osmith
/
wireshark
forked from osmocom/wireshark
1
0
Fork 0
Code Pull Requests Releases Wiki Activity
wireshark/wiretap/erf.h

59 lines
1.3 KiB
C
Raw Permalink Normal View History

wiretap: Add header files to Doxygen Add @file markers for wiretap headers so that Doxygen will generate documentation for them.
2021-11-30 02:59:23 +00:00
/** @file
Use common indenting space in heading Change-Id: I47022f9c7d568ca6d9705ba63c669a980822818a Reviewed-on: https://code.wireshark.org/review/27229 Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-04-30 19:55:30 +00:00
*
* Copyright (c) 2003 Endace Technology Ltd, Hamilton, New Zealand.
* All rights reserved.
*
* This software and documentation has been developed by Endace Technology Ltd.
* along with the DAG PCI network capture cards. For further information please
HTTPS In Even More Places, update some links. Fall back on the Wayback Machine for some links. Change-Id: I6a44a2caaeb4fa521c2f08196e7c36069e3bb842 Reviewed-on: https://code.wireshark.org/review/34103 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2019-07-28 04:20:27 +00:00
* visit https://www.endace.com/.
Use common indenting space in heading Change-Id: I47022f9c7d568ca6d9705ba63c669a980822818a Reviewed-on: https://code.wireshark.org/review/27229 Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-04-30 19:55:30 +00:00
*
* SPDX-License-Identifier: BSD-3-Clause
*/
From Jesper Peterson: support for Endace ERF file format. svn path=/trunk/; revision=8272
2003-08-26 07:10:39 +00:00
#ifndef __W_ERF_H__
#define __W_ERF_H__
Fix wiretap headers to allow error-free ABI dumping. svn path=/trunk/; revision=37543
2011-06-04 21:20:57 +00:00
#include <glib.h>
#include <wiretap/wtap.h>
Export libwiretap symbols using WS_DLL_PUBLIC define TODO: hide flex-generated functions svn path=/trunk/; revision=47948
2013-02-28 19:35:59 +00:00
#include "ws_symbol_export.h"
Fix wiretap headers to allow error-free ABI dumping. svn path=/trunk/; revision=37543
2011-06-04 21:20:57 +00:00
ERF_TYPE_META write and comment support Support per-packet comments in ERF_TYPE_META through a new Anchor ID extension header with per-Host unique 48-bit Anchor ID which links an ERF_TYPE_META record with a packet record. There may be more than one Anchor ID associated with a packet, where they are grouped by Host ID extension header in the extension header list. Like other ERF_TYPE_META existing comments should not be overwritten and instead a new record generated. See erf_write_anchor_meta_update_phdr() for detailed comments on the extension header stack required. As Wireshark only supports one comment currently, use the one one with the latest metadata generation time (gen_time). Do this for capture comment too. Write various wtap metadata in periodic per-second ERF_TYPE_META records if non-WTAP_ENCAP_ERF or we have an updated capture comment. Refactor erf_dump to create fake ERF header first then follow common pseudoheadr and payload write code rather than two separate code paths. Support an ERF_HOST_ID environment variable to define Wireshark's Host ID when writing. Defaults to 0 for now. ERF dissector updates to support Anchor ID extension header with basic frame linking. Update ERF_TYPE_META naming and descriptions to official name (Provenance) Core changes: Add has_comment_changed to wtap_pkthdr, TRUE when a packet opt_comment has unsaved changes by the user. Add needs_reload to wtap_dumper which forces a full reload of the file on save, otherwise wireshark gets confused by additional packets being written. Change-Id: I0bb04411548c7bcd2d6ed82af689fbeed104546c Ping-Bug: 12303 Reviewed-on: https://code.wireshark.org/review/21873 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Stephen Donnelly <stephen.donnelly@endace.com> Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-06-01 08:34:25 +00:00
#define ERF_POPULATE_SUCCESS 1
#define ERF_POPULATE_ALREADY_POPULATED 0
#define ERF_POPULATE_FAILED -1
#define ERF_MAX_INTERFACES 4
ERF: split wiretap/erf.h into three files. wiretap/erf_record.h has declarations for records in ERF files and in LINKTYPE_ERF packets in pcap and pcapng files. wiretap/erf-common.h has declarations of routines to be called by pcap/pcapng reader code when processing LINKTYPE_ERF packets. wiretap/erf.h is what's left, for use by wiretap/erf.c and the code with the tables of file readers and writers. Change-Id: Ia982e79b14a025a80dcbc7c812fb3b2cdb9c6aaa Reviewed-on: https://code.wireshark.org/review/37021 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-02 04:02:00 +00:00
/*
* Private data for ERF files and LINKTYPE_ERF packets in pcap and pcapng.
*/
struct erf_private {
ERF: Add dissection and wiretap support for ERF_TYPE_META. ERF Dissector: Add dissection for ERF_TYPE_META, Host ID and Flow ID extension headers. Rename ERF extension header defines to ERF_EXT_HDR* and put in erf.h. The Flow ID extension header has an improved 32-bit Flow Hash with a Hash Type field describing what the hash was computed over. The Host ID extension header contains a 48-bit organizationally unique Host Identifier. Both extension headers contain the same 8-bit Source ID used for distinguishing records from multiple sources in the same file and for metadata linking to ERF_TYPE_META records. Host ID is used to identify the capturing host and can also be used to distinguish records from multiple hosts in the same file. ERF_TYPE_META records have a payload consisting of TLV metadata, divided into sections which define the context of the TLV tag. The dissector registers a field for each tag for each section type based on a template. ERF_TYPE_META records generally have a Host ID extension header used to link metadata to packet records with the same Host ID and Source ID. The associated Host ID can either be explicit on all records, or implicit where the Host ID extension header is only present on MetaERF records and other records are associated using only the Source ID in the Flow ID extension header. Includes per-record generated Source summary and frame linking. These have the 'correct' Host ID and Source IDs from either extension header, including applying the Implicit Host ID, and links to the most recent ERF_TYPE_META record. Relies on Wireshark doing more than one pass to associate the correct implicit Host ID tree items for records before the first ERF_TYPE_META record. The metadata is technically not associated at that point anyway. ERF Wiretap: Add per-HostID/per-SourceID wtap interfaces and basic ERF_TYPE_META support. Adds read support for displaying some fields of the 'first' ERF_TYPE_META record in the Capture File Properties screen. Concatenates and merges some summary fields to provide more useful information and attempt to combine ERF sources, streams and interfaces into wtap interfaces. Interface naming gracefully degrades when Host ID and Source ID are not present and is intended to be parseable for use by DAG software. Supports Implicit Host ID, but assumes it does not change. NOTE: Now only ERF interfaces that are present in the file are added. Only works with native ERF files for now. Written such that it is easily adapted for use by pcap dissector. Some support for setting REC_TYPE_FT_SPECIFIC_REPORT on MetaERF records. Disabled for now as this breaks pcapng_dump saving of ERF_TYPE_META and ft_specific_record_phdr clashes with erf_mc_phdr. Only when native ERF file (as uses wth->file_type_subtype). Register packet-erf as a dissector of WTAP_FILE_TYPE_SUBTYPE_ERF. Bug: 12303 Change-Id: I6a697cdc851319595da2852f3a977cef8a42431d Reviewed-on: https://code.wireshark.org/review/14510 Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com> Tested-by: Alexis La Goutte <alexis.lagoutte@gmail.com> Reviewed-by: Michael Mann <mmann78@netscape.net>
2016-03-11 03:44:16 +00:00
GHashTable* if_map;
ERF_TYPE_META write and comment support Support per-packet comments in ERF_TYPE_META through a new Anchor ID extension header with per-Host unique 48-bit Anchor ID which links an ERF_TYPE_META record with a packet record. There may be more than one Anchor ID associated with a packet, where they are grouped by Host ID extension header in the extension header list. Like other ERF_TYPE_META existing comments should not be overwritten and instead a new record generated. See erf_write_anchor_meta_update_phdr() for detailed comments on the extension header stack required. As Wireshark only supports one comment currently, use the one one with the latest metadata generation time (gen_time). Do this for capture comment too. Write various wtap metadata in periodic per-second ERF_TYPE_META records if non-WTAP_ENCAP_ERF or we have an updated capture comment. Refactor erf_dump to create fake ERF header first then follow common pseudoheadr and payload write code rather than two separate code paths. Support an ERF_HOST_ID environment variable to define Wireshark's Host ID when writing. Defaults to 0 for now. ERF dissector updates to support Anchor ID extension header with basic frame linking. Update ERF_TYPE_META naming and descriptions to official name (Provenance) Core changes: Add has_comment_changed to wtap_pkthdr, TRUE when a packet opt_comment has unsaved changes by the user. Add needs_reload to wtap_dumper which forces a full reload of the file on save, otherwise wireshark gets confused by additional packets being written. Change-Id: I0bb04411548c7bcd2d6ed82af689fbeed104546c Ping-Bug: 12303 Reviewed-on: https://code.wireshark.org/review/21873 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Stephen Donnelly <stephen.donnelly@endace.com> Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-06-01 08:34:25 +00:00
GHashTable* anchor_map;
ERF: Add dissection and wiretap support for ERF_TYPE_META. ERF Dissector: Add dissection for ERF_TYPE_META, Host ID and Flow ID extension headers. Rename ERF extension header defines to ERF_EXT_HDR* and put in erf.h. The Flow ID extension header has an improved 32-bit Flow Hash with a Hash Type field describing what the hash was computed over. The Host ID extension header contains a 48-bit organizationally unique Host Identifier. Both extension headers contain the same 8-bit Source ID used for distinguishing records from multiple sources in the same file and for metadata linking to ERF_TYPE_META records. Host ID is used to identify the capturing host and can also be used to distinguish records from multiple hosts in the same file. ERF_TYPE_META records have a payload consisting of TLV metadata, divided into sections which define the context of the TLV tag. The dissector registers a field for each tag for each section type based on a template. ERF_TYPE_META records generally have a Host ID extension header used to link metadata to packet records with the same Host ID and Source ID. The associated Host ID can either be explicit on all records, or implicit where the Host ID extension header is only present on MetaERF records and other records are associated using only the Source ID in the Flow ID extension header. Includes per-record generated Source summary and frame linking. These have the 'correct' Host ID and Source IDs from either extension header, including applying the Implicit Host ID, and links to the most recent ERF_TYPE_META record. Relies on Wireshark doing more than one pass to associate the correct implicit Host ID tree items for records before the first ERF_TYPE_META record. The metadata is technically not associated at that point anyway. ERF Wiretap: Add per-HostID/per-SourceID wtap interfaces and basic ERF_TYPE_META support. Adds read support for displaying some fields of the 'first' ERF_TYPE_META record in the Capture File Properties screen. Concatenates and merges some summary fields to provide more useful information and attempt to combine ERF sources, streams and interfaces into wtap interfaces. Interface naming gracefully degrades when Host ID and Source ID are not present and is intended to be parseable for use by DAG software. Supports Implicit Host ID, but assumes it does not change. NOTE: Now only ERF interfaces that are present in the file are added. Only works with native ERF files for now. Written such that it is easily adapted for use by pcap dissector. Some support for setting REC_TYPE_FT_SPECIFIC_REPORT on MetaERF records. Disabled for now as this breaks pcapng_dump saving of ERF_TYPE_META and ft_specific_record_phdr clashes with erf_mc_phdr. Only when native ERF file (as uses wth->file_type_subtype). Register packet-erf as a dissector of WTAP_FILE_TYPE_SUBTYPE_ERF. Bug: 12303 Change-Id: I6a697cdc851319595da2852f3a977cef8a42431d Reviewed-on: https://code.wireshark.org/review/14510 Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com> Tested-by: Alexis La Goutte <alexis.lagoutte@gmail.com> Reviewed-by: Michael Mann <mmann78@netscape.net>
2016-03-11 03:44:16 +00:00
guint64 implicit_host_id;
ERF_TYPE_META write and comment support Support per-packet comments in ERF_TYPE_META through a new Anchor ID extension header with per-Host unique 48-bit Anchor ID which links an ERF_TYPE_META record with a packet record. There may be more than one Anchor ID associated with a packet, where they are grouped by Host ID extension header in the extension header list. Like other ERF_TYPE_META existing comments should not be overwritten and instead a new record generated. See erf_write_anchor_meta_update_phdr() for detailed comments on the extension header stack required. As Wireshark only supports one comment currently, use the one one with the latest metadata generation time (gen_time). Do this for capture comment too. Write various wtap metadata in periodic per-second ERF_TYPE_META records if non-WTAP_ENCAP_ERF or we have an updated capture comment. Refactor erf_dump to create fake ERF header first then follow common pseudoheadr and payload write code rather than two separate code paths. Support an ERF_HOST_ID environment variable to define Wireshark's Host ID when writing. Defaults to 0 for now. ERF dissector updates to support Anchor ID extension header with basic frame linking. Update ERF_TYPE_META naming and descriptions to official name (Provenance) Core changes: Add has_comment_changed to wtap_pkthdr, TRUE when a packet opt_comment has unsaved changes by the user. Add needs_reload to wtap_dumper which forces a full reload of the file on save, otherwise wireshark gets confused by additional packets being written. Change-Id: I0bb04411548c7bcd2d6ed82af689fbeed104546c Ping-Bug: 12303 Reviewed-on: https://code.wireshark.org/review/21873 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Stephen Donnelly <stephen.donnelly@endace.com> Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-06-01 08:34:25 +00:00
guint64 capture_gentime;
guint64 host_gentime;
ERF: split wiretap/erf.h into three files. wiretap/erf_record.h has declarations for records in ERF files and in LINKTYPE_ERF packets in pcap and pcapng files. wiretap/erf-common.h has declarations of routines to be called by pcap/pcapng reader code when processing LINKTYPE_ERF packets. wiretap/erf.h is what's left, for use by wiretap/erf.c and the code with the tables of file readers and writers. Change-Id: Ia982e79b14a025a80dcbc7c812fb3b2cdb9c6aaa Reviewed-on: https://code.wireshark.org/review/37021 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
2020-05-02 04:02:00 +00:00
};
ERF: Add dissection and wiretap support for ERF_TYPE_META. ERF Dissector: Add dissection for ERF_TYPE_META, Host ID and Flow ID extension headers. Rename ERF extension header defines to ERF_EXT_HDR* and put in erf.h. The Flow ID extension header has an improved 32-bit Flow Hash with a Hash Type field describing what the hash was computed over. The Host ID extension header contains a 48-bit organizationally unique Host Identifier. Both extension headers contain the same 8-bit Source ID used for distinguishing records from multiple sources in the same file and for metadata linking to ERF_TYPE_META records. Host ID is used to identify the capturing host and can also be used to distinguish records from multiple hosts in the same file. ERF_TYPE_META records have a payload consisting of TLV metadata, divided into sections which define the context of the TLV tag. The dissector registers a field for each tag for each section type based on a template. ERF_TYPE_META records generally have a Host ID extension header used to link metadata to packet records with the same Host ID and Source ID. The associated Host ID can either be explicit on all records, or implicit where the Host ID extension header is only present on MetaERF records and other records are associated using only the Source ID in the Flow ID extension header. Includes per-record generated Source summary and frame linking. These have the 'correct' Host ID and Source IDs from either extension header, including applying the Implicit Host ID, and links to the most recent ERF_TYPE_META record. Relies on Wireshark doing more than one pass to associate the correct implicit Host ID tree items for records before the first ERF_TYPE_META record. The metadata is technically not associated at that point anyway. ERF Wiretap: Add per-HostID/per-SourceID wtap interfaces and basic ERF_TYPE_META support. Adds read support for displaying some fields of the 'first' ERF_TYPE_META record in the Capture File Properties screen. Concatenates and merges some summary fields to provide more useful information and attempt to combine ERF sources, streams and interfaces into wtap interfaces. Interface naming gracefully degrades when Host ID and Source ID are not present and is intended to be parseable for use by DAG software. Supports Implicit Host ID, but assumes it does not change. NOTE: Now only ERF interfaces that are present in the file are added. Only works with native ERF files for now. Written such that it is easily adapted for use by pcap dissector. Some support for setting REC_TYPE_FT_SPECIFIC_REPORT on MetaERF records. Disabled for now as this breaks pcapng_dump saving of ERF_TYPE_META and ft_specific_record_phdr clashes with erf_mc_phdr. Only when native ERF file (as uses wth->file_type_subtype). Register packet-erf as a dissector of WTAP_FILE_TYPE_SUBTYPE_ERF. Bug: 12303 Change-Id: I6a697cdc851319595da2852f3a977cef8a42431d Reviewed-on: https://code.wireshark.org/review/14510 Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com> Tested-by: Alexis La Goutte <alexis.lagoutte@gmail.com> Reviewed-by: Michael Mann <mmann78@netscape.net>
2016-03-11 03:44:16 +00:00
From Florent DROUIN: This is a replacement of the existing decoding of ERF files (Extensible Record Format from Endace). For the decoding of the ERF files, according to the "type of record" given in the ERF header, several decoders can be used. Up to now, the decoder is determined according to an environment variable, or with a kind of heuristic. And, all the treatment is done during the file extraction. The new architecture, will separate the ERF file decoding, and the ERF record decoding. The ERF records will be decoded with a specific dissector. This dissector can be configured with options, to replace the environment variable. http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1839 svn path=/trunk/; revision=23092
2007-10-08 11:41:21 +00:00
#define MIN_RECORDS_FOR_ERF_CHECK 3
#define RECORDS_FOR_ERF_CHECK 20
#define FCS_BITS 32
ERF_TYPE_META write and comment support Support per-packet comments in ERF_TYPE_META through a new Anchor ID extension header with per-Host unique 48-bit Anchor ID which links an ERF_TYPE_META record with a packet record. There may be more than one Anchor ID associated with a packet, where they are grouped by Host ID extension header in the extension header list. Like other ERF_TYPE_META existing comments should not be overwritten and instead a new record generated. See erf_write_anchor_meta_update_phdr() for detailed comments on the extension header stack required. As Wireshark only supports one comment currently, use the one one with the latest metadata generation time (gen_time). Do this for capture comment too. Write various wtap metadata in periodic per-second ERF_TYPE_META records if non-WTAP_ENCAP_ERF or we have an updated capture comment. Refactor erf_dump to create fake ERF header first then follow common pseudoheadr and payload write code rather than two separate code paths. Support an ERF_HOST_ID environment variable to define Wireshark's Host ID when writing. Defaults to 0 for now. ERF dissector updates to support Anchor ID extension header with basic frame linking. Update ERF_TYPE_META naming and descriptions to official name (Provenance) Core changes: Add has_comment_changed to wtap_pkthdr, TRUE when a packet opt_comment has unsaved changes by the user. Add needs_reload to wtap_dumper which forces a full reload of the file on save, otherwise wireshark gets confused by additional packets being written. Change-Id: I0bb04411548c7bcd2d6ed82af689fbeed104546c Ping-Bug: 12303 Reviewed-on: https://code.wireshark.org/review/21873 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Stephen Donnelly <stephen.donnelly@endace.com> Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-06-01 08:34:25 +00:00
/*Configurable through ERF_HOST_ID environment variable */
#define ERF_WS_DEFAULT_HOST_ID 0
From Florent Drouin: support for MTP2 in ERF type 5 (Multi-Channel HDLC) files svn path=/trunk/; revision=20838
2007-02-18 11:32:54 +00:00
Fix declared types of open routines. Change-Id: Ifa38dfec31ec5b03f00d6e077902184a9ae2ee0e Reviewed-on: https://code.wireshark.org/review/4583 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2014-10-10 01:04:16 +00:00
wtap_open_return_val erf_open(wtap *wth, int *err, gchar **err_info);
From Jesper Peterson: support for Endace ERF file format. svn path=/trunk/; revision=8272
2003-08-26 07:10:39 +00:00
#endif /* __W_ERF_H__ */
Add "Editor modelines"; Adjust whitespace as needed. Change-Id: Ic5a5acb0f36d3aa144edbfb1ae71097b18426db4 Reviewed-on: https://code.wireshark.org/review/6216 Reviewed-by: Bill Meier <wmeier@newsguy.com>
2015-01-02 00:45:22 +00:00
/*
HTTPS (almost) everywhere. Change all wireshark.org URLs to use https. Fix some broken links while we're at it. Change-Id: I161bf8eeca43b8027605acea666032da86f5ea1c Reviewed-on: https://code.wireshark.org/review/34089 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2019-07-26 18:43:17 +00:00
* Editor modelines - https://www.wireshark.org/tools/modelines.html
Add "Editor modelines"; Adjust whitespace as needed. Change-Id: Ic5a5acb0f36d3aa144edbfb1ae71097b18426db4 Reviewed-on: https://code.wireshark.org/review/6216 Reviewed-by: Bill Meier <wmeier@newsguy.com>
2015-01-02 00:45:22 +00:00
*
* Local variables:
* c-basic-offset: 8
* tab-width: 8
* indent-tabs-mode: t
* End:
*
* vi: set shiftwidth=8 tabstop=8 noexpandtab:
* :indentSize=8:tabSize=8:noTabs=false:
*/