3 Retrieve a packet from a wireshark/tshark core file
4 and save it in a packet-capture file.
7 # Copyright (C) 2013 by Gilbert Ramirez <gram@alumni.rice.edu>
9 # SPDX-License-Identifier: GPL-2.0-or-later
25 re_frame = re.compile(r"^#(?P<num>\d+) ")
26 re_func1 = re.compile(r"^#\d+\s+(?P<func>\w+) \(")
27 re_func2 = re.compile(r"^#\d+\s+0x[A-Fa-f\d]+ in (?P<func>\w+) \(")
29 def __init__(self, lines):
31 # In order; each item is the function name.
33 found_non_bt_frame = 0
37 m = self.re_frame.search(line)
39 # Skip the first frame that gdb shows,
40 # which is not part of the backtrace.
41 if not found_non_bt_frame:
42 found_non_bt_frame = 1
45 # Get the frame number and make sure it's
46 # what we expect it should be.
47 frame_num = int(m.group("num"))
48 if frame_num != frame_will_be:
49 sys.exit("Found frame %d instead of %d" % \
50 (frame_num, frame_will_be))
52 # Find the function name. XXX - need to handle '???'
53 n = self.re_func1.search(line)
55 n = self.re_func2.search(line)
58 func = n.group("func")
60 sys.exit("Function name not found in %s" % (line,))
63 self.frames.append(func)
70 def HasFunction(self, func):
71 return func in self.frames
73 def Frame(self, func):
74 return self.frames.index(func)
77 # Some values from wiretap; wiretap should be a shared
78 # libray and a Python module should be created for it so
79 # this program could just write a libpcap file directly.
80 WTAP_ENCAP_PER_PACKET = -1
81 WTAP_ENCAP_UNKNOWN = 0
82 WTAP_ENCAP_ETHERNET = 1
83 WTAP_ENCAP_TOKEN_RING = 2
87 WTAP_ENCAP_FDDI_BITSWAPPED = 6
90 WTAP_ENCAP_ATM_RFC1483 = 9
91 WTAP_ENCAP_LINUX_ATM_CLIP = 10
93 WTAP_ENCAP_ATM_SNIFFER = 12
95 WTAP_ENCAP_ASCEND = 14
98 WTAP_ENCAP_PPP_WITH_PHDR = 17
99 WTAP_ENCAP_IEEE_802_11 = 18
101 WTAP_ENCAP_FRELAY = 20
102 WTAP_ENCAP_CHDLC = 21
103 WTAP_ENCAP_CISCO_IOS = 22
104 WTAP_ENCAP_LOCALTALK = 23
105 WTAP_ENCAP_PRISM_HEADER = 24
106 WTAP_ENCAP_PFLOG = 25
107 WTAP_ENCAP_AIROPEEK = 26
108 WTAP_ENCAP_HHDLC = 27
109 # last WTAP_ENCAP_ value + 1
110 WTAP_NUM_ENCAP_TYPES = 28
114 WTAP_ENCAP_ETHERNET : 1,
115 WTAP_ENCAP_TOKEN_RING : 6,
116 WTAP_ENCAP_ARCNET : 7,
119 WTAP_ENCAP_FDDI_BITSWAPPED : 10,
120 WTAP_ENCAP_FDDI : 10,
121 WTAP_ENCAP_ATM_RFC1483 : 11,
122 WTAP_ENCAP_RAW_IP : 12,
123 WTAP_ENCAP_LINUX_ATM_CLIP : 16, # or 18, or 19...
124 WTAP_ENCAP_CHDLC : 104,
125 WTAP_ENCAP_IEEE_802_11 : 105,
126 WTAP_ENCAP_SLL : 113,
127 WTAP_ENCAP_LOCALTALK : 114,
128 WTAP_ENCAP_PFLOG : 117,
129 WTAP_ENCAP_CISCO_IOS : 118,
130 WTAP_ENCAP_PRISM_HEADER : 119,
131 WTAP_ENCAP_HHDLC : 121,
136 WTAP_ENCAP_UNKNOWN : "Unknown",
137 WTAP_ENCAP_ETHERNET : "Ethernet",
138 WTAP_ENCAP_TOKEN_RING : "Token-Ring",
139 WTAP_ENCAP_SLIP : "SLIP",
140 WTAP_ENCAP_PPP : "PPP",
141 WTAP_ENCAP_FDDI : "FDDI",
142 WTAP_ENCAP_FDDI_BITSWAPPED : "FDDI (Bitswapped)",
143 WTAP_ENCAP_RAW_IP : "Raw IP",
144 WTAP_ENCAP_ARCNET : "ARCNET",
145 WTAP_ENCAP_ATM_RFC1483 : "ATM RFC1483",
146 WTAP_ENCAP_LINUX_ATM_CLIP : "Linux ATM CLIP",
147 WTAP_ENCAP_LAPB : "LAPB",
148 WTAP_ENCAP_ATM_SNIFFER : "ATM Sniffer",
149 WTAP_ENCAP_NULL : "Null",
150 WTAP_ENCAP_ASCEND : "Ascend",
151 WTAP_ENCAP_LAPD : "LAPD",
152 WTAP_ENCAP_V120 : "V.120",
153 WTAP_ENCAP_PPP_WITH_PHDR : "PPP (with PHDR)",
154 WTAP_ENCAP_IEEE_802_11 : "IEEE 802.11",
155 WTAP_ENCAP_SLL : "SLL",
156 WTAP_ENCAP_FRELAY : "Frame Relay",
157 WTAP_ENCAP_CHDLC : "Cisco HDLC",
158 WTAP_ENCAP_CISCO_IOS : "Cisco IOS",
159 WTAP_ENCAP_LOCALTALK : "LocalTalk",
160 WTAP_ENCAP_PRISM_HEADER : "Prism Header",
161 WTAP_ENCAP_PFLOG : "PFLog",
162 WTAP_ENCAP_AIROPEEK : "AiroPeek",
163 WTAP_ENCAP_HHDLC : "HHDLC",
166 def wtap_to_pcap(wtap):
167 if not wtap_to_pcap_map.has_key(wtap):
168 sys.exit("Don't know how to convert wiretap encoding %d to libpcap." % \
171 return wtap_to_pcap_map[wtap]
174 def run_gdb(*commands):
175 if len(commands) == 0:
178 # Create a temporary file
179 fname = tempfile.mktemp()
181 fh = open(fname, "w")
183 sys.exit("Cannot open %s for writing: %s" % (fname, err))
185 # Put the commands in it
198 sys.exit("Cannot close %s: %s" % (fname, err))
202 cmd = "gdb --nw --quiet --command=%s %s %s" % (fname, exec_file, core_file)
204 print "Invoking %s" % (cmd,)
212 sys.exit("Cannot run gdb: %s" % (err,))
215 result = pipe.readlines()
222 sys.exit("gdb returned an exit value of %s" % (error,))
225 # Remove the temp file and return the results
232 def get_value_from_frame(frame_num, variable, fmt=""):
235 cmds.append("up %d" % (frame_num,))
237 cmds.append("print %s %s" % (fmt, variable))
238 lines = apply(run_gdb, cmds)
240 LOOKING_FOR_START = 0
242 state = LOOKING_FOR_START
250 if state == LOOKING_FOR_START:
254 if line[0:4] == "$1 =":
256 state = READING_VALUE
258 elif state == READING_VALUE:
263 def get_int_from_frame(frame_num, variable):
264 text = get_value_from_frame(frame_num, variable)
268 sys.exit("Could not convert '%s' to integer." % (text,))
272 def get_byte_array_from_frame(frame_num, variable, length):
275 cmds.append("up %d" % (frame_num,))
277 cmds.append("print %s" % (variable,))
278 cmds.append("x/%dxb %s" % (length, variable))
279 lines = apply(run_gdb, cmds)
285 LOOKING_FOR_START = 0
287 state = LOOKING_FOR_START
290 if state == LOOKING_FOR_START:
293 elif line[0:3] == "$1 ":
297 fields = line.split('\t')
298 if fields[0][-1] != ":":
299 print "Failed to parse byte array from gdb:"
303 for field in fields[1:]:
311 def make_cap_file(pkt_data, lnk_t):
313 pcap_lnk_t = wtap_to_pcap(lnk_t)
315 # Create a temporary file
316 fname = tempfile.mktemp()
318 fh = open(fname, "w")
320 sys.exit("Cannot open %s for writing: %s" % (fname, err))
324 # Put the hex dump in it
327 for byte in pkt_data:
328 if (offset % BYTES_IN_ROW) == 0:
329 print >> fh, "\n%08X " % (offset,),
330 print "\n%08X " % (offset,),
332 print >> fh, "%02X " % (byte,),
333 print "%02X " % (byte,),
346 sys.exit("Cannot close %s: %s" % (fname, err))
350 cmd = "text2pcap -q -l %s %s %s" % (pcap_lnk_t, fname, output_file)
351 # print "Command is %s" % (cmd,)
353 retval = os.system(cmd)
359 sys.exit("Cannot run text2pcap: %s" % (err,))
361 # Remove the temp file
368 print "%s created with %d bytes in packet, and %s encoding." % \
369 (output_file, len(pkt_data), wtap_name[lnk_t])
371 sys.exit("text2pcap did not run successfully.")
376 def try_frame(func_text, cap_len_text, lnk_t_text, data_text):
379 bt_text = run_gdb("bt")
380 bt = BackTrace(bt_text)
381 if not bt.HasFunction(func_text):
382 print "%s() not found in backtrace." % (func_text,)
385 print "%s() found in backtrace." % (func_text,)
387 # Figure out where the call to epan_dissect_run is.
388 frame_num = bt.Frame(func_text)
390 # Get the capture length
391 cap_len = get_int_from_frame(frame_num, cap_len_text)
393 # Get the encoding type
394 lnk_t = get_int_from_frame(frame_num, lnk_t_text)
396 # Get the packet data
397 pkt_data = get_byte_array_from_frame(frame_num, data_text, cap_len)
400 print "Length=%d" % (cap_len,)
401 print "Encoding=%d" % (lnk_t,)
402 print "Data (%d bytes) = %s" % (len(pkt_data), pkt_data)
403 make_cap_file(pkt_data, lnk_t)
407 if try_frame("epan_dissect_run",
408 "fd->cap_len", "fd->lnk_t", "data"):
410 elif try_frame("add_packet_to_packet_list",
411 "fdata->cap_len", "fdata->lnk_t", "buf"):
414 sys.exit("A packet cannot be pulled from this core.")
418 print "pkt-from-core.py [-v] -w capture_file executable-file (core-file or process-id)"
420 print "\tGiven an executable file and a core file, this tool"
421 print "\tuses gdb to retrieve the packet that was being dissected"
422 print "\tat the time wireshark/tshark stopped running. The packet"
423 print "\tis saved in the capture_file specified by the -w option."
425 print "\t-v : verbose"
437 opts, args = getopt.getopt(sys.argv[1:], optstring)
441 for opt, arg in opts:
451 if output_file == None:
462 if __name__ == '__main__':
466 # Editor modelines - http://www.wireshark.org/tools/modelines.html
470 # indent-tabs-mode: nil
473 # vi: set shiftwidth=4 expandtab:
474 # :indentSize=4:noTabs=true: