4 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version 2
9 * of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
26 #include "file_wrappers.h"
27 #include <wsutil/buffer.h>
31 #define IPTRACE_IFT_HF 0x3d /* Support for PERCS IP-HFI*/
32 #define IPTRACE_IFT_IB 0xc7 /* IP over Infiniband. Number by IANA */
34 static gboolean iptrace_read_1_0(wtap *wth, int *err, gchar **err_info,
36 static gboolean iptrace_seek_read_1_0(wtap *wth, gint64 seek_off,
37 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
39 static gboolean iptrace_read_2_0(wtap *wth, int *err, gchar **err_info,
41 static gboolean iptrace_seek_read_2_0(wtap *wth, gint64 seek_off,
42 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
44 static int iptrace_read_rec_header(FILE_T fh, guint8 *header, int header_len,
45 int *err, gchar **err_info);
46 static gboolean iptrace_read_rec_data(FILE_T fh, Buffer *buf,
47 struct wtap_pkthdr *phdr, int *err, gchar **err_info);
48 static void fill_in_pseudo_header(int encap,
49 union wtap_pseudo_header *pseudo_header, guint8 *header);
50 static int wtap_encap_ift(unsigned int ift);
52 int iptrace_open(wtap *wth, int *err, gchar **err_info)
57 errno = WTAP_ERR_CANT_READ;
58 bytes_read = file_read(name, 11, wth->fh);
59 if (bytes_read != 11) {
60 *err = file_error(wth->fh, err_info);
61 if (*err != 0 && *err != WTAP_ERR_SHORT_READ)
67 if (strcmp(name, "iptrace 1.0") == 0) {
68 wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_IPTRACE_1_0;
69 wth->subtype_read = iptrace_read_1_0;
70 wth->subtype_seek_read = iptrace_seek_read_1_0;
71 wth->tsprecision = WTAP_FILE_TSPREC_SEC;
73 else if (strcmp(name, "iptrace 2.0") == 0) {
74 wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_IPTRACE_2_0;
75 wth->subtype_read = iptrace_read_2_0;
76 wth->subtype_seek_read = iptrace_seek_read_2_0;
77 wth->tsprecision = WTAP_FILE_TSPREC_NSEC;
86 /***********************************************************
88 ***********************************************************/
91 * iptrace 1.0, discovered through inspection
93 * Packet record contains:
95 * an initial header, with a length field and a time stamp, in
96 * seconds since the Epoch;
98 * data, with the specified length.
102 * a bunch of information about the packet;
104 * padding, at least for FDDI;
106 * the raw packet data.
109 /* 0-3 */ guint32 pkt_length; /* packet length + 0x16 */
110 /* 4-7 */ guint32 tv_sec; /* time stamp, seconds since the Epoch */
111 /* 8-11 */ guint32 junk1; /* ???, not time */
112 /* 12-15 */ char if_name[4]; /* null-terminated */
113 /* 16-27 */ char junk2[12]; /* ??? */
114 /* 28 */ guint8 if_type; /* BSD net/if_types.h */
115 /* 29 */ guint8 tx_flag; /* 0=receive, 1=transmit */
118 #define IPTRACE_1_0_PHDR_SIZE 30 /* initial header plus packet data */
119 #define IPTRACE_1_0_PDATA_SIZE 22 /* packet data */
122 iptrace_read_rec_1_0(FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf,
123 int *err, gchar **err_info)
125 guint8 header[IPTRACE_1_0_PHDR_SIZE];
127 iptrace_1_0_phdr pkt_hdr;
130 ret = iptrace_read_rec_header(fh, header, IPTRACE_1_0_PHDR_SIZE,
133 /* Read error or EOF */
138 * Byte 28 of the frame header appears to be a BSD-style IFT_xxx
139 * value giving the type of the interface. Check out the
140 * <net/if_types.h> header file.
142 pkt_hdr.if_type = header[28];
143 phdr->pkt_encap = wtap_encap_ift(pkt_hdr.if_type);
144 if (phdr->pkt_encap == WTAP_ENCAP_UNKNOWN) {
145 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
146 *err_info = g_strdup_printf("iptrace: interface type IFT=0x%02x unknown or unsupported",
151 /* Read the packet metadata */
152 packet_size = pntoh32(&header[0]);
153 if (packet_size < IPTRACE_1_0_PDATA_SIZE) {
155 * Uh-oh, the record isn't big enough to even have a
156 * packet meta-data header.
158 *err = WTAP_ERR_BAD_FILE;
159 *err_info = g_strdup_printf("iptrace: file has a %u-byte record, too small to have even a packet meta-data header",
163 packet_size -= IPTRACE_1_0_PDATA_SIZE;
166 * AIX appears to put 3 bytes of padding in front of FDDI
167 * frames; strip that crap off.
169 if (phdr->pkt_encap == WTAP_ENCAP_FDDI_BITSWAPPED) {
171 * The packet size is really a record size and includes
174 if (packet_size < 3) {
176 * Uh-oh, the record isn't big enough to even have
179 *err = WTAP_ERR_BAD_FILE;
180 *err_info = g_strdup_printf("iptrace: file has a %u-byte record, too small to have even a packet meta-data header",
181 packet_size + IPTRACE_1_0_PDATA_SIZE);
189 if (!file_skip(fh, 3, err))
192 if (packet_size > WTAP_MAX_PACKET_SIZE) {
194 * Probably a corrupt capture file; don't blow up trying
195 * to allocate space for an immensely-large packet.
197 *err = WTAP_ERR_BAD_FILE;
198 *err_info = g_strdup_printf("iptrace: File has %u-byte packet, bigger than maximum of %u",
199 packet_size, WTAP_MAX_PACKET_SIZE);
203 phdr->rec_type = REC_TYPE_PACKET;
204 phdr->presence_flags = WTAP_HAS_TS;
205 phdr->len = packet_size;
206 phdr->caplen = packet_size;
207 phdr->ts.secs = pntoh32(&header[4]);
210 /* Fill in the pseudo-header. */
211 fill_in_pseudo_header(phdr->pkt_encap, &phdr->pseudo_header, header);
213 /* Get the packet data */
214 return iptrace_read_rec_data(fh, buf, phdr, err, err_info);
217 /* Read the next packet */
218 static gboolean iptrace_read_1_0(wtap *wth, int *err, gchar **err_info,
221 *data_offset = file_tell(wth->fh);
223 /* Read the packet */
224 if (!iptrace_read_rec_1_0(wth->fh, &wth->phdr, wth->frame_buffer,
226 /* Read error or EOF */
230 /* If the per-file encapsulation isn't known, set it to this
231 packet's encapsulation.
233 If it *is* known, and it isn't this packet's encapsulation,
234 set it to WTAP_ENCAP_PER_PACKET, as this file doesn't
235 have a single encapsulation for all packets in the file. */
236 if (wth->file_encap == WTAP_ENCAP_UNKNOWN)
237 wth->file_encap = wth->phdr.pkt_encap;
239 if (wth->file_encap != wth->phdr.pkt_encap)
240 wth->file_encap = WTAP_ENCAP_PER_PACKET;
246 static gboolean iptrace_seek_read_1_0(wtap *wth, gint64 seek_off,
247 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info)
249 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
252 /* Read the packet */
253 if (!iptrace_read_rec_1_0(wth->random_fh, phdr, buf, err, err_info)) {
255 *err = WTAP_ERR_SHORT_READ;
261 /***********************************************************
263 ***********************************************************/
266 * iptrace 2.0, discovered through inspection
268 * Packet record contains:
270 * an initial header, with a length field and a time stamp, in
271 * seconds since the Epoch;
273 * data, with the specified length.
277 * a bunch of information about the packet;
279 * padding, at least for FDDI;
281 * the raw packet data.
284 /* 0-3 */ guint32 pkt_length; /* packet length + 32 */
285 /* 4-7 */ guint32 tv_sec0; /* time stamp, seconds since the Epoch */
286 /* 8-11 */ guint32 junk1; /* ?? */
287 /* 12-15 */ char if_name[4]; /* null-terminated */
288 /* 16-27 */ char if_desc[12]; /* interface description. */
289 /* 28 */ guint8 if_type; /* BSD net/if_types.h */
290 /* 29 */ guint8 tx_flag; /* 0=receive, 1=transmit */
291 /* 30-31 */ guint16 junk3;
292 /* 32-35 */ guint32 tv_sec; /* time stamp, seconds since the Epoch */
293 /* 36-39 */ guint32 tv_nsec; /* nanoseconds since that second */
296 #define IPTRACE_2_0_PHDR_SIZE 40 /* initial header plus packet data */
297 #define IPTRACE_2_0_PDATA_SIZE 32 /* packet data */
300 iptrace_read_rec_2_0(FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf,
301 int *err, gchar **err_info)
303 guint8 header[IPTRACE_2_0_PHDR_SIZE];
305 iptrace_2_0_phdr pkt_hdr;
308 ret = iptrace_read_rec_header(fh, header, IPTRACE_2_0_PHDR_SIZE,
311 /* Read error or EOF */
316 * Byte 28 of the frame header appears to be a BSD-style IFT_xxx
317 * value giving the type of the interface. Check out the
318 * <net/if_types.h> header file.
320 pkt_hdr.if_type = header[28];
321 phdr->pkt_encap = wtap_encap_ift(pkt_hdr.if_type);
324 * We used to error out if the interface type in iptrace was
325 * unknown/unhandled, but an iptrace may contain packets
326 * from a variety of interfaces, some known, and others
329 * It is better to display the data even for unknown interface
330 * types, isntead of erroring out. In the future, it would be
331 * nice to be able to flag which frames are shown as data
332 * because their interface type is unknown, and also present
333 * the interface type number to the user so that it can be
334 * reported easily back to the Wireshark developer.
336 * XXX - what types are there that are used in files but
337 * that we don't handle?
339 if (phdr->pkt_encap == WTAP_ENCAP_UNKNOWN) {
340 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
341 *err_info = g_strdup_printf("iptrace: interface type IFT=0x%02x unknown or unsupported",
347 /* Read the packet metadata */
348 packet_size = pntoh32(&header[0]);
349 if (packet_size < IPTRACE_2_0_PDATA_SIZE) {
351 * Uh-oh, the record isn't big enough to even have a
352 * packet meta-data header.
354 *err = WTAP_ERR_BAD_FILE;
355 *err_info = g_strdup_printf("iptrace: file has a %u-byte record, too small to have even a packet meta-data header",
359 packet_size -= IPTRACE_2_0_PDATA_SIZE;
362 * AIX appears to put 3 bytes of padding in front of FDDI
363 * frames; strip that crap off.
365 if (phdr->pkt_encap == WTAP_ENCAP_FDDI_BITSWAPPED) {
367 * The packet size is really a record size and includes
370 if (packet_size < 3) {
372 * Uh-oh, the record isn't big enough to even have
375 *err = WTAP_ERR_BAD_FILE;
376 *err_info = g_strdup_printf("iptrace: file has a %u-byte record, too small to have even a packet meta-data header",
377 packet_size + IPTRACE_2_0_PDATA_SIZE);
385 if (!file_skip(fh, 3, err))
388 if (packet_size > WTAP_MAX_PACKET_SIZE) {
390 * Probably a corrupt capture file; don't blow up trying
391 * to allocate space for an immensely-large packet.
393 *err = WTAP_ERR_BAD_FILE;
394 *err_info = g_strdup_printf("iptrace: File has %u-byte packet, bigger than maximum of %u",
395 packet_size, WTAP_MAX_PACKET_SIZE);
399 phdr->rec_type = REC_TYPE_PACKET;
400 phdr->presence_flags = WTAP_HAS_TS;
401 phdr->len = packet_size;
402 phdr->caplen = packet_size;
403 phdr->ts.secs = pntoh32(&header[32]);
404 phdr->ts.nsecs = pntoh32(&header[36]);
406 /* Fill in the pseudo_header. */
407 fill_in_pseudo_header(phdr->pkt_encap, &phdr->pseudo_header, header);
409 /* Get the packet data */
410 return iptrace_read_rec_data(fh, buf, phdr, err, err_info);
413 /* Read the next packet */
414 static gboolean iptrace_read_2_0(wtap *wth, int *err, gchar **err_info,
417 *data_offset = file_tell(wth->fh);
419 /* Read the packet */
420 if (!iptrace_read_rec_2_0(wth->fh, &wth->phdr, wth->frame_buffer,
422 /* Read error or EOF */
426 /* If the per-file encapsulation isn't known, set it to this
427 packet's encapsulation.
429 If it *is* known, and it isn't this packet's encapsulation,
430 set it to WTAP_ENCAP_PER_PACKET, as this file doesn't
431 have a single encapsulation for all packets in the file. */
432 if (wth->file_encap == WTAP_ENCAP_UNKNOWN)
433 wth->file_encap = wth->phdr.pkt_encap;
435 if (wth->file_encap != wth->phdr.pkt_encap)
436 wth->file_encap = WTAP_ENCAP_PER_PACKET;
442 static gboolean iptrace_seek_read_2_0(wtap *wth, gint64 seek_off,
443 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info)
445 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
448 /* Read the packet */
449 if (!iptrace_read_rec_2_0(wth->random_fh, phdr, buf, err, err_info)) {
451 *err = WTAP_ERR_SHORT_READ;
458 iptrace_read_rec_header(FILE_T fh, guint8 *header, int header_len, int *err,
463 errno = WTAP_ERR_CANT_READ;
464 bytes_read = file_read(header, header_len, fh);
465 if (bytes_read != header_len) {
466 *err = file_error(fh, err_info);
469 if (bytes_read != 0) {
470 *err = WTAP_ERR_SHORT_READ;
479 iptrace_read_rec_data(FILE_T fh, Buffer *buf, struct wtap_pkthdr *phdr,
480 int *err, gchar **err_info)
482 if (!wtap_read_packet_bytes(fh, buf, phdr->caplen, err, err_info))
485 if (phdr->pkt_encap == WTAP_ENCAP_ATM_PDUS) {
487 * Attempt to guess from the packet data, the VPI,
488 * and the VCI information about the type of traffic.
490 atm_guess_traffic_type(phdr, ws_buffer_start_ptr(buf));
497 * Fill in the pseudo-header information we can.
499 * For ATM traffic, "iptrace", alas, doesn't tell us what type of traffic
500 * is in the packet - it was presumably run on a machine that was one of
501 * the endpoints of the connection, so in theory it could presumably have
502 * told us, but, for whatever reason, it failed to do so - perhaps the
503 * low-level mechanism that feeds the presumably-AAL5 frames to us doesn't
504 * have access to that information (e.g., because it's in the ATM driver,
505 * and the ATM driver merely knows that stuff on VPI/VCI X.Y should be
506 * handed up to some particular client, it doesn't know what that client is).
508 * We let our caller try to figure out what kind of traffic it is, either
509 * by guessing based on the VPI/VCI, guessing based on the header of the
510 * packet, seeing earlier traffic that set up the circuit and specified
511 * in some fashion what sort of traffic it is, or being told by the user.
514 fill_in_pseudo_header(int encap, union wtap_pseudo_header *pseudo_header,
524 case WTAP_ENCAP_ATM_PDUS:
525 /* Rip apart the "x.y" text into Vpi/Vci numbers */
526 memcpy(if_text, &header[20], 8);
528 decimal = strchr(if_text, '.');
531 Vpi = (int)strtoul(if_text, NULL, 10);
533 Vci = (int)strtoul(decimal, NULL, 10);
537 * OK, which value means "DTE->DCE" and which value means
540 pseudo_header->atm.channel = header[29];
542 pseudo_header->atm.vpi = Vpi;
543 pseudo_header->atm.vci = Vci;
545 /* We don't have this information */
546 pseudo_header->atm.flags = 0;
547 pseudo_header->atm.cells = 0;
548 pseudo_header->atm.aal5t_u2u = 0;
549 pseudo_header->atm.aal5t_len = 0;
550 pseudo_header->atm.aal5t_chksum = 0;
553 case WTAP_ENCAP_ETHERNET:
554 /* We assume there's no FCS in this frame. */
555 pseudo_header->eth.fcs_len = 0;
560 /* Given an RFC1573 (SNMP ifType) interface type,
561 * return the appropriate Wiretap Encapsulation Type.
564 wtap_encap_ift(unsigned int ift)
567 static const int ift_encap[] = {
568 /* 0x0 */ WTAP_ENCAP_UNKNOWN, /* nothing */
569 /* 0x1 */ WTAP_ENCAP_UNKNOWN, /* IFT_OTHER */
570 /* 0x2 */ WTAP_ENCAP_UNKNOWN, /* IFT_1822 */
571 /* 0x3 */ WTAP_ENCAP_UNKNOWN, /* IFT_HDH1822 */
572 /* 0x4 */ WTAP_ENCAP_RAW_IP, /* IFT_X25DDN */
573 /* 0x5 */ WTAP_ENCAP_UNKNOWN, /* IFT_X25 */
574 /* 0x6 */ WTAP_ENCAP_ETHERNET, /* IFT_ETHER */
575 /* 0x7 */ WTAP_ENCAP_ETHERNET, /* IFT_ISO88023 */
576 /* 0x8 */ WTAP_ENCAP_UNKNOWN, /* IFT_ISO88024 */
577 /* 0x9 */ WTAP_ENCAP_TOKEN_RING, /* IFT_ISO88025 */
578 /* 0xa */ WTAP_ENCAP_UNKNOWN, /* IFT_ISO88026 */
579 /* 0xb */ WTAP_ENCAP_UNKNOWN, /* IFT_STARLAN */
580 /* 0xc */ WTAP_ENCAP_RAW_IP, /* IFT_P10, IBM SP switch */
581 /* 0xd */ WTAP_ENCAP_UNKNOWN, /* IFT_P80 */
582 /* 0xe */ WTAP_ENCAP_UNKNOWN, /* IFT_HY */
583 /* 0xf */ WTAP_ENCAP_FDDI_BITSWAPPED, /* IFT_FDDI */
584 /* 0x10 */ WTAP_ENCAP_LAPB, /* IFT_LAPB */ /* no data to back this up */
585 /* 0x11 */ WTAP_ENCAP_UNKNOWN, /* IFT_SDLC */
586 /* 0x12 */ WTAP_ENCAP_UNKNOWN, /* IFT_T1 */
587 /* 0x13 */ WTAP_ENCAP_UNKNOWN, /* IFT_CEPT */
588 /* 0x14 */ WTAP_ENCAP_UNKNOWN, /* IFT_ISDNBASIC */
589 /* 0x15 */ WTAP_ENCAP_UNKNOWN, /* IFT_ISDNPRIMARY */
590 /* 0x16 */ WTAP_ENCAP_UNKNOWN, /* IFT_PTPSERIAL */
591 /* 0x17 */ WTAP_ENCAP_UNKNOWN, /* IFT_PPP */
592 /* 0x18 */ WTAP_ENCAP_RAW_IP, /* IFT_LOOP */
593 /* 0x19 */ WTAP_ENCAP_UNKNOWN, /* IFT_EON */
594 /* 0x1a */ WTAP_ENCAP_UNKNOWN, /* IFT_XETHER */
595 /* 0x1b */ WTAP_ENCAP_UNKNOWN, /* IFT_NSIP */
596 /* 0x1c */ WTAP_ENCAP_UNKNOWN, /* IFT_SLIP */
597 /* 0x1d */ WTAP_ENCAP_UNKNOWN, /* IFT_ULTRA */
598 /* 0x1e */ WTAP_ENCAP_UNKNOWN, /* IFT_DS3 */
599 /* 0x1f */ WTAP_ENCAP_UNKNOWN, /* IFT_SIP */
600 /* 0x20 */ WTAP_ENCAP_UNKNOWN, /* IFT_FRELAY */
601 /* 0x21 */ WTAP_ENCAP_UNKNOWN, /* IFT_RS232 */
602 /* 0x22 */ WTAP_ENCAP_UNKNOWN, /* IFT_PARA */
603 /* 0x23 */ WTAP_ENCAP_UNKNOWN, /* IFT_ARCNET */
604 /* 0x24 */ WTAP_ENCAP_UNKNOWN, /* IFT_ARCNETPLUS */
605 /* 0x25 */ WTAP_ENCAP_ATM_PDUS, /* IFT_ATM */
607 #define NUM_IFT_ENCAPS (sizeof ift_encap / sizeof ift_encap[0])
609 if (ift < NUM_IFT_ENCAPS) {
610 return ift_encap[ift];
616 return WTAP_ENCAP_INFINIBAND;
619 /* Host Fabric Interface */
621 /* The HFI interface on AIX provides raw IP
622 in the packet trace. It's unclear if the HFI
623 can be configured for any other protocol, and if
624 any field in the iptrace header indicates what
625 that protocol is. For now, we are hard-coding
626 this as RAW_IP, but if we find another iptrace file
627 using HFI that provides another protocol, we will
628 have to figure out which field in the iptrace file
630 return WTAP_ENCAP_RAW_IP;
634 return WTAP_ENCAP_UNKNOWN;
git.samba.org / metze / wireshark / wip.git / blob