| blob | 5d610a083cc6777f283c8ee58c64d3ce210394f2 |
1 /*
2 * Copyright (c) 2003 Endace Technology Ltd, Hamilton, New Zealand.
3 * All rights reserved.
4 *
5 * This software and documentation has been developed by Endace Technology Ltd.
6 * along with the DAG PCI network capture cards. For further information please
7 * visit http://www.endace.com/.
8 *
9 * SPDX-License-Identifier: BSD-3-Clause
10 */
12 /*
13 * erf - Endace ERF (Extensible Record Format)
14 *
15 * Rev A:
16 * http://web.archive.org/web/20050829051042/http://www.endace.com/support/EndaceRecordFormat.pdf
17 * Version 1:
18 * http://web.archive.org/web/20061111014023/http://www.endace.com/support/EndaceRecordFormat.pdf
19 * Version 8:
20 * https://gitlab.com/wireshark/wireshark/uploads/f694bfee494784425b6545892180a8b2/Endace_ERF_Types.pdf
21 * (bug #4484)
22 * Current version (version 21, as of 2023-03-28):
23 * https://www.endace.com/erf-extensible-record-format-types.pdf
24 *
25 * Note that version 17 drops descriptions of records for no-longer-supported
26 * DAG cards. Version 16 is probably the best version to use for those
27 * older record types, but it's not in any obvious location in the Wayback
28 * Machine.
29 */
33 #include <stdlib.h>
34 #include <string.h>
36 #include <glib.h>
38 #include <wsutil/crc32.h>
39 #include <wsutil/strtoi.h>
40 #include <wsutil/glib-compat.h>
53 };
75 static int populate_summary_info(erf_t *erf_priv, wtap *wth, union wtap_pseudo_header *pseudo_header, Buffer *buf, uint32_t packet_size, GPtrArray *anchor_mappings_to_update, int *err, char **err_info);
76 static int erf_update_anchors_from_header(erf_t *erf_priv, wtap_rec *rec, union wtap_pseudo_header *pseudo_header, uint64_t host_id, GPtrArray *anchor_mappings_to_update);
77 static int erf_get_source_from_header(union wtap_pseudo_header *pseudo_header, uint64_t *host_id, uint8_t *source_id);
78 static int erf_populate_interface(erf_t* erf_priv, wtap *wth, union wtap_pseudo_header *pseudo_header, uint64_t host_id, uint8_t source_id, uint8_t if_num, int *err, char **err_info);
98 static bool erf_dump_priv_compare_capture_comment(wtap_dumper *wdh, erf_dump_t *dump_priv,const union wtap_pseudo_header *pseudo_header, const uint8_t *pd);
99 static bool erf_comment_to_sections(wtap_dumper *wdh, uint16_t section_type, uint16_t section_id, char *comment, GPtrArray *sections);
103 static bool erf_write_meta_record(wtap_dumper *wdh, erf_dump_t *dump_priv, uint64_t timestamp, GPtrArray *sections, GArray *extra_ehdrs, int *err);
116 { 99, WTAP_ENCAP_ERF }, /*this type added so WTAP_ENCAP_ERF will work and then be treated at ERF->ERF*/
117 };
119 #define NUM_ERF_ENCAPS (sizeof erf_to_wtap_map / sizeof erf_to_wtap_map[0])
121 #define ERF_META_TAG_HEADERLEN 4
122 #define ERF_META_TAG_TOTAL_ALIGNED_LENGTH(taglength) ((((uint32_t)taglength + 0x3U) & ~0x3U) + ERF_META_TAG_HEADERLEN)
123 #define ERF_META_TAG_ALIGNED_LENGTH(taglength) ((((uint32_t)taglength + 0x3U) & ~0x3U))
124 #define ERF_PADDING_TO_8(len) ((8 - len % 8) % 8)
136 };
144 /*here because we could have captures from multiple hosts in the file*/
151 };
158 };
164 };
180 };
182 static bool erf_wtap_blocks_to_erf_sections(wtap_block_t block, GPtrArray *sections, uint16_t section_type, uint16_t section_id, wtap_block_foreach_func func);
195 }
202 (anchor_map_a->anchor_id & ERF_EXT_HDR_TYPE_ANCHOR_ID) == (anchor_map_b->anchor_id & ERF_EXT_HDR_TYPE_ANCHOR_ID);
203 }
211 }
214 }
217 {
222 }
225 {
229 }
232 {
239 }
243 }
246 {
258 }
262 /* everything else 0 by g_malloc0*/
265 }
269 {
273 erf_priv->anchor_map = g_hash_table_new_full(erf_anchor_mapping_hash, erf_anchor_mapping_equal, erf_anchor_mapping_destroy, NULL);
274 erf_priv->if_map = g_hash_table_new_full(erf_if_mapping_hash, erf_if_mapping_equal, erf_if_mapping_destroy, NULL);
280 }
283 {
285 {
289 }
292 }
298 }
301 }
304 }
309 }
311 }
318 }
320 }
327 }
329 }
336 /* Write final metadata record. There are some corner cases where we should
337 * do this (file <1 second, last record was ERF_TYPE_META with an out of date
338 * comment) and there is no harm doing this always if we have already written
339 * some metadata. */
344 erf_comment_to_sections(wdh, ERF_META_SECTION_CAPTURE, 0, dump_priv->user_comment_ptr, dump_priv->periodic_sections);
346 /* If we get here, metadata record was not found in the first ~1 sec
347 * but we have either a capture comment or a non-ERF file (see
348 * erf_dump_open) */
350 }
351 }
353 if (!erf_write_meta_record(wdh, dump_priv, dump_priv->prev_frame_ts, dump_priv->periodic_sections, dump_priv->periodic_extra_ehdrs, err)) ret = false;
354 }
356 /* Clean up */
358 /* Avoid double freeing by setting it to NULL*/
363 }
365 static void
367 {
369 }
373 {
378 erf_header_t header;
389 /* number of records to scan before deciding if this really is ERF */
393 }
394 }
396 /*
397 * ERF is a little hard because there's no magic number; we look at
398 * the first few records and see if they look enough like ERF
399 * records.
400 */
406 /* EOF - all records have been successfully checked, accept the file */
408 }
410 /* ERF header too short accept the file,
411 only if the very first records have been successfully checked */
415 /* BREAK, the last record is too short, and will be ignored */
417 }
420 }
421 }
425 /* fail on invalid record type, invalid rlen, timestamps decreasing, or incrementing too far */
427 /* Test valid rlen >= 16 */
430 }
434 /*
435 * Probably a corrupt capture file or a file that's not an ERF file
436 * but that passed earlier tests.
437 */
439 }
441 /* Skip PAD records, timestamps may not be set */
445 /* A real error */
447 }
448 /* ERF record too short, accept the file,
449 only if the very first records have been successfully checked */
452 }
453 }
455 }
457 /* ERF Type 0 is reserved for ancient legacy records which are not supported, probably not ERF */
460 }
462 /* fail on decreasing timestamps */
464 /* reassembled AALx records may not be in time order, also records are not in strict time order between physical interfaces, so allow 1 sec fudge */
467 }
468 }
470 /* Check to see if timestamp increment is > 1 year */
473 }
477 /* Read over the extension headers */
482 /* Extension header missing, not an ERF file */
484 }
486 }
491 }
494 /* Read over MC or ETH subheader */
506 /* Subheader missing, not an ERF file */
508 }
510 }
521 /* Subheader missing, not an ERF file */
523 }
525 }
532 }
536 /* A real error */
538 }
539 /* ERF record too short, accept the file,
540 only if the very first records have been successfully checked */
543 }
544 }
552 }
554 /* This is an ERF file */
558 /*
559 * Use the encapsulation for ERF records.
560 */
571 }
573 /* Read the next packet */
576 {
577 erf_header_t erf_header;
588 anchor_mappings_to_update)) {
591 }
596 }
598 /*
599 * If Provenance metadata record, frame buffer could hold the meta erf tags.
600 * It can also contain per packet comments which can be associated to another
601 * frame.
602 */
604 {
605 if (populate_summary_info((erf_t*) wth->priv, wth, &rec->rec_header.packet_header.pseudo_header, buf, packet_size, anchor_mappings_to_update, err, err_info) < 0) {
608 }
609 }
616 }
621 {
622 erf_header_t erf_header;
636 }
643 }
648 {
650 host_id,
651 anchor_id,
653 NULL
654 };
658 }
662 }
672 {
693 }
696 }
701 /*
702 * Probably a corrupt capture file; don't blow up trying
703 * to allocate space for an immensely-large packet.
704 */
709 }
712 /* If this isn't a pad record, it's a corrupt packet; bail out */
718 }
719 }
721 {
724 /*if ((erf_header->type & 0x7f) != ERF_TYPE_META || wth->file_type_subtype != file_type_subtype_erf) {*/
727 /*
728 * XXX: ERF_TYPE_META records should ideally be FT_SPECIFIC for display
729 * purposes, but currently ft_specific_record_phdr clashes with erf_mc_phdr
730 * and the pcapng dumper assumes it is a pcapng block type. Ideally we
731 * would register a block handler with pcapng and write out the closest
732 * pcapng block, or a custom block/Provenance record.
733 *
734 */
735 #if 0
737 /*
738 * TODO: how to identify, distinguish and timestamp events?
739 * What to do about ENCAP_ERF in pcap/pcapng? Filetype dissector is
740 * chosen by wth->file_type_subtype?
741 */
742 /* For now just treat all Provenance records as reports */
745 /* XXX: phdr ft_specific_record_phdr? */
746 }
747 #endif
756 }
759 }
761 /* Copy the ERF pseudo header */
770 /* Copy the ERF extension header into the pseudo header */
785 /*
786 * XXX: Only want first Source ID and Host ID, and want to preserve HID n SID 0 (see
787 * erf_populate_interface)
788 */
795 /* Fall through */
797 /* Source ID is present in both Flow ID and Host ID extension headers */
802 /* handled below*/
804 }
805 i++;
806 }
808 interface_id = erf_populate_interface((erf_t*) wth->priv, wth, pseudo_header, host_id, source_id, if_num, err, err_info);
811 }
814 /* Try to find comment links using Anchor ID. Done here after we found the first Host ID and have updated the implicit Host ID. */
826 #if 0
827 {
830 }
832 #endif
884 /* unsupported, continue with default: */
886 /* let the dissector dissect as unknown record type for forwards compatibility */
888 }
890 {
894 }
897 /*
898 * Probably a corrupt capture file; don't blow up trying
899 * to allocate space for an immensely-large packet.
900 */
905 }
908 }
911 {
916 }
918 }
920 static bool erf_write_phdr(wtap_dumper *wdh, int encap, const union wtap_pseudo_header *pseudo_header, int * err)
921 {
960 memcpy(&erf_subhdr[0], &pseudo_header->erf.subhdr.eth_hdr, sizeof pseudo_header->erf.subhdr.eth_hdr);
965 }
970 }
974 /*write out up to MAX_ERF_EHDR extension headers*/
981 i++;
985 }
991 }
998 /* Convert TimeVal to ERF timestamp */
999 dump_priv->gen_time = ((real_time / G_USEC_PER_SEC) << 32) + ((real_time % G_USEC_PER_SEC) << 32) / 1000 / 1000;
1000 }
1005 wtap_opttype_e option_type _U_,
1029 }
1035 }
1039 wtap_opttype_e option_type _U_,
1063 }
1069 }
1073 wtap_opttype_e option_type _U_,
1107 /* convert to relative ERF timestamp */
1129 {
1137 }
1138 }
1146 /* TODO: Don't know what to do with these yet */
1148 #if 0
1154 #endif
1156 #if 0
1159 /*value same format as pcapng (6-byte canonical, padded by write
1160 * function automatically to 32-bit boundary)*/
1164 #endif
1167 /* Fall through */
1172 }
1178 }
1189 }
1190 }
1192 /**
1193 * @brief Converts a wtap_block_t block to ERF metadata sections
1194 * @param block a wtap_block_t block
1195 * @param sections pointer to a GPtrArray containing pointers to sections
1196 * @param section_type the pre-specified section_type
1197 * @param section_id Section ID to assign
1198 * @param func a wtap_block_foreach_func call back function to specify
1199 * what needs to be done on the block
1200 * @return true if success, false if failed
1201 */
1202 static bool erf_wtap_blocks_to_erf_sections(wtap_block_t block, GPtrArray *sections, uint16_t section_type, uint16_t section_id, wtap_block_foreach_func func) {
1206 }
1220 }
1227 /* we only need to pad up to 32 bits*/
1240 }
1244 }
1246 static bool erf_meta_write_section(wtap_dumper *wdh, struct erf_meta_section *section_ptr, int *err) {
1262 }
1266 }
1269 wtap_block_t block;
1273 erf_wtap_blocks_to_erf_sections(block, sections, ERF_META_SECTION_CAPTURE, 0, erf_write_wtap_option_to_capture_tag);
1276 erf_wtap_blocks_to_erf_sections(block, sections, ERF_META_SECTION_HOST, 0, erf_write_wtap_option_to_host_tag);
1278 /*TODO: support >4 interfaces by using more Source IDs. Affects more than this
1279 * function as need more metadata records. Just dump them all out for now. */
1282 erf_wtap_blocks_to_erf_sections(block, sections, ERF_META_SECTION_INTERFACE, (int16_t)i+1, erf_write_wtap_option_to_interface_tag);
1283 }
1286 }
1288 static bool erf_comment_to_sections(wtap_dumper *wdh _U_, uint16_t section_type, uint16_t section_id, char *comment, GPtrArray *sections){
1294 /* Generate the section */
1300 /* Generate the comment tag */
1303 /* XXX: if the comment has been cleared write the empty string (which
1304 * conveniently is all a zero length tag which means the value is
1305 * invalidated) */
1312 /* Generate username tag */
1318 }
1325 }
1328 return (((uint64_t)g_rand_int(dump_priv->rand) << 32) | (uint64_t)g_rand_int(dump_priv->rand)) >> 16;
1329 }
1339 }
1340 #define erf_host_id_ext_hdr(host_id, source_id) erf_metaid_ext_hdr(ERF_EXT_HDR_TYPE_HOST_ID, host_id, source_id)
1341 #define erf_anchor_id_ext_hdr(anchor_id, flags) erf_metaid_ext_hdr(ERF_EXT_HDR_TYPE_ANCHOR_ID, anchor_id, flags)
1343 static inline bool erf_add_ext_hdr_to_list(uint64_t ext_hdr, uint64_t comparison_mask, GArray *extra_ehdrs) {
1344 /* check for existing Host ID in set and add */
1360 /* Check if we already have this Host ID extension header */
1363 }
1364 }
1366 /* set more flag on last extension header */
1369 }
1375 }
1385 /* set more flag on last extension header */
1387 g_array_index(extra_ehdrs, struct erf_ehdr, extra_ehdrs->len - 1).ehdr |= ERF_EHDR_MORE_EXTHDR_MASK;
1388 }
1393 }
1395 static bool erf_update_host_id_ext_hdrs_list(erf_dump_t *dump_priv, const union wtap_pseudo_header *pseudo_header, GArray *extra_ehdrs) {
1420 /* Don't add the wireshark Host ID Source ID 0 twice since we already add it to metadata records */
1425 /* XXX: Take the opportunity to update the implicit Host ID if we
1426 * don't know it yet. Ideally we should pass this through from the
1427 * reader as a custom option or similar. */
1431 }
1432 }
1433 }
1441 }
1444 i++;
1445 }
1447 /* Add Source ID with implicit Host ID if not found */
1449 uint64_t implicit_host_id = dump_priv->implicit_host_id == ERF_META_HOST_ID_IMPLICIT ? 0 : dump_priv->implicit_host_id;
1450 /* Don't add the wireshark Host ID Source ID 0 twice since we already add it to metadata records */
1452 if (!erf_add_ext_hdr_to_list(erf_host_id_ext_hdr(implicit_host_id, source_id), 0, extra_ehdrs)) return false;
1453 }
1456 }
1458 /**
1459 * Writes a metadata record with a randomly generated Anchor ID with the
1460 * user comment attached to its comment section, also updates the
1461 * modified frame header to include a Host ID extension header and
1462 * a Anchor ID extension header to link the records together.
1463 * @param wdh the wtap_dumper structure
1464 * @param dump_priv private data for the dump stream
1465 * @param rec record metadata from which to get user comment
1466 * @param mutable_hdr pseudo_header to update with Anchor ID for comment record
1467 * @param err the error value
1468 * @return A bool value to indicate whether the dump was successful
1469 */
1470 static bool erf_write_anchor_meta_update_phdr(wtap_dumper *wdh, erf_dump_t *dump_priv, const wtap_rec *rec, union wtap_pseudo_header *mutable_hdr, int *err) {
1488 uint64_t implicit_host_id = dump_priv->implicit_host_id == ERF_META_HOST_ID_IMPLICIT ? 0 : dump_priv->implicit_host_id;
1492 /*
1493 * There are 3 possible scenarios:
1494 * a. The record has a source Host ID but not our Host ID. We need to add our
1495 * Host ID extension header then our Anchor ID extension header.
1496 * b. The record already has our Host ID extension header on it. We should
1497 * insert the Anchor ID at the end of the list for that Host ID just
1498 * before the next Host ID extension header.
1499 * c. The record has no Host ID extension header at all. We need to add the Host ID
1500 * extension header making the Implicit Host ID explicit before we add our
1501 * one to avoid claiming the packet was captured by us.
1502 */
1504 /*
1505 * Extract information from the packet extension header stack
1506 * 1. original source Host ID extension header.
1507 * 2. Anchor ID extension header insertion point (see b., above).
1508 * 3. Flow ID extension header so we can add it for reference to the metadata
1509 * record.
1510 * 4. Enough information to generate an explicit Host ID extension header if
1511 * there wasn't one (see erf_get_source_from_header).
1512 */
1522 /* Set insertion point of anchor ID to be at end of Host ID list (i.e.
1523 * just before the next one). */
1529 }
1538 /*XXX: we only use this when making the implicit host id explicit,
1539 * otherwise we'd need to check the one in Host ID header too*/
1548 }
1552 }
1559 /* Don't need to add our own Host ID twice if it is the same as the implicit*/
1562 }
1564 /*
1565 * Update the packet record pseudo_header with Anchor ID and extension header(s)
1566 */
1571 /* Not enough extension header slots to add Anchor ID */
1574 }
1578 /* Set the more extension headers flag */
1582 }
1584 /* Generate the Anchor ID extension header */
1587 /* Either we can insert Anchor ID at the end of the list for our Host ID or we
1588 * need to append the Host ID(s) and Anchor ID */
1590 /* shuffle up any following extension headers FIRST - we know we have room now */
1593 }
1595 /* copy more extension headers bit from previous extension header */
1597 }
1600 /* No Host ID extension header found and we have an implicit Host ID which
1601 * we want to make explicit */
1603 /* XXX: it is important that we know the implicit Host ID here or we end
1604 * up semi-permentantly associating the packet with Host 0 (unknown), we should
1605 * pass it through from the reader. In theory we should be on the
1606 * original capture machine if we have no Host ID extension headers. */
1609 }
1612 /* Add our Host ID extension header */
1614 }
1616 /*Add the Anchor ID extension header */
1620 /*
1621 * Now construct the metadata Anchor record with the same Anchor ID
1622 */
1626 /* We need up to 4 extension headers on the Provenance metadata record */
1627 /*Required*/
1628 /* 1. Added by erf_write_meta_record: HostID exthdr to indicate this Anchor
1629 * record was generated by this host. Source ID 0 to avoid changing the
1630 * implicit Host ID. */
1632 /* 2. AnchorID exthdr with 'unique' per-host Anchor ID assigned by this host
1633 * (in this case Wireshark). Anchor definition flag set to 1 to indicate this
1634 * record contains a definition of the ID, in this case a comment on a single
1635 * packet. Tied to above extension header by ordering like a list */
1638 /*Helpful for indexing*/
1639 /* 3. HostID exthdr with the original Source (first Host ID extension header) of the packet record */
1642 /* Flow ID extension header from the packet record if we have one */
1644 /* 4. FlowID exthdr with Flow ID from the packet so a flow search will find the comment
1645 * record too. Must come here so the (redundant here) Source ID is scoped to the
1646 * correct Host ID. */
1647 /* Clear the stack type just in case something tries to assume we're an IP
1648 * packet without looking at the ERF type. Clear Source ID too just in case
1649 * we're trying to associate with the wrong Host ID. */
1650 erf_append_ext_hdr_to_list(flow_id_hdr & ~(ERF_EHDR_FLOW_ID_STACK_TYPE_MASK|ERF_EHDR_FLOW_ID_SOURCE_ID_MASK), meta_ehdrs);
1651 }
1653 /* Generate the metadata payload with the packet comment */
1654 /* XXX - can ERF have more than one comment? */
1656 if (WTAP_OPTTYPE_SUCCESS != wtap_block_get_nth_string_option_value(rec->block, OPT_COMMENT, 0, &pkt_comment)) {
1658 }
1659 erf_comment_to_sections(wdh, ERF_META_SECTION_INFO, 0x8000 /*local to record*/, pkt_comment, sections);
1661 /* Write the metadata record, but not the packet record as what we do depends
1662 * on the WTAP_ENCAP */
1663 ret = erf_write_meta_record(wdh, dump_priv, mutable_hdr->erf.phdr.ts, sections, meta_ehdrs, err);
1668 }
1670 static bool erf_write_meta_record(wtap_dumper *wdh, erf_dump_t *dump_priv, uint64_t timestamp, GPtrArray *sections, GArray *extra_ehdrs, int *err) {
1686 }
1695 /*
1696 * These will be appended to the first extension header in
1697 * other_header.erf.ehdr_list. There are a total of MAX_ERF_EHDR
1698 * extension headers in that array, so we can append no more than
1699 * MAX_ERF_EHDR - 1 extension headeers.
1700 */
1703 }
1704 /*padding to 8 byte alignment*/
1710 }
1718 /*Add our Host ID in Host ID extension header indicating we generated this
1719 * record. Source ID 0 to avoid affecting implicit Host ID. */
1721 /*Additional extension headers*/
1722 /*XXX: If we end up cutting the list short, erf_write_phdr will correct the
1723 * unterminated extension header list*/
1726 memcpy(&other_header.erf.ehdr_list[1], extra_ehdrs->data, sizeof(struct erf_ehdr) * num_extra_ehdrs);
1727 }
1729 /* Make sure we always write out rlen, regardless of what happens */
1734 /* Generation time */
1737 /* Section(s) */
1741 }
1745 }
1747 /* We wrote new packets, reloading is required */
1752 }
1773 }
1781 {
1791 /* Host ID extension header with Host ID 0 (unknown). For now use Source ID 1. */
1792 /* TODO: How to know if record was captured by this Wireshark? */
1795 /* Don't write anything bigger than we're willing to read. */
1799 }
1804 }
1806 /*
1807 * ERF doesn't have a per-file encapsulation type, and it
1808 * doesn't have a pcapng-style notion of interfaces that
1809 * support a per-interface encapsulation type. Therefore,
1810 * we can just use this particular packet's encapsulation
1811 * without checking whether it's the encapsulation for the
1812 * dump file (as there isn't an encapsulation for an ERF
1813 * file, unless you count WTAP_ENCAP_ERF as the encapsulation
1814 * for all files, but we add ERF metadata if a packet is
1815 * written with an encapsulation other than WTAP_ENCAP_ERF).
1816 *
1817 * We will check whether the encapsulation is something we
1818 * support later.
1819 */
1824 /* Non-ERF encapsulation; generate ERF metadata */
1829 /* We can only convert packet records. */
1833 }
1839 }
1841 /* Generate a fake header in other_phdr using data that we know*/
1843 /* Convert time erf timestamp format*/
1844 other_phdr.erf.phdr.ts = ((uint64_t) rec->ts.secs << 32) + (((uint64_t) rec->ts.nsecs <<32) / 1000 / 1000 / 1000);
1846 /* Support up to 4 interfaces */
1847 /* TODO: use multiple Source IDs and metadata records to support >4 interfaces */
1849 other_phdr.erf.phdr.flags |= 0x4; /*vlen flag set because we're creating variable length records*/
1853 /*now we work out rlen, accounting for all the different headers and missing fcs(eth)*/
1858 /* Either this packet doesn't include the FCS
1859 (pseudo_header->eth.fcs_len = 0), or we don't
1860 know whether it has an FCS (= -1). We have to
1861 synthesize an FCS.*/
1862 if(!(rec->rec_header.packet_header.caplen < rec->rec_header.packet_header.len)){ /*don't add FCS if packet has been snapped off*/
1867 }
1868 }
1871 /*we assume that it's missing a FCS checksum, make one up*/
1872 if(!(rec->rec_header.packet_header.caplen < rec->rec_header.packet_header.len)){ /*unless of course, the packet has been snapped off*/
1877 }
1881 }
1883 /* Add Host ID extension header with Host ID 0 (unknown). For now use Source ID 1. */
1889 if(rec->rec_header.packet_header.caplen < rec->rec_header.packet_header.len){ /*if packet has been snapped, we need to round down what we output*/
1894 }
1899 }
1906 // Update timestamp if changed.
1918 }
1922 other_phdr.erf.phdr.ts = ((uint64_t) rec->ts.secs << 32) + (((uint64_t) rec->ts.nsecs <<32) / 1000 / 1000 / 1000);
1924 }
1925 }
1927 /* We now have a (real or fake) ERF record */
1930 /* Accumulate Host ID/Source ID to put in updated periodic metadata */
1931 /* TODO: pass these through from read interface list instead? */
1932 /* Note: this includes the one we made for the fake ERF header */
1935 /* Insert new metadata record depending on whether the capture comment has
1936 * changed. Write metadata each second at boundaries. If there is metadata
1937 * write at the end of each of metadata records so we update the metadata. */
1939 /* Check whether the capture comment string has changed */
1940 /* Updates write_next_extra_meta */
1941 dump_priv->last_meta_periodic = erf_dump_priv_compare_capture_comment(wdh, dump_priv, pseudo_header, pd);
1944 /* Last frame was a periodic (non-comment) metadata record (and this frame is not), check if we
1945 * need to insert one to update metadata. */
1949 /* If we've seen metadata just insert the capture comment and not the
1950 * rest of the metadata */
1952 erf_comment_to_sections(wdh, ERF_META_SECTION_CAPTURE, 0, dump_priv->user_comment_ptr, dump_priv->periodic_sections);
1953 }
1955 if (!erf_write_meta_record(wdh, dump_priv, dump_priv->prev_frame_ts, dump_priv->periodic_sections, dump_priv->periodic_extra_ehdrs, err)) return false;
1957 /*TODO: clear accumulated existing extension headers here?*/
1958 }
1960 /* If we have seen a metadata record in the first ~1 second it
1961 * means that we are dealing with an ERF file with metadata already in them.
1962 * We don't want to write extra metadata if nothing has changed. We can't
1963 * trust the Wireshark representation since we massage the fields on
1964 * read. */
1965 /* restart searching for next meta record to update capture comment at */
1969 /* For compatibility, don't insert metadata for older ERF files with no changed metadata */
1972 /* If we get here, metadata record was not found in the first ~1 sec
1973 * but we have either a capture comment or a non-ERF file (see
1974 * erf_dump_open) */
1975 /* Start inserting metadata records from wtap data at second boundaries */
1978 }
1979 }
1981 /* At second boundaries insert either the updated comment (if we've seen some metadata records
1982 * already) or the full metadata */
1984 if (!erf_write_meta_record(wdh, dump_priv, (uint64_t)(rec->ts.secs) << 32, dump_priv->periodic_sections, dump_priv->periodic_extra_ehdrs, err)) return false;
1986 }
1987 }
1988 }
1990 /* If the packet user comment has changed, we need to
1991 * construct a new header with additional Host ID and Anchor ID
1992 * and insert a metadata record before that frame */
1993 /*XXX: The user may have changed the comment to cleared! */
1996 /* XXX: What about ERF-in-pcapng with existing comment (that wasn't
1997 * modified)? */
2002 }
2004 /* Always write the comment if non-ERF */
2006 }
2007 }
2009 /* Make sure we always write out rlen, regardless of what happens */
2014 if(!wtap_dump_file_write(wdh, pd, rec->rec_header.packet_header.caplen - round_down, err)) return false;
2016 /*add the 4 byte CRC if necessary*/
2019 }
2021 /*XXX: In the case of ENCAP_ERF, this pads the record to its original length, which is fine in most
2022 * cases. However with >MAX_ERF_EHDR unnecessary padding will be added, and
2023 * if the record was truncated this will be incorrectly treated as payload.
2024 * More than 8 extension headers is unusual though, only the first 8 are
2025 * written out anyway and fixing properly would require major refactor.*/
2026 /*records should be 8byte aligned, so we add padding to our calculated rlen */
2029 }
2035 }
2038 {
2047 }
2050 {
2062 /* Get the first capture comment string */
2064 /* Save a copy of it */
2066 /* XXX: If we have a capture comment or a non-ERF file assume we need to
2067 * write metadata unless we see existing metadata in the first second. */
2071 /* Read Host ID from environment variable */
2072 /* TODO: generate one from MAC address? */
2074 /* TODO: support both decimal and hex strings (base 0)? */
2077 }
2078 }
2081 }
2083 static int erf_get_source_from_header(union wtap_pseudo_header *pseudo_header, uint64_t *host_id, uint8_t *source_id)
2084 {
2103 /*
2104 * XXX: Only want first Source ID and Host ID, and want to preserve HID n SID 0 (see
2105 * erf_populate_interface)
2106 */
2113 /* Fall through */
2118 }
2125 }
2128 }
2130 int erf_populate_interface_from_header(erf_t *erf_priv, wtap *wth, union wtap_pseudo_header *pseudo_header, int *err, char **err_info)
2131 {
2143 return erf_populate_interface(erf_priv, wth, pseudo_header, host_id, source_id, if_num, err, err_info);
2144 }
2146 static struct erf_if_mapping* erf_find_interface_mapping(erf_t *erf_priv, uint64_t host_id, uint8_t source_id)
2147 {
2150 /* XXX: erf_priv should never be NULL here */
2158 }
2160 static void erf_set_interface_descr(wtap_block_t block, unsigned option_id, uint64_t host_id, uint8_t source_id, uint8_t if_num, const char *descr)
2161 {
2162 /* Source XXX,*/
2164 /* Host XXXXXXXXXXXX,*/
2170 /* Implicit Host ID defaults to 0 */
2173 }
2177 }
2181 }
2184 wtap_block_set_string_option_value_format(block, option_id, "%s (ERF%s%s Interface %d)", descr, hostid_buf, sourceid_buf, if_num);
2186 wtap_block_set_string_option_value_format(block, option_id, "Port %c (ERF%s%s Interface %d)", 'A'+if_num, hostid_buf, sourceid_buf, if_num);
2187 }
2188 }
2190 static int erf_update_anchors_from_header(erf_t *erf_priv, wtap_rec *rec, union wtap_pseudo_header *pseudo_header, uint64_t host_id, GPtrArray *anchor_mappings_to_update)
2191 {
2204 /* Start with the first Host ID that was found on the record
2205 * as the Anchor ID isn't required to be the first extension header' */
2220 {
2223 /*
2224 * Anchor definition flag is 0, attempt to associate a comment with this record
2225 * XXX: currently the comment count may be wrong on the first pass!
2226 */
2227 /* We may not have found the implicit Host ID yet, if so we are unlikely to find anything */
2232 /* XXX: we might have a comment that clears the comment (i.e.
2233 * empty string)! */
2236 }
2238 }
2239 }
2240 }
2243 /*
2244 * Anchor definition flag is 1, put the mapping in an array
2245 * which we will later update when we walk through
2246 * the metadata tags
2247 */
2248 /* Only Provenance record can contain the information we need */
2251 /* May be ERF_META_HOST_ID_IMPLICIT */
2255 }
2256 }
2258 }
2259 }
2263 }
2267 }
2270 }
2272 /**
2273 * @brief Update the implicit Host ID and Anchor Mapping information
2274 */
2276 {
2277 GHashTableIter iter;
2281 wtap_block_t int_data;
2296 /*
2297 * We need to update the descriptions of all the interfaces with no Host
2298 * ID to the correct Host ID.
2299 */
2302 /* Remove the implicit mappings from the mapping table */
2307 /* Check we don't have an existing interface that matches */
2311 /* Pull mapping for update */
2312 /* XXX: Can't add while iterating hash table so use list instead */
2316 /*
2317 * XXX: We have duplicate interfaces in this case, but not much else we
2318 * can do since we have already dissected the earlier packets. Expected
2319 * to be unusual as it reqires a mix of explicit and implicit Host ID
2320 * (e.g. FlowID extension header only) packets with the same effective
2321 * Host ID before the first ERF_TYPE_META record.
2322 */
2324 /*
2325 * Update the description of the ERF_META_HOST_ID_IMPLICIT interface(s)
2326 * for the first records in one pass mode. In 2 pass mode (Wireshark
2327 * initial open, TShark in 2 pass mode) we will update the interface
2328 * mapping for the frames on the second pass. Relatively consistent
2329 * with the dissector behaviour.
2330 *
2331 * TODO: Can we delete this interface on the second (or even first)
2332 * pass? Should we try to merge in other metadata?
2333 * Needs a wtap_block_copy() that supports overwriting and/or expose
2334 * custom option copy and do with wtap_block_foreach_option().
2335 */
2340 /* XXX: this is a pointer! */
2353 erf_set_interface_descr(int_data, OPT_IDB_NAME, implicit_host_id, if_map->source_id, (uint8_t) i, if_info->name);
2354 erf_set_interface_descr(int_data, OPT_IDB_DESCRIPTION, implicit_host_id, if_map->source_id, (uint8_t) i, if_info->descr);
2355 }
2356 }
2357 }
2358 }
2359 }
2361 /* Re-add the non-clashing items under the real implicit Host ID */
2371 /* XXX: this is a pointer! */
2373 erf_set_interface_descr(int_data, OPT_IDB_NAME, implicit_host_id, if_map->source_id, (uint8_t) i, if_info->name);
2374 erf_set_interface_descr(int_data, OPT_IDB_DESCRIPTION, implicit_host_id, if_map->source_id, (uint8_t) i, if_info->descr);
2375 }
2376 }
2379 /* g_hash_table_add() only exists since 2.32. */
2385 }
2387 /*
2388 * We also need to update the anchor comment mappings
2389 * to the correct Host ID.
2390 */
2393 /* Remove the implicit mappings from the mapping table */
2398 /* Check we don't have an existing anchor that matches */
2403 /*
2404 * XXX: Duplicate entry of anchor mapping, keep the one with newer
2405 * gen_time.
2406 */
2409 /* Pull mapping for update */
2410 /* XXX: Can't add while iterating hash table so use list instead */
2413 /* existing entry (if any) will be removed by g_hash_table_replace */
2414 }
2415 }
2416 }
2418 /* Re-add the non-clashing items under the real implicit Host ID */
2429 }
2432 }
2434 static int erf_populate_interface(erf_t *erf_priv, wtap *wth, union wtap_pseudo_header *pseudo_header, uint64_t host_id, uint8_t source_id, uint8_t if_num, int *err, char **err_info)
2435 {
2436 wtap_block_t int_data;
2444 }
2449 }
2454 }
2460 }
2463 /* Defaults to ERF_META_HOST_ID_IMPLICIT so we can update mapping later */
2466 /*
2467 * XXX: We assume there is only one Implicit Host ID. As a special case a first
2468 * Host ID extension header with Source ID 0 on a record does not change
2469 * the implicit Host ID. We respect this even though we support only one
2470 * Implicit Host ID.
2471 */
2474 }
2475 }
2481 /* g_hash_table_add() only exists since 2.32. */
2484 }
2486 /* Return the existing interface if we have it */
2489 }
2495 /* int_data.time_units_per_second = (1LL<<32); ERF format resolution is 2^-32, capture resolution is unknown */
2496 int_data_mand->time_units_per_second = 1000000000; /* XXX Since Wireshark only supports down to nanosecond resolution we have to dilute to this */
2500 /* XXX: if_IPv4addr opt 4 Interface network address and netmask.*/
2501 /* XXX: if_IPv6addr opt 5 Interface network address and prefix length (stored in the last byte).*/
2502 /* XXX: if_MACaddr opt 6 Interface Hardware MAC address (48 bits).*/
2503 /* XXX: if_EUIaddr opt 7 Interface Hardware EUI address (64 bits)*/
2504 /* XXX: if_speed opt 8 Interface speed (in bits per second)*/
2505 /* int_data.if_tsresol = 0xa0; ERF format resolution is 2^-32 = 0xa0, capture resolution is unknown */
2506 wtap_block_add_uint8_option(int_data, OPT_IDB_TSRESOL, 0x09); /* XXX Since Wireshark only supports down to nanosecond resolution we have to dilute to this */
2507 /* XXX: if_tzone 10 Time zone for GMT support (TODO: specify better). */
2508 /* XXX if_tsoffset; opt 14 A 64 bits integer value that specifies an offset (in seconds)...*/
2509 /* Interface statistics */
2520 }
2522 static uint32_t erf_meta_read_tag(struct erf_meta_tag* tag, uint8_t *tag_ptr, uint32_t remaining_len)
2523 {
2531 /* tagtype (2 bytes) */
2534 /* length (2 bytes) */
2541 }
2548 }
2550 static int populate_capture_host_info(erf_t *erf_priv, wtap *wth, union wtap_pseudo_header *pseudo_header _U_, struct erf_meta_read_state *state, int *err, char **err_info)
2551 {
2554 wtap_block_t shb_hdr;
2568 }
2573 }
2576 *err_info = ws_strdup_printf("erf: populate_capture_host_info called with wth->shb_hdrs NULL");
2578 }
2581 *err_info = ws_strdup_printf("erf: populate_capture_host_info called with wth->shb_hdrs->len 0");
2583 }
2585 /* XXX: wth->shb_hdr is already created by different layer, using directly for now. */
2586 /* XXX: Only one section header is supported at this time */
2589 while ((tagtotallength = erf_meta_read_tag(&tag, state->tag_ptr, state->remaining_len)) && !ERF_META_IS_SECTION(tag.type)) {
2592 {
2595 }
2599 {
2601 /*XXX: hack to make changing capture comment work since Wireshark only
2602 * displays one. For now just overwrite the comment as we won't
2603 * pick up all of them yet due to the gen_time check above */
2604 if (wtap_block_get_nth_string_option_value(shb_hdr, OPT_COMMENT, 0, &existing_comment) == WTAP_OPTTYPE_SUCCESS) {
2608 }
2610 }
2611 }
2612 }
2613 /* Fall through */
2615 {
2618 }
2644 /* TODO: dag_version? */
2645 /* TODO: could concatenate comment(s)? */
2652 }
2653 }
2655 }
2659 }
2661 /* Post processing */
2664 /*
2665 * If we have no app_name, we use "(Unknown applicaton)".
2666 *
2667 * If we have no app_version, this will just use app_name.
2668 */
2677 }
2679 /* For the hardware field show description followed by (model; cpu) */
2680 /* Build "Model; CPU" part */
2682 /* g_strjoin() would be nice to use here if the API didn't stop on the first NULL... */
2687 /* avoid double-free */
2691 /* avoid double-free */
2693 }
2694 }
2696 /* Combine into "Description (Model; CPU)" */
2699 wtap_block_set_string_option_value_format(shb_hdr, OPT_SHB_HARDWARE, "%s (%s)", descr, modelcpu);
2702 /*descr = NULL;*/
2703 }
2706 /*modelcpu = NULL;*/
2707 }
2709 /* Free the fields we didn't end up using */
2719 }
2722 }
2724 static int populate_module_info(erf_t *erf_priv _U_, wtap *wth, union wtap_pseudo_header *pseudo_header _U_, struct erf_meta_read_state *state, int *err, char **err_info)
2725 {
2734 }
2739 }
2743 }
2745 while ((tagtotallength = erf_meta_read_tag(&tag, state->tag_ptr, state->remaining_len)) && !ERF_META_IS_SECTION(tag.type)) {
2750 }
2753 /* XXX: this is generally per stream */
2756 }
2762 }
2766 }
2771 }
2773 static int populate_interface_info(erf_t *erf_priv, wtap *wth, union wtap_pseudo_header *pseudo_header, struct erf_meta_read_state *state, int *err, char **err_info)
2774 {
2780 if_filter_opt_t if_filter;
2788 }
2793 }
2798 }
2803 }
2805 /* Section ID of interface is defined to match ERF interface id. */
2807 /*
2808 * Get or create the interface (there can be multiple interfaces in
2809 * a Provenance record).
2810 */
2815 /* Check if the interface information is still uninitialized */
2820 /* First iterate tags, checking we aren't looking at a timing port */
2821 /*
2822 * XXX: we deliberately only do this logic here rather than the per-packet
2823 * population function so that if somehow we do see packets for an
2824 * 'invalid' port the interface will be created at that time.
2825 */
2826 while ((tagtotallength = erf_meta_read_tag(&tag, tag_ptr_tmp, remaining_len_tmp)) && !ERF_META_IS_SECTION(tag.type)) {
2829 /* This is a timing port, skip it from now on */
2830 /* XXX: should we skip all non-capture ports instead? */
2834 }
2838 }
2839 }
2843 }
2845 /* If the interface is valid but uninitialized, create it */
2847 interface_index = erf_populate_interface(erf_priv, wth, pseudo_header, state->if_map->host_id, state->if_map->source_id, (uint8_t) if_num, err, err_info);
2850 }
2851 }
2852 }
2854 /* Get the wiretap interface metadata */
2859 /* timing/unknown port */
2863 *err_info = ws_strdup_printf("erf: populate_interface_info got interface_index %d < 0 and != -2", interface_index);
2865 }
2866 }
2868 /*
2869 * Bail if already have interface metadata or no interface to associate with.
2870 * We also don't support metadata for >ERF_MAX_INTERFACES interfaces per Host + Source
2871 * as we only use interface ID.
2872 */
2876 if (state->if_map->interface_gentime > state->gen_time && state->if_map->interface_metadata & (1 << if_num))
2879 while ((tagtotallength = erf_meta_read_tag(&tag, state->tag_ptr, state->remaining_len)) && !ERF_META_IS_SECTION(tag.type)) {
2882 /* TODO: fall back to module "dev_name Port N"? */
2885 erf_set_interface_descr(int_data, OPT_IDB_NAME, state->if_map->host_id, state->if_map->source_id, (uint8_t) if_num, if_info->name);
2887 /* If we have no description, also copy to wtap if_description */
2889 erf_set_interface_descr(int_data, OPT_IDB_DESCRIPTION, state->if_map->host_id, state->if_map->source_id, (uint8_t) if_num, if_info->name);
2890 }
2891 }
2896 erf_set_interface_descr(int_data, OPT_IDB_DESCRIPTION, state->if_map->host_id, state->if_map->source_id, (uint8_t) if_num, if_info->descr);
2898 /* If we have no name, also copy to wtap if_name */
2900 erf_set_interface_descr(int_data, OPT_IDB_NAME, state->if_map->host_id, state->if_map->source_id, (uint8_t) if_num, if_info->descr);
2901 }
2902 }
2909 /*
2910 * XXX: We ignore this as Section ID must match the ERF ifid and
2911 * that is all we care about/have space for at the moment. if_num
2912 * is only really useful with >ERF_MAX_INTERFACES interfaces.
2913 */
2914 /* TODO: might want to put this number in description */
2920 }
2923 /* XXX: this generally per stream */
2927 }
2941 }
2945 }
2947 /* Post processing */
2948 /*
2949 * XXX: Assumes module defined first. It is higher in hierarchy so only set
2950 * if not already.
2951 */
2953 /*
2954 * XXX: Missing exposed existence/type-check. No way currently to check if
2955 * been set in the optionblock.
2956 */
2959 /* Duplicate because might use with multiple interfaces */
2963 /*
2964 * Don't set flag because stream is more specific than module.
2965 */
2967 /* TODO: display separately? Note that we could have multiple captures
2968 * from multiple hosts in the file */
2972 }
2973 }
2976 wtap_block_add_uint8_option(int_data, OPT_IDB_FCSLEN, (uint8_t) state->if_map->module_fcs_len);
2978 }
2983 }
2988 }
2990 static int populate_stream_info(erf_t *erf_priv _U_, wtap *wth, union wtap_pseudo_header *pseudo_header, struct erf_meta_read_state *state, int *err, char **err_info)
2991 {
2997 if_filter_opt_t if_filter;
3008 }
3013 }
3018 }
3023 }
3028 /*
3029 * XXX: We ignore parent section ID because it doesn't represent the
3030 * many-to-many relationship of interfaces and streams very well. The stream is
3031 * associated with all interfaces in the record that don't have a stream_num
3032 * that says otherwise.
3033 */
3036 /* Section ID of stream is supposed to match stream_num. */
3039 /* First iterate tags, looking for the stream number interfaces might associate with. */
3040 while ((tagtotallength = erf_meta_read_tag(&tag, tag_ptr_tmp, remaining_len_tmp)) && !ERF_META_IS_SECTION(tag.type)) {
3044 }
3045 }
3049 }
3050 }
3051 /* Otherwise assume the stream applies to all interfaces in the record */
3058 /* Check if we should be handling this interface */
3059 /* XXX: currently skips interfaces that are not in the record. */
3063 }
3068 }
3071 /* Get the wiretap interface metadata */
3075 }
3079 }
3081 while ((tagtotallength = erf_meta_read_tag(&tag, tag_ptr_tmp, remaining_len_tmp)) && !ERF_META_IS_SECTION(tag.type)) {
3085 /* Use the largest fcslen of matching streams */
3092 /* We already have an FCS length option; update it. */
3096 }
3100 /* We don't have an FCS length option; add it. */
3106 /* "shouldn't happen" */
3108 }
3109 }
3113 /* Use the largest snaplen of matching streams */
3119 }
3120 }
3123 /* Override only if not set */
3130 }
3134 }
3138 }
3139 }
3144 }
3146 static int populate_anchor_info(erf_t *erf_priv, wtap *wth, union wtap_pseudo_header *pseudo_header, struct erf_meta_read_state *state, GPtrArray *anchor_mappings_to_update, int *err, char **err_info) {
3156 }
3161 }
3166 }
3171 while ((tagtotallength = erf_meta_read_tag(&tag, state->tag_ptr, state->remaining_len)) && !ERF_META_IS_SECTION(tag.type)) {
3172 /* XXX:Always gets the first comment tag in the section */
3177 }
3181 }
3185 }
3193 lookup_result = (struct erf_anchor_mapping*)g_hash_table_lookup(erf_priv->anchor_map, mapping);
3195 /* Use the most recent comment, across all anchors associated with the
3196 * record. */
3202 }
3203 }
3205 /* !lookup_result */
3213 }
3214 }
3215 }
3220 }
3222 /* Populates the capture and interface information for display on the Capture File Properties */
3223 static int populate_summary_info(erf_t *erf_priv, wtap *wth, union wtap_pseudo_header *pseudo_header, Buffer *buf, uint32_t packet_size, GPtrArray *anchor_mappings_to_update, int *err, char **err_info)
3224 {
3239 }
3244 }
3249 }
3255 }
3261 /* g_hash_table_add() only exists since 2.32. */
3264 }
3270 /* Read until see next section tag */
3272 /*
3273 * Obtain the gen_time from the non-section at the beginning of the record
3274 */
3278 ) {
3281 /*
3282 * Since wireshark doesn't have a concept of different summary metadata
3283 * over time, skip the record if metadata is older than what we already have.
3284 */
3285 /* TODO: This doesn't work very well for some tags that map to
3286 * pcapng options where the pcapng specification only allows one
3287 * instance per block, which is the case for most options. The
3288 * only current exxceptions are:
3289 *
3290 * comments;
3291 * IPv4 and IPv6 addresses for an interface;
3292 * hash values for a packet;
3293 * custom options.
3294 *
3295 * For options where only one instance is allowed per block,
3296 * wtap_block_add_XXX_option() is currently used to add a new
3297 * instance of an option to a block that has no instance (it
3298 * fails if there's already an instance), and
3299 * wtap_block_set_XXX_optin() is currently used to change the
3300 * value of an option in a block that has one instance (it fails
3301 * if there isn't already an instance).
3302 *
3303 * For options where more than one instance is allowed per block,
3304 * wtap_block_add_XXX_option() is used to add a new instance to
3305 * a block, no matter how many instances it currently has, and
3306 * wtap_block_set_nth_XXX_option() is used to change the value
3307 * of the Nth instance of an option in a block (the block must
3308 * *have* an Nth instance).
3309 *
3310 * Currently we only particularly care about updating the capture comment
3311 * and a few counters anyway.
3312 */
3317 }
3318 }
3319 /*
3320 * Skip until we get to the next section tag (which could be the current tag
3321 * after an empty section or successful parsing).
3322 */
3323 /* adjust offset */
3327 }
3329 /*
3330 * We are now looking at the next section (and would have exited the loop
3331 * if we reached the end).
3332 */
3334 /* Update parent section. Implicit grouping is by a change in section except Interface and Stream. */
3336 if ((tag.type == ERF_META_SECTION_STREAM && state.sectiontype == ERF_META_SECTION_INTERFACE) ||
3338 /* do nothing */
3342 }
3343 }
3345 /* Update with new sectiontype */
3351 }
3353 /* Adjust offset to that of first tag in section */
3358 /*
3359 * Process parent section tag if present (which must be the first tag in
3360 * the section).
3361 */
3365 }
3366 }
3368 /* Skip empty sections (includes if above read fails) */
3371 }
3373 /*
3374 * Skip sections that don't apply to the general set of records
3375 * (extension point for per-packet/event metadata).
3376 * Unless we need to update the anchor info
3377 * in which case, read into it
3378 */
3381 /* TODO: do we care if it returns 0 or 1? */
3382 if (populate_anchor_info(erf_priv, wth, pseudo_header, &state, anchor_mappings_to_update, err, err_info) < 0) {
3384 }
3385 }
3387 }
3389 /*
3390 * Start at first tag in section, makes loop
3391 * simpler in called functions too. Also makes iterating after failure
3392 * much simpler.
3393 */
3397 /* TODO: do we care if it returns 0 or 1? */
3400 }
3403 /* TODO: do we care if it returns 0 or 1? */
3406 }
3409 /* TODO: do we care if it returns 0 or 1? */
3412 }
3415 /*
3416 * XXX: Treat streams specially in case the stream information appears
3417 * before the interface information, as we associate them to interface
3418 * data.
3419 */
3425 /* TODO: Not yet implemented */
3427 }
3428 }
3430 /* Process streams last */
3441 }
3443 }
3445 /* g_list_free_full() only exists since 2.28. */
3448 }
3450 /*
3451 * Update known metadata so we only examine the first set of metadata. Need to
3452 * do this here so can have interface and stream in same record.
3453 */
3457 }
3460 }
3463 wtap_block_t wtap_block;
3464 wtap_opttype_return_val ret;
3470 }
3476 }
3477 }
3480 }
3482 static bool erf_dump_priv_compare_capture_comment(wtap_dumper *wdh _U_, erf_dump_t *dump_priv, const union wtap_pseudo_header *pseudo_header, const uint8_t *pd){
3500 }
3502 /* Skip sections that don't apply to the general set of records */
3507 /* Found the Capture Section */
3509 }
3510 }
3514 /* XXX: Only compare the first comment tag */
3517 }
3519 }
3520 }
3521 }
3523 /* Read until we have the Capture section */
3526 }
3531 /* Also treat "" in ERF as equivalent to NULL as that is how we clear the comment on write. */
3533 /* Comments are different, we should write extra metadata record at the end of the list */
3538 /* We have a capture comment but there is no change, we don't
3539 * need to insert the 'changed' comment. This most likely happened
3540 * because we were looking at list of periodic records and got up to the
3541 * one where the comment was last set. */
3543 }
3544 /* Otherwise no effect on whether we need to write extra metadata record */
3545 }
3546 /* We didn't find a capture section (e.g. looking at a comment Anchor
3547 * record), or the comment hadn't changed. */
3550 /* Return whether we found any non-local metadata (i.e. whether the record has
3551 * metadata that is more than just packet 'comments') */
3553 }
3556 {
3560 /* XXX: Prevent double free by wtap_close() */
3562 }
3567 };
3580 };
3584 };
3587 /*
3588 * Per-file comments and application supported; section blocks
3589 * are used for that.
3590 * ERF files have only one section. (XXX - true?)
3591 */
3592 { WTAP_BLOCK_SECTION, ONE_BLOCK_SUPPORTED, OPTION_TYPES_SUPPORTED(section_block_options_supported) },
3594 /*
3595 * ERF supports multiple interfaces, with information, and
3596 * supports associating packets with interfaces. Interface
3597 * description blocks are used for that.
3598 */
3599 { WTAP_BLOCK_IF_ID_AND_INFO, MULTIPLE_BLOCKS_SUPPORTED, OPTION_TYPES_SUPPORTED(interface_block_options_supported) },
3601 /*
3602 * Name resolution is supported, but we don't support comments.
3603 */
3606 /*
3607 * ERF is a capture format, so it obviously supports packets.
3608 */
3609 { WTAP_BLOCK_PACKET, MULTIPLE_BLOCKS_SUPPORTED, OPTION_TYPES_SUPPORTED(packet_block_options_supported) }
3610 };
3616 };
3619 {
3622 /*
3623 * Register name for backwards compatibility with the
3624 * wtap_filetypes table in Lua.
3625 */
3627 }
3629 /*
3630 * Editor modelines - https://www.wireshark.org/tools/modelines.html
3631 *
3632 * Local Variables:
3633 * c-basic-offset: 2
3634 * tab-width: 8
3635 * indent-tabs-mode: nil
3636 * End:
3637 *
3638 * vi: set shiftwidth=2 tabstop=8 expandtab:
3639 * :indentSize=2:tabSize=8:noTabs=true:
3640 */