/src/wireshark/wiretap/nettl.c
Line | Count | Source |
1 | | /* nettl.c |
2 | | * |
3 | | * Wiretap Library |
4 | | * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu> |
5 | | * |
6 | | * Enhancements by Mark C. Brown <mbrown@hp.com> |
7 | | * Copyright (C) 2003, 2005 Hewlett-Packard Development Company, L.P. |
8 | | * |
9 | | * SPDX-License-Identifier: GPL-2.0-or-later |
10 | | */ |
11 | | |
12 | | #include "config.h" |
13 | | #include "nettl.h" |
14 | | |
15 | | #include <stdlib.h> |
16 | | #include <string.h> |
17 | | |
18 | | #include <wsutil/pint.h> |
19 | | |
20 | | #include "wtap_module.h" |
21 | | #include "file_wrappers.h" |
22 | | |
23 | | |
24 | | /* |
25 | | * HP-UX nettl |
26 | | * |
27 | | * nettl is used on HP-UX to trace various streams based subsystems. Wiretap |
28 | | * can read nettl files containing IP frames (NS_LS_IP subsystem) and LAPB |
29 | | * frames (SX25L2 subsystem). It has been tested with files generated on |
30 | | * HP-UX 9.04 and 10.20. |
31 | | * Use the following commands to generate a trace : |
32 | | * # IP capture. 0x30000000 means PDU in and PDU out : |
33 | | * nettl -tn 0x30000000 -e NS_LS_IP -f tracefile |
34 | | * # X25 capture. You must specify an interface : |
35 | | * nettl -tn 0x30000000 -e SX25l2 -d /dev/x25_0 -f tracefile |
36 | | * # stop capture. subsystem is NS_LS_IP or SX25L2 : |
37 | | * nettl -tf -e subsystem |
38 | | * |
39 | | * One may be able to specify "-tn pduin pduout" rather than |
40 | | * "-tn 0x30000000"; the nettl man page for HP-UX 10.30 implies that it |
41 | | * should work. |
42 | | * |
43 | | * There is also basic support for nettl files containing NS_LS_DRIVER, |
44 | | * NS_LS_TCP, NS_LS_UDP, NS_LS_LOOPBACK, unknown type 0xb9, and NS_LS_ICMP. |
45 | | * However, NS_LS_ICMP will not be decoded since WTAP lacks a raw ICMP |
46 | | * encapsulation type. |
47 | | */ |
48 | | |
49 | | /* HP nettl file header */ |
50 | | |
/* Magic number size: both known nettl magics below are exactly this long. */
#define MAGIC_SIZE 12

/* HP-UX 9.x */
static const uint8_t nettl_magic_hpux9[MAGIC_SIZE] = {
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0xD0, 0x00
};
/* HP-UX 10.x and 11.x; this is also the magic nettl_dump_open() writes. */
static const uint8_t nettl_magic_hpux10[MAGIC_SIZE] = {
    0x54, 0x52, 0x00, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80
};
62 | | |
/*
 * Size of the on-disk file header and of its file-name field.
 *
 * nettl_open() fills struct nettl_file_hdr with two raw reads: MAGIC_SIZE
 * bytes into magic[], then FILE_HDR_SIZE - MAGIC_SIZE bytes starting at
 * file_name.  That second read is only in bounds if the structure is
 * FILE_HDR_SIZE bytes with no padding before the last member.
 * NOTE(review): nothing shown here asserts sizeof(struct nettl_file_hdr)
 * == FILE_HDR_SIZE at compile time - confirm or add a static assertion.
 */
#define FILE_HDR_SIZE 128
#define NETTL_FILENAME_SIZE 56

/*
 * File header as laid out at offset 0 of a nettl file.  When reading, every
 * byte after magic[] is copied verbatim from the (untrusted) file; the code
 * shown here never NUL-terminates the char fields, so treat them as
 * fixed-size byte arrays rather than C strings.
 */
struct nettl_file_hdr {
    uint8_t magic[MAGIC_SIZE];
    char file_name[NETTL_FILENAME_SIZE];
    char tz[20];
    char host_name[9];
    char os_vers[9];    /* nettl_open() tests os_vers[2] and os_vers[3] for '1','1' */
    uint8_t os_v;
    uint8_t xxa[8];
    char model[11];
    uint16_t unknown; /* just padding to 128 bytes? */
};
77 | | |
/* HP nettl record header */
/* see /usr/include/sys/netdiag1.h for hints */
/*
 * Multi-byte fields are big-endian in the file; the reader converts them
 * with g_ntohs()/pntohu32() and the writer with g_htons()/g_htonl().
 * nettl_read_rec() fills this structure with two raw reads (hdr_len, then
 * NETTL_REC_HDR_LEN - 2 bytes starting at subsys), so member order and sizes
 * must mirror the file layout exactly.  All values are attacker-controlled
 * when the capture file is untrusted.
 */
struct nettlrec_hdr {
    uint16_t hdr_len;   /* header length; reader rejects values below NETTL_REC_HDR_LEN */
    uint16_t subsys;    /* subsystem id; selects encapsulation and extra padding */
    uint32_t devid;
    uint8_t xxa[4];
    uint32_t kind;      /* tested against NETTL_HDR_PDU_MASK / NETTL_HDR_PDUIN */
    uint8_t xxb[16];
    uint32_t caplen;    /* captured length, including any per-subsystem padding */
    uint32_t length;    /* original length, including any per-subsystem padding */
    uint32_t sec;
    uint32_t usec;
    uint32_t pid;
    uint8_t xxc[8];
    uint32_t uid;
    /* Other stuff might be here, but isn't always here */
};

/*
 * This is what we treat as the minimum size of a record header.
 * It is *not* necessarily the same as sizeof(struct nettlrec_hdr),
 * because it doesn't include any padding added to the structure.
 */
#define NETTL_REC_HDR_LEN 64
103 | | |
/* HP nettl record header for the SX25L2 subsystem - The FCS is not included
   in the file. */
/*
 * In the code shown in this file the structure is referenced only from a
 * comment (the padlen computation for the SX25L2/SX25L3 case); the reader
 * skips those bytes instead of decoding them.
 */
struct nettlrec_sx25l2_hdr {
    uint8_t xxa[8];
    uint8_t from_dce;
    uint8_t xxb[55];
    uint8_t caplen[2];
    uint8_t length[2];
    uint8_t xxc[4];
    uint8_t sec[4];
    uint8_t usec[4];
    uint8_t xxd[4];
};
117 | | |
118 | | /* NS_LS_DRIVER : |
119 | | The following shows what the header and subheader looks like for NS_LS_DRIVER |
120 | | The capture was taken on HPUX11 and for a 100baseT interface. |
121 | | |
122 | | 000080 00 44 00 0b 00 00 00 02 00 00 00 00 20 00 00 00 |
123 | | 000090 00 00 00 00 00 00 04 06 00 00 00 00 00 00 00 00 |
124 | | 0000a0 00 00 00 74 00 00 00 74 3c e3 76 19 00 06 34 63 |
125 | | 0000b0 ff ff ff ff 00 00 00 00 00 00 00 00 ff ff ff ff |
126 | | 0000c0 00 00 00 00 00 00 01 02 00 5c 00 5c ff ff ff ff |
127 | | 0000d0 3c e3 76 19 00 06 34 5a 00 0b 00 14 <here starts the MAC header> |
128 | | |
129 | | Each entry starts with 0x0044000b |
130 | | |
131 | | The values 0x005c at positions 0x0000c8 and 0x0000ca match the number of |
132 | | bytes in the packet up to the next entry, which starts with 0x0044000b again. |
133 | | These are the captured and real lengths of the packet. |
134 | | |
135 | | The values 0x00000074 at positions 0x0000a0 and 0x0000a4 seem to indicate |
136 | | the same number as positions 0x0000c8 and 0x0000ca, plus 24. |
137 | | Perhaps we have here two layers of headers. |
138 | | The first layer is fixed and consists of all the bytes from 0x000084 up to and |
139 | | including 0x0000c3 which is a generic header for all packets captured from any |
140 | | device. This header might be of fixed size 64 bytes (although the first two |
141 | | bytes appear to be the length of that header, in big-endian format) and there |
142 | | might be something in it which indicates the type of the next header which is |
143 | | link type specific. Following this header there is another header for the |
144 | | 100baseT interface which in this case is 24 bytes long spanning positions |
145 | | 0x0000c4 to 0x0000db. |
146 | | |
147 | | In another capture, claimed to be taken on an HP-UX 8 box, but with a |
148 | | file header suggesting it was taken on HP-UX 10.20, the header for |
149 | | NS_LS_DRIVER looks like: |
150 | | |
151 | | 000080 00 40 00 0b ff ff ff ff 00 00 00 00 00 00 00 00 |
152 | | 000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
153 | | 0000a0 00 00 00 51 00 00 00 51 42 02 5e bf 00 0e ab 7c |
154 | | 0000b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
155 | | 0000c0 00 02 01 00 00 3b 00 3b ff ff ff ff 42 02 5e bf |
156 | | 0000d0 00 0e 8e 44 00 0b <here starts the MAC header> |
157 | | |
158 | | When someone reports that the loading of the captures breaks, we can |
159 | | compare this header above with what he/she got to learn how to |
160 | | distinguish between different types of link specific headers. |
161 | | |
162 | | |
163 | | For now, the subheader for 100baseT seems to be |
164 | | 4-5 captured length |
165 | | 6-7 actual length |
166 | | 8-11 unknown |
167 | | 12-15 secs |
168 | | 16-19 usecs |
169 | | 20-21 unknown |
170 | | */ |
/*
 * Link-specific sub-header that follows the generic record header for
 * NS_LS_DRIVER records.  All members are byte arrays, so the reader decodes
 * caplen/length with pntohu16() rather than relying on host alignment or
 * byte order.
 */
struct nettlrec_ns_ls_drv_eth_hdr {
    uint8_t xxa[4];
    uint8_t caplen[2];  /* captured length, big-endian */
    uint8_t length[2];  /* actual length, big-endian */
    uint8_t xxb[4];
    uint8_t sec[4];
    uint8_t usec[4];
    uint8_t xxc[2];
};

/*
 * This is the size of an NS_LS_DRV_ETH header; it is *not* necessarily
 * the same as sizeof(struct nettlrec_ns_ls_drv_eth_hdr), because it
 * doesn't include any padding added to the structure.
 */
#define NS_LS_DRV_ETH_HDR_LEN 22
187 | | |
188 | | /* header is followed by data and once again the total length (2 bytes) ! */ |
189 | | |
/* Per-file reader state; allocated in nettl_open() and stored in wth->priv. */
typedef struct {
    bool is_hpux_11;    /* true when the file header's os_vers has '1','1' at offsets 2 and 3 */
} nettl_t;

static bool nettl_read(wtap *wth, wtap_rec *rec,
    int *err, char **err_info, int64_t *data_offset);
static bool nettl_seek_read(wtap *wth, int64_t seek_off, wtap_rec *rec,
    int *err, char **err_info);
static bool nettl_read_rec(wtap *wth, FILE_T fh, wtap_rec *rec,
    int *err, char **err_info);
static bool nettl_dump(wtap_dumper *wdh, const wtap_rec *rec,
    int *err, char **err_info);

/* File type/subtype value; stays -1 until register_nettl() assigns it. */
static int nettl_file_type_subtype = -1;

void register_nettl(void);
206 | | |
/*
 * Probe a file for the HP-UX nettl format and, on a match, prepare the
 * wtap handle for reading it.
 *
 * Returns WTAP_OPEN_NOT_MINE when the file is too short for the magic, the
 * magic matches neither known value, or the file ends right after the file
 * header; WTAP_OPEN_ERROR on any other read or seek failure (with *err set
 * by the failing helper); WTAP_OPEN_MINE otherwise.
 *
 * Everything read here comes from the capture file and is untrusted.  The
 * only header content acted on is the magic, two bytes of os_vers, and the
 * subsystem id of the first record, which is used purely as a first guess
 * at the file encapsulation.
 */
wtap_open_return_val nettl_open(wtap *wth, int *err, char **err_info)
{
    struct nettl_file_hdr hdr;
    uint16_t first_words[2];
    nettl_t *priv;

    memset(&hdr, 0, sizeof(hdr));

    /* The magic comes first; a file too short to hold it is simply not ours. */
    if (!wtap_read_bytes(wth->fh, hdr.magic, MAGIC_SIZE, err, err_info))
        return (*err != WTAP_ERR_SHORT_READ) ? WTAP_OPEN_ERROR : WTAP_OPEN_NOT_MINE;

    if (memcmp(hdr.magic, nettl_magic_hpux9, MAGIC_SIZE) != 0 &&
        memcmp(hdr.magic, nettl_magic_hpux10, MAGIC_SIZE) != 0)
        return WTAP_OPEN_NOT_MINE;

    /*
     * Remainder of the file header.  The destination is the file_name
     * member but the length covers every member after magic[], so this
     * relies on the structure being FILE_HDR_SIZE bytes without padding.
     */
    if (!wtap_read_bytes(wth->fh, hdr.file_name, FILE_HDR_SIZE - MAGIC_SIZE,
                         err, err_info))
        return WTAP_OPEN_ERROR;

    /* From here on the file is treated as nettl. */
    wth->file_type_subtype = nettl_file_type_subtype;
    wth->subtype_read = nettl_read;
    wth->subtype_seek_read = nettl_seek_read;
    wth->snapshot_length = 0; /* not available */

    /* Peek at the first record header (length + subsystem) to guess the encap. */
    if (!wtap_read_bytes_or_eof(wth->fh, first_words, 4, err, err_info)) {
        /* *err == 0 means a clean EOF: a header with no records. */
        return (*err == 0) ? WTAP_OPEN_NOT_MINE : WTAP_OPEN_ERROR;
    }

    switch (g_ntohs(first_words[1])) {
    case NETTL_SUBSYS_HPPB_FDDI:
    case NETTL_SUBSYS_EISA_FDDI:
    case NETTL_SUBSYS_PCI_FDDI:
    case NETTL_SUBSYS_HSC_FDDI:
        wth->file_encap = WTAP_ENCAP_NETTL_FDDI;
        break;

    case NETTL_SUBSYS_TOKEN:
    case NETTL_SUBSYS_PCI_TR:
        wth->file_encap = WTAP_ENCAP_NETTL_TOKEN_RING;
        break;

    case NETTL_SUBSYS_NS_LS_IP:
    case NETTL_SUBSYS_NS_LS_LOOPBACK:
    case NETTL_SUBSYS_NS_LS_TCP:
    case NETTL_SUBSYS_NS_LS_UDP:
    case NETTL_SUBSYS_NS_LS_IPV6:
        wth->file_encap = WTAP_ENCAP_NETTL_RAW_IP;
        break;

    case NETTL_SUBSYS_NS_LS_ICMP:
        wth->file_encap = WTAP_ENCAP_NETTL_RAW_ICMP;
        break;

    case NETTL_SUBSYS_NS_LS_ICMPV6:
        wth->file_encap = WTAP_ENCAP_NETTL_RAW_ICMPV6;
        break;

    case NETTL_SUBSYS_NS_LS_TELNET:
        wth->file_encap = WTAP_ENCAP_NETTL_RAW_TELNET;
        break;

    default:
        /* If this assumption is bad, the read will catch it */
        wth->file_encap = WTAP_ENCAP_NETTL_ETHERNET;
    }

    /* Rewind to the first record so normal reading starts from there. */
    if (file_seek(wth->fh, FILE_HDR_SIZE, SEEK_SET, err) == -1)
        return WTAP_OPEN_ERROR;

    wth->file_tsprec = WTAP_TSPREC_USEC;

    /* Allocated only after every failure path above, so nothing leaks here. */
    priv = g_new(nettl_t, 1);
    priv->is_hpux_11 = (hdr.os_vers[2] == '1' && hdr.os_vers[3] == '1');
    wth->priv = (void *)priv;

    return WTAP_OPEN_MINE;
}
294 | | |
/*
 * Sequential read: record the offset of the next record in *data_offset,
 * parse it with nettl_read_rec(), and keep the per-file encapsulation in
 * step with what the records actually contain.
 *
 * Returns false on read error or EOF (as reported by nettl_read_rec()).
 */
static bool nettl_read(wtap *wth, wtap_rec *rec,
    int *err, char **err_info, int64_t *data_offset)
{
    *data_offset = file_tell(wth->fh);

    if (!nettl_read_rec(wth, wth->fh, rec, err, err_info))
        return false;   /* read error or EOF */

    /*
     * First packet of a file with unknown encapsulation defines it.  A later
     * packet with a different encapsulation means the file is mixed, so
     * switch the file-level value to WTAP_ENCAP_PER_PACKET.
     */
    if (wth->file_encap == WTAP_ENCAP_UNKNOWN) {
        wth->file_encap = rec->rec_header.packet_header.pkt_encap;
    } else if (wth->file_encap != rec->rec_header.packet_header.pkt_encap) {
        wth->file_encap = WTAP_ENCAP_PER_PACKET;
    }

    return true;
}
323 | | |
/*
 * Random-access read: seek the random-access handle to seek_off and parse
 * the record found there.
 *
 * Returns false if the seek or the record read fails.  A clean EOF from
 * nettl_read_rec() (*err == 0) is reported as WTAP_ERR_SHORT_READ, since a
 * record the caller has an offset for must exist in full.
 */
static bool
nettl_seek_read(wtap *wth, int64_t seek_off, wtap_rec *rec,
    int *err, char **err_info)
{
    if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
        return false;

    if (nettl_read_rec(wth, wth->random_fh, rec, err, err_info))
        return true;

    /* Read error or EOF; EOF means "short read" in random-access mode. */
    if (*err == 0)
        *err = WTAP_ERR_SHORT_READ;
    return false;
}
342 | | |
/*
 * Read one nettl record from fh into rec.
 *
 * Every length and selector used here (hdr_len, subsys, kind, caplen,
 * length, the FDDI pad byte) comes from the capture file and must be
 * treated as untrusted.  The checks made before any packet data is read are:
 *   - hdr_len must be at least NETTL_REC_HDR_LEN;
 *   - length and caplen must each be at least the per-subsystem padlen;
 *   - caplen - padlen must not exceed WTAP_MAX_PACKET_SIZE_STANDARD.
 *
 * Returns true with rec filled in, or false on EOF / read error.  On the
 * WTAP_ERR_BAD_FILE paths *err_info is set to a newly allocated message.
 *
 * NOTE(review): rec->block is created before the length checks; whether the
 * caller releases it when this function returns false is not visible here -
 * confirm.
 */
static bool
nettl_read_rec(wtap *wth, FILE_T fh, wtap_rec *rec, int *err, char **err_info)
{
    union wtap_pseudo_header *pseudo_header = &rec->rec_header.packet_header.pseudo_header;
    nettl_t *nettl = (nettl_t *)wth->priv;
    bool fddihack = false;
    struct nettlrec_hdr rec_hdr;
    uint16_t hdr_len;
    struct nettlrec_ns_ls_drv_eth_hdr drv_eth_hdr;
    uint32_t length, caplen;
    int subsys;
    unsigned padlen;
    int datalen;
    uint8_t dummyc[16];
    int bytes_to_read;
    const uint8_t *pd;

    /* The first two bytes are the header length; a clean EOF here ends the file. */
    if (!wtap_read_bytes_or_eof(fh, &rec_hdr.hdr_len, sizeof rec_hdr.hdr_len,
                                err, err_info))
        return false;
    hdr_len = g_ntohs(rec_hdr.hdr_len);
    /* Reject short headers so the subtraction below cannot wrap. */
    if (hdr_len < NETTL_REC_HDR_LEN) {
        *err = WTAP_ERR_BAD_FILE;
        *err_info = ws_strdup_printf("nettl: record header length %u too short",
                                     hdr_len);
        return false;
    }
    /*
     * Read the rest of the fixed header in one go, starting at subsys.
     * This writes NETTL_REC_HDR_LEN - 2 bytes across all following members,
     * so it assumes struct nettlrec_hdr is laid out without padding and is
     * at least NETTL_REC_HDR_LEN bytes - TODO confirm with a static assert.
     */
    if (!wtap_read_bytes(fh, &rec_hdr.subsys, NETTL_REC_HDR_LEN - 2,
                         err, err_info))
        return false;
    subsys = g_ntohs(rec_hdr.subsys);
    hdr_len -= NETTL_REC_HDR_LEN;
    /* Skip the rest of the header. */
    if (!wtap_read_bytes(fh, NULL, hdr_len, err, err_info))
        return false;

    wtap_setup_packet_rec(rec, wth->file_encap);
    rec->block = wtap_block_create(WTAP_BLOCK_PACKET);

    if ( (pntohu32(&rec_hdr.kind) & NETTL_HDR_PDU_MASK) == 0 ) {
        /* not actually a data packet (PDU) trace record */
        rec->rec_header.packet_header.pkt_encap = WTAP_ENCAP_NETTL_RAW_IP;
        length = pntohu32(&rec_hdr.length);
        caplen = pntohu32(&rec_hdr.caplen);
        padlen = 0;
    } else switch (subsys) {
        case NETTL_SUBSYS_LAN100 :
        case NETTL_SUBSYS_EISA100BT :
        case NETTL_SUBSYS_BASE100 :
        case NETTL_SUBSYS_GSC100BT :
        case NETTL_SUBSYS_PCI100BT :
        case NETTL_SUBSYS_SPP100BT :
        case NETTL_SUBSYS_100VG :
        case NETTL_SUBSYS_GELAN :
        case NETTL_SUBSYS_BTLAN :
        case NETTL_SUBSYS_INTL100 :
        case NETTL_SUBSYS_IGELAN :
        case NETTL_SUBSYS_IETHER :
        case NETTL_SUBSYS_IXGBE :
        case NETTL_SUBSYS_HSSN :
        case NETTL_SUBSYS_IGSSN :
        case NETTL_SUBSYS_ICXGBE :
        case NETTL_SUBSYS_IEXGBE :
        case NETTL_SUBSYS_IOCXGBE :
        case NETTL_SUBSYS_IQXGBE :
        case NETTL_SUBSYS_HPPB_FDDI :
        case NETTL_SUBSYS_EISA_FDDI :
        case NETTL_SUBSYS_PCI_FDDI :
        case NETTL_SUBSYS_HSC_FDDI :
        case NETTL_SUBSYS_TOKEN :
        case NETTL_SUBSYS_PCI_TR :
        case NETTL_SUBSYS_NS_LS_IP :
        case NETTL_SUBSYS_NS_LS_LOOPBACK :
        case NETTL_SUBSYS_NS_LS_TCP :
        case NETTL_SUBSYS_NS_LS_UDP :
        case NETTL_SUBSYS_HP_APAPORT :
        case NETTL_SUBSYS_HP_APALACP :
        case NETTL_SUBSYS_NS_LS_IPV6 :
        case NETTL_SUBSYS_NS_LS_ICMPV6 :
        case NETTL_SUBSYS_NS_LS_ICMP :
        case NETTL_SUBSYS_NS_LS_TELNET :
        case NETTL_SUBSYS_NS_LS_SCTP :
            /* Map the subsystem to a per-packet encapsulation. */
            if( (subsys == NETTL_SUBSYS_NS_LS_IP)
                || (subsys == NETTL_SUBSYS_NS_LS_LOOPBACK)
                || (subsys == NETTL_SUBSYS_NS_LS_UDP)
                || (subsys == NETTL_SUBSYS_NS_LS_TCP)
                || (subsys == NETTL_SUBSYS_NS_LS_SCTP)
                || (subsys == NETTL_SUBSYS_NS_LS_IPV6)) {
                rec->rec_header.packet_header.pkt_encap = WTAP_ENCAP_NETTL_RAW_IP;
            } else if (subsys == NETTL_SUBSYS_NS_LS_ICMP) {
                rec->rec_header.packet_header.pkt_encap = WTAP_ENCAP_NETTL_RAW_ICMP;
            } else if (subsys == NETTL_SUBSYS_NS_LS_ICMPV6) {
                rec->rec_header.packet_header.pkt_encap = WTAP_ENCAP_NETTL_RAW_ICMPV6;
            } else if (subsys == NETTL_SUBSYS_NS_LS_TELNET) {
                rec->rec_header.packet_header.pkt_encap = WTAP_ENCAP_NETTL_RAW_TELNET;
            } else if( (subsys == NETTL_SUBSYS_HPPB_FDDI)
                       || (subsys == NETTL_SUBSYS_EISA_FDDI)
                       || (subsys == NETTL_SUBSYS_PCI_FDDI)
                       || (subsys == NETTL_SUBSYS_HSC_FDDI) ) {
                rec->rec_header.packet_header.pkt_encap = WTAP_ENCAP_NETTL_FDDI;
            } else if( (subsys == NETTL_SUBSYS_PCI_TR)
                       || (subsys == NETTL_SUBSYS_TOKEN) ) {
                rec->rec_header.packet_header.pkt_encap = WTAP_ENCAP_NETTL_TOKEN_RING;
            } else {
                rec->rec_header.packet_header.pkt_encap = WTAP_ENCAP_NETTL_ETHERNET;
            }

            length = pntohu32(&rec_hdr.length);
            caplen = pntohu32(&rec_hdr.caplen);

            /* HPPB FDDI has different inbound vs outbound trace records */
            if (subsys == NETTL_SUBSYS_HPPB_FDDI) {
                if (pntohu32(&rec_hdr.kind) == NETTL_HDR_PDUIN) {
                    /* inbound is very strange...
                       there are an extra 3 bytes after the DSAP and SSAP
                       for SNAP frames ???
                    */
                    fddihack=true;
                    padlen = 0;
                } else {
                    /* outbound appears to have variable padding */
                    if (!wtap_read_bytes(fh, dummyc, 9, err, err_info))
                        return false;
                    /* padding is usually either a total 11 or 16 bytes??? */
                    /* A single file byte, so the extra skip is at most 255 bytes. */
                    padlen = (int)dummyc[8];
                    if (!wtap_read_bytes(fh, NULL, padlen, err, err_info))
                        return false;
                    padlen += 9;
                }
            } else if ( (subsys == NETTL_SUBSYS_PCI_FDDI)
                        || (subsys == NETTL_SUBSYS_EISA_FDDI)
                        || (subsys == NETTL_SUBSYS_HSC_FDDI) ) {
                /* other flavor FDDI cards have an extra 3 bytes of padding */
                if (!wtap_read_bytes(fh, NULL, 3, err, err_info))
                    return false;
                padlen = 3;
            } else if (subsys == NETTL_SUBSYS_NS_LS_LOOPBACK) {
                /* LOOPBACK has an extra 26 bytes of padding */
                if (!wtap_read_bytes(fh, NULL, 26, err, err_info))
                    return false;
                padlen = 26;
            } else if (subsys == NETTL_SUBSYS_NS_LS_SCTP) {
                /*
                 * SCTP 8 byte header that we will ignore...
                 * 32 bit integer defines format
                 *   1 = Log
                 *   2 = ASCII
                 *   3 = Binary (PDUs should be Binary format)
                 * 32 bit integer defines type
                 *   1 = Inbound
                 *   2 = Outbound
                 */
                if (!wtap_read_bytes(fh, NULL, 8, err, err_info))
                    return false;
                padlen = 8;
            } else {
                padlen = 0;
            }
            break;

        case NETTL_SUBSYS_NS_LS_DRIVER :
            /* XXX we don't know how to identify this as ethernet frames, so
               we assume everything is.  We will crash and burn for anything else */
            /* for encapsulated 100baseT we do this */
            rec->rec_header.packet_header.pkt_encap = WTAP_ENCAP_NETTL_ETHERNET;
            if (!wtap_read_bytes(fh, &drv_eth_hdr, NS_LS_DRV_ETH_HDR_LEN,
                                 err, err_info))
                return false;

            /* Lengths here are 16-bit and come from the driver sub-header, not rec_hdr. */
            length = pntohu16(&drv_eth_hdr.length);
            caplen = pntohu16(&drv_eth_hdr.caplen);
            /*
             * XXX - is there a length field that would give the length
             * of this header, so that we don't have to check for
             * nettl files from HP-UX 11?
             *
             * And what are the extra two bytes?
             */
            if (nettl->is_hpux_11) {
                if (!wtap_read_bytes(fh, NULL, 2, err, err_info))
                    return false;
            }
            padlen = 0;
            break;

        case NETTL_SUBSYS_SX25L2:
        case NETTL_SUBSYS_SX25L3:
            /*
             * XXX - is the 24-byte padding actually a header with
             * packet lengths, time stamps, etc., just as is the case
             * for NETTL_SUBSYS_NS_LS_DRIVER?  It might be
             *
             *    uint8_t caplen[2];
             *    uint8_t length[2];
             *    uint8_t xxc[4];
             *    uint8_t sec[4];
             *    uint8_t usec[4];
             *    uint8_t xxd[4];
             *
             * or something such as that - if it has 4 bytes before that
             * (making it 24 bytes), it'd be like struct
             * nettlrec_ns_ls_drv_eth_hdr but with 2 more bytes at the end.
             *
             * And is "from_dce" at xxa[0] in the nettlrec_hdr structure?
             */
            rec->rec_header.packet_header.pkt_encap = WTAP_ENCAP_NETTL_X25;
            length = pntohu32(&rec_hdr.length);
            caplen = pntohu32(&rec_hdr.caplen);
            padlen = 24;        /* sizeof (struct nettlrec_sx25l2_hdr) - NETTL_REC_HDR_LEN + 4 */
            if (!wtap_read_bytes(fh, NULL, padlen, err, err_info))
                return false;
            break;

        default:
            /* We're going to assume it's ethernet if we don't recognize the
               subsystem -- We'll probably spew junks and core if it isn't... */
            wth->file_encap = WTAP_ENCAP_PER_PACKET;
            rec->rec_header.packet_header.pkt_encap = WTAP_ENCAP_NETTL_ETHERNET;
            length = pntohu32(&rec_hdr.length);
            caplen = pntohu32(&rec_hdr.caplen);
            padlen = 0;
            break;
    }

    /* Both lengths include the padding already consumed; check before subtracting. */
    if (length < padlen) {
        *err = WTAP_ERR_BAD_FILE;
        *err_info = ws_strdup_printf("nettl: packet length %u in record header too short, less than %u",
                                     length, padlen);
        return false;
    }
    rec->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
    rec->rec_header.packet_header.len = length - padlen;
    if (caplen < padlen) {
        *err = WTAP_ERR_BAD_FILE;
        *err_info = ws_strdup_printf("nettl: captured length %u in record header too short, less than %u",
                                     caplen, padlen);
        return false;
    }
    /*
     * datalen is a signed int while caplen is 32-bit unsigned; an oversized
     * value is caught by the WTAP_MAX_PACKET_SIZE_STANDARD check below,
     * which runs before datalen is used for any allocation or read.
     */
    datalen = caplen - padlen;
    rec->rec_header.packet_header.caplen = datalen;
    rec->ts.secs = pntohu32(&rec_hdr.sec);
    /*
     * NOTE(review): usec is not range-checked; a file value of 1000000 or
     * more yields an nsecs of a second or more, and very large values wrap
     * in the 32-bit multiply - confirm consumers tolerate that.
     */
    rec->ts.nsecs = pntohu32(&rec_hdr.usec) * 1000;

    pseudo_header->nettl.subsys   = subsys;
    pseudo_header->nettl.devid    = pntohu32(&rec_hdr.devid);
    pseudo_header->nettl.kind     = pntohu32(&rec_hdr.kind);
    pseudo_header->nettl.pid      = pntohu32(&rec_hdr.pid);
    pseudo_header->nettl.uid      = pntohu32(&rec_hdr.uid);

    if (rec->rec_header.packet_header.caplen > WTAP_MAX_PACKET_SIZE_STANDARD) {
        /*
         * Probably a corrupt capture file; don't blow up trying
         * to allocate space for an immensely-large packet.
         */
        *err = WTAP_ERR_BAD_FILE;
        *err_info = ws_strdup_printf("nettl: File has %u-byte packet, bigger than maximum of %u",
                                     rec->rec_header.packet_header.caplen, WTAP_MAX_PACKET_SIZE_STANDARD);
        return false;
    }

    /*
     * Read the packet data.
     */
    ws_buffer_assure_space(&rec->data, datalen);
    if (fddihack) {
        /* read in FC, dest, src, DSAP and SSAP */
        bytes_to_read = 15;
        if (bytes_to_read > datalen)
            bytes_to_read = datalen;
        if (!wtap_read_bytes_buffer(fh, &rec->data, bytes_to_read, err, err_info))
            return false;
        datalen -= bytes_to_read;
        if (datalen == 0) {
            /* There's nothing past the FC, dest, src, DSAP and SSAP */
            return true;
        }
        /*
         * datalen is still non-zero, so the read above was the full 15
         * bytes and pd[13] is within the data just read.
         */
        pd = ws_buffer_start_ptr(&rec->data);
        if (pd[13] == 0xAA) {
            /* it's SNAP, have to eat 3 bytes??? */
            bytes_to_read = 3;
            if (bytes_to_read > datalen)
                bytes_to_read = datalen;
            if (!wtap_read_bytes(fh, NULL, bytes_to_read, err, err_info))
                return false;
            /*
             * NOTE(review): the skipped bytes are dropped from datalen but
             * rec->rec_header.packet_header.caplen, set earlier, is not
             * reduced, so caplen can exceed the bytes actually stored in
             * rec->data by up to 3.  Confirm that consumers bound their
             * reads by the buffer contents rather than by caplen.
             */
            datalen -= bytes_to_read;
            if (datalen == 0) {
                /* There's nothing past the FC, dest, src, DSAP, SSAP, and 3 bytes to eat */
                return true;
            }
        }
        if (!wtap_read_bytes_buffer(fh, &rec->data, datalen, err, err_info))
            return false;
    } else {
        if (!wtap_read_bytes_buffer(fh, &rec->data, datalen, err, err_info))
            return false;
    }

    return true;
}
642 | | |
/*
 * Tell the caller whether packets with the given encapsulation can be
 * written to a nettl file.
 *
 * Returns 0 when the encapsulation is writable and
 * WTAP_ERR_UNWRITABLE_ENCAP otherwise.  WTAP_ENCAP_UNKNOWN is accepted
 * because nettl files start out with that value when first opened, which
 * tshark's read/write path depends on.  WTAP_ENCAP_NETTL_X25 is
 * deliberately left out of the list.
 */
static int nettl_dump_can_write_encap(int encap)
{
    static const int writable_encaps[] = {
        WTAP_ENCAP_ETHERNET,
        WTAP_ENCAP_FDDI_BITSWAPPED,
        WTAP_ENCAP_TOKEN_RING,
        WTAP_ENCAP_NETTL_ETHERNET,
        WTAP_ENCAP_NETTL_FDDI,
        WTAP_ENCAP_NETTL_TOKEN_RING,
        WTAP_ENCAP_NETTL_RAW_IP,
        WTAP_ENCAP_NETTL_RAW_ICMP,
        WTAP_ENCAP_NETTL_RAW_ICMPV6,
        WTAP_ENCAP_NETTL_RAW_TELNET,
        WTAP_ENCAP_PER_PACKET,
        WTAP_ENCAP_UNKNOWN,
        WTAP_ENCAP_NETTL_UNKNOWN
    };
    const unsigned count = sizeof writable_encaps / sizeof writable_encaps[0];

    for (unsigned i = 0; i < count; i++) {
        if (writable_encaps[i] == encap)
            return 0;
    }
    return WTAP_ERR_UNWRITABLE_ENCAP;
}
673 | | |
674 | | |
/*
 * Start writing a nettl file: install nettl_dump() as the per-record
 * writer and emit a fixed file header that identifies the file as an
 * HP-UX 10.x/11.x trace.
 *
 * Returns true on success, false on failure with *err set by
 * wtap_dump_file_write().  The header content is constant; the host name
 * is left empty and nothing about the local machine is recorded in it.
 */
static bool nettl_dump_open(wtap_dumper *wdh, int *err, char **err_info _U_)
{
    struct nettl_file_hdr hdr;

    /* This is a nettl file */
    wdh->subtype_write = nettl_dump;

    /* Zero first so unused fields and string tails are written as zeros. */
    memset(&hdr, 0, sizeof hdr);
    memcpy(hdr.magic, nettl_magic_hpux10, sizeof hdr.magic);

    /* Each copy is bounded by the size of its destination field. */
    (void) g_strlcpy(hdr.file_name, "/tmp/wireshark.TRC000", sizeof hdr.file_name);
    (void) g_strlcpy(hdr.tz, "UTC", sizeof hdr.tz);
    (void) g_strlcpy(hdr.host_name, "", sizeof hdr.host_name);
    (void) g_strlcpy(hdr.os_vers, "B.11.11", sizeof hdr.os_vers);
    (void) g_strlcpy(hdr.model, "9000/800", sizeof hdr.model);
    hdr.os_v = 0x55;
    hdr.unknown = g_htons(0x406);

    /* Write the file header. */
    return wtap_dump_file_write(wdh, &hdr, sizeof hdr, err) ? true : false;
}
699 | | |
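/*
 * Write one packet record to a nettl dump file.
 *
 * Layout written: the 64-byte record header, 4 zero bytes (HP-UX 11 header
 * format), 3 zero pad bytes for the FDDI encapsulations, then caplen bytes
 * of packet data.
 *
 * Returns true on success, false on failure with *err set:
 *   WTAP_ERR_UNWRITABLE_REC_TYPE      - rec is not a packet record
 *   WTAP_ERR_PACKET_TOO_LARGE         - caplen above WTAP_MAX_PACKET_SIZE_STANDARD
 *   WTAP_ERR_TIME_STAMP_NOT_SUPPORTED - seconds outside 0..INT32_MAX
 *   WTAP_ERR_UNWRITABLE_ENCAP         - encapsulation not handled below
 * or whatever wtap_dump_file_write() reports.
 *
 * The uid field is written with g_htonl(): struct nettlrec_hdr declares it
 * as 32 bits and nettl_read_rec() reads it back with pntohu32(), so a
 * 16-bit swap would not round-trip.
 */
static bool nettl_dump(wtap_dumper *wdh, const wtap_rec *rec,
    int *err, char **err_info _U_)
{
    const union wtap_pseudo_header *pseudo_header = &rec->rec_header.packet_header.pseudo_header;
    struct nettlrec_hdr rec_hdr;
    uint8_t dummyc[24];

    /* We can only write packet records. */
    if (rec->rec_type != REC_TYPE_PACKET) {
        *err = WTAP_ERR_UNWRITABLE_REC_TYPE;
        *err_info = wtap_unwritable_rec_type_err_string(rec);
        return false;
    }

    /* Don't write anything we're not willing to read. */
    if (rec->rec_header.packet_header.caplen > WTAP_MAX_PACKET_SIZE_STANDARD) {
        *err = WTAP_ERR_PACKET_TOO_LARGE;
        return false;
    }

    /* Zero the header so the unknown xx* fields are written as zeros. */
    memset(&rec_hdr,0,sizeof(rec_hdr));
    /* HP-UX 11.X header should be 68 bytes */
    rec_hdr.hdr_len = g_htons(sizeof(rec_hdr) + 4);
    rec_hdr.kind = g_htonl(NETTL_HDR_PDUIN);
    /*
     * Probably interpreted as signed in other programs that read it.
     * Maybe HPE will decide to make it unsigned, which could probably
     * be made to work once the last 32-bit UN*X is gone and time_t
     * is universally 64-bit.
     */
    if (rec->ts.secs < 0 || rec->ts.secs > INT32_MAX) {
        *err = WTAP_ERR_TIME_STAMP_NOT_SUPPORTED;
        return false;
    }
    rec_hdr.sec = g_htonl((uint32_t)rec->ts.secs);
    rec_hdr.usec = g_htonl(rec->ts.nsecs/1000);
    rec_hdr.caplen = g_htonl(rec->rec_header.packet_header.caplen);
    rec_hdr.length = g_htonl(rec->rec_header.packet_header.len);
    /* Defaults for encapsulations that carry no nettl pseudo-header. */
    rec_hdr.devid = -1;
    rec_hdr.pid = -1;
    rec_hdr.uid = -1;

    switch (rec->rec_header.packet_header.pkt_encap) {

        case WTAP_ENCAP_NETTL_FDDI:
            /* account for pad bytes */
            rec_hdr.caplen = g_htonl(rec->rec_header.packet_header.caplen + 3);
            rec_hdr.length = g_htonl(rec->rec_header.packet_header.len + 3);
            /* fall through and fill the rest of the fields */
            /* FALL THROUGH */
        case WTAP_ENCAP_NETTL_ETHERNET:
        case WTAP_ENCAP_NETTL_TOKEN_RING:
        case WTAP_ENCAP_NETTL_RAW_IP:
        case WTAP_ENCAP_NETTL_RAW_ICMP:
        case WTAP_ENCAP_NETTL_RAW_ICMPV6:
        case WTAP_ENCAP_NETTL_RAW_TELNET:
        case WTAP_ENCAP_NETTL_UNKNOWN:
            rec_hdr.subsys = g_htons(pseudo_header->nettl.subsys);
            rec_hdr.devid = g_htonl(pseudo_header->nettl.devid);
            rec_hdr.kind = g_htonl(pseudo_header->nettl.kind);
            rec_hdr.pid = g_htonl(pseudo_header->nettl.pid);
            /* 32-bit field: must match the pntohu32() used when reading. */
            rec_hdr.uid = g_htonl(pseudo_header->nettl.uid);
            break;

        case WTAP_ENCAP_RAW_IP:
            rec_hdr.subsys = g_htons(NETTL_SUBSYS_NS_LS_IP);
            break;

        case WTAP_ENCAP_ETHERNET:
            rec_hdr.subsys = g_htons(NETTL_SUBSYS_BTLAN);
            break;

        case WTAP_ENCAP_FDDI_BITSWAPPED:
            rec_hdr.subsys = g_htons(NETTL_SUBSYS_PCI_FDDI);
            /* account for pad bytes */
            rec_hdr.caplen = g_htonl(rec->rec_header.packet_header.caplen + 3);
            rec_hdr.length = g_htonl(rec->rec_header.packet_header.len + 3);
            break;

        case WTAP_ENCAP_TOKEN_RING:
            rec_hdr.subsys = g_htons(NETTL_SUBSYS_PCI_TR);
            break;
#if 0
        case WTAP_ENCAP_NETTL_X25:
            rec_hdr.caplen = g_htonl(rec->rec_header.packet_header.caplen + 24);
            rec_hdr.length = g_htonl(rec->rec_header.packet_header.len + 24);
            rec_hdr.subsys = g_htons(pseudo_header->nettl.subsys);
            rec_hdr.devid = g_htonl(pseudo_header->nettl.devid);
            rec_hdr.kind = g_htonl(pseudo_header->nettl.kind);
            rec_hdr.pid = g_htonl(pseudo_header->nettl.pid);
            rec_hdr.uid = g_htonl(pseudo_header->nettl.uid);
            break;
#endif
        default:
            /* found one we don't support */
            *err = WTAP_ERR_UNWRITABLE_ENCAP;
            return false;
    }

    if (!wtap_dump_file_write(wdh, &rec_hdr, sizeof(rec_hdr), err))
        return false;

    /* Write out 4 extra bytes of unknown stuff for HP-UX11
     * header format.
     */
    memset(dummyc, 0, sizeof dummyc);
    if (!wtap_dump_file_write(wdh, dummyc, 4, err))
        return false;

    if ((rec->rec_header.packet_header.pkt_encap == WTAP_ENCAP_FDDI_BITSWAPPED) ||
        (rec->rec_header.packet_header.pkt_encap == WTAP_ENCAP_NETTL_FDDI)) {
        /* add those weird 3 bytes of padding */
        if (!wtap_dump_file_write(wdh, dummyc, 3, err))
            return false;
    }
/*
    } else if (rec->rec_header.packet_header.pkt_encap == WTAP_ENCAP_NETTL_X25) {
        if (!wtap_dump_file_write(wdh, dummyc, 24, err))
            return false;
    }
*/

    /* write actual PDU data */

    if (!wtap_dump_file_write(wdh, ws_buffer_start_ptr(&rec->data), rec->rec_header.packet_header.caplen, err))
        return false;

    return true;
}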
831 | | |
static const struct supported_block_type nettl_blocks_supported[] = {
    /*
     * We support packet blocks, with no comments or other options.
     */
    { WTAP_BLOCK_PACKET, MULTIPLE_BLOCKS_SUPPORTED, NO_OPTIONS_SUPPORTED }
};

/*
 * Registration record passed to wtap_register_file_type_subtype() by
 * register_nettl().  It names the format and wires in
 * nettl_dump_can_write_encap() and nettl_dump_open() as the writer hooks.
 * The meaning of the remaining positional fields is defined by
 * struct file_type_subtype_info, which is not shown in this file.
 */
static const struct file_type_subtype_info nettl_info = {
    "HP-UX nettl trace", "nettl", "trc0", "trc1",
    false, BLOCKS_SUPPORTED(nettl_blocks_supported),
    nettl_dump_can_write_encap, nettl_dump_open, NULL
};
844 | | |
/*
 * Register the nettl file type with wiretap and remember the subtype value
 * it is assigned, which nettl_open() later stores in the wtap handle.
 */
void register_nettl(void)
{
    const int subtype = wtap_register_file_type_subtype(&nettl_info);

    nettl_file_type_subtype = subtype;

    /*
     * Keep the old "NETTL" name available in Lua's wtap_filetypes table
     * for backwards compatibility.
     */
    wtap_register_backwards_compatibility_lua_name("NETTL", subtype);
}
856 | | |
857 | | /* |
858 | | * Editor modelines - https://www.wireshark.org/tools/modelines.html |
859 | | * |
860 | | * Local variables: |
861 | | * c-basic-offset: 4 |
862 | | * tab-width: 8 |
863 | | * indent-tabs-mode: nil |
864 | | * End: |
865 | | * |
866 | | * vi: set shiftwidth=4 tabstop=8 expandtab: |
867 | | * :indentSize=4:tabSize=8:noTabs=true: |
868 | | */ |