-rw-r--r--doc/text2pcap.adoc63
-rw-r--r--docbook/release-notes.adoc3
-rw-r--r--text2pcap.c99
3 files changed, 124 insertions, 41 deletions
diff --git a/doc/text2pcap.adoc b/doc/text2pcap.adoc
index f499cd56bd..874dc3bf72 100644
--- a/doc/text2pcap.adoc
+++ b/doc/text2pcap.adoc
@@ -17,6 +17,7 @@ text2pcap - Generate a capture file from an ASCII hexdump of packets
[ *-b* 2|8|16|64 ]
[ *-D* ]
[ *-e* <l3pid> ]
+[ *-E* <encapsulation type> ]
[ *-F* <file format> ]
[ *-h* ]
[ *-i* <proto> ]
@@ -147,13 +148,14 @@ and hex encoding:
The regex is compiled with multiline support, and it is recommended to use
the anchors '^' and '$' for best results.
-*Text2pcap* also allows the user to read in dumps of
-application-level data, by inserting dummy L2, L3 and L4 headers
-before each packet. The user can elect to insert Ethernet headers,
-Ethernet and IP, or Ethernet, IP and UDP/TCP/SCTP headers before each
-packet. This allows Wireshark or any other full-packet decoder to
-handle these dumps. These encapsulation options can be used in both
-hexdump mode and regex mode.
+*Text2pcap* also allows the user to read in dumps of application-level
+data and insert dummy L2, L3 and L4 headers before each packet. This allows
+Wireshark or any other full-packet decoder to handle these dumps.
+If the encapsulation type is Ethernet, the user can elect to insert Ethernet
+headers, Ethernet and IP, or Ethernet, IP and UDP/TCP/SCTP headers before
+each packet. The fake headers can also be used with the Raw IP, Raw IPv4,
+or Raw IPv6 encapsulations, with the Ethernet header omitted. These
+encapsulation options can be used in both hexdump mode and regex mode.
When <__infile__> or <__outfile__> are '-', standard input or standard
output, respectively, are used.
@@ -182,11 +184,16 @@ in hexdump mode.
-D::
+
--
-The text before the packet may start either with an I or O indicating that
-the packet is inbound or outbound. This is used when generating dummy headers.
-The indication is only stored if the output format supports it (e.g. pcapng.)
+Indicates that the text before each input packet may start either with an I
+or O indicating that the packet is inbound or outbound. If both this flag
+and the __t__ flag are used, the directional indicator is expected before
+the time code.
This parameter has no effect in regex mode, where the presence of the `<dir>`
capturing group determines whether direction indicators are expected.
+
+Direction indication is stored in the packet headers if the output format
+supports it (e.g. pcapng), and is also used when generating dummy headers
+to swap the source and destination addresses and ports as appropriate.
--
-e <l3pid>::
@@ -198,13 +205,26 @@ for the Ethernet header in hex. Use this option if your dump has Layer
encapsulation. Example: __-e 0x806__ to specify an ARP packet.
For IP packets, instead of generating a fake Ethernet header you can
-also use __-l 101__ to indicate a raw IP packet to Wireshark. Note that
-__-l 101__ does not work for any non-IP Layer 3 packet (e.g. ARP),
-whereas generating a dummy Ethernet header with __-e__ works for any
-sort of L3 packet.
+also use __-E rawip__ or __-l 101__ to indicate raw IP encapsulation.
+Note that raw IP encapsulation does not work for any non-IP Layer 3 packet
+(e.g. ARP), whereas generating a dummy Ethernet header with __-e__ works
+for any sort of L3 packet.
+--
+
+-E <encapsulation type>::
++
+--
+Sets the packet encapsulation type of the output capture file.
+*text2pcap -E* provides a list of the available types; note that not
+all file formats support all encapsulation types. The default type is
+ether (Ethernet).
+
+*NOTE:* This sets the encapsulation type of the output file, but does
+not translate the packet headers or add additional headers. It is used
+to specify the encapsulation that matches the input data.
--
--F <file format>::
+-F <file format>::
+
--
Sets the file format of the output capture file. *Text2pcap* can write
@@ -232,15 +252,14 @@ https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml for
the complete list of assigned internet protocol numbers.
--
--l::
+-l <typenum>::
+
--
-Specify the link-layer header type of this packet. Default is Ethernet
-(1). See https://www.tcpdump.org/linktypes.html for the complete list
-of possible encapsulations. Note that this option should be used if
-your dump is a complete hex dump of an encapsulated packet and you wish
-to specify the exact type of encapsulation. Example: __-l 7__ for ARCNet
-packets encapsulated BSD-style.
+Sets the packet encapsulation type of the output capture file, using
+pcap link-layer header type numbers. Default is Ethernet (1).
+See https://www.tcpdump.org/linktypes.html for the complete list
+of possible encapsulations.
+Example: __-l 7__ for ARCNet packets encapsulated BSD-style.
--
-m <max-packet>::
diff --git a/docbook/release-notes.adoc b/docbook/release-notes.adoc
index 38f3884360..e783472e5e 100644
--- a/docbook/release-notes.adoc
+++ b/docbook/release-notes.adoc
@@ -62,6 +62,9 @@ They previously shipped with Npcap 1.55.
** text2pcap supports writing the output file in all the capture file formats
that wiretap library supports, using the same "-F" option as editcap,
mergecap, and tshark.
+** text2pcap supports selecting the encapsulation type of the output file
+ format using the wiretap library short names with an "-E" option, similiar
+ to the "-T" option of editcap.
** text2pcap has been updated to use the new logging output options and the
"-d" flag has been removed. The "debug" log level corresponds to the old
"-d" flag, and the "noisy" log level corresponds to using "-d" multiple times.
diff --git a/text2pcap.c b/text2pcap.c
index 627cbef61a..0d6718d638 100644
--- a/text2pcap.c
+++ b/text2pcap.c
@@ -86,6 +86,7 @@
#include <glib.h>
#include <wsutil/str_util.h>
+#include <wsutil/strnatcmp.h>
#include <wsutil/wslog.h>
#include <wsutil/ws_getopt.h>
@@ -162,9 +163,6 @@ static char *output_filename;
static wtap_dumper* wdh;
-/* Encapsulation type; see wiretap/wtap.h for details */
-static guint32 wtap_encap_type = 1; /* Default is WTAP_ENCAP_ETHERNET */
-
/*----------------------------------------------------------------------
* Print usage string and exit
*/
@@ -214,11 +212,13 @@ print_usage (FILE *output)
"Output:\n"
" -F <capture type> set the output file type; default is pcap.\n"
" an empty \"-F\" option will list the file types.\n"
- " -l <typenum> link-layer type number; default is 1 (Ethernet). See\n"
+ " -E <encap type> set the output file encapsulation type; default is\n"
+ " ether (Ethernet). An empty \"-E\" option will list\n"
+ " the encapsulation types.\n"
+ " -l <typenum> set the output file encapsulation type via link-layer\n"
+ " type number; default is 1 (Ethernet). See\n"
" https://www.tcpdump.org/linktypes.html for a list of\n"
- " numbers. Use this option if your dump is a complete\n"
- " hex dump of an encapsulated packet and you wish to\n"
- " specify the exact type of encapsulation.\n"
+ " numbers.\n"
" Example: -l 7 for ARCNet packets.\n"
" -m <max-packet> max packet length in output; default is %d\n"
" -n use pcapng instead of pcap as output format.\n"
@@ -289,16 +289,62 @@ set_hdr_ip_proto(guint8 ip_proto)
static void
list_capture_types(void) {
- GArray *writable_type_subtypes;
+ GArray *writable_type_subtypes;
- cmdarg_err("The available capture file types for the \"-F\" flag are:\n");
- writable_type_subtypes = wtap_get_writable_file_types_subtypes(FT_SORT_BY_NAME);
- for (guint i = 0; i < writable_type_subtypes->len; i++) {
- int ft = g_array_index(writable_type_subtypes, int, i);
- fprintf(stderr, " %s - %s\n", wtap_file_type_subtype_name(ft),
+ cmdarg_err("The available capture file types for the \"-F\" flag are:\n");
+ writable_type_subtypes = wtap_get_writable_file_types_subtypes(FT_SORT_BY_NAME);
+ for (guint i = 0; i < writable_type_subtypes->len; i++) {
+ int ft = g_array_index(writable_type_subtypes, int, i);
+ fprintf(stderr, " %s - %s\n", wtap_file_type_subtype_name(ft),
wtap_file_type_subtype_description(ft));
- }
- g_array_free(writable_type_subtypes, TRUE);
+ }
+ g_array_free(writable_type_subtypes, TRUE);
+}
+
+struct string_elem {
+ const char *sstr; /* The short string */
+ const char *lstr; /* The long string */
+};
+
+static gint
+string_nat_compare(gconstpointer a, gconstpointer b)
+{
+ return ws_ascii_strnatcmp(((const struct string_elem *)a)->sstr,
+ ((const struct string_elem *)b)->sstr);
+}
+
+static void
+string_elem_print(gpointer data, gpointer stream_ptr)
+{
+ fprintf((FILE *) stream_ptr, " %s - %s\n",
+ ((struct string_elem *)data)->sstr,
+ ((struct string_elem *)data)->lstr);
+}
+
+static void
+list_encap_types(void) {
+ int i;
+ struct string_elem *encaps;
+ GSList *list = NULL;
+
+ encaps = g_new(struct string_elem, wtap_get_num_encap_types());
+ cmdarg_err("The available encapsulation types for the \"-E\" flag are:\n");
+ for (i = 0; i < wtap_get_num_encap_types(); i++) {
+ /* Exclude wtap encapsulations that require a pseudo header,
+ * because we won't setup one from the text we import and
+ * wiretap doesn't allow us to write 'raw' frames
+ */
+ if (!wtap_encap_requires_phdr(i)) {
+ encaps[i].sstr = wtap_encap_name(i);
+ if (encaps[i].sstr != NULL) {
+ encaps[i].lstr = wtap_encap_description(i);
+ list = g_slist_insert_sorted(list, &encaps[i], string_nat_compare);
+ }
+ }
+ }
+ g_slist_foreach(list, string_elem_print, stderr);
+ g_slist_free(list);
+ g_free(encaps);
}
/*----------------------------------------------------------------------
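Review bot: In `list_encap_types` the `GSList` nodes point into the `encaps` array rather than owning copies, and nothing in the function says so. A short comment above the `g_slist_insert_sorted` call, for example `/* list nodes borrow from encaps[]; free the list before the array, and never with g_slist_free_full */`, would keep a later edit from freeing `encaps` early or double-freeing its elements. `wtap_get_num_encap_types()` is also called once for the allocation and again on every loop iteration; reading it once into a local such as `const int n_encaps` keeps the allocation size and the loop bound visibly the same value. The new `struct string_elem`, `string_nat_compare` and `string_elem_print` have no header comment of the banner kind the file uses for `print_usage`.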
@@ -319,6 +365,7 @@ parse_options(int argc, char *argv[], text_import_info_t * const info, wtap_dump
/* Link-layer type; see https://www.tcpdump.org/linktypes.html for details */
guint32 pcap_link_type = 1; /* Default is LINKTYPE_ETHERNET */
int file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_UNKNOWN;
+ int wtap_encap_type = WTAP_ENCAP_ETHERNET;
int err;
char* err_info;
GError* gerror = NULL;
@@ -333,7 +380,7 @@ parse_options(int argc, char *argv[], text_import_info_t * const info, wtap_dump
ws_init_version_info("Text2pcap (Wireshark)", NULL, NULL, NULL);
/* Scan CLI parameters */
- while ((c = ws_getopt_long(argc, argv, "hqab:De:F:i:l:m:nN:o:u:P:r:s:S:t:T:v4:6:", long_options, NULL)) != -1) {
+ while ((c = ws_getopt_long(argc, argv, "hqab:De:E:F:i:l:m:nN:o:u:P:r:s:S:t:T:v4:6:", long_options, NULL)) != -1) {
switch (c) {
case 'h':
show_help_header("Generate a capture file from an ASCII hexdump of packets.");
@@ -343,7 +390,10 @@ parse_options(int argc, char *argv[], text_import_info_t * const info, wtap_dump
case 'q': quiet = TRUE; break;
case 'a': info->hexdump.identify_ascii = TRUE; break;
case 'D': info->hexdump.has_direction = TRUE; break;
- case 'l': pcap_link_type = (guint32)strtol(ws_optarg, NULL, 0); break;
+ case 'l':
+ pcap_link_type = (guint32)strtol(ws_optarg, NULL, 0);
+ wtap_encap_type = wtap_pcap_encap_to_wtap_encap(pcap_link_type);
+ break;
case 'm': max_offset = (guint32)strtol(ws_optarg, NULL, 0); break;
case 'n': file_type_subtype = wtap_pcapng_file_type_subtype(); break;
case 'N': interface_name = ws_optarg; break;
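Review bot: The `-l` branch now maps the number straight to a wiretap encapsulation but validates neither step. `strtol(ws_optarg, NULL, 0)` turns non-numeric text into 0 and a negative value is silently cast to `guint32`, and the result of `wtap_pcap_encap_to_wtap_encap()` is not tested. If that function returns `WTAP_ENCAP_UNKNOWN` for an unmapped link type, as it appears to, the bad value is carried on to whatever later code consumes `wtap_encap_type` (outside this hunk). Adding `if (wtap_encap_type == WTAP_ENCAP_UNKNOWN) { cmdarg_err("\"%s\" isn't a valid link-layer type number", ws_optarg); return INVALID_OPTION; }` after the mapping would make `-l` fail as early as the new `-E` does. Because the mapping no longer runs once after the option loop, whichever of `-E` and `-l` comes last on the command line wins, which the usage text should state.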
@@ -391,6 +441,15 @@ parse_options(int argc, char *argv[], text_import_info_t * const info, wtap_dump
}
break;
+ case 'E':
+ wtap_encap_type = wtap_name_to_encap(ws_optarg);
+ if (wtap_encap_type < 0) {
+ cmdarg_err("\"%s\" isn't a valid encapsulation type", ws_optarg);
+ list_encap_types();
+ return INVALID_OPTION;
+ }
+ break;
+
case 'F':
file_type_subtype = wtap_name_to_file_type_subtype(ws_optarg);
if (file_type_subtype < 0) {
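Review bot: The `-E` case accepts any name that `wtap_name_to_encap()` recognises, whereas `list_encap_types()` deliberately omits encapsulations for which `wtap_encap_requires_phdr()` is true, because text2pcap does not build their pseudo-header. Unless a check outside this hunk rejects them, such a type can still be selected by name, and the records would then be written without the pseudo-header data that encapsulation expects. Extending the test to `if (wtap_encap_type < 0 || wtap_encap_requires_phdr(wtap_encap_type))` would keep the accepted set equal to the listed set. The same filter is worth applying to the value produced by `-l`.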
@@ -649,6 +708,10 @@ parse_options(int argc, char *argv[], text_import_info_t * const info, wtap_dump
case '?':
switch(ws_optopt) {
+ case 'E':
+ list_encap_types();
+ return INVALID_OPTION;
+ break;
case 'F':
list_capture_types();
return INVALID_OPTION;
@@ -712,8 +775,6 @@ parse_options(int argc, char *argv[], text_import_info_t * const info, wtap_dump
hdr_ip = TRUE;
}
- wtap_encap_type = wtap_pcap_encap_to_wtap_encap(pcap_link_type);
-
if (hdr_export_pdu && wtap_encap_type != WTAP_ENCAP_WIRESHARK_UPPER_PDU) {
cmdarg_err("Export PDU (-P) requires WIRESHARK_UPPER_PDU link type (252)");
return INVALID_OPTION;