3 * $Id: iptrace.c,v 1.29 2000/05/19 23:06:51 gram Exp $
6 * Copyright (c) 1998 by Gilbert Ramirez <gram@xiexie.org>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 #include "file_wrappers.h"
35 static int iptrace_read_1_0(wtap *wth, int *err);
36 static int iptrace_seek_read_1_0(wtap *wth, int seek_off,
37 union wtap_pseudo_header *pseudo_header, u_char *pd, int packet_size);
38 static int iptrace_read_2_0(wtap *wth, int *err);
39 static int iptrace_seek_read_2_0(wtap *wth, int seek_off,
40 union wtap_pseudo_header *pseudo_header, u_char *pd, int packet_size);
41 static int iptrace_read_rec_header(FILE_T fh, guint8 *header, int header_len,
43 static int iptrace_read_rec_data(FILE_T fh, guint8 *data_ptr, int packet_size,
45 static void get_atm_pseudo_header(union wtap_pseudo_header *pseudo_header,
47 static int wtap_encap_ift(unsigned int ift);
49 int iptrace_open(wtap *wth, int *err)
54 file_seek(wth->fh, 0, SEEK_SET);
56 errno = WTAP_ERR_CANT_READ;
57 bytes_read = file_read(name, 1, 11, wth->fh);
58 if (bytes_read != 11) {
59 *err = file_error(wth->fh);
64 wth->data_offset += 11;
67 if (strcmp(name, "iptrace 1.0") == 0) {
68 wth->file_type = WTAP_FILE_IPTRACE_1_0;
69 wth->subtype_read = iptrace_read_1_0;
70 wth->subtype_seek_read = iptrace_seek_read_1_0;
72 else if (strcmp(name, "iptrace 2.0") == 0) {
73 wth->file_type = WTAP_FILE_IPTRACE_2_0;
74 wth->subtype_read = iptrace_read_2_0;
75 wth->subtype_seek_read = iptrace_seek_read_2_0;
84 /***********************************************************
86 ***********************************************************/
88 /* iptrace 1.0, discovered through inspection */
90 /* 0-3 */ guint32 pkt_length; /* packet length + 0x16 */
91 /* 4-7 */ guint32 tv_sec; /* time stamp, seconds since the Epoch */
92 /* 8-11 */ guint32 junk1; /* ???, not time */
93 /* 12-15 */ char if_name[4]; /* null-terminated */
94 /* 16-27 */ char junk2[12]; /* ??? */
95 /* 28 */ guint8 if_type; /* BSD net/if_types.h */
96 /* 29 */ guint8 tx_flag; /* 0=receive, 1=transmit */
99 /* Read the next packet */
100 static int iptrace_read_1_0(wtap *wth, int *err)
107 iptrace_1_0_phdr pkt_hdr;
109 /* Read the descriptor data */
110 record_offset = wth->data_offset;
111 ret = iptrace_read_rec_header(wth->fh, header, 30, err);
113 /* Read error or EOF */
116 wth->data_offset += 30;
118 /* Read the packet data */
119 packet_size = pntohl(&header[0]) - 0x16;
120 buffer_assure_space( wth->frame_buffer, packet_size );
121 data_ptr = buffer_start_ptr( wth->frame_buffer );
122 if (iptrace_read_rec_data(wth->fh, data_ptr, packet_size, err) < 0)
123 return -1; /* Read error */
124 wth->data_offset += packet_size;
126 wth->phdr.len = packet_size;
127 wth->phdr.caplen = packet_size;
128 wth->phdr.ts.tv_sec = pntohl(&header[4]);
129 wth->phdr.ts.tv_usec = 0;
132 * Byte 28 of the frame header appears to be a BSD-style IFT_xxx
133 * value giving the type of the interface. Check out the
134 * <net/if_types.h> header file.
136 pkt_hdr.if_type = header[28];
137 wth->phdr.pkt_encap = wtap_encap_ift(pkt_hdr.if_type);
139 if (wth->phdr.pkt_encap == WTAP_ENCAP_UNKNOWN) {
140 g_message("iptrace: interface type IFT=0x%02x unknown or unsupported",
142 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
146 if ( wth->phdr.pkt_encap == WTAP_ENCAP_ATM_SNIFFER ) {
147 get_atm_pseudo_header(&wth->pseudo_header, header);
150 /* If the per-file encapsulation isn't known, set it to this
151 packet's encapsulation.
153 If it *is* known, and it isn't this packet's encapsulation,
154 set it to WTAP_ENCAP_PER_PACKET, as this file doesn't
155 have a single encapsulation for all packets in the file. */
156 if (wth->file_encap == WTAP_ENCAP_UNKNOWN)
157 wth->file_encap = wth->phdr.pkt_encap;
159 if (wth->file_encap != wth->phdr.pkt_encap)
160 wth->file_encap = WTAP_ENCAP_PER_PACKET;
163 return record_offset;
166 static int iptrace_seek_read_1_0(wtap *wth, int seek_off,
167 union wtap_pseudo_header *pseudo_header, u_char *pd, int packet_size)
170 int err; /* XXX - return this */
173 file_seek(wth->random_fh, seek_off, SEEK_SET);
175 /* Read the descriptor data */
176 ret = iptrace_read_rec_header(wth->random_fh, header, 30, &err);
178 /* Read error or EOF */
182 if ( wtap_encap_ift(header[28]) == WTAP_ENCAP_ATM_SNIFFER ) {
183 get_atm_pseudo_header(pseudo_header, header);
186 /* Read the packet data */
187 return iptrace_read_rec_data(wth->random_fh, pd, packet_size, &err);
190 /***********************************************************
192 ***********************************************************/
194 /* iptrace 2.0, discovered through inspection */
196 /* 0-3 */ guint32 pkt_length; /* packet length + 32 */
197 /* 4-7 */ guint32 tv_sec0; /* time stamp, seconds since the Epoch */
198 /* 8-11 */ guint32 junk1; /* ?? */
199 /* 12-15 */ char if_name[4]; /* null-terminated */
200 /* 16-27 */ char if_desc[12]; /* interface description. */
201 /* 28 */ guint8 if_type; /* BSD net/if_types.h */
202 /* 29 */ guint8 tx_flag; /* 0=receive, 1=transmit */
203 /* 30-31 */ guint16 junk3;
204 /* 32-35 */ guint32 tv_sec; /* time stamp, seconds since the Epoch */
205 /* 36-39 */ guint32 tv_nsec; /* nanoseconds since that second */
208 /* Read the next packet */
209 static int iptrace_read_2_0(wtap *wth, int *err)
216 iptrace_2_0_phdr pkt_hdr;
218 /* Read the descriptor data */
219 record_offset = wth->data_offset;
220 ret = iptrace_read_rec_header(wth->fh, header, 40, err);
222 /* Read error or EOF */
225 wth->data_offset += 40;
227 /* Read the packet data */
228 packet_size = pntohl(&header[0]) - 32;
229 buffer_assure_space( wth->frame_buffer, packet_size );
230 data_ptr = buffer_start_ptr( wth->frame_buffer );
231 if (iptrace_read_rec_data(wth->fh, data_ptr, packet_size, err) < 0)
232 return -1; /* Read error */
233 wth->data_offset += packet_size;
235 /* AIX saves time in nsec, not usec. It's easier to make iptrace
236 * files more Unix-compliant here than try to get the calling
237 * program to know when to use nsec or usec */
239 wth->phdr.len = packet_size;
240 wth->phdr.caplen = packet_size;
241 wth->phdr.ts.tv_sec = pntohl(&header[32]);
242 wth->phdr.ts.tv_usec = pntohl(&header[36]) / 1000;
245 * Byte 28 of the frame header appears to be a BSD-style IFT_xxx
246 * value giving the type of the interface. Check out the
247 * <net/if_types.h> header file.
249 pkt_hdr.if_type = header[28];
250 wth->phdr.pkt_encap = wtap_encap_ift(pkt_hdr.if_type);
252 if (wth->phdr.pkt_encap == WTAP_ENCAP_UNKNOWN) {
253 g_message("iptrace: interface type IFT=0x%02x unknown or unsupported",
255 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
259 if ( wth->phdr.pkt_encap == WTAP_ENCAP_ATM_SNIFFER ) {
260 get_atm_pseudo_header(&wth->pseudo_header, header);
263 /* If the per-file encapsulation isn't known, set it to this
264 packet's encapsulation.
266 If it *is* known, and it isn't this packet's encapsulation,
267 set it to WTAP_ENCAP_PER_PACKET, as this file doesn't
268 have a single encapsulation for all packets in the file. */
269 if (wth->file_encap == WTAP_ENCAP_UNKNOWN)
270 wth->file_encap = wth->phdr.pkt_encap;
272 if (wth->file_encap != wth->phdr.pkt_encap)
273 wth->file_encap = WTAP_ENCAP_PER_PACKET;
276 return record_offset;
279 static int iptrace_seek_read_2_0(wtap *wth, int seek_off,
280 union wtap_pseudo_header *pseudo_header, u_char *pd, int packet_size)
283 int err; /* XXX - return this */
286 file_seek(wth->random_fh, seek_off, SEEK_SET);
288 /* Read the descriptor data */
289 ret = iptrace_read_rec_header(wth->random_fh, header, 40, &err);
291 /* Read error or EOF */
295 if ( wtap_encap_ift(header[28]) == WTAP_ENCAP_ATM_SNIFFER ) {
296 get_atm_pseudo_header(pseudo_header, header);
299 /* Read the packet data */
300 return iptrace_read_rec_data(wth->random_fh, pd, packet_size, &err);
304 iptrace_read_rec_header(FILE_T fh, guint8 *header, int header_len, int *err)
308 errno = WTAP_ERR_CANT_READ;
309 bytes_read = file_read(header, 1, header_len, fh);
310 if (bytes_read != header_len) {
311 *err = file_error(fh);
314 if (bytes_read != 0) {
315 *err = WTAP_ERR_SHORT_READ;
324 iptrace_read_rec_data(FILE_T fh, guint8 *data_ptr, int packet_size, int *err)
328 errno = WTAP_ERR_CANT_READ;
329 bytes_read = file_read( data_ptr, 1, packet_size, fh );
331 if (bytes_read != packet_size) {
332 *err = file_error(fh);
334 *err = WTAP_ERR_SHORT_READ;
341 * Fill in the pseudo-header information we can; alas, "iptrace" doesn't
342 * tell us what type of traffic is in the packet - it was presumably
343 * run on a machine that was one of the endpoints of the connection, so
344 * in theory it could presumably have told us, but, for whatever reason,
345 * it failed to do so - perhaps the low-level mechanism that feeds the
346 * presumably-AAL5 frames to us doesn't have access to that information
347 * (e.g., because it's in the ATM driver, and the ATM driver merely knows
348 * that stuff on VPI/VCI X.Y should be handed up to some particular
349 * client, it doesn't know what that client is).
351 * We let our caller try to figure out what kind of traffic it is, either
352 * by guessing based on the VPI/VCI, guessing based on the header of the
353 * packet, seeing earlier traffic that set up the circuit and specified
354 * in some fashion what sort of traffic it is, or being told by the user.
357 get_atm_pseudo_header(union wtap_pseudo_header *pseudo_header, guint8 *header)
364 /* Rip apart the "x.y" text into Vpi/Vci numbers */
365 memcpy(if_text, &header[20], 8);
367 decimal = strchr(if_text, '.');
370 Vpi = strtoul(if_text, NULL, 10);
372 Vci = strtoul(decimal, NULL, 10);
374 pseudo_header->ngsniffer_atm.Vpi = Vpi;
375 pseudo_header->ngsniffer_atm.Vci = Vci;
378 * OK, which value means "DTE->DCE" and which value means
381 pseudo_header->ngsniffer_atm.channel = header[29];
383 /* We don't have this information */
384 pseudo_header->ngsniffer_atm.cells = 0;
385 pseudo_header->ngsniffer_atm.aal5t_u2u = 0;
386 pseudo_header->ngsniffer_atm.aal5t_len = 0;
387 pseudo_header->ngsniffer_atm.aal5t_chksum = 0;
389 /* Assume it's AAL5 traffic, but indicate that we don't know what
390 it is beyond that. */
391 pseudo_header->ngsniffer_atm.AppTrafType = ATT_AAL5|ATT_HL_UNKNOWN;
392 pseudo_header->ngsniffer_atm.AppHLType = AHLT_UNKNOWN;
395 /* Given an RFC1573 (SNMP ifType) interface type,
396 * return the appropriate Wiretap Encapsulation Type.
399 wtap_encap_ift(unsigned int ift)
402 static const int ift_encap[] = {
403 /* 0x0 */ WTAP_ENCAP_UNKNOWN, /* nothing */
404 /* 0x1 */ WTAP_ENCAP_UNKNOWN, /* IFT_OTHER */
405 /* 0x2 */ WTAP_ENCAP_UNKNOWN, /* IFT_1822 */
406 /* 0x3 */ WTAP_ENCAP_UNKNOWN, /* IFT_HDH1822 */
407 /* 0x4 */ WTAP_ENCAP_RAW_IP, /* IFT_X25DDN */
408 /* 0x5 */ WTAP_ENCAP_UNKNOWN, /* IFT_X25 */
409 /* 0x6 */ WTAP_ENCAP_ETHERNET, /* IFT_ETHER */
410 /* 0x7 */ WTAP_ENCAP_UNKNOWN, /* IFT_ISO88023 */
411 /* 0x8 */ WTAP_ENCAP_UNKNOWN, /* IFT_ISO88024 */
412 /* 0x9 */ WTAP_ENCAP_TR, /* IFT_ISO88025 */
413 /* 0xa */ WTAP_ENCAP_UNKNOWN, /* IFT_ISO88026 */
414 /* 0xb */ WTAP_ENCAP_UNKNOWN, /* IFT_STARLAN */
415 /* 0xc */ WTAP_ENCAP_RAW_IP, /* IFT_P10, IBM SP switch */
416 /* 0xd */ WTAP_ENCAP_UNKNOWN, /* IFT_P80 */
417 /* 0xe */ WTAP_ENCAP_UNKNOWN, /* IFT_HY */
418 /* 0xf */ WTAP_ENCAP_FDDI_BITSWAPPED, /* IFT_FDDI */
419 /* 0x10 */ WTAP_ENCAP_LAPB, /* IFT_LAPB */ /* no data to back this up */
420 /* 0x11 */ WTAP_ENCAP_UNKNOWN, /* IFT_SDLC */
421 /* 0x12 */ WTAP_ENCAP_UNKNOWN, /* IFT_T1 */
422 /* 0x13 */ WTAP_ENCAP_UNKNOWN, /* IFT_CEPT */
423 /* 0x14 */ WTAP_ENCAP_UNKNOWN, /* IFT_ISDNBASIC */
424 /* 0x15 */ WTAP_ENCAP_UNKNOWN, /* IFT_ISDNPRIMARY */
425 /* 0x16 */ WTAP_ENCAP_UNKNOWN, /* IFT_PTPSERIAL */
426 /* 0x17 */ WTAP_ENCAP_UNKNOWN, /* IFT_PPP */
427 /* 0x18 */ WTAP_ENCAP_RAW_IP, /* IFT_LOOP */
428 /* 0x19 */ WTAP_ENCAP_UNKNOWN, /* IFT_EON */
429 /* 0x1a */ WTAP_ENCAP_UNKNOWN, /* IFT_XETHER */
430 /* 0x1b */ WTAP_ENCAP_UNKNOWN, /* IFT_NSIP */
431 /* 0x1c */ WTAP_ENCAP_UNKNOWN, /* IFT_SLIP */
432 /* 0x1d */ WTAP_ENCAP_UNKNOWN, /* IFT_ULTRA */
433 /* 0x1e */ WTAP_ENCAP_UNKNOWN, /* IFT_DS3 */
434 /* 0x1f */ WTAP_ENCAP_UNKNOWN, /* IFT_SIP */
435 /* 0x20 */ WTAP_ENCAP_UNKNOWN, /* IFT_FRELAY */
436 /* 0x21 */ WTAP_ENCAP_UNKNOWN, /* IFT_RS232 */
437 /* 0x22 */ WTAP_ENCAP_UNKNOWN, /* IFT_PARA */
438 /* 0x23 */ WTAP_ENCAP_UNKNOWN, /* IFT_ARCNET */
439 /* 0x24 */ WTAP_ENCAP_UNKNOWN, /* IFT_ARCNETPLUS */
440 /* 0x25 */ WTAP_ENCAP_ATM_SNIFFER, /* IFT_ATM */
442 #define NUM_IFT_ENCAPS (sizeof ift_encap / sizeof ift_encap[0])
444 if (ift < NUM_IFT_ENCAPS) {
445 return ift_encap[ift];
448 return WTAP_ENCAP_UNKNOWN;