6 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
8 * File format support for ipfix file format
9 * Copyright (c) 2010 by Hadriel Kaplan <hadrielk@yahoo.com>
10 * with generous copying from other wiretaps, such as pcapng
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
27 /* File format reference:
29 * http://tools.ietf.org/rfc/rfc5655
30 * http://tools.ietf.org/rfc/rfc5101
32 * This wiretap is for an ipfix file format reader, per RFC 5655/5101.
33 * All "records" in the file are IPFIX messages, beginning with an IPFIX
34 * message header of 16 bytes as follows from RFC 5101:
36 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
37 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
38 | Version Number | Length |
39 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
41 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
43 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
44 | Observation Domain ID |
45 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
47 Figure F: IPFIX Message Header Format
49 * which is then followed by one or more "Sets": Data Sets, Template Sets,
50 * and Options Template Sets. Each Set then has one or more Records in
53 * All IPFIX files are recorded in big-endian form (network byte order),
54 * per the RFCs. That means if we're on a little-endian system, all
55 * hell will break loose if we don't g_ntohX.
57 * Since wireshark already has an IPFIX dissector (implemented in
58 * packet-netflow.c), this reader will just set that dissector upon
59 * reading each message. Thus, an IPFIX Message is treated as a packet
60 * as far as the dissector is concerned.
71 #include "file_wrappers.h"
74 #include "pcap-common.h"
75 #include "pcap-encap.h"
79 #define ipfix_debug0(str) g_warning(str)
80 #define ipfix_debug1(str,p1) g_warning(str,p1)
81 #define ipfix_debug2(str,p1,p2) g_warning(str,p1,p2)
82 #define ipfix_debug3(str,p1,p2,p3) g_warning(str,p1,p2,p3)
84 #define ipfix_debug0(str)
85 #define ipfix_debug1(str,p1)
86 #define ipfix_debug2(str,p1,p2)
87 #define ipfix_debug3(str,p1,p2,p3)
90 #define RECORDS_FOR_IPFIX_CHECK 20
93 ipfix_read(wtap *wth, int *err, gchar **err_info,
96 ipfix_seek_read(wtap *wth, gint64 seek_off,
97 union wtap_pseudo_header *pseudo_header, guchar *pd, int length,
98 int *err, gchar **err_info);
100 ipfix_close(wtap *wth);
102 #define IPFIX_VERSION 10
104 /* ipfix: message header */
105 typedef struct ipfix_message_header_s {
107 guint16 message_length;
108 guint32 export_time_secs;
109 guint32 sequence_number;
110 guint32 observation_id; /* might be 0 for none */
111 /* x bytes msg_body */
112 } ipfix_message_header_t;
113 #define IPFIX_MSG_HDR_SIZE 16
115 /* ipfix: common Set header for every Set type */
116 typedef struct ipfix_set_header_s {
119 /* x bytes set_body */
120 } ipfix_set_header_t;
121 #define IPFIX_SET_HDR_SIZE 4
124 /* Read IPFIX message header from file. Return true on success. Set *err to
125 * 0 on EOF, any other value for "real" errors (EOF is ok, since return
126 * value is still FALSE)
129 ipfix_read_message_header(ipfix_message_header_t *pfx_hdr, FILE_T fh, int *err, gchar **err_info)
131 wtap_file_read_expected_bytes(pfx_hdr, IPFIX_MSG_HDR_SIZE, fh, err, err_info); /* macro which does a return if read fails */
133 /* fix endianess, because IPFIX files are always big-endian */
134 pfx_hdr->version = g_ntohs(pfx_hdr->version);
135 pfx_hdr->message_length = g_ntohs(pfx_hdr->message_length);
136 pfx_hdr->export_time_secs = g_ntohl(pfx_hdr->export_time_secs);
137 pfx_hdr->sequence_number = g_ntohl(pfx_hdr->sequence_number);
138 pfx_hdr->observation_id = g_ntohl(pfx_hdr->observation_id);
140 /* is the version number one we expect? */
141 if (pfx_hdr->version != IPFIX_VERSION) {
142 /* Not an ipfix file. */
143 *err = WTAP_ERR_BAD_RECORD;
144 *err_info = g_strdup_printf("ipfix: wrong version %d", pfx_hdr->version);
148 if (pfx_hdr->message_length < 16) {
149 *err = WTAP_ERR_BAD_RECORD;
150 *err_info = g_strdup_printf("ipfix: message length %u is too short", pfx_hdr->message_length);
154 /* go back to before header */
155 if (file_seek(fh, 0 - IPFIX_MSG_HDR_SIZE, SEEK_CUR, err) == -1) {
156 ipfix_debug0("ipfix_read: couldn't go back in file before header");
165 /* classic wtap: open capture file. Return 1 on success, 0 on normal failure
166 * like malformed format, -1 on bad error like file system
169 ipfix_open(wtap *wth, int *err, gchar **err_info)
171 gint i, n, records_for_ipfix_check = RECORDS_FOR_IPFIX_CHECK;
173 guint16 checked_len = 0;
174 ipfix_message_header_t msg_hdr;
175 ipfix_set_header_t set_hdr;
177 ipfix_debug0("ipfix_open: opening file");
179 /* number of records to scan before deciding if this really is IPFIX */
180 if ((s = getenv("IPFIX_RECORDS_TO_CHECK")) != NULL) {
181 if ((n = atoi(s)) > 0 && n < 101) {
182 records_for_ipfix_check = n;
187 * IPFIX is a little hard because there's no magic number; we look at
188 * the first few records and see if they look enough like IPFIX
191 for (i = 0; i < records_for_ipfix_check; i++) {
192 /* read first message header to check version */
193 if (!ipfix_read_message_header(&msg_hdr, wth->fh, err, err_info)) {
194 ipfix_debug3("ipfix_open: couldn't read message header #%d with err code #%d (%s)",
196 if (*err == WTAP_ERR_BAD_RECORD) {
197 *err = 0; /* not actually an error in this case */
203 return -1; /* real failure */
206 /* we haven't seen enough to prove this is a ipfix file */
209 /* if we got here, it's EOF and we think it's an ipfix file */
212 if (file_seek(wth->fh, IPFIX_MSG_HDR_SIZE, SEEK_CUR, err) == -1) {
213 ipfix_debug1("ipfix_open: failed seek to next message in file, %d bytes away",
214 msg_hdr.message_length);
217 checked_len = IPFIX_MSG_HDR_SIZE;
219 /* check each Set in IPFIX Message for sanity */
220 while (checked_len < msg_hdr.message_length) {
221 wtap_file_read_expected_bytes(&set_hdr, IPFIX_SET_HDR_SIZE, wth->fh, err, err_info);
222 set_hdr.set_length = g_ntohs(set_hdr.set_length);
223 if ((set_hdr.set_length < IPFIX_SET_HDR_SIZE) ||
224 ((set_hdr.set_length + checked_len) > msg_hdr.message_length)) {
225 ipfix_debug1("ipfix_open: found invalid set_length of %d",
230 if (file_seek(wth->fh, set_hdr.set_length - IPFIX_SET_HDR_SIZE,
231 SEEK_CUR, err) == -1)
233 ipfix_debug1("ipfix_open: failed seek to next set in file, %d bytes away",
234 set_hdr.set_length - IPFIX_SET_HDR_SIZE);
237 checked_len += set_hdr.set_length;
241 /* all's good, this is a IPFIX file */
242 wth->file_encap = WTAP_ENCAP_RAW_IPFIX;
243 wth->snapshot_length = 0;
244 wth->tsprecision = WTAP_FILE_TSPREC_SEC;
245 wth->subtype_read = ipfix_read;
246 wth->subtype_seek_read = ipfix_seek_read;
247 wth->subtype_close = ipfix_close;
248 wth->file_type = WTAP_FILE_IPFIX;
250 /* go back to beginning of file */
251 if (file_seek (wth->fh, 0, SEEK_SET, err) != 0)
259 /* classic wtap: read packet */
261 ipfix_read(wtap *wth, int *err, gchar **err_info, gint64 *data_offset)
263 ipfix_message_header_t msg_hdr;
265 ipfix_debug1("ipfix_read: wth->data_offset is initially %" G_GINT64_MODIFIER "u", wth->data_offset);
266 *data_offset = wth->data_offset;
268 if (!ipfix_read_message_header(&msg_hdr, wth->fh, err, err_info)) {
269 ipfix_debug2("ipfix_read: couldn't read message header with code: %d\n, and error '%s'",
274 buffer_assure_space(wth->frame_buffer, msg_hdr.message_length);
275 wtap_file_read_expected_bytes(buffer_start_ptr(wth->frame_buffer),
276 msg_hdr.message_length, wth->fh, err, err_info);
278 wth->phdr.len = msg_hdr.message_length;
279 wth->phdr.caplen = msg_hdr.message_length;
280 wth->phdr.ts.secs = 0;
281 wth->phdr.ts.nsecs = 0;
283 /*ipfix_debug2("Read length: %u Packet length: %u", msg_hdr.message_length, wth->phdr.caplen);*/
284 wth->data_offset += msg_hdr.message_length;
285 ipfix_debug1("ipfix_read: wth->data_offset is finally %" G_GINT64_MODIFIER "u", wth->data_offset);
291 /* classic wtap: seek to file position and read packet */
293 ipfix_seek_read(wtap *wth, gint64 seek_off,
294 union wtap_pseudo_header *pseudo_header, guchar *pd, int length _U_,
295 int *err, gchar **err_info)
297 ipfix_message_header_t msg_hdr;
299 (void) pseudo_header; /* avoids compiler warning about unused variable */
301 /* seek to the right file position */
302 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1) {
303 ipfix_debug2("ipfix_seek_read: couldn't read message header with code: %d\n, and error '%s'",
305 return FALSE; /* Seek error */
308 ipfix_debug1("ipfix_seek_read: reading at offset %" G_GINT64_MODIFIER "u", seek_off);
310 if (!ipfix_read_message_header(&msg_hdr, wth->random_fh, err, err_info)) {
311 ipfix_debug0("ipfix_read: couldn't read message header");
315 if(length != (int)msg_hdr.message_length) {
316 *err = WTAP_ERR_BAD_RECORD;
317 *err_info = g_strdup_printf("ipfix: record length %u doesn't match requested length %d",
318 msg_hdr.message_length, length);
319 ipfix_debug1("ipfix_seek_read: %s", *err_info);
323 wtap_file_read_expected_bytes(pd, length, wth->random_fh, err, err_info);
329 /* classic wtap: close capture file */
331 ipfix_close(wtap *wth _U_)
333 ipfix_debug0("ipfix_close: closing file");