2001-02-22 22:03:31 +00:00
|
|
|
/* etherpeek.c
|
|
|
|
* Routines for opening etherpeek files
|
|
|
|
* Copyright (c) 2001, Daniel Thompson <d.thompson@gmx.net>
|
|
|
|
*
|
2001-12-05 07:19:11 +00:00
|
|
|
* $Id: etherpeek.c,v 1.7 2001/12/05 07:19:11 guy Exp $
|
2001-02-22 22:03:31 +00:00
|
|
|
*
|
|
|
|
* Wiretap Library
|
2001-11-13 23:55:44 +00:00
|
|
|
* Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
|
2001-02-22 22:03:31 +00:00
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU General Public License
|
|
|
|
* as published by the Free Software Foundation; either version 2
|
|
|
|
* of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
|
|
#include "config.h"
|
|
|
|
#endif
|
|
|
|
#include <errno.h>
|
|
|
|
#include <string.h>
|
|
|
|
#include "wtap-int.h"
|
|
|
|
#include "file_wrappers.h"
|
|
|
|
#include "buffer.h"
|
2001-03-09 06:34:59 +00:00
|
|
|
#include "etherpeek.h"
|
2001-02-22 22:03:31 +00:00
|
|
|
#ifdef HAVE_NETINET_IN_H
|
|
|
|
#include <netinet/in.h>
|
|
|
|
#endif
|
|
|
|
|
|
|
|
/* CREDITS
|
|
|
|
*
|
|
|
|
* This file decoder could not have been writen without examining how
|
|
|
|
* tcptrace (http://www.tcptrace.org/) handles etherpeek files.
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* master header */
|
|
|
|
typedef struct etherpeek_master_header {
|
|
|
|
guint8 version;
|
|
|
|
guint8 status;
|
|
|
|
} etherpeek_master_header_t;
|
|
|
|
#define ETHERPEEK_MASTER_HDR_SIZE 2
|
|
|
|
|
|
|
|
/* secondary header (Mac V5,V6,V7) */
|
|
|
|
typedef struct etherpeek_m567_header {
|
|
|
|
guint32 filelength;
|
|
|
|
guint32 numPackets;
|
|
|
|
guint32 timeDate;
|
|
|
|
guint32 timeStart;
|
|
|
|
guint32 timeStop;
|
|
|
|
guint32 reserved[7];
|
|
|
|
} etherpeek_m567_header_t;
|
|
|
|
#define ETHERPEEK_M567_HDR_SIZE 48
|
|
|
|
|
|
|
|
/* full header */
|
|
|
|
typedef struct etherpeek_header {
|
|
|
|
etherpeek_master_header_t master;
|
|
|
|
union {
|
|
|
|
etherpeek_m567_header_t m567;
|
|
|
|
} secondary;
|
|
|
|
} etherpeek_header_t;
|
|
|
|
|
2001-12-05 07:19:11 +00:00
|
|
|
/*
|
|
|
|
* Packet header (Mac V5, V6).
|
|
|
|
*
|
|
|
|
* NOTE: the time stamp, although it's a 32-bit number, is only aligned
|
|
|
|
* on a 16-bit boundary. (Does this date back to 68K Macs? The 68000
|
|
|
|
* only required 16-bit alignment of 32-bit quantities, as did the 68010,
|
|
|
|
* and the 68020/68030/68040 required no alignment.)
|
|
|
|
*
|
|
|
|
* As such, we cannot declare this as a C structure, as compilers on
|
|
|
|
* most platforms will put 2 bytes of padding before the time stamp to
|
|
|
|
* align it on a 32-bit boundary.
|
|
|
|
*
|
|
|
|
* So, instead, we #define numbers as the offsets of the fields.
|
|
|
|
*/
|
|
|
|
#define ETHERPEEK_M56_LENGTH_OFFSET 0
|
|
|
|
#define ETHERPEEK_M56_SLICE_LENGTH_OFFSET 2
|
|
|
|
#define ETHERPEEK_M56_FLAGS_OFFSET 4
|
|
|
|
#define ETHERPEEK_M56_STATUS_OFFSET 5
|
|
|
|
#define ETHERPEEK_M56_TIMESTAMP_OFFSET 6
|
|
|
|
#define ETHERPEEK_M56_DESTNUM_OFFSET 10
|
|
|
|
#define ETHERPEEK_M56_SRCNUM_OFFSET 12
|
|
|
|
#define ETHERPEEK_M56_PROTONUM_OFFSET 14
|
|
|
|
#define ETHERPEEK_M56_PROTOSTR_OFFSET 16
|
|
|
|
#define ETHERPEEK_M56_PKT_SIZE 24
|
2001-02-22 22:03:31 +00:00
|
|
|
|
|
|
|
/* 64-bit time in micro seconds from the (Mac) epoch */
|
|
|
|
typedef struct etherpeek_utime {
|
|
|
|
guint32 upper;
|
|
|
|
guint32 lower;
|
|
|
|
} etherpeek_utime;
|
|
|
|
|
2001-12-05 07:19:11 +00:00
|
|
|
/*
|
|
|
|
* Packet header (Mac V7).
|
|
|
|
*
|
|
|
|
* This doesn't have the same alignment problem, but we do it with
|
|
|
|
* #defines anyway.
|
|
|
|
*/
|
|
|
|
#define ETHERPEEK_M7_PROTONUM_OFFSET 0
|
|
|
|
#define ETHERPEEK_M7_LENGTH_OFFSET 2
|
|
|
|
#define ETHERPEEK_M7_SLICE_LENGTH_OFFSET 4
|
|
|
|
#define ETHERPEEK_M7_FLAGS_OFFSET 6
|
|
|
|
#define ETHERPEEK_M7_STATUS_OFFSET 7
|
|
|
|
#define ETHERPEEK_M7_TIMESTAMP_UPPER_OFFSET 8
|
|
|
|
#define ETHERPEEK_M7_TIMESTAMP_LOWER_OFFSET 12
|
|
|
|
#define ETHERPEEK_M7_PKT_SIZE 16
|
2001-02-22 22:03:31 +00:00
|
|
|
|
|
|
|
typedef struct etherpeek_encap_lookup {
|
|
|
|
guint16 protoNum;
|
|
|
|
int encap;
|
|
|
|
} etherpeek_encap_lookup_t;
|
|
|
|
|
|
|
|
static const unsigned int mac2unix = 2082844800u;
|
|
|
|
static const etherpeek_encap_lookup_t etherpeek_encap[] = {
|
|
|
|
{ 1400, WTAP_ENCAP_ETHERNET }
|
|
|
|
};
|
|
|
|
#define NUM_ETHERPEEK_ENCAPS \
|
|
|
|
(sizeof (etherpeek_encap) / sizeof (etherpeek_encap[0]))
|
|
|
|
|
2001-10-04 08:30:36 +00:00
|
|
|
static gboolean etherpeek_read_m7(wtap *wth, int *err, long *data_offset);
|
|
|
|
static gboolean etherpeek_read_m56(wtap *wth, int *err, long *data_offset);
|
2001-02-22 22:03:31 +00:00
|
|
|
|
|
|
|
int etherpeek_open(wtap *wth, int *err)
|
|
|
|
{
|
|
|
|
etherpeek_header_t ep_hdr;
|
|
|
|
|
|
|
|
/* etherpeek files to not start with a magic value large enough
|
|
|
|
* to be unique hence we use the following algorithm to determine
|
|
|
|
* the type of an unknown file
|
|
|
|
* - populate the master header and reject file if there is no match
|
|
|
|
* - populate the secondary header and check that the reserved space
|
|
|
|
* is zero; there is an obvious flaw here so this algorithm will
|
|
|
|
* probably need to be revisiting when improving etherpeek
|
|
|
|
* support
|
|
|
|
*/
|
|
|
|
|
|
|
|
g_assert(sizeof(ep_hdr.master) == ETHERPEEK_MASTER_HDR_SIZE);
|
|
|
|
wtap_file_read_unknown_bytes(
|
|
|
|
&ep_hdr.master, sizeof(ep_hdr.master), wth->fh, err);
|
|
|
|
wth->data_offset += sizeof(ep_hdr.master);
|
|
|
|
|
|
|
|
/* switch on the file version */
|
|
|
|
switch (ep_hdr.master.version) {
|
|
|
|
case 5:
|
|
|
|
case 6:
|
|
|
|
case 7:
|
|
|
|
/* get the secondary header */
|
|
|
|
g_assert(sizeof(ep_hdr.secondary.m567) ==
|
|
|
|
ETHERPEEK_M567_HDR_SIZE);
|
|
|
|
wtap_file_read_unknown_bytes(
|
|
|
|
&ep_hdr.secondary.m567,
|
|
|
|
sizeof(ep_hdr.secondary.m567), wth->fh, err);
|
|
|
|
wth->data_offset += sizeof(ep_hdr.secondary.m567);
|
|
|
|
|
|
|
|
if ((0 != ep_hdr.secondary.m567.reserved[0]) ||
|
|
|
|
(0 != ep_hdr.secondary.m567.reserved[1]) ||
|
|
|
|
(0 != ep_hdr.secondary.m567.reserved[2]) ||
|
|
|
|
(0 != ep_hdr.secondary.m567.reserved[3])) {
|
|
|
|
/* still unknown */
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* we have a match for a Mac V5, V6 or V7,
|
|
|
|
* so it is worth preforming byte swaps
|
|
|
|
*/
|
|
|
|
ep_hdr.secondary.m567.filelength =
|
|
|
|
ntohl(ep_hdr.secondary.m567.filelength);
|
|
|
|
ep_hdr.secondary.m567.numPackets =
|
|
|
|
ntohl(ep_hdr.secondary.m567.numPackets);
|
|
|
|
ep_hdr.secondary.m567.timeDate =
|
|
|
|
ntohl(ep_hdr.secondary.m567.timeDate);
|
|
|
|
ep_hdr.secondary.m567.timeStart =
|
|
|
|
ntohl(ep_hdr.secondary.m567.timeStart);
|
|
|
|
ep_hdr.secondary.m567.timeStop =
|
|
|
|
ntohl(ep_hdr.secondary.m567.timeStop);
|
|
|
|
|
|
|
|
/* populate the pseudo header */
|
|
|
|
wth->pseudo_header.etherpeek.reference_time.tv_sec =
|
|
|
|
ep_hdr.secondary.m567.timeDate - mac2unix;
|
|
|
|
wth->pseudo_header.etherpeek.reference_time.tv_usec =
|
|
|
|
0;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* at this point we have recognised the file type and have populated
|
|
|
|
* the whole ep_hdr structure in host byte order
|
|
|
|
*/
|
|
|
|
|
|
|
|
switch (ep_hdr.master.version) {
|
|
|
|
case 5:
|
|
|
|
case 6:
|
|
|
|
wth->file_type = WTAP_FILE_ETHERPEEK_MAC_V56;
|
|
|
|
wth->subtype_read = etherpeek_read_m56;
|
|
|
|
wth->subtype_seek_read = wtap_def_seek_read;
|
|
|
|
break;
|
|
|
|
case 7:
|
|
|
|
wth->file_type = WTAP_FILE_ETHERPEEK_MAC_V7;
|
|
|
|
wth->subtype_read = etherpeek_read_m7;
|
|
|
|
wth->subtype_seek_read = wtap_def_seek_read;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
/* this is impossible */
|
|
|
|
g_assert_not_reached();
|
|
|
|
};
|
|
|
|
|
|
|
|
wth->file_encap = WTAP_ENCAP_PER_PACKET;
|
|
|
|
wth->snapshot_length = 16384; /* just guessing */
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2001-10-04 08:30:36 +00:00
|
|
|
static gboolean etherpeek_read_m7(wtap *wth, int *err, long *data_offset)
|
2001-02-22 22:03:31 +00:00
|
|
|
{
|
2001-12-05 07:19:11 +00:00
|
|
|
guchar ep_pkt[ETHERPEEK_M7_PKT_SIZE];
|
|
|
|
guint16 protoNum;
|
|
|
|
guint16 length;
|
|
|
|
guint16 sliceLength;
|
|
|
|
guint8 flags;
|
|
|
|
guint8 status;
|
|
|
|
etherpeek_utime timestamp;
|
2001-02-22 22:03:31 +00:00
|
|
|
double t;
|
2001-07-13 00:55:58 +00:00
|
|
|
unsigned int i;
|
2001-02-22 22:03:31 +00:00
|
|
|
|
2001-12-05 07:19:11 +00:00
|
|
|
wtap_file_read_expected_bytes(ep_pkt, sizeof(ep_pkt), wth->fh, err);
|
2001-02-22 22:03:31 +00:00
|
|
|
wth->data_offset += sizeof(ep_pkt);
|
|
|
|
|
2001-12-05 07:19:11 +00:00
|
|
|
/* Extract the fields from the packet */
|
|
|
|
protoNum = pntohs(&ep_pkt[ETHERPEEK_M7_PROTONUM_OFFSET]);
|
|
|
|
length = pntohs(&ep_pkt[ETHERPEEK_M7_LENGTH_OFFSET]);
|
|
|
|
sliceLength = pntohs(&ep_pkt[ETHERPEEK_M7_SLICE_LENGTH_OFFSET]);
|
|
|
|
flags = ep_pkt[ETHERPEEK_M7_FLAGS_OFFSET];
|
|
|
|
status = ep_pkt[ETHERPEEK_M7_STATUS_OFFSET];
|
|
|
|
timestamp.upper = pntohl(&ep_pkt[ETHERPEEK_M7_TIMESTAMP_UPPER_OFFSET]);
|
|
|
|
timestamp.lower = pntohl(&ep_pkt[ETHERPEEK_M7_TIMESTAMP_LOWER_OFFSET]);
|
2001-02-22 22:03:31 +00:00
|
|
|
|
|
|
|
/* force sliceLength to be the actual length of the packet */
|
2001-12-05 07:19:11 +00:00
|
|
|
if (0 == sliceLength) {
|
|
|
|
sliceLength = length;
|
2001-02-22 22:03:31 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* test for corrupt data */
|
2001-12-05 07:19:11 +00:00
|
|
|
if (sliceLength > WTAP_MAX_PACKET_SIZE) {
|
2001-02-22 22:03:31 +00:00
|
|
|
*err = WTAP_ERR_BAD_RECORD;
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
|
|
|
|
*data_offset = wth->data_offset;
|
|
|
|
|
|
|
|
/* read the frame data */
|
2001-12-05 07:19:11 +00:00
|
|
|
buffer_assure_space(wth->frame_buffer, sliceLength);
|
2001-02-22 22:03:31 +00:00
|
|
|
wtap_file_read_expected_bytes(buffer_start_ptr(wth->frame_buffer),
|
2001-12-05 07:19:11 +00:00
|
|
|
sliceLength, wth->fh, err);
|
|
|
|
wth->data_offset += sliceLength;
|
2001-02-22 22:03:31 +00:00
|
|
|
|
|
|
|
/* fill in packet header values */
|
2001-12-05 07:19:11 +00:00
|
|
|
wth->phdr.len = length;
|
|
|
|
wth->phdr.caplen = sliceLength;
|
2001-02-22 22:03:31 +00:00
|
|
|
|
2001-12-05 07:19:11 +00:00
|
|
|
t = (double) timestamp.lower +
|
|
|
|
(double) timestamp.upper * 4294967296.0;
|
2001-02-22 22:03:31 +00:00
|
|
|
t -= (double) mac2unix * 1000000.0;
|
|
|
|
wth->phdr.ts.tv_sec = (time_t) (t/1000000.0);
|
|
|
|
wth->phdr.ts.tv_usec = (guint32) (t - (double) wth->phdr.ts.tv_sec *
|
|
|
|
1000000.0);
|
|
|
|
wth->phdr.pkt_encap = WTAP_ENCAP_UNKNOWN;
|
|
|
|
for (i=0; i<NUM_ETHERPEEK_ENCAPS; i++) {
|
2001-12-05 07:19:11 +00:00
|
|
|
if (etherpeek_encap[i].protoNum == protoNum) {
|
2001-02-22 22:03:31 +00:00
|
|
|
wth->phdr.pkt_encap = etherpeek_encap[i].encap;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return TRUE;
|
|
|
|
}
|
|
|
|
|
2001-10-04 08:30:36 +00:00
|
|
|
static gboolean etherpeek_read_m56(wtap *wth, int *err, long *data_offset)
|
2001-02-22 22:03:31 +00:00
|
|
|
{
|
2001-12-05 07:19:11 +00:00
|
|
|
guchar ep_pkt[ETHERPEEK_M56_PKT_SIZE];
|
|
|
|
guint16 length;
|
|
|
|
guint16 sliceLength;
|
|
|
|
guint8 flags;
|
|
|
|
guint8 status;
|
|
|
|
guint32 timestamp;
|
|
|
|
guint16 destNum;
|
|
|
|
guint16 srcNum;
|
|
|
|
guint16 protoNum;
|
|
|
|
char protoStr[8];
|
2001-07-13 00:55:58 +00:00
|
|
|
unsigned int i;
|
2001-02-22 22:03:31 +00:00
|
|
|
|
2001-12-05 07:19:11 +00:00
|
|
|
wtap_file_read_expected_bytes(ep_pkt, sizeof(ep_pkt), wth->fh, err);
|
2001-02-22 22:03:31 +00:00
|
|
|
wth->data_offset += sizeof(ep_pkt);
|
|
|
|
|
2001-12-05 07:19:11 +00:00
|
|
|
/* Extract the fields from the packet */
|
|
|
|
length = pntohs(&ep_pkt[ETHERPEEK_M56_LENGTH_OFFSET]);
|
|
|
|
sliceLength = pntohs(&ep_pkt[ETHERPEEK_M56_SLICE_LENGTH_OFFSET]);
|
|
|
|
flags = ep_pkt[ETHERPEEK_M56_FLAGS_OFFSET];
|
|
|
|
status = ep_pkt[ETHERPEEK_M56_STATUS_OFFSET];
|
|
|
|
timestamp = pntohl(&ep_pkt[ETHERPEEK_M56_TIMESTAMP_OFFSET]);
|
|
|
|
destNum = pntohs(&ep_pkt[ETHERPEEK_M56_DESTNUM_OFFSET]);
|
|
|
|
srcNum = pntohs(&ep_pkt[ETHERPEEK_M56_SRCNUM_OFFSET]);
|
|
|
|
protoNum = pntohs(&ep_pkt[ETHERPEEK_M56_PROTONUM_OFFSET]);
|
|
|
|
memcpy(protoStr, &ep_pkt[ETHERPEEK_M56_PROTOSTR_OFFSET],
|
|
|
|
sizeof protoStr);
|
2001-02-22 22:03:31 +00:00
|
|
|
|
|
|
|
/* force sliceLength to be the actual length of the packet */
|
2001-12-05 07:19:11 +00:00
|
|
|
if (0 == sliceLength) {
|
|
|
|
sliceLength = length;
|
2001-02-22 22:03:31 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* test for corrupt data */
|
2001-12-05 07:19:11 +00:00
|
|
|
if (sliceLength > WTAP_MAX_PACKET_SIZE) {
|
2001-02-22 22:03:31 +00:00
|
|
|
*err = WTAP_ERR_BAD_RECORD;
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
|
|
|
|
*data_offset = wth->data_offset;
|
|
|
|
|
|
|
|
/* fill in packet header values */
|
2001-12-05 07:19:11 +00:00
|
|
|
wth->phdr.len = length;
|
|
|
|
wth->phdr.caplen = sliceLength;
|
2001-02-22 22:03:31 +00:00
|
|
|
/* timestamp is in milliseconds since reference_time */
|
|
|
|
wth->phdr.ts.tv_sec = wth->pseudo_header.etherpeek.
|
2001-12-05 07:19:11 +00:00
|
|
|
reference_time.tv_sec + (timestamp / 1000);
|
|
|
|
wth->phdr.ts.tv_usec = 1000 * (timestamp % 1000);
|
2001-02-22 22:03:31 +00:00
|
|
|
|
|
|
|
wth->phdr.pkt_encap = WTAP_ENCAP_UNKNOWN;
|
|
|
|
for (i=0; i<NUM_ETHERPEEK_ENCAPS; i++) {
|
2001-12-05 07:19:11 +00:00
|
|
|
if (etherpeek_encap[i].protoNum == protoNum) {
|
2001-02-22 22:03:31 +00:00
|
|
|
wth->phdr.pkt_encap = etherpeek_encap[i].encap;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return TRUE;
|
|
|
|
}
|