From 3688d96c459a5847a49d14264c0398600379f8b9 Mon Sep 17 00:00:00 2001 From: Gilbert Ramirez Date: Sat, 2 Jan 1999 06:10:55 +0000 Subject: [PATCH] Added the iptrace (AIX's packet-capture tool) file format to wiretap. This necessitated a change in ethereal because iptrace supports multi-NIC packet capturing, including multi-datalink-type capturing. svn path=/trunk/; revision=145 --- file.c | 3 ++- file.h | 4 +++- packet.c | 14 ++++++++++++-- packet.h | 5 ++++- wiretap/ChangeLog | 2 ++ wiretap/Makefile.am | 1 + wiretap/Makefile.in | 8 +++++--- wiretap/README | 32 +++++++++++++++++++++++--------- wiretap/file.c | 12 +++++++++++- wiretap/wtap.h | 4 +++- 10 files changed, 66 insertions(+), 19 deletions(-) diff --git a/file.c b/file.c index f7d55c5070..8adee33cc1 100644 --- a/file.c +++ b/file.c @@ -1,7 +1,7 @@ /* file.c * File I/O routines * - * $Id: file.c,v 1.15 1998/12/29 04:05:35 gerald Exp $ + * $Id: file.c,v 1.16 1999/01/02 06:10:52 gram Exp $ * * Ethereal - Network traffic analyzer * By Gerald Combs @@ -330,6 +330,7 @@ pcap_dispatch_cb(u_char *user, const struct pcap_pkthdr *phdr, #endif fdata->abs_secs = phdr->ts.tv_sec; fdata->abs_usecs = phdr->ts.tv_usec; + fdata->lnk_t = phdr->pkt_encap; /* If we don't have the time stamp of the first packet, it's because this is the first packet. Save the time stamp of this packet as the time diff --git a/file.h b/file.h index dfd4db5e67..d0d613eae9 100644 --- a/file.h +++ b/file.h @@ -1,7 +1,7 @@ /* file.h * Definitions for file structures and routines * - * $Id: file.h,v 1.7 1998/11/17 04:28:47 gerald Exp $ + * $Id: file.h,v 1.8 1999/01/02 06:10:53 gram Exp $ * * Ethereal - Network traffic analyzer * By Gerald Combs @@ -88,6 +88,7 @@ typedef struct _capture_file { /* Taken from RFC 1761 */ +#ifndef WITH_WIRETAP typedef struct _snoop_file_hdr { guint32 magic1; guint32 magic2; 
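Review bot: The new `fdata->lnk_t = phdr->pkt_encap;` in pcap_dispatch_cb is unguarded, while `frame_data.lnk_t` is declared only under `#ifdef WITH_WIRETAP` (packet.h, this commit) and `pkt_encap` exists only in `struct wtap_pkthdr` (wtap.h), so unless the whole function already sits inside a WITH_WIRETAP region that this hunk does not show (the `#endif` just above suggests a conditional section has just ended), a libpcap-only build will fail on this line. Wrapping it as `#ifdef WITH_WIRETAP` / `fdata->lnk_t = phdr->pkt_encap;` / `#endif` keeps the two sides in step. Note also that this copies `pkt_encap` for every packet regardless of file type, so every wiretap reader, not only iptrace, has to assign that field for each packet or the copy is of an indeterminate value. pcap_dispatch_cb starts and ends outside the hunk.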
@@ -103,6 +104,7 @@ typedef struct _snoop_frame_hdr {
 guint32 secs;
 guint32 usecs;
 } snoop_frame_hdr;
+#endif
 int open_cap_file(char *, capture_file *);
 void close_cap_file(capture_file *, GtkWidget *, guint);
diff --git a/packet.c b/packet.c
index b368e134e1..3ddcfaee68 100644
--- a/packet.c
+++ b/packet.c
@@ -1,7 +1,7 @@
 /* packet.c
 * Routines for packet disassembly
 *
- * $Id: packet.c,v 1.15 1998/12/29 04:05:36 gerald Exp $
+ * $Id: packet.c,v 1.16 1999/01/02 06:10:53 gram Exp $
 *
 * Ethereal - Network traffic analyzer
 * By Gerald Combs
@@ -310,6 +310,9 @@ dissect_packet(const u_char *pd, frame_data *fd, GtkTree *tree)
 GtkWidget *fh_tree, *ti;
 struct tm *tmp;
 time_t then;
+#ifdef WITH_WIRETAP
+ guint32 lnk_t;
+#endif
 /* Put in frame header information. */
 if (check_col(fd, COL_ABS_TIME)) {
@@ -354,7 +357,14 @@ dissect_packet(const u_char *pd, frame_data *fd, GtkTree *tree)
 }
 #ifdef WITH_WIRETAP
- switch (cf.lnk_t) {
+ if (cf.lnk_t == WTAP_ENCAP_PER_PACKET) {
+ lnk_t = fd->lnk_t;
+ }
+ else {
+ lnk_t = cf.lnk_t;
+ }
+
+ switch (lnk_t) {
 case WTAP_ENCAP_ETHERNET :
 dissect_eth(pd, fd, tree);
 break;
diff --git a/packet.h b/packet.h
index 2982fd75fa..90193e05dc 100644
--- a/packet.h
+++ b/packet.h
@@ -1,7 +1,7 @@
 /* packet.h
 * Definitions for packet disassembly structures and routines
 *
- * $Id: packet.h,v 1.29 1998/12/29 04:05:36 gerald Exp $
+ * $Id: packet.h,v 1.30 1999/01/02 06:10:54 gram Exp $
 *
 * Ethereal - Network traffic analyzer
 * By Gerald Combs
@@ -79,6 +79,9 @@ typedef struct _frame_data {
 guint32 del_usecs; /* Delta microseconds */
 long file_off; /* File offset */
 column_info *cinfo; /* Column formatting information */
+#ifdef WITH_WIRETAP
+ int lnk_t; /* Per-packet encapsulation/data-link type */
+#endif
 } frame_data;
 typedef struct _packet_info {
diff --git a/wiretap/ChangeLog b/wiretap/ChangeLog
index 12ac9307c6..22b31183a9 100644
--- a/wiretap/ChangeLog
+++ b/wiretap/ChangeLog
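Review bot: The `+#endif` added after `snoop_frame_hdr` in file.h closes a `#ifndef WITH_WIRETAP` that begins some fifteen lines earlier in the previous hunk, with two struct definitions in between. Labelling it `#endif /* !WITH_WIRETAP */` lets a reader see which conditional ends here without scrolling back.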
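Review bot: `lnk_t` is declared `guint32` in dissect_packet, but the values assigned to it are `int`: `fd->lnk_t` (packet.h, this commit) and, upstream of that, `wtap_pkthdr.pkt_encap` (wtap.h), so a negative or otherwise unexpected encapsulation read out of a capture file is converted to a large unsigned value before the `switch`. Declaring it `int lnk_t;` to match the field types keeps the comparison exact. Since the per-packet value now comes straight from the file contents rather than from a file-type constant, the `switch (lnk_t)` needs a `default:` that skips dissection instead of treating the bytes as a known link type; the end of the switch is outside the hunk, so I cannot see whether one exists. dissect_packet continues outside the hunk.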
@@ -1,3 +1,5 @@ +January 1, 1999 + Added iptrace file format. December 10, 1998 Proper timestamp calculations added to ngsniffer.c and lanalyzer.c diff --git a/wiretap/Makefile.am b/wiretap/Makefile.am index 576380a4b5..5a86399b8f 100644 --- a/wiretap/Makefile.am +++ b/wiretap/Makefile.am @@ -6,6 +6,7 @@ libwiretap_a_SOURCES = \ config.h \ debug.h \ file.c \ + iptrace.c \ lanalyzer.c \ lanalyzer.h \ libpcap.c \ diff --git a/wiretap/Makefile.in b/wiretap/Makefile.in index b747a3e77f..548e49f00f 100644 --- a/wiretap/Makefile.in +++ b/wiretap/Makefile.in @@ -74,6 +74,7 @@ libwiretap_a_SOURCES = \ config.h \ debug.h \ file.c \ + iptrace.c \ lanalyzer.c \ lanalyzer.h \ libpcap.c \ @@ -96,7 +97,7 @@ CPPFLAGS = @CPPFLAGS@ LDFLAGS = @LDFLAGS@ LIBS = @LIBS@ libwiretap_a_LIBADD = -libwiretap_a_OBJECTS = buffer.o file.o lanalyzer.o libpcap.o \ +libwiretap_a_OBJECTS = buffer.o file.o iptrace.o lanalyzer.o libpcap.o \ ngsniffer.o snoop.o wtap.o AR = ar CFLAGS = @CFLAGS@ @@ -111,8 +112,9 @@ DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST) TAR = tar GZIP = --best -DEP_FILES = .deps/buffer.P .deps/file.P .deps/lanalyzer.P \ -.deps/libpcap.P .deps/ngsniffer.P .deps/snoop.P .deps/wtap.P +DEP_FILES = .deps/buffer.P .deps/file.P .deps/iptrace.P \ +.deps/lanalyzer.P .deps/libpcap.P .deps/ngsniffer.P .deps/snoop.P \ +.deps/wtap.P SOURCES = $(libwiretap_a_SOURCES) OBJECTS = $(libwiretap_a_OBJECTS) diff --git a/wiretap/README b/wiretap/README index cfe0168720..f9071b0d4e 100644 --- a/wiretap/README +++ b/wiretap/README @@ -1,4 +1,4 @@ -$Id: README,v 1.4 1998/11/21 05:08:39 gram Exp $ +$Id: README,v 1.5 1999/01/02 06:10:55 gram Exp $ Wiretap is a library that is being developed as a future replacement for libpcap, the current standard Unix library for packet capturing. Libpcap is 
@@ -27,6 +27,10 @@ LAN's firewall. 5. I want to look into the possibility of compressing packet data when saved to a file, like Sniffer. +6. The packet-filter can be optimized for the host OS. Not all OSes have BPF; +SunOS has NIT and Solaris has DLPI, which both use the CMU/Stanford +packet-filter psuedomachine. RMON has another type of packet-filter syntax +which we could support. Currently, only #2 is available. Wiretap doesn't even do any filtering yet. It can only be used to read packet capture files. 
@@ -42,23 +46,33 @@ using the "libpcap" library's code to read it. Sniffer (uncompressed) ------- -The Sniffer format, at least for Token-Ring, is documented in the -Sniffer manual. Unfortunately, Sniffer manuals tend to document only -the format for the Sniffer model they document. Ethernet seems to work well, -though. If you have an ATM Sniffer file, both Guy and I would be *very* +The Sniffer format is documented in the Sniffer manual. Unfortunately, +Sniffer manuals tend to document only the format for the Sniffer model +they document. Token-Ring and ethernet seems to work well, though. +If you have an ATM Sniffer file, both Guy and I would be *very* interested in receiving a sample. (see 'AUTHORS' file for our e-mail -addresses) +addresses). When using LANE, the ATM Sniffer appears to record the emulated +LAN information; that is, only the ethernet or token-ring information is +stored in the trace file, not any information about ATM cells. LANalyzer --------- The LANalyzer format is available from http://www.novell.com. Search their -knowledge base for "Trace File Format". The code in wiretap so far only dumps -the packet data; I have yet to decode the timestamp for each packet. At least -I have the format for this, so it will be supported soon. +knowledge base for "Trace File Format". "snoop" ------- The Solaris 2.x "snoop" program's format is documented in RFC 1761. +"iptrace" +--------- +This is the capture program that comes with AIX 3.x and 4.x. It has an +undocumented, yet very simple, file format. The interesting thing about +iptrace is that it will record packets coming in from all network interfaces; +a single iptrace file can contain multiple datalink types. I have tested +iptrace on ethernet and token-ring; if you can provide an iptrace file with +any other datalink type, I would appreciate a copy. (with the output from +'ipreport' too, if possible). + Gilbert Ramirez diff --git a/wiretap/file.c b/wiretap/file.c index 5aee94034f..9ff7538b24 100644 
--- a/wiretap/file.c +++ b/wiretap/file.c @@ -1,6 +1,6 @@ /* file.c * - * $Id: file.c,v 1.4 1998/11/15 05:29:09 guy Exp $ + * $Id: file.c,v 1.5 1999/01/02 06:10:55 gram Exp $ * * Wiretap Library * Copyright (c) 1998 by Gilbert Ramirez @@ -29,6 +29,7 @@ #include "ngsniffer.h" #include "libpcap.h" #include "snoop.h" +#include "iptrace.h" /* The open_file_* routines should return the WTAP_FILE_* type * that they are checking for if the file is successfully recognized @@ -65,6 +66,10 @@ wtap* wtap_open_offline(char *filename, int filetype) if ((wth->file_type = snoop_open(wth)) != WTAP_FILE_UNKNOWN) { goto success; } + /* WTAP_FILE_IPTRACE */ + if ((wth->file_type = iptrace_open(wth)) != WTAP_FILE_UNKNOWN) { + goto success; + } printf("failed\n"); /* WTAP_FILE_UNKNOWN */ @@ -93,6 +98,11 @@ wtap* wtap_open_offline(char *filename, int filetype) goto success; } break; + case WTAP_FILE_IPTRACE: + if ((wth->file_type = iptrace_open(wth)) != WTAP_FILE_UNKNOWN) { + goto success; + } + break; default: goto failure; } diff --git a/wiretap/wtap.h b/wiretap/wtap.h index eab1568d99..18c701bab0 100644 --- a/wiretap/wtap.h +++ b/wiretap/wtap.h @@ -1,6 +1,6 @@ /* wtap.h * - * $Id: wtap.h,v 1.8 1998/12/17 06:39:13 gram Exp $ + * $Id: wtap.h,v 1.9 1999/01/02 06:10:55 gram Exp $ * * Wiretap Library * Copyright (c) 1998 by Gilbert Ramirez @@ -32,6 +32,7 @@ #define WTAP_ENCAP_RAW_IP 6 #define WTAP_ENCAP_ARCNET 7 #define WTAP_ENCAP_ATM_RFC1483 8 +#define WTAP_ENCAP_PER_PACKET 9 /* File types that can be read by wiretap */ #define WTAP_FILE_UNKNOWN 0 @@ -74,6 +75,7 @@ struct wtap_pkthdr { struct timeval ts; guint32 caplen; guint32 len; + int pkt_encap; }; typedef void (*wtap_handler)(u_char*, const struct wtap_pkthdr*,
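Review bot: `iptrace_open` is appended as the last probe in the unrecognized-file path of wtap_open_offline with only `/* WTAP_FILE_IPTRACE */` as explanation. The README in this commit describes the iptrace format as undocumented and very simple, which suggests its header carries little or no magic; if so, the probe order is significant, and a comment such as `/* WTAP_FILE_IPTRACE: weak header check, keep this probe last */` (worded to match what iptrace_open actually tests) would keep a later reorder from misclassifying files with a stronger magic. Each failed probe is also expected to leave `wth->fh` positioned for the next one; whether iptrace_open rewinds on failure is not visible here. wtap_open_offline continues outside the hunk.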
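Review bot: `int pkt_encap;` is added to `struct wtap_pkthdr` without a comment, and nothing states which readers must fill it in; file.c in this commit appears to copy it into `frame_data` for every packet regardless of file type, so a reader that never assigns it hands an indeterminate value up to the caller. A comment along the lines of `int pkt_encap; /* WTAP_ENCAP_* of this packet; every reader sets it, consulted when the file's encap is WTAP_ENCAP_PER_PACKET */` documents the contract. `#define WTAP_ENCAP_PER_PACKET 9` sits among the real link-type values and would also benefit from a one-line comment saying it is a file-level marker meaning "look at pkt_encap" rather than a link type of its own.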