author | guy <guy@f5534014-38df-0310-8fa8-9805f1628bb7> | 2002-11-09 07:31:17 +0000 |
committer | guy <guy@f5534014-38df-0310-8fa8-9805f1628bb7> | 2002-11-09 07:31:17 +0000 |
commit | 3c4203b15c6cdd53e48ea6de81ff4c61968e067a (patch) | |
tree | 3b1b8b2d33975e82e9d4622efd3c821a2aa521a6 /wiretap | |
parent | 789c016d2061b0653bb335070b11b510714de9f4 (diff) |
Attempt to handle REC_HEADER2 records in major version 2 DOS Sniffer
captures.
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@6591 f5534014-38df-0310-8fa8-9805f1628bb7
Diffstat (limited to 'wiretap')
-rw-r--r-- | wiretap/ngsniffer.c | 184 |
1 files changed, 128 insertions, 56 deletions
diff --git a/wiretap/ngsniffer.c b/wiretap/ngsniffer.c
index e914994783..0cbc8b7be0 100644
--- a/wiretap/ngsniffer.c
+++ b/wiretap/ngsniffer.c
@@ -1,6 +1,6 @@
 /* ngsniffer.c
 *
- * $Id: ngsniffer.c,v 1.88 2002/11/01 08:18:36 guy Exp $
+ * $Id: ngsniffer.c,v 1.89 2002/11/09 07:31:17 guy Exp $
 *
 * Wiretap Library
 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
@@ -294,6 +294,10 @@ static double Usec[] = { 15.0, 0.838096, 15.0, 0.5, 2.0, 1.0, 0.1 };
 
 static int process_header_records(wtap *wth, int *err, gint16 version,
 gboolean *is_router);
+static int process_rec_header2_v2(wtap *wth, unsigned char *buffer,
+ guint16 length, int *err);
+static int process_rec_header2_v4(wtap *wth, unsigned char *buffer,
+ guint16 length, gboolean *is_router, int *err);
 static gboolean ngsniffer_read(wtap *wth, int *err, long *data_offset);
 static gboolean ngsniffer_seek_read(wtap *wth, long seek_off,
 union wtap_pseudo_header *pseudo_header, guchar *pd, int packet_size,
@@ -532,7 +536,7 @@ process_header_records(wtap *wth, int *err, gint16 version, gboolean *is_router)
 the last 2 are "reserved" and are thrown away */
 guint16 type, length;
 int bytes_to_read;
- unsigned char buffer[32];
+ unsigned char buffer[256];
 
 *is_router = FALSE;
 for (;;) {
@@ -580,21 +584,21 @@ process_header_records(wtap *wth, int *err, gint16 version, gboolean *is_router)
 length = pletohs(record_length);
 
 /*
- * Is this a version 4 capture, is this a REC_HEADER2
- * record, and do we not yet know the encapsulation
- * type (i.e., is this is an "Internetwork analyzer"
- * capture?
+ * Do we not yet know the encapsulation type (i.e., is
+ * this is an "Internetwork analyzer" capture?), and
+ * is this a REC_HEADER2 record?
+ *
+ * If so, it appears to specify the particular type
+ * of network we're on.
 *
 * If so, the 5th byte of the record appears to specify
 * the particular type of network we're on.
 */
- if (version == 4 && type == REC_HEADER2 &&
- wth->file_encap == WTAP_ENCAP_PER_PACKET) {
+ if (wth->file_encap == WTAP_ENCAP_PER_PACKET &&
+ type == REC_HEADER2) {
 /*
- * Yes, get the first 32 bytes of the record
- * data. (The record appears to have only
- * 8 bytes of data in all the captures I've
- * seen.)
+ * Yes, get the first up-to-256 bytes of the
+ * record data.
 */
 bytes_to_read = MIN(length, sizeof buffer);
 bytes_read = file_read(buffer, 1, bytes_to_read,
@@ -606,6 +610,22 @@ process_header_records(wtap *wth, int *err, gint16 version, gboolean *is_router)
 return -1;
 }
 }
+
+ switch (version) {
+
+ case 2:
+ if (process_rec_header2_v2(wth, buffer,
+ length, err) < 0)
+ return -1;
+ break;
+
+ case 4:
+ if (process_rec_header2_v4(wth, buffer,
+ length, is_router, err) < 0)
+ return -1;
+ break;
+ }
+
 /*
 * Skip the rest of the record.
 */
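Review bot: The retained context lines `* If so, the 5th byte of the record appears to specify` / `* the particular type of network we're on.` now directly follow the new sentence `If so, it appears to specify the particular type of network we're on.`, so the comment states the same thing twice, and the "5th byte" remark is only true of the version-4 path now that version 2 is handled as well. I would drop those two old lines, since process_rec_header2_v4 in the last hunk already carries the 5th-byte explanation. The typo `is this is an "Internetwork analyzer" capture?` was carried into the added text; `is this an` reads correctly. process_header_records begins and ends outside this hunk.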
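Review bot: Both new handler calls pass the record's `length` rather than the number of bytes actually read into `buffer`, which the preceding hunk sets as `bytes_to_read = MIN(length, sizeof buffer)`; for a record longer than 256 bytes the handlers are told they may use more data than the 256-byte stack buffer holds, and the `%.*s` message in process_rec_header2_v2 (last hunk) can then read past the end of `buffer`. Passing the bytes present — `length, err) < 0)` → `bytes_to_read, err) < 0)` and `length, is_router, err) < 0)` → `bytes_to_read, is_router, err) < 0)` — keeps both handlers within the buffer, and the `length < 5` and `length < sizeof x_25_str - 1` checks keep their meaning because bytes_to_read only differs from length when it is 256. The `switch (version)` has no `default`, so any other major version silently leaves file_encap as per-packet; if that is intended, a `default: break; /* other versions: encapsulation stays per-packet */` would say so. The enclosing function starts and ends outside the hunk.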
@@ -615,50 +635,6 @@ process_header_records(wtap *wth, int *err, gint16 version, gboolean *is_router)
 return -1;
 }
 
- /*
- * The X.25 captures I've seen have a type of
- * NET_HDLC; however, I've seen both PPP and
- * ISDN captures with a type of NET_ROUTER.
- *
- * For now, we interpret NET_HDLC as X.25 (LAPB)
- * and NET_ROUTER as "per-packet encapsulation".
- * We remember that we saw NET_ROUTER, though,
- * as it appears that we can infer whether
- * a packet is PPP or ISDN based on the
- * channel number subfield of the frame error
- * status bits - if it's 0, it's PPP, otherwise
- * it's ISDN and the channel number indicates
- * which channel it is.
- */
- switch (buffer[4]) {
-
- case NET_HDLC:
- wth->file_encap = WTAP_ENCAP_LAPB;
- break;
-
- case NET_FRAME_RELAY:
- wth->file_encap = WTAP_ENCAP_FRELAY;
- break;
-
- case NET_ROUTER:
- wth->file_encap = WTAP_ENCAP_PER_PACKET;
- *is_router = TRUE;
- break;
-
- case NET_PPP:
- wth->file_encap = WTAP_ENCAP_PPP_WITH_PHDR;
- break;
-
- default:
- /*
- * Reject these until we can figure them
- * out.
- */
- g_message("ngsniffer: WAN network subtype %u unknown or unsupported",
- buffer[4]);
- *err = WTAP_ERR_UNSUPPORTED_ENCAP;
- return -1;
- }
 } else {
 /* Nope, just skip over the data. */
 if (file_seek(wth->fh, length, SEEK_CUR, err) == -1)
@@ -668,6 +644,102 @@ process_header_records(wtap *wth, int *err, gint16 version, gboolean *is_router)
 }
 }
 
+static int
+process_rec_header2_v2(wtap *wth, unsigned char *buffer, guint16 length,
+ int *err)
+{
+ static const char x_25_str[] = "HDLC\nX.25\n";
+
+ /*
+ * There appears to be a string in a REC_HEADER2 record, with
+ * a list of protocols. In one X.25 capture I've seen, the
+ * string was "HDLC\nX.25\nCLNP\nISO_TP\nSESS\nPRES\nVTP\nACSE".
+ * Presumably CLNP and everything else is per-packet, but
+ * we assume "HDLC\nX.25\n" indicates that it's an X.25 capture.
+ */
+ if (length < sizeof x_25_str - 1) {
+ /*
+ * There's not enough data to compare.
+ */
+ g_message("ngsniffer: WAN capture has too-short protocol list");
+ *err = WTAP_ERR_UNSUPPORTED_ENCAP;
+ return -1;
+ }
+
+ if (strncmp(buffer, x_25_str, sizeof x_25_str - 1) == 0) {
+ /*
+ * X.25.
+ */
+ wth->file_encap = WTAP_ENCAP_LAPB;
+ } else {
+ g_message("ngsniffer: WAN capture protocol string %.*s unknown",
+ length, buffer);
+ *err = WTAP_ERR_UNSUPPORTED_ENCAP;
+ return -1;
+ }
+ return 0;
+}
+
+static int
+process_rec_header2_v4(wtap *wth, unsigned char *buffer, guint16 length,
+ gboolean *is_router, int *err)
+{
+ /*
+ * The 5th byte of the REC_HEADER2 record appears to be a
+ * network type.
+ */
+ if (length < 5) {
+ /*
+ * There is no 5th byte; give up.
+ */
+ g_message("ngsniffer: WAN capture has no network subtype");
+ *err = WTAP_ERR_UNSUPPORTED_ENCAP;
+ return -1;
+ }
+
+ /*
+ * The X.25 captures I've seen have a type of NET_HDLC;
+ * however, I've seen both PPP and ISDN captures with a
+ * type of NET_ROUTER.
+ *
+ * For now, we interpret NET_HDLC as X.25 (LAPB) and NET_ROUTER
+ * as "per-packet encapsulation". We remember that we saw
+ * NET_ROUTER, though, as it appears that we can infer whether
+ * a packet is PPP or ISDN based on the channel number subfield
+ * of the frame error status bits - if it's 0, it's PPP, otherwise
+ * it's ISDN and the channel number indicates which channel it is.
+ */
+ switch (buffer[4]) {
+
+ case NET_HDLC:
+ wth->file_encap = WTAP_ENCAP_LAPB;
+ break;
+
+ case NET_FRAME_RELAY:
+ wth->file_encap = WTAP_ENCAP_FRELAY;
+ break;
+
+ case NET_ROUTER:
+ wth->file_encap = WTAP_ENCAP_PER_PACKET;
+ *is_router = TRUE;
+ break;
+
+ case NET_PPP:
+ wth->file_encap = WTAP_ENCAP_PPP_WITH_PHDR;
+ break;
+
+ default:
+ /*
+ * Reject these until we can figure them out.
+ */
+ g_message("ngsniffer: WAN network subtype %u unknown or unsupported",
+ buffer[4]);
+ *err = WTAP_ERR_UNSUPPORTED_ENCAP;
+ return -1;
+ }
+ return 0;
+}
+
 /* Read the next packet */
 static gboolean ngsniffer_read(wtap *wth, int *err, long *data_offset)
 { |
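Review bot: `strncmp(buffer, x_25_str, sizeof x_25_str - 1)` in process_rec_header2_v2 passes the `unsigned char *buffer` parameter where strncmp expects `const char *`, which compilers report as an incompatible pointer type; `if (strncmp((const char *)buffer, x_25_str, sizeof x_25_str - 1) == 0) {` removes the diagnostic without changing the parameter type its caller already uses. The failure path's `%.*s` prints the protocol list exactly as it appears in the capture file, embedded newlines included, and the precision it is given is the record length rather than the number of bytes that were read into the caller's 256-byte buffer, so the message can run past the data actually present; a comment such as `/* protocol list comes straight from the file: may be unterminated and contain newlines */` above the g_message, together with bounding the precision to what was read, would make the limits of that message explicit. The `length < 5` guard in process_rec_header2_v4 is correct for indexing `buffer[4]`, but documenting in the function header that `length` is expected to be the bytes available in `buffer`, not the on-disk record length, would tie the two checks to the contract the caller must honour.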