Add command-line option to write unprocessed packets to a file
This commit also changes the PcapDumper to automatically flush after every call to Dump(). This is because pcap_dump has an internal buffer of some sort that only writes to the file after a set amount of bytes. When using the new option on a low-traffic network, it might be a while before you see any packets written since it has to overcome that buffer limit first.
This commit is contained in:
parent
fe932944c4
commit
92b84a00f9
6 changed files with 35 additions and 9 deletions
|
@ -4,6 +4,7 @@
|
|||
|
||||
#include "zeek/RunState.h"
|
||||
#include "zeek/Stats.h"
|
||||
#include "zeek/iosource/Manager.h"
|
||||
#include "zeek/iosource/PktDumper.h"
|
||||
#include "zeek/packet_analysis/Analyzer.h"
|
||||
#include "zeek/packet_analysis/Dispatcher.h"
|
||||
|
@ -24,7 +25,7 @@ Manager::~Manager()
|
|||
delete pkt_filter;
|
||||
}
|
||||
|
||||
void Manager::InitPostScript()
|
||||
void Manager::InitPostScript(const std::string& unprocessed_output_file)
|
||||
{
|
||||
// Instantiate objects for all available analyzers
|
||||
for ( const auto& analyzerComponent : GetComponents() )
|
||||
|
@ -49,6 +50,10 @@ void Manager::InitPostScript()
|
|||
unknown_sampling_threshold = id::find_val("UnknownProtocol::sampling_threshold")->AsCount();
|
||||
unknown_sampling_duration = id::find_val("UnknownProtocol::sampling_duration")->AsInterval();
|
||||
unknown_first_bytes_count = id::find_val("UnknownProtocol::first_bytes_count")->AsCount();
|
||||
|
||||
if ( ! unprocessed_output_file.empty() )
|
||||
// This gets automatically cleaned up by iosource_mgr. No need to delete it locally.
|
||||
unprocessed_dumper = iosource_mgr->OpenPktDumper(unprocessed_output_file, true);
|
||||
}
|
||||
|
||||
void Manager::Done() { }
|
||||
|
@ -114,6 +119,9 @@ void Manager::ProcessPacket(Packet* packet)
|
|||
|
||||
plugin_mgr->HookUnprocessedPacket(packet);
|
||||
|
||||
if ( unprocessed_dumper )
|
||||
unprocessed_dumper->Dump(packet);
|
||||
|
||||
total_not_processed++;
|
||||
}
|
||||
|
||||
|
|
|
@ -18,6 +18,11 @@ namespace detail
|
|||
class PacketProfiler;
|
||||
}
|
||||
|
||||
namespace iosource
|
||||
{
|
||||
class PktDumper;
|
||||
}
|
||||
|
||||
namespace packet_analysis
|
||||
{
|
||||
|
||||
|
@ -40,8 +45,12 @@ public:
|
|||
/**
|
||||
* Second-stage initialization of the manager. This is called late
|
||||
* during Zeek's initialization after any scripts are processed.
|
||||
*
|
||||
* @param unprocessed_output_file A path to a file where unprocessed
|
||||
* packets will be written. This can be an empty string to disable
|
||||
* writing packets.
|
||||
*/
|
||||
void InitPostScript();
|
||||
void InitPostScript(const std::string& unprocessed_output_file);
|
||||
|
||||
/**
|
||||
* Finished the manager's operations.
|
||||
|
@ -172,6 +181,7 @@ private:
|
|||
uint64_t unknown_first_bytes_count = 0;
|
||||
|
||||
uint64_t total_not_processed = 0;
|
||||
iosource::PktDumper* unprocessed_dumper = nullptr;
|
||||
};
|
||||
|
||||
} // namespace packet_analysis
|
||||
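Review bot: The new member `iosource::PktDumper* unprocessed_dumper = nullptr;` is a raw pointer with no statement of ownership in the header, which is where the next reader will look when deciding whether Manager's destructor must delete it (the destructor visible in the .cc hunk deletes `pkt_filter`, so the question is natural). The .cc side says the dumper is cleaned up by iosource_mgr; record that where the member is declared: `// Non-owning: registered with, and destroyed by, iosource_mgr.` The InitPostScript doc comment could also state that the output file is opened for appending, if that is what the `true` passed to OpenPktDumper selects, since an operator may otherwise expect a fresh file on each run. The enclosing class starts before these hunks.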
|
|