3 * $Id: iptrace.c,v 1.24 2000/01/22 06:22:37 guy Exp $
6 * Copyright (c) 1998 by Gilbert Ramirez <gram@xiexie.org>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 #include "file_wrappers.h"
/* Forward declarations: the two per-version record readers that
 * iptrace_open() installs in wth->subtype_read, the IFT-to-encapsulation
 * lookup, and the ATM pseudo-header helper. All four are defined later in
 * this file. */
35 static int iptrace_read_1_0(wtap *wth, int *err);
36 static int iptrace_read_2_0(wtap *wth, int *err);
37 static int wtap_encap_ift(unsigned int ift);
38 static void get_atm_pseudo_header(wtap *wth, guint8 *header, guint8 *pd);
/* Probe a capture file for the AIX iptrace format.
 * Seeks to offset 0, reads the 11-byte magic string and, when it equals
 * "iptrace 1.0" or "iptrace 2.0", records the file type in wth->file_type
 * and installs the matching per-packet reader in wth->subtype_read.
 * The declarations, return statements and closing braces of this function
 * are missing from this listing, so its return values are not described. */
40 int iptrace_open(wtap *wth, int *err)
45 file_seek(wth->fh, 0, SEEK_SET);
/* errno is pre-loaded before the read; presumably this is the default that
 * file_error() reports when the read fails without a more specific cause -
 * confirm against file_wrappers. */
47 errno = WTAP_ERR_CANT_READ;
/* NOTE(review): exactly 11 file-supplied bytes are requested into name and,
 * assuming fread-like semantics, no terminator is written by file_read().
 * The strcmp() calls below need a NUL-terminated string, so name must be at
 * least 12 bytes with name[11] set to '\0' before the comparison. The
 * declaration of name and any terminating store are on lines missing from
 * this listing - confirm against the file. */
48 bytes_read = file_read(name, 1, 11, wth->fh);
49 if (bytes_read != 11) {
50 *err = file_error(wth->fh);
/* The 11 magic bytes have been consumed; keep the running file offset in step. */
55 wth->data_offset += 11;
/* Select the reader by the version named in the magic string. */
58 if (strcmp(name, "iptrace 1.0") == 0) {
59 wth->file_type = WTAP_FILE_IPTRACE_1_0;
60 wth->subtype_read = iptrace_read_1_0;
62 else if (strcmp(name, "iptrace 2.0") == 0) {
63 wth->file_type = WTAP_FILE_IPTRACE_2_0;
64 wth->subtype_read = iptrace_read_2_0;
73 /***********************************************************
75 ***********************************************************/
77 /* iptrace 1.0, discovered through inspection */
/* Layout of the 30-byte per-packet header that iptrace_read_1_0() reads from
 * the file. Every value here is file-supplied, so a reader has to treat it
 * as untrusted; pkt_length in particular is expected to be at least 0x16,
 * because the reader subtracts 0x16 from it to get the payload size. */
79 /* 0-3 */ guint32 pkt_length; /* packet length + 0x16 */
80 /* 4-7 */ guint32 tv_sec; /* time stamp, seconds since the Epoch */
81 /* 8-11 */ guint32 junk1; /* ???, not time */
82 /* 12-15 */ char if_name[4]; /* null-terminated */
83 /* 16-27 */ char junk2[12]; /* ??? */
84 /* 28 */ guint8 if_type; /* BSD net/if_types.h */
85 /* 29 */ guint8 tx_flag; /* 0=receive, 1=transmit */
/* Read the next packet record of an iptrace 1.0 file: a 30-byte header
 * followed by the packet data, which is read into wth->frame_buffer.
 * Fills wth->phdr (len, caplen, timestamp, encapsulation) and updates
 * wth->data_offset and wth->file_encap. On failure *err receives the
 * file_error() result, WTAP_ERR_SHORT_READ or WTAP_ERR_UNSUPPORTED.
 * The declarations, return statements and closing braces of this function
 * are missing from this listing, so its return values are not described. */
88 /* Read the next packet */
89 static int iptrace_read_1_0(wtap *wth, int *err)
96 iptrace_1_0_phdr pkt_hdr;
98 /* Read the descriptor data */
99 errno = WTAP_ERR_CANT_READ;
100 bytes_read = file_read(header, 1, 30, wth->fh);
101 if (bytes_read != 30) {
102 *err = file_error(wth->fh);
/* A partial header (some bytes, but fewer than 30) is reported as a short read. */
105 if (bytes_read != 0) {
106 *err = WTAP_ERR_SHORT_READ;
111 wth->data_offset += 30;
113 /* Read the packet data */
/* NOTE(review): the 32-bit length at header[0] comes straight from the file
 * and is used as a size on the very next line with no range check. A stored
 * length below 0x16 takes the subtraction below zero (wrapping to a huge
 * value or going negative, depending on the type of packet_size, which is
 * declared on a line missing from this listing), and a very large stored
 * length makes buffer_assure_space() size the frame buffer from a
 * file-controlled number. A malformed or hostile capture file should be
 * rejected here: fail the record with an error when the stored length is
 * smaller than 0x16 or larger than the maximum packet size the library is
 * willing to buffer. */
114 packet_size = pntohl(&header[0]) - 0x16;
115 buffer_assure_space( wth->frame_buffer, packet_size );
/* Remember where this packet's data starts before advancing past it. */
116 data_offset = wth->data_offset;
117 errno = WTAP_ERR_CANT_READ;
118 data_ptr = buffer_start_ptr( wth->frame_buffer );
119 bytes_read = file_read( data_ptr, 1, packet_size, wth->fh );
121 if (bytes_read != packet_size) {
122 *err = file_error(wth->fh);
124 *err = WTAP_ERR_SHORT_READ;
127 wth->data_offset += packet_size;
130 /* AIX saves time in nsec, not usec. It's easier to make iptrace
131 * files more Unix-compliant here than try to get the calling
132 * program to know when to use nsec or usec */
/* Only the seconds field (offset 4) of the 30-byte header is used here,
 * so the sub-second part is set to zero. Both len and caplen take the same
 * file-derived packet_size. */
134 wth->phdr.len = packet_size;
135 wth->phdr.caplen = packet_size;
136 wth->phdr.ts.tv_sec = pntohl(&header[4]);
137 wth->phdr.ts.tv_usec = 0;
140 * Byte 28 of the frame header appears to be a BSD-style IFT_xxx
141 * value giving the type of the interface. Check out the
142 * <net/if_types.h> header file.
/* if_type is a guint8, so the lookup index is a single file-supplied byte;
 * wtap_encap_ift() bounds-checks it against its table. */
144 pkt_hdr.if_type = header[28];
145 wth->phdr.pkt_encap = wtap_encap_ift(pkt_hdr.if_type);
/* Interface types without a known encapsulation are refused rather than guessed. */
147 if (wth->phdr.pkt_encap == WTAP_ENCAP_UNKNOWN) {
148 g_message("iptrace: interface type IFT=0x%02x unknown or unsupported",
150 *err = WTAP_ERR_UNSUPPORTED;
/* ATM records additionally need a pseudo-header built from the record header. */
154 if ( wth->phdr.pkt_encap == WTAP_ENCAP_ATM_SNIFFER ) {
155 get_atm_pseudo_header(wth, header, data_ptr);
158 /* If the per-file encapsulation isn't known, set it to this
159 packet's encapsulation.
161 If it *is* known, and it isn't this packet's encapsulation,
162 set it to WTAP_ENCAP_PER_PACKET, as this file doesn't
163 have a single encapsulation for all packets in the file. */
164 if (wth->file_encap == WTAP_ENCAP_UNKNOWN)
165 wth->file_encap = wth->phdr.pkt_encap;
167 if (wth->file_encap != wth->phdr.pkt_encap)
168 wth->file_encap = WTAP_ENCAP_PER_PACKET;
174 /***********************************************************
176 ***********************************************************/
178 /* iptrace 2.0, discovered through inspection */
/* Layout of the 40-byte per-packet header that iptrace_read_2_0() reads from
 * the file. Every value here is file-supplied, so a reader has to treat it
 * as untrusted; pkt_length in particular is expected to be at least 32,
 * because the reader subtracts 32 from it to get the payload size. */
180 /* 0-3 */ guint32 pkt_length; /* packet length + 32 */
181 /* 4-7 */ guint32 tv_sec0; /* time stamp, seconds since the Epoch */
182 /* 8-11 */ guint32 junk1; /* ?? */
183 /* 12-15 */ char if_name[4]; /* null-terminated */
184 /* 16-27 */ char if_desc[12]; /* interface description. */
185 /* 28 */ guint8 if_type; /* BSD net/if_types.h */
186 /* 29 */ guint8 tx_flag; /* 0=receive, 1=transmit */
187 /* 30-31 */ guint16 junk3;
188 /* 32-35 */ guint32 tv_sec; /* time stamp, seconds since the Epoch */
189 /* 36-39 */ guint32 tv_nsec; /* nanoseconds since that second */
/* Read the next packet record of an iptrace 2.0 file: a 40-byte header
 * followed by the packet data, which is read into wth->frame_buffer.
 * Fills wth->phdr (len, caplen, timestamp, encapsulation) and updates
 * wth->data_offset and wth->file_encap. On failure *err receives the
 * file_error() result, WTAP_ERR_SHORT_READ or WTAP_ERR_UNSUPPORTED.
 * The declarations, return statements and closing braces of this function
 * are missing from this listing, so its return values are not described. */
192 /* Read the next packet */
193 static int iptrace_read_2_0(wtap *wth, int *err)
200 iptrace_2_0_phdr pkt_hdr;
202 /* Read the descriptor data */
203 errno = WTAP_ERR_CANT_READ;
204 bytes_read = file_read(header, 1, 40, wth->fh);
205 if (bytes_read != 40) {
206 *err = file_error(wth->fh);
/* A partial header (some bytes, but fewer than 40) is reported as a short read. */
209 if (bytes_read != 0) {
210 *err = WTAP_ERR_SHORT_READ;
215 wth->data_offset += 40;
217 /* Read the packet data */
/* NOTE(review): the 32-bit length at header[0] comes straight from the file
 * and is used as a size on the very next line with no range check. A stored
 * length below 32 takes the subtraction below zero (wrapping to a huge
 * value or going negative, depending on the type of packet_size, which is
 * declared on a line missing from this listing), and a very large stored
 * length makes buffer_assure_space() size the frame buffer from a
 * file-controlled number. A malformed or hostile capture file should be
 * rejected here: fail the record with an error when the stored length is
 * smaller than 32 or larger than the maximum packet size the library is
 * willing to buffer. */
218 packet_size = pntohl(&header[0]) - 32;
219 buffer_assure_space( wth->frame_buffer, packet_size );
/* Remember where this packet's data starts before advancing past it. */
220 data_offset = wth->data_offset;
221 errno = WTAP_ERR_CANT_READ;
222 data_ptr = buffer_start_ptr( wth->frame_buffer );
223 bytes_read = file_read( data_ptr, 1, packet_size, wth->fh );
225 if (bytes_read != packet_size) {
226 *err = file_error(wth->fh);
228 *err = WTAP_ERR_SHORT_READ;
231 wth->data_offset += packet_size;
234 /* AIX saves time in nsec, not usec. It's easier to make iptrace
235 * files more Unix-compliant here than try to get the calling
236 * program to know when to use nsec or usec */
/* The timestamp comes from offsets 32 and 36 of the header; the nanosecond
 * field is divided by 1000 to give microseconds. Both len and caplen take
 * the same file-derived packet_size. */
238 wth->phdr.len = packet_size;
239 wth->phdr.caplen = packet_size;
240 wth->phdr.ts.tv_sec = pntohl(&header[32]);
241 wth->phdr.ts.tv_usec = pntohl(&header[36]) / 1000;
244 * Byte 28 of the frame header appears to be a BSD-style IFT_xxx
245 * value giving the type of the interface. Check out the
246 * <net/if_types.h> header file.
/* if_type is a guint8, so the lookup index is a single file-supplied byte;
 * wtap_encap_ift() bounds-checks it against its table. */
248 pkt_hdr.if_type = header[28];
249 wth->phdr.pkt_encap = wtap_encap_ift(pkt_hdr.if_type);
/* Interface types without a known encapsulation are refused rather than guessed. */
251 if (wth->phdr.pkt_encap == WTAP_ENCAP_UNKNOWN) {
252 g_message("iptrace: interface type IFT=0x%02x unknown or unsupported",
254 *err = WTAP_ERR_UNSUPPORTED;
/* ATM records additionally need a pseudo-header built from the record header. */
258 if ( wth->phdr.pkt_encap == WTAP_ENCAP_ATM_SNIFFER ) {
259 get_atm_pseudo_header(wth, header, data_ptr);
262 /* If the per-file encapsulation isn't known, set it to this
263 packet's encapsulation.
265 If it *is* known, and it isn't this packet's encapsulation,
266 set it to WTAP_ENCAP_PER_PACKET, as this file doesn't
267 have a single encapsulation for all packets in the file. */
268 if (wth->file_encap == WTAP_ENCAP_UNKNOWN)
269 wth->file_encap = wth->phdr.pkt_encap;
271 if (wth->file_encap != wth->phdr.pkt_encap)
272 wth->file_encap = WTAP_ENCAP_PER_PACKET;
279 * Fill in the pseudo-header information we can; alas, "iptrace" doesn't
280 * tell us what type of traffic is in the packet - it was presumably
281 * run on a machine that was one of the endpoints of the connection, so
282 * in theory it could presumably have told us, but, for whatever reason,
283 * it failed to do so - perhaps the low-level mechanism that feeds the
284 * presumably-AAL5 frames to us doesn't have access to that information
285 * (e.g., because it's in the ATM driver, and the ATM driver merely knows
286 * that stuff on VPI/VCI X.Y should be handed up to some particular
287 * client, it doesn't know what that client is).
289 * We let our caller try to figure out what kind of traffic it is, either
290 * by guessing based on the VPI/VCI, guessing based on the header of the
291 * packet, seeing earlier traffic that set up the circuit and specified
292 * in some fashion what sort of traffic it is, or being told by the user.
295 get_atm_pseudo_header(wtap *wth, guint8 *header, guint8 *pd)
/* Fills wth->phdr.pseudo_header.ngsniffer_atm from the per-packet header:
 * VPI and VCI are parsed from the "x.y" text at header[20..27], channel is
 * taken from header[29], and the remaining fields get fixed "not known"
 * values. pd is not used on any line visible in this listing. */
302 /* Rip apart the "x.y" text into Vpi/Vci numbers */
/* NOTE(review): header[20..27] is file-supplied text. memcpy() copies 8
 * bytes and writes no terminator, so if_text must be at least 9 bytes and
 * explicitly NUL-terminated before strchr() and strtoul() read it. strchr()
 * returns NULL when the text contains no '.', so decimal must be checked
 * before it is written through or passed to strtoul(). The lines that
 * would do this (304, 306-307, 309) and the declarations are missing from
 * this listing - confirm against the file. */
303 memcpy(if_text, &header[20], 8);
305 decimal = strchr(if_text, '.');
/* strtoul() yields an unsigned long; whether every parsed value fits Vpi, Vci
 * and the pseudo-header fields depends on declarations not shown here. */
308 Vpi = strtoul(if_text, NULL, 10);
310 Vci = strtoul(decimal, NULL, 10);
312 wth->phdr.pseudo_header.ngsniffer_atm.Vpi = Vpi;
313 wth->phdr.pseudo_header.ngsniffer_atm.Vci = Vci;
316 * OK, which value means "DTE->DCE" and which value means
/* header[29] is the tx_flag byte of the record header, copied unchanged. */
319 wth->phdr.pseudo_header.ngsniffer_atm.channel = header[29];
321 /* We don't have this information */
322 wth->phdr.pseudo_header.ngsniffer_atm.cells = 0;
323 wth->phdr.pseudo_header.ngsniffer_atm.aal5t_u2u = 0;
324 wth->phdr.pseudo_header.ngsniffer_atm.aal5t_len = 0;
325 wth->phdr.pseudo_header.ngsniffer_atm.aal5t_chksum = 0;
327 /* Assume it's AAL5 traffic, but indicate that we don't know what
328 it is beyond that. */
329 wth->phdr.pseudo_header.ngsniffer_atm.AppTrafType =
330 ATT_AAL5|ATT_HL_UNKNOWN;
331 wth->phdr.pseudo_header.ngsniffer_atm.AppHLType = AHLT_UNKNOWN;
334 /* Given an RFC1573 (SNMP ifType) interface type,
335 * return the appropriate Wiretap Encapsulation Type.
338 wtap_encap_ift(unsigned int ift)
/* Lookup table indexed by the interface-type value; the entries cover
 * 0x0 through 0x25. Types with no supported encapsulation map to
 * WTAP_ENCAP_UNKNOWN, which the readers treat as unsupported. */
341 static const int ift_encap[] = {
342 /* 0x0 */ WTAP_ENCAP_UNKNOWN, /* nothing */
343 /* 0x1 */ WTAP_ENCAP_UNKNOWN, /* IFT_OTHER */
344 /* 0x2 */ WTAP_ENCAP_UNKNOWN, /* IFT_1822 */
345 /* 0x3 */ WTAP_ENCAP_UNKNOWN, /* IFT_HDH1822 */
346 /* 0x4 */ WTAP_ENCAP_RAW_IP, /* IFT_X25DDN */
347 /* 0x5 */ WTAP_ENCAP_UNKNOWN, /* IFT_X25 */
348 /* 0x6 */ WTAP_ENCAP_ETHERNET, /* IFT_ETHER */
349 /* 0x7 */ WTAP_ENCAP_UNKNOWN, /* IFT_ISO88023 */
350 /* 0x8 */ WTAP_ENCAP_UNKNOWN, /* IFT_ISO88024 */
351 /* 0x9 */ WTAP_ENCAP_TR, /* IFT_ISO88025 */
352 /* 0xa */ WTAP_ENCAP_UNKNOWN, /* IFT_ISO88026 */
353 /* 0xb */ WTAP_ENCAP_UNKNOWN, /* IFT_STARLAN */
354 /* 0xc */ WTAP_ENCAP_UNKNOWN, /* IFT_P10 */
355 /* 0xd */ WTAP_ENCAP_UNKNOWN, /* IFT_P80 */
356 /* 0xe */ WTAP_ENCAP_UNKNOWN, /* IFT_HY */
357 /* 0xf */ WTAP_ENCAP_FDDI_BITSWAPPED, /* IFT_FDDI */
358 /* 0x10 */ WTAP_ENCAP_LAPB, /* IFT_LAPB */ /* no data to back this up */
359 /* 0x11 */ WTAP_ENCAP_UNKNOWN, /* IFT_SDLC */
360 /* 0x12 */ WTAP_ENCAP_UNKNOWN, /* IFT_T1 */
361 /* 0x13 */ WTAP_ENCAP_UNKNOWN, /* IFT_CEPT */
362 /* 0x14 */ WTAP_ENCAP_UNKNOWN, /* IFT_ISDNBASIC */
363 /* 0x15 */ WTAP_ENCAP_UNKNOWN, /* IFT_ISDNPRIMARY */
364 /* 0x16 */ WTAP_ENCAP_UNKNOWN, /* IFT_PTPSERIAL */
365 /* 0x17 */ WTAP_ENCAP_UNKNOWN, /* IFT_PPP */
366 /* 0x18 */ WTAP_ENCAP_RAW_IP, /* IFT_LOOP */
367 /* 0x19 */ WTAP_ENCAP_UNKNOWN, /* IFT_EON */
368 /* 0x1a */ WTAP_ENCAP_UNKNOWN, /* IFT_XETHER */
369 /* 0x1b */ WTAP_ENCAP_UNKNOWN, /* IFT_NSIP */
370 /* 0x1c */ WTAP_ENCAP_UNKNOWN, /* IFT_SLIP */
371 /* 0x1d */ WTAP_ENCAP_UNKNOWN, /* IFT_ULTRA */
372 /* 0x1e */ WTAP_ENCAP_UNKNOWN, /* IFT_DS3 */
373 /* 0x1f */ WTAP_ENCAP_UNKNOWN, /* IFT_SIP */
374 /* 0x20 */ WTAP_ENCAP_UNKNOWN, /* IFT_FRELAY */
375 /* 0x21 */ WTAP_ENCAP_UNKNOWN, /* IFT_RS232 */
376 /* 0x22 */ WTAP_ENCAP_UNKNOWN, /* IFT_PARA */
377 /* 0x23 */ WTAP_ENCAP_UNKNOWN, /* IFT_ARCNET */
378 /* 0x24 */ WTAP_ENCAP_UNKNOWN, /* IFT_ARCNETPLUS */
379 /* 0x25 */ WTAP_ENCAP_ATM_SNIFFER, /* IFT_ATM */
/* Element count derived from the array itself, so the bound below follows
 * the table if entries are added. */
381 #define NUM_IFT_ENCAPS (sizeof ift_encap / sizeof ift_encap[0])
/* ift is unsigned, so this single upper-bound comparison keeps the index
 * inside the table; the callers pass a byte taken from the capture file,
 * and any value past the last entry falls through to WTAP_ENCAP_UNKNOWN. */
383 if (ift < NUM_IFT_ENCAPS) {
384 return ift_encap[ift];
387 return WTAP_ENCAP_UNKNOWN;