Add base64 encoding and snap length support (#410)

sysdig-CLA-1.0-signed-off-by: Yue Feng <ztz5651483@gmail.com> falco-CLA-1.0-signed-off-by: Yue Feng <ztz5651483@gmail.com>
2025-09-05 08:40:52 +00:00 · 2018-09-26 03:44:09 +08:00
parent fc70c635d1
commit 6b82ecfa79
2 changed files with 46 additions and 4 deletions
--- a/userspace/engine/formats.cpp
+++ b/userspace/engine/formats.cpp
@@ -116,7 +116,27 @@ int falco_formats::format_event (lua_State *ls)

 		if(s_json_output)
 		{
+			switch(s_inspector->get_buffer_format())
+			{
+				case sinsp_evt::PF_NORMAL:
 					s_inspector->set_buffer_format(sinsp_evt::PF_JSON);
+					break;
+				case sinsp_evt::PF_EOLS:
+					s_inspector->set_buffer_format(sinsp_evt::PF_JSONEOLS);
+					break;
+				case sinsp_evt::PF_HEX:
+					s_inspector->set_buffer_format(sinsp_evt::PF_JSONHEX);
+					break;
+				case sinsp_evt::PF_HEXASCII:
+					s_inspector->set_buffer_format(sinsp_evt::PF_JSONHEXASCII);
+					break;
+				case sinsp_evt::PF_BASE64:
+					s_inspector->set_buffer_format(sinsp_evt::PF_JSONBASE64);
+					break;
+				default:
+					// do nothing
+					break;
+			}
 			s_formatters->tostring(evt, sformat, &json_line);

 			// The formatted string might have a leading newline. If it does, remove it.
@@ -124,8 +144,6 @@ int falco_formats::format_event (lua_State *ls)
 			{
 				json_line.erase(0, 1);
 			}
-
-			s_inspector->set_buffer_format(sinsp_evt::PF_NORMAL);
 		}
 	}
 	catch (sinsp_exception& e)
--- a/userspace/falco/falco.cpp
+++ b/userspace/falco/falco.cpp
@@ -70,6 +70,8 @@ static void usage()
 	   " -h, --help                    Print this page\n"
 	   " -c                            Configuration file (default " FALCO_SOURCE_CONF_FILE ", " FALCO_INSTALL_CONF_FILE ")\n"
 	   " -A                            Monitor all events, including those with EF_DROP_FALCO flag.\n"
+	   " -b, --print-base64            Print data buffers in base64. This is useful for encoding\n"
+	   "                               binary data that needs to be used over media designed to\n"
 	   " -d, --daemon                  Run as a daemon\n"
 	   " -D <pattern>                  Disable any rules matching the regex <pattern>. Can be specified multiple times.\n"
 	   "                               Can not be specified with -t.\n"
@@ -115,6 +117,10 @@ static void usage()
           "                               from multiple files/directories.\n"
 	   " -s <stats_file>               If specified, write statistics related to falco's reading/processing of events\n"
 	   "                               to this file. (Only useful in live mode).\n"
+	   " -S <len>, --snaplen=<len>\n"
+	   "                  		   Capture the first <len> bytes of each I/O buffer.\n"
+	   "                   		   By default, the first 80 bytes are captured. Use this\n"
+	   "                   		   option with caution, it can generate huge trace files.\n"
 	   " -T <tag>                      Disable any rules with a tag=<tag>. Can be specified multiple times.\n"
 	   "                               Can not be specified with -t.\n"
 	   " -t <tag>                      Only run those rules with a tag=<tag>. Can be specified multiple times.\n"
@@ -293,6 +299,7 @@ int falco_init(int argc, char **argv)
 {
 	int result = EXIT_SUCCESS;
 	sinsp* inspector = NULL;
+	sinsp_evt::param_fmt event_buffer_format = sinsp_evt::PF_NORMAL;
 	falco_engine *engine = NULL;
 	falco_outputs *outputs = NULL;
 	int op;
@@ -313,6 +320,7 @@ int falco_init(int argc, char **argv)
 	string* k8s_api_cert = 0;
 	string* mesos_api = 0;
 	string output_format = "";
+	uint32_t snaplen = 0;
 	bool replace_container_info = false;
 	int duration_to_tot = 0;
 	bool print_ignored_events = false;
@@ -341,6 +349,7 @@ int falco_init(int argc, char **argv)
 		{"option", required_argument, 0, 'o'},
 		{"print", required_argument, 0, 'p' },
 		{"pidfile", required_argument, 0, 'P' },
+		{"snaplen", required_argument, 0, 'S' },
 		{"unbuffered", no_argument, 0, 'U' },
 		{"version", no_argument, 0, 0 },
 		{"validate", required_argument, 0, 'V' },
@@ -362,7 +371,7 @@ int falco_init(int argc, char **argv)
 		// Parse the args
 		//
 		while((op = getopt_long(argc, argv,
-                                        "hc:AdD:e:ik:K:Ll:m:M:o:P:p:r:s:T:t:UvV:w:",
+                                        "hc:AbdD:e:ik:K:Ll:m:M:o:P:p:r:S:s:T:t:UvV:w:",
                                        long_options, &long_index)) != -1)
 		{
 			switch(op)
@@ -376,6 +385,9 @@ int falco_init(int argc, char **argv)
 			case 'A':
 				all_events = true;
 				break;
+			case 'b':
+				event_buffer_format = sinsp_evt::PF_BASE64;
+				break;
 			case 'd':
 				daemon = true;
 				break;
@@ -444,6 +456,9 @@ int falco_init(int argc, char **argv)
 			case 'r':
 				falco_configuration::read_rules_file_directory(string(optarg), rules_filenames);
 				break;
+			case 'S':
+				snaplen = atoi(optarg);
+				break;
 			case 's':
 				stats_filename = optarg;
 				break;
@@ -482,6 +497,15 @@ int falco_init(int argc, char **argv)
 		}

 		inspector = new sinsp();
+		inspector->set_buffer_format(event_buffer_format);
+
+		//
+		// If required, set the snaplen
+		//
+		if(snaplen != 0)
+		{
+			inspector->set_snaplen(snaplen);
+		}

 		if(print_ignored_events)
 		{