log/pcap: add buffer timeout

author Scott Jordan <scottfgjordan@gmail.com>

Thu, 3 Feb 2022 20:18:11 +0000 (15:18 -0500)

committer Victor Julien <vjulien@oisf.net>

Thu, 26 May 2022 11:33:33 +0000 (13:33 +0200)
author Scott Jordan <scottfgjordan@gmail.com>
Thu, 3 Feb 2022 20:18:11 +0000 (15:18 -0500)
committer Victor Julien <vjulien@oisf.net>
Thu, 26 May 2022 11:33:33 +0000 (13:33 +0200)
diff --git a/src/log-pcap.c b/src/log-pcap.c

index fee617073efe9d7ce0dac788064913a66079b276..ebd99342ab8195e5f92978c5f533d617d5947866 100644 (file)
--- a/src/log-pcap.c
+++ b/src/log-pcap.c
@@ -96,6 +96,7 @@ typedef enum LogModeConditionalType_ {
  #define HONOR_PASS_RULES_ENABLED        1
  
  #define PCAP_SNAPLEN                    262144
+#define PCAP_BUFFER_TIMEOUT             1000000 // microseconds
  
  SC_ATOMIC_DECLARE(uint32_t, thread_cnt);
  
@@ -188,6 +189,7 @@ typedef struct PcapLogData_ {
      int threads;                /**< number of threads (only set in the global) */
      char *filename_parts[MAX_TOKS];
      int filename_part_cnt;
+    struct timeval last_pcap_dump;
  
      PcapLogCompressionData compression;
  } PcapLogData;
@@ -514,6 +516,8 @@ static void PcapLogUnlock(PcapLogData *pl)
  static inline int PcapWrite(
          PcapLogData *pl, PcapLogCompressionData *comp, uint8_t *data, size_t len)
  {
+    struct timeval current_dump;
+    gettimeofday(&current_dump, NULL);
      pcap_dump((u_char *)pl->pcap_dumper, pl->h, data);
      if (pl->compression.format == PCAP_LOG_COMPRESSION_FORMAT_NONE) {
          pl->size_current += len;
@@ -544,6 +548,10 @@ static inline int PcapWrite(
          }
      }
  #endif /* HAVE_LIBLZ4 */
+    if (TimeDifferenceMicros(pl->last_pcap_dump, current_dump) >= PCAP_BUFFER_TIMEOUT) {
+        pcap_dump_flush(pl->pcap_dumper);
+    }
+    pl->last_pcap_dump = current_dump;
      return TM_ECODE_OK;
  }
  
diff --git a/src/util-time.c b/src/util-time.c

index 31864353112e8e8493148ccb1c458a25d20e16ee..dacd01d8d5e976cde0ddfb6eae9a9f816acbf214 100644 (file)
--- a/src/util-time.c
+++ b/src/util-time.c
@@ -647,3 +647,8 @@ uint64_t SCTimespecAsEpochMillis(const struct timespec* ts)
  {
      return ts->tv_sec * 1000L + ts->tv_nsec / 1000000L;
  }
+
+uint64_t TimeDifferenceMicros(struct timeval t0, struct timeval t1)
+{
+    return (uint64_t)(t1.tv_sec - t0.tv_sec) * 1000000 + (t1.tv_usec - t1.tv_usec);
+}
diff --git a/src/util-time.h b/src/util-time.h

index 501a2ebc3fe202eab2c7be12457ad98a5f41161f..f33e094affb73974c0779718031e5533a9cd775c 100644 (file)
--- a/src/util-time.h
+++ b/src/util-time.h
@@ -68,6 +68,7 @@ int SCTimeToStringPattern (time_t epoch, const char *pattern, char *str,
  uint64_t SCParseTimeSizeString (const char *str);
  uint64_t SCGetSecondsUntil (const char *str, time_t epoch);
  uint64_t SCTimespecAsEpochMillis(const struct timespec *ts);
+uint64_t TimeDifferenceMicros(struct timeval t0, struct timeval t1);
  
  #endif /* __UTIL_TIME_H__ */
author	Scott Jordan <scottfgjordan@gmail.com>
	Thu, 3 Feb 2022 20:18:11 +0000 (15:18 -0500)
committer	Victor Julien <vjulien@oisf.net>
	Thu, 26 May 2022 11:33:33 +0000 (13:33 +0200)
src/log-pcap.c		patch \| blob \| blame \| history
src/util-time.c		patch \| blob \| blame \| history
src/util-time.h		patch \| blob \| blame \| history