/* sunscreen.c * * Wiretap Library * Copyright (c) 1998 by Gilbert Ramirez * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version 2 * of the License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * */ #ifdef HAVE_CONFIG_H #include "config.h" #endif #include #include #include "wtap-int.h" #include "file_wrappers.h" #include "buffer.h" #include "sunscreen.h" #ifdef HAVE_NETINET_IN_H #include #endif /* Magic number in "sunscreen" files. */ #define LOGMAGIC "SunScreen new log\n\n" /* 20 bytes including NUL */ #define LOGMAGICLEN (sizeof LOGMAGIC) /* logfile version number */ #define LOGFILE_VERSION 0x0000012c #define LOGFILE_VERSION_LEN (sizeof LOGFILE_VERSION) /* for record header */ #define SCREEN_LOG_MARKER 0x54869523 /* for record header tyoe */ #define LOG_TYPE_PACKET 1 #define LOG_TYPE_TCP_SESSION 2 #define LOG_TYPE_UDP_SESSION 3 #define LOG_TYPE_IP_SESSION 4 #define LOG_TYPE_XTND 8 /* auth/app level extensions */ /* "sunscreen" file header (minus magic number). */ struct sunscreen_file_header { char filemagic[LOGMAGICLEN]; uint32_t version; }; static gboolean sunscreen_read(wtap *wth, int *err, int *data_offset); static int sunscreen_seek_read(wtap *wth, int seek_off, union wtap_pseudo_header *pseudo_header, u_char *pd, int length); static int sunscreen_read_atm_pseudoheader(FILE_T fh, union wtap_pseudo_header *pseudo_header, int *err); static int sunscreen_read_rec_data(FILE_T fh, u_char *pd, int length, int *err); static gboolean sunscreen_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr, const union wtap_pseudo_header *pseudo_header, const u_char *pd, int *err); int sunscreen_open(wtap *wth, int *err) { int bytes_read; struct sunscreen_file_header filehead; // char magic[LOGMAGICLEN]; struct sunscreenrec_hdr hdr; static const int sunscreen_encap[] = { WTAP_ENCAP_ETHERNET, /* IEEE 802.3 */ WTAP_ENCAP_UNKNOWN, /* IEEE 802.4 Token Bus */ WTAP_ENCAP_TOKEN_RING, WTAP_ENCAP_UNKNOWN, /* IEEE 802.6 Metro Net */ WTAP_ENCAP_ETHERNET, WTAP_ENCAP_UNKNOWN, /* HDLC */ WTAP_ENCAP_UNKNOWN, /* Character Synchronous, e.g. bisync */ WTAP_ENCAP_UNKNOWN, /* IBM Channel-to-Channel */ WTAP_ENCAP_FDDI_BITSWAPPED, WTAP_ENCAP_UNKNOWN, /* Other */ WTAP_ENCAP_UNKNOWN, /* Frame Relay LAPF */ WTAP_ENCAP_UNKNOWN, /* Multi-protocol over Frame Relay */ WTAP_ENCAP_UNKNOWN, /* Character Async (e.g., SLIP and PPP?) */ WTAP_ENCAP_UNKNOWN, /* X.25 Classical IP */ WTAP_ENCAP_UNKNOWN, /* software loopback */ WTAP_ENCAP_UNKNOWN, /* not defined in "dlpi.h" */ WTAP_ENCAP_UNKNOWN, /* Fibre Channel */ WTAP_ENCAP_UNKNOWN, /* ATM */ WTAP_ENCAP_ATM_SNIFFER, /* ATM Classical IP */ WTAP_ENCAP_UNKNOWN, /* X.25 LAPB */ WTAP_ENCAP_UNKNOWN, /* ISDN */ WTAP_ENCAP_UNKNOWN, /* HIPPI */ WTAP_ENCAP_UNKNOWN, /* 100VG-AnyLAN Ethernet */ WTAP_ENCAP_UNKNOWN, /* 100VG-AnyLAN Token Ring */ WTAP_ENCAP_UNKNOWN, /* "ISO 8802/3 and Ethernet" */ WTAP_ENCAP_UNKNOWN, /* 100BaseT (but that's just Ethernet) */ }; #define NUM_SUNSCREEN_ENCAPS (sizeof sunscreen_encap / sizeof sunscreen_encap[0]) /* Read in file header data struct */ errno = WTAP_ERR_CANT_READ; bytes_read = file_read(&filehead, 1, sizeof filehead , wth->fh); if (bytes_read != sizeof filehead) { *err = file_error(wth->fh); if (*err != 0) return -1; return 0; } wth->data_offset += sizeof filehead; if (memcmp(filehead.filemagic, LOGMAGIC, LOGMAGICLEN) != 0 ) { printf("logmagic\n"); return 0; } /* now check the version */ /* if (memcmp(filehead.version, LOGFILE_VERSION, LOGFILE_VERSION_LEN) != 0 ) { printf("version\n"); return 0; } */ wth->data_offset += sizeof filehead; /* unlike the 'snoop' template, there is nothing more in the file header. just move on to the data crunching ... */ /* This is a sunscreen file */ wth->file_type = WTAP_FILE_SUNSCREEN; wth->subtype_read = sunscreen_read; wth->subtype_seek_read = sunscreen_seek_read; wth->file_encap = WTAP_ENCAP_ETHERNET; // wth->file_encap = sunscreen_encap[hdr.network]; wth->snapshot_length = 16384; /* XXX - not available in header */ return 1; } /* Read the next packet */ static gboolean sunscreen_read(wtap *wth, int *err, int *data_offset) { guint32 rec_size = 0; guint32 packet_size = 0; guint32 orig_size = 0; int bytes_read; struct sunscreenrec_hdr hdr; char padbuf[4]; int padbytes; int bytes_to_read; /* add the following so we can handle each case */ /* are there memory management issues with all this stuff around ?? */ struct screen_packet pr; /* sunscreen packet */ struct screen_tcp_session tsr; /* TCP session record */ struct screen_udp_session usr; /* UDP session record */ struct screen_ip_session isr; /* IP session record */ struct screen_xtnd xr; /* XTND record */ /* Read record header. */ printf(" read record header initialize\n"); errno = WTAP_ERR_CANT_READ; bytes_read = file_read(&hdr, 1, sizeof hdr, wth->fh); printf(" read record header initialize, %d bytes read\n", bytes_read); if (bytes_read != sizeof hdr) { *err = file_error(wth->fh); printf("bytes_read != sizeof hdr\n"); if (*err == 0 && bytes_read != 0) { *err = WTAP_ERR_SHORT_READ; printf("*err == 0 && bytes_read != 0\n"); } printf(" read record header error ...\n"); return FALSE; } wth->data_offset += sizeof hdr; printf("read record data offset moved to: %d\n", wth->data_offset); /* we have grabbed up the header - it is now time to make sure that it is of the correct type: type code LOG_TYPE_PACKET 1 LOG_TYPE_TCP_SESSION 2 LOG_TYPE_UDP_SESSION 3 LOG_TYPE_IP_SESSION 4 LOG_TYPE_XTND 8 the only type that contains enough data for our use is the LOG_TYPE_PACKET. For now we select the data type, read it in to adjust offset, and move on. idea - sort out and inject directly into mysql:snort for further sorting and analysis.. */ switch (ntohs(hdr.type)) { case LOG_TYPE_PACKET: bytes_read = file_read(&pr, 1, sizeof pr, wth->fh); if (bytes_read != sizeof pr) { *err = file_error(wth->fh); if (*err ==0 && bytes_read != 0) { *err = WTAP_ERR_SHORT_READ; } return FALSE; } wth->data_offset += sizeof pr; break; case LOG_TYPE_TCP_SESSION: bytes_read = file_read(&tsr, 1, sizeof tsr, wth->fh); if (bytes_read != sizeof tsr) { *err = file_error(wth->fh); if (*err ==0 && bytes_read != 0) { *err = WTAP_ERR_SHORT_READ; } return FALSE; } printf(">> SKIP TCP_SESSION <<\n\n"); wth->data_offset += sizeof tsr; break; case LOG_TYPE_UDP_SESSION: bytes_read = file_read(&usr, 1, sizeof usr, wth->fh); if (bytes_read != sizeof usr) { *err = file_error(wth->fh); if (*err ==0 && bytes_read != 0) { *err = WTAP_ERR_SHORT_READ; } return FALSE; } printf(">> SKIP UDP_SESSION << \n\n"); wth->data_offset += sizeof usr; break; case LOG_TYPE_IP_SESSION: bytes_read = file_read(&isr, 1, sizeof isr, wth->fh); if (bytes_read != sizeof isr) { *err = file_error(wth->fh); if (*err ==0 && bytes_read != 0) { *err = WTAP_ERR_SHORT_READ; } return FALSE; } printf(">> SKIP UDP_SESSION <<\n\n"); wth->data_offset += sizeof isr; break; case LOG_TYPE_XTND: bytes_read = file_read(&xr, 1, sizeof xr, wth->fh); if (bytes_read != sizeof xr) { *err = file_error(wth->fh); if (*err ==0 && bytes_read != 0) { *err = WTAP_ERR_SHORT_READ; } return FALSE; } printf(">> SKIP XTND_SESSION << \n\n"); wth->data_offset += sizeof xr; break; default: /* we should never get here */ *err = WTAP_ERR_UNSUPPORTED_ENCAP; printf("\n bad case in header type: %x \n", ntohs(hdr.type)); return FALSE; break; } /* we now know what type of packet we are dealing with. if it is not a LOG_TYPE_PACKET, check for padding and bail. if so, crunch along as usual. */ if ( (ntohs(hdr.type)) == LOG_TYPE_PACKET ) { printf("---------- sunscreen_read()\n"); printf("log type PACKET\n"); printf("pack len: %d\n", pr.pktlen); printf("save len: %d\n", pr.savelen); printf("time sec: %d\n", pr.time_sec); printf("time usec: %d:\n", pr.time_usec); printf("interface: %c\n", pr.intfc); printf("mac type: %d\n", pr.mac_type); printf("mac length: %d \n", pr.mac_length); printf("why: \n", pr.why); printf("----------\n"); printf("rec size: %d\t, orig size: %d\t, packet size: %d\n", hdr.length, pr.pktlen, pr.savelen); rec_size = ntohl(hdr.length); /* includes packet + descript + pad */ orig_size = ntohl(pr.pktlen); /* actual length of packet */ packet_size = ntohl(pr.savelen); /* saved length */ if (packet_size > WTAP_MAX_PACKET_SIZE) { /* * Probably a corrupt capture file; don't blow up trying * to allocate space for an immensely-large packet. */ g_message("sunscreen: File has %u-byte packet, bigger than maximum of %u", packet_size, WTAP_MAX_PACKET_SIZE); *err = WTAP_ERR_BAD_RECORD; return FALSE; } *data_offset = wth->data_offset; buffer_assure_space(wth->frame_buffer, packet_size); if (sunscreen_read_rec_data(wth->fh, buffer_start_ptr(wth->frame_buffer), packet_size, err) < 0) return FALSE; /* Read error */ wth->data_offset += packet_size; wth->phdr.ts.tv_sec = ntohl(pr.time_sec); wth->phdr.ts.tv_usec = ntohl(pr.time_usec); wth->phdr.caplen = packet_size; wth->phdr.len = orig_size; wth->phdr.pkt_encap = wth->file_encap; } /* end of LOG_TYPE_PACKET if */ /* * Skip over the padding (don't "fseek()", as the standard * I/O library on some platforms discards buffered data if * you do that, which means it does a lot more reads). * There's probably not much padding (it's probably padded only * to a 4-byte boundary), so we probably need only do one read. */ padbytes = ((sizeof hdr + packet_size) % 4); while (padbytes != 0) { bytes_to_read = padbytes; if (bytes_to_read > (int)sizeof padbuf) bytes_to_read = sizeof padbuf; errno = WTAP_ERR_CANT_READ; bytes_read = file_read(padbuf, 1, bytes_to_read, wth->fh); if (bytes_read != bytes_to_read) { *err = file_error(wth->fh); if (*err == 0) *err = WTAP_ERR_SHORT_READ; return FALSE; } wth->data_offset += bytes_read; padbytes -= bytes_read; } printf("caplen: %d, len: %d, offset: %d, padding: %d \n", wth->phdr.caplen,wth->phdr.len, wth->data_offset, padbytes); return TRUE; } static int sunscreen_seek_read(wtap *wth, int seek_off, union wtap_pseudo_header *pseudo_header, u_char *pd, int length) { int ret; int err; /* XXX - return this */ printf("sunscreen_seek_read\n"); file_seek(wth->random_fh, seek_off, SEEK_SET); if (wth->file_encap == WTAP_ENCAP_ATM_SNIFFER) { ret = sunscreen_read_atm_pseudoheader(wth->random_fh, pseudo_header, &err); if (ret < 0) { /* Read error */ printf("sunscreen seek read error\n"); return ret; } } /* * Read the packet data. */ printf("sunscreen seek read offset at %d", seek_off); return sunscreen_read_rec_data(wth->random_fh, pd, length, &err); } static int sunscreen_read_atm_pseudoheader(FILE_T fh, union wtap_pseudo_header *pseudo_header, int *err) { char atm_phdr[4]; int bytes_read; errno = WTAP_ERR_CANT_READ; bytes_read = file_read(atm_phdr, 1, 4, fh); if (bytes_read != 4) { *err = file_error(fh); if (*err == 0) *err = WTAP_ERR_SHORT_READ; return -1; } pseudo_header->ngsniffer_atm.channel = (atm_phdr[0] & 0x80) ? 1 : 0; pseudo_header->ngsniffer_atm.Vpi = atm_phdr[1]; pseudo_header->ngsniffer_atm.Vci = pntohs(&atm_phdr[2]); /* We don't have this information */ pseudo_header->ngsniffer_atm.cells = 0; pseudo_header->ngsniffer_atm.aal5t_u2u = 0; pseudo_header->ngsniffer_atm.aal5t_len = 0; pseudo_header->ngsniffer_atm.aal5t_chksum = 0; /* * Assume it's AAL5; we know nothing more about it. * * For what it's worth, in one "atmsnoop" capture, * the lower 7 bits of the first byte of the header * were 0x05 for ILMI traffic, 0x06 for Signalling * AAL traffic, and 0x02 for at least some RFC 1483-style * LLC multiplexed traffic. */ pseudo_header->ngsniffer_atm.AppTrafType = ATT_AAL5|ATT_HL_UNKNOWN; pseudo_header->ngsniffer_atm.AppHLType = AHLT_UNKNOWN; return 0; } static int sunscreen_read_rec_data(FILE_T fh, u_char *pd, int length, int *err) { int bytes_read; errno = WTAP_ERR_CANT_READ; bytes_read = file_read(pd, 1, length, fh); printf("sunscreen-read_rec_data: %d bytes read given %d\n", bytes_read, length); if (bytes_read != length) { *err = file_error(fh); if (*err == 0) *err = WTAP_ERR_SHORT_READ; return -1; } return 0; } static const int wtap_encap[] = { -1, /* WTAP_ENCAP_UNKNOWN -> unsupported */ 0x04, /* WTAP_ENCAP_ETHERNET -> DL_ETHER */ 0x02, /* WTAP_ENCAP_TOKEN_RING -> DL_TPR */ -1, /* WTAP_ENCAP_SLIP -> unsupported */ -1, /* WTAP_ENCAP_PPP -> unsupported */ 0x08, /* WTAP_ENCAP_FDDI -> DL_FDDI */ 0x08, /* WTAP_ENCAP_FDDI_BITSWAPPED -> DL_FDDI */ -1, /* WTAP_ENCAP_RAW_IP -> unsupported */ -1, /* WTAP_ENCAP_ARCNET -> unsupported */ -1, /* WTAP_ENCAP_ATM_RFC1483 -> unsupported */ -1, /* WTAP_ENCAP_LINUX_ATM_CLIP -> unsupported */ -1, /* WTAP_ENCAP_LAPB -> unsupported*/ -1, /* WTAP_ENCAP_ATM_SNIFFER -> unsupported */ 0 /* WTAP_ENCAP_NULL -> DLT_NULL */ }; #define NUM_WTAP_ENCAPS (sizeof wtap_encap / sizeof wtap_encap[0]) /* Returns 0 if we could write the specified encapsulation type, an error indication otherwise. */ int sunscreen_dump_can_write_encap(int filetype, int encap) { /* Per-packet encapsulations aren't supported. */ if (encap == WTAP_ENCAP_PER_PACKET) return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED; if (encap < 0 || encap >= (int)NUM_WTAP_ENCAPS || wtap_encap[encap] == -1 ) // if (encap < 0 || encap >= NUM_WTAP_ENCAPS || wtap_encap[encap] == -1) return WTAP_ERR_UNSUPPORTED_ENCAP; return 0; } /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on failure */ gboolean sunscreen_dump_open(wtap_dumper *wdh, int *err) { struct sunscreen_file_header file_hdr; int nwritten; /* This is a sunscreen file */ wdh->subtype_write = sunscreen_dump; wdh->subtype_close = NULL; printf("sunscreen_dump_open\n"); /* Write the file header. */ nwritten = fwrite(&LOGMAGIC, 1, sizeof LOGMAGIC, wdh->fh); if (nwritten != sizeof LOGMAGIC) { if (nwritten < 0) *err = errno; else *err = WTAP_ERR_SHORT_WRITE; return FALSE; } /* current sunscreen format is 3.x */ file_hdr.version = htonl(LOGFILE_VERSION); // file_hdr.network = htonl(wtap_encap[wdh->encap]); this may be a problem later ... nwritten = fwrite(&file_hdr, 1, sizeof file_hdr, wdh->fh); if (nwritten != sizeof file_hdr) { if (nwritten < 0) *err = errno; else *err = WTAP_ERR_SHORT_WRITE; return FALSE; } return TRUE; } /* Write a record for a packet to a dump file. Returns TRUE on success, FALSE on failure. */ static gboolean sunscreen_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr, const union wtap_pseudo_header *pseudo_header, const u_char *pd, int *err) { struct sunscreen_newdata_record rec_hdr; /* here we put the metawrapper around the screen_packet type */ int nwritten; int reclen; int padlen; static char zeroes[4]; /* Record length = header length plus data length... */ reclen = sizeof rec_hdr + phdr->caplen; /* ... plus enough bytes to pad it to a 4-byte boundary. */ padlen = ((reclen + 3) & ~3) - reclen; reclen += padlen; rec_hdr.orig_len = htonl(phdr->len); rec_hdr.include_len = htonl(phdr->caplen); rec_hdr.rec_len = htonl(reclen); rec_hdr.cum_drops = 0; rec_hdr.time_sec = htonl(phdr->ts.tv_sec); rec_hdr.time_usec = htonl(phdr->ts.tv_usec); nwritten = fwrite(&rec_hdr, 1, sizeof rec_hdr, wdh->fh); if (nwritten != sizeof rec_hdr) { if (nwritten < 0) *err = errno; else *err = WTAP_ERR_SHORT_WRITE; return FALSE; } printf(" --packet write start in sunscreen_dump--\n"); printf("packet orig len: %d\n", rec_hdr.orig_len); printf("packet include len: %d\n", rec_hdr.include_len); printf("packet record len: %d\n", rec_hdr.rec_len); printf("packet time sec: %d\n", rec_hdr.time_sec); printf("packet time usec: %d\n", rec_hdr.time_usec); printf("packet padlen: %d\n", padlen); printf(" --packet write end in sunscreen_dump--\n"); nwritten = fwrite(pd, 1, phdr->caplen, wdh->fh); if (nwritten != (int)phdr->caplen) { if (nwritten < 0) *err = errno; else *err = WTAP_ERR_SHORT_WRITE; return FALSE; } /* Now write the padding. */ nwritten = fwrite(zeroes, 1, padlen, wdh->fh); if (nwritten != padlen) { if (nwritten < 0) *err = errno; else *err = WTAP_ERR_SHORT_WRITE; return FALSE; } return TRUE; }