3 * Copyright (c) 2000 by Mike Hall <mlh@io.com>
4 * Copyright (c) 2000 by Cisco Systems
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version 2
9 * of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 #include "file_wrappers.h"
30 * This module reads the output from the Cisco Secure Intrusion Detection
31 * System iplogging facility. The term iplogging is misleading since this
32 * logger will only output TCP. There is no link layer information.
33 * Packet format is 4 byte timestamp (seconds since epoch), and a 4 byte size
34 * of data following for that packet.
36 * For a time there was an error in iplogging and the ip length, flags, and id
37 * were byteswapped. We will check for this and handle it before handing to
45 static gboolean csids_read(wtap *wth, int *err, gchar **err_info,
47 static gboolean csids_seek_read(wtap *wth, gint64 seek_off,
48 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
49 static gboolean csids_read_packet(FILE_T fh, csids_t *csids,
50 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
53 guint32 seconds; /* seconds since epoch */
54 guint16 zeropad; /* 2 byte zero'ed pads */
55 guint16 caplen; /* the capture length */
58 wtap_open_return_val csids_open(wtap *wth, int *err, gchar **err_info)
60 /* There is no file header. There is only a header for each packet
61 * so we read a packet header and compare the caplen with iplen. They
62 * should always be equal except with the weird byteswap version.
64 * THIS IS BROKEN-- anytime the caplen is 0x0101 or 0x0202 up to 0x0505
65 * this will byteswap it. I need to fix this. XXX --mlh
70 gboolean byteswap = FALSE;
71 struct csids_header hdr;
74 /* check the file to make sure it is a csids file. */
75 if( !wtap_read_bytes( wth->fh, &hdr, sizeof( struct csids_header), err, err_info ) ) {
76 if( *err != WTAP_ERR_SHORT_READ ) {
77 return WTAP_OPEN_ERROR;
79 return WTAP_OPEN_NOT_MINE;
81 if( hdr.zeropad != 0 || hdr.caplen == 0 ) {
82 return WTAP_OPEN_NOT_MINE;
84 hdr.seconds = pntoh32( &hdr.seconds );
85 hdr.caplen = pntoh16( &hdr.caplen );
86 if( !wtap_read_bytes( wth->fh, &tmp, 2, err, err_info ) ) {
87 if( *err != WTAP_ERR_SHORT_READ ) {
88 return WTAP_OPEN_ERROR;
90 return WTAP_OPEN_NOT_MINE;
92 if( !wtap_read_bytes(wth->fh, &iplen, 2, err, err_info ) ) {
93 if( *err != WTAP_ERR_SHORT_READ ) {
94 return WTAP_OPEN_ERROR;
96 return WTAP_OPEN_NOT_MINE;
98 iplen = pntoh16(&iplen);
101 return WTAP_OPEN_NOT_MINE;
103 /* if iplen and hdr.caplen are equal, default to no byteswap. */
104 if( iplen > hdr.caplen ) {
105 /* maybe this is just a byteswapped version. the iplen ipflags */
106 /* and ipid are swapped. We cannot use the normal swaps because */
107 /* we don't know the host */
108 iplen = GUINT16_SWAP_LE_BE(iplen);
109 if( iplen <= hdr.caplen ) {
110 /* we know this format */
113 /* don't know this one */
114 return WTAP_OPEN_NOT_MINE;
120 /* no file header. So reset the fh to 0 so we can read the first packet */
121 if (file_seek(wth->fh, 0, SEEK_SET, err) == -1)
122 return WTAP_OPEN_ERROR;
124 csids = (csids_t *)g_malloc(sizeof(csids_t));
125 wth->priv = (void *)csids;
126 csids->byteswapped = byteswap;
127 wth->file_encap = WTAP_ENCAP_RAW_IP;
128 wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_CSIDS;
129 wth->snapshot_length = 0; /* not known */
130 wth->subtype_read = csids_read;
131 wth->subtype_seek_read = csids_seek_read;
132 wth->file_tsprec = WTAP_TSPREC_SEC;
134 return WTAP_OPEN_MINE;
137 /* Find the next packet and parse it; called from wtap_read(). */
138 static gboolean csids_read(wtap *wth, int *err, gchar **err_info,
141 csids_t *csids = (csids_t *)wth->priv;
143 *data_offset = file_tell(wth->fh);
145 return csids_read_packet( wth->fh, csids, &wth->phdr, wth->frame_buffer,
149 /* Used to read packets in random-access fashion */
151 csids_seek_read(wtap *wth,
153 struct wtap_pkthdr *phdr,
158 csids_t *csids = (csids_t *)wth->priv;
160 if( file_seek( wth->random_fh, seek_off, SEEK_SET, err ) == -1 )
163 if( !csids_read_packet( wth->random_fh, csids, phdr, buf, err, err_info ) ) {
165 *err = WTAP_ERR_SHORT_READ;
172 csids_read_packet(FILE_T fh, csids_t *csids, struct wtap_pkthdr *phdr,
173 Buffer *buf, int *err, gchar **err_info)
175 struct csids_header hdr;
178 if( !wtap_read_bytes_or_eof( fh, &hdr, sizeof( struct csids_header), err, err_info ) )
180 hdr.seconds = pntoh32(&hdr.seconds);
181 hdr.caplen = pntoh16(&hdr.caplen);
183 * The maximum value of hdr.caplen is 65535, which is less than
184 * WTAP_MAX_PACKET_SIZE will ever be, so we don't need to check
188 phdr->rec_type = REC_TYPE_PACKET;
189 phdr->presence_flags = WTAP_HAS_TS;
190 phdr->len = hdr.caplen;
191 phdr->caplen = hdr.caplen;
192 phdr->ts.secs = hdr.seconds;
195 if( !wtap_read_packet_bytes( fh, buf, phdr->caplen, err, err_info ) )
198 pd = ws_buffer_start_ptr( buf );
199 if( csids->byteswapped ) {
200 if( phdr->caplen >= 2 ) {
201 PBSWAP16(pd); /* the ip len */
202 if( phdr->caplen >= 4 ) {
203 PBSWAP16(pd+2); /* ip id */
204 if( phdr->caplen >= 6 )
205 PBSWAP16(pd+4); /* ip flags and fragoff */
214 * Editor modelines - http://www.wireshark.org/tools/modelines.html
219 * indent-tabs-mode: nil
222 * vi: set shiftwidth=2 tabstop=8 expandtab:
223 * :indentSize=2:tabSize=8:noTabs=true: