void reader_snf_start() { pcapFileHeader.linktype = DLT_EN10MB; pcapFileHeader.snaplen = MOLOCH_SNAPLEN; pcap_t *dpcap = pcap_open_dead(pcapFileHeader.linktype, pcapFileHeader.snaplen); int t; for (t = 0; t < MOLOCH_FILTER_MAX; t++) { if (config.bpfsNum[t]) { int i; if (bpf_programs[t]) { for (i = 0; i < config.bpfsNum[t]; i++) { pcap_freecode(&bpf_programs[t][i]); } } else { bpf_programs[t] = malloc(config.bpfsNum[t]*sizeof(struct bpf_program)); } for (i = 0; i < config.bpfsNum[t]; i++) { if (pcap_compile(dpcap, &bpf_programs[t][i], config.bpfs[t][i], 1, PCAP_NETMASK_UNKNOWN) == -1) { LOG("ERROR - Couldn't compile filter: '%s' with %s", config.bpfs[t][i], pcap_geterr(dpcap)); exit(1); } } moloch_reader_should_filter = reader_snf_should_filter; } } int i, r; for (i = 0; i < MAX_INTERFACES && config.interface[i]; i++) { for (r = 0; r < snfNumRings; r++) { char name[100]; snprintf(name, sizeof(name), "moloch-snf%d-%d", i, r); g_thread_new(name, &reader_snf_thread, rings[i][r]); } snf_start(handles[i]); } }
static int pcap_sink_open(struct rte_port_sink *port, const char *file_name, uint32_t max_n_pkts) { pcap_t *tx_pcap; pcap_dumper_t *pcap_dumper; /** Open a dead pcap handler for opening dumper file */ tx_pcap = pcap_open_dead(DLT_EN10MB, 65535); if (tx_pcap == NULL) { RTE_LOG(ERR, PORT, "Cannot open pcap dead handler\n"); return -1; } /* The dumper is created using the previous pcap_t reference */ pcap_dumper = pcap_dump_open(tx_pcap, file_name); if (pcap_dumper == NULL) { RTE_LOG(ERR, PORT, "Failed to open pcap file " "\"%s\" for writing\n", file_name); return -1; } port->dumper = pcap_dumper; port->max_pkts = max_n_pkts; port->pkt_index = 0; port->dump_finish = 0; RTE_LOG(INFO, PORT, "Ready to dump packets to file \"%s\"\n", file_name); return 0; }
int main (int argc, char ** argv) { struct bpf_program filter; pcap_t *pc; int i; if (argc != 2) { printf ("Usage: %s <expression>\n", argv[0]); return 1; } pc = pcap_open_dead(DLT_EN10MB, 1500); if (pcap_compile(pc, &filter, argv[1], 1, 0) != 0) { printf("error in active-filter expression: %s\n", pcap_geterr(pc)); return 1; } printf("/* precompiled expression: %s */\n\n" "static struct bpf_insn pktfilter_insns[] = {\n", argv[1]); for (i = 0; i < filter.bf_len; i++) { struct bpf_insn *in = &filter.bf_insns[i]; printf("\t{ .code = 0x%04x, .jt = 0x%02x, .jf = 0x%02x, .k = 0x%08x },\n", in->code, in->jt, in->jf, in->k); } printf("};\n\n" "static struct bpf_program pktfilter = {\n" "\t.bf_len = %d,\n" "\t.bf_insns = pktfilter_insns,\n" "};\n", filter.bf_len); return 0; }
int royparse_start(logerr_t* a_logerr) { logerr = a_logerr; if (opt_q) { pcap = pcap_open_dead(DLT_RAW, 65535); q_out = pcap_dump_open(pcap, opt_q); if (q_out == 0) { logerr("%s: %s\n", opt_q, strerror(errno)); exit(1); } } if (opt_r) { r_out = fopen(opt_r, "w"); if (r_out == 0) { logerr("%s: %s\n", opt_r, strerror(errno)); exit(1); } } else { r_out = stdout; } setbuf(r_out, 0); return 0; }
void init_pcap(struct sniffed_packet * packet) { char ftime[256]; time_t rawtime; struct tm *timeinfo; time (&rawtime); timeinfo = localtime(&rawtime); strftime(ftime, sizeof(ftime), "%Y-%m-%d_%H_%M_%S", timeinfo); sprintf(fname, "dump_%s_RFPI_%.2x_%.2x_%.2x_%.2x_%.2x.pcap", ftime, cli.RFPI[0], cli.RFPI[1], cli.RFPI[2], cli.RFPI[3], cli.RFPI[4]); LOG("### dumping to %s\n", fname); cli.pcap = pcap_open_dead(DLT_EN10MB, 73); if (!cli.pcap) { LOG("!!! couldn't pcap_open_dead(\"%s\")\n", fname); } cli.pcap_d = pcap_dump_open(cli.pcap, fname); if (!cli.pcap_d) { LOG("!!! couldn't pcap_dump_open(\"%s\")\n", fname); } }
int Generator::generatePackets(string inFileName, string outFileName) { pcap_t *p; pcap_dumper_t *out_file; int packetsSize, amount; if (!parseXmlAndCreateObjects(inFileName)) return 0; packetsSize = (int)packets.size(); p = pcap_open_dead(1, 65536); out_file = pcap_dump_open(p, outFileName.c_str()); for (int i = 0; i < packetsSize; i++) { amount = makeBytesVector(i); //funkcia vrati pocet, kolko ma byt podla xml vygenerovanych paketov (ch) bytesVector2BytesArray(); dumpToFile(p,out_file, amount); bytesVector.clear(); delete[] bytes; } return 1; }
static pcap_dumper_t* init_pcap_handler(const char *path) { pcap_t *handler; handler = pcap_open_dead(1, 65535); /* 不限制数据包的长度 */ return pcap_dump_open(handler, path); }
main(int argc, char **argv) { struct uld *uld; struct sk_buff *skb; int i; pcap_t *p; pcap_dumper_t *pd; struct pcap_pkthdr ph; char *ifname; ifname = NULL; if (argc == 2) { ifname = argv[1]; } uld = uld_open(ifname, 0, 0, 0, 0); if (uld == NULL) exit(1); p = pcap_open_dead(DLT_EN10MB, 65535); if (!p) fprintf(stderr, "pcap_open_dead failed\n"); pd = pcap_dump_open(p, "-"); if (!pd) fprintf(stderr, "pcap_dump_open failed\n"); for(;;) { skb = uld_skb_read(uld, 1); if (skb == NULL) continue; ph.ts.tv_sec = skb->tstamp.tv_sec; ph.ts.tv_usec = skb->tstamp.tv_nsec/1000; ph.len = ph.caplen = skb->len; pcap_dump((void *)pd, &ph, skb->data); pcap_dump_flush(pd); skb_free(skb); } }
bool GPcapFileWriter::doOpen() { if (fileName_ == "") { SET_ERR(GErr::FILE_NAME_NOT_SPECIFIED, "file name is not specified"); return false; } int dataLink = GPacket::dataLinkTypeToInt(dataLinkType_); pcap_ = pcap_open_dead(dataLink, snapLen_); if (pcap_ == nullptr) { SET_ERR(GErr::RETURN_NULL, QString("pcap_open_dead(%1, %2)) return null").arg(dataLink, snapLen_)); return false; } QString path = QFileInfo(fileName_).path(); QString fileName = QFileInfo(fileName_).fileName(); QDateTime now = QDateTime::currentDateTime(); QString newFileName = now.toString(fileName); if (path != "") { QDir dir; dir.mkpath(path); newFileName = path + QDir::separator() + newFileName; } pcap_dumper_ = pcap_dump_open(pcap_, qPrintable(newFileName)); if (pcap_dumper_ == nullptr) { SET_ERR(GErr::RETURN_NULL, QString("pcap_dump_open(, %1)) return null").arg(newFileName)); pcap_close(pcap_); pcap_ = nullptr; return false; } return true; }
init (void) { ADDCL(cl); ADDDBGCL(dl); desc = pcap_open_dead(DLT_EN10MB, 96); dumpfile = strdup(DEFAULT_DUMPFILE); }
/** * Startup method for the module */ void PCAPExporterPipe::performStart() { char errbuf[PCAP_ERRBUF_SIZE]; time(&last_check); if(last_check == (time_t) -1) THROWEXCEPTION("time() failed"); SignalHandler::getInstance().registerSignalHandler(SIGCHLD, this); SignalHandler::getInstance().registerSignalHandler(SIGPIPE, this); if(restartOnSignal) SignalHandler::getInstance().registerSignalHandler(SIGUSR2, this); dummy = pcap_open_dead(link_type, snaplen); if (!dummy) { THROWEXCEPTION("Could not open dummy device: %s", errbuf); } startProcess(); msg(MSG_INFO, "Started PCAPExporterPipe with the following parameters:"); if (fifoReaderCmd != ""){ msg(MSG_INFO, " - fifoReaderCmd = %s", fifoReaderCmd.c_str()); msg(MSG_INFO, " - fifoReaderPid = %d", fifoReaderPid); } else { THROWEXCEPTION("No fifoReaderCmd specified!"); } if (logFileName != ""){ msg(MSG_INFO, " - logfileBaseName = %s", logFileName.c_str()); msg(MSG_INFO, " - appenddate = %s", appenddate ? "true" : "false"); } else msg(MSG_ERROR, "No Logfile specified - dumping to stdout!"); msg(MSG_INFO, " - sigKillTimeout = %d" , sigKillTimeout); }
void reader_pfring_start() { int dlt_to_linktype(int dlt); pcapFileHeader.linktype = 1; pcapFileHeader.snaplen = MOLOCH_SNAPLEN; pcap_t *pcap = pcap_open_dead(pcapFileHeader.linktype, pcapFileHeader.snaplen); if (config.dontSaveBPFs) { int i; if (bpf_programs) { for (i = 0; i < config.dontSaveBPFsNum; i++) { pcap_freecode(&bpf_programs[i]); } } else { bpf_programs = malloc(config.dontSaveBPFsNum*sizeof(struct bpf_program)); } for (i = 0; i < config.dontSaveBPFsNum; i++) { if (pcap_compile(pcap, &bpf_programs[i], config.dontSaveBPFs[i], 0, PCAP_NETMASK_UNKNOWN) == -1) { LOG("ERROR - Couldn't compile filter: '%s' with %s", config.dontSaveBPFs[i], pcap_geterr(pcap)); exit(1); } } moloch_reader_should_filter = reader_pfring_should_filter; } pcap_close(pcap); int i; for (i = 0; i < MAX_INTERFACES && config.interface[i]; i++) { char name[100]; snprintf(name, sizeof(name), "moloch-pfring%d", i); g_thread_new(name, &reader_pfring_thread, rings[i]); } }
int main (int argc, char ** argv) { pcap_t *pc; /* Fake struct pcap so we can compile expr */ struct bpf_program filter; /* Filter program for link-active pkts */ u_int32_t netmask=0; int dflag = 3; if (argc == 4) { if (!strcmp (argv[1], "-d")) { dflag = atoi (argv[2]); argv += 2; argc -=2; } } if (argc != 2) { printf ("usage; %s [ -d <debug_level> ] expression\n", argv[0]); return 1; } pc = pcap_open_dead(DLT_PPP_PPPD, PPP_HDRLEN); if (pcap_compile(pc, &filter, argv[1], 1, netmask) == 0) { printf ("#\n# Expression: %s\n#\n", argv[1]); bpf_dump (&filter, dflag); return 0; } else { printf("error in active-filter expression: %s\n", pcap_geterr(pc)); } return 1; }
bool SnoopDump::doOpen() { m_pcap = pcap_open_dead(linkType, snoop::DEFAULT_SNAPLEN); if (m_pcap == NULL) { SET_ERROR(SnoopError, "error in pcap_open_dead return NULL", VERR_IN_PCAP_OPEN_DEAD); return false; } if (filePath == "") { SET_ERROR(VFileError, "file name not specified", VERR_FILENAME_NOT_SPECIFIED); return false; } QString _path = QFileInfo(filePath).path(); QString _fileName = QFileInfo(filePath).fileName(); VFile::createFolder(_path); if (_fileName == "") _fileName = DEFAULT_DUMP_FILE_NAME; QDateTime now = QDateTime::currentDateTime(); QString newFileName = qformat(qPrintable(_fileName), now.date().year(), now.date().month(), now.date().day(), now.time().hour(), now.time().minute(), now.time().second(), now.time().msec()); m_pcap_dumper = pcap_dump_open(m_pcap, qPrintable(_path + "/" + newFileName)); if (m_pcap_dumper == NULL) { SET_ERROR(SnoopError, pcap_geterr(m_pcap), VERR_IN_PCAP_DUMP_OPEN); return false; } return true; }
PacketHandler(const std::string& pcap_name) : pcap_writer(NULL), pcap_filename(pcap_name) { pcap = pcap_open_dead(DLT_EN10MB, MAX_CAPLEN); open_logs(); }
void PacketDumper::openDump(time_t when, int sampling_rate, unsigned int max_pkts_per_file, unsigned int max_sec_per_file) { char pcap_path[MAX_PATH], hour_path[64]; int len; time_t _when = when; if(dumper) return; sec_start = when; this->sampling_rate = sampling_rate; this->max_pkts_per_file = iface->getDumpTrafficMaxPktsPerFile(); this->max_sec_per_file = iface->getDumpTrafficMaxSecPerFile(); when -= when % 3600; /* Hourly directories */ strftime(hour_path, sizeof(hour_path), "%Y/%m/%d/%H", localtime(&when)); snprintf(pcap_path, sizeof(pcap_path), "%s/%d/pcap/%s", ntop->get_working_dir(), iface->get_id(), hour_path); ntop->fixPath(pcap_path); Utils::mkdir_tree(pcap_path); len = strlen(pcap_path); snprintf(&pcap_path[len], sizeof(pcap_path)-len-1, "/%u_%u.pcap", (unsigned int)when, file_id); if((dumper = pcap_dump_open(pcap_open_dead(iface_type, 16384 /* MTU */), pcap_path)) == NULL) ntop->getTrace()->traceEvent(TRACE_WARNING, "Unable to create pcap file %s", pcap_path); else { dump_end = _when + this->max_sec_per_file, num_dumped_packets = 0, file_id++; ntop->getTrace()->traceEvent(TRACE_INFO, "Created pcap dump %s [max pkts=%u][max duration=%u sec]", \ pcap_path, this->max_pkts_per_file, this->max_sec_per_file); } }
/* Called at the start on main thread or each time a new file is open on single thread */ void moloch_rules_recompile() { int t, r; if (deadPcap) pcap_close(deadPcap); deadPcap = pcap_open_dead(pcapFileHeader.linktype, pcapFileHeader.snaplen); MolochRule_t *rule; for (t = 0; t < MOLOCH_RULE_TYPE_NUM; t++) { for (r = 0; (rule = current.rules[t][r]); r++) { if (!rule->bpf) continue; pcap_freecode(&rule->bpfp); if (pcapFileHeader.linktype != 239) { if (pcap_compile(deadPcap, &rule->bpfp, rule->bpf, 1, PCAP_NETMASK_UNKNOWN) == -1) { LOGEXIT("ERROR - Couldn't compile filter %s: '%s' with %s", rule->filename, rule->bpf, pcap_geterr(deadPcap)); } } else { rule->bpfp.bf_len = 0; } } } }
int init_write_pkts_to_files(const char* out_fpath) { /*create hashtable*/ flow_seqid_hashmap = ht_kf_create(HASH_MAP_SIZE); if (flow_seqid_hashmap == NULL) { printf("FAIL: ht_kf_create flow_seqid_hashmap\n"); return -1; } int node_idx = 0; for (node_idx = 0; node_idx < NUM_SENDERS; ++node_idx) { pd[node_idx] = pcap_open_dead(DLT_EN10MB, 65535 /* snaplen */); if (pd[node_idx] == NULL) { return -1; } /* Create the output file. */ char fname[100]; snprintf(fname, 100, "%s/h%d.pcap", out_fpath, node_idx+1); pdumper[node_idx] = pcap_dump_open(pd[node_idx], fname); if (pdumper[node_idx] == NULL) { return -1; } snprintf(fname, 100, "%s/h%d_trace.csv", out_fpath, node_idx+1); fp[node_idx] = fopen(fname, "w"); if (fp[node_idx] == NULL) { return -1; } } return 0; }
int main(int argc, char **argv) { //Check whether user has entered enough arguments if(argc < 2) { printf("Usage: ./firewall mode [input pcap file] [output pcap file]\n", " Mode: 1/2\n"); } char errbuf[100]; int mode = atoi(argv[1]); //If mode = 1 then use the interfaces to capture packets if(mode == 1) { pid_t childPID; //Open the interface handlers in_handle = pcap_open_live(INT_IN,65536,1,0,errbuf); out_handle = pcap_open_live(INT_OUT,65536,1,0,errbuf); //Create two processes for two interfaces childPID = fork(); if(childPID >= 0) { //Associate the handlers with the interfaces if(childPID == 0) { capture_loop(in_handle, -1, (pcap_handler)parse_packet, NULL); } else { capture_loop(out_handle, -1, (pcap_handler)parse_packet_p, NULL); } } else { printf("\n Fork failed, quitting!!!!!!\n"); return 1; } } //Else open the input pcap file for the processing and write to output pcap file else { //Check for the valid arguments if(argc < 4) { printf("Usage: ./firewall mode [input pcap file] [output pcap file]\n", " Mode: 1/2\n"); } in_handle = pcap_open_offline(argv[2],errbuf); //802.3 = 1 - link type //open new pcap handler out_handle = pcap_open_dead(1,65536); //open the file with the handler dumper = pcap_dump_open(out_handle, argv[3]); //Process all the packets from the file capture_loop(in_handle, -1, (pcap_handler)parse_packet_file, (u_char*)dumper); } return 0; }
/** * Initialization routines for your monitor. * Allocate any global resources or initial values here. */ void monitor_init(void) { char *name; /* create a fake pcap device for the dumper */ pcap = pcap_open_dead(DLT_EN10MB, 65535); name = basename(cfg.prog_name); snprintf(outname, MAX_STR, OUT_FMT, cfg.log_dir, name); }
PhysicalMedium_pimpl(clockid_t clockidToUse, const char * nameIn, int mcastPort) : clockidToUse(clockidToUse) { struct epoll_event ev; int rv; u_char loop; tx.mcastsockfd = -1; ev.events = EPOLLIN; ev.data.ptr = &NetworkSimulator::getUnblocker(); state = STOPPED; name = strdup(nameIn); poller.epfd = epoll_create1(EPOLL_CLOEXEC); thread = -1; if (poller.epfd < 0) throw "epoll_create error"; rv = epoll_ctl(poller.epfd, EPOLL_CTL_ADD, NetworkSimulator::getUnblocker().getReadPipe(), &ev); if (rv < 0) throw "PhysicalMedium_pimpl: failed to add unblocker to poller"; /* * SIGEV_NONE is supposed to prevent signal delivery, but it doesn't. * Set signo to SIGSTOP to make the received signal obvious but * harmless. */ memset(&sev, 0, sizeof(sev)); sev.sigev_notify = SIGEV_NONE; sev.sigev_signo = SIGSTOP; if (timer_create(clockidToUse, &sev, &timer) == -1) { xlog(LOG_ERR, "timer_create fail (%d:%s)", errno, strerror(errno)); throw "PhysicalMedium_pimpl: failed to create timer"; } // Create multicast socket and disable loopback as we don't want // to receive the packets we have just transmitted. tx.mcastsockfd=socket(AF_INET, SOCK_DGRAM, 0); tx.mcastport = mcastPort; // Ensure IP_MULTICAST_LOOP is set so QEMU nodes that are // running locally can receive the multicast packet. loop = 1; setsockopt(tx.mcastsockfd, IPPROTO_IP, IP_MULTICAST_LOOP, &loop, sizeof(loop)); bzero(&tx.mcastGroupAddr,sizeof(tx.mcastGroupAddr)); tx.mcastGroupAddr.sin_family = AF_INET; tx.mcastGroupAddr.sin_addr.s_addr=inet_addr("224.1.1.1"); tx.mcastGroupAddr.sin_port=htons(tx.mcastport); memset(&stats, 0, sizeof(stats)); pcap.fake = pcap_open_dead(DLT_IEEE802_15_4_NOFCS, 65535); assert(pcap.fake); pcap.dumper = pcap_dump_open(pcap.fake, "./packets.pcap"); assert(pcap.dumper); }
void PacketWriter::init(const std::string& file_name, int link_type) { handle = pcap_open_dead(link_type, 65535); if(!handle) throw std::runtime_error("Error creating pcap handle"); dumper = pcap_dump_open(handle, file_name.c_str()); if(!dumper) { // RAII plx pcap_close(handle); throw std::runtime_error(pcap_geterr(handle)); } }
/* Setup filter resources */ static int pf_capture_setup(netio_desc_t *nio,void **opt, int argc,char *argv[]) { struct netio_filter_capture *c; int link_type; /* We must have a link type and a filename */ if (argc != 2) return(-1); /* Free resources if something has already been done */ pf_capture_free(nio,opt); /* Allocate structure to hold PCAP info */ if (!(c = malloc(sizeof(*c)))) return(-1); if (pthread_mutex_init(&c->lock,NULL)) { fprintf(stderr,"NIO %s: pthread_mutex_init failure (file %s)\n", nio->name,argv[0]); goto pcap_lock_err; } if ((link_type = pcap_datalink_name_to_val(argv[0])) == -1) { fprintf(stderr,"NIO %s: unknown link type %s, assuming Ethernet.\n", nio->name,argv[0]); link_type = DLT_EN10MB; } /* Open a dead pcap descriptor */ if (!(c->desc = pcap_open_dead(link_type,8192))) { fprintf(stderr,"NIO %s: pcap_open_dead failure\n",nio->name); goto pcap_open_err; } /* Open the output file */ if (!(c->dumper = pcap_dump_open(c->desc,argv[1]))) { fprintf(stderr,"NIO %s: pcap_dump_open failure (file %s)\n", nio->name,argv[0]); goto pcap_dump_err; } printf("NIO %s: capturing to file '%s'\n",nio->name,argv[1]); *opt = c; return(0); pcap_dump_err: pcap_close(c->desc); pcap_open_err: pthread_mutex_destroy(&c->lock); pcap_lock_err: free(c); return(-1); }
PcapFileOut::PcapFileOut(unsigned port, std::string filename) : PcapFileBase(port, filename) { pcap = pcap_open_dead(0, 0); if (pcap == nullptr) bm_fatal_error( std::string("Could not open file ") + filename + " for writing"); dumper = pcap_dump_open(pcap, filename.c_str()); if (dumper == nullptr) bm_fatal_error( std::string("Could not open file ") + filename + " for writing"); }
/* * Class: disy_jnipcap_Pcap * Method: openDead * Signature: (II)J */ JNIEXPORT jlong JNICALL Java_disy_jnipcap_Pcap_openDead (JNIEnv *env, jclass jcls, jint jlinktype, jint jsnaplen) { pcap_t *p = pcap_open_dead((int)jlinktype, (int)jsnaplen); if (p == NULL) return (jlong) NULL; if (mid_Pcap_init == NULL) { pcap_close (p); return (jlong) NULL; } return (jlong) p; }
void OfflinePacketFilter::init(const string& pcap_filter, int link_type, unsigned int snap_len) { handle_ = pcap_open_dead( link_type, snap_len ); if (pcap_compile(handle_, &filter_, pcap_filter.c_str(), 1, 0xffffffff) == -1) { throw invalid_pcap_filter(pcap_geterr(handle_)); } }
void PCAPExporterModule::performStart() { char errbuf[PCAP_ERRBUF_SIZE]; dummy = pcap_open_dead(link_type, snaplen); if (!dummy) { THROWEXCEPTION("Could not open dummy device: %s", errbuf); } dumper = pcap_dump_open(dummy, fileName.c_str()); if (!dumper) { THROWEXCEPTION("Could not open dump file: %s", errbuf); } }
void Foo::bar() { pcap_t* cap = pcap_open_dead(0, 32); if (cap) { std::cout << "got pcap" << std::endl; pcap_close(cap); } else { std::cout << "didn't get pcap" << std::endl; } }
/*- -- cap = pcap.open_dead([linktype, [snaplen]]) - linktype is one of the DLT numbers, and defaults to pcap.DLT.EN10MB. - snaplen is the maximum size of packet, and defaults to 65535 (also, a value of 0 is changed into 65535 internally, as tcpdump does). Open a pcap that doesn't read from either a live interface, or an offline pcap file. It can be used with cap:dump_open() to write a pcap file, or to compile a BPF program. */ static int lpcap_open_dead(lua_State *L) { int linktype = luaL_optint(L, 1, DLT_EN10MB); int snaplen = luaL_optint(L, 2, 0); pcap_t** cap = pushpcapopen(L); /* this is the value tcpdump uses, its way bigger than any known link size */ if(!snaplen) snaplen = 0xffff; *cap = pcap_open_dead(linktype, snaplen); return checkpcapopen(L, cap, "open dead failed for unknown reason"); }
void reader_libpcap_start() { int dlt_to_linktype(int dlt); //ALW - Bug: assumes all linktypes are the same pcapFileHeader.linktype = dlt_to_linktype(pcap_datalink(pcaps[0])) | pcap_datalink_ext(pcaps[0]); pcapFileHeader.snaplen = pcap_snapshot(pcaps[0]); pcap_t *dpcap = pcap_open_dead(pcapFileHeader.linktype, pcapFileHeader.snaplen); int t; for (t = 0; t < MOLOCH_FILTER_MAX; t++) { if (config.bpfsNum[t]) { int i; if (bpf_programs[t]) { for (i = 0; i < config.bpfsNum[t]; i++) { pcap_freecode(&bpf_programs[t][i]); } } else { bpf_programs[t] = malloc(config.bpfsNum[t]*sizeof(struct bpf_program)); } for (i = 0; i < config.bpfsNum[t]; i++) { if (pcap_compile(dpcap, &bpf_programs[t][i], config.bpfs[t][i], 1, PCAP_NETMASK_UNKNOWN) == -1) { LOG("ERROR - Couldn't compile filter: '%s' with %s", config.bpfs[t][i], pcap_geterr(dpcap)); exit(1); } } moloch_reader_should_filter = reader_libpcap_should_filter; } } int i; for (i = 0; i < MAX_INTERFACES && config.interface[i]; i++) { if (config.bpf) { struct bpf_program bpf; if (pcap_compile(pcaps[i], &bpf, config.bpf, 1, PCAP_NETMASK_UNKNOWN) == -1) { LOG("ERROR - Couldn't compile filter: '%s' with %s", config.bpf, pcap_geterr(pcaps[i])); exit(1); } if (pcap_setfilter(pcaps[i], &bpf) == -1) { LOG("ERROR - Couldn't set filter: '%s' with %s", config.bpf, pcap_geterr(pcaps[i])); exit(1); } } char name[100]; snprintf(name, sizeof(name), "moloch-pcap%d", i); g_thread_new(name, &reader_libpcap_thread, (gpointer)pcaps[i]); } }