epan/dissectors/file-pcap.c

   1 /* file-pcap.c
   2  * Routines for PCAP File Format
   3  * http://www.tcpdump.org/manpages/pcap-savefile.5.html
   4  *
   5  * Copyright 2015, Michal Labedzki for Tieto Corporation
   6  *
   7  * Wireshark - Network traffic analyzer
   8  * By Gerald Combs <gerald@wireshark.org>
   9  * Copyright 1998 Gerald Combs
  10  *
  11  * SPDX-License-Identifier: GPL-2.0-or-later
  12  */
  13
  14 #include "config.h"
  15
  16 #include <epan/packet.h>
  17 #include <epan/prefs.h>
  18 #include <epan/expert.h>
  19 #include <epan/exceptions.h>
  20 #include <epan/show_exception.h>
  21 #include <epan/wmem/wmem.h>
  22
  23 #include <epan/dissectors/packet-pcap_pktdata.h>
  24
  25 static int proto_pcap = -1;
  26
  27 static dissector_handle_t pcap_pktdata_handle;
  28
  29 static int hf_pcap_header = -1;
  30 static int hf_pcap_header_magic_number = -1;
  31 static int hf_pcap_header_version_major = -1;
  32 static int hf_pcap_header_version_minor = -1;
  33 static int hf_pcap_header_this_zone = -1;
  34 static int hf_pcap_header_sigfigs = -1;
  35 static int hf_pcap_header_snapshot_length = -1;
  36 static int hf_pcap_header_link_type = -1;
  37 static int hf_pcap_packet = -1;
  38 static int hf_pcap_packet_timestamp = -1;
  39 static int hf_pcap_packet_timestamp_sec = -1;
  40 static int hf_pcap_packet_timestamp_usec = -1;
  41 static int hf_pcap_packet_included_length = -1;
  42 static int hf_pcap_packet_origin_length = -1;
  43 static int hf_pcap_packet_data = -1;
  44
  45 static expert_field ei_pcap_inc_larger_than_orig = EI_INIT;
  46 static expert_field ei_pcap_inc_larger_than_snap = EI_INIT;
  47
  48 static gint ett_pcap = -1;
  49 static gint ett_pcap_header = -1;
  50 static gint ett_pcap_packet = -1;
  51 static gint ett_pcap_packet_data = -1;
  52 static gint ett_pcap_timestamp = -1;
  53
  54 static gboolean pref_dissect_next_layer = FALSE;
  55
  56 void proto_register_file_pcap(void);
  57 void proto_reg_handoff_file_pcap(void);
  58
  59 #define MAGIC_NUMBER_SIZE    4
  60
  61 static int
  62 dissect_pcap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
  63 {
  64     static const guint8 pcap_big_endian_magic[MAGIC_NUMBER_SIZE] = {
  65         0xa1, 0xb2, 0xc3, 0xd4
  66     };
  67     static const guint8 pcap_little_endian_magic[MAGIC_NUMBER_SIZE] = {
  68         0xd4, 0xc3, 0xb2, 0xa1
  69     };
  70     static const guint8 pcap_nsec_big_endian_magic[MAGIC_NUMBER_SIZE] = {
  71         0xa1, 0xb2, 0x3c, 0xd4
  72     };
  73     static const guint8 pcap_nsec_little_endian_magic[MAGIC_NUMBER_SIZE] = {
  74         0xd4, 0x3c, 0xb2, 0xa1
  75     };
  76     volatile gint    offset = 0;
  77     proto_tree      *main_tree;
  78     proto_item      *main_item;
  79     proto_tree      *header_tree;
  80     proto_item      *header_item;
  81     proto_item      *magic_number_item;
  82     proto_tree      *packet_tree;
  83     proto_item      *packet_item;
  84     proto_tree      *timestamp_tree;
  85     proto_item      *timestamp_item;
  86     proto_tree      *packet_data_tree;
  87     proto_item      *packet_data_item;
  88     proto_item      *inc_len_item;
  89     volatile guint32 encoding;
  90     volatile guint   timestamp_scale_factor;
  91     const char      *magic;
  92     guint32          snap_length;
  93     guint32          origin_length;
  94     guint32          length;
  95     guint32          link_type;
  96     volatile guint32 frame_number = 1;
  97     nstime_t         timestamp;
  98
  99     if (tvb_memeql(tvb, 0, pcap_big_endian_magic, MAGIC_NUMBER_SIZE) == 0) {
 100         encoding = ENC_BIG_ENDIAN;
 101         timestamp_scale_factor = 1000;
 102         magic = "Big-endian";
 103     } else if (tvb_memeql(tvb, 0, pcap_little_endian_magic, MAGIC_NUMBER_SIZE) == 0) {
 104         encoding = ENC_LITTLE_ENDIAN;
 105         timestamp_scale_factor = 1000;
 106         magic = "Little-endian";
 107     } else if (tvb_memeql(tvb, 0, pcap_nsec_big_endian_magic, MAGIC_NUMBER_SIZE) == 0) {
 108         encoding = ENC_BIG_ENDIAN;
 109         timestamp_scale_factor = 1;
 110         magic = "Big-endian, nanosecond resolution";
 111     } else if (tvb_memeql(tvb, 0, pcap_nsec_little_endian_magic, MAGIC_NUMBER_SIZE) == 0) {
 112         encoding = ENC_LITTLE_ENDIAN;
 113         timestamp_scale_factor = 1;
 114         magic = "Little-endian, nanosecond resolution";
 115     } else {
 116         /*
 117          * Not one of the magic numbers we recognize.
 118          * XXX - add them?
 119          */
 120         return 0;
 121     }
 122
 123     main_item = proto_tree_add_item(tree, proto_pcap, tvb, offset, -1, ENC_NA);
 124     main_tree = proto_item_add_subtree(main_item, ett_pcap);
 125
 126     header_item = proto_tree_add_item(main_tree, hf_pcap_header    , tvb, offset, 24, ENC_NA);
 127     header_tree = proto_item_add_subtree(header_item, ett_pcap_header);
 128
 129     magic_number_item = proto_tree_add_item(header_tree, hf_pcap_header_magic_number, tvb, offset, 4, ENC_NA);
 130     proto_item_append_text(magic_number_item, " (%s)", magic);
 131     offset += 4;
 132
 133     proto_tree_add_item(header_tree, hf_pcap_header_version_major, tvb, offset, 2, encoding);
 134     offset += 2;
 135
 136     proto_tree_add_item(header_tree, hf_pcap_header_version_minor, tvb, offset, 2, encoding);
 137     offset += 2;
 138
 139     proto_tree_add_item(header_tree, hf_pcap_header_this_zone, tvb, offset, 4, encoding);
 140     offset += 4;
 141
 142     proto_tree_add_item(header_tree, hf_pcap_header_sigfigs, tvb, offset, 4, encoding);
 143     offset += 4;
 144
 145     proto_tree_add_item_ret_uint(header_tree, hf_pcap_header_snapshot_length, tvb, offset, 4, encoding, &snap_length);
 146     offset += 4;
 147
 148     proto_tree_add_item(header_tree, hf_pcap_header_link_type, tvb, offset, 4, encoding);
 149     link_type = tvb_get_guint32(tvb, offset, encoding);
 150     offset += 4;
 151
 152     while (offset < (gint) tvb_reported_length(tvb)) {
 153         packet_item = proto_tree_add_item(main_tree, hf_pcap_packet, tvb, offset, 4 * 4, ENC_NA);
 154         packet_tree = proto_item_add_subtree(packet_item, ett_pcap_packet);
 155         proto_item_append_text(packet_item, " %u", frame_number);
 156
 157         timestamp.secs = tvb_get_guint32(tvb, offset, encoding);
 158         timestamp.nsecs = tvb_get_guint32(tvb, offset + 4, encoding) * timestamp_scale_factor;
 159
 160         timestamp_item = proto_tree_add_time(packet_tree, hf_pcap_packet_timestamp, tvb, offset, 8, &timestamp);
 161         timestamp_tree = proto_item_add_subtree(timestamp_item, ett_pcap_timestamp);
 162
 163         proto_tree_add_item(timestamp_tree, hf_pcap_packet_timestamp_sec, tvb, offset, 4, encoding);
 164         offset += 4;
 165
 166         proto_tree_add_item(timestamp_tree, hf_pcap_packet_timestamp_usec, tvb, offset, 4, encoding);
 167         offset += 4;
 168
 169         inc_len_item = proto_tree_add_item_ret_uint(packet_tree, hf_pcap_packet_included_length, tvb, offset, 4, encoding, &length);
 170         offset += 4;
 171
 172         proto_tree_add_item_ret_uint(packet_tree, hf_pcap_packet_origin_length, tvb, offset, 4, encoding, &origin_length);
 173         offset += 4;
 174
 175         if (length > snap_length)
 176         {
 177             expert_add_info(pinfo, inc_len_item,
 178                     &ei_pcap_inc_larger_than_snap);
 179         }
 180
 181         if (length > origin_length) {
 182             expert_add_info(pinfo, inc_len_item,
 183                     &ei_pcap_inc_larger_than_orig);
 184             break;
 185         }
 186
 187         packet_data_item = proto_tree_add_item(packet_tree, hf_pcap_packet_data, tvb, offset, length, ENC_NA);
 188         packet_data_tree = proto_item_add_subtree(packet_data_item, ett_pcap_packet_data);
 189
 190         pinfo->num = frame_number;
 191         pinfo->abs_ts = timestamp;
 192
 193         if (pref_dissect_next_layer) {
 194             TRY {
 195                 call_dissector_with_data(pcap_pktdata_handle, tvb_new_subset_length_caplen(tvb, offset, length, origin_length), pinfo, packet_data_tree, &link_type);
 196             }
 197             CATCH_BOUNDS_ERRORS {
 198                 show_exception(tvb, pinfo, packet_data_tree, EXCEPT_CODE, GET_MESSAGE);
 199             }
 200             ENDTRY;
 201         }
 202         offset += length;
 203
 204         proto_item_set_len(packet_item, 4 * 4 + length);
 205         frame_number += 1;
 206     }
 207
 208     return offset;
 209 }
 210
 211 static gboolean
 212 dissect_pcap_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
 213 {
 214     return dissect_pcap(tvb, pinfo, tree, NULL) > 0;
 215 }
 216
 217 void
 218 proto_register_file_pcap(void)
 219 {
 220     module_t         *module;
 221     expert_module_t  *expert_pcap;
 222
 223     static hf_register_info hf[] = {
 224         { &hf_pcap_header,
 225             { "Header",                                    "pcap.header",
 226             FT_NONE, BASE_NONE, NULL, 0x00,
 227             NULL, HFILL }
 228         },
 229         { &hf_pcap_header_magic_number,
 230             { "Magic Number",                              "pcap.header.magic_number",
 231             FT_BYTES, BASE_NONE, NULL, 0x00,
 232             NULL, HFILL }
 233         },
 234         { &hf_pcap_header_version_major,
 235             { "Version Major",                             "pcap.header.version.major",
 236             FT_UINT16, BASE_DEC, NULL, 0x00,
 237             NULL, HFILL }
 238         },
 239         { &hf_pcap_header_version_minor,
 240             { "Version Minor",                             "pcap.header.version.minor",
 241             FT_UINT16, BASE_DEC, NULL, 0x00,
 242             NULL, HFILL }
 243         },
 244         { &hf_pcap_header_this_zone,
 245             { "This Zone",                                 "pcap.header.this_zone",
 246             FT_INT32, BASE_DEC, NULL, 0x00,
 247             NULL, HFILL }
 248         },
 249         { &hf_pcap_header_sigfigs,
 250             { "Sigfigs",                                   "pcap.header.sigfigs",
 251             FT_UINT32, BASE_DEC, NULL, 0x00,
 252             NULL, HFILL }
 253         },
 254         { &hf_pcap_header_snapshot_length,
 255             { "Snapshot Length",                           "pcap.header.snapshot_length",
 256             FT_UINT32, BASE_DEC, NULL, 0x00,
 257             NULL, HFILL }
 258         },
 259         { &hf_pcap_header_link_type,
 260             { "Link Type",                                 "pcap.header.link_type",
 261             FT_UINT32, BASE_DEC_HEX, VALS(link_type_vals), 0x00,
 262             NULL, HFILL }
 263         },
 264         { &hf_pcap_packet,
 265             { "Packet",                                    "pcap.packet",
 266             FT_NONE, BASE_NONE, NULL, 0x00,
 267             NULL, HFILL }
 268         },
 269         { &hf_pcap_packet_timestamp,
 270             { "Timestamp",                             "pcap.packet.timestamp",
 271             FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x00,
 272             NULL, HFILL }
 273         },
 274         { &hf_pcap_packet_timestamp_sec,
 275             { "Timestamp sec",                             "pcap.packet.timestamp.sec",
 276             FT_UINT32, BASE_DEC, NULL, 0x00,
 277             NULL, HFILL }
 278         },
 279         { &hf_pcap_packet_timestamp_usec,
 280             { "Timestamp usec",                            "pcap.packet.timestamp.usec",
 281             FT_UINT32, BASE_DEC, NULL, 0x00,
 282             NULL, HFILL }
 283         },
 284         { &hf_pcap_packet_included_length,
 285             { "Included Length",                           "pcap.packet.included_length",
 286             FT_UINT32, BASE_DEC, NULL, 0x00,
 287             NULL, HFILL }
 288         },
 289         { &hf_pcap_packet_origin_length,
 290             { "Origin Length",                             "pcap.packet.origin_length",
 291             FT_UINT32, BASE_DEC, NULL, 0x00,
 292             NULL, HFILL }
 293         },
 294         { &hf_pcap_packet_data,
 295             { "Data",                                      "pcap.packet.data",
 296             FT_NONE, BASE_NONE, NULL, 0x00,
 297             NULL, HFILL }
 298         },
 299     };
 300
 301     static ei_register_info ei[] = {
 302         { &ei_pcap_inc_larger_than_orig,
 303             { "pcap.inc_len_larger_than_orig_len", PI_MALFORMED, PI_ERROR,
 304                 "included length is larger than original length",
 305                 EXPFILL }},
 306         { &ei_pcap_inc_larger_than_snap,
 307             { "pcap.inc_len_larger_than_snap_len", PI_PROTOCOL, PI_WARN,
 308                 "included length is larger than snapshot length",
 309                 EXPFILL }}
 310     };
 311
 312     static gint *ett[] = {
 313         &ett_pcap,
 314         &ett_pcap_header,
 315         &ett_pcap_packet,
 316         &ett_pcap_packet_data,
 317         &ett_pcap_timestamp
 318     };
 319
 320     proto_pcap = proto_register_protocol("PCAP File Format", "File-PCAP", "file-pcap");
 321     proto_register_field_array(proto_pcap, hf, array_length(hf));
 322     proto_register_subtree_array(ett, array_length(ett));
 323     expert_pcap = expert_register_protocol(proto_pcap);
 324     expert_register_field_array(expert_pcap, ei, array_length(ei));
 325
 326     register_dissector("file-pcap", dissect_pcap, proto_pcap);
 327
 328     module = prefs_register_protocol(proto_pcap, NULL);
 329     prefs_register_static_text_preference(module, "version",
 330             "PCAP version: >=2.4",
 331             "Version of file-format supported by this dissector.");
 332
 333     prefs_register_bool_preference(module, "dissect_next_layer",
 334             "Dissect next layer",
 335             "Dissect next layer",
 336             &pref_dissect_next_layer);
 337 }
 338
 339 void
 340 proto_reg_handoff_file_pcap(void)
 341 {
 342     heur_dissector_add("wtap_file", dissect_pcap_heur, "PCAP File", "pcap_wtap", proto_pcap, HEURISTIC_ENABLE);
 343     pcap_pktdata_handle = find_dissector_add_dependency("pcap_pktdata", proto_pcap);
 344 }
 345
 346 /*
 347  * Editor modelines  -  http://www.wireshark.org/tools/modelines.html
 348  *
 349  * Local variables:
 350  * c-basic-offset: 4
 351  * tab-width: 8
 352  * indent-tabs-mode: nil
 353  * End:
 354  *
 355  * vi: set shiftwidth=4 tabstop=8 expandtab:
 356  * :indentSize=4:tabSize=8:noTabs=true:
 357  */