3 * Copyright (c) 2003 Endace Technology Ltd, Hamilton, New Zealand.
6 * This software and documentation has been developed by Endace Technology Ltd.
7 * along with the DAG PCI network capture cards. For further information please
8 * visit http://www.endace.com/.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions are met:
13 * 1. Redistributions of source code must retain the above copyright notice,
14 * this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
20 * 3. The name of Endace Technology Ltd may not be used to endorse or promote
21 * products derived from this software without specific prior written
24 * THIS SOFTWARE IS PROVIDED BY ENDACE TECHNOLOGY LTD ``AS IS'' AND ANY EXPRESS
25 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
26 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
27 * EVENT SHALL ENDACE TECHNOLOGY LTD BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
29 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
30 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
31 * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
32 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
35 * $Id: erf.c,v 1.3 2003/09/19 04:08:11 guy Exp $
39 * erf - Endace ERF (Extensible Record Format)
50 #include "file_wrappers.h"
/*
 * atm_hdr_t is a 32-bit value; its size is what the code below uses when it
 * reads or skips the ATM header of a record. The prototypes that follow
 * declare the file-local helpers defined later in this listing.
 * NOTE(review): the embedded line numbers skip (58, 62-64, 73-76), so some
 * parameter lines of erf_read_header and erf_guess_atm_traffic_type are not
 * visible in these prototypes.
 */
55 typedef guint32 atm_hdr_t;
57 static int erf_read_header(
59 struct wtap_pkthdr *phdr,
60 union wtap_pseudo_header *pseudo_header,
61 erf_header_t *erf_header,
65 guint32 *packet_size);
66 static gboolean erf_read(wtap *wth, int *err, long *data_offset);
67 static gboolean erf_seek_read(wtap *wth, long seek_off,
68 union wtap_pseudo_header *pseudo_header, guchar *pd,
69 int length, int *err);
70 static void erf_close(wtap *wth);
71 static int erf_encap_to_wtap_encap(erf_t *erf, guint8 erf_encap);
72 static void erf_guess_atm_traffic_type(
77 union wtap_pseudo_header *pseudo_header);
/*
 * Probe a capture file for the ERF format and, if it looks like ERF, set up
 * wth for reading it.
 *
 * ERF has no magic number, so the first records_for_erf_check record headers
 * are read and sanity-checked (record type, pad bits in flags, timestamp
 * order). The file is then rewound, the per-file erf_t state is allocated and
 * the read, seek-read and close callbacks are installed.
 *
 * Every header field inspected here comes straight from the file and must be
 * treated as untrusted input.
 *
 * NOTE(review): the embedded line numbers skip, so the local declarations,
 * braces and return statements of this function are not visible in this
 * listing. Anything said below about what happens on a failed check is
 * inferred - confirm against the full source.
 */
79 int erf_open(wtap *wth, int *err)
83 guint32 records_for_erf_check = RECORDS_FOR_ERF_CHECK;
84 guint32 atm_encap = WTAP_ENCAP_ATM_PDUS;
85 gboolean is_rawatm = FALSE;
86 gboolean is_ppp = FALSE;
88 erf_timestamp_t prevts;
90 memset(&prevts, 0, sizeof(prevts));
/* Optional override of the ATM encapsulation, taken from the environment. */
92 if ((s = getenv("ERF_ATM_ENCAP")) != NULL) {
/*
 * sunatm and sunraw both select WTAP_ENCAP_ATM_PDUS on the visible lines;
 * any further difference between them (for example is_rawatm) would be on
 * lines this listing omits.
 */
93 if (!strcmp(s, "sunatm")) {
94 atm_encap = WTAP_ENCAP_ATM_PDUS;
96 if (!strcmp(s, "sunraw")) {
97 atm_encap = WTAP_ENCAP_ATM_PDUS;
100 if (!strcmp(s, "rfc1483")) {
101 atm_encap = WTAP_ENCAP_ATM_RFC1483;
105 /* number of records to scan before deciding if this really is ERF (dflt=3) */
106 if ((s = getenv("ERF_RECORDS_TO_CHECK")) != NULL) {
/*
 * Only values 1..100 are accepted; anything else keeps the default.
 * NOTE(review): atoi() reports no conversion errors and its behaviour on
 * out-of-range input is undefined; strtol() with an end-pointer and ERANGE
 * check would reject malformed values explicitly.
 */
107 if ((n = atoi(s)) > 0 && n < 101) {
108 records_for_erf_check = n;
112 /* ERF is a little hard because there's no magic number */
114 for (i = 0; i < records_for_erf_check; i++) {
/*
 * A short read of the record header ends the probe; file_error() is used to
 * tell an I/O error from a plain end of file.
 */
120 if (file_read(&header,1,sizeof(header),wth->fh) != sizeof(header)) {
121 if ((*err = file_error(wth->fh)) != 0)
/*
 * rlen is the 16-bit record length from the file, converted from network
 * byte order.
 * NOTE(review): no visible line checks that rlen is at least sizeof(header).
 * If packet_size is unsigned (its declaration is not shown), a shorter rlen
 * makes this subtraction wrap to a very large value that is later used as a
 * seek distance. A lower-bound check before the subtraction would let the
 * probe reject such a record as not ERF.
 */
127 packet_size = g_ntohs(header.rlen) - sizeof(header);
129 /* fail on invalid record type, decreasing timestamps or non-zero pad-bits */
130 if (header.type == 0 || header.type > TYPE_AAL5 ||
131 (header.flags & 0xc0) != 0) {
/*
 * Timestamp ordering check, 64-bit form. A second form working on two 32-bit
 * words follows; presumably a preprocessor conditional on omitted lines
 * selects one of them - confirm.
 */
136 if ((ts = pletohll(&header.ts)) < prevts) {
137 /* reassembled AAL5 records may not be in time order, so allow 1 sec fudge */
138 if (header.type != TYPE_AAL5 || ((prevts-ts)>>32) > 1) {
143 ts[0] = pletohl(&header.ts[0]); /* frac */
144 ts[1] = pletohl(&header.ts[1]); /* sec */
145 if ((ts[1] < prevts[1]) ||
146 (ts[1] == prevts[1] && ts[0] < prevts[0])) {
147 /* reassembled AAL5 records may not be in time order, so allow 1 sec fudge */
148 if (header.type != TYPE_AAL5 || (prevts[1]-ts[1]) > 1) {
153 memcpy(&prevts, &ts, sizeof(prevts));
/*
 * Remember the first record type seen. What happens when a later record has
 * a different type is on an omitted line (presumably the file is marked as
 * mixed so that per-packet encapsulation is chosen below).
 */
155 if (common_type == 0) {
156 common_type = header.type;
158 if (common_type > 0 && common_type != header.type) {
/*
 * For HDLC/PoS records, peek at the first two payload bytes. 0xff03 is the
 * PPP address/control pair; the action taken on a match is on an omitted
 * line (presumably is_ppp is set).
 */
162 if (header.type == TYPE_HDLC_POS && !is_ppp) {
164 if (file_read(&chdlc_hdr,1,sizeof(chdlc_hdr),wth->fh) != sizeof(chdlc_hdr)) {
165 *err = file_error(wth->fh);
/*
 * NOTE(review): no visible guard that the record declared at least
 * sizeof(chdlc_hdr) payload bytes; with an unsigned packet_size this
 * subtraction can wrap as well.
 */
167 packet_size -= sizeof(chdlc_hdr);
168 if (g_ntohs(chdlc_hdr) == 0xff03) {
/* Skip the rest of the payload to reach the next record header. */
173 if (file_seek(wth->fh, packet_size, SEEK_CUR, err) == -1) {
178 if (file_seek(wth->fh, 0L, SEEK_SET, err) == -1) { /* rewind */
182 wth->data_offset = 0;
184 /* This is an ERF file */
185 wth->file_type = WTAP_FILE_ERF;
186 wth->snapshot_length = 0; /* not available in header, only in frame */
/* Per-file ERF state; released again by erf_close(). */
187 wth->capture.erf = g_malloc(sizeof(erf_t));
188 wth->capture.erf->is_ppp = is_ppp;
/*
 * AAL5 captures always use the untruncated ATM PDU encapsulation and are
 * never treated as raw cells; other captures use the values chosen above.
 */
189 if (common_type == TYPE_AAL5) {
190 wth->capture.erf->atm_encap = WTAP_ENCAP_ATM_PDUS_UNTRUNCATED;
191 wth->capture.erf->is_rawatm = FALSE;
193 wth->capture.erf->atm_encap = atm_encap;
194 wth->capture.erf->is_rawatm = is_rawatm;
198 * Really want WTAP_ENCAP_PER_PACKET here but that severely limits
199 * the number of output formats we can write to. If all the records
200 * tested in the loop above were the same encap then use that one,
201 * otherwise use WTAP_ENCAP_PER_PACKET.
205 ? WTAP_ENCAP_PER_PACKET
206 : erf_encap_to_wtap_encap(wth->capture.erf, common_type));
/* Install the ERF-specific callbacks on the wtap handle. */
208 wth->subtype_read = erf_read;
209 wth->subtype_seek_read = erf_seek_read;
210 wth->subtype_close = erf_close;
/*
 * Sequential read callback: parse the next record header with
 * erf_read_header(), then read the payload into wth->frame_buffer and
 * advance wth->data_offset by the bytes consumed.
 *
 * wth          open capture handle
 * err          receives a wiretap error code on failure
 * data_offset  receives the file offset at which this record starts
 *
 * NOTE(review): the embedded line numbers skip, so the declaration of offset,
 * the braces and the return statements are not visible in this listing.
 */
215 /* Read the next packet */
216 static gboolean erf_read(wtap *wth, int *err, long *data_offset)
218 erf_header_t erf_header;
219 guint32 packet_size, bytes_read;
222 *data_offset = wth->data_offset;
/* A zero return from erf_read_header() is treated as failure. */
224 if (!erf_read_header(
226 &wth->phdr, &wth->pseudo_header, &erf_header, wth->capture.erf,
227 err, &bytes_read, &packet_size)) {
230 wth->data_offset += bytes_read;
/*
 * Reserve room for the payload; in raw-ATM mode one extra byte beyond the
 * ATM header is reserved as well, matching the offset adjustment below.
 */
232 buffer_assure_space(wth->frame_buffer, packet_size+(wth->capture.erf->is_rawatm?(sizeof(atm_hdr_t)+1):0));
/*
 * Raw-ATM mode: the ATM header is read to the start of the frame buffer and
 * the remaining payload is placed one byte after it.
 * NOTE(review): packet_size comes from the record length in the file. No
 * visible line checks that it is at least sizeof(atm_hdr_t) before the
 * subtraction below; a smaller value wraps the guint32, and the cast to
 * gint32 on the payload read does not turn that back into a valid length.
 * Rejecting such a record with WTAP_ERR_BAD_RECORD before subtracting would
 * close this gap.
 */
234 if (wth->capture.erf->is_rawatm) {
235 wtap_file_read_expected_bytes(
236 buffer_start_ptr(wth->frame_buffer), (gint32)sizeof(atm_hdr_t), wth->fh, err
238 wth->data_offset += sizeof(atm_hdr_t);
239 packet_size -= sizeof(atm_hdr_t);
240 offset += sizeof(atm_hdr_t)+1;
/* Read the (remaining) payload after any raw-ATM prefix. */
243 wtap_file_read_expected_bytes(
244 buffer_start_ptr(wth->frame_buffer)+offset, (gint32)packet_size, wth->fh, err
246 wth->data_offset += packet_size;
/* Fill in the ATM pseudo-header traffic type where applicable. */
248 erf_guess_atm_traffic_type(
249 erf_header.type, wth->capture.erf,
250 buffer_start_ptr(wth->frame_buffer), packet_size, &wth->pseudo_header
/*
 * Random-access read callback: seek to seek_off in wth->random_fh, parse the
 * record header there and read the payload into the caller buffer pd.
 *
 * wth            open capture handle
 * seek_off       file offset of the record to read
 * pseudo_header  receives the per-packet pseudo-header
 * pd             caller-supplied destination buffer
 * length         length passed by the caller; on the visible lines it is
 *                only forwarded to erf_guess_atm_traffic_type()
 * err            receives a wiretap error code on failure
 *
 * NOTE(review): the embedded line numbers skip, so the declarations of
 * packet_size and offset, the braces and the return statements are not
 * visible in this listing.
 */
256 static gboolean erf_seek_read(wtap *wth, long seek_off,
257 union wtap_pseudo_header *pseudo_header, guchar *pd,
258 int length, int *err)
260 erf_header_t erf_header;
264 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
/*
 * NOTE(review): unlike erf_read(), the return value of erf_read_header() is
 * not tested on this line. If the header read or the size check fails,
 * packet_size may be unset or rejected, yet it is used as a read length
 * below. Testing the result and returning failure would match erf_read().
 * phdr is passed as NULL here while erf_read_header() writes through phdr on
 * its visible lines; any NULL guard would be on omitted lines - confirm.
 */
267 erf_read_header(wth->random_fh, NULL, pseudo_header, &erf_header, wth->capture.erf, err, NULL, &packet_size);
/*
 * NOTE(review): packet_size is derived from the file and no visible line
 * compares it (plus offset) with length or with the capacity of pd before
 * the reads below. The subtraction is also unguarded against packet_size
 * being smaller than sizeof(atm_hdr_t). Both should be validated, failing
 * with WTAP_ERR_BAD_RECORD, before writing into pd.
 */
269 if (wth->capture.erf->is_rawatm) {
270 wtap_file_read_expected_bytes(pd, (int)sizeof(atm_hdr_t), wth->random_fh, err);
271 packet_size -= sizeof(atm_hdr_t);
272 offset += sizeof(atm_hdr_t)+1;
275 wtap_file_read_expected_bytes(pd+offset, (int)packet_size, wth->random_fh, err);
277 erf_guess_atm_traffic_type(erf_header.type, wth->capture.erf, pd, length, pseudo_header);
/*
 * Close callback: release the per-file erf_t state that erf_open() allocated
 * with g_malloc().
 * NOTE(review): no visible line clears wth->capture.erf after the free (the
 * braces of this function are among the lines this listing omits), so the
 * handle must not be used for ERF reads afterwards - confirm callers.
 */
282 static void erf_close(wtap *wth)
284 g_free(wth->capture.erf);
/*
 * Read and decode one ERF record header from fh.
 *
 * Parameters, in the order used by the call in erf_seek_read():
 *   fh             file handle positioned at the start of a record
 *   phdr           packet header to fill in (timestamp, caplen, len, encap)
 *   pseudo_header  pseudo-header to fill in for ATM and HDLC records
 *   erf_header     receives the raw record header
 *   erf            per-file ERF state (atm_encap, is_rawatm, is_ppp)
 *   err            receives a wiretap error code on failure
 *   bytes_read     if not NULL, receives the number of header bytes consumed
 *   packet_size    receives the number of payload bytes still to be read
 *
 * Returns int; erf_read() treats zero as failure. The return statements
 * themselves are on lines this listing omits (the embedded line numbers
 * skip), as are the case labels of the switch, so the mapping of the
 * ATM / Ethernet / HDLC branches to record types is inferred from the macro
 * names used in each branch.
 *
 * Timestamp handling: in the 64-bit form the little-endian timestamp carries
 * seconds in its upper 32 bits and a binary fraction in its lower 32 bits;
 * the fraction is scaled to microseconds with rounding, and a carry into
 * tv_sec is applied when the result reaches 1000000. A second form built
 * from two 32-bit words follows it, presumably selected by a preprocessor
 * conditional on omitted lines.
 *
 * NOTE(review), length handling - every length here comes from the file:
 *   - rlen smaller than the header size makes the first subtraction wrap the
 *     guint32; the WTAP_MAX_PACKET_SIZE comparison then rejects it, provided
 *     that constant is below the wrapped value.
 *   - After that upper-bound check there is no visible lower-bound check.
 *     The AAL5 length computation, the subtraction of sizeof(atm_hdr) after
 *     the ATM header read, and the final subtraction of skip can each wrap
 *     when the record declares fewer payload bytes than is being removed.
 *     Checking the remaining size before each subtraction and failing with
 *     WTAP_ERR_BAD_RECORD would prevent callers from reading with a wrapped
 *     length.
 *   - phdr is written on several visible lines, while erf_seek_read() passes
 *     NULL for it; any NULL guard would be on omitted lines - confirm.
 */
287 static int erf_read_header(
289 struct wtap_pkthdr *phdr,
290 union wtap_pseudo_header *pseudo_header,
291 erf_header_t *erf_header,
295 guint32 *packet_size)
297 guint32 rec_size, skip;
/*
 * Read the fixed-size record header. wtap_file_read_expected_bytes is not
 * defined in this listing; presumably it leaves this function on a short
 * read - confirm.
 */
299 wtap_file_read_expected_bytes(erf_header, sizeof(*erf_header), fh, err);
300 if (bytes_read != NULL) {
301 *bytes_read = sizeof(*erf_header);
/* rlen is the total record length from the file, in network byte order. */
304 rec_size = g_ntohs(erf_header->rlen);
305 *packet_size = rec_size - sizeof(*erf_header);
306 skip = 0; /* # bytes of payload to ignore */
308 if (*packet_size > WTAP_MAX_PACKET_SIZE) {
310 * Probably a corrupt capture file; don't blow up trying
311 * to allocate space for an immensely-large packet.
313 g_message("erf: File has %u-byte packet, bigger than maximum of %u",
314 *packet_size, WTAP_MAX_PACKET_SIZE);
315 *err = WTAP_ERR_BAD_RECORD;
321 guint64 ts = pletohll(&erf_header->ts);
323 phdr->ts.tv_sec = ts >> 32;
324 ts = ((ts & 0xffffffff) * 1000 * 1000);
325 ts += (ts & 0x80000000) << 1; /* rounding */
326 phdr->ts.tv_usec = ts >> 32;
327 if (phdr->ts.tv_usec >= 1000000) {
328 phdr->ts.tv_usec -= 1000000;
329 phdr->ts.tv_sec += 1;
332 phdr->ts.tv_sec = pletohl(&erf_header->ts[1]);
334 (unsigned long)((pletohl(&erf_header->ts[0])*1000000.0)/0xffffffffUL);
338 switch (erf_header->type) {
344 if (erf_header->type == TYPE_AAL5) {
345 phdr->caplen = phdr->len = *packet_size - sizeof(atm_hdr_t);
347 phdr->caplen = ATM_SLEN(erf_header, NULL);
348 phdr->len = ATM_WLEN(erf_header, NULL);
352 if (erf->atm_encap == WTAP_ENCAP_ATM_PDUS || erf->atm_encap == WTAP_ENCAP_ATM_PDUS_UNTRUNCATED) {
353 memset(&pseudo_header->atm, 0, sizeof(pseudo_header->atm));
354 if (erf->is_rawatm) {
355 pseudo_header->atm.flags = ATM_RAW_CELL;
357 phdr->caplen += sizeof(atm_hdr_t)+1;
358 phdr->len += sizeof(atm_hdr_t)+1;
363 wtap_file_read_expected_bytes(&atm_hdr, sizeof(atm_hdr), fh, err);
364 if (bytes_read != NULL) {
365 *bytes_read += sizeof(atm_hdr);
367 *packet_size -= sizeof(atm_hdr);
369 atm_hdr = g_ntohl(atm_hdr);
371 pseudo_header->atm.vpi = ((atm_hdr & 0x0ff00000) >> 20);
372 pseudo_header->atm.vci = ((atm_hdr & 0x000ffff0) >> 4);
373 pseudo_header->atm.channel = (erf_header->flags & 0x03);
381 phdr->caplen = ETHERNET_SLEN(erf_header, erf);
382 phdr->len = ETHERNET_WLEN(erf_header, erf);
388 phdr->caplen = HDLC_SLEN(erf_header, erf);
389 phdr->len = HDLC_WLEN(erf_header, erf);
391 memset(&pseudo_header->p2p, 0, sizeof(pseudo_header->p2p));
392 pseudo_header->p2p.sent = ((erf_header->flags & 0x01) ? TRUE : FALSE);
395 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
400 phdr->pkt_encap = erf_encap_to_wtap_encap(erf, erf_header->type);
404 if (file_seek(fh, skip, SEEK_CUR, err) == -1) {
407 if (bytes_read != NULL) {
410 *packet_size -= skip;
/*
 * Map an ERF record type to a wiretap encapsulation value.
 *
 * erf        per-file ERF state; supplies atm_encap and is_ppp
 * erf_encap  record type byte from the ERF header (file-controlled)
 *
 * The result starts as WTAP_ENCAP_UNKNOWN and is replaced by the ATM
 * encapsulation stored in erf, by WTAP_ENCAP_ETHERNET, or by PPP / Cisco HDLC
 * depending on is_ppp.
 * NOTE(review): the switch and its case labels are on lines this listing
 * omits (the embedded line numbers skip), so which record type selects which
 * assignment is not visible here; callers should be prepared for
 * WTAP_ENCAP_UNKNOWN on an unrecognised type.
 */
416 static int erf_encap_to_wtap_encap(erf_t *erf, guint8 erf_encap)
418 int wtap_encap = WTAP_ENCAP_UNKNOWN;
423 wtap_encap = erf->atm_encap;
426 wtap_encap = WTAP_ENCAP_ETHERNET;
429 wtap_encap = (erf->is_ppp ? WTAP_ENCAP_PPP : WTAP_ENCAP_CHDLC);
/*
 * Fill in the ATM traffic-type fields of the pseudo-header for ATM and AAL5
 * records.
 *
 * type           ERF record type
 * erf            per-file ERF state (is_rawatm, atm_encap)
 * pd             packet data handed to atm_guess_traffic_type()
 * length         number of bytes at pd that may be examined
 * pseudo_header  pseudo-header whose atm member is updated
 *
 * NOTE(review): pd and length are passed through unchanged, so the guess is
 * only as safe as the length the caller supplies. erf_seek_read() passes its
 * own length argument rather than the number of bytes it actually read -
 * confirm the two agree. The line between the two if statements is omitted
 * from this listing (the embedded line numbers skip), so whether the AAL5
 * branch is an else branch is not visible here.
 */
438 static void erf_guess_atm_traffic_type(
439 guint8 type, erf_t *erf, guchar *pd, int length, union wtap_pseudo_header *pseudo_header)
/* Only non-raw ATM/AAL5 data carried as ATM PDUs is handed to the guesser. */
441 if (!erf->is_rawatm &&
442 (type == TYPE_ATM || type == TYPE_AAL5) &&
443 (erf->atm_encap == WTAP_ENCAP_ATM_PDUS ||
444 erf->atm_encap == WTAP_ENCAP_ATM_PDUS_UNTRUNCATED)) {
445 atm_guess_traffic_type(pd, length, pseudo_header);
/* AAL5 records are marked as AAL5 with unknown traffic type and subtype. */
447 if (type == TYPE_AAL5) {
448 pseudo_header->atm.aal = AAL_5;
449 pseudo_header->atm.type = TRAF_UNKNOWN;
450 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;