1999-01-18 21:34:54 +00:00
|
|
|
/* netmon.c
|
|
|
|
*
|
|
|
|
* Wiretap Library
|
2001-11-13 23:55:44 +00:00
|
|
|
* Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
|
2002-08-28 20:30:45 +00:00
|
|
|
*
|
2018-02-07 11:26:45 +00:00
|
|
|
* SPDX-License-Identifier: GPL-2.0-or-later
|
1999-01-18 21:34:54 +00:00
|
|
|
*/
|
2002-02-27 08:57:25 +00:00
|
|
|
|
1999-07-13 02:53:26 +00:00
|
|
|
#include "config.h"
|
Have the per-capture-file-type open routines "wtap_open_offline()" calls
return 1 on success, -1 if they got an error, and 0 if the file isn't of
the type that file is checking for, and supply an error code if they
return -1; have "wtap_open_offline()" use that error code. Also, have
the per-capture-file-type open routines treat errors accessing the file
as errors, and return -1, rather than just returning 0 so that we try
another file type.
Have the per-capture-file-type read routines "wtap_loop()" calls return
-1 and supply an error code on error (and not, as they did in some
cases, call "g_error()" and abort), and have "wtap_loop()", if the read
routine returned an error, return FALSE (and pass an error-code-pointer
argument onto the read routines, so they fill it in), and return TRUE on
success.
Add some new error codes for them to return.
Now that "wtap_loop()" can return a success/failure indication and an
error code, in "read_cap_file()" put up a message box if we get an error
reading the file, and return the error code.
Handle the additional errors we can get when opening a capture file.
If the attempt to open a capture file succeeds, but the attempt to read
it fails, don't treat that as a complete failure - we may have managed
to read some of the capture file, and we should display what we managed
to read.
svn path=/trunk/; revision=516
1999-08-19 05:31:38 +00:00
|
|
|
#include <errno.h>
|
1999-12-04 06:21:45 +00:00
|
|
|
#include <string.h>
|
2018-06-14 20:40:11 +00:00
|
|
|
#include <wsutil/unicode-utils.h>
|
2000-05-19 23:07:04 +00:00
|
|
|
#include "wtap-int.h"
|
2000-01-13 07:09:20 +00:00
|
|
|
#include "file_wrappers.h"
|
2002-08-13 03:26:30 +00:00
|
|
|
#include "atm.h"
|
2010-07-18 20:27:46 +00:00
|
|
|
#include "pcap-encap.h"
|
1999-01-18 21:34:54 +00:00
|
|
|
#include "netmon.h"
|
2002-08-13 03:26:30 +00:00
|
|
|
|
1999-01-18 21:34:54 +00:00
|
|
|
/* The file at
|
|
|
|
*
|
|
|
|
* ftp://ftp.microsoft.com/developr/drg/cifs/cifs/Bhfile.zip
|
|
|
|
*
|
|
|
|
* contains "STRUCT.H", which declares the typedef CAPTUREFILE_HEADER
|
2011-11-16 17:54:44 +00:00
|
|
|
* for the header of a Microsoft Network Monitor 1.x capture file.
|
|
|
|
*
|
|
|
|
* The help files for Network Monitor 3.x document the 2.x file format.
|
1999-01-18 21:34:54 +00:00
|
|
|
*/
|
|
|
|
|
1999-02-20 06:46:33 +00:00
|
|
|
/* Capture file header, *including* magic number, is padded to 128 bytes. */
|
1999-01-18 21:34:54 +00:00
|
|
|
#define CAPTUREFILE_HEADER_SIZE 128
|
|
|
|
|
Do not call wtap_file_read_unknown_bytes() or
wtap_file_read_expected_bytes() from an open routine - open routines are
supposed to return -1 on error, 0 if the file doesn't appear to be a
file of the specified type, or 1 if the file does appear to be a file of
the specified type, but those macros will cause the caller to return
FALSE on errors (so that, even if there's an I/O error, it reports "the
file isn't a file of the specified type" rather than "we got an error
trying to read the file").
When doing reads in an open routine before we've concluded that the file
is probably of the right type, return 0, rather than -1, if we get
WTAP_ERR_SHORT_READ - if we don't have enough data to check whether a
file is of a given type, we should keep trying other types, not give up.
For reads done *after* we've concluded the file is probably of the right
type, if a read doesn't return the number of bytes we asked for, but
returns an error of 0, return WTAP_ERR_SHORT_READ - the file is
apparently cut short.
For NetMon and NetXRay/Windows Sniffer files, use a #define for the
magic number size, and use that for both magic numbers.
svn path=/trunk/; revision=46803
2012-12-27 12:19:25 +00:00
|
|
|
/* Magic number size, for both 1.x and 2.x. */
|
|
|
|
#define MAGIC_SIZE 4
|
|
|
|
|
1999-05-12 21:40:07 +00:00
|
|
|
/* Magic number in Network Monitor 1.x files. */
|
Do not call wtap_file_read_unknown_bytes() or
wtap_file_read_expected_bytes() from an open routine - open routines are
supposed to return -1 on error, 0 if the file doesn't appear to be a
file of the specified type, or 1 if the file does appear to be a file of
the specified type, but those macros will cause the caller to return
FALSE on errors (so that, even if there's an I/O error, it reports "the
file isn't a file of the specified type" rather than "we got an error
trying to read the file").
When doing reads in an open routine before we've concluded that the file
is probably of the right type, return 0, rather than -1, if we get
WTAP_ERR_SHORT_READ - if we don't have enough data to check whether a
file is of a given type, we should keep trying other types, not give up.
For reads done *after* we've concluded the file is probably of the right
type, if a read doesn't return the number of bytes we asked for, but
returns an error of 0, return WTAP_ERR_SHORT_READ - the file is
apparently cut short.
For NetMon and NetXRay/Windows Sniffer files, use a #define for the
magic number size, and use that for both magic numbers.
svn path=/trunk/; revision=46803
2012-12-27 12:19:25 +00:00
|
|
|
static const char netmon_1_x_magic[MAGIC_SIZE] = {
|
2012-12-27 12:41:24 +00:00
|
|
|
'R', 'T', 'S', 'S'
|
1999-01-18 21:34:54 +00:00
|
|
|
};
|
|
|
|
|
1999-05-12 21:40:07 +00:00
|
|
|
/* Magic number in Network Monitor 2.x files. */
|
Do not call wtap_file_read_unknown_bytes() or
wtap_file_read_expected_bytes() from an open routine - open routines are
supposed to return -1 on error, 0 if the file doesn't appear to be a
file of the specified type, or 1 if the file does appear to be a file of
the specified type, but those macros will cause the caller to return
FALSE on errors (so that, even if there's an I/O error, it reports "the
file isn't a file of the specified type" rather than "we got an error
trying to read the file").
When doing reads in an open routine before we've concluded that the file
is probably of the right type, return 0, rather than -1, if we get
WTAP_ERR_SHORT_READ - if we don't have enough data to check whether a
file is of a given type, we should keep trying other types, not give up.
For reads done *after* we've concluded the file is probably of the right
type, if a read doesn't return the number of bytes we asked for, but
returns an error of 0, return WTAP_ERR_SHORT_READ - the file is
apparently cut short.
For NetMon and NetXRay/Windows Sniffer files, use a #define for the
magic number size, and use that for both magic numbers.
svn path=/trunk/; revision=46803
2012-12-27 12:19:25 +00:00
|
|
|
static const char netmon_2_x_magic[MAGIC_SIZE] = {
|
2012-12-27 12:41:24 +00:00
|
|
|
'G', 'M', 'B', 'U'
|
1999-05-12 21:40:07 +00:00
|
|
|
};
|
|
|
|
|
1999-01-18 21:34:54 +00:00
|
|
|
/* Network Monitor file header (minus magic number). */
|
|
|
|
struct netmon_hdr {
|
|
|
|
guint8 ver_minor; /* minor version number */
|
|
|
|
guint8 ver_major; /* major version number */
|
|
|
|
guint16 network; /* network type */
|
|
|
|
guint16 ts_year; /* year of capture start */
|
|
|
|
guint16 ts_month; /* month of capture start (January = 1) */
|
|
|
|
guint16 ts_dow; /* day of week of capture start (Sun = 0) */
|
|
|
|
guint16 ts_day; /* day of month of capture start */
|
|
|
|
guint16 ts_hour; /* hour of capture start */
|
|
|
|
guint16 ts_min; /* minute of capture start */
|
|
|
|
guint16 ts_sec; /* second of capture start */
|
|
|
|
guint16 ts_msec; /* millisecond of capture start */
|
|
|
|
guint32 frametableoffset; /* frame index table offset */
|
|
|
|
guint32 frametablelength; /* frame index table size */
|
|
|
|
guint32 userdataoffset; /* user data offset */
|
|
|
|
guint32 userdatalength; /* user data size */
|
|
|
|
guint32 commentdataoffset; /* comment data offset */
|
|
|
|
guint32 commentdatalength; /* comment data size */
|
2017-08-30 20:01:48 +00:00
|
|
|
guint32 processinfooffset; /* offset to process info structure */
|
|
|
|
guint32 processinfocount; /* number of process info structures */
|
1999-01-18 21:34:54 +00:00
|
|
|
guint32 networkinfooffset; /* offset to network info structure */
|
|
|
|
guint32 networkinfolength; /* length of network info structure */
|
|
|
|
};
|
|
|
|
|
1999-11-26 22:50:51 +00:00
|
|
|
/* Network Monitor 1.x record header; not defined in STRUCT.H, but deduced by
|
1999-01-18 21:34:54 +00:00
|
|
|
* looking at capture files. */
|
1999-05-12 21:40:07 +00:00
|
|
|
struct netmonrec_1_x_hdr {
|
1999-01-18 21:34:54 +00:00
|
|
|
guint32 ts_delta; /* time stamp - msecs since start of capture */
|
|
|
|
guint16 orig_len; /* actual length of packet */
|
|
|
|
guint16 incl_len; /* number of octets captured in file */
|
|
|
|
};
|
|
|
|
|
2011-11-16 17:54:44 +00:00
|
|
|
/*
|
|
|
|
* Network Monitor 2.x record header, as documented in NetMon 3.x's
|
|
|
|
* help files.
|
|
|
|
*/
|
1999-05-12 21:40:07 +00:00
|
|
|
struct netmonrec_2_x_hdr {
|
2011-11-17 09:03:09 +00:00
|
|
|
guint64 ts_delta; /* time stamp - usecs since start of capture */
|
1999-05-12 21:40:07 +00:00
|
|
|
guint32 orig_len; /* actual length of packet */
|
|
|
|
guint32 incl_len; /* number of octets captured in file */
|
|
|
|
};
|
|
|
|
|
2010-07-18 19:41:11 +00:00
|
|
|
/*
|
|
|
|
* Network Monitor 2.1 and later record trailers; documented in the Network
|
|
|
|
* Monitor 3.x help files, for 3.3 and later, although they don't clearly
|
|
|
|
* state how the trailer format changes from version to version.
|
|
|
|
*
|
|
|
|
* Some fields are multi-byte integers, but they're not aligned on their
|
|
|
|
* natural boundaries.
|
|
|
|
*/
|
|
|
|
struct netmonrec_2_1_trlr {
|
|
|
|
guint8 network[2]; /* network type for this packet */
|
|
|
|
};
|
|
|
|
|
|
|
|
struct netmonrec_2_2_trlr {
|
|
|
|
guint8 network[2]; /* network type for this packet */
|
|
|
|
guint8 process_info_index[4]; /* index into the process info table */
|
|
|
|
};
|
|
|
|
|
|
|
|
struct netmonrec_2_3_trlr {
|
|
|
|
guint8 network[2]; /* network type for this packet */
|
|
|
|
guint8 process_info_index[4]; /* index into the process info table */
|
|
|
|
guint8 utc_timestamp[8]; /* packet time stamp, as .1 us units since January 1, 1601, 00:00:00 UTC */
|
|
|
|
guint8 timezone_index; /* index of time zone information */
|
|
|
|
};
|
|
|
|
|
2017-08-25 19:29:17 +00:00
|
|
|
struct netmonrec_comment {
|
2018-06-15 01:21:16 +00:00
|
|
|
guint32 numFramePerComment; /* Currently, this is always set to 1. Each comment is attached to only one frame. */
|
|
|
|
guint32 frameOffset; /* Offset in the capture file table that indicates the beginning of the frame. Key used to match comment with frame */
|
2017-08-25 19:29:17 +00:00
|
|
|
guint8* title; /* Comment title */
|
|
|
|
guint32 descLength; /* Number of bytes in the comment description. Must be at least zero. */
|
2018-06-15 01:21:16 +00:00
|
|
|
guint8* description; /* Comment description */
|
2017-08-25 19:29:17 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
/* Just the first few fields of netmonrec_comment so it can be read sequentially from file */
|
|
|
|
struct netmonrec_comment_header {
|
|
|
|
guint32 numFramePerComment;
|
|
|
|
guint32 frameOffset;
|
|
|
|
guint32 titleLength;
|
|
|
|
};
|
|
|
|
|
2017-08-30 20:01:48 +00:00
|
|
|
union ip_address {
|
|
|
|
guint32 ipv4;
|
2017-10-26 08:50:00 +00:00
|
|
|
ws_in6_addr ipv6;
|
2017-08-30 20:01:48 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
struct netmonrec_process_info {
|
|
|
|
guint8* path; /* A Unicode string of length PathSize */
|
|
|
|
guint32 iconSize;
|
|
|
|
guint8* iconData;
|
|
|
|
guint32 pid;
|
|
|
|
guint16 localPort;
|
|
|
|
guint16 remotePort;
|
|
|
|
gboolean isIPv6;
|
|
|
|
union ip_address localAddr;
|
|
|
|
union ip_address remoteAddr;
|
|
|
|
};
|
|
|
|
|
2002-01-24 23:02:56 +00:00
|
|
|
/*
|
|
|
|
* The link-layer header on ATM packets.
|
|
|
|
*/
|
|
|
|
struct netmon_atm_hdr {
|
|
|
|
guint8 dest[6]; /* "Destination address" - what is it? */
|
|
|
|
guint8 src[6]; /* "Source address" - what is it? */
|
|
|
|
guint16 vpi; /* VPI */
|
|
|
|
guint16 vci; /* VCI */
|
|
|
|
};
|
|
|
|
|
2010-02-26 07:59:54 +00:00
|
|
|
typedef struct {
|
2017-08-25 19:29:17 +00:00
|
|
|
time_t start_secs;
|
|
|
|
guint32 start_nsecs;
|
|
|
|
guint8 version_major;
|
|
|
|
guint8 version_minor;
|
2010-02-26 07:59:54 +00:00
|
|
|
guint32 *frame_table;
|
2017-08-25 19:29:17 +00:00
|
|
|
guint32 frame_table_size;
|
|
|
|
GHashTable* comment_table;
|
2017-08-30 20:01:48 +00:00
|
|
|
GHashTable* process_info_table;
|
2017-08-25 19:29:17 +00:00
|
|
|
guint current_frame;
|
2010-02-26 07:59:54 +00:00
|
|
|
} netmon_t;
|
|
|
|
|
2018-06-14 20:40:11 +00:00
|
|
|
/*
|
|
|
|
* Maximum pathname length supported in the process table; the length
|
|
|
|
* is in a 32-bit field, so we impose a limit to prevent attempts to
|
|
|
|
* allocate too much memory.
|
|
|
|
*
|
|
|
|
* See
|
|
|
|
*
|
2019-07-27 22:53:22 +00:00
|
|
|
* https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file#maximum-path-length-limitation
|
2018-06-14 20:40:11 +00:00
|
|
|
*
|
|
|
|
* The NetMon 3.4 "Capture File Format" documentation says "PathSize must be
|
|
|
|
* greater than 0, and less than MAX_PATH (260 characters)", but, as per that
|
|
|
|
* link above, that limit has been raised in more recent systems.
|
|
|
|
*
|
|
|
|
* We pick a limit of 65536, as that should handle a path length of 32767
|
|
|
|
* UTF-16 octet pairs plus a trailing NUL octet pair.
|
|
|
|
*/
|
|
|
|
#define MATH_PROCINFO_PATH_SIZE 65536
|
|
|
|
|
2010-07-23 10:11:44 +00:00
|
|
|
/*
|
|
|
|
* XXX - at least in some NetMon 3.4 VPN captures, the per-packet
|
|
|
|
* link-layer type is 0, but the packets have Ethernet headers.
|
|
|
|
* We handle this by mapping 0 to WTAP_ENCAP_ETHERNET; should we,
|
|
|
|
* instead, use the per-file link-layer type?
|
|
|
|
*/
|
2010-07-18 19:41:11 +00:00
|
|
|
static const int netmon_encap[] = {
|
2010-07-23 10:11:44 +00:00
|
|
|
WTAP_ENCAP_ETHERNET,
|
2010-07-18 19:41:11 +00:00
|
|
|
WTAP_ENCAP_ETHERNET,
|
|
|
|
WTAP_ENCAP_TOKEN_RING,
|
|
|
|
WTAP_ENCAP_FDDI_BITSWAPPED,
|
|
|
|
WTAP_ENCAP_ATM_PDUS, /* NDIS WAN - this is what's used for ATM */
|
2011-05-03 09:14:56 +00:00
|
|
|
WTAP_ENCAP_UNKNOWN, /* NDIS LocalTalk, but format 2.x uses it for IP-over-IEEE 1394 */
|
2012-05-02 03:11:00 +00:00
|
|
|
WTAP_ENCAP_IEEE_802_11_NETMON,
|
2011-05-03 09:14:56 +00:00
|
|
|
/* NDIS "DIX", but format 2.x uses it for 802.11 */
|
|
|
|
WTAP_ENCAP_RAW_IP, /* NDIS ARCNET raw, but format 2.x uses it for "Tunneling interfaces" */
|
|
|
|
WTAP_ENCAP_RAW_IP, /* NDIS ARCNET 878.2, but format 2.x uses it for "Wireless WAN" */
|
|
|
|
WTAP_ENCAP_RAW_IP, /* NDIS ATM (no, this is NOT used for ATM); format 2.x uses it for "Raw IP Frames" */
|
2010-07-18 19:41:11 +00:00
|
|
|
WTAP_ENCAP_UNKNOWN, /* NDIS Wireless WAN */
|
|
|
|
WTAP_ENCAP_UNKNOWN /* NDIS IrDA */
|
|
|
|
};
|
|
|
|
#define NUM_NETMON_ENCAPS (sizeof netmon_encap / sizeof netmon_encap[0])
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Special link-layer types.
|
|
|
|
*/
|
2010-07-18 20:27:46 +00:00
|
|
|
#define NETMON_NET_PCAP_BASE 0xE000
|
2010-07-18 19:41:11 +00:00
|
|
|
#define NETMON_NET_NETEVENT 0xFFE0
|
|
|
|
#define NETMON_NET_NETWORK_INFO_EX 0xFFFB
|
|
|
|
#define NETMON_NET_PAYLOAD_HEADER 0xFFFC
|
|
|
|
#define NETMON_NET_NETWORK_INFO 0xFFFD
|
|
|
|
#define NETMON_NET_DNS_CACHE 0xFFFE
|
|
|
|
#define NETMON_NET_NETMON_FILTER 0xFFFF
|
|
|
|
|
2019-04-05 01:56:27 +00:00
|
|
|
static gboolean netmon_read(wtap *wth, wtap_rec *rec, Buffer *buf,
|
|
|
|
int *err, gchar **err_info, gint64 *data_offset);
|
2014-05-23 10:50:02 +00:00
|
|
|
static gboolean netmon_seek_read(wtap *wth, gint64 seek_off,
|
2018-02-09 00:19:12 +00:00
|
|
|
wtap_rec *rec, Buffer *buf, int *err, gchar **err_info);
|
2002-03-05 08:40:27 +00:00
|
|
|
static gboolean netmon_read_atm_pseudoheader(FILE_T fh,
|
2011-04-21 09:41:52 +00:00
|
|
|
union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info);
|
2017-08-25 19:29:17 +00:00
|
|
|
static void netmon_close(wtap *wth);
|
2018-02-09 00:19:12 +00:00
|
|
|
static gboolean netmon_dump(wtap_dumper *wdh, const wtap_rec *rec,
|
2014-12-18 00:02:50 +00:00
|
|
|
const guint8 *pd, int *err, gchar **err_info);
|
2020-10-14 01:48:46 +00:00
|
|
|
static gboolean netmon_dump_finish(wtap_dumper *wdh, int *err,
|
|
|
|
gchar **err_info);
|
Have the per-capture-file-type open routines "wtap_open_offline()" calls
return 1 on success, -1 if they got an error, and 0 if the file isn't of
the type that file is checking for, and supply an error code if they
return -1; have "wtap_open_offline()" use that error code. Also, have
the per-capture-file-type open routines treat errors accessing the file
as errors, and return -1, rather than just returning 0 so that we try
another file type.
Have the per-capture-file-type read routines "wtap_loop()" calls return
-1 and supply an error code on error (and not, as they did in some
cases, call "g_error()" and abort), and have "wtap_loop()", if the read
routine returned an error, return FALSE (and pass an error-code-pointer
argument onto the read routines, so they fill it in), and return TRUE on
success.
Add some new error codes for them to return.
Now that "wtap_loop()" can return a success/failure indication and an
error code, in "read_cap_file()" put up a message box if we get an error
reading the file, and return the error code.
Handle the additional errors we can get when opening a capture file.
If the attempt to open a capture file succeeds, but the attempt to read
it fails, don't treat that as a complete failure - we may have managed
to read some of the capture file, and we should display what we managed
to read.
svn path=/trunk/; revision=516
1999-08-19 05:31:38 +00:00
|
|
|
|
wiretap: register most built-in file types from its module.
Remove most of the built-in file types from the table in
wiretap/file_access.c and, instead, have the file types register
themselves, using wtap_register_file_type_subtypes().
This reduces the source code changes needed to add a new file type from
three (add the handler, add the file type to the table in file_access.c,
add a #define for the file type in wiretap/wtap.h) to one (add the
handler). (It also requires adding the handler's source file to
wiretap/CMakeLists.txt, but that's required in both cases.)
A few remain because the WTAP_FILE_TYPE_SUBTYPE_ #define is used
elsewhere; that needs to be fixed.
Fix the wiretap/CMakefile.txt file to scan k12text.l, as that now
contains a registration routine. In the process, avoid scanning files
that don't implement a file type and won't ever have a registration
routine.
Add a Lua routine to fetch the total number of file types; we use that
in some code to construct the wtap_filetypes table, which we need to do
in order to continue to have all the values that used to come from the
WTAP_FILE_TYPE_SUBTYPE_ types.
While we're at it, add modelines to a file that lacked them.
2021-02-14 08:34:10 +00:00
|
|
|
static int netmon_1_x_file_type_subtype = -1;
|
|
|
|
static int netmon_2_x_file_type_subtype = -1;
|
|
|
|
|
|
|
|
void register_netmon(void);
|
|
|
|
|
2018-06-14 20:40:11 +00:00
|
|
|
/*
|
|
|
|
* Convert a counted UTF-16 string, which is probably also null-terminated
|
|
|
|
* but is not guaranteed to be null-terminated (as it came from a file),
|
|
|
|
* to a null-terminated UTF-8 string.
|
|
|
|
*/
|
|
|
|
static guint8 *
|
|
|
|
utf_16_to_utf_8(const guint8 *in, guint32 length)
|
|
|
|
{
|
|
|
|
guint8 *result, *out;
|
2018-06-22 06:55:00 +00:00
|
|
|
gunichar2 uchar2;
|
2018-06-14 20:40:11 +00:00
|
|
|
gunichar uchar;
|
|
|
|
size_t n_bytes;
|
|
|
|
guint32 i;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Get the length of the resulting UTF-8 string, and validate
|
|
|
|
* the input string in the process.
|
|
|
|
*/
|
|
|
|
n_bytes = 0;
|
|
|
|
for (i = 0; i + 1 < length && (uchar2 = pletoh16(in + i)) != '\0';
|
|
|
|
i += 2) {
|
|
|
|
if (IS_LEAD_SURROGATE(uchar2)) {
|
|
|
|
/*
|
|
|
|
* Lead surrogate. Must be followed by a trail
|
|
|
|
* surrogate.
|
|
|
|
*/
|
2018-06-22 06:55:00 +00:00
|
|
|
gunichar2 lead_surrogate;
|
|
|
|
|
2018-06-14 20:40:11 +00:00
|
|
|
i += 2;
|
|
|
|
if (i + 1 >= length) {
|
|
|
|
/*
|
|
|
|
* Oops, string ends with a lead surrogate.
|
|
|
|
* Ignore this for now.
|
|
|
|
* XXX - insert "substitute" character?
|
|
|
|
* Report the error in some other fashion?
|
|
|
|
*/
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
lead_surrogate = uchar2;
|
|
|
|
uchar2 = pletoh16(in + i);
|
|
|
|
if (uchar2 == '\0') {
|
|
|
|
/*
|
|
|
|
* Oops, string ends with a lead surrogate.
|
|
|
|
* Ignore this for now.
|
|
|
|
* XXX - insert "substitute" character?
|
|
|
|
* Report the error in some other fashion?
|
|
|
|
*/
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
if (IS_TRAIL_SURROGATE(uchar2)) {
|
|
|
|
/* Trail surrogate. */
|
|
|
|
uchar = SURROGATE_VALUE(lead_surrogate, uchar2);
|
|
|
|
n_bytes += g_unichar_to_utf8(uchar, NULL);
|
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* Not a trail surrogate.
|
|
|
|
* Ignore the entire pair.
|
|
|
|
* XXX - insert "substitute" character?
|
|
|
|
* Report the error in some other fashion?
|
|
|
|
*/
|
|
|
|
;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if (IS_TRAIL_SURROGATE(uchar2)) {
|
|
|
|
/*
|
|
|
|
* Trail surrogate without a preceding
|
|
|
|
* lead surrogate. Ignore it.
|
|
|
|
* XXX - insert "substitute" character?
|
|
|
|
* Report the error in some other fashion?
|
|
|
|
*/
|
|
|
|
;
|
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* Non-surrogate; just count it.
|
|
|
|
*/
|
|
|
|
n_bytes += g_unichar_to_utf8(uchar2, NULL);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Now allocate a buffer big enough for the UTF-8 string plus a
|
|
|
|
* trailing NUL, and generate the string.
|
|
|
|
*/
|
|
|
|
result = (guint8 *)g_malloc(n_bytes + 1);
|
|
|
|
|
|
|
|
out = result;
|
|
|
|
for (i = 0; i + 1 < length && (uchar2 = pletoh16(in + i)) != '\0';
|
|
|
|
i += 2) {
|
|
|
|
if (IS_LEAD_SURROGATE(uchar2)) {
|
|
|
|
/*
|
|
|
|
* Lead surrogate. Must be followed by a trail
|
|
|
|
* surrogate.
|
|
|
|
*/
|
2018-06-22 06:55:00 +00:00
|
|
|
gunichar2 lead_surrogate;
|
|
|
|
|
2018-06-14 20:40:11 +00:00
|
|
|
i += 2;
|
|
|
|
if (i + 1 >= length) {
|
|
|
|
/*
|
|
|
|
* Oops, string ends with a lead surrogate.
|
|
|
|
* Ignore this for now.
|
|
|
|
* XXX - insert "substitute" character?
|
|
|
|
* Report the error in some other fashion?
|
|
|
|
*/
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
lead_surrogate = uchar2;
|
|
|
|
uchar2 = pletoh16(in + i);
|
|
|
|
if (uchar2 == '\0') {
|
|
|
|
/*
|
|
|
|
* Oops, string ends with a lead surrogate.
|
|
|
|
* Ignore this for now.
|
|
|
|
* XXX - insert "substitute" character?
|
|
|
|
* Report the error in some other fashion?
|
|
|
|
*/
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
if (IS_TRAIL_SURROGATE(uchar2)) {
|
|
|
|
/* Trail surrogate. */
|
|
|
|
uchar = SURROGATE_VALUE(lead_surrogate, uchar2);
|
|
|
|
out += g_unichar_to_utf8(uchar, out);
|
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* Not a trail surrogate.
|
|
|
|
* Ignore the entire pair.
|
|
|
|
* XXX - insert "substitute" character?
|
|
|
|
* Report the error in some other fashion?
|
|
|
|
*/
|
|
|
|
;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if (IS_TRAIL_SURROGATE(uchar2)) {
|
|
|
|
/*
|
|
|
|
* Trail surrogate without a preceding
|
|
|
|
* lead surrogate. Ignore it.
|
|
|
|
* XXX - insert "substitute" character?
|
|
|
|
* Report the error in some other fashion?
|
|
|
|
*/
|
|
|
|
;
|
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* Non-surrogate; just count it.
|
|
|
|
*/
|
|
|
|
out += g_unichar_to_utf8(uchar2, out);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
*out = '\0';
|
2018-06-15 00:38:55 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* XXX - if i < length, this means we were handed an odd
|
|
|
|
* number of bytes, so it was not a valid UTF-16 string.
|
|
|
|
*/
|
2018-06-14 20:40:11 +00:00
|
|
|
return result;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2017-08-25 19:29:17 +00:00
|
|
|
static void netmonrec_comment_destroy(gpointer key) {
|
|
|
|
struct netmonrec_comment *comment = (struct netmonrec_comment*) key;
|
|
|
|
|
|
|
|
g_free(comment->title);
|
|
|
|
g_free(comment->description);
|
|
|
|
g_free(comment);
|
|
|
|
}
|
|
|
|
|
2017-08-30 20:01:48 +00:00
|
|
|
static void netmonrec_process_info_destroy(gpointer key) {
|
|
|
|
struct netmonrec_process_info *process_info = (struct netmonrec_process_info*) key;
|
|
|
|
|
|
|
|
g_free(process_info->path);
|
|
|
|
g_free(process_info->iconData);
|
|
|
|
g_free(process_info);
|
|
|
|
}
|
|
|
|
|
2014-10-09 23:44:15 +00:00
|
|
|
wtap_open_return_val netmon_open(wtap *wth, int *err, gchar **err_info)
|
1999-01-18 21:34:54 +00:00
|
|
|
{
|
Do not call wtap_file_read_unknown_bytes() or
wtap_file_read_expected_bytes() from an open routine - open routines are
supposed to return -1 on error, 0 if the file doesn't appear to be a
file of the specified type, or 1 if the file does appear to be a file of
the specified type, but those macros will cause the caller to return
FALSE on errors (so that, even if there's an I/O error, it reports "the
file isn't a file of the specified type" rather than "we got an error
trying to read the file").
When doing reads in an open routine before we've concluded that the file
is probably of the right type, return 0, rather than -1, if we get
WTAP_ERR_SHORT_READ - if we don't have enough data to check whether a
file is of a given type, we should keep trying other types, not give up.
For reads done *after* we've concluded the file is probably of the right
type, if a read doesn't return the number of bytes we asked for, but
returns an error of 0, return WTAP_ERR_SHORT_READ - the file is
apparently cut short.
For NetMon and NetXRay/Windows Sniffer files, use a #define for the
magic number size, and use that for both magic numbers.
svn path=/trunk/; revision=46803
2012-12-27 12:19:25 +00:00
|
|
|
char magic[MAGIC_SIZE];
|
1999-01-18 21:34:54 +00:00
|
|
|
struct netmon_hdr hdr;
|
Add to Wiretap the ability to write capture files; for now, it can only
write them in "libpcap" format, but the mechanism can have other formats
added.
When creating the temporary file for a capture, use "create_tempfile()",
to close a security hole opened by the fact that "tempnam()" creates a
temporary file, but doesn't open it, and we open the file with the name
it gives us - somebody could remove the file and plant a link to some
file, and, if as may well be the case when Ethereal is capturing
packets, it's running as "root", that means we write a capture on top of
that file.... (The aforementioned changes to Wiretap let you open a
capture file for writing given an file descriptor, "fdopen()"-style,
which this change requires.)
svn path=/trunk/; revision=509
1999-08-18 04:17:38 +00:00
|
|
|
int file_type;
|
1999-01-18 21:34:54 +00:00
|
|
|
struct tm tm;
|
2011-11-17 09:03:09 +00:00
|
|
|
guint32 frame_table_offset;
|
1999-11-26 22:50:51 +00:00
|
|
|
guint32 frame_table_length;
|
2001-08-25 03:18:48 +00:00
|
|
|
guint32 frame_table_size;
|
2000-03-22 09:52:21 +00:00
|
|
|
guint32 *frame_table;
|
2017-08-30 20:01:48 +00:00
|
|
|
guint32 comment_table_offset, process_info_table_offset;
|
|
|
|
guint32 comment_table_size, process_info_table_count;
|
|
|
|
GHashTable *comment_table, *process_info_table;
|
2017-08-25 19:29:17 +00:00
|
|
|
struct netmonrec_comment* comment_rec;
|
2017-08-30 20:01:48 +00:00
|
|
|
gint64 file_size = wtap_file_size(wth, err);
|
2018-03-13 17:15:25 +00:00
|
|
|
#if G_BYTE_ORDER == G_BIG_ENDIAN
|
2001-07-13 00:55:58 +00:00
|
|
|
unsigned int i;
|
2000-03-22 23:47:28 +00:00
|
|
|
#endif
|
2010-02-26 07:59:54 +00:00
|
|
|
netmon_t *netmon;
|
1999-01-18 21:34:54 +00:00
|
|
|
|
|
|
|
/* Read in the string that should be at the start of a Network
|
|
|
|
* Monitor file */
|
Add some higher-level file-read APIs and use them.
Add wtap_read_bytes(), which takes a FILE_T, a pointer, a byte count, an
error number pointer, and an error string pointer as arguments, and that
treats a short read of any sort, including a read that returns 0 bytes,
as a WTAP_ERR_SHORT_READ error, and that returns the error number and
string through its last two arguments.
Add wtap_read_bytes_or_eof(), which is similar, but that treats a read
that returns 0 bytes as an EOF, supplying an error number of 0 as an EOF
indication.
Use those in file readers; that simplifies the code and makes it less
likely that somebody will fail to supply the error number and error
string on a file read error.
Change-Id: Ia5dba2a6f81151e87b614461349d611cffc16210
Reviewed-on: https://code.wireshark.org/review/4512
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2014-10-07 01:00:57 +00:00
|
|
|
if (!wtap_read_bytes(wth->fh, magic, MAGIC_SIZE, err, err_info)) {
|
|
|
|
if (*err != WTAP_ERR_SHORT_READ)
|
2014-10-09 23:44:15 +00:00
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
return WTAP_OPEN_NOT_MINE;
|
1999-01-18 21:34:54 +00:00
|
|
|
}
|
|
|
|
|
Do not call wtap_file_read_unknown_bytes() or
wtap_file_read_expected_bytes() from an open routine - open routines are
supposed to return -1 on error, 0 if the file doesn't appear to be a
file of the specified type, or 1 if the file does appear to be a file of
the specified type, but those macros will cause the caller to return
FALSE on errors (so that, even if there's an I/O error, it reports "the
file isn't a file of the specified type" rather than "we got an error
trying to read the file").
When doing reads in an open routine before we've concluded that the file
is probably of the right type, return 0, rather than -1, if we get
WTAP_ERR_SHORT_READ - if we don't have enough data to check whether a
file is of a given type, we should keep trying other types, not give up.
For reads done *after* we've concluded the file is probably of the right
type, if a read doesn't return the number of bytes we asked for, but
returns an error of 0, return WTAP_ERR_SHORT_READ - the file is
apparently cut short.
For NetMon and NetXRay/Windows Sniffer files, use a #define for the
magic number size, and use that for both magic numbers.
svn path=/trunk/; revision=46803
2012-12-27 12:19:25 +00:00
|
|
|
if (memcmp(magic, netmon_1_x_magic, MAGIC_SIZE) != 0 &&
|
|
|
|
memcmp(magic, netmon_2_x_magic, MAGIC_SIZE) != 0) {
|
2014-10-09 23:44:15 +00:00
|
|
|
return WTAP_OPEN_NOT_MINE;
|
1999-01-18 21:34:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Read the rest of the header. */
|
Add some higher-level file-read APIs and use them.
Add wtap_read_bytes(), which takes a FILE_T, a pointer, a byte count, an
error number pointer, and an error string pointer as arguments, and that
treats a short read of any sort, including a read that returns 0 bytes,
as a WTAP_ERR_SHORT_READ error, and that returns the error number and
string through its last two arguments.
Add wtap_read_bytes_or_eof(), which is similar, but that treats a read
that returns 0 bytes as an EOF, supplying an error number of 0 as an EOF
indication.
Use those in file readers; that simplifies the code and makes it less
likely that somebody will fail to supply the error number and error
string on a file read error.
Change-Id: Ia5dba2a6f81151e87b614461349d611cffc16210
Reviewed-on: https://code.wireshark.org/review/4512
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2014-10-07 01:00:57 +00:00
|
|
|
if (!wtap_read_bytes(wth->fh, &hdr, sizeof hdr, err, err_info))
|
2014-10-09 23:44:15 +00:00
|
|
|
return WTAP_OPEN_ERROR;
|
1999-01-18 21:34:54 +00:00
|
|
|
|
1999-05-12 21:40:07 +00:00
|
|
|
switch (hdr.ver_major) {
|
|
|
|
|
|
|
|
case 1:
|
wiretap: register most built-in file types from its module.
Remove most of the built-in file types from the table in
wiretap/file_access.c and, instead, have the file types register
themselves, using wtap_register_file_type_subtypes().
This reduces the source code changes needed to add a new file type from
three (add the handler, add the file type to the table in file_access.c,
add a #define for the file type in wiretap/wtap.h) to one (add the
handler). (It also requires adding the handler's source file to
wiretap/CMakeLists.txt, but that's required in both cases.)
A few remain because the WTAP_FILE_TYPE_SUBTYPE_ #define is used
elsewhere; that needs to be fixed.
Fix the wiretap/CMakefile.txt file to scan k12text.l, as that now
contains a registration routine. In the process, avoid scanning files
that don't implement a file type and won't ever have a registration
routine.
Add a Lua routine to fetch the total number of file types; we use that
in some code to construct the wtap_filetypes table, which we need to do
in order to continue to have all the values that used to come from the
WTAP_FILE_TYPE_SUBTYPE_ types.
While we're at it, add modelines to a file that lacked them.
2021-02-14 08:34:10 +00:00
|
|
|
file_type = netmon_1_x_file_type_subtype;
|
1999-05-12 21:40:07 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
case 2:
|
wiretap: register most built-in file types from its module.
Remove most of the built-in file types from the table in
wiretap/file_access.c and, instead, have the file types register
themselves, using wtap_register_file_type_subtypes().
This reduces the source code changes needed to add a new file type from
three (add the handler, add the file type to the table in file_access.c,
add a #define for the file type in wiretap/wtap.h) to one (add the
handler). (It also requires adding the handler's source file to
wiretap/CMakeLists.txt, but that's required in both cases.)
A few remain because the WTAP_FILE_TYPE_SUBTYPE_ #define is used
elsewhere; that needs to be fixed.
Fix the wiretap/CMakefile.txt file to scan k12text.l, as that now
contains a registration routine. In the process, avoid scanning files
that don't implement a file type and won't ever have a registration
routine.
Add a Lua routine to fetch the total number of file types; we use that
in some code to construct the wtap_filetypes table, which we need to do
in order to continue to have all the values that used to come from the
WTAP_FILE_TYPE_SUBTYPE_ types.
While we're at it, add modelines to a file that lacked them.
2021-02-14 08:34:10 +00:00
|
|
|
file_type = netmon_2_x_file_type_subtype;
|
1999-05-12 21:40:07 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
Have the per-capture-file-type open routines "wtap_open_offline()" calls
return 1 on success, -1 if they got an error, and 0 if the file isn't of
the type that file is checking for, and supply an error code if they
return -1; have "wtap_open_offline()" use that error code. Also, have
the per-capture-file-type open routines treat errors accessing the file
as errors, and return -1, rather than just returning 0 so that we try
another file type.
Have the per-capture-file-type read routines "wtap_loop()" calls return
-1 and supply an error code on error (and not, as they did in some
cases, call "g_error()" and abort), and have "wtap_loop()", if the read
routine returned an error, return FALSE (and pass an error-code-pointer
argument onto the read routines, so they fill it in), and return TRUE on
success.
Add some new error codes for them to return.
Now that "wtap_loop()" can return a success/failure indication and an
error code, in "read_cap_file()" put up a message box if we get an error
reading the file, and return the error code.
Handle the additional errors we can get when opening a capture file.
If the attempt to open a capture file succeeds, but the attempt to read
it fails, don't treat that as a complete failure - we may have managed
to read some of the capture file, and we should display what we managed
to read.
svn path=/trunk/; revision=516
1999-08-19 05:31:38 +00:00
|
|
|
*err = WTAP_ERR_UNSUPPORTED;
|
2021-12-18 18:48:20 +00:00
|
|
|
*err_info = ws_strdup_printf("netmon: major version %u unsupported", hdr.ver_major);
|
2014-10-09 23:44:15 +00:00
|
|
|
return WTAP_OPEN_ERROR;
|
1999-05-12 21:40:07 +00:00
|
|
|
}
|
|
|
|
|
2013-12-03 20:35:50 +00:00
|
|
|
hdr.network = pletoh16(&hdr.network);
|
1999-08-22 02:29:40 +00:00
|
|
|
if (hdr.network >= NUM_NETMON_ENCAPS
|
|
|
|
|| netmon_encap[hdr.network] == WTAP_ENCAP_UNKNOWN) {
|
2014-12-17 06:22:29 +00:00
|
|
|
*err = WTAP_ERR_UNSUPPORTED;
|
2021-12-18 18:48:20 +00:00
|
|
|
*err_info = ws_strdup_printf("netmon: network type %u unknown or unsupported",
|
Have the Wiretap open, read, and seek-and-read routines return, in
addition to an error code, an error info string, for
WTAP_ERR_UNSUPPORTED, WTAP_ERR_UNSUPPORTED_ENCAP, and
WTAP_ERR_BAD_RECORD errors. Replace the error messages logged with
"g_message()" for those errors with g_strdup()ed or g_strdup_printf()ed
strings returned as the error info string, and change the callers of
those routines to, for those errors, put the info string into the
printed message or alert box for the error.
Add messages for cases where those errors were returned without printing
an additional message.
Nobody uses the error code from "cf_read()" - "cf_read()" puts up the
alert box itself for failures; get rid of the error code, so it just
returns a success/failure indication.
Rename "file_read_error_message()" to "cf_read_error_message()", as it
handles read errors from Wiretap, and have it take an error info string
as an argument. (That handles a lot of the work of putting the info
string into the error message.)
Make some variables in "ascend-grammar.y" static.
Check the return value of "erf_read_header()" in "erf_seek_read()".
Get rid of an unused #define in "i4btrace.c".
svn path=/trunk/; revision=9852
2004-01-25 21:55:17 +00:00
|
|
|
hdr.network);
|
2014-10-09 23:44:15 +00:00
|
|
|
return WTAP_OPEN_ERROR;
|
1999-01-18 21:34:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* This is a netmon file */
|
2014-05-09 05:18:49 +00:00
|
|
|
wth->file_type_subtype = file_type;
|
2020-12-21 02:30:28 +00:00
|
|
|
netmon = g_new0(netmon_t, 1);
|
2014-05-09 05:18:49 +00:00
|
|
|
wth->priv = (void *)netmon;
|
|
|
|
wth->subtype_read = netmon_read;
|
|
|
|
wth->subtype_seek_read = netmon_seek_read;
|
2017-08-25 19:29:17 +00:00
|
|
|
wth->subtype_close = netmon_close;
|
2009-12-09 03:27:12 +00:00
|
|
|
|
|
|
|
/* NetMon capture file formats v2.1+ use per-packet encapsulation types. NetMon 3 sets the value in
|
2020-10-10 23:42:05 +00:00
|
|
|
* the header to 1 (Ethernet) for backwards compatibility. */
|
2009-12-09 03:27:12 +00:00
|
|
|
if((hdr.ver_major == 2 && hdr.ver_minor >= 1) || hdr.ver_major > 2)
|
2014-05-09 05:18:49 +00:00
|
|
|
wth->file_encap = WTAP_ENCAP_PER_PACKET;
|
2009-12-09 03:27:12 +00:00
|
|
|
else
|
2014-05-09 05:18:49 +00:00
|
|
|
wth->file_encap = netmon_encap[hdr.network];
|
2009-12-09 03:27:12 +00:00
|
|
|
|
2014-05-09 05:18:49 +00:00
|
|
|
wth->snapshot_length = 0; /* not available in header */
|
1999-01-18 21:34:54 +00:00
|
|
|
/*
|
|
|
|
* Convert the time stamp to a "time_t" and a number of
|
|
|
|
* milliseconds.
|
|
|
|
*/
|
2013-12-03 20:35:50 +00:00
|
|
|
tm.tm_year = pletoh16(&hdr.ts_year) - 1900;
|
|
|
|
tm.tm_mon = pletoh16(&hdr.ts_month) - 1;
|
|
|
|
tm.tm_mday = pletoh16(&hdr.ts_day);
|
|
|
|
tm.tm_hour = pletoh16(&hdr.ts_hour);
|
|
|
|
tm.tm_min = pletoh16(&hdr.ts_min);
|
|
|
|
tm.tm_sec = pletoh16(&hdr.ts_sec);
|
1999-01-18 21:34:54 +00:00
|
|
|
tm.tm_isdst = -1;
|
2010-02-26 07:59:54 +00:00
|
|
|
netmon->start_secs = mktime(&tm);
|
1999-01-18 21:34:54 +00:00
|
|
|
/*
|
|
|
|
* XXX - what if "secs" is -1? Unlikely, but if the capture was
|
|
|
|
* done in a time zone that switches between standard and summer
|
|
|
|
* time sometime other than when we do, and thus the time was one
|
|
|
|
* that doesn't exist here because a switch from standard to summer
|
|
|
|
* time zips over it, it could happen.
|
|
|
|
*
|
|
|
|
* On the other hand, if the capture was done in a different time
|
|
|
|
* zone, this won't work right anyway; unfortunately, the time
|
|
|
|
* zone isn't stored in the capture file (why the hell didn't
|
|
|
|
* they stuff a FILETIME, which is the number of 100-nanosecond
|
|
|
|
* intervals since 1601-01-01 00:00:00 "UTC", there, instead
|
|
|
|
* of stuffing a SYSTEMTIME, which is time-zone-dependent, there?).
|
|
|
|
*/
|
2013-12-03 20:35:50 +00:00
|
|
|
netmon->start_nsecs = pletoh16(&hdr.ts_msec)*1000000;
|
1999-05-12 21:40:07 +00:00
|
|
|
|
2010-02-26 07:59:54 +00:00
|
|
|
netmon->version_major = hdr.ver_major;
|
2010-07-18 19:41:11 +00:00
|
|
|
netmon->version_minor = hdr.ver_minor;
|
1999-01-18 21:34:54 +00:00
|
|
|
|
2013-06-02 18:09:13 +00:00
|
|
|
/*
|
2017-08-25 19:29:17 +00:00
|
|
|
* Get the offset of the frame index table.
|
2013-06-02 18:09:13 +00:00
|
|
|
*/
|
2017-08-25 19:29:17 +00:00
|
|
|
frame_table_offset = pletoh32(&hdr.frametableoffset);
|
2013-06-02 18:09:13 +00:00
|
|
|
|
1999-01-18 21:34:54 +00:00
|
|
|
/*
|
2017-09-24 00:35:54 +00:00
|
|
|
* For NetMon 2.2 format and later, get the offset and length of
|
|
|
|
* the comment index table and process info table.
|
|
|
|
*
|
|
|
|
* For earlier versions, set them to zero; they appear to be
|
|
|
|
* uninitialized, so they're not necessarily zero.
|
1999-01-18 21:34:54 +00:00
|
|
|
*/
|
2017-09-24 00:35:54 +00:00
|
|
|
if ((netmon->version_major == 2 && netmon->version_minor >= 2) ||
|
|
|
|
netmon->version_major > 2) {
|
|
|
|
comment_table_offset = pletoh32(&hdr.commentdataoffset);
|
|
|
|
comment_table_size = pletoh32(&hdr.commentdatalength);
|
|
|
|
process_info_table_offset = pletoh32(&hdr.processinfooffset);
|
|
|
|
process_info_table_count = pletoh32(&hdr.processinfocount);
|
|
|
|
} else {
|
|
|
|
comment_table_offset = 0;
|
|
|
|
comment_table_size = 0;
|
|
|
|
process_info_table_offset = 0;
|
|
|
|
process_info_table_count = 0;
|
|
|
|
}
|
1999-01-18 21:34:54 +00:00
|
|
|
|
1999-11-26 22:50:51 +00:00
|
|
|
/*
|
|
|
|
* It appears that some NetMon 2.x files don't have the
|
|
|
|
* first packet starting exactly 128 bytes into the file.
|
|
|
|
*
|
2000-03-22 07:06:59 +00:00
|
|
|
* Furthermore, it also appears that there are "holes" in
|
|
|
|
* the file, i.e. frame N+1 doesn't always follow immediately
|
|
|
|
* after frame N.
|
|
|
|
*
|
|
|
|
* Therefore, we must read the frame table, and use the offsets
|
|
|
|
* in it as the offsets of the frames.
|
1999-11-26 22:50:51 +00:00
|
|
|
*/
|
2013-12-03 20:35:50 +00:00
|
|
|
frame_table_length = pletoh32(&hdr.frametablelength);
|
2009-04-22 03:07:37 +00:00
|
|
|
frame_table_size = frame_table_length / (guint32)sizeof (guint32);
|
2000-03-22 09:52:21 +00:00
|
|
|
if ((frame_table_size * sizeof (guint32)) != frame_table_length) {
|
2011-12-13 09:53:50 +00:00
|
|
|
*err = WTAP_ERR_BAD_FILE;
|
2021-12-18 18:48:20 +00:00
|
|
|
*err_info = ws_strdup_printf("netmon: frame table length is %u, which is not a multiple of the size of an entry",
|
Have the Wiretap open, read, and seek-and-read routines return, in
addition to an error code, an error info string, for
WTAP_ERR_UNSUPPORTED, WTAP_ERR_UNSUPPORTED_ENCAP, and
WTAP_ERR_BAD_RECORD errors. Replace the error messages logged with
"g_message()" for those errors with g_strdup()ed or g_strdup_printf()ed
strings returned as the error info string, and change the callers of
those routines to, for those errors, put the info string into the
printed message or alert box for the error.
Add messages for cases where those errors were returned without printing
an additional message.
Nobody uses the error code from "cf_read()" - "cf_read()" puts up the
alert box itself for failures; get rid of the error code, so it just
returns a success/failure indication.
Rename "file_read_error_message()" to "cf_read_error_message()", as it
handles read errors from Wiretap, and have it take an error info string
as an argument. (That handles a lot of the work of putting the info
string into the error message.)
Make some variables in "ascend-grammar.y" static.
Check the return value of "erf_read_header()" in "erf_seek_read()".
Get rid of an unused #define in "i4btrace.c".
svn path=/trunk/; revision=9852
2004-01-25 21:55:17 +00:00
|
|
|
frame_table_length);
|
2014-10-09 23:44:15 +00:00
|
|
|
return WTAP_OPEN_ERROR;
|
2000-03-22 07:06:59 +00:00
|
|
|
}
|
2000-03-22 09:52:21 +00:00
|
|
|
if (frame_table_size == 0) {
|
2011-12-13 09:53:50 +00:00
|
|
|
*err = WTAP_ERR_BAD_FILE;
|
2021-12-18 18:48:20 +00:00
|
|
|
*err_info = ws_strdup_printf("netmon: frame table length is %u, which means it's less than one entry in size",
|
Have the Wiretap open, read, and seek-and-read routines return, in
addition to an error code, an error info string, for
WTAP_ERR_UNSUPPORTED, WTAP_ERR_UNSUPPORTED_ENCAP, and
WTAP_ERR_BAD_RECORD errors. Replace the error messages logged with
"g_message()" for those errors with g_strdup()ed or g_strdup_printf()ed
strings returned as the error info string, and change the callers of
those routines to, for those errors, put the info string into the
printed message or alert box for the error.
Add messages for cases where those errors were returned without printing
an additional message.
Nobody uses the error code from "cf_read()" - "cf_read()" puts up the
alert box itself for failures; get rid of the error code, so it just
returns a success/failure indication.
Rename "file_read_error_message()" to "cf_read_error_message()", as it
handles read errors from Wiretap, and have it take an error info string
as an argument. (That handles a lot of the work of putting the info
string into the error message.)
Make some variables in "ascend-grammar.y" static.
Check the return value of "erf_read_header()" in "erf_seek_read()".
Get rid of an unused #define in "i4btrace.c".
svn path=/trunk/; revision=9852
2004-01-25 21:55:17 +00:00
|
|
|
frame_table_length);
|
2014-10-09 23:44:15 +00:00
|
|
|
return WTAP_OPEN_ERROR;
|
1999-11-26 22:50:51 +00:00
|
|
|
}
|
2011-12-13 01:49:27 +00:00
|
|
|
/*
|
|
|
|
* XXX - clamp the size of the frame table, so that we don't
|
|
|
|
* attempt to allocate a huge frame table and fail.
|
2011-12-13 06:45:16 +00:00
|
|
|
*
|
|
|
|
* Given that file offsets in the frame table are 32-bit,
|
|
|
|
* a NetMon file cannot be bigger than 2^32 bytes.
|
|
|
|
* Given that a NetMon 1.x-format packet header is 8 bytes,
|
|
|
|
* that means a NetMon file cannot have more than
|
|
|
|
* 512*2^20 packets. We'll pick that as the limit for
|
|
|
|
* now; it's 1/8th of a 32-bit address space, which is
|
|
|
|
* probably not going to exhaust the address space all by
|
|
|
|
* itself, and probably won't exhaust the backing store.
|
2011-12-13 01:49:27 +00:00
|
|
|
*/
|
2011-12-13 06:45:16 +00:00
|
|
|
if (frame_table_size > 512*1024*1024) {
|
2011-12-13 09:53:50 +00:00
|
|
|
*err = WTAP_ERR_BAD_FILE;
|
2021-12-18 18:48:20 +00:00
|
|
|
*err_info = ws_strdup_printf("netmon: frame table length is %u, which is larger than we support",
|
2011-12-13 01:49:27 +00:00
|
|
|
frame_table_length);
|
2014-10-09 23:44:15 +00:00
|
|
|
return WTAP_OPEN_ERROR;
|
2011-12-13 01:49:27 +00:00
|
|
|
}
|
2014-05-09 05:18:49 +00:00
|
|
|
if (file_seek(wth->fh, frame_table_offset, SEEK_SET, err) == -1) {
|
2014-10-09 23:44:15 +00:00
|
|
|
return WTAP_OPEN_ERROR;
|
2002-03-04 00:25:35 +00:00
|
|
|
}
|
2017-08-25 19:29:17 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Sanity check the comment table information before we bother to allocate
|
|
|
|
* large chunks of memory for the frame table
|
|
|
|
*/
|
|
|
|
if (comment_table_size > 0) {
|
|
|
|
/*
|
|
|
|
* XXX - clamp the size of the comment table, so that we don't
|
|
|
|
* attempt to allocate a huge comment table and fail.
|
|
|
|
*
|
|
|
|
* Just use same size requires as frame table
|
|
|
|
*/
|
|
|
|
if (comment_table_size > 512*1024*1024) {
|
|
|
|
*err = WTAP_ERR_BAD_FILE;
|
2021-12-18 18:48:20 +00:00
|
|
|
*err_info = ws_strdup_printf("netmon: comment table size is %u, which is larger than we support",
|
2017-08-25 19:29:17 +00:00
|
|
|
comment_table_size);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (comment_table_size < 17) {
|
|
|
|
*err = WTAP_ERR_BAD_FILE;
|
2021-12-18 18:48:20 +00:00
|
|
|
*err_info = ws_strdup_printf("netmon: comment table size is %u, which is too small to use",
|
2017-08-25 19:29:17 +00:00
|
|
|
comment_table_size);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
|
2017-08-30 20:01:48 +00:00
|
|
|
if (comment_table_offset > file_size) {
|
|
|
|
*err = WTAP_ERR_BAD_FILE;
|
2021-12-18 18:48:20 +00:00
|
|
|
*err_info = ws_strdup_printf("netmon: comment table offset (%u) is larger than file",
|
2017-08-30 20:01:48 +00:00
|
|
|
comment_table_offset);
|
2017-08-25 19:29:17 +00:00
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
2017-08-30 20:01:48 +00:00
|
|
|
}
|
2017-08-25 19:29:17 +00:00
|
|
|
|
2017-08-30 20:01:48 +00:00
|
|
|
/*
|
|
|
|
* Sanity check the process info table information before we bother to allocate
|
|
|
|
* large chunks of memory for the frame table
|
|
|
|
*/
|
|
|
|
if ((process_info_table_offset > 0) && (process_info_table_count > 0)) {
|
2017-08-25 19:29:17 +00:00
|
|
|
/*
|
2017-08-30 20:01:48 +00:00
|
|
|
* XXX - clamp the size of the process info table, so that we don't
|
|
|
|
* attempt to allocate a huge process info table and fail.
|
2017-08-25 19:29:17 +00:00
|
|
|
*/
|
2017-08-30 20:01:48 +00:00
|
|
|
if (process_info_table_count > 512*1024) {
|
|
|
|
*err = WTAP_ERR_BAD_FILE;
|
2021-12-18 18:48:20 +00:00
|
|
|
*err_info = ws_strdup_printf("netmon: process info table size is %u, which is larger than we support",
|
2017-08-30 20:01:48 +00:00
|
|
|
process_info_table_count);
|
2017-08-25 19:29:17 +00:00
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
2017-08-30 20:01:48 +00:00
|
|
|
|
|
|
|
if (process_info_table_offset > file_size) {
|
|
|
|
*err = WTAP_ERR_BAD_FILE;
|
2021-12-18 18:48:20 +00:00
|
|
|
*err_info = ws_strdup_printf("netmon: process info table offset (%u) is larger than file",
|
2017-08-30 20:01:48 +00:00
|
|
|
process_info_table_offset);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Return back to the frame table offset
|
|
|
|
*/
|
|
|
|
if (file_seek(wth->fh, frame_table_offset, SEEK_SET, err) == -1) {
|
|
|
|
return WTAP_OPEN_ERROR;
|
2017-08-25 19:29:17 +00:00
|
|
|
}
|
|
|
|
|
2017-08-30 20:01:48 +00:00
|
|
|
/*
|
|
|
|
* Sanity check the process info table information before we bother to allocate
|
|
|
|
* large chunks of memory for the frame table
|
|
|
|
*/
|
|
|
|
|
2013-06-01 06:48:37 +00:00
|
|
|
frame_table = (guint32 *)g_try_malloc(frame_table_length);
|
|
|
|
if (frame_table_length != 0 && frame_table == NULL) {
|
|
|
|
*err = ENOMEM; /* we assume we're out of memory */
|
2014-10-09 23:44:15 +00:00
|
|
|
return WTAP_OPEN_ERROR;
|
2013-06-01 06:48:37 +00:00
|
|
|
}
|
Add some higher-level file-read APIs and use them.
Add wtap_read_bytes(), which takes a FILE_T, a pointer, a byte count, an
error number pointer, and an error string pointer as arguments, and that
treats a short read of any sort, including a read that returns 0 bytes,
as a WTAP_ERR_SHORT_READ error, and that returns the error number and
string through its last two arguments.
Add wtap_read_bytes_or_eof(), which is similar, but that treats a read
that returns 0 bytes as an EOF, supplying an error number of 0 as an EOF
indication.
Use those in file readers; that simplifies the code and makes it less
likely that somebody will fail to supply the error number and error
string on a file read error.
Change-Id: Ia5dba2a6f81151e87b614461349d611cffc16210
Reviewed-on: https://code.wireshark.org/review/4512
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2014-10-07 01:00:57 +00:00
|
|
|
if (!wtap_read_bytes(wth->fh, frame_table, frame_table_length,
|
|
|
|
err, err_info)) {
|
2005-05-30 21:08:16 +00:00
|
|
|
g_free(frame_table);
|
2014-10-09 23:44:15 +00:00
|
|
|
return WTAP_OPEN_ERROR;
|
1999-11-26 22:50:51 +00:00
|
|
|
}
|
2010-02-26 07:59:54 +00:00
|
|
|
netmon->frame_table_size = frame_table_size;
|
|
|
|
netmon->frame_table = frame_table;
|
2000-03-22 09:52:21 +00:00
|
|
|
|
2017-08-25 19:29:17 +00:00
|
|
|
if (comment_table_size > 0) {
|
|
|
|
comment_table = g_hash_table_new_full(g_direct_hash, g_direct_equal, NULL, netmonrec_comment_destroy);
|
|
|
|
if (comment_table == NULL) {
|
2018-06-14 22:09:51 +00:00
|
|
|
*err = ENOMEM; /* we assume we're out of memory */
|
|
|
|
return WTAP_OPEN_ERROR;
|
2017-08-25 19:29:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Make sure the file contains the full comment section */
|
|
|
|
if (file_seek(wth->fh, comment_table_offset+comment_table_size, SEEK_SET, err) == -1) {
|
|
|
|
g_hash_table_destroy(comment_table);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (file_seek(wth->fh, comment_table_offset, SEEK_SET, err) == -1) {
|
|
|
|
/* Shouldn't fail... */
|
|
|
|
g_hash_table_destroy(comment_table);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
while (comment_table_size > 16) {
|
|
|
|
struct netmonrec_comment_header comment_header;
|
2018-06-15 01:21:16 +00:00
|
|
|
guint32 title_length;
|
2017-08-25 19:29:17 +00:00
|
|
|
guint32 desc_length;
|
2018-06-15 01:21:16 +00:00
|
|
|
guint8 *utf16_str;
|
2017-08-25 19:29:17 +00:00
|
|
|
|
|
|
|
/* Read the first 12 bytes of the structure */
|
|
|
|
if (!wtap_read_bytes(wth->fh, &comment_header, 12, err, err_info)) {
|
|
|
|
g_hash_table_destroy(comment_table);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
comment_table_size -= 12;
|
|
|
|
|
|
|
|
/* Make sure comment size is sane */
|
2018-06-15 04:07:52 +00:00
|
|
|
title_length = pletoh32(&comment_header.titleLength);
|
|
|
|
if (title_length == 0) {
|
2017-08-25 19:29:17 +00:00
|
|
|
*err = WTAP_ERR_BAD_FILE;
|
|
|
|
*err_info = g_strdup("netmon: comment title size can't be 0");
|
|
|
|
g_hash_table_destroy(comment_table);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
2018-06-15 04:07:52 +00:00
|
|
|
if (title_length > comment_table_size) {
|
2017-08-25 19:29:17 +00:00
|
|
|
*err = WTAP_ERR_BAD_FILE;
|
2021-12-18 18:48:20 +00:00
|
|
|
*err_info = ws_strdup_printf("netmon: comment title size is %u, which is larger than the amount remaining in the comment section (%u)",
|
2018-06-15 04:07:52 +00:00
|
|
|
title_length, comment_table_size);
|
2017-08-25 19:29:17 +00:00
|
|
|
g_hash_table_destroy(comment_table);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
|
2018-02-07 09:20:50 +00:00
|
|
|
comment_rec = g_new0(struct netmonrec_comment, 1);
|
2017-08-25 19:29:17 +00:00
|
|
|
comment_rec->numFramePerComment = pletoh32(&comment_header.numFramePerComment);
|
|
|
|
comment_rec->frameOffset = pletoh32(&comment_header.frameOffset);
|
|
|
|
|
|
|
|
g_hash_table_insert(comment_table, GUINT_TO_POINTER(comment_rec->frameOffset), comment_rec);
|
|
|
|
|
2018-06-15 01:21:16 +00:00
|
|
|
/*
|
|
|
|
* Read in the comment title.
|
|
|
|
*
|
|
|
|
* It is in UTF-16-encoded Unicode, and the title
|
|
|
|
* size is a count of octets, not octet pairs or
|
|
|
|
* Unicode characters.
|
|
|
|
*/
|
|
|
|
utf16_str = (guint8*)g_malloc(title_length);
|
|
|
|
if (!wtap_read_bytes(wth->fh, utf16_str, title_length,
|
|
|
|
err, err_info)) {
|
2017-08-25 19:29:17 +00:00
|
|
|
g_hash_table_destroy(comment_table);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
2018-06-15 01:21:16 +00:00
|
|
|
comment_table_size -= title_length;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Now convert it to UTF-8 for internal use.
|
|
|
|
*/
|
|
|
|
comment_rec->title = utf_16_to_utf_8(utf16_str,
|
|
|
|
title_length);
|
|
|
|
g_free(utf16_str);
|
2017-08-25 19:29:17 +00:00
|
|
|
|
|
|
|
if (comment_table_size < 4) {
|
|
|
|
*err = WTAP_ERR_BAD_FILE;
|
|
|
|
*err_info = g_strdup("netmon: corrupt comment section");
|
|
|
|
g_hash_table_destroy(comment_table);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!wtap_read_bytes(wth->fh, &desc_length, 4, err, err_info)) {
|
|
|
|
g_hash_table_destroy(comment_table);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
comment_table_size -= 4;
|
|
|
|
|
|
|
|
comment_rec->descLength = pletoh32(&desc_length);
|
|
|
|
if (comment_rec->descLength > 0) {
|
|
|
|
/* Make sure comment size is sane */
|
|
|
|
if (comment_rec->descLength > comment_table_size) {
|
|
|
|
*err = WTAP_ERR_BAD_FILE;
|
2021-12-18 18:48:20 +00:00
|
|
|
*err_info = ws_strdup_printf("netmon: comment description size is %u, which is larger than the amount remaining in the comment section (%u)",
|
2017-08-25 19:29:17 +00:00
|
|
|
comment_rec->descLength, comment_table_size);
|
|
|
|
g_hash_table_destroy(comment_table);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
comment_rec->description = (guint8*)g_malloc(comment_rec->descLength);
|
|
|
|
|
|
|
|
/* Read the comment description */
|
|
|
|
if (!wtap_read_bytes(wth->fh, comment_rec->description, comment_rec->descLength, err, err_info)) {
|
|
|
|
g_hash_table_destroy(comment_table);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
comment_table_size -= comment_rec->descLength;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
netmon->comment_table = comment_table;
|
|
|
|
}
|
|
|
|
|
2017-08-30 20:01:48 +00:00
|
|
|
if ((process_info_table_offset > 0) && (process_info_table_count > 0)) {
|
|
|
|
guint16 version;
|
|
|
|
|
2017-09-04 21:31:48 +00:00
|
|
|
/* Go to the process table offset */
|
|
|
|
if (file_seek(wth->fh, process_info_table_offset, SEEK_SET, err) == -1) {
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
|
2017-08-30 20:01:48 +00:00
|
|
|
process_info_table = g_hash_table_new_full(g_direct_hash, g_direct_equal, NULL, netmonrec_process_info_destroy);
|
|
|
|
if (process_info_table == NULL) {
|
|
|
|
*err = ENOMEM; /* we assume we're out of memory */
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Read the version (ignored for now) */
|
|
|
|
if (!wtap_read_bytes(wth->fh, &version, 2, err, err_info)) {
|
|
|
|
g_hash_table_destroy(process_info_table);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
while (process_info_table_count > 0)
|
|
|
|
{
|
|
|
|
struct netmonrec_process_info* process_info;
|
|
|
|
guint32 tmp32;
|
|
|
|
guint16 tmp16;
|
2018-06-14 20:40:11 +00:00
|
|
|
guint32 path_size;
|
|
|
|
guint8 *utf16_str;
|
2017-08-30 20:01:48 +00:00
|
|
|
|
|
|
|
process_info = g_new0(struct netmonrec_process_info, 1);
|
|
|
|
|
|
|
|
/* Read path */
|
|
|
|
if (!wtap_read_bytes(wth->fh, &tmp32, 4, err, err_info)) {
|
|
|
|
g_free(process_info);
|
|
|
|
g_hash_table_destroy(process_info_table);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
|
2018-06-14 20:40:11 +00:00
|
|
|
path_size = pletoh32(&tmp32);
|
|
|
|
if (path_size > MATH_PROCINFO_PATH_SIZE) {
|
2017-08-30 20:01:48 +00:00
|
|
|
*err = WTAP_ERR_BAD_FILE;
|
2021-12-18 18:48:20 +00:00
|
|
|
*err_info = ws_strdup_printf("netmon: Path size for process info record is %u, which is larger than allowed max value (%u)",
|
2018-06-14 20:40:11 +00:00
|
|
|
path_size, MATH_PROCINFO_PATH_SIZE);
|
2017-08-30 20:01:48 +00:00
|
|
|
g_free(process_info);
|
|
|
|
g_hash_table_destroy(process_info_table);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
|
2018-06-14 20:40:11 +00:00
|
|
|
/*
|
|
|
|
* Read in the path string.
|
2018-06-15 00:38:55 +00:00
|
|
|
*
|
|
|
|
* It is in UTF-16-encoded Unicode, and the path
|
|
|
|
* size is a count of octets, not octet pairs or
|
|
|
|
* Unicode characters.
|
2018-06-14 20:40:11 +00:00
|
|
|
*/
|
|
|
|
utf16_str = (guint8*)g_malloc(path_size);
|
|
|
|
if (!wtap_read_bytes(wth->fh, utf16_str, path_size,
|
|
|
|
err, err_info)) {
|
|
|
|
g_free(process_info);
|
|
|
|
g_hash_table_destroy(process_info_table);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Now convert it to UTF-8 for internal use.
|
|
|
|
*/
|
|
|
|
process_info->path = utf_16_to_utf_8(utf16_str,
|
|
|
|
path_size);
|
|
|
|
g_free(utf16_str);
|
|
|
|
|
2017-08-30 20:01:48 +00:00
|
|
|
/* Read icon (currently not saved) */
|
|
|
|
if (!wtap_read_bytes(wth->fh, &tmp32, 4, err, err_info)) {
|
|
|
|
g_free(process_info);
|
|
|
|
g_hash_table_destroy(process_info_table);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
process_info->iconSize = pletoh32(&tmp32);
|
|
|
|
|
|
|
|
/* XXX - skip the icon for now */
|
|
|
|
if (file_seek(wth->fh, process_info->iconSize, SEEK_CUR, err) == -1) {
|
|
|
|
g_free(process_info);
|
|
|
|
g_hash_table_destroy(process_info_table);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
process_info->iconSize = 0;
|
|
|
|
|
|
|
|
if (!wtap_read_bytes(wth->fh, &tmp32, 4, err, err_info)) {
|
|
|
|
g_free(process_info);
|
|
|
|
g_hash_table_destroy(process_info_table);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
process_info->pid = pletoh32(&tmp32);
|
|
|
|
|
|
|
|
/* XXX - Currently index process information by PID */
|
|
|
|
g_hash_table_insert(process_info_table, GUINT_TO_POINTER(process_info->pid), process_info);
|
|
|
|
|
|
|
|
/* Read local port */
|
|
|
|
if (!wtap_read_bytes(wth->fh, &tmp16, 2, err, err_info)) {
|
|
|
|
g_hash_table_destroy(process_info_table);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
process_info->localPort = pletoh16(&tmp16);
|
|
|
|
|
|
|
|
/* Skip padding */
|
|
|
|
if (!wtap_read_bytes(wth->fh, &tmp16, 2, err, err_info)) {
|
|
|
|
g_hash_table_destroy(process_info_table);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Read remote port */
|
|
|
|
if (!wtap_read_bytes(wth->fh, &tmp16, 2, err, err_info)) {
|
|
|
|
g_hash_table_destroy(process_info_table);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
process_info->remotePort = pletoh16(&tmp16);
|
|
|
|
|
|
|
|
/* Skip padding */
|
|
|
|
if (!wtap_read_bytes(wth->fh, &tmp16, 2, err, err_info)) {
|
|
|
|
g_hash_table_destroy(process_info_table);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Determine IP version */
|
|
|
|
if (!wtap_read_bytes(wth->fh, &tmp32, 4, err, err_info)) {
|
|
|
|
g_hash_table_destroy(process_info_table);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
process_info->isIPv6 = ((pletoh32(&tmp32) == 0) ? FALSE : TRUE);
|
|
|
|
|
|
|
|
if (process_info->isIPv6) {
|
|
|
|
if (!wtap_read_bytes(wth->fh, &process_info->localAddr.ipv6, 16, err, err_info)) {
|
|
|
|
g_hash_table_destroy(process_info_table);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
if (!wtap_read_bytes(wth->fh, &process_info->remoteAddr.ipv6, 16, err, err_info)) {
|
|
|
|
g_hash_table_destroy(process_info_table);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
guint8 ipbuffer[16];
|
|
|
|
if (!wtap_read_bytes(wth->fh, ipbuffer, 16, err, err_info)) {
|
|
|
|
g_hash_table_destroy(process_info_table);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
process_info->localAddr.ipv4 = pletoh32(ipbuffer);
|
|
|
|
|
|
|
|
if (!wtap_read_bytes(wth->fh, ipbuffer, 16, err, err_info)) {
|
|
|
|
g_hash_table_destroy(process_info_table);
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
process_info->remoteAddr.ipv4 = pletoh32(ipbuffer);
|
|
|
|
}
|
|
|
|
|
|
|
|
process_info_table_count--;
|
|
|
|
}
|
|
|
|
|
|
|
|
netmon->process_info_table = process_info_table;
|
|
|
|
}
|
|
|
|
|
2018-03-13 17:15:25 +00:00
|
|
|
#if G_BYTE_ORDER == G_BIG_ENDIAN
|
2000-03-22 09:52:21 +00:00
|
|
|
/*
|
|
|
|
* OK, now byte-swap the frame table.
|
|
|
|
*/
|
|
|
|
for (i = 0; i < frame_table_size; i++)
|
2013-12-03 20:35:50 +00:00
|
|
|
frame_table[i] = pletoh32(&frame_table[i]);
|
2000-03-22 09:52:21 +00:00
|
|
|
#endif
|
1999-11-26 22:50:51 +00:00
|
|
|
|
2000-03-22 07:06:59 +00:00
|
|
|
/* Set up to start reading at the first frame. */
|
2010-02-26 07:59:54 +00:00
|
|
|
netmon->current_frame = 0;
|
2011-11-16 17:54:44 +00:00
|
|
|
switch (netmon->version_major) {
|
1999-01-18 21:34:54 +00:00
|
|
|
|
2011-11-16 17:54:44 +00:00
|
|
|
case 1:
|
|
|
|
/*
|
|
|
|
* Version 1.x of the file format supports
|
|
|
|
* millisecond precision.
|
|
|
|
*/
|
2014-09-28 18:37:06 +00:00
|
|
|
wth->file_tsprec = WTAP_TSPREC_MSEC;
|
2011-11-16 17:54:44 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
case 2:
|
|
|
|
/*
|
|
|
|
* Version 1.x of the file format supports
|
|
|
|
* 100-nanosecond precision; we don't
|
|
|
|
* currently support that, so say
|
|
|
|
* "nanosecond precision" for now.
|
|
|
|
*/
|
2014-09-28 18:37:06 +00:00
|
|
|
wth->file_tsprec = WTAP_TSPREC_NSEC;
|
2011-11-16 17:54:44 +00:00
|
|
|
break;
|
|
|
|
}
|
2014-10-10 01:30:18 +00:00
|
|
|
return WTAP_OPEN_MINE;
|
1999-01-18 21:34:54 +00:00
|
|
|
}
|
|
|
|
|
2011-05-03 08:49:41 +00:00
|
|
|
static void
|
2018-02-09 00:19:12 +00:00
|
|
|
netmon_set_pseudo_header_info(wtap_rec *rec, Buffer *buf)
|
2011-05-03 08:49:41 +00:00
|
|
|
{
|
2018-02-09 00:19:12 +00:00
|
|
|
switch (rec->rec_header.packet_header.pkt_encap) {
|
2011-05-03 08:49:41 +00:00
|
|
|
|
|
|
|
case WTAP_ENCAP_ATM_PDUS:
|
|
|
|
/*
|
|
|
|
* Attempt to guess from the packet data, the VPI, and
|
2014-02-05 08:33:45 +00:00
|
|
|
* the VCI information about the type of traffic.
|
2011-05-03 08:49:41 +00:00
|
|
|
*/
|
2018-02-09 00:19:12 +00:00
|
|
|
atm_guess_traffic_type(rec, ws_buffer_start_ptr(buf));
|
2011-05-03 08:49:41 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
case WTAP_ENCAP_ETHERNET:
|
|
|
|
/*
|
|
|
|
* We assume there's no FCS in this frame.
|
|
|
|
*/
|
2018-02-09 00:19:12 +00:00
|
|
|
rec->rec_header.packet_header.pseudo_header.eth.fcs_len = 0;
|
2011-05-03 08:49:41 +00:00
|
|
|
break;
|
|
|
|
|
2012-05-02 03:11:00 +00:00
|
|
|
case WTAP_ENCAP_IEEE_802_11_NETMON:
|
2011-05-03 08:49:41 +00:00
|
|
|
/*
|
2021-04-02 07:45:57 +00:00
|
|
|
* The 802.11 metadata at the beginnning of the frame data
|
|
|
|
* is processed by a dissector, which fills in a pseudo-
|
|
|
|
* header and passes it to the 802.11 radio dissector,
|
|
|
|
* just as is done with other 802.11 radio metadata headers
|
|
|
|
* that are part of the packet data, such as radiotap.
|
2011-05-03 08:49:41 +00:00
|
|
|
*/
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-07-06 01:13:13 +00:00
|
|
|
typedef enum {
|
|
|
|
SUCCESS,
|
|
|
|
FAILURE,
|
|
|
|
RETRY
|
|
|
|
} process_record_retval;
|
|
|
|
|
|
|
|
static process_record_retval
|
2018-02-09 00:19:12 +00:00
|
|
|
netmon_process_record(wtap *wth, FILE_T fh, wtap_rec *rec,
|
2014-07-06 01:13:13 +00:00
|
|
|
Buffer *buf, int *err, gchar **err_info)
|
1999-01-18 21:34:54 +00:00
|
|
|
{
|
2014-05-09 05:18:49 +00:00
|
|
|
netmon_t *netmon = (netmon_t *)wth->priv;
|
2013-06-01 02:58:58 +00:00
|
|
|
int hdr_size = 0;
|
1999-05-12 21:40:07 +00:00
|
|
|
union {
|
|
|
|
struct netmonrec_1_x_hdr hdr_1_x;
|
|
|
|
struct netmonrec_2_x_hdr hdr_2_x;
|
|
|
|
} hdr;
|
2010-07-18 20:47:48 +00:00
|
|
|
gint64 delta = 0; /* signed - frame times can be before the nominal start */
|
2011-11-16 17:54:44 +00:00
|
|
|
gint64 t;
|
1999-01-18 21:34:54 +00:00
|
|
|
time_t secs;
|
2014-07-06 01:13:13 +00:00
|
|
|
int nsecs;
|
2013-06-01 02:58:58 +00:00
|
|
|
guint32 packet_size = 0;
|
|
|
|
guint32 orig_size = 0;
|
2014-07-06 01:13:13 +00:00
|
|
|
int trlr_size;
|
|
|
|
union {
|
|
|
|
struct netmonrec_2_1_trlr trlr_2_1;
|
|
|
|
struct netmonrec_2_2_trlr trlr_2_2;
|
|
|
|
struct netmonrec_2_3_trlr trlr_2_3;
|
|
|
|
} trlr;
|
|
|
|
guint16 network;
|
|
|
|
int pkt_encap;
|
2017-08-25 19:29:17 +00:00
|
|
|
struct netmonrec_comment* comment_rec = NULL;
|
2000-03-22 07:06:59 +00:00
|
|
|
|
1999-01-18 21:34:54 +00:00
|
|
|
/* Read record header. */
|
2000-03-22 07:06:59 +00:00
|
|
|
switch (netmon->version_major) {
|
1999-05-12 21:40:07 +00:00
|
|
|
|
|
|
|
case 1:
|
|
|
|
hdr_size = sizeof (struct netmonrec_1_x_hdr);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 2:
|
|
|
|
hdr_size = sizeof (struct netmonrec_2_x_hdr);
|
|
|
|
break;
|
|
|
|
}
|
Add some higher-level file-read APIs and use them.
Add wtap_read_bytes(), which takes a FILE_T, a pointer, a byte count, an
error number pointer, and an error string pointer as arguments, and that
treats a short read of any sort, including a read that returns 0 bytes,
as a WTAP_ERR_SHORT_READ error, and that returns the error number and
string through its last two arguments.
Add wtap_read_bytes_or_eof(), which is similar, but that treats a read
that returns 0 bytes as an EOF, supplying an error number of 0 as an EOF
indication.
Use those in file readers; that simplifies the code and makes it less
likely that somebody will fail to supply the error number and error
string on a file read error.
Change-Id: Ia5dba2a6f81151e87b614461349d611cffc16210
Reviewed-on: https://code.wireshark.org/review/4512
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2014-10-07 01:00:57 +00:00
|
|
|
if (!wtap_read_bytes_or_eof(fh, &hdr, hdr_size, err, err_info))
|
2014-07-06 02:25:47 +00:00
|
|
|
return FAILURE;
|
1999-01-18 21:34:54 +00:00
|
|
|
|
2000-03-22 07:06:59 +00:00
|
|
|
switch (netmon->version_major) {
|
1999-05-12 21:40:07 +00:00
|
|
|
|
|
|
|
case 1:
|
2013-12-03 20:35:50 +00:00
|
|
|
orig_size = pletoh16(&hdr.hdr_1_x.orig_len);
|
|
|
|
packet_size = pletoh16(&hdr.hdr_1_x.incl_len);
|
1999-05-12 21:40:07 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
case 2:
|
2013-12-03 20:35:50 +00:00
|
|
|
orig_size = pletoh32(&hdr.hdr_2_x.orig_len);
|
|
|
|
packet_size = pletoh32(&hdr.hdr_2_x.incl_len);
|
1999-05-12 21:40:07 +00:00
|
|
|
break;
|
|
|
|
}
|
Allow bigger snapshot lengths for D-Bus captures.
Use WTAP_MAX_PACKET_SIZE_STANDARD, set to 256KB, for everything except
for D-Bus captures. Use WTAP_MAX_PACKET_SIZE_DBUS, set to 128MB, for
them, because that's the largest possible D-Bus message size. See
https://bugs.freedesktop.org/show_bug.cgi?id=100220
for an example of the problems caused by limiting the snapshot length to
256KB for D-Bus.
Have a snapshot length of 0 in a capture_file structure mean "there is
no snapshot length for the file"; we don't need the has_snap field in
that case, a value of 0 mean "no, we don't have a snapshot length".
In dumpcap, start out with a pipe buffer size of 2KB, and grow it as
necessary. When checking for a too-big packet from a pipe, check
against the appropriate maximum - 128MB for DLT_DBUS, 256KB for
everything else.
Change-Id: Ib2ce7a0cf37b971fbc0318024fd011e18add8b20
Reviewed-on: https://code.wireshark.org/review/21952
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-06-05 01:58:40 +00:00
|
|
|
if (packet_size > WTAP_MAX_PACKET_SIZE_STANDARD) {
|
1999-08-22 02:29:40 +00:00
|
|
|
/*
|
|
|
|
* Probably a corrupt capture file; don't blow up trying
|
|
|
|
* to allocate space for an immensely-large packet.
|
|
|
|
*/
|
2011-12-13 09:53:50 +00:00
|
|
|
*err = WTAP_ERR_BAD_FILE;
|
2021-12-18 18:48:20 +00:00
|
|
|
*err_info = ws_strdup_printf("netmon: File has %u-byte packet, bigger than maximum of %u",
|
Allow bigger snapshot lengths for D-Bus captures.
Use WTAP_MAX_PACKET_SIZE_STANDARD, set to 256KB, for everything except
for D-Bus captures. Use WTAP_MAX_PACKET_SIZE_DBUS, set to 128MB, for
them, because that's the largest possible D-Bus message size. See
https://bugs.freedesktop.org/show_bug.cgi?id=100220
for an example of the problems caused by limiting the snapshot length to
256KB for D-Bus.
Have a snapshot length of 0 in a capture_file structure mean "there is
no snapshot length for the file"; we don't need the has_snap field in
that case, a value of 0 mean "no, we don't have a snapshot length".
In dumpcap, start out with a pipe buffer size of 2KB, and grow it as
necessary. When checking for a too-big packet from a pipe, check
against the appropriate maximum - 128MB for DLT_DBUS, 256KB for
everything else.
Change-Id: Ib2ce7a0cf37b971fbc0318024fd011e18add8b20
Reviewed-on: https://code.wireshark.org/review/21952
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-06-05 01:58:40 +00:00
|
|
|
packet_size, WTAP_MAX_PACKET_SIZE_STANDARD);
|
2014-07-06 02:25:47 +00:00
|
|
|
return FAILURE;
|
1999-08-22 02:29:40 +00:00
|
|
|
}
|
2002-01-24 23:02:56 +00:00
|
|
|
|
2018-02-09 00:19:12 +00:00
|
|
|
rec->rec_type = REC_TYPE_PACKET;
|
2021-08-30 02:12:13 +00:00
|
|
|
rec->block = wtap_block_create(WTAP_BLOCK_PACKET);
|
2014-05-24 18:28:30 +00:00
|
|
|
|
2002-01-24 23:02:56 +00:00
|
|
|
/*
|
|
|
|
* If this is an ATM packet, the first
|
|
|
|
* "sizeof (struct netmon_atm_hdr)" bytes have destination and
|
|
|
|
* source addresses (6 bytes - MAC addresses of some sort?)
|
|
|
|
* and the VPI and VCI; read them and generate the pseudo-header
|
|
|
|
* from them.
|
|
|
|
*/
|
2014-05-09 05:18:49 +00:00
|
|
|
switch (wth->file_encap) {
|
2003-10-01 07:11:49 +00:00
|
|
|
|
|
|
|
case WTAP_ENCAP_ATM_PDUS:
|
2002-01-24 23:02:56 +00:00
|
|
|
if (packet_size < sizeof (struct netmon_atm_hdr)) {
|
|
|
|
/*
|
|
|
|
* Uh-oh, the packet isn't big enough to even
|
|
|
|
* have a pseudo-header.
|
|
|
|
*/
|
2011-12-13 09:53:50 +00:00
|
|
|
*err = WTAP_ERR_BAD_FILE;
|
2021-12-18 18:48:20 +00:00
|
|
|
*err_info = ws_strdup_printf("netmon: ATM file has a %u-byte packet, too small to have even an ATM pseudo-header",
|
Have the Wiretap open, read, and seek-and-read routines return, in
addition to an error code, an error info string, for
WTAP_ERR_UNSUPPORTED, WTAP_ERR_UNSUPPORTED_ENCAP, and
WTAP_ERR_BAD_RECORD errors. Replace the error messages logged with
"g_message()" for those errors with g_strdup()ed or g_strdup_printf()ed
strings returned as the error info string, and change the callers of
those routines to, for those errors, put the info string into the
printed message or alert box for the error.
Add messages for cases where those errors were returned without printing
an additional message.
Nobody uses the error code from "cf_read()" - "cf_read()" puts up the
alert box itself for failures; get rid of the error code, so it just
returns a success/failure indication.
Rename "file_read_error_message()" to "cf_read_error_message()", as it
handles read errors from Wiretap, and have it take an error info string
as an argument. (That handles a lot of the work of putting the info
string into the error message.)
Make some variables in "ascend-grammar.y" static.
Check the return value of "erf_read_header()" in "erf_seek_read()".
Get rid of an unused #define in "i4btrace.c".
svn path=/trunk/; revision=9852
2004-01-25 21:55:17 +00:00
|
|
|
packet_size);
|
2014-07-06 02:25:47 +00:00
|
|
|
return FAILURE;
|
2002-01-24 23:02:56 +00:00
|
|
|
}
|
2018-02-09 00:19:12 +00:00
|
|
|
if (!netmon_read_atm_pseudoheader(fh, &rec->rec_header.packet_header.pseudo_header,
|
2011-04-21 09:41:52 +00:00
|
|
|
err, err_info))
|
2014-07-06 02:25:47 +00:00
|
|
|
return FAILURE; /* Read error */
|
2002-01-24 23:02:56 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Don't count the pseudo-header as part of the packet.
|
|
|
|
*/
|
2009-04-22 03:07:37 +00:00
|
|
|
orig_size -= (guint)sizeof (struct netmon_atm_hdr);
|
|
|
|
packet_size -= (guint)sizeof (struct netmon_atm_hdr);
|
2003-10-01 07:11:49 +00:00
|
|
|
break;
|
|
|
|
|
2011-05-03 08:22:25 +00:00
|
|
|
default:
|
2003-10-01 07:11:49 +00:00
|
|
|
break;
|
1999-01-18 21:34:54 +00:00
|
|
|
}
|
2002-01-24 23:02:56 +00:00
|
|
|
|
2000-03-22 07:06:59 +00:00
|
|
|
switch (netmon->version_major) {
|
1999-05-12 21:40:07 +00:00
|
|
|
|
|
|
|
case 1:
|
2010-07-21 16:25:59 +00:00
|
|
|
/*
|
|
|
|
* According to Paul Long, this offset is unsigned.
|
|
|
|
* It's 32 bits, so the maximum value will fit in
|
|
|
|
* a gint64 such as delta, even after multiplying
|
2011-11-16 17:54:44 +00:00
|
|
|
* it by 1000000.
|
2010-07-21 18:37:01 +00:00
|
|
|
*
|
2013-12-03 20:35:50 +00:00
|
|
|
* pletoh32() returns a guint32; we cast it to gint64
|
2010-07-21 18:37:01 +00:00
|
|
|
* before multiplying, so that the product doesn't
|
|
|
|
* overflow a guint32.
|
2010-07-21 16:25:59 +00:00
|
|
|
*/
|
2013-12-03 20:35:50 +00:00
|
|
|
delta = ((gint64)pletoh32(&hdr.hdr_1_x.ts_delta))*1000000;
|
1999-05-12 21:40:07 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
case 2:
|
2011-11-16 17:54:44 +00:00
|
|
|
/*
|
|
|
|
* OK, this is weird. Microsoft's documentation
|
|
|
|
* says this is in microseconds and is a 64-bit
|
|
|
|
* unsigned number, but it can be negative; they
|
|
|
|
* say what appears to amount to "treat it as an
|
|
|
|
* unsigned number, multiply it by 10, and then
|
|
|
|
* interpret the resulting 64-bit quantity as a
|
|
|
|
* signed number". That operation can turn a
|
|
|
|
* value with the uppermost bit 0 to a value with
|
|
|
|
* the uppermost bit 1, hence turning a large
|
|
|
|
* positive number-of-microseconds into a small
|
|
|
|
* negative number-of-100-nanosecond-increments.
|
|
|
|
*/
|
2013-12-03 20:35:50 +00:00
|
|
|
delta = pletoh64(&hdr.hdr_2_x.ts_delta)*10;
|
2011-11-16 17:54:44 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* OK, it's now a signed value in 100-nanosecond
|
|
|
|
* units. Now convert it to nanosecond units.
|
|
|
|
*/
|
|
|
|
delta *= 100;
|
1999-05-12 21:40:07 +00:00
|
|
|
break;
|
|
|
|
}
|
2011-11-16 17:54:44 +00:00
|
|
|
secs = 0;
|
|
|
|
t = netmon->start_nsecs + delta;
|
|
|
|
while (t < 0) {
|
|
|
|
/*
|
|
|
|
* Propagate a borrow into the seconds.
|
|
|
|
* The seconds is a time_t, and can be < 0
|
|
|
|
* (unlikely, as Windows didn't exist before
|
|
|
|
* January 1, 1970, 00:00:00 UTC), while the
|
|
|
|
* nanoseconds should be positive, as in
|
|
|
|
* "nanoseconds since the instant of time
|
|
|
|
* represented by the seconds".
|
|
|
|
*
|
|
|
|
* We do not want t to be negative, as, according
|
|
|
|
* to the C90 standard, "if either operand [of /
|
|
|
|
* or %] is negative, whether the result of the
|
|
|
|
* / operator is the largest integer less than or
|
|
|
|
* equal to the algebraic quotient or the smallest
|
|
|
|
* greater than or equal to the algebraic quotient
|
|
|
|
* is implementation-defined, as is the sign of
|
|
|
|
* the result of the % operator", and we want
|
|
|
|
* the result of the division and remainder
|
|
|
|
* operations to be the same on all platforms.
|
|
|
|
*/
|
|
|
|
t += 1000000000;
|
|
|
|
secs--;
|
|
|
|
}
|
|
|
|
secs += (time_t)(t/1000000000);
|
2014-07-06 01:13:13 +00:00
|
|
|
nsecs = (int)(t%1000000000);
|
2018-02-09 00:19:12 +00:00
|
|
|
rec->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
|
|
|
|
rec->ts.secs = netmon->start_secs + secs;
|
|
|
|
rec->ts.nsecs = nsecs;
|
|
|
|
rec->rec_header.packet_header.caplen = packet_size;
|
|
|
|
rec->rec_header.packet_header.len = orig_size;
|
2013-06-01 02:58:58 +00:00
|
|
|
|
2014-07-06 01:13:13 +00:00
|
|
|
/*
|
|
|
|
* Read the packet data.
|
|
|
|
*/
|
2018-02-09 00:19:12 +00:00
|
|
|
if (!wtap_read_packet_bytes(fh, buf, rec->rec_header.packet_header.caplen, err, err_info))
|
2014-07-06 02:25:47 +00:00
|
|
|
return FAILURE;
|
1999-05-12 21:40:07 +00:00
|
|
|
|
2014-07-06 01:13:13 +00:00
|
|
|
/*
|
|
|
|
* For version 2.1 and later, there's additional information
|
|
|
|
* after the frame data.
|
|
|
|
*/
|
2014-07-05 18:45:18 +00:00
|
|
|
if ((netmon->version_major == 2 && netmon->version_minor >= 1) ||
|
|
|
|
netmon->version_major > 2) {
|
2014-07-05 18:48:52 +00:00
|
|
|
if (netmon->version_major > 2) {
|
|
|
|
/*
|
2020-10-10 23:42:05 +00:00
|
|
|
* Assume 2.3 format, for now.
|
2014-07-05 18:48:52 +00:00
|
|
|
*/
|
2014-07-05 18:45:18 +00:00
|
|
|
trlr_size = (int)sizeof (struct netmonrec_2_3_trlr);
|
2014-07-05 18:48:52 +00:00
|
|
|
} else {
|
2014-07-05 18:45:18 +00:00
|
|
|
switch (netmon->version_minor) {
|
|
|
|
|
|
|
|
case 1:
|
|
|
|
trlr_size = (int)sizeof (struct netmonrec_2_1_trlr);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 2:
|
|
|
|
trlr_size = (int)sizeof (struct netmonrec_2_2_trlr);
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
trlr_size = (int)sizeof (struct netmonrec_2_3_trlr);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
Add some higher-level file-read APIs and use them.
Add wtap_read_bytes(), which takes a FILE_T, a pointer, a byte count, an
error number pointer, and an error string pointer as arguments, and that
treats a short read of any sort, including a read that returns 0 bytes,
as a WTAP_ERR_SHORT_READ error, and that returns the error number and
string through its last two arguments.
Add wtap_read_bytes_or_eof(), which is similar, but that treats a read
that returns 0 bytes as an EOF, supplying an error number of 0 as an EOF
indication.
Use those in file readers; that simplifies the code and makes it less
likely that somebody will fail to supply the error number and error
string on a file read error.
Change-Id: Ia5dba2a6f81151e87b614461349d611cffc16210
Reviewed-on: https://code.wireshark.org/review/4512
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2014-10-07 01:00:57 +00:00
|
|
|
if (!wtap_read_bytes(fh, &trlr, trlr_size, err, err_info))
|
2014-07-06 01:13:13 +00:00
|
|
|
return FAILURE;
|
2014-07-05 18:45:18 +00:00
|
|
|
|
|
|
|
network = pletoh16(trlr.trlr_2_1.network);
|
2017-09-04 14:16:49 +00:00
|
|
|
if ((network >= 0xE080) && (network <= 0xE08A)) {
|
|
|
|
/* These values "violate" the LINKTYPE_ media type values
|
|
|
|
* in Microsoft Analyzer and are considered a MAExportedMediaType,
|
|
|
|
* so they need their own WTAP_ types
|
|
|
|
*/
|
|
|
|
switch (network)
|
|
|
|
{
|
|
|
|
case 0xE080: // "WiFi Message"
|
2017-09-06 18:47:02 +00:00
|
|
|
pkt_encap = WTAP_ENCAP_IEEE_802_11;
|
|
|
|
break;
|
2017-09-04 14:16:49 +00:00
|
|
|
case 0xE081: // "Ndis Etw WiFi Channel Message"
|
|
|
|
case 0xE082: // "Fiddler Netmon Message"
|
|
|
|
case 0xE089: // "Pef Ndis Msg";
|
|
|
|
case 0xE08A: // "Pef Ndis Wifi Meta Msg";
|
|
|
|
*err = WTAP_ERR_UNSUPPORTED;
|
2021-12-18 18:48:20 +00:00
|
|
|
*err_info = ws_strdup_printf("netmon: network type %u unknown or unsupported", network);
|
2017-09-04 14:16:49 +00:00
|
|
|
return FAILURE;
|
|
|
|
case 0xE083:
|
|
|
|
pkt_encap = WTAP_ENCAP_MA_WFP_CAPTURE_V4;
|
|
|
|
break;
|
|
|
|
case 0xE084:
|
|
|
|
pkt_encap = WTAP_ENCAP_MA_WFP_CAPTURE_V6;
|
|
|
|
break;
|
|
|
|
case 0xE085:
|
|
|
|
pkt_encap = WTAP_ENCAP_MA_WFP_CAPTURE_2V4;
|
|
|
|
break;
|
|
|
|
case 0xE086:
|
|
|
|
pkt_encap = WTAP_ENCAP_MA_WFP_CAPTURE_2V6;
|
|
|
|
break;
|
|
|
|
case 0xE087:
|
|
|
|
pkt_encap = WTAP_ENCAP_MA_WFP_CAPTURE_AUTH_V4;
|
|
|
|
break;
|
|
|
|
case 0xE088:
|
|
|
|
pkt_encap = WTAP_ENCAP_MA_WFP_CAPTURE_AUTH_V6;
|
|
|
|
break;
|
2017-09-07 12:02:22 +00:00
|
|
|
default:
|
|
|
|
pkt_encap = WTAP_ENCAP_UNKNOWN;
|
|
|
|
break;
|
2017-09-04 14:16:49 +00:00
|
|
|
}
|
|
|
|
} else if ((network & 0xF000) == NETMON_NET_PCAP_BASE) {
|
2014-07-05 18:45:18 +00:00
|
|
|
/*
|
|
|
|
* Converted pcap file - the LINKTYPE_ value
|
|
|
|
* is the network value with 0xF000 masked off.
|
|
|
|
*/
|
|
|
|
network &= 0x0FFF;
|
|
|
|
pkt_encap = wtap_pcap_encap_to_wtap_encap(network);
|
|
|
|
if (pkt_encap == WTAP_ENCAP_UNKNOWN) {
|
2014-12-17 06:22:29 +00:00
|
|
|
*err = WTAP_ERR_UNSUPPORTED;
|
2021-12-18 18:48:20 +00:00
|
|
|
*err_info = ws_strdup_printf("netmon: converted pcap network type %u unknown or unsupported",
|
2014-07-05 18:45:18 +00:00
|
|
|
network);
|
2014-07-06 01:13:13 +00:00
|
|
|
return FAILURE;
|
2014-07-05 18:45:18 +00:00
|
|
|
}
|
|
|
|
} else if (network < NUM_NETMON_ENCAPS) {
|
|
|
|
/*
|
|
|
|
* Regular NetMon encapsulation.
|
|
|
|
*/
|
|
|
|
pkt_encap = netmon_encap[network];
|
|
|
|
if (pkt_encap == WTAP_ENCAP_UNKNOWN) {
|
2014-12-17 06:22:29 +00:00
|
|
|
*err = WTAP_ERR_UNSUPPORTED;
|
2021-12-18 18:48:20 +00:00
|
|
|
*err_info = ws_strdup_printf("netmon: network type %u unknown or unsupported",
|
2014-07-05 18:45:18 +00:00
|
|
|
network);
|
2014-07-06 01:13:13 +00:00
|
|
|
return FAILURE;
|
2014-07-05 18:45:18 +00:00
|
|
|
}
|
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* Special packet type for metadata.
|
|
|
|
*/
|
|
|
|
switch (network) {
|
|
|
|
|
|
|
|
case NETMON_NET_NETEVENT:
|
2014-07-06 01:13:13 +00:00
|
|
|
/*
|
|
|
|
* Event Tracing event.
|
|
|
|
*
|
2019-07-27 22:53:22 +00:00
|
|
|
* https://docs.microsoft.com/en-us/windows/win32/api/evntcons/ns-evntcons-event_header
|
2014-07-06 01:13:13 +00:00
|
|
|
*/
|
2017-08-29 01:40:31 +00:00
|
|
|
pkt_encap = WTAP_ENCAP_NETMON_NET_NETEVENT;
|
|
|
|
break;
|
2014-07-06 01:13:13 +00:00
|
|
|
|
2014-07-05 18:45:18 +00:00
|
|
|
case NETMON_NET_NETWORK_INFO_EX:
|
2014-07-06 01:13:13 +00:00
|
|
|
/*
|
|
|
|
* List of adapters on which the capture
|
|
|
|
* was done.
|
2018-01-09 00:38:10 +00:00
|
|
|
* XXX - this could be translated into pcapng
|
|
|
|
* blocks but for now, just treat as a frame.
|
2014-07-06 01:13:13 +00:00
|
|
|
*/
|
2017-08-31 16:45:46 +00:00
|
|
|
pkt_encap = WTAP_ENCAP_NETMON_NETWORK_INFO_EX;
|
|
|
|
break;
|
2014-07-06 01:13:13 +00:00
|
|
|
|
2014-07-05 18:45:18 +00:00
|
|
|
case NETMON_NET_PAYLOAD_HEADER:
|
2014-07-06 01:13:13 +00:00
|
|
|
/*
|
|
|
|
* Header for a fake frame constructed
|
|
|
|
* by reassembly.
|
|
|
|
*/
|
|
|
|
return RETRY;
|
|
|
|
|
2014-07-05 18:45:18 +00:00
|
|
|
case NETMON_NET_NETWORK_INFO:
|
2014-07-06 01:13:13 +00:00
|
|
|
/*
|
|
|
|
* List of adapters on which the capture
|
|
|
|
* was done.
|
|
|
|
*/
|
|
|
|
return RETRY;
|
|
|
|
|
2014-07-05 18:45:18 +00:00
|
|
|
case NETMON_NET_DNS_CACHE:
|
2014-07-06 01:13:13 +00:00
|
|
|
/*
|
|
|
|
* List of resolved IP addresses.
|
|
|
|
*/
|
|
|
|
return RETRY;
|
|
|
|
|
2014-07-05 18:45:18 +00:00
|
|
|
case NETMON_NET_NETMON_FILTER:
|
|
|
|
/*
|
2014-07-06 01:13:13 +00:00
|
|
|
* NetMon capture or display filter
|
|
|
|
* string.
|
2014-07-05 18:45:18 +00:00
|
|
|
*/
|
2017-08-31 16:45:46 +00:00
|
|
|
pkt_encap = WTAP_ENCAP_NETMON_NET_FILTER;
|
|
|
|
break;
|
2014-07-05 18:45:18 +00:00
|
|
|
|
|
|
|
default:
|
2014-12-17 06:22:29 +00:00
|
|
|
*err = WTAP_ERR_UNSUPPORTED;
|
2021-12-18 18:48:20 +00:00
|
|
|
*err_info = ws_strdup_printf("netmon: network type %u unknown or unsupported",
|
2014-07-05 18:45:18 +00:00
|
|
|
network);
|
2014-07-06 01:13:13 +00:00
|
|
|
return FAILURE;
|
2014-07-05 18:45:18 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-02-09 00:19:12 +00:00
|
|
|
rec->rec_header.packet_header.pkt_encap = pkt_encap;
|
2014-07-05 18:45:18 +00:00
|
|
|
if (netmon->version_major > 2 || netmon->version_minor > 2) {
|
|
|
|
guint64 d;
|
|
|
|
|
|
|
|
d = pletoh64(trlr.trlr_2_3.utc_timestamp);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Get the time as seconds and nanoseconds.
|
|
|
|
* and overwrite the time stamp obtained
|
|
|
|
* from the record header.
|
|
|
|
*/
|
2018-02-09 00:19:12 +00:00
|
|
|
if (!filetime_to_nstime(&rec->ts, d)) {
|
2015-04-20 20:41:07 +00:00
|
|
|
*err = WTAP_ERR_BAD_FILE;
|
2016-06-06 02:24:47 +00:00
|
|
|
*err_info = g_strdup("netmon: time stamp outside supported range");
|
2015-04-20 20:41:07 +00:00
|
|
|
return FAILURE;
|
|
|
|
}
|
2014-07-05 18:45:18 +00:00
|
|
|
}
|
|
|
|
}
|
2014-07-06 01:13:13 +00:00
|
|
|
|
2018-02-09 00:19:12 +00:00
|
|
|
netmon_set_pseudo_header_info(rec, buf);
|
2017-08-25 19:29:17 +00:00
|
|
|
|
|
|
|
/* If any header specific information is present, set it as pseudo header data
|
|
|
|
* and set the encapsulation type, so it can be handled to the netmon_header
|
|
|
|
* dissector for further processing
|
|
|
|
*/
|
|
|
|
if (netmon->comment_table != NULL) {
|
|
|
|
comment_rec = (struct netmonrec_comment*)g_hash_table_lookup(netmon->comment_table, GUINT_TO_POINTER(netmon->frame_table[netmon->current_frame-1]));
|
|
|
|
}
|
|
|
|
|
|
|
|
if (comment_rec != NULL) {
|
|
|
|
union wtap_pseudo_header temp_header;
|
|
|
|
|
|
|
|
/* These are the current encapsulation types that NetMon uses.
|
|
|
|
* Save them off so they can be copied to the NetMon pseudoheader
|
|
|
|
*/
|
2018-02-09 00:19:12 +00:00
|
|
|
switch (rec->rec_header.packet_header.pkt_encap)
|
2017-08-25 19:29:17 +00:00
|
|
|
{
|
|
|
|
case WTAP_ENCAP_ATM_PDUS:
|
2018-02-09 00:19:12 +00:00
|
|
|
memcpy(&temp_header.atm, &rec->rec_header.packet_header.pseudo_header.atm, sizeof(temp_header.atm));
|
2017-08-25 19:29:17 +00:00
|
|
|
break;
|
|
|
|
case WTAP_ENCAP_ETHERNET:
|
2018-02-09 00:19:12 +00:00
|
|
|
memcpy(&temp_header.eth, &rec->rec_header.packet_header.pseudo_header.eth, sizeof(temp_header.eth));
|
2017-08-25 19:29:17 +00:00
|
|
|
break;
|
|
|
|
case WTAP_ENCAP_IEEE_802_11_NETMON:
|
2018-02-09 00:19:12 +00:00
|
|
|
memcpy(&temp_header.ieee_802_11, &rec->rec_header.packet_header.pseudo_header.ieee_802_11, sizeof(temp_header.ieee_802_11));
|
2017-08-25 19:29:17 +00:00
|
|
|
break;
|
|
|
|
}
|
2018-02-09 00:19:12 +00:00
|
|
|
memset(&rec->rec_header.packet_header.pseudo_header.netmon, 0, sizeof(rec->rec_header.packet_header.pseudo_header.netmon));
|
2017-08-25 19:29:17 +00:00
|
|
|
|
|
|
|
/* Save the current encapsulation type to the NetMon pseudoheader */
|
2018-02-09 00:19:12 +00:00
|
|
|
rec->rec_header.packet_header.pseudo_header.netmon.sub_encap = rec->rec_header.packet_header.pkt_encap;
|
2017-08-25 19:29:17 +00:00
|
|
|
|
|
|
|
/* Copy the comment data */
|
2018-02-09 00:19:12 +00:00
|
|
|
rec->rec_header.packet_header.pseudo_header.netmon.title = comment_rec->title;
|
|
|
|
rec->rec_header.packet_header.pseudo_header.netmon.descLength = comment_rec->descLength;
|
|
|
|
rec->rec_header.packet_header.pseudo_header.netmon.description = comment_rec->description;
|
2017-08-25 19:29:17 +00:00
|
|
|
|
|
|
|
/* Copy the saved pseudoheaders to the netmon pseudoheader structure */
|
2018-02-09 00:19:12 +00:00
|
|
|
switch (rec->rec_header.packet_header.pkt_encap)
|
2017-08-25 19:29:17 +00:00
|
|
|
{
|
|
|
|
case WTAP_ENCAP_ATM_PDUS:
|
2018-02-09 00:19:12 +00:00
|
|
|
memcpy(&rec->rec_header.packet_header.pseudo_header.netmon.subheader.atm, &temp_header.atm, sizeof(temp_header.atm));
|
2017-08-25 19:29:17 +00:00
|
|
|
break;
|
|
|
|
case WTAP_ENCAP_ETHERNET:
|
2018-02-09 00:19:12 +00:00
|
|
|
memcpy(&rec->rec_header.packet_header.pseudo_header.netmon.subheader.eth, &temp_header.eth, sizeof(temp_header.eth));
|
2017-08-25 19:29:17 +00:00
|
|
|
break;
|
|
|
|
case WTAP_ENCAP_IEEE_802_11_NETMON:
|
2018-02-09 00:19:12 +00:00
|
|
|
memcpy(&rec->rec_header.packet_header.pseudo_header.netmon.subheader.ieee_802_11, &temp_header.ieee_802_11, sizeof(temp_header.ieee_802_11));
|
2017-08-25 19:29:17 +00:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Encapsulation type is now something that can be passed to netmon_header dissector */
|
2018-02-09 00:19:12 +00:00
|
|
|
rec->rec_header.packet_header.pkt_encap = WTAP_ENCAP_NETMON_HEADER;
|
2017-08-25 19:29:17 +00:00
|
|
|
}
|
|
|
|
|
2013-06-01 02:58:58 +00:00
|
|
|
return SUCCESS;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Read the next packet */
|
2019-04-05 01:56:27 +00:00
|
|
|
static gboolean netmon_read(wtap *wth, wtap_rec *rec, Buffer *buf,
|
|
|
|
int *err, gchar **err_info, gint64 *data_offset)
|
2013-06-01 02:58:58 +00:00
|
|
|
{
|
2014-05-09 05:18:49 +00:00
|
|
|
netmon_t *netmon = (netmon_t *)wth->priv;
|
2013-06-01 02:58:58 +00:00
|
|
|
gint64 rec_offset;
|
|
|
|
|
2014-07-06 01:13:13 +00:00
|
|
|
for (;;) {
|
|
|
|
/* Have we reached the end of the packet data? */
|
|
|
|
if (netmon->current_frame >= netmon->frame_table_size) {
|
|
|
|
*err = 0; /* it's just an EOF, not an error */
|
2014-05-23 10:50:02 +00:00
|
|
|
return FALSE;
|
2014-07-06 01:13:13 +00:00
|
|
|
}
|
2013-06-01 02:58:58 +00:00
|
|
|
|
2014-07-06 01:13:13 +00:00
|
|
|
/* Seek to the beginning of the current record, if we're
|
|
|
|
not there already (seeking to the current position
|
|
|
|
may still cause a seek and a read of the underlying file,
|
|
|
|
so we don't want to do it unconditionally).
|
|
|
|
|
|
|
|
Yes, the current record could be before the previous
|
|
|
|
record. At least some captures put the trailer record
|
|
|
|
with statistics as the first physical record in the
|
|
|
|
file, but set the frame table up so it's the last
|
|
|
|
record in sequence. */
|
|
|
|
rec_offset = netmon->frame_table[netmon->current_frame];
|
|
|
|
if (file_tell(wth->fh) != rec_offset) {
|
|
|
|
if (file_seek(wth->fh, rec_offset, SEEK_SET, err) == -1)
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
netmon->current_frame++;
|
2013-06-01 02:58:58 +00:00
|
|
|
|
2014-07-06 01:13:13 +00:00
|
|
|
*data_offset = file_tell(wth->fh);
|
2013-06-01 02:58:58 +00:00
|
|
|
|
2019-04-05 01:56:27 +00:00
|
|
|
switch (netmon_process_record(wth, wth->fh, rec, buf, err,
|
|
|
|
err_info)) {
|
2013-06-01 02:58:58 +00:00
|
|
|
|
2014-07-06 01:13:13 +00:00
|
|
|
case RETRY:
|
|
|
|
continue;
|
2013-06-01 02:58:58 +00:00
|
|
|
|
2014-07-06 01:13:13 +00:00
|
|
|
case SUCCESS:
|
|
|
|
return TRUE;
|
2013-06-01 02:58:58 +00:00
|
|
|
|
2014-07-06 01:13:13 +00:00
|
|
|
case FAILURE:
|
|
|
|
return FALSE;
|
|
|
|
}
|
2010-07-18 19:41:11 +00:00
|
|
|
}
|
2002-01-24 23:02:56 +00:00
|
|
|
}
|
1999-05-12 21:40:07 +00:00
|
|
|
|
2014-05-23 10:50:02 +00:00
|
|
|
static gboolean
|
2014-05-09 05:18:49 +00:00
|
|
|
netmon_seek_read(wtap *wth, gint64 seek_off,
|
2018-02-09 00:19:12 +00:00
|
|
|
wtap_rec *rec, Buffer *buf, int *err, gchar **err_info)
|
2002-01-24 23:02:56 +00:00
|
|
|
{
|
2014-05-09 05:18:49 +00:00
|
|
|
if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
|
2014-05-23 10:50:02 +00:00
|
|
|
return FALSE;
|
2002-01-24 23:02:56 +00:00
|
|
|
|
2018-02-09 00:19:12 +00:00
|
|
|
switch (netmon_process_record(wth, wth->random_fh, rec, buf, err,
|
2014-07-06 01:13:13 +00:00
|
|
|
err_info)) {
|
2013-06-01 02:58:58 +00:00
|
|
|
|
2014-07-06 01:33:00 +00:00
|
|
|
default:
|
2011-05-03 08:22:25 +00:00
|
|
|
/*
|
2013-06-01 02:58:58 +00:00
|
|
|
* This should not happen.
|
2011-05-03 08:22:25 +00:00
|
|
|
*/
|
2013-06-01 02:58:58 +00:00
|
|
|
*err = WTAP_ERR_BAD_FILE;
|
|
|
|
*err_info = g_strdup("netmon: saw metadata in netmon_seek_read");
|
2014-05-23 10:50:02 +00:00
|
|
|
return FALSE;
|
2013-06-01 02:58:58 +00:00
|
|
|
|
|
|
|
case SUCCESS:
|
2014-07-06 01:13:13 +00:00
|
|
|
return TRUE;
|
2013-06-01 02:58:58 +00:00
|
|
|
|
|
|
|
case FAILURE:
|
2014-05-23 10:50:02 +00:00
|
|
|
return FALSE;
|
2011-05-03 08:22:25 +00:00
|
|
|
}
|
2002-01-24 23:02:56 +00:00
|
|
|
}
|
|
|
|
|
2002-03-05 08:40:27 +00:00
|
|
|
static gboolean
|
2002-01-24 23:02:56 +00:00
|
|
|
netmon_read_atm_pseudoheader(FILE_T fh, union wtap_pseudo_header *pseudo_header,
|
2011-04-21 09:41:52 +00:00
|
|
|
int *err, gchar **err_info)
|
2002-01-24 23:02:56 +00:00
|
|
|
{
|
|
|
|
struct netmon_atm_hdr atm_phdr;
|
Replace the "ngsniffer_atm" with an "atm" pseudo-header, which isn't
just an image of the ATM Sniffer data. This means that Ethereal doesn't
have to know any ATM Sniffer-specific details (that's all hidden in
Wiretap), and allows us to add to that pseudo-header fields, traffic
types, etc. unknown to ATM Sniffers.
Have Wiretap map VPI 0/VCI 5 to the signalling AAL - for some capture
files, this might not be necessary, as they may mark all signalling
traffic as such, but, on other platforms, we don't know the AAL, so we
assume AAL5 except for 0/5 traffic. Doing it in Wiretap lets us hide
those details from Ethereal (and lets Ethereal interpret 0/5 traffic as
non-signalling traffic, in case that happens to be what it is).
We may know that traffic is LANE, but not whether it's LE Control or
emulated 802.3/802.5; handle that case.
svn path=/trunk/; revision=5302
2002-04-30 08:48:27 +00:00
|
|
|
guint16 vpi, vci;
|
2002-01-24 23:02:56 +00:00
|
|
|
|
Add some higher-level file-read APIs and use them.
Add wtap_read_bytes(), which takes a FILE_T, a pointer, a byte count, an
error number pointer, and an error string pointer as arguments, and that
treats a short read of any sort, including a read that returns 0 bytes,
as a WTAP_ERR_SHORT_READ error, and that returns the error number and
string through its last two arguments.
Add wtap_read_bytes_or_eof(), which is similar, but that treats a read
that returns 0 bytes as an EOF, supplying an error number of 0 as an EOF
indication.
Use those in file readers; that simplifies the code and makes it less
likely that somebody will fail to supply the error number and error
string on a file read error.
Change-Id: Ia5dba2a6f81151e87b614461349d611cffc16210
Reviewed-on: https://code.wireshark.org/review/4512
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2014-10-07 01:00:57 +00:00
|
|
|
if (!wtap_read_bytes(fh, &atm_phdr, sizeof (struct netmon_atm_hdr),
|
|
|
|
err, err_info))
|
2002-03-05 08:40:27 +00:00
|
|
|
return FALSE;
|
2002-01-24 23:02:56 +00:00
|
|
|
|
2002-07-29 06:09:59 +00:00
|
|
|
vpi = g_ntohs(atm_phdr.vpi);
|
|
|
|
vci = g_ntohs(atm_phdr.vci);
|
2002-01-24 23:02:56 +00:00
|
|
|
|
Replace the "ngsniffer_atm" with an "atm" pseudo-header, which isn't
just an image of the ATM Sniffer data. This means that Ethereal doesn't
have to know any ATM Sniffer-specific details (that's all hidden in
Wiretap), and allows us to add to that pseudo-header fields, traffic
types, etc. unknown to ATM Sniffers.
Have Wiretap map VPI 0/VCI 5 to the signalling AAL - for some capture
files, this might not be necessary, as they may mark all signalling
traffic as such, but, on other platforms, we don't know the AAL, so we
assume AAL5 except for 0/5 traffic. Doing it in Wiretap lets us hide
those details from Ethereal (and lets Ethereal interpret 0/5 traffic as
non-signalling traffic, in case that happens to be what it is).
We may know that traffic is LANE, but not whether it's LE Control or
emulated 802.3/802.5; handle that case.
svn path=/trunk/; revision=5302
2002-04-30 08:48:27 +00:00
|
|
|
pseudo_header->atm.vpi = vpi;
|
|
|
|
pseudo_header->atm.vci = vci;
|
|
|
|
|
|
|
|
/* We don't have this information */
|
2003-01-10 04:04:42 +00:00
|
|
|
pseudo_header->atm.flags = 0;
|
Replace the "ngsniffer_atm" with an "atm" pseudo-header, which isn't
just an image of the ATM Sniffer data. This means that Ethereal doesn't
have to know any ATM Sniffer-specific details (that's all hidden in
Wiretap), and allows us to add to that pseudo-header fields, traffic
types, etc. unknown to ATM Sniffers.
Have Wiretap map VPI 0/VCI 5 to the signalling AAL - for some capture
files, this might not be necessary, as they may mark all signalling
traffic as such, but, on other platforms, we don't know the AAL, so we
assume AAL5 except for 0/5 traffic. Doing it in Wiretap lets us hide
those details from Ethereal (and lets Ethereal interpret 0/5 traffic as
non-signalling traffic, in case that happens to be what it is).
We may know that traffic is LANE, but not whether it's LE Control or
emulated 802.3/802.5; handle that case.
svn path=/trunk/; revision=5302
2002-04-30 08:48:27 +00:00
|
|
|
pseudo_header->atm.channel = 0;
|
|
|
|
pseudo_header->atm.cells = 0;
|
|
|
|
pseudo_header->atm.aal5t_u2u = 0;
|
|
|
|
pseudo_header->atm.aal5t_len = 0;
|
|
|
|
pseudo_header->atm.aal5t_chksum = 0;
|
2002-01-24 23:02:56 +00:00
|
|
|
|
2002-03-05 08:40:27 +00:00
|
|
|
return TRUE;
|
2002-01-24 23:02:56 +00:00
|
|
|
}
|
|
|
|
|
2002-06-04 21:55:38 +00:00
|
|
|
/* Throw away the frame table used by the sequential I/O stream. */
|
2000-03-22 07:06:59 +00:00
|
|
|
static void
|
2017-08-25 19:29:17 +00:00
|
|
|
netmon_close(wtap *wth)
|
2000-03-22 07:06:59 +00:00
|
|
|
{
|
2014-05-09 05:18:49 +00:00
|
|
|
netmon_t *netmon = (netmon_t *)wth->priv;
|
2010-02-26 07:59:54 +00:00
|
|
|
|
|
|
|
if (netmon->frame_table != NULL) {
|
|
|
|
g_free(netmon->frame_table);
|
|
|
|
netmon->frame_table = NULL;
|
2002-06-04 21:55:38 +00:00
|
|
|
}
|
2017-08-25 19:29:17 +00:00
|
|
|
|
|
|
|
if (netmon->comment_table != NULL) {
|
|
|
|
g_hash_table_destroy(netmon->comment_table);
|
|
|
|
netmon->comment_table = NULL;
|
|
|
|
}
|
2017-08-30 20:01:48 +00:00
|
|
|
|
|
|
|
if (netmon->process_info_table != NULL) {
|
|
|
|
g_hash_table_destroy(netmon->process_info_table);
|
|
|
|
netmon->process_info_table = NULL;
|
|
|
|
}
|
2002-06-04 21:55:38 +00:00
|
|
|
}
|
|
|
|
|
2010-02-26 07:59:54 +00:00
|
|
|
typedef struct {
|
wiretap: register most built-in file types from its module.
Remove most of the built-in file types from the table in
wiretap/file_access.c and, instead, have the file types register
themselves, using wtap_register_file_type_subtypes().
This reduces the source code changes needed to add a new file type from
three (add the handler, add the file type to the table in file_access.c,
add a #define for the file type in wiretap/wtap.h) to one (add the
handler). (It also requires adding the handler's source file to
wiretap/CMakeLists.txt, but that's required in both cases.)
A few remain because the WTAP_FILE_TYPE_SUBTYPE_ #define is used
elsewhere; that needs to be fixed.
Fix the wiretap/CMakefile.txt file to scan k12text.l, as that now
contains a registration routine. In the process, avoid scanning files
that don't implement a file type and won't ever have a registration
routine.
Add a Lua routine to fetch the total number of file types; we use that
in some code to construct the wtap_filetypes table, which we need to do
in order to continue to have all the values that used to come from the
WTAP_FILE_TYPE_SUBTYPE_ types.
While we're at it, add modelines to a file that lacked them.
2021-02-14 08:34:10 +00:00
|
|
|
gboolean is_v2;
|
2010-02-26 07:59:54 +00:00
|
|
|
gboolean got_first_record_time;
|
2013-11-09 10:38:02 +00:00
|
|
|
nstime_t first_record_time;
|
2010-02-26 07:59:54 +00:00
|
|
|
guint32 frame_table_offset;
|
|
|
|
guint32 *frame_table;
|
|
|
|
guint frame_table_index;
|
|
|
|
guint frame_table_size;
|
2011-11-17 20:17:36 +00:00
|
|
|
gboolean no_more_room; /* TRUE if no more records can be written */
|
2010-02-26 07:59:54 +00:00
|
|
|
} netmon_dump_t;
|
2000-03-22 07:06:59 +00:00
|
|
|
|
1999-12-04 05:14:39 +00:00
|
|
|
static const int wtap_encap[] = {
|
|
|
|
-1, /* WTAP_ENCAP_UNKNOWN -> unsupported */
|
|
|
|
1, /* WTAP_ENCAP_ETHERNET -> NDIS Ethernet */
|
2000-09-21 04:41:37 +00:00
|
|
|
2, /* WTAP_ENCAP_TOKEN_RING -> NDIS Token Ring */
|
1999-12-04 05:14:39 +00:00
|
|
|
-1, /* WTAP_ENCAP_SLIP -> unsupported */
|
|
|
|
-1, /* WTAP_ENCAP_PPP -> unsupported */
|
|
|
|
3, /* WTAP_ENCAP_FDDI -> NDIS FDDI */
|
|
|
|
3, /* WTAP_ENCAP_FDDI_BITSWAPPED -> NDIS FDDI */
|
|
|
|
-1, /* WTAP_ENCAP_RAW_IP -> unsupported */
|
|
|
|
-1, /* WTAP_ENCAP_ARCNET -> unsupported */
|
2011-12-22 09:22:35 +00:00
|
|
|
-1, /* WTAP_ENCAP_ARCNET_LINUX -> unsupported */
|
1999-12-04 05:14:39 +00:00
|
|
|
-1, /* WTAP_ENCAP_ATM_RFC1483 -> unsupported */
|
|
|
|
-1, /* WTAP_ENCAP_LINUX_ATM_CLIP -> unsupported */
|
|
|
|
-1, /* WTAP_ENCAP_LAPB -> unsupported*/
|
Rename WTAP_ENCAP_ATM_SNIFFER to WTAP_ENCAP_ATM_PDUS, as it's not just
used for the DOS-based ATM Sniffer. (That's not a great name, but I
couldn't think of a better one.)
Add a new WTAP_ENCAP_ATM_PDUS_UNTRUNCATED encapsulation type for capture
files where reassembled frames don't have trailers, such as the AAL5
trailer, chopped off. That's what at least some versions of the
Windows-based ATM Sniffer appear to have.
Map the ATM capture file type for NetXRay captures to
WTAP_ENCAP_ATM_PDUS_UNTRUNCATED, and put in stuff to fill in what we've
reverse-engineered, so far, for the pseudo-header; there's more that
needs to be done on it, e.g. getting the channel, AAL type, and traffic
type (or inferring them if they're not in the packet header).
svn path=/trunk/; revision=6840
2003-01-03 06:45:45 +00:00
|
|
|
4, /* WTAP_ENCAP_ATM_PDUS -> NDIS WAN (*NOT* ATM!) */
|
1999-12-04 05:14:39 +00:00
|
|
|
};
|
|
|
|
#define NUM_WTAP_ENCAPS (sizeof wtap_encap / sizeof wtap_encap[0])
|
|
|
|
|
1999-12-04 08:32:14 +00:00
|
|
|
/* Returns 0 if we could write the specified encapsulation type,
|
|
|
|
an error indication otherwise. */
|
wiretap: register most built-in file types from its module.
Remove most of the built-in file types from the table in
wiretap/file_access.c and, instead, have the file types register
themselves, using wtap_register_file_type_subtypes().
This reduces the source code changes needed to add a new file type from
three (add the handler, add the file type to the table in file_access.c,
add a #define for the file type in wiretap/wtap.h) to one (add the
handler). (It also requires adding the handler's source file to
wiretap/CMakeLists.txt, but that's required in both cases.)
A few remain because the WTAP_FILE_TYPE_SUBTYPE_ #define is used
elsewhere; that needs to be fixed.
Fix the wiretap/CMakefile.txt file to scan k12text.l, as that now
contains a registration routine. In the process, avoid scanning files
that don't implement a file type and won't ever have a registration
routine.
Add a Lua routine to fetch the total number of file types; we use that
in some code to construct the wtap_filetypes table, which we need to do
in order to continue to have all the values that used to come from the
WTAP_FILE_TYPE_SUBTYPE_ types.
While we're at it, add modelines to a file that lacked them.
2021-02-14 08:34:10 +00:00
|
|
|
static int netmon_dump_can_write_encap_1_x(int encap)
|
2012-01-14 10:31:25 +00:00
|
|
|
{
|
|
|
|
/*
|
|
|
|
* Per-packet encapsulations are *not* supported in NetMon 1.x
|
|
|
|
* format.
|
|
|
|
*/
|
|
|
|
if (encap < 0 || (unsigned) encap >= NUM_WTAP_ENCAPS || wtap_encap[encap] == -1)
|
2014-12-17 06:40:45 +00:00
|
|
|
return WTAP_ERR_UNWRITABLE_ENCAP;
|
2012-01-14 10:31:25 +00:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
wiretap: register most built-in file types from its module.
Remove most of the built-in file types from the table in
wiretap/file_access.c and, instead, have the file types register
themselves, using wtap_register_file_type_subtypes().
This reduces the source code changes needed to add a new file type from
three (add the handler, add the file type to the table in file_access.c,
add a #define for the file type in wiretap/wtap.h) to one (add the
handler). (It also requires adding the handler's source file to
wiretap/CMakeLists.txt, but that's required in both cases.)
A few remain because the WTAP_FILE_TYPE_SUBTYPE_ #define is used
elsewhere; that needs to be fixed.
Fix the wiretap/CMakefile.txt file to scan k12text.l, as that now
contains a registration routine. In the process, avoid scanning files
that don't implement a file type and won't ever have a registration
routine.
Add a Lua routine to fetch the total number of file types; we use that
in some code to construct the wtap_filetypes table, which we need to do
in order to continue to have all the values that used to come from the
WTAP_FILE_TYPE_SUBTYPE_ types.
While we're at it, add modelines to a file that lacked them.
2021-02-14 08:34:10 +00:00
|
|
|
static int netmon_dump_can_write_encap_2_x(int encap)
|
1999-12-04 05:14:39 +00:00
|
|
|
{
|
2011-11-17 09:03:09 +00:00
|
|
|
/*
|
|
|
|
* Per-packet encapsulations are supported in NetMon 2.1
|
|
|
|
* format.
|
|
|
|
*/
|
1999-12-04 08:32:14 +00:00
|
|
|
if (encap == WTAP_ENCAP_PER_PACKET)
|
2011-11-17 09:03:09 +00:00
|
|
|
return 0;
|
1999-12-04 05:14:39 +00:00
|
|
|
|
2001-10-25 20:29:24 +00:00
|
|
|
if (encap < 0 || (unsigned) encap >= NUM_WTAP_ENCAPS || wtap_encap[encap] == -1)
|
2014-12-17 06:40:45 +00:00
|
|
|
return WTAP_ERR_UNWRITABLE_ENCAP;
|
1999-12-04 05:14:39 +00:00
|
|
|
|
1999-12-04 08:32:14 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
|
|
|
|
failure */
|
wiretap: register most built-in file types from its module.
Remove most of the built-in file types from the table in
wiretap/file_access.c and, instead, have the file types register
themselves, using wtap_register_file_type_subtypes().
This reduces the source code changes needed to add a new file type from
three (add the handler, add the file type to the table in file_access.c,
add a #define for the file type in wiretap/wtap.h) to one (add the
handler). (It also requires adding the handler's source file to
wiretap/CMakeLists.txt, but that's required in both cases.)
A few remain because the WTAP_FILE_TYPE_SUBTYPE_ #define is used
elsewhere; that needs to be fixed.
Fix the wiretap/CMakefile.txt file to scan k12text.l, as that now
contains a registration routine. In the process, avoid scanning files
that don't implement a file type and won't ever have a registration
routine.
Add a Lua routine to fetch the total number of file types; we use that
in some code to construct the wtap_filetypes table, which we need to do
in order to continue to have all the values that used to come from the
WTAP_FILE_TYPE_SUBTYPE_ types.
While we're at it, add modelines to a file that lacked them.
2021-02-14 08:34:10 +00:00
|
|
|
static gboolean netmon_dump_open(wtap_dumper *wdh, gboolean is_v2,
|
|
|
|
int *err, gchar **err_info _U_)
|
1999-12-04 08:32:14 +00:00
|
|
|
{
|
2010-02-26 07:59:54 +00:00
|
|
|
netmon_dump_t *netmon;
|
|
|
|
|
1999-12-04 05:14:39 +00:00
|
|
|
/* We can't fill in all the fields in the file header, as we
|
|
|
|
haven't yet written any packets. As we'll have to rewrite
|
|
|
|
the header when we've written out all the packets, we just
|
|
|
|
skip over the header for now. */
|
2014-05-09 05:18:49 +00:00
|
|
|
if (wtap_dump_file_seek(wdh, CAPTUREFILE_HEADER_SIZE, SEEK_SET, err) == -1)
|
2002-03-04 00:25:35 +00:00
|
|
|
return FALSE;
|
1999-12-04 05:14:39 +00:00
|
|
|
|
2003-11-06 22:45:28 +00:00
|
|
|
wdh->subtype_write = netmon_dump;
|
2015-11-09 19:54:18 +00:00
|
|
|
wdh->subtype_finish = netmon_dump_finish;
|
2003-11-06 22:45:28 +00:00
|
|
|
|
2020-12-21 02:30:28 +00:00
|
|
|
netmon = g_new(netmon_dump_t, 1);
|
2010-02-26 07:59:54 +00:00
|
|
|
wdh->priv = (void *)netmon;
|
wiretap: register most built-in file types from its module.
Remove most of the built-in file types from the table in
wiretap/file_access.c and, instead, have the file types register
themselves, using wtap_register_file_type_subtypes().
This reduces the source code changes needed to add a new file type from
three (add the handler, add the file type to the table in file_access.c,
add a #define for the file type in wiretap/wtap.h) to one (add the
handler). (It also requires adding the handler's source file to
wiretap/CMakeLists.txt, but that's required in both cases.)
A few remain because the WTAP_FILE_TYPE_SUBTYPE_ #define is used
elsewhere; that needs to be fixed.
Fix the wiretap/CMakefile.txt file to scan k12text.l, as that now
contains a registration routine. In the process, avoid scanning files
that don't implement a file type and won't ever have a registration
routine.
Add a Lua routine to fetch the total number of file types; we use that
in some code to construct the wtap_filetypes table, which we need to do
in order to continue to have all the values that used to come from the
WTAP_FILE_TYPE_SUBTYPE_ types.
While we're at it, add modelines to a file that lacked them.
2021-02-14 08:34:10 +00:00
|
|
|
netmon->is_v2 = is_v2;
|
2010-02-26 07:59:54 +00:00
|
|
|
netmon->frame_table_offset = CAPTUREFILE_HEADER_SIZE;
|
|
|
|
netmon->got_first_record_time = FALSE;
|
|
|
|
netmon->frame_table = NULL;
|
|
|
|
netmon->frame_table_index = 0;
|
|
|
|
netmon->frame_table_size = 0;
|
2011-11-17 20:17:36 +00:00
|
|
|
netmon->no_more_room = FALSE;
|
1999-12-04 05:14:39 +00:00
|
|
|
|
|
|
|
return TRUE;
|
|
|
|
}
|
|
|
|
|
wiretap: register most built-in file types from its module.
Remove most of the built-in file types from the table in
wiretap/file_access.c and, instead, have the file types register
themselves, using wtap_register_file_type_subtypes().
This reduces the source code changes needed to add a new file type from
three (add the handler, add the file type to the table in file_access.c,
add a #define for the file type in wiretap/wtap.h) to one (add the
handler). (It also requires adding the handler's source file to
wiretap/CMakeLists.txt, but that's required in both cases.)
A few remain because the WTAP_FILE_TYPE_SUBTYPE_ #define is used
elsewhere; that needs to be fixed.
Fix the wiretap/CMakefile.txt file to scan k12text.l, as that now
contains a registration routine. In the process, avoid scanning files
that don't implement a file type and won't ever have a registration
routine.
Add a Lua routine to fetch the total number of file types; we use that
in some code to construct the wtap_filetypes table, which we need to do
in order to continue to have all the values that used to come from the
WTAP_FILE_TYPE_SUBTYPE_ types.
While we're at it, add modelines to a file that lacked them.
2021-02-14 08:34:10 +00:00
|
|
|
static gboolean netmon_dump_open_1_x(wtap_dumper *wdh, int *err, gchar **err_info _U_)
|
|
|
|
{
|
|
|
|
return netmon_dump_open(wdh, 1, err, err_info);
|
|
|
|
}
|
|
|
|
|
|
|
|
static gboolean netmon_dump_open_2_x(wtap_dumper *wdh, int *err, gchar **err_info _U_)
|
|
|
|
{
|
|
|
|
return netmon_dump_open(wdh, 2, err, err_info);
|
|
|
|
}
|
|
|
|
|
1999-12-04 05:14:39 +00:00
|
|
|
/* Write a record for a packet to a dump file.
|
|
|
|
Returns TRUE on success, FALSE on failure. */
|
2018-02-09 00:19:12 +00:00
|
|
|
static gboolean netmon_dump(wtap_dumper *wdh, const wtap_rec *rec,
|
2014-12-18 00:02:50 +00:00
|
|
|
const guint8 *pd, int *err, gchar **err_info _U_)
|
1999-12-04 05:14:39 +00:00
|
|
|
{
|
2018-02-09 00:19:12 +00:00
|
|
|
const union wtap_pseudo_header *pseudo_header = &rec->rec_header.packet_header.pseudo_header;
|
2010-02-26 07:59:54 +00:00
|
|
|
netmon_dump_t *netmon = (netmon_dump_t *)wdh->priv;
|
1999-12-04 05:14:39 +00:00
|
|
|
struct netmonrec_1_x_hdr rec_1_x_hdr;
|
|
|
|
struct netmonrec_2_x_hdr rec_2_x_hdr;
|
2011-11-17 09:03:09 +00:00
|
|
|
void *hdrp;
|
|
|
|
size_t rec_size;
|
|
|
|
struct netmonrec_2_1_trlr rec_2_x_trlr;
|
2001-08-25 03:18:48 +00:00
|
|
|
size_t hdr_size;
|
2002-01-24 23:02:56 +00:00
|
|
|
struct netmon_atm_hdr atm_hdr;
|
|
|
|
int atm_hdrsize;
|
2011-11-16 17:54:44 +00:00
|
|
|
gint64 secs;
|
|
|
|
gint32 nsecs;
|
1999-12-04 05:14:39 +00:00
|
|
|
|
2014-05-24 18:28:30 +00:00
|
|
|
/* We can only write packet records. */
|
2018-02-09 00:19:12 +00:00
|
|
|
if (rec->rec_type != REC_TYPE_PACKET) {
|
2014-12-18 00:31:49 +00:00
|
|
|
*err = WTAP_ERR_UNWRITABLE_REC_TYPE;
|
2014-05-24 18:28:30 +00:00
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
|
wiretap: register most built-in file types from its module.
Remove most of the built-in file types from the table in
wiretap/file_access.c and, instead, have the file types register
themselves, using wtap_register_file_type_subtypes().
This reduces the source code changes needed to add a new file type from
three (add the handler, add the file type to the table in file_access.c,
add a #define for the file type in wiretap/wtap.h) to one (add the
handler). (It also requires adding the handler's source file to
wiretap/CMakeLists.txt, but that's required in both cases.)
A few remain because the WTAP_FILE_TYPE_SUBTYPE_ #define is used
elsewhere; that needs to be fixed.
Fix the wiretap/CMakefile.txt file to scan k12text.l, as that now
contains a registration routine. In the process, avoid scanning files
that don't implement a file type and won't ever have a registration
routine.
Add a Lua routine to fetch the total number of file types; we use that
in some code to construct the wtap_filetypes table, which we need to do
in order to continue to have all the values that used to come from the
WTAP_FILE_TYPE_SUBTYPE_ types.
While we're at it, add modelines to a file that lacked them.
2021-02-14 08:34:10 +00:00
|
|
|
if (netmon->is_v2) {
|
|
|
|
/* Don't write anything we're not willing to read. */
|
|
|
|
if (rec->rec_header.packet_header.caplen > WTAP_MAX_PACKET_SIZE_STANDARD) {
|
|
|
|
*err = WTAP_ERR_PACKET_TOO_LARGE;
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
} else {
|
2014-01-22 00:26:36 +00:00
|
|
|
/*
|
|
|
|
* The length fields are 16-bit, so there's a hard limit
|
|
|
|
* of 65535.
|
|
|
|
*/
|
2018-02-09 00:19:12 +00:00
|
|
|
if (rec->rec_header.packet_header.caplen > 65535) {
|
2014-01-22 00:26:36 +00:00
|
|
|
*err = WTAP_ERR_PACKET_TOO_LARGE;
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-11-17 09:03:09 +00:00
|
|
|
if (wdh->encap == WTAP_ENCAP_PER_PACKET) {
|
|
|
|
/*
|
|
|
|
* Is this network type supported?
|
|
|
|
*/
|
2018-02-09 00:19:12 +00:00
|
|
|
if (rec->rec_header.packet_header.pkt_encap < 0 ||
|
|
|
|
(unsigned) rec->rec_header.packet_header.pkt_encap >= NUM_WTAP_ENCAPS ||
|
|
|
|
wtap_encap[rec->rec_header.packet_header.pkt_encap] == -1) {
|
2011-11-17 09:03:09 +00:00
|
|
|
/*
|
|
|
|
* No. Fail.
|
|
|
|
*/
|
2014-12-17 06:40:45 +00:00
|
|
|
*err = WTAP_ERR_UNWRITABLE_ENCAP;
|
2011-11-17 09:03:09 +00:00
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Fill in the trailer with the network type.
|
|
|
|
*/
|
2018-02-09 00:19:12 +00:00
|
|
|
phtoles(rec_2_x_trlr.network, wtap_encap[rec->rec_header.packet_header.pkt_encap]);
|
2011-11-17 09:03:09 +00:00
|
|
|
}
|
|
|
|
|
2011-11-17 20:17:36 +00:00
|
|
|
/*
|
|
|
|
* Will the file offset of this frame fit in a 32-bit unsigned
|
|
|
|
* integer?
|
|
|
|
*/
|
|
|
|
if (netmon->no_more_room) {
|
|
|
|
/*
|
|
|
|
* No, so the file is too big for NetMon format to
|
|
|
|
* handle.
|
|
|
|
*/
|
|
|
|
*err = EFBIG;
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
|
2011-11-16 17:54:44 +00:00
|
|
|
/*
|
|
|
|
* NetMon files have a capture start time in the file header,
|
|
|
|
* and have times relative to that in the packet headers;
|
|
|
|
* pick the time of the first packet as the capture start
|
|
|
|
* time.
|
|
|
|
*
|
|
|
|
* That time has millisecond resolution, so chop any
|
|
|
|
* sub-millisecond part of the time stamp off.
|
|
|
|
*/
|
2000-05-10 22:16:31 +00:00
|
|
|
if (!netmon->got_first_record_time) {
|
2018-02-09 00:19:12 +00:00
|
|
|
netmon->first_record_time.secs = rec->ts.secs;
|
2011-11-16 17:54:44 +00:00
|
|
|
netmon->first_record_time.nsecs =
|
2018-02-09 00:19:12 +00:00
|
|
|
(rec->ts.nsecs/1000000)*1000000;
|
2000-05-10 22:16:31 +00:00
|
|
|
netmon->got_first_record_time = TRUE;
|
1999-12-04 05:14:39 +00:00
|
|
|
}
|
2002-08-28 20:30:45 +00:00
|
|
|
|
Rename WTAP_ENCAP_ATM_SNIFFER to WTAP_ENCAP_ATM_PDUS, as it's not just
used for the DOS-based ATM Sniffer. (That's not a great name, but I
couldn't think of a better one.)
Add a new WTAP_ENCAP_ATM_PDUS_UNTRUNCATED encapsulation type for capture
files where reassembled frames don't have trailers, such as the AAL5
trailer, chopped off. That's what at least some versions of the
Windows-based ATM Sniffer appear to have.
Map the ATM capture file type for NetXRay captures to
WTAP_ENCAP_ATM_PDUS_UNTRUNCATED, and put in stuff to fill in what we've
reverse-engineered, so far, for the pseudo-header; there's more that
needs to be done on it, e.g. getting the channel, AAL type, and traffic
type (or inferring them if they're not in the packet header).
svn path=/trunk/; revision=6840
2003-01-03 06:45:45 +00:00
|
|
|
if (wdh->encap == WTAP_ENCAP_ATM_PDUS)
|
2002-04-30 09:21:41 +00:00
|
|
|
atm_hdrsize = sizeof (struct netmon_atm_hdr);
|
2002-01-24 23:02:56 +00:00
|
|
|
else
|
|
|
|
atm_hdrsize = 0;
|
2018-02-09 00:19:12 +00:00
|
|
|
secs = (gint64)(rec->ts.secs - netmon->first_record_time.secs);
|
|
|
|
nsecs = rec->ts.nsecs - netmon->first_record_time.nsecs;
|
2011-11-16 17:54:44 +00:00
|
|
|
while (nsecs < 0) {
|
|
|
|
/*
|
|
|
|
* Propagate a borrow into the seconds.
|
|
|
|
* The seconds is a time_t, and can be < 0
|
|
|
|
* (unlikely, as neither UN*X nor DOS
|
|
|
|
* nor the original Mac System existed
|
|
|
|
* before January 1, 1970, 00:00:00 UTC),
|
|
|
|
* while the nanoseconds should be positive,
|
|
|
|
* as in "nanoseconds since the instant of time
|
|
|
|
* represented by the seconds".
|
|
|
|
*
|
|
|
|
* We do not want t to be negative, as, according
|
|
|
|
* to the C90 standard, "if either operand [of /
|
|
|
|
* or %] is negative, whether the result of the
|
|
|
|
* / operator is the largest integer less than or
|
|
|
|
* equal to the algebraic quotient or the smallest
|
|
|
|
* greater than or equal to the algebraic quotient
|
|
|
|
* is implementation-defined, as is the sign of
|
|
|
|
* the result of the % operator", and we want
|
|
|
|
* the result of the division and remainder
|
|
|
|
* operations to be the same on all platforms.
|
|
|
|
*/
|
|
|
|
nsecs += 1000000000;
|
|
|
|
secs--;
|
|
|
|
}
|
wiretap: register most built-in file types from its module.
Remove most of the built-in file types from the table in
wiretap/file_access.c and, instead, have the file types register
themselves, using wtap_register_file_type_subtypes().
This reduces the source code changes needed to add a new file type from
three (add the handler, add the file type to the table in file_access.c,
add a #define for the file type in wiretap/wtap.h) to one (add the
handler). (It also requires adding the handler's source file to
wiretap/CMakeLists.txt, but that's required in both cases.)
A few remain because the WTAP_FILE_TYPE_SUBTYPE_ #define is used
elsewhere; that needs to be fixed.
Fix the wiretap/CMakefile.txt file to scan k12text.l, as that now
contains a registration routine. In the process, avoid scanning files
that don't implement a file type and won't ever have a registration
routine.
Add a Lua routine to fetch the total number of file types; we use that
in some code to construct the wtap_filetypes table, which we need to do
in order to continue to have all the values that used to come from the
WTAP_FILE_TYPE_SUBTYPE_ types.
While we're at it, add modelines to a file that lacked them.
2021-02-14 08:34:10 +00:00
|
|
|
if (netmon->is_v2) {
|
2013-11-29 18:44:00 +00:00
|
|
|
rec_2_x_hdr.ts_delta = GUINT64_TO_LE(secs*1000000 + (nsecs + 500)/1000);
|
2018-02-09 00:19:12 +00:00
|
|
|
rec_2_x_hdr.orig_len = GUINT32_TO_LE(rec->rec_header.packet_header.len + atm_hdrsize);
|
|
|
|
rec_2_x_hdr.incl_len = GUINT32_TO_LE(rec->rec_header.packet_header.caplen + atm_hdrsize);
|
2011-11-17 09:03:09 +00:00
|
|
|
hdrp = &rec_2_x_hdr;
|
1999-12-04 05:14:39 +00:00
|
|
|
hdr_size = sizeof rec_2_x_hdr;
|
wiretap: register most built-in file types from its module.
Remove most of the built-in file types from the table in
wiretap/file_access.c and, instead, have the file types register
themselves, using wtap_register_file_type_subtypes().
This reduces the source code changes needed to add a new file type from
three (add the handler, add the file type to the table in file_access.c,
add a #define for the file type in wiretap/wtap.h) to one (add the
handler). (It also requires adding the handler's source file to
wiretap/CMakeLists.txt, but that's required in both cases.)
A few remain because the WTAP_FILE_TYPE_SUBTYPE_ #define is used
elsewhere; that needs to be fixed.
Fix the wiretap/CMakefile.txt file to scan k12text.l, as that now
contains a registration routine. In the process, avoid scanning files
that don't implement a file type and won't ever have a registration
routine.
Add a Lua routine to fetch the total number of file types; we use that
in some code to construct the wtap_filetypes table, which we need to do
in order to continue to have all the values that used to come from the
WTAP_FILE_TYPE_SUBTYPE_ types.
While we're at it, add modelines to a file that lacked them.
2021-02-14 08:34:10 +00:00
|
|
|
} else {
|
|
|
|
rec_1_x_hdr.ts_delta = GUINT32_TO_LE(secs*1000 + (nsecs + 500000)/1000000);
|
|
|
|
rec_1_x_hdr.orig_len = GUINT16_TO_LE(rec->rec_header.packet_header.len + atm_hdrsize);
|
|
|
|
rec_1_x_hdr.incl_len = GUINT16_TO_LE(rec->rec_header.packet_header.caplen + atm_hdrsize);
|
|
|
|
hdrp = &rec_1_x_hdr;
|
|
|
|
hdr_size = sizeof rec_1_x_hdr;
|
1999-12-04 05:14:39 +00:00
|
|
|
}
|
|
|
|
|
2011-11-17 09:03:09 +00:00
|
|
|
/*
|
|
|
|
* Keep track of the record size, as we need to update
|
|
|
|
* the current file offset.
|
|
|
|
*/
|
|
|
|
rec_size = 0;
|
|
|
|
|
2014-05-09 05:18:49 +00:00
|
|
|
if (!wtap_dump_file_write(wdh, hdrp, hdr_size, err))
|
1999-12-04 05:14:39 +00:00
|
|
|
return FALSE;
|
2011-11-17 09:03:09 +00:00
|
|
|
rec_size += hdr_size;
|
2002-01-24 23:02:56 +00:00
|
|
|
|
Rename WTAP_ENCAP_ATM_SNIFFER to WTAP_ENCAP_ATM_PDUS, as it's not just
used for the DOS-based ATM Sniffer. (That's not a great name, but I
couldn't think of a better one.)
Add a new WTAP_ENCAP_ATM_PDUS_UNTRUNCATED encapsulation type for capture
files where reassembled frames don't have trailers, such as the AAL5
trailer, chopped off. That's what at least some versions of the
Windows-based ATM Sniffer appear to have.
Map the ATM capture file type for NetXRay captures to
WTAP_ENCAP_ATM_PDUS_UNTRUNCATED, and put in stuff to fill in what we've
reverse-engineered, so far, for the pseudo-header; there's more that
needs to be done on it, e.g. getting the channel, AAL type, and traffic
type (or inferring them if they're not in the packet header).
svn path=/trunk/; revision=6840
2003-01-03 06:45:45 +00:00
|
|
|
if (wdh->encap == WTAP_ENCAP_ATM_PDUS) {
|
2002-01-24 23:02:56 +00:00
|
|
|
/*
|
|
|
|
* Write the ATM header.
|
|
|
|
* We supply all-zero destination and source addresses.
|
|
|
|
*/
|
|
|
|
memset(&atm_hdr.dest, 0, sizeof atm_hdr.dest);
|
|
|
|
memset(&atm_hdr.src, 0, sizeof atm_hdr.src);
|
2002-07-29 06:09:59 +00:00
|
|
|
atm_hdr.vpi = g_htons(pseudo_header->atm.vpi);
|
|
|
|
atm_hdr.vci = g_htons(pseudo_header->atm.vci);
|
2014-05-09 05:18:49 +00:00
|
|
|
if (!wtap_dump_file_write(wdh, &atm_hdr, sizeof atm_hdr, err))
|
2002-01-24 23:02:56 +00:00
|
|
|
return FALSE;
|
2011-11-17 09:03:09 +00:00
|
|
|
rec_size += sizeof atm_hdr;
|
2002-01-24 23:02:56 +00:00
|
|
|
}
|
|
|
|
|
2018-02-09 00:19:12 +00:00
|
|
|
if (!wtap_dump_file_write(wdh, pd, rec->rec_header.packet_header.caplen, err))
|
1999-12-04 05:14:39 +00:00
|
|
|
return FALSE;
|
2018-02-09 00:19:12 +00:00
|
|
|
rec_size += rec->rec_header.packet_header.caplen;
|
2011-11-17 09:03:09 +00:00
|
|
|
|
|
|
|
if (wdh->encap == WTAP_ENCAP_PER_PACKET) {
|
|
|
|
/*
|
|
|
|
* Write out the trailer.
|
|
|
|
*/
|
2014-05-09 05:18:49 +00:00
|
|
|
if (!wtap_dump_file_write(wdh, &rec_2_x_trlr,
|
2011-11-17 09:03:09 +00:00
|
|
|
sizeof rec_2_x_trlr, err))
|
|
|
|
return FALSE;
|
|
|
|
rec_size += sizeof rec_2_x_trlr;
|
|
|
|
}
|
1999-12-04 05:14:39 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Stash the file offset of this frame.
|
|
|
|
*/
|
2000-05-10 22:16:31 +00:00
|
|
|
if (netmon->frame_table_size == 0) {
|
1999-12-04 05:14:39 +00:00
|
|
|
/*
|
|
|
|
* Haven't yet allocated the buffer for the frame table.
|
|
|
|
*/
|
2012-06-02 14:13:14 +00:00
|
|
|
netmon->frame_table = (guint32 *)g_malloc(1024 * sizeof *netmon->frame_table);
|
2000-05-10 22:16:31 +00:00
|
|
|
netmon->frame_table_size = 1024;
|
1999-12-04 05:14:39 +00:00
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* We've allocated it; are we at the end?
|
|
|
|
*/
|
2000-05-10 22:16:31 +00:00
|
|
|
if (netmon->frame_table_index >= netmon->frame_table_size) {
|
1999-12-04 05:14:39 +00:00
|
|
|
/*
|
|
|
|
* Yes - double the size of the frame table.
|
|
|
|
*/
|
2000-05-10 22:16:31 +00:00
|
|
|
netmon->frame_table_size *= 2;
|
2012-06-02 14:13:14 +00:00
|
|
|
netmon->frame_table = (guint32 *)g_realloc(netmon->frame_table,
|
2000-05-10 22:16:31 +00:00
|
|
|
netmon->frame_table_size * sizeof *netmon->frame_table);
|
1999-12-04 05:14:39 +00:00
|
|
|
}
|
|
|
|
}
|
2011-11-17 20:17:36 +00:00
|
|
|
|
2000-05-10 22:16:31 +00:00
|
|
|
netmon->frame_table[netmon->frame_table_index] =
|
2013-11-29 18:44:00 +00:00
|
|
|
GUINT32_TO_LE(netmon->frame_table_offset);
|
2011-11-17 20:17:36 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Is this the last record we can write?
|
|
|
|
* I.e., will the frame table offset of the next record not fit
|
|
|
|
* in a 32-bit frame table offset entry?
|
|
|
|
*
|
|
|
|
* (We don't bother checking whether the number of frames
|
|
|
|
* will fit in a 32-bit value, as, even if each record were
|
|
|
|
* 1 byte, if there were more than 2^32-1 packets, the frame
|
|
|
|
* table offset of at least one of those packets will be >
|
|
|
|
* 2^32 - 1.)
|
|
|
|
*
|
|
|
|
* Note: this also catches the unlikely possibility that
|
|
|
|
* the record itself is > 2^32 - 1 bytes long.
|
|
|
|
*/
|
|
|
|
if ((guint64)netmon->frame_table_offset + rec_size > G_MAXUINT32) {
|
|
|
|
/*
|
|
|
|
* Yup, too big.
|
|
|
|
*/
|
|
|
|
netmon->no_more_room = TRUE;
|
|
|
|
}
|
2000-05-10 22:16:31 +00:00
|
|
|
netmon->frame_table_index++;
|
2011-11-17 09:03:09 +00:00
|
|
|
netmon->frame_table_offset += (guint32) rec_size;
|
1999-12-04 05:14:39 +00:00
|
|
|
|
|
|
|
return TRUE;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Finish writing to a dump file.
|
|
|
|
Returns TRUE on success, FALSE on failure. */
|
2020-10-14 01:48:46 +00:00
|
|
|
static gboolean netmon_dump_finish(wtap_dumper *wdh, int *err,
|
|
|
|
gchar **err_info _U_)
|
1999-12-04 05:14:39 +00:00
|
|
|
{
|
2010-02-26 07:59:54 +00:00
|
|
|
netmon_dump_t *netmon = (netmon_dump_t *)wdh->priv;
|
2001-08-25 03:18:48 +00:00
|
|
|
size_t n_to_write;
|
1999-12-04 05:14:39 +00:00
|
|
|
struct netmon_hdr file_hdr;
|
|
|
|
const char *magicp;
|
2001-08-25 03:18:48 +00:00
|
|
|
size_t magic_size;
|
1999-12-04 05:14:39 +00:00
|
|
|
struct tm *tm;
|
|
|
|
|
2000-05-10 22:16:31 +00:00
|
|
|
/* Write out the frame table. "netmon->frame_table_index" is
|
1999-12-04 05:14:39 +00:00
|
|
|
the number of entries we've put into it. */
|
2000-05-10 22:16:31 +00:00
|
|
|
n_to_write = netmon->frame_table_index * sizeof *netmon->frame_table;
|
2014-05-09 05:18:49 +00:00
|
|
|
if (!wtap_dump_file_write(wdh, netmon->frame_table, n_to_write, err))
|
1999-12-04 05:14:39 +00:00
|
|
|
return FALSE;
|
|
|
|
|
|
|
|
/* Now go fix up the file header. */
|
2014-05-09 05:18:49 +00:00
|
|
|
if (wtap_dump_file_seek(wdh, 0, SEEK_SET, err) == -1)
|
2013-03-17 09:20:13 +00:00
|
|
|
return FALSE;
|
1999-12-04 05:14:39 +00:00
|
|
|
memset(&file_hdr, '\0', sizeof file_hdr);
|
wiretap: register most built-in file types from its module.
Remove most of the built-in file types from the table in
wiretap/file_access.c and, instead, have the file types register
themselves, using wtap_register_file_type_subtypes().
This reduces the source code changes needed to add a new file type from
three (add the handler, add the file type to the table in file_access.c,
add a #define for the file type in wiretap/wtap.h) to one (add the
handler). (It also requires adding the handler's source file to
wiretap/CMakeLists.txt, but that's required in both cases.)
A few remain because the WTAP_FILE_TYPE_SUBTYPE_ #define is used
elsewhere; that needs to be fixed.
Fix the wiretap/CMakefile.txt file to scan k12text.l, as that now
contains a registration routine. In the process, avoid scanning files
that don't implement a file type and won't ever have a registration
routine.
Add a Lua routine to fetch the total number of file types; we use that
in some code to construct the wtap_filetypes table, which we need to do
in order to continue to have all the values that used to come from the
WTAP_FILE_TYPE_SUBTYPE_ types.
While we're at it, add modelines to a file that lacked them.
2021-02-14 08:34:10 +00:00
|
|
|
if (netmon->is_v2) {
|
1999-12-04 05:14:39 +00:00
|
|
|
magicp = netmon_2_x_magic;
|
|
|
|
magic_size = sizeof netmon_2_x_magic;
|
2007-06-05 17:17:22 +00:00
|
|
|
/*
|
|
|
|
* NetMon file version, for 2.x, is 2.0;
|
|
|
|
* for 3.0, it's 2.1.
|
2011-11-17 09:03:09 +00:00
|
|
|
*
|
|
|
|
* If the file encapsulation is WTAP_ENCAP_PER_PACKET,
|
|
|
|
* we need version 2.1.
|
|
|
|
*
|
|
|
|
* XXX - version 2.3 supports UTC time stamps; when
|
|
|
|
* should we use it? According to the file format
|
|
|
|
* documentation, NetMon 3.3 "cannot properly
|
|
|
|
* interpret" the UTC timestamp information; does
|
|
|
|
* that mean it ignores it and uses the local-time
|
|
|
|
* start time and time deltas, or mishandles them?
|
|
|
|
* Also, NetMon 3.1 and earlier can't read version
|
|
|
|
* 2.2, much less version 2.3.
|
2007-06-05 17:17:22 +00:00
|
|
|
*/
|
2001-01-25 21:47:23 +00:00
|
|
|
file_hdr.ver_major = 2;
|
2011-11-17 09:03:09 +00:00
|
|
|
file_hdr.ver_minor =
|
|
|
|
(wdh->encap == WTAP_ENCAP_PER_PACKET) ? 1 : 0;
|
wiretap: register most built-in file types from its module.
Remove most of the built-in file types from the table in
wiretap/file_access.c and, instead, have the file types register
themselves, using wtap_register_file_type_subtypes().
This reduces the source code changes needed to add a new file type from
three (add the handler, add the file type to the table in file_access.c,
add a #define for the file type in wiretap/wtap.h) to one (add the
handler). (It also requires adding the handler's source file to
wiretap/CMakeLists.txt, but that's required in both cases.)
A few remain because the WTAP_FILE_TYPE_SUBTYPE_ #define is used
elsewhere; that needs to be fixed.
Fix the wiretap/CMakefile.txt file to scan k12text.l, as that now
contains a registration routine. In the process, avoid scanning files
that don't implement a file type and won't ever have a registration
routine.
Add a Lua routine to fetch the total number of file types; we use that
in some code to construct the wtap_filetypes table, which we need to do
in order to continue to have all the values that used to come from the
WTAP_FILE_TYPE_SUBTYPE_ types.
While we're at it, add modelines to a file that lacked them.
2021-02-14 08:34:10 +00:00
|
|
|
} else {
|
|
|
|
magicp = netmon_1_x_magic;
|
|
|
|
magic_size = sizeof netmon_1_x_magic;
|
|
|
|
/* NetMon file version, for 1.x, is 1.1 */
|
|
|
|
file_hdr.ver_major = 1;
|
|
|
|
file_hdr.ver_minor = 1;
|
1999-12-04 05:14:39 +00:00
|
|
|
}
|
2014-05-09 05:18:49 +00:00
|
|
|
if (!wtap_dump_file_write(wdh, magicp, magic_size, err))
|
1999-12-04 05:14:39 +00:00
|
|
|
return FALSE;
|
|
|
|
|
2011-11-17 09:03:09 +00:00
|
|
|
if (wdh->encap == WTAP_ENCAP_PER_PACKET) {
|
|
|
|
/*
|
|
|
|
* We're writing NetMon 2.1 format, so the media
|
|
|
|
* type in the file header is irrelevant. Set it
|
|
|
|
* to 1, just as Network Monitor does.
|
|
|
|
*/
|
2013-11-29 18:44:00 +00:00
|
|
|
file_hdr.network = GUINT16_TO_LE(1);
|
2011-11-17 09:03:09 +00:00
|
|
|
} else
|
2013-11-29 18:44:00 +00:00
|
|
|
file_hdr.network = GUINT16_TO_LE(wtap_encap[wdh->encap]);
|
2005-08-24 21:31:56 +00:00
|
|
|
tm = localtime(&netmon->first_record_time.secs);
|
2002-05-04 10:00:18 +00:00
|
|
|
if (tm != NULL) {
|
2013-11-29 18:44:00 +00:00
|
|
|
file_hdr.ts_year = GUINT16_TO_LE(1900 + tm->tm_year);
|
|
|
|
file_hdr.ts_month = GUINT16_TO_LE(tm->tm_mon + 1);
|
|
|
|
file_hdr.ts_dow = GUINT16_TO_LE(tm->tm_wday);
|
|
|
|
file_hdr.ts_day = GUINT16_TO_LE(tm->tm_mday);
|
|
|
|
file_hdr.ts_hour = GUINT16_TO_LE(tm->tm_hour);
|
|
|
|
file_hdr.ts_min = GUINT16_TO_LE(tm->tm_min);
|
|
|
|
file_hdr.ts_sec = GUINT16_TO_LE(tm->tm_sec);
|
2002-05-04 10:00:18 +00:00
|
|
|
} else {
|
2013-11-29 18:44:00 +00:00
|
|
|
file_hdr.ts_year = GUINT16_TO_LE(1900 + 0);
|
|
|
|
file_hdr.ts_month = GUINT16_TO_LE(0 + 1);
|
|
|
|
file_hdr.ts_dow = GUINT16_TO_LE(0);
|
|
|
|
file_hdr.ts_day = GUINT16_TO_LE(0);
|
|
|
|
file_hdr.ts_hour = GUINT16_TO_LE(0);
|
|
|
|
file_hdr.ts_min = GUINT16_TO_LE(0);
|
|
|
|
file_hdr.ts_sec = GUINT16_TO_LE(0);
|
2002-05-04 10:00:18 +00:00
|
|
|
}
|
2013-11-29 18:44:00 +00:00
|
|
|
file_hdr.ts_msec = GUINT16_TO_LE(netmon->first_record_time.nsecs/1000000);
|
|
|
|
file_hdr.frametableoffset = GUINT32_TO_LE(netmon->frame_table_offset);
|
1999-12-04 05:14:39 +00:00
|
|
|
file_hdr.frametablelength =
|
2013-11-29 18:44:00 +00:00
|
|
|
GUINT32_TO_LE(netmon->frame_table_index * sizeof *netmon->frame_table);
|
2014-05-09 05:18:49 +00:00
|
|
|
if (!wtap_dump_file_write(wdh, &file_hdr, sizeof file_hdr, err))
|
1999-12-04 05:14:39 +00:00
|
|
|
return FALSE;
|
|
|
|
|
|
|
|
return TRUE;
|
|
|
|
}
|
2015-01-02 00:45:22 +00:00
|
|
|
|
wiretap: have file handlers advertise blocks and options supported.
Instead of a "supports name resolution" Boolean and bitflags for types of
comments supported, provide a list of block types that the file
type/subtype supports, with each block type having a list of options
supported. Indicate whether "supported" means "one instance" or
"multiple instances".
"Supports" doesn't just mean "can be written", it also means "could be
read".
Rename WTAP_BLOCK_IF_DESCRIPTION to WTAP_BLOCK_IF_ID_AND_INFO, to
indicate that it provides, in addition to information about the
interface, an ID (implicitly, in pcapng files, by its ordinal number)
that is associated with every packet in the file. Emphasize that in
comments - just because your capture file format can list the interfaces
on which a capture was done, that doesn't mean it supports this; it
doesn't do so if the file doesn't indicate, for every packet, on which
of those interfaces it was captured (I'm looking at *you*, Microsoft
Network Monitor...).
Use APIs to query that information to do what the "does this file
type/subtype support name resolution information", "does this file
type/subtype support all of these comment types", and "does this file
type/subtype support - and require - interface IDs" APIs did.
Provide backwards compatibility for Lua.
This allows us to eliminate the WTAP_FILE_TYPE_SUBTYPE_ values for IBM's
iptrace; do so.
2021-02-21 22:18:04 +00:00
|
|
|
static const struct supported_block_type netmon_1_x_blocks_supported[] = {
|
|
|
|
/*
|
|
|
|
* We support packet blocks, with no comments or other options.
|
|
|
|
*/
|
|
|
|
{ WTAP_BLOCK_PACKET, MULTIPLE_BLOCKS_SUPPORTED, NO_OPTIONS_SUPPORTED }
|
|
|
|
};
|
|
|
|
|
wiretap: register most built-in file types from its module.
Remove most of the built-in file types from the table in
wiretap/file_access.c and, instead, have the file types register
themselves, using wtap_register_file_type_subtypes().
This reduces the source code changes needed to add a new file type from
three (add the handler, add the file type to the table in file_access.c,
add a #define for the file type in wiretap/wtap.h) to one (add the
handler). (It also requires adding the handler's source file to
wiretap/CMakeLists.txt, but that's required in both cases.)
A few remain because the WTAP_FILE_TYPE_SUBTYPE_ #define is used
elsewhere; that needs to be fixed.
Fix the wiretap/CMakefile.txt file to scan k12text.l, as that now
contains a registration routine. In the process, avoid scanning files
that don't implement a file type and won't ever have a registration
routine.
Add a Lua routine to fetch the total number of file types; we use that
in some code to construct the wtap_filetypes table, which we need to do
in order to continue to have all the values that used to come from the
WTAP_FILE_TYPE_SUBTYPE_ types.
While we're at it, add modelines to a file that lacked them.
2021-02-14 08:34:10 +00:00
|
|
|
static const struct file_type_subtype_info netmon_1_x_info = {
|
|
|
|
"Microsoft NetMon 1.x", "netmon1", "cap", NULL,
|
wiretap: have file handlers advertise blocks and options supported.
Instead of a "supports name resolution" Boolean and bitflags for types of
comments supported, provide a list of block types that the file
type/subtype supports, with each block type having a list of options
supported. Indicate whether "supported" means "one instance" or
"multiple instances".
"Supports" doesn't just mean "can be written", it also means "could be
read".
Rename WTAP_BLOCK_IF_DESCRIPTION to WTAP_BLOCK_IF_ID_AND_INFO, to
indicate that it provides, in addition to information about the
interface, an ID (implicitly, in pcapng files, by its ordinal number)
that is associated with every packet in the file. Emphasize that in
comments - just because your capture file format can list the interfaces
on which a capture was done, that doesn't mean it supports this; it
doesn't do so if the file doesn't indicate, for every packet, on which
of those interfaces it was captured (I'm looking at *you*, Microsoft
Network Monitor...).
Use APIs to query that information to do what the "does this file
type/subtype support name resolution information", "does this file
type/subtype support all of these comment types", and "does this file
type/subtype support - and require - interface IDs" APIs did.
Provide backwards compatibility for Lua.
This allows us to eliminate the WTAP_FILE_TYPE_SUBTYPE_ values for IBM's
iptrace; do so.
2021-02-21 22:18:04 +00:00
|
|
|
TRUE, BLOCKS_SUPPORTED(netmon_1_x_blocks_supported),
|
wiretap: register most built-in file types from its module.
Remove most of the built-in file types from the table in
wiretap/file_access.c and, instead, have the file types register
themselves, using wtap_register_file_type_subtypes().
This reduces the source code changes needed to add a new file type from
three (add the handler, add the file type to the table in file_access.c,
add a #define for the file type in wiretap/wtap.h) to one (add the
handler). (It also requires adding the handler's source file to
wiretap/CMakeLists.txt, but that's required in both cases.)
A few remain because the WTAP_FILE_TYPE_SUBTYPE_ #define is used
elsewhere; that needs to be fixed.
Fix the wiretap/CMakefile.txt file to scan k12text.l, as that now
contains a registration routine. In the process, avoid scanning files
that don't implement a file type and won't ever have a registration
routine.
Add a Lua routine to fetch the total number of file types; we use that
in some code to construct the wtap_filetypes table, which we need to do
in order to continue to have all the values that used to come from the
WTAP_FILE_TYPE_SUBTYPE_ types.
While we're at it, add modelines to a file that lacked them.
2021-02-14 08:34:10 +00:00
|
|
|
netmon_dump_can_write_encap_1_x, netmon_dump_open_1_x, NULL
|
|
|
|
};
|
|
|
|
|
wiretap: have file handlers advertise blocks and options supported.
Instead of a "supports name resolution" Boolean and bitflags for types of
comments supported, provide a list of block types that the file
type/subtype supports, with each block type having a list of options
supported. Indicate whether "supported" means "one instance" or
"multiple instances".
"Supports" doesn't just mean "can be written", it also means "could be
read".
Rename WTAP_BLOCK_IF_DESCRIPTION to WTAP_BLOCK_IF_ID_AND_INFO, to
indicate that it provides, in addition to information about the
interface, an ID (implicitly, in pcapng files, by its ordinal number)
that is associated with every packet in the file. Emphasize that in
comments - just because your capture file format can list the interfaces
on which a capture was done, that doesn't mean it supports this; it
doesn't do so if the file doesn't indicate, for every packet, on which
of those interfaces it was captured (I'm looking at *you*, Microsoft
Network Monitor...).
Use APIs to query that information to do what the "does this file
type/subtype support name resolution information", "does this file
type/subtype support all of these comment types", and "does this file
type/subtype support - and require - interface IDs" APIs did.
Provide backwards compatibility for Lua.
This allows us to eliminate the WTAP_FILE_TYPE_SUBTYPE_ values for IBM's
iptrace; do so.
2021-02-21 22:18:04 +00:00
|
|
|
static const struct supported_block_type netmon_2_x_blocks_supported[] = {
|
|
|
|
/*
|
|
|
|
* We support packet blocks, with no comments or other options.
|
|
|
|
*/
|
|
|
|
{ WTAP_BLOCK_PACKET, MULTIPLE_BLOCKS_SUPPORTED, NO_OPTIONS_SUPPORTED }
|
|
|
|
};
|
|
|
|
|
wiretap: register most built-in file types from its module.
Remove most of the built-in file types from the table in
wiretap/file_access.c and, instead, have the file types register
themselves, using wtap_register_file_type_subtypes().
This reduces the source code changes needed to add a new file type from
three (add the handler, add the file type to the table in file_access.c,
add a #define for the file type in wiretap/wtap.h) to one (add the
handler). (It also requires adding the handler's source file to
wiretap/CMakeLists.txt, but that's required in both cases.)
A few remain because the WTAP_FILE_TYPE_SUBTYPE_ #define is used
elsewhere; that needs to be fixed.
Fix the wiretap/CMakefile.txt file to scan k12text.l, as that now
contains a registration routine. In the process, avoid scanning files
that don't implement a file type and won't ever have a registration
routine.
Add a Lua routine to fetch the total number of file types; we use that
in some code to construct the wtap_filetypes table, which we need to do
in order to continue to have all the values that used to come from the
WTAP_FILE_TYPE_SUBTYPE_ types.
While we're at it, add modelines to a file that lacked them.
2021-02-14 08:34:10 +00:00
|
|
|
static const struct file_type_subtype_info netmon_2_x_info = {
|
|
|
|
"Microsoft NetMon 2.x", "netmon2", "cap", NULL,
|
wiretap: have file handlers advertise blocks and options supported.
Instead of a "supports name resolution" Boolean and bitflags for types of
comments supported, provide a list of block types that the file
type/subtype supports, with each block type having a list of options
supported. Indicate whether "supported" means "one instance" or
"multiple instances".
"Supports" doesn't just mean "can be written", it also means "could be
read".
Rename WTAP_BLOCK_IF_DESCRIPTION to WTAP_BLOCK_IF_ID_AND_INFO, to
indicate that it provides, in addition to information about the
interface, an ID (implicitly, in pcapng files, by its ordinal number)
that is associated with every packet in the file. Emphasize that in
comments - just because your capture file format can list the interfaces
on which a capture was done, that doesn't mean it supports this; it
doesn't do so if the file doesn't indicate, for every packet, on which
of those interfaces it was captured (I'm looking at *you*, Microsoft
Network Monitor...).
Use APIs to query that information to do what the "does this file
type/subtype support name resolution information", "does this file
type/subtype support all of these comment types", and "does this file
type/subtype support - and require - interface IDs" APIs did.
Provide backwards compatibility for Lua.
This allows us to eliminate the WTAP_FILE_TYPE_SUBTYPE_ values for IBM's
iptrace; do so.
2021-02-21 22:18:04 +00:00
|
|
|
TRUE, BLOCKS_SUPPORTED(netmon_2_x_blocks_supported),
|
wiretap: register most built-in file types from its module.
Remove most of the built-in file types from the table in
wiretap/file_access.c and, instead, have the file types register
themselves, using wtap_register_file_type_subtypes().
This reduces the source code changes needed to add a new file type from
three (add the handler, add the file type to the table in file_access.c,
add a #define for the file type in wiretap/wtap.h) to one (add the
handler). (It also requires adding the handler's source file to
wiretap/CMakeLists.txt, but that's required in both cases.)
A few remain because the WTAP_FILE_TYPE_SUBTYPE_ #define is used
elsewhere; that needs to be fixed.
Fix the wiretap/CMakefile.txt file to scan k12text.l, as that now
contains a registration routine. In the process, avoid scanning files
that don't implement a file type and won't ever have a registration
routine.
Add a Lua routine to fetch the total number of file types; we use that
in some code to construct the wtap_filetypes table, which we need to do
in order to continue to have all the values that used to come from the
WTAP_FILE_TYPE_SUBTYPE_ types.
While we're at it, add modelines to a file that lacked them.
2021-02-14 08:34:10 +00:00
|
|
|
netmon_dump_can_write_encap_2_x, netmon_dump_open_2_x, NULL
|
|
|
|
};
|
|
|
|
|
|
|
|
void register_netmon(void)
|
|
|
|
{
|
2021-02-24 03:10:35 +00:00
|
|
|
netmon_1_x_file_type_subtype = wtap_register_file_type_subtype(&netmon_1_x_info);
|
|
|
|
netmon_2_x_file_type_subtype = wtap_register_file_type_subtype(&netmon_2_x_info);
|
wiretap: more work on file type/subtypes.
Provide a wiretap routine to get an array of all savable file
type/subtypes, sorted with pcap and pcapng at the top, followed by the
other types, sorted either by the name or the description.
Use that routine to list options for the -F flag for various commands
Rename wtap_get_savable_file_types_subtypes() to
wtap_get_savable_file_types_subtypes_for_file(), to indicate that it
provides an array of all file type/subtypes in which a given file can be
saved. Have it sort all types, other than the default type/subtype and,
if there is one, the "other" type (both of which are put at the top), by
the name or the description.
Don't allow wtap_register_file_type_subtypes() to override any existing
registrations; have them always register a new type. In that routine,
if there are any emply slots in the table, due to an entry being
unregistered, use it rather than allocating a new slot.
Don't allow unregistration of built-in types.
Rename the "dump open table" to the "file type/subtype table", as it has
entries for all types/subtypes, even if we can't write them.
Initialize that table in a routine that pre-allocates the GArray before
filling it with built-in types/subtypes, so it doesn't keep getting
reallocated.
Get rid of wtap_num_file_types_subtypes - it's just a copy of the size
of the GArray.
Don't have wtap_file_type_subtype_description() crash if handed an
file type/subtype that isn't a valid array index - just return NULL, as
we do with wtap_file_type_subtype_name().
In wtap_name_to_file_type_subtype(), don't use WTAP_FILE_TYPE_SUBTYPE_
names for the backwards-compatibility names - map those names to the
current names, and then look them up. This reduces the number of
uses of hardwired WTAP_FILE_TYPE_SUBTYPE_ values.
Clean up the type of wtap_module_count - it has no need to be a gulong.
Have built-in wiretap file handlers register names to be used for their
file type/subtypes, rather than building the table in init.lua.
Add a new Lua C function get_wtap_filetypes() to construct the
wtap_filetypes table, based on the registered names, and use it in
init.lua.
Add a #define WSLUA_INTERNAL_FUNCTION to register functions intended
only for internal use in init.lua, so they can be made available from
Lua without being documented.
Get rid of WTAP_NUM_FILE_TYPES_SUBTYPES - most code has no need to use
it, as it can just request arrays of types, and the space of
type/subtype codes can be sparse due to registration in any case, so
code has to be careful using it.
wtap_get_num_file_types_subtypes() is no longer used, so remove it. It
returns the number of elements in the file type/subtype array, which is
not necessarily the name of known file type/subtypes, as there may have
been some deregistered types, and those types do *not* get removed from
the array, they just get cleared so that they're available for future
allocation (we don't want the indices of any registered types to changes
if another type is deregistered, as those indicates are the type/subtype
values, so we can't shrink the array).
Clean up white space and remove some comments that shouldn't have been
added.
2021-02-17 06:24:47 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Register names for backwards compatibility with the
|
|
|
|
* wtap_filetypes table in Lua.
|
|
|
|
*/
|
|
|
|
wtap_register_backwards_compatibility_lua_name("NETMON_1_x",
|
|
|
|
netmon_1_x_file_type_subtype);
|
|
|
|
wtap_register_backwards_compatibility_lua_name("NETMON_2_x",
|
|
|
|
netmon_2_x_file_type_subtype);
|
wiretap: register most built-in file types from its module.
Remove most of the built-in file types from the table in
wiretap/file_access.c and, instead, have the file types register
themselves, using wtap_register_file_type_subtypes().
This reduces the source code changes needed to add a new file type from
three (add the handler, add the file type to the table in file_access.c,
add a #define for the file type in wiretap/wtap.h) to one (add the
handler). (It also requires adding the handler's source file to
wiretap/CMakeLists.txt, but that's required in both cases.)
A few remain because the WTAP_FILE_TYPE_SUBTYPE_ #define is used
elsewhere; that needs to be fixed.
Fix the wiretap/CMakefile.txt file to scan k12text.l, as that now
contains a registration routine. In the process, avoid scanning files
that don't implement a file type and won't ever have a registration
routine.
Add a Lua routine to fetch the total number of file types; we use that
in some code to construct the wtap_filetypes table, which we need to do
in order to continue to have all the values that used to come from the
WTAP_FILE_TYPE_SUBTYPE_ types.
While we're at it, add modelines to a file that lacked them.
2021-02-14 08:34:10 +00:00
|
|
|
}
|
|
|
|
|
2015-01-02 00:45:22 +00:00
|
|
|
/*
|
2019-07-26 18:43:17 +00:00
|
|
|
* Editor modelines - https://www.wireshark.org/tools/modelines.html
|
2015-01-02 00:45:22 +00:00
|
|
|
*
|
|
|
|
* Local variables:
|
|
|
|
* c-basic-offset: 8
|
|
|
|
* tab-width: 8
|
|
|
|
* indent-tabs-mode: t
|
|
|
|
* End:
|
|
|
|
*
|
|
|
|
* vi: set shiftwidth=8 tabstop=8 noexpandtab:
|
|
|
|
* :indentSize=8:tabSize=8:noTabs=false:
|
|
|
|
*/
|