4 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
6 * File format support for ipfix file format
7 * Copyright (c) 2010 by Hadriel Kaplan <hadrielk@yahoo.com>
8 * with generous copying from other wiretaps, such as pcapng
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
25 /* File format reference:
27 * http://tools.ietf.org/rfc/rfc5655
28 * http://tools.ietf.org/rfc/rfc5101
30 * This wiretap is for an ipfix file format reader, per RFC 5655/5101.
31 * All "records" in the file are IPFIX messages, beginning with an IPFIX
32 * message header of 16 bytes as follows from RFC 5101:
34 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
35 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
36 | Version Number | Length |
37 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
39 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
41 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
42 | Observation Domain ID |
43 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
45 Figure F: IPFIX Message Header Format
47 * which is then followed by one or more "Sets": Data Sets, Template Sets,
48 * and Options Template Sets. Each Set then has one or more Records in
51 * All IPFIX files are recorded in big-endian form (network byte order),
52 * per the RFCs. That means if we're on a little-endian system, all
53 * hell will break loose if we don't g_ntohX.
55 * Since wireshark already has an IPFIX dissector (implemented in
56 * packet-netflow.c), this reader will just set that dissector upon
57 * reading each message. Thus, an IPFIX Message is treated as a packet
58 * as far as the dissector is concerned.
67 #include "file_wrappers.h"
71 #define ipfix_debug(...) g_warning(__VA_ARGS__)
73 #define ipfix_debug(...)
76 #define RECORDS_FOR_IPFIX_CHECK 20
79 ipfix_read(wtap *wth, int *err, gchar **err_info,
82 ipfix_seek_read(wtap *wth, gint64 seek_off,
83 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
85 #define IPFIX_VERSION 10
87 /* ipfix: message header */
88 typedef struct ipfix_message_header_s {
90 guint16 message_length;
91 guint32 export_time_secs;
92 guint32 sequence_number;
93 guint32 observation_id; /* might be 0 for none */
94 /* x bytes msg_body */
95 } ipfix_message_header_t;
96 #define IPFIX_MSG_HDR_SIZE 16
98 /* ipfix: common Set header for every Set type */
99 typedef struct ipfix_set_header_s {
102 /* x bytes set_body */
103 } ipfix_set_header_t;
104 #define IPFIX_SET_HDR_SIZE 4
107 /* Read IPFIX message header from file. Return true on success. Set *err to
108 * 0 on EOF, any other value for "real" errors (EOF is ok, since return
109 * value is still FALSE)
112 ipfix_read_message_header(ipfix_message_header_t *pfx_hdr, FILE_T fh, int *err, gchar **err_info)
114 if (!wtap_read_bytes_or_eof(fh, pfx_hdr, IPFIX_MSG_HDR_SIZE, err, err_info))
117 /* fix endianess, because IPFIX files are always big-endian */
118 pfx_hdr->version = g_ntohs(pfx_hdr->version);
119 pfx_hdr->message_length = g_ntohs(pfx_hdr->message_length);
120 pfx_hdr->export_time_secs = g_ntohl(pfx_hdr->export_time_secs);
121 pfx_hdr->sequence_number = g_ntohl(pfx_hdr->sequence_number);
122 pfx_hdr->observation_id = g_ntohl(pfx_hdr->observation_id);
124 /* is the version number one we expect? */
125 if (pfx_hdr->version != IPFIX_VERSION) {
126 /* Not an ipfix file. */
127 *err = WTAP_ERR_BAD_FILE;
128 *err_info = g_strdup_printf("ipfix: wrong version %d", pfx_hdr->version);
132 if (pfx_hdr->message_length < 16) {
133 *err = WTAP_ERR_BAD_FILE;
134 *err_info = g_strdup_printf("ipfix: message length %u is too short", pfx_hdr->message_length);
138 /* go back to before header */
139 if (file_seek(fh, 0 - IPFIX_MSG_HDR_SIZE, SEEK_CUR, err) == -1) {
140 ipfix_debug("ipfix_read: couldn't go back in file before header");
148 /* Read IPFIX message header from file and fill in the struct wtap_pkthdr
149 * for the packet, and, if that succeeds, read the packet data.
150 * Return true on success. Set *err to 0 on EOF, any other value for "real"
151 * errors (EOF is ok, since return value is still FALSE).
154 ipfix_read_message(FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info)
156 ipfix_message_header_t msg_hdr;
158 if (!ipfix_read_message_header(&msg_hdr, fh, err, err_info))
161 * The maximum value of msg_hdr.message_length is 65535, which is
162 * less than WTAP_MAX_PACKET_SIZE will ever be, so we don't need
166 phdr->rec_type = REC_TYPE_PACKET;
167 phdr->presence_flags = WTAP_HAS_TS;
168 phdr->len = msg_hdr.message_length;
169 phdr->caplen = msg_hdr.message_length;
170 phdr->ts.secs = msg_hdr.export_time_secs;
173 return wtap_read_packet_bytes(fh, buf, msg_hdr.message_length, err, err_info);
178 /* classic wtap: open capture file. Return WTAP_OPEN_MINE on success,
179 * WTAP_OPEN_NOT_MINE on normal failure like malformed format,
180 * WTAP_OPEN_ERROR on bad error like file system
183 ipfix_open(wtap *wth, int *err, gchar **err_info)
185 gint i, n, records_for_ipfix_check = RECORDS_FOR_IPFIX_CHECK;
187 guint16 checked_len = 0;
188 ipfix_message_header_t msg_hdr;
189 ipfix_set_header_t set_hdr;
191 ipfix_debug("ipfix_open: opening file");
193 /* number of records to scan before deciding if this really is IPFIX */
194 if ((s = getenv("IPFIX_RECORDS_TO_CHECK")) != NULL) {
195 if ((n = atoi(s)) > 0 && n < 101) {
196 records_for_ipfix_check = n;
201 * IPFIX is a little hard because there's no magic number; we look at
202 * the first few records and see if they look enough like IPFIX
205 for (i = 0; i < records_for_ipfix_check; i++) {
206 /* read first message header to check version */
207 if (!ipfix_read_message_header(&msg_hdr, wth->fh, err, err_info)) {
208 ipfix_debug("ipfix_open: couldn't read message header #%d with err code #%d (%s)",
210 if (*err == WTAP_ERR_BAD_FILE) {
211 *err = 0; /* not actually an error in this case */
214 return WTAP_OPEN_NOT_MINE;
216 if (*err != 0 && *err != WTAP_ERR_SHORT_READ)
217 return WTAP_OPEN_ERROR; /* real failure */
220 /* we haven't seen enough to prove this is a ipfix file */
221 return WTAP_OPEN_NOT_MINE;
224 * If we got here, it's EOF and we haven't yet seen anything
225 * that doesn't look like an IPFIX record - i.e. everything
226 * we've seen looks like an IPFIX record - so we assume this
231 if (file_seek(wth->fh, IPFIX_MSG_HDR_SIZE, SEEK_CUR, err) == -1) {
232 ipfix_debug("ipfix_open: failed seek to next message in file, %d bytes away",
233 msg_hdr.message_length);
234 return WTAP_OPEN_NOT_MINE;
236 checked_len = IPFIX_MSG_HDR_SIZE;
238 /* check each Set in IPFIX Message for sanity */
239 while (checked_len < msg_hdr.message_length) {
240 if (!wtap_read_bytes(wth->fh, &set_hdr, IPFIX_SET_HDR_SIZE,
242 if (*err == WTAP_ERR_SHORT_READ) {
243 /* Not a valid IPFIX Set, so not an IPFIX file. */
244 ipfix_debug("ipfix_open: error %d reading set", *err);
245 return WTAP_OPEN_NOT_MINE;
248 /* A real I/O error; fail. */
249 return WTAP_OPEN_ERROR;
251 set_hdr.set_length = g_ntohs(set_hdr.set_length);
252 if ((set_hdr.set_length < IPFIX_SET_HDR_SIZE) ||
253 ((set_hdr.set_length + checked_len) > msg_hdr.message_length)) {
254 ipfix_debug("ipfix_open: found invalid set_length of %d",
256 return WTAP_OPEN_NOT_MINE;
259 if (file_seek(wth->fh, set_hdr.set_length - IPFIX_SET_HDR_SIZE,
260 SEEK_CUR, err) == -1)
262 ipfix_debug("ipfix_open: failed seek to next set in file, %d bytes away",
263 set_hdr.set_length - IPFIX_SET_HDR_SIZE);
264 return WTAP_OPEN_ERROR;
266 checked_len += set_hdr.set_length;
270 /* go back to beginning of file */
271 if (file_seek (wth->fh, 0, SEEK_SET, err) != 0)
273 return WTAP_OPEN_ERROR;
276 /* all's good, this is a IPFIX file */
277 wth->file_encap = WTAP_ENCAP_RAW_IPFIX;
278 wth->snapshot_length = 0;
279 wth->file_tsprec = WTAP_TSPREC_SEC;
280 wth->subtype_read = ipfix_read;
281 wth->subtype_seek_read = ipfix_seek_read;
282 wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_IPFIX;
284 return WTAP_OPEN_MINE;
288 /* classic wtap: read packet */
290 ipfix_read(wtap *wth, int *err, gchar **err_info, gint64 *data_offset)
292 *data_offset = file_tell(wth->fh);
293 ipfix_debug("ipfix_read: data_offset is initially %" G_GINT64_MODIFIER "d", *data_offset);
295 if (!ipfix_read_message(wth->fh, &wth->phdr, wth->frame_buffer, err, err_info)) {
296 ipfix_debug("ipfix_read: couldn't read message header with code: %d\n, and error '%s'",
305 /* classic wtap: seek to file position and read packet */
307 ipfix_seek_read(wtap *wth, gint64 seek_off, struct wtap_pkthdr *phdr,
308 Buffer *buf, int *err, gchar **err_info)
310 /* seek to the right file position */
311 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1) {
312 ipfix_debug("ipfix_seek_read: couldn't read message header with code: %d\n, and error '%s'",
314 return FALSE; /* Seek error */
317 ipfix_debug("ipfix_seek_read: reading at offset %" G_GINT64_MODIFIER "u", seek_off);
319 if (!ipfix_read_message(wth->random_fh, phdr, buf, err, err_info)) {
320 ipfix_debug("ipfix_seek_read: couldn't read message header");
322 *err = WTAP_ERR_SHORT_READ;
329 * Editor modelines - http://www.wireshark.org/tools/modelines.html
334 * indent-tabs-mode: nil
337 * vi: set shiftwidth=4 tabstop=8 expandtab:
338 * :indentSize=4:tabSize=8:noTabs=true: