From 889e0d5cb6a4e082e13d71c88c0fe40a4e8f8d2d Mon Sep 17 00:00:00 2001
From: Guy Harris
Date: Tue, 27 Oct 2020 20:06:26 -0700
Subject: Add a new record type REC_TYPE_SYSTEMD_JOURNAL.

Systemd journal entries aren't file-type-specific; they're found in both systemd journal entry blocks in pcapng files and in systemd journal export files. Give it a record type, for use with both file types.

This fixes #16955.

It also means that you can open a systemd journal export file and save it as a pcapng file.
---
 wiretap/pcapng.c          | 31 +++++++++++++++----------------
 wiretap/systemd_journal.c |  5 ++---
 wiretap/wtap.h            |  6 ++++++
 3 files changed, 23 insertions(+), 19 deletions(-)

(limited to 'wiretap')

diff --git a/wiretap/pcapng.c b/wiretap/pcapng.c
index d5c7fde82a..1f8b68330a 100644
--- a/wiretap/pcapng.c
+++ b/wiretap/pcapng.c
@@ -2519,9 +2519,8 @@ pcapng_read_systemd_journal_export_block(wtap *wth, FILE_T fh, pcapng_block_head
         return FALSE;
     }
 
-    wblock->rec->rec_type = REC_TYPE_FT_SPECIFIC_EVENT;
-    wblock->rec->rec_header.ft_specific_header.record_type = BLOCK_TYPE_SYSTEMD_JOURNAL;
-    wblock->rec->rec_header.ft_specific_header.record_len = entry_length;
+    wblock->rec->rec_type = REC_TYPE_SYSTEMD_JOURNAL;
+    wblock->rec->rec_header.systemd_journal_header.record_len = entry_length;
 
     wblock->rec->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
     wblock->rec->tsprec = WTAP_TSPREC_USEC;
@@ -3863,23 +3862,23 @@ pcapng_write_systemd_journal_export_block(wtap_dumper *wdh, const wtap_rec *rec,
     guint32 pad_len;
 
     /* Don't write anything we're not willing to read. */
-    if (rec->rec_header.ft_specific_header.record_len > WTAP_MAX_PACKET_SIZE_STANDARD) {
+    if (rec->rec_header.systemd_journal_header.record_len > WTAP_MAX_PACKET_SIZE_STANDARD) {
         *err = WTAP_ERR_PACKET_TOO_LARGE;
         return FALSE;
     }
 
-    if (rec->rec_header.ft_specific_header.record_len % 4) {
-        pad_len = 4 - (rec->rec_header.ft_specific_header.record_len % 4);
+    if (rec->rec_header.systemd_journal_header.record_len % 4) {
+        pad_len = 4 - (rec->rec_header.systemd_journal_header.record_len % 4);
     } else {
         pad_len = 0;
     }
 
     /* write systemd journal export block header */
     bh.block_type = BLOCK_TYPE_SYSTEMD_JOURNAL;
-    bh.block_total_length = (guint32)sizeof(bh) + rec->rec_header.ft_specific_header.record_len + pad_len + 4;
+    bh.block_total_length = (guint32)sizeof(bh) + rec->rec_header.systemd_journal_header.record_len + pad_len + 4;
 
     pcapng_debug("%s: writing %u bytes, %u padded", G_STRFUNC,
-                 rec->rec_header.ft_specific_header.record_len,
+                 rec->rec_header.systemd_journal_header.record_len,
                  bh.block_total_length);
 
     if (!wtap_dump_file_write(wdh, &bh, sizeof bh, err))
@@ -3887,9 +3886,9 @@ pcapng_write_systemd_journal_export_block(wtap_dumper *wdh, const wtap_rec *rec,
     wdh->bytes_dumped += sizeof bh;
 
     /* write entry data */
-    if (!wtap_dump_file_write(wdh, pd, rec->rec_header.ft_specific_header.record_len, err))
+    if (!wtap_dump_file_write(wdh, pd, rec->rec_header.systemd_journal_header.record_len, err))
         return FALSE;
-    wdh->bytes_dumped += rec->rec_header.ft_specific_header.record_len;
+    wdh->bytes_dumped += rec->rec_header.systemd_journal_header.record_len;
 
     /* write padding (if any) */
     if (pad_len != 0) {
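Review bot: pcapng_write_systemd_journal_export_block now reads `rec->rec_header.systemd_journal_header.record_len` unconditionally, but that union member is only meaningful when `rec->rec_type == REC_TYPE_SYSTEMD_JOURNAL`; the function itself never checks the record type, and it relies on pcapng_dump's switch (in a later hunk) to route only journal records here. If `wtap_ft_specific_header` keeps a `record_type` field ahead of its `record_len` (the removed lines show both fields exist, not their order), the two `record_len` members do not share an offset, so a caller that still hands this function a file-type-specific record would silently pick up an unrelated value as the length and the `WTAP_MAX_PACKET_SIZE_STANDARD` bound would be checked against the wrong number. A guard at the top, `if (rec->rec_type != REC_TYPE_SYSTEMD_JOURNAL) { *err = WTAP_ERR_UNWRITABLE_REC_TYPE; return FALSE; }`, makes the precondition explicit. The seven repetitions of the accessor would also read better hoisted into `const guint32 record_len = rec->rec_header.systemd_journal_header.record_len;` right after the `guint32 pad_len;` declaration. The function begins before this hunk and continues past the end of the second one.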
@@ -4824,12 +4823,6 @@ static gboolean pcapng_dump(wtap_dumper *wdh,
 
         case REC_TYPE_FT_SPECIFIC_EVENT:
         case REC_TYPE_FT_SPECIFIC_REPORT:
-            if (rec->rec_header.ft_specific_header.record_type == WTAP_FILE_TYPE_SUBTYPE_SYSTEMD_JOURNAL) {
-                if (!pcapng_write_systemd_journal_export_block(wdh, rec, pd, err)) {
-                    return FALSE;
-                }
-                return TRUE;
-            }
 #ifdef HAVE_PLUGINS
             /*
              * Do we have a handler for this block type?
@@ -4855,6 +4848,12 @@ static gboolean pcapng_dump(wtap_dumper *wdh,
             }
             break;
 
+        case REC_TYPE_SYSTEMD_JOURNAL:
+            if (!pcapng_write_systemd_journal_export_block(wdh, rec, pd, err)) {
+                return FALSE;
+            }
+            break;
+
         default:
             /* We don't support writing this record type. */
             *err = WTAP_ERR_UNWRITABLE_REC_TYPE;
diff --git a/wiretap/systemd_journal.c b/wiretap/systemd_journal.c
index c247bd5411..4414404199 100644
--- a/wiretap/systemd_journal.c
+++ b/wiretap/systemd_journal.c
@@ -225,10 +225,9 @@ systemd_journal_read_export_entry(FILE_T fh, wtap_rec *rec, Buffer *buf, int *er
         return FALSE;
     }
 
-    rec->rec_type = REC_TYPE_FT_SPECIFIC_EVENT;
+    rec->rec_type = REC_TYPE_SYSTEMD_JOURNAL;
     rec->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
-    rec->rec_header.ft_specific_header.record_type = WTAP_FILE_TYPE_SUBTYPE_SYSTEMD_JOURNAL;
-    rec->rec_header.ft_specific_header.record_len = (guint32) fld_end;
+    rec->rec_header.systemd_journal_header.record_len = (guint32) fld_end;
 
     return TRUE;
 }
diff --git a/wiretap/wtap.h b/wiretap/wtap.h
index 6c64dd5e57..e01b30c461 100644
--- a/wiretap/wtap.h
+++ b/wiretap/wtap.h
@@ -1296,6 +1296,7 @@ union wtap_pseudo_header {
 #define REC_TYPE_FT_SPECIFIC_EVENT    1    /**< file-type-specific event */
 #define REC_TYPE_FT_SPECIFIC_REPORT   2    /**< file-type-specific report */
 #define REC_TYPE_SYSCALL              3    /**< system call */
+#define REC_TYPE_SYSTEMD_JOURNAL      4    /**< systemd journal entry */
 
 typedef struct {
     guint32   caplen;           /* data length in the file */
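Review bot: The `(guint32) fld_end` cast in systemd_journal_read_export_entry truncates silently, and neither the type of `fld_end` nor the bound the loop above places on it is visible in this hunk; the pcapng writer's `record_len > WTAP_MAX_PACKET_SIZE_STANDARD` check in the earlier hunk is only meaningful if the value stored here has not already wrapped. If `fld_end` is a `size_t` bounded by buffer growth rather than by `WTAP_MAX_PACKET_SIZE_STANDARD`, the reader should reject oversized entries before the cast, e.g. `if (fld_end > WTAP_MAX_PACKET_SIZE_STANDARD) { *err = WTAP_ERR_PACKET_TOO_LARGE; return FALSE; }`; if the read loop already caps it at that limit, a one-line comment saying so next to the cast would stop the next reader from asking the same question. The function begins before this hunk.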
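Review bot: Adding `REC_TYPE_SYSTEMD_JOURNAL` as a fourth `REC_TYPE_*` value changes the contract for every `switch (rec->rec_type)` in the tree, but this commit only updates pcapng_dump; any other dispatch on the record type — other file-format writers, or code that still reaches into `rec_header.ft_specific_header.record_len` for what used to be a file-type-specific event — now sees a value it was not written for and will either take its `default:` path or read a different union member (I cannot see those callers from here, so treat this as a checklist item rather than a confirmed defect). Since C gives no exhaustiveness check for `#define` constants, the comment on the new line should at least say which `rec_header` member it selects, e.g. `#define REC_TYPE_SYSTEMD_JOURNAL 4 /**< systemd journal entry; rec_header.systemd_journal_header is valid */`.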
@@ -1402,6 +1403,10 @@ typedef struct {
     /* ... Event ... */
 } wtap_syscall_header;
 
+typedef struct {
+    guint32   record_len;       /* length of the record */
+} wtap_systemd_journal_header;
+
 typedef struct {
     guint     rec_type;          /* what type of record is this? */
     guint32   presence_flags;    /* what stuff do we have? */
@@ -1411,6 +1416,7 @@ typedef struct {
         wtap_packet_header packet_header;
         wtap_ft_specific_header ft_specific_header;
         wtap_syscall_header syscall_header;
+        wtap_systemd_journal_header systemd_journal_header;
     } rec_header;
     /*
      * XXX - this should become a full set of options.
-- 
cgit v1.2.3
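Review bot: The new `wtap_systemd_journal_header` carries no comment tying it to its record type, and `/* length of the record */` does not say length of what: the two readers in this commit store the byte count of the entry data (`entry_length` in pcapng.c, `fld_end` in systemd_journal.c), and the pcapng writer computes `block_total_length` as header plus `record_len` plus padding plus 4, so the field is the unpadded payload size, not the on-disk block size. A header comment of the form `/* Header for a REC_TYPE_SYSTEMD_JOURNAL record; valid only when rec_type is that value. */` above the typedef, with the field comment changed to `/* length, in bytes, of the journal entry data in the buffer (no pcapng block header or padding) */`, would pin that down. Because this struct sits in the same union as `wtap_ft_specific_header`, it is also worth stating explicitly in the comment that code must consult `rec_type` before picking a member, since the `record_len` fields of the two structs are not guaranteed to share an offset.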