6 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
30 #include "file_wrappers.h"
35 static gboolean iptrace_read_1_0(wtap *wth, int *err, gchar **err_info,
37 static gboolean iptrace_seek_read_1_0(wtap *wth, gint64 seek_off,
38 union wtap_pseudo_header *pseudo_header, guint8 *pd, int packet_size,
39 int *err, gchar **err_info);
41 static gboolean iptrace_read_2_0(wtap *wth, int *err, gchar **err_info,
43 static gboolean iptrace_seek_read_2_0(wtap *wth, gint64 seek_off,
44 union wtap_pseudo_header *pseudo_header, guint8 *pd, int packet_size,
45 int *err, gchar **err_info);
47 static int iptrace_read_rec_header(FILE_T fh, guint8 *header, int header_len,
48 int *err, gchar **err_info);
49 static gboolean iptrace_read_rec_data(FILE_T fh, guint8 *data_ptr,
50 int packet_size, int *err, gchar **err_info);
51 static void fill_in_pseudo_header(int encap, const guint8 *pd, guint32 len,
52 union wtap_pseudo_header *pseudo_header, guint8 *header);
53 static int wtap_encap_ift(unsigned int ift);
55 int iptrace_open(wtap *wth, int *err, gchar **err_info)
60 errno = WTAP_ERR_CANT_READ;
61 bytes_read = file_read(name, 11, wth->fh);
62 if (bytes_read != 11) {
63 *err = file_error(wth->fh, err_info);
68 wth->data_offset += 11;
71 if (strcmp(name, "iptrace 1.0") == 0) {
72 wth->file_type = WTAP_FILE_IPTRACE_1_0;
73 wth->subtype_read = iptrace_read_1_0;
74 wth->subtype_seek_read = iptrace_seek_read_1_0;
75 wth->tsprecision = WTAP_FILE_TSPREC_SEC;
77 else if (strcmp(name, "iptrace 2.0") == 0) {
78 wth->file_type = WTAP_FILE_IPTRACE_2_0;
79 wth->subtype_read = iptrace_read_2_0;
80 wth->subtype_seek_read = iptrace_seek_read_2_0;
81 wth->tsprecision = WTAP_FILE_TSPREC_NSEC;
90 /***********************************************************
92 ***********************************************************/
95 * iptrace 1.0, discovered through inspection
97 * Packet record contains:
99 * an initial header, with a length field and a time stamp, in
100 * seconds since the Epoch;
102 * data, with the specified length.
106 * a bunch of information about the packet;
108 * padding, at least for FDDI;
110 * the raw packet data.
113 /* 0-3 */ guint32 pkt_length; /* packet length + 0x16 */
114 /* 4-7 */ guint32 tv_sec; /* time stamp, seconds since the Epoch */
115 /* 8-11 */ guint32 junk1; /* ???, not time */
116 /* 12-15 */ char if_name[4]; /* null-terminated */
117 /* 16-27 */ char junk2[12]; /* ??? */
118 /* 28 */ guint8 if_type; /* BSD net/if_types.h */
119 /* 29 */ guint8 tx_flag; /* 0=receive, 1=transmit */
122 #define IPTRACE_1_0_PHDR_SIZE 30 /* initial header plus packet data */
123 #define IPTRACE_1_0_PDATA_SIZE 22 /* packet data */
125 /* Read the next packet */
126 static gboolean iptrace_read_1_0(wtap *wth, int *err, gchar **err_info,
131 guint8 header[IPTRACE_1_0_PHDR_SIZE];
133 iptrace_1_0_phdr pkt_hdr;
134 guint8 fddi_padding[3];
136 /* Read the descriptor data */
137 *data_offset = wth->data_offset;
138 ret = iptrace_read_rec_header(wth->fh, header, IPTRACE_1_0_PHDR_SIZE,
141 /* Read error or EOF */
144 wth->data_offset += IPTRACE_1_0_PHDR_SIZE;
147 * Byte 28 of the frame header appears to be a BSD-style IFT_xxx
148 * value giving the type of the interface. Check out the
149 * <net/if_types.h> header file.
151 pkt_hdr.if_type = header[28];
152 wth->phdr.pkt_encap = wtap_encap_ift(pkt_hdr.if_type);
154 /* Read the packet data */
155 packet_size = pntohl(&header[0]);
156 if (packet_size < IPTRACE_1_0_PDATA_SIZE) {
158 * Uh-oh, the record isn't big enough to even have a
159 * packet meta-data header.
161 *err = WTAP_ERR_BAD_FILE;
162 *err_info = g_strdup_printf("iptrace: file has a %u-byte record, too small to have even a packet meta-data header",
166 packet_size -= IPTRACE_1_0_PDATA_SIZE;
169 * AIX appears to put 3 bytes of padding in front of FDDI
170 * frames; strip that crap off.
172 if (wth->phdr.pkt_encap == WTAP_ENCAP_FDDI_BITSWAPPED) {
174 * The packet size is really a record size and includes
177 if (packet_size < 3) {
179 * Uh-oh, the record isn't big enough to even have
182 *err = WTAP_ERR_BAD_FILE;
183 *err_info = g_strdup_printf("iptrace: file has a %u-byte record, too small to have even a packet meta-data header",
184 packet_size + IPTRACE_1_0_PDATA_SIZE);
188 wth->data_offset += 3;
193 if (!iptrace_read_rec_data(wth->fh, fddi_padding, 3, err,
195 return FALSE; /* Read error */
197 if (packet_size > WTAP_MAX_PACKET_SIZE) {
199 * Probably a corrupt capture file; don't blow up trying
200 * to allocate space for an immensely-large packet.
202 *err = WTAP_ERR_BAD_FILE;
203 *err_info = g_strdup_printf("iptrace: File has %u-byte packet, bigger than maximum of %u",
204 packet_size, WTAP_MAX_PACKET_SIZE);
208 buffer_assure_space( wth->frame_buffer, packet_size );
209 data_ptr = buffer_start_ptr( wth->frame_buffer );
210 if (!iptrace_read_rec_data(wth->fh, data_ptr, packet_size, err,
212 return FALSE; /* Read error */
213 wth->data_offset += packet_size;
215 wth->phdr.presence_flags = WTAP_HAS_TS;
216 wth->phdr.len = packet_size;
217 wth->phdr.caplen = packet_size;
218 wth->phdr.ts.secs = pntohl(&header[4]);
219 wth->phdr.ts.nsecs = 0;
221 if (wth->phdr.pkt_encap == WTAP_ENCAP_UNKNOWN) {
222 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
223 *err_info = g_strdup_printf("iptrace: interface type IFT=0x%02x unknown or unsupported",
228 /* Fill in the pseudo-header. */
229 fill_in_pseudo_header(wth->phdr.pkt_encap, data_ptr, wth->phdr.caplen,
230 &wth->pseudo_header, header);
232 /* If the per-file encapsulation isn't known, set it to this
233 packet's encapsulation.
235 If it *is* known, and it isn't this packet's encapsulation,
236 set it to WTAP_ENCAP_PER_PACKET, as this file doesn't
237 have a single encapsulation for all packets in the file. */
238 if (wth->file_encap == WTAP_ENCAP_UNKNOWN)
239 wth->file_encap = wth->phdr.pkt_encap;
241 if (wth->file_encap != wth->phdr.pkt_encap)
242 wth->file_encap = WTAP_ENCAP_PER_PACKET;
248 static gboolean iptrace_seek_read_1_0(wtap *wth, gint64 seek_off,
249 union wtap_pseudo_header *pseudo_header, guint8 *pd, int packet_size,
250 int *err, gchar **err_info)
253 guint8 header[IPTRACE_1_0_PHDR_SIZE];
255 guint8 fddi_padding[3];
257 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
260 /* Read the descriptor data */
261 ret = iptrace_read_rec_header(wth->random_fh, header,
262 IPTRACE_1_0_PHDR_SIZE, err, err_info);
264 /* Read error or EOF */
266 /* EOF means "short read" in random-access mode */
267 *err = WTAP_ERR_SHORT_READ;
273 * Get the interface type.
275 pkt_encap = wtap_encap_ift(header[28]);
278 * AIX appears to put 3 bytes of padding in front of FDDI
279 * frames; strip that crap off.
281 if (pkt_encap == WTAP_ENCAP_FDDI_BITSWAPPED) {
285 if (!iptrace_read_rec_data(wth->random_fh, fddi_padding, 3,
287 return FALSE; /* Read error */
290 /* Get the packet data */
291 if (!iptrace_read_rec_data(wth->random_fh, pd, packet_size, err,
295 /* Fill in the pseudo_header. */
296 fill_in_pseudo_header(pkt_encap, pd, packet_size, pseudo_header,
302 /***********************************************************
304 ***********************************************************/
307 * iptrace 2.0, discovered through inspection
309 * Packet record contains:
311 * an initial header, with a length field and a time stamp, in
312 * seconds since the Epoch;
314 * data, with the specified length.
318 * a bunch of information about the packet;
320 * padding, at least for FDDI;
322 * the raw packet data.
325 /* 0-3 */ guint32 pkt_length; /* packet length + 32 */
326 /* 4-7 */ guint32 tv_sec0; /* time stamp, seconds since the Epoch */
327 /* 8-11 */ guint32 junk1; /* ?? */
328 /* 12-15 */ char if_name[4]; /* null-terminated */
329 /* 16-27 */ char if_desc[12]; /* interface description. */
330 /* 28 */ guint8 if_type; /* BSD net/if_types.h */
331 /* 29 */ guint8 tx_flag; /* 0=receive, 1=transmit */
332 /* 30-31 */ guint16 junk3;
333 /* 32-35 */ guint32 tv_sec; /* time stamp, seconds since the Epoch */
334 /* 36-39 */ guint32 tv_nsec; /* nanoseconds since that second */
337 #define IPTRACE_2_0_PHDR_SIZE 40 /* initial header plus packet data */
338 #define IPTRACE_2_0_PDATA_SIZE 32 /* packet data */
340 /* Read the next packet */
341 static gboolean iptrace_read_2_0(wtap *wth, int *err, gchar **err_info,
346 guint8 header[IPTRACE_2_0_PHDR_SIZE];
348 iptrace_2_0_phdr pkt_hdr;
349 guint8 fddi_padding[3];
351 /* Read the descriptor data */
352 *data_offset = wth->data_offset;
353 ret = iptrace_read_rec_header(wth->fh, header, IPTRACE_2_0_PHDR_SIZE,
356 /* Read error or EOF */
359 wth->data_offset += IPTRACE_2_0_PHDR_SIZE;
362 * Byte 28 of the frame header appears to be a BSD-style IFT_xxx
363 * value giving the type of the interface. Check out the
364 * <net/if_types.h> header file.
366 pkt_hdr.if_type = header[28];
367 wth->phdr.pkt_encap = wtap_encap_ift(pkt_hdr.if_type);
369 /* Read the packet data */
370 packet_size = pntohl(&header[0]);
371 if (packet_size < IPTRACE_2_0_PDATA_SIZE) {
373 * Uh-oh, the record isn't big enough to even have a
374 * packet meta-data header.
376 *err = WTAP_ERR_BAD_FILE;
377 *err_info = g_strdup_printf("iptrace: file has a %u-byte record, too small to have even a packet meta-data header",
381 packet_size -= IPTRACE_2_0_PDATA_SIZE;
384 * AIX appears to put 3 bytes of padding in front of FDDI
385 * frames; strip that crap off.
387 if (wth->phdr.pkt_encap == WTAP_ENCAP_FDDI_BITSWAPPED) {
389 * The packet size is really a record size and includes
392 if (packet_size < 3) {
394 * Uh-oh, the record isn't big enough to even have
397 *err = WTAP_ERR_BAD_FILE;
398 *err_info = g_strdup_printf("iptrace: file has a %u-byte record, too small to have even a packet meta-data header",
399 packet_size + IPTRACE_2_0_PDATA_SIZE);
403 wth->data_offset += 3;
408 if (!iptrace_read_rec_data(wth->fh, fddi_padding, 3, err,
410 return FALSE; /* Read error */
412 if (packet_size > WTAP_MAX_PACKET_SIZE) {
414 * Probably a corrupt capture file; don't blow up trying
415 * to allocate space for an immensely-large packet.
417 *err = WTAP_ERR_BAD_FILE;
418 *err_info = g_strdup_printf("iptrace: File has %u-byte packet, bigger than maximum of %u",
419 packet_size, WTAP_MAX_PACKET_SIZE);
423 buffer_assure_space( wth->frame_buffer, packet_size );
424 data_ptr = buffer_start_ptr( wth->frame_buffer );
425 if (!iptrace_read_rec_data(wth->fh, data_ptr, packet_size, err,
427 return FALSE; /* Read error */
428 wth->data_offset += packet_size;
430 wth->phdr.presence_flags = WTAP_HAS_TS;
431 wth->phdr.len = packet_size;
432 wth->phdr.caplen = packet_size;
433 wth->phdr.ts.secs = pntohl(&header[32]);
434 wth->phdr.ts.nsecs = pntohl(&header[36]);
436 if (wth->phdr.pkt_encap == WTAP_ENCAP_UNKNOWN) {
437 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
438 *err_info = g_strdup_printf("iptrace: interface type IFT=0x%02x unknown or unsupported",
443 /* Fill in the pseudo-header. */
444 fill_in_pseudo_header(wth->phdr.pkt_encap, data_ptr, wth->phdr.caplen,
445 &wth->pseudo_header, header);
447 /* If the per-file encapsulation isn't known, set it to this
448 packet's encapsulation.
450 If it *is* known, and it isn't this packet's encapsulation,
451 set it to WTAP_ENCAP_PER_PACKET, as this file doesn't
452 have a single encapsulation for all packets in the file. */
453 if (wth->file_encap == WTAP_ENCAP_UNKNOWN)
454 wth->file_encap = wth->phdr.pkt_encap;
456 if (wth->file_encap != wth->phdr.pkt_encap)
457 wth->file_encap = WTAP_ENCAP_PER_PACKET;
463 static gboolean iptrace_seek_read_2_0(wtap *wth, gint64 seek_off,
464 union wtap_pseudo_header *pseudo_header, guint8 *pd, int packet_size,
465 int *err, gchar **err_info)
468 guint8 header[IPTRACE_2_0_PHDR_SIZE];
470 guint8 fddi_padding[3];
472 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
475 /* Read the descriptor data */
476 ret = iptrace_read_rec_header(wth->random_fh, header,
477 IPTRACE_2_0_PHDR_SIZE, err, err_info);
479 /* Read error or EOF */
481 /* EOF means "short read" in random-access mode */
482 *err = WTAP_ERR_SHORT_READ;
488 * Get the interface type.
490 pkt_encap = wtap_encap_ift(header[28]);
493 * AIX appears to put 3 bytes of padding in front of FDDI
494 * frames; strip that crap off.
496 if (pkt_encap == WTAP_ENCAP_FDDI_BITSWAPPED) {
500 if (!iptrace_read_rec_data(wth->random_fh, fddi_padding, 3,
502 return FALSE; /* Read error */
505 /* Get the packet data */
506 if (!iptrace_read_rec_data(wth->random_fh, pd, packet_size, err,
510 /* Fill in the pseudo-header. */
511 fill_in_pseudo_header(pkt_encap, pd, packet_size, pseudo_header,
518 iptrace_read_rec_header(FILE_T fh, guint8 *header, int header_len, int *err,
523 errno = WTAP_ERR_CANT_READ;
524 bytes_read = file_read(header, header_len, fh);
525 if (bytes_read != header_len) {
526 *err = file_error(fh, err_info);
529 if (bytes_read != 0) {
530 *err = WTAP_ERR_SHORT_READ;
539 iptrace_read_rec_data(FILE_T fh, guint8 *data_ptr, int packet_size, int *err,
544 errno = WTAP_ERR_CANT_READ;
545 bytes_read = file_read( data_ptr, packet_size, fh );
547 if (bytes_read != packet_size) {
548 *err = file_error(fh, err_info);
550 *err = WTAP_ERR_SHORT_READ;
557 * Fill in the pseudo-header information we can.
559 * For ATM traffic, "iptrace", alas, doesn't tell us what type of traffic
560 * is in the packet - it was presumably run on a machine that was one of
561 * the endpoints of the connection, so in theory it could presumably have
562 * told us, but, for whatever reason, it failed to do so - perhaps the
563 * low-level mechanism that feeds the presumably-AAL5 frames to us doesn't
564 * have access to that information (e.g., because it's in the ATM driver,
565 * and the ATM driver merely knows that stuff on VPI/VCI X.Y should be
566 * handed up to some particular client, it doesn't know what that client is).
568 * We let our caller try to figure out what kind of traffic it is, either
569 * by guessing based on the VPI/VCI, guessing based on the header of the
570 * packet, seeing earlier traffic that set up the circuit and specified
571 * in some fashion what sort of traffic it is, or being told by the user.
574 fill_in_pseudo_header(int encap, const guint8 *pd, guint32 len,
575 union wtap_pseudo_header *pseudo_header, guint8 *header)
584 case WTAP_ENCAP_ATM_PDUS:
585 /* Rip apart the "x.y" text into Vpi/Vci numbers */
586 memcpy(if_text, &header[20], 8);
588 decimal = strchr(if_text, '.');
591 Vpi = (int)strtoul(if_text, NULL, 10);
593 Vci = (int)strtoul(decimal, NULL, 10);
597 * OK, which value means "DTE->DCE" and which value means
600 pseudo_header->atm.channel = header[29];
602 pseudo_header->atm.vpi = Vpi;
603 pseudo_header->atm.vci = Vci;
606 * Attempt to guess from the packet data, the VPI,
607 * and the VCI information about the type of traffic.
609 atm_guess_traffic_type(pd, len, pseudo_header);
611 /* We don't have this information */
612 pseudo_header->atm.flags = 0;
613 pseudo_header->atm.cells = 0;
614 pseudo_header->atm.aal5t_u2u = 0;
615 pseudo_header->atm.aal5t_len = 0;
616 pseudo_header->atm.aal5t_chksum = 0;
619 case WTAP_ENCAP_ETHERNET:
620 /* We assume there's no FCS in this frame. */
621 pseudo_header->eth.fcs_len = 0;
626 /* Given an RFC1573 (SNMP ifType) interface type,
627 * return the appropriate Wiretap Encapsulation Type.
630 wtap_encap_ift(unsigned int ift)
633 static const int ift_encap[] = {
634 /* 0x0 */ WTAP_ENCAP_UNKNOWN, /* nothing */
635 /* 0x1 */ WTAP_ENCAP_UNKNOWN, /* IFT_OTHER */
636 /* 0x2 */ WTAP_ENCAP_UNKNOWN, /* IFT_1822 */
637 /* 0x3 */ WTAP_ENCAP_UNKNOWN, /* IFT_HDH1822 */
638 /* 0x4 */ WTAP_ENCAP_RAW_IP, /* IFT_X25DDN */
639 /* 0x5 */ WTAP_ENCAP_UNKNOWN, /* IFT_X25 */
640 /* 0x6 */ WTAP_ENCAP_ETHERNET, /* IFT_ETHER */
641 /* 0x7 */ WTAP_ENCAP_ETHERNET, /* IFT_ISO88023 */
642 /* 0x8 */ WTAP_ENCAP_UNKNOWN, /* IFT_ISO88024 */
643 /* 0x9 */ WTAP_ENCAP_TOKEN_RING, /* IFT_ISO88025 */
644 /* 0xa */ WTAP_ENCAP_UNKNOWN, /* IFT_ISO88026 */
645 /* 0xb */ WTAP_ENCAP_UNKNOWN, /* IFT_STARLAN */
646 /* 0xc */ WTAP_ENCAP_RAW_IP, /* IFT_P10, IBM SP switch */
647 /* 0xd */ WTAP_ENCAP_UNKNOWN, /* IFT_P80 */
648 /* 0xe */ WTAP_ENCAP_UNKNOWN, /* IFT_HY */
649 /* 0xf */ WTAP_ENCAP_FDDI_BITSWAPPED, /* IFT_FDDI */
650 /* 0x10 */ WTAP_ENCAP_LAPB, /* IFT_LAPB */ /* no data to back this up */
651 /* 0x11 */ WTAP_ENCAP_UNKNOWN, /* IFT_SDLC */
652 /* 0x12 */ WTAP_ENCAP_UNKNOWN, /* IFT_T1 */
653 /* 0x13 */ WTAP_ENCAP_UNKNOWN, /* IFT_CEPT */
654 /* 0x14 */ WTAP_ENCAP_UNKNOWN, /* IFT_ISDNBASIC */
655 /* 0x15 */ WTAP_ENCAP_UNKNOWN, /* IFT_ISDNPRIMARY */
656 /* 0x16 */ WTAP_ENCAP_UNKNOWN, /* IFT_PTPSERIAL */
657 /* 0x17 */ WTAP_ENCAP_UNKNOWN, /* IFT_PPP */
658 /* 0x18 */ WTAP_ENCAP_RAW_IP, /* IFT_LOOP */
659 /* 0x19 */ WTAP_ENCAP_UNKNOWN, /* IFT_EON */
660 /* 0x1a */ WTAP_ENCAP_UNKNOWN, /* IFT_XETHER */
661 /* 0x1b */ WTAP_ENCAP_UNKNOWN, /* IFT_NSIP */
662 /* 0x1c */ WTAP_ENCAP_UNKNOWN, /* IFT_SLIP */
663 /* 0x1d */ WTAP_ENCAP_UNKNOWN, /* IFT_ULTRA */
664 /* 0x1e */ WTAP_ENCAP_UNKNOWN, /* IFT_DS3 */
665 /* 0x1f */ WTAP_ENCAP_UNKNOWN, /* IFT_SIP */
666 /* 0x20 */ WTAP_ENCAP_UNKNOWN, /* IFT_FRELAY */
667 /* 0x21 */ WTAP_ENCAP_UNKNOWN, /* IFT_RS232 */
668 /* 0x22 */ WTAP_ENCAP_UNKNOWN, /* IFT_PARA */
669 /* 0x23 */ WTAP_ENCAP_UNKNOWN, /* IFT_ARCNET */
670 /* 0x24 */ WTAP_ENCAP_UNKNOWN, /* IFT_ARCNETPLUS */
671 /* 0x25 */ WTAP_ENCAP_ATM_PDUS, /* IFT_ATM */
673 #define NUM_IFT_ENCAPS (sizeof ift_encap / sizeof ift_encap[0])
675 if (ift < NUM_IFT_ENCAPS) {
676 return ift_encap[ift];
679 return WTAP_ENCAP_UNKNOWN;