5 /***************************************************************************
6 network_instruments.c - description
8 begin : Wed Oct 29 2003
9 copyright : (C) 2003 by root
10 email : scotte[AT}netinst.com
11 ***************************************************************************/
13 /***************************************************************************
15 * This program is free software; you can redistribute it and/or modify *
16 * it under the terms of the GNU General Public License as published by *
17 * the Free Software Foundation; either version 2 of the License, or *
18 * (at your option) any later version. *
20 ***************************************************************************/
30 #include "file_wrappers.h"
32 #include "network_instruments.h"
34 static const char network_instruments_magic[] = {"ObserverPktBufferVersion=15.00"};
35 static const int true_magic_length = 17;
37 static const guint32 observer_packet_magic = 0x88888888;
40 * This structure is used to keep state when writing files. An instance is
41 * allocated for each file, and its address is stored in the wtap_dumper.priv
48 } observer_dump_private_state;
51 * Some time offsets are calculated in advance here, when the first Observer
52 * file is opened for reading or writing, and are then used to adjust frame
53 * timestamps as they are read or written.
55 * The Wiretap API expects timestamps in nanoseconds relative to
56 * January 1, 1970, 00:00:00 GMT (the Wiretap epoch).
58 * Observer versions before 13.10 encode frame timestamps in nanoseconds
59 * relative to January 1, 2000, 00:00:00 local time (the Observer epoch).
60 * Versions 13.10 and later switch over to GMT encoding. Which encoding was used
61 * when saving the file is identified via the time format TLV following
64 * Unfortunately, even though Observer versions before 13.10 saved in local
65 * time, they didn't include the timezone from which the frames were captured,
66 * so converting to GMT correctly from all timezones is impossible. So an
67 * assumption is made that the file is being read from within the same timezone
68 * that it was written.
70 * All code herein is normalized to versions 13.10 and later, special casing for
71 * versions earlier. In other words, timestamps are worked with as if
72 * they are GMT-encoded, and adjustments from local time are made only if
73 * the source file warrants it.
75 * All destination files are saved in GMT format.
77 static const time_t ansi_to_observer_epoch_offset = 946684800;
78 static time_t gmt_to_localtime_offset = (time_t) -1;
80 static void init_gmt_to_localtime_offset(void)
82 if (gmt_to_localtime_offset == (time_t) -1) {
83 time_t ansi_epoch_plus_one_day = 86400;
88 * Compute the local time zone offset as the number of seconds west
89 * of GMT. There's no obvious cross-platform API for querying this
90 * directly. As a workaround, GMT and local tm structures are populated
91 * relative to the ANSI time_t epoch (plus one day to ensure that
92 * local time stays after 1970/1/1 00:00:00). They are then converted
93 * back to time_t as if they were both local times, resulting in the
94 * time zone offset being the difference between them.
96 gmt_tm = *gmtime(&ansi_epoch_plus_one_day);
97 local_tm = *localtime(&ansi_epoch_plus_one_day);
98 local_tm.tm_isdst = 0;
99 gmt_to_localtime_offset = mktime(&gmt_tm) - mktime(&local_tm);
103 static gboolean observer_read(wtap *wth, int *err, gchar **err_info,
104 gint64 *data_offset);
105 static gboolean observer_seek_read(wtap *wth, gint64 seek_off,
106 union wtap_pseudo_header *pseudo_header, guint8 *pd, int length,
107 int *err, gchar **err_info);
108 static int read_packet_header(FILE_T fh, packet_entry_header *packet_header,
109 int *err, gchar **err_info);
110 static int read_packet_data(FILE_T fh, int offset_to_frame, int current_offset_from_packet_header,
111 guint8 *pd, int length, int *err, char **err_info);
112 static gboolean skip_to_next_packet(wtap *wth, int offset_to_next_packet,
113 int current_offset_from_packet_header, int *err, char **err_info);
114 static gboolean observer_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
115 const union wtap_pseudo_header *pseudo_header, const guint8 *pd, int *err);
116 static gint observer_to_wtap_encap(int observer_encap);
117 static gint wtap_to_observer_encap(int wtap_encap);
119 int network_instruments_open(wtap *wth, int *err, gchar **err_info)
123 capture_file_header file_header;
128 packet_entry_header packet_header;
129 observer_dump_private_state * private_state = NULL;
131 errno = WTAP_ERR_CANT_READ;
134 /* read in the buffer file header */
135 bytes_read = file_read(&file_header, sizeof file_header, wth->fh);
136 if (bytes_read != sizeof file_header) {
137 *err = file_error(wth->fh, err_info);
142 offset += bytes_read;
143 CAPTURE_FILE_HEADER_FROM_LE_IN_PLACE(file_header);
145 /* check if version info is present */
146 if (memcmp(file_header.observer_version, network_instruments_magic, true_magic_length)!=0) {
150 /* initialize the private state */
151 private_state = (observer_dump_private_state *) g_malloc(sizeof(observer_dump_private_state));
152 private_state->time_format = TIME_INFO_LOCAL;
153 wth->priv = (void *) private_state;
155 /* get the location of the first packet */
156 /* v15 and newer uses high byte offset, in previous versions it will be 0 */
157 header_offset = file_header.offset_to_first_packet + ((int)(file_header.offset_to_first_packet_high_byte)<<16);
159 /* process extra information */
160 for (i = 0; i < file_header.number_of_information_elements; i++) {
161 /* for safety break if we've reached the first packet */
162 if (offset >= header_offset)
165 /* read the TLV header */
166 bytes_read = file_read(&tlvh, sizeof tlvh, wth->fh);
167 if (bytes_read != sizeof tlvh) {
168 *err = file_error(wth->fh, err_info);
170 *err = WTAP_ERR_SHORT_READ;
173 offset += bytes_read;
174 TLV_HEADER_FROM_LE_IN_PLACE(tlvh);
176 if (tlvh.length < sizeof tlvh) {
177 *err = WTAP_ERR_BAD_RECORD;
178 *err_info = g_strdup_printf("Observer: bad record (TLV length %u < %lu)",
179 tlvh.length, (unsigned long)sizeof tlvh);
183 /* process (or skip over) the current TLV */
185 case INFORMATION_TYPE_TIME_INFO:
186 bytes_read = file_read(&private_state->time_format, sizeof private_state->time_format, wth->fh);
187 if (bytes_read != sizeof private_state->time_format) {
188 *err = file_error(wth->fh, err_info);
190 *err = WTAP_ERR_SHORT_READ;
193 private_state->time_format = GUINT32_FROM_LE(private_state->time_format);
194 offset += bytes_read;
197 seek_increment = tlvh.length - (int)sizeof tlvh;
198 if (seek_increment > 0) {
199 if (file_seek(wth->fh, seek_increment, SEEK_CUR, err) == -1)
202 offset += seek_increment;
206 /* get to the first packet */
207 if (header_offset < offset) {
208 *err = WTAP_ERR_BAD_RECORD;
209 *err_info = g_strdup_printf("Observer: bad record (offset to first packet %d < %d)",
210 header_offset, offset);
213 seek_increment = header_offset - offset;
214 if (seek_increment > 0) {
215 if (file_seek(wth->fh, seek_increment, SEEK_CUR, err) == -1)
219 /* pull off the packet header */
220 bytes_read = file_read(&packet_header, sizeof packet_header, wth->fh);
221 if (bytes_read != sizeof packet_header) {
222 *err = file_error(wth->fh, err_info);
227 PACKET_ENTRY_HEADER_FROM_LE_IN_PLACE(packet_header);
229 /* check the packet's magic number */
230 if (packet_header.packet_magic != observer_packet_magic) {
231 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
232 *err_info = g_strdup_printf("Observer: unsupported packet version %ul", packet_header.packet_magic);
236 /* check the data link type */
237 if (observer_to_wtap_encap(packet_header.network_type) == WTAP_ENCAP_UNKNOWN) {
238 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
239 *err_info = g_strdup_printf("Observer: network type %u unknown or unsupported", packet_header.network_type);
242 wth->file_encap = observer_to_wtap_encap(packet_header.network_type);
244 /* set up the rest of the capture parameters */
245 private_state->packet_count = 0;
246 private_state->network_type = wtap_to_observer_encap(wth->file_encap);
247 wth->subtype_read = observer_read;
248 wth->subtype_seek_read = observer_seek_read;
249 wth->subtype_close = NULL;
250 wth->subtype_sequential_close = NULL;
251 wth->snapshot_length = 0; /* not available in header */
252 wth->tsprecision = WTAP_FILE_TSPREC_NSEC;
253 wth->file_type = WTAP_FILE_NETWORK_INSTRUMENTS;
255 /* reset the pointer to the first packet */
256 if (file_seek(wth->fh, header_offset, SEEK_SET,
259 wth->data_offset = header_offset;
261 init_gmt_to_localtime_offset();
266 /* Reads the next packet. */
267 static gboolean observer_read(wtap *wth, int *err, gchar **err_info,
271 int offset_from_packet_header = 0;
272 packet_entry_header packet_header;
274 /* skip records other than data records */
276 *data_offset = wth->data_offset;
278 /* process the packet header, including TLVs */
279 bytes_consumed = read_packet_header(wth->fh, &packet_header, err,
281 if (bytes_consumed <= 0)
282 return FALSE; /* EOF or error */
284 wth->data_offset += bytes_consumed;
286 if (packet_header.packet_type == PACKET_TYPE_DATA_PACKET)
289 /* skip to next packet */
290 offset_from_packet_header = (int) (wth->data_offset - *data_offset);
291 if (!skip_to_next_packet(wth, packet_header.offset_to_next_packet,
292 offset_from_packet_header, err, err_info)) {
293 return FALSE; /* EOF or error */
297 /* neglect frame markers for wiretap */
298 if (packet_header.network_size < 4) {
299 *err = WTAP_ERR_BAD_RECORD;
300 *err_info = g_strdup_printf("Observer: bad record: Packet length %u < 4",
301 packet_header.network_size);
305 /* set the wiretap packet header fields */
306 wth->phdr.pkt_encap = observer_to_wtap_encap(packet_header.network_type);
307 if(wth->file_encap == WTAP_ENCAP_FIBRE_CHANNEL_FC2_WITH_FRAME_DELIMS) {
308 wth->phdr.len = packet_header.network_size;
309 wth->phdr.caplen = packet_header.captured_size;
311 wth->phdr.len = packet_header.network_size - 4;
312 wth->phdr.caplen = MIN(packet_header.captured_size, wth->phdr.len);
315 /* set the wiretap timestamp, assuming for the moment that Observer encoded it in GMT */
316 wth->phdr.ts.secs = (time_t) ((packet_header.nano_seconds_since_2000 / 1000000000) + ansi_to_observer_epoch_offset);
317 wth->phdr.ts.nsecs = (int) (packet_header.nano_seconds_since_2000 % 1000000000);
319 /* adjust to local time, if necessary, also accounting for DST if the frame
320 was captured while it was in effect */
321 if (((observer_dump_private_state*)wth->priv)->time_format == TIME_INFO_LOCAL)
323 struct tm daylight_tm;
324 struct tm standard_tm;
327 /* the Observer timestamp was encoded as local time, so add a
328 correction from local time to GMT */
329 wth->phdr.ts.secs += gmt_to_localtime_offset;
331 /* perform a DST adjustment if necessary */
332 standard_tm = *localtime(&wth->phdr.ts.secs);
333 if (standard_tm.tm_isdst > 0) {
334 daylight_tm = standard_tm;
335 standard_tm.tm_isdst = 0;
336 dst_offset = mktime(&standard_tm) - mktime(&daylight_tm);
337 wth->phdr.ts.secs -= dst_offset;
341 /* update the pseudo header */
342 switch (wth->file_encap) {
343 case WTAP_ENCAP_ETHERNET:
344 /* There is no FCS in the frame */
345 wth->pseudo_header.eth.fcs_len = 0;
349 /* set-up the packet buffer */
350 buffer_assure_space(wth->frame_buffer, packet_header.captured_size);
352 /* read the frame data */
353 offset_from_packet_header = (int) (wth->data_offset - *data_offset);
354 bytes_consumed = read_packet_data(wth->fh, packet_header.offset_to_frame,
355 offset_from_packet_header, buffer_start_ptr(wth->frame_buffer),
356 packet_header.captured_size, err, err_info);
357 if (bytes_consumed < 0) {
360 wth->data_offset += bytes_consumed;
362 /* skip over any extra bytes following the frame data */
363 offset_from_packet_header = (int) (wth->data_offset - *data_offset);
364 if (!skip_to_next_packet(wth, packet_header.offset_to_next_packet,
365 offset_from_packet_header, err, err_info)) {
372 /* Reads a packet at an offset. */
373 static gboolean observer_seek_read(wtap *wth, gint64 seek_off,
374 union wtap_pseudo_header *pseudo_header, guint8 *pd, int length,
375 int *err, gchar **err_info)
377 packet_entry_header packet_header;
380 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
383 /* process the packet header, including TLVs */
384 offset = read_packet_header(wth->random_fh, &packet_header, err,
387 return FALSE; /* EOF or error */
389 /* update the pseudo header */
390 switch (wth->file_encap) {
392 case WTAP_ENCAP_ETHERNET:
393 /* There is no FCS in the frame */
394 pseudo_header->eth.fcs_len = 0;
398 /* read the frame data */
399 if (!read_packet_data(wth->random_fh, packet_header.offset_to_frame,
400 offset, pd, length, err, err_info))
407 read_packet_header(FILE_T fh, packet_entry_header *packet_header, int *err,
418 /* pull off the packet header */
419 bytes_read = file_read(packet_header, sizeof *packet_header, fh);
420 if (bytes_read != sizeof *packet_header) {
421 *err = file_error(fh, err_info);
426 offset += bytes_read;
427 PACKET_ENTRY_HEADER_FROM_LE_IN_PLACE(*packet_header);
429 /* check the packet's magic number */
430 if (packet_header->packet_magic != observer_packet_magic) {
433 * Some files are zero-padded at the end. There is no warning of this
434 * in the previous packet header information, such as setting
435 * offset_to_next_packet to zero. So detect this situation by treating
436 * an all-zero header as a sentinel. Return EOF when it is encountered,
437 * rather than treat it as a bad record.
439 for (i = 0; i < sizeof *packet_header; i++) {
440 if (((guint8*) packet_header)[i] != 0)
443 if (i == sizeof *packet_header) {
448 *err = WTAP_ERR_BAD_RECORD;
449 *err_info = g_strdup_printf("Observer: bad record: Invalid magic number 0x%08x",
450 packet_header->packet_magic);
454 /* process extra information */
455 for (i = 0; i < packet_header->number_of_information_elements; i++) {
456 /* read the TLV header */
457 bytes_read = file_read(&tlvh, sizeof tlvh, fh);
458 if (bytes_read != sizeof tlvh) {
459 *err = file_error(fh, err_info);
461 *err = WTAP_ERR_SHORT_READ;
464 offset += bytes_read;
465 TLV_HEADER_FROM_LE_IN_PLACE(tlvh);
467 if (tlvh.length < sizeof tlvh) {
468 *err = WTAP_ERR_BAD_RECORD;
469 *err_info = g_strdup_printf("Observer: bad record (TLV length %u < %lu)",
470 tlvh.length, (unsigned long)sizeof tlvh);
474 /* skip the TLV data */
475 seek_increment = tlvh.length - (int)sizeof tlvh;
476 if (seek_increment > 0) {
477 if (file_seek(fh, seek_increment, SEEK_CUR, err) == -1)
480 offset += seek_increment;
487 read_packet_data(FILE_T fh, int offset_to_frame, int current_offset_from_packet_header, guint8 *pd,
488 int length, int *err, char **err_info)
491 int bytes_consumed = 0;
493 /* validate offsets */
494 if (offset_to_frame < current_offset_from_packet_header) {
495 *err = WTAP_ERR_BAD_RECORD;
496 *err_info = g_strdup_printf("Observer: bad record (offset to packet data %d < %d)",
497 offset_to_frame, current_offset_from_packet_header);
501 /* skip to the packet data */
502 seek_increment = offset_to_frame - current_offset_from_packet_header;
503 if (seek_increment > 0) {
504 if (file_seek(fh, seek_increment, SEEK_CUR, err) == -1) {
507 bytes_consumed += seek_increment;
510 /* read in the packet data */
511 wtap_file_read_expected_bytes(pd, length, fh, err, err_info);
512 bytes_consumed += length;
514 return bytes_consumed;
518 skip_to_next_packet(wtap *wth, int offset_to_next_packet, int current_offset_from_packet_header, int *err,
523 /* validate offsets */
524 if (offset_to_next_packet < current_offset_from_packet_header) {
525 *err = WTAP_ERR_BAD_RECORD;
526 *err_info = g_strdup_printf("Observer: bad record (offset to next packet %d < %d)",
527 offset_to_next_packet, current_offset_from_packet_header);
531 /* skip to the next packet header */
532 seek_increment = offset_to_next_packet - current_offset_from_packet_header;
533 if (seek_increment > 0) {
534 if (file_seek(wth->fh, seek_increment, SEEK_CUR, err) == -1)
536 wth->data_offset += seek_increment;
542 /* Returns 0 if we could write the specified encapsulation type,
543 an error indication otherwise. */
544 int network_instruments_dump_can_write_encap(int encap)
546 /* per-packet encapsulations aren't supported */
547 if (encap == WTAP_ENCAP_PER_PACKET)
548 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
550 if (encap < 0 || (wtap_to_observer_encap(encap) == OBSERVER_UNDEFINED))
551 return WTAP_ERR_UNSUPPORTED_ENCAP;
556 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
558 gboolean network_instruments_dump_open(wtap_dumper *wdh, int *err)
560 observer_dump_private_state * private_state = NULL;
561 capture_file_header file_header;
563 tlv_header comment_header;
564 tlv_time_info time_header;
566 size_t comment_length;
567 struct tm * current_time;
570 /* initialize the private state */
571 private_state = (observer_dump_private_state *) g_malloc(sizeof(observer_dump_private_state));
572 private_state->packet_count = 0;
573 private_state->network_type = wtap_to_observer_encap(wdh->encap);
574 private_state->time_format = TIME_INFO_GMT;
576 /* populate the fields of wdh */
577 wdh->priv = (void *) private_state;
578 wdh->subtype_write = observer_dump;
580 /* initialize the file header */
581 memset(&file_header, 0x00, sizeof(file_header));
582 g_strlcpy(file_header.observer_version, network_instruments_magic, 31);
583 file_header.offset_to_first_packet = (guint16)sizeof(file_header);
584 file_header.offset_to_first_packet_high_byte = 0;
586 /* create the file comment TLV */
589 current_time = localtime(&system_time);
590 memset(&comment, 0x00, sizeof(comment));
591 g_snprintf(comment, 64, "This capture was saved from Wireshark on %s", asctime(current_time));
592 comment_length = strlen(comment);
594 comment_header.type = INFORMATION_TYPE_COMMENT;
595 comment_header.length = (guint16) (sizeof(comment_header) + comment_length);
597 /* update the file header to account for the comment TLV */
598 file_header.number_of_information_elements++;
599 file_header.offset_to_first_packet += comment_header.length;
602 /* create the timestamp encoding TLV */
604 time_header.type = INFORMATION_TYPE_TIME_INFO;
605 time_header.length = (guint16) (sizeof(time_header));
606 time_header.time_format = TIME_INFO_GMT;
608 /* update the file header to account for the timestamp encoding TLV */
609 file_header.number_of_information_elements++;
610 file_header.offset_to_first_packet += time_header.length;
613 /* write the file header, swapping any multibyte fields first */
614 CAPTURE_FILE_HEADER_TO_LE_IN_PLACE(file_header);
615 if (!wtap_dump_file_write(wdh, &file_header, sizeof(file_header), err)) {
618 wdh->bytes_dumped += sizeof(file_header);
620 /* write the comment TLV */
622 TLV_HEADER_TO_LE_IN_PLACE(comment_header);
623 if (!wtap_dump_file_write(wdh, &comment_header, sizeof(comment_header), err)) {
626 wdh->bytes_dumped += sizeof(comment_header);
628 if (!wtap_dump_file_write(wdh, &comment, comment_length, err)) {
631 wdh->bytes_dumped += comment_length;
634 /* write the time info TLV */
636 TLV_TIME_INFO_TO_LE_IN_PLACE(time_header);
637 if (!wtap_dump_file_write(wdh, &time_header, sizeof(time_header), err)) {
640 wdh->bytes_dumped += sizeof(time_header);
643 init_gmt_to_localtime_offset();
648 /* Write a record for a packet to a dump file.
649 Returns TRUE on success, FALSE on failure. */
650 static gboolean observer_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
651 const union wtap_pseudo_header *pseudo_header _U_, const guint8 *pd,
654 observer_dump_private_state * private_state = NULL;
655 packet_entry_header packet_header;
656 guint64 seconds_since_2000;
658 /* convert the number of seconds since epoch from ANSI-relative to
660 if (phdr->ts.secs < ansi_to_observer_epoch_offset) {
661 if(phdr->ts.secs > (time_t) 0) {
662 seconds_since_2000 = phdr->ts.secs;
664 seconds_since_2000 = (time_t) 0;
667 seconds_since_2000 = phdr->ts.secs - ansi_to_observer_epoch_offset;
670 /* populate the fields of the packet header */
671 private_state = (observer_dump_private_state *) wdh->priv;
673 memset(&packet_header, 0x00, sizeof(packet_header));
674 packet_header.packet_magic = observer_packet_magic;
675 packet_header.network_speed = 1000000;
676 packet_header.captured_size = (guint16) phdr->caplen;
677 packet_header.network_size = (guint16) (phdr->len + 4);
678 packet_header.offset_to_frame = sizeof(packet_header);
679 /* XXX - what if this doesn't fit in 16 bits? It's not guaranteed to... */
680 packet_header.offset_to_next_packet = (guint16)sizeof(packet_header) + phdr->caplen;
681 packet_header.network_type = private_state->network_type;
682 packet_header.flags = 0x00;
683 packet_header.number_of_information_elements = 0;
684 packet_header.packet_type = PACKET_TYPE_DATA_PACKET;
685 packet_header.packet_number = private_state->packet_count;
686 packet_header.original_packet_number = packet_header.packet_number;
687 packet_header.nano_seconds_since_2000 = seconds_since_2000 * 1000000000 + phdr->ts.nsecs;
689 private_state->packet_count++;
691 /* write the packet header */
692 PACKET_ENTRY_HEADER_TO_LE_IN_PLACE(packet_header);
693 if (!wtap_dump_file_write(wdh, &packet_header, sizeof(packet_header), err)) {
696 wdh->bytes_dumped += sizeof(packet_header);
698 /* write the packet data */
699 if (!wtap_dump_file_write(wdh, pd, phdr->caplen, err)) {
702 wdh->bytes_dumped += phdr->caplen;
707 static gint observer_to_wtap_encap(int observer_encap)
709 switch(observer_encap) {
710 case OBSERVER_ETHERNET:
711 return WTAP_ENCAP_ETHERNET;
712 case OBSERVER_TOKENRING:
713 return WTAP_ENCAP_TOKEN_RING;
714 case OBSERVER_FIBRE_CHANNEL:
715 return WTAP_ENCAP_FIBRE_CHANNEL_FC2_WITH_FRAME_DELIMS;
716 case OBSERVER_UNDEFINED:
717 return WTAP_ENCAP_UNKNOWN;
719 return WTAP_ENCAP_UNKNOWN;
722 static gint wtap_to_observer_encap(int wtap_encap)
725 case WTAP_ENCAP_ETHERNET:
726 return OBSERVER_ETHERNET;
727 case WTAP_ENCAP_TOKEN_RING:
728 return OBSERVER_TOKENRING;
729 case WTAP_ENCAP_FIBRE_CHANNEL_FC2_WITH_FRAME_DELIMS:
730 return OBSERVER_FIBRE_CHANNEL;
731 case WTAP_ENCAP_UNKNOWN:
732 return OBSERVER_UNDEFINED;
734 return OBSERVER_UNDEFINED;