static QUERY(sniff_status_show) {
char *uid = *(va_arg(ap, char **));
session_t *s = session_find(uid);
struct pcap_stat stats;
if (!s)
return -1;
if (!s->connected)
return 0;
if (!s->priv) {
debug_error("sniff_status_show() s->priv NULL\n");
return -1;
}
/* Device: DEVICE (PROMISC?) */
/* some stats */
memset(&stats, 0, sizeof(struct pcap_stat));
if (pcap_stats(GET_DEV(s), &stats) == -1) {
debug_error("sniff_status_show() pcap_stats() failed\n");
return -1;
}
debug("pcap_stats() recv: %d drop: %d ifdrop: %d\n", stats.ps_recv, stats.ps_drop, stats.ps_ifdrop);
print("sniff_pkt_rcv", session_name(s), ekg_itoa(stats.ps_recv));
print("sniff_pkt_drop", session_name(s), ekg_itoa(stats.ps_drop));
print("sniff_conn_db", session_name(s), ekg_itoa(list_count(tcp_connections)));
return 0;
}
/**
* \brief This function prints stats to the screen at exit.
* \param tv pointer to ThreadVars
* \param data pointer that gets cast into PcapThreadVars for ptv
*/
void ReceivePcapThreadExitStats(ThreadVars *tv, void *data)
{
SCEnter();
PcapThreadVars *ptv = (PcapThreadVars *)data;
struct pcap_stat pcap_s;
if (pcap_stats(ptv->pcap_handle, &pcap_s) < 0) {
SCLogError(SC_ERR_STAT,"(%s) Failed to get pcap_stats: %s", tv->name, pcap_geterr(ptv->pcap_handle));
SCLogInfo("(%s) Packets %" PRIu32 ", bytes %" PRIu64 "", tv->name, ptv->pkts, ptv->bytes);
return;
} else {
SCLogInfo("(%s) Packets %" PRIu32 ", bytes %" PRIu64 "", tv->name, ptv->pkts, ptv->bytes);
/* these numbers are not entirely accurate as ps_recv contains packets that are still waiting to be processed at exit.
* ps_drop only contains packets dropped by the driver and not any packets dropped by the interface.
* Additionally see http://tracker.icir.org/bro/ticket/18
*
* Note: ps_recv includes dropped packets and should be considered total.
* Unless we start to look at ps_ifdrop which isn't supported everywhere.
*/
SCLogInfo("(%s) Pcap Total:%" PRIu64 " Recv:%" PRIu64 " Drop:%" PRIu64 " (%02.1f%%).", tv->name,
(uint64_t)pcap_s.ps_recv, (uint64_t)pcap_s.ps_recv - (uint64_t)pcap_s.ps_drop, (uint64_t)pcap_s.ps_drop,
(((float)(uint64_t)pcap_s.ps_drop)/(float)(uint64_t)pcap_s.ps_recv)*100);
return;
}
}
static int input_pcap_close(struct input *i) {
struct input_pcap_priv *priv = i->priv;
if (priv->type == input_pcap_type_interface) {
struct pcap_stat ps;
char *iface = PTYPE_STRING_GETVAL(priv->tpriv.iface.p_interface);
if (!pcap_stats(priv->p, &ps)) {
pomlog(POMLOG_INFO "interface %s stats : %u pkts received, %u pkts dropped by pcap, %u pkts dropped by the interface", iface, ps.ps_recv, ps.ps_drop, ps.ps_ifdrop);
}
}
if (priv->p) {
pcap_close(priv->p);
priv->p = NULL;
}
priv->datalink_proto = NULL;
priv->align_offset = 0;
priv->skip_offset = 0;
if (priv->type == input_pcap_type_dir) {
struct input_pcap_dir_priv *dp = &priv->tpriv.dir;
while (dp->files) {
struct input_pcap_dir_file *tmp = dp->files;
dp->files = tmp->next;
free(tmp->full_path);
free(tmp);
}
}
return POM_OK;
}
/*
* zero the statistics.
* since the stats from the kernel are not modifiable
* we have to keep a delta to subtract from them to have
* the count of the packets since the last call of stats_wipe()
*/
void stats_wipe(void)
{
struct pcap_stat ps;
DEBUG_MSG("stats_wipe");
/* wipe top and botto half statistics */
memset(&GBL_STATS->bh, 0, sizeof(struct half_stats));
memset(&GBL_STATS->th, 0, sizeof(struct half_stats));
/* now the global stats */
pcap_stats(GBL_IFACE->pcap, &ps);
/* XXX - fix this with libpcap 0.8.2 */
#ifndef OS_LINUX
GBL_STATS->ps_recv_delta += ps.ps_recv;
GBL_STATS->ps_drop_delta += ps.ps_drop;
GBL_STATS->ps_sent_delta += GBL_STATS->ps_sent;
GBL_STATS->bs_sent_delta += GBL_STATS->bs_sent;
#endif
GBL_STATS->ps_recv = 0;
GBL_STATS->ps_drop = 0;
GBL_STATS->ps_ifdrop = 0;
GBL_STATS->ps_sent = 0;
GBL_STATS->bs_sent = 0;
GBL_STATS->queue_max = 0;
GBL_STATS->queue_curr = 0;
}
void PcapLiveDevice::getStatistics(pcap_stat& stats)
{
if(pcap_stats(m_PcapDescriptor, &stats) < 0)
{
LOG_ERROR("Error getting statistics from live device '%s'", m_Name);
}
}
int daemon_getstats(pcap_t *fp)
{
char sendbuf[RPCAP_NETBUF_SIZE]; // temporary buffer in which data to be sent is buffered
int sendbufidx= 0; // index which keeps the number of bytes currently buffered
struct pcap_stat stats; // local statistics
struct rpcap_stats *netstats; // statistics sent on the network
if ( sock_bufferize(NULL, sizeof(struct rpcap_header), NULL, &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf) == -1)
goto error;
rpcap_createhdr( (struct rpcap_header *) sendbuf, RPCAP_MSG_STATS_REPLY, 0, (uint16) sizeof(struct rpcap_stats));
netstats= (struct rpcap_stats *) &sendbuf[sendbufidx];
if ( sock_bufferize(NULL, sizeof(struct rpcap_stats), NULL, &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf) == -1)
goto error;
if (pcap_stats(fp, &stats) )
goto error;
netstats->ifdrop= htonl(stats.ps_ifdrop);
netstats->ifrecv= htonl(stats.ps_recv);
netstats->krnldrop= htonl(stats.ps_drop);
netstats->svrcapt= htonl(fp->md.TotCapt);
// Send the packet
if ( sock_send(fp->rmt_sockctrl, sendbuf, sendbufidx, fp->errbuf) == -1)
goto error;
return 0;
error:
rpcap_senderror(fp->rmt_sockctrl, fp->errbuf, PCAP_ERR_GETSTATS, fakeerrbuf);
return -1;
}
/* routine is executed on exit */
void program_ending(int signo)
{
struct pcap_stat stat;
if (pd != NULL && pcap_file(pd) == NULL) {
(void)fflush(stdout);
putc('\n', stderr);
if (pcap_stats(pd, &stat) < 0)
(void)fprintf(stderr, "pcap_stats: %s\n",
pcap_geterr(pd));
else {
(void)fprintf(stderr, "%d packets received by filter\n",
stat.ps_recv);
(void)fprintf(stderr, "%d packets dropped by kernel\n",
stat.ps_drop);
}
}
printf("\n");
printf("ip packet count = %d\n", ip_packet_count);
printf("arp packet count = %d\n", arp_packet_count);
printf("icmp packet count = %d\n", icmp_packet_count)
printf("broadcast packet count = %d\n", broadcast_packet_count);
exit(0);
}
static ERL_NIF_TERM
nif_pcap_stats(ErlNifEnv *env, int argc, const ERL_NIF_TERM argv[])
{
EWPCAP_STATE *ep = NULL;
struct pcap_stat ps = {0};
if (!enif_get_resource(env, argv[0], EWPCAP_RESOURCE, (void **)&ep)
|| ep->p == NULL)
return enif_make_badarg(env);
if (pcap_stats(ep->p, &ps))
return enif_make_tuple2(env,
atom_error,
enif_make_string(env, pcap_geterr(ep->p), ERL_NIF_LATIN1));
return enif_make_tuple2(env,
atom_ok,
enif_make_tuple5(env,
atom_ewpcap_stat,
enif_make_uint(env, ps.ps_recv),
enif_make_uint(env, ps.ps_drop),
enif_make_uint(env, ps.ps_ifdrop),
#ifdef WIN32
enif_make_uint(env, ps.bs_capt)
#else
enif_make_uint(env, 0)
#endif
));
}
static void pcaprr_daq_reset_stats(void *handle)
{
Pcaprr_Context_t *context = (Pcaprr_Context_t *) handle;
struct pcap_stat ps;
int i;
unsigned int recv = 0, drop = 0;
memset(&context->stats, 0, sizeof(DAQ_Stats_t));
if (!context->handle)
return;
memset(&ps, 0, sizeof(struct pcap_stat));
if (context->handle && context->device)
{
for (i = 0 ; i < context->handle_count ; i++) {
if (context->handle[i] && (pcap_stats(context->handle[i], &ps) == 0) ) {
recv += ps.ps_recv;
drop += ps.ps_drop;
}
}
context->base_recv = context->wrap_recv = recv;
context->base_drop = context->wrap_drop = drop;
}
}
/** Query libpcap to see if it dropped any packets
*
* We need to check to see if libpcap dropped any packets and if it did, we need to stop stats output for long
* enough for inaccurate statistics to be cleared out.
*
* @param in pcap handle to check.
* @param interval time between checks (used for debug output)
* @return 0, no drops, -1 we couldn't check, -2 dropped because of buffer exhaustion, -3 dropped because of NIC.
*/
static int rs_check_pcap_drop(fr_pcap_t *in, int interval) {
int ret = 0;
struct pcap_stat pstats;
if (pcap_stats(in->handle, &pstats) != 0) {
ERROR("%s failed retrieving pcap stats: %s", in->name, pcap_geterr(in->handle));
return -1;
}
INFO("\t%s%*s: %.3lf/s", in->name, (int) (10 - strlen(in->name)), "",
((double) (pstats.ps_recv - in->pstats.ps_recv)) / interval);
if (pstats.ps_drop - in->pstats.ps_drop > 0) {
ERROR("%s dropped %i packets: Buffer exhaustion", in->name, pstats.ps_drop - in->pstats.ps_drop);
ret = -2;
}
if (pstats.ps_ifdrop - in->pstats.ps_ifdrop > 0) {
ERROR("%s dropped %i packets: Interface", in->name, pstats.ps_ifdrop - in->pstats.ps_ifdrop);
ret = -3;
}
in->pstats = pstats;
return ret;
}
u_int PcapInterface::getNumDroppedPackets() {
struct pcap_stat pcapStat;
if(pcap_handle && (pcap_stats(pcap_handle, &pcapStat) >= 0)) {
return(pcapStat.ps_drop);
} else
return(0);
}
void do_stats(void) {
struct pcap_stat ps;
if (cfg.mode != sniff) return;
if (cfg.verbose == 0 ) return;
if (pcap_stats(cfg.pcap,&ps)<0) {fprintf(stderr,"pcap_stat error\n"); return;}
fprintf(stderr,"received : %u\n", ps.ps_recv);
fprintf(stderr,"dropped: %u\n", ps.ps_drop);
}
void update_stats(void)
{
int error = pcap_stats(descr, &stats);
if (error == -1)
{
pcap_perror(descr, "pcap_stats()");
clean_exit(1);
}
}
static void
tcpeek_listener_stat_json(int soc, const char *method) {
struct tcpeek_filter *filter;
struct tcpeek_stat *stat;
char success[128], failure[128], buf[512];
int isrefresh = 0, isfirst = 1;
pthread_mutex_lock(&g.session.mutex);
send(soc, "[", 1, 0);
lnklist_iter_init(g.filter);
while(lnklist_iter_hasnext(g.filter)) {
filter = lnklist_iter_next(g.filter);
if(!filter->stat) {
continue;
}
if(strisequal(method, "REFRESH")) {
isrefresh = 1;
}
stat = filter->stat;
snprintf(success, sizeof(success), "{\"total\":%u,\"dupsyn\":%u,\"dupsynack\":%u}",
stat[0].success.total - (isrefresh ? stat[1].success.total : 0),
stat[0].success.dupsyn - (isrefresh ? stat[1].success.dupsyn : 0),
stat[0].success.dupsynack - (isrefresh ? stat[1].success.dupsynack : 0)
);
if(strisequal(method, "REFRESH")) {
snprintf(failure, sizeof(failure), "{\"total\":%u,\"timeout\":%u,\"reject\":%u}",
stat[0].failure.total - (isrefresh ? stat[1].failure.total : 0),
stat[0].failure.timeout - (isrefresh ? stat[1].failure.timeout : 0),
(stat[0].failure.reject - (isrefresh ? stat[1].failure.reject : 0)) + (stat[0].failure.unreach - (isrefresh ? stat[1].failure.unreach : 0))
);
}
else {
snprintf(failure, sizeof(failure), "{\"total\":%u,\"timeout\":%u,\"reject\":%u, \"unreach\":%u}",
stat[0].failure.total - (isrefresh ? stat[1].failure.total : 0),
stat[0].failure.timeout - (isrefresh ? stat[1].failure.timeout : 0),
stat[0].failure.reject - (isrefresh ? stat[1].failure.reject : 0),
stat[0].failure.unreach - (isrefresh ? stat[1].failure.unreach : 0)
);
}
snprintf(buf, sizeof(buf), "%s{\"%s\":{\"success\":%s,\"failure\":%s}}", isfirst ? "" : ",", filter->name, success, failure);
send(soc, buf, strlen(buf), 0);
if(strisequal(method, "REFRESH")) {
memcpy(&stat[1], &stat[0], sizeof(struct tcpeek_stat));
}
if(isfirst) isfirst = 0;
}
if(!strisequal(method, "REFRESH")) {
struct pcap_stat ps;
memset(&ps, 0, sizeof(ps));
pcap_stats(g.pcap.pcap, &ps);
snprintf(buf, sizeof(buf), ",{\"pcap\":{\"stats\":{\"recv\":%u,\"drop\":%u,\"ifdrop\":%u}}}", ps.ps_recv, ps.ps_drop, ps.ps_ifdrop);
send(soc, buf, strlen(buf), 0);
}
send(soc, "]", 1, 0);
pthread_mutex_unlock(&g.session.mutex);
}
void close(int sig) {
struct pcap_stat ps;
fprintf(stderr, "SIGINT caught!\n");
if (fout) fclose(fout);
pcap_stats(capt, &ps);
fprintf(stderr, "%d packets received\n", ps.ps_recv);
fprintf(stderr, "%d packets dropped\n", ps.ps_drop);
exit(1);
}
static inline void PcapDumpCounters(PcapThreadVars *ptv)
{
struct pcap_stat pcap_s;
if (likely((pcap_stats(ptv->pcap_handle, &pcap_s) >= 0))) {
StatsSetUI64(ptv->tv, ptv->capture_kernel_packets, pcap_s.ps_recv);
StatsSetUI64(ptv->tv, ptv->capture_kernel_drops, pcap_s.ps_drop);
(void) SC_ATOMIC_SET(ptv->livedev->drop, pcap_s.ps_drop);
StatsSetUI64(ptv->tv, ptv->capture_kernel_ifdrops, pcap_s.ps_ifdrop);
}
}
void doStat() {
struct pcap_stat stat;
memset(&stat,0,sizeof(struct pcap_stat));
if (pcap_stats(handle,&stat)==-1) {
printf("error stat\n");
}
ps_drop=stat.ps_drop;
ps_ifdrop=stat.ps_ifdrop;
ps_recv=stat.ps_recv;
}
void
log_pcap_stats(void)
{
struct pcap_stat pstat;
if (pcap_stats(hpcap, &pstat) < 0)
logmsg(LOG_WARNING, "Reading stats: %s", pcap_geterr(hpcap));
else
logmsg(LOG_NOTICE,
"%u packets received, %u/%u dropped (kernel/pflogd)",
pstat.ps_recv, pstat.ps_drop, packets_dropped);
}
static uint64_t pcap_get_dropped_packets(libtrace_t *trace)
{
struct pcap_stat stats;
if (pcap_stats(DATA(trace)->input.pcap,&stats)==-1) {
char *errmsg = pcap_geterr(DATA(trace)->input.pcap);
trace_set_err(trace,TRACE_ERR_UNSUPPORTED,
"Failed to retreive stats: %s\n",
errmsg ? errmsg : "Unknown pcap error");
return ~0;
}
return stats.ps_drop;
}
std::string get_pcap_stats() {
std::stringstream output_buffer;
struct pcap_stat current_pcap_stats;
if (pcap_stats(descr, ¤t_pcap_stats) == 0) {
output_buffer<<"PCAP statistics"<<"\n"<<"Received packets: "<<current_pcap_stats.ps_recv<<"\n"
<<"Dropped packets: "<<current_pcap_stats.ps_drop
<<" ("<<int((double)current_pcap_stats.ps_drop/current_pcap_stats.ps_recv*100)<<"%)"<<"\n"
<<"Dropped by driver or interface: "<<current_pcap_stats.ps_ifdrop<<"\n";
}
return output_buffer.str();
}
static PyObject * p_stats (PyObject *self, PyObject *args)
{
pcap_t * ppcap;
if (!PyArg_ParseTuple(args, "l", (long int*)&ppcap)) return NULL;
pcap_stat ps;
int rv = pcap_stats(ppcap, &ps);
if (rv != 0)
{
PyErr_SetString(PyExc_RuntimeError, pcap_geterr(ppcap));
return NULL;
}
return Py_BuildValue("ll", (long)ps.ps_recv, (long)ps.ps_drop);
}
void print_pcap_stats(FILE * fp, struct pcap_config *p)
{
struct pcap_stat ps;
if (pcap_stats(p->descr, &ps) < 0) {
fprintf(stderr, "error when pcap_stat()\n");
fprintf(fp, "error when pcap_stat()\n");
return;
}
fprintf(fp, "packets recieved= %d\n", ps.ps_recv);
fprintf(fp, "packets dropped = %d\n", ps.ps_drop);
return;
}
static int input_pcap_interface_perf_dropped(uint64_t *value, void *priv) {
struct input_pcap_priv *p = priv;
if (!p || !p->p) {
*value = 0;
return POM_OK;
}
struct pcap_stat ps;
if (!pcap_stats(p->p, &ps))
*value = ps.ps_drop;
return POM_OK;
}
void showStats(int signal) {
struct config* config_node = config;
while (config_node) {
struct module* mod = config_node->modules;
while (mod) {
struct pcap_stat stats;
if (pcap_stats(mod->pcap_handle, &stats) == 0) {
fprintf(stderr, "Received %u packets.\n", stats.ps_recv);
fprintf(stderr, "Dropped %u packets.\n", stats.ps_drop);
};
mod = mod->next;
};
config_node = config_node->next;
};
};
void CaptureReader::print_statistic(std::ostream& out) const
{
struct pcap_stat stat={0,0,0};
if(pcap_stats(handle, &stat) == 0)
{
out << "Statistics from interface: " << source << '\n'
<< " packets received by filtration: " << stat.ps_recv << '\n'
<< " packets dropped by kernel : " << stat.ps_drop << '\n'
<< " packets dropped by interface : " << stat.ps_ifdrop;
}
else
{
throw PcapError("pcap_stats", pcap_geterr(handle));
}
}
/* Handles a variety of signals being received */
void sig_handler (int signo) {
struct pcap_stat pstats;
extern FILE *json_fd;
extern pcap_t *handle; /* packet capture handle */
extern pcap_dumper_t *output_handle;
extern struct bpf_program fp; /* compiled filter program (expression) */
switch (signo) {
/* Placeholder, will use this for some debugging */
case SIGUSR1:
// This is where code goes :)
break;
/* Someone has ctrl-c'd the process.... deal */
case SIGINT:
// Get some stats on the session
if(!(pcap_stats(handle, &pstats))) {
printf("Processed %i%% Of Packets\n",
(int) (( (float)((float)pstats.ps_recv - (float)pstats.ps_drop) / (float) pstats.ps_recv) * 100) );
printf("Received: %i\n", pstats.ps_recv);
printf("Dropped: %i\n", pstats.ps_drop);
}
/* Stop the pcap loop */
pcap_breakloop(handle);
// Close File Pointers
fclose(json_fd);
// No checking because accoring to the man page, they don't return anything useful o_O
pcap_freecode(&fp);
pcap_close(handle);
if(output_handle != NULL) {
pcap_dump_close(output_handle);
}
exit(1);
break;
default:
printf("Caught signal: %i\n", signo);
exit(0);
}
}
int reader_libpcapfile_stats(MolochReaderStats_t *stats)
{
struct pcap_stat ps;
if (!pcap) {
stats->dropped = 0;
stats->total = 0;
return 1;
}
int rc = pcap_stats (pcap, &ps);
if (rc)
return rc;
stats->dropped = ps.ps_drop;
stats->total = ps.ps_recv;
return 0;
}
void push_stats()
{
time_t now = time(NULL);
if (config.acct_type == ACCT_PM) {
if (config.dev) {
if (pcap_stats(glob_pcapt, &ps) < 0) Log(LOG_INFO, "\npcap_stats: %s\n", pcap_geterr(glob_pcapt));
Log(LOG_NOTICE, "\n%s: (%u) %u packets received by filter\n", config.dev, now, ps.ps_recv);
Log(LOG_NOTICE, "%s: (%u) %u packets dropped by kernel\n", config.dev, now, ps.ps_drop);
}
}
else if (config.acct_type == ACCT_NF || config.acct_type == ACCT_SF)
print_status_table(now, XFLOW_STATUS_TABLE_SZ);
signal(SIGUSR1, push_stats);
}
PyObject *
captureObject_stats(captureObject *self, PyObject *args)
{
struct pcap_stat stats;
if (! PyArg_ParseTuple(args, ":stats"))
return NULL;
if (pcap_stats(self->pcap, &stats))
{
PyErr_SetString(ErrorObject, pcap_geterr(self->pcap));
return NULL;
}
return Py_BuildValue("iii", stats.ps_recv, stats.ps_drop, stats.ps_ifdrop);
}
/* include cleanup */
void
cleanup(int signo)
{
struct pcap_stat stat;
putc('\n', stdout);
if (verbose) {
if (pcap_stats(pd, &stat) < 0)
err_quit("pcap_stats: %s\n", pcap_geterr(pd));
printf("%d packets received by filter\n", stat.ps_recv);
printf("%d packets dropped by kernel\n", stat.ps_drop);
}
exit(0);
}
