23374838686

Committed 21 Mar 2026 07:29AM UTC coverage: 59.341% (-20.0%) from 79.315%

Build # 23374838686

Build Type

Pull #15075

github

Committed by

web-flow

Commit Message

Merge 90b4e834f into 6587e363a

Pull Request Pull Request #15075: Stack 8001 v16.4

Coverage Stats

38 of 70 new or added lines in 10 files covered. (54.29%)

34165 existing lines in 563 files now uncovered.

119621 of 201584 relevant lines covered (59.34%)

650666.92 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

6.03

/src/runmode-pcap.c

/* Copyright (C) 2007-2022 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

#include "suricata-common.h"
#include "runmode-pcap.h"
#include "runmodes.h"
#include "output.h"

#include "util-conf.h"
#include "util-debug.h"
#include "util-time.h"
#include "util-cpu.h"
#include "util-device-private.h"
#include "util-runmodes.h"
#include "util-misc.h"
#include "util-byte.h"

const char *RunModeIdsGetDefaultMode(void)
{
    return "autofp";
}

int RunModeIdsPcapWorkers(void);

void RunModeIdsPcapRegister(void)
{
    RunModeRegisterNewRunMode(RUNMODE_PCAP_DEV, "single", "Single threaded pcap live mode",
            RunModeIdsPcapSingle, NULL);
    RunModeRegisterNewRunMode(RUNMODE_PCAP_DEV, "autofp",
            "Multi-threaded pcap live mode. Packets from each flow are assigned to a consistent "
            "detection thread",
            RunModeIdsPcapAutoFp, NULL);
    RunModeRegisterNewRunMode(RUNMODE_PCAP_DEV, "workers",
            "Workers pcap live mode, each thread does all"
            " tasks from acquisition to logging",
            RunModeIdsPcapWorkers, NULL);
}

static void PcapDerefConfig(void *conf)
{
    PcapIfaceConfig *pfp = (PcapIfaceConfig *)conf;
    /* Pcap config is used only once but cost of this low. */
    if (SC_ATOMIC_SUB(pfp->ref, 1) == 1) {
        SCFree(pfp);
    }
}

static void *ParsePcapConfig(const char *iface)
{
    const char *threadsstr = NULL;
    SCConfNode *if_root;
    SCConfNode *if_default = NULL;
    SCConfNode *pcap_node;
    PcapIfaceConfig *aconf = SCMalloc(sizeof(*aconf));
    const char *tmpbpf;
    const char *tmpctype;
    intmax_t value;
    int promisc = 0;
    intmax_t snaplen = 0;

    if (unlikely(aconf == NULL)) {
        return NULL;
    }

    if (iface == NULL) {
        SCFree(aconf);
        return NULL;
    }

    memset(aconf, 0x00, sizeof(*aconf));
    strlcpy(aconf->iface, iface, sizeof(aconf->iface));

    aconf->buffer_size = 0;
    /* If set command line option has precedence over config */
    if ((SCConfGetInt("pcap.buffer-size", &value)) == 1) {
        if (value >= 0 && value <= INT_MAX) {
            SCLogInfo("Pcap will use %d buffer size", (int)value);
            aconf->buffer_size = (int)value;
        } else {
            SCLogWarning("pcap.buffer-size "
                         "value of %" PRIiMAX " is invalid. Valid range is "
                         "0-2147483647",
                    value);
        }
    }

    aconf->checksum_mode = CHECKSUM_VALIDATION_AUTO;
    aconf->bpf_filter = NULL;
    if ((SCConfGet("bpf-filter", &tmpbpf)) == 1) {
        aconf->bpf_filter = tmpbpf;
    }

    SC_ATOMIC_INIT(aconf->ref);
    aconf->DerefFunc = PcapDerefConfig;
    aconf->threads = 1;

    /* Find initial node */
    pcap_node = SCConfGetNode("pcap");
    if (pcap_node == NULL) {
        SCLogInfo("Unable to find pcap config using default value");
        return aconf;
    }

    if_root = ConfFindDeviceConfig(pcap_node, iface);

    if_default = ConfFindDeviceConfig(pcap_node, "default");

    if (if_root == NULL && if_default == NULL) {
        SCLogInfo("Unable to find pcap config for "
                  "interface %s, using default value",
                  iface);
        return aconf;
    }

    /* If there is no setting for current interface use default one as main iface */
    if (if_root == NULL) {
        if_root = if_default;
        if_default = NULL;
    }

    if (SCConfGetChildValueWithDefault(if_root, if_default, "threads", &threadsstr) != 1) {
        aconf->threads = 1;
    } else {
        if (threadsstr != NULL) {
            if (StringParseUint16(&aconf->threads, 10, 0, (const char *)threadsstr) < 0) {
                SCLogWarning("Invalid value for "
                             "pcap.threads: %s, resetting to 1",
                        threadsstr);
                aconf->threads = 1;
            }
        }
    }
    if (aconf->threads == 0) {
        aconf->threads = 1;
    }
    (void) SC_ATOMIC_ADD(aconf->ref, aconf->threads);

    if (aconf->buffer_size == 0) {
        const char *s_limit = NULL;
        int ret;
        ret = SCConfGetChildValueWithDefault(if_root, if_default, "buffer-size", &s_limit);
        if (ret == 1 && s_limit) {
            uint64_t bsize = 0;

            if (ParseSizeStringU64(s_limit, &bsize) < 0) {
                SCLogError("Failed to parse pcap buffer size: %s", s_limit);
            } else {
                /* the string 2gb returns 2147483648 which is 1 to high
                 * for a int. */
                if (bsize == (uint64_t)((uint64_t)INT_MAX + (uint64_t)1))
                    bsize = (uint64_t)INT_MAX;

                if (bsize > INT_MAX) {
                    SCLogError("Failed to set pcap buffer size: 2gb max. %" PRIu64 " > %d", bsize,
                            INT_MAX);
                } else {
                    aconf->buffer_size = (int)bsize;
                }
            }
        }
    }

    if (aconf->bpf_filter == NULL) {
        /* set bpf filter if we have one */
        if (SCConfGetChildValueWithDefault(if_root, if_default, "bpf-filter", &tmpbpf) != 1) {
            SCLogDebug("could not get bpf or none specified");
        } else {
            aconf->bpf_filter = tmpbpf;
        }
    } else {
        SCLogInfo("BPF filter set from command line or via old 'bpf-filter' option.");
    }

    if (SCConfGetChildValueWithDefault(if_root, if_default, "checksum-checks", &tmpctype) == 1) {
        if (strcmp(tmpctype, "auto") == 0) {
            aconf->checksum_mode = CHECKSUM_VALIDATION_AUTO;
        } else if (SCConfValIsTrue(tmpctype)) {
            aconf->checksum_mode = CHECKSUM_VALIDATION_ENABLE;
        } else if (SCConfValIsFalse(tmpctype)) {
            aconf->checksum_mode = CHECKSUM_VALIDATION_DISABLE;
        } else {
            SCLogError("Invalid value for checksum-checks for %s", aconf->iface);
        }
    }

    aconf->promisc = LIBPCAP_PROMISC;
    if (SCConfGetChildValueBoolWithDefault(if_root, if_default, "promisc", &promisc) != 1) {
        SCLogDebug("could not get promisc or none specified");
    } else {
        aconf->promisc = promisc;
    }

    aconf->snaplen = 0;
    if (SCConfGetChildValueIntWithDefault(if_root, if_default, "snaplen", &snaplen) != 1) {
        SCLogDebug("could not get snaplen or none specified");
    } else if (snaplen < INT_MIN || snaplen > INT_MAX) {
        SCLogDebug("snaplen value is not in the accepted range");
    } else {
        aconf->snaplen = (int)snaplen;
    }

    return aconf;
}

static uint16_t PcapConfigGeThreadsCount(void *conf)
{
    PcapIfaceConfig *pfp = (PcapIfaceConfig *)conf;
    return pfp->threads;
}

/**
 * \brief Single thread version of the Pcap live processing.
 */
int RunModeIdsPcapSingle(void)
{
    int ret;
    const char *live_dev = NULL;

    SCEnter();

    TimeModeSetLive();

    (void)SCConfGet("pcap.single-pcap-dev", &live_dev);

    ret = RunModeSetLiveCaptureSingle(ParsePcapConfig,
                                    PcapConfigGeThreadsCount,
                                    "ReceivePcap",
                                    "DecodePcap", thread_name_single,
                                    live_dev);
    if (ret != 0) {
        FatalError("Runmode start failed");
    }

    SCLogDebug("RunModeIdsPcapSingle initialised");

    SCReturnInt(0);
}

/**
 * \brief RunModIdsPcapAutoFp set up the following thread packet handlers:
 *        - Receive thread (from pcap device)
 *        - Decode thread
 *        - Stream thread
 *        - Detect: If we have only 1 cpu, it will setup one Detect thread
 *                  If we have more than one, it will setup num_cpus - 1
 *                  starting from the second cpu available.
 *        - Outputs thread
 *        By default the threads will use the first cpu available
 *        except the Detection threads if we have more than one cpu.
 *
 * \retval 0 If all goes well. (If any problem is detected the engine will
 *           exit()).
 */
int RunModeIdsPcapAutoFp(void)
{
    int ret;
    const char *live_dev = NULL;

    SCEnter();
    TimeModeSetLive();

    (void)SCConfGet("pcap.single-pcap-dev", &live_dev);

    ret = RunModeSetLiveCaptureAutoFp(ParsePcapConfig, PcapConfigGeThreadsCount, "ReceivePcap",
            "DecodePcap", thread_name_autofp, live_dev);
    if (ret != 0) {
        FatalError("Runmode start failed");
    }

    SCLogDebug("RunModeIdsPcapAutoFp initialised");

    SCReturnInt(0);
}

/**
 * \brief Workers version of the PCAP LIVE processing.
 *
 * Start N threads with each thread doing all the work.
 *
 */
int RunModeIdsPcapWorkers(void)
{
    int ret;
    const char *live_dev = NULL;
    SCEnter();

    TimeModeSetLive();

    (void)SCConfGet("pcap.single-pcap-dev", &live_dev);

    ret = RunModeSetLiveCaptureWorkers(ParsePcapConfig, PcapConfigGeThreadsCount, "ReceivePcap",
            "DecodePcap", thread_name_workers, live_dev);
    if (ret != 0) {
        FatalError("Unable to start runmode");
    }

    SCLogDebug("RunModeIdsPcapWorkers initialised");

    SCReturnInt(0);
}

1	/* Copyright (C) 2007-2022 Open Information Security Foundation
2	*
3	* You can copy, redistribute or modify this Program under the terms of
4	* the GNU General Public License version 2 as published by the Free
5	* Software Foundation.
6	*
7	* This program is distributed in the hope that it will be useful,
8	* but WITHOUT ANY WARRANTY; without even the implied warranty of
9	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10	* GNU General Public License for more details.
11	*
12	* You should have received a copy of the GNU General Public License
13	* version 2 along with this program; if not, write to the Free Software
14	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15	* 02110-1301, USA.
16	*/
17
18	#include "suricata-common.h"
19	#include "runmode-pcap.h"
20	#include "runmodes.h"
21	#include "output.h"
22
23	#include "util-conf.h"
24	#include "util-debug.h"
25	#include "util-time.h"
26	#include "util-cpu.h"
27	#include "util-device-private.h"
28	#include "util-runmodes.h"
29	#include "util-misc.h"
30	#include "util-byte.h"
31
32	const char *RunModeIdsGetDefaultMode(void)
33	{	×
34	return "autofp";	×
35	}	×
36
37	int RunModeIdsPcapWorkers(void);
38
39	void RunModeIdsPcapRegister(void)
40	{	7✔
41	RunModeRegisterNewRunMode(RUNMODE_PCAP_DEV, "single", "Single threaded pcap live mode",	7✔
42	RunModeIdsPcapSingle, NULL);	7✔
43	RunModeRegisterNewRunMode(RUNMODE_PCAP_DEV, "autofp",	7✔
44	"Multi-threaded pcap live mode. Packets from each flow are assigned to a consistent "	7✔
45	"detection thread",	7✔
46	RunModeIdsPcapAutoFp, NULL);	7✔
47	RunModeRegisterNewRunMode(RUNMODE_PCAP_DEV, "workers",	7✔
48	"Workers pcap live mode, each thread does all"	7✔
49	" tasks from acquisition to logging",	7✔
50	RunModeIdsPcapWorkers, NULL);	7✔
51	}	7✔
52
53	static void PcapDerefConfig(void *conf)
UNCOV 54	{	×
UNCOV 55	PcapIfaceConfig pfp = (PcapIfaceConfig )conf;	×
56	/* Pcap config is used only once but cost of this low. */
UNCOV 57	if (SC_ATOMIC_SUB(pfp->ref, 1) == 1) {	×
UNCOV 58	SCFree(pfp);	×
UNCOV 59	}	×
UNCOV 60	}	×
61
62	static void ParsePcapConfig(const char iface)
UNCOV 63	{	×
UNCOV 64	const char *threadsstr = NULL;	×
UNCOV 65	SCConfNode *if_root;	×
UNCOV 66	SCConfNode *if_default = NULL;	×
UNCOV 67	SCConfNode *pcap_node;	×
UNCOV 68	PcapIfaceConfig aconf = SCMalloc(sizeof(aconf));	×
UNCOV 69	const char *tmpbpf;	×
UNCOV 70	const char *tmpctype;	×
UNCOV 71	intmax_t value;	×
UNCOV 72	int promisc = 0;	×
UNCOV 73	intmax_t snaplen = 0;	×
74
UNCOV 75	if (unlikely(aconf == NULL)) {	×
76	return NULL;	×
77	}	×
78
UNCOV 79	if (iface == NULL) {	×
80	SCFree(aconf);	×
81	return NULL;	×
82	}	×
83
UNCOV 84	memset(aconf, 0x00, sizeof(*aconf));	×
UNCOV 85	strlcpy(aconf->iface, iface, sizeof(aconf->iface));	×
86
UNCOV 87	aconf->buffer_size = 0;	×
88	/* If set command line option has precedence over config */
UNCOV 89	if ((SCConfGetInt("pcap.buffer-size", &value)) == 1) {	×
90	if (value >= 0 && value <= INT_MAX) {	×
91	SCLogInfo("Pcap will use %d buffer size", (int)value);	×
92	aconf->buffer_size = (int)value;	×
93	} else {	×
94	SCLogWarning("pcap.buffer-size "	×
95	"value of %" PRIiMAX " is invalid. Valid range is "	×
96	"0-2147483647",	×
97	value);	×
98	}	×
99	}	×
100
UNCOV 101	aconf->checksum_mode = CHECKSUM_VALIDATION_AUTO;	×
UNCOV 102	aconf->bpf_filter = NULL;	×
UNCOV 103	if ((SCConfGet("bpf-filter", &tmpbpf)) == 1) {	×
104	aconf->bpf_filter = tmpbpf;	×
105	}	×
106
UNCOV 107	SC_ATOMIC_INIT(aconf->ref);	×
UNCOV 108	aconf->DerefFunc = PcapDerefConfig;	×
UNCOV 109	aconf->threads = 1;	×
110
111	/* Find initial node */
UNCOV 112	pcap_node = SCConfGetNode("pcap");	×
UNCOV 113	if (pcap_node == NULL) {	×
114	SCLogInfo("Unable to find pcap config using default value");	×
115	return aconf;	×
116	}	×
117
UNCOV 118	if_root = ConfFindDeviceConfig(pcap_node, iface);	×
119
UNCOV 120	if_default = ConfFindDeviceConfig(pcap_node, "default");	×
121
UNCOV 122	if (if_root == NULL && if_default == NULL) {	×
123	SCLogInfo("Unable to find pcap config for "	×
124	"interface %s, using default value",	×
125	iface);	×
126	return aconf;	×
127	}	×
128
129	/* If there is no setting for current interface use default one as main iface */
UNCOV 130	if (if_root == NULL) {	×
131	if_root = if_default;	×
132	if_default = NULL;	×
133	}	×
134
UNCOV 135	if (SCConfGetChildValueWithDefault(if_root, if_default, "threads", &threadsstr) != 1) {	×
UNCOV 136	aconf->threads = 1;	×
UNCOV 137	} else {	×
138	if (threadsstr != NULL) {	×
139	if (StringParseUint16(&aconf->threads, 10, 0, (const char *)threadsstr) < 0) {	×
140	SCLogWarning("Invalid value for "	×
141	"pcap.threads: %s, resetting to 1",	×
142	threadsstr);	×
143	aconf->threads = 1;	×
144	}	×
145	}	×
146	}	×
UNCOV 147	if (aconf->threads == 0) {	×
148	aconf->threads = 1;	×
149	}	×
UNCOV 150	(void) SC_ATOMIC_ADD(aconf->ref, aconf->threads);	×
151
UNCOV 152	if (aconf->buffer_size == 0) {	×
UNCOV 153	const char *s_limit = NULL;	×
UNCOV 154	int ret;	×
UNCOV 155	ret = SCConfGetChildValueWithDefault(if_root, if_default, "buffer-size", &s_limit);	×
UNCOV 156	if (ret == 1 && s_limit) {	×
157	uint64_t bsize = 0;	×
158
159	if (ParseSizeStringU64(s_limit, &bsize) < 0) {	×
160	SCLogError("Failed to parse pcap buffer size: %s", s_limit);	×
161	} else {	×
162	/* the string 2gb returns 2147483648 which is 1 to high
163	* for a int. */
164	if (bsize == (uint64_t)((uint64_t)INT_MAX + (uint64_t)1))	×
165	bsize = (uint64_t)INT_MAX;	×
166
167	if (bsize > INT_MAX) {	×
168	SCLogError("Failed to set pcap buffer size: 2gb max. %" PRIu64 " > %d", bsize,	×
169	INT_MAX);	×
170	} else {	×
171	aconf->buffer_size = (int)bsize;	×
172	}	×
173	}	×
174	}	×
UNCOV 175	}	×
176
UNCOV 177	if (aconf->bpf_filter == NULL) {	×
178	/* set bpf filter if we have one */
UNCOV 179	if (SCConfGetChildValueWithDefault(if_root, if_default, "bpf-filter", &tmpbpf) != 1) {	×
UNCOV 180	SCLogDebug("could not get bpf or none specified");	×
UNCOV 181	} else {	×
182	aconf->bpf_filter = tmpbpf;	×
183	}	×
UNCOV 184	} else {	×
185	SCLogInfo("BPF filter set from command line or via old 'bpf-filter' option.");	×
186	}	×
187
UNCOV 188	if (SCConfGetChildValueWithDefault(if_root, if_default, "checksum-checks", &tmpctype) == 1) {	×
189	if (strcmp(tmpctype, "auto") == 0) {	×
190	aconf->checksum_mode = CHECKSUM_VALIDATION_AUTO;	×
191	} else if (SCConfValIsTrue(tmpctype)) {	×
192	aconf->checksum_mode = CHECKSUM_VALIDATION_ENABLE;	×
193	} else if (SCConfValIsFalse(tmpctype)) {	×
194	aconf->checksum_mode = CHECKSUM_VALIDATION_DISABLE;	×
195	} else {	×
196	SCLogError("Invalid value for checksum-checks for %s", aconf->iface);	×
197	}	×
198	}	×
199
UNCOV 200	aconf->promisc = LIBPCAP_PROMISC;	×
UNCOV 201	if (SCConfGetChildValueBoolWithDefault(if_root, if_default, "promisc", &promisc) != 1) {	×
UNCOV 202	SCLogDebug("could not get promisc or none specified");	×
UNCOV 203	} else {	×
204	aconf->promisc = promisc;	×
205	}	×
206
UNCOV 207	aconf->snaplen = 0;	×
UNCOV 208	if (SCConfGetChildValueIntWithDefault(if_root, if_default, "snaplen", &snaplen) != 1) {	×
UNCOV 209	SCLogDebug("could not get snaplen or none specified");	×
UNCOV 210	} else if (snaplen < INT_MIN \|\| snaplen > INT_MAX) {	×
211	SCLogDebug("snaplen value is not in the accepted range");	×
212	} else {	×
213	aconf->snaplen = (int)snaplen;	×
214	}	×
215
UNCOV 216	return aconf;	×
UNCOV 217	}	×
218
219	static uint16_t PcapConfigGeThreadsCount(void *conf)
UNCOV 220	{	×
UNCOV 221	PcapIfaceConfig pfp = (PcapIfaceConfig )conf;	×
UNCOV 222	return pfp->threads;	×
UNCOV 223	}	×
224
225	/**
226	* \brief Single thread version of the Pcap live processing.
227	*/
228	int RunModeIdsPcapSingle(void)
UNCOV 229	{	×
UNCOV 230	int ret;	×
UNCOV 231	const char *live_dev = NULL;	×
232
UNCOV 233	SCEnter();	×
234
UNCOV 235	TimeModeSetLive();	×
236
UNCOV 237	(void)SCConfGet("pcap.single-pcap-dev", &live_dev);	×
238
UNCOV 239	ret = RunModeSetLiveCaptureSingle(ParsePcapConfig,	×
UNCOV 240	PcapConfigGeThreadsCount,	×
UNCOV 241	"ReceivePcap",	×
UNCOV 242	"DecodePcap", thread_name_single,	×
UNCOV 243	live_dev);	×
UNCOV 244	if (ret != 0) {	×
245	FatalError("Runmode start failed");	×
246	}	×
247
UNCOV 248	SCLogDebug("RunModeIdsPcapSingle initialised");	×
249
UNCOV 250	SCReturnInt(0);	×
UNCOV 251	}	×
252
253	/**
254	* \brief RunModIdsPcapAutoFp set up the following thread packet handlers:
255	* - Receive thread (from pcap device)
256	* - Decode thread
257	* - Stream thread
258	* - Detect: If we have only 1 cpu, it will setup one Detect thread
259	* If we have more than one, it will setup num_cpus - 1
260	* starting from the second cpu available.
261	* - Outputs thread
262	* By default the threads will use the first cpu available
263	* except the Detection threads if we have more than one cpu.
264	*
265	* \retval 0 If all goes well. (If any problem is detected the engine will
266	* exit()).
267	*/
268	int RunModeIdsPcapAutoFp(void)
UNCOV 269	{	×
UNCOV 270	int ret;	×
UNCOV 271	const char *live_dev = NULL;	×
272
UNCOV 273	SCEnter();	×
UNCOV 274	TimeModeSetLive();	×
275
UNCOV 276	(void)SCConfGet("pcap.single-pcap-dev", &live_dev);	×
277
UNCOV 278	ret = RunModeSetLiveCaptureAutoFp(ParsePcapConfig, PcapConfigGeThreadsCount, "ReceivePcap",	×
UNCOV 279	"DecodePcap", thread_name_autofp, live_dev);	×
UNCOV 280	if (ret != 0) {	×
281	FatalError("Runmode start failed");	×
282	}	×
283
UNCOV 284	SCLogDebug("RunModeIdsPcapAutoFp initialised");	×
285
UNCOV 286	SCReturnInt(0);	×
UNCOV 287	}	×
288
289	/**
290	* \brief Workers version of the PCAP LIVE processing.
291	*
292	* Start N threads with each thread doing all the work.
293	*
294	*/
295	int RunModeIdsPcapWorkers(void)
296	{	×
297	int ret;	×
298	const char *live_dev = NULL;	×
299	SCEnter();	×
300
301	TimeModeSetLive();	×
302
303	(void)SCConfGet("pcap.single-pcap-dev", &live_dev);	×
304
305	ret = RunModeSetLiveCaptureWorkers(ParsePcapConfig, PcapConfigGeThreadsCount, "ReceivePcap",	×
306	"DecodePcap", thread_name_workers, live_dev);	×
307	if (ret != 0) {	×
308	FatalError("Unable to start runmode");	×
309	}	×
310
311	SCLogDebug("RunModeIdsPcapWorkers initialised");	×
312
313	SCReturnInt(0);	×
314	}	×

OISF / suricata / 23374838686

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous