wiretap: Adjust the pcapng systemd Journal length check.

Reduce the minimum systemd journal block size from 212 to 35. The larger minimum was based on the Journal Export Format file reader, but we don't need to be as strict here. Update some comments. Bug: 16734 Change-Id: Iad7227f29ff22f908e2fd49be0f11c9ad03fa7b9 Reviewed-on: https://code.wireshark.org/review/38035 Reviewed-by: Gerald Combs <gerald@wireshark.org> Petri-Dish: Gerald Combs <gerald@wireshark.org> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2020-08-02 14:56:05 -07:00 · 2020-08-02 14:56:05 -07:00 · e387a4752c
parent a4fe4e449b
commit e387a4752c
2 changed files with 9 additions and 4 deletions
--- a/wiretap/pcapng.c
+++ b/wiretap/pcapng.c
@ -134,12 +134,12 @@ typedef struct pcapng_name_resolution_block_s {
 #define MIN_SYSDIG_EVENT_SIZE    ((guint32)(MIN_BLOCK_SIZE + SYSDIG_EVENT_HEADER_SIZE))

 /*
- * We require __CURSOR + __REALTIME_TIMESTAMP + __MONOTONIC_TIMESTAMP in
- * systemd journal export entries, which is 200 bytes or so (203 on a test
- * system here).
+ * We require __REALTIME_TIMESTAMP in the Journal Export Format reader in
+ * order to set each packet timestamp. Require it here as well, although
+ * it's not strictly necessary.
 */
 #define SDJ__REALTIME_TIMESTAMP "__REALTIME_TIMESTAMP="
-#define MIN_SYSTEMD_JOURNAL_EXPORT_ENTRY_SIZE    200
+#define MIN_SYSTEMD_JOURNAL_EXPORT_ENTRY_SIZE    23 // "__REALTIME_TIMESTAMP=0\n"
 #define MIN_SYSTEMD_JOURNAL_EXPORT_BLOCK_SIZE    ((guint32)(MIN_SYSTEMD_JOURNAL_EXPORT_ENTRY_SIZE + MIN_BLOCK_SIZE))

 /* pcapng: common option header file encoding for every option type */
--- a/wiretap/systemd_journal.c
+++ b/wiretap/systemd_journal.c
@ -53,6 +53,11 @@ static gboolean systemd_journal_read_export_entry(FILE_T fh, wtap_rec *rec,
 #define MAX_EXPORT_ENTRY_LENGTH WTAP_MAX_PACKET_SIZE_STANDARD
 #define MAX_EXPORT_ENTRY_LINES 100

+// Strictly speaking, we only need __REALTIME_TIMESTAMP= since we use
+// that to set the packet timestamp. According to
+// https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html
+// __CURSOR= and __MONOTONIC_TIMESTAMP= should be present as well, so
+// check for them order to improve our heuristics.
 #define FLD__CURSOR "__CURSOR="
 #define FLD__REALTIME_TIMESTAMP "__REALTIME_TIMESTAMP="
 #define FLD__MONOTONIC_TIMESTAMP "__MONOTONIC_TIMESTAMP="