1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
|
/* iptrace.c
*
* $Id: iptrace.c,v 1.24 2000/01/22 06:22:37 guy Exp $
*
* Wiretap Library
* Copyright (c) 1998 by Gilbert Ramirez <gram@xiexie.org>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
*/
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include <stdlib.h>
#include <errno.h>
#include <time.h>
#include <string.h>
#include "wtap.h"
#include "file_wrappers.h"
#include "buffer.h"
#include "iptrace.h"
static int iptrace_read_1_0(wtap *wth, int *err);
static int iptrace_read_2_0(wtap *wth, int *err);
static int wtap_encap_ift(unsigned int ift);
static void get_atm_pseudo_header(wtap *wth, guint8 *header, guint8 *pd);
int iptrace_open(wtap *wth, int *err)
{
int bytes_read;
char name[12];
file_seek(wth->fh, 0, SEEK_SET);
wth->data_offset = 0;
errno = WTAP_ERR_CANT_READ;
bytes_read = file_read(name, 1, 11, wth->fh);
if (bytes_read != 11) {
*err = file_error(wth->fh);
if (*err != 0)
return -1;
return 0;
}
wth->data_offset += 11;
name[11] = 0;
if (strcmp(name, "iptrace 1.0") == 0) {
wth->file_type = WTAP_FILE_IPTRACE_1_0;
wth->subtype_read = iptrace_read_1_0;
}
else if (strcmp(name, "iptrace 2.0") == 0) {
wth->file_type = WTAP_FILE_IPTRACE_2_0;
wth->subtype_read = iptrace_read_2_0;
}
else {
return 0;
}
return 1;
}
/***********************************************************
* iptrace 1.0 *
***********************************************************/
/* iptrace 1.0, discovered through inspection */
typedef struct {
/* 0-3 */ guint32 pkt_length; /* packet length + 0x16 */
/* 4-7 */ guint32 tv_sec; /* time stamp, seconds since the Epoch */
/* 8-11 */ guint32 junk1; /* ???, not time */
/* 12-15 */ char if_name[4]; /* null-terminated */
/* 16-27 */ char junk2[12]; /* ??? */
/* 28 */ guint8 if_type; /* BSD net/if_types.h */
/* 29 */ guint8 tx_flag; /* 0=receive, 1=transmit */
} iptrace_1_0_phdr;
/* Read the next packet */
static int iptrace_read_1_0(wtap *wth, int *err)
{
int bytes_read;
int data_offset;
guint32 packet_size;
guint8 header[30];
guint8 *data_ptr;
iptrace_1_0_phdr pkt_hdr;
/* Read the descriptor data */
errno = WTAP_ERR_CANT_READ;
bytes_read = file_read(header, 1, 30, wth->fh);
if (bytes_read != 30) {
*err = file_error(wth->fh);
if (*err != 0)
return -1;
if (bytes_read != 0) {
*err = WTAP_ERR_SHORT_READ;
return -1;
}
return 0;
}
wth->data_offset += 30;
/* Read the packet data */
packet_size = pntohl(&header[0]) - 0x16;
buffer_assure_space( wth->frame_buffer, packet_size );
data_offset = wth->data_offset;
errno = WTAP_ERR_CANT_READ;
data_ptr = buffer_start_ptr( wth->frame_buffer );
bytes_read = file_read( data_ptr, 1, packet_size, wth->fh );
if (bytes_read != packet_size) {
*err = file_error(wth->fh);
if (*err == 0)
*err = WTAP_ERR_SHORT_READ;
return -1;
}
wth->data_offset += packet_size;
/* AIX saves time in nsec, not usec. It's easier to make iptrace
* files more Unix-compliant here than try to get the calling
* program to know when to use nsec or usec */
wth->phdr.len = packet_size;
wth->phdr.caplen = packet_size;
wth->phdr.ts.tv_sec = pntohl(&header[4]);
wth->phdr.ts.tv_usec = 0;
/*
* Byte 28 of the frame header appears to be a BSD-style IFT_xxx
* value giving the type of the interface. Check out the
* <net/if_types.h> header file.
*/
pkt_hdr.if_type = header[28];
wth->phdr.pkt_encap = wtap_encap_ift(pkt_hdr.if_type);
if (wth->phdr.pkt_encap == WTAP_ENCAP_UNKNOWN) {
g_message("iptrace: interface type IFT=0x%02x unknown or unsupported",
pkt_hdr.if_type);
*err = WTAP_ERR_UNSUPPORTED;
return -1;
}
if ( wth->phdr.pkt_encap == WTAP_ENCAP_ATM_SNIFFER ) {
get_atm_pseudo_header(wth, header, data_ptr);
}
/* If the per-file encapsulation isn't known, set it to this
packet's encapsulation.
If it *is* known, and it isn't this packet's encapsulation,
set it to WTAP_ENCAP_PER_PACKET, as this file doesn't
have a single encapsulation for all packets in the file. */
if (wth->file_encap == WTAP_ENCAP_UNKNOWN)
wth->file_encap = wth->phdr.pkt_encap;
else {
if (wth->file_encap != wth->phdr.pkt_encap)
wth->file_encap = WTAP_ENCAP_PER_PACKET;
}
return data_offset;
}
/***********************************************************
* iptrace 2.0 *
***********************************************************/
/* iptrace 2.0, discovered through inspection */
typedef struct {
/* 0-3 */ guint32 pkt_length; /* packet length + 32 */
/* 4-7 */ guint32 tv_sec0; /* time stamp, seconds since the Epoch */
/* 8-11 */ guint32 junk1; /* ?? */
/* 12-15 */ char if_name[4]; /* null-terminated */
/* 16-27 */ char if_desc[12]; /* interface description. */
/* 28 */ guint8 if_type; /* BSD net/if_types.h */
/* 29 */ guint8 tx_flag; /* 0=receive, 1=transmit */
/* 30-31 */ guint16 junk3;
/* 32-35 */ guint32 tv_sec; /* time stamp, seconds since the Epoch */
/* 36-39 */ guint32 tv_nsec; /* nanoseconds since that second */
} iptrace_2_0_phdr;
/* Read the next packet */
static int iptrace_read_2_0(wtap *wth, int *err)
{
int bytes_read;
int data_offset;
guint32 packet_size;
guint8 header[40];
guint8 *data_ptr;
iptrace_2_0_phdr pkt_hdr;
/* Read the descriptor data */
errno = WTAP_ERR_CANT_READ;
bytes_read = file_read(header, 1, 40, wth->fh);
if (bytes_read != 40) {
*err = file_error(wth->fh);
if (*err != 0)
return -1;
if (bytes_read != 0) {
*err = WTAP_ERR_SHORT_READ;
return -1;
}
return 0;
}
wth->data_offset += 40;
/* Read the packet data */
packet_size = pntohl(&header[0]) - 32;
buffer_assure_space( wth->frame_buffer, packet_size );
data_offset = wth->data_offset;
errno = WTAP_ERR_CANT_READ;
data_ptr = buffer_start_ptr( wth->frame_buffer );
bytes_read = file_read( data_ptr, 1, packet_size, wth->fh );
if (bytes_read != packet_size) {
*err = file_error(wth->fh);
if (*err == 0)
*err = WTAP_ERR_SHORT_READ;
return -1;
}
wth->data_offset += packet_size;
/* AIX saves time in nsec, not usec. It's easier to make iptrace
* files more Unix-compliant here than try to get the calling
* program to know when to use nsec or usec */
wth->phdr.len = packet_size;
wth->phdr.caplen = packet_size;
wth->phdr.ts.tv_sec = pntohl(&header[32]);
wth->phdr.ts.tv_usec = pntohl(&header[36]) / 1000;
/*
* Byte 28 of the frame header appears to be a BSD-style IFT_xxx
* value giving the type of the interface. Check out the
* <net/if_types.h> header file.
*/
pkt_hdr.if_type = header[28];
wth->phdr.pkt_encap = wtap_encap_ift(pkt_hdr.if_type);
if (wth->phdr.pkt_encap == WTAP_ENCAP_UNKNOWN) {
g_message("iptrace: interface type IFT=0x%02x unknown or unsupported",
pkt_hdr.if_type);
*err = WTAP_ERR_UNSUPPORTED;
return -1;
}
if ( wth->phdr.pkt_encap == WTAP_ENCAP_ATM_SNIFFER ) {
get_atm_pseudo_header(wth, header, data_ptr);
}
/* If the per-file encapsulation isn't known, set it to this
packet's encapsulation.
If it *is* known, and it isn't this packet's encapsulation,
set it to WTAP_ENCAP_PER_PACKET, as this file doesn't
have a single encapsulation for all packets in the file. */
if (wth->file_encap == WTAP_ENCAP_UNKNOWN)
wth->file_encap = wth->phdr.pkt_encap;
else {
if (wth->file_encap != wth->phdr.pkt_encap)
wth->file_encap = WTAP_ENCAP_PER_PACKET;
}
return data_offset;
}
/*
* Fill in the pseudo-header information we can; alas, "iptrace" doesn't
* tell us what type of traffic is in the packet - it was presumably
* run on a machine that was one of the endpoints of the connection, so
* in theory it could presumably have told us, but, for whatever reason,
* it failed to do so - perhaps the low-level mechanism that feeds the
* presumably-AAL5 frames to us doesn't have access to that information
* (e.g., because it's in the ATM driver, and the ATM driver merely knows
* that stuff on VPI/VCI X.Y should be handed up to some particular
* client, it doesn't know what that client is).
*
* We let our caller try to figure out what kind of traffic it is, either
* by guessing based on the VPI/VCI, guessing based on the header of the
* packet, seeing earlier traffic that set up the circuit and specified
* in some fashion what sort of traffic it is, or being told by the user.
*/
static void
get_atm_pseudo_header(wtap *wth, guint8 *header, guint8 *pd)
{
char if_text[9];
char *decimal;
int Vpi = 0;
int Vci = 0;
/* Rip apart the "x.y" text into Vpi/Vci numbers */
memcpy(if_text, &header[20], 8);
if_text[8] = '\0';
decimal = strchr(if_text, '.');
if (decimal) {
*decimal = '\0';
Vpi = strtoul(if_text, NULL, 10);
decimal++;
Vci = strtoul(decimal, NULL, 10);
}
wth->phdr.pseudo_header.ngsniffer_atm.Vpi = Vpi;
wth->phdr.pseudo_header.ngsniffer_atm.Vci = Vci;
/*
* OK, which value means "DTE->DCE" and which value means
* "DCE->DTE"?
*/
wth->phdr.pseudo_header.ngsniffer_atm.channel = header[29];
/* We don't have this information */
wth->phdr.pseudo_header.ngsniffer_atm.cells = 0;
wth->phdr.pseudo_header.ngsniffer_atm.aal5t_u2u = 0;
wth->phdr.pseudo_header.ngsniffer_atm.aal5t_len = 0;
wth->phdr.pseudo_header.ngsniffer_atm.aal5t_chksum = 0;
/* Assume it's AAL5 traffic, but indicate that we don't know what
it is beyond that. */
wth->phdr.pseudo_header.ngsniffer_atm.AppTrafType =
ATT_AAL5|ATT_HL_UNKNOWN;
wth->phdr.pseudo_header.ngsniffer_atm.AppHLType = AHLT_UNKNOWN;
}
/* Given an RFC1573 (SNMP ifType) interface type,
* return the appropriate Wiretap Encapsulation Type.
*/
static int
wtap_encap_ift(unsigned int ift)
{
static const int ift_encap[] = {
/* 0x0 */ WTAP_ENCAP_UNKNOWN, /* nothing */
/* 0x1 */ WTAP_ENCAP_UNKNOWN, /* IFT_OTHER */
/* 0x2 */ WTAP_ENCAP_UNKNOWN, /* IFT_1822 */
/* 0x3 */ WTAP_ENCAP_UNKNOWN, /* IFT_HDH1822 */
/* 0x4 */ WTAP_ENCAP_RAW_IP, /* IFT_X25DDN */
/* 0x5 */ WTAP_ENCAP_UNKNOWN, /* IFT_X25 */
/* 0x6 */ WTAP_ENCAP_ETHERNET, /* IFT_ETHER */
/* 0x7 */ WTAP_ENCAP_UNKNOWN, /* IFT_ISO88023 */
/* 0x8 */ WTAP_ENCAP_UNKNOWN, /* IFT_ISO88024 */
/* 0x9 */ WTAP_ENCAP_TR, /* IFT_ISO88025 */
/* 0xa */ WTAP_ENCAP_UNKNOWN, /* IFT_ISO88026 */
/* 0xb */ WTAP_ENCAP_UNKNOWN, /* IFT_STARLAN */
/* 0xc */ WTAP_ENCAP_UNKNOWN, /* IFT_P10 */
/* 0xd */ WTAP_ENCAP_UNKNOWN, /* IFT_P80 */
/* 0xe */ WTAP_ENCAP_UNKNOWN, /* IFT_HY */
/* 0xf */ WTAP_ENCAP_FDDI_BITSWAPPED, /* IFT_FDDI */
/* 0x10 */ WTAP_ENCAP_LAPB, /* IFT_LAPB */ /* no data to back this up */
/* 0x11 */ WTAP_ENCAP_UNKNOWN, /* IFT_SDLC */
/* 0x12 */ WTAP_ENCAP_UNKNOWN, /* IFT_T1 */
/* 0x13 */ WTAP_ENCAP_UNKNOWN, /* IFT_CEPT */
/* 0x14 */ WTAP_ENCAP_UNKNOWN, /* IFT_ISDNBASIC */
/* 0x15 */ WTAP_ENCAP_UNKNOWN, /* IFT_ISDNPRIMARY */
/* 0x16 */ WTAP_ENCAP_UNKNOWN, /* IFT_PTPSERIAL */
/* 0x17 */ WTAP_ENCAP_UNKNOWN, /* IFT_PPP */
/* 0x18 */ WTAP_ENCAP_RAW_IP, /* IFT_LOOP */
/* 0x19 */ WTAP_ENCAP_UNKNOWN, /* IFT_EON */
/* 0x1a */ WTAP_ENCAP_UNKNOWN, /* IFT_XETHER */
/* 0x1b */ WTAP_ENCAP_UNKNOWN, /* IFT_NSIP */
/* 0x1c */ WTAP_ENCAP_UNKNOWN, /* IFT_SLIP */
/* 0x1d */ WTAP_ENCAP_UNKNOWN, /* IFT_ULTRA */
/* 0x1e */ WTAP_ENCAP_UNKNOWN, /* IFT_DS3 */
/* 0x1f */ WTAP_ENCAP_UNKNOWN, /* IFT_SIP */
/* 0x20 */ WTAP_ENCAP_UNKNOWN, /* IFT_FRELAY */
/* 0x21 */ WTAP_ENCAP_UNKNOWN, /* IFT_RS232 */
/* 0x22 */ WTAP_ENCAP_UNKNOWN, /* IFT_PARA */
/* 0x23 */ WTAP_ENCAP_UNKNOWN, /* IFT_ARCNET */
/* 0x24 */ WTAP_ENCAP_UNKNOWN, /* IFT_ARCNETPLUS */
/* 0x25 */ WTAP_ENCAP_ATM_SNIFFER, /* IFT_ATM */
};
#define NUM_IFT_ENCAPS (sizeof ift_encap / sizeof ift_encap[0])
if (ift < NUM_IFT_ENCAPS) {
return ift_encap[ift];
}
else {
return WTAP_ENCAP_UNKNOWN;
}
}
|
