Merge pull request #42 from space-jam-/add-pcap-match-dupes

Add an option to support duplicate matches in pcap-match
cisco · Mar 19, 2021 · 35d73eb · 35d73eb
2 parents 291409b + e9842b1
commit 35d73eb
Showing 1 changed file with 20 additions and 7 deletions.
diff --git a/tools/exact-pcap-match.c b/tools/exact-pcap-match.c
@@ -48,6 +48,7 @@ struct
     ch_word max_ref;
     ch_word max_inp;
     bool verbose;
+    ch_word max_dupes;
 } options;
 
 typedef struct
@@ -143,8 +144,6 @@ int snprint_packet (char* out, int max, bool expcap, pcap_pkthdr_t* pkt_hdr,
 
 int main (int argc, char** argv)
 {
-    ch_word result = -1;
-
     signal (SIGHUP, signal_handler);
     signal (SIGINT, signal_handler);
     signal (SIGPIPE, signal_handler);
@@ -162,6 +161,7 @@ int main (int argc, char** argv)
     ch_opt_addii (CH_OPTION_OPTIONAL, 'M', "max-ref", "Max items in the reference file to match  (<0 means all)", &options.max_ref, -1);
     ch_opt_addii (CH_OPTION_OPTIONAL, 'm', "max-inp", "Max items in input file to match (<0 means all)", &options.max_inp, -1);
     ch_opt_addii (CH_OPTION_OPTIONAL, 'n', "num-chars", "Number of bytes from matched packets to output (<0 means all)", &options.num, 64);
+    ch_opt_addii (CH_OPTION_OPTIONAL, 'd', "max-dupes", "Maximum number of duplicate matches allowed for a single packet (default is 0).", &options.max_dupes, 0);
     ch_opt_addbi (CH_OPTION_FLAG, 'v', "verbose", "Printout verbose output", &options.verbose, false);
     ch_opt_parse (argc, argv);
     ch_log_info("Starting PCAP Matcher\n");
@@ -333,15 +333,29 @@ int main (int argc, char** argv)
         /* Look for this packet in the hash map */
         const int64_t caplen = expcap ? inp_hdr->caplen - sizeof(expcap_pktftr_t) : inp_hdr->caplen;
         ch_hash_map_it hmit = hash_map_get_first (hmap, inp_buff.pkt, caplen);
-        if (!hmit.key){
+        if(hmit.key)
+        {
+            ch_word num_matches = 0;
+            value_t* val = (value_t*) hmit.value;
+            while(val->matched_once && num_matches < options.max_dupes)
+            {
+                hmit = hash_map_get_next(hmit);
+                val = (value_t*) hmit.value;
+                num_matches++;
+            }
+        }
+
+        value_t* val = (value_t*) hmit.value;
+        if (!hmit.key || val->matched_once)
+        {
             total_lost++;
-            if (fd_inp_miss > 0)
+            if (fd_inp_miss > 0){
                 dprint_packet (fd_inp_miss, expcap, inp_hdr, inp_buff.ftr, inp_buff.pkt, true, true);
+            }
             continue;
         }
 
         total_matched++;
-        value_t* val = (value_t*) hmit.value;
         char* ref_pkt = (char*) hmit.key;
         pcap_pkthdr_t* ref_hdr = &val->pkt_hdr;
         expcap_pktftr_t* ref_ftr = &val->pkt_ftr;
@@ -434,6 +448,5 @@ int main (int argc, char** argv)
     }
 
     ch_log_info("PCAP matcher, finished\n");
-    return result;
-
+    return 0;
 }