3 * Copyright (c) 2003 Endace Technology Ltd, Hamilton, New Zealand.
6 * This software and documentation has been developed by Endace Technology Ltd.
7 * along with the DAG PCI network capture cards. For further information please
8 * visit http://www.endace.com/.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions are met:
13 * 1. Redistributions of source code must retain the above copyright notice,
14 * this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
20 * 3. The name of Endace Technology Ltd may not be used to endorse or promote
21 * products derived from this software without specific prior written
24 * THIS SOFTWARE IS PROVIDED BY ENDACE TECHNOLOGY LTD ``AS IS'' AND ANY EXPRESS
25 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
26 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
27 * EVENT SHALL ENDACE TECHNOLOGY LTD BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
29 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
30 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
31 * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
32 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
39 * erf - Endace ERF (Extensible Record Format)
43 * http://www.endace.com/support/EndaceRecordFormat.pdf
54 #include "file_wrappers.h"
60 static int erf_read_header(FILE_T fh,
61 struct wtap_pkthdr *phdr,
62 union wtap_pseudo_header *pseudo_header,
63 erf_header_t *erf_header,
67 guint32 *packet_size);
68 static gboolean erf_read(wtap *wth, int *err, gchar **err_info,
70 static gboolean erf_seek_read(wtap *wth, gint64 seek_off,
71 union wtap_pseudo_header *pseudo_header, guchar *pd,
72 int length, int *err, gchar **err_info);
74 extern int erf_open(wtap *wth, int *err, gchar **err_info _U_)
76 int i, n, records_for_erf_check = RECORDS_FOR_ERF_CHECK;
79 erf_timestamp_t prevts,ts;
85 guint64 erf_ext_header;
90 memset(&prevts, 0, sizeof(prevts));
92 /* number of records to scan before deciding if this really is ERF */
93 if ((s = getenv("ERF_RECORDS_TO_CHECK")) != NULL) {
94 if ((n = atoi(s)) > 0 && n < 101) {
95 records_for_erf_check = n;
100 * ERF is a little hard because there's no magic number; we look at
101 * the first few records and see if they look enough like ERF
105 for (i = 0; i < records_for_erf_check; i++) { /* records_for_erf_check */
107 r = file_read(&header,1,sizeof(header),wth->fh);
110 if (r != sizeof(header)) {
111 if ((*err = file_error(wth->fh)) != 0) {
114 /* ERF header too short accept the file,
115 only if the very first records have been successfully checked */
116 if (i < MIN_RECORDS_FOR_ERF_CHECK) {
119 /* BREAK, the last record is too short, and will be ignored */
125 rlen=g_ntohs(header.rlen);
127 /* fail on invalid record type, invalid rlen, timestamps decreasing, or incrementing too far */
129 /* Test valid rlen >= 16 */
134 packet_size = rlen - (guint32)sizeof(header);
135 if (packet_size > WTAP_MAX_PACKET_SIZE) {
137 * Probably a corrupt capture file or a file that's not an ERF file
138 * but that passed earlier tests; don't blow up trying
139 * to allocate space for an immensely-large packet.
144 /* Skip PAD records, timestamps may not be set */
145 if ((header.type & 0x7F) == ERF_TYPE_PAD) {
146 if (file_seek(wth->fh, packet_size, SEEK_CUR, err) == -1) {
152 /* fail on invalid record type, decreasing timestamps or non-zero pad-bits */
153 /* Not all types within this range are decoded, but it is a first filter */
154 if ((header.type & 0x7F) == 0 || (header.type & 0x7F) > ERF_TYPE_MAX ) {
158 /* The ERF_TYPE_MAX is the PAD record, but the last used type is ERF_TYPE_INFINIBAND_LINK */
159 if ((header.type & 0x7F) > ERF_TYPE_INFINIBAND_LINK) {
163 if ((ts = pletohll(&header.ts)) < prevts) {
164 /* reassembled AALx records may not be in time order, also records are not in strict time order between physical interfaces, so allow 1 sec fudge */
165 if ( ((prevts-ts)>>32) > 1 ) {
170 /* Check to see if timestamp increment is > 1 week */
171 if ( (valid_prev) && (ts > prevts) && (((ts-prevts)>>32) > 3600*24*7) ) {
175 memcpy(&prevts, &ts, sizeof(prevts));
177 /* Read over the extension headers */
180 if (file_read(&erf_ext_header, 1, sizeof(erf_ext_header),wth->fh) != sizeof(erf_ext_header)) {
181 *err = file_error(wth->fh);
184 packet_size -= (guint32)sizeof(erf_ext_header);
185 memcpy(&type, &erf_ext_header, sizeof(type));
189 /* Read over MC or ETH subheader */
190 switch(header.type & 0x7F) {
191 case ERF_TYPE_MC_HDLC:
192 case ERF_TYPE_MC_RAW:
193 case ERF_TYPE_MC_ATM:
194 case ERF_TYPE_MC_RAW_CHANNEL:
195 case ERF_TYPE_MC_AAL5:
196 case ERF_TYPE_MC_AAL2:
197 case ERF_TYPE_COLOR_MC_HDLC_POS:
198 case ERF_TYPE_AAL2: /* not an MC type but has a similar 'AAL2 ext' header */
199 if (file_read(&mc_hdr,1,sizeof(mc_hdr),wth->fh) != sizeof(mc_hdr)) {
200 *err = file_error(wth->fh);
203 packet_size -= (guint32)sizeof(mc_hdr);
206 case ERF_TYPE_COLOR_ETH:
207 case ERF_TYPE_DSM_COLOR_ETH:
208 if (file_read(ð_hdr,1,sizeof(eth_hdr),wth->fh) != sizeof(eth_hdr)) {
209 *err = file_error(wth->fh);
212 packet_size -= (guint32)sizeof(eth_hdr);
218 /* The file_seek function do not return an error if the end of file
219 is reached whereas the record is truncated */
220 if (packet_size > WTAP_MAX_PACKET_SIZE) {
222 * Probably a corrupt capture file; don't blow up trying
223 * to allocate space for an immensely-large packet.
227 buffer=g_malloc(packet_size);
228 r = file_read(buffer, 1, packet_size, wth->fh);
231 if (r != packet_size) {
232 /* ERF record too short, accept the file,
233 only if the very first records have been successfully checked */
234 if (i < MIN_RECORDS_FOR_ERF_CHECK) {
241 } /* records_for_erf_check */
243 if (file_seek(wth->fh, 0L, SEEK_SET, err) == -1) { /* rewind */
247 wth->data_offset = 0;
249 /* This is an ERF file */
250 wth->file_type = WTAP_FILE_ERF;
251 wth->snapshot_length = 0; /* not available in header, only in frame */
254 * Use the encapsulation for ERF records.
256 wth->file_encap = WTAP_ENCAP_ERF;
258 wth->subtype_read = erf_read;
259 wth->subtype_seek_read = erf_seek_read;
260 wth->tsprecision = WTAP_FILE_TSPREC_NSEC;
265 /* Read the next packet */
266 static gboolean erf_read(wtap *wth, int *err, gchar **err_info,
269 erf_header_t erf_header;
270 guint32 packet_size, bytes_read;
272 *data_offset = wth->data_offset;
275 if (!erf_read_header(wth->fh,
276 &wth->phdr, &wth->pseudo_header, &erf_header,
277 err, err_info, &bytes_read, &packet_size)) {
280 wth->data_offset += bytes_read;
282 buffer_assure_space(wth->frame_buffer, packet_size);
284 wtap_file_read_expected_bytes(buffer_start_ptr(wth->frame_buffer),
285 (gint32)(packet_size), wth->fh, err );
286 wth->data_offset += packet_size;
288 } while ( erf_header.type == ERF_TYPE_PAD );
293 static gboolean erf_seek_read(wtap *wth, gint64 seek_off,
294 union wtap_pseudo_header *pseudo_header, guchar *pd,
295 int length _U_, int *err, gchar **err_info)
297 erf_header_t erf_header;
300 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
304 if (!erf_read_header(wth->random_fh, NULL, pseudo_header, &erf_header,
305 err, err_info, NULL, &packet_size))
307 } while ( erf_header.type == ERF_TYPE_PAD );
309 wtap_file_read_expected_bytes(pd, (int)packet_size, wth->random_fh, err);
314 static int erf_read_header(FILE_T fh,
315 struct wtap_pkthdr *phdr,
316 union wtap_pseudo_header *pseudo_header,
317 erf_header_t *erf_header,
321 guint32 *packet_size)
325 guint64 erf_exhdr_sw;
329 int i = 0 , max = sizeof(pseudo_header->erf.ehdr_list)/sizeof(struct erf_ehdr);
331 wtap_file_read_expected_bytes(erf_header, sizeof(*erf_header), fh, err);
332 if (bytes_read != NULL) {
333 *bytes_read = sizeof(*erf_header);
336 *packet_size = g_ntohs(erf_header->rlen) - (guint32)sizeof(*erf_header);
338 if (*packet_size > WTAP_MAX_PACKET_SIZE) {
340 * Probably a corrupt capture file; don't blow up trying
341 * to allocate space for an immensely-large packet.
343 *err = WTAP_ERR_BAD_RECORD;
344 *err_info = g_strdup_printf("erf: File has %u-byte packet, bigger than maximum of %u",
345 *packet_size, WTAP_MAX_PACKET_SIZE);
350 guint64 ts = pletohll(&erf_header->ts);
352 phdr->ts.secs = (long) (ts >> 32);
353 ts = ((ts & 0xffffffff) * 1000 * 1000 * 1000);
354 ts += (ts & 0x80000000) << 1; /* rounding */
355 phdr->ts.nsecs = ((int) (ts >> 32));
356 if (phdr->ts.nsecs >= 1000000000) {
357 phdr->ts.nsecs -= 1000000000;
362 /* Copy the ERF pseudo header */
363 memset(&pseudo_header->erf, 0, sizeof(pseudo_header->erf));
364 pseudo_header->erf.phdr.ts = pletohll(&erf_header->ts);
365 pseudo_header->erf.phdr.type = erf_header->type;
366 pseudo_header->erf.phdr.flags = erf_header->flags;
367 pseudo_header->erf.phdr.rlen = g_ntohs(erf_header->rlen);
368 pseudo_header->erf.phdr.lctr = g_ntohs(erf_header->lctr);
369 pseudo_header->erf.phdr.wlen = g_ntohs(erf_header->wlen);
371 /* Copy the ERF extension header into the pseudo header */
372 type = erf_header->type;
374 wtap_file_read_expected_bytes(&erf_exhdr, sizeof(erf_exhdr), fh, err);
375 if (bytes_read != NULL)
376 *bytes_read += (guint32)sizeof(erf_exhdr);
377 *packet_size -= (guint32)sizeof(erf_exhdr);
378 skiplen += (guint32)sizeof(erf_exhdr);
379 erf_exhdr_sw = pntohll((guint64*) &(erf_exhdr[0]));
381 memcpy(&pseudo_header->erf.ehdr_list[i].ehdr, &erf_exhdr_sw, sizeof(erf_exhdr_sw));
386 switch (erf_header->type & 0x7F) {
389 case ERF_TYPE_RAW_LINK:
390 case ERF_TYPE_INFINIBAND:
391 case ERF_TYPE_INFINIBAND_LINK:
394 phdr->len = g_htons(erf_header->wlen);
395 phdr->caplen = g_htons(erf_header->wlen);
401 case ERF_TYPE_HDLC_POS:
402 case ERF_TYPE_COLOR_HDLC_POS:
403 case ERF_TYPE_DSM_COLOR_HDLC_POS:
409 case ERF_TYPE_COLOR_ETH:
410 case ERF_TYPE_DSM_COLOR_ETH:
411 wtap_file_read_expected_bytes(ð_hdr, sizeof(eth_hdr), fh, err);
412 if (bytes_read != NULL)
413 *bytes_read += (guint32)sizeof(eth_hdr);
414 *packet_size -= (guint32)sizeof(eth_hdr);
415 skiplen += (guint32)sizeof(eth_hdr);
416 pseudo_header->erf.subhdr.eth_hdr = g_htons(eth_hdr);
419 case ERF_TYPE_MC_HDLC:
420 case ERF_TYPE_MC_RAW:
421 case ERF_TYPE_MC_ATM:
422 case ERF_TYPE_MC_RAW_CHANNEL:
423 case ERF_TYPE_MC_AAL5:
424 case ERF_TYPE_MC_AAL2:
425 case ERF_TYPE_COLOR_MC_HDLC_POS:
426 case ERF_TYPE_AAL2: /* not an MC type but has a similar 'AAL2 ext' header */
427 wtap_file_read_expected_bytes(&mc_hdr, sizeof(mc_hdr), fh, err);
428 if (bytes_read != NULL)
429 *bytes_read += (guint32)sizeof(mc_hdr);
430 *packet_size -= (guint32)sizeof(mc_hdr);
431 skiplen += (guint32)sizeof(mc_hdr);
432 pseudo_header->erf.subhdr.mc_hdr = g_htonl(mc_hdr);
435 case ERF_TYPE_IP_COUNTER:
436 case ERF_TYPE_TCP_FLOW_COUNTER:
437 /* unsupported, continue with default: */
439 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
440 *err_info = g_strdup_printf("erf: unknown record encapsulation %u",
446 phdr->len = g_htons(erf_header->wlen);
447 phdr->caplen = MIN( g_htons(erf_header->wlen),
448 g_htons(erf_header->rlen) - (guint32)sizeof(*erf_header) - skiplen );