From 9787a5734a75c813891ea1eba9ef8998e91ad9b2 Mon Sep 17 00:00:00 2001 From: Bill Meier Date: Wed, 20 Oct 2010 00:36:53 +0000 Subject: From Hadriel Kaplan: IPFIX file format support. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5242 svn path=/trunk/; revision=34576 --- wiretap/AUTHORS | 11 +- wiretap/CMakeLists.txt | 1 + wiretap/Makefile.common | 2 + wiretap/file_access.c | 12 +- wiretap/ipfix.c | 326 ++++++++++++++++++++++++++++++++++++++++++++++++ wiretap/ipfix.h | 30 +++++ wiretap/wtap.c | 3 + wiretap/wtap.h | 2 + 8 files changed, 378 insertions(+), 9 deletions(-) create mode 100644 wiretap/ipfix.c create mode 100644 wiretap/ipfix.h (limited to 'wiretap') diff --git a/wiretap/AUTHORS b/wiretap/AUTHORS index 79b4b7166b..8f3b9fd027 100644 --- a/wiretap/AUTHORS +++ b/wiretap/AUTHORS @@ -26,8 +26,9 @@ Martijn Schipper Jeff Morriss Niels Koot Rolf Fiedler -James Fields -Kevin Johnson -Yoshihiro Oyama -Robert Long -Clay Jones +James Fields +Kevin Johnson +Yoshihiro Oyama +Robert Long +Clay Jones +Hadriel Kaplan diff --git a/wiretap/CMakeLists.txt b/wiretap/CMakeLists.txt index 6d416d2a0f..c42d95e8ba 100644 --- a/wiretap/CMakeLists.txt +++ b/wiretap/CMakeLists.txt @@ -44,6 +44,7 @@ set(WIRETAP_FILES file_wrappers.c hcidump.c i4btrace.c + ipfix.c iptrace.c iseries.c jpeg_jfif.c diff --git a/wiretap/Makefile.common b/wiretap/Makefile.common index 0a4de5d6b0..55ab781368 100644 --- a/wiretap/Makefile.common +++ b/wiretap/Makefile.common @@ -50,6 +50,7 @@ NONGENERATED_C_FILES = \ file_wrappers.c \ hcidump.c \ i4btrace.c \ + ipfix.c \ iptrace.c \ iseries.c \ jpeg_jfif.c \ @@ -100,6 +101,7 @@ NONGENERATED_HEADER_FILES = \ hcidump.h \ i4btrace.h \ i4b_trace.h \ + ipfix.h \ iptrace.h \ iseries.h \ jpeg_jfif.h \ diff --git a/wiretap/file_access.c b/wiretap/file_access.c index 44d63a7f19..afbed01a0e 100644 --- a/wiretap/file_access.c +++ b/wiretap/file_access.c @@ -83,6 +83,7 @@ #include "daintree-sna.h" #include "netscaler.h" #include "jpeg_jfif.h" +#include "ipfix.h" /* The open_file_* routines should return: @@ -145,6 +146,7 @@ static wtap_open_routine_t open_routines_base[] = { */ netscreen_open, erf_open, + ipfix_open, k12text_open, etherpeek_open, pppdump_open, @@ -598,7 +600,7 @@ static const struct file_type_info dump_open_table_base[] = { /* WTAP_FILE_BTSNOOP */ { "Symbian OS btsnoop", "btsnoop", "*.log", ".log", FALSE, btsnoop_dump_can_write_encap, btsnoop_dump_open_h4 }, - + /* WTAP_FILE_X2E_XORAYA */ { NULL, NULL, NULL, NULL, FALSE, NULL, NULL }, @@ -625,6 +627,9 @@ static const struct file_type_info dump_open_table_base[] = { /* WTAP_FILE_JPEG_JFIF */ { "JPEG/JFIF", "jpeg", "*.jpg;*.jpeg;*.jfif", ".jpg", FALSE, NULL, NULL }, + /* WTAP_FILE_IPFIX */ + { "IPFIX File Format", "ipfix", "*.pfx;*.ipfix", NULL, FALSE, + NULL, NULL } }; gint wtap_num_file_types = sizeof(dump_open_table_base) / sizeof(struct file_type_info); @@ -1024,9 +1029,8 @@ static FILE_T wtap_dump_file_fdopen(wtap_dumper *wdh _U_, int fd) #endif /* internally writing raw bytes (compressed or not) */ -gboolean -wtap_dump_file_write(wtap_dumper *wdh, const void *buf, size_t bufsize, - int *err) +gboolean wtap_dump_file_write(wtap_dumper *wdh, const void *buf, size_t bufsize, + int *err) { size_t nwritten; #ifdef HAVE_LIBZ diff --git a/wiretap/ipfix.c b/wiretap/ipfix.c new file mode 100644 index 0000000000..5e15c1f1bc --- /dev/null +++ b/wiretap/ipfix.c @@ -0,0 +1,326 @@ +/* ipfix.c + * + * $Id$ + * + * Wiretap Library + * Copyright (c) 1998 by Gilbert Ramirez + * + * File format support for ipfix file format + * Copyright (c) 2010 by Hadriel Kaplan + * with generous copying from other wiretaps, such as pcapng + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +/* File format reference: + * RFC 5655 and 5101 + * http://tools.ietf.org/rfc/rfc5655 + * http://tools.ietf.org/rfc/rfc5101 + * + * This wiretap is for an ipfix file format reader, per RFC 5655/5101. + * All "records" in the file are IPFIX messages, beginning with an IPFIX + * message header of 16 bytes as follows from RFC 5101: + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Version Number | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Export Time | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Sequence Number | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Observation Domain ID | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Figure F: IPFIX Message Header Format + + * which is then followed by one or more "Sets": Data Sets, Template Sets, + * and Options Template Sets. Each Set then has one or more Records in + * it. + * + * All IPFIX files are recorded in big-endian form (network byte order), + * per the RFCs. That means if we're on a little-endian system, all + * hell will break loose if we don't g_ntohX. + * + * Since wireshark already has an IPFIX dissector (implemented in + * packet-netflow.c), this reader will just set that dissector upon + * reading each message. Thus, an IPFIX Message is treated as a packet + * as far as the dissector is concerned. + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include +#include +#include +#include "wtap-int.h" +#include "file_wrappers.h" +#include "buffer.h" +#include "libpcap.h" +#include "pcap-common.h" +#include "pcap-encap.h" +#include "ipfix.h" + +#if 0 +#define ipfix_debug0(str) g_warning(str) +#define ipfix_debug1(str,p1) g_warning(str,p1) +#define ipfix_debug2(str,p1,p2) g_warning(str,p1,p2) +#define ipfix_debug3(str,p1,p2,p3) g_warning(str,p1,p2,p3) +#else +#define ipfix_debug0(str) +#define ipfix_debug1(str,p1) +#define ipfix_debug2(str,p1,p2) +#define ipfix_debug3(str,p1,p2,p3) +#endif + +static gboolean +ipfix_read(wtap *wth, int *err, gchar **err_info, + gint64 *data_offset); +static gboolean +ipfix_seek_read(wtap *wth, gint64 seek_off, + union wtap_pseudo_header *pseudo_header, guchar *pd, int length, + int *err, gchar **err_info); +static void +ipfix_close(wtap *wth); + +#define IPFIX_VERSION 10 + +/* ipfix: message header */ +typedef struct ipfix_message_header_s { + guint16 version; + guint16 message_length; + guint32 export_time_secs; + guint32 sequence_number; + guint32 observation_id; /* might be 0 for none */ + /* x bytes msg_body */ +} ipfix_message_header_t; +#define IPFIX_MSG_HDR_SIZE 16 + +/* ipfix: common Set header for every Set type */ +typedef struct ipfix_set_header_s { + guint16 set_type; + guint16 set_length; + /* x bytes set_body */ +} ipfix_set_header_t; +#define IPFIX_SET_HDR_SIZE 4 + + +/* Read IPFIX message header from file. Return true on success. Set *err to + * 0 on EOF, any other value for "real" errors (EOF is ok, since return + * value is still FALSE) + */ + static gboolean +ipfix_read_message_header(ipfix_message_header_t *pfx_hdr, FILE_T fh, int *err, gchar **err_info) +{ + wtap_file_read_expected_bytes(pfx_hdr, IPFIX_MSG_HDR_SIZE, fh, err); + + /* fix endianess, because IPFIX files are always big-endian */ + pfx_hdr->version = g_ntohs(pfx_hdr->version); + pfx_hdr->message_length = g_ntohs(pfx_hdr->message_length); + pfx_hdr->export_time_secs = g_ntohl(pfx_hdr->export_time_secs); + pfx_hdr->sequence_number = g_ntohl(pfx_hdr->sequence_number); + pfx_hdr->observation_id = g_ntohl(pfx_hdr->observation_id); + + /* is the version number one we expect? */ + if (pfx_hdr->version != IPFIX_VERSION) { + /* Not an ipfix file. */ + *err = WTAP_ERR_BAD_RECORD; + return FALSE; + } + + if (pfx_hdr->message_length < 16) { + *err_info = g_strdup_printf("ipfix: message length %u is too short", pfx_hdr->message_length); + *err = WTAP_ERR_BAD_RECORD; + return FALSE; + } + + /* go back to before header */ + if (file_seek(fh, 0 - IPFIX_MSG_HDR_SIZE, SEEK_CUR, err) == -1) { + ipfix_debug0("ipfix_read: couldn't go back in file before header"); + return FALSE; + } + + return TRUE; +} + + + +/* classic wtap: open capture file. Return 1 on success, 0 on normal failure + * like malformed format, -1 on bad error like file system + */ +int +ipfix_open(wtap *wth, int *err, gchar **err_info) +{ + gint i, n, records_for_ipfix_check = RECORDS_FOR_IPFIX_CHECK; + gchar *s; + guint16 checked_len = 0; + ipfix_message_header_t msg_hdr; + ipfix_set_header_t set_hdr; + + ipfix_debug0("ipfix_open: opening file"); + + /* number of records to scan before deciding if this really is ERF */ + if ((s = getenv("IPFIX_RECORDS_TO_CHECK")) != NULL) { + if ((n = atoi(s)) > 0 && n < 101) { + records_for_ipfix_check = n; + } + } + + /* + * IPFIX is a little hard because there's no magic number; we look at + * the first few records and see if they look enough like IPFIX + * records. + */ + for (i = 0; i < records_for_ipfix_check; i++) { + /* read first message header to check version */ + if (!ipfix_read_message_header(&msg_hdr, wth->fh, err, err_info)) { + ipfix_debug2("ipfix_open: couldn't read message header #%d with err code #%d", + i, *err); + if (*err == WTAP_ERR_BAD_RECORD) return 0; + if (*err != 0) return -1; /* real failure */ + /* else it's EOF */ + if (i < 1) { + /* we haven't seen enough to prove this is a ipfix file */ + return 0; + } + /* if we got here, it's EOF and we think it's an ipfix file */ + break; + } + if (file_seek(wth->fh, IPFIX_MSG_HDR_SIZE, SEEK_CUR, err) == -1) { + ipfix_debug1("ipfix_open: failed seek to next message in file, %d bytes away", + msg_hdr.message_length); + return 0; + } + checked_len = IPFIX_MSG_HDR_SIZE; + + /* check each Set in IPFIX Message for sanity */ + while (checked_len < msg_hdr.message_length) { + wtap_file_read_expected_bytes(&set_hdr, IPFIX_SET_HDR_SIZE, wth->fh, err); + set_hdr.set_length = g_ntohs(set_hdr.set_length); + if ((set_hdr.set_length < IPFIX_SET_HDR_SIZE) || + ((set_hdr.set_length + checked_len) > msg_hdr.message_length)) { + ipfix_debug1("ipfix_open: found invalid set_length of %d", + set_hdr.set_length); + return 0; + } + + if (file_seek(wth->fh, set_hdr.set_length - IPFIX_SET_HDR_SIZE, + SEEK_CUR, err) == -1) + { + ipfix_debug1("ipfix_open: failed seek to next set in file, %d bytes away", + set_hdr.set_length - IPFIX_SET_HDR_SIZE); + return 0; + } + checked_len += set_hdr.set_length; + } + } + + /* all's good, this is a IPFIX file */ + wth->file_encap = WTAP_ENCAP_RAW_IPFIX; + wth->snapshot_length = 0; + wth->tsprecision = WTAP_FILE_TSPREC_SEC; + wth->subtype_read = ipfix_read; + wth->subtype_seek_read = ipfix_seek_read; + wth->subtype_close = ipfix_close; + wth->file_type = WTAP_FILE_IPFIX; + + /* go back to beginning of file */ + if (file_seek (wth->fh, 0, SEEK_SET, err) != 0) + { + return -1; + } + return 1; +} + + +/* classic wtap: read packet */ +static gboolean +ipfix_read(wtap *wth, int *err, gchar **err_info, gint64 *data_offset) +{ + ipfix_message_header_t msg_hdr; + + ipfix_debug1("ipfix_read: wth->data_offset is initially %" G_GINT64_MODIFIER "u", wth->data_offset); + *data_offset = wth->data_offset; + + if (!ipfix_read_message_header(&msg_hdr, wth->fh, err, err_info)) { + ipfix_debug2("ipfix_read: couldn't read message header with code: %d\n, and error '%s'", + *err, *err_info); + return FALSE; + } + + buffer_assure_space(wth->frame_buffer, msg_hdr.message_length); + wtap_file_read_expected_bytes(buffer_start_ptr(wth->frame_buffer), + msg_hdr.message_length, wth->fh, err); + + wth->phdr.len = msg_hdr.message_length; + wth->phdr.caplen = msg_hdr.message_length; + wth->phdr.ts.secs = 0; + wth->phdr.ts.nsecs = 0; + + /*ipfix_debug2("Read length: %u Packet length: %u", msg_hdr.message_length, wth->phdr.caplen);*/ + wth->data_offset += msg_hdr.message_length; + ipfix_debug1("ipfix_read: wth->data_offset is finally %" G_GINT64_MODIFIER "u", wth->data_offset); + + return TRUE; +} + + +/* classic wtap: seek to file position and read packet */ +static gboolean +ipfix_seek_read(wtap *wth, gint64 seek_off, + union wtap_pseudo_header *pseudo_header, guchar *pd, int length _U_, + int *err, gchar **err_info) +{ + ipfix_message_header_t msg_hdr; + + (void) pseudo_header; /* avoids compiler warning about unused variable */ + + /* seek to the right file position */ + if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1) { + ipfix_debug2("ipfix_seek_read: couldn't read message header with code: %d\n, and error '%s'", + *err, *err_info); + return FALSE; /* Seek error */ + } + + ipfix_debug1("ipfix_seek_read: reading at offset %" G_GINT64_MODIFIER "u", seek_off); + + if (!ipfix_read_message_header(&msg_hdr, wth->random_fh, err, err_info)) { + ipfix_debug0("ipfix_read: couldn't read message header"); + return FALSE; + } + + if(length != (int)msg_hdr.message_length) { + *err = WTAP_ERR_BAD_RECORD; + *err_info = g_strdup_printf("ipfix: record length %u doesn't match requested length %d", + msg_hdr.message_length, length); + ipfix_debug1("ipfix_seek_read: %s", *err_info); + return FALSE; + } + + wtap_file_read_expected_bytes(pd, length, wth->random_fh, err); + + return TRUE; +} + + +/* classic wtap: close capture file */ +static void +ipfix_close(wtap *wth _U_) +{ + ipfix_debug0("ipfix_close: closing file"); +} + diff --git a/wiretap/ipfix.h b/wiretap/ipfix.h new file mode 100644 index 0000000000..0f891a48fe --- /dev/null +++ b/wiretap/ipfix.h @@ -0,0 +1,30 @@ +/* ipfix.h + * + * $Id$ + * + * Wiretap Library + * Copyright (c) 2010 by Hadriel Kaplan + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +#ifndef __W_IPFIX_H__ +#define __W_IPFIX_H__ + +#define RECORDS_FOR_IPFIX_CHECK 20 + +int ipfix_open(wtap *wth, int *err, gchar **err_info); + +#endif diff --git a/wiretap/wtap.c b/wiretap/wtap.c index a48ceb813b..ea2193f5fe 100644 --- a/wiretap/wtap.c +++ b/wiretap/wtap.c @@ -477,6 +477,9 @@ static struct encap_type_info encap_table_base[] = { /* WTAP_ENCAP_IEEE802_15_4_NOFCS */ { "IEEE 802.15.4 Wireless PAN with FCS not present", "wpan-nofcs" }, + + /* WTAP_ENCAP_RAW_IPFIX */ + { "IPFIX", "ipfix" } }; gint wtap_num_encap_types = sizeof(encap_table_base) / sizeof(struct encap_type_info); diff --git a/wiretap/wtap.h b/wiretap/wtap.h index 3a9261a1f3..e4ccc5efba 100644 --- a/wiretap/wtap.h +++ b/wiretap/wtap.h @@ -217,6 +217,7 @@ extern "C" { #define WTAP_ENCAP_SOCKETCAN 125 #define WTAP_ENCAP_IEEE802_11_NETMON_RADIO 126 #define WTAP_ENCAP_IEEE802_15_4_NOFCS 127 +#define WTAP_ENCAP_RAW_IPFIX 128 #define WTAP_NUM_ENCAP_TYPES wtap_get_num_encap_types() @@ -283,6 +284,7 @@ extern "C" { #define WTAP_FILE_NETSCALER_1_0 57 #define WTAP_FILE_NETSCALER_2_0 58 #define WTAP_FILE_JPEG_JFIF 59 +#define WTAP_FILE_IPFIX 60 #define WTAP_NUM_FILE_TYPES wtap_get_num_file_types() -- cgit v1.2.3