3 * Copyright (c) 2000 by Mike Hall <mlh@io.com>
4 * Copyright (c) 2000 by Cisco Systems
6 * SPDX-License-Identifier: GPL-2.0+
12 #include "file_wrappers.h"
18 * This module reads the output from the Cisco Secure Intrusion Detection
19 * System iplogging facility. The term iplogging is misleading since this
20 * logger will only output TCP. There is no link layer information.
21 * Packet format is 4 byte timestamp (seconds since epoch), and a 4 byte size
22 * of data following for that packet.
24 * For a time there was an error in iplogging and the ip length, flags, and id
25 * were byteswapped. We will check for this and handle it before handing to
33 static gboolean csids_read(wtap *wth, int *err, gchar **err_info,
35 static gboolean csids_seek_read(wtap *wth, gint64 seek_off,
36 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
37 static gboolean csids_read_packet(FILE_T fh, csids_t *csids,
38 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
/*
 * Per-packet record header as it appears in the file.  Every record is this
 * 8-byte header followed by caplen bytes of packet data; the integer fields
 * are stored big-endian and are converted with pntoh32()/pntoh16() after
 * being read.
 */
struct csids_header {
  guint32 seconds; /* timestamp: seconds since the epoch */
  guint16 zeropad; /* must be zero; used as part of the file-type check */
  guint16 caplen;  /* number of packet-data bytes following this header */
};
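/*
 * Heuristic open for CSIDS iplog files.
 *
 * The format has no file header, only a header per packet, so the check is
 * made on the first record: its csids_header is read, then the first four
 * bytes of the packet data (the data is raw IP, and bytes 2-3 of an IPv4
 * header hold the total length).  That IP length is compared with the
 * header's caplen to decide whether the file is ours and whether it comes
 * from the logger version that byteswapped the IP length/id/flags fields.
 *
 * On success wth->priv owns a csids_t (freed by wiretap), the read callbacks
 * are installed and wth->fh is rewound to offset 0 so the first read starts
 * at the first record.
 *
 * Returns WTAP_OPEN_MINE, WTAP_OPEN_NOT_MINE, or WTAP_OPEN_ERROR with *err
 * (and possibly *err_info) set.
 */
wtap_open_return_val csids_open(wtap *wth, int *err, gchar **err_info)
{
  /* There is no file header. There is only a header for each packet
   * so we read a packet header and compare the caplen with iplen. They
   * should always be equal except with the weird byteswap version.
   *
   * THIS IS BROKEN-- anytime the caplen is 0x0101 or 0x0202 up to 0x0505
   * this will byteswap it. I need to fix this. XXX --mlh
   */

  /* Both are 2-byte on-disk fields; size them as such so the read length
   * below is tied to the variable instead of a bare 2 filling part of an int. */
  guint16 tmp, iplen;
  gboolean byteswap = FALSE;
  struct csids_header hdr;
  csids_t *csids;

  /* check the file to make sure it is a csids file. */
  if (!wtap_read_bytes(wth->fh, &hdr, sizeof hdr, err, err_info)) {
    if (*err != WTAP_ERR_SHORT_READ) {
      return WTAP_OPEN_ERROR;
    }
    return WTAP_OPEN_NOT_MINE;
  }
  /* Both tests are endianness-neutral, so they can run before the swap. */
  if (hdr.zeropad != 0 || hdr.caplen == 0) {
    return WTAP_OPEN_NOT_MINE;
  }
  hdr.seconds = pntoh32(&hdr.seconds);
  hdr.caplen = pntoh16(&hdr.caplen);

  /* Skip the first two bytes of the IP header to reach the length field. */
  if (!wtap_read_bytes(wth->fh, &tmp, sizeof tmp, err, err_info)) {
    if (*err != WTAP_ERR_SHORT_READ) {
      return WTAP_OPEN_ERROR;
    }
    return WTAP_OPEN_NOT_MINE;
  }
  if (!wtap_read_bytes(wth->fh, &iplen, sizeof iplen, err, err_info)) {
    if (*err != WTAP_ERR_SHORT_READ) {
      return WTAP_OPEN_ERROR;
    }
    return WTAP_OPEN_NOT_MINE;
  }
  iplen = pntoh16(&iplen);

  if (iplen == 0)
    return WTAP_OPEN_NOT_MINE;

  /* if iplen and hdr.caplen are equal, default to no byteswap. */
  if (iplen > hdr.caplen) {
    /* maybe this is just a byteswapped version. the iplen ipflags */
    /* and ipid are swapped. We cannot use the normal swaps because */
    /* we don't know the host */
    iplen = GUINT16_SWAP_LE_BE(iplen);
    if (iplen <= hdr.caplen) {
      /* we know this format */
      byteswap = TRUE;
    } else {
      /* don't know this one */
      return WTAP_OPEN_NOT_MINE;
    }
  }

  /* no file header. So reset the fh to 0 so we can read the first packet */
  if (file_seek(wth->fh, 0, SEEK_SET, err) == -1)
    return WTAP_OPEN_ERROR;

  csids = g_malloc(sizeof *csids);
  wth->priv = csids;
  csids->byteswapped = byteswap;
  wth->file_encap = WTAP_ENCAP_RAW_IP;
  wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_CSIDS;
  wth->snapshot_length = 0; /* not known */
  wth->subtype_read = csids_read;
  wth->subtype_seek_read = csids_seek_read;
  wth->file_tsprec = WTAP_TSPREC_SEC;

  return WTAP_OPEN_MINE;
}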
/*
 * Sequential read callback (wth->subtype_read); called from wtap_read().
 *
 * Records the current position of wth->fh as the record's offset, so that a
 * later csids_seek_read() can return to it, then decodes one record into the
 * wtap's own packet header and frame buffer.
 *
 * Returns whatever csids_read_packet() returns: TRUE on success, FALSE at
 * end of file or on error with *err / *err_info set.
 */
static gboolean csids_read(wtap *wth, int *err, gchar **err_info,
    gint64 *data_offset)
{
  /* Nothing precedes the record, so the stream position is the offset. */
  *data_offset = file_tell(wth->fh);

  return csids_read_packet(wth->fh, (csids_t *)wth->priv, &wth->phdr,
                           wth->frame_buffer, err, err_info);
}
/*
 * Random-access read callback (wth->subtype_seek_read).
 *
 * Seeks wth->random_fh to seek_off (an offset previously handed out by
 * csids_read()) and decodes the record there into phdr and buf.  The
 * sequential stream wth->fh is not touched.
 *
 * Returns TRUE on success, FALSE with *err set otherwise.  A record that
 * ends early at a known-good offset is reported as WTAP_ERR_SHORT_READ,
 * never as a clean end of file.
 */
static gboolean
csids_seek_read(wtap *wth, gint64 seek_off, struct wtap_pkthdr *phdr,
                Buffer *buf, int *err, gchar **err_info)
{
  if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
    return FALSE;

  if (csids_read_packet(wth->random_fh, (csids_t *)wth->priv, phdr, buf,
                        err, err_info))
    return TRUE;

  /* csids_read_packet() leaves *err at 0 for a plain EOF; at an offset we
   * have already read once that means the file was truncated. */
  if (*err == 0)
    *err = WTAP_ERR_SHORT_READ;
  return FALSE;
}
/*
 * Decode one record from the current position of fh.
 *
 * Reads the 8-byte csids_header, fills in phdr (packet record, seconds-only
 * timestamp, len == caplen) and reads caplen bytes of packet data into buf.
 * When csids->byteswapped is set, the first three 16-bit words of the data
 * are swapped in place to undo the logger's byte-order bug; each swap is
 * guarded by a caplen check so a short record is never written past.
 *
 * Returns TRUE on success.  Returns FALSE at end of file (as reported by
 * wtap_read_bytes_or_eof(), which leaves *err at 0) or on error with *err
 * and possibly *err_info set.
 */
static gboolean
csids_read_packet(FILE_T fh, csids_t *csids, struct wtap_pkthdr *phdr,
                  Buffer *buf, int *err, gchar **err_info)
{
  struct csids_header hdr;
  guint8 *pd;

  if (!wtap_read_bytes_or_eof(fh, &hdr, sizeof hdr, err, err_info))
    return FALSE;
  hdr.seconds = pntoh32(&hdr.seconds);
  hdr.caplen = pntoh16(&hdr.caplen);

  /*
   * caplen is a 16-bit field, so it can never exceed 65535, which is below
   * WTAP_MAX_PACKET_SIZE_STANDARD; no explicit upper-bound check is needed
   * before the read below.
   */
  phdr->rec_type = REC_TYPE_PACKET;
  phdr->presence_flags = WTAP_HAS_TS;
  phdr->len = hdr.caplen;
  phdr->caplen = hdr.caplen;
  phdr->ts.secs = hdr.seconds;
  phdr->ts.nsecs = 0; /* the file only stores whole seconds */

  if (!wtap_read_packet_bytes(fh, buf, phdr->caplen, err, err_info))
    return FALSE;

  if (csids->byteswapped) {
    /* NOTE(review): csids_open() decides on byteswapped mode from the
     * 16-bit field at offset 2 of the packet data (the IPv4 total length),
     * whereas the swaps here begin at offset 0 and label that word the IP
     * length.  Confirm against a capture from the affected logger version
     * whether the intended offsets are 2, 4 and 6. */
    const guint32 avail = phdr->caplen;

    pd = ws_buffer_start_ptr(buf);
    if (avail >= 2)
      PBSWAP16(pd);     /* the ip len */
    if (avail >= 4)
      PBSWAP16(pd + 2); /* ip id */
    if (avail >= 6)
      PBSWAP16(pd + 4); /* ip flags and fragoff */
  }

  return TRUE;
}
202 * Editor modelines - http://www.wireshark.org/tools/modelines.html
207 * indent-tabs-mode: nil
210 * vi: set shiftwidth=2 tabstop=8 expandtab:
211 * :indentSize=2:tabSize=8:noTabs=true: