Ethereal-dev: [Ethereal-dev] PATCH: ethereal file reader

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: Daniel Thompson <d.thompson@xxxxxxx>
Date: 22 Feb 2001 20:40:17 +0000
Hi Folks.

Attached is a patch to provide limited etherpeek file format support to
ethereal. It provides read only support for macintosh formats V5, 6 & 7.
If you are happy with its quality please commit it to CVS at this point
(the patch is for 0.8.15 - let me know if it does not apply cleanly to
the wavefront).

Note that this code has not been heavily tested as I do not have very
many packet captures to test it with (one V7 file in fact). If anyone
has any etherpeek captures lying around then let me know, I don't like
providing such sparsely tested code but ...

    Cheers

    Daniel
    --xx--

-- 
Daniel Thompson (Merlin) <d.thompson@xxxxxxx>

How many dull people does it take to change a light bulb?    One.

diff -Naur ethereal-0.8.15/wiretap/Makefile.am ethereal/wiretap/Makefile.am
--- ethereal-0.8.15/wiretap/Makefile.am	Tue Sep 19 18:22:09 2000
+++ ethereal/wiretap/Makefile.am	Sat Feb  3 09:41:23 2001
@@ -42,6 +42,8 @@
 	buffer.h		\
 	csids.c			\
 	csids.h			\
+	etherpeek.c             \
+	etherpeek.h             \
 	file.c			\
 	file_wrappers.c		\
 	file_wrappers.h		\
diff -Naur ethereal-0.8.15/wiretap/etherpeek.c ethereal/wiretap/etherpeek.c
--- ethereal-0.8.15/wiretap/etherpeek.c	Thu Jan  1 01:00:00 1970
+++ ethereal/wiretap/etherpeek.c	Thu Feb 22 20:19:56 2001
@@ -0,0 +1,314 @@
+/* etherpeek.c
+ * Routines for opening etherpeek files
+ * Copyright (c) 2001, Daniel Thompson <d.thompson@xxxxxxx>
+ *
+ * $Id: $
+ *
+ * Wiretap Library
+ * Copyright (c) 1998 by Gilbert Ramirez <gram@xxxxxxxxxx>
+ * 
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+#include <errno.h>
+#include <string.h>
+#include "wtap-int.h"
+#include "file_wrappers.h"
+#include "buffer.h"
+#include "snoop.h"
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+
+/* CREDITS
+ *
+ * This file decoder could not have been writen without examining how
+ * tcptrace (http://www.tcptrace.org/) handles etherpeek files.
+ */
+
+/* master header */
+typedef struct etherpeek_master_header {
+	guint8  version;
+	guint8  status;
+} etherpeek_master_header_t;
+#define ETHERPEEK_MASTER_HDR_SIZE 2
+
+/* secondary header (Mac V5,V6,V7) */
+typedef struct etherpeek_m567_header {
+	guint32 filelength;
+	guint32 numPackets;
+	guint32 timeDate;
+	guint32 timeStart;
+	guint32 timeStop;
+	guint32 reserved[7];
+} etherpeek_m567_header_t;
+#define ETHERPEEK_M567_HDR_SIZE 48
+
+/* full header */
+typedef struct etherpeek_header {
+	etherpeek_master_header_t master;
+	union {
+		etherpeek_m567_header_t m567;
+	} secondary;
+} etherpeek_header_t;
+
+/* packet header (Mac V5, V6) */
+typedef struct etherpeek_m56_packet {
+	guint16 length;
+	guint16 sliceLength;
+	guint8  flags;
+	guint8  status;
+	guint32 timestamp;
+	guint16 destNum;
+	guint16 srcNum;
+	guint16 protoNum;
+	char    protoStr[8];
+} etherpeek_m56_packet_t;
+#define ETHERPEEK_M56_PKT_SIZE 24
+
+/* 64-bit time in micro seconds from the (Mac) epoch */
+typedef struct etherpeek_utime {
+	guint32 upper;
+	guint32 lower;
+} etherpeek_utime;
+
+/* packet header (Mac V7) */
+typedef struct etherpeek_m7_packet {
+	guint16 protoNum;
+	guint16 length;
+	guint16 sliceLength;
+	guint8  flags;
+	guint8  status;
+	etherpeek_utime
+	        timestamp;
+} etherpeek_m7_packet_t;
+#define ETHERPEEK_M7_PKT_SIZE 16
+
+typedef struct etherpeek_encap_lookup {
+	guint16 protoNum;
+	int     encap;
+} etherpeek_encap_lookup_t;
+
+static const unsigned int mac2unix = 2082844800u;
+static const etherpeek_encap_lookup_t etherpeek_encap[] = {
+	{ 1400, WTAP_ENCAP_ETHERNET }
+};
+#define NUM_ETHERPEEK_ENCAPS \
+	(sizeof (etherpeek_encap) / sizeof (etherpeek_encap[0]))
+
+static gboolean etherpeek_read_m7(wtap *wth, int *err, int *data_offset);
+static gboolean etherpeek_read_m56(wtap *wth, int *err, int *data_offset);
+
+int etherpeek_open(wtap *wth, int *err)
+{
+	etherpeek_header_t ep_hdr;
+
+	/* etherpeek files to not start with a magic value large enough
+	 * to be unique hence we use the following algorithm to determine
+	 * the type of an unknown file
+	 *  - populate the master header and reject file if there is no match
+	 *  - populate the secondary header and check that the reserved space
+	 *      is zero; there is an obvious flaw here so this algorithm will
+	 *      probably need to be revisiting when improving etherpeek
+	 *      support
+	 */
+	
+	file_seek(wth->fh, 0, SEEK_SET);
+	wth->data_offset = 0;
+
+	g_assert(sizeof(ep_hdr.master) == ETHERPEEK_MASTER_HDR_SIZE);
+	wtap_file_read_unknown_bytes(
+		&ep_hdr.master, sizeof(ep_hdr.master), wth->fh, err);
+	wth->data_offset += sizeof(ep_hdr.master);
+
+	/* switch on the file version */
+	switch (ep_hdr.master.version) {
+		case 5:
+		case 6:
+		case 7:
+			/* get the secondary header */
+			g_assert(sizeof(ep_hdr.secondary.m567) ==
+			        ETHERPEEK_M567_HDR_SIZE);
+			wtap_file_read_unknown_bytes(
+				&ep_hdr.secondary.m567,
+				sizeof(ep_hdr.secondary.m567), wth->fh, err);
+			wth->data_offset += sizeof(ep_hdr.secondary.m567);
+			
+			if ((0 != ep_hdr.secondary.m567.reserved[0]) ||
+			    (0 != ep_hdr.secondary.m567.reserved[1]) ||
+			    (0 != ep_hdr.secondary.m567.reserved[2]) ||
+			    (0 != ep_hdr.secondary.m567.reserved[3])) {
+				/* still unknown */
+				return 0;
+			}
+
+			/* we have a match for a Mac V5, V6 or V7,
+			 * so it is worth preforming byte swaps
+			 */
+			ep_hdr.secondary.m567.filelength =
+				ntohl(ep_hdr.secondary.m567.filelength);
+			ep_hdr.secondary.m567.numPackets =
+				ntohl(ep_hdr.secondary.m567.numPackets);
+			ep_hdr.secondary.m567.timeDate =
+				ntohl(ep_hdr.secondary.m567.timeDate);
+			ep_hdr.secondary.m567.timeStart =
+				ntohl(ep_hdr.secondary.m567.timeStart);
+			ep_hdr.secondary.m567.timeStop =
+				ntohl(ep_hdr.secondary.m567.timeStop);
+
+			/* populate the pseudo header */
+			wth->pseudo_header.etherpeek.reference_time.tv_sec  =
+				ep_hdr.secondary.m567.timeDate - mac2unix;
+			wth->pseudo_header.etherpeek.reference_time.tv_usec =
+				0;
+			break;
+		default:
+			return 0;
+	}
+
+	/* at this point we have recognised the file type and have populated
+	 * the whole ep_hdr structure in host byte order
+	 */
+	
+	switch (ep_hdr.master.version) {
+		case 5:
+		case 6:
+			wth->file_type = WTAP_FILE_ETHERPEEK_MAC_V56;
+			wth->subtype_read = etherpeek_read_m56;
+			wth->subtype_seek_read = wtap_def_seek_read;
+			break;
+		case 7:
+			wth->file_type = WTAP_FILE_ETHERPEEK_MAC_V7;
+			wth->subtype_read = etherpeek_read_m7;
+			wth->subtype_seek_read = wtap_def_seek_read;
+			break;
+		default:
+			/* this is impossible */
+			g_assert_not_reached();
+	};
+
+	wth->file_encap	       = WTAP_ENCAP_PER_PACKET;
+	wth->snapshot_length   = 16384; /* just guessing */
+
+	return 1;
+}
+
+static gboolean etherpeek_read_m7(wtap *wth, int *err, int *data_offset)
+{
+	etherpeek_m7_packet_t ep_pkt;
+	double  t;
+	int i;
+
+	g_assert(sizeof(ep_pkt) == ETHERPEEK_M7_PKT_SIZE);
+	wtap_file_read_expected_bytes(&ep_pkt, sizeof(ep_pkt), wth->fh, err);
+	wth->data_offset += sizeof(ep_pkt);
+
+	/* byte swaps */
+	ep_pkt.protoNum = ntohs(ep_pkt.protoNum);
+	ep_pkt.length = ntohs(ep_pkt.length);
+	ep_pkt.sliceLength = ntohs(ep_pkt.sliceLength);
+	ep_pkt.timestamp.upper = ntohl(ep_pkt.timestamp.upper);
+	ep_pkt.timestamp.lower = ntohl(ep_pkt.timestamp.lower);
+
+	/* force sliceLength to be the actual length of the packet */
+	if (0 == ep_pkt.sliceLength) {
+		ep_pkt.sliceLength = ep_pkt.length;
+	}
+
+	/* test for corrupt data */
+	if (ep_pkt.sliceLength > WTAP_MAX_PACKET_SIZE) {
+		*err = WTAP_ERR_BAD_RECORD;
+		return FALSE;
+	}
+
+	*data_offset = wth->data_offset;
+
+	/* read the frame data */
+	buffer_assure_space(wth->frame_buffer, ep_pkt.sliceLength);
+	wtap_file_read_expected_bytes(buffer_start_ptr(wth->frame_buffer),
+	                              ep_pkt.sliceLength, wth->fh, err);
+	wth->data_offset += ep_pkt.sliceLength;
+	
+	/* fill in packet header values */
+	wth->phdr.len    = ep_pkt.length;
+	wth->phdr.caplen = ep_pkt.sliceLength;
+	
+	t =  (double) ep_pkt.timestamp.lower +
+	     (double) ep_pkt.timestamp.upper * 4294967296.0;
+	t -= (double) mac2unix * 1000000.0;
+	wth->phdr.ts.tv_sec  = (time_t)  (t/1000000.0);
+	wth->phdr.ts.tv_usec = (guint32) (t - (double) wth->phdr.ts.tv_sec *
+	                                               1000000.0);
+	wth->phdr.pkt_encap = WTAP_ENCAP_UNKNOWN;
+	for (i=0; i<NUM_ETHERPEEK_ENCAPS; i++) {
+		if (etherpeek_encap[i].protoNum == ep_pkt.protoNum) {
+			wth->phdr.pkt_encap = etherpeek_encap[i].encap;
+		}
+	}
+
+	return TRUE;
+}
+
+static gboolean etherpeek_read_m56(wtap *wth, int *err, int *data_offset)
+{
+	etherpeek_m56_packet_t ep_pkt;
+	int i;
+
+	g_assert(sizeof(ep_pkt) == ETHERPEEK_M56_PKT_SIZE);
+	wtap_file_read_expected_bytes(&ep_pkt, sizeof(ep_pkt), wth->fh, err);
+	wth->data_offset += sizeof(ep_pkt);
+
+	/* byte swaps */
+	ep_pkt.length = ntohs(ep_pkt.length);
+	ep_pkt.sliceLength = ntohs(ep_pkt.sliceLength);
+	ep_pkt.timestamp = ntohl(ep_pkt.timestamp);
+	ep_pkt.destNum = ntohs(ep_pkt.destNum);
+	ep_pkt.srcNum = ntohs(ep_pkt.srcNum);
+	ep_pkt.protoNum = ntohs(ep_pkt.protoNum);
+
+	/* force sliceLength to be the actual length of the packet */
+	if (0 == ep_pkt.sliceLength) {
+		ep_pkt.sliceLength = ep_pkt.length;
+	}
+
+	/* test for corrupt data */
+	if (ep_pkt.sliceLength > WTAP_MAX_PACKET_SIZE) {
+		*err = WTAP_ERR_BAD_RECORD;
+		return FALSE;
+	}
+
+	*data_offset = wth->data_offset;
+
+	/* fill in packet header values */
+	wth->phdr.len        = ep_pkt.length;
+	wth->phdr.caplen     = ep_pkt.sliceLength;
+	/* timestamp is in milliseconds since reference_time */
+	wth->phdr.ts.tv_sec  = wth->pseudo_header.etherpeek.
+		reference_time.tv_sec + (ep_pkt.timestamp / 1000);
+	wth->phdr.ts.tv_usec = 1000 * (ep_pkt.timestamp % 1000);
+	
+	wth->phdr.pkt_encap = WTAP_ENCAP_UNKNOWN;
+	for (i=0; i<NUM_ETHERPEEK_ENCAPS; i++) {
+		if (etherpeek_encap[i].protoNum == ep_pkt.protoNum) {
+			wth->phdr.pkt_encap = etherpeek_encap[i].encap;
+		}
+	}
+
+	return TRUE;
+}
diff -Naur ethereal-0.8.15/wiretap/etherpeek.h ethereal/wiretap/etherpeek.h
--- ethereal-0.8.15/wiretap/etherpeek.h	Thu Jan  1 01:00:00 1970
+++ ethereal/wiretap/etherpeek.h	Sat Feb  3 09:37:25 2001
@@ -0,0 +1,29 @@
+/* etherpeek.h
+ *
+ * $Id: snoop.h,v 1.8 2000/08/11 13:32:34 deniel Exp $
+ *
+ * Wiretap Library
+ * Copyright (c) 1998 by Gilbert Ramirez <gram@xxxxxxxxxx>
+ * 
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+ *
+ */
+
+#ifndef __W_ETHERPEEK_H__
+#define __W_ETHERPEEK_H__
+
+int etherpeek_open(wtap *wth, int *err);
+
+#endif
diff -Naur ethereal-0.8.15/wiretap/file.c ethereal/wiretap/file.c
--- ethereal-0.8.15/wiretap/file.c	Tue Sep 19 18:22:09 2000
+++ ethereal/wiretap/file.c	Sat Feb  3 09:50:09 2001
@@ -59,6 +59,7 @@
 #include "i4btrace.h"
 #include "csids.h"
 #include "pppdump.h"
+#include "etherpeek.h"
 
 /* The open_file_* routines should return:
  *
@@ -96,6 +97,7 @@
 	radcom_open,
 	nettl_open,
 	pppdump_open,
+	etherpeek_open,
 
 	/* Files whose magic headers are in text *somewhere* in the
 	 * file (usually because the trace is just a saved copy of
@@ -345,6 +347,13 @@
         { "pppd log (pppdump format)", NULL,
           NULL, NULL },
 
+	/* WTAP_FILE_ETHERPEEK_MAC_V56 */
+	{ "Etherpeek trace (Macintosh V5 & V6)", NULL,
+	  NULL, NULL },
+
+	/* WTAP_FILE_ETHERPEEK_MAC_V7 */
+	{ "Etherpeek trace (Macintosh V7)", NULL,
+	  NULL, NULL },
 };
 
 /* Name that should be somewhat descriptive. */
diff -Naur ethereal-0.8.15/wiretap/wtap.h ethereal/wiretap/wtap.h
--- ethereal-0.8.15/wiretap/wtap.h	Mon Jan  8 22:18:22 2001
+++ ethereal/wiretap/wtap.h	Thu Feb 22 20:18:56 2001
@@ -129,9 +129,11 @@
 #define WTAP_FILE_I4BTRACE			22
 #define WTAP_FILE_CSIDS				23
 #define WTAP_FILE_PPPDUMP			24
+#define WTAP_FILE_ETHERPEEK_MAC_V56		25
+#define WTAP_FILE_ETHERPEEK_MAC_V7		26
 
 /* last WTAP_FILE_ value + 1 */
-#define WTAP_NUM_FILE_TYPES			25
+#define WTAP_NUM_FILE_TYPES			27
 
 /*
  * Maximum packet size we'll support.
@@ -189,6 +191,10 @@
 	guint32	task;			/* Task number */
 };
 
+/* Packet "pseudo_header" for etherpeek capture files. */
+struct etherpeek_phdr {
+	struct timeval reference_time;
+};
 
 struct p2p_phdr {
 	gboolean	sent; /* TRUE=sent, FALSE=received */
@@ -251,6 +257,7 @@
 	struct x25_phdr			x25;
 	struct ngsniffer_atm_phdr	ngsniffer_atm;
 	struct ascend_phdr		ascend;
+	struct etherpeek_phdr           etherpeek;
 	struct p2p_phdr			p2p;
 };