2 Unix SMB/CIFS implementation.
3 Utility to extract pcap files from samba (log level 10) log files
5 Copyright (C) Jelmer Vernooij 2003
6 Thanks to Tim Potter for the genial idea
8 Portions (from capconvert.c) (C) Andrew Tridgell 1997
9 Portions (from text2pcap.c) (C) Ashok Narayanan 2001
12 Output NBSS(SMB) packets in hex and convert to pcap adding
15 log2pcap -h < samba.log | text2pcap -T 139,139 - samba.pcap
17 Output directly to pcap format without Eth headers or TCP
20 log2pcap samba.log samba.pcap
23 - Hex to text2pcap outputs are not properly parsed in Wireshark
24 the NBSS or SMB level. This is a bug.
25 - Writing directly to pcap format doesn't include sequence numbers
27 - Check if a packet is a response or request and set IP to/from
28 addresses accordingly. Currently all packets come from the same
29 dummy IP and go to the same dummy IP
30 - Add a message when done parsing about the number of pacekts
32 - Parse NBSS packet header data from log file
33 - Have correct IP and TCP checksums.
36 Samba log level 10 outputs a max of 512 bytes from the packet data
37 section. Packets larger than this will be truncated.
39 This program is free software; you can redistribute it and/or modify
40 it under the terms of the GNU General Public License as published by
41 the Free Software Foundation; either version 3 of the License, or
42 (at your option) any later version.
44 This program is distributed in the hope that it will be useful,
45 but WITHOUT ANY WARRANTY; without even the implied warranty of
46 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
47 GNU General Public License for more details.
49 You should have received a copy of the GNU General Public License
50 along with this program. If not, see <http://www.gnu.org/licenses/>.
54 #include "popt_common.h"
56 /* We don't care about the paranoid malloc checker in this standalone
65 #define itoa(a) ((a) < 0xa?'0'+(a):'A' + (a-0xa))
73 #define TCPDUMP_MAGIC 0xa1b2c3d4
75 /* tcpdump file format */
76 struct tcpdump_file_header {
86 struct tcpdump_packet {
96 uint16 identification;
106 static hdr_ip_t HDR_IP = {0x45, 0, 0, 0x3412, 0, 0, 0xff, 6, 0, 0x01010101, 0x02020202};
120 static hdr_tcp_t HDR_TCP = {139, 139, 0, 0, 0x50, 0, 0, 0, 0};
122 static void print_pcap_header(FILE *out)
124 struct tcpdump_file_header h;
125 h.magic = TCPDUMP_MAGIC;
130 h.snaplen = 102400; /* As long packets as possible */
131 h.linktype = 101; /* Raw IP */
132 fwrite(&h, sizeof(struct tcpdump_file_header), 1, out);
135 static void print_pcap_packet(FILE *out, unsigned char *data, long length,
139 struct tcpdump_packet p;
145 fwrite(&p, sizeof(struct tcpdump_packet), 1, out);
146 fwrite(data, sizeof(unsigned char), caplen, out);
149 static void print_hex_packet(FILE *out, unsigned char *data, long length)
152 while(cur < length) {
153 fprintf(out, "%06lX ", cur);
154 for(i = cur; i < length && i < cur + 16; i++) {
155 fprintf(out, "%02x ", data[i]);
163 static void print_netbios_packet(FILE *out, unsigned char *data, long length,
166 unsigned char *newdata; long offset = 0;
169 newlen = length+sizeof(HDR_IP)+sizeof(HDR_TCP);
170 newdata = (unsigned char *)malloc(newlen);
172 HDR_IP.packet_length = htons(newlen);
173 HDR_TCP.window = htons(0x2000);
174 HDR_TCP.source_port = HDR_TCP.dest_port = htons(139);
176 memcpy(newdata+offset, &HDR_IP, sizeof(HDR_IP));offset+=sizeof(HDR_IP);
177 memcpy(newdata+offset, &HDR_TCP, sizeof(HDR_TCP));offset+=sizeof(HDR_TCP);
178 memcpy(newdata+offset,data,length);
180 print_pcap_packet(out, newdata, newlen, actual_length+offset);
184 unsigned char *curpacket = NULL;
185 unsigned short curpacket_len = 0;
188 /* Read the log message produced by lib/util.c:show_msg() containing the:
194 * [2007/04/08 20:41:39, 5] lib/util.c:show_msg(516)
207 * smb_vwv[ 0]= 117 (0x75)
208 * smb_vwv[ 1]= 128 (0x80)
209 * smb_vwv[ 2]= 1 (0x1)
212 static void read_log_msg(FILE *in, unsigned char **_buffer,
213 unsigned short *buffersize, long *data_offset,
216 unsigned char *buffer;
218 assert(fscanf(in, " size=%hu\n", buffersize)); line_num++;
219 buffer = (unsigned char *)malloc(*buffersize+4); /* +4 for NBSS Header */
220 memset(buffer, 0, *buffersize+4);
221 /* NetBIOS Session Service */
224 memcpy(buffer+2, &buffersize, 2); /* TODO: need to copy as little-endian regardless of platform */
230 assert(fscanf(in, " smb_com=0x%x\n", &tmp)); buffer[smb_com] = tmp; line_num++;
231 assert(fscanf(in, " smb_rcls=%d\n", &tmp)); buffer[smb_rcls] = tmp; line_num++;
232 assert(fscanf(in, " smb_reh=%d\n", &tmp)); buffer[smb_reh] = tmp; line_num++;
233 assert(fscanf(in, " smb_err=%d\n", &tmp)); memcpy(buffer+smb_err, &tmp, 2); line_num++;
234 assert(fscanf(in, " smb_flg=%d\n", &tmp)); buffer[smb_flg] = tmp; line_num++;
235 assert(fscanf(in, " smb_flg2=%d\n", &tmp)); memcpy(buffer+smb_flg2, &tmp, 2); line_num++;
236 assert(fscanf(in, " smb_tid=%d\n", &tmp)); memcpy(buffer+smb_tid, &tmp, 2); line_num++;
237 assert(fscanf(in, " smb_pid=%d\n", &tmp)); memcpy(buffer+smb_pid, &tmp, 2); line_num++;
238 assert(fscanf(in, " smb_uid=%d\n", &tmp)); memcpy(buffer+smb_uid, &tmp, 2); line_num++;
239 assert(fscanf(in, " smb_mid=%d\n", &tmp)); memcpy(buffer+smb_mid, &tmp, 2); line_num++;
240 assert(fscanf(in, " smt_wct=%d\n", &tmp)); buffer[smb_wct] = tmp; line_num++;
241 for(i = 0; i < buffer[smb_wct]; i++) {
242 assert(fscanf(in, " smb_vwv[%*3d]=%*5d (0x%X)\n", &tmp)); line_num++;
243 memcpy(buffer+smb_vwv+i*2, &tmp, 2);
246 *data_offset = smb_vwv+buffer[smb_wct]*2;
247 assert(fscanf(in, " smb_bcc=%ld\n", data_length)); buffer[(*data_offset)] = *data_length; line_num++;
252 /* Read the log message produced by lib/util.c:dump_data() containing:
256 * [2007/04/08 20:41:39, 10] lib/util.c:dump_data(2243)
257 * [000] 00 55 00 6E 00 69 00 78 00 00 00 53 00 61 00 6D .U.n.i.x ...S.a.m
258 * [010] 00 62 00 61 00 20 00 33 00 2E 00 30 00 2E 00 32 .b.a. .3 ...0...2
259 * [020] 00 34 00 2D 00 49 00 73 00 69 00 6C 00 6F 00 6E .4.-.I.s .i.l.o.n
260 * [030] 00 20 00 4F 00 6E 00 65 00 46 00 53 00 20 00 76 . .O.n.e .F.S. .v
261 * [040] 00 34 00 2E 00 30 00 00 00 49 00 53 00 49 00 4C .4...0.. .I.S.I.L
262 * [050] 00 4F 00 4E 00 00 00 .O.N...
264 static long read_log_data(FILE *in, unsigned char *buffer, long data_length)
266 long i, addr; char real[2][16]; int ret;
268 for(i = 0; i < data_length; i++) {
271 /* Read and discard the ascii data after each line. */
272 assert(fscanf(in, " %8c %8c\n", real[0], real[1]) == 2);
274 ret = fscanf(in, " [%03lX]", &addr); line_num++;
277 fprintf(stderr, "%ld: Only first %ld bytes are logged, "
278 "packet trace will be incomplete\n", line_num, i-1);
283 if(!fscanf(in, "%02X", &tmp)) {
285 fprintf(stderr, "%ld: Log message formated incorrectly. "
286 "Only first %ld bytes are logged, packet trace will "
287 "be incomplete\n", line_num, i-1);
288 while ((tmp = getc(in)) != '\n');
294 /* Consume the newline so we don't increment num_lines twice */
295 while ((tmp = getc(in)) != '\n');
299 int main (int argc, char **argv)
301 const char *infile, *outfile;
306 long data_offset, data_length;
307 long data_bytes_read = 0;
309 struct poptOption long_options[] = {
311 { "quiet", 'q', POPT_ARG_NONE, &quiet, 0, "Be quiet, don't output warnings" },
312 { "hex", 'h', POPT_ARG_NONE, &hexformat, 0, "Output format readable by text2pcap" },
316 pc = poptGetContext(NULL, argc, (const char **) argv, long_options,
317 POPT_CONTEXT_KEEP_FIRST);
318 poptSetOtherOptionHelp(pc, "[<infile> [<outfile>]]");
321 while((opt = poptGetNextOpt(pc)) != -1) {
326 poptGetArg(pc); /* Drop argv[0], the program name */
328 infile = poptGetArg(pc);
331 in = fopen(infile, "r");
338 outfile = poptGetArg(pc);
341 out = fopen(outfile, "w+");
344 fprintf(stderr, "Can't find %s, using stdout...\n", outfile);
349 if(!outfile) out = stdout;
351 if(!hexformat)print_pcap_header(out);
354 fgets(buffer, sizeof(buffer), in); line_num++;
355 if(buffer[0] == '[') { /* Header */
356 if(strstr(buffer, "show_msg")) {
358 if(in_packet == 1)continue;
359 read_log_msg(in, &curpacket, &curpacket_len, &data_offset, &data_length);
360 } else if(in_packet && strstr(buffer, "dump_data")) {
361 data_bytes_read = read_log_data(in, curpacket+data_offset, data_length);
364 if(hexformat) print_hex_packet(out, curpacket, curpacket_len);
365 else print_netbios_packet(out, curpacket, curpacket_len, data_bytes_read+data_offset);