mirror of
https://github.com/zeek/zeek.git
synced 2025-10-15 13:08:20 +00:00
8d2d867a65
This commit includes renaming a number of methods prefixed with bro_ to be prefixed with zeek_.
104 lines
3 KiB
C++
104 lines
3 KiB
C++
|
|
module Pcap;
|
|
|
|
const snaplen: count;
|
|
const bufsize: count;
|
|
|
|
%%{
|
|
#include "iosource/Manager.h"
|
|
%%}
|
|
|
|
## Precompiles a PCAP filter and binds it to a given identifier.
|
|
##
|
|
## id: The PCAP identifier to reference the filter *s* later on.
|
|
##
|
|
## s: The PCAP filter. See ``man tcpdump`` for valid expressions.
|
|
##
|
|
## Returns: True if *s* is valid and precompiles successfully.
|
|
##
|
|
## .. zeek:see:: Pcap::install_pcap_filter
|
|
## install_src_addr_filter
|
|
## install_src_net_filter
|
|
## uninstall_src_addr_filter
|
|
## uninstall_src_net_filter
|
|
## install_dst_addr_filter
|
|
## install_dst_net_filter
|
|
## uninstall_dst_addr_filter
|
|
## uninstall_dst_net_filter
|
|
## Pcap::error
|
|
function precompile_pcap_filter%(id: PcapFilterID, s: string%): bool
|
|
%{
|
|
if ( id->AsEnum() >= 100 )
|
|
{
|
|
// We use a vector as underlying data structure for fast
|
|
// lookups and limit the ID space so that that doesn't grow too
|
|
// large.
|
|
zeek::emit_builtin_error(
|
|
zeek::util::fmt("PCAP filter ids must remain below 100 (is %" PRId64 ")", id->AsInt()));
|
|
return zeek::val_mgr->False();
|
|
}
|
|
|
|
bool success = true;
|
|
|
|
zeek::iosource::PktSrc* ps = zeek::iosource_mgr->GetPktSrc();
|
|
if ( ps && ! ps->PrecompileFilter(id->ForceAsInt(), s->CheckString()) )
|
|
success = false;
|
|
|
|
return zeek::val_mgr->Bool(success);
|
|
%}
|
|
|
|
## Installs a PCAP filter that has been precompiled with
|
|
## :zeek:id:`Pcap::precompile_pcap_filter`.
|
|
##
|
|
## id: The PCAP filter id of a precompiled filter.
|
|
##
|
|
## Returns: True if the filter associated with *id* has been installed
|
|
## successfully.
|
|
##
|
|
## .. zeek:see:: Pcap::precompile_pcap_filter
|
|
## install_src_addr_filter
|
|
## install_src_net_filter
|
|
## uninstall_src_addr_filter
|
|
## uninstall_src_net_filter
|
|
## install_dst_addr_filter
|
|
## install_dst_net_filter
|
|
## uninstall_dst_addr_filter
|
|
## uninstall_dst_net_filter
|
|
## Pcap::error
|
|
function Pcap::install_pcap_filter%(id: PcapFilterID%): bool
|
|
%{
|
|
bool success = true;
|
|
|
|
zeek::iosource::PktSrc* ps = zeek::iosource_mgr->GetPktSrc();
|
|
if ( ps && ! ps->SetFilter(id->ForceAsInt()) )
|
|
success = false;
|
|
|
|
return zeek::val_mgr->Bool(success);
|
|
%}
|
|
|
|
## Returns a string representation of the last PCAP error.
|
|
##
|
|
## Returns: A descriptive error message of the PCAP function that failed.
|
|
##
|
|
## .. zeek:see:: Pcap::precompile_pcap_filter
|
|
## Pcap::install_pcap_filter
|
|
## install_src_addr_filter
|
|
## install_src_net_filter
|
|
## uninstall_src_addr_filter
|
|
## uninstall_src_net_filter
|
|
## install_dst_addr_filter
|
|
## install_dst_net_filter
|
|
## uninstall_dst_addr_filter
|
|
## uninstall_dst_net_filter
|
|
function error%(%): string
|
|
%{
|
|
zeek::iosource::PktSrc* ps = zeek::iosource_mgr->GetPktSrc();
|
|
if ( ps )
|
|
{
|
|
const char* err = ps->ErrorMsg();
|
|
if ( *err )
|
|
return zeek::make_intrusive<zeek::StringVal>(err);
|
|
}
|
|
|
|
return zeek::make_intrusive<zeek::StringVal>("no error");
|
|
%}
|