Merge remote-tracking branch 'origin/topic/awelzel/pcap-reading-configurable-buffer'

* origin/topic/awelzel/pcap-reading-configurable-buffer: iosource/pcap: Support configurable buffer size util/setvbuf: Respect buf argument
2025-10-02 14:48:21 +00:00 · 2023-10-11 15:20:17 +02:00 · 2023-10-11 15:20:17 +02:00 · 94a8cf2a09
commit 94a8cf2a09
parent ffc35d90ba 7fac5837c3
10 changed files with 64 additions and 3 deletions
--- a/3
+++ b/3
@ -121,6 +121,9 @@ Changed Functionality
 - Parameter lists for functions, events and hooks now use commas instead of
  semicolons in error messages or when printing such functions.
 - The IO buffer size used for PCAP file reading is now always 128kb. This
  new default can be changed via ``Pcap::bufsize_offline_bytes``.
 Removed Functionality
 ---------------------
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -5286,6 +5286,11 @@ export {
 	## interfaces.
 	const bufsize = 128 &redef;
 	## Number of bytes to use for buffering file read operations when reading
 	## from a PCAP file. Setting this to 0 uses operating system defaults
 	## as chosen by fopen().
 	const bufsize_offline_bytes = 128 * 1024 &redef;
 	## Default timeout for packet sources without file descriptors.
 	##
 	## For libpcap based packet sources that do not provide a usable
--- a/src/iosource/pcap/Source.cc
+++ b/src/iosource/pcap/Source.cc
@ -10,6 +10,8 @@
 #include <pcap-int.h>
 #endif
 #include <stdio.h>
 #include "zeek/Event.h"
 #include "zeek/iosource/BPF_Program.h"
 #include "zeek/iosource/Packet.h"
@ -176,10 +178,42 @@ void PcapSource::OpenOffline()
 	{
 	char errbuf[PCAP_ERRBUF_SIZE];
-	pd = pcap_open_offline(props.path.c_str(), errbuf);
+	FILE* f = nullptr;
 	if ( props.path == "-" )
 		{
 		f = stdin;
 		}
 	else
 		{
 		if ( f = fopen(props.path.c_str(), "rb"); ! f )
 			{
 			Error(util::fmt("unable to open %s: %s", props.path.c_str(), strerror(errno)));
 			return;
 			}
 		// Setup file IO buffering with a bufsize_offline_bytes sized
 		// buffer if set, otherwise use what fopen() took as the default.
 		if ( BifConst::Pcap::bufsize_offline_bytes != 0 )
 			{
 			iobuf.resize(BifConst::Pcap::bufsize_offline_bytes);
 			if ( util::detail::setvbuf(f, iobuf.data(), _IOFBF, iobuf.size()) != 0 )
 				{
 				Error(util::fmt("unable to setvbuf %s: %s", props.path.c_str(), strerror(errno)));
 				fclose(f);
 				return;
 				}
 			}
 		}
 	// pcap_fopen_offline() takes ownership of f on success and
 	// pcap_close() elsewhere should close it, too.
 	pd = pcap_fopen_offline(f, errbuf);
 	if ( ! pd )
 		{
 		if ( f != stdin )
 			fclose(f);
 		Error(errbuf);
 		return;
 		}
--- a/src/iosource/pcap/Source.h
+++ b/src/iosource/pcap/Source.h
@ -4,6 +4,7 @@
 #include <sys/types.h> // for u_char
 #include <unistd.h>
 #include <vector>
 extern "C"
 	{
@ -44,6 +45,9 @@ private:
 	pcap_t* pd;
 	struct pcap_stat prev_pstat = {0};
 	// Buffer provided to setvbuf() when reading from a PCAP file.
 	std::vector<char> iobuf;
 	};
 	} // namespace zeek::iosource::pcap
--- a/src/iosource/pcap/pcap.bif
+++ b/src/iosource/pcap/pcap.bif
@ -3,6 +3,7 @@ module Pcap;
 const snaplen: count;
 const bufsize: count;
 const bufsize_offline_bytes: count;
 const non_fd_timeout: interval;
 %%{
--- a/src/util.cc
+++ b/src/util.cc
@ -1025,7 +1025,7 @@ void set_thread_name(const char* name, pthread_t tid)
 int setvbuf(FILE* stream, char* buf, int type, size_t size)
 	{
 #ifndef _MSC_VER
-	return ::setvbuf(stream, NULL, type, size);
+	return ::setvbuf(stream, buf, type, size);
 #else
 	// TODO: this turns off buffering altogether because Windows wants us to pass a valid
 	// buffer and length if we're going to pass one of the other modes. We need to
--- a/testing/btest/Baseline/core.pcap.input-error/output2
+++ b/testing/btest/Baseline/core.pcap.input-error/output2
@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 fatal error: problem with interface NO_SUCH_INTERFACE 
-fatal error: problem with trace file NO_SUCH_TRACE (NO_SUCH_TRACE: No such file or directory)
+fatal error: problem with trace file NO_SUCH_TRACE (unable to open NO_SUCH_TRACE: No such file or directory)
--- a/testing/btest/Baseline/core.pcap.wrong-format/output
+++ b/testing/btest/Baseline/core.pcap.wrong-format/output
@ -0,0 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 fatal error: problem with trace file not-a.pcap (unknown file format)
--- a/testing/btest/Baseline/core.pcap.wrong-format/output2
+++ b/testing/btest/Baseline/core.pcap.wrong-format/output2
@ -0,0 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 fatal error: problem with trace file - (unknown file format)
--- a/testing/btest/core/pcap/wrong-format.zeek
+++ b/testing/btest/core/pcap/wrong-format.zeek
@ -0,0 +1,10 @@
 # @TEST-REQUIRES: test "${ZEEK_USE_CPP}" != "1"
 # @TEST-EXEC-FAIL: zeek -b -r not-a.pcap >output 2>&1
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC-FAIL: cat not-a.pcap | zeek -b -r - >output2 2>&1
 # @TEST-EXEC: btest-diff output2
@TEST-START-FILE ./not-a.pcap
 %PDF-1.5
 This isn't an actual pdf file, and neither a PCAP.
@TEST-END-FILE
		`@ -0,0 +1,2 @@`
							`### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.`
							`fatal error: problem with trace file not-a.pcap (unknown file format)`
		`@ -0,0 +1,2 @@`
							`### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.`
							`fatal error: problem with trace file - (unknown file format)`