5 * Copyright (c) 2000 by Mike Hall <mlh@io.com>
6 * Copyright (c) 2000 by Cisco Systems
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 #include "file_wrappers.h"
36 * This module reads the output from the Cisco Secure Intrusion Detection
37 * System iplogging facility. The term iplogging is misleading since this
38 * logger will only output TCP. There is no link layer information.
39 * Packet format is 4 byte timestamp (seconds since epoch), and a 4 byte size
40 * of data following for that packet.
42 * For a time there was an error in iplogging and the ip length, flags, and id
43 * were byteswapped. We will check for this and handle it before handing to
/* Reader hooks for this format. csids_open() installs them as
 * wth->subtype_read and wth->subtype_seek_read; both consult the
 * per-file byteswap flag kept in wth->priv. */
47 static gboolean csids_read(wtap *wth, int *err, gchar **err_info,
49 static gboolean csids_seek_read(wtap *wth, gint64 seek_off,
50 union wtap_pseudo_header *pseudo_header, guint8 *pd, int len,
51 int *err, gchar **err_info);
54 guint32 seconds; /* seconds since epoch */
55 guint16 zeropad; /* 2 byte zero'ed pads */
56 guint16 caplen; /* the capture length */
63 /* XXX - return -1 on I/O error and actually do something with 'err'. */
/*
 * csids_open() - probe the stream behind wth->fh for the CSIDS iplogging
 * format and, on a match, install csids_read()/csids_seek_read() as the
 * reader hooks.
 *
 * wth       capture handle; its fh is read and then rewound to offset 0.
 * err       receives the file_error() code when a probe read falls short.
 * err_info  receives the matching error text from file_error().
 *
 * Detection is a heuristic over ONE record, because the format has no file
 * header: the first 8 bytes must carry a zero pad field and a non-zero
 * caplen, and the IP total length that follows must fit in caplen either
 * as-is or after a 16-bit byte swap. Unrelated data can satisfy that, which
 * is what the author's XXX below is about.
 */
64 int csids_open(wtap *wth, int *err, gchar **err_info)
66 /* There is no file header. There is only a header for each packet
67 * so we read a packet header and compare the caplen with iplen. They
68 * should always be equal except with the weird byteswap version.
70 * THIS IS BROKEN-- anytime the caplen is 0x0101 or 0x0202 up to 0x0505
71 * this will byteswap it. I need to fix this. XXX --mlh
/* tmp and iplen are int, but only 2 bytes are ever read into each (below);
 * pntohs() looks at just those 2 bytes, so the later compares are defined,
 * but guint16 locals would make that intent explicit. */
74 int tmp,iplen,bytesRead;
76 gboolean byteswap = FALSE;
77 struct csids_header hdr;
80 /* check the file to make sure it is a csids file. */
81 bytesRead = file_read( &hdr, sizeof( struct csids_header), wth->fh );
82 if( bytesRead != sizeof( struct csids_header) ) {
83 *err = file_error( wth->fh, err_info );
/* Not ours if the pad is non-zero or the first record is empty.
 * NOTE(review): there is no lower bound on caplen here, yet csids_read()
 * swaps bytes 0..5 of a record when byteswapped; a caplen of 1..5 passes
 * this check but cannot hold those fields. */
90 if( hdr.zeropad != 0 || hdr.caplen == 0 ) {
/* Header fields are stored big-endian. */
93 hdr.seconds = pntohl( &hdr.seconds );
94 hdr.caplen = pntohs( &hdr.caplen );
/* The first 2 bytes of the IP header go into tmp, which is not used again;
 * the next 2 are taken as the IP total length. */
95 bytesRead = file_read( &tmp, 2, wth->fh );
96 if( bytesRead != 2 ) {
97 *err = file_error( wth->fh, err_info );
104 bytesRead = file_read( &iplen, 2, wth->fh );
105 if( bytesRead != 2 ) {
106 *err = file_error( wth->fh, err_info );
113 iplen = pntohs(&iplen);
118 /* if iplen and hdr.caplen are equal, default to no byteswap. */
119 if( iplen > hdr.caplen ) {
120 /* maybe this is just a byteswapped version. the iplen ipflags */
121 /* and ipid are swapped. We cannot use the normal swaps because */
122 /* we don't know the host */
123 iplen = BSWAP16(iplen);
124 if( iplen <= hdr.caplen ) {
125 /* we know this format */
/* presumably this branch sets byteswap = TRUE; the branch body is not
 * visible here -- confirm. */
128 /* don't know this one */
135 /* no file header. So reset the fh to 0 so we can read the first packet */
136 if (file_seek(wth->fh, 0, SEEK_SET, err) == -1)
139 wth->data_offset = 0;
/* Per-file state is just the byteswap flag, consulted by both readers. */
140 csids = (csids_t *)g_malloc(sizeof(csids_t));
141 wth->priv = (void *)csids;
142 csids->byteswapped = byteswap;
143 wth->file_encap = WTAP_ENCAP_RAW_IP;
144 wth->file_type = WTAP_FILE_CSIDS;
145 wth->snapshot_length = 0; /* not known */
146 wth->subtype_read = csids_read;
147 wth->subtype_seek_read = csids_seek_read;
148 wth->tsprecision = WTAP_FILE_TSPREC_SEC;
153 /* Find the next packet and parse it; called from wtap_read(). */
/*
 * csids_read() - read the record at the current offset of wth->fh into
 * wth->frame_buffer and fill in wth->phdr.
 *
 * data_offset  output; receives the offset at which this record starts.
 * err/err_info receive file_error() results; a partial header or a
 *              truncated record maps to WTAP_ERR_SHORT_READ.
 *
 * NOTE(review): when csids->byteswapped is set, the three PBSWAP16() calls
 * at the end touch bytes 0..5 of the record, but the only bound on
 * hdr.caplen is the "caplen == 0" check in csids_open(); a record with
 * 1 <= caplen < 6 reaches them, and buffer_assure_space() was asked for
 * only hdr.caplen bytes. Whether the frame buffer has slack past that is
 * not visible here; guarding each swap (`if (hdr.caplen >= 2)`, `>= 4`,
 * `>= 6`) or rejecting such records as WTAP_ERR_BAD_RECORD removes the
 * question. csids_seek_read() swaps pd the same way and needs the same
 * guard.
 */
154 static gboolean csids_read(wtap *wth, int *err, gchar **err_info,
157 csids_t *csids = (csids_t *)wth->priv;
160 struct csids_header hdr;
/* Record this packet's offset so csids_seek_read() can come back to it. */
162 *data_offset = wth->data_offset;
164 bytesRead = file_read( &hdr, sizeof( struct csids_header) , wth->fh );
165 if( bytesRead != sizeof( struct csids_header) ) {
166 *err = file_error( wth->fh, err_info );
/* A clean zero-byte read is end of file, not an error; a partial header is. */
167 if (*err == 0 && bytesRead != 0)
168 *err = WTAP_ERR_SHORT_READ;
/* Header fields are stored big-endian. */
171 hdr.seconds = pntohl(&hdr.seconds);
172 hdr.caplen = pntohs(&hdr.caplen);
174 wth->data_offset += sizeof( struct csids_header );
176 /* Make sure we have enough room for the packet */
177 buffer_assure_space(wth->frame_buffer, hdr.caplen);
178 buf = buffer_start_ptr(wth->frame_buffer);
180 bytesRead = file_read( buf, hdr.caplen, wth->fh );
181 if( bytesRead != hdr.caplen ) {
182 *err = file_error( wth->fh, err_info );
184 *err = WTAP_ERR_SHORT_READ;
188 wth->data_offset += hdr.caplen;
/* The record header carries no separate on-wire length, so len is reported
 * equal to caplen; timestamps are whole seconds (WTAP_FILE_TSPREC_SEC). */
190 wth->phdr.len = hdr.caplen;
191 wth->phdr.caplen = hdr.caplen;
192 wth->phdr.ts.secs = hdr.seconds;
193 wth->phdr.ts.nsecs = 0;
/* Undo the historic iplogging bug: IP total length, id, and flags/fragoff
 * were written byteswapped (see the module comment at the top). */
195 if( csids->byteswapped ) {
196 PBSWAP16(buf); /* the ip len */
197 PBSWAP16(buf+2); /* ip id */
198 PBSWAP16(buf+4); /* ip flags and fragoff */
204 /* Used to read packets in random-access fashion */
206 csids_seek_read (wtap *wth,
208 union wtap_pseudo_header *pseudo_header _U_,
214 csids_t *csids = (csids_t *)wth->priv;
216 struct csids_header hdr;
218 if( file_seek( wth->random_fh, seek_off, SEEK_SET, err ) == -1 )
221 bytesRead = file_read( &hdr, sizeof( struct csids_header), wth->random_fh );
222 if( bytesRead != sizeof( struct csids_header) ) {
223 *err = file_error( wth->random_fh, err_info );
225 *err = WTAP_ERR_SHORT_READ;
229 hdr.seconds = pntohl(&hdr.seconds);
230 hdr.caplen = pntohs(&hdr.caplen);
232 if( len != hdr.caplen ) {
233 *err = WTAP_ERR_BAD_RECORD;
234 *err_info = g_strdup_printf("csids: record length %u doesn't match requested length %d",
239 bytesRead = file_read( pd, hdr.caplen, wth->random_fh );
240 if( bytesRead != hdr.caplen ) {
241 *err = file_error( wth->random_fh, err_info );
243 *err = WTAP_ERR_SHORT_READ;
248 if( csids->byteswapped ) {
249 PBSWAP16(pd); /* the ip len */
250 PBSWAP16(pd+2); /* ip id */
251 PBSWAP16(pd+4); /* ip flags and fragoff */