1 /**-*-C-*-**********************************************************************
5 * Utility to convert an ASCII hexdump into a libpcap-format capture file
7 * (c) Copyright 2001 Ashok Narayanan <ashokn@cisco.com>
9 * $Id: text2pcap.c,v 1.2 2001/05/21 03:17:14 guy Exp $
11 * Ethereal - Network traffic analyzer
12 * By Gerald Combs <gerald@ethereal.com>
13 * Copyright 1998 Gerald Combs
17 * This program is free software; you can redistribute it and/or
18 * modify it under the terms of the GNU General Public License
19 * as published by the Free Software Foundation; either version 2
20 * of the License, or (at your option) any later version.
22 * This program is distributed in the hope that it will be useful,
23 * but WITHOUT ANY WARRANTY; without even the implied warranty of
24 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25 * GNU General Public License for more details.
27 * You should have received a copy of the GNU General Public License
28 * along with this program; if not, write to the Free Software
29 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 *******************************************************************************/
33 /*******************************************************************************
35 * This utility reads in an ASCII hexdump of this common format:
37 * 00000000 00 E0 1E A7 05 6F 00 10 5A A0 B9 12 08 00 46 00 .....o..Z.....F.
38 * 00000010 03 68 00 00 00 00 0A 2E EE 33 0F 19 08 7F 0F 19 .h.......3...\7f..
39 * 00000020 03 80 94 04 00 00 10 01 16 A2 0A 00 03 50 00 0C .............P..
40 * 00000030 01 01 0F 19 03 80 11 01 1E 61 00 0C 03 01 0F 19 .........a......
42 * Each bytestring line consists of an offset, one or more bytes, and
43 * text at the end. An offset is defined as a hex string of more than
44 * two characters. A byte is defined as a hex string of exactly two
45 * characters. The text at the end is ignored, as is any text before
46 * the offset. Bytes read from a bytestring line are added to the
47 * current packet only if all the following conditions are satisfied:
49 * - No text appears between the offset and the bytes (any bytes appearing after
50 * such text would be ignored)
52 * - The offset must be arithmetically correct, i.e. if the offset is 00000020, then
53 * exactly 32 bytes must have been read into this packet before this. If the offset
54 * is wrong, the packet is immediately terminated
56 * A packet start is signalled by a zero offset.
58 * Lines starting with #TEXT2PCAP are directives. These allow the user
59 * to embed instructions in the capture file that tell text2pcap
60 * to take some action (e.g. specifying the encapsulation).
61 * Currently no directives are implemented.
63 * Lines beginning with # which are not directives are ignored as
64 * comments. Currently all non-hexdump text is ignored by text2pcap;
65 * in the future, text processing may be added, but lines prefixed
66 * with '#' will still be ignored.
68 * The output is a libpcap packet containing Ethernet frames by
69 * default. This program takes options which allow the user to add
70 * dummy Ethernet, IP and UDP headers to the packets in order to allow
71 * dumps of L3 or higher protocols to be decoded.
73 * Considerable flexibility is built into this code to read hexdumps
74 * of slightly different formats. For example, any text prefixing the
75 * hexdump line is dropped (including mail forwarding '>'). The offset
76 * can be any hex number of four digits or greater.
78 * This converter cannot read a single packet greater than 64K. Packet
79 * snaplength is automatically set to 64K.
89 #include <sys/types.h>
93 #ifdef HAVE_NETINET_IN_H
94 # include <netinet/in.h>
114 #include "text2pcap.h"
116 /*--- Options --------------------------------------------------------------------*/
// Command-line controlled settings for the optional dummy headers.
// NOTE(review): the values below are unsigned long, but they end up in
// narrower header fields: hdr_ethernet_proto and the two UDP ports pass
// through htons() (16 bits) and hdr_ip_proto is assigned to the 8-bit
// HDR_IP.protocol field. No range check is visible in this listing, so
// out-of-range values would be truncated silently.
123 /* Dummy Ethernet header */
124 int hdr_ethernet = FALSE;
125 unsigned long hdr_ethernet_proto = 0;
127 /* Dummy IP header */
129 unsigned long hdr_ip_proto = 0;
131 /* Dummy UDP header */
133 unsigned long hdr_udp_dest = 0;
134 unsigned long hdr_udp_src = 0;
136 /*--- Local data -----------------------------------------------------------------*/
138 /* This is where we store the packet currently being built */
// NOTE(review): MAX_PACKET is 64000 bytes, slightly below the "64K" limit
// that the file header comment mentions. curr_offset is the write index into
// packet_buf (see write_byte), so every store has to be checked against
// MAX_PACKET; the write_byte() lines visible in this listing show no such
// check.
139 #define MAX_PACKET 64000
140 unsigned char packet_buf[MAX_PACKET];
141 unsigned long curr_offset = 0;
143 /* Number of packets read and written */
144 unsigned long num_packets_read = 0;
145 unsigned long num_packets_written = 0;
148 char *input_filename;
149 FILE *input_file = NULL;
151 char *output_filename;
152 FILE *output_file = NULL;
154 /* Offset base to parse */
155 unsigned long offset_base = 16;
159 /* ----- State machine -----------------------------------------------------------*/
161 /* Current state of parser */
163 INIT, /* Waiting for start of new packet */
164 START_OF_LINE, /* Starting from beginning of line */
165 READ_OFFSET, /* Just read the offset */
166 READ_BYTE, /* Just read a byte */
167 READ_TEXT, /* Just read text - ignore until EOL */
169 parser_state_t state = INIT;
171 const char *state_str[] = {"Init",
178 const char *token_str[] = {"",
186 /* ----- Skeleton Packet Headers --------------------------------------------------*/
189 unsigned char src_addr[6];
190 unsigned char dest_addr[6];
191 unsigned short l3pid;
194 hdr_ethernet_t HDR_ETHERNET = {
195 {0x01, 0x01, 0x01, 0x01, 0x01, 0x01},
196 {0x02, 0x02, 0x02, 0x02, 0x02, 0x02},
// Skeleton IPv4 header; the struct is written to the output file as raw
// bytes with fwrite(&HDR_IP, sizeof(HDR_IP), ...).
// NOTE(review): src_addr and dest_addr are declared unsigned long. Where
// unsigned long is wider than 32 bits, sizeof(HDR_IP) is larger than the 20
// bytes that ver_hdrlen = 0x45 announces, and both the checksum and the bytes
// written would cover the extra bytes. Compiler padding can have the same
// effect. A fixed-width 32-bit type would make the layout explicit - confirm
// against the platforms this is built for.
200 unsigned char ver_hdrlen;
202 unsigned short packet_length;
203 unsigned short identification;
205 unsigned char fragment;
207 unsigned char protocol;
208 unsigned short hdr_checksum;
209 unsigned long src_addr;
210 unsigned long dest_addr;
213 hdr_ip_t HDR_IP = {0x45, 0, 0, 0x3412, 0, 0, 0xff, 0, 0, 0x01010101, 0x02020202};
216 unsigned short source_port;
217 unsigned short dest_port;
218 unsigned short length;
219 unsigned short checksum;
222 hdr_udp_t HDR_UDP = {0, 0, 0, 0};
226 /*----------------------------------------------------------------------
227 * Stuff for writing a PCap file
229 #define PCAP_MAGIC 0xa1b2c3d4
231 /* "libpcap" file header (minus magic number). */
// NOTE(review): despite the comment above, the fields visible here start with
// `magic`, so the magic number is part of this struct.
// NOTE(review): both header structs are written to the file as raw memory
// (fwrite of the whole struct). The libpcap file format uses 32-bit fields
// for everything declared unsigned long here, so on a platform where unsigned
// long is 64 bits the output would not be a valid capture file. Fixed-width
// 32-bit types would remove the dependency - confirm for the target platforms.
233 unsigned long magic; /* magic */
234 unsigned short version_major; /* major version number */
235 unsigned short version_minor; /* minor version number */
236 unsigned long thiszone; /* GMT to local correction */
237 unsigned long sigfigs; /* accuracy of timestamps */
238 unsigned long snaplen; /* max length of captured packets, in octets */
239 unsigned long network; /* data link type */
242 /* "libpcap" record header. */
244 unsigned long ts_sec; /* timestamp seconds */
245 unsigned long ts_usec; /* timestamp microseconds */
246 unsigned long incl_len; /* number of octets of packet saved in file */
247 unsigned long orig_len; /* actual length of packet */
250 /* Link-layer type; see net/bpf.h for details */
251 unsigned long pcap_link_type = 1; /* Default is DLT-EN10MB */
253 /*----------------------------------------------------------------------
254 * Parse a single hex number
255 * Will abort the program if it can't parse the number
256 * Pass in TRUE if this is an offset, FALSE if not
259 parse_num (char *str, int offset)
// Converts str with strtoul(). The base is offset_base when `offset` is
// non-zero and 16 otherwise.
// NOTE(review): str comes from the hexdump being converted. No errno or
// ERANGE check is visible in this listing, so confirm that an over-long
// digit string cannot saturate to ULONG_MAX and then be used as an offset.
264 num = strtoul(str, &c, offset ? offset_base : 16);
// The offending text is passed as a "%s" argument, never as the format.
266 fprintf(stderr, "FATAL ERROR: Bad hex number? [%s]\n", str);
272 /*----------------------------------------------------------------------
273 * Write this byte into current packet
276 write_byte (char *str)
// Parses one byte token as hex and stores it at packet_buf[curr_offset].
// NOTE(review): no bounds check is visible before the store below.
// packet_buf holds MAX_PACKET (64000) bytes and its content is driven by the
// input file, so a packet with more than MAX_PACKET bytes and consistent
// offsets would be written past the end of the buffer. Compare curr_offset
// with MAX_PACKET before storing and end or flush the packet when the buffer
// is full.
280 num = parse_num(str, FALSE);
// num is an unsigned long narrowed to unsigned char here; the scanner is
// documented to deliver two-digit tokens as bytes - verify against the scanner.
281 packet_buf[curr_offset] = num;
285 /*----------------------------------------------------------------------
286 * Compute one's complement checksum (from RFC1071)
288 static unsigned short
289 in_checksum (void *buf, unsigned long count)
// Sums the buffer as 16-bit words converted with ntohs(), adds a trailing odd
// byte if there is one, then folds the carries back into the low 16 bits.
// NOTE(review): buf is read through an unsigned short pointer, so it must be
// suitably aligned for 16-bit access. The only caller visible in this listing
// passes &HDR_IP with sizeof(HDR_IP).
291 unsigned long sum = 0;
292 unsigned short *addr = buf;
295 /* This is the inner loop */
296 sum += ntohs(* (unsigned short *) addr++);
300 /* Add left-over byte, if any */
302 sum += * (unsigned char *) addr;
304 /* Fold 32-bit sum to 16 bits */
306 sum = (sum & 0xffff) + (sum >> 16);
311 /*----------------------------------------------------------------------
312 * Write current packet out
315 write_current_packet (void)
// Emits the packet collected in packet_buf, if any: a pcap record header,
// the enabled dummy Ethernet, IP and UDP headers, the payload, and zero
// padding for short Ethernet frames.
// NOTE(review): none of the fwrite() calls visible below has its return value
// checked, so a short write (full disk, closed pipe) would leave a truncated
// capture file while the packet is still counted and reported as written.
320 int eth_trailer_length = 0;
321 struct pcaprec_hdr ph;
323 if (curr_offset > 0) {
324 /* Write the packet */
326 /* Compute packet length */
// udp_length and ip_length are passed through htons() further down, so they
// must fit in 16 bits; that holds only while curr_offset stays within
// MAX_PACKET.
327 length = curr_offset;
328 if (hdr_udp) { length += sizeof(HDR_UDP); udp_length = length; }
329 if (hdr_ip) { length += sizeof(HDR_IP); ip_length = length; }
331 length += sizeof(HDR_ETHERNET);
// Number of padding bytes needed to reach 60 bytes; the condition guarding
// this statement is not visible in this listing.
334 eth_trailer_length = 60 - length;
339 /* Write PCap header */
// The packet counter serves as both seconds and microseconds, so the
// timestamps are synthetic.
340 ph.ts_sec = num_packets_written;
341 ph.ts_usec = num_packets_written;
342 ph.incl_len = length;
343 ph.orig_len = length;
// sizeof(ph) depends on the width of unsigned long on the build platform.
344 fwrite(&ph, sizeof(ph), 1, output_file);
346 /* Write Ethernet header */
348 HDR_ETHERNET.l3pid = htons(hdr_ethernet_proto);
349 fwrite(&HDR_ETHERNET, sizeof(HDR_ETHERNET), 1, output_file);
352 /* Write IP header */
354 HDR_IP.packet_length = htons(ip_length);
// hdr_ip_proto is an unsigned long stored into an unsigned char field.
355 HDR_IP.protocol = hdr_ip_proto;
// The checksum field is zeroed before the checksum is computed over the header.
356 HDR_IP.hdr_checksum = 0;
357 HDR_IP.hdr_checksum = in_checksum(&HDR_IP, sizeof(HDR_IP));
358 fwrite(&HDR_IP, sizeof(HDR_IP), 1, output_file);
361 /* Write UDP header */
363 HDR_UDP.source_port = htons(hdr_udp_src);
364 HDR_UDP.dest_port = htons(hdr_udp_dest);
365 HDR_UDP.length = htons(udp_length);
367 fwrite(&HDR_UDP, sizeof(HDR_UDP), 1, output_file);
371 fwrite(packet_buf, curr_offset, 1, output_file);
373 /* Write Ethernet trailer */
// NOTE(review): the declaration of tempbuf is not visible in this listing; it
// has to hold at least eth_trailer_length bytes (fewer than 60) - confirm.
374 if (hdr_ethernet && eth_trailer_length > 0) {
375 memset(tempbuf, 0, eth_trailer_length);
376 fwrite(tempbuf, eth_trailer_length, 1, output_file);
380 fprintf(stderr, "Wrote packet of %lu bytes\n", curr_offset);
381 num_packets_written ++;
386 /*----------------------------------------------------------------------
387 * Write the PCap file header
390 write_file_header (void)
// Fills the pcap file header (magic, version 2.4, link type) and writes it to
// output_file. The assignments to the remaining fields are not visible in
// this listing.
// NOTE(review): the struct is written as raw memory and the fwrite() result
// is not checked; the layout depends on the width of unsigned long.
394 fh.magic = PCAP_MAGIC;
395 fh.version_major = 2;
396 fh.version_minor = 4;
400 fh.network = pcap_link_type;
402 fwrite(&fh, sizeof(fh), 1, output_file);
405 /*----------------------------------------------------------------------
409 start_new_packet (void)
// Logs the start of a packet and flushes whatever has been collected so far.
// The lines after the flush are not visible in this listing; presumably they
// reset curr_offset - confirm.
412 fprintf(stderr, "Start new packet\n");
414 /* Write out the current packet, if required */
415 write_current_packet();
420 /*----------------------------------------------------------------------
421 * Process a directive
424 process_directive (char *str)
// Reports that directives are unsupported. str+10 skips the 10-character
// "#TEXT2PCAP" prefix.
// NOTE(review): this assumes str is at least 10 characters long; presumably
// the scanner only passes lines that start with the prefix - verify, because
// a shorter string would make the "%s" read start beyond the terminator.
426 fprintf(stderr, "\n--- Directive [%s] currently unsupported ---\n", str+10);
430 /*----------------------------------------------------------------------
431 * Parse a single token (called from the scanner)
434 parse_token (token_t token, char *str)
// Consumes one token from the scanner and advances the global parser state.
// Only part of the state machine is visible in this listing, so the notes
// below cover the visible lines only.
439 * This is implemented as a simple state machine of five states.
440 * State transitions are caused by tokens being received from the
441 * scanner. The code should be self_documenting.
445 /* Sanitize - remove all '\r' */
// Each '\r' is overwritten with a space in place, so the token text is
// modified rather than shortened.
447 if (str!=NULL) { while ((c = strchr(str, '\r')) != NULL) *c=' '; }
// Debug trace; state and token index the name tables directly.
449 fprintf(stderr, "(%s, %s \"%s\") -> (",
450 state_str[state], token_str[token], str ? str : "");
455 /* ----- Waiting for new packet -------------------------------------------*/
459 process_directive(str);
// TRUE selects offset_base (hex or octal) as the conversion base.
462 num = parse_num(str, TRUE);
464 /* New packet starts here */
474 /* ----- Processing packet, start of new line -----------------------------*/
478 process_directive(str);
481 num = parse_num(str, TRUE);
483 /* New packet starts here */
// An offset that does not equal the number of bytes collected so far ends the
// packet: the bytes read up to this point are flushed.
486 } else if (num != curr_offset) {
487 /* Bad offset; switch to INIT state */
489 fprintf(stderr, "Inconsistent offset. Expecting %0lX, got %0lX. Ignoring rest of packet\n",
491 write_current_packet();
501 /* ----- Processing packet, read offset -----------------------------------*/
// NOTE(review): the call that records the byte is not visible here or in the
// READ_BYTE state below; presumably it is write_byte(str), which stores into
// packet_buf - confirm that the buffer limit is enforced on that path.
505 /* Record the byte */
515 state = START_OF_LINE;
522 /* ----- Processing packet, read byte -------------------------------------*/
526 /* Record the byte */
535 state = START_OF_LINE;
542 /* ----- Processing packet, read text -------------------------------------*/
546 state = START_OF_LINE;
554 fprintf(stderr, "FATAL ERROR: Bad state (%d)", state);
559 fprintf(stderr, ", %s)\n", state_str[state]);
563 /*----------------------------------------------------------------------
564 * Print helpstring and exit
567 help (char *progname)
// Prints the usage text.
// NOTE(review): the text documents -w and -h, but the getopt() string in
// parse_options is "dqr:w:e:i:l:o:u:": 'h' is not in it, and no case for 'w'
// or 'r' is visible in this listing. The -u line also names "srcp destp" but
// describes them as "dest and source ports". Keep the usage text in step with
// what parse_options accepts.
571 "Usage: %s [-d] [-q] [-o h|o] [-l typenum] [-e l3pid] [-i proto] \n"
572 " [-u srcp destp] <input-filename> <output-filename>\n"
574 "where <input-filename> specifies input filename (use - for standard input)\n"
575 " <output-filename> specifies output filename (use - for standard output)\n"
577 "[options] are one or more of the following \n"
579 " -w filename : Write capfile to <filename>. Default is standard output\n"
580 " -h : Display this help message \n"
581 " -d : Generate detailed debug of parser states \n"
582 " -o hex|oct : Parse offsets as (h)ex or (o)ctal. Default is hex\n"
583 " -l typenum : Specify link-layer type number. Default is 1 (Ethernet). \n"
584 " See net/bpf.h for list of numbers.\n"
585 " -q : Generate no output at all (automatically turns off -d)\n"
586 " -e l3pid : Prepend dummy Ethernet II header with specified L3PID (in HEX)\n"
587 " Example: -e 0x800\n"
588 " -i proto : Prepend dummy IP header with specified IP protocol (in DECIMAL). \n"
589 " Automatically prepends Ethernet header as well. Example: -i 46\n"
590 " -u srcp destp: Prepend dummy UDP header with specified dest and source ports (in DECIMAL).\n"
591 " Automatically prepends Ethernet and IP headers as well\n"
599 /*----------------------------------------------------------------------
603 parse_options (int argc, char *argv[])
// Parses the command line, opens the input and output files and prints a
// summary of the resulting settings to stderr.
607 /* Scan CLI parameters */
// NOTE(review): the option string accepts "r:" and "w:", but no case for
// either is visible in this listing. 'h' is missing from the string, so "-h"
// reaches help() only through the '?' case.
608 while ((c = getopt(argc, argv, "dqr:w:e:i:l:o:u:")) != -1) {
610 case '?': help(argv[0]); break;
611 case 'h': help(argv[0]); break;
612 case 'd': if (!quiet) debug++; break;
613 case 'q': quiet = TRUE; debug = FALSE; break;
// NOTE(review): atoi() cannot report errors. Non-numeric input yields 0 and a
// negative value wraps when stored in the unsigned long pcap_link_type.
// strtoul() with an end-pointer check would reject bad input.
614 case 'l': pcap_link_type = atoi(optarg); break;
// NOTE(review): this branch validates an 'h' or 'o' argument and sets
// offset_base, which the usage text documents as -o, yet the message below
// names '-e'. The case label is not visible in this listing - confirm and
// correct the message.
616 if (!optarg || (optarg[0]!='h' && optarg[0] != 'o')) {
617 fprintf(stderr, "Bad argument for '-e': %s\n",
618 optarg ? optarg : "");
621 offset_base = (optarg[0]=='o') ? 8 : 16;
// The value later passes through htons(), so only its low 16 bits are used;
// no range check is visible.
625 if (!optarg || sscanf(optarg, "%0lx", &hdr_ethernet_proto) < 1) {
626 fprintf(stderr, "Bad argument for '-e': %s\n",
627 optarg ? optarg : "");
// NOTE(review): "%ld" expects a long *, but the target is unsigned long, so
// negative input is accepted and wraps ("%lu" matches the type). The value is
// later stored in the 8-bit HDR_IP.protocol field without a visible range
// check.
634 if (!optarg || sscanf(optarg, "%ld", &hdr_ip_proto) < 1) {
635 fprintf(stderr, "Bad argument for '-i': %s\n",
636 optarg ? optarg : "");
640 hdr_ethernet_proto = 0x800;
// NOTE(review): same "%ld" versus unsigned long mismatch for both ports. The
// ports later pass through htons(), so values above 65535 are truncated
// without a visible range check. The destination port is read from
// argv[optind] directly, since getopt() supplies only one argument per option.
645 if (!optarg || sscanf(optarg, "%ld", &hdr_udp_src) < 1) {
646 fprintf(stderr, "Bad src port for '-u'\n");
649 if (optind >= argc || sscanf(argv[optind], "%ld", &hdr_udp_dest) < 1) {
650 fprintf(stderr, "Bad dest port for '-u'\n");
656 hdr_ethernet_proto = 0x800;
664 if (optind >= argc || argc-optind < 2) {
665 fprintf(stderr, "Must specify input and output filename\n");
// "-" selects standard input; anything else is opened as a file.
// NOTE(review): the strdup() result is passed to fopen() without a NULL check.
669 if (strcmp(argv[optind], "-")) {
670 input_filename = strdup(argv[optind]);
671 input_file = fopen(input_filename, "rb");
673 fprintf(stderr, "Cannot open file [%s] for reading: %s\n",
674 input_filename, strerror(errno));
678 input_filename = "Standard input";
// "-" selects standard output; mode "wb" truncates an existing file at the
// given path.
682 if (strcmp(argv[optind+1], "-")) {
683 output_filename = strdup(argv[optind+1]);
684 output_file = fopen(output_filename, "wb");
686 fprintf(stderr, "Cannot open file [%s] for writing: %s\n",
687 output_filename, strerror(errno));
691 output_filename = "Standard output";
692 output_file = stdout;
695 /* Some validation */
696 if (pcap_link_type != 1 && hdr_ethernet) {
697 fprintf(stderr, "Dummy headers (-e, -i, -u) cannot be specified with link type override (-l)\n");
701 /* Set up our variables */
// The conditions guarding these fallback assignments are not visible in this
// listing.
704 input_filename = "Standard input";
707 output_file = stdout;
708 output_filename = "Standard output";
711 /* Display summary of our state */
713 fprintf(stderr, "Input from: %s\n", input_filename);
714 fprintf(stderr, "Output to: %s\n", output_filename);
716 if (hdr_ethernet) fprintf(stderr, "Generate dummy Ethernet header: Protocol: 0x%0lX\n",
718 if (hdr_ip) fprintf(stderr, "Generate dummy IP header: Protocol: %ld\n",
720 if (hdr_udp) fprintf(stderr, "Generate dummy UDP header: Source port: %ld. Dest port: %ld\n",
721 hdr_udp_src, hdr_udp_dest);
// Entry point: parses the options, runs the conversion (the scanner call is
// not visible in this listing), flushes the last packet and prints the totals.
725 int main(int argc, char *argv[])
727 parse_options(argc, argv);
// NOTE(review): assert() is compiled out when NDEBUG is defined, so these two
// lines are not a dependable runtime check that the files were opened.
729 assert(input_file != NULL);
730 assert(output_file != NULL);
// Flushes the packet still held in packet_buf when the input ends.
736 write_current_packet();
738 fprintf(stderr, "\n-------------------------\n");
// NOTE(review): both counters are unsigned long; "%lu" would match the type.
740 fprintf(stderr, "Read %ld potential packets, wrote %ld packets\n",
741 num_packets_read, num_packets_written);