Don't read in the whole pcap file when importing
Still not amazingly fast (about 500 packets per second in my tests), but now it won't eat all your ram and start crashing things when given a large file. Requires an upgrade to PacketFu containing pull request 5.unstable
parent
24e6131ad7
commit
04858220f2
|
@ -2205,14 +2205,20 @@ class DBManager
|
|||
|
||||
data = ""
|
||||
::File.open(filename, 'rb') do |f|
|
||||
data = f.read(f.stat.size)
|
||||
data = f.read(4)
|
||||
end
|
||||
|
||||
case data[0,4]
|
||||
when "PK\x03\x04"
|
||||
data = Zip::ZipFile.open(filename)
|
||||
when "\xd4\xc3\xb2\xa1", "\xa1\xb2\xc3\xd4"
|
||||
data = PacketFu::PcapFile.new.readfile(filename)
|
||||
data = PacketFu::PcapFile.new(:filename => filename)
|
||||
else
|
||||
::File.open(filename, 'rb') do |f|
|
||||
sz = f.stat.size
|
||||
print_status("Reading in #{sz} bytes")
|
||||
data = f.read(sz)
|
||||
end
|
||||
end
|
||||
if block
|
||||
import(args.merge(:data => data)) { |type,data| yield type,data }
|
||||
|
@ -2260,7 +2266,10 @@ class DBManager
|
|||
end
|
||||
|
||||
if data and data.kind_of? PacketFu::PcapFile
|
||||
raise DBImportError.new("The pcap file provided is empty.") if data.body.empty?
|
||||
# Don't check for emptiness here because unlike other formats, we
|
||||
# haven't read any actual data in yet, only magic bytes to discover
|
||||
# that this is indeed a pcap file.
|
||||
#raise DBImportError.new("The pcap file provided is empty.") if data.body.empty?
|
||||
@import_filedata ||= {}
|
||||
@import_filedata[:type] = "Libpcap Packet Capture"
|
||||
return :libpcap
|
||||
|
@ -2458,7 +2467,7 @@ class DBManager
|
|||
filename = args[:filename]
|
||||
wspace = args[:wspace] || workspace
|
||||
|
||||
data = PacketFu::PcapFile.new.readfile(filename)
|
||||
data = PacketFu::PcapFile.new(:filename => filename)
|
||||
import_libpcap(args.merge(:data => data))
|
||||
end
|
||||
|
||||
|
@ -2478,7 +2487,7 @@ class DBManager
|
|||
seen_hosts = {}
|
||||
decoded_packets = 0
|
||||
last_count = 0
|
||||
data.body.map {|p| p.data}.each do |p|
|
||||
data.read_packet_bytes do |p|
|
||||
if (decoded_packets >= last_count + 1000) and block
|
||||
yield(:pcap_count, decoded_packets)
|
||||
last_count = decoded_packets
|
||||
|
|
Loading…
Reference in New Issue