-offloading.bro
   scripts/base/misc/find-filtered-trace.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2015-04-21-22-29-27
+#close	2015-08-31-05-07-15

testing/btest/Baseline/plugins.hooks/output

@@ -220,7 +220,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1439244305.210087, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1440997649.720991, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Communication::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Conn::LOG)) -> <no result>
@@ -326,11 +326,13 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1439244305.210087, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1440997649.720991, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::build, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, )) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::install, <frame>, ()) -> <no result>
+0.000000   MetaHookPost  CallFunction(Pcap::install_pcap_filter, <frame>, (PacketFilter::DefaultPcapFilter)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Pcap::precompile_pcap_filter, <frame>, (PacketFilter::DefaultPcapFilter, ip or not ip)) -> <no result>
 0.000000   MetaHookPost  CallFunction(SumStats::add_observe_plugin_dependency, <frame>, (SumStats::STD_DEV, SumStats::VARIANCE)) -> <no result>
 0.000000   MetaHookPost  CallFunction(SumStats::add_observe_plugin_dependency, <frame>, (SumStats::VARIANCE, SumStats::AVERAGE)) -> <no result>
 0.000000   MetaHookPost  CallFunction(SumStats::register_observe_plugin, <frame>, (SumStats::AVERAGE, anonymous-function{ if (!SumStats::rv?$average) SumStats::rv$average = SumStats::valelseSumStats::rv$average += (SumStats::val - SumStats::rv$average) / (coerce SumStats::rv$num to double)})) -> <no result>
@@ -351,9 +353,7 @@
 0.000000   MetaHookPost  CallFunction(current_time, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(filter_change_tracking, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(getenv, <null>, (CLUSTER_NODE)) -> <no result>
-0.000000   MetaHookPost  CallFunction(install_pcap_filter, <frame>, (PacketFilter::DefaultPcapFilter)) -> <no result>
 0.000000   MetaHookPost  CallFunction(network_time, <frame>, ()) -> <no result>
-0.000000   MetaHookPost  CallFunction(precompile_pcap_filter, <frame>, (PacketFilter::DefaultPcapFilter, ip or not ip)) -> <no result>
 0.000000   MetaHookPost  CallFunction(reading_live_traffic, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(reading_traces, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(set_to_regex, <frame>, ({}, (^\.?|\.)(~~)$)) -> <no result>
@@ -453,6 +453,7 @@
 0.000000   MetaHookPost  LoadFile(./exec) -> -1
 0.000000   MetaHookPost  LoadFile(./file_analysis.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./files) -> -1
+0.000000   MetaHookPost  LoadFile(./functions.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./gridftp) -> -1
 0.000000   MetaHookPost  LoadFile(./hll_unique) -> -1
 0.000000   MetaHookPost  LoadFile(./hooks.bif.bro) -> -1
@@ -473,7 +474,6 @@
 0.000000   MetaHookPost  LoadFile(./netstats) -> -1
 0.000000   MetaHookPost  LoadFile(./non-cluster) -> -1
 0.000000   MetaHookPost  LoadFile(./patterns) -> -1
-0.000000   MetaHookPost  LoadFile(./pcap.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./plugins) -> -1
 0.000000   MetaHookPost  LoadFile(./polling) -> -1
 0.000000   MetaHookPost  LoadFile(./postprocessors) -> -1
@@ -812,7 +812,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1439244305.210087, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1440997649.720991, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Communication::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Conn::LOG))
@@ -918,11 +918,13 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1439244305.210087, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1440997649.720991, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::build, <frame>, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, ))
 0.000000   MetaHookPre   CallFunction(PacketFilter::install, <frame>, ())
+0.000000   MetaHookPre   CallFunction(Pcap::install_pcap_filter, <frame>, (PacketFilter::DefaultPcapFilter))
+0.000000   MetaHookPre   CallFunction(Pcap::precompile_pcap_filter, <frame>, (PacketFilter::DefaultPcapFilter, ip or not ip))
 0.000000   MetaHookPre   CallFunction(SumStats::add_observe_plugin_dependency, <frame>, (SumStats::STD_DEV, SumStats::VARIANCE))
 0.000000   MetaHookPre   CallFunction(SumStats::add_observe_plugin_dependency, <frame>, (SumStats::VARIANCE, SumStats::AVERAGE))
 0.000000   MetaHookPre   CallFunction(SumStats::register_observe_plugin, <frame>, (SumStats::AVERAGE, anonymous-function{ if (!SumStats::rv?$average) SumStats::rv$average = SumStats::valelseSumStats::rv$average += (SumStats::val - SumStats::rv$average) / (coerce SumStats::rv$num to double)}))
@@ -943,9 +945,7 @@
 0.000000   MetaHookPre   CallFunction(current_time, <frame>, ())
 0.000000   MetaHookPre   CallFunction(filter_change_tracking, <null>, ())
 0.000000   MetaHookPre   CallFunction(getenv, <null>, (CLUSTER_NODE))
-0.000000   MetaHookPre   CallFunction(install_pcap_filter, <frame>, (PacketFilter::DefaultPcapFilter))
 0.000000   MetaHookPre   CallFunction(network_time, <frame>, ())
-0.000000   MetaHookPre   CallFunction(precompile_pcap_filter, <frame>, (PacketFilter::DefaultPcapFilter, ip or not ip))
 0.000000   MetaHookPre   CallFunction(reading_live_traffic, <frame>, ())
 0.000000   MetaHookPre   CallFunction(reading_traces, <frame>, ())
 0.000000   MetaHookPre   CallFunction(set_to_regex, <frame>, ({}, (^\.?|\.)(~~)$))
@@ -1045,6 +1045,7 @@
 0.000000   MetaHookPre   LoadFile(./exec)
 0.000000   MetaHookPre   LoadFile(./file_analysis.bif.bro)
 0.000000   MetaHookPre   LoadFile(./files)
+0.000000   MetaHookPre   LoadFile(./functions.bif.bro)
 0.000000   MetaHookPre   LoadFile(./gridftp)
 0.000000   MetaHookPre   LoadFile(./hll_unique)
 0.000000   MetaHookPre   LoadFile(./hooks.bif.bro)
@@ -1065,7 +1066,6 @@
 0.000000   MetaHookPre   LoadFile(./netstats)
 0.000000   MetaHookPre   LoadFile(./non-cluster)
 0.000000   MetaHookPre   LoadFile(./patterns)
-0.000000   MetaHookPre   LoadFile(./pcap.bif.bro)
 0.000000   MetaHookPre   LoadFile(./plugins)
 0.000000   MetaHookPre   LoadFile(./polling)
 0.000000   MetaHookPre   LoadFile(./postprocessors)
@@ -1403,7 +1403,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1439244305.210087, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1440997649.720991, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@@ -1509,11 +1509,13 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1439244305.210087, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1440997649.720991, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Notice::want_pp()
 0.000000 | HookCallFunction PacketFilter::build()
 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, )
 0.000000 | HookCallFunction PacketFilter::install()
+0.000000 | HookCallFunction Pcap::install_pcap_filter(PacketFilter::DefaultPcapFilter)
+0.000000 | HookCallFunction Pcap::precompile_pcap_filter(PacketFilter::DefaultPcapFilter, ip or not ip)
 0.000000 | HookCallFunction SumStats::add_observe_plugin_dependency(SumStats::STD_DEV, SumStats::VARIANCE)
 0.000000 | HookCallFunction SumStats::add_observe_plugin_dependency(SumStats::VARIANCE, SumStats::AVERAGE)
 0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::AVERAGE, anonymous-function{ if (!SumStats::rv?$average) SumStats::rv$average = SumStats::valelseSumStats::rv$average += (SumStats::val - SumStats::rv$average) / (coerce SumStats::rv$num to double)})
@@ -1534,9 +1536,7 @@
 0.000000 | HookCallFunction current_time()
 0.000000 | HookCallFunction filter_change_tracking()
 0.000000 | HookCallFunction getenv(CLUSTER_NODE)
-0.000000 | HookCallFunction install_pcap_filter(PacketFilter::DefaultPcapFilter)
 0.000000 | HookCallFunction network_time()
-0.000000 | HookCallFunction precompile_pcap_filter(PacketFilter::DefaultPcapFilter, ip or not ip)
 0.000000 | HookCallFunction reading_live_traffic()
 0.000000 | HookCallFunction reading_traces()
 0.000000 | HookCallFunction set_to_regex({}, (^\.?|\.)(~~)$)

testing/btest/core/pcap/dynamic-filter.bro

@@ -13,20 +13,20 @@ event new_packet(c: connection, p: pkt_hdr)
 	print cnt, c$id;
 	
 	if ( cnt == 1 )
-		if ( ! install_pcap_filter(A) )
+		if ( ! Pcap::install_pcap_filter(A) )
 			print "error 3";
 
 	if ( cnt == 2 )
-		if ( ! install_pcap_filter(B) )
+		if ( ! Pcap::install_pcap_filter(B) )
 			print "error 4";
 	}
 
 event bro_init()
 	{
-	if ( ! precompile_pcap_filter(A, "port 80") )
+	if ( ! Pcap::precompile_pcap_filter(A, "port 80") )
 		print "error 1";
 	
-	if ( ! precompile_pcap_filter(B, "port 53") )
+	if ( ! Pcap::precompile_pcap_filter(B, "port 53") )
 		print "error 2";
 	}
 

testing/btest/core/pcap/filter-error.bro

@@ -9,8 +9,8 @@ redef enum PcapFilterID += { A };
 
 event bro_init()
 	{
-	if ( ! precompile_pcap_filter(A, "kaputt, too") )
+	if ( ! Pcap::precompile_pcap_filter(A, "kaputt, too") )
-		print "error", pcap_error();
+		print "error", Pcap::error();
 	}
 
 

testing/btest/core/pcap/input-error.bro

@@ -7,8 +7,8 @@ redef enum PcapFilterID += { A };
 
 event bro_init()
 	{
-	if ( ! precompile_pcap_filter(A, "kaputt, too") )
+	if ( ! Pcap::precompile_pcap_filter(A, "kaputt, too") )
-		print "error", pcap_error();
+		print "error", Pcap::error();
 	}