3 * $Id: csids.c,v 1.3 2000/08/31 16:44:47 gram Exp $
5 * Copyright (c) 2000 by Mike Hall <mlh@io.com>
6 * Copyright (c) 2000 by Cisco Systems
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 #include "file_wrappers.h"
36 * This module reads the output from the Cisco Secure Intrusion Detection
37 * System iplogging facility. The term iplogging is misleading since this
38 * logger will only output TCP. There is no link layer information.
39 * Packet format is 4 byte timestamp (seconds since epoch), and a 4 byte size
40 * of data following for that packet.
42 * For a time there was an error in iplogging and the ip length, flags, and id
43 * were byteswapped. We will check for this and handle it before handing to ethereal.
/* Per-file-type hooks that csids_open() installs on the wtap handle
 * (wth->subtype_read / wth->subtype_seek_read). */
47 static int csids_read(wtap *wth, int *err);
48 static int csids_seek_read(wtap *wth, int seek_off,
49 union wtap_pseudo_header *pseudo_header, guint8 *pd, int len);
/* Fields of the on-disk per-packet header (4 + 2 + 2 bytes).  The
 * seconds and caplen fields are stored big-endian and are converted
 * with pntohl()/pntohs() by csids_open(), csids_read() and
 * csids_seek_read() after each read. */
52 guint32 seconds; /* seconds since epoch */
53 guint16 zeropad; /* 2 byte zero'ed pads; csids_open() checks that this is zero */
54 guint16 caplen; /* the capture length; comes straight from the file, max 65535 */
57 /* XXX - return -1 on I/O error and actually do something with 'err'. */
/*
 * csids_open: probe wth->fh for the CSIDS iplogging format and, on a
 * match, install the csids_read/csids_seek_read hooks on the handle.
 *
 * The format has no file header, so the probe reads the first packet
 * header plus the first four bytes of its IP header and applies the
 * caplen-vs-iplen heuristic described below.  On a short read *err is
 * set from file_error().
 */
58 int csids_open(wtap *wth, int *err)
60 /* There is no file header. There is only a header for each packet
61 * so we read a packet header and compare the caplen with iplen. They
62 * should always be equal except with the weird byteswap version.
64 * THIS IS BROKEN-- anytime the caplen is 0x0101 or 0x0202 up to 0x0505
65 * this will byteswap it. I need to fix this. XXX --mlh
68 int tmp,iplen,bytesRead;
70 gboolean byteswap = FALSE;
71 struct csids_header hdr;
/* The return value of file_seek() is not checked, here or at the end. */
74 file_seek(wth->fh, 0, SEEK_SET);
76 /* check the file to make sure it is a csids file. */
77 bytesRead = file_read( &hdr, 1, sizeof( struct csids_header), wth->fh );
78 if( bytesRead != sizeof( struct csids_header) ) {
79 *err = file_error( wth->fh );
/* zeropad is zero in either byte order, so it can be tested before the
 * conversions below. */
86 if( hdr.zeropad != 0 ) {
/* Header fields are stored big-endian. */
89 hdr.seconds = pntohl( &hdr.seconds );
90 hdr.caplen = pntohs( &hdr.caplen );
/* Skip the two bytes that precede the IP total-length field.  Only two
 * bytes of the int are written; the rest stays uninitialized but is
 * never read. */
91 bytesRead = file_read( &tmp, 1, 2, wth->fh );
92 if( bytesRead != 2 ) {
93 *err = file_error( wth->fh );
/* The IP total-length field.  Again only the first two bytes of the int
 * are written, and pntohs() reads exactly those two before the
 * assignment overwrites the whole int. */
100 bytesRead = file_read( &iplen, 1, 2, wth->fh );
101 if( bytesRead != 2 ) {
102 *err = file_error( wth->fh );
109 iplen = pntohs(&iplen);
110 /* if iplen and hdr.caplen are equal, default to no byteswap. */
111 if( iplen > hdr.caplen ) {
112 /* maybe this is just a byteswapped version. the iplen ipflags */
113 /* and ipid are swapped. We cannot use the normal swaps because */
114 /* we don't know the host */
115 iplen = BSWAP16(iplen);
116 if( iplen <= hdr.caplen ) {
117 /* we know this format */
120 /* don't know this one */
/* Accepted: remember the byteswap decision for csids_read() and
 * csids_seek_read(), and describe the file to wiretap. */
127 wth->data_offset = 0;
128 wth->capture.csids = g_malloc(sizeof(csids_t));
129 wth->capture.csids->byteswapped = byteswap;
130 wth->file_encap = WTAP_ENCAP_RAW_IP;
131 wth->file_type = WTAP_FILE_CSIDS;
/* hdr.caplen is a guint16, so a packet in this format may be up to
 * 65535 bytes, larger than this value; csids_read() sizes the frame
 * buffer from hdr.caplen, not from the snapshot length. */
132 wth->snapshot_length = 16384; /* just guessing */
133 wth->subtype_read = csids_read;
134 wth->subtype_seek_read = csids_seek_read;
136 /* no file header. So reset the fh to 0 so we can read the first packet */
137 file_seek(wth->fh, 0, SEEK_SET);
142 /* Find the next packet and parse it; called from wtap_loop(). */
/*
 * csids_read: read the packet at wth->data_offset into wth->frame_buffer
 * and fill in wth->phdr; called from wtap_loop().
 *
 * hdr.caplen is taken straight from the file (untrusted input).  It is a
 * guint16, so the data read below is bounded to 65535 bytes, and
 * buffer_assure_space() is asked for that many bytes first.  On a short
 * read *err is set from file_error().
 *
 * Returns the file offset of the packet, except that the first packet
 * (offset 0) is reported as 1 -- see the note at the end.
 */
143 static int csids_read(wtap *wth, int *err)
147 struct csids_header hdr;
148 int packet_offset = wth->data_offset;
150 bytesRead = file_read( &hdr, 1, sizeof( struct csids_header) , wth->fh );
151 if( bytesRead != sizeof( struct csids_header) ) {
152 *err = file_error( wth->fh );
/* Header fields are stored big-endian. */
159 hdr.seconds = pntohl(&hdr.seconds);
160 hdr.caplen = pntohs(&hdr.caplen);
162 wth->data_offset += sizeof( struct csids_header );
164 /* Make sure we have enough room for the packet */
165 buffer_assure_space(wth->frame_buffer, hdr.caplen);
166 buf = buffer_start_ptr(wth->frame_buffer);
168 bytesRead = file_read( buf, 1, hdr.caplen, wth->fh );
169 if( bytesRead != hdr.caplen ) {
170 *err = file_error( wth->fh );
176 wth->data_offset += hdr.caplen;
/* Timestamps in this format have one-second resolution. */
178 wth->phdr.len = hdr.caplen;
179 wth->phdr.caplen = hdr.caplen;
180 wth->phdr.ts.tv_sec = hdr.seconds;
181 wth->phdr.ts.tv_usec = 0;
182 wth->phdr.pkt_encap = WTAP_ENCAP_RAW_IP;
/* Undo the iplogging bug detected in csids_open(): the three 16-bit
 * words at byte offsets 2, 4 and 6 of the IP header were written
 * byteswapped.
 *
 * NOTE(review): nothing checks hdr.caplen >= 8 before these writes, so
 * a packet shorter than that makes them land beyond the bytes just read
 * and possibly past the space assured for them.  Also,
 * "*(++swap) = BSWAP16(*swap)" reads swap on the right-hand side while
 * modifying it on the left, which is unsequenced in C (undefined
 * behavior); the intended effect is "swap++; *swap = BSWAP16(*swap);".
 * The same idiom is used in csids_seek_read(). */
184 if( wth->capture.csids->byteswapped == TRUE ) {
185 guint16* swap = (guint16*)buf;
186 *(++swap) = BSWAP16(*swap); /* the ip len */
187 *(++swap) = BSWAP16(*swap); /* ip id */
188 *(++swap) = BSWAP16(*swap); /* ip flags and fragoff */
191 /* This is a hack to fix the fact that we have to at least return 1
192 * or we stop processing. csids has no file header. We recover from
193 * this hack in csids_seek_read by checking the seek_off == 1 and
194 * setting it back to 0.
196 return packet_offset ? packet_offset : 1;
199 /* Used to read packets in random-access fashion */
201 csids_seek_read (wtap *wth,
203 union wtap_pseudo_header *pseudo_header,
209 struct csids_header hdr;
211 /* hack to fix a problem with the way error checking is done. If the
212 * the return value from csids_read is 0 for the first packet, then
213 * we stop there. So I return 1. But that messes up the offset for
214 * the seek_off on this call. So if seek_off is 1 then make it 0 and
215 * if it is not 1 leave it alone. --mlh
217 int real_seek_off = seek_off;
218 if( real_seek_off == 1 ) {
222 file_seek(wth->random_fh, real_seek_off , SEEK_SET);
224 bytesRead = file_read( &hdr, 1, sizeof( struct csids_header) , wth->random_fh );
225 if( bytesRead != sizeof( struct csids_header) ) {
226 err = file_error( wth->fh );
233 hdr.seconds = pntohl(&hdr.seconds);
234 hdr.caplen = pntohs(&hdr.caplen);
236 if( len != hdr.caplen ) {
240 bytesRead = file_read( pd, 1, hdr.caplen, wth->random_fh );
241 if( bytesRead != hdr.caplen ) {
242 err = file_error( wth->fh );
248 if( wth->capture.csids->byteswapped == TRUE ) {
249 guint16* swap = (guint16*)pd;
250 *(++swap) = BSWAP16(*swap); /* the ip len */
251 *(++swap) = BSWAP16(*swap); /* ip id */
252 *(++swap) = BSWAP16(*swap); /* ip flags and fragoff */