"event_type":"TYPE"
+PCAP fields
+~~~~~~~~~~~
+
+If Suricata is processing a pcap file, additional fields are added:
+
+::
+
+ "pcap_cnt": 123
+
+``pcap_cnt`` contains the packet number in the pcap. This can be used to look
+up a packet in Wireshark for example.
+
+::
+
+ "pcap_filename":"/path/to/file.pcap"
+
+``pcap_filename`` contains the file name and location of the pcap that
+generated the event.
+
+.. note:: the pcap fields are only available on "real" packets, and are
+ omitted from internal "pseudo" packets such as flow timeout
+ packets.
+
Event type: Alert
-----------------
#include "flow-var.h"
#include "flow-bit.h"
+#include "source-pcap-file.h"
+
#ifndef HAVE_LIBJANSSON
/** Handle the case where no JSON support is compiled in.
json_string(file_ctx->sensor_name));
}
+ if (file_ctx->is_pcap_offline) {
+ json_object_set_new(js, "pcap_filename", json_string(PcapFileGetFilename()));
+ }
+
if (file_ctx->prefix) {
MemBufferWriteRaw((*buffer), file_ctx->prefix, file_ctx->prefix_len);
}
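Review bot: json_string() returns NULL when its argument is not valid UTF-8, and json_object_set_new() on line 36 then fails without any log line, so a capture whose path contains a non-UTF-8 byte (POSIX filenames are arbitrary bytes) produces events with no pcap_filename key at all — a silent loss of exactly the provenance this change adds. Either route the value through the file's escaping string helper (SCJsonString, if this tree has it) or check the result and fall back to the "unknown" sentinel the getter already uses, so the key is always present in offline-mode output. The enclosing function starts and ends outside the hunk.
```c
    if (file_ctx->is_pcap_offline) {
        json_t *fn = json_string(PcapFileGetFilename());
        if (fn == NULL) {
            /* non-UTF-8 path: keep the key rather than dropping provenance */
            fn = json_string("unknown");
        }
        json_object_set_new(js, "pcap_filename", fn);
    }
```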
json_ctx->include_metadata = true;
}
+ const char *pcapfile_s = ConfNodeLookupChildValue(conf, "pcap-file");
+ if (pcapfile_s != NULL && ConfValIsTrue(pcapfile_s)) {
+ json_ctx->file_ctx->is_pcap_offline =
+ (RunmodeGetCurrent() == RUNMODE_PCAP_FILE);
+ }
+
json_ctx->file_ctx->type = json_ctx->json_out;
}
+
SCLogDebug("returning output_ctx %p", output_ctx);
result.ctx = output_ctx;
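Review bot: pcap_filename is only emitted when the eve-log section carries `pcap-file: yes` (lines 44-48), yet the documentation hunk at the top of this page says the pcap fields are added whenever Suricata processes a pcap file and never mentions the option; one of the two should change, and if the option stays it needs a line in the docs and in the example yaml. is_pcap_offline is also never explicitly cleared when the option is absent or false, so the code relies on file_ctx having been zero-initialized — presumably true, but since this flag decides what lands in evidence output it is worth making unconditional: `json_ctx->file_ctx->is_pcap_offline = (pcapfile_s != NULL && ConfValIsTrue(pcapfile_s) && RunmodeGetCurrent() == RUNMODE_PCAP_FILE);`. The enclosing init function starts outside the hunk.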
#include "source-pcap-file-directory-helper.h"
#include "runmode-unix-socket.h"
#include "util-mem.h"
+#include "source-pcap-file.h"
static void GetTime(struct timespec *tm);
static void CopyTime(struct timespec *from, struct timespec *to);
#include "source-pcap-file-helper.h"
#include "util-checksum.h"
#include "util-profiling.h"
+#include "source-pcap-file.h"
extern int max_pending_packets;
extern PcapFileGlobalVars pcap_g;
SCReturn;
}
+char pcap_filename[PATH_MAX] = "unknown";
+
+const char *PcapFileGetFilename(void)
+{
+ return pcap_filename;
+}
+
/**
* \brief Main PCAP file reading Loop function
*/
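Review bot: pcap_filename on line 69 is defined with external linkage although only the PcapFileGetFilename() accessor is exported through the header (line 87), so any translation unit can overwrite the buffer that the EVE output path treats as a packet's provenance; declare it `static char pcap_filename[PATH_MAX] = "unknown";` so the accessor is the only way in. The accessor itself deserves a one-line contract, since callers receive a pointer into a mutable global: `/** \brief Name of the pcap file most recently opened by the reader loop, "unknown" before the first open; the pointer aliases shared state, copy it if it must outlive the call. */`.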
int packet_q_len = 64;
int r;
TmEcode loop_result = TM_ECODE_OK;
+ strlcpy(pcap_filename, ptv->filename, sizeof(pcap_filename));
while (loop_result == TM_ECODE_OK) {
if (suricata_ctl_flags & SURICATA_STOP) {
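Review bot: The strlcpy on line 82 rewrites a process-wide buffer from the reader thread while worker or output threads may be calling PcapFileGetFilename() for packets still in the pipeline, which is a data race under C11 and, when a directory of pcaps is processed (the directory helper is part of this change, line 55), can stamp the last packets of file N with the name of file N+1 — wrong provenance in the evidence record, and at worst a torn string. Carrying the name per packet (alongside pcap_cnt, which this change documents as per-packet) would make attribution exact; short of that, the copy and the read should at least be serialized, or the name swapped in as an immutable pointer rather than copied byte by byte. The copy also truncates silently when ptv->filename exceeds PATH_MAX-1, so the emitted path may not be the one that was opened; checking the strlcpy return value against sizeof(pcap_filename) and logging a warning would make that visible. The enclosing loop function starts and ends outside the hunk.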
void PcapIncreaseInvalidChecksum(void);
void PcapFileGlobalInit(void);
+const char *PcapFileGetFilename(void);
#endif /* __SOURCE_PCAP_FILE_H__ */
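Review bot: The new prototype on line 87 exports a pointer to mutable global state without saying so, and the header is what output code will read; a short Doxygen line would prevent callers from caching the pointer across files: `/** \brief Path of the pcap file currently being read ("unknown" before the first open). Returns a pointer to a shared buffer that is rewritten when the next file is opened. */`.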
/* Set to true if the filename should not be timestamped. */
bool nostamp;
+ /* if set to true EVE will add a pcap file record */
+ bool is_pcap_offline;
+
/* Socket types may need to drop events to keep from blocking
* Suricata. */
uint64_t dropped;
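Review bot: The comment on line 91 says EVE "will add a pcap file record", but what the flag actually gates (lines 35-37 of this page) is a single pcap_filename field on every event, and it is only set in pcap-file runmode; a comment matching the code would be `/* true when running in pcap-file mode with eve-log.pcap-file enabled: every event gets a "pcap_filename" field */`.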