Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Add Pcap::file_done event

Browse source 
It signals when a pcap file is done being processed.
This commit is contained in:
Jon Siwek 2020-02-03 19:35:10 -08:00
parent 4fbcca04e8
commit 7c124881cd
4 changed files with 18 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/event.bif
View file

@ -851,3 +851,8 @@ event new_event%(name: string, params: call_argument_vector%);
## Shows an IP address anonymization mapping. ## Shows an IP address anonymization mapping.
event anonymization_mapping%(orig: addr, mapped: addr%); event anonymization_mapping%(orig: addr, mapped: addr%);
## An event that signals a pcap file is done being processed.
##
## path: the filesystem path of the pcap file
event Pcap::file_done%(path: string%);

5
src/iosource/pcap/Source.cc
View file

@ -6,6 +6,8 @@
#include "iosource/Packet.h" #include "iosource/Packet.h"
#include "iosource/BPF_Program.h" #include "iosource/BPF_Program.h"
#include "Event.h"
#include "pcap.bif.h" #include "pcap.bif.h"
#ifdef HAVE_PCAP_INT_H #ifdef HAVE_PCAP_INT_H
@ -47,6 +49,9 @@ void PcapSource::Close()
last_data = nullptr; last_data = nullptr;
Closed(); Closed();
if ( Pcap::file_done )
mgr.QueueEventFast(Pcap::file_done, {new StringVal(props.path)});
} }
void PcapSource::OpenLive() void PcapSource::OpenLive()

1
testing/btest/Baseline/core.pcap_file_done/out Normal file
View file

@ -0,0 +1 @@
pcap file done, /home/jon/pro/zeek/zeek/testing/btest/Traces/http/get.trace

7
testing/btest/core/pcap_file_done.zeek Normal file
View file

@ -0,0 +1,7 @@
# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT >out
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
event Pcap::file_done(path: string)
{
print "pcap file done", path;
}