diff options
author | Sake Blok <sake@euronet.nl> | 2007-08-17 08:03:32 +0000 |
---|---|---|
committer | Sake Blok <sake@euronet.nl> | 2007-08-17 08:03:32 +0000 |
commit | 47ec0bead948443f243c38fa83bbed335189b81a (patch) | |
tree | 4b8b90c91f6734cf3856cb4407509687de834280 | |
parent | 2efdf99f2861f02af97a3eabd2c5253c1625102e (diff) |
(http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1717)
This patch adds support for the Juniper NetScreen snoop output format.
It takes a text-dump op the captured packets and parses the headers
and hex-data. Since the snoop files on a Junpiper NetScreen can be saved
to a tftp-server, this patch makes it quite easy to use the snoop
function of the Juniper NetScreen firewalls.
/* XXX TODO:
*
* o Create a wiki-page with instruction on how to make tracefiles
* on Juniper NetScreen devices. Also put a few examples up
* on the wiki (Done: wiki-page added 2007-08-03)
*
* o Use the interface names to properly detect the encapsulation
* type (ie adsl packets are now not properly dissected)
* (Done: adsl packets are now correctly seen as PPP, 2007-08-03)
*
* o Pass the interface names and the traffic direction to either
* the frame-structure, a pseudo-header or use PPI. This needs
* to be discussed on the dev-list first
* (Posted a message to wireshark-dev abou this 2007-08-03)
*
*/
svn path=/trunk/; revision=22533
-rw-r--r-- | wiretap/Makefile.common | 2 | ||||
-rw-r--r-- | wiretap/file_access.c | 12 | ||||
-rw-r--r-- | wiretap/netscreen.c | 437 | ||||
-rw-r--r-- | wiretap/netscreen.h | 51 | ||||
-rw-r--r-- | wiretap/wtap.h | 1 |
5 files changed, 502 insertions, 1 deletions
diff --git a/wiretap/Makefile.common b/wiretap/Makefile.common index 1c67f09826..7db8846269 100644 --- a/wiretap/Makefile.common +++ b/wiretap/Makefile.common @@ -54,6 +54,7 @@ NONGENERATED_C_FILES = \ mpeg.c \ mpeg-audio.c \ netmon.c \ + netscreen.c \ nettl.c \ network_instruments.c \ netxray.c \ @@ -95,6 +96,7 @@ NONGENERATED_HEADER_FILES = \ mpeg.h \ mpeg-audio.h \ netmon.h \ + netscreen.h \ nettl.h \ network_instruments.h \ netxray.h \ diff --git a/wiretap/file_access.c b/wiretap/file_access.c index 1d27d3df41..08ca94b442 100644 --- a/wiretap/file_access.c +++ b/wiretap/file_access.c @@ -73,6 +73,7 @@ #include "ber.h" #include "catapult_dct2000.h" #include "mpeg.h" +#include "netscreen.h" @@ -122,6 +123,11 @@ static wtap_open_routine_t open_routines_base[] = { * would be, for example, saved copies of a Telnet session * to some box. */ + + /* I put NetScreen *before* erf, because there were some + * false positives with my test-files (Sake Blok, July 2007) + */ + netscreen_open, erf_open, k12text_open, etherpeek_open, @@ -554,9 +560,13 @@ static const struct file_type_info dump_open_table_base[] = { { "MPEG", "mpeg", "*.mpeg;*.mpg;*.mp3", ".mpeg", FALSE, NULL, NULL }, - /* WTAP_FILE_K12TEXT */ + /* WTAP_FILE_K12TEXT */ { "K12 text file", "k12text", "*.txt", ".txt", TRUE, k12text_dump_can_write_encap, k12text_dump_open }, + + /* WTAP_FILE_NETSCREEN */ + { "NetScreen snoop text file", "netscreen", "*.*", NULL, FALSE, + NULL, NULL }, }; gint wtap_num_file_types = sizeof(dump_open_table_base) / sizeof(struct file_type_info); diff --git a/wiretap/netscreen.c b/wiretap/netscreen.c new file mode 100644 index 0000000000..2cc24c351d --- /dev/null +++ b/wiretap/netscreen.c @@ -0,0 +1,437 @@ +/* netscreen.c + * + * Juniper NetScreen snoop output parser + * Created by re-using a lot of code from cosine.c + * Copyright (c) 2007 by Sake Blok <sake@euronet.nl> + * + * Wiretap Library + * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu> + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif +#include "wtap-int.h" +#include "buffer.h" +#include "netscreen.h" +#include "file_wrappers.h" + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <ctype.h> + +/* XXX TODO: + * + * o Create a wiki-page with instruction on how to make tracefiles + * on Juniper NetScreen devices. Also put a few examples up + * on the wiki (Done: wiki-page added 2007-08-03) + * + * o Use the interface names to properly detect the encapsulation + * type (ie adsl packets are now not properly dissected) + * (Done: adsl packets are now correctly seen as PPP, 2007-08-03) + * + * o Pass the interface names and the traffic direction to either + * the frame-structure, a pseudo-header or use PPI. This needs + * to be discussed on the dev-list first + * (Posted a message to wireshark-dev abou this 2007-08-03) + * + */ + + + +static gboolean empty_line(const gchar *line); +static gboolean info_line(const gchar *line); +static gint64 netscreen_seek_next_packet(wtap *wth, int *err, char *hdr); +static gboolean netscreen_check_file_type(wtap *wth, int *err); +static gboolean netscreen_read(wtap *wth, int *err, gchar **err_info, + gint64 *data_offset); +static gboolean netscreen_seek_read(wtap *wth, gint64 seek_off, + union wtap_pseudo_header *pseudo_header, guint8 *pd, + int len, int *err, gchar **err_info); +static int parse_netscreen_rec_hdr(wtap *wth, const char *line, + char *cap_int, gboolean *cap_dir, + union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info); +static int parse_netscreen_hex_dump(FILE_T fh, int pkt_len, guint8* buf, + int *err, gchar **err_info); +static int parse_single_hex_dump_line(char* rec, guint8 *buf, + guint byte_offset); + +/* Returns TRUE if the line appears to be an empty line. Otherwise it + returns FALSE. */ +static gboolean empty_line(const gchar *line) +{ + while (*line) { + if (isspace((guchar)*line)) { + line++; + continue; + } else { + break; + } + } + if (*line == '\0') + return TRUE; + else + return FALSE; +} + +/* Returns TRUE if the line appears to be a line with protocol info. + Otherwise it returns FALSE. */ +static gboolean info_line(const gchar *line) +{ + int i=NETSCREEN_SPACES_ON_INFO_LINE; + + while (i-- > 0) { + if (isspace((guchar)*line)) { + line++; + continue; + } else { + return FALSE; + } + } + return TRUE; +} + +/* Seeks to the beginning of the next packet, and returns the + byte offset. Copy the header line to hdr. Returns -1 on failure, + and sets "*err" to the error and set hdr as NULL. */ +static gint64 netscreen_seek_next_packet(wtap *wth, int *err, char *hdr) +{ + gint64 cur_off; + char buf[NETSCREEN_LINE_LENGTH]; + + while (1) { + cur_off = file_tell(wth->fh); + if (cur_off == -1) { + /* Error */ + *err = file_error(wth->fh); + hdr = NULL; + return -1; + } + if (file_gets(buf, sizeof(buf), wth->fh) != NULL) { + if (strstr(buf, NETSCREEN_REC_MAGIC_STR1) || + strstr(buf, NETSCREEN_REC_MAGIC_STR2)) { + strncpy(hdr, buf, NETSCREEN_LINE_LENGTH-1); + hdr[NETSCREEN_LINE_LENGTH-1] = '\0'; + return cur_off; + } + } else { + if (file_eof(wth->fh)) { + /* We got an EOF. */ + *err = 0; + } else { + /* We (presumably) got an error (there's no + equivalent to "ferror()" in zlib, alas, + so we don't have a wrapper to check for + an error). */ + *err = file_error(wth->fh); + } + break; + } + } + hdr = NULL; + return -1; +} + +/* Look through the first part of a file to see if this is + * NetScreen snoop output. + * + * Returns TRUE if it is, FALSE if it isn't or if we get an I/O error; + * if we get an I/O error, "*err" will be set to a non-zero value. + */ +static gboolean netscreen_check_file_type(wtap *wth, int *err) +{ + char buf[NETSCREEN_LINE_LENGTH]; + guint reclen, line; + + buf[NETSCREEN_LINE_LENGTH-1] = '\0'; + + for (line = 0; line < NETSCREEN_HEADER_LINES_TO_CHECK; line++) { + if (file_gets(buf, NETSCREEN_LINE_LENGTH, wth->fh) != NULL) { + + reclen = strlen(buf); + if (reclen < strlen(NETSCREEN_HDR_MAGIC_STR1) || + reclen < strlen(NETSCREEN_HDR_MAGIC_STR2)) { + continue; + } + + if (strstr(buf, NETSCREEN_HDR_MAGIC_STR1) || + strstr(buf, NETSCREEN_HDR_MAGIC_STR2)) { + return TRUE; + } + } else { + /* EOF or error. */ + if (file_eof(wth->fh)) + *err = 0; + else + *err = file_error(wth->fh); + return FALSE; + } + } + *err = 0; + return FALSE; +} + + +int netscreen_open(wtap *wth, int *err, gchar **err_info _U_) +{ + + /* Look for a NetScreen snoop header line */ + if (!netscreen_check_file_type(wth, err)) { + if (*err == 0) + return 0; + else + return -1; + } + + if (file_seek(wth->fh, 0L, SEEK_SET, err) == -1) /* rewind */ + return -1; + + wth->data_offset = 0; + wth->file_encap = WTAP_ENCAP_PER_PACKET; + wth->file_type = WTAP_FILE_NETSCREEN; + wth->snapshot_length = 0; /* not known */ + wth->subtype_read = netscreen_read; + wth->subtype_seek_read = netscreen_seek_read; + wth->tsprecision = WTAP_FILE_TSPREC_DSEC; + + return 1; +} + +/* Find the next packet and parse it; called from wtap_read(). */ +static gboolean netscreen_read(wtap *wth, int *err, gchar **err_info, + gint64 *data_offset) +{ + gint64 offset; + guint8 *buf; + int pkt_len, caplen; + char line[NETSCREEN_LINE_LENGTH]; + char cap_int[NETSCREEN_MAX_INT_NAME_LENGTH]; + gboolean cap_dir; + + /* Find the next packet */ + offset = netscreen_seek_next_packet(wth, err, line); + if (offset < 0) + return FALSE; + + /* Parse the header */ + pkt_len = parse_netscreen_rec_hdr(wth, line, cap_int, &cap_dir, + &wth->pseudo_header, err, err_info); + if (pkt_len == -1) + return FALSE; + + /* Make sure we have enough room for the packet */ + buffer_assure_space(wth->frame_buffer, NETSCREEN_MAX_PACKET_LEN); + buf = buffer_start_ptr(wth->frame_buffer); + + /* Convert the ASCII hex dump to binary data */ + if ((caplen = parse_netscreen_hex_dump(wth->fh, pkt_len, buf, err, + err_info)) == -1) { + return FALSE; + } + + if (strncmp(cap_int, "adsl", 4) == 0) + wth->phdr.pkt_encap = WTAP_ENCAP_PPP; + else if (strncmp(cap_int, "seri", 4) == 0) + wth->phdr.pkt_encap = WTAP_ENCAP_PPP; + else + wth->phdr.pkt_encap = WTAP_ENCAP_ETHERNET; + + wth->data_offset = offset; + wth->phdr.caplen = caplen; + *data_offset = offset; + return TRUE; +} + +/* Used to read packets in random-access fashion */ +static gboolean +netscreen_seek_read (wtap *wth, gint64 seek_off, + union wtap_pseudo_header *pseudo_header, guint8 *pd, int len, + int *err, gchar **err_info) +{ + char line[NETSCREEN_LINE_LENGTH]; + char cap_int[NETSCREEN_MAX_INT_NAME_LENGTH]; + gboolean cap_dir; + + if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1) { + return FALSE; + } + + if (file_gets(line, NETSCREEN_LINE_LENGTH, wth->random_fh) == NULL) { + *err = file_error(wth->random_fh); + if (*err == 0) { + *err = WTAP_ERR_SHORT_READ; + } + return FALSE; + } + + if (parse_netscreen_rec_hdr(NULL, line, cap_int, &cap_dir, pseudo_header, + err, err_info) == -1) { + return FALSE; + } + + return parse_netscreen_hex_dump(wth->random_fh, len, pd, err, err_info); +} + +/* Parses a packet record header. There are a few possible formats: + * + * XXX list extra formats here! +6843828.0: trust(o) len=98:00121ebbd132->00600868d659/0800 + 192.168.1.1 -> 192.168.1.10/6 + vhl=45, tos=00, id=37739, frag=0000, ttl=64 tlen=84 + tcp:ports 2222->2333, seq=3452113890, ack=1540618280, flag=5018/ACK + 00 60 08 68 d6 59 00 12 1e bb d1 32 08 00 45 00 .`.h.Y.....2..E. + 00 54 93 6b 00 00 40 06 63 dd c0 a8 01 01 c0 a8 .T.k..@.c....... + 01 0a 08 ae 09 1d cd c3 13 e2 5b d3 f8 28 50 18 ..........[..(P. + 1f d4 79 21 00 00 e7 76 89 64 16 e2 19 0a 80 09 ..y!...v.d...... + 31 e7 04 28 04 58 f3 d9 b1 9f 3d 65 1a db d8 61 1..(.X....=e...a + 2c 21 b6 d3 20 60 0c 8c 35 98 88 cf 20 91 0e a9 ,!...`..5....... + 1d 0b .. + + + */ +static int +parse_netscreen_rec_hdr(wtap *wth, const char *line, char *cap_int, gboolean *cap_dir, + union wtap_pseudo_header *pseudo_header _U_, int *err, gchar **err_info) +{ + int sec; + int dsec, pkt_len; + char direction[2]; + + if (sscanf(line, "%d.%d: %[a-z0-9](%[io]) len=%d:", + &sec, &dsec, cap_int, direction, &pkt_len) != 5) { + *err = WTAP_ERR_BAD_RECORD; + *err_info = g_strdup("netscreen: Can't parse packet-header"); + return -1; + } + + *cap_dir = (direction[0] == 'o' ? NETSCREEN_EGRESS : NETSCREEN_INGRESS); + + if (wth) { + wth->phdr.ts.secs = sec; + wth->phdr.ts.nsecs = dsec * 100000000; + wth->phdr.len = pkt_len; + } + + return pkt_len; +} + +/* Converts ASCII hex dump to binary data. Returns the capture length. + If any error is encountered, -1 is returned. */ +static int +parse_netscreen_hex_dump(FILE_T fh, int pkt_len, guint8* buf, int *err, gchar **err_info) +{ + gchar line[NETSCREEN_LINE_LENGTH]; + int n, i = 0, offset = 0; + + while(1) { + if (file_gets(line, NETSCREEN_LINE_LENGTH, fh) == NULL) { + *err = file_error(fh); + if (*err == 0) { + *err = WTAP_ERR_SHORT_READ; + } + return -1; + } + + /* packeta are delimited with empty lines */ + if (empty_line(line)) { + break; + } + + /* terminate the line before the ascii-data to prevent the + * parser from parsing one or more extra bytes from the + * ascii-data. + * Check for longer lines to prevent wireless hexdumps to + * be cut in the middle (they can have 14 extra spaces + * before the hex-data) + */ + if(strlen(line) != 98) + line[62] = '\0'; + else + line[76] = '\0'; + + n = parse_single_hex_dump_line(line, buf, offset); + + /* the smallest packet has a length of 6 bytes, if + * the first hex-data is less then check whether + * it is a info-line and act accordingly + */ + if (offset == 0 && n < 6) { + if (info_line(line)) { + if (++i <= NETSCREEN_MAX_INFOLINES) { + continue; + } + } else { + *err = WTAP_ERR_BAD_RECORD; + *err_info = g_strdup("netscreen: cannot parse hex-data"); + return -1; + } + } + + /* If there is no more data and the line was not empty, + * then there must be an error in the file + */ + if(n == -1) { + *err = WTAP_ERR_BAD_RECORD; + *err_info = g_strdup("netscreen: cannot parse hex-data"); + return -1; + } + + /* Adjust the offset to the data that was just added to the buffer */ + offset += n; + + /* If there was more hex-data than was announced in the len=x + * header, then then there must be an error in the file + */ + if(offset > pkt_len) { + *err = WTAP_ERR_BAD_RECORD; + *err_info = g_strdup("netscreen: to much hex-data"); + return -1; + } + } + return offset; +} + + +/* Take a string representing one line from a hex dump and converts + * the text to binary data. We place the bytes in the buffer at the + * specified offset. + * + * Returns number of bytes successfully read, -1 if bad. */ +static int +parse_single_hex_dump_line(char* rec, guint8 *buf, guint byte_offset) +{ + int num_items_scanned, i; + unsigned int bytes[16]; + + num_items_scanned = sscanf(rec, "%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x", + &bytes[0], &bytes[1], &bytes[2], &bytes[3], + &bytes[4], &bytes[5], &bytes[6], &bytes[7], + &bytes[8], &bytes[9], &bytes[10], &bytes[11], + &bytes[12], &bytes[13], &bytes[14], &bytes[15]); + if (num_items_scanned == 0) + return -1; + + if (num_items_scanned > 16) + num_items_scanned = 16; + + for (i=0; i<num_items_scanned; i++) { + buf[byte_offset + i] = (guint8)bytes[i]; + } + + return num_items_scanned; +} diff --git a/wiretap/netscreen.h b/wiretap/netscreen.h new file mode 100644 index 0000000000..983e1373f3 --- /dev/null +++ b/wiretap/netscreen.h @@ -0,0 +1,51 @@ +/* netscreen.h + * + * Juniper NetScreen snoop output parser + * Created by re-using a lot of code from cosine.c + * Copyright (c) 2007 by Sake Blok <sake@euronet.nl> + * + * Wiretap Library + * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu> + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + */ + +#ifndef __W_NETSCREEN_H__ +#define __W_NETSCREEN_H__ + +/* Magic text to check for NetScreen snoop output */ +#define NETSCREEN_HDR_MAGIC_STR1 "(i) len=" +#define NETSCREEN_HDR_MAGIC_STR2 "(o) len=" + +/* Magic text for start of packet */ +#define NETSCREEN_REC_MAGIC_STR1 NETSCREEN_HDR_MAGIC_STR1 +#define NETSCREEN_REC_MAGIC_STR2 NETSCREEN_HDR_MAGIC_STR2 + +#define NETSCREEN_LINE_LENGTH 128 +#define NETSCREEN_HEADER_LINES_TO_CHECK 32 +#define NETSCREEN_MAX_INFOLINES 8 +#define NETSCREEN_SPACES_ON_INFO_LINE 14 +#define NETSCREEN_MAX_INT_NAME_LENGTH 16 + +#define NETSCREEN_INGRESS FALSE +#define NETSCREEN_EGRESS TRUE + + +#define NETSCREEN_MAX_PACKET_LEN 65536 + +int netscreen_open(wtap *wth, int *err, gchar **err_info); + +#endif diff --git a/wiretap/wtap.h b/wiretap/wtap.h index d3fde5fe6e..e6fd162651 100644 --- a/wiretap/wtap.h +++ b/wiretap/wtap.h @@ -246,6 +246,7 @@ extern "C" { #define WTAP_FILE_AIROPEEK_V9 45 #define WTAP_FILE_MPEG 46 #define WTAP_FILE_K12TEXT 47 +#define WTAP_FILE_NETSCREEN 48 #define WTAP_NUM_FILE_TYPES wtap_get_num_file_types() |