Added wiretap support to read the Cisco Secure Intrusion Detection System IPLog format.

svn path=/trunk/; revision=2231

wiretap/Makefile.am

@@ -1,7 +1,7 @@
 # Makefile.am
 # Automake file for Wiretap
 #
-# $Id: Makefile.am,v 1.29 2000/07/26 08:03:57 guy Exp $
+# $Id: Makefile.am,v 1.30 2000/08/08 22:16:41 mhall Exp $
 #
 # Ethereal - Network traffic analyzer
 # By Gerald Combs <gerald@zing.org>
@@ -40,6 +40,8 @@ libwiretap_a_SOURCES = \
 	ascend-int.h		\
 	buffer.c		\
 	buffer.h		\
+	csids.c			\
+	csids.h			\
 	file.c			\
 	file_wrappers.c		\
 	file_wrappers.h		\

wiretap/Makefile.nmake

@@ -1,5 +1,5 @@
 #
-# $Id: Makefile.nmake,v 1.13 2000/05/29 20:11:31 guy Exp $
+# $Id: Makefile.nmake,v 1.14 2000/08/08 22:16:41 mhall Exp $
 #
 
 include ..\config.nmake
@@ -15,6 +15,7 @@ OBJECTS=ascend-grammar.obj \
 	ascend-scanner.obj \
 	ascend.obj \
 	buffer.obj \
+	csids.obj \
 	file.obj \
 	file_wrappers.obj \
 	i4btrace.obj \

wiretap/csids.c

@@ -0,0 +1,254 @@
+/* csids.c
+ *
+ * $Id: csids.c,v 1.1 2000/08/08 22:16:41 mhall Exp $
+ *
+ * Copyright (c) 2000 by Mike Hall <mlh@io.com>
+ * Copyright (c) 2000 by Cisco Systems
+ * 
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+ *
+ */
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+#include "wtap-int.h"
+#include "buffer.h"
+#include "csids.h"
+#include "file_wrappers.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+/* 
+ * This module reads the output from the Cisco Secure Intrustion Detection
+ * System iplogging facility. The term iplogging is misleading since this 
+ * logger will only output TCP. There is no link layer information. 
+ * Packet format is 4 byte timestamp (seconds since epoch), and a 4 byte size
+ * of data following for that packet.
+ *
+ * For a time there was an error in iplogging and the ip length, flags, and id
+ * were byteswapped. We will check for this and handle it before handing to ethereal.
+ *
+ */
+
+static int csids_read(wtap *wth, int *err);
+static int csids_seek_read(wtap *wth, int seek_off,
+	union wtap_pseudo_header *pseudo_header, guint8 *pd, int len);
+
+struct csids_header {
+  guint32 seconds; /* seconds since epoch */
+  guint32 caplen;  /* the capture length  */
+};
+
+/* XXX - return -1 on I/O error and actually do something with 'err'. */
+int csids_open(wtap *wth, int *err)
+{
+  /* There is no file header. There is only a header for each packet 
+   * so we read a packet header and compare the caplen with iplen. They 
+   * should always be equal except with the wierd byteswap version.
+   * 
+   * THIS IS BROKEN-- anytime the caplen is 0x0101 or 0x0202 up to 0x0505 
+   * this will byteswap it. I need to fix this. XXX --mlh 
+   */
+
+  int tmp,iplen,bytesRead;
+  
+  gboolean byteswap = FALSE;
+  struct csids_header hdr;
+  bytesRead=0;
+
+  file_seek(wth->fh, 0, SEEK_SET); 
+ 
+  /* check the file to make sure it is a csids file. */ 
+  bytesRead = file_read( &hdr, sizeof( struct csids_header) , 1, wth->fh );
+  if( bytesRead != sizeof( struct csids_header) ) {
+    *err = file_error( wth->fh );
+    if( *err != 0 ) {
+      return -1;
+    } else {
+      return 0;
+    }
+  }
+  hdr.seconds = pntohl( &hdr.seconds );
+  hdr.caplen = pntohl( &hdr.caplen );
+  bytesRead = file_read( &tmp, 2, 1, wth->fh );
+  if( bytesRead != 2 ) {
+    *err = file_error( wth->fh );
+    if( *err != 0 ) {
+      return -1;
+    } else {
+      return 0;
+    }
+  }
+  bytesRead = file_read( &iplen, 2, 1, wth->fh );
+  if( bytesRead != 2 ) {
+    *err = file_error( wth->fh );
+    if( *err != 0 ) {
+      return -1;
+    } else {
+      return 0;
+    }
+  }
+  iplen = pntohs(&iplen);
+  if( iplen != hdr.caplen ) {
+    /* maybe this is just a byteswapped version. the iplen ipflags */
+    /* and ipid are swapped. We cannot use the normal swaps because */
+    /* we don't know the host */
+    iplen = BSWAP16(iplen);
+    if( iplen == hdr.caplen ) {
+      /* we know this format */
+      byteswap = TRUE;
+    } else {
+      /* don't know this one */
+      return 0;
+    }
+  } else {
+    byteswap = FALSE;
+  } 
+
+  wth->data_offset = 0; 
+  wth->capture.csids = g_malloc(sizeof(csids_t));
+  wth->capture.csids->byteswapped = byteswap;
+  wth->file_encap = WTAP_ENCAP_RAW_IP; 
+  wth->file_type = WTAP_FILE_CSIDS; 
+  wth->snapshot_length = 16384; /* just guessing */ 
+  wth->subtype_read = csids_read; 
+  wth->subtype_seek_read = csids_seek_read; 
+
+  /* no file header. So reset the fh to 0 so we can read the first packet */
+  file_seek(wth->fh, 0, SEEK_SET); 
+
+  return 1;
+}
+
+/* Find the next packet and parse it; called from wtap_loop(). */
+static int csids_read(wtap *wth, int *err)
+{
+  guint8 *buf;
+  int bytesRead = 0;
+  struct csids_header hdr;
+  int packet_offset = wth->data_offset;
+
+  bytesRead = file_read( &hdr, sizeof( struct csids_header) , 1, wth->fh );
+  if( bytesRead != sizeof( struct csids_header) ) {
+    *err = file_error( wth->fh );
+    if( *err != 0 ) {
+      return -1;
+    } else {
+      return 0;
+    }
+  }
+  hdr.seconds = pntohl(&hdr.seconds);
+  hdr.caplen = pntohl(&hdr.caplen);
+
+  wth->data_offset += sizeof( struct csids_header );
+
+  /* Make sure we have enough room for the packet */
+  buffer_assure_space(wth->frame_buffer, hdr.caplen);
+  buf = buffer_start_ptr(wth->frame_buffer);
+  
+  bytesRead = file_read( buf, hdr.caplen, 1, wth->fh );
+  if( bytesRead != hdr.caplen ) {
+    *err = file_error( wth->fh );
+    if( *err != 0 ) {
+      return -1;
+    }       
+  }
+  
+  wth->data_offset += hdr.caplen;
+
+  wth->phdr.len = hdr.caplen;
+  wth->phdr.caplen = hdr.caplen;
+  wth->phdr.ts.tv_sec = hdr.seconds;
+  wth->phdr.ts.tv_usec = 0;
+  wth->phdr.pkt_encap = WTAP_ENCAP_RAW_IP;
+
+  if( wth->capture.csids->byteswapped == TRUE ) {
+    guint16* swap = (guint16*)buf;
+    *(++swap) = BSWAP16(*swap); /* the ip len */
+    *(++swap) = BSWAP16(*swap); /* ip id */
+    *(++swap) = BSWAP16(*swap); /* ip flags and fragoff */
+  }
+
+  /* This is a hack to fix the fact that have to atleast return 1 
+   * or we stop processing. csids has no file header. We recover from 
+   * this hack in csids_seek_read by checking the seek_off == 1 and 
+   * setting it back to 0.
+   */
+  return packet_offset ? packet_offset : 1;
+}
+
+/* Used to read packets in random-access fashion */
+static int
+csids_seek_read (wtap *wth,
+		 int seek_off,
+		 union wtap_pseudo_header *pseudo_header,
+		 guint8 *pd,
+		 int len)
+{
+  int err = 0;
+  int bytesRead = 0;
+  struct csids_header hdr;
+
+  /* hack to fix a problem with the way error checking is done. If the 
+   * the return value from csids_read is 0 for the first packet, then
+   * we stop there. So I return 1. But that messes up the offset for 
+   * the seek_off on this call. So if seek_off is 1 then make it 0 and 
+   * if it is not 1 leave it alone. --mlh 
+   */
+  int real_seek_off = seek_off;
+  if( real_seek_off == 1 ) {
+    real_seek_off = 0;
+  }
+
+  file_seek(wth->random_fh, real_seek_off , SEEK_SET);
+
+  bytesRead = file_read( &hdr, sizeof( struct csids_header) , 1, wth->random_fh );
+  if( bytesRead != sizeof( struct csids_header) ) {
+    err = file_error( wth->fh );
+    if( err != 0 ) {
+      return -1;
+    } else {
+      return 0;
+    }
+  }
+  hdr.seconds = pntohl(&hdr.seconds);
+  hdr.caplen = pntohl(&hdr.caplen);
+  
+  if( len != hdr.caplen ) {
+    return -1;
+  }
+
+  bytesRead = file_read( pd, hdr.caplen, 1, wth->random_fh );
+  if( bytesRead != hdr.caplen ) {
+    err = file_error( wth->fh );
+    if( err != 0 ) {
+      return -1;
+    }       
+  }
+
+  if( wth->capture.csids->byteswapped == TRUE ) {
+    guint16* swap = (guint16*)pd;
+    *(++swap) = BSWAP16(*swap); /* the ip len */
+    *(++swap) = BSWAP16(*swap); /* ip id */
+    *(++swap) = BSWAP16(*swap); /* ip flags and fragoff */
+  }
+  
+  return 0;
+}
+
+
+

wiretap/csids.h

@@ -0,0 +1,24 @@
+ /* csids.h
+ *
+ * $Id: csids.h,v 1.1 2000/08/08 22:16:42 mhall Exp $
+ *
+ * Copyright (c) 2000 by Mike Hall <mlh@io.com>
+ * Copyright (c) Cisco Systems
+ * 
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+ *
+ */
+
+int csids_open(wtap *wth, int *err);

wiretap/file.c

@@ -1,6 +1,6 @@
 /* file.c
  *
- * $Id: file.c,v 1.58 2000/07/31 04:48:54 guy Exp $
+ * $Id: file.c,v 1.59 2000/08/08 22:16:42 mhall Exp $
  *
  * Wiretap Library
  * Copyright (c) 1998 by Gilbert Ramirez <gram@xiexie.org>
@@ -50,6 +50,7 @@
 #include "netxray.h"
 #include "toshiba.h"
 #include "i4btrace.h"
+#include "csids.h"
 
 /* The open_file_* routines should return:
  *
@@ -94,6 +95,7 @@ static int (*open_routines[])(wtap *, int *) = {
 	ascend_open,
 	toshiba_open,
 	i4btrace_open,
+	csids_open,
 };
 
 #define	N_FILE_TYPES	(sizeof open_routines / sizeof open_routines[0])
@@ -322,6 +324,10 @@ const static struct file_type_info {
 	{ "I4B ISDN trace", NULL,
 	  NULL, NULL },
 
+        /* WTAP_FILE_CSIDS */
+        { "CSIDS IPLog", NULL,
+          NULL, NULL },
+
 };
 
 /* Name that should be somewhat descriptive. */

wiretap/wtap-int.h

@@ -1,6 +1,6 @@
 /* wtap-int.h
  *
- * $Id: wtap-int.h,v 1.3 2000/07/26 06:04:33 guy Exp $
+ * $Id: wtap-int.h,v 1.4 2000/08/08 22:16:42 mhall Exp $
  *
  * Wiretap Library
  * Copyright (c) 1998 by Gilbert Ramirez <gram@xiexie.org>
@@ -107,6 +107,9 @@ typedef struct {
 	int seek_add;
 } ascend_t;
 
+typedef struct {
+	gboolean byteswapped;
+} csids_t;
 
 typedef int (*subtype_read_func)(struct wtap*, int*);
 typedef int (*subtype_seek_read_func)(struct wtap*, int, union wtap_pseudo_header*,
@@ -132,6 +135,7 @@ struct wtap {
 		netmon_t		*netmon;
 		netxray_t		*netxray;
 		ascend_t		*ascend;
+		csids_t			*csids;
 	} capture;
 
 	subtype_read_func	subtype_read;

wiretap/wtap.h

@@ -1,6 +1,6 @@
 /* wtap.h
  *
- * $Id: wtap.h,v 1.75 2000/07/26 06:04:34 guy Exp $
+ * $Id: wtap.h,v 1.76 2000/08/08 22:16:42 mhall Exp $
  *
  * Wiretap Library
  * Copyright (c) 1998 by Gilbert Ramirez <gram@xiexie.org>
@@ -122,9 +122,10 @@
 #define WTAP_FILE_NETTL				19
 #define WTAP_FILE_TOSHIBA			20
 #define WTAP_FILE_I4BTRACE			21
+#define WTAP_FILE_CSIDS				22
 
 /* last WTAP_FILE_ value + 1 */
-#define WTAP_NUM_FILE_TYPES			22
+#define WTAP_NUM_FILE_TYPES			23
 
 /*
  * Maximum packet size we'll support.