[Oisf-devel] [PATCH 2/2] Add pcap-info alert format.
Victor Julien
victor at inliniac.net
Wed Oct 5 11:15:40 UTC 2011
On 10/04/2011 09:38 PM, Eric Leblond wrote:
> +TmEcode AlertPcapInfo (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
> +{
> + AlertPcapInfoThread *aft = (AlertPcapInfoThread *)data;
> + int i;
> +
> + SCMutexLock(&aft->file_ctx->fp_mutex);
> +
> + aft->file_ctx->alerts += p->alerts.cnt;
> + /** logging is useless if we don't have pcap number */
> + if (p->pcap_cnt != 0) {
> + for (i = 0; i < p->alerts.cnt; i++) {
> + PacketAlert *pa = &p->alerts.alerts[i];
> +
> + fprintf(aft->file_ctx->fp, "%ld:%d:%d:%d:%d:%d:%d:%d:0:0:%s\n",
> + p->pcap_cnt, pa->s->gid, pa->s->id,
> + pa->s->rev, pa->alert_msg ? 1 : 0,
> + p->flowflags & FLOW_PKT_TOSERVER ? 1 : 0,
> + p->flowflags & FLOW_PKT_TOCLIENT ? 1 : 0,
> + pa->tx_id, pa->s->msg);
> + }
> + }
> +
> + SCMutexUnlock(&aft->file_ctx->fp_mutex);
> +
> + return TM_ECODE_OK;
> +}
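Review bot: the counter update aft->file_ctx->alerts += p->alerts.cnt sits outside the if (p->pcap_cnt != 0) check, so packets with a pcap_cnt of 0 raise the alert count although no line is written for them; if the counter is meant to reflect logged alerts, move the increment inside the check, which also lets the lock be taken only on that path. In the fprintf call, pa->s->msg is written raw as the last field of a colon-separated, newline-terminated record, so a message containing a newline would split one alert across two records; either escape the message or document that everything after the tenth colon up to the end of line is the message.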
This code is run for each packet. So you might want to do locking only
after checking for p->pcap_cnt != 0 && p->alerts.cnt > 0. This saves us
from doing a lock for most packets.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------