search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dcerpc-nt: make use of cb_str_postprocess_options() in cb_byte_array_postprocess()
[wireshark-sm.git] / wiretap / ipfix.c
blob0c1dafb3743eb772edacbbf4c062f70d8b19f7c3
1 /* ipfix.c
2 *
3 * Wiretap Library
4 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
5 *
6 * File format support for ipfix file format
7 * Copyright (c) 2010 by Hadriel Kaplan <hadrielk@yahoo.com>
8 * with generous copying from other wiretaps, such as pcapng
9 *
10 * SPDX-License-Identifier: GPL-2.0-or-later
11 */
12
13 /* File format reference:
14 * RFC 5655 and 5101
15 * https://tools.ietf.org/rfc/rfc5655
16 * https://tools.ietf.org/rfc/rfc5101
17 *
18 * This wiretap is for an ipfix file format reader, per RFC 5655/5101.
19 * All "records" in the file are IPFIX messages, beginning with an IPFIX
20 * message header of 16 bytes as follows from RFC 5101:
21 0 1 2 3
22 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
23 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
24 | Version Number | Length |
25 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
26 | Export Time |
27 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
28 | Sequence Number |
29 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
30 | Observation Domain ID |
31 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
32
33 Figure F: IPFIX Message Header Format
34
35 * which is then followed by one or more "Sets": Data Sets, Template Sets,
36 * and Options Template Sets. Each Set then has one or more Records in
37 * it.
38 *
39 * All IPFIX files are recorded in big-endian form (network byte order),
40 * per the RFCs. That means if we're on a little-endian system, all
41 * hell will break loose if we don't g_ntohX.
42 *
43 * Since wireshark already has an IPFIX dissector (implemented in
44 * packet-netflow.c), this reader will just set that dissector upon
45 * reading each message. Thus, an IPFIX Message is treated as a packet
46 * as far as the dissector is concerned.
47 */
48
49 #include "config.h"
50
51 #define WS_LOG_DOMAIN LOG_DOMAIN_WIRETAP
52 #include "ipfix.h"
53
54 #include <stdlib.h>
55 #include <string.h>
56 #include "wtap-int.h"
57 #include "file_wrappers.h"
58
59 #include <wsutil/strtoi.h>
60 #include <wsutil/wslog.h>
61
62 #define RECORDS_FOR_IPFIX_CHECK 20
63
64 static bool
65 ipfix_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err,
66 char **err_info, int64_t *data_offset);
67 static bool
68 ipfix_seek_read(wtap *wth, int64_t seek_off,
69 wtap_rec *rec, Buffer *buf, int *err, char **err_info);
70
71 #define IPFIX_VERSION 10
72
73 /* ipfix: message header */
74 typedef struct ipfix_message_header_s {
75 uint16_t version;
76 uint16_t message_length;
77 uint32_t export_time_secs;
78 uint32_t sequence_number;
79 uint32_t observation_id; /* might be 0 for none */
80 /* x bytes msg_body */
81 } ipfix_message_header_t;
82 #define IPFIX_MSG_HDR_SIZE 16
83
84 /* ipfix: common Set header for every Set type */
85 typedef struct ipfix_set_header_s {
86 uint16_t set_type;
87 uint16_t set_length;
88 /* x bytes set_body */
89 } ipfix_set_header_t;
90 #define IPFIX_SET_HDR_SIZE 4
91
92
93 static int ipfix_file_type_subtype = -1;
94
95 void register_ipfix(void);
96
97 /* Read IPFIX message header from file. Return true on success. Set *err to
98 * 0 on EOF, any other value for "real" errors (EOF is ok, since return
99 * value is still false)
100 */
101 static bool
102 ipfix_read_message_header(ipfix_message_header_t *pfx_hdr, FILE_T fh, int *err, char **err_info)
103 {
104 if (!wtap_read_bytes_or_eof(fh, pfx_hdr, IPFIX_MSG_HDR_SIZE, err, err_info))
105 return false;
106
107 /* fix endianness, because IPFIX files are always big-endian */
108 pfx_hdr->version = g_ntohs(pfx_hdr->version);
109 pfx_hdr->message_length = g_ntohs(pfx_hdr->message_length);
110 pfx_hdr->export_time_secs = g_ntohl(pfx_hdr->export_time_secs);
111 pfx_hdr->sequence_number = g_ntohl(pfx_hdr->sequence_number);
112 pfx_hdr->observation_id = g_ntohl(pfx_hdr->observation_id);
113
114 /* is the version number one we expect? */
115 if (pfx_hdr->version != IPFIX_VERSION) {
116 /* Not an ipfix file. */
117 *err = WTAP_ERR_BAD_FILE;
118 *err_info = ws_strdup_printf("ipfix: wrong version %d", pfx_hdr->version);
119 return false;
120 }
121
122 if (pfx_hdr->message_length < 16) {
123 *err = WTAP_ERR_BAD_FILE;
124 *err_info = ws_strdup_printf("ipfix: message length %u is too short", pfx_hdr->message_length);
125 return false;
126 }
127
128 /* go back to before header */
129 if (file_seek(fh, 0 - IPFIX_MSG_HDR_SIZE, SEEK_CUR, err) == -1) {
130 ws_debug("couldn't go back in file before header");
131 return false;
132 }
133
134 return true;
135 }
136
137
138 /* Read IPFIX message header from file and fill in the struct wtap_rec
139 * for the packet, and, if that succeeds, read the packet data.
140 * Return true on success. Set *err to 0 on EOF, any other value for "real"
141 * errors (EOF is ok, since return value is still false).
142 */
143 static bool
144 ipfix_read_message(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, char **err_info)
145 {
146 ipfix_message_header_t msg_hdr;
147
148 if (!ipfix_read_message_header(&msg_hdr, fh, err, err_info))
149 return false;
150 /*
151 * The maximum value of msg_hdr.message_length is 65535, which is
152 * less than WTAP_MAX_PACKET_SIZE_STANDARD will ever be, so we don't need
153 * to check it.
154 */
155
156 rec->rec_type = REC_TYPE_PACKET;
157 rec->block = wtap_block_create(WTAP_BLOCK_PACKET);
158 rec->presence_flags = WTAP_HAS_TS;
159 rec->rec_header.packet_header.len = msg_hdr.message_length;
160 rec->rec_header.packet_header.caplen = msg_hdr.message_length;
161 rec->ts.secs = msg_hdr.export_time_secs;
162 rec->ts.nsecs = 0;
163
164 return wtap_read_packet_bytes(fh, buf, msg_hdr.message_length, err, err_info);
165 }
166
167
168
169 /* classic wtap: open capture file. Return WTAP_OPEN_MINE on success,
170 * WTAP_OPEN_NOT_MINE on normal failure like malformed format,
171 * WTAP_OPEN_ERROR on bad error like file system
172 */
173 wtap_open_return_val
174 ipfix_open(wtap *wth, int *err, char **err_info)
175 {
176 int i, n, records_for_ipfix_check = RECORDS_FOR_IPFIX_CHECK;
177 char *s;
178 uint16_t checked_len;
179 ipfix_message_header_t msg_hdr;
180 ipfix_set_header_t set_hdr;
181
182 ws_debug("opening file");
183
184 /* number of records to scan before deciding if this really is IPFIX */
185 if ((s = getenv("IPFIX_RECORDS_TO_CHECK")) != NULL) {
186 if (ws_strtoi32(s, NULL, &n) && n > 0 && n < 101) {
187 records_for_ipfix_check = n;
188 }
189 }
190
191 /*
192 * IPFIX is a little hard because there's no magic number; we look at
193 * the first few records and see if they look enough like IPFIX
194 * records.
195 */
196 for (i = 0; i < records_for_ipfix_check; i++) {
197 /* read first message header to check version */
198 if (!ipfix_read_message_header(&msg_hdr, wth->fh, err, err_info)) {
199 ws_debug("couldn't read message header #%d with err code #%d (%s)",
200 i, *err, *err_info);
201 if (*err == WTAP_ERR_BAD_FILE) {
202 *err = 0; /* not actually an error in this case */
203 g_free(*err_info);
204 *err_info = NULL;
205 return WTAP_OPEN_NOT_MINE;
206 }
207 if (*err != 0 && *err != WTAP_ERR_SHORT_READ)
208 return WTAP_OPEN_ERROR; /* real failure */
209 /* else it's EOF */
210 if (i < 1) {
211 /* we haven't seen enough to prove this is a ipfix file */
212 return WTAP_OPEN_NOT_MINE;
213 }
214 /*
215 * If we got here, it's EOF and we haven't yet seen anything
216 * that doesn't look like an IPFIX record - i.e. everything
217 * we've seen looks like an IPFIX record - so we assume this
218 * is an IPFIX file.
219 */
220 break;
221 }
222 if (file_seek(wth->fh, IPFIX_MSG_HDR_SIZE, SEEK_CUR, err) == -1) {
223 ws_debug("failed seek to next message in file, %d bytes away",
224 msg_hdr.message_length);
225 return WTAP_OPEN_NOT_MINE;
226 }
227 checked_len = IPFIX_MSG_HDR_SIZE;
228
229 /* check each Set in IPFIX Message for sanity */
230 while (checked_len < msg_hdr.message_length) {
231 if (!wtap_read_bytes(wth->fh, &set_hdr, IPFIX_SET_HDR_SIZE,
232 err, err_info)) {
233 if (*err == WTAP_ERR_SHORT_READ) {
234 /* Not a valid IPFIX Set, so not an IPFIX file. */
235 ws_debug("error %d reading set", *err);
236 return WTAP_OPEN_NOT_MINE;
237 }
238
239 /* A real I/O error; fail. */
240 return WTAP_OPEN_ERROR;
241 }
242 set_hdr.set_length = g_ntohs(set_hdr.set_length);
243 if ((set_hdr.set_length < IPFIX_SET_HDR_SIZE) ||
244 ((set_hdr.set_length + checked_len) > msg_hdr.message_length)) {
245 ws_debug("found invalid set_length of %d",
246 set_hdr.set_length);
247 return WTAP_OPEN_NOT_MINE;
248 }
249
250 if (file_seek(wth->fh, set_hdr.set_length - IPFIX_SET_HDR_SIZE,
251 SEEK_CUR, err) == -1)
252 {
253 ws_debug("failed seek to next set in file, %d bytes away",
254 set_hdr.set_length - IPFIX_SET_HDR_SIZE);
255 return WTAP_OPEN_ERROR;
256 }
257 checked_len += set_hdr.set_length;
258 }
259 }
260
261 /* go back to beginning of file */
262 if (file_seek (wth->fh, 0, SEEK_SET, err) != 0)
263 {
264 return WTAP_OPEN_ERROR;
265 }
266
267 /* all's good, this is a IPFIX file */
268 wth->file_encap = WTAP_ENCAP_RAW_IPFIX;
269 wth->snapshot_length = 0;
270 wth->file_tsprec = WTAP_TSPREC_SEC;
271 wth->subtype_read = ipfix_read;
272 wth->subtype_seek_read = ipfix_seek_read;
273 wth->file_type_subtype = ipfix_file_type_subtype;
274
275 /*
276 * Add an IDB; we don't know how many interfaces were
277 * involved, so we just say one interface, about which
278 * we only know the link-layer type, snapshot length,
279 * and time stamp resolution.
280 */
281 wtap_add_generated_idb(wth);
282
283 return WTAP_OPEN_MINE;
284 }
285
286
287 /* classic wtap: read packet */
288 static bool
289 ipfix_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err,
290 char **err_info, int64_t *data_offset)
291 {
292 *data_offset = file_tell(wth->fh);
293 ws_debug("offset is initially %" PRId64, *data_offset);
294
295 if (!ipfix_read_message(wth->fh, rec, buf, err, err_info)) {
296 ws_debug("couldn't read message header with code: %d\n, and error '%s'",
297 *err, *err_info);
298 return false;
299 }
300
301 return true;
302 }
303
304
305 /* classic wtap: seek to file position and read packet */
306 static bool
307 ipfix_seek_read(wtap *wth, int64_t seek_off, wtap_rec *rec,
308 Buffer *buf, int *err, char **err_info)
309 {
310 /* seek to the right file position */
311 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1) {
312 ws_debug("couldn't read message header with code: %d\n, and error '%s'",
313 *err, *err_info);
314 return false; /* Seek error */
315 }
316
317 ws_debug("reading at offset %" PRIu64, seek_off);
318
319 if (!ipfix_read_message(wth->random_fh, rec, buf, err, err_info)) {
320 ws_debug("couldn't read message header");
321 if (*err == 0)
322 *err = WTAP_ERR_SHORT_READ;
323 return false;
324 }
325 return true;
326 }
327
328 static const struct supported_block_type ipfix_blocks_supported[] = {
329 /*
330 * We support packet blocks, with no comments or other options.
331 */
332 { WTAP_BLOCK_PACKET, MULTIPLE_BLOCKS_SUPPORTED, NO_OPTIONS_SUPPORTED }
333 };
334
335 static const struct file_type_subtype_info ipfix_info = {
336 "IPFIX File Format", "ipfix", "pfx", "ipfix",
337 false, BLOCKS_SUPPORTED(ipfix_blocks_supported),
338 NULL, NULL, NULL
339 };
340
341 void register_ipfix(void)
342 {
343 ipfix_file_type_subtype = wtap_register_file_type_subtype(&ipfix_info);
344
345 /*
346 * Register name for backwards compatibility with the
347 * wtap_filetypes table in Lua.
348 */
349 wtap_register_backwards_compatibility_lua_name("IPFIX",
350 ipfix_file_type_subtype);
351 }
352
353 /*
354 * Editor modelines - https://www.wireshark.org/tools/modelines.html
355 *
356 * Local variables:
357 * c-basic-offset: 4
358 * tab-width: 8
359 * indent-tabs-mode: nil
360 * End:
361 *
362 * vi: set shiftwidth=4 tabstop=8 expandtab:
363 * :indentSize=4:tabSize=8:noTabs=true:
364 */
Metzes wireshark repo