From: Jeff Lucovsky Date: Sat, 8 Jun 2024 14:37:14 +0000 (-0400) Subject: output: Add linktype name X-Git-Tag: suricata-8.0.0-beta1~159 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a8b9965f69eb32146c3547468e2973df68e1cb25;p=thirdparty%2Fsuricata.git output: Add linktype name Issue: 6954 This commit adds the linktype name to the output stream. The name is determined from the pcap utility function pcap_datalink_val_to_name
---
diff --git a/etc/schema.json b/etc/schema.json
index 54d90219ab..0bf065684d 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -3573,6 +3573,10 @@
 "properties": {
 "linktype": {
 "type": "integer"
+ },
+ "linktype_name": {
+ "type": "string",
+ "description": "the descriptive name of the linktype"
 }
 },
 "additionalProperties": false
diff --git a/src/output-json.c b/src/output-json.c
index b6ce328cab..72bf2b9772 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -428,8 +428,16 @@ void EvePacket(const Packet *p, JsonBuilder *js, uint32_t max_length)
 return;
 }
 if (!jb_set_uint(js, "linktype", p->datalink)) {
+ jb_close(js);
 return;
 }
+
+ const char *dl_name = DatalinkValueToName(p->datalink);
+
+ // Intentionally ignore the return value from jb_set_string and proceed
+ // so the jb object is closed
+ (void)jb_set_string(js, "linktype_name", dl_name == NULL ? "n/a" : dl_name);
+
 jb_close(js);
 }
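Review bot: The `"n/a"` fallback in the `jb_set_string` call writes a placeholder that consumers of the EVE stream cannot tell apart from a real link-type name, and the `linktype_name` description added to etc/schema.json in the same commit does not mention it. Either omit the key when the lookup fails, `if (dl_name != NULL) { (void)jb_set_string(js, "linktype_name", dl_name); }`, or state the sentinel in the schema description so parsers and detection rules can treat it as "unknown" rather than as a name. DatalinkValueToName is defined outside this hunk, so the NULL case is inferred from the check here, and EvePacket's body starts above the hunk.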