5 /***************************************************************************
6 NetworkInstruments.c - description
8 begin : Wed Oct 29 2003
9 copyright : (C) 2003 by root
10 email : scotte[AT}netinst.com
11 ***************************************************************************/
13 /***************************************************************************
15 * This program is free software; you can redistribute it and/or modify *
16 * it under the terms of the GNU General Public License as published by *
17 * the Free Software Foundation; either version 2 of the License, or *
18 * (at your option) any later version. *
20 ***************************************************************************/
30 #include "file_wrappers.h"
32 #include "network_instruments.h"
34 static const char network_instruments_magic[] = {"ObserverPktBufferVersion=09.00"};
35 static const int true_magic_length = 17;
37 static const guint32 observer_packet_magic = 0x88888888;
39 static const int observer_encap[] = {
43 #define NUM_OBSERVER_ENCAPS (sizeof observer_encap / sizeof observer_encap[0])
45 static const int from_wtap_encap[] = {
50 #define NUM_FROM_WTAP_ENCAPS (sizeof from_wtap_encap / sizeof observer_encap[0])
52 #define CAPTUREFILE_HEADER_SIZE sizeof(capture_file_header)
55 * The time in Observer files is in nanoseconds since midnight, January 1,
56 * 2000, 00:00:00 local time.
58 * We want the seconds portion to be seconds since midnight, January 1,
61 * To do that, we add the number of seconds between midnight, January 1,
62 * 2000, 00:00:00 local time and midnight, January 1, 1970, 00:00:00 GMT.
63 * (That gets the wrong answer if the time zone is being read in a different
64 * time zone, but there's not much we can do about that.)
66 static gboolean have_time_offset;
67 static time_t seconds1970to2000;
69 static void init_time_offset(void)
71 if (!have_time_offset) {
72 struct tm midnight_2000_01_01;
75 * Get the number of seconds between midnight, January 1,
76 * 2000, 00:00:00 local time - that's just the UNIX
77 * time stamp for 2000-01-01 00:00:00 local time.
79 midnight_2000_01_01.tm_year = 2000 - 1900;
80 midnight_2000_01_01.tm_mon = 0;
81 midnight_2000_01_01.tm_mday = 1;
82 midnight_2000_01_01.tm_hour = 0;
83 midnight_2000_01_01.tm_min = 0;
84 midnight_2000_01_01.tm_sec = 0;
85 midnight_2000_01_01.tm_isdst = -1;
86 seconds1970to2000 = mktime(&midnight_2000_01_01);
87 have_time_offset = TRUE;
91 static gboolean observer_read(wtap *wth, int *err, gchar **err_info,
93 static gboolean observer_seek_read(wtap *wth, gint64 seek_off,
94 union wtap_pseudo_header *pseudo_header, guchar *pd, int length,
95 int *err, gchar **err_info);
96 static int read_packet_header(FILE_T fh, packet_entry_header *packet_header,
97 int *err, gchar **err_info);
98 static gboolean read_packet_data(FILE_T fh, int offset_to_frame, int offset,
99 guint8 *pd, int length, int *err, char **err_info);
100 static gboolean skip_to_next_packet(wtap *wth, int offset,
101 int offset_to_next_packet, int *err, char **err_info);
102 static gboolean observer_dump_close(wtap_dumper *wdh, int *err);
103 static gboolean observer_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
104 const union wtap_pseudo_header *pseudo_header, const guchar *pd, int *err);
106 int network_instruments_open(wtap *wth, int *err, gchar **err_info)
110 capture_file_header file_header;
114 packet_entry_header packet_header;
116 errno = WTAP_ERR_CANT_READ;
119 /* Read in the buffer file header */
120 bytes_read = file_read(&file_header, sizeof file_header, 1, wth->fh);
121 if (bytes_read != sizeof file_header) {
122 *err = file_error(wth->fh);
127 offset += bytes_read;
129 /* check the magic number */
130 if (memcmp(file_header.observer_version, network_instruments_magic, true_magic_length)!=0) {
134 /* check the version */
135 if (strncmp(network_instruments_magic, file_header.observer_version, 30)!=0) {
136 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
137 *err_info = g_strdup_printf("Observer: unsupported file version %s", file_header.observer_version);
141 /* process extra information */
142 for (i = 0; i < file_header.number_of_information_elements; i++) {
143 /* read the TLV header */
144 bytes_read = file_read(&tlvh, sizeof tlvh, 1, wth->fh);
145 if (bytes_read != sizeof tlvh) {
146 *err = file_error(wth->fh);
148 *err = WTAP_ERR_SHORT_READ;
151 offset += bytes_read;
153 tlvh.length = GUINT16_FROM_LE(tlvh.length);
154 if (tlvh.length < sizeof tlvh) {
155 *err = WTAP_ERR_BAD_RECORD;
156 *err_info = g_strdup_printf("Observer: bad record (TLV length %u < %lu)",
157 tlvh.length, (unsigned long)sizeof tlvh);
161 /* skip the TLV data */
162 seek_increment = tlvh.length - sizeof tlvh;
163 if (seek_increment > 0) {
164 if (file_seek(wth->fh, seek_increment, SEEK_CUR, err) == -1)
167 offset += seek_increment;
170 /* get to the first packet */
171 file_header.offset_to_first_packet =
172 GUINT16_FROM_LE(file_header.offset_to_first_packet);
173 if (file_header.offset_to_first_packet < offset) {
174 *err = WTAP_ERR_BAD_RECORD;
175 *err_info = g_strdup_printf("Observer: bad record (offset to first packet %d < %d)",
176 file_header.offset_to_first_packet, offset);
179 seek_increment = file_header.offset_to_first_packet - offset;
180 if (seek_increment > 0) {
181 if (file_seek(wth->fh, seek_increment, SEEK_CUR, err) == -1)
185 /* pull off the packet header */
186 bytes_read = file_read(&packet_header, sizeof packet_header, 1, wth->fh);
187 if (bytes_read != sizeof packet_header) {
188 *err = file_error(wth->fh);
194 /* check the packet's magic number; the magic number is all 8's,
195 so the byte order doesn't matter */
196 if (packet_header.packet_magic != observer_packet_magic) {
197 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
198 *err_info = g_strdup_printf("Observer: unsupported packet version %ul", packet_header.packet_magic);
202 /* Check the data link type. */
203 if (packet_header.network_type >= NUM_OBSERVER_ENCAPS) {
204 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
205 *err_info = g_strdup_printf("Observer: network type %u unknown or unsupported", packet_header.network_type);
208 wth->file_encap = observer_encap[packet_header.network_type];
210 wth->file_type = WTAP_FILE_NETWORK_INSTRUMENTS_V9;
212 /* set up the rest of the capture parameters */
213 wth->subtype_read = observer_read;
214 wth->subtype_seek_read = observer_seek_read;
215 wth->subtype_close = NULL;
216 wth->subtype_sequential_close = NULL;
217 wth->snapshot_length = 0; /* not available in header */
218 wth->tsprecision = WTAP_FILE_TSPREC_NSEC;
220 /* reset the pointer to the first packet */
221 if (file_seek(wth->fh, file_header.offset_to_first_packet, SEEK_SET,
224 wth->data_offset = file_header.offset_to_first_packet;
231 /* reads the next packet */
232 static gboolean observer_read(wtap *wth, int *err, gchar **err_info,
236 packet_entry_header packet_header;
239 * Skip records other than data records.
242 *data_offset = wth->data_offset;
244 /* process the packet header, including TLVs */
245 offset = read_packet_header(wth->fh, &packet_header, err,
248 return FALSE; /* EOF or error */
250 wth->data_offset += offset;
252 if (packet_header.packet_type == PACKET_TYPE_DATA_PACKET)
255 /* skip to next packet */
256 packet_header.offset_to_next_packet =
257 GUINT16_FROM_LE(packet_header.offset_to_next_packet);
258 if (!skip_to_next_packet(wth, offset,
259 packet_header.offset_to_next_packet, err, err_info))
260 return FALSE; /* EOF or error */
263 /* set-up the packet header */
264 packet_header.network_size =
265 GUINT16_FROM_LE(packet_header.network_size);
266 /* neglect frame markers for wiretap */
267 if (packet_header.network_size < 4) {
268 *err = WTAP_ERR_BAD_RECORD;
269 *err_info = g_strdup_printf("Observer: bad record: Packet length %u < 4",
270 packet_header.network_size);
273 packet_header.network_size -= 4;
274 packet_header.captured_size =
275 GUINT16_FROM_LE(packet_header.captured_size);
276 wth->phdr.pkt_encap = observer_encap[packet_header.network_type];
277 wth->phdr.len = packet_header.network_size;
278 wth->phdr.caplen = MIN(packet_header.captured_size, wth->phdr.len);
279 packet_header.nano_seconds_since_2000 =
280 GUINT64_FROM_LE(packet_header.nano_seconds_since_2000);
282 (time_t) (packet_header.nano_seconds_since_2000/1000000000 + seconds1970to2000);
283 wth->phdr.ts.nsecs = (int) (packet_header.nano_seconds_since_2000%1000000000);
285 /* set-up the packet buffer */
286 buffer_assure_space(wth->frame_buffer, packet_header.captured_size);
289 if (!read_packet_data(wth->fh, packet_header.offset_to_frame, offset,
290 buffer_start_ptr(wth->frame_buffer), packet_header.captured_size,
293 wth->data_offset += packet_header.captured_size;
294 offset += packet_header.captured_size;
296 /* update the pseudo header */
297 switch (wth->file_encap) {
299 case WTAP_ENCAP_ETHERNET:
300 /* There is no FCS in the frame */
301 wth->pseudo_header.eth.fcs_len = 0;
308 /* reads a packet at an offset */
309 static gboolean observer_seek_read(wtap *wth, gint64 seek_off,
310 union wtap_pseudo_header *pseudo_header, guchar *pd, int length,
311 int *err, gchar **err_info)
313 packet_entry_header packet_header;
316 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
319 /* process the packet header, including TLVs */
320 offset = read_packet_header(wth->random_fh, &packet_header, err,
323 return FALSE; /* EOF or error */
326 if (!read_packet_data(wth->random_fh, packet_header.offset_to_frame,
327 offset, pd, length, err, err_info))
330 /* update the pseudo header */
331 switch (wth->file_encap) {
333 case WTAP_ENCAP_ETHERNET:
334 /* There is no FCS in the frame */
335 pseudo_header->eth.fcs_len = 0;
343 read_packet_header(FILE_T fh, packet_entry_header *packet_header, int *err,
354 /* pull off the packet header */
355 bytes_read = file_read(packet_header, sizeof *packet_header, 1, fh);
356 if (bytes_read != sizeof *packet_header) {
357 *err = file_error(fh);
362 offset += bytes_read;
364 /* check the packet's magic number; the magic number is all 8's,
365 so the byte order doesn't matter */
366 if (packet_header->packet_magic != observer_packet_magic) {
367 *err = WTAP_ERR_BAD_RECORD;
368 *err_info = g_strdup_printf("Observer: bad record: Invalid magic number 0x%08x",
369 GUINT32_FROM_LE(packet_header->packet_magic));
373 /* process extra information */
374 for (i = 0; i < packet_header->number_of_information_elements; i++) {
375 /* read the TLV header */
376 bytes_read = file_read(&tlvh, sizeof tlvh, 1, fh);
377 if (bytes_read != sizeof tlvh) {
378 *err = file_error(fh);
380 *err = WTAP_ERR_SHORT_READ;
383 offset += bytes_read;
385 tlvh.length = GUINT16_FROM_LE(tlvh.length);
386 if (tlvh.length < sizeof tlvh) {
387 *err = WTAP_ERR_BAD_RECORD;
388 *err_info = g_strdup_printf("Observer: bad record (TLV length %u < %lu)",
389 tlvh.length, (unsigned long)sizeof tlvh);
393 /* skip the TLV data */
394 seek_increment = tlvh.length - sizeof tlvh;
395 if (seek_increment > 0) {
396 if (file_seek(fh, seek_increment, SEEK_CUR, err) == -1)
399 offset += seek_increment;
402 packet_header->offset_to_frame =
403 GUINT16_FROM_LE(packet_header->offset_to_frame);
409 read_packet_data(FILE_T fh, int offset_to_frame, int offset, guint8 *pd,
410 int length, int *err, char **err_info)
414 /* get to the packet data */
415 if (offset_to_frame < offset) {
416 *err = WTAP_ERR_BAD_RECORD;
417 *err_info = g_strdup_printf("Observer: bad record (offset to packet data %d < %d)",
418 offset_to_frame, offset);
421 seek_increment = offset_to_frame - offset;
422 if (seek_increment > 0) {
423 if (file_seek(fh, seek_increment, SEEK_CUR, err) == -1)
427 /* read in the packet */
428 wtap_file_read_expected_bytes(pd, length, fh, err);
433 skip_to_next_packet(wtap *wth, int offset, int offset_to_next_packet, int *err,
438 if (offset_to_next_packet < offset) {
439 *err = WTAP_ERR_BAD_RECORD;
440 *err_info = g_strdup_printf("Observer: bad record (offset to next packet %d < %d)",
441 offset_to_next_packet, offset);
444 seek_increment = offset_to_next_packet - offset;
445 if (seek_increment > 0) {
446 if (file_seek(wth->fh, seek_increment, SEEK_CUR, err) == -1)
449 wth->data_offset += seek_increment;
453 /* Returns 0 if we could write the specified encapsulation type,
454 an error indication otherwise. */
455 int network_instruments_dump_can_write_encap(int encap)
457 /* Per-packet encapsulations aren't supported. */
458 if (encap == WTAP_ENCAP_PER_PACKET)
459 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
461 if (encap < 0 || (unsigned) encap >= NUM_FROM_WTAP_ENCAPS || from_wtap_encap[encap] == OBSERVER_UNDEFINED)
462 return WTAP_ERR_UNSUPPORTED_ENCAP;
467 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
469 gboolean network_instruments_dump_open(wtap_dumper *wdh, gboolean cant_seek, int *err)
471 capture_file_header file_header;
472 tlv_header comment_header;
474 struct tm *current_time;
478 *err = WTAP_ERR_CANT_WRITE_TO_PIPE;
482 wdh->subtype_write = observer_dump;
483 wdh->subtype_close = observer_dump_close;
485 wdh->dump.niobserver = g_malloc(sizeof(niobserver_dump_t));
486 wdh->dump.niobserver->packet_count = 0;
487 wdh->dump.niobserver->network_type = from_wtap_encap[wdh->encap];
489 /* create the file comment */
491 current_time = localtime(&system_time);
492 memset(&comment, 0x00, sizeof(comment));
493 sprintf(comment, "This capture was saved from Wireshark on %s", asctime(current_time));
495 /* create the file header */
496 if (fseek(wdh->fh, 0, SEEK_SET) == -1) {
500 memset(&file_header, 0x00, sizeof(capture_file_header));
501 strcpy(file_header.observer_version, network_instruments_magic);
502 file_header.offset_to_first_packet = sizeof(capture_file_header) + sizeof(tlv_header) + strlen(comment);
503 file_header.offset_to_first_packet = GUINT16_TO_LE(file_header.offset_to_first_packet);
504 file_header.number_of_information_elements = 1;
505 if(!fwrite(&file_header, sizeof(capture_file_header), 1, wdh->fh)) {
510 /* create the comment entry */
511 comment_header.type = GUINT16_TO_LE(INFORMATION_TYPE_COMMENT);
512 comment_header.length = sizeof(tlv_header) + strlen(comment);
513 comment_header.length = GUINT16_TO_LE(comment_header.length);
514 if(!fwrite(&comment_header, sizeof(tlv_header), 1, wdh->fh)) {
518 if(!fwrite(&comment, sizeof(char), strlen(comment), wdh->fh)) {
528 /* Write a record for a packet to a dump file.
529 Returns TRUE on success, FALSE on failure. */
530 static gboolean observer_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
531 const union wtap_pseudo_header *pseudo_header _U_, const guchar *pd,
534 niobserver_dump_t *niobserver = wdh->dump.niobserver;
535 packet_entry_header packet_header;
537 guint64 capture_nanoseconds;
539 if (phdr->ts.secs < seconds1970to2000) {
540 if (phdr->ts.secs < 0)
541 capture_nanoseconds = 0;
543 capture_nanoseconds = phdr->ts.secs;
545 capture_nanoseconds = phdr->ts.secs - seconds1970to2000;
546 capture_nanoseconds = capture_nanoseconds*1000000000 + phdr->ts.nsecs;
548 memset(&packet_header, 0x00, sizeof(packet_entry_header));
549 packet_header.packet_magic = GUINT32_TO_LE(observer_packet_magic);
550 packet_header.network_speed = GUINT32_TO_LE(1000000);
551 packet_header.captured_size = GUINT16_TO_LE((guint16)phdr->caplen);
552 packet_header.network_size = GUINT16_TO_LE((guint16)(phdr->len+4));
553 packet_header.offset_to_frame = GUINT16_TO_LE(sizeof(packet_entry_header));
554 packet_header.offset_to_next_packet = GUINT16_TO_LE(sizeof(packet_entry_header) + phdr->caplen);
555 packet_header.network_type = niobserver->network_type;
556 packet_header.flags = 0x00;
557 packet_header.number_of_information_elements = 0;
558 packet_header.packet_type = PACKET_TYPE_DATA_PACKET;
559 packet_header.packet_number = GUINT64_TO_LE(niobserver->packet_count);
560 packet_header.original_packet_number = GUINT64_TO_LE(niobserver->packet_count);
561 niobserver->packet_count++;
562 packet_header.nano_seconds_since_2000 = GUINT64_TO_LE(capture_nanoseconds);
564 nwritten = fwrite(&packet_header, sizeof(packet_header), 1, wdh->fh);
566 if (nwritten == 0 && ferror(wdh->fh))
569 *err = WTAP_ERR_SHORT_WRITE;
573 nwritten = fwrite(pd, 1, phdr->caplen, wdh->fh);
574 if (nwritten != phdr->caplen) {
575 if (nwritten == 0 && ferror(wdh->fh))
578 *err = WTAP_ERR_SHORT_WRITE;
585 /* just returns TRUE, there is no clean up needed */
586 static gboolean observer_dump_close(wtap_dumper *wdh _U_, int *err _U_)