log/pcap and eve/alert: get pcap filename to support multi mode

This patch adds a function to get the current pcap file name that
will be used to current packet. This patch also  updates EVE
alerts to add pcap output filename when pcap capture is done in
multi or normal mode.

diff --git a/src/log-pcap.c b/src/log-pcap.c
index f3f3a9b475b2e1ad9a3411f111aa040e6552b0b8..631031e080bb5b64c67f614e5754e509ca915956 100644 (file)
--- a/src/log-pcap.c
+++ b/src/log-pcap.c
@@ -112,6 +112,8 @@ typedef struct PcapFileName_ {
     TAILQ_ENTRY(PcapFileName_) next; /**< Pointer to next Pcap File for tailq. */
 } PcapFileName;
 
+thread_local char *pcap_file_thread = NULL;
+
 typedef struct PcapLogProfileData_ {
     uint64_t total;
     uint64_t cnt;
@@ -1103,6 +1105,14 @@ static TmEcode PcapLogDataInit(ThreadVars *t, const void *initdata, void **data)
 #endif /* INIT_RING_BUFFER */
     }
 
+    if (pl->mode == LOGMODE_MULTI) {
+        PcapLogOpenFileCtx(td->pcap_log);
+    } else {
+        if (pl->filename == NULL) {
+            PcapLogOpenFileCtx(pl);
+        }
+    }
+
     return TM_ECODE_OK;
 }
 
@@ -1854,6 +1864,9 @@ static int PcapLogOpenFileCtx(PcapLogData *pl)
     SCLogDebug("Opening pcap file log %s", pf->filename);
     TAILQ_INSERT_TAIL(&pl->pcap_file_list, pf, next);
 
+    if (pl->mode == LOGMODE_MULTI || pl->mode == LOGMODE_NORMAL) {
+        pcap_file_thread = pl->filename;
+    }
     PCAPLOG_PROFILE_END(pl->profile_open);
     return 0;
 
@@ -1862,6 +1875,15 @@ error:
     return -1;
 }
 
+char *PcapLogGetFilename(void)
+{
+    /* return pcap filename per thread */
+    if (pcap_file_thread != NULL) {
+        return pcap_file_thread;
+    }
+    return NULL;
+}
+
 static int profiling_pcaplog_enabled = 0;
 static int profiling_pcaplog_output_to_file = 0;
 static char *profiling_pcaplog_file_name = NULL;

diff --git a/src/log-pcap.h b/src/log-pcap.h
index ebfe305f44cb3ab16fba9b7414168d5807cb5591..731a365b854c731ecbcde3e09f93674544c1c5ee 100644 (file)
--- a/src/log-pcap.h
+++ b/src/log-pcap.h
@@ -32,5 +32,6 @@
 
 void PcapLogRegister(void);
 void PcapLogProfileSetup(void);
+char *PcapLogGetFilename(void);
 
 #endif /* __LOG_PCAP_H__ */

diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 6e90f8ab06980bd86cf4a51e94f482be169dcd2a..3e0f69e8a91668e82bf87e28ffe45e9f6465b4cd 100644 (file)
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -54,6 +54,7 @@
 #include "util-classification-config.h"
 #include "util-syslog.h"
 #include "util-logopenfile.h"
+#include "log-pcap.h"
 
 #include "output.h"
 #include "output-json.h"
@@ -774,6 +775,11 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
             EvePacket(p, jb, 0);
         }
 
+        char *pcap_filename = PcapLogGetFilename();
+        if (pcap_filename != NULL) {
+            jb_set_string(jb, "capture_file", pcap_filename);
+        }
+
         OutputJsonBuilderBuffer(jb, aft->ctx);
         jb_free(jb);
     }