From 7bcbc57401df4d6c1066acc22fdc099dafb9b9c4 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Mon, 12 Oct 2020 12:47:23 -0400
Subject: [PATCH 1/7] New bif to wrap pcap_findalldevs
---
 scripts/base/init-bare.zeek | 17 ++++++++++++
 src/iosource/pcap/pcap.bif | 55 +++++++++++++++++++++++++++++++++++++
 2 files changed, 72 insertions(+)
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index b7a2b1b80c..e040e7710f 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -4976,6 +4976,23 @@ export {
 ## Number of Mbytes to provide as buffer space when capturing from live
 ## interfaces.
 const bufsize = 128 &redef;
+
+ ## The definition of a "pcap interface".
+ type Interface: record {
+ name: string;
+ description: string &optional;
+ addrs: set[addr];
+ is_loopback: bool;
+
+ extended_flags: bool &default=F;
+ # If the "extended_flags" field is set to T, then these next two
+ # flags will have valid settings. Otherwise, the following
+ # two fields are explicitly false.
+ is_up: bool &default=F;
+ is_running: bool &default=F;
+ };
+
+ type Interfaces: set[Pcap::Interface];
 } # end export
 module DCE_RPC;
diff --git a/src/iosource/pcap/pcap.bif b/src/iosource/pcap/pcap.bif
index 5655a8fac9..c4b050761d 100644
--- a/src/iosource/pcap/pcap.bif
+++ b/src/iosource/pcap/pcap.bif
@@ -1,10 +1,14 @@
 module Pcap;
+type Interface: record;
+
 const snaplen: count;
 const bufsize: count;
 %%{
+#include "pcap.h"
+
 #include "iosource/Manager.h"
 %%}
@@ -102,3 +106,54 @@ function error%(%): string
 return zeek::make_intrusive("no error");
 %}
+
+function findalldevs%(%): Pcap::Interfaces
+ %{
+ pcap_if_t *alldevs, *d;
+ char errbuf[PCAP_ERRBUF_SIZE];
+
+ int ret = pcap_findalldevs(&alldevs, errbuf);
+
+ static auto ifaces_type = id::find_type("Pcap::Interfaces");
+ auto pcap_interfaces = make_intrusive(ifaces_type);
+
+ int i=0;
+ RecordVal *r;
+ static auto iface_type = id::find_type("Pcap::Interface");
+ for ( d=alldevs; d; d=d->next )
+ {
+ auto r = make_intrusive(iface_type);
+
+ r->Assign(0, make_intrusive(d->name));
+ if ( d->description )
+ r->Assign(1, make_intrusive(d->description));
+
+ auto addrs = make_intrusive(TYPE_ADDR);
+ for ( auto addr = d->addresses; addr != NULL; addr = addr->next )
+ {
+ if ( addr->addr->sa_family == AF_INET )
+ {
+ IPAddr a(reinterpret_cast(addr->addr)->sin_addr);
+ addrs->Append(make_intrusive(a));
+ }
+ else if ( addr->addr->sa_family == AF_INET6 )
+ {
+ IPAddr a(reinterpret_cast(addr->addr)->sin6_addr);
+ addrs->Append(make_intrusive(a));
+ }
+ }
+ r->Assign(2, addrs->ToSetVal());
+ r->Assign(3, val_mgr->Bool(d->flags & PCAP_IF_LOOPBACK));
+#ifdef PCAP_IF_UP
+ r->Assign(4, val_mgr->True(); // <-- "extended" vals set.
+ r->Assign(5, val_mgr->Bool(d->flags & PCAP_IF_UP));
+ r->Assign(6, val_mgr->Bool(d->flags & PCAP_IF_RUNNING));
+#endif
+
+ pcap_interfaces->Assign(std::move(r), 0);
+ }
+
+ pcap_freealldevs(alldevs);
+ return pcap_interfaces;
+ %}
+
From 36d75a02964c0dd059341072f599564c6f3d43a8 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Mon, 12 Oct 2020 12:59:40 -0400
Subject: [PATCH 2/7] I accidentally missed a paren
---
 src/iosource/pcap/pcap.bif | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/iosource/pcap/pcap.bif b/src/iosource/pcap/pcap.bif
index c4b050761d..3428e6895f 100644
--- a/src/iosource/pcap/pcap.bif
+++ b/src/iosource/pcap/pcap.bif
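Review bot: The inner address loop dereferences `addr->addr->sa_family` without checking that `addr->addr` is non-null; libpcap's pcap_findalldevs(3) does not promise a non-null `addr` pointer for every `pcap_addr` entry on every platform, so a guard `if ( ! addr->addr ) continue;` at the top of that loop would avoid a null dereference on unusual interfaces. The value stored in `ret` at the top of the hunk is never examined, so on failure the `for ( d=alldevs; ... )` loop walks an indeterminate `alldevs` pointer; the call needs a return check before the loop. Every address family other than AF_INET/AF_INET6 is dropped silently, which is reasonable but undocumented, and the new bif carries no Zeekygen `##` comment at all; a header such as `## Returns the set of capture interfaces libpcap reports, with their IPv4/IPv6 addresses and flags; link-layer addresses are omitted.` above `function findalldevs%(%)` would cover both.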
@@ -145,7 +145,7 @@ function findalldevs%(%): Pcap::Interfaces
 r->Assign(2, addrs->ToSetVal());
 r->Assign(3, val_mgr->Bool(d->flags & PCAP_IF_LOOPBACK));
 #ifdef PCAP_IF_UP
- r->Assign(4, val_mgr->True(); // <-- "extended" vals set.
+ r->Assign(4, val_mgr->True()); // <-- "extended" vals set.
 r->Assign(5, val_mgr->Bool(d->flags & PCAP_IF_UP));
 r->Assign(6, val_mgr->Bool(d->flags & PCAP_IF_RUNNING));
 #endif
From e532991bf299468263971dc9d5a2770b479a8fbb Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Tue, 13 Oct 2020 08:09:58 -0400
Subject: [PATCH 3/7] Update src/iosource/pcap/pcap.bif
Co-authored-by: Jon Siwek
---
 src/iosource/pcap/pcap.bif | 2 --
 1 file changed, 2 deletions(-)
diff --git a/src/iosource/pcap/pcap.bif b/src/iosource/pcap/pcap.bif
index 3428e6895f..d40c4531e8 100644
--- a/src/iosource/pcap/pcap.bif
+++ b/src/iosource/pcap/pcap.bif
@@ -1,7 +1,6 @@
 module Pcap;
-type Interface: record;
 const snaplen: count;
 const bufsize: count;
@@ -156,4 +155,3 @@ function findalldevs%(%): Pcap::Interfaces
 pcap_freealldevs(alldevs);
 return pcap_interfaces;
 %}
-
From dfa21d54c893939e892812a637a924fa89af8f5f Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Tue, 13 Oct 2020 08:12:20 -0400
Subject: [PATCH 4/7] Update scripts/base/init-bare.zeek
Co-authored-by: Jon Siwek
---
 scripts/base/init-bare.zeek | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index e040e7710f..277bab9cc0 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -4979,9 +4979,14 @@ export {
 ## The definition of a "pcap interface".
 type Interface: record {
+ ## The interface/device name.
 name: string;
+ ## A human-readable description of the device.
 description: string &optional;
+ ## The network addresses associated with the device.
 addrs: set[addr];
+ ## Whether the device is a loopback interface. E.g. addresses
+ ## of ``127.0.0.1`` or ``[::1]`` are used by loopback interfaces.
 is_loopback: bool;
 extended_flags: bool &default=F;
From 928faeaad34d40d298a61e08550c209f8f867058 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Tue, 13 Oct 2020 08:12:50 -0400
Subject: [PATCH 5/7] Update src/iosource/pcap/pcap.bif
Co-authored-by: Jon Siwek
---
 src/iosource/pcap/pcap.bif | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/iosource/pcap/pcap.bif b/src/iosource/pcap/pcap.bif
index d40c4531e8..382a059961 100644
--- a/src/iosource/pcap/pcap.bif
+++ b/src/iosource/pcap/pcap.bif
@@ -149,7 +149,7 @@ function findalldevs%(%): Pcap::Interfaces
 r->Assign(6, val_mgr->Bool(d->flags & PCAP_IF_RUNNING));
 #endif
- pcap_interfaces->Assign(std::move(r), 0);
+ pcap_interfaces->Assign(std::move(r), nullptr);
 }
 pcap_freealldevs(alldevs);
From 5d6800f6bd4b5427008742d95cf469d80ebe42a3 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Tue, 13 Oct 2020 08:12:57 -0400
Subject: [PATCH 6/7] Update src/iosource/pcap/pcap.bif
Co-authored-by: Jon Siwek
---
 src/iosource/pcap/pcap.bif | 2 --
 1 file changed, 2 deletions(-)
diff --git a/src/iosource/pcap/pcap.bif b/src/iosource/pcap/pcap.bif
index 382a059961..089c77779b 100644
--- a/src/iosource/pcap/pcap.bif
+++ b/src/iosource/pcap/pcap.bif
@@ -116,8 +116,6 @@ function findalldevs%(%): Pcap::Interfaces
 static auto ifaces_type = id::find_type("Pcap::Interfaces");
 auto pcap_interfaces = make_intrusive(ifaces_type);
- int i=0;
- RecordVal *r;
 static auto iface_type = id::find_type("Pcap::Interface");
 for ( d=alldevs; d; d=d->next )
 {
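Review bot: The new `## The network addresses associated with the device.` comment on `addrs` overstates what the field holds: the bif that fills it only collects AF_INET and AF_INET6 entries and drops every other family, so link-layer addresses never appear. Suggest `## The IPv4/IPv6 addresses assigned to the device (link-layer and other address families are omitted).` so script authors do not look for MAC addresses here. The `extended_flags`, `is_up` and `is_running` fields that follow in the same record are still left without `##` documentation in this hunk.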
From 92eb7c10da20423fe30e6c5065a7be8e407b5e74 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Tue, 13 Oct 2020 08:35:45 -0400
Subject: [PATCH 7/7] Finishing changes from code review.
---
 scripts/base/init-bare.zeek | 10 ++++------
 src/iosource/pcap/pcap.bif | 16 +++++++++++-----
 2 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 277bab9cc0..b5a629d9ad 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -4989,12 +4989,10 @@ export {
 ## of ``127.0.0.1`` or ``[::1]`` are used by loopback interfaces.
 is_loopback: bool;
- extended_flags: bool &default=F;
- # If the "extended_flags" field is set to T, then these next two
- # flags will have valid settings. Otherwise, the following
- # two fields are explicitly false.
- is_up: bool &default=F;
- is_running: bool &default=F;
+ ## Whether the device is up. Not set when that info is unavailable.
+ is_up: bool &optional;
+ ## Whether the device is running. Not set when that info is unavailable.
+ is_running: bool &optional;
 };
 type Interfaces: set[Pcap::Interface];
diff --git a/src/iosource/pcap/pcap.bif b/src/iosource/pcap/pcap.bif
index 089c77779b..b694330bc7 100644
--- a/src/iosource/pcap/pcap.bif
+++ b/src/iosource/pcap/pcap.bif
@@ -111,11 +111,17 @@ function findalldevs%(%): Pcap::Interfaces
 pcap_if_t *alldevs, *d;
 char errbuf[PCAP_ERRBUF_SIZE];
- int ret = pcap_findalldevs(&alldevs, errbuf);
-
 static auto ifaces_type = id::find_type("Pcap::Interfaces");
 auto pcap_interfaces = make_intrusive(ifaces_type);
+ int ret = pcap_findalldevs(&alldevs, errbuf);
+ if ( ret == PCAP_ERROR )
+ {
+ emit_builtin_error(util::fmt("Error calling pcap_findalldevs: %s", errbuf));
+ // Return an empty set in case of failure.
+ return pcap_interfaces;
+ }
+
 static auto iface_type = id::find_type("Pcap::Interface");
 for ( d=alldevs; d; d=d->next )
 {
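Review bot: `## Whether the device is up. Not set when that info is unavailable.` leaves script authors guessing when that is; the C++ side only fills `is_up`/`is_running` under `#ifdef PCAP_IF_UP`, which it attributes to libpcap 1.6.1, so availability is decided when Zeek is built, not per device. Suggest `## Whether the device is up. Only set when Zeek was built against a libpcap that provides PCAP_IF_UP (1.6.1 or newer).` and the matching wording for `is_running`, plus a sentence that callers should test the field with `?$` before reading it.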
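Review bot: `alldevs` in the `pcap_if_t *alldevs, *d;` context line is still uninitialized, and the new check only bails out on `PCAP_ERROR`; any other non-zero return would run the `for ( d=alldevs; ... )` loop and `pcap_freealldevs` on an indeterminate pointer. Initialising it, `pcap_if_t *alldevs = nullptr, *d;`, and testing `if ( ret != 0 )` (libpcap documents 0 as the only success value) closes that gap cheaply. A script-level caller also cannot tell the failure return apart from a host with no interfaces, since both yield an empty set; the bif's `##` documentation should state that failure is signalled by the runtime error plus an empty result. The rest of findalldevs lies outside this hunk.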
@@ -142,9 +148,9 @@ function findalldevs%(%): Pcap::Interfaces
 r->Assign(2, addrs->ToSetVal());
 r->Assign(3, val_mgr->Bool(d->flags & PCAP_IF_LOOPBACK));
 #ifdef PCAP_IF_UP
- r->Assign(4, val_mgr->True()); // <-- "extended" vals set.
- r->Assign(5, val_mgr->Bool(d->flags & PCAP_IF_UP));
- r->Assign(6, val_mgr->Bool(d->flags & PCAP_IF_RUNNING));
+ // These didn't become available until libpcap 1.6.1
+ r->Assign(4, val_mgr->Bool(d->flags & PCAP_IF_UP));
+ r->Assign(5, val_mgr->Bool(d->flags & PCAP_IF_RUNNING));
 #endif
 pcap_interfaces->Assign(std::move(r), nullptr);
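Review bot: The field indices `4` and `5` passed to `r->Assign()` are positional, and this very hunk had to renumber them after `extended_flags` was removed from `Pcap::Interface`; the `is_loopback` assignment above and the `name`/`description`/`addrs` assignments earlier in the function carry the same coupling. Resolving each index once by name, e.g. `static const int is_up_off = iface_type->FieldOffset("is_up");` on the record type, would turn a future reordering of the script record into a loud lookup failure instead of a silently mis-filled record. Only `PCAP_IF_UP` is tested by the `#ifdef` while `PCAP_IF_RUNNING` is used inside it; if the two macros are always defined together that is fine, otherwise `#if defined(PCAP_IF_UP) && defined(PCAP_IF_RUNNING)` is the safer guard. findalldevs starts and ends outside this hunk.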