diff --git a/CHANGES b/CHANGES index f96a0682b3..da263a7dcd 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,11 @@ +3.1.0-dev.297 | 2019-12-05 11:57:12 -0700 + + * GH-700: add packet_sources() BIF + + Provides access to properties of packet sources, like interface or pcap + file name. (Jon Siwek, Corelight) + 3.1.0-dev.295 | 2019-12-04 14:43:27 -0700 * Use new Zeek Logo instead of Bro Eyes on README.md (Dev Bali, Corelight) diff --git a/VERSION b/VERSION index ffc3693cb7..f0100d01b9 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -3.1.0-dev.295 +3.1.0-dev.297 diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index 7447ba853f..5a6f0a47ae 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -120,6 +120,22 @@ type mime_match: record { ## :zeek:see:`file_magic` type mime_matches: vector of mime_match; +## Properties of an I/O packet source being read by Zeek. +type PacketSource: record { + ## Whether the packet source is a live interface or offline pcap file. + live: bool; + ## The interface name for a live interface or filesystem path of + ## an offline pcap file. + path: string; + ## The data link-layer type of the packet source. + link_type: int; + ## The netmask assoicated with the source or ``NETMASK_UNKNOWN``. + netmask: count; +}; + +## A list of packet sources being read by Zeek. +type PacketSourceList: vector of PacketSource; + ## A connection's transport-layer protocol. Note that Zeek uses the term ## "connection" broadly, using flow semantics for ICMP and UDP. type transport_proto: enum { diff --git a/src/zeek.bif b/src/zeek.bif index 4b1aec875d..d9f6f610cc 100644 --- a/src/zeek.bif +++ b/src/zeek.bif @@ -23,6 +23,7 @@ #include "file_analysis/Manager.h" #include "iosource/Manager.h" #include "iosource/Packet.h" +#include "IntrusivePtr.h" using namespace std; 
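Review bot: The doc comment on the new PacketSource record's `netmask` field has a typo and cites a constant this diff does not show being exported to the script layer: `## The netmask assoicated with the source or ``NETMASK_UNKNOWN``.` should become `## The netmask associated with the source, or NETMASK_UNKNOWN (0xffffffff) when the source reports none.` — the baseline in this commit prints 4294967295 for an offline trace, which is presumably that value, but confirm the name resolves in scripts or document the literal instead. The `path` field could also note what scripts are getting, since the baseline shows an absolute filesystem path rather than a basename: `## For an offline source this appears to be the path as passed to Zeek (possibly absolute); logging or exporting it discloses local directory layout.` The hunk's surrounding `type mime_matches` / `type transport_proto` context is otherwise untouched.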
@@ -1884,7 +1885,7 @@ function type_name%(t: any%): string ## ## Returns: True if reading traffic from a network interface. ## -## .. zeek:see:: reading_traces +## .. zeek:see:: reading_traces packet_sources function reading_live_traffic%(%): bool %{ return val_mgr->GetBool(reading_live); @@ -1895,12 +1896,33 @@ function reading_live_traffic%(%): bool ## ## Returns: True if reading traffic from a network trace. ## -## .. zeek:see:: reading_live_traffic +## .. zeek:see:: reading_live_traffic packet_sources function reading_traces%(%): bool %{ return val_mgr->GetBool(reading_traces); %} +## Returns: a list of packet sources being read by Zeek. +## +## .. zeek:seek:: reading_live_traffic reading_traces +function packet_sources%(%): PacketSourceList + %{ + auto ps_type = internal_type("PacketSource")->AsRecordType(); + auto psl_type = internal_type("PacketSourceList")->AsVectorType(); + auto rval = make_intrusive(psl_type); + + for ( const auto& ps : iosource_mgr->GetPktSrcs() ) + { + auto r = make_intrusive(ps_type); + r->Assign(0, val_mgr->GetBool(ps->IsLive())); + r->Assign(1, new StringVal(ps->Path())); + r->Assign(2, val_mgr->GetInt(ps->LinkType())); + r->Assign(3, val_mgr->GetCount(ps->Netmask())); + rval->Assign(rval->Size(), r.detach()); + } + + return rval.detach(); + %} ## Generates a table of the size of all global variables. The table index is ## the variable name and the value is the variable size in bytes. diff --git a/testing/btest/Baseline/bifs.packet_sources/out b/testing/btest/Baseline/bifs.packet_sources/out new file mode 100644 index 0000000000..ce47345d99 --- /dev/null +++ b/testing/btest/Baseline/bifs.packet_sources/out @@ -0,0 +1 @@ +[[live=F, path=/Users/jsiwek/pro/zeek/zeek/testing/btest/Traces/http/get.trace, link_type=1, netmask=4294967295]] diff --git a/testing/btest/bifs/packet_sources.zeek b/testing/btest/bifs/packet_sources.zeek new file mode 100644 index 0000000000..f6ae5aac5a --- /dev/null +++ b/testing/btest/bifs/packet_sources.zeek 
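Review bot: The doc block for the new packet_sources BIF reads `## .. zeek:seek:: reading_live_traffic reading_traces`, which is not the cross-reference directive the sibling BIFs in this same hunk use (`.. zeek:see::`), so the documentation build will likely reject it or drop the link; change it to `## .. zeek:see:: reading_live_traffic reading_traces`. The block also lacks the one-line summary the neighbouring BIFs carry before `## Returns:`, e.g. `## Returns the list of packet sources Zeek is currently reading from.` Note that `make_intrusive(psl_type)` and `make_intrusive(ps_type)` appear here without template arguments — presumably `<VectorVal>` and `<RecordVal>` were lost in rendering, since the code cannot compile without them. The four `r->Assign(0..3, ...)` indices silently depend on the field order of the PacketSource record declared in init-bare.zeek; a short comment stating that coupling (`// field order must match PacketSource in init-bare.zeek`) would guard against a later reordering producing type-mismatched values.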
@@ -0,0 +1,7 @@ +# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT >out +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out + +event zeek_init() + { + print packet_sources(); + }
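Review bot: The committed baseline embeds a developer-specific absolute path (`path=/Users/jsiwek/pro/zeek/zeek/testing/btest/Traces/http/get.trace`) even though this test routes its output through `TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath`; either the baseline was captured without the canonifier or the canonifier does not match a path glued to `path=`, and in both cases the test will fail on any other checkout. Confirm that diff-remove-abspath actually rewrites that string and regenerate the baseline, or make the test independent of it by printing only the stable fields, e.g. `local s = packet_sources()[0]; print s$live, s$link_type, s$netmask;`. The rest of the script (`zeek -b -r $TRACES/http/get.trace`) is fine as written.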