3 * Copyright (c) 2000 by Gilbert Ramirez <gram@alumni.rice.edu>
5 * This program is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU General Public License
7 * as published by the Free Software Foundation; either version 2
8 * of the License, or (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 #include "file_wrappers.h"
31 Daniel Thompson (STMicroelectronics) <daniel.thompson@st.com>
35 +------+------+------+------+
36 | t3 | t2 | t1 | t0 | t = time_t
37 +------+------+------+------+
40 | 0x06 | Time step (short)
42 | ts | ts = time step (tenths of seconds)
46 | 0x05 | Time step (long)
47 +------+------+------+------+
48 | ts3 | ts2 | ts1 | ts0 | ts = time step (tenths of seconds)
49 +------+------+------+------+
52 | 0x04 | Receive deliminator (not seen in practice)
56 | 0x03 | Send deliminator (not seen in practice)
60 | 0x02 | Received data
62 | n1 | n0 | n = number of bytes following
70 | n1 | n0 | n = number of bytes following
76 #define PPPD_SENT_DATA 0x01
77 #define PPPD_RECV_DATA 0x02
78 #define PPPD_SEND_DELIM 0x03
79 #define PPPD_RECV_DELIM 0x04
80 #define PPPD_TIME_STEP_LONG 0x05
81 #define PPPD_TIME_STEP_SHORT 0x06
82 #define PPPD_RESET_TIME 0x07
84 /* this buffer must be at least (2*PPPD_MTU) + sizeof(ppp_header) +
85 * sizeof(lcp_header) + sizeof(ipcp_header). PPPD_MTU is *very* rarely
86 * larger than 1500 so this value is fine.
88 * It's less than WTAP_MAX_PACKET_SIZE, so we don't have to worry about
91 #define PPPD_BUF_SIZE 8192
98 static gboolean pppdump_read(wtap *wth, int *err, gchar **err_info,
100 static gboolean pppdump_seek_read(wtap *wth, gint64 seek_off,
101 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
104 * Information saved about a packet, during the initial sequential pass
105 * through the file, to allow us to later re-read it when randomly
108 * "offset" is the offset in the file of the first data chunk containing data
109 * from that packet; note that it may also contain data from previous
112 * "num_bytes_to_skip" is the number of bytes from previous packets in that
115 * "dir" is the direction of the packet.
119 gint64 num_bytes_to_skip;
124 * Information about a packet currently being processed. There is one of
125 * these for the sent packet being processed and one of these for the
126 * received packet being processed, as we could be in the middle of
127 * processing both a received packet and a sent packet.
129 * "dir" is the direction of the packet.
131 * "cnt" is the number of bytes of packet data we've accumulated.
133 * "esc" is TRUE if the next byte we see is escaped (and thus must be XORed
134 * with 0x20 before saving it), FALSE otherwise.
136 * "buf" is a buffer containing the packet data we've accumulated.
138 * "id_offset" is the offset in the file of the first data chunk
139 * containing data from the packet we're processing.
141 * "sd_offset" is the offset in the file of the first data byte from
142 * the packet we're processing - which isn't necessarily right after
143 * the header of the first data chunk, as we may already have assembled
144 * packets from that chunk.
146 * "cd_offset" is the offset in the file of the current data chunk we're
153 guint8 buf[PPPD_BUF_SIZE];
160 * This keeps state used while processing records.
162 * "timestamp" is the seconds portion of the current time stamp value,
163 * as updated from PPPD_RESET_TIME, PPPD_TIME_STEP_LONG, and
164 * PPPD_TIME_STEP_SHORT records. "tenths" is the tenths-of-seconds
167 * "spkt" and "rpkt" are "pkt_t" structures for the sent and received
168 * packets we're currently working on.
170 * "offset" is the current offset in the file.
172 * "num_bytes" and "pkt" are information saved when we finish accumulating
173 * the data for a packet, if the data chunk we're working on still has more
176 * "num_bytes" is the number of bytes of additional data remaining
177 * in the chunk after we've finished accumulating the data for the
180 * "pkt" is the "pkt_t" for the type of packet the data chunk is for
181 * (sent or received packet).
183 * "seek_state" is another state structure used while processing records
184 * when doing a seek-and-read. (That structure doesn't itself have a
185 * "seek_state" structure.)
187 * "pids" is a GPtrArray of pointers to "pkt_id" structures for all the
188 * packets we've seen during the initial sequential pass, to allow us to
189 * later retrieve them with random accesses.
191 * "pkt_cnt" is the number of packets we've seen up to this point in the
194 typedef struct _pppdump_t {
202 struct _pppdump_t *seek_state;
208 process_data(pppdump_t *state, FILE_T fh, pkt_t *pkt, int n, guint8 *pd,
209 int *err, gchar **err_info, pkt_id *pid);
212 collate(pppdump_t*, FILE_T fh, int *err, gchar **err_info, guint8 *pd,
213 int *num_bytes, direction_enum *direction, pkt_id *pid,
214 gint64 num_bytes_to_skip);
217 pppdump_close(wtap *wth);
220 init_state(pppdump_t *state)
223 state->num_bytes = 0;
226 state->spkt.dir = DIRECTION_SENT;
228 state->spkt.esc = FALSE;
229 state->spkt.id_offset = 0;
230 state->spkt.sd_offset = 0;
231 state->spkt.cd_offset = 0;
233 state->rpkt.dir = DIRECTION_RECV;
235 state->rpkt.esc = FALSE;
236 state->rpkt.id_offset = 0;
237 state->rpkt.sd_offset = 0;
238 state->rpkt.cd_offset = 0;
240 state->seek_state = NULL;
241 state->offset = 0x100000; /* to detect errors during development */
246 pppdump_open(wtap *wth, int *err, gchar **err_info)
248 guint8 buffer[6]; /* Looking for: 0x07 t3 t2 t1 t0 ID */
251 /* There is no file header, only packet records. Fortunately for us,
252 * timestamp records are separated from packet records, so we should
253 * find an "initial time stamp" (i.e., a "reset time" record, or
254 * record type 0x07) at the beginning of the file. We'll check for
255 * that, plus a valid record following the 0x07 and the four bytes
256 * representing the timestamp.
259 if (!wtap_read_bytes(wth->fh, buffer, sizeof(buffer),
261 if (*err != WTAP_ERR_SHORT_READ)
262 return WTAP_OPEN_ERROR;
263 return WTAP_OPEN_NOT_MINE;
266 if (buffer[0] == PPPD_RESET_TIME &&
267 (buffer[5] == PPPD_SENT_DATA ||
268 buffer[5] == PPPD_RECV_DATA ||
269 buffer[5] == PPPD_TIME_STEP_LONG ||
270 buffer[5] == PPPD_TIME_STEP_SHORT ||
271 buffer[5] == PPPD_RESET_TIME)) {
276 return WTAP_OPEN_NOT_MINE;
281 if (file_seek(wth->fh, 5, SEEK_SET, err) == -1)
282 return WTAP_OPEN_ERROR;
284 state = (pppdump_t *)g_malloc(sizeof(pppdump_t));
285 wth->priv = (void *)state;
286 state->timestamp = pntoh32(&buffer[1]);
292 wth->file_encap = WTAP_ENCAP_PPP_WITH_PHDR;
293 wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_PPPDUMP;
295 wth->snapshot_length = PPPD_BUF_SIZE; /* just guessing */
296 wth->subtype_read = pppdump_read;
297 wth->subtype_seek_read = pppdump_seek_read;
298 wth->subtype_close = pppdump_close;
299 wth->file_tsprec = WTAP_TSPREC_DSEC;
301 state->seek_state = g_new(pppdump_t,1);
303 /* If we have a random stream open, we're going to be reading
304 the file randomly; set up a GPtrArray of pointers to
305 information about how to retrieve the data for each packet. */
306 if (wth->random_fh != NULL)
307 state->pids = g_ptr_array_new();
312 return WTAP_OPEN_MINE;
315 /* Set part of the struct wtap_pkthdr. */
317 pppdump_set_phdr(struct wtap_pkthdr *phdr, int num_bytes,
318 direction_enum direction)
320 phdr->rec_type = REC_TYPE_PACKET;
321 phdr->len = num_bytes;
322 phdr->caplen = num_bytes;
323 phdr->pkt_encap = WTAP_ENCAP_PPP_WITH_PHDR;
325 phdr->pseudo_header.p2p.sent = (direction == DIRECTION_SENT ? TRUE : FALSE);
328 /* Find the next packet and parse it; called from wtap_read(). */
330 pppdump_read(wtap *wth, int *err, gchar **err_info, gint64 *data_offset)
333 direction_enum direction;
338 state = (pppdump_t *)wth->priv;
340 /* If we have a random stream open, allocate a structure to hold
341 the information needed to read this packet's data again. */
342 if (wth->random_fh != NULL) {
343 pid = g_new(pkt_id, 1);
345 *err = errno; /* assume a malloc failed and set "errno" */
350 pid = NULL; /* sequential only */
352 ws_buffer_assure_space(wth->frame_buffer, PPPD_BUF_SIZE);
353 buf = ws_buffer_start_ptr(wth->frame_buffer);
355 if (!collate(state, wth->fh, err, err_info, buf, &num_bytes, &direction,
363 pid->dir = direction;
366 g_ptr_array_add(state->pids, pid);
367 /* The user's data_offset is not really an offset, but a packet number. */
368 *data_offset = state->pkt_cnt;
371 pppdump_set_phdr(&wth->phdr, num_bytes, direction);
372 wth->phdr.presence_flags = WTAP_HAS_TS;
373 wth->phdr.ts.secs = state->timestamp;
374 wth->phdr.ts.nsecs = state->tenths * 100000000;
379 /* Returns number of bytes copied for record, -1 if failure.
381 * This is modeled after pppdump.c, the utility to parse pppd log files; it
382 * comes with the ppp distribution.
385 process_data(pppdump_t *state, FILE_T fh, pkt_t *pkt, int n, guint8 *pd,
386 int *err, gchar **err_info, pkt_id *pid)
392 for (; num_bytes > 0; --num_bytes) {
395 *err = file_error(fh, err_info);
397 *err = WTAP_ERR_SHORT_READ;
405 * Flag Sequence for RFC 1662 HDLC-like
408 * As this is a raw trace of octets going
409 * over the wire, and that might include
410 * the login sequence, there is no
411 * guarantee that *only* PPP traffic
412 * appears in this file, so there is no
413 * guarantee that the first 0x7e we see is
414 * a start flag sequence, and therefore we
415 * cannot safely ignore all characters up
416 * to the first 0x7e, and therefore we
417 * might end up with some bogus PPP
422 * We've seen stuff before this,
423 * so this is the end of a frame.
424 * Make a frame out of that stuff.
428 num_written = pkt->cnt;
430 if (num_written <= 0) {
434 if (num_written > PPPD_BUF_SIZE) {
435 *err = WTAP_ERR_BAD_FILE;
436 *err_info = g_strdup_printf("pppdump: File has %u-byte packet, bigger than maximum of %u",
437 num_written, PPPD_BUF_SIZE);
441 memcpy(pd, pkt->buf, num_written);
444 * Remember the offset of the
445 * first record containing data
446 * for this packet, and how far
447 * into that record to skip to
448 * get to the beginning of the
449 * data for this packet; the number
450 * of bytes to skip into that record
451 * is the file offset of the first
452 * byte of this packet minus the
453 * file offset of the first byte of
454 * this record, minus 3 bytes for the
455 * header of this record (which, if
456 * we re-read this record, we will
457 * process, not skip).
460 pid->offset = pkt->id_offset;
461 pid->num_bytes_to_skip =
462 pkt->sd_offset - pkt->id_offset - 3;
463 g_assert(pid->num_bytes_to_skip >= 0);
469 * There's more data in this
471 * Set the initial data offset
472 * for the next packet.
474 pkt->id_offset = pkt->cd_offset;
475 pkt->sd_offset = state->offset;
478 * There is no more data in
480 * Thus, we don't have the
481 * initial data offset for
487 state->num_bytes = num_bytes;
495 * Control Escape octet for octet-stuffed
496 * RFC 1662 HDLC-like framing.
500 * Control Escape not preceded by
501 * Control Escape; discard it
502 * but XOR the next octet with
509 * Control Escape preceded by Control Escape;
510 * treat it as an ordinary character,
511 * by falling through.
517 * This character was preceded by
518 * Control Escape, so XOR it with
519 * 0x20, as per RFC 1662's octet-
520 * stuffed framing, and clear
521 * the flag saying that the
522 * character should be escaped.
528 if (pkt->cnt >= PPPD_BUF_SIZE) {
529 *err = WTAP_ERR_BAD_FILE;
530 *err_info = g_strdup_printf("pppdump: File has %u-byte packet, bigger than maximum of %u",
531 pkt->cnt - 1, PPPD_BUF_SIZE);
534 pkt->buf[pkt->cnt++] = c;
539 /* we could have run out of bytes to read */
543 /* Returns TRUE if packet data copied, FALSE if error occurred or EOF (no more records). */
545 collate(pppdump_t* state, FILE_T fh, int *err, gchar **err_info, guint8 *pd,
546 int *num_bytes, direction_enum *direction, pkt_id *pid,
547 gint64 num_bytes_to_skip)
552 int n, num_written = 0;
558 * Process any data left over in the current record when doing
559 * sequential processing.
561 if (state->num_bytes > 0) {
562 g_assert(num_bytes_to_skip == 0);
564 num_written = process_data(state, fh, pkt, state->num_bytes,
565 pd, err, err_info, pid);
567 if (num_written < 0) {
570 else if (num_written > 0) {
571 *num_bytes = num_written;
572 *direction = pkt->dir;
575 /* if 0 bytes written, keep processing */
578 * We didn't have any data left over, so the packet will
579 * start at the beginning of a record.
582 pid->num_bytes_to_skip = 0;
586 * That didn't get all the data for this packet, so process
587 * subsequent records.
589 start_offset = state->offset;
590 while ((id = file_getc(fh)) != EOF) {
595 pkt = id == PPPD_SENT_DATA ? &state->spkt : &state->rpkt;
598 * Save the offset of the beginning of
599 * the current record.
601 pkt->cd_offset = state->offset - 1;
604 * Get the length of the record.
606 byte0 = file_getc(fh);
610 byte1 = file_getc(fh);
614 n = (byte0 << 8) | byte1;
616 if (pkt->id_offset == 0) {
618 * We don't have the initial data
619 * offset for this packet, which
620 * means this is the first
621 * data record for that packet.
622 * Save the offset of the
623 * beginning of that record and
624 * the offset of the first data
625 * byte in the packet, which is
626 * the first data byte in the
629 pkt->id_offset = pkt->cd_offset;
630 pkt->sd_offset = state->offset;
636 g_assert(num_bytes_to_skip < n);
637 while (num_bytes_to_skip) {
638 if (file_getc(fh) == EOF)
644 num_written = process_data(state, fh, pkt, n,
645 pd, err, err_info, pid);
647 if (num_written < 0) {
650 else if (num_written > 0) {
651 *num_bytes = num_written;
652 *direction = pkt->dir;
655 /* if 0 bytes written, keep looping */
658 case PPPD_SEND_DELIM:
659 case PPPD_RECV_DELIM:
660 /* What can we do? */
663 case PPPD_RESET_TIME:
664 if (!wtap_read_bytes(fh, &time_long, sizeof(guint32), err, err_info))
666 state->offset += sizeof(guint32);
667 state->timestamp = pntoh32(&time_long);
671 case PPPD_TIME_STEP_LONG:
672 if (!wtap_read_bytes(fh, &time_long, sizeof(guint32), err, err_info))
674 state->offset += sizeof(guint32);
675 state->tenths += pntoh32(&time_long);
677 if (state->tenths >= 10) {
678 state->timestamp += state->tenths / 10;
679 state->tenths = state->tenths % 10;
684 case PPPD_TIME_STEP_SHORT:
685 if (!wtap_read_bytes(fh, &time_short, sizeof(guint8), err, err_info))
687 state->offset += sizeof(guint8);
688 state->tenths += time_short;
690 if (state->tenths >= 10) {
691 state->timestamp += state->tenths / 10;
692 state->tenths = state->tenths % 10;
699 *err = WTAP_ERR_BAD_FILE;
700 *err_info = g_strdup_printf("pppdump: bad ID byte 0x%02x", id);
707 *err = file_error(fh, err_info);
709 if (state->offset != start_offset) {
711 * We read at least one byte, so we were working
712 * on a record; an EOF means that record was
715 *err = WTAP_ERR_SHORT_READ;
723 /* Used to read packets in random-access fashion */
725 pppdump_seek_read(wtap *wth,
727 struct wtap_pkthdr *phdr,
734 direction_enum direction;
737 gint64 num_bytes_to_skip;
739 state = (pppdump_t *)wth->priv;
741 pid = (pkt_id *)g_ptr_array_index(state->pids, seek_off);
743 *err = WTAP_ERR_BAD_FILE; /* XXX - better error? */
744 *err_info = g_strdup("pppdump: PID not found for record");
748 if (file_seek(wth->random_fh, pid->offset, SEEK_SET, err) == -1)
751 init_state(state->seek_state);
752 state->seek_state->offset = pid->offset;
754 ws_buffer_assure_space(buf, PPPD_BUF_SIZE);
755 pd = ws_buffer_start_ptr(buf);
758 * We'll start reading at the first record containing data from
759 * this packet; however, that doesn't mean "collate()" will
760 * stop only when we've read that packet, as there might be
761 * data for packets going in the other direction as well, and
762 * we might finish processing one of those packets before we
763 * finish processing the packet we're reading.
765 * Therefore, we keep reading until we get a packet that's
766 * going in the direction we want.
768 num_bytes_to_skip = pid->num_bytes_to_skip;
770 if (!collate(state->seek_state, wth->random_fh, err, err_info,
771 pd, &num_bytes, &direction, NULL, num_bytes_to_skip))
773 num_bytes_to_skip = 0;
774 } while (direction != pid->dir);
776 pppdump_set_phdr(phdr, num_bytes, pid->dir);
782 pppdump_close(wtap *wth)
786 state = (pppdump_t *)wth->priv;
788 if (state->seek_state) { /* should always be TRUE */
789 g_free(state->seek_state);
794 for (i = 0; i < g_ptr_array_len(state->pids); i++) {
795 g_free(g_ptr_array_index(state->pids, i));
797 g_ptr_array_free(state->pids, TRUE);
802 * Editor modelines - http://www.wireshark.org/tools/modelines.html
807 * indent-tabs-mode: t
810 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
811 * :indentSize=8:tabSize=8:noTabs=false: