2 * $Id: network_instruments.c,v 1.7 2004/01/25 21:55:16 guy Exp $
5 /***************************************************************************
6 NetworkInstruments.c - description
8 begin : Wed Oct 29 2003
9 copyright : (C) 2003 by root
10 email : scotte[AT}netinst.com
11 ***************************************************************************/
13 /***************************************************************************
15 * This program is free software; you can redistribute it and/or modify *
16 * it under the terms of the GNU General Public License as published by *
17 * the Free Software Foundation; either version 2 of the License, or *
18 * (at your option) any later version. *
20 ***************************************************************************/
30 #include "file_wrappers.h"
32 #include "network_instruments.h"
34 static const char network_instruments_magic[] = {"ObserverPktBufferVersion=09.00"};
35 static const int true_magic_length = 17;
37 static const guint32 observer_packet_magic = 0x88888888;
39 static const int observer_encap[] = {
43 #define NUM_OBSERVER_ENCAPS (sizeof observer_encap / sizeof observer_encap[0])
45 #define OBSERVER_UNDEFINED 0xFF
46 #define OBSERVER_ETHERNET 0x00
47 #define OBSERVER_TOKENRING 0x01
48 #define OBSERVER_FDDI 0x02
49 static const int from_wtap_encap[] = {
54 #define NUM_FROM_WTAP_ENCAPS (sizeof from_wtap_encap / sizeof observer_encap[0])
56 #define CAPTUREFILE_HEADER_SIZE sizeof(capture_file_header)
58 #define INFORMATION_TYPE_ALIAS_LIST 0x01
59 #define INFORMATION_TYPE_COMMENT 0x02
62 * The time in Observer files is in nanoseconds since midnight, January 1,
63 * 2000, 00:00:00 local time.
65 * We want the seconds portion to be seconds since midnight, January 1,
68 * To do that, we add the number of seconds between midnight, January 1,
69 * 2000, 00:00:00 local time and midnight, January 1, 1970, 00:00:00 GMT.
70 * (That gets the wrong answer if the time zone is being read in a different
71 * time zone, but there's not much we can do about that.)
73 static gboolean have_time_offset;
74 static time_t seconds1970to2000;
76 static void init_time_offset(void)
78 if (!have_time_offset) {
79 struct tm midnight_2000_01_01;
82 * Get the number of seconds between midnight, January 1,
83 * 2000, 00:00:00 local time - that's just the UNIX
84 * time stamp for 2000-01-01 00:00:00 local time.
86 midnight_2000_01_01.tm_year = 2000 - 1900;
87 midnight_2000_01_01.tm_mon = 0;
88 midnight_2000_01_01.tm_mday = 1;
89 midnight_2000_01_01.tm_hour = 0;
90 midnight_2000_01_01.tm_min = 0;
91 midnight_2000_01_01.tm_sec = 0;
92 midnight_2000_01_01.tm_isdst = -1;
93 seconds1970to2000 = mktime(&midnight_2000_01_01);
94 have_time_offset = TRUE;
98 static gboolean fill_time_struct(guint64 ns_since2000, observer_time* time_conversion);
99 static gboolean observer_read(wtap *wth, int *err, gchar **err_info,
101 static gboolean observer_seek_read(wtap *wth, long seek_off,
102 union wtap_pseudo_header *pseudo_header, guchar *pd, int length,
103 int *err, gchar **err_info);
104 static gboolean observer_dump_close(wtap_dumper *wdh, int *err);
105 static gboolean observer_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
106 const union wtap_pseudo_header *pseudo_header, const guchar *pd, int *err);
108 int network_instruments_open(wtap *wth, int *err, gchar **err_info)
112 capture_file_header file_header;
113 packet_entry_header packet_header;
115 errno = WTAP_ERR_CANT_READ;
117 /* Read in the buffer file header */
118 bytes_read = file_read(&file_header, sizeof file_header, 1, wth->fh);
119 if (bytes_read != sizeof file_header) {
120 *err = file_error(wth->fh);
126 /* check the magic number */
127 if (memcmp(file_header.observer_version, network_instruments_magic, true_magic_length)!=0) {
131 /* check the version */
132 if (strncmp(network_instruments_magic, file_header.observer_version, 30)!=0) {
133 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
134 *err_info = g_strdup_printf("Observer: unsupported file version %s", file_header.observer_version);
138 /* get to the first packet */
139 file_header.offset_to_first_packet =
140 GUINT16_FROM_LE(file_header.offset_to_first_packet);
141 if (file_seek(wth->fh, file_header.offset_to_first_packet, SEEK_SET,
148 /* pull off the packet header */
149 bytes_read = file_read(&packet_header, sizeof packet_header, 1, wth->fh);
150 if (bytes_read != sizeof packet_header) {
151 *err = file_error(wth->fh);
157 /* check the packet's magic number; the magic number is all 8's,
158 so the byte order doesn't matter */
159 if (packet_header.packet_magic != observer_packet_magic) {
160 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
161 *err_info = g_strdup_printf("Observer: unsupported packet version %ul", packet_header.packet_magic);
165 /* Check the data link type. */
166 if (packet_header.network_type >= NUM_OBSERVER_ENCAPS) {
167 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
168 *err_info = g_strdup_printf("observer: network type %u unknown or unsupported", packet_header.network_type);
171 wth->file_encap = observer_encap[packet_header.network_type];
173 wth->file_type = WTAP_FILE_NETWORK_INSTRUMENTS_V9;
175 /* set up the rest of the capture parameters */
176 wth->subtype_read = observer_read;
177 wth->subtype_seek_read = observer_seek_read;
178 wth->subtype_close = NULL;
179 wth->subtype_sequential_close = NULL;
180 wth->snapshot_length = 0;
182 /* reset the pointer to the first packet */
183 if (file_seek(wth->fh, file_header.offset_to_first_packet, SEEK_SET,
189 wth->data_offset = file_header.offset_to_first_packet;
196 /* reads the next packet */
197 static gboolean observer_read(wtap *wth, int *err, gchar **err_info,
202 long seconds, useconds;
204 packet_entry_header packet_header;
206 observer_time packet_time;
208 *data_offset = wth->data_offset;
210 /* pull off the packet header */
211 bytes_read = file_read(&packet_header, sizeof packet_header, 1, wth->fh);
212 if (bytes_read != sizeof packet_header) {
213 *err = file_error(wth->fh);
218 wth->data_offset += bytes_read;
220 /* check the packet's magic number; the magic number is all 8's,
221 so the byte order doesn't matter */
222 if (packet_header.packet_magic != observer_packet_magic) {
223 *err = WTAP_ERR_BAD_RECORD;
224 *err_info = g_strdup("Observer: bad record");
228 /* convert from observer time to wiretap time */
229 packet_header.nano_seconds_since_2000 =
230 GUINT64_FROM_LE(packet_header.nano_seconds_since_2000);
231 fill_time_struct(packet_header.nano_seconds_since_2000, &packet_time);
232 useconds = (long)(packet_time.useconds_from_1970 - ((guint64)packet_time.seconds_from_1970)*1000000);
233 seconds = (long)packet_time.seconds_from_1970;
235 /* set-up the packet header */
236 packet_header.network_size =
237 GUINT16_FROM_LE(packet_header.network_size);
238 packet_header.captured_size =
239 GUINT16_FROM_LE(packet_header.captured_size);
240 wth->phdr.pkt_encap = observer_encap[packet_header.network_type];
241 wth->phdr.len = packet_header.network_size-4; /* neglect frame markers for wiretap */
242 wth->phdr.caplen = MIN(packet_header.captured_size, wth->phdr.len);
243 wth->phdr.ts.tv_sec = seconds;
244 wth->phdr.ts.tv_usec = useconds;
246 /* get to the frame data */
247 packet_header.offset_to_frame =
248 GUINT16_FROM_LE(packet_header.offset_to_frame);
249 if (packet_header.offset_to_frame < sizeof(packet_header)) {
250 *err = WTAP_ERR_BAD_RECORD;
251 *err_info = g_strdup_printf("Observer: bad record (offset to frame %u < %lu)",
252 packet_header.offset_to_frame,
253 (unsigned long)sizeof(packet_header));
256 seek_increment = packet_header.offset_to_frame - sizeof(packet_header);
257 if(seek_increment>0) {
258 if (file_seek(wth->fh, seek_increment, SEEK_CUR, err) == -1)
261 wth->data_offset += seek_increment;
263 /* set-up the packet buffer */
264 buffer_assure_space(wth->frame_buffer, packet_header.captured_size);
265 wtap_file_read_expected_bytes(buffer_start_ptr(wth->frame_buffer), packet_header.captured_size, wth->fh, err);
266 wth->data_offset += packet_header.captured_size;
268 /* update the pseudo header */
269 switch (wth->file_encap) {
271 case WTAP_ENCAP_ETHERNET:
272 /* There is no FCS in the frame */
273 wth->pseudo_header.eth.fcs_len = 0;
280 /* reads a packet at an offset */
281 static gboolean observer_seek_read(wtap *wth, long seek_off,
282 union wtap_pseudo_header *pseudo_header, guchar *pd, int length,
283 int *err, gchar **err_info)
285 packet_entry_header packet_header;
289 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
292 /* pull off the packet header */
293 bytes_read = file_read(&packet_header, sizeof packet_header, 1, wth->random_fh);
294 if (bytes_read != sizeof packet_header) {
295 *err = file_error(wth->fh);
301 /* check the packets magic number */
302 if (packet_header.packet_magic != observer_packet_magic) {
303 *err = WTAP_ERR_BAD_RECORD;
304 *err_info = g_strdup("Observer: bad magic number for record in observer_seek_read");
308 /* read in the packet */
309 bytes_read = file_read(pd, 1, length, wth->random_fh);
310 if (bytes_read != length) {
311 *err = file_error(wth->fh);
315 /* update the pseudo header */
316 switch (wth->file_encap) {
318 case WTAP_ENCAP_ETHERNET:
319 /* There is no FCS in the frame */
320 pseudo_header->eth.fcs_len = 0;
327 gboolean fill_time_struct(guint64 ns_since2000, observer_time* time_conversion)
329 time_conversion->ns_since2000 = ns_since2000;
330 time_conversion->us_since2000 = ns_since2000/1000;
331 time_conversion->sec_since2000 = ns_since2000/1000000000;
333 time_conversion->seconds_from_1970 = (time_t) (seconds1970to2000 + time_conversion->sec_since2000);
334 time_conversion->useconds_from_1970 = ((guint64)seconds1970to2000*1000000)+time_conversion->us_since2000;
339 /* Returns 0 if we could write the specified encapsulation type,
340 an error indication otherwise. */
341 int network_instruments_dump_can_write_encap(int encap)
343 /* Per-packet encapsulations aren't supported. */
344 if (encap == WTAP_ENCAP_PER_PACKET)
345 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
347 if (encap < 0 || (unsigned) encap > NUM_FROM_WTAP_ENCAPS || from_wtap_encap[encap] == OBSERVER_UNDEFINED)
348 return WTAP_ERR_UNSUPPORTED_ENCAP;
353 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
355 gboolean network_instruments_dump_open(wtap_dumper *wdh, gboolean cant_seek, int *err)
357 capture_file_header file_header;
358 tlv_header comment_header;
360 struct tm *current_time;
364 *err = WTAP_ERR_CANT_WRITE_TO_PIPE;
368 wdh->subtype_write = observer_dump;
369 wdh->subtype_close = observer_dump_close;
371 wdh->dump.niobserver = g_malloc(sizeof(niobserver_dump_t));
372 wdh->dump.niobserver->packet_count = 0;
373 wdh->dump.niobserver->network_type = from_wtap_encap[wdh->encap];
375 /* create the file comment */
377 current_time = localtime(&system_time);
378 memset(&comment, 0x00, sizeof(comment));
379 sprintf(comment, "This capture was saved from Ethereal on %s", asctime(current_time));
381 /* create the file header */
382 if (fseek(wdh->fh, 0, SEEK_SET) == -1) {
386 memset(&file_header, 0x00, sizeof(capture_file_header));
387 strcpy(file_header.observer_version, network_instruments_magic);
388 file_header.offset_to_first_packet = sizeof(capture_file_header) + sizeof(tlv_header) + strlen(comment);
389 file_header.extra_information_present = 0x01; /* actually the number of information elements */
390 if(!fwrite(&file_header, sizeof(capture_file_header), 1, wdh->fh)) {
395 /* create the comment entry */
396 comment_header.type = INFORMATION_TYPE_COMMENT;
397 comment_header.length = sizeof(tlv_header) + strlen(comment);
398 if(!fwrite(&comment_header, sizeof(tlv_header), 1, wdh->fh)) {
402 if(!fwrite(&comment, sizeof(char), strlen(comment), wdh->fh)) {
412 /* Write a record for a packet to a dump file.
413 Returns TRUE on success, FALSE on failure. */
414 static gboolean observer_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
415 const union wtap_pseudo_header *pseudo_header _U_, const guchar *pd,
418 niobserver_dump_t *niobserver = wdh->dump.niobserver;
419 packet_entry_header packet_header;
421 guint64 capture_nanoseconds = 0;
423 if(phdr->ts.tv_sec<(long)seconds1970to2000)
424 if(phdr->ts.tv_sec<0)
425 capture_nanoseconds = 0;
427 capture_nanoseconds = phdr->ts.tv_sec;
429 capture_nanoseconds = phdr->ts.tv_sec - seconds1970to2000;
430 capture_nanoseconds = ((capture_nanoseconds*1000000) + (guint64)phdr->ts.tv_usec)*1000;
432 memset(&packet_header, 0x00, sizeof(packet_entry_header));
433 packet_header.packet_magic = GUINT32_TO_LE(observer_packet_magic);
434 packet_header.network_speed = GUINT32_TO_LE(1000000);
435 packet_header.captured_size = GUINT16_TO_LE((guint16)phdr->caplen);
436 packet_header.network_size = GUINT16_TO_LE((guint16)(phdr->len+4));
437 packet_header.offset_to_frame = GUINT16_TO_LE(sizeof(packet_entry_header));
438 packet_header.offset_to_next_packet = GUINT16_TO_LE(sizeof(packet_entry_header) + phdr->caplen);
439 packet_header.network_type = niobserver->network_type;
440 packet_header.flags = 0x00;
441 packet_header.extra_information = 0x00;
442 packet_header.packet_type = 0x00;
443 packet_header.packet_number = GUINT64_TO_LE(niobserver->packet_count);
444 packet_header.original_packet_number = GUINT64_TO_LE(niobserver->packet_count);
445 niobserver->packet_count++;
446 packet_header.nano_seconds_since_2000 = GUINT64_TO_LE(capture_nanoseconds);
448 nwritten = fwrite(&packet_header, sizeof(packet_header), 1, wdh->fh);
450 if (nwritten == 0 && ferror(wdh->fh))
453 *err = WTAP_ERR_SHORT_WRITE;
457 nwritten = fwrite(pd, 1, phdr->caplen, wdh->fh);
458 if (nwritten != phdr->caplen) {
459 if (nwritten == 0 && ferror(wdh->fh))
462 *err = WTAP_ERR_SHORT_WRITE;
469 /* just returns TRUE, there is no clean up needed */
470 static gboolean observer_dump_close(wtap_dumper *wdh _U_, int *err _U_)