2009-02-16 07:24:04 +00:00
|
|
|
/* packetlogger.c
|
|
|
|
* Routines for opening Apple's (Bluetooth) PacketLogger file format captures
|
2009-05-31 05:55:15 +00:00
|
|
|
* Copyright 2008-2009, Stephen Fisher (see AUTHORS file)
|
2009-02-16 07:24:04 +00:00
|
|
|
*
|
|
|
|
* Wireshark - Network traffic analyzer
|
|
|
|
* By Gerald Combs <gerald@wireshark.org>
|
|
|
|
* Copyright 1998 Gerald Combs
|
|
|
|
*
|
|
|
|
* Based on commview.c, Linux's BlueZ-Gnome Analyzer program and hexdumps of
|
|
|
|
* the output files from Apple's PacketLogger tool.
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU General Public License
|
|
|
|
* as published by the Free Software Foundation; either version 2
|
|
|
|
* of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
|
|
|
|
* USA.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "config.h"
|
|
|
|
|
|
|
|
#include <glib.h>
|
|
|
|
#include <stdio.h>
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include <errno.h>
|
|
|
|
#include <string.h>
|
|
|
|
|
|
|
|
#include "wtap.h"
|
|
|
|
#include "wtap-int.h"
|
2014-07-15 23:40:46 +00:00
|
|
|
#include <wsutil/buffer.h>
|
2009-02-16 07:24:04 +00:00
|
|
|
#include "file_wrappers.h"
|
|
|
|
#include "packetlogger.h"
|
|
|
|
|
|
|
|
typedef struct packetlogger_header {
|
|
|
|
guint32 len;
|
|
|
|
guint64 ts;
|
|
|
|
} packetlogger_header_t;
|
|
|
|
|
2014-05-23 10:50:02 +00:00
|
|
|
static gboolean packetlogger_read(wtap *wth, int *err, gchar **err_info,
|
|
|
|
gint64 *data_offset);
|
|
|
|
static gboolean packetlogger_seek_read(wtap *wth, gint64 seek_off,
|
|
|
|
struct wtap_pkthdr *phdr,
|
|
|
|
Buffer *buf, int *err, gchar **err_info);
|
2009-02-16 07:24:04 +00:00
|
|
|
static gboolean packetlogger_read_header(packetlogger_header_t *pl_hdr,
|
2011-04-21 09:41:52 +00:00
|
|
|
FILE_T fh, int *err, gchar **err_info);
|
2013-06-17 21:18:47 +00:00
|
|
|
static gboolean packetlogger_read_packet(FILE_T fh, struct wtap_pkthdr *phdr,
|
|
|
|
Buffer *buf, int *err,
|
|
|
|
gchar **err_info);
|
2009-02-16 07:24:04 +00:00
|
|
|
|
2014-10-09 23:44:15 +00:00
|
|
|
wtap_open_return_val packetlogger_open(wtap *wth, int *err, gchar **err_info)
|
2009-02-16 07:24:04 +00:00
|
|
|
{
|
|
|
|
packetlogger_header_t pl_hdr;
|
2009-04-24 08:14:36 +00:00
|
|
|
guint8 type;
|
2009-02-16 07:24:04 +00:00
|
|
|
|
2014-05-09 05:18:49 +00:00
|
|
|
if(!packetlogger_read_header(&pl_hdr, wth->fh, err, err_info)) {
|
Do not call wtap_file_read_unknown_bytes() or
wtap_file_read_expected_bytes() from an open routine - open routines are
supposed to return -1 on error, 0 if the file doesn't appear to be a
file of the specified type, or 1 if the file does appear to be a file of
the specified type, but those macros will cause the caller to return
FALSE on errors (so that, even if there's an I/O error, it reports "the
file isn't a file of the specified type" rather than "we got an error
trying to read the file").
When doing reads in an open routine before we've concluded that the file
is probably of the right type, return 0, rather than -1, if we get
WTAP_ERR_SHORT_READ - if we don't have enough data to check whether a
file is of a given type, we should keep trying other types, not give up.
For reads done *after* we've concluded the file is probably of the right
type, if a read doesn't return the number of bytes we asked for, but
returns an error of 0, return WTAP_ERR_SHORT_READ - the file is
apparently cut short.
For NetMon and NetXRay/Windows Sniffer files, use a #define for the
magic number size, and use that for both magic numbers.
svn path=/trunk/; revision=46803
2012-12-27 12:19:25 +00:00
|
|
|
if (*err != 0 && *err != WTAP_ERR_SHORT_READ)
|
2014-10-09 23:44:15 +00:00
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
return WTAP_OPEN_NOT_MINE;
|
Do not call wtap_file_read_unknown_bytes() or
wtap_file_read_expected_bytes() from an open routine - open routines are
supposed to return -1 on error, 0 if the file doesn't appear to be a
file of the specified type, or 1 if the file does appear to be a file of
the specified type, but those macros will cause the caller to return
FALSE on errors (so that, even if there's an I/O error, it reports "the
file isn't a file of the specified type" rather than "we got an error
trying to read the file").
When doing reads in an open routine before we've concluded that the file
is probably of the right type, return 0, rather than -1, if we get
WTAP_ERR_SHORT_READ - if we don't have enough data to check whether a
file is of a given type, we should keep trying other types, not give up.
For reads done *after* we've concluded the file is probably of the right
type, if a read doesn't return the number of bytes we asked for, but
returns an error of 0, return WTAP_ERR_SHORT_READ - the file is
apparently cut short.
For NetMon and NetXRay/Windows Sniffer files, use a #define for the
magic number size, and use that for both magic numbers.
svn path=/trunk/; revision=46803
2012-12-27 12:19:25 +00:00
|
|
|
}
|
2010-04-17 10:09:52 +00:00
|
|
|
|
Add some higher-level file-read APIs and use them.
Add wtap_read_bytes(), which takes a FILE_T, a pointer, a byte count, an
error number pointer, and an error string pointer as arguments, and that
treats a short read of any sort, including a read that returns 0 bytes,
as a WTAP_ERR_SHORT_READ error, and that returns the error number and
string through its last two arguments.
Add wtap_read_bytes_or_eof(), which is similar, but that treats a read
that returns 0 bytes as an EOF, supplying an error number of 0 as an EOF
indication.
Use those in file readers; that simplifies the code and makes it less
likely that somebody will fail to supply the error number and error
string on a file read error.
Change-Id: Ia5dba2a6f81151e87b614461349d611cffc16210
Reviewed-on: https://code.wireshark.org/review/4512
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2014-10-07 01:00:57 +00:00
|
|
|
if (!wtap_read_bytes(wth->fh, &type, 1, err, err_info)) {
|
2014-10-07 19:49:14 +00:00
|
|
|
if (*err != WTAP_ERR_SHORT_READ)
|
2014-10-09 23:44:15 +00:00
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
return WTAP_OPEN_NOT_MINE;
|
Do not call wtap_file_read_unknown_bytes() or
wtap_file_read_expected_bytes() from an open routine - open routines are
supposed to return -1 on error, 0 if the file doesn't appear to be a
file of the specified type, or 1 if the file does appear to be a file of
the specified type, but those macros will cause the caller to return
FALSE on errors (so that, even if there's an I/O error, it reports "the
file isn't a file of the specified type" rather than "we got an error
trying to read the file").
When doing reads in an open routine before we've concluded that the file
is probably of the right type, return 0, rather than -1, if we get
WTAP_ERR_SHORT_READ - if we don't have enough data to check whether a
file is of a given type, we should keep trying other types, not give up.
For reads done *after* we've concluded the file is probably of the right
type, if a read doesn't return the number of bytes we asked for, but
returns an error of 0, return WTAP_ERR_SHORT_READ - the file is
apparently cut short.
For NetMon and NetXRay/Windows Sniffer files, use a #define for the
magic number size, and use that for both magic numbers.
svn path=/trunk/; revision=46803
2012-12-27 12:19:25 +00:00
|
|
|
}
|
2009-02-16 07:24:04 +00:00
|
|
|
|
|
|
|
/* Verify this file belongs to us */
|
2009-06-22 12:13:12 +00:00
|
|
|
if (!((8 <= pl_hdr.len) && (pl_hdr.len < 65536) &&
|
2010-07-14 20:24:38 +00:00
|
|
|
(type < 0x04 || type == 0xFB || type == 0xFC || type == 0xFE || type == 0xFF)))
|
2014-10-09 23:44:15 +00:00
|
|
|
return WTAP_OPEN_NOT_MINE;
|
2009-02-16 07:24:04 +00:00
|
|
|
|
|
|
|
/* No file header. Reset the fh to 0 so we can read the first packet */
|
2014-05-09 05:18:49 +00:00
|
|
|
if (file_seek(wth->fh, 0, SEEK_SET, err) == -1)
|
2014-10-09 23:44:15 +00:00
|
|
|
return WTAP_OPEN_ERROR;
|
2009-02-16 07:24:04 +00:00
|
|
|
|
|
|
|
/* Set up the pointers to the handlers for this file type */
|
2014-05-09 05:18:49 +00:00
|
|
|
wth->subtype_read = packetlogger_read;
|
|
|
|
wth->subtype_seek_read = packetlogger_seek_read;
|
2009-02-16 07:24:04 +00:00
|
|
|
|
2014-05-09 05:18:49 +00:00
|
|
|
wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_PACKETLOGGER;
|
|
|
|
wth->file_encap = WTAP_ENCAP_PACKETLOGGER;
|
2014-09-28 18:37:06 +00:00
|
|
|
wth->file_tsprec = WTAP_TSPREC_USEC;
|
2009-02-16 07:24:04 +00:00
|
|
|
|
2014-10-09 23:44:15 +00:00
|
|
|
return WTAP_OPEN_MINE; /* Our kind of file */
|
2009-02-16 07:24:04 +00:00
|
|
|
}
|
|
|
|
|
2014-05-23 10:50:02 +00:00
|
|
|
static gboolean
|
2014-05-09 05:18:49 +00:00
|
|
|
packetlogger_read(wtap *wth, int *err, gchar **err_info, gint64 *data_offset)
|
2009-02-16 07:24:04 +00:00
|
|
|
{
|
2014-05-09 05:18:49 +00:00
|
|
|
*data_offset = file_tell(wth->fh);
|
2009-02-16 07:24:04 +00:00
|
|
|
|
2014-05-23 10:50:02 +00:00
|
|
|
return packetlogger_read_packet(wth->fh, &wth->phdr,
|
|
|
|
wth->frame_buffer, err, err_info);
|
2009-02-16 07:24:04 +00:00
|
|
|
}
|
|
|
|
|
2014-05-23 10:50:02 +00:00
|
|
|
static gboolean
|
2014-05-09 05:18:49 +00:00
|
|
|
packetlogger_seek_read(wtap *wth, gint64 seek_off, struct wtap_pkthdr *phdr,
|
2014-01-02 20:47:21 +00:00
|
|
|
Buffer *buf, int *err, gchar **err_info)
|
2009-02-16 07:24:04 +00:00
|
|
|
{
|
2014-05-09 05:18:49 +00:00
|
|
|
if(file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
|
2014-05-23 10:50:02 +00:00
|
|
|
return FALSE;
|
2009-02-16 07:24:04 +00:00
|
|
|
|
2014-05-09 05:18:49 +00:00
|
|
|
if(!packetlogger_read_packet(wth->random_fh, phdr, buf, err, err_info)) {
|
2009-02-16 07:24:04 +00:00
|
|
|
if(*err == 0)
|
|
|
|
*err = WTAP_ERR_SHORT_READ;
|
|
|
|
|
2014-05-23 10:50:02 +00:00
|
|
|
return FALSE;
|
2009-02-16 07:24:04 +00:00
|
|
|
}
|
2014-05-23 10:50:02 +00:00
|
|
|
return TRUE;
|
2009-02-16 07:24:04 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static gboolean
|
2011-04-21 09:41:52 +00:00
|
|
|
packetlogger_read_header(packetlogger_header_t *pl_hdr, FILE_T fh, int *err,
|
|
|
|
gchar **err_info)
|
2009-02-16 07:24:04 +00:00
|
|
|
{
|
Add some higher-level file-read APIs and use them.
Add wtap_read_bytes(), which takes a FILE_T, a pointer, a byte count, an
error number pointer, and an error string pointer as arguments, and that
treats a short read of any sort, including a read that returns 0 bytes,
as a WTAP_ERR_SHORT_READ error, and that returns the error number and
string through its last two arguments.
Add wtap_read_bytes_or_eof(), which is similar, but that treats a read
that returns 0 bytes as an EOF, supplying an error number of 0 as an EOF
indication.
Use those in file readers; that simplifies the code and makes it less
likely that somebody will fail to supply the error number and error
string on a file read error.
Change-Id: Ia5dba2a6f81151e87b614461349d611cffc16210
Reviewed-on: https://code.wireshark.org/review/4512
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2014-10-07 01:00:57 +00:00
|
|
|
if (!wtap_read_bytes_or_eof(fh, &pl_hdr->len, 4, err, err_info))
|
|
|
|
return FALSE;
|
|
|
|
if (!wtap_read_bytes(fh, &pl_hdr->ts, 8, err, err_info))
|
|
|
|
return FALSE;
|
2009-02-16 07:24:04 +00:00
|
|
|
|
|
|
|
/* Convert multi-byte values from big endian to host endian */
|
|
|
|
pl_hdr->len = GUINT32_FROM_BE(pl_hdr->len);
|
|
|
|
pl_hdr->ts = GUINT64_FROM_BE(pl_hdr->ts);
|
|
|
|
|
|
|
|
return TRUE;
|
|
|
|
}
|
2013-06-02 22:17:37 +00:00
|
|
|
|
|
|
|
static gboolean
|
2013-06-17 21:18:47 +00:00
|
|
|
packetlogger_read_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf,
|
|
|
|
int *err, gchar **err_info)
|
2013-06-02 22:17:37 +00:00
|
|
|
{
|
|
|
|
packetlogger_header_t pl_hdr;
|
|
|
|
|
|
|
|
if(!packetlogger_read_header(&pl_hdr, fh, err, err_info))
|
|
|
|
return FALSE;
|
|
|
|
|
|
|
|
if (pl_hdr.len < 8) {
|
|
|
|
*err = WTAP_ERR_BAD_FILE;
|
|
|
|
*err_info = g_strdup_printf("packetlogger: record length %u is too small", pl_hdr.len);
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
if (pl_hdr.len - 8 > WTAP_MAX_PACKET_SIZE) {
|
|
|
|
/*
|
|
|
|
* Probably a corrupt capture file; don't blow up trying
|
|
|
|
* to allocate space for an immensely-large packet.
|
|
|
|
*/
|
|
|
|
*err = WTAP_ERR_BAD_FILE;
|
|
|
|
*err_info = g_strdup_printf("packetlogger: File has %u-byte packet, bigger than maximum of %u",
|
|
|
|
pl_hdr.len - 8, WTAP_MAX_PACKET_SIZE);
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
|
2014-05-24 18:28:30 +00:00
|
|
|
phdr->rec_type = REC_TYPE_PACKET;
|
2013-06-02 22:17:37 +00:00
|
|
|
phdr->presence_flags = WTAP_HAS_TS;
|
|
|
|
|
|
|
|
phdr->len = pl_hdr.len - 8;
|
|
|
|
phdr->caplen = pl_hdr.len - 8;
|
|
|
|
|
|
|
|
phdr->ts.secs = (time_t) (pl_hdr.ts >> 32);
|
|
|
|
phdr->ts.nsecs = (int)((pl_hdr.ts & 0xFFFFFFFF) * 1000);
|
|
|
|
|
2013-06-17 21:18:47 +00:00
|
|
|
return wtap_read_packet_bytes(fh, buf, phdr->caplen, err, err_info);
|
2013-06-02 22:17:37 +00:00
|
|
|
}
|