Add file rolling support to the dump module #42
Open
ssam18 wants to merge 1 commit into
The dump module can now roll its pcap output files based on a file size limit or a packet count limit. Two new variables named roll-size and roll-pkts control this, and rolled files get a numeric suffix appended to the configured filename. The TX and RX output files are tracked and rolled independently. New cmocka unit tests cover the rolling behavior along with the existing single file output path. Fixes issue snort3#29.
This adds optional rolling of the pcap files written by the dump module, as requested in #29. Since the module is a library loaded into the host application, reopening files on a signal like logrotate expects did not seem like a good fit, so the rolling is handled internally through DAQ variables. The new roll-size variable takes a limit in MiB and the new roll-pkts variable takes a packet count, and the current file is rolled as soon as either limit is reached. Rolled files keep the configured name with a numeric suffix, so inline-out.pcap becomes inline-out.pcap.1 and so on, while the TX and RX files are tracked and rolled separately. The duplicated dumper open code in dump_daq_start was pulled into a helper that the roll path reuses, which also fixed a small leak where a failed RX open left the TX dumper unclosed. I added a cmocka based unit test that stacks the dump module on a mock source module and verifies packet counts and file sizes in the generated files, covering the receive and inject paths as well as rejection of invalid variable values. The README was updated to document the new variables.
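The rolling policy described above, sketched as an added example that is not code from this pull request: one state struct per direction, a roll triggered when either limit is reached, and a bounded filename builder. The struct, the function names, treating 0 as "no limit", and keeping the first file on the unsuffixed name are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-direction state; TX and RX each get their own copy. */
struct roll_state {
    const char *base;     /* configured filename, e.g. "inline-out.pcap" */
    uint64_t max_bytes;   /* roll-size converted from MiB; 0 = no limit (assumed) */
    uint64_t max_pkts;    /* roll-pkts; 0 = no limit (assumed) */
    uint64_t bytes, pkts; /* counters for the file currently open */
    unsigned index;       /* 0 = base name, N = base.N (assumed numbering) */
};

/* Build the current output name; fail instead of silently truncating the path. */
int roll_current_name(const struct roll_state *rs, char *buf, size_t len)
{
    int n = rs->index ? snprintf(buf, len, "%s.%u", rs->base, rs->index)
                      : snprintf(buf, len, "%s", rs->base);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Account for one written packet. Returns 1 when either limit has been
 * reached and the caller must close the dumper and open the next file. */
int roll_account(struct roll_state *rs, uint32_t caplen)
{
    rs->bytes += 16u + caplen;   /* classic pcap record header is 16 bytes */
    rs->pkts++;
    if ((rs->max_bytes && rs->bytes >= rs->max_bytes) ||
        (rs->max_pkts && rs->pkts >= rs->max_pkts)) {
        rs->index++;
        rs->bytes = 24;          /* the new file starts with the 24-byte global header */
        rs->pkts = 0;
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: roll-size=1 (MiB), roll-pkts=1000, 1500-byte packets. */
    struct roll_state rx = { "inline-out.pcap", 1ull << 20, 1000, 24, 0, 0 };
    char name[256];
    for (int i = 0; i < 2500; i++)
        if (roll_account(&rx, 1500) && roll_current_name(&rx, name, sizeof name) == 0)
            printf("rolled to %s after packet %d\n", name, i + 1);
    return 0;
}
```

Because the counters live in the per-direction struct, a burst on the inject path cannot roll the receive file early, which matches the independent TX/RX tracking the description mentions.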