mirror of
https://github.com/zeek/zeek.git
synced 2025-10-15 21:18:20 +00:00
c72d191ab5
That way it can be reused more easily. This also avoid having to
change the serialization structure for packets, which is a problem as
external sources of packets (via Broccoli) wouldn't have the new
attributes available to send.
Also moving Packet.{h,cc} and Layer2.{h,cc} into iosource/, and
removing header size from properties that packet sources have to
provide, as we can now compute that easily from the link type.
Plus some more cleanup.
116 lines
2.1 KiB
C++
116 lines
2.1 KiB
C++
// See the file "COPYING" in the main distribution directory for copyright.
|
|
|
|
#include <sys/stat.h>
|
|
#include <errno.h>
|
|
|
|
#include "Dumper.h"
|
|
#include "../PktSrc.h"
|
|
#include "../../Net.h"
|
|
|
|
using namespace iosource::pcap;
|
|
|
|
PcapDumper::PcapDumper(const std::string& path, bool arg_append)
|
|
{
|
|
append = arg_append;
|
|
props.path = path;
|
|
dumper = 0;
|
|
pd = 0;
|
|
}
|
|
|
|
PcapDumper::~PcapDumper()
|
|
{
|
|
}
|
|
|
|
void PcapDumper::Open()
|
|
{
|
|
int linktype = -1;
|
|
|
|
pd = pcap_open_dead(DLT_EN10MB, snaplen);
|
|
if ( ! pd )
|
|
{
|
|
Error("error for pcap_open_dead");
|
|
return;
|
|
}
|
|
|
|
if ( props.path.empty() )
|
|
{
|
|
Error("no filename given");
|
|
return;
|
|
}
|
|
|
|
struct stat s;
|
|
int exists = 0;
|
|
|
|
if ( append )
|
|
{
|
|
// See if output file already exists (and is non-empty).
|
|
exists = stat(props.path.c_str(), &s); ;
|
|
|
|
if ( exists < 0 && errno != ENOENT )
|
|
{
|
|
Error(fmt("can't stat file %s: %s", props.path.c_str(), strerror(errno)));
|
|
return;
|
|
}
|
|
}
|
|
|
|
if ( ! append || exists < 0 || s.st_size == 0 )
|
|
{
|
|
// Open new file.
|
|
dumper = pcap_dump_open(pd, props.path.c_str());
|
|
if ( ! dumper )
|
|
{
|
|
Error(pcap_geterr(pd));
|
|
return;
|
|
}
|
|
}
|
|
|
|
else
|
|
{
|
|
// Old file and we need to append, which, unfortunately,
|
|
// is not supported by libpcap. So, we have to hack a
|
|
// little bit, knowing that pcap_dumpter_t is, in fact,
|
|
// a FILE ... :-(
|
|
dumper = (pcap_dumper_t*) fopen(props.path.c_str(), "a");
|
|
if ( ! dumper )
|
|
{
|
|
Error(fmt("can't open dump %s: %s", props.path.c_str(), strerror(errno)));
|
|
return;
|
|
}
|
|
}
|
|
|
|
props.open_time = network_time;
|
|
props.hdr_size = Packet::GetLinkHeaderSize(pcap_datalink(pd));
|
|
Opened(props);
|
|
}
|
|
|
|
void PcapDumper::Close()
|
|
{
|
|
if ( ! dumper )
|
|
return;
|
|
|
|
pcap_dump_close(dumper);
|
|
pcap_close(pd);
|
|
dumper = 0;
|
|
pd = 0;
|
|
|
|
Closed();
|
|
}
|
|
|
|
bool PcapDumper::Dump(const Packet* pkt)
|
|
{
|
|
if ( ! dumper )
|
|
return false;
|
|
|
|
// Reconstitute the pcap_pkthdr.
|
|
const struct pcap_pkthdr phdr = {
|
|
.ts = pkt->ts, .caplen = pkt->cap_len, .len = pkt->len
|
|
};
|
|
|
|
pcap_dump((u_char*) dumper, &phdr, pkt->data);
|
|
return true;
|
|
}
|
|
|
|
iosource::PktDumper* PcapDumper::Instantiate(const std::string& path, bool append)
|
|
{
|
|
return new PcapDumper(path, append);
|
|
}
|