3 * $Id: iptrace.c,v 1.47 2003/01/10 04:04:41 guy Exp $
6 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
30 #include "file_wrappers.h"
/*
 * Forward declarations for this file's static helpers: the sequential and
 * random-access readers for iptrace 1.0 and 2.0, the shared record
 * header/data read helpers, the ATM pseudo-header filler and the
 * interface-type mapper.
 * NOTE(review): several parameter lists are cut short in this listing.
 */
35 static gboolean iptrace_read_1_0(wtap *wth, int *err, long *data_offset);
36 static gboolean iptrace_seek_read_1_0(wtap *wth, long seek_off,
37 union wtap_pseudo_header *pseudo_header, guchar *pd, int packet_size,
40 static gboolean iptrace_read_2_0(wtap *wth, int *err, long *data_offset);
41 static gboolean iptrace_seek_read_2_0(wtap *wth, long seek_off,
42 union wtap_pseudo_header *pseudo_header, guchar *pd, int packet_size,
45 static int iptrace_read_rec_header(FILE_T fh, guint8 *header, int header_len,
47 static gboolean iptrace_read_rec_data(FILE_T fh, guint8 *data_ptr,
48 int packet_size, int *err);
49 static void get_atm_pseudo_header(const guint8 *pd, guint32 len,
50 union wtap_pseudo_header *pseudo_header, guint8 *header);
51 static int wtap_encap_ift(unsigned int ift);
/*
 * Probe a file for the iptrace format: read the first 11 bytes, compare them
 * with the "iptrace 1.0" and "iptrace 2.0" magic strings, and on a match set
 * the file type and install the matching sequential and random-access
 * reader callbacks on wth.
 * A read that returns fewer than 11 bytes stores file_error() in *err.
 * NOTE(review): name is filled with 11 raw file bytes and then handed to
 * strcmp(); its declaration and any NUL termination fall on lines missing
 * from this listing. Confirm the buffer holds at least 12 bytes and that
 * name[11] is set to '\0' before the comparisons.
 */
53 int iptrace_open(wtap *wth, int *err)
58 errno = WTAP_ERR_CANT_READ;
59 bytes_read = file_read(name, 1, 11, wth->fh);
60 if (bytes_read != 11) {
61 *err = file_error(wth->fh);
/* The 11 magic bytes have been consumed; keep the running offset in step. */
66 wth->data_offset += 11;
69 if (strcmp(name, "iptrace 1.0") == 0) {
70 wth->file_type = WTAP_FILE_IPTRACE_1_0;
71 wth->subtype_read = iptrace_read_1_0;
72 wth->subtype_seek_read = iptrace_seek_read_1_0;
74 else if (strcmp(name, "iptrace 2.0") == 0) {
75 wth->file_type = WTAP_FILE_IPTRACE_2_0;
76 wth->subtype_read = iptrace_read_2_0;
77 wth->subtype_seek_read = iptrace_seek_read_2_0;
86 /***********************************************************
88 ***********************************************************/
91 * iptrace 1.0, discovered through inspection
93 * Packet record contains:
95 * an initial header, with a length field and a time stamp, in
96 * seconds since the Epoch;
98 * data, with the specified length.
102 * a bunch of information about the packet;
104 * padding, at least for FDDI;
106 * the raw packet data.
/*
 * Layout of the iptrace 1.0 per-packet header; the left-hand comments give
 * byte offsets. Every field is taken from the capture file, so none of them
 * can be trusted without checking.
 * pkt_length counts the 22 (0x16) bytes of per-packet data as well as the
 * frame, which is why the reader subtracts IPTRACE_1_0_PDATA_SIZE from it.
 * The readers in this file fetch fields from a raw byte array by these
 * offsets (header[28], pntohl(&header[0]), pntohl(&header[4])).
 */
109 /* 0-3 */ guint32 pkt_length; /* packet length + 0x16 */
110 /* 4-7 */ guint32 tv_sec; /* time stamp, seconds since the Epoch */
111 /* 8-11 */ guint32 junk1; /* ???, not time */
112 /* 12-15 */ char if_name[4]; /* null-terminated */
113 /* 16-27 */ char junk2[12]; /* ??? */
114 /* 28 */ guint8 if_type; /* BSD net/if_types.h */
115 /* 29 */ guint8 tx_flag; /* 0=receive, 1=transmit */
118 #define IPTRACE_1_0_PHDR_SIZE 30 /* initial header plus packet data */
119 #define IPTRACE_1_0_PDATA_SIZE 22 /* packet data */
/*
 * Sequential reader for iptrace 1.0 records. Reads the fixed 30-byte record
 * header, maps header byte 28 to an encapsulation, reads the frame into
 * wth->frame_buffer, fills in wth->phdr (length, capture length, timestamp
 * in whole seconds) and updates the per-file encapsulation.
 * NOTE(review): this listing omits some source lines (declarations, braces,
 * returns); the comments here describe only what is visible.
 */
121 /* Read the next packet */
122 static gboolean iptrace_read_1_0(wtap *wth, int *err, long *data_offset)
126 guint8 header[IPTRACE_1_0_PHDR_SIZE];
128 iptrace_1_0_phdr pkt_hdr;
129 char fddi_padding[3];
131 /* Read the descriptor data */
132 *data_offset = wth->data_offset;
133 ret = iptrace_read_rec_header(wth->fh, header, IPTRACE_1_0_PHDR_SIZE,
136 /* Read error or EOF */
139 wth->data_offset += IPTRACE_1_0_PHDR_SIZE;
142 * Byte 28 of the frame header appears to be a BSD-style IFT_xxx
143 * value giving the type of the interface. Check out the
144 * <net/if_types.h> header file.
146 pkt_hdr.if_type = header[28];
147 wth->phdr.pkt_encap = wtap_encap_ift(pkt_hdr.if_type);
149 /* Read the packet data */
/*
 * NOTE(review): packet_size is computed from the 32-bit length field of the
 * file with no range check visible in this listing. A length below
 * IPTRACE_1_0_PDATA_SIZE makes it negative, and a very large length is
 * passed straight to buffer_assure_space() and the read below. Confirm the
 * value is bounded (non-negative and no larger than the maximum packet size
 * the library accepts) before it is used.
 */
150 packet_size = pntohl(&header[0]) - IPTRACE_1_0_PDATA_SIZE;
153 * AIX appears to put 3 bytes of padding in front of FDDI
154 * frames; strip that crap off.
156 if (wth->phdr.pkt_encap == WTAP_ENCAP_FDDI_BITSWAPPED) {
158 * The packet size is really a record size and includes
162 wth->data_offset += 3;
/*
 * NOTE(review): presumably packet_size is reduced by the 3 padding bytes on
 * a line missing from this listing; if so, a record shorter than the padding
 * would drive it negative. Verify against the full source.
 */
167 if (!iptrace_read_rec_data(wth->fh, fddi_padding, 3, err))
168 return FALSE; /* Read error */
/* Grow the frame buffer to packet_size bytes, then read the frame into it. */
171 buffer_assure_space( wth->frame_buffer, packet_size );
172 data_ptr = buffer_start_ptr( wth->frame_buffer );
173 if (!iptrace_read_rec_data(wth->fh, data_ptr, packet_size, err))
174 return FALSE; /* Read error */
175 wth->data_offset += packet_size;
/* iptrace 1.0 carries only whole seconds (header bytes 4-7). */
177 wth->phdr.len = packet_size;
178 wth->phdr.caplen = packet_size;
179 wth->phdr.ts.tv_sec = pntohl(&header[4]);
180 wth->phdr.ts.tv_usec = 0;
/* An unmapped interface type is reported only after the frame was read. */
182 if (wth->phdr.pkt_encap == WTAP_ENCAP_UNKNOWN) {
183 g_message("iptrace: interface type IFT=0x%02x unknown or unsupported",
185 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
189 if (wth->phdr.pkt_encap == WTAP_ENCAP_ATM_PDUS) {
190 get_atm_pseudo_header(data_ptr, wth->phdr.caplen,
191 &wth->pseudo_header, header);
194 /* If the per-file encapsulation isn't known, set it to this
195 packet's encapsulation.
197 If it *is* known, and it isn't this packet's encapsulation,
198 set it to WTAP_ENCAP_PER_PACKET, as this file doesn't
199 have a single encapsulation for all packets in the file. */
200 if (wth->file_encap == WTAP_ENCAP_UNKNOWN)
201 wth->file_encap = wth->phdr.pkt_encap;
203 if (wth->file_encap != wth->phdr.pkt_encap)
204 wth->file_encap = WTAP_ENCAP_PER_PACKET;
/*
 * Random-access reader for iptrace 1.0 records. Seeks wth->random_fh to
 * seek_off, re-reads the 30-byte record header, skips the 3 bytes of FDDI
 * padding when the interface type maps to FDDI, reads packet_size bytes of
 * frame data into pd and, for ATM traffic, fills in the pseudo-header.
 * An EOF while reading the header is reported as WTAP_ERR_SHORT_READ.
 * NOTE(review): this listing omits some source lines; the comments here
 * describe only what is visible.
 */
210 static gboolean iptrace_seek_read_1_0(wtap *wth, long seek_off,
211 union wtap_pseudo_header *pseudo_header, guchar *pd, int packet_size,
215 guint8 header[IPTRACE_1_0_PHDR_SIZE];
217 char fddi_padding[3];
219 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
222 /* Read the descriptor data */
223 ret = iptrace_read_rec_header(wth->random_fh, header,
224 IPTRACE_1_0_PHDR_SIZE, err);
226 /* Read error or EOF */
228 /* EOF means "short read" in random-access mode */
229 *err = WTAP_ERR_SHORT_READ;
235 * Get the interface type.
237 pkt_encap = wtap_encap_ift(header[28]);
240 * AIX appears to put 3 bytes of padding in front of FDDI
241 * frames; strip that crap off.
243 if (pkt_encap == WTAP_ENCAP_FDDI_BITSWAPPED) {
247 if (!iptrace_read_rec_data(wth->random_fh, fddi_padding, 3, err))
248 return FALSE; /* Read error */
251 /* Get the packet data */
/*
 * NOTE(review): packet_size is supplied by the caller and is not compared
 * with the length field of the header just re-read, as far as this listing
 * shows. pd must have room for packet_size bytes; presumably the caller
 * sized it from the value recorded by the sequential read. Confirm.
 */
252 if (!iptrace_read_rec_data(wth->random_fh, pd, packet_size, err))
255 /* Get the ATM pseudo-header, if this is ATM traffic. */
256 if (pkt_encap == WTAP_ENCAP_ATM_PDUS)
257 get_atm_pseudo_header(pd, packet_size, pseudo_header, header);
262 /***********************************************************
264 ***********************************************************/
267 * iptrace 2.0, discovered through inspection
269 * Packet record contains:
271 * an initial header, with a length field and a time stamp, in
272 * seconds since the Epoch;
274 * data, with the specified length.
278 * a bunch of information about the packet;
280 * padding, at least for FDDI;
282 * the raw packet data.
/*
 * Layout of the iptrace 2.0 per-packet header; the left-hand comments give
 * byte offsets. Every field is taken from the capture file, so none of them
 * can be trusted without checking.
 * pkt_length counts the 32 bytes of per-packet data as well as the frame,
 * which is why the reader subtracts IPTRACE_2_0_PDATA_SIZE from it.
 * The header holds two time stamps; the 2.0 reader in this file uses the
 * second one (offsets 32 and 36), which has nanosecond resolution.
 */
285 /* 0-3 */ guint32 pkt_length; /* packet length + 32 */
286 /* 4-7 */ guint32 tv_sec0; /* time stamp, seconds since the Epoch */
287 /* 8-11 */ guint32 junk1; /* ?? */
288 /* 12-15 */ char if_name[4]; /* null-terminated */
289 /* 16-27 */ char if_desc[12]; /* interface description. */
290 /* 28 */ guint8 if_type; /* BSD net/if_types.h */
291 /* 29 */ guint8 tx_flag; /* 0=receive, 1=transmit */
292 /* 30-31 */ guint16 junk3;
293 /* 32-35 */ guint32 tv_sec; /* time stamp, seconds since the Epoch */
294 /* 36-39 */ guint32 tv_nsec; /* nanoseconds since that second */
297 #define IPTRACE_2_0_PHDR_SIZE 40 /* initial header plus packet data */
298 #define IPTRACE_2_0_PDATA_SIZE 32 /* packet data */
/*
 * Sequential reader for iptrace 2.0 records. Reads the fixed 40-byte record
 * header, maps header byte 28 to an encapsulation, reads the frame into
 * wth->frame_buffer, fills in wth->phdr (length, capture length, timestamp
 * converted from nanoseconds to microseconds) and updates the per-file
 * encapsulation.
 * NOTE(review): this listing omits some source lines (declarations, braces,
 * returns); the comments here describe only what is visible.
 */
300 /* Read the next packet */
301 static gboolean iptrace_read_2_0(wtap *wth, int *err, long *data_offset)
305 guint8 header[IPTRACE_2_0_PHDR_SIZE];
307 iptrace_2_0_phdr pkt_hdr;
308 char fddi_padding[3];
310 /* Read the descriptor data */
311 *data_offset = wth->data_offset;
312 ret = iptrace_read_rec_header(wth->fh, header, IPTRACE_2_0_PHDR_SIZE,
315 /* Read error or EOF */
318 wth->data_offset += IPTRACE_2_0_PHDR_SIZE;
321 * Byte 28 of the frame header appears to be a BSD-style IFT_xxx
322 * value giving the type of the interface. Check out the
323 * <net/if_types.h> header file.
325 pkt_hdr.if_type = header[28];
326 wth->phdr.pkt_encap = wtap_encap_ift(pkt_hdr.if_type);
328 /* Read the packet data */
/*
 * NOTE(review): packet_size is computed from the 32-bit length field of the
 * file with no range check visible in this listing. A length below
 * IPTRACE_2_0_PDATA_SIZE makes it negative, and a very large length is
 * passed straight to buffer_assure_space() and the read below. Confirm the
 * value is bounded (non-negative and no larger than the maximum packet size
 * the library accepts) before it is used.
 */
329 packet_size = pntohl(&header[0]) - IPTRACE_2_0_PDATA_SIZE;
332 * AIX appears to put 3 bytes of padding in front of FDDI
333 * frames; strip that crap off.
335 if (wth->phdr.pkt_encap == WTAP_ENCAP_FDDI_BITSWAPPED) {
337 * The packet size is really a record size and includes
341 wth->data_offset += 3;
/*
 * NOTE(review): presumably packet_size is reduced by the 3 padding bytes on
 * a line missing from this listing; if so, a record shorter than the padding
 * would drive it negative. Verify against the full source.
 */
346 if (!iptrace_read_rec_data(wth->fh, fddi_padding, 3, err))
347 return FALSE; /* Read error */
/* Grow the frame buffer to packet_size bytes, then read the frame into it. */
350 buffer_assure_space( wth->frame_buffer, packet_size );
351 data_ptr = buffer_start_ptr( wth->frame_buffer );
352 if (!iptrace_read_rec_data(wth->fh, data_ptr, packet_size, err))
353 return FALSE; /* Read error */
354 wth->data_offset += packet_size;
356 /* AIX saves time in nsec, not usec. It's easier to make iptrace
357 * files more Unix-compliant here than try to get the calling
358 * program to know when to use nsec or usec */
360 wth->phdr.len = packet_size;
361 wth->phdr.caplen = packet_size;
362 wth->phdr.ts.tv_sec = pntohl(&header[32]);
363 wth->phdr.ts.tv_usec = pntohl(&header[36]) / 1000;
/* An unmapped interface type is reported only after the frame was read. */
365 if (wth->phdr.pkt_encap == WTAP_ENCAP_UNKNOWN) {
366 g_message("iptrace: interface type IFT=0x%02x unknown or unsupported",
368 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
372 if (wth->phdr.pkt_encap == WTAP_ENCAP_ATM_PDUS) {
373 get_atm_pseudo_header(data_ptr, wth->phdr.caplen,
374 &wth->pseudo_header, header);
377 /* If the per-file encapsulation isn't known, set it to this
378 packet's encapsulation.
380 If it *is* known, and it isn't this packet's encapsulation,
381 set it to WTAP_ENCAP_PER_PACKET, as this file doesn't
382 have a single encapsulation for all packets in the file. */
383 if (wth->file_encap == WTAP_ENCAP_UNKNOWN)
384 wth->file_encap = wth->phdr.pkt_encap;
386 if (wth->file_encap != wth->phdr.pkt_encap)
387 wth->file_encap = WTAP_ENCAP_PER_PACKET;
/*
 * Random-access reader for iptrace 2.0 records. Seeks wth->random_fh to
 * seek_off, re-reads the 40-byte record header, skips the 3 bytes of FDDI
 * padding when the interface type maps to FDDI, reads packet_size bytes of
 * frame data into pd and, for ATM traffic, fills in the pseudo-header.
 * An EOF while reading the header is reported as WTAP_ERR_SHORT_READ.
 * NOTE(review): this listing omits some source lines; the comments here
 * describe only what is visible.
 */
393 static gboolean iptrace_seek_read_2_0(wtap *wth, long seek_off,
394 union wtap_pseudo_header *pseudo_header, guchar *pd, int packet_size,
398 guint8 header[IPTRACE_2_0_PHDR_SIZE];
400 char fddi_padding[3];
402 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
405 /* Read the descriptor data */
406 ret = iptrace_read_rec_header(wth->random_fh, header,
407 IPTRACE_2_0_PHDR_SIZE, err);
409 /* Read error or EOF */
411 /* EOF means "short read" in random-access mode */
412 *err = WTAP_ERR_SHORT_READ;
418 * Get the interface type.
420 pkt_encap = wtap_encap_ift(header[28]);
423 * AIX appears to put 3 bytes of padding in front of FDDI
424 * frames; strip that crap off.
426 if (pkt_encap == WTAP_ENCAP_FDDI_BITSWAPPED) {
430 if (!iptrace_read_rec_data(wth->random_fh, fddi_padding, 3, err))
431 return FALSE; /* Read error */
434 /* Get the packet data */
/*
 * NOTE(review): packet_size is supplied by the caller and is not compared
 * with the length field of the header just re-read, as far as this listing
 * shows. pd must have room for packet_size bytes; presumably the caller
 * sized it from the value recorded by the sequential read. Confirm.
 */
435 if (!iptrace_read_rec_data(wth->random_fh, pd, packet_size, err))
438 /* Get the ATM pseudo-header, if this is ATM traffic. */
439 if (pkt_encap == WTAP_ENCAP_ATM_PDUS)
440 get_atm_pseudo_header(pd, packet_size, pseudo_header, header);
/*
 * Read header_len bytes of record header from fh into header.
 * When fewer bytes arrive, *err first takes file_error(fh); a read that
 * returned some bytes but not all of them is reported as
 * WTAP_ERR_SHORT_READ.
 * The caller must pass a buffer of at least header_len bytes; both readers
 * in this file pass a fixed-size array together with its size constant.
 * NOTE(review): the return statements fall on lines missing from this
 * listing; callers treat the result as "read error or EOF" versus success.
 */
446 iptrace_read_rec_header(FILE_T fh, guint8 *header, int header_len, int *err)
450 errno = WTAP_ERR_CANT_READ;
451 bytes_read = file_read(header, 1, header_len, fh);
452 if (bytes_read != header_len) {
453 *err = file_error(fh);
456 if (bytes_read != 0) {
457 *err = WTAP_ERR_SHORT_READ;
/*
 * Read packet_size bytes of record data from fh into data_ptr.
 * When the byte count differs from packet_size, *err takes file_error(fh)
 * and WTAP_ERR_SHORT_READ is assigned as well; the condition guarding that
 * second assignment is on a line missing from this listing.
 * NOTE(review): packet_size is a signed int that the sequential readers
 * derive from a length field in the file. Nothing visible here rejects a
 * negative or oversized value, so the bound has to be enforced by the caller
 * before data_ptr is written. Confirm against the full source.
 */
466 iptrace_read_rec_data(FILE_T fh, guint8 *data_ptr, int packet_size, int *err)
470 errno = WTAP_ERR_CANT_READ;
471 bytes_read = file_read( data_ptr, 1, packet_size, fh );
473 if (bytes_read != packet_size) {
474 *err = file_error(fh);
476 *err = WTAP_ERR_SHORT_READ;
483 * Fill in the pseudo-header information we can; alas, "iptrace" doesn't
484 * tell us what type of traffic is in the packet - it was presumably
485 * run on a machine that was one of the endpoints of the connection, so
486 * in theory it could presumably have told us, but, for whatever reason,
487 * it failed to do so - perhaps the low-level mechanism that feeds the
488 * presumably-AAL5 frames to us doesn't have access to that information
489 * (e.g., because it's in the ATM driver, and the ATM driver merely knows
490 * that stuff on VPI/VCI X.Y should be handed up to some particular
491 * client, it doesn't know what that client is).
493 * We let our caller try to figure out what kind of traffic it is, either
494 * by guessing based on the VPI/VCI, guessing based on the header of the
495 * packet, seeing earlier traffic that set up the circuit and specified
496 * in some fashion what sort of traffic it is, or being told by the user.
/*
 * Fill in the ATM pseudo-header for one frame: parse the "x.y" text at
 * header bytes 20-27 into VPI and VCI, take the channel from header byte 29,
 * let atm_guess_traffic_type() classify the traffic from the frame data, and
 * zero the fields iptrace does not record.
 * pd/len describe the frame data; header is the raw record header.
 */
499 get_atm_pseudo_header(const guint8 *pd, guint32 len,
500 union wtap_pseudo_header *pseudo_header, guint8 *header)
507 /* Rip apart the "x.y" text into Vpi/Vci numbers */
/*
 * NOTE(review): the 8 bytes copied here come from the capture file and need
 * not contain a '.' or a terminating NUL. The declaration of if_text, its
 * termination and the NULL check on the strchr() result are on lines missing
 * from this listing. Confirm that if_text holds at least 9 bytes, that
 * if_text[8] is set to '\0' before strchr(), and that decimal is checked
 * before it is passed to strtoul().
 */
508 memcpy(if_text, &header[20], 8);
510 decimal = strchr(if_text, '.');
513 Vpi = strtoul(if_text, NULL, 10);
515 Vci = strtoul(decimal, NULL, 10);
519 * OK, which value means "DTE->DCE" and which value means
522 pseudo_header->atm.channel = header[29];
/*
 * NOTE(review): strtoul() yields an unsigned long; the widths of Vpi, Vci
 * and the atm.vpi / atm.vci fields are not visible here, so out-of-range
 * text may be truncated on assignment. Verify.
 */
524 pseudo_header->atm.vpi = Vpi;
525 pseudo_header->atm.vci = Vci;
528 * Attempt to guess from the packet data, the VPI, and the VCI
529 * information about the type of traffic.
531 atm_guess_traffic_type(pd, len, pseudo_header);
533 /* We don't have this information */
534 pseudo_header->atm.flags = 0;
535 pseudo_header->atm.cells = 0;
536 pseudo_header->atm.aal5t_u2u = 0;
537 pseudo_header->atm.aal5t_len = 0;
538 pseudo_header->atm.aal5t_chksum = 0;
/*
 * Translate an RFC1573 (SNMP ifType) interface type into the matching
 * Wiretap encapsulation type.
 *
 * The readers in this file pass byte 28 of a record header, so ift is a
 * value taken from the capture file. It is compared with the table size
 * before it is used as an index; anything past the last entry maps to
 * WTAP_ENCAP_UNKNOWN.
 */
static int
wtap_encap_ift(unsigned int ift)
{
	/* Indexed by ifType value; the trailing comment names the IFT_ constant. */
	static const int ift_encap[] = {
		WTAP_ENCAP_UNKNOWN,		/* 0x00: nothing */
		WTAP_ENCAP_UNKNOWN,		/* 0x01: IFT_OTHER */
		WTAP_ENCAP_UNKNOWN,		/* 0x02: IFT_1822 */
		WTAP_ENCAP_UNKNOWN,		/* 0x03: IFT_HDH1822 */
		WTAP_ENCAP_RAW_IP,		/* 0x04: IFT_X25DDN */
		WTAP_ENCAP_UNKNOWN,		/* 0x05: IFT_X25 */
		WTAP_ENCAP_ETHERNET,		/* 0x06: IFT_ETHER */
		WTAP_ENCAP_ETHERNET,		/* 0x07: IFT_ISO88023 */
		WTAP_ENCAP_UNKNOWN,		/* 0x08: IFT_ISO88024 */
		WTAP_ENCAP_TOKEN_RING,		/* 0x09: IFT_ISO88025 */
		WTAP_ENCAP_UNKNOWN,		/* 0x0a: IFT_ISO88026 */
		WTAP_ENCAP_UNKNOWN,		/* 0x0b: IFT_STARLAN */
		WTAP_ENCAP_RAW_IP,		/* 0x0c: IFT_P10, IBM SP switch */
		WTAP_ENCAP_UNKNOWN,		/* 0x0d: IFT_P80 */
		WTAP_ENCAP_UNKNOWN,		/* 0x0e: IFT_HY */
		WTAP_ENCAP_FDDI_BITSWAPPED,	/* 0x0f: IFT_FDDI */
		WTAP_ENCAP_LAPB,		/* 0x10: IFT_LAPB; no data to back this up */
		WTAP_ENCAP_UNKNOWN,		/* 0x11: IFT_SDLC */
		WTAP_ENCAP_UNKNOWN,		/* 0x12: IFT_T1 */
		WTAP_ENCAP_UNKNOWN,		/* 0x13: IFT_CEPT */
		WTAP_ENCAP_UNKNOWN,		/* 0x14: IFT_ISDNBASIC */
		WTAP_ENCAP_UNKNOWN,		/* 0x15: IFT_ISDNPRIMARY */
		WTAP_ENCAP_UNKNOWN,		/* 0x16: IFT_PTPSERIAL */
		WTAP_ENCAP_UNKNOWN,		/* 0x17: IFT_PPP */
		WTAP_ENCAP_RAW_IP,		/* 0x18: IFT_LOOP */
		WTAP_ENCAP_UNKNOWN,		/* 0x19: IFT_EON */
		WTAP_ENCAP_UNKNOWN,		/* 0x1a: IFT_XETHER */
		WTAP_ENCAP_UNKNOWN,		/* 0x1b: IFT_NSIP */
		WTAP_ENCAP_UNKNOWN,		/* 0x1c: IFT_SLIP */
		WTAP_ENCAP_UNKNOWN,		/* 0x1d: IFT_ULTRA */
		WTAP_ENCAP_UNKNOWN,		/* 0x1e: IFT_DS3 */
		WTAP_ENCAP_UNKNOWN,		/* 0x1f: IFT_SIP */
		WTAP_ENCAP_UNKNOWN,		/* 0x20: IFT_FRELAY */
		WTAP_ENCAP_UNKNOWN,		/* 0x21: IFT_RS232 */
		WTAP_ENCAP_UNKNOWN,		/* 0x22: IFT_PARA */
		WTAP_ENCAP_UNKNOWN,		/* 0x23: IFT_ARCNET */
		WTAP_ENCAP_UNKNOWN,		/* 0x24: IFT_ARCNETPLUS */
		WTAP_ENCAP_ATM_PDUS,		/* 0x25: IFT_ATM */
	};
#define NUM_IFT_ENCAPS (sizeof ift_encap / sizeof ift_encap[0])

	/* Reject out-of-table values first so the index below stays in bounds. */
	if (ift >= NUM_IFT_ENCAPS)
		return WTAP_ENCAP_UNKNOWN;

	return ift_encap[ift];
}