-- Copyright (c) 2018-2023, OARC, Inc. -- All rights reserved. -- -- This file is part of dnsjit. -- -- dnsjit is free software: you can redistribute it and/or modify -- it under the terms of the GNU General Public License as published by -- the Free Software Foundation, either version 3 of the License, or -- (at your option) any later version. -- -- dnsjit is distributed in the hope that it will be useful, -- but WITHOUT ANY WARRANTY; without even the implied warranty of -- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- GNU General Public License for more details. -- -- You should have received a copy of the GNU General Public License -- along with dnsjit. If not, see . -- dnsjit.input.zpcap -- Read input from a PCAP file that is compressed -- local input = require("dnsjit.input.zpcap").new() -- input:zstd() -- input:open("file.pcap.zst") -- input:receiver(filter_or_output) -- input:run() -- -- Read input from a PCAP file that is compressed and parse the PCAP without -- libpcap. -- After opening a file and reading the PCAP header, the attributes are -- populated. -- .SS Attributes -- .TP -- is_swapped -- Indicate if the byte order in the PCAP is in reverse order of the host. -- .TP -- is_nanosec -- Indicate if the time stamps are in nanoseconds or not. -- .TP -- magic_number -- Magic number. -- .TP -- version_major -- Major version number. -- .TP -- version_minor -- Minor version number. -- .TP -- thiszone -- GMT to local correction. -- .TP -- sigfigs -- Accuracy of timestamps. -- .TP -- snaplen -- Max length of captured packets, in octets. -- .TP -- network -- The link type found in the PCAP header, see https://www.tcpdump.org/linktypes.html . -- .TP -- linktype -- The data link type, mapped from -- .IR network . module(...,package.seeall) require("dnsjit.input.zpcap_h") local ffi = require("ffi") local C = ffi.C local t_name = "input_zpcap_t" local input_zpcap_t = ffi.typeof(t_name) local Zpcap = {} -- Create a new Zpcap input. function Zpcap.new() local self = { _receiver = nil, obj = input_zpcap_t(), } C.input_zpcap_init(self.obj) ffi.gc(self.obj, C.input_zpcap_destroy) return setmetatable(self, { __index = Zpcap }) end -- Return the Log object to control logging of this instance or module. function Zpcap:log() if self == nil then return C.input_zpcap_log() end return self.obj._log end -- Set the receiver to pass objects to. function Zpcap:receiver(o) self.obj.recv, self.obj.ctx = o:receive() self._receiver = o end -- Return the C functions and context for producing objects. function Zpcap:produce() return C.input_zpcap_producer(self.obj), self.obj end -- Use -- .B posix_fadvise() -- to indicate sequential reading (if supported), may increase performance. -- MUST be called before -- .BR open() . function Zpcap:fadvise_sequential() self.obj.use_fadvise = 1 end -- Use liblz4 to decompress the input file/data. function Zpcap:lz4() self.obj.compression = "input_zpcap_type_lz4" end -- Use libzstd to decompress the input file/data. function Zpcap:zstd() self.obj.compression = "input_zpcap_type_zstd" end -- Return true if support for selected compression library is built in. function Zpcap:have_support() if C.input_zpcap_have_support(self.obj) == 1 then return true end return false end -- Open a PCAP file for processing and read the PCAP header. -- Returns 0 on success. function Zpcap:open(file) return C.input_zpcap_open(self.obj, file) end -- Open a PCAP file for processing and read the PCAP header using a -- file descriptor, for example -- .B io.stdin -- or with -- .BR io.open() . -- Will not take ownership of the file descriptor. -- Returns 0 on success. function Zpcap:openfp(fp) return C.input_zpcap_openfp(self.obj, fp) end -- Start processing packets and send each packet read to the receiver. -- Returns 0 if all packets was read successfully. function Zpcap:run() return C.input_zpcap_run(self.obj) end -- Return the number of packets seen. function Zpcap:packets() return tonumber(self.obj.pkts) end -- dnsjit.input.fpcap (3) return Zpcap