pcap: add snaplen YAML variable

This patch introduces 'snaplen' a new YAML variable in the pcap section.
It can be set per-interface to force pcap capture snaplen. If not set
it defaults to interface MTU if MTU can be known via a ioctl call and to
full capture if not.

diff --git a/src/runmode-pcap.c b/src/runmode-pcap.c
index 634d4e0e4e2e6bf7b3d43da1b8d99b09917b99d6..08d8d1a717854f409b42a981584ae87d4f371c4a 100644 (file)
--- a/src/runmode-pcap.c
+++ b/src/runmode-pcap.c
@@ -94,6 +94,7 @@ void *ParsePcapConfig(const char *iface)
     char *tmpctype;
     intmax_t value;
     int promisc = 0;
+    intmax_t snaplen = 0;
 
     if (unlikely(aconf == NULL)) {
         return NULL;
@@ -217,6 +218,14 @@ void *ParsePcapConfig(const char *iface)
         aconf->promisc = promisc;
     }
 
+    aconf->snaplen = 0;
+    if (ConfGetChildValueIntWithDefault(if_root, if_default, "snaplen", &snaplen) != 1) {
+        SCLogDebug("could not get snaplen or none specified");
+    } else {
+        aconf->snaplen = snaplen;
+    }
+
+
     return aconf;
 }
 

diff --git a/src/source-pcap.c b/src/source-pcap.c
index 2567b2c5d020ba6495f4efc51c996a2f2b5f68e5..6c05249d8d92a2f6c73fb6b061be1ac635f9d6f5 100644 (file)
--- a/src/source-pcap.c
+++ b/src/source-pcap.c
@@ -354,7 +354,7 @@ TmEcode ReceivePcapLoop(ThreadVars *tv, void *data, void *slot)
 TmEcode ReceivePcapThreadInit(ThreadVars *tv, void *initdata, void **data) {
     SCEnter();
     PcapIfaceConfig *pcapconfig = initdata;
-    int mtu;
+    int snaplen;
 
     if (initdata == NULL) {
         SCLogError(SC_ERR_INVALID_ARGUMENT, "initdata == NULL");
@@ -401,18 +401,22 @@ TmEcode ReceivePcapThreadInit(ThreadVars *tv, void *initdata, void **data) {
         SCReturnInt(TM_ECODE_FAILED);
     }
 
-    /* We only set snaplen if we can get the MTU */
-    mtu = GetIfaceMTU(pcapconfig->iface);
-    if (mtu > 0) {
-        /* set Snaplen, Promisc, and Timeout. Must be called before pcap_activate */
-        int pcap_set_snaplen_r = pcap_set_snaplen(ptv->pcap_handle, mtu);
-        //printf("ReceivePcapThreadInit: pcap_set_snaplen(%p) returned %" PRId32 "\n", ptv->pcap_handle, pcap_set_snaplen_r);
+    if (pcapconfig->snaplen == 0) {
+        /* We set snaplen if we can get the MTU */
+        snaplen = GetIfaceMTU(pcapconfig->iface);
+    } else {
+        snaplen = pcapconfig->snaplen;
+    }
+    if (snaplen > 0) {
+        /* set Snaplen. Must be called before pcap_activate */
+        int pcap_set_snaplen_r = pcap_set_snaplen(ptv->pcap_handle, snaplen);
         if (pcap_set_snaplen_r != 0) {
             SCLogError(SC_ERR_PCAP_SET_SNAPLEN, "Couldn't set snaplen, error: %s", pcap_geterr(ptv->pcap_handle));
             SCFree(ptv);
             pcapconfig->DerefFunc(pcapconfig);
             SCReturnInt(TM_ECODE_FAILED);
         }
+        SCLogInfo("Set snaplen to %d for '%s'", snaplen, pcapconfig->iface);
     }
 
     /* set Promisc, and Timeout. Must be called before pcap_activate */

diff --git a/src/source-pcap.h b/src/source-pcap.h
index 08d8a37e575fe36638fb0c20875de95169610250..c81d82f3825475012831fc7a9853a05ce9513654 100644 (file)
--- a/src/source-pcap.h
+++ b/src/source-pcap.h
@@ -51,6 +51,8 @@ typedef struct PcapIfaceConfig_
     int threads;
     /* socket buffer size */
     int buffer_size;
+    /* snapshot length */
+    int snaplen;
     /* promiscuous value */
     int promisc;
     /* BPF filter */

diff --git a/suricata.yaml.in b/suricata.yaml.in
index 08e283a183976550c05ee15e9feceecd0b2963c1..73f7cd2b206d915c5fca986dc7a1d297e6732115 100644 (file)
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -711,6 +711,9 @@ pcap:
     #threads: 16
     # set to no to disable promiscuous mode:
     #promisc: no
+    # set snaplen, if not set it defaults to MTU if MTU can be known
+    # via ioctl call and to full capture if not.
+    #snaplen: 1518
   # Put default values here
   - interface: default
     #checksum-checks: auto