1 /*
2 *
3 * Copyright (c) 2003 Endace Technology Ltd, Hamilton, New Zealand.
4 * All rights reserved.
5 *
6 * This software and documentation has been developed by Endace Technology Ltd.
7 * along with the DAG PCI network capture cards. For further information please
8 * visit http://www.endace.com/.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions are met:
12 *
13 *  1. Redistributions of source code must retain the above copyright notice,
14 *  this list of conditions and the following disclaimer.
15 *
16 *  2. Redistributions in binary form must reproduce the above copyright
17 *  notice, this list of conditions and the following disclaimer in the
18 *  documentation and/or other materials provided with the distribution.
19 *
20 *  3. The name of Endace Technology Ltd may not be used to endorse or promote
21 *  products derived from this software without specific prior written
22 *  permission.
23 *
24 * THIS SOFTWARE IS PROVIDED BY ENDACE TECHNOLOGY LTD ``AS IS'' AND ANY EXPRESS
25 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
26 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
27 * EVENT SHALL ENDACE TECHNOLOGY LTD BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
29 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
30 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
31 * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
32 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
34 *
35 * $Id$
36 */
37
38 /* 
39  * erf - Endace ERF (Extensible Record Format)
40  *
41  * See
42  *
43  *      http://www.endace.com/support/EndaceRecordFormat.pdf
44  */
45
46 #ifdef HAVE_CONFIG_H
47 #include "config.h"
48 #endif
49
50 #include <stdlib.h>
51 #include <string.h>
52
53 #include "wtap-int.h"
54 #include "file_wrappers.h"
55 #include "buffer.h"
56 #include "atm.h"
57 #include "erf.h"
58
/* 32-bit ATM cell header as stored in a record; converted with g_ntohl()
 * before the VPI/VCI fields are extracted from it. */
typedef guint32 atm_hdr_t;

/*
 * Forward declarations of the file-local helpers and of the callbacks that
 * erf_open() installs on the wtap handle.
 */

/* Reads one record header and fills in the packet and pseudo header data;
 * phdr and bytes_read may be NULL (erf_seek_read passes NULL for both). */
static int erf_read_header(
                FILE_T fh,
                struct wtap_pkthdr *phdr,
                union wtap_pseudo_header *pseudo_header,
                erf_header_t *erf_header,
                erf_t *erf,
                int *err,
                gchar **err_info,
                guint32 *bytes_read,
                guint32 *packet_size);
/* Sequential read callback (wth->subtype_read). */
static gboolean erf_read(wtap *wth, int *err, gchar **err_info,
                long *data_offset);
/* Random-access read callback (wth->subtype_seek_read). */
static gboolean erf_seek_read(wtap *wth, long seek_off,
                union wtap_pseudo_header *pseudo_header, guchar *pd,
                int length, int *err, gchar **err_info);
/* Close callback (wth->subtype_close); frees wth->capture.erf. */
static void erf_close(wtap *wth);
/* Maps an ERF record type to a WTAP_ENCAP_* value. */
static int erf_encap_to_wtap_encap(erf_t *erf, guint8 erf_encap);
/* Completes the pseudo header once the payload is available in pd. */
static void erf_set_pseudo_header(
                guint8 type,
                erf_t *erf,
                guchar *pd,
                int length,
                union wtap_pseudo_header *pseudo_header);
84
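/*
 * Decide whether the file behind `wth` is an ERF capture and, if so, set the
 * handle up for reading it.
 *
 * ERF has no magic number, so the first few records are sanity-checked
 * instead: the record type must be known, the pad bits must be zero, the
 * record length must cover the record header, and timestamps must not go
 * backwards (with a one second allowance for AAL5 records).
 *
 * Environment:
 *   ERF_ATM_ENCAP         "sunatm", "sunraw" or "rfc1483"
 *   ERF_RECORDS_TO_CHECK  number of records to inspect, 1..100
 *
 * Returns 1 if the file is accepted as ERF, 0 if it is not ERF, and -1 on an
 * I/O error (with *err set).
 */
int erf_open(wtap *wth, int *err, gchar **err_info _U_)
{
        guint32 i;
        long n;
        char *s;
        guint32 records_for_erf_check = RECORDS_FOR_ERF_CHECK;
        guint32 atm_encap = WTAP_ENCAP_ATM_PDUS;
        gboolean is_rawatm = FALSE;
        gboolean is_ppp = FALSE;
        int common_type = 0;
        erf_timestamp_t prevts;

        memset(&prevts, 0, sizeof(prevts));

        if ((s = getenv("ERF_ATM_ENCAP")) != NULL) {
                if (!strcmp(s, "sunatm")) {
                        atm_encap = WTAP_ENCAP_ATM_PDUS;
                } else
                if (!strcmp(s, "sunraw")) {
                        atm_encap = WTAP_ENCAP_ATM_PDUS;
                        is_rawatm = TRUE;
                } else
                if (!strcmp(s, "rfc1483")) {
                        atm_encap = WTAP_ENCAP_ATM_RFC1483;
                }
        }

        /* number of records to scan before deciding if this really is ERF (dflt=3) */
        if ((s = getenv("ERF_RECORDS_TO_CHECK")) != NULL) {
                /*
                 * strtol() rather than atoi(): out-of-range input yields
                 * LONG_MIN/LONG_MAX instead of undefined behaviour, and both
                 * are rejected by the range test.
                 */
                n = strtol(s, NULL, 10);
                if (n > 0 && n < 101) {
                        records_for_erf_check = (guint32) n;
                }
        }

        /* ERF is a little hard because there's no magic number */

        for (i = 0; i < records_for_erf_check; i++) {

                erf_header_t header;
                guint32 rlen;
                guint32 packet_size;
                erf_timestamp_t ts;

                if (file_read(&header,1,sizeof(header),wth->fh) != sizeof(header)) {
                        if ((*err = file_error(wth->fh)) != 0)
                                return -1;
                        else
                                break; /* eof */
                }

                /*
                 * rlen comes straight from the file.  A value smaller than
                 * the record header would wrap the unsigned subtraction below
                 * and turn into a huge forward seek, so treat it as "not ERF".
                 */
                rlen = g_ntohs(header.rlen);
                if (rlen < sizeof(header)) {
                        return 0;
                }
                packet_size = rlen - sizeof(header);

                /* fail on invalid record type, decreasing timestamps or non-zero pad-bits */
                if (header.type == 0 || header.type > TYPE_AAL5 ||
                    (header.flags & 0xc0) != 0) {
                        return 0;
                }

#ifdef G_HAVE_GINT64
                if ((ts = pletohll(&header.ts)) < prevts) {
                        /* reassembled AAL5 records may not be in time order, so allow 1 sec fudge */
                        if (header.type != TYPE_AAL5 || ((prevts-ts)>>32) > 1) {
                                return 0;
                        }
                }
#else
                ts[0] = pletohl(&header.ts[0]); /* frac */
                ts[1] = pletohl(&header.ts[1]); /* sec */
                if ((ts[1] < prevts[1]) ||
                                (ts[1] == prevts[1] && ts[0] < prevts[0])) {
                        /* reassembled AAL5 records may not be in time order, so allow 1 sec fudge */
                        if (header.type != TYPE_AAL5 || (prevts[1]-ts[1]) > 1) {
                                return 0;
                        }
                }
#endif
                memcpy(&prevts, &ts, sizeof(prevts));

                /* common_type: 0 = nothing seen yet, >0 = the one type seen so far, -1 = mixed */
                if (common_type == 0) {
                        common_type = header.type;
                } else
                if (common_type > 0 && common_type != header.type) {
                        common_type = -1;
                }

                /*
                 * Peek at the first two payload bytes of an HDLC record to
                 * detect PPP (0xff03).  Only do so when the record actually
                 * holds those two bytes; otherwise the read would consume
                 * part of the next record and the subtraction would wrap.
                 */
                if (header.type == TYPE_HDLC_POS && !is_ppp &&
                    packet_size >= sizeof(guint16)) {
                        guint16 chdlc_hdr;
                        if (file_read(&chdlc_hdr,1,sizeof(chdlc_hdr),wth->fh) != sizeof(chdlc_hdr)) {
                                /* never test chdlc_hdr after a short read: it is uninitialised */
                                if ((*err = file_error(wth->fh)) != 0)
                                        return -1;
                                break; /* eof inside the record */
                        }
                        packet_size -= sizeof(chdlc_hdr);
                        if (g_ntohs(chdlc_hdr) == 0xff03) {
                                is_ppp = TRUE;
                        }
                }

                if (file_seek(wth->fh, packet_size, SEEK_CUR, err) == -1) {
                        return -1;
                }
        }

        if (file_seek(wth->fh, 0L, SEEK_SET, err) == -1) {      /* rewind */
                return -1;
        }

        wth->data_offset = 0;

        /* This is an ERF file */
        wth->file_type = WTAP_FILE_ERF;
        wth->snapshot_length = 0;       /* not available in header, only in frame */
        wth->capture.erf = g_malloc(sizeof(erf_t));
        wth->capture.erf->is_ppp = is_ppp;
        if (common_type == TYPE_AAL5) {
                wth->capture.erf->atm_encap = WTAP_ENCAP_ATM_PDUS_UNTRUNCATED;
                wth->capture.erf->is_rawatm = FALSE;
        } else {
                wth->capture.erf->atm_encap = atm_encap;
                wth->capture.erf->is_rawatm = is_rawatm;
        }

        /*
         * Really want WTAP_ENCAP_PER_PACKET here but that severely limits
         * the number of output formats we can write to. If all the records
         * tested in the loop above were the same encap then use that one,
         * otherwise use WTAP_ENCAP_PER_PACKET.
         */
        wth->file_encap =
                (common_type < 0
                        ? WTAP_ENCAP_PER_PACKET
                        : erf_encap_to_wtap_encap(wth->capture.erf, (guint8) common_type));

        wth->subtype_read = erf_read;
        wth->subtype_seek_read = erf_seek_read;
        wth->subtype_close = erf_close;

        return 1;
}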
220
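/*
 * Read the next packet.
 *
 * Stores the offset of the record in *data_offset, reads the record header
 * via erf_read_header(), copies the payload into wth->frame_buffer and
 * completes the pseudo header.
 *
 * Returns TRUE on success, FALSE on error or end of file (the read macro
 * returns FALSE from this function on a short read).
 */
static gboolean erf_read(wtap *wth, int *err, gchar **err_info,
    long *data_offset)
{
        erf_header_t erf_header;
        guint32 packet_size, bytes_read;
        gint32 offset = 0;

        *data_offset = wth->data_offset;

        if (!erf_read_header(
                        wth->fh,
                        &wth->phdr, &wth->pseudo_header, &erf_header, wth->capture.erf,
                        err, err_info, &bytes_read, &packet_size)) {
                return FALSE;
        }
        wth->data_offset += bytes_read;

        /*
         * packet_size is derived from a length field in the capture file.
         * Refuse values that are out of range, and in raw ATM mode refuse a
         * payload shorter than the cell header that is subtracted below:
         * the unsigned subtraction would wrap and the wrapped value would
         * then be used as a read length.
         */
        if (packet_size > WTAP_MAX_PACKET_SIZE ||
            (wth->capture.erf->is_rawatm && packet_size < sizeof(atm_hdr_t))) {
                *err = WTAP_ERR_BAD_RECORD;
                *err_info = g_strdup_printf("erf: record has invalid payload length %u",
                    packet_size);
                return FALSE;
        }

        buffer_assure_space(wth->frame_buffer, packet_size+(wth->capture.erf->is_rawatm?(sizeof(atm_hdr_t)+1):0));

        if (wth->capture.erf->is_rawatm) {
                wtap_file_read_expected_bytes(
                        buffer_start_ptr(wth->frame_buffer), (gint32)sizeof(atm_hdr_t), wth->fh, err
                );
                wth->data_offset += sizeof(atm_hdr_t);
                packet_size -= sizeof(atm_hdr_t);
                /* the payload goes one byte past the cell header read above */
                offset += sizeof(atm_hdr_t)+1;
        }

        wtap_file_read_expected_bytes(
                buffer_start_ptr(wth->frame_buffer)+offset, (gint32)packet_size, wth->fh, err
        );
        wth->data_offset += packet_size;

        erf_set_pseudo_header(
                        erf_header.type, wth->capture.erf,
                        buffer_start_ptr(wth->frame_buffer), packet_size, &wth->pseudo_header
        );

        return TRUE;
}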
262
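/*
 * Random-access read: seek to seek_off in wth->random_fh, re-read the record
 * header there and copy the payload into pd.
 *
 * `length` is only passed on to erf_set_pseudo_header(); the number of bytes
 * written to pd comes from the record header in the file.
 * NOTE(review): nothing here checks pd's capacity against that number;
 * presumably callers size pd for WTAP_MAX_PACKET_SIZE -- confirm.
 *
 * Returns TRUE on success, FALSE on error.
 */
static gboolean erf_seek_read(wtap *wth, long seek_off,
                union wtap_pseudo_header *pseudo_header, guchar *pd,
                int length, int *err, gchar **err_info)
{
        erf_header_t erf_header;
        guint32 packet_size;
        int offset = 0;

        if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
                return FALSE;

        if (!erf_read_header(wth->random_fh, NULL, pseudo_header, &erf_header,
            wth->capture.erf, err, err_info, NULL, &packet_size))
                return FALSE;

        /*
         * packet_size is derived from a length field in the capture file.
         * Refuse out-of-range values, and in raw ATM mode refuse a payload
         * shorter than the cell header subtracted below, so that a wrapped
         * unsigned value is never used as the length of the read into pd.
         */
        if (packet_size > WTAP_MAX_PACKET_SIZE ||
            (wth->capture.erf->is_rawatm && packet_size < sizeof(atm_hdr_t))) {
                *err = WTAP_ERR_BAD_RECORD;
                *err_info = g_strdup_printf("erf: record has invalid payload length %u",
                    packet_size);
                return FALSE;
        }

        if (wth->capture.erf->is_rawatm) {
                wtap_file_read_expected_bytes(pd, (int)sizeof(atm_hdr_t), wth->random_fh, err);
                packet_size -= sizeof(atm_hdr_t);
                /* the payload goes one byte past the cell header read above */
                offset += sizeof(atm_hdr_t)+1;
        }

        wtap_file_read_expected_bytes(pd+offset, (int)packet_size, wth->random_fh, err);

        erf_set_pseudo_header(erf_header.type, wth->capture.erf, pd, length, pseudo_header);

        return TRUE;
}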
290
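/*
 * Close callback: release the per-file ERF state allocated by erf_open().
 * The pointer is cleared afterwards so that a later use or a second close
 * sees NULL instead of a dangling pointer.
 */
static void erf_close(wtap *wth)
{
    g_free(wth->capture.erf);
    wth->capture.erf = NULL;
}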
295
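/*
 * Read one ERF record header from fh and translate it.
 *
 *   phdr          filled with timestamp, lengths and encapsulation; may be
 *                 NULL (random-access reads do not need it)
 *   pseudo_header receives the ATM or point-to-point fields
 *   erf_header    receives the raw record header
 *   erf           per-file state (ATM encapsulation, raw ATM and PPP flags)
 *   bytes_read    if not NULL, receives the number of bytes consumed here
 *   packet_size   receives the number of payload bytes still to be read
 *
 * Every length used here comes from the capture file, so each subtraction
 * from *packet_size is preceded by a check that it cannot wrap.
 *
 * Returns TRUE on success; FALSE on a short read, a seek error, or a bad
 * record (with *err and, for bad records, *err_info set).
 */
static int erf_read_header(
        FILE_T fh,
        struct wtap_pkthdr *phdr,
        union wtap_pseudo_header *pseudo_header,
        erf_header_t *erf_header,
        erf_t *erf,
        int *err,
        gchar **err_info,
        guint32 *bytes_read,
        guint32 *packet_size)
{
        guint32 rec_size, skip;

        wtap_file_read_expected_bytes(erf_header, sizeof(*erf_header), fh, err);
        if (bytes_read != NULL) {
                *bytes_read = sizeof(*erf_header);
        }

        rec_size = g_ntohs(erf_header->rlen);
        if (rec_size < sizeof(*erf_header)) {
                /*
                 * The record length must at least cover the header just
                 * read; report that instead of letting the subtraction wrap.
                 */
                *err = WTAP_ERR_BAD_RECORD;
                *err_info = g_strdup_printf("erf: File has %u-byte record, smaller than the %u-byte record header",
                    rec_size, (guint32) sizeof(*erf_header));
                return FALSE;
        }
        *packet_size = rec_size - sizeof(*erf_header);
        skip = 0; /* # bytes of payload to ignore */

        if (*packet_size > WTAP_MAX_PACKET_SIZE) {
                /*
                 * Probably a corrupt capture file; don't blow up trying
                 * to allocate space for an immensely-large packet.
                 */
                *err = WTAP_ERR_BAD_RECORD;
                *err_info = g_strdup_printf("erf: File has %u-byte packet, bigger than maximum of %u",
                    *packet_size, WTAP_MAX_PACKET_SIZE);
                return FALSE;
        }

        if (phdr != NULL ) {
#ifdef G_HAVE_GINT64
                /* upper 32 bits: seconds; lower 32 bits: binary fraction of a second */
                guint64 ts = pletohll(&erf_header->ts);

                phdr->ts.secs = (long) (ts >> 32);
                ts = ((ts & 0xffffffff) * 1000 * 1000);
                ts += (ts & 0x80000000) << 1; /* rounding */
                phdr->ts.nsecs = ((long) (ts >> 32)) * 1000;
                if (phdr->ts.nsecs >= 1000000000) {
                        phdr->ts.nsecs -= 1000000000;
                        phdr->ts.secs += 1;
                }
#else
                /* NOTE(review): this branch writes tv_sec/tv_usec while the
                 * branch above writes secs/nsecs -- confirm it still builds. */
                phdr->ts.tv_sec = pletohl(&erf_header->ts[1]);
                phdr->ts.tv_usec =
                        (unsigned long)((pletohl(&erf_header->ts[0])*1000000.0)/0xffffffffUL);
#endif
        }

        switch (erf_header->type) {

        case TYPE_ATM:
        case TYPE_AAL5:
                /*
                 * Every path below takes sizeof(atm_hdr_t) bytes off the
                 * payload (length computation, header read or skip).
                 */
                if (*packet_size < sizeof(atm_hdr_t)) {
                        goto short_record;
                }
                /* NOTE(review): the *_SLEN/*_WLEN macros are defined outside
                 * this file; confirm they cannot wrap on small records. */
                if (phdr != NULL) {
                        if (erf_header->type == TYPE_AAL5) {
                                phdr->caplen = phdr->len = *packet_size - sizeof(atm_hdr_t);
                        } else {
                                phdr->caplen = ATM_SLEN(erf_header, NULL);
                                phdr->len = ATM_WLEN(erf_header, NULL);
                        }
                }

                if (erf->atm_encap == WTAP_ENCAP_ATM_PDUS || erf->atm_encap == WTAP_ENCAP_ATM_PDUS_UNTRUNCATED) {
                        memset(&pseudo_header->atm, 0, sizeof(pseudo_header->atm));
                        if (erf->is_rawatm) {
                                /* the cell header stays in the payload and is read by the caller */
                                pseudo_header->atm.flags = ATM_RAW_CELL;
                                if (phdr != NULL) {
                                        phdr->caplen += sizeof(atm_hdr_t)+1;
                                        phdr->len += sizeof(atm_hdr_t)+1;
                                }
                        } else {
                                atm_hdr_t atm_hdr;

                                wtap_file_read_expected_bytes(&atm_hdr, sizeof(atm_hdr), fh, err);
                                if (bytes_read != NULL) {
                                        *bytes_read += sizeof(atm_hdr);
                                }
                                *packet_size -= sizeof(atm_hdr);

                                atm_hdr = g_ntohl(atm_hdr);

                                pseudo_header->atm.vpi = ((atm_hdr & 0x0ff00000) >> 20);
                                pseudo_header->atm.vci = ((atm_hdr & 0x000ffff0) >>  4);
                                pseudo_header->atm.channel = (erf_header->flags & 0x03);
                        }
                } else {
                        skip = 4;
                }
                break;
        case TYPE_ETH:
                if (phdr != NULL) {
                        phdr->caplen = ETHERNET_SLEN(erf_header, erf);
                        phdr->len = ETHERNET_WLEN(erf_header, erf);
                }
                skip = 2;
                break;
        case TYPE_HDLC_POS:
                if (phdr != NULL) {
                        phdr->caplen = HDLC_SLEN(erf_header, erf);
                        phdr->len = HDLC_WLEN(erf_header, erf);
                }
                memset(&pseudo_header->p2p, 0, sizeof(pseudo_header->p2p));
                pseudo_header->p2p.sent = ((erf_header->flags & 0x01) ? TRUE : FALSE);
                break;
        default:
                *err = WTAP_ERR_UNSUPPORTED_ENCAP;
                *err_info = g_strdup_printf("erf: unknown record encapsulation %u",
                    erf_header->type);
                return FALSE;
        }

        if (phdr != NULL) {
                phdr->pkt_encap = erf_encap_to_wtap_encap(erf, erf_header->type);
        }

        if (skip > 0) {
                /* the bytes to skip must exist in this record */
                if (*packet_size < skip) {
                        goto short_record;
                }
                if (file_seek(fh, skip, SEEK_CUR, err) == -1) {
                        return FALSE;
                }
                if (bytes_read != NULL) {
                        *bytes_read += skip;
                }
                *packet_size -= skip;
        }

        return TRUE;

short_record:
        *err = WTAP_ERR_BAD_RECORD;
        *err_info = g_strdup_printf("erf: %u-byte payload is too short for record type %u",
            *packet_size, erf_header->type);
        return FALSE;
}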
426
/*
 * Translate an ERF record type into a WTAP_ENCAP_* value.
 *
 * ATM and AAL5 records use the ATM encapsulation stored in `erf`; HDLC
 * records map to PPP or Cisco HDLC depending on erf->is_ppp.  Any other
 * type yields WTAP_ENCAP_UNKNOWN.
 */
static int erf_encap_to_wtap_encap(erf_t *erf, guint8 erf_encap)
{
        if (erf_encap == TYPE_ATM || erf_encap == TYPE_AAL5) {
                return erf->atm_encap;
        }

        if (erf_encap == TYPE_ETH) {
                return WTAP_ENCAP_ETHERNET;
        }

        if (erf_encap == TYPE_HDLC_POS) {
                if (erf->is_ppp) {
                        return WTAP_ENCAP_PPP;
                }
                return WTAP_ENCAP_CHDLC;
        }

        return WTAP_ENCAP_UNKNOWN;
}
448
/*
 * Fill in the parts of the pseudo header that depend on the record type and,
 * for ATM PDUs, on the payload in pd (`length` bytes are handed to
 * atm_guess_traffic_type()).
 */
static void erf_set_pseudo_header(
        guint8 type, erf_t *erf, guchar *pd, int length, union wtap_pseudo_header *pseudo_header)
{
        gboolean cooked_atm_pdu;

        if (type == TYPE_ETH) {
                /* Whether this frame carries an FCS is not known. */
                pseudo_header->eth.fcs_len = -1;
                return;
        }

        /* ATM or AAL5 record, not in raw-cell mode, with a PDU encapsulation */
        cooked_atm_pdu = FALSE;
        if (!erf->is_rawatm) {
                if (type == TYPE_ATM || type == TYPE_AAL5) {
                        if (erf->atm_encap == WTAP_ENCAP_ATM_PDUS ||
                            erf->atm_encap == WTAP_ENCAP_ATM_PDUS_UNTRUNCATED) {
                                cooked_atm_pdu = TRUE;
                        }
                }
        }

        if (cooked_atm_pdu) {
                atm_guess_traffic_type(pd, length, pseudo_header);
                return;
        }

        if (type == TYPE_AAL5) {
                pseudo_header->atm.aal = AAL_5;
                pseudo_header->atm.type = TRAF_UNKNOWN;
                pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
        }
}