2 * Copyright (c) 2003 Endace Technology Ltd, Hamilton, New Zealand.
5 * This software and documentation has been developed by Endace Technology Ltd.
6 * along with the DAG PCI network capture cards. For further information please
7 * visit http://www.endace.com/.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions are met:
12 * 1. Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. The name of Endace Technology Ltd may not be used to endorse or promote
20 * products derived from this software without specific prior written
23 * THIS SOFTWARE IS PROVIDED BY ENDACE TECHNOLOGY LTD ``AS IS'' AND ANY EXPRESS
24 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
25 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
26 * EVENT SHALL ENDACE TECHNOLOGY LTD BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
27 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
28 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
29 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
30 * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
31 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
32 * POSSIBILITY OF SUCH DAMAGE.
38 * erf - Endace ERF (Extensible Record Format)
42 * http://www.endace.com/support/EndaceRecordFormat.pdf
52 #include <wsutil/crc32.c>
55 #include "file_wrappers.h"
/*
 * Forward declarations for the file-local reader routines defined later in
 * this file.
 * NOTE(review): this listing omits some original lines (the gutter numbers
 * skip), so parts of these prototypes are not visible here.
 */
60 static int erf_read_header(FILE_T fh,
61 struct wtap_pkthdr *phdr,
62 union wtap_pseudo_header *pseudo_header,
63 erf_header_t *erf_header,
67 guint32 *packet_size);
68 static gboolean erf_read(wtap *wth, int *err, gchar **err_info,
70 static gboolean erf_seek_read(wtap *wth, gint64 seek_off,
71 union wtap_pseudo_header *pseudo_header, guint8 *pd,
72 int length, int *err, gchar **err_info);
/*
 * Table pairing an ERF record type (first column) with a wiretap
 * encapsulation (second column); the struct declaration that opens it is not
 * visible in this listing. wtap_wtap_encap_to_erf_encap() searches it by the
 * wiretap value, so several wiretap encapsulations resolve to
 * ERF_TYPE_HDLC_POS. The last row uses the bare literal 99 rather than a
 * named ERF_TYPE_* constant.
 */
77 } erf_to_wtap_map[] = {
78 { ERF_TYPE_HDLC_POS, WTAP_ENCAP_CHDLC },
79 { ERF_TYPE_HDLC_POS, WTAP_ENCAP_HHDLC },
80 { ERF_TYPE_HDLC_POS, WTAP_ENCAP_CHDLC_WITH_PHDR },
81 { ERF_TYPE_HDLC_POS, WTAP_ENCAP_PPP },
82 { ERF_TYPE_HDLC_POS, WTAP_ENCAP_FRELAY },
83 { ERF_TYPE_HDLC_POS, WTAP_ENCAP_MTP2 },
84 { ERF_TYPE_ETH, WTAP_ENCAP_ETHERNET },
85 { 99, WTAP_ENCAP_ERF }, /*this type added so WTAP_ENCAP_ERF will work and then be treated at ERF->ERF*/
/* Number of rows in erf_to_wtap_map, computed from the array size. */
88 #define NUM_ERF_ENCAPS (sizeof erf_to_wtap_map / sizeof erf_to_wtap_map[0])
/*
 * Probe callback: decides whether the file behind wth->fh is ERF and, if so,
 * installs the ERF read routines on wth.
 *
 * ERF has no magic number, so the function walks up to records_for_erf_check
 * records and, per its own comments, fails the probe on an invalid rlen, an
 * invalid record type, or a timestamp that runs backwards or jumps by more
 * than a week. A truncated record is accepted only once
 * MIN_RECORDS_FOR_ERF_CHECK records have been checked. On acceptance the
 * file is rewound and wth is set up for ERF with nanosecond timestamp
 * precision.
 *
 * wth      - wiretap handle; wth->fh is the stream being probed
 * err      - receives the code from file_error() or file_seek()
 * err_info - handed to file_error() for an optional detail string
 *
 * NOTE(review): this listing omits some original lines (the gutter numbers
 * skip), including every return statement and most local declarations, so
 * the return convention and the exact reject paths cannot be confirmed here.
 *
 * NOTE(review): every length used below comes from the file being probed.
 * packet_size is reduced by the size of each extension header and sub-header
 * that the type byte announces; if rlen is shorter than those headers the
 * subtraction wraps (assuming packet_size is unsigned - its declaration is
 * not shown). The second WTAP_MAX_PACKET_SIZE comparison, placed ahead of
 * g_malloc(), is what keeps a wrapped value from reaching the allocator, so
 * it has to stay after the last subtraction.
 *
 * NOTE(review): the token shown as a single non-ASCII character followed by
 * _hdr in the COLOR_ETH branch looks like an HTML-entity mangling of
 * &eth_hdr introduced by this listing, not by the original file.
 */
90 extern int erf_open(wtap *wth, int *err, gchar **err_info)
92 int i, n, records_for_erf_check = RECORDS_FOR_ERF_CHECK;
95 erf_timestamp_t prevts,ts;
101 guint64 erf_ext_header;
106 memset(&prevts, 0, sizeof(prevts));
108 /* number of records to scan before deciding if this really is ERF */
/* The ERF_RECORDS_TO_CHECK environment variable may override the default;
 * only values from 1 to 100 are accepted. atoi() reports no errors, and a
 * non-numeric string converts to 0, which the n > 0 test discards. */
109 if ((s = getenv("ERF_RECORDS_TO_CHECK")) != NULL) {
110 if ((n = atoi(s)) > 0 && n < 101) {
111 records_for_erf_check = n;
116 * ERF is a little hard because there's no magic number; we look at
117 * the first few records and see if they look enough like ERF
121 for (i = 0; i < records_for_erf_check; i++) { /* records_for_erf_check */
123 r = file_read(&header,sizeof(header),wth->fh);
126 if (r != sizeof(header)) {
127 if ((*err = file_error(wth->fh, err_info)) != 0) {
130 /* ERF header too short accept the file,
131 only if the very first records have been successfully checked */
132 if (i < MIN_RECORDS_FOR_ERF_CHECK) {
135 /* BREAK, the last record is too short, and will be ignored */
141 rlen=g_ntohs(header.rlen);
143 /* fail on invalid record type, invalid rlen, timestamps decreasing, or incrementing too far */
145 /* Test valid rlen >= 16 */
150 packet_size = rlen - (guint32)sizeof(header);
151 if (packet_size > WTAP_MAX_PACKET_SIZE) {
153 * Probably a corrupt capture file or a file that's not an ERF file
154 * but that passed earlier tests; don't blow up trying
155 * to allocate space for an immensely-large packet.
160 /* Skip PAD records, timestamps may not be set */
161 if ((header.type & 0x7F) == ERF_TYPE_PAD) {
162 if (file_seek(wth->fh, packet_size, SEEK_CUR, err) == -1) {
168 /* fail on invalid record type, decreasing timestamps or non-zero pad-bits */
169 /* Not all types within this range are decoded, but it is a first filter */
170 if ((header.type & 0x7F) == 0 || (header.type & 0x7F) > ERF_TYPE_MAX ) {
174 /* The ERF_TYPE_MAX is the PAD record, but the last used type is ERF_TYPE_INFINIBAND_LINK */
175 if ((header.type & 0x7F) > ERF_TYPE_INFINIBAND_LINK) {
179 if ((ts = pletohll(&header.ts)) < prevts) {
180 /* reassembled AALx records may not be in time order, also records are not in strict time order between physical interfaces, so allow 1 sec fudge */
181 if ( ((prevts-ts)>>32) > 1 ) {
186 /* Check to see if timestamp increment is > 1 week */
187 if ( (valid_prev) && (ts > prevts) && (((ts-prevts)>>32) > 3600*24*7) ) {
191 memcpy(&prevts, &ts, sizeof(prevts));
193 /* Read over the extension headers */
196 if (file_read(&erf_ext_header, sizeof(erf_ext_header),wth->fh) != sizeof(erf_ext_header)) {
197 *err = file_error(wth->fh, err_info);
200 packet_size -= (guint32)sizeof(erf_ext_header);
201 memcpy(&type, &erf_ext_header, sizeof(type));
205 /* Read over MC or ETH subheader */
206 switch(header.type & 0x7F) {
207 case ERF_TYPE_MC_HDLC:
208 case ERF_TYPE_MC_RAW:
209 case ERF_TYPE_MC_ATM:
210 case ERF_TYPE_MC_RAW_CHANNEL:
211 case ERF_TYPE_MC_AAL5:
212 case ERF_TYPE_MC_AAL2:
213 case ERF_TYPE_COLOR_MC_HDLC_POS:
214 case ERF_TYPE_AAL2: /* not an MC type but has a similar 'AAL2 ext' header */
215 if (file_read(&mc_hdr,sizeof(mc_hdr),wth->fh) != sizeof(mc_hdr)) {
216 *err = file_error(wth->fh, err_info);
219 packet_size -= (guint32)sizeof(mc_hdr);
222 case ERF_TYPE_COLOR_ETH:
223 case ERF_TYPE_DSM_COLOR_ETH:
224 if (file_read(ð_hdr,sizeof(eth_hdr),wth->fh) != sizeof(eth_hdr)) {
225 *err = file_error(wth->fh, err_info);
228 packet_size -= (guint32)sizeof(eth_hdr);
234 /* The file_seek function do not return an error if the end of file
235 is reached whereas the record is truncated */
236 if (packet_size > WTAP_MAX_PACKET_SIZE) {
238 * Probably a corrupt capture file; don't blow up trying
239 * to allocate space for an immensely-large packet.
/* The payload is read into a scratch buffer only to prove the record is
 * complete. NOTE(review): the matching g_free() is not visible in this
 * listing - confirm the buffer is released on every path out of the loop
 * body. */
243 buffer=g_malloc(packet_size);
244 r = file_read(buffer, packet_size, wth->fh);
247 if (r != packet_size) {
248 /* ERF record too short, accept the file,
249 only if the very first records have been successfully checked */
250 if (i < MIN_RECORDS_FOR_ERF_CHECK) {
257 } /* records_for_erf_check */
/* Probing consumed part of the stream; return to offset 0 so the first real
 * read starts at the first record. */
259 if (file_seek(wth->fh, 0L, SEEK_SET, err) == -1) { /* rewind */
263 wth->data_offset = 0;
265 /* This is an ERF file */
266 wth->file_type = WTAP_FILE_ERF;
267 wth->snapshot_length = 0; /* not available in header, only in frame */
270 * Use the encapsulation for ERF records.
272 wth->file_encap = WTAP_ENCAP_ERF;
/* Install the sequential and random-access readers defined in this file. */
274 wth->subtype_read = erf_read;
275 wth->subtype_seek_read = erf_seek_read;
276 wth->tsprecision = WTAP_FILE_TSPREC_NSEC;
281 /* Read the next packet */
/*
 * Sequential-read callback installed by erf_open() as wth->subtype_read.
 *
 * Stores the current offset in *data_offset, reads a record header through
 * erf_read_header(), then reads packet_size bytes of payload into
 * wth->frame_buffer, advancing wth->data_offset by the bytes consumed. The
 * trailing while condition repeats this for as long as the record type
 * equals ERF_TYPE_PAD.
 *
 * NOTE(review): the rest of the parameter list, the loop opener and the
 * return statements are on lines this listing does not show.
 *
 * NOTE(review): the PAD test compares the raw type byte, whereas erf_open()
 * masks the type with 0x7F before comparing; a PAD record whose top bit is
 * set would not be skipped here - confirm which behaviour is intended.
 */
282 static gboolean erf_read(wtap *wth, int *err, gchar **err_info,
285 erf_header_t erf_header;
286 guint32 packet_size, bytes_read;
288 *data_offset = wth->data_offset;
291 if (!erf_read_header(wth->fh,
292 &wth->phdr, &wth->pseudo_header, &erf_header,
293 err, err_info, &bytes_read, &packet_size)) {
296 wth->data_offset += bytes_read;
/* packet_size was derived by erf_read_header() from the rlen stored in the
 * file; buffer_assure_space() is called with that size before the payload is
 * read into the frame buffer. */
298 buffer_assure_space(wth->frame_buffer, packet_size);
300 wtap_file_read_expected_bytes(buffer_start_ptr(wth->frame_buffer),
301 (gint32)(packet_size), wth->fh, err, err_info);
302 wth->data_offset += packet_size;
304 } while ( erf_header.type == ERF_TYPE_PAD );
/*
 * Random-access read callback installed by erf_open() as
 * wth->subtype_seek_read.
 *
 * Seeks wth->random_fh to seek_off, reads a record header with
 * erf_read_header() (passing NULL for the packet header and for the
 * bytes-read counter), and then reads packet_size bytes into pd.
 *
 * NOTE(review): length is tagged _U_ (unused), and the number of bytes
 * copied into pd is the packet_size taken from the file. Nothing visible
 * here ties that count to the capacity of pd - confirm that every caller
 * supplies a buffer of at least WTAP_MAX_PACKET_SIZE bytes, or reject
 * records whose packet_size differs from length.
 *
 * NOTE(review): the PAD test compares the raw type byte, whereas erf_open()
 * masks the type with 0x7F before comparing. Some lines of this function,
 * including the loop opener and the return statements, are not visible in
 * this listing.
 */
309 static gboolean erf_seek_read(wtap *wth, gint64 seek_off,
310 union wtap_pseudo_header *pseudo_header, guint8 *pd,
311 int length _U_, int *err, gchar **err_info)
313 erf_header_t erf_header;
316 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
320 if (!erf_read_header(wth->random_fh, NULL, pseudo_header, &erf_header,
321 err, err_info, NULL, &packet_size))
323 } while ( erf_header.type == ERF_TYPE_PAD );
/* Payload copy: the byte count is the file-derived packet_size cast to int. */
325 wtap_file_read_expected_bytes(pd, (int)packet_size, wth->random_fh, err,
/*
 * Reads one ERF record header from fh and translates it for wiretap.
 *
 * Steps visible in this listing: read the fixed erf_header_t; set
 * *packet_size to rlen minus the fixed header size and fail with
 * WTAP_ERR_BAD_RECORD when that exceeds WTAP_MAX_PACKET_SIZE; convert the
 * 64-bit fixed-point timestamp (seconds in the upper 32 bits, binary
 * fraction in the lower 32) to seconds and nanoseconds with rounding; copy
 * the header fields and any extension headers into pseudo_header->erf; then
 * consume the Ethernet or multi-channel sub-header selected by the record
 * type and fill in phdr->len and phdr->caplen. Unsupported types fail with
 * WTAP_ERR_UNSUPPORTED_ENCAP.
 *
 * fh            - stream positioned at the start of a record
 * phdr          - receives timestamp and lengths; erf_seek_read() passes NULL
 * pseudo_header - receives the ERF pseudo header and sub-header
 * erf_header    - receives the fixed header as read from the file
 * bytes_read    - optional; when non-NULL it accumulates the header bytes
 *                 consumed
 * packet_size   - receives the payload bytes left after all headers
 *
 * NOTE(review): this listing omits some original lines (the gutter numbers
 * skip), including the err and err_info parameters, the return statements
 * and several guards. The function is declared int while both callers test
 * the result with the ! operator.
 *
 * NOTE(review): *packet_size is a guint32 and the only visible range check
 * follows the first subtraction. The later subtractions for extension
 * headers and sub-headers have no visible re-check, so a record whose rlen
 * is smaller than the headers its type byte announces would wrap
 * *packet_size to a very large value that the callers then use as a read
 * length. Confirm a second WTAP_MAX_PACKET_SIZE check exists on the lines
 * not shown, or add one after the switch.
 *
 * NOTE(review): max is derived from the size of ehdr_list, but the guard
 * that compares i with max before the memcpy into ehdr_list[i] is not
 * visible - confirm the copy is bounded.
 *
 * NOTE(review): phdr is dereferenced for ts, len and caplen although
 * erf_seek_read() passes NULL; the NULL guards are presumably on lines not
 * shown - confirm.
 *
 * NOTE(review): wlen and rlen are converted with g_ntohs in some places and
 * g_htons in others; both are the same 16-bit swap, so this is a naming
 * inconsistency only. The token shown as a single non-ASCII character
 * followed by _hdr in the COLOR_ETH branch looks like an HTML-entity
 * mangling of &eth_hdr introduced by this listing.
 */
331 static int erf_read_header(FILE_T fh,
332 struct wtap_pkthdr *phdr,
333 union wtap_pseudo_header *pseudo_header,
334 erf_header_t *erf_header,
338 guint32 *packet_size)
342 guint64 erf_exhdr_sw;
346 int i = 0 , max = sizeof(pseudo_header->erf.ehdr_list)/sizeof(struct erf_ehdr);
348 wtap_file_read_expected_bytes(erf_header, sizeof(*erf_header), fh, err,
350 if (bytes_read != NULL) {
351 *bytes_read = sizeof(*erf_header);
/* rlen comes straight from the file. The arithmetic is unsigned, so an rlen
 * below the fixed header size wraps to a huge value, which the comparison
 * that follows rejects. */
354 *packet_size = g_ntohs(erf_header->rlen) - (guint32)sizeof(*erf_header);
356 if (*packet_size > WTAP_MAX_PACKET_SIZE) {
358 * Probably a corrupt capture file; don't blow up trying
359 * to allocate space for an immensely-large packet.
361 *err = WTAP_ERR_BAD_RECORD;
362 *err_info = g_strdup_printf("erf: File has %u-byte packet, bigger than maximum of %u",
363 *packet_size, WTAP_MAX_PACKET_SIZE);
368 guint64 ts = pletohll(&erf_header->ts);
370 phdr->ts.secs = (long) (ts >> 32);
371 ts = ((ts & 0xffffffff) * 1000 * 1000 * 1000);
372 ts += (ts & 0x80000000) << 1; /* rounding */
373 phdr->ts.nsecs = ((int) (ts >> 32));
374 if (phdr->ts.nsecs >= 1000000000) {
375 phdr->ts.nsecs -= 1000000000;
380 /* Copy the ERF pseudo header */
381 memset(&pseudo_header->erf, 0, sizeof(pseudo_header->erf));
382 pseudo_header->erf.phdr.ts = pletohll(&erf_header->ts);
383 pseudo_header->erf.phdr.type = erf_header->type;
384 pseudo_header->erf.phdr.flags = erf_header->flags;
385 pseudo_header->erf.phdr.rlen = g_ntohs(erf_header->rlen);
386 pseudo_header->erf.phdr.lctr = g_ntohs(erf_header->lctr);
387 pseudo_header->erf.phdr.wlen = g_ntohs(erf_header->wlen);
389 /* Copy the ERF extension header into the pseudo header */
390 type = erf_header->type;
392 wtap_file_read_expected_bytes(&erf_exhdr, sizeof(erf_exhdr), fh, err,
394 if (bytes_read != NULL)
395 *bytes_read += (guint32)sizeof(erf_exhdr);
396 *packet_size -= (guint32)sizeof(erf_exhdr);
397 skiplen += (guint32)sizeof(erf_exhdr);
398 erf_exhdr_sw = pntohll(erf_exhdr);
400 memcpy(&pseudo_header->erf.ehdr_list[i].ehdr, &erf_exhdr_sw, sizeof(erf_exhdr_sw));
405 switch (erf_header->type & 0x7F) {
408 case ERF_TYPE_RAW_LINK:
409 case ERF_TYPE_INFINIBAND:
410 case ERF_TYPE_INFINIBAND_LINK:
413 phdr->len = g_htons(erf_header->wlen);
414 phdr->caplen = g_htons(erf_header->wlen);
420 case ERF_TYPE_HDLC_POS:
421 case ERF_TYPE_COLOR_HDLC_POS:
422 case ERF_TYPE_DSM_COLOR_HDLC_POS:
428 case ERF_TYPE_COLOR_ETH:
429 case ERF_TYPE_DSM_COLOR_ETH:
430 wtap_file_read_expected_bytes(ð_hdr, sizeof(eth_hdr), fh, err,
432 if (bytes_read != NULL)
433 *bytes_read += (guint32)sizeof(eth_hdr);
434 *packet_size -= (guint32)sizeof(eth_hdr);
435 skiplen += (guint32)sizeof(eth_hdr);
436 pseudo_header->erf.subhdr.eth_hdr = g_htons(eth_hdr);
439 case ERF_TYPE_MC_HDLC:
440 case ERF_TYPE_MC_RAW:
441 case ERF_TYPE_MC_ATM:
442 case ERF_TYPE_MC_RAW_CHANNEL:
443 case ERF_TYPE_MC_AAL5:
444 case ERF_TYPE_MC_AAL2:
445 case ERF_TYPE_COLOR_MC_HDLC_POS:
446 case ERF_TYPE_AAL2: /* not an MC type but has a similar 'AAL2 ext' header */
447 wtap_file_read_expected_bytes(&mc_hdr, sizeof(mc_hdr), fh, err,
449 if (bytes_read != NULL)
450 *bytes_read += (guint32)sizeof(mc_hdr);
451 *packet_size -= (guint32)sizeof(mc_hdr);
452 skiplen += (guint32)sizeof(mc_hdr);
453 pseudo_header->erf.subhdr.mc_hdr = g_htonl(mc_hdr);
456 case ERF_TYPE_IP_COUNTER:
457 case ERF_TYPE_TCP_FLOW_COUNTER:
458 /* unsupported, continue with default: */
460 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
461 *err_info = g_strdup_printf("erf: unknown record encapsulation %u",
/* caplen is capped at the payload bytes that rlen leaves after the fixed
 * header and the headers counted in skiplen. */
467 phdr->len = g_htons(erf_header->wlen);
468 phdr->caplen = MIN( g_htons(erf_header->wlen),
469 g_htons(erf_header->rlen) - (guint32)sizeof(*erf_header) - skiplen );
/*
 * Maps a wiretap encapsulation to the ERF record type paired with it in
 * erf_to_wtap_map, scanning the table from the top and returning the first
 * match.
 *
 * encap - wiretap encapsulation value to look up
 *
 * NOTE(review): the no-match return is on a line this listing does not
 * show; erf_dump_can_write_encap() tests the result against -1, so that is
 * presumably the value - confirm.
 */
474 static int wtap_wtap_encap_to_erf_encap(int encap)
477 for(i = 0; i < NUM_ERF_ENCAPS; i++){
478 if(erf_to_wtap_map[i].wtap_encap_value == encap)
479 return erf_to_wtap_map[i].erf_encap_value;
/*
 * Serialises the ERF pseudo header to the dump file: the fixed record
 * header first, then any extension headers, then the multi-channel or
 * Ethernet sub-header when the record type calls for one. wdh->bytes_dumped
 * is advanced after each successful write.
 *
 * wdh           - dump handle to write to
 * encap         - encapsulation of the packet; its use is on lines this
 *                 listing does not show
 * pseudo_header - source of the header fields (pseudo_header->erf)
 * err           - passed to wtap_dump_file_write() for the error code
 *
 * NOTE(review): this listing omits some original lines (the gutter numbers
 * skip), including the return statements and the loop opener for the
 * extension headers.
 *
 * NOTE(review): the read side consumes a multi-channel style sub-header for
 * ERF_TYPE_AAL2, but that type is not among the case labels visible in the
 * switch below - confirm whether AAL2 records lose their sub-header when
 * written.
 */
484 static gboolean erf_write_phdr(wtap_dumper *wdh, int encap, const union wtap_pseudo_header *pseudo_header, int * err)
486 guint8 erf_hdr[sizeof(struct erf_mc_phdr)];
487 guint8 erf_subhdr[((sizeof(struct erf_mc_hdr) > sizeof(struct erf_eth_hdr))?
488 sizeof(struct erf_mc_hdr) : sizeof(struct erf_eth_hdr))];
489 guint8 ehdr[8*MAX_ERF_EHDR];
491 size_t subhdr_size = 0;
/* Fixed header layout by byte offset: ts at 0, type at 8, flags at 9, rlen
 * at 10, lctr at 12, wlen at 14. Judging by the helper names, ts is stored
 * little-endian and the 16-bit fields in network order. */
496 memset(&erf_hdr, 0, sizeof(erf_hdr));
497 pletonll(&erf_hdr[0], pseudo_header->erf.phdr.ts);
498 erf_hdr[8] = pseudo_header->erf.phdr.type;
499 erf_hdr[9] = pseudo_header->erf.phdr.flags;
500 phtons(&erf_hdr[10], pseudo_header->erf.phdr.rlen);
501 phtons(&erf_hdr[12], pseudo_header->erf.phdr.lctr);
502 phtons(&erf_hdr[14], pseudo_header->erf.phdr.wlen);
503 size = sizeof(struct erf_phdr);
/* Stage the type-specific sub-header; it is written last, after any
 * extension headers. */
505 switch(pseudo_header->erf.phdr.type & 0x7F) {
506 case ERF_TYPE_MC_HDLC:
507 case ERF_TYPE_MC_RAW:
508 case ERF_TYPE_MC_ATM:
509 case ERF_TYPE_MC_RAW_CHANNEL:
510 case ERF_TYPE_MC_AAL5:
511 case ERF_TYPE_MC_AAL2:
512 case ERF_TYPE_COLOR_MC_HDLC_POS:
513 phtonl(&erf_subhdr[0], pseudo_header->erf.subhdr.mc_hdr);
514 subhdr_size += (int)sizeof(struct erf_mc_hdr);
517 case ERF_TYPE_COLOR_ETH:
518 case ERF_TYPE_DSM_COLOR_ETH:
519 phtons(&erf_subhdr[0], pseudo_header->erf.subhdr.eth_hdr);
520 subhdr_size += (int)sizeof(struct erf_eth_hdr);
530 if (!wtap_dump_file_write(wdh, erf_hdr, size, err))
532 wdh->bytes_dumped += size;
534 /*write out up to MAX_ERF_EHDR extension headers*/
535 if((pseudo_header->erf.phdr.type & 0x80) != 0){ /*we have extension headers*/
/* Each extension header occupies 8 bytes of ehdr. The top bit of a header
 * marks that another one follows; it is cleared on the last slot so the
 * chain always terminates within MAX_ERF_EHDR entries. */
537 phtonll(ehdr+(i*8), pseudo_header->erf.ehdr_list[i].ehdr);
538 if(i == MAX_ERF_EHDR-1) ehdr[i*8] = ehdr[i*8] & 0x7F;
/* NOTE(review): the continuation test reads ehdr[0], the first header,
 * rather than the header just stored, so when the first header has its top
 * bit set the loop runs to MAX_ERF_EHDR regardless of later headers -
 * confirm this is intended. */
540 }while((ehdr[0] & 0x80) != 0 && i < MAX_ERF_EHDR);
/* NOTE(review): the byte count is MAX_ERF_EHDR*i while the headers were
 * laid out at a stride of 8 bytes; the two agree only if MAX_ERF_EHDR is 8
 * (its value is not visible here) - 8*i would state the intent directly. */
541 if (!wtap_dump_file_write(wdh, ehdr, MAX_ERF_EHDR*i, err))
543 wdh->bytes_dumped += MAX_ERF_EHDR*i;
546 if(!wtap_dump_file_write(wdh, erf_subhdr, subhdr_size, err))
548 wdh->bytes_dumped += subhdr_size;
/*
 * Dump callback installed by erf_dump_open() as wdh->subtype_write: writes
 * one packet to the output file as an ERF record and returns FALSE as soon
 * as a write fails.
 *
 * Two paths are visible. The first (its case label is not shown) uses
 * pseudo_header->erf as the record header: the header is emitted through
 * erf_write_phdr(), caplen bytes of pd follow, and single zero bytes are
 * appended until the output position reaches the starting offset plus the
 * stored rlen. The default path handles every other encapsulation by
 * building a synthetic ERF header in other_phdr, optionally appending a
 * 4-byte CRC, and padding the record to a multiple of 8 bytes.
 *
 * phdr          - packet header supplying ts, caplen, len and pkt_encap
 * pseudo_header - ERF pseudo header (first path) or Ethernet FCS info
 *
 * NOTE(review): this listing omits some original lines (the gutter numbers
 * skip), including the remaining parameters, the switch and case lines and
 * the final return.
 *
 * NOTE(review): in the default path rlen starts at caplen plus 16 and grows
 * by the sub-header, CRC and padding sizes, and erf_write_phdr() emits rlen
 * as a 16-bit field. No range check on caplen is visible, so a large capture
 * length would not fit - confirm one exists on the lines not shown.
 */
553 static gboolean erf_dump(
555 const struct wtap_pkthdr *phdr,
556 const union wtap_pseudo_header *pseudo_header,
560 union wtap_pseudo_header other_phdr;
563 gint64 alignbytes = 0;
566 gboolean must_add_crc = FALSE;
567 guint32 crc32 = 0x00000000;
569 if(wdh->encap == WTAP_ENCAP_PER_PACKET){
570 encap = phdr->pkt_encap;
/* Target end offset of this record: current output position plus the rlen
 * carried in the pseudo header. rlen is used as supplied; no comparison with
 * the header and caplen bytes written below is visible, so a stored rlen
 * smaller than what is written leaves the record longer than it declares. */
577 alignbytes = wdh->bytes_dumped + pseudo_header->erf.phdr.rlen;
579 if(!erf_write_phdr(wdh, encap, pseudo_header, err)) return FALSE;
581 if(!wtap_dump_file_write(wdh, pd, phdr->caplen, err)) return FALSE;
582 wdh->bytes_dumped += phdr->caplen;
584 while(wdh->bytes_dumped < alignbytes){
585 if(!wtap_dump_file_write(wdh, "", 1, err)) return FALSE;
588 must_add_crc = TRUE; /* XXX - not if this came from an ERF file with an FCS! */
590 default: /*deal with generic wtap format*/
591 /*generate a fake header in other_phdr using data that we know*/
592 /*convert time to erf timestamp format*/
/* ERF timestamps are 64-bit fixed point: whole seconds in the upper 32 bits
 * and the nanoseconds scaled to a 32-bit binary fraction in the lower 32. */
593 other_phdr.erf.phdr.ts = ((guint64) phdr->ts.secs << 32) + (((guint64) phdr->ts.nsecs <<32) / 1000 / 1000 / 1000);
594 newencap = other_phdr.erf.phdr.type = wtap_wtap_encap_to_erf_encap(encap);
595 other_phdr.erf.phdr.flags = 0x4; /*vlen flag set because we're creating variable length records*/
596 other_phdr.erf.phdr.lctr = 0;
597 /*now we work out rlen, accounting for all the different headers and missing fcs(eth)*/
/* 16 is presumably the size of the fixed ERF record header. */
598 other_phdr.erf.phdr.rlen = phdr->caplen+16;
599 other_phdr.erf.phdr.wlen = phdr->len;
600 switch(other_phdr.erf.phdr.type){
602 other_phdr.erf.phdr.rlen += 2; /*2 bytes for erf eth_type*/
603 if (pseudo_header->eth.fcs_len != 4) {
604 /* Either this packet doesn't include the FCS
605 (pseudo_header->eth.fcs_len = 0), or we don't
606 know whether it has an FCS (= -1). We have to
609 if(!(phdr->caplen < phdr->len)){ /*don't add FCS if packet has been snapped off*/
610 crc32 = crc32_ccitt_seed(pd, phdr->caplen, 0xFFFFFFFF);
611 other_phdr.erf.phdr.rlen += 4; /*4 bytes for added checksum*/
612 other_phdr.erf.phdr.wlen += 4;
617 case ERF_TYPE_HDLC_POS:
618 /*we assume that it's missing a FCS checksum, make one up*/
619 if(!(phdr->caplen < phdr->len)){ /*unless of course, the packet has been snapped off*/
620 crc32 = crc32_ccitt_seed(pd, phdr->caplen, 0xFFFFFFFF);
621 other_phdr.erf.phdr.rlen += 4; /*4 bytes for added checksum*/
622 other_phdr.erf.phdr.wlen += 4;
623 must_add_crc = TRUE; /* XXX - these never have an FCS? */
/* From here on alignbytes is a pad count (0 to 7), not an offset as in the
 * first path. */
630 alignbytes = (8 - (other_phdr.erf.phdr.rlen % 8)) % 8; /*calculate how much padding will be required */
631 if(phdr->caplen < phdr->len){ /*if packet has been snapped, we need to round down what we output*/
632 round_down = (8 - alignbytes) % 8;
633 other_phdr.erf.phdr.rlen -= round_down;
635 other_phdr.erf.phdr.rlen += (gint16)alignbytes;
638 if(!erf_write_phdr(wdh, WTAP_ENCAP_ERF, &other_phdr, err)) return FALSE;
/* NOTE(review): if caplen is smaller than round_down the subtraction below
 * wraps (assuming caplen is unsigned - its declaration is not shown) -
 * confirm very short snapped packets cannot reach this point. */
639 if(!wtap_dump_file_write(wdh, pd, phdr->caplen - round_down, err)) return FALSE;
640 wdh->bytes_dumped += phdr->caplen - round_down;
642 /*add the 4 byte CRC if necessary*/
/* The CRC is written straight from host memory, so its byte order in the
 * file follows the host. NOTE(review): confirm that is intended. */
644 if(!wtap_dump_file_write(wdh, &crc32, 4, err)) return FALSE;
645 wdh->bytes_dumped += 4;
647 /*records should be 8byte aligned, so we add padding*/
649 for(i = (gint16)alignbytes; i > 0; i--){
650 if(!wtap_dump_file_write(wdh, "", 1, err)) return FALSE;
/*
 * Reports whether the ERF writer can handle the given wiretap
 * encapsulation. Returns WTAP_ERR_UNSUPPORTED_ENCAP when
 * wtap_wtap_encap_to_erf_encap() yields -1 for encap.
 *
 * NOTE(review): WTAP_ENCAP_PER_PACKET is tested first; the value returned
 * for it and for the supported case is on lines this listing does not show.
 */
661 int erf_dump_can_write_encap(int encap)
664 if(encap == WTAP_ENCAP_PER_PACKET)
667 if (wtap_wtap_encap_to_erf_encap(encap) == -1)
668 return WTAP_ERR_UNSUPPORTED_ENCAP;
673 int erf_dump_open(wtap_dumper *wdh, int *err)
675 wdh->subtype_write = erf_dump;
676 wdh->subtype_close = NULL;
678 switch(wdh->file_type){
680 wdh->tsprecision = WTAP_FILE_TSPREC_NSEC;
683 *err = WTAP_ERR_UNSUPPORTED_FILE_TYPE;