(http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1717)

This patch adds support for the Juniper NetScreen snoop output format. 
It takes a text-dump op the captured packets and parses the headers 
and hex-data. Since the snoop files on a Junpiper NetScreen can be saved 
to a tftp-server, this patch makes it quite easy to use the snoop 
function of the Juniper NetScreen firewalls.

/* XXX TODO:
 *
 * o  Create a wiki-page with instruction on how to make tracefiles
 *    on Juniper NetScreen devices. Also put a few examples up
 *    on the wiki (Done: wiki-page added 2007-08-03)
 *
 * o  Use the interface names to properly detect the encapsulation
 *    type (ie adsl packets are now not properly dissected)
 *    (Done: adsl packets are now correctly seen as PPP, 2007-08-03)
 *
 * o  Pass the interface names and the traffic direction to either
 *    the frame-structure, a pseudo-header or use PPI. This needs
 *    to be discussed on the dev-list first
 *    (Posted a message to wireshark-dev abou this 2007-08-03)
 *
 */


svn path=/trunk/; revision=22533

wiretap/Makefile.common

@@ -54,6 +54,7 @@ NONGENERATED_C_FILES = \
 	mpeg.c			\
 	mpeg-audio.c		\
 	netmon.c		\
+	netscreen.c		\
 	nettl.c			\
 	network_instruments.c	\
 	netxray.c		\
@@ -95,6 +96,7 @@ NONGENERATED_HEADER_FILES = \
 	mpeg.h			\
 	mpeg-audio.h		\
 	netmon.h		\
+	netscreen.h		\
 	nettl.h			\
 	network_instruments.h	\
 	netxray.h		\

wiretap/file_access.c

@@ -73,6 +73,7 @@
 #include "ber.h"
 #include "catapult_dct2000.h"
 #include "mpeg.h"
+#include "netscreen.h"
 
 
 
@@ -122,6 +123,11 @@ static wtap_open_routine_t open_routines_base[] = {
 	 * would be, for example, saved copies of a Telnet session
 	 * to some box.
 	 */
+
+	/* I put NetScreen *before* erf, because there were some
+	 * false positives with my test-files (Sake Blok, July 2007)
+	 */
+	netscreen_open, 
 	erf_open,
 	k12text_open,
 	etherpeek_open,
@@ -554,9 +560,13 @@ static const struct file_type_info dump_open_table_base[] = {
 	{ "MPEG", "mpeg", "*.mpeg;*.mpg;*.mp3", ".mpeg", FALSE,
 	  NULL, NULL },
 
-	  	/* WTAP_FILE_K12TEXT  */
+	/* WTAP_FILE_K12TEXT  */
 	{ "K12 text file", "k12text", "*.txt", ".txt", TRUE,
 	  k12text_dump_can_write_encap, k12text_dump_open },
+
+	/* WTAP_FILE_NETSCREEN */
+	{ "NetScreen snoop text file", "netscreen", "*.*", NULL, FALSE,
+	  NULL, NULL },
 };
 
 gint wtap_num_file_types = sizeof(dump_open_table_base) / sizeof(struct file_type_info);

wiretap/netscreen.c

@@ -0,0 +1,437 @@
+/* netscreen.c
+ *
+ * Juniper NetScreen snoop output parser
+ * Created by re-using a lot of code from cosine.c
+ * Copyright (c) 2007 by Sake Blok <sake@euronet.nl>
+ *
+ * Wiretap Library
+ * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+#include "wtap-int.h"
+#include "buffer.h"
+#include "netscreen.h"
+#include "file_wrappers.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+
+/* XXX TODO:
+ *
+ * o  Create a wiki-page with instruction on how to make tracefiles
+ *    on Juniper NetScreen devices. Also put a few examples up
+ *    on the wiki (Done: wiki-page added 2007-08-03)
+ *
+ * o  Use the interface names to properly detect the encapsulation
+ *    type (ie adsl packets are now not properly dissected)
+ *    (Done: adsl packets are now correctly seen as PPP, 2007-08-03)
+ *
+ * o  Pass the interface names and the traffic direction to either
+ *    the frame-structure, a pseudo-header or use PPI. This needs
+ *    to be discussed on the dev-list first
+ *    (Posted a message to wireshark-dev abou this 2007-08-03)
+ *
+ */
+
+
+
+static gboolean empty_line(const gchar *line);
+static gboolean info_line(const gchar *line);
+static gint64 netscreen_seek_next_packet(wtap *wth, int *err, char *hdr);
+static gboolean netscreen_check_file_type(wtap *wth, int *err);
+static gboolean netscreen_read(wtap *wth, int *err, gchar **err_info,
+	gint64 *data_offset);
+static gboolean netscreen_seek_read(wtap *wth, gint64 seek_off,
+	union wtap_pseudo_header *pseudo_header, guint8 *pd,
+	int len, int *err, gchar **err_info);
+static int parse_netscreen_rec_hdr(wtap *wth, const char *line,
+	char *cap_int, gboolean *cap_dir,
+	union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info);
+static int parse_netscreen_hex_dump(FILE_T fh, int pkt_len, guint8* buf,
+	int *err, gchar **err_info);
+static int parse_single_hex_dump_line(char* rec, guint8 *buf,
+	guint byte_offset);
+
+/* Returns TRUE if the line appears to be an empty line. Otherwise it
+   returns FALSE. */
+static gboolean empty_line(const gchar *line)
+{
+	while (*line) {
+		if (isspace((guchar)*line)) {
+			line++;
+			continue;
+		} else {
+			break;
+		}
+	}
+	if (*line == '\0')
+		return TRUE;
+	else
+		return FALSE;
+}
+
+/* Returns TRUE if the line appears to be a line with protocol info.
+   Otherwise it returns FALSE. */
+static gboolean info_line(const gchar *line)
+{
+	int i=NETSCREEN_SPACES_ON_INFO_LINE;
+	
+	while (i-- > 0) {
+		if (isspace((guchar)*line)) {
+			line++;
+			continue;
+		} else {
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
+/* Seeks to the beginning of the next packet, and returns the
+   byte offset. Copy the header line to hdr. Returns -1 on failure,
+   and sets "*err" to the error and set hdr as NULL. */
+static gint64 netscreen_seek_next_packet(wtap *wth, int *err, char *hdr)
+{
+	gint64 cur_off;
+	char buf[NETSCREEN_LINE_LENGTH];
+
+	while (1) {
+		cur_off = file_tell(wth->fh);
+		if (cur_off == -1) {
+			/* Error */
+			*err = file_error(wth->fh);
+			hdr = NULL;
+			return -1;
+		}
+		if (file_gets(buf, sizeof(buf), wth->fh) != NULL) {
+			if (strstr(buf, NETSCREEN_REC_MAGIC_STR1) ||
+			    strstr(buf, NETSCREEN_REC_MAGIC_STR2)) {
+				strncpy(hdr, buf, NETSCREEN_LINE_LENGTH-1);
+				hdr[NETSCREEN_LINE_LENGTH-1] = '\0';
+				return cur_off;
+			}
+		} else {
+			if (file_eof(wth->fh)) {
+				/* We got an EOF. */
+				*err = 0;
+			} else {
+				/* We (presumably) got an error (there's no
+				   equivalent to "ferror()" in zlib, alas,
+				   so we don't have a wrapper to check for
+				   an error). */
+				*err = file_error(wth->fh);
+			}
+			break;
+		}
+	}
+	hdr = NULL;
+	return -1;
+}
+
+/* Look through the first part of a file to see if this is
+ * NetScreen snoop output.
+ *
+ * Returns TRUE if it is, FALSE if it isn't or if we get an I/O error;
+ * if we get an I/O error, "*err" will be set to a non-zero value.
+ */
+static gboolean netscreen_check_file_type(wtap *wth, int *err)
+{
+	char	buf[NETSCREEN_LINE_LENGTH];
+	guint	reclen, line;
+
+	buf[NETSCREEN_LINE_LENGTH-1] = '\0';
+
+	for (line = 0; line < NETSCREEN_HEADER_LINES_TO_CHECK; line++) {
+		if (file_gets(buf, NETSCREEN_LINE_LENGTH, wth->fh) != NULL) {
+
+			reclen = strlen(buf);
+			if (reclen < strlen(NETSCREEN_HDR_MAGIC_STR1) ||
+				reclen < strlen(NETSCREEN_HDR_MAGIC_STR2)) {
+				continue;
+			}
+
+			if (strstr(buf, NETSCREEN_HDR_MAGIC_STR1) ||
+			    strstr(buf, NETSCREEN_HDR_MAGIC_STR2)) {
+				return TRUE;
+			}
+		} else {
+			/* EOF or error. */
+			if (file_eof(wth->fh))
+				*err = 0;
+			else
+				*err = file_error(wth->fh);
+			return FALSE;
+		}
+	}
+	*err = 0;
+	return FALSE;
+}
+
+
+int netscreen_open(wtap *wth, int *err, gchar **err_info _U_)
+{
+
+	/* Look for a NetScreen snoop header line */
+	if (!netscreen_check_file_type(wth, err)) {
+		if (*err == 0)
+			return 0;
+		else
+			return -1;
+	}
+
+	if (file_seek(wth->fh, 0L, SEEK_SET, err) == -1)	/* rewind */
+		return -1;
+
+	wth->data_offset = 0;
+	wth->file_encap = WTAP_ENCAP_PER_PACKET;
+	wth->file_type = WTAP_FILE_NETSCREEN;
+	wth->snapshot_length = 0; /* not known */
+	wth->subtype_read = netscreen_read;
+	wth->subtype_seek_read = netscreen_seek_read;
+	wth->tsprecision = WTAP_FILE_TSPREC_DSEC;
+	
+	return 1;
+}
+
+/* Find the next packet and parse it; called from wtap_read(). */
+static gboolean netscreen_read(wtap *wth, int *err, gchar **err_info,
+    gint64 *data_offset)
+{
+	gint64		offset;
+	guint8		*buf;
+	int		pkt_len, caplen;
+	char		line[NETSCREEN_LINE_LENGTH];
+	char		cap_int[NETSCREEN_MAX_INT_NAME_LENGTH];
+	gboolean	cap_dir;
+
+	/* Find the next packet */
+	offset = netscreen_seek_next_packet(wth, err, line);
+	if (offset < 0)
+		return FALSE;
+
+	/* Parse the header */
+	pkt_len = parse_netscreen_rec_hdr(wth, line, cap_int, &cap_dir, 
+		&wth->pseudo_header, err, err_info);
+	if (pkt_len == -1)
+		return FALSE;
+
+	/* Make sure we have enough room for the packet */
+	buffer_assure_space(wth->frame_buffer, NETSCREEN_MAX_PACKET_LEN);
+	buf = buffer_start_ptr(wth->frame_buffer);
+
+	/* Convert the ASCII hex dump to binary data */
+	if ((caplen = parse_netscreen_hex_dump(wth->fh, pkt_len, buf, err,
+	    err_info)) == -1) {
+		return FALSE;
+	}
+
+	if (strncmp(cap_int, "adsl", 4) == 0) 
+		wth->phdr.pkt_encap = WTAP_ENCAP_PPP;
+	else if (strncmp(cap_int, "seri", 4) == 0)
+		wth->phdr.pkt_encap = WTAP_ENCAP_PPP;
+	else
+		wth->phdr.pkt_encap = WTAP_ENCAP_ETHERNET;
+
+	wth->data_offset = offset;
+	wth->phdr.caplen = caplen;
+	*data_offset = offset;
+	return TRUE;
+}
+
+/* Used to read packets in random-access fashion */
+static gboolean
+netscreen_seek_read (wtap *wth, gint64 seek_off,
+	union wtap_pseudo_header *pseudo_header, guint8 *pd, int len,
+	int *err, gchar **err_info)
+{
+	char		line[NETSCREEN_LINE_LENGTH];
+	char		cap_int[NETSCREEN_MAX_INT_NAME_LENGTH];
+	gboolean	cap_dir;
+
+	if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1) {
+		return FALSE;
+	}
+
+	if (file_gets(line, NETSCREEN_LINE_LENGTH, wth->random_fh) == NULL) {
+		*err = file_error(wth->random_fh);
+		if (*err == 0) {
+			*err = WTAP_ERR_SHORT_READ;
+		}
+		return FALSE;
+	}
+
+	if (parse_netscreen_rec_hdr(NULL, line, cap_int, &cap_dir, pseudo_header, 
+	   err, err_info) == -1) {
+		return FALSE;
+	}
+
+	return parse_netscreen_hex_dump(wth->random_fh, len, pd, err, err_info);
+}
+
+/* Parses a packet record header. There are a few possible formats:
+ * 
+ * XXX list extra formats here!
+6843828.0: trust(o) len=98:00121ebbd132->00600868d659/0800
+              192.168.1.1 -> 192.168.1.10/6
+              vhl=45, tos=00, id=37739, frag=0000, ttl=64 tlen=84
+              tcp:ports 2222->2333, seq=3452113890, ack=1540618280, flag=5018/ACK
+              00 60 08 68 d6 59 00 12 1e bb d1 32 08 00 45 00     .`.h.Y.....2..E.
+              00 54 93 6b 00 00 40 06 63 dd c0 a8 01 01 c0 a8     .T.k..@.c.......
+              01 0a 08 ae 09 1d cd c3 13 e2 5b d3 f8 28 50 18     ..........[..(P.
+              1f d4 79 21 00 00 e7 76 89 64 16 e2 19 0a 80 09     ..y!...v.d......
+              31 e7 04 28 04 58 f3 d9 b1 9f 3d 65 1a db d8 61     1..(.X....=e...a
+              2c 21 b6 d3 20 60 0c 8c 35 98 88 cf 20 91 0e a9     ,!...`..5.......
+              1d 0b                                               ..
+
+
+ */
+static int
+parse_netscreen_rec_hdr(wtap *wth, const char *line, char *cap_int, gboolean *cap_dir,
+    union wtap_pseudo_header *pseudo_header _U_, int *err, gchar **err_info)
+{
+	int	sec;
+	int	dsec, pkt_len;
+	char	direction[2];
+
+	if (sscanf(line, "%d.%d: %[a-z0-9](%[io]) len=%d:",
+		   &sec, &dsec, cap_int, direction, &pkt_len) != 5) {
+		*err = WTAP_ERR_BAD_RECORD;
+		*err_info = g_strdup("netscreen: Can't parse packet-header");
+		return -1;
+	}
+
+	*cap_dir = (direction[0] == 'o' ? NETSCREEN_EGRESS : NETSCREEN_INGRESS);
+
+	if (wth) {
+		wth->phdr.ts.secs  = sec;
+		wth->phdr.ts.nsecs = dsec * 100000000;
+		wth->phdr.len = pkt_len;
+	}
+
+	return pkt_len;
+}
+
+/* Converts ASCII hex dump to binary data. Returns the capture length.
+   If any error is encountered, -1 is returned. */
+static int
+parse_netscreen_hex_dump(FILE_T fh, int pkt_len, guint8* buf, int *err, gchar **err_info)
+{
+	gchar	line[NETSCREEN_LINE_LENGTH];
+	int	n, i = 0, offset = 0;
+
+	while(1) {
+		if (file_gets(line, NETSCREEN_LINE_LENGTH, fh) == NULL) {
+			*err = file_error(fh);
+			if (*err == 0) {
+				*err = WTAP_ERR_SHORT_READ;
+			}
+			return -1;
+		}
+
+		/* packeta are delimited with empty lines */
+		if (empty_line(line)) {
+			break;
+		}
+		
+		/* terminate the line before the ascii-data to prevent the 
+		 * parser from parsing one or more extra bytes from the 
+		 * ascii-data.
+		 * Check for longer lines to prevent wireless hexdumps to
+		 * be cut in the middle (they can have 14 extra spaces
+		 * before the hex-data)
+		 */
+		if(strlen(line) != 98) 
+			line[62] = '\0';
+		else
+			line[76] = '\0';
+
+		n = parse_single_hex_dump_line(line, buf, offset);
+
+		/* the smallest packet has a length of 6 bytes, if
+		 * the first hex-data is less then check whether 
+		 * it is a info-line and act accordingly
+		 */
+		if (offset == 0 && n < 6) {
+			if (info_line(line)) {
+				if (++i <= NETSCREEN_MAX_INFOLINES) {
+					continue;
+				}
+			} else {
+				*err = WTAP_ERR_BAD_RECORD;
+				*err_info = g_strdup("netscreen: cannot parse hex-data");
+				return -1;
+			}
+		}
+
+		/* If there is no more data and the line was not empty,
+		 * then there must be an error in the file
+		 */
+		if(n == -1) {
+			*err = WTAP_ERR_BAD_RECORD;
+			*err_info = g_strdup("netscreen: cannot parse hex-data");
+			return -1;
+		}
+
+		/* Adjust the offset to the data that was just added to the buffer */
+		offset += n;
+
+		/* If there was more hex-data than was announced in the len=x 
+		 * header, then then there must be an error in the file
+		 */
+		if(offset > pkt_len) {
+			*err = WTAP_ERR_BAD_RECORD;
+                        *err_info = g_strdup("netscreen: to much hex-data");
+                        return -1;
+		}
+	}
+	return offset;
+}
+
+
+/* Take a string representing one line from a hex dump and converts
+ * the text to binary data. We place the bytes in the buffer at the
+ * specified offset.
+ *
+ * Returns number of bytes successfully read, -1 if bad.  */
+static int
+parse_single_hex_dump_line(char* rec, guint8 *buf, guint byte_offset)
+{
+	int num_items_scanned, i;
+	unsigned int bytes[16];
+
+	num_items_scanned = sscanf(rec, "%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
+			       &bytes[0], &bytes[1], &bytes[2], &bytes[3],
+			       &bytes[4], &bytes[5], &bytes[6], &bytes[7],
+			       &bytes[8], &bytes[9], &bytes[10], &bytes[11],
+			       &bytes[12], &bytes[13], &bytes[14], &bytes[15]);
+	if (num_items_scanned == 0)
+		return -1;
+
+	if (num_items_scanned > 16)
+		num_items_scanned = 16;
+
+	for (i=0; i<num_items_scanned; i++) {
+		buf[byte_offset + i] = (guint8)bytes[i];
+	}
+
+	return num_items_scanned;
+}

wiretap/netscreen.h

@@ -0,0 +1,51 @@
+/* netscreen.h
+ *
+ * Juniper NetScreen snoop output parser
+ * Created by re-using a lot of code from cosine.c
+ * Copyright (c) 2007 by Sake Blok <sake@euronet.nl>
+ *
+ * Wiretap Library
+ * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+ *
+ */
+
+#ifndef __W_NETSCREEN_H__
+#define __W_NETSCREEN_H__
+
+/* Magic text to check for NetScreen snoop output */
+#define NETSCREEN_HDR_MAGIC_STR1	"(i) len="
+#define NETSCREEN_HDR_MAGIC_STR2	"(o) len="
+
+/* Magic text for start of packet */
+#define NETSCREEN_REC_MAGIC_STR1	NETSCREEN_HDR_MAGIC_STR1
+#define NETSCREEN_REC_MAGIC_STR2	NETSCREEN_HDR_MAGIC_STR2
+
+#define NETSCREEN_LINE_LENGTH        	128
+#define NETSCREEN_HEADER_LINES_TO_CHECK	32
+#define NETSCREEN_MAX_INFOLINES		8
+#define NETSCREEN_SPACES_ON_INFO_LINE	14
+#define NETSCREEN_MAX_INT_NAME_LENGTH	16
+
+#define NETSCREEN_INGRESS		FALSE
+#define NETSCREEN_EGRESS		TRUE
+
+
+#define NETSCREEN_MAX_PACKET_LEN	65536
+
+int netscreen_open(wtap *wth, int *err, gchar **err_info);
+
+#endif

wiretap/wtap.h

@@ -246,6 +246,7 @@ extern "C" {
 #define WTAP_FILE_AIROPEEK_V9			45
 #define WTAP_FILE_MPEG				46
 #define WTAP_FILE_K12TEXT			47
+#define WTAP_FILE_NETSCREEN			48
 
 #define WTAP_NUM_FILE_TYPES			wtap_get_num_file_types()