| blob | 61cbec9c48229f78f09da5596328d4d0e12406a1 |
1 /***************************************************************************
2 observer.c - description
3 -------------------
4 begin : Wed Oct 29 2003
5 copyright : (C) 2003 by root
6 email : scotte[AT}netinst.com
7 ***************************************************************************/
9 /***************************************************************************
10 * *
11 * SPDX-License-Identifier: GPL-2.0-or-later *
12 * *
13 ***************************************************************************/
18 #include <stdlib.h>
19 #include <string.h>
22 #include <wsutil/802_11-utils.h>
29 /*
30 * This structure is used to keep state when writing files. An instance is
31 * allocated for each file, and its address is stored in the wtap_dumper.priv
32 * pointer field.
33 */
40 /*
41 * Some time offsets are calculated in advance here, when the first Observer
42 * file is opened for reading or writing, and are then used to adjust frame
43 * timestamps as they are read or written.
44 *
45 * The Wiretap API expects timestamps in nanoseconds relative to
46 * January 1, 1970, 00:00:00 GMT (the Wiretap epoch).
47 *
48 * Observer versions before 13.10 encode frame timestamps in nanoseconds
49 * relative to January 1, 2000, 00:00:00 local time (the Observer epoch).
50 * Versions 13.10 and later switch over to GMT encoding. Which encoding was used
51 * when saving the file is identified via the time format TLV following
52 * the file header.
53 *
54 * Unfortunately, even though Observer versions before 13.10 saved in local
55 * time, they didn't include the timezone from which the frames were captured,
56 * so converting to GMT correctly from all timezones is impossible. So an
57 * assumption is made that the file is being read from within the same timezone
58 * that it was written.
59 *
60 * All code herein is normalized to versions 13.10 and later, special casing for
61 * versions earlier. In other words, timestamps are worked with as if
62 * they are GMT-encoded, and adjustments from local time are made only if
63 * the source file warrants it.
64 *
65 * All destination files are saved in GMT format.
66 */
71 {
78 /*
79 * Compute the local time zone offset as the number of seconds west
80 * of GMT. There's no obvious cross-platform API for querying this
81 * directly. As a workaround, GMT and local tm structures are populated
82 * relative to the ANSI time_t epoch (plus one day to ensure that
83 * local time stays after 1970/1/1 00:00:00). They are then converted
84 * back to time_t as if they were both local times, resulting in the
85 * time zone offset being the difference between them.
86 */
97 }
99 }
110 static int read_packet_data(FILE_T fh, int offset_to_frame, int current_offset_from_packet_header,
124 {
126 capture_file_header file_header;
129 tlv_header tlvh;
131 packet_entry_header packet_header;
137 /* read in the buffer file header */
143 }
147 /* check if version info is present */
150 }
152 /* get the location of the first packet */
153 /* v15 and newer uses high byte offset, in previous versions it will be 0 */
154 header_offset = file_header.offset_to_first_packet + ((unsigned)(file_header.offset_to_first_packet_high_byte)<<16);
157 /*
158 * The packet data begins before the file header ends.
159 */
161 *err_info = ws_strdup_printf("Observer: The first packet begins in the middle of the file header");
163 }
165 /* initialize the private state */
170 /* process extra information */
174 /*
175 * Make sure reading the TLV header won't put us in the middle
176 * of the packet data.
177 */
179 /*
180 * We're at or past the point where the packet data begins,
181 * but we have the IE header to read.
182 */
186 }
188 /* read the TLV header */
199 }
202 /*
203 * Make sure reading the TLV data won't put us in the middle
204 * of the packet data.
205 */
207 /*
208 * We're at or past the point where the packet data begins,
209 * but we have the IE data to read.
210 */
214 }
217 /* process (or skip over) the current TLV */
226 }
238 }
240 }
241 }
243 /* get to the first packet */
248 }
250 /*
251 * We assume that all packets in a file have the same network type,
252 * whether they're data or expert information packets, and thus
253 * we can attempt to determine the network type by reading the
254 * first packet.
255 *
256 * If that's *not* the case, we need to use WTAP_ENCAP_PER_PACKET.
257 *
258 * Read the packet header. Don't assume there *is* a packet;
259 * if there isn't, report that as a bad file. (If we use
260 * WTAP_ENCAP_PER_PACKET, we don't need to handle that case, as
261 * we don't need to read the first packet.
262 */
266 /*
267 * EOF, so there *are* no records.
268 */
270 *err_info = ws_strdup_printf("Observer: No records in the file, so we can't determine the link-layer type");
271 }
273 }
276 /* check the packet's magic number */
279 *err_info = ws_strdup_printf("Observer: unsupported packet version %ul", packet_header.packet_magic);
281 }
283 /* check the data link type */
286 *err_info = ws_strdup_printf("Observer: network type %u unknown or unsupported", packet_header.network_type);
288 }
291 /* set up the rest of the capture parameters */
302 /* reset the pointer to the first packet */
311 }
313 /*
314 * Add an IDB; we don't know how many interfaces were
315 * involved, so we just say one interface, about which
316 * we only know the link-layer type, snapshot length,
317 * and time stamp resolution.
318 */
322 }
324 /* Reads the next packet. */
327 {
330 packet_entry_header packet_header;
332 /* skip records other than data records */
336 /* process the packet header, including TLVs */
337 header_bytes_consumed = read_packet_header(wth, wth->fh, &rec->rec_header.packet_header.pseudo_header, &packet_header, err,
338 err_info);
345 /* skip to next packet */
349 }
350 }
355 /* read the frame data */
361 }
363 /* skip over any extra bytes following the frame data */
367 }
370 }
372 /* Reads a packet at an offset. */
375 {
377 packet_entry_header packet_header;
384 /* process the packet header, including TLVs */
386 err_info);
393 /* read the frame data */
398 }
401 }
403 static int
406 {
409 tlv_header tlvh;
410 tlv_wireless_info wireless_header;
414 /* pull off the packet header */
420 }
424 /* check the packet's magic number */
427 /*
428 * Some files are zero-padded at the end. There is no warning of this
429 * in the previous packet header information, such as setting
430 * offset_to_next_packet to zero. So detect this situation by treating
431 * an all-zero header as a sentinel. Return EOF when it is encountered,
432 * rather than treat it as a bad record.
433 */
437 }
441 }
447 }
449 /* initialize the pseudo header */
452 /* There is no FCS in the frame */
461 /* Updated below */
463 }
465 /* process extra information */
469 /* read the TLV header */
480 }
483 /* process (or skip over) the current TLV */
491 }
495 /* set decryption status */
496 /* XXX - what other bits are there in conditions? */
497 pseudo_header->ieee_802_11.decrypted = (wireless_header.conditions & WIRELESS_WEP_SUCCESS) != 0;
505 /*
506 * We don't know they PHY, but we do have the data rate;
507 * try to guess the PHY based on the data rate and channel.
508 */
510 /* 11b */
514 /* 11a or 11g, depending on the band. */
516 /* 11g */
520 /* 11a */
524 }
525 }
530 /* skip the TLV data */
534 }
536 }
537 }
540 }
542 static bool
545 {
546 /* set the wiretap record metadata fields */
555 /*
556 * XXX - what are those 4 bytes?
557 *
558 * The comment in the code said "neglect frame markers for wiretap",
559 * but in the captures I've seen, there's no actual data corresponding
560 * to them that might be a "frame marker".
561 *
562 * Instead, the packets had a network_size 4 bytes larger than the
563 * captured_size; does the network_size include the CRC, even
564 * though it's not included in a capture? If so, most other
565 * network analyzers that have a "network size" and a "captured
566 * size" don't include the CRC in the "network size" if they
567 * don't include the CRC in a full-length captured packet; the
568 * "captured size" is less than the "network size" only if a
569 * user-specified "snapshot length" caused the packet to be
570 * sliced at a particular point.
571 *
572 * That's the model that wiretap and Wireshark/TShark use, so
573 * we implement that model here.
574 */
580 }
583 rec->rec_header.packet_header.caplen = MIN(packet_header->captured_size, rec->rec_header.packet_header.len);
584 }
585 /*
586 * The maximum value of packet_header->captured_size is 65535, which
587 * is less than WTAP_MAX_PACKET_SIZE_STANDARD will ever be, so we don't need
588 * to check it.
589 */
591 /* set the wiretap timestamp, assuming for the moment that Observer encoded it in GMT */
592 rec->ts.secs = (time_t) ((packet_header->nano_seconds_since_2000 / 1000000000) + ansi_to_observer_epoch_offset);
595 /* adjust to local time, if necessary, also accounting for DST if the frame
596 was captured while it was in effect */
598 {
604 /* the Observer timestamp was encoded as local time, so add a
605 correction from local time to GMT */
608 /* perform a DST adjustment if necessary */
617 }
618 }
619 }
622 }
624 static int
625 read_packet_data(FILE_T fh, int offset_to_frame, int current_offset_from_packet_header, Buffer *buf,
627 {
631 /* validate offsets */
637 }
639 /* skip to the packet data */
644 }
646 }
648 /* read in the packet data */
654 }
656 static bool
657 skip_to_next_packet(wtap *wth, int offset_to_next_packet, int current_offset_from_packet_header, int *err,
659 {
662 /* validate offsets */
668 }
670 /* skip to the next packet header */
675 }
678 }
680 /* Returns 0 if we could write the specified encapsulation type,
681 an error indication otherwise. */
683 {
684 /* per-packet encapsulations aren't supported */
692 }
694 /* Returns true on success, false on failure; sets "*err" to an error code on
695 failure. */
698 {
700 capture_file_header file_header;
703 tlv_header comment_header;
706 tlv_header time_info_header;
707 tlv_time_info time_info;
711 /* initialize the private state */
717 /* populate the fields of wdh */
721 /* initialize the file header */
726 /* create the file comment TLV */
727 {
733 else
740 /* update the file header to account for the comment TLV */
743 }
745 /* create the timestamp encoding TLV */
746 {
751 /* update the file header to account for the timestamp encoding TLV */
754 }
756 /* Store the offset to the first packet */
760 /* write the file header, swapping any multibyte fields first */
764 }
766 /* write the comment TLV */
767 {
771 }
775 }
776 }
778 /* write the time info TLV */
779 {
783 }
788 }
789 }
796 }
799 }
801 /* Write a record for a packet to a dump file.
802 Returns true on success, false on failure. */
806 {
808 packet_entry_header packet_header;
811 /* We can only write packet records. */
815 }
817 /*
818 * Make sure this packet doesn't have a link-layer type that
819 * differs from the one for the file.
820 */
824 }
826 /* The captured size field is 16 bits, so there's a hard limit of
827 65535. */
831 }
833 /* convert the number of seconds since epoch from ANSI-relative to
834 Observer-relative */
840 }
843 }
845 /* populate the fields of the packet header */
854 /* XXX - what if this doesn't fit in 16 bits? It's not guaranteed to... */
855 packet_header.offset_to_next_packet = (uint16_t)sizeof(packet_header) + rec->rec_header.packet_header.caplen;
866 /* write the packet header */
870 }
872 /* write the packet data */
875 }
878 }
881 {
893 }
895 }
898 {
908 }
910 }
913 /*
914 * We support packet blocks, with no comments or other options.
915 */
917 };
923 };
926 {
929 /*
930 * We now call this file format just "observer", but we allow
931 * it to be referred to as "niobserver" for backwards
932 * compatibility.
933 *
934 * Register "niobserver" for that purpose.
935 */
938 /*
939 * Register name for backwards compatibility with the
940 * wtap_filetypes table in Lua.
941 */
943 observer_file_type_subtype);
944 }
946 /*
947 * Editor modelines - https://www.wireshark.org/tools/modelines.html
948 *
949 * Local variables:
950 * c-basic-offset: 4
951 * tab-width: 8
952 * indent-tabs-mode: nil
953 * End:
954 *
955 * vi: set shiftwidth=4 tabstop=8 expandtab:
956 * :indentSize=4:tabSize=8:noTabs=true:
957 */