From 13938b08ad2397342083d62c2155335cb99ea052 Mon Sep 17 00:00:00 2001
From: Shannon Weyrick
Date: Mon, 5 Apr 2021 16:37:31 -0400
Subject: [PATCH 1/3] control tcp reassembly frag options

---
 src/inputs/pcap/PcapInputStream.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/inputs/pcap/PcapInputStream.cpp b/src/inputs/pcap/PcapInputStream.cpp
index 702b98c08..d5c250b87 100644
--- a/src/inputs/pcap/PcapInputStream.cpp
+++ b/src/inputs/pcap/PcapInputStream.cpp
@@ -66,7 +66,8 @@ PcapInputStream::PcapInputStream(const std::string &name)
 , _tcp_reassembly(_tcp_message_ready_cb,
 this,
 _tcp_connection_start_cb,
- _tcp_connection_end_cb)
+ _tcp_connection_end_cb,
+ {true, 5, 100, 100})
 {
 }

From 53c4933eed5d765577c5bb925cea4048efc3dd33 Mon Sep 17 00:00:00 2001
From: Shannon Weyrick
Date: Mon, 5 Apr 2021 20:50:18 -0400
Subject: [PATCH 2/3] capture config

---
 conanfile.txt | 1 +
 src/inputs/pcap/PcapInputStream.cpp | 13 ++++++++++---
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/conanfile.txt b/conanfile.txt
index c4fc956e6..dc69654b9 100644
--- a/conanfile.txt
+++ b/conanfile.txt
@@ -14,6 +14,7 @@ catch2/2.13.4
 [options]
 corrade:with_pluginmanager=True
+pcapplusplus:immediate_mode=True
 [generators]
 cmake
diff --git a/src/inputs/pcap/PcapInputStream.cpp b/src/inputs/pcap/PcapInputStream.cpp
index d5c250b87..9862ad61c 100644
--- a/src/inputs/pcap/PcapInputStream.cpp
+++ b/src/inputs/pcap/PcapInputStream.cpp
@@ -67,7 +67,7 @@ PcapInputStream::PcapInputStream(const std::string &name)
 this,
 _tcp_connection_start_cb,
 _tcp_connection_end_cb,
- {true, 5, 100, 100})
+ {true, 5, 500, 1})
 {
 }
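Review bot: The `{true, 5, 100, 100}` aggregate handed to `_tcp_reassembly` is four unnamed magic values, and the same literal is revised again in patch 2's `@@ -67,7 +67,7 @@` hunk (`{true, 5, 500, 1}`) and patch 3's `@@ -67,7 +68,7 @@` hunk (`{true, 5, 500, 50}`) without a comment saying what is being tuned or why. If this is PcapPlusPlus's `TcpReassemblyConfiguration`, the fields are presumably (removeConnInfo, closedConnectionDelay, maxNumToClean, maxOutOfOrderFragments), and the last one bounds how much out-of-order data the reassembler buffers per connection — i.e. the memory a single peer can make this process hold — so the value chosen deserves a recorded rationale. I would add above the initializer: `// TcpReassemblyConfiguration{removeConnInfo, closedConnectionDelay (s), maxNumToClean, maxOutOfOrderFragments}` and `// maxOutOfOrderFragments caps per-connection buffering of unmatched segments; keep it bounded` — confirm the field order and meanings against the pcpp header before committing the comment. The constructor's initializer list begins before this hunk.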
@@ -321,7 +321,14 @@ void PcapInputStream::_open_libpcap_iface(const std::string &bpfFilter)
 NOTE: the packet buffer timeout cannot be used to cause calls that read packets to return within a limited period of time, because, on some platforms, the packet buffer timeout isn't supported, and, on other platforms, the timer doesn't start until at least one packet arrives. This means that the packet buffer timeout should NOT be used, for example, in an interactive application to allow the packet capture loop to ``poll'' for user input periodically, as there's no guarantee that a call reading packets will return after the timeout expires even if no packets have arrived. The packet buffer timeout is set with pcap_set_timeout(). */
- config.packetBufferTimeoutMs = 100;
+ config.packetBufferTimeoutMs = 10;
+ /*
+ * @param[in] snapshotLength Snapshot length for capturing packets. Default value is 0 which means use the default value.
+ * A snapshot length of 262144 should be big enough for maximum-size Linux loopback packets (65549) and some USB packets
+ * captured with USBPcap (> 131072, < 262144). A snapshot length of 65535 should be sufficient, on most if not all networks,
+ * to capture all the data available from the packet.
+ */
+ config.snapshotLength = 1000;
 // try to open device
 if (!_pcapDevice->open(config)) {
@@ -417,4 +424,4 @@ void PcapInputStream::parse_host_spec()
 }
 }
-}
\ No newline at end of file
+}

From dcb8fb7fb4f7c1030064950df62c418414598b2a Mon Sep 17 00:00:00 2001
From: Shannon Weyrick
Date: Tue, 6 Apr 2021 11:23:53 -0400
Subject: [PATCH 3/3] tweak frag config, optional pcap debug

---
 src/inputs/pcap/PcapInputStream.cpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/inputs/pcap/PcapInputStream.cpp b/src/inputs/pcap/PcapInputStream.cpp
index 9862ad61c..5a7a01def 100644
--- a/src/inputs/pcap/PcapInputStream.cpp
+++ b/src/inputs/pcap/PcapInputStream.cpp
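Review bot: `config.snapshotLength = 1000;` cuts every captured frame longer than 1000 bytes, while the text pasted just above it (the pcpp `@param` doc) says 65535 is the value that captures all the data on most networks; a standard 1500-byte Ethernet frame already exceeds the cut, so the TCP reassembler configured in the constructor and any parser that reads past the first 1000 bytes will silently work on incomplete payloads. If the small snaplen is deliberate (throughput), the comment should say so and state what is known to be safe to drop; otherwise use `config.snapshotLength = 65535;` or leave the field at the default of 0 that the pasted text describes. Either way I would replace the copied Doxygen block with a one-line why-comment, e.g. `// snaplen: bytes kept per packet; anything past this never reaches reassembly or the parsers`. The enclosing `_open_libpcap_iface` starts before this hunk.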
@@ -15,6 +15,7 @@
 #include
 #include
 #include
+#include
 #pragma GCC diagnostic pop
 #include
 #include
@@ -67,7 +68,7 @@ PcapInputStream::PcapInputStream(const std::string &name)
 this,
 _tcp_connection_start_cb,
 _tcp_connection_end_cb,
- {true, 5, 500, 1})
+ {true, 5, 500, 50})
 {
 }
@@ -92,6 +93,10 @@ void PcapInputStream::start()
 return;
 }
+ if (config_exists("debug")) {
+ pcpp::LoggerPP::getInstance().setAllModlesToLogLevel(pcpp::LoggerPP::LogLevel::Debug);
+ }
+
 // live capture
 assert(config_exists("iface"));
 assert(config_exists("bpf"));
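Review bot: The `config_exists("debug")` block in `start()` calls `setAllModlesToLogLevel(Debug)` on the `pcpp::LoggerPP::getInstance()` singleton, so one input stream's config raises the library log level for every pcpp user in the process, and nothing in this hunk lowers it again when the stream stops. If `config_exists` only tests key presence (its definition is not visible here), a `debug` key set to false still turns the verbose output on; consider reading the value rather than its presence. I would at least document the scope above the `if`: `// NOTE: LoggerPP is global to the process, not to this stream, and is not reset on stop`. `start()` continues beyond this hunk.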