Add a dissector for Apple's PKTAP headers.
authorGuy Harris <guy@alum.mit.edu>
Tue, 1 Apr 2014 04:04:13 +0000 (21:04 -0700)
committerEvan Huus <eapache@gmail.com>
Tue, 1 Apr 2014 17:03:29 +0000 (17:03 +0000)
It automatically works for LINKTYPE_PKTAP and, by default, for
LINKTYPE_USER2; if any other dissector is specified for LINKTYPE_USER2,
that dissector overrides PKTAP.

Change-Id: Ic00ac8a81c6101e45d638d337aef42df3920da12
Reviewed-on: https://code.wireshark.org/review/903
Reviewed-by: Evan Huus <eapache@gmail.com>
epan/CMakeLists.txt
epan/dissectors/Makefile.common
epan/dissectors/packet-pktap.c [new file with mode: 0644]
epan/dissectors/packet-user_encap.c
wiretap/pcap-common.c
wiretap/wtap.c
wiretap/wtap.h

index 9da01bf1abbbe0fdbcc6ccd537bc17f2955fcc27..c5c49e537610a8071ef1bd154430998185192c43 100644 (file)
@@ -250,6 +250,7 @@ set(ASN1_DISSECTOR_SRC
        dissectors/packet-pkixproxy.c
        dissectors/packet-pkixqualified.c
        dissectors/packet-pkixtsp.c
+       dissectors/packet-pktap.c
        dissectors/packet-q932.c
        dissectors/packet-q932-ros.c
        dissectors/packet-qsig.c
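Review bot: packet-pktap.c is inserted into the list the hunk header shows as `set(ASN1_DISSECTOR_SRC`, among the asn2wrs-generated pkix*/q932/qsig dissectors, but it is a hand-written dissector, and the Makefile.common hunk of this same commit puts it in `DISSECTOR_SRC`. Unless the CMake build folds ASN1_DISSECTOR_SRC into the same compile set (not visible here), the entry presumably belongs in CMake's `DISSECTOR_SRC` list so the two build descriptions agree, i.e. move `dissectors/packet-pktap.c` next to the packet-pktc.c entry there. The rest of the list is outside this hunk.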
index 67fa181a4dcfea1483b48f6c72878b92c89380b9..af5bf00a92c25c94b57fc2129ae3c83898724e37 100644 (file)
@@ -966,6 +966,7 @@ DISSECTOR_SRC = \
        packet-pgsql.c          \
        packet-pim.c            \
        packet-pingpongprotocol.c       \
+       packet-pktap.c          \
        packet-pktc.c           \
        packet-pktgen.c         \
        packet-pnrp.c           \
diff --git a/epan/dissectors/packet-pktap.c b/epan/dissectors/packet-pktap.c
new file mode 100644 (file)
index 0000000..5c08ab3
--- /dev/null
@@ -0,0 +1,300 @@
+/*
+ * packet-pktap.c
+ * Routines for dissecting Apple's PKTAP header
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 2007 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include "config.h"
+
+#include <glib.h>
+
+#include <epan/packet.h>
+#include <epan/expert.h>
+#include <epan/wmem/wmem.h>
+#include <wsutil/pint.h>
+
+#include <wiretap/wtap.h>
+
+#include "packet-frame.h"
+#include "packet-eth.h"
+
+/* Needed for wtap_pcap_encap_to_wtap_encap(). */
+#include <wiretap/pcap-encap.h>
+
+/*
+ * Apple's PKTAP header.
+ */
+
+/*
+ * Minimum header length.
+ *
+ * XXX - I'm assuming the header begins with a length field so that it
+ * can be transparently *extended*, not so that fields in the current
+ * header can be *omitted*.
+ */
+#define MIN_PKTAP_HDR_LEN      108
+
+/*
+ * Record types.
+ */
+#define PKT_REC_NONE   0       /* nothing follows the header */
+#define PKT_REC_PACKET 1       /* a packet follows the header */
+
+/* Protocol */
+static int proto_pktap = -1;
+
+static int hf_pktap_hdrlen = -1;
+static int hf_pktap_rectype = -1;
+static int hf_pktap_dlt = -1;
+static int hf_pktap_ifname = -1;
+static int hf_pktap_flags = -1;
+static int hf_pktap_pfamily = -1;
+static int hf_pktap_llhdrlen = -1;
+static int hf_pktap_lltrlrlen = -1;
+static int hf_pktap_pid = -1;
+static int hf_pktap_cmdname = -1;
+static int hf_pktap_svc_class = -1;
+static int hf_pktap_iftype = -1;
+static int hf_pktap_ifunit = -1;
+static int hf_pktap_epid = -1;
+static int hf_pktap_ecmdname = -1;
+
+static gint ett_pktap = -1;
+
+static expert_field ei_pktap_hdrlen_too_short = EI_INIT;
+
+static dissector_handle_t pktap_handle;
+
+/*
+ * XXX - these are little-endian in the captures I've seen, but Apple
+ * no longer make any big-endian machines (Macs use x86, iOS machines
+ * use ARM and run it little-endian), so that might be by definition
+ * or they might be host-endian.
+ *
+ * If a big-endian PKTAP file ever shows up, and it comes from a
+ * big-endian machine, presumably these are host-endian, and we need
+ * to just fetch the fields in host byte order here but byte-swap them
+ * to host byte order in libwiretap.
+ */
+
+void
+capture_pktap(const guchar *pd, int len, packet_counts *ld)
+{
+       guint32  hdrlen, rectype, dlt;
+
+       hdrlen = pletoh32(pd);
+       if (hdrlen < MIN_PKTAP_HDR_LEN || !BYTES_ARE_IN_FRAME(0, len, hdrlen)) {
+               ld->other++;
+               return;
+       }
+
+       rectype = pletoh32(pd+4);
+       if (rectype != PKT_REC_PACKET) {
+               ld->other++;
+               return;
+       }
+
+       dlt = pletoh32(pd+4);
+
+       /* XXX - We should probably combine this with capture_info.c:capture_info_packet() */
+       switch (dlt) {
+
+       case 1: /* DLT_EN10MB */
+               capture_eth(pd, hdrlen, len, ld);
+               return;
+
+       default:
+               break;
+       }
+
+       ld->other++;
+}
+
+static void
+dissect_pktap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
+{
+       proto_tree *pktap_tree = NULL;
+       proto_item *ti = NULL;
+       tvbuff_t *next_tvb;
+       int offset = 0;
+       guint32 pkt_len, rectype, dlt;
+
+       col_set_str(pinfo->cinfo, COL_PROTOCOL, "PKTAP");
+       col_clear(pinfo->cinfo, COL_INFO);
+
+       pkt_len = tvb_get_letohl(tvb, offset);
+       col_add_fstr(pinfo->cinfo, COL_INFO, "PKTAP, %u byte header", pkt_len);
+
+       /* Dissect the packet */
+       ti = proto_tree_add_item(tree, proto_pktap, tvb, offset, pkt_len, ENC_NA);
+       pktap_tree = proto_item_add_subtree(ti, ett_pktap);
+
+       proto_tree_add_item(pktap_tree, hf_pktap_hdrlen, tvb, offset, 4,
+           ENC_LITTLE_ENDIAN);
+       if (pkt_len < MIN_PKTAP_HDR_LEN) {
+               proto_tree_add_expert(tree, pinfo, &ei_pktap_hdrlen_too_short,
+                   tvb, offset, 4);
+               return;
+       }
+       offset += 4;
+
+       proto_tree_add_item(pktap_tree, hf_pktap_rectype, tvb, offset, 4,
+           ENC_LITTLE_ENDIAN);
+       rectype = tvb_get_letohl(tvb, offset);
+       offset += 4;
+       proto_tree_add_item(pktap_tree, hf_pktap_dlt, tvb, offset, 4,
+           ENC_LITTLE_ENDIAN);
+       dlt = tvb_get_letohl(tvb, offset);
+       offset += 4;
+       proto_tree_add_item(pktap_tree, hf_pktap_ifname, tvb, offset, 24,
+           ENC_ASCII|ENC_NA);
+       offset += 24;
+       proto_tree_add_item(pktap_tree, hf_pktap_flags, tvb, offset, 4,
+           ENC_LITTLE_ENDIAN);
+       offset += 4;
+       proto_tree_add_item(pktap_tree, hf_pktap_pfamily, tvb, offset, 4,
+           ENC_LITTLE_ENDIAN);
+       offset += 4;
+       proto_tree_add_item(pktap_tree, hf_pktap_llhdrlen, tvb, offset, 4,
+           ENC_LITTLE_ENDIAN);
+       offset += 4;
+       proto_tree_add_item(pktap_tree, hf_pktap_lltrlrlen, tvb, offset, 4,
+           ENC_LITTLE_ENDIAN);
+       offset += 4;
+       proto_tree_add_item(pktap_tree, hf_pktap_pid, tvb, offset, 4,
+           ENC_LITTLE_ENDIAN);
+       offset += 4;
+       proto_tree_add_item(pktap_tree, hf_pktap_cmdname, tvb, offset, 20,
+           ENC_UTF_8|ENC_NA);
+       offset += 20;
+       proto_tree_add_item(pktap_tree, hf_pktap_svc_class, tvb, offset, 4,
+           ENC_LITTLE_ENDIAN);
+       offset += 4;
+       proto_tree_add_item(pktap_tree, hf_pktap_iftype, tvb, offset, 2,
+           ENC_LITTLE_ENDIAN);
+       offset += 2;
+       proto_tree_add_item(pktap_tree, hf_pktap_ifunit, tvb, offset, 2,
+           ENC_LITTLE_ENDIAN);
+       offset += 2;
+       proto_tree_add_item(pktap_tree, hf_pktap_epid, tvb, offset, 4,
+           ENC_LITTLE_ENDIAN);
+       offset += 4;
+       proto_tree_add_item(pktap_tree, hf_pktap_ecmdname, tvb, offset, 20,
+           ENC_UTF_8|ENC_NA);
+       offset += 20;
+
+       if (rectype == PKT_REC_PACKET) {
+               next_tvb = tvb_new_subset_remaining(tvb, offset);
+               dissector_try_uint(wtap_encap_dissector_table,
+                   wtap_pcap_encap_to_wtap_encap(dlt), next_tvb, pinfo, tree);
+       }
+}
+
+void
+proto_register_pktap(void)
+{
+       static hf_register_info hf[] = {
+         { &hf_pktap_hdrlen,
+           { "Header length", "pktap.hdrlen",
+             FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } },
+         { &hf_pktap_rectype,
+           { "Record type", "pktap.rectype",
+             FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } },
+         { &hf_pktap_dlt,
+           { "DLT", "pktap.dlt",
+             FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } },
+         { &hf_pktap_ifname,   /* fixed length *and* null-terminated */
+           { "Interface name", "pktap.ifname",
+             FT_STRINGZ, BASE_NONE, NULL, 0x0, NULL, HFILL } },
+         { &hf_pktap_flags,
+           { "Flags", "pktap.flags",
+             FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL } },
+         { &hf_pktap_pfamily,
+           { "Protocol family", "pktap.pfamily",
+             FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } },
+         { &hf_pktap_llhdrlen,
+           { "Link-layer header length", "pktap.llhdrlen",
+             FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } },
+         { &hf_pktap_lltrlrlen,
+           { "Link-layer trailer length", "pktap.lltrlrlen",
+             FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } },
+         { &hf_pktap_pid,
+           { "Process ID", "pktap.pid",
+             FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } },
+         { &hf_pktap_cmdname,  /* fixed length *and* null-terminated */
+           { "Command name", "pktap.cmdname",
+             FT_STRINGZ, BASE_NONE, NULL, 0x0, NULL, HFILL } },
+         { &hf_pktap_svc_class,
+           { "Service class", "pktap.svc_class",
+             FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } },
+         { &hf_pktap_iftype,
+           { "Interface type", "pktap.iftype",
+             FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL } },
+         { &hf_pktap_ifunit,
+           { "Interface unit", "pktap.ifunit",
+             FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL } },
+         { &hf_pktap_epid,
+           { "Effective process ID", "pktap.epid",
+             FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } },
+         { &hf_pktap_ecmdname, /* fixed length *and* null-terminated */
+           { "Effective command name", "pktap.ecmdname",
+             FT_STRINGZ, BASE_NONE, NULL, 0x0, NULL, HFILL } },
+       };
+
+       static gint *ett[] = {
+               &ett_pktap,
+       };
+
+       static ei_register_info ei[] = {
+           { &ei_pktap_hdrlen_too_short,
+             { "pktap.hdrlen_too_short", PI_MALFORMED, PI_ERROR,
+               "Header length is too short", EXPFILL }},
+       };
+
+       expert_module_t* expert_pktap;
+
+       proto_pktap = proto_register_protocol("PKTAP packet header", "PKTAP",
+           "pktap");
+       proto_register_field_array(proto_pktap, hf, array_length(hf));
+       proto_register_subtree_array(ett, array_length(ett));
+       expert_pktap = expert_register_protocol(proto_pktap);
+       expert_register_field_array(expert_pktap, ei, array_length(ei));
+
+       pktap_handle = register_dissector("pktap", dissect_pktap, proto_pktap);
+}
+
+void
+proto_reg_handoff_pktap(void)
+{
+       dissector_add_uint("wtap_encap", WTAP_ENCAP_PKTAP, pktap_handle);
+}
+
+/*
+ * Editor modelines  -  http://www.wireshark.org/tools/modelines.html
+ *
+ * Local variables:
+ * c-basic-offset: 8
+ * tab-width: 8
+ * indent-tabs-mode: t
+ * End:
+ *
+ * vi: set shiftwidth=8 tabstop=8 noexpandtab:
+ * :indentSize=8:tabSize=8:noTabs=false:
+ */
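Review bot: In capture_pktap the DLT is read from the wrong offset: `dlt = pletoh32(pd+4);` re-reads the record-type word that was just compared against PKT_REC_PACKET, so dlt is always 1 and every record is counted through capture_eth() whatever link type the header declares; dissect_pktap reads the DLT at offset 8, so this should be `dlt = pletoh32(pd+8);`. In dissect_pktap the payload is then taken with `tvb_new_subset_remaining(tvb, offset)` where offset is the 108 bytes of fixed fields rather than the header length carried in pkt_len (which the comment above MIN_PKTAP_HDR_LEN says exists so the header can be extended, and which capture_pktap already uses as the payload offset), so a longer header would hand its trailing bytes to the link-layer dissector as packet data; `next_tvb = tvb_new_subset_remaining(tvb, pkt_len);` matches the item length already used for proto_pktap. Note also that when wtap_pcap_encap_to_wtap_encap(dlt) has no table entry dissector_try_uint() returns FALSE and the payload is not shown at all; handing it to the data dissector on that return would make an unknown DLT visible instead of silent. The short-header expert item is added to `tree` rather than `pktap_tree`, which is presumably unintended.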
index 00808ffa4e89f4a3657e0182eabebbc396d971b6..a62ef833735d392263e0542d0cbc4a4fb08d1b1b 100644 (file)
@@ -23,6 +23,8 @@
 
 #include "config.h"
 
+#include <stdio.h>
+
 #include <glib.h>
 #include <epan/packet.h>
 #include <epan/expert.h>
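Review bot: The added `#include <stdio.h>` is not used by anything else this commit adds to packet-user_encap.c — the other hunks only declare and fill a static user_encap_t and compare pinfo->match_uint — so unless it serves code outside these hunks it looks like a leftover and should be dropped. The remainder of the include block is outside this hunk.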
@@ -80,6 +82,11 @@ static guint num_encaps = 0;
 static uat_t* encaps_uat;
 static dissector_handle_t data_handle;
 
+/*
+ * Use this for DLT_USER2 if we don't have an encapsulation for it.
+ */
+static user_encap_t user2_encap;
+
 static void dissect_user(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree) {
     user_encap_t* encap = NULL;
     tvbuff_t* payload_tvb;
@@ -95,6 +102,14 @@ static void dissect_user(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree) {
     }
 
     item = proto_tree_add_item(tree,proto_user_encap,tvb,0,-1,ENC_NA);
+    if (!encap && pinfo->match_uint == WTAP_ENCAP_USER2) {
+        /*
+         * Special-case DLT_USER2 - Apple hijacked it for use as DLT_PKTAP.
+         * The user hasn't assigned anything to it, so default it to
+         * the PKTAP dissector.
+         */
+        encap = &user2_encap;
+    }
     if (!encap) {
         char* msg = wmem_strdup_printf(wmem_packet_scope(),
                                      "User encapsulation not handled: DLT=%d, "
@@ -192,6 +207,16 @@ void proto_reg_handoff_user_encap(void)
     user_encap_handle = find_dissector("user_dlt");
     data_handle = find_dissector("data");
 
+    user2_encap.encap = WTAP_ENCAP_USER2;
+    user2_encap.payload_proto_name = g_strdup("pktap");
+    user2_encap.payload_proto = find_dissector("pktap");
+    user2_encap.header_proto_name = g_strdup("");
+    user2_encap.header_proto = NULL;
+    user2_encap.trailer_proto_name = g_strdup("");
+    user2_encap.trailer_proto = NULL;
+    user2_encap.header_size = 0;
+    user2_encap.trailer_size = 0;
+
     for (i = WTAP_ENCAP_USER0 ; i <= WTAP_ENCAP_USER15; i++)
         dissector_add_uint("wtap_encap", i, user_encap_handle);
 
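Review bot: `user2_encap.payload_proto = find_dissector("pktap");` is stored with no check, so if the lookup ever fails (pktap dissector not built, or its registered name changes) dissect_user's USER2 fallback would pick up an encap whose payload_proto is NULL; guarding it with `if (user2_encap.payload_proto == NULL) user2_encap.payload_proto = data_handle;` keeps the fallback harmless, since data_handle is resolved just above. How payload_proto is consumed after the fallback is outside these hunks, so this assumes the usual call_dissector() path. If proto_reg_handoff_user_encap can be entered more than once, the three g_strdup() calls also leak a little on each pass and could be replaced by string literals or moved behind a once-guard.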
index 57c25a931f80e5ffa97bf1f449177c46ebe59617..a53fb47e670b971b899c1f3ef26d00692476aa80 100644 (file)
@@ -423,6 +423,10 @@ static const struct {
        { 255,          WTAP_ENCAP_BLUETOOTH_BREDR_BB },
        /* Bluetooth Low Energy Link Layer RF captures */
        { 256,          WTAP_ENCAP_BLUETOOTH_LE_LL_WITH_PHDR },
+
+       /* Apple PKTAP */
+       { 258,          WTAP_ENCAP_PKTAP },
+
        /*
         * To repeat:
         *
index 17a85b23130744790a140c85ed7656fd88910c69..e8212344967360734324b767a3385404cf61038c 100644 (file)
@@ -729,6 +729,9 @@ static struct encap_type_info encap_table_base[] = {
 
        /* WTAP_ENCAP_LOGCAT_LONG */
        { "logcat_long", "logcat_long" },
+
+       /* WTAP_ENCAP_PKTAP */
+       { "Apple PKTAP", "pktap" },
 };
 
 WS_DLL_LOCAL
index db18a2f3af00256151308731d7614255dae2c545..4b2f98112861a7354f7e734ccf4a55497a263fb2 100644 (file)
@@ -262,6 +262,7 @@ extern "C" {
 #define WTAP_ENCAP_LOGCAT_TIME                  169
 #define WTAP_ENCAP_LOGCAT_THREADTIME            170
 #define WTAP_ENCAP_LOGCAT_LONG                  171
+#define WTAP_ENCAP_PKTAP                        172
 /* After adding new item here, please also add new item to encap_table_base array */
 
 #define WTAP_NUM_ENCAP_TYPES                    wtap_get_num_encap_types()