Added the iptrace (AIX's packet-capture tool) file format to wiretap.
This necessitated a change in ethereal because iptrace supports multi-NIC packet capturing, including multi-datalink-type capturing. svn path=/trunk/; revision=145
This commit is contained in:
parent
d1a7effcf9
commit
3688d96c45
3
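--- a/file.c
+++ b/file.c
@@ -1,7 +1,7 @@
 /* file.c
 * File I/O routines
 *
-* $Id: file.c,v 1.15 1998/12/29 04:05:35 gerald Exp $
+* $Id: file.c,v 1.16 1999/01/02 06:10:52 gram Exp $
 *
 * Ethereal - Network traffic analyzer
 * By Gerald Combs <gerald@zing.org>
@@ -330,6 +330,7 @@ pcap_dispatch_cb(u_char *user, const struct pcap_pkthdr *phdr,
 #endif
 fdata->abs_secs = phdr->ts.tv_sec;
 fdata->abs_usecs = phdr->ts.tv_usec;
+fdata->lnk_t = phdr->pkt_encap;
 
 /* If we don't have the time stamp of the first packet, it's because this
 is the first packet. Save the time stamp of this packet as the time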
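Review bot: The new `fdata->lnk_t = phdr->pkt_encap;` is not guarded by `#ifdef WITH_WIRETAP`, while the `lnk_t` member of frame_data (packet.h in this commit) and the `pkt_encap` member of wtap_pkthdr (wtap.h in this commit) exist only in the wiretap build; unless the `#endif` three lines earlier closes a guard that makes pcap_pkthdr the wiretap header in that build, a non-wiretap build fails to compile at this line. Wrap it the same way packet.c does: `#ifdef WITH_WIRETAP` / `fdata->lnk_t = phdr->pkt_encap;` / `#endif`. pcap_dispatch_cb starts and ends outside the hunk.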
4
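--- a/file.h
+++ b/file.h
@@ -1,7 +1,7 @@
 /* file.h
 * Definitions for file structures and routines
 *
-* $Id: file.h,v 1.7 1998/11/17 04:28:47 gerald Exp $
+* $Id: file.h,v 1.8 1999/01/02 06:10:53 gram Exp $
 *
 * Ethereal - Network traffic analyzer
 * By Gerald Combs <gerald@zing.org>
@@ -88,6 +88,7 @@ typedef struct _capture_file {
 
 /* Taken from RFC 1761 */
 
+#ifndef WITH_WIRETAP
 typedef struct _snoop_file_hdr {
 guint32 magic1;
 guint32 magic2;
@@ -103,6 +104,7 @@ typedef struct _snoop_frame_hdr {
 guint32 secs;
 guint32 usecs;
 } snoop_frame_hdr;
+#endif
 
 int open_cap_file(char *, capture_file *);
 void close_cap_file(capture_file *, GtkWidget *, guint);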
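Review bot: The `#endif` added in the third hunk closes the `#ifndef WITH_WIRETAP` opened in the second hunk, with both snoop typedefs and a hunk boundary in between, so the reader never sees the pair together; label the close, `#endif /* !WITH_WIRETAP */`. The guard also means snoop_file_hdr and snoop_frame_hdr no longer exist in a wiretap build, so any remaining reference to them in the ethereal file.c would need the same guard; whether such references remain cannot be confirmed from this page.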
14
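--- a/packet.c
+++ b/packet.c
@@ -1,7 +1,7 @@
 /* packet.c
 * Routines for packet disassembly
 *
-* $Id: packet.c,v 1.15 1998/12/29 04:05:36 gerald Exp $
+* $Id: packet.c,v 1.16 1999/01/02 06:10:53 gram Exp $
 *
 * Ethereal - Network traffic analyzer
 * By Gerald Combs <gerald@zing.org>
@@ -310,6 +310,9 @@ dissect_packet(const u_char *pd, frame_data *fd, GtkTree *tree)
 GtkWidget *fh_tree, *ti;
 struct tm *tmp;
 time_t then;
+#ifdef WITH_WIRETAP
+guint32 lnk_t;
+#endif
 
 /* Put in frame header information. */
 if (check_col(fd, COL_ABS_TIME)) {
@@ -354,7 +357,14 @@ dissect_packet(const u_char *pd, frame_data *fd, GtkTree *tree)
 }
 
 #ifdef WITH_WIRETAP
-switch (cf.lnk_t) {
+if (cf.lnk_t == WTAP_ENCAP_PER_PACKET) {
+lnk_t = fd->lnk_t;
+}
+else {
+lnk_t = cf.lnk_t;
+}
+
+switch (lnk_t) {
 case WTAP_ENCAP_ETHERNET :
 dissect_eth(pd, fd, tree);
 break;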
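Review bot: `guint32 lnk_t;` in the second hunk is unsigned, but both values copied into it in the third hunk are signed — `fd->lnk_t` is declared `int` in packet.h in this commit, and `cf.lnk_t` is compared against plain integer `WTAP_ENCAP_*` macros — so the local should be `int lnk_t;` to match the fields it mirrors and keep the switch free of signed/unsigned mixing. The third hunk also takes `fd->lnk_t` on trust when the file type is `WTAP_ENCAP_PER_PACKET`; if any wiretap reader does not fill `pkt_encap` for a packet, the value that reaches `switch (lnk_t)` is whatever was in the frame_data, and only the switch's `default:` case, which lies outside the hunk, decides what happens then. The rest of dissect_packet is also outside the hunk.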
5
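--- a/packet.h
+++ b/packet.h
@@ -1,7 +1,7 @@
 /* packet.h
 * Definitions for packet disassembly structures and routines
 *
-* $Id: packet.h,v 1.29 1998/12/29 04:05:36 gerald Exp $
+* $Id: packet.h,v 1.30 1999/01/02 06:10:54 gram Exp $
 *
 * Ethereal - Network traffic analyzer
 * By Gerald Combs <gerald@zing.org>
@@ -79,6 +79,9 @@ typedef struct _frame_data {
 guint32 del_usecs; /* Delta microseconds */
 long file_off; /* File offset */
 column_info *cinfo; /* Column formatting information */
+#ifdef WITH_WIRETAP
+int lnk_t; /* Per-packet encapsulation/data-link type */
+#endif
 } frame_data;
 
 typedef struct _packet_info {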
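Review bot: The comment on the new `int lnk_t;` member should say when it is consulted: packet.c in this commit reads it only when the capture file's own type is `WTAP_ENCAP_PER_PACKET` and uses `cf.lnk_t` otherwise, so a reader of the header cannot tell from the current wording that the field is ignored for single-encapsulation files. Suggested: `int lnk_t; /* Per-packet encapsulation/data-link type; used only when cf.lnk_t == WTAP_ENCAP_PER_PACKET */`. The struct _frame_data begins before the hunk.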
@ -1,3 +1,5 @@
|
||||||
|
January 1, 1999
|
||||||
|
Added iptrace file format.
|
||||||
|
|
||||||
December 10, 1998
|
December 10, 1998
|
||||||
Proper timestamp calculations added to ngsniffer.c and lanalyzer.c
|
Proper timestamp calculations added to ngsniffer.c and lanalyzer.c
|
||||||
|
|
|
@ -6,6 +6,7 @@ libwiretap_a_SOURCES = \
|
||||||
config.h \
|
config.h \
|
||||||
debug.h \
|
debug.h \
|
||||||
file.c \
|
file.c \
|
||||||
|
iptrace.c \
|
||||||
lanalyzer.c \
|
lanalyzer.c \
|
||||||
lanalyzer.h \
|
lanalyzer.h \
|
||||||
libpcap.c \
|
libpcap.c \
|
||||||
|
|
|
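Review bot: The `libwiretap_a_SOURCES` list gains `iptrace.c` but not `iptrace.h`, although the same list pairs `lanalyzer.c` with `lanalyzer.h` and the wiretap file.c hunk in this commit adds `#include "iptrace.h"`; a header that appears in no SOURCES or EXTRA_DIST list is not picked up by automake for the distribution, so add `iptrace.h \` directly after `iptrace.c \`. The `libwiretap_a_SOURCES` list in the following section (`@ -74,6 +74,7 @@`) has the same omission; its `libwiretap_a_OBJECTS` and `DEP_FILES` edits otherwise look complete.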
@ -74,6 +74,7 @@ libwiretap_a_SOURCES = \
|
||||||
config.h \
|
config.h \
|
||||||
debug.h \
|
debug.h \
|
||||||
file.c \
|
file.c \
|
||||||
|
iptrace.c \
|
||||||
lanalyzer.c \
|
lanalyzer.c \
|
||||||
lanalyzer.h \
|
lanalyzer.h \
|
||||||
libpcap.c \
|
libpcap.c \
|
||||||
|
@ -96,7 +97,7 @@ CPPFLAGS = @CPPFLAGS@
|
||||||
LDFLAGS = @LDFLAGS@
|
LDFLAGS = @LDFLAGS@
|
||||||
LIBS = @LIBS@
|
LIBS = @LIBS@
|
||||||
libwiretap_a_LIBADD =
|
libwiretap_a_LIBADD =
|
||||||
libwiretap_a_OBJECTS = buffer.o file.o lanalyzer.o libpcap.o \
|
libwiretap_a_OBJECTS = buffer.o file.o iptrace.o lanalyzer.o libpcap.o \
|
||||||
ngsniffer.o snoop.o wtap.o
|
ngsniffer.o snoop.o wtap.o
|
||||||
AR = ar
|
AR = ar
|
||||||
CFLAGS = @CFLAGS@
|
CFLAGS = @CFLAGS@
|
||||||
|
@ -111,8 +112,9 @@ DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
|
||||||
|
|
||||||
TAR = tar
|
TAR = tar
|
||||||
GZIP = --best
|
GZIP = --best
|
||||||
DEP_FILES = .deps/buffer.P .deps/file.P .deps/lanalyzer.P \
|
DEP_FILES = .deps/buffer.P .deps/file.P .deps/iptrace.P \
|
||||||
.deps/libpcap.P .deps/ngsniffer.P .deps/snoop.P .deps/wtap.P
|
.deps/lanalyzer.P .deps/libpcap.P .deps/ngsniffer.P .deps/snoop.P \
|
||||||
|
.deps/wtap.P
|
||||||
SOURCES = $(libwiretap_a_SOURCES)
|
SOURCES = $(libwiretap_a_SOURCES)
|
||||||
OBJECTS = $(libwiretap_a_OBJECTS)
|
OBJECTS = $(libwiretap_a_OBJECTS)
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
$Id: README,v 1.4 1998/11/21 05:08:39 gram Exp $
|
$Id: README,v 1.5 1999/01/02 06:10:55 gram Exp $
|
||||||
|
|
||||||
Wiretap is a library that is being developed as a future replacement for
|
Wiretap is a library that is being developed as a future replacement for
|
||||||
libpcap, the current standard Unix library for packet capturing. Libpcap is
|
libpcap, the current standard Unix library for packet capturing. Libpcap is
|
||||||
|
@ -27,6 +27,10 @@ LAN's firewall.
|
||||||
5. I want to look into the possibility of compressing packet data when saved
|
5. I want to look into the possibility of compressing packet data when saved
|
||||||
to a file, like Sniffer.
|
to a file, like Sniffer.
|
||||||
|
|
||||||
|
6. The packet-filter can be optimized for the host OS. Not all OSes have BPF;
|
||||||
|
SunOS has NIT and Solaris has DLPI, which both use the CMU/Stanford
|
||||||
|
packet-filter psuedomachine. RMON has another type of packet-filter syntax
|
||||||
|
which we could support.
|
||||||
|
|
||||||
Currently, only #2 is available. Wiretap doesn't even do any filtering yet. It
|
Currently, only #2 is available. Wiretap doesn't even do any filtering yet. It
|
||||||
can only be used to read packet capture files.
|
can only be used to read packet capture files.
|
||||||
|
@ -42,23 +46,33 @@ using the "libpcap" library's code to read it.
|
||||||
|
|
||||||
Sniffer (uncompressed)
|
Sniffer (uncompressed)
|
||||||
-------
|
-------
|
||||||
The Sniffer format, at least for Token-Ring, is documented in the
|
The Sniffer format is documented in the Sniffer manual. Unfortunately,
|
||||||
Sniffer manual. Unfortunately, Sniffer manuals tend to document only
|
Sniffer manuals tend to document only the format for the Sniffer model
|
||||||
the format for the Sniffer model they document. Ethernet seems to work well,
|
they document. Token-Ring and ethernet seems to work well, though.
|
||||||
though. If you have an ATM Sniffer file, both Guy and I would be *very*
|
If you have an ATM Sniffer file, both Guy and I would be *very*
|
||||||
interested in receiving a sample. (see 'AUTHORS' file for our e-mail
|
interested in receiving a sample. (see 'AUTHORS' file for our e-mail
|
||||||
addresses)
|
addresses). When using LANE, the ATM Sniffer appears to record the emulated
|
||||||
|
LAN information; that is, only the ethernet or token-ring information is
|
||||||
|
stored in the trace file, not any information about ATM cells.
|
||||||
|
|
||||||
LANalyzer
|
LANalyzer
|
||||||
---------
|
---------
|
||||||
The LANalyzer format is available from http://www.novell.com. Search their
|
The LANalyzer format is available from http://www.novell.com. Search their
|
||||||
knowledge base for "Trace File Format". The code in wiretap so far only dumps
|
knowledge base for "Trace File Format".
|
||||||
the packet data; I have yet to decode the timestamp for each packet. At least
|
|
||||||
I have the format for this, so it will be supported soon.
|
|
||||||
|
|
||||||
"snoop"
|
"snoop"
|
||||||
-------
|
-------
|
||||||
The Solaris 2.x "snoop" program's format is documented in RFC 1761.
|
The Solaris 2.x "snoop" program's format is documented in RFC 1761.
|
||||||
|
|
||||||
|
"iptrace"
|
||||||
|
---------
|
||||||
|
This is the capture program that comes with AIX 3.x and 4.x. It has an
|
||||||
|
undocumented, yet very simple, file format. The interesting thing about
|
||||||
|
iptrace is that it will record packets coming in from all network interfaces;
|
||||||
|
a single iptrace file can contain multiple datalink types. I have tested
|
||||||
|
iptrace on ethernet and token-ring; if you can provide an iptrace file with
|
||||||
|
any other datalink type, I would appreciate a copy. (with the output from
|
||||||
|
'ipreport' too, if possible).
|
||||||
|
|
||||||
Gilbert Ramirez
|
Gilbert Ramirez
|
||||||
<gram@verdict.uthscsa.edu>
|
<gram@verdict.uthscsa.edu>
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
/* file.c
|
/* file.c
|
||||||
*
|
*
|
||||||
* $Id: file.c,v 1.4 1998/11/15 05:29:09 guy Exp $
|
* $Id: file.c,v 1.5 1999/01/02 06:10:55 gram Exp $
|
||||||
*
|
*
|
||||||
* Wiretap Library
|
* Wiretap Library
|
||||||
* Copyright (c) 1998 by Gilbert Ramirez <gram@verdict.uthscsa.edu>
|
* Copyright (c) 1998 by Gilbert Ramirez <gram@verdict.uthscsa.edu>
|
||||||
|
@ -29,6 +29,7 @@
|
||||||
#include "ngsniffer.h"
|
#include "ngsniffer.h"
|
||||||
#include "libpcap.h"
|
#include "libpcap.h"
|
||||||
#include "snoop.h"
|
#include "snoop.h"
|
||||||
|
#include "iptrace.h"
|
||||||
|
|
||||||
/* The open_file_* routines should return the WTAP_FILE_* type
|
/* The open_file_* routines should return the WTAP_FILE_* type
|
||||||
* that they are checking for if the file is successfully recognized
|
* that they are checking for if the file is successfully recognized
|
||||||
|
@ -65,6 +66,10 @@ wtap* wtap_open_offline(char *filename, int filetype)
|
||||||
if ((wth->file_type = snoop_open(wth)) != WTAP_FILE_UNKNOWN) {
|
if ((wth->file_type = snoop_open(wth)) != WTAP_FILE_UNKNOWN) {
|
||||||
goto success;
|
goto success;
|
||||||
}
|
}
|
||||||
|
/* WTAP_FILE_IPTRACE */
|
||||||
|
if ((wth->file_type = iptrace_open(wth)) != WTAP_FILE_UNKNOWN) {
|
||||||
|
goto success;
|
||||||
|
}
|
||||||
|
|
||||||
printf("failed\n");
|
printf("failed\n");
|
||||||
/* WTAP_FILE_UNKNOWN */
|
/* WTAP_FILE_UNKNOWN */
|
||||||
|
@ -93,6 +98,11 @@ wtap* wtap_open_offline(char *filename, int filetype)
|
||||||
goto success;
|
goto success;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
case WTAP_FILE_IPTRACE:
|
||||||
|
if ((wth->file_type = iptrace_open(wth)) != WTAP_FILE_UNKNOWN) {
|
||||||
|
goto success;
|
||||||
|
}
|
||||||
|
break;
|
||||||
default:
|
default:
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
|
|
|
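Review bot: `iptrace_open` is now the fourth probe run on the same `wth` in the auto-detect path, so its header read starts wherever `snoop_open` left the file position on failure; nothing on this page shows whether each probe rewinds before returning `WTAP_FILE_UNKNOWN`. The comment block above the probes (`The open_file_* routines should return the WTAP_FILE_* type ...`) should state that contract, e.g. append ` * and must leave the file positioned at its start when they return WTAP_FILE_UNKNOWN, since the next probe reads the header from the current offset.`; if the intent is instead for wtap_open_offline to rewind between probes, that belongs in the same comment. wtap_open_offline continues outside both hunks.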
@ -1,6 +1,6 @@
|
||||||
/* wtap.h
|
/* wtap.h
|
||||||
*
|
*
|
||||||
* $Id: wtap.h,v 1.8 1998/12/17 06:39:13 gram Exp $
|
* $Id: wtap.h,v 1.9 1999/01/02 06:10:55 gram Exp $
|
||||||
*
|
*
|
||||||
* Wiretap Library
|
* Wiretap Library
|
||||||
* Copyright (c) 1998 by Gilbert Ramirez <gram@verdict.uthscsa.edu>
|
* Copyright (c) 1998 by Gilbert Ramirez <gram@verdict.uthscsa.edu>
|
||||||
|
@ -32,6 +32,7 @@
|
||||||
#define WTAP_ENCAP_RAW_IP 6
|
#define WTAP_ENCAP_RAW_IP 6
|
||||||
#define WTAP_ENCAP_ARCNET 7
|
#define WTAP_ENCAP_ARCNET 7
|
||||||
#define WTAP_ENCAP_ATM_RFC1483 8
|
#define WTAP_ENCAP_ATM_RFC1483 8
|
||||||
|
#define WTAP_ENCAP_PER_PACKET 9
|
||||||
|
|
||||||
/* File types that can be read by wiretap */
|
/* File types that can be read by wiretap */
|
||||||
#define WTAP_FILE_UNKNOWN 0
|
#define WTAP_FILE_UNKNOWN 0
|
||||||
|
@ -74,6 +75,7 @@ struct wtap_pkthdr {
|
||||||
struct timeval ts;
|
struct timeval ts;
|
||||||
guint32 caplen;
|
guint32 caplen;
|
||||||
guint32 len;
|
guint32 len;
|
||||||
|
int pkt_encap;
|
||||||
};
|
};
|
||||||
|
|
||||||
typedef void (*wtap_handler)(u_char*, const struct wtap_pkthdr*,
|
typedef void (*wtap_handler)(u_char*, const struct wtap_pkthdr*,
|
||||||
|
|
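Review bot: `WTAP_ENCAP_PER_PACKET` and the new `pkt_encap` field are added without a comment tying them together, yet packet.c in this commit relies on the relation: the constant is a file-level value meaning "consult each packet's `pkt_encap`", and is never itself a valid per-packet type. Suggested: `#define WTAP_ENCAP_PER_PACKET 9 /* file-level only: each packet's type is in wtap_pkthdr.pkt_encap */` and `int pkt_encap; /* WTAP_ENCAP_* for this packet; readers must set it for every packet */`, the latter because the ethereal file.c hunk copies it for every frame it receives. `struct wtap_pkthdr` begins before the hunk.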