diff options
Diffstat (limited to 'wiretap/erf.c')
| -rw-r--r-- | wiretap/erf.c | 3640 |
1 files changed, 3640 insertions, 0 deletions
diff --git a/wiretap/erf.c b/wiretap/erf.c new file mode 100644 index 00000000..c4770ff3 --- /dev/null +++ b/wiretap/erf.c @@ -0,0 +1,3640 @@ +/* + * Copyright (c) 2003 Endace Technology Ltd, Hamilton, New Zealand. + * All rights reserved. + * + * This software and documentation has been developed by Endace Technology Ltd. + * along with the DAG PCI network capture cards. For further information please + * visit http://www.endace.com/. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +/* + * erf - Endace ERF (Extensible Record Format) + * + * Rev A: + * http://web.archive.org/web/20050829051042/http://www.endace.com/support/EndaceRecordFormat.pdf + * Version 1: + * http://web.archive.org/web/20061111014023/http://www.endace.com/support/EndaceRecordFormat.pdf + * Version 8: + * https://gitlab.com/wireshark/wireshark/uploads/f694bfee494784425b6545892180a8b2/Endace_ERF_Types.pdf + * (bug #4484) + * Current version (version 21, as of 2023-03-28): + * https://www.endace.com/erf-extensible-record-format-types.pdf + * + * Note that version 17 drops descriptions of records for no-longer-supported + * DAG cards. Version 16 is probably the best version to use for those + * older record types, but it's not in any obvious location in the Wayback + * Machine. + */ + +#include "config.h" + +#include <stdlib.h> +#include <string.h> + +#include <glib.h> + +#include <wsutil/crc32.h> +#include <wsutil/strtoi.h> +#include <wsutil/glib-compat.h> + +#include "wtap-int.h" +#include "file_wrappers.h" +#include "erf.h" +#include "erf_record.h" +#include "erf-common.h" + +struct erf_anchor_mapping { + guint64 host_id; + guint64 anchor_id; + guint64 gen_time; + gchar *comment; +}; + +static const guint erf_header_size = (guint)sizeof(erf_header_t); +static const guint erf_mc_header_size = (guint)sizeof(erf_mc_header_t); +static const guint erf_eth_hdr_size = (guint)sizeof(erf_eth_header_t); + + +static gboolean erf_read_header(wtap *wth, FILE_T fh, + wtap_rec *rec, + erf_header_t *erf_header, + int *err, + gchar **err_info, + guint32 *bytes_read, + guint32 *packet_size, + GPtrArray *anchor_mappings_to_update); +static gboolean erf_read(wtap *wth, wtap_rec *rec, Buffer *buf, + int *err, gchar **err_info, gint64 *data_offset); +static gboolean erf_seek_read(wtap *wth, gint64 seek_off, + wtap_rec *rec, Buffer *buf, + int *err, gchar **err_info); +static void erf_close(wtap *wth); + +static int populate_summary_info(erf_t *erf_priv, wtap *wth, union wtap_pseudo_header *pseudo_header, Buffer *buf, guint32 packet_size, GPtrArray *anchor_mappings_to_update, int *err, gchar **err_info); +static int erf_update_anchors_from_header(erf_t *erf_priv, wtap_rec *rec, union wtap_pseudo_header *pseudo_header, guint64 host_id, GPtrArray *anchor_mappings_to_update); +static int erf_get_source_from_header(union wtap_pseudo_header *pseudo_header, guint64 *host_id, guint8 *source_id); +static int erf_populate_interface(erf_t* erf_priv, wtap *wth, union wtap_pseudo_header *pseudo_header, guint64 host_id, guint8 source_id, guint8 if_num, int *err, gchar **err_info); + +typedef struct { + gboolean write_next_extra_meta; + gboolean last_meta_periodic; + guint64 host_id; + guint64 implicit_host_id; + guint64 prev_frame_ts; + guint8 prev_erf_type; + guint64 gen_time; + time_t first_frame_time_sec; + time_t prev_inserted_time_sec; + gchar* user_comment_ptr; + GPtrArray* periodic_sections; + GArray *periodic_extra_ehdrs; + GRand *rand; +} erf_dump_t; + +static erf_dump_t* erf_dump_priv_create(void); +static void erf_dump_priv_free(erf_dump_t *dump_priv); +static gboolean erf_dump_priv_compare_capture_comment(wtap_dumper *wdh, erf_dump_t *dump_priv,const union wtap_pseudo_header *pseudo_header, const guint8 *pd); +static gboolean erf_comment_to_sections(wtap_dumper *wdh, guint16 section_type, guint16 section_id, gchar *comment, GPtrArray *sections); +static gboolean erf_wtap_info_to_sections(wtap_dumper *wdh, GPtrArray *sections); +static gboolean get_user_comment_string(wtap_dumper *wdh, gchar** user_comment_ptr); + +static gboolean erf_write_meta_record(wtap_dumper *wdh, erf_dump_t *dump_priv, guint64 timestamp, GPtrArray *sections, GArray *extra_ehdrs, int *err); + +static const struct { + int erf_encap_value; + int wtap_encap_value; +} erf_to_wtap_map[] = { + { ERF_TYPE_HDLC_POS, WTAP_ENCAP_CHDLC }, + { ERF_TYPE_HDLC_POS, WTAP_ENCAP_HHDLC }, + { ERF_TYPE_HDLC_POS, WTAP_ENCAP_CHDLC_WITH_PHDR }, + { ERF_TYPE_HDLC_POS, WTAP_ENCAP_PPP }, + { ERF_TYPE_HDLC_POS, WTAP_ENCAP_FRELAY }, + { ERF_TYPE_HDLC_POS, WTAP_ENCAP_MTP2 }, + { ERF_TYPE_ETH, WTAP_ENCAP_ETHERNET }, + { 99, WTAP_ENCAP_ERF }, /*this type added so WTAP_ENCAP_ERF will work and then be treated at ERF->ERF*/ +}; + +#define NUM_ERF_ENCAPS (sizeof erf_to_wtap_map / sizeof erf_to_wtap_map[0]) + +#define ERF_META_TAG_HEADERLEN 4 +#define ERF_META_TAG_TOTAL_ALIGNED_LENGTH(taglength) ((((guint32)taglength + 0x3U) & ~0x3U) + ERF_META_TAG_HEADERLEN) +#define ERF_META_TAG_ALIGNED_LENGTH(taglength) ((((guint32)taglength + 0x3U) & ~0x3U)) +#define ERF_PADDING_TO_8(len) ((8 - len % 8) % 8) + +struct erf_if_info { + int if_index; + gchar *name; + gchar *descr; + int stream_num; + struct { + guint filter:1; + guint fcs_len:1; + guint snaplen:1; + } set_flags; +}; + +struct erf_if_mapping { + guint64 host_id; + guint8 source_id; + struct erf_if_info interfaces[4]; + + gchar *module_filter_str; + /*here because we could have captures from multiple hosts in the file*/ + gchar *capture_filter_str; + gint8 module_fcs_len; + guint32 module_snaplen; + int interface_metadata; + guint64 interface_gentime; + guint64 module_gentime; +}; + +struct erf_meta_section { + guint16 type; + guint16 section_id; + guint16 section_length; + GPtrArray *tags; +}; + +struct erf_meta_tag { + guint16 type; + guint16 length; + guint8 *value; +}; + +struct erf_meta_read_state { + guint8 *tag_ptr; + guint32 remaining_len; + + struct erf_if_mapping *if_map; + + guint16 sectiontype; + guint16 sectionid; + guint16 parentsectiontype; + guint16 parentsectionid; + + guint64 gen_time; + + int interface_metadata; +}; + +static gboolean erf_wtap_blocks_to_erf_sections(wtap_block_t block, GPtrArray *sections, guint16 section_type, guint16 section_id, wtap_block_foreach_func func); + +static guint32 erf_meta_read_tag(struct erf_meta_tag*, guint8*, guint32); + +static int erf_file_type_subtype = -1; + +void register_erf(void); + +static guint erf_anchor_mapping_hash(gconstpointer key) { + const struct erf_anchor_mapping *anchor_map = (const struct erf_anchor_mapping*) key; + + return ((guint32)anchor_map->host_id ^ (guint32)anchor_map->anchor_id); + +} + +static gboolean erf_anchor_mapping_equal(gconstpointer a, gconstpointer b) { + const struct erf_anchor_mapping *anchor_map_a = (const struct erf_anchor_mapping*) a ; + const struct erf_anchor_mapping *anchor_map_b = (const struct erf_anchor_mapping*) b ; + + return (anchor_map_a->host_id) == (anchor_map_b->host_id) && + (anchor_map_a->anchor_id & ERF_EXT_HDR_TYPE_ANCHOR_ID) == (anchor_map_b->anchor_id & ERF_EXT_HDR_TYPE_ANCHOR_ID); +} + +static void erf_anchor_mapping_destroy(gpointer key) { + struct erf_anchor_mapping *anchor_map = (struct erf_anchor_mapping*) key; + + if(anchor_map->comment != NULL) { + g_free(anchor_map->comment); + anchor_map->comment = NULL; + } + g_free(anchor_map); + anchor_map = NULL; +} + +static gboolean erf_if_mapping_equal(gconstpointer a, gconstpointer b) +{ + const struct erf_if_mapping *if_map_a = (const struct erf_if_mapping*) a; + const struct erf_if_mapping *if_map_b = (const struct erf_if_mapping*) b; + + return if_map_a->source_id == if_map_b->source_id && if_map_a->host_id == if_map_b->host_id; +} + +static guint erf_if_mapping_hash(gconstpointer key) +{ + const struct erf_if_mapping *if_map = (const struct erf_if_mapping*) key; + + return (((guint) if_map->host_id) << 16) | if_map->source_id; +} + +static void erf_if_mapping_destroy(gpointer key) +{ + int i = 0; + struct erf_if_mapping *if_map = (struct erf_if_mapping*) key; + + for (i = 0; i < 4; i++) { + g_free(if_map->interfaces[i].name); + g_free(if_map->interfaces[i].descr); + } + + g_free(if_map->module_filter_str); + g_free(if_map); +} + +static struct erf_if_mapping* erf_if_mapping_create(guint64 host_id, guint8 source_id) +{ + int i = 0; + struct erf_if_mapping *if_map = NULL; + + if_map = g_new0(struct erf_if_mapping, 1); + + if_map->host_id = host_id; + if_map->source_id = source_id; + + for (i = 0; i < 4; i++) { + if_map->interfaces[i].if_index = -1; + if_map->interfaces[i].stream_num = -1; + } + + if_map->module_fcs_len = -1; + if_map->module_snaplen = (guint32) -1; + /* everything else 0 by g_malloc0*/ + + return if_map; +} + + +erf_t *erf_priv_create(void) +{ + erf_t *erf_priv; + + erf_priv = g_new(erf_t, 1); + erf_priv->anchor_map = g_hash_table_new_full(erf_anchor_mapping_hash, erf_anchor_mapping_equal, erf_anchor_mapping_destroy, NULL); + erf_priv->if_map = g_hash_table_new_full(erf_if_mapping_hash, erf_if_mapping_equal, erf_if_mapping_destroy, NULL); + erf_priv->implicit_host_id = ERF_META_HOST_ID_IMPLICIT; + erf_priv->capture_gentime = 0; + erf_priv->host_gentime = 0; + + return erf_priv; +} + +erf_t* erf_priv_free(erf_t* erf_priv) +{ + if (erf_priv) + { + g_hash_table_destroy(erf_priv->anchor_map); + g_hash_table_destroy(erf_priv->if_map); + g_free(erf_priv); + } + + return NULL; +} + +static void erf_dump_priv_free(erf_dump_t *dump_priv) { + if(dump_priv) { + if(dump_priv->periodic_sections) { + g_ptr_array_free(dump_priv->periodic_sections, TRUE); + } + if(dump_priv->periodic_extra_ehdrs) { + g_array_free(dump_priv->periodic_extra_ehdrs, TRUE); + } + if(dump_priv->user_comment_ptr) { + g_free(dump_priv->user_comment_ptr); + } + + g_free(dump_priv->rand); + + g_free(dump_priv); + } + +} + +static void erf_meta_section_free(gpointer data) { + struct erf_meta_section *section_ptr = (struct erf_meta_section*) data; + if (section_ptr) { + g_ptr_array_free(section_ptr->tags, TRUE); + section_ptr->tags = NULL; + } + g_free(section_ptr); +} + +static void erf_meta_tag_free(gpointer data) { + struct erf_meta_tag *tag_ptr = (struct erf_meta_tag*) data; + if (tag_ptr) { + g_free(tag_ptr->value); + tag_ptr->value = NULL; + } + g_free(tag_ptr); +} + + +static gboolean erf_dump_finish(struct wtap_dumper *wdh, int *err, gchar **err_info _U_) { + erf_dump_t *dump_priv = (erf_dump_t*)wdh->priv; + gboolean ret = TRUE; + + /* Write final metadata record. There are some corner cases where we should + * do this (file <1 second, last record was ERF_TYPE_META with an out of date + * comment) and there is no harm doing this always if we have already written + * some metadata. */ + if(dump_priv->write_next_extra_meta) { + if (!dump_priv->periodic_sections) { + dump_priv->periodic_sections = g_ptr_array_new_with_free_func(erf_meta_section_free); + if (dump_priv->prev_erf_type == ERF_TYPE_META && dump_priv->last_meta_periodic) { + erf_comment_to_sections(wdh, ERF_META_SECTION_CAPTURE, 0, dump_priv->user_comment_ptr, dump_priv->periodic_sections); + } else { + /* If we get here, metadata record was not found in the first ~1 sec + * but we have either a capture comment or a non-ERF file (see + * erf_dump_open) */ + erf_wtap_info_to_sections(wdh, dump_priv->periodic_sections); + } + } + + if (!erf_write_meta_record(wdh, dump_priv, dump_priv->prev_frame_ts, dump_priv->periodic_sections, dump_priv->periodic_extra_ehdrs, err)) ret = FALSE; + } + + /* Clean up */ + erf_dump_priv_free(dump_priv); + /* Avoid double freeing by setting it to NULL*/ + wdh->priv = NULL; + + return ret; + +} + +static void +erf_free_data(gpointer data, gpointer user_data _U_) +{ + g_free(data); +} + + +extern wtap_open_return_val erf_open(wtap *wth, int *err, gchar **err_info) +{ + int i, n, records_for_erf_check = RECORDS_FOR_ERF_CHECK; + int valid_prev = 0; + char *s; + erf_timestamp_t prevts,ts; + erf_header_t header; + guint32 mc_hdr; + struct erf_eth_hdr eth_hdr; + guint32 packet_size; + guint16 rlen; + guint64 erf_ext_header; + guint erf_ext_header_size = (guint)sizeof(erf_ext_header); + guint8 type; + + prevts = 0; + + /* number of records to scan before deciding if this really is ERF */ + if ((s = getenv("ERF_RECORDS_TO_CHECK")) != NULL) { + if (ws_strtoi32(s, NULL, &n) && n >= 0 && n < 101) { + records_for_erf_check = n; + } + } + + /* + * ERF is a little hard because there's no magic number; we look at + * the first few records and see if they look enough like ERF + * records. + */ + + for (i = 0; i < records_for_erf_check; i++) { /* records_for_erf_check */ + + if (!wtap_read_bytes_or_eof(wth->fh,&header,erf_header_size,err,err_info)) { + if (*err == 0) { + /* EOF - all records have been successfully checked, accept the file */ + break; + } + if (*err == WTAP_ERR_SHORT_READ) { + /* ERF header too short accept the file, + only if the very first records have been successfully checked */ + if (i < MIN_RECORDS_FOR_ERF_CHECK) { + return WTAP_OPEN_NOT_MINE; + } else { + /* BREAK, the last record is too short, and will be ignored */ + break; + } + } else { + return WTAP_OPEN_ERROR; + } + } + + rlen=g_ntohs(header.rlen); + + /* fail on invalid record type, invalid rlen, timestamps decreasing, or incrementing too far */ + + /* Test valid rlen >= 16 */ + if (rlen < 16) { + return WTAP_OPEN_NOT_MINE; + } + + packet_size = rlen - erf_header_size; + if (packet_size > WTAP_MAX_PACKET_SIZE_STANDARD) { + /* + * Probably a corrupt capture file or a file that's not an ERF file + * but that passed earlier tests. + */ + return WTAP_OPEN_NOT_MINE; + } + + /* Skip PAD records, timestamps may not be set */ + if ((header.type & 0x7F) == ERF_TYPE_PAD) { + if (!wtap_read_bytes(wth->fh, NULL, packet_size, err, err_info)) { + if (*err != WTAP_ERR_SHORT_READ) { + /* A real error */ + return WTAP_OPEN_ERROR; + } + /* ERF record too short, accept the file, + only if the very first records have been successfully checked */ + if (i < MIN_RECORDS_FOR_ERF_CHECK) { + return WTAP_OPEN_NOT_MINE; + } + } + continue; + } + + /* ERF Type 0 is reserved for ancient legacy records which are not supported, probably not ERF */ + if ((header.type & 0x7F) == 0) { + return WTAP_OPEN_NOT_MINE; + } + + /* fail on decreasing timestamps */ + if ((ts = pletoh64(&header.ts)) < prevts) { + /* reassembled AALx records may not be in time order, also records are not in strict time order between physical interfaces, so allow 1 sec fudge */ + if ( ((prevts-ts)>>32) > 1 ) { + return WTAP_OPEN_NOT_MINE; + } + } + + /* Check to see if timestamp increment is > 1 year */ + if ( (valid_prev) && (ts > prevts) && (((ts-prevts)>>32) > 3600*24*365) ) { + return WTAP_OPEN_NOT_MINE; + } + + prevts = ts; + + /* Read over the extension headers */ + type = header.type; + while (type & 0x80){ + if (!wtap_read_bytes(wth->fh,&erf_ext_header,erf_ext_header_size,err,err_info)) { + if (*err == WTAP_ERR_SHORT_READ) { + /* Extension header missing, not an ERF file */ + return WTAP_OPEN_NOT_MINE; + } + return WTAP_OPEN_ERROR; + } + if (packet_size < erf_ext_header_size) + return WTAP_OPEN_NOT_MINE; + packet_size -= erf_ext_header_size; + memcpy(&type, &erf_ext_header, sizeof(type)); + } + + + /* Read over MC or ETH subheader */ + switch(header.type & 0x7F) { + case ERF_TYPE_MC_HDLC: + case ERF_TYPE_MC_RAW: + case ERF_TYPE_MC_ATM: + case ERF_TYPE_MC_RAW_CHANNEL: + case ERF_TYPE_MC_AAL5: + case ERF_TYPE_MC_AAL2: + case ERF_TYPE_COLOR_MC_HDLC_POS: + case ERF_TYPE_AAL2: /* not an MC type but has a similar 'AAL2 ext' header */ + if (!wtap_read_bytes(wth->fh,&mc_hdr,erf_mc_header_size,err,err_info)) { + if (*err == WTAP_ERR_SHORT_READ) { + /* Subheader missing, not an ERF file */ + return WTAP_OPEN_NOT_MINE; + } + return WTAP_OPEN_ERROR; + } + if (packet_size < erf_mc_header_size) + return WTAP_OPEN_NOT_MINE; + packet_size -= erf_mc_header_size; + break; + case ERF_TYPE_ETH: + case ERF_TYPE_COLOR_ETH: + case ERF_TYPE_DSM_COLOR_ETH: + case ERF_TYPE_COLOR_HASH_ETH: + if (!wtap_read_bytes(wth->fh,ð_hdr,erf_eth_hdr_size,err,err_info)) { + if (*err == WTAP_ERR_SHORT_READ) { + /* Subheader missing, not an ERF file */ + return WTAP_OPEN_NOT_MINE; + } + return WTAP_OPEN_ERROR; + } + if (packet_size < erf_eth_hdr_size) + return WTAP_OPEN_NOT_MINE; + packet_size -= erf_eth_hdr_size; + break; + default: + break; + } + + if (!wtap_read_bytes(wth->fh, NULL, packet_size, err, err_info)) { + if (*err != WTAP_ERR_SHORT_READ) { + /* A real error */ + return WTAP_OPEN_ERROR; + } + /* ERF record too short, accept the file, + only if the very first records have been successfully checked */ + if (i < MIN_RECORDS_FOR_ERF_CHECK) { + return WTAP_OPEN_NOT_MINE; + } + } + + valid_prev = 1; + + } /* records_for_erf_check */ + + if (file_seek(wth->fh, 0L, SEEK_SET, err) == -1) { /* rewind */ + return WTAP_OPEN_ERROR; + } + + /* This is an ERF file */ + wth->file_type_subtype = erf_file_type_subtype; + wth->snapshot_length = 0; /* not available in header, only in frame */ + + /* + * Use the encapsulation for ERF records. + */ + wth->file_encap = WTAP_ENCAP_ERF; + + wth->subtype_read = erf_read; + wth->subtype_seek_read = erf_seek_read; + wth->subtype_close = erf_close; + wth->file_tsprec = WTAP_TSPREC_NSEC; + + wth->priv = erf_priv_create(); + + return WTAP_OPEN_MINE; +} + +/* Read the next packet */ +static gboolean erf_read(wtap *wth, wtap_rec *rec, Buffer *buf, + int *err, gchar **err_info, gint64 *data_offset) +{ + erf_header_t erf_header; + guint32 packet_size, bytes_read; + GPtrArray *anchor_mappings_to_update; + + *data_offset = file_tell(wth->fh); + + anchor_mappings_to_update = g_ptr_array_new_with_free_func(erf_anchor_mapping_destroy); + + do { + if (!erf_read_header(wth, wth->fh, rec, &erf_header, + err, err_info, &bytes_read, &packet_size, + anchor_mappings_to_update)) { + g_ptr_array_free(anchor_mappings_to_update, TRUE); + return FALSE; + } + + if (!wtap_read_packet_bytes(wth->fh, buf, packet_size, err, err_info)) { + g_ptr_array_free(anchor_mappings_to_update, TRUE); + return FALSE; + } + + /* + * If Provenance metadata record, frame buffer could hold the meta erf tags. + * It can also contain per packet comments which can be associated to another + * frame. + */ + if ((erf_header.type & 0x7F) == ERF_TYPE_META && packet_size > 0) + { + if (populate_summary_info((erf_t*) wth->priv, wth, &rec->rec_header.packet_header.pseudo_header, buf, packet_size, anchor_mappings_to_update, err, err_info) < 0) { + g_ptr_array_free(anchor_mappings_to_update, TRUE); + return FALSE; + } + } + + } while ( erf_header.type == ERF_TYPE_PAD ); + + g_ptr_array_free(anchor_mappings_to_update, TRUE); + + return TRUE; +} + +static gboolean erf_seek_read(wtap *wth, gint64 seek_off, + wtap_rec *rec, Buffer *buf, + int *err, gchar **err_info) +{ + erf_header_t erf_header; + guint32 packet_size; + GPtrArray *anchor_mappings_to_update; + + if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1) + return FALSE; + + anchor_mappings_to_update = g_ptr_array_new_with_free_func(erf_anchor_mapping_destroy); + + do { + if (!erf_read_header(wth, wth->random_fh, rec, &erf_header, + err, err_info, NULL, &packet_size, anchor_mappings_to_update)) { + g_ptr_array_free(anchor_mappings_to_update, TRUE); + return FALSE; + } + } while ( erf_header.type == ERF_TYPE_PAD ); + + g_ptr_array_free(anchor_mappings_to_update, TRUE); + + return wtap_read_packet_bytes(wth->random_fh, buf, packet_size, + err, err_info); +} + +static struct erf_anchor_mapping* erf_find_anchor_mapping(erf_t *priv, + guint64 host_id, + guint64 anchor_id) +{ + struct erf_anchor_mapping mapping = { + host_id, + anchor_id, + 0, + NULL + }; + + if (!priv) { + return NULL; + } + + return (struct erf_anchor_mapping*)g_hash_table_lookup(priv->anchor_map, &mapping); + +} + +static gboolean erf_read_header(wtap *wth, FILE_T fh, + wtap_rec *rec, + erf_header_t *erf_header, + int *err, + gchar **err_info, + guint32 *bytes_read, + guint32 *packet_size, + GPtrArray *anchor_mappings_to_update) +{ + union wtap_pseudo_header *pseudo_header = &rec->rec_header.packet_header.pseudo_header; + guint8 erf_exhdr[8]; + guint64 erf_exhdr_sw; + guint8 type = 0; + guint32 mc_hdr; + guint32 aal2_hdr; + struct wtap_erf_eth_hdr eth_hdr; + guint32 skiplen = 0; + int i = 0; + int max = sizeof(pseudo_header->erf.ehdr_list)/sizeof(struct erf_ehdr); + erf_t *priv = (erf_t*)wth->priv; + int interface_id; + + guint64 host_id = ERF_META_HOST_ID_IMPLICIT; + guint8 source_id = 0; + guint8 if_num = 0; + gboolean host_id_found = FALSE; + + if (!wtap_read_bytes_or_eof(fh, erf_header, sizeof(*erf_header), err, err_info)) { + return FALSE; + } + if (bytes_read != NULL) { + *bytes_read = sizeof(*erf_header); + } + + *packet_size = g_ntohs(erf_header->rlen) - (guint32)sizeof(*erf_header); + + if (*packet_size > WTAP_MAX_PACKET_SIZE_STANDARD) { + /* + * Probably a corrupt capture file; don't blow up trying + * to allocate space for an immensely-large packet. + */ + *err = WTAP_ERR_BAD_FILE; + *err_info = ws_strdup_printf("erf: File has %u-byte packet, bigger than maximum of %u", + *packet_size, WTAP_MAX_PACKET_SIZE_STANDARD); + return FALSE; + } + + if (*packet_size == 0) { + /* If this isn't a pad record, it's a corrupt packet; bail out */ + if ((erf_header->type & 0x7F) != ERF_TYPE_PAD) { + *err = WTAP_ERR_BAD_FILE; + *err_info = g_strdup("erf: File has 0 byte packet"); + + return FALSE; + } + } + + { + guint64 ts = pletoh64(&erf_header->ts); + + /*if ((erf_header->type & 0x7f) != ERF_TYPE_META || wth->file_type_subtype != file_type_subtype_erf) {*/ + rec->rec_type = REC_TYPE_PACKET; + rec->block = wtap_block_create(WTAP_BLOCK_PACKET); + /* + * XXX: ERF_TYPE_META records should ideally be FT_SPECIFIC for display + * purposes, but currently ft_specific_record_phdr clashes with erf_mc_phdr + * and the pcapng dumper assumes it is a pcapng block type. Ideally we + * would register a block handler with pcapng and write out the closest + * pcapng block, or a custom block/Provenance record. + * + */ +#if 0 + } else { + /* + * TODO: how to identify, distinguish and timestamp events? + * What to do about ENCAP_ERF in pcap/pcapng? Filetype dissector is + * chosen by wth->file_type_subtype? + */ + /* For now just treat all Provenance records as reports */ + rec->rec_type = REC_TYPE_FT_SPECIFIC_REPORT; + rec->block = wtap_block_create(WTAP_BLOCK_FT_SPECIFIC_REPORT); + /* XXX: phdr ft_specific_record_phdr? */ + } +#endif + rec->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN|WTAP_HAS_INTERFACE_ID; + rec->ts.secs = (long) (ts >> 32); + ts = ((ts & 0xffffffff) * 1000 * 1000 * 1000); + ts += (ts & 0x80000000) << 1; /* rounding */ + rec->ts.nsecs = ((int) (ts >> 32)); + if (rec->ts.nsecs >= 1000000000) { + rec->ts.nsecs -= 1000000000; + rec->ts.secs += 1; + } + + if_num = erf_header->flags & 0x03; + } + + /* Copy the ERF pseudo header */ + memset(&pseudo_header->erf, 0, sizeof(pseudo_header->erf)); + pseudo_header->erf.phdr.ts = pletoh64(&erf_header->ts); + pseudo_header->erf.phdr.type = erf_header->type; + pseudo_header->erf.phdr.flags = erf_header->flags; + pseudo_header->erf.phdr.rlen = g_ntohs(erf_header->rlen); + pseudo_header->erf.phdr.lctr = g_ntohs(erf_header->lctr); + pseudo_header->erf.phdr.wlen = g_ntohs(erf_header->wlen); + + /* Copy the ERF extension header into the pseudo header */ + type = erf_header->type; + while (type & 0x80){ + if (!wtap_read_bytes(fh, &erf_exhdr, sizeof(erf_exhdr), + err, err_info)) + return FALSE; + if (bytes_read != NULL) + *bytes_read += (guint32)sizeof(erf_exhdr); + *packet_size -= (guint32)sizeof(erf_exhdr); + skiplen += (guint32)sizeof(erf_exhdr); + erf_exhdr_sw = pntoh64(erf_exhdr); + if (i < max) + memcpy(&pseudo_header->erf.ehdr_list[i].ehdr, &erf_exhdr_sw, sizeof(erf_exhdr_sw)); + type = erf_exhdr[0]; + + /* + * XXX: Only want first Source ID and Host ID, and want to preserve HID n SID 0 (see + * erf_populate_interface) + */ + switch (type & 0x7FU) { + case ERF_EXT_HDR_TYPE_HOST_ID: + if (!host_id_found) + host_id = erf_exhdr_sw & ERF_EHDR_HOST_ID_MASK; + + host_id_found = TRUE; + /* Fall through */ + case ERF_EXT_HDR_TYPE_FLOW_ID: + /* Source ID is present in both Flow ID and Host ID extension headers */ + if (!source_id) + source_id = (erf_exhdr_sw >> 48) & 0xff; + break; + case ERF_EXT_HDR_TYPE_ANCHOR_ID: + /* handled below*/ + break; + } + i++; + } + + interface_id = erf_populate_interface((erf_t*) wth->priv, wth, pseudo_header, host_id, source_id, if_num, err, err_info); + if (interface_id < 0) { + return FALSE; + } + rec->rec_header.packet_header.interface_id = (guint) interface_id; + + /* Try to find comment links using Anchor ID. Done here after we found the first Host ID and have updated the implicit Host ID. */ + erf_update_anchors_from_header(priv, rec, pseudo_header, host_id, anchor_mappings_to_update); + + switch (erf_header->type & 0x7F) { + case ERF_TYPE_IPV4: + case ERF_TYPE_IPV6: + case ERF_TYPE_RAW_LINK: + case ERF_TYPE_INFINIBAND: + case ERF_TYPE_INFINIBAND_LINK: + case ERF_TYPE_META: + case ERF_TYPE_OPA_SNC: + case ERF_TYPE_OPA_9B: +#if 0 + { + rec->rec_header.packet_header.len = g_htons(erf_header->wlen); + rec->rec_header.packet_header.caplen = g_htons(erf_header->wlen); + } + return TRUE; +#endif + break; + case ERF_TYPE_PAD: + case ERF_TYPE_HDLC_POS: + case ERF_TYPE_COLOR_HDLC_POS: + case ERF_TYPE_DSM_COLOR_HDLC_POS: + case ERF_TYPE_COLOR_HASH_POS: + case ERF_TYPE_ATM: + case ERF_TYPE_AAL5: + break; + + case ERF_TYPE_ETH: + case ERF_TYPE_COLOR_ETH: + case ERF_TYPE_DSM_COLOR_ETH: + case ERF_TYPE_COLOR_HASH_ETH: + if (!wtap_read_bytes(fh, ð_hdr, sizeof(eth_hdr), err, err_info)) + return FALSE; + if (bytes_read != NULL) + *bytes_read += (guint32)sizeof(eth_hdr); + *packet_size -= (guint32)sizeof(eth_hdr); + skiplen += (guint32)sizeof(eth_hdr); + pseudo_header->erf.subhdr.eth_hdr = eth_hdr; + break; + + case ERF_TYPE_MC_HDLC: + case ERF_TYPE_MC_RAW: + case ERF_TYPE_MC_ATM: + case ERF_TYPE_MC_RAW_CHANNEL: + case ERF_TYPE_MC_AAL5: + case ERF_TYPE_MC_AAL2: + case ERF_TYPE_COLOR_MC_HDLC_POS: + if (!wtap_read_bytes(fh, &mc_hdr, sizeof(mc_hdr), err, err_info)) + return FALSE; + if (bytes_read != NULL) + *bytes_read += (guint32)sizeof(mc_hdr); + *packet_size -= (guint32)sizeof(mc_hdr); + skiplen += (guint32)sizeof(mc_hdr); + pseudo_header->erf.subhdr.mc_hdr = g_ntohl(mc_hdr); + break; + + case ERF_TYPE_AAL2: + if (!wtap_read_bytes(fh, &aal2_hdr, sizeof(aal2_hdr), err, err_info)) + return FALSE; + if (bytes_read != NULL) + *bytes_read += (guint32)sizeof(aal2_hdr); + *packet_size -= (guint32)sizeof(aal2_hdr); + skiplen += (guint32)sizeof(aal2_hdr); + pseudo_header->erf.subhdr.aal2_hdr = g_ntohl(aal2_hdr); + break; + + case ERF_TYPE_IP_COUNTER: + case ERF_TYPE_TCP_FLOW_COUNTER: + /* unsupported, continue with default: */ + default: + /* let the dissector dissect as unknown record type for forwards compatibility */ + break; + } + + { + rec->rec_header.packet_header.len = g_ntohs(erf_header->wlen); + rec->rec_header.packet_header.caplen = MIN( g_ntohs(erf_header->wlen), + g_ntohs(erf_header->rlen) - (guint32)sizeof(*erf_header) - skiplen ); + } + + if (*packet_size > WTAP_MAX_PACKET_SIZE_STANDARD) { + /* + * Probably a corrupt capture file; don't blow up trying + * to allocate space for an immensely-large packet. + */ + *err = WTAP_ERR_BAD_FILE; + *err_info = ws_strdup_printf("erf: File has %u-byte packet, bigger than maximum of %u", + *packet_size, WTAP_MAX_PACKET_SIZE_STANDARD); + return FALSE; + } + + return TRUE; +} + +static int wtap_wtap_encap_to_erf_encap(int encap) +{ + unsigned int i; + for(i = 0; i < NUM_ERF_ENCAPS; i++){ + if(erf_to_wtap_map[i].wtap_encap_value == encap) + return erf_to_wtap_map[i].erf_encap_value; + } + return -1; +} + +static gboolean erf_write_phdr(wtap_dumper *wdh, int encap, const union wtap_pseudo_header *pseudo_header, int * err) +{ + guint8 erf_hdr[sizeof(struct erf_mc_phdr)]; + guint8 erf_subhdr[sizeof(union erf_subhdr)]; + guint8 ehdr[8*MAX_ERF_EHDR]; + size_t size = 0; + size_t subhdr_size = 0; + int i = 0; + guint8 has_more = 0; + + switch(encap){ + case WTAP_ENCAP_ERF: + memset(&erf_hdr, 0, sizeof(erf_hdr)); + phtolell(&erf_hdr[0], pseudo_header->erf.phdr.ts); + erf_hdr[8] = pseudo_header->erf.phdr.type; + erf_hdr[9] = pseudo_header->erf.phdr.flags; + phtons(&erf_hdr[10], pseudo_header->erf.phdr.rlen); + phtons(&erf_hdr[12], pseudo_header->erf.phdr.lctr); + phtons(&erf_hdr[14], pseudo_header->erf.phdr.wlen); + size = sizeof(struct erf_phdr); + + switch(pseudo_header->erf.phdr.type & 0x7F) { + case ERF_TYPE_MC_HDLC: + case ERF_TYPE_MC_RAW: + case ERF_TYPE_MC_ATM: + case ERF_TYPE_MC_RAW_CHANNEL: + case ERF_TYPE_MC_AAL5: + case ERF_TYPE_MC_AAL2: + case ERF_TYPE_COLOR_MC_HDLC_POS: + phtonl(&erf_subhdr[0], pseudo_header->erf.subhdr.mc_hdr); + subhdr_size += (int)sizeof(struct erf_mc_hdr); + break; + case ERF_TYPE_AAL2: + phtonl(&erf_subhdr[0], pseudo_header->erf.subhdr.aal2_hdr); + subhdr_size += (int)sizeof(struct erf_aal2_hdr); + break; + case ERF_TYPE_ETH: + case ERF_TYPE_COLOR_ETH: + case ERF_TYPE_DSM_COLOR_ETH: + case ERF_TYPE_COLOR_HASH_ETH: + memcpy(&erf_subhdr[0], &pseudo_header->erf.subhdr.eth_hdr, sizeof pseudo_header->erf.subhdr.eth_hdr); + subhdr_size += erf_eth_hdr_size; + break; + default: + break; + } + break; + default: + return FALSE; + + } + if (!wtap_dump_file_write(wdh, erf_hdr, size, err)) + return FALSE; + + /*write out up to MAX_ERF_EHDR extension headers*/ + has_more = pseudo_header->erf.phdr.type & 0x80; + if(has_more){ /*we have extension headers*/ + do{ + phtonll(ehdr+(i*8), pseudo_header->erf.ehdr_list[i].ehdr); + if(i == MAX_ERF_EHDR-1) ehdr[i*8] = ehdr[i*8] & 0x7F; + has_more = ehdr[i*8] & 0x80; + i++; + }while(has_more && i < MAX_ERF_EHDR); + if (!wtap_dump_file_write(wdh, ehdr, 8*i, err)) + return FALSE; + } + + if(!wtap_dump_file_write(wdh, erf_subhdr, subhdr_size, err)) + return FALSE; + + return TRUE; +} + + +static void erf_dump_priv_init_gen_time(erf_dump_t *dump_priv) { + gint64 real_time; + + real_time = g_get_real_time(); + /* Convert TimeVal to ERF timestamp */ + dump_priv->gen_time = ((real_time / G_USEC_PER_SEC) << 32) + ((real_time % G_USEC_PER_SEC) << 32) / 1000 / 1000; +} + + +static gboolean erf_write_wtap_option_to_capture_tag(wtap_block_t block _U_, + guint option_id, + wtap_opttype_e option_type _U_, + wtap_optval_t *optval, + void* user_data) { + + struct erf_meta_section *section_ptr = (struct erf_meta_section*) user_data; + struct erf_meta_tag *tag_ptr = NULL; + + tag_ptr = g_new0(struct erf_meta_tag, 1); + + switch(option_id) { + case OPT_SHB_USERAPPL: + tag_ptr->type = ERF_META_TAG_app_name; + tag_ptr->value = (guint8*)g_strdup(optval->stringval); + tag_ptr->length = (guint16)strlen((char*)tag_ptr->value); + break; + case OPT_COMMENT: + tag_ptr->type = ERF_META_TAG_comment; + tag_ptr->value = (guint8*)g_strdup(optval->stringval); + tag_ptr->length = (guint16)strlen((char*)tag_ptr->value); + break; + default: + erf_meta_tag_free(tag_ptr); + tag_ptr = NULL; + break; + } + + if (tag_ptr) + g_ptr_array_add(section_ptr->tags, tag_ptr); + + return TRUE; /* we always succeed */ +} + +static gboolean erf_write_wtap_option_to_host_tag(wtap_block_t block _U_, + guint option_id, + wtap_opttype_e option_type _U_, + wtap_optval_t *optval, + void* user_data) { + + struct erf_meta_section *section_ptr = (struct erf_meta_section*) user_data; + struct erf_meta_tag *tag_ptr = NULL; + + tag_ptr = g_new0(struct erf_meta_tag, 1); + + switch(option_id) { + case OPT_SHB_HARDWARE: + tag_ptr->type = ERF_META_TAG_cpu; + tag_ptr->value = (guint8*)g_strdup(optval->stringval); + tag_ptr->length = (guint16)strlen((char*)tag_ptr->value); + break; + case OPT_SHB_OS: + tag_ptr->type = ERF_META_TAG_os; + tag_ptr->value = (guint8*)g_strdup(optval->stringval); + tag_ptr->length = (guint16)strlen((char*)tag_ptr->value); + break; + default: + erf_meta_tag_free(tag_ptr); + tag_ptr = NULL; + break; + } + + if (tag_ptr) + g_ptr_array_add(section_ptr->tags, tag_ptr); + + return TRUE; /* we always succeed */ +} + +static gboolean erf_write_wtap_option_to_interface_tag(wtap_block_t block _U_, + guint option_id, + wtap_opttype_e option_type _U_, + wtap_optval_t *optval, + void* user_data) { + + struct erf_meta_section *section_ptr = (struct erf_meta_section*) user_data; + struct erf_meta_tag *tag_ptr = NULL; + + tag_ptr = g_new0(struct erf_meta_tag, 1); + + switch(option_id) { + case OPT_COMMENT: + tag_ptr->type = ERF_META_TAG_comment; + tag_ptr->value = (guint8*)g_strdup(optval->stringval); + tag_ptr->length = (guint16)strlen((char*)tag_ptr->value); + break; + case OPT_IDB_NAME: + tag_ptr->type = ERF_META_TAG_name; + tag_ptr->value = (guint8*)g_strdup(optval->stringval); + tag_ptr->length = (guint16)strlen((char*)tag_ptr->value); + break; + case OPT_IDB_DESCRIPTION: + tag_ptr->type = ERF_META_TAG_descr; + tag_ptr->value = (guint8*)g_strdup(optval->stringval); + tag_ptr->length = (guint16)strlen((char*)tag_ptr->value); + break; + case OPT_IDB_OS: + tag_ptr->type = ERF_META_TAG_os; + tag_ptr->value = (guint8*)g_strdup(optval->stringval); + tag_ptr->length = (guint16)strlen((char*)tag_ptr->value); + break; + case OPT_IDB_TSOFFSET: + tag_ptr->type = ERF_META_TAG_ts_offset; + tag_ptr->length = 8; + tag_ptr->value = (guint8*)g_malloc(sizeof(optval->uint64val)); + /* convert to relative ERF timestamp */ + phtolell(tag_ptr->value, optval->uint64val << 32); + break; + case OPT_IDB_SPEED: + tag_ptr->type = ERF_META_TAG_if_speed; + tag_ptr->length = 8; + tag_ptr->value = (guint8*)g_malloc(sizeof(optval->uint64val)); + phtonll(tag_ptr->value, optval->uint64val); + break; + case OPT_IDB_IP4ADDR: + tag_ptr->type = ERF_META_TAG_if_ipv4; + tag_ptr->length = 4; + tag_ptr->value = (guint8*)g_malloc(sizeof(optval->ipv4val)); + memcpy(tag_ptr->value, &optval->ipv4val, sizeof(optval->ipv4val)); + break; + case OPT_IDB_IP6ADDR: + tag_ptr->type = ERF_META_TAG_if_ipv6; + tag_ptr->length = 16; + tag_ptr->value = (guint8*)g_malloc(sizeof(optval->ipv6val)); + memcpy(tag_ptr->value, &optval->ipv6val, sizeof(optval->ipv6val)); + break; + case OPT_IDB_FILTER: + { + if_filter_opt_t *filter; + filter = &optval->if_filterval; + tag_ptr->type = 0xF800; + if(filter->type == if_filter_pcap) { + tag_ptr->type = ERF_META_TAG_filter; + tag_ptr->value = (guint8*)g_strdup(filter->data.filter_str); + tag_ptr->length = (guint16)strlen((char*)tag_ptr->value); + } + } + break; + case OPT_IDB_FCSLEN: + tag_ptr->type = ERF_META_TAG_fcs_len; + tag_ptr->length = 4; + tag_ptr->value = (guint8*)g_malloc(tag_ptr->length); + phtonl(tag_ptr->value, (guint32)optval->uint8val); + break; + /* TODO: Don't know what to do with these yet */ + case OPT_IDB_EUIADDR: +#if 0 + tag_ptr->type = ERF_META_TAG_if_eui; + tag_ptr->length = 8; + tag_ptr->value = (guint8*)g_malloc(sizeof(optval->eui64val)); + memcpy(tag_ptr->value, &optval->euival, sizeof(optval->eui64val)); + break; +#endif + case OPT_IDB_MACADDR: +#if 0 + tag_ptr->type = ERF_META_TAG_if_mac; + tag_ptr->length = 6; + /*value same format as pcapng (6-byte canonical, padded by write + * function automatically to 32-bit boundary)*/ + tag_ptr->value = (guint8*)g_malloc(sizeof(optval->macval)); + memcpy(tag_ptr->value, &optval->macval, sizeof(optval->macval)); + break; +#endif + case OPT_IDB_TSRESOL: + case OPT_IDB_TZONE: + /* Fall through */ + default: + erf_meta_tag_free(tag_ptr); + tag_ptr = NULL; + break; + } + + if (tag_ptr) + g_ptr_array_add(section_ptr->tags, tag_ptr); + + return TRUE; /* we always succeed */ +} + +static void erf_populate_section_length_by_tags(struct erf_meta_section *section_ptr) { + guint i = 0; + struct erf_meta_tag *tag_ptr; + + section_ptr->section_length = 8; + + for(;i < section_ptr->tags->len; i++) { + tag_ptr = (struct erf_meta_tag*)g_ptr_array_index(section_ptr->tags, i); + section_ptr->section_length += ERF_META_TAG_TOTAL_ALIGNED_LENGTH(tag_ptr->length); + } +} + +/** + * @brief Converts a wtap_block_t block to ERF metadata sections + * @param block a wtap_block_t block + * @param sections pointer to a GPtrArray containing pointers to sections + * @param section_type the pre-specified section_type + * @param section_id Section ID to assign + * @param func a wtap_block_foreach_func call back function to specify + * what needs to be done on the block + * @return TRUE if success, FALSE if failed + */ +static gboolean erf_wtap_blocks_to_erf_sections(wtap_block_t block, GPtrArray *sections, guint16 section_type, guint16 section_id, wtap_block_foreach_func func) { + + if(!block || !sections || !func) { + return FALSE; + } + + struct erf_meta_section *section_ptr; + + section_ptr = g_new(struct erf_meta_section, 1); + section_ptr->tags = g_ptr_array_new_with_free_func(erf_meta_tag_free); + section_ptr->type = section_type; + section_ptr->section_id = section_id; + + wtap_block_foreach_option(block, func, (void*)section_ptr); + erf_populate_section_length_by_tags(section_ptr); + g_ptr_array_add(sections, section_ptr); + + return TRUE; +} + + +static gboolean erf_meta_write_tag(wtap_dumper *wdh, struct erf_meta_tag *tag_ptr, int *err) { + + guint16 data[2]; + guint pad = 0; + /* we only need to pad up to 32 bits*/ + guint32 padbuf = 0; + + pad = ERF_META_TAG_ALIGNED_LENGTH(tag_ptr->length) - tag_ptr->length; + data[0] = g_htons(tag_ptr->type); + data[1] = g_htons(tag_ptr->length); + + if(!wtap_dump_file_write(wdh, data, sizeof(data), err)) return FALSE; + + if(!wtap_dump_file_write(wdh, tag_ptr->value, tag_ptr->length, err)) return FALSE; + + if(pad) { + if(!wtap_dump_file_write(wdh, &padbuf, pad, err)) return FALSE; + } + + return TRUE; + +} + +static gboolean erf_meta_write_section(wtap_dumper *wdh, struct erf_meta_section *section_ptr, int *err) { + + struct erf_meta_tag *tag_ptr; + guint i; + guint16 data[4]; + + data[0] = g_htons(section_ptr->type); + data[1] = g_htons(4); /*section header length*/ + data[2] = g_htons(section_ptr->section_id); + data[3] = g_htons(section_ptr->section_length); + + if(!wtap_dump_file_write(wdh, data, sizeof(data), err)) return FALSE; + + for(i = 0; i < section_ptr->tags->len; i++) { + tag_ptr = (struct erf_meta_tag*)g_ptr_array_index(section_ptr->tags, i); + if(!erf_meta_write_tag(wdh, tag_ptr, err)) return FALSE; + } + + return TRUE; + +} + +static gboolean erf_wtap_info_to_sections(wtap_dumper *wdh, GPtrArray *sections) { + wtap_block_t block; + guint i = 0; + + block = g_array_index(wdh->shb_hdrs, wtap_block_t, 0); + erf_wtap_blocks_to_erf_sections(block, sections, ERF_META_SECTION_CAPTURE, 0, erf_write_wtap_option_to_capture_tag); + + block = g_array_index(wdh->shb_hdrs, wtap_block_t, 0); + erf_wtap_blocks_to_erf_sections(block, sections, ERF_META_SECTION_HOST, 0, erf_write_wtap_option_to_host_tag); + + /*TODO: support >4 interfaces by using more Source IDs. Affects more than this + * function as need more metadata records. Just dump them all out for now. */ + for(i = 0; i < wdh->interface_data->len; i++) { + block = g_array_index(wdh->interface_data, wtap_block_t, i); + erf_wtap_blocks_to_erf_sections(block, sections, ERF_META_SECTION_INTERFACE, (gint16)i+1, erf_write_wtap_option_to_interface_tag); + } + + return TRUE; +} + +static gboolean erf_comment_to_sections(wtap_dumper *wdh _U_, guint16 section_type, guint16 section_id, gchar *comment, GPtrArray *sections){ + struct erf_meta_section *section_ptr; + struct erf_meta_tag *comment_tag_ptr = NULL; + struct erf_meta_tag *user_tag_ptr = NULL; + const gchar *user = NULL; + + /* Generate the section */ + section_ptr = g_new(struct erf_meta_section, 1); + section_ptr->type = section_type; + section_ptr->section_id = section_id; + section_ptr->tags = g_ptr_array_new_with_free_func(erf_meta_tag_free); + + /* Generate the comment tag */ + comment_tag_ptr = g_new(struct erf_meta_tag, 1); + comment_tag_ptr->type = ERF_META_TAG_comment; + /* XXX: if the comment has been cleared write the empty string (which + * conveniently is all a zero length tag which means the value is + * invalidated) */ + comment_tag_ptr->value = (guint8*)g_strdup(comment ? comment : ""); + comment_tag_ptr->length = (guint16)strlen((char*)comment_tag_ptr->value); + g_ptr_array_add(section_ptr->tags, comment_tag_ptr); + + user = g_get_user_name(); + if (user) { + /* Generate username tag */ + user_tag_ptr = g_new(struct erf_meta_tag, 1); + user_tag_ptr->type = ERF_META_TAG_user; + user_tag_ptr->value = (guint8*)g_strdup(user); + user_tag_ptr->length = (guint16)strlen((char*)user_tag_ptr->value); + g_ptr_array_add(section_ptr->tags, user_tag_ptr); + } + + erf_populate_section_length_by_tags(section_ptr); + + g_ptr_array_add(sections, section_ptr); + + return TRUE; +} + +static guint64 erf_get_random_anchor_id(erf_dump_t *dump_priv) { + return (((guint64)g_rand_int(dump_priv->rand) << 32) | (guint64)g_rand_int(dump_priv->rand)) >> 16; +} + +static guint64 erf_metaid_ext_hdr(guint8 exthdr_type, guint64 id, guint8 srcid_flags) { + guint64 ext_hdr; + + ext_hdr = id & ERF_EHDR_HOST_ID_MASK; + ext_hdr |= ((guint64)srcid_flags) << 48; + ext_hdr |= ((guint64)exthdr_type) << 56; + + return ext_hdr; +} +#define erf_host_id_ext_hdr(host_id, source_id) erf_metaid_ext_hdr(ERF_EXT_HDR_TYPE_HOST_ID, host_id, source_id) +#define erf_anchor_id_ext_hdr(anchor_id, flags) erf_metaid_ext_hdr(ERF_EXT_HDR_TYPE_ANCHOR_ID, anchor_id, flags) + +static inline gboolean erf_add_ext_hdr_to_list(guint64 ext_hdr, guint64 comparison_mask, GArray *extra_ehdrs) { + /* check for existing Host ID in set and add */ + guint i = 0; + struct erf_ehdr ehdr_tmp; + struct erf_ehdr *ehdr_ptr = NULL; + + if (!extra_ehdrs) + return FALSE; + + ext_hdr = ext_hdr & ~ERF_EHDR_MORE_EXTHDR_MASK; + if (comparison_mask == 0) + comparison_mask = G_MAXUINT64; + + comparison_mask &= ~ERF_EHDR_MORE_EXTHDR_MASK; + + for (i = 0; i < extra_ehdrs->len; i++) { + ehdr_ptr = &g_array_index(extra_ehdrs, struct erf_ehdr, i); + /* Check if we already have this Host ID extension header */ + if (ext_hdr == (ehdr_ptr->ehdr & comparison_mask)) { + return TRUE; + } + } + + /* set more flag on last extension header */ + if (ehdr_ptr) { + ehdr_ptr->ehdr |= ERF_EHDR_MORE_EXTHDR_MASK; + } + + ehdr_tmp.ehdr = ext_hdr; /*more flag already cleared above*/ + g_array_append_val(extra_ehdrs, ehdr_tmp); + + return TRUE; +} + +static inline gboolean erf_append_ext_hdr_to_list(guint64 ext_hdr, GArray *extra_ehdrs) { + struct erf_ehdr ehdr_tmp; + + if (!extra_ehdrs) + return FALSE; + + ehdr_tmp.ehdr = ext_hdr & ~ERF_EHDR_MORE_EXTHDR_MASK; + + /* set more flag on last extension header */ + if (extra_ehdrs->len) { + g_array_index(extra_ehdrs, struct erf_ehdr, extra_ehdrs->len - 1).ehdr |= ERF_EHDR_MORE_EXTHDR_MASK; + } + + g_array_append_val(extra_ehdrs, ehdr_tmp); + + return TRUE; +} + +static gboolean erf_update_host_id_ext_hdrs_list(erf_dump_t *dump_priv, const union wtap_pseudo_header *pseudo_header, GArray *extra_ehdrs) { + guint8 type; + guint8 erf_type; + int has_more; + guint64 hdr; + int i = 0; + guint8 source_id = 0; + guint64 host_id = 0; + gboolean host_id_found = FALSE; + + if (!extra_ehdrs) + return FALSE; + + erf_type = pseudo_header->erf.phdr.type & 0x7f; + has_more = pseudo_header->erf.phdr.type & 0x80; + + while (has_more && i < MAX_ERF_EHDR) { + hdr = pseudo_header->erf.ehdr_list[i].ehdr; + type = (guint8) (hdr >> 56); + + switch (type & 0x7f) { + case ERF_EXT_HDR_TYPE_HOST_ID: + host_id = hdr & ERF_EHDR_HOST_ID_MASK; + source_id = (hdr >> 48) & 0xff; + + /* Don't add the wireshark Host ID Source ID 0 twice since we already add it to metadata records */ + if (host_id != dump_priv->host_id || source_id != 0) + if (!erf_add_ext_hdr_to_list(hdr, 0, extra_ehdrs)) return FALSE; + + if (!host_id_found) { + /* XXX: Take the opportunity to update the implicit Host ID if we + * don't know it yet. Ideally we should pass this through from the + * reader as a custom option or similar. */ + if (erf_type == ERF_TYPE_META && ((hdr >> 48) & 0xff) > 0) { + if (dump_priv->implicit_host_id == ERF_META_HOST_ID_IMPLICIT) { + dump_priv->implicit_host_id = host_id; + } + } + } + + host_id_found = TRUE; + break; + case ERF_EXT_HDR_TYPE_FLOW_ID: + if (source_id == 0) /* If no Host ID extension header use the first Source ID only */ + source_id = (hdr >> 48) & 0xff; + break; + } + + has_more = type & 0x80; + i++; + } + + /* Add Source ID with implicit Host ID if not found */ + if (!host_id_found) { + guint64 implicit_host_id = dump_priv->implicit_host_id == ERF_META_HOST_ID_IMPLICIT ? 0 : dump_priv->implicit_host_id; + /* Don't add the wireshark Host ID Source ID 0 twice since we already add it to metadata records */ + if (implicit_host_id != dump_priv->host_id || source_id != 0) + if (!erf_add_ext_hdr_to_list(erf_host_id_ext_hdr(implicit_host_id, source_id), 0, extra_ehdrs)) return FALSE; + } + + return TRUE; +} + +/** + * Writes a metadata record with a randomly generated Anchor ID with the + * user comment attached to its comment section, also updates the + * modified frame header to include a Host ID extension header and + * a Anchor ID extension header to link the records together. + * @param wdh the wtap_dumper structure + * @param dump_priv private data for the dump stream + * @param rec record metadata from which to get user comment + * @param mutable_hdr pseudo_header to update with Anchor ID for comment record + * @param err the error value + * @return A gboolean value to indicate whether the dump was successful + */ +static gboolean erf_write_anchor_meta_update_phdr(wtap_dumper *wdh, erf_dump_t *dump_priv, const wtap_rec *rec, union wtap_pseudo_header *mutable_hdr, int *err) { + GArray *meta_ehdrs; + GPtrArray* sections = NULL; + guint8 has_more; + guint8 i = 0; + guint8 ext_hdr_count = 0; + guint8 j = 0; + guint64 host_id_src_hdr = ERF_META_HOST_ID_IMPLICIT; + guint64 host_id_own_hdr = erf_host_id_ext_hdr(dump_priv->host_id, 0); + guint64 flow_id_hdr = 0; + guint64 anchor_id_hdr = 0; + gboolean found_host_id = FALSE; + gboolean found_own_host_id = FALSE; + gboolean found_flow_id = FALSE; + gint new_ext_hdrs = 0; + guint8 insert_idx = 0; + guint8 source_id = 0; + gboolean ret = FALSE; + guint64 implicit_host_id = dump_priv->implicit_host_id == ERF_META_HOST_ID_IMPLICIT ? 0 : dump_priv->implicit_host_id; + gchar *pkt_comment; + + + /* + * There are 3 possible scenarios: + * a. The record has a source Host ID but not our Host ID. We need to add our + * Host ID extension header then our Anchor ID extension header. + * b. The record already has our Host ID extension header on it. We should + * insert the Anchor ID at the end of the list for that Host ID just + * before the next Host ID extension header. + * c. The record has no Host ID extension header at all. We need to add the Host ID + * extension header making the Implicit Host ID explicit before we add our + * one to avoid claiming the packet was captured by us. + */ + + /* + * Extract information from the packet extension header stack + * 1. original source Host ID extension header. + * 2. Anchor ID extension header insertion point (see b., above). + * 3. Flow ID extension header so we can add it for reference to the metadata + * record. + * 4. Enough information to generate an explicit Host ID extension header if + * there wasn't one (see erf_get_source_from_header). + */ + + has_more = mutable_hdr->erf.phdr.type & 0x80; + + while (has_more && (i < MAX_ERF_EHDR)) { + guint64 hdr = mutable_hdr->erf.ehdr_list[i].ehdr; + guint8 type = (guint8) (hdr >> 56); + + switch (type & 0x7f) { + case ERF_EXT_HDR_TYPE_HOST_ID: + /* Set insertion point of anchor ID to be at end of Host ID list (i.e. + * just before the next one). */ + if (found_own_host_id && !insert_idx) + insert_idx = i; + + if ((hdr & ERF_EHDR_HOST_ID_MASK) == dump_priv->host_id){ + found_own_host_id = TRUE; + } + + if (!found_host_id) + host_id_src_hdr = hdr; + + found_host_id = TRUE; + break; + + case ERF_EXT_HDR_TYPE_FLOW_ID: + /*XXX: we only use this when making the implicit host id explicit, + * otherwise we'd need to check the one in Host ID header too*/ + if (source_id == 0) + source_id = (guint8)(hdr >> 48); + + if (!found_flow_id) + flow_id_hdr = hdr; + + found_flow_id = TRUE; + break; + } + + has_more = type & 0x80; + i += 1; + } + + ext_hdr_count = i; + + if (!insert_idx) + insert_idx = i; + + /* Don't need to add our own Host ID twice if it is the same as the implicit*/ + if (!found_host_id && implicit_host_id == dump_priv->host_id) { + found_own_host_id = TRUE; + } + + /* + * Update the packet record pseudo_header with Anchor ID and extension header(s) + */ + new_ext_hdrs = 1 /*anchor id*/ + (found_own_host_id?0:1) + (found_host_id?0:1); + + if(ext_hdr_count + new_ext_hdrs > MAX_ERF_EHDR + || mutable_hdr->erf.phdr.rlen + new_ext_hdrs * 8 > 65535) { + /* Not enough extension header slots to add Anchor ID */ + *err = WTAP_ERR_PACKET_TOO_LARGE; + return FALSE; + } + + mutable_hdr->erf.phdr.rlen += new_ext_hdrs * 8; + + /* Set the more extension headers flag */ + mutable_hdr->erf.phdr.type |= 0x80; + if (insert_idx > 0) { + mutable_hdr->erf.ehdr_list[insert_idx-1].ehdr |= ERF_EHDR_MORE_EXTHDR_MASK; + } + + /* Generate the Anchor ID extension header */ + anchor_id_hdr = erf_anchor_id_ext_hdr(erf_get_random_anchor_id(dump_priv), 0); + + /* Either we can insert Anchor ID at the end of the list for our Host ID or we + * need to append the Host ID(s) and Anchor ID */ + if (insert_idx < ext_hdr_count) { + /* shuffle up any following extension headers FIRST - we know we have room now */ + for (j = ext_hdr_count; j > insert_idx; j--) { + mutable_hdr->erf.ehdr_list[j].ehdr = mutable_hdr->erf.ehdr_list[j-1].ehdr; + } + + /* copy more extension headers bit from previous extension header */ + anchor_id_hdr |= ERF_EHDR_MORE_EXTHDR_MASK; + } + + if(!found_host_id) { + /* No Host ID extension header found and we have an implicit Host ID which + * we want to make explicit */ + + /* XXX: it is important that we know the implicit Host ID here or we end + * up semi-permentantly associating the packet with Host 0 (unknown), we should + * pass it through from the reader. In theory we should be on the + * original capture machine if we have no Host ID extension headers. */ + host_id_src_hdr = erf_host_id_ext_hdr(implicit_host_id, source_id); + mutable_hdr->erf.ehdr_list[insert_idx++].ehdr = ERF_EHDR_SET_MORE_EXTHDR(host_id_src_hdr); + } + + if(!found_own_host_id) { + /* Add our Host ID extension header */ + mutable_hdr->erf.ehdr_list[insert_idx++].ehdr = ERF_EHDR_SET_MORE_EXTHDR(host_id_own_hdr); + } + + /*Add the Anchor ID extension header */ + mutable_hdr->erf.ehdr_list[insert_idx].ehdr = anchor_id_hdr; + + + /* + * Now construct the metadata Anchor record with the same Anchor ID + */ + + meta_ehdrs = g_array_new(FALSE, FALSE, sizeof(struct erf_ehdr)); + + /* We need up to 4 extension headers on the Provenance metadata record */ + /*Required*/ + /* 1. Added by erf_write_meta_record: HostID exthdr to indicate this Anchor + * record was generated by this host. Source ID 0 to avoid changing the + * implicit Host ID. */ + + /* 2. AnchorID exthdr with 'unique' per-host Anchor ID assigned by this host + * (in this case Wireshark). Anchor definition flag set to 1 to indicate this + * record contains a definition of the ID, in this case a comment on a single + * packet. Tied to above extension header by ordering like a list */ + erf_append_ext_hdr_to_list(anchor_id_hdr | ERF_EHDR_ANCHOR_ID_DEFINITION_MASK, meta_ehdrs); + + /*Helpful for indexing*/ + /* 3. HostID exthdr with the original Source (first Host ID extension header) of the packet record */ + erf_append_ext_hdr_to_list(host_id_src_hdr, meta_ehdrs); + + /* Flow ID extension header from the packet record if we have one */ + if (found_flow_id) { + /* 4. FlowID exthdr with Flow ID from the packet so a flow search will find the comment + * record too. Must come here so the (redundant here) Source ID is scoped to the + * correct Host ID. */ + /* Clear the stack type just in case something tries to assume we're an IP + * packet without looking at the ERF type. Clear Source ID too just in case + * we're trying to associate with the wrong Host ID. */ + erf_append_ext_hdr_to_list(flow_id_hdr & ~(ERF_EHDR_FLOW_ID_STACK_TYPE_MASK|ERF_EHDR_FLOW_ID_SOURCE_ID_MASK), meta_ehdrs); + } + + /* Generate the metadata payload with the packet comment */ + /* XXX - can ERF have more than one comment? */ + sections = g_ptr_array_new_with_free_func(erf_meta_section_free); + if (WTAP_OPTTYPE_SUCCESS != wtap_block_get_nth_string_option_value(rec->block, OPT_COMMENT, 0, &pkt_comment)) { + pkt_comment = NULL; + } + erf_comment_to_sections(wdh, ERF_META_SECTION_INFO, 0x8000 /*local to record*/, pkt_comment, sections); + + /* Write the metadata record, but not the packet record as what we do depends + * on the WTAP_ENCAP */ + ret = erf_write_meta_record(wdh, dump_priv, mutable_hdr->erf.phdr.ts, sections, meta_ehdrs, err); + g_ptr_array_free(sections, TRUE); + g_array_free(meta_ehdrs, TRUE); + + return ret; +} + +static gboolean erf_write_meta_record(wtap_dumper *wdh, erf_dump_t *dump_priv, guint64 timestamp, GPtrArray *sections, GArray *extra_ehdrs, int *err) { + union wtap_pseudo_header other_header; + struct erf_meta_tag gen_time_tag; + struct erf_meta_section *section_ptr; + guint total_wlen = 0; + guint total_rlen = 0; + gint64 alignbytes = 0; + guint i; + guint num_extra_ehdrs = 0; + + if(!sections || sections->len <= 0) + return FALSE; + + for(i = 0; i < sections->len; i++) { + section_ptr = (struct erf_meta_section*)g_ptr_array_index(sections, i); + total_wlen += section_ptr->section_length; + } + + gen_time_tag.type = ERF_META_TAG_gen_time; + gen_time_tag.length = 8U; + gen_time_tag.value = (guint8*)&dump_priv->gen_time; + total_wlen += gen_time_tag.length + 4; + + total_rlen = total_wlen + 24; /* 24 is the header + extension header length */ + if (extra_ehdrs) { + /* + * These will be appended to the first extension header in + * other_header.erf.ehdr_list. There are a total of MAX_ERF_EHDR + * extension headers in that array, so we can append no more than + * MAX_ERF_EHDR - 1 extension headeers. + */ + num_extra_ehdrs = MIN(extra_ehdrs->len, MAX_ERF_EHDR - 1); + total_rlen += num_extra_ehdrs * 8; + } + /*padding to 8 byte alignment*/ + total_rlen += ERF_PADDING_TO_8(total_rlen); + + if(total_rlen > 65535) { + *err = WTAP_ERR_PACKET_TOO_LARGE; + return FALSE; + } + + other_header.erf.phdr.ts = timestamp; + other_header.erf.phdr.type = ERF_TYPE_META | 0x80; + other_header.erf.phdr.flags = 0x04; /* Varying record length */ + other_header.erf.phdr.lctr = 0; + other_header.erf.phdr.wlen = (guint16)total_wlen; + other_header.erf.phdr.rlen = (guint16)total_rlen; + /*Add our Host ID in Host ID extension header indicating we generated this + * record. Source ID 0 to avoid affecting implicit Host ID. */ + other_header.erf.ehdr_list[0].ehdr = erf_host_id_ext_hdr(dump_priv->host_id, 0); + /*Additional extension headers*/ + /*XXX: If we end up cutting the list short, erf_write_phdr will correct the + * unterminated extension header list*/ + if (num_extra_ehdrs > 0) { + other_header.erf.ehdr_list[0].ehdr |= ERF_EHDR_MORE_EXTHDR_MASK; + memcpy(&other_header.erf.ehdr_list[1], extra_ehdrs->data, sizeof(struct erf_ehdr) * num_extra_ehdrs); + } + + /* Make sure we always write out rlen, regardless of what happens */ + alignbytes = wdh->bytes_dumped + other_header.erf.phdr.rlen; + + if(!erf_write_phdr(wdh, WTAP_ENCAP_ERF, &other_header, err)) return FALSE; + + /* Generation time */ + erf_meta_write_tag(wdh, &gen_time_tag, err); + + /* Section(s) */ + for(i = 0; i < sections->len; i++) { + section_ptr = (struct erf_meta_section*)g_ptr_array_index(sections, i); + erf_meta_write_section(wdh, section_ptr, err); + } + + while(wdh->bytes_dumped < alignbytes){ + if(!wtap_dump_file_write(wdh, "", 1, err)) return FALSE; + } + + /* We wrote new packets, reloading is required */ + wdh->needs_reload = TRUE; + + return TRUE; + +} + +static erf_dump_t *erf_dump_priv_create(void) { + erf_dump_t *dump_priv; + + dump_priv = g_new(erf_dump_t, 1); + dump_priv->write_next_extra_meta = FALSE; + dump_priv->last_meta_periodic = FALSE; + dump_priv->gen_time = 0; + dump_priv->host_id = ERF_WS_DEFAULT_HOST_ID; + dump_priv->implicit_host_id = ERF_META_HOST_ID_IMPLICIT; + dump_priv->first_frame_time_sec = 0; + dump_priv->prev_inserted_time_sec = 0; + dump_priv->prev_frame_ts = 0; + dump_priv->prev_erf_type = 0; + dump_priv->user_comment_ptr = NULL; + dump_priv->periodic_sections = NULL; + dump_priv->periodic_extra_ehdrs = g_array_new(FALSE, FALSE, sizeof(struct erf_ehdr)); + dump_priv->rand = g_rand_new(); + + return dump_priv; +} + +static gboolean erf_dump( + wtap_dumper *wdh, + const wtap_rec *rec, + const guint8 *pd, + int *err, + gchar **err_info _U_) +{ + const union wtap_pseudo_header *pseudo_header = &rec->rec_header.packet_header.pseudo_header; + union wtap_pseudo_header other_phdr; + int erf_type; + gint64 alignbytes = 0; + guint padbytes = 0; + int round_down = 0; + gboolean must_add_crc = FALSE; + guint32 crc32 = 0x00000000; + erf_dump_t *dump_priv = (erf_dump_t*)wdh->priv; + /* Host ID extension header with Host ID 0 (unknown). For now use Source ID 1. */ + /* TODO: How to know if record was captured by this Wireshark? */ + guint64 non_erf_host_id_ehdr = erf_host_id_ext_hdr(0, 1); + + /* Don't write anything bigger than we're willing to read. */ + if(rec->rec_header.packet_header.caplen > WTAP_MAX_PACKET_SIZE_STANDARD) { + *err = WTAP_ERR_PACKET_TOO_LARGE; + return FALSE; + } + + if(!dump_priv->gen_time) { + erf_dump_priv_init_gen_time(dump_priv); + dump_priv->first_frame_time_sec = rec->ts.secs; + } + + /* + * ERF doesn't have a per-file encapsulation type, and it + * doesn't have a pcapng-style notion of interfaces that + * support a per-interface encapsulation type. Therefore, + * we can just use this particular packet's encapsulation + * without checking whether it's the encapsulation for the + * dump file (as there isn't an encapsulation for an ERF + * file, unless you count WTAP_ENCAP_ERF as the encapsulation + * for all files, but we add ERF metadata if a packet is + * written with an encapsulation other than WTAP_ENCAP_ERF). + * + * We will check whether the encapsulation is something we + * support later. + */ + if (rec->rec_header.packet_header.pkt_encap != WTAP_ENCAP_ERF) { + unsigned int total_rlen;; + unsigned int total_wlen; + + /* Non-ERF encapsulation; generate ERF metadata */ + + total_rlen = rec->rec_header.packet_header.caplen+16; + total_wlen = rec->rec_header.packet_header.len; + + /* We can only convert packet records. */ + if (rec->rec_type != REC_TYPE_PACKET) { + *err = WTAP_ERR_UNWRITABLE_REC_TYPE; + return FALSE; + } + + erf_type = wtap_wtap_encap_to_erf_encap(rec->rec_header.packet_header.pkt_encap); + if (erf_type == -1) { + *err = WTAP_ERR_UNWRITABLE_ENCAP; + return FALSE; + } + + /* Generate a fake header in other_phdr using data that we know*/ + memset(&other_phdr, 0, sizeof(union wtap_pseudo_header)); + /* Convert time erf timestamp format*/ + other_phdr.erf.phdr.ts = ((guint64) rec->ts.secs << 32) + (((guint64) rec->ts.nsecs <<32) / 1000 / 1000 / 1000); + other_phdr.erf.phdr.type = (guint8)erf_type; + /* Support up to 4 interfaces */ + /* TODO: use multiple Source IDs and metadata records to support >4 interfaces */ + other_phdr.erf.phdr.flags = rec->rec_header.packet_header.interface_id % ERF_MAX_INTERFACES; + other_phdr.erf.phdr.flags |= 0x4; /*vlen flag set because we're creating variable length records*/ + + other_phdr.erf.phdr.lctr = 0; + + /*now we work out rlen, accounting for all the different headers and missing fcs(eth)*/ + switch(other_phdr.erf.phdr.type & 0x7F){ + case ERF_TYPE_ETH: + total_rlen += 2; /*2 bytes for erf eth_type*/ + if (pseudo_header->eth.fcs_len != 4) { + /* Either this packet doesn't include the FCS + (pseudo_header->eth.fcs_len = 0), or we don't + know whether it has an FCS (= -1). We have to + synthesize an FCS.*/ + if(!(rec->rec_header.packet_header.caplen < rec->rec_header.packet_header.len)){ /*don't add FCS if packet has been snapped off*/ + crc32 = crc32_ccitt_seed(pd, rec->rec_header.packet_header.caplen, 0xFFFFFFFF); + total_rlen += 4; /*4 bytes for added checksum*/ + total_wlen += 4; + must_add_crc = TRUE; + } + } + break; + case ERF_TYPE_HDLC_POS: + /*we assume that it's missing a FCS checksum, make one up*/ + if(!(rec->rec_header.packet_header.caplen < rec->rec_header.packet_header.len)){ /*unless of course, the packet has been snapped off*/ + crc32 = crc32_ccitt_seed(pd, rec->rec_header.packet_header.caplen, 0xFFFFFFFF); + total_rlen += 4; /*4 bytes for added checksum*/ + total_wlen += 4; + must_add_crc = TRUE; /* XXX - these never have an FCS? */ + } + break; + default: + break; + } + + /* Add Host ID extension header with Host ID 0 (unknown). For now use Source ID 1. */ + other_phdr.erf.phdr.type |= 0x80; + other_phdr.erf.ehdr_list[0].ehdr = non_erf_host_id_ehdr; + total_rlen += 8; + + padbytes = ERF_PADDING_TO_8(total_rlen); /*calculate how much padding will be required */ + if(rec->rec_header.packet_header.caplen < rec->rec_header.packet_header.len){ /*if packet has been snapped, we need to round down what we output*/ + round_down = (8 - padbytes) % 8; + total_rlen -= round_down; + }else{ + total_rlen += padbytes; + } + + if (total_rlen > G_MAXUINT16 || total_wlen > G_MAXUINT16) { + *err = WTAP_ERR_PACKET_TOO_LARGE; + return FALSE; + } + + other_phdr.erf.phdr.rlen = (guint16)total_rlen; + other_phdr.erf.phdr.wlen = (guint16)total_wlen; + + pseudo_header = &other_phdr; + } else if (rec->presence_flags & WTAP_HAS_TS) { + // Update timestamp if changed. + time_t secs; + int nsecs; + guint64 ts = pseudo_header->erf.phdr.ts; + + secs = (long) (ts >> 32); + ts = ((ts & 0xffffffff) * 1000 * 1000 * 1000); + ts += (ts & 0x80000000) << 1; /* rounding */ + nsecs = ((int) (ts >> 32)); + if (nsecs >= 1000000000) { + nsecs -= 1000000000; + secs += 1; + } + + if (secs != rec->ts.secs || nsecs != rec->ts.nsecs) { + other_phdr = *pseudo_header; + other_phdr.erf.phdr.ts = ((guint64) rec->ts.secs << 32) + (((guint64) rec->ts.nsecs <<32) / 1000 / 1000 / 1000); + pseudo_header = &other_phdr; + } + } + + /* We now have a (real or fake) ERF record */ + erf_type = pseudo_header->erf.phdr.type & 0x7FU; + + /* Accumulate Host ID/Source ID to put in updated periodic metadata */ + /* TODO: pass these through from read interface list instead? */ + /* Note: this includes the one we made for the fake ERF header */ + erf_update_host_id_ext_hdrs_list(dump_priv, pseudo_header, dump_priv->periodic_extra_ehdrs); + + /* Insert new metadata record depending on whether the capture comment has + * changed. Write metadata each second at boundaries. If there is metadata + * write at the end of each of metadata records so we update the metadata. */ + if (erf_type == ERF_TYPE_META) { + /* Check whether the capture comment string has changed */ + /* Updates write_next_extra_meta */ + dump_priv->last_meta_periodic = erf_dump_priv_compare_capture_comment(wdh, dump_priv, pseudo_header, pd); + } else { /* don't want to insert a new metadata record while looking at another */ + if (dump_priv->prev_erf_type == ERF_TYPE_META && dump_priv->last_meta_periodic) { + /* Last frame was a periodic (non-comment) metadata record (and this frame is not), check if we + * need to insert one to update metadata. */ + + if(dump_priv->write_next_extra_meta) { + if (!dump_priv->periodic_sections) { + /* If we've seen metadata just insert the capture comment and not the + * rest of the metadata */ + dump_priv->periodic_sections = g_ptr_array_new_with_free_func(erf_meta_section_free); + erf_comment_to_sections(wdh, ERF_META_SECTION_CAPTURE, 0, dump_priv->user_comment_ptr, dump_priv->periodic_sections); + } + + if (!erf_write_meta_record(wdh, dump_priv, dump_priv->prev_frame_ts, dump_priv->periodic_sections, dump_priv->periodic_extra_ehdrs, err)) return FALSE; + dump_priv->prev_inserted_time_sec = rec->ts.secs; + /*TODO: clear accumulated existing extension headers here?*/ + } + + /* If we have seen a metadata record in the first ~1 second it + * means that we are dealing with an ERF file with metadata already in them. + * We don't want to write extra metadata if nothing has changed. We can't + * trust the Wireshark representation since we massage the fields on + * read. */ + /* restart searching for next meta record to update capture comment at */ + dump_priv->write_next_extra_meta = FALSE; + } else if (rec->ts.secs > dump_priv->first_frame_time_sec + 1 + && dump_priv->prev_inserted_time_sec != rec->ts.secs) { + /* For compatibility, don't insert metadata for older ERF files with no changed metadata */ + if (dump_priv->write_next_extra_meta) { + if (!dump_priv->periodic_sections) { + /* If we get here, metadata record was not found in the first ~1 sec + * but we have either a capture comment or a non-ERF file (see + * erf_dump_open) */ + /* Start inserting metadata records from wtap data at second boundaries */ + dump_priv->periodic_sections = g_ptr_array_new_with_free_func(erf_meta_section_free); + erf_wtap_info_to_sections(wdh, dump_priv->periodic_sections); + } + } + + /* At second boundaries insert either the updated comment (if we've seen some metadata records + * already) or the full metadata */ + if (dump_priv->periodic_sections) { + if (!erf_write_meta_record(wdh, dump_priv, (guint64)(rec->ts.secs) << 32, dump_priv->periodic_sections, dump_priv->periodic_extra_ehdrs, err)) return FALSE; + dump_priv->prev_inserted_time_sec = rec->ts.secs; + } + } + } + + /* If the packet user comment has changed, we need to + * construct a new header with additional Host ID and Anchor ID + * and insert a metadata record before that frame */ + /*XXX: The user may have changed the comment to cleared! */ + if(rec->block_was_modified) { + if (rec->rec_header.packet_header.pkt_encap == WTAP_ENCAP_ERF) { + /* XXX: What about ERF-in-pcapng with existing comment (that wasn't + * modified)? */ + if(rec->block_was_modified) { + memmove(&other_phdr, pseudo_header, sizeof(union wtap_pseudo_header)); + if(!erf_write_anchor_meta_update_phdr(wdh, dump_priv, rec, &other_phdr, err)) return FALSE; + pseudo_header = &other_phdr; + } + } else { + /* Always write the comment if non-ERF */ + if(!erf_write_anchor_meta_update_phdr(wdh, dump_priv, rec, &other_phdr, err)) return FALSE; + } + } + + /* Make sure we always write out rlen, regardless of what happens */ + alignbytes = wdh->bytes_dumped + pseudo_header->erf.phdr.rlen; + + if(!erf_write_phdr(wdh, WTAP_ENCAP_ERF, pseudo_header, err)) return FALSE; + + if(!wtap_dump_file_write(wdh, pd, rec->rec_header.packet_header.caplen - round_down, err)) return FALSE; + + /*add the 4 byte CRC if necessary*/ + if(must_add_crc){ + if(!wtap_dump_file_write(wdh, &crc32, 4, err)) return FALSE; + } + + /*XXX: In the case of ENCAP_ERF, this pads the record to its original length, which is fine in most + * cases. However with >MAX_ERF_EHDR unnecessary padding will be added, and + * if the record was truncated this will be incorrectly treated as payload. + * More than 8 extension headers is unusual though, only the first 8 are + * written out anyway and fixing properly would require major refactor.*/ + /*records should be 8byte aligned, so we add padding to our calculated rlen */ + while(wdh->bytes_dumped < alignbytes){ + if(!wtap_dump_file_write(wdh, "", 1, err)) return FALSE; + } + + dump_priv->prev_erf_type = pseudo_header->erf.phdr.type & 0x7FU; + dump_priv->prev_frame_ts = pseudo_header->erf.phdr.ts; + + return TRUE; +} + +static int erf_dump_can_write_encap(int encap) +{ + + if(encap == WTAP_ENCAP_PER_PACKET) + return 0; + + if (wtap_wtap_encap_to_erf_encap(encap) == -1) + return WTAP_ERR_UNWRITABLE_ENCAP; + + return 0; +} + +static int erf_dump_open(wtap_dumper *wdh, int *err _U_, gchar **err_info _U_) +{ + erf_dump_t *dump_priv; + gchar *s; + guint64 host_id; + char *first_shb_comment = NULL; + + dump_priv = erf_dump_priv_create(); + + wdh->subtype_write = erf_dump; + wdh->priv = dump_priv; + wdh->subtype_finish = erf_dump_finish; + + /* Get the first capture comment string */ + get_user_comment_string(wdh, &first_shb_comment); + /* Save a copy of it */ + dump_priv->user_comment_ptr = g_strdup(first_shb_comment); + /* XXX: If we have a capture comment or a non-ERF file assume we need to + * write metadata unless we see existing metadata in the first second. */ + if (dump_priv->user_comment_ptr || wdh->file_encap != WTAP_ENCAP_ERF) + dump_priv->write_next_extra_meta = TRUE; + + /* Read Host ID from environment variable */ + /* TODO: generate one from MAC address? */ + if ((s = getenv("ERF_HOST_ID")) != NULL) { + /* TODO: support both decimal and hex strings (base 0)? */ + if (ws_hexstrtou64(s, NULL, &host_id)) { + dump_priv->host_id = host_id & ERF_EHDR_HOST_ID_MASK; + } + } + + return TRUE; +} + +static int erf_get_source_from_header(union wtap_pseudo_header *pseudo_header, guint64 *host_id, guint8 *source_id) +{ + guint8 type; + guint8 has_more; + guint64 hdr; + int i = 0; + gboolean host_id_found = FALSE; + + if (!pseudo_header || !host_id || !source_id) + return -1; + + *host_id = ERF_META_HOST_ID_IMPLICIT; + *source_id = 0; + + has_more = pseudo_header->erf.phdr.type & 0x80; + + while (has_more && (i < MAX_ERF_EHDR)) { + hdr = pseudo_header->erf.ehdr_list[i].ehdr; + type = (guint8) (hdr >> 56); + + /* + * XXX: Only want first Source ID and Host ID, and want to preserve HID n SID 0 (see + * erf_populate_interface) + */ + switch (type & 0x7f) { + case ERF_EXT_HDR_TYPE_HOST_ID: + if (!host_id_found) + *host_id = hdr & ERF_EHDR_HOST_ID_MASK; + + host_id_found = TRUE; + /* Fall through */ + case ERF_EXT_HDR_TYPE_FLOW_ID: + if (*source_id == 0) + *source_id = (hdr >> 48) & 0xff; + break; + } + + if (host_id_found) + break; + + has_more = type & 0x80; + i += 1; + } + + return 0; +} + +int erf_populate_interface_from_header(erf_t *erf_priv, wtap *wth, union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info) +{ + guint64 host_id; + guint8 source_id; + guint8 if_num; + + if (!pseudo_header) + return -1; + + if_num = pseudo_header->erf.phdr.flags & 0x03; + + erf_get_source_from_header(pseudo_header, &host_id, &source_id); + + return erf_populate_interface(erf_priv, wth, pseudo_header, host_id, source_id, if_num, err, err_info); +} + +static struct erf_if_mapping* erf_find_interface_mapping(erf_t *erf_priv, guint64 host_id, guint8 source_id) +{ + struct erf_if_mapping if_map_lookup; + + /* XXX: erf_priv should never be NULL here */ + if (!erf_priv) + return NULL; + + if_map_lookup.host_id = host_id; + if_map_lookup.source_id = source_id; + + return (struct erf_if_mapping*) g_hash_table_lookup(erf_priv->if_map, &if_map_lookup); +} + +static void erf_set_interface_descr(wtap_block_t block, guint option_id, guint64 host_id, guint8 source_id, guint8 if_num, const gchar *descr) +{ + /* Source XXX,*/ + char sourceid_buf[16]; + /* Host XXXXXXXXXXXX,*/ + char hostid_buf[24]; + + sourceid_buf[0] = '\0'; + hostid_buf[0] = '\0'; + + /* Implicit Host ID defaults to 0 */ + if (host_id == ERF_META_HOST_ID_IMPLICIT) { + host_id = 0; + } + + if (host_id > 0) { + snprintf(hostid_buf, sizeof(hostid_buf), " Host %012" PRIx64 ",", host_id); + } + + if (source_id > 0) { + snprintf(sourceid_buf, sizeof(sourceid_buf), " Source %u,", source_id); + } + + if (descr) { + wtap_block_set_string_option_value_format(block, option_id, "%s (ERF%s%s Interface %d)", descr, hostid_buf, sourceid_buf, if_num); + } else { + wtap_block_set_string_option_value_format(block, option_id, "Port %c (ERF%s%s Interface %d)", 'A'+if_num, hostid_buf, sourceid_buf, if_num); + } +} + +static int erf_update_anchors_from_header(erf_t *erf_priv, wtap_rec *rec, union wtap_pseudo_header *pseudo_header, guint64 host_id, GPtrArray *anchor_mappings_to_update) +{ + guint8 type; + guint8 has_more; + guint64 hdr; + guint64 comment_gen_time = 0; + guint64 host_id_current; + guint64 anchor_id_current = 0; + int i = 0; + gchar *comment = NULL; + + if (!rec || !pseudo_header) + return -1; + + /* Start with the first Host ID that was found on the record + * as the Anchor ID isn't required to be the first extension header' */ + host_id_current = host_id == ERF_META_HOST_ID_IMPLICIT ? erf_priv->implicit_host_id : host_id; + + has_more = pseudo_header->erf.phdr.type & 0x80; + + while (has_more && (i < MAX_ERF_EHDR)) { + hdr = pseudo_header->erf.ehdr_list[i].ehdr; + type = (guint8) (hdr >> 56); + + switch (type & 0x7f) { + case ERF_EXT_HDR_TYPE_HOST_ID: + host_id_current = hdr & ERF_EHDR_HOST_ID_MASK; + break; + + case ERF_EXT_HDR_TYPE_ANCHOR_ID: + { + anchor_id_current = hdr & ERF_EHDR_ANCHOR_ID_MASK; + if (!(ERF_ANCHOR_ID_IS_DEFINITION(hdr))) { + /* + * Anchor definition flag is 0, attempt to associate a comment with this record + * XXX: currently the comment count may be wrong on the first pass! + */ + /* We may not have found the implicit Host ID yet, if so we are unlikely to find anything */ + struct erf_anchor_mapping* lookup_result; + lookup_result = erf_find_anchor_mapping(erf_priv, host_id_current, anchor_id_current); + if (lookup_result) { + if (lookup_result->gen_time > comment_gen_time) { + /* XXX: we might have a comment that clears the comment (i.e. + * empty string)! */ + if (lookup_result->comment && lookup_result->comment[0] != '\0') { + comment = lookup_result->comment; + } + comment_gen_time = lookup_result->gen_time; + } + } + } + else { + if (anchor_mappings_to_update && (pseudo_header->erf.phdr.type & 0x7f) == ERF_TYPE_META) { + /* + * Anchor definition flag is 1, put the mapping in an array + * which we will later update when we walk through + * the metadata tags + */ + /* Only Provenance record can contain the information we need */ + struct erf_anchor_mapping *mapping_ptr = + g_new0(struct erf_anchor_mapping, 1); + /* May be ERF_META_HOST_ID_IMPLICIT */ + mapping_ptr->host_id = host_id_current; + mapping_ptr->anchor_id = anchor_id_current; + g_ptr_array_add(anchor_mappings_to_update, mapping_ptr); + } + } + break; + } + } + + has_more = type & 0x80; + i += 1; + } + + if (comment) { + wtap_block_add_string_option(rec->block, OPT_COMMENT, comment, strlen(comment)); + } + + return 0; +} + +/** + * @brief Update the implicit Host ID and Anchor Mapping information + */ +static int erf_update_implicit_host_id(erf_t *erf_priv, wtap *wth, guint64 implicit_host_id) +{ + GHashTableIter iter; + gpointer iter_value; + GList* implicit_list = NULL; + GList* item = NULL; + wtap_block_t int_data; + struct erf_if_mapping* if_map = NULL; + struct erf_if_mapping* if_map_other = NULL; + struct erf_if_info* if_info = NULL; + struct erf_anchor_mapping* anchor_mapping = NULL; + struct erf_anchor_mapping* anchor_mapping_other = NULL; + gchar *oldstr = NULL; + char portstr_buf[16]; + int i; + + if (!erf_priv) + return -1; + + erf_priv->implicit_host_id = implicit_host_id; + + /* + * We need to update the descriptions of all the interfaces with no Host + * ID to the correct Host ID. + */ + g_hash_table_iter_init(&iter, erf_priv->if_map); + + /* Remove the implicit mappings from the mapping table */ + while (g_hash_table_iter_next(&iter, &iter_value, NULL)) { + if_map = (struct erf_if_mapping*) iter_value; + + if (if_map->host_id == ERF_META_HOST_ID_IMPLICIT) { + /* Check we don't have an existing interface that matches */ + if_map_other = erf_find_interface_mapping(erf_priv, implicit_host_id, if_map->source_id); + + if (!if_map_other) { + /* Pull mapping for update */ + /* XXX: Can't add while iterating hash table so use list instead */ + g_hash_table_iter_steal(&iter); + implicit_list = g_list_prepend(implicit_list, if_map); + } else { + /* + * XXX: We have duplicate interfaces in this case, but not much else we + * can do since we have already dissected the earlier packets. Expected + * to be unusual as it reqires a mix of explicit and implicit Host ID + * (e.g. FlowID extension header only) packets with the same effective + * Host ID before the first ERF_TYPE_META record. + */ + + /* + * Update the description of the ERF_META_HOST_ID_IMPLICIT interface(s) + * for the first records in one pass mode. In 2 pass mode (Wireshark + * initial open, TShark in 2 pass mode) we will update the interface + * mapping for the frames on the second pass. Relatively consistent + * with the dissector behaviour. + * + * TODO: Can we delete this interface on the second (or even first) + * pass? Should we try to merge in other metadata? + * Needs a wtap_block_copy() that supports overwriting and/or expose + * custom option copy and do with wtap_block_foreach_option(). + */ + for (i = 0; i < 4; i++) { + if_info = &if_map->interfaces[i]; + + if (if_info->if_index >= 0) { + /* XXX: this is a pointer! */ + int_data = g_array_index(wth->interface_data, wtap_block_t, if_info->if_index); + + snprintf(portstr_buf, sizeof(portstr_buf), "Port %c", 'A'+i); + + oldstr = if_info->name; + if_info->name = g_strconcat(oldstr ? oldstr : portstr_buf, " [unmatched implicit]", NULL); + g_free(oldstr); /* probably null, but g_free doesn't care */ + + oldstr = if_info->descr; + if_info->descr = g_strconcat(oldstr ? oldstr : portstr_buf, " [unmatched implicit]", NULL); + g_free(oldstr); + + erf_set_interface_descr(int_data, OPT_IDB_NAME, implicit_host_id, if_map->source_id, (guint8) i, if_info->name); + erf_set_interface_descr(int_data, OPT_IDB_DESCRIPTION, implicit_host_id, if_map->source_id, (guint8) i, if_info->descr); + } + } + } + } + } + + /* Re-add the non-clashing items under the real implicit Host ID */ + if (implicit_list) { + item = implicit_list; + do { + if_map = (struct erf_if_mapping*) item->data; + + for (i = 0; i < 4; i++) { + if_info = &if_map->interfaces[i]; + + if (if_info->if_index >= 0) { + /* XXX: this is a pointer! */ + int_data = g_array_index(wth->interface_data, wtap_block_t, if_info->if_index); + erf_set_interface_descr(int_data, OPT_IDB_NAME, implicit_host_id, if_map->source_id, (guint8) i, if_info->name); + erf_set_interface_descr(int_data, OPT_IDB_DESCRIPTION, implicit_host_id, if_map->source_id, (guint8) i, if_info->descr); + } + } + + if_map->host_id = implicit_host_id; + /* g_hash_table_add() only exists since 2.32. */ + g_hash_table_replace(erf_priv->if_map, if_map, if_map); + } while ((item = g_list_next(item))); + + g_list_free(implicit_list); + implicit_list = NULL; + } + + /* + * We also need to update the anchor comment mappings + * to the correct Host ID. + */ + g_hash_table_iter_init(&iter, erf_priv->anchor_map); + + /* Remove the implicit mappings from the mapping table */ + while (g_hash_table_iter_next(&iter, &iter_value, NULL)) { + anchor_mapping = (struct erf_anchor_mapping*) iter_value; + + if (anchor_mapping->host_id == ERF_META_HOST_ID_IMPLICIT) { + /* Check we don't have an existing anchor that matches */ + anchor_mapping_other = erf_find_anchor_mapping(erf_priv, implicit_host_id, + anchor_mapping->anchor_id); + + if (anchor_mapping_other && anchor_mapping_other->gen_time >= anchor_mapping->gen_time) { + /* + * XXX: Duplicate entry of anchor mapping, keep the one with newer + * gen_time. + */ + g_hash_table_iter_remove(&iter); + } else { + /* Pull mapping for update */ + /* XXX: Can't add while iterating hash table so use list instead */ + g_hash_table_iter_steal(&iter); + implicit_list = g_list_prepend(implicit_list, anchor_mapping); + /* existing entry (if any) will be removed by g_hash_table_replace */ + } + } + } + + /* Re-add the non-clashing items under the real implicit Host ID */ + if (implicit_list) { + item = implicit_list; + do { + anchor_mapping = (struct erf_anchor_mapping*) item->data; + anchor_mapping->host_id = implicit_host_id; + g_hash_table_replace(erf_priv->anchor_map, anchor_mapping, anchor_mapping); + } while ((item = g_list_next(item))); + + g_list_free(implicit_list); + implicit_list = NULL; + } + + return 0; +} + +static int erf_populate_interface(erf_t *erf_priv, wtap *wth, union wtap_pseudo_header *pseudo_header, guint64 host_id, guint8 source_id, guint8 if_num, int *err, gchar **err_info) +{ + wtap_block_t int_data; + wtapng_if_descr_mandatory_t* int_data_mand; + struct erf_if_mapping* if_map = NULL; + + if (!wth) { + *err = WTAP_ERR_INTERNAL; + *err_info = ws_strdup_printf("erf: erf_populate_interface called with wth NULL"); + return -1; + } + if (!pseudo_header) { + *err = WTAP_ERR_INTERNAL; + *err_info = ws_strdup_printf("erf: erf_populate_interface called with pseudo_header NULL"); + return -1; + } + if (!erf_priv) { + *err = WTAP_ERR_INTERNAL; + *err_info = ws_strdup_printf("erf: erf_populate_interface called with erf_priv NULL"); + return -1; + } + if (if_num > 3) { + *err = WTAP_ERR_INTERNAL; + *err_info = ws_strdup_printf("erf: erf_populate_interface called with if_num %u > 3", + if_num); + return -1; + } + + if (host_id == ERF_META_HOST_ID_IMPLICIT) { + /* Defaults to ERF_META_HOST_ID_IMPLICIT so we can update mapping later */ + host_id = erf_priv->implicit_host_id; + } else if ((pseudo_header->erf.phdr.type & 0x7f) == ERF_TYPE_META) { + /* + * XXX: We assume there is only one Implicit Host ID. As a special case a first + * Host ID extension header with Source ID 0 on a record does not change + * the implicit Host ID. We respect this even though we support only one + * Implicit Host ID. + */ + if (erf_priv->implicit_host_id == ERF_META_HOST_ID_IMPLICIT && source_id > 0) { + erf_update_implicit_host_id(erf_priv, wth, host_id); + } + } + + if_map = erf_find_interface_mapping(erf_priv, host_id, source_id); + + if (!if_map) { + if_map = erf_if_mapping_create(host_id, source_id); + /* g_hash_table_add() only exists since 2.32. */ + g_hash_table_replace(erf_priv->if_map, if_map, if_map); + + } + + /* Return the existing interface if we have it */ + if (if_map->interfaces[if_num].if_index >= 0) { + return if_map->interfaces[if_num].if_index; + } + + int_data = wtap_block_create(WTAP_BLOCK_IF_ID_AND_INFO); + int_data_mand = (wtapng_if_descr_mandatory_t*)wtap_block_get_mandatory_data(int_data); + + int_data_mand->wtap_encap = WTAP_ENCAP_ERF; + /* int_data.time_units_per_second = (1LL<<32); ERF format resolution is 2^-32, capture resolution is unknown */ + int_data_mand->time_units_per_second = 1000000000; /* XXX Since Wireshark only supports down to nanosecond resolution we have to dilute to this */ + int_data_mand->tsprecision = WTAP_TSPREC_NSEC; + int_data_mand->snap_len = 65535; /* ERF max length */ + + /* XXX: if_IPv4addr opt 4 Interface network address and netmask.*/ + /* XXX: if_IPv6addr opt 5 Interface network address and prefix length (stored in the last byte).*/ + /* XXX: if_MACaddr opt 6 Interface Hardware MAC address (48 bits).*/ + /* XXX: if_EUIaddr opt 7 Interface Hardware EUI address (64 bits)*/ + /* XXX: if_speed opt 8 Interface speed (in bits per second)*/ + /* int_data.if_tsresol = 0xa0; ERF format resolution is 2^-32 = 0xa0, capture resolution is unknown */ + wtap_block_add_uint8_option(int_data, OPT_IDB_TSRESOL, 0x09); /* XXX Since Wireshark only supports down to nanosecond resolution we have to dilute to this */ + /* XXX: if_tzone 10 Time zone for GMT support (TODO: specify better). */ + /* XXX if_tsoffset; opt 14 A 64 bits integer value that specifies an offset (in seconds)...*/ + /* Interface statistics */ + int_data_mand->num_stat_entries = 0; + int_data_mand->interface_statistics = NULL; + + erf_set_interface_descr(int_data, OPT_IDB_NAME, host_id, source_id, if_num, NULL); + erf_set_interface_descr(int_data, OPT_IDB_DESCRIPTION, host_id, source_id, if_num, NULL); + + if_map->interfaces[if_num].if_index = (int) wth->interface_data->len; + wtap_add_idb(wth, int_data); + + return if_map->interfaces[if_num].if_index; +} + +static guint32 erf_meta_read_tag(struct erf_meta_tag* tag, guint8 *tag_ptr, guint32 remaining_len) +{ + guint16 tagtype; + guint16 taglength; + guint32 tagtotallength; + + if (!tag_ptr || !tag || remaining_len < ERF_META_TAG_HEADERLEN) + return 0; + + /* tagtype (2 bytes) */ + tagtype = pntoh16(&tag_ptr[0]); + + /* length (2 bytes) */ + taglength = pntoh16(&tag_ptr[2]); + + tagtotallength = ERF_META_TAG_TOTAL_ALIGNED_LENGTH(taglength); + + if (remaining_len < tagtotallength) { + return 0; + } + + tag->type = tagtype; + tag->length = taglength; + tag->value = &tag_ptr[4]; + + return tagtotallength; +} + +static int populate_capture_host_info(erf_t *erf_priv, wtap *wth, union wtap_pseudo_header *pseudo_header _U_, struct erf_meta_read_state *state, int *err, gchar **err_info) +{ + struct erf_meta_tag tag = {0, 0, NULL}; + + wtap_block_t shb_hdr; + char* tmp; + gchar* app_name = NULL; + gchar* app_version = NULL; + gchar* model = NULL; + gchar* descr = NULL; + gchar* cpu = NULL; + gchar* modelcpu = NULL; + guint32 tagtotallength; + + if (!wth) { + *err = WTAP_ERR_INTERNAL; + *err_info = ws_strdup_printf("erf: populate_capture_host_info called with wth NULL"); + return -1; + } + if (!state) { + *err = WTAP_ERR_INTERNAL; + *err_info = ws_strdup_printf("erf: populate_capture_host_info called with state NULL"); + return -1; + } + if (!wth->shb_hdrs) { + *err = WTAP_ERR_INTERNAL; + *err_info = ws_strdup_printf("erf: populate_capture_host_info called with wth->shb_hdrs NULL"); + return -1; + } + if (wth->shb_hdrs->len == 0) { + *err = WTAP_ERR_INTERNAL; + *err_info = ws_strdup_printf("erf: populate_capture_host_info called with wth->shb_hdrs->len 0"); + return -1; + } + + /* XXX: wth->shb_hdr is already created by different layer, using directly for now. */ + /* XXX: Only one section header is supported at this time */ + shb_hdr = g_array_index(wth->shb_hdrs, wtap_block_t, 0); + + while ((tagtotallength = erf_meta_read_tag(&tag, state->tag_ptr, state->remaining_len)) && !ERF_META_IS_SECTION(tag.type)) { + switch (state->sectiontype) { + case ERF_META_SECTION_CAPTURE: + { + if (erf_priv->capture_gentime > state->gen_time) { + return 0; + } + + switch (tag.type) { + case ERF_META_TAG_comment: + { + gchar *existing_comment = NULL; + /*XXX: hack to make changing capture comment work since Wireshark only + * displays one. For now just overwrite the comment as we won't + * pick up all of them yet due to the gen_time check above */ + if (wtap_block_get_nth_string_option_value(shb_hdr, OPT_COMMENT, 0, &existing_comment) == WTAP_OPTTYPE_SUCCESS) { + wtap_block_set_nth_string_option_value(shb_hdr, OPT_COMMENT, 0, tag.value, tag.length); + } else { + wtap_block_add_string_option(shb_hdr, OPT_COMMENT, tag.value, tag.length); + } + break; + } + } + } + /* Fall through */ + case ERF_META_SECTION_HOST: + { + if (erf_priv->host_gentime > state->gen_time) { + return 0; + } + + switch (tag.type) { + case ERF_META_TAG_model: + g_free(model); + model = g_strndup((gchar*) tag.value, tag.length); + break; + case ERF_META_TAG_cpu: + g_free(cpu); + cpu = g_strndup((gchar*) tag.value, tag.length); + break; + case ERF_META_TAG_descr: + g_free(descr); + descr = g_strndup((gchar*) tag.value, tag.length); + break; + case ERF_META_TAG_os: + wtap_block_set_string_option_value(shb_hdr, OPT_SHB_OS, tag.value, tag.length); + break; + case ERF_META_TAG_app_name: + g_free(app_name); + app_name = g_strndup((gchar*) tag.value, tag.length); + break; + case ERF_META_TAG_app_version: + g_free(app_version); + app_version = g_strndup((gchar*) tag.value, tag.length); + break; + /* TODO: dag_version? */ + /* TODO: could concatenate comment(s)? */ + case ERF_META_TAG_filter: + g_free(state->if_map->capture_filter_str); + state->if_map->capture_filter_str = g_strndup((gchar*) tag.value, tag.length); + break; + default: + break; + } + } + break; + } + + state->tag_ptr += tagtotallength; + state->remaining_len -= tagtotallength; + } + + /* Post processing */ + + if (app_name || app_version) { + /* + * If we have no app_name, we use "(Unknown applicaton)". + * + * If we have no app_version, this will just use app_name. + */ + tmp = g_strjoin(" ", app_name ? app_name : "(Unknown application)", app_version, NULL); + wtap_block_set_string_option_value(shb_hdr, OPT_SHB_USERAPPL, tmp, strlen(tmp)); + g_free(tmp); + + g_free(app_name); + g_free(app_version); + app_name = NULL; + app_version = NULL; + } + + /* For the hardware field show description followed by (model; cpu) */ + /* Build "Model; CPU" part */ + if (model || cpu) { + /* g_strjoin() would be nice to use here if the API didn't stop on the first NULL... */ + if (model && cpu) { + modelcpu = g_strconcat(model, "; ", cpu, NULL); + } else if (cpu) { + modelcpu = cpu; + /* avoid double-free */ + cpu = NULL; + } else { + modelcpu = model; + /* avoid double-free */ + model = NULL; + } + } + + /* Combine into "Description (Model; CPU)" */ + if (state->sectiontype == ERF_META_SECTION_HOST && descr) { + if (modelcpu) { + wtap_block_set_string_option_value_format(shb_hdr, OPT_SHB_HARDWARE, "%s (%s)", descr, modelcpu); + } else { + wtap_block_set_string_option_value(shb_hdr, OPT_SHB_HARDWARE, descr, strlen(descr)); + /*descr = NULL;*/ + } + } else if (modelcpu) { + wtap_block_set_string_option_value(shb_hdr, OPT_SHB_HARDWARE, modelcpu, strlen(modelcpu)); + /*modelcpu = NULL;*/ + } + + /* Free the fields we didn't end up using */ + g_free(modelcpu); + g_free(model); + g_free(descr); + g_free(cpu); + + if (state->sectiontype == ERF_META_SECTION_CAPTURE) { + erf_priv->capture_gentime = state->gen_time; + } else { + erf_priv->host_gentime = state->gen_time; + } + + return 1; +} + +static int populate_module_info(erf_t *erf_priv _U_, wtap *wth, union wtap_pseudo_header *pseudo_header _U_, struct erf_meta_read_state *state, int *err, gchar **err_info) +{ + struct erf_meta_tag tag = {0, 0, NULL}; + + guint32 tagtotallength; + + if (!wth) { + *err = WTAP_ERR_INTERNAL; + *err_info = ws_strdup_printf("erf: populate_module_info called with wth NULL"); + return -1; + } + if (!state) { + *err = WTAP_ERR_INTERNAL; + *err_info = ws_strdup_printf("erf: populate_module_info called with stat NULL"); + return -1; + } + + if (state->if_map->module_gentime > state->gen_time) { + return 0; + } + + while ((tagtotallength = erf_meta_read_tag(&tag, state->tag_ptr, state->remaining_len)) && !ERF_META_IS_SECTION(tag.type)) { + switch (tag.type) { + case ERF_META_TAG_fcs_len: + if (tag.length >= 4) { + state->if_map->module_fcs_len = (gint8) pntoh32(tag.value); + } + break; + case ERF_META_TAG_snaplen: + /* XXX: this is generally per stream */ + if (tag.length >= 4) { + state->if_map->module_snaplen = pntoh32(tag.value); + } + break; + case ERF_META_TAG_filter: + g_free(state->if_map->module_filter_str); + state->if_map->module_filter_str = g_strndup((gchar*) tag.value, tag.length); + break; + } + + state->tag_ptr += tagtotallength; + state->remaining_len -= tagtotallength; + } + + state->if_map->module_gentime = state->gen_time; + + return 1; +} + +static int populate_interface_info(erf_t *erf_priv, wtap *wth, union wtap_pseudo_header *pseudo_header, struct erf_meta_read_state *state, int *err, gchar **err_info) +{ + struct erf_meta_tag tag = {0, 0, NULL}; + guint32 tagtotallength; + int interface_index = -1; + wtap_block_t int_data = NULL; + wtapng_if_descr_mandatory_t* int_data_mand = NULL; + if_filter_opt_t if_filter; + guint32 if_num = 0; + struct erf_if_info* if_info = NULL; + + if (!wth) { + *err = WTAP_ERR_INTERNAL; + *err_info = ws_strdup_printf("erf: populate_interface_info called with wth NULL"); + return -1; + } + if (!state) { + *err = WTAP_ERR_INTERNAL; + *err_info = ws_strdup_printf("erf: populate_interface_info called with state NULL"); + return -1; + } + if (!pseudo_header) { + *err = WTAP_ERR_INTERNAL; + *err_info = ws_strdup_printf("erf: populate_interface_info called with pseudo_header NULL"); + return -1; + } + if (!state->if_map) { + *err = WTAP_ERR_INTERNAL; + *err_info = ws_strdup_printf("erf: populate_interface_info called with state->if_map NULL"); + return -1; + } + + /* Section ID of interface is defined to match ERF interface id. */ + if_num = state->sectionid - 1; + /* + * Get or create the interface (there can be multiple interfaces in + * a Provenance record). + */ + if (if_num < 4) { /* Note: -1u > 4*/ + if_info = &state->if_map->interfaces[if_num]; + interface_index = if_info->if_index; + + /* Check if the interface information is still uninitialized */ + if (interface_index == -1) { + guint8 *tag_ptr_tmp = state->tag_ptr; + guint32 remaining_len_tmp = state->remaining_len; + + /* First iterate tags, checking we aren't looking at a timing port */ + /* + * XXX: we deliberately only do this logic here rather than the per-packet + * population function so that if somehow we do see packets for an + * 'invalid' port the interface will be created at that time. + */ + while ((tagtotallength = erf_meta_read_tag(&tag, tag_ptr_tmp, remaining_len_tmp)) && !ERF_META_IS_SECTION(tag.type)) { + if (tag.type == ERF_META_TAG_if_port_type) { + if (tag.length >= 4 && pntoh32(tag.value) == 2) { + /* This is a timing port, skip it from now on */ + /* XXX: should we skip all non-capture ports instead? */ + + if_info->if_index = -2; + interface_index = -2; + } + } else if (tag.type == ERF_META_TAG_stream_num) { + if (tag.length >= 4) { + if_info->stream_num = (gint32) pntoh32(tag.value); + } + } + + tag_ptr_tmp += tagtotallength; + remaining_len_tmp -= tagtotallength; + } + + /* If the interface is valid but uninitialized, create it */ + if (interface_index == -1) { + interface_index = erf_populate_interface(erf_priv, wth, pseudo_header, state->if_map->host_id, state->if_map->source_id, (guint8) if_num, err, err_info); + if (interface_index == -1) { + return -1; + } + } + } + + /* Get the wiretap interface metadata */ + if (interface_index >= 0) { + int_data = g_array_index(wth->interface_data, wtap_block_t, interface_index); + int_data_mand = (wtapng_if_descr_mandatory_t*)wtap_block_get_mandatory_data(int_data); + } else if (interface_index == -2) { + /* timing/unknown port */ + return 0; + } else { + *err = WTAP_ERR_INTERNAL; + *err_info = ws_strdup_printf("erf: populate_interface_info got interface_index %d < 0 and != -2", interface_index); + return -1; + } + } + + /* + * Bail if already have interface metadata or no interface to associate with. + * We also don't support metadata for >4 interfaces per Host + Source + * as we only use interface ID. + */ + if (!int_data) + return 0; + + if (state->if_map->interface_gentime > state->gen_time && state->if_map->interface_metadata & (1 << if_num)) + return 0; + + while ((tagtotallength = erf_meta_read_tag(&tag, state->tag_ptr, state->remaining_len)) && !ERF_META_IS_SECTION(tag.type)) { + switch (tag.type) { + case ERF_META_TAG_name: + /* TODO: fall back to module "dev_name Port N"? */ + if (!if_info->name) { + if_info->name = g_strndup((gchar*) tag.value, tag.length); + erf_set_interface_descr(int_data, OPT_IDB_NAME, state->if_map->host_id, state->if_map->source_id, (guint8) if_num, if_info->name); + + /* If we have no description, also copy to wtap if_description */ + if (!if_info->descr) { + erf_set_interface_descr(int_data, OPT_IDB_DESCRIPTION, state->if_map->host_id, state->if_map->source_id, (guint8) if_num, if_info->name); + } + } + break; + case ERF_META_TAG_descr: + if (!if_info->descr) { + if_info->descr = g_strndup((gchar*) tag.value, tag.length); + erf_set_interface_descr(int_data, OPT_IDB_DESCRIPTION, state->if_map->host_id, state->if_map->source_id, (guint8) if_num, if_info->descr); + + /* If we have no name, also copy to wtap if_name */ + if (!if_info->name) { + erf_set_interface_descr(int_data, OPT_IDB_NAME, state->if_map->host_id, state->if_map->source_id, (guint8) if_num, if_info->descr); + } + } + break; + case ERF_META_TAG_if_speed: + if (tag.length >= 8) + wtap_block_add_uint64_option(int_data, OPT_IDB_SPEED, pntoh64(tag.value)); + break; + case ERF_META_TAG_if_num: + /* + * XXX: We ignore this as Section ID must match the ERF ifid and + * that is all we care about/have space for at the moment. if_num + * is only really useful with >4 interfaces. + */ + /* TODO: might want to put this number in description */ + break; + case ERF_META_TAG_fcs_len: + if (tag.length >= 4) { + wtap_block_add_uint8_option(int_data, OPT_IDB_FCSLEN, (guint8) pntoh32(tag.value)); + if_info->set_flags.fcs_len = 1; + } + break; + case ERF_META_TAG_snaplen: + /* XXX: this generally per stream */ + if (tag.length >= 4) { + int_data_mand->snap_len = pntoh32(tag.value); + if_info->set_flags.snaplen = 1; + } + break; + case ERF_META_TAG_comment: + wtap_block_add_string_option(int_data, OPT_COMMENT, tag.value, tag.length); + break; + case ERF_META_TAG_filter: + if_filter.type = if_filter_pcap; + if_filter.data.filter_str = g_strndup((gchar*) tag.value, tag.length); + wtap_block_add_if_filter_option(int_data, OPT_IDB_FILTER, &if_filter); + g_free(if_filter.data.filter_str); + if_info->set_flags.filter = 1; + break; + default: + break; + } + + state->tag_ptr += tagtotallength; + state->remaining_len -= tagtotallength; + } + + /* Post processing */ + /* + * XXX: Assumes module defined first. It is higher in hierarchy so only set + * if not already. + */ + + /* + * XXX: Missing exposed existence/type-check. No way currently to check if + * been set in the optionblock. + */ + if (!if_info->set_flags.filter) { + if (state->if_map->module_filter_str) { + /* Duplicate because might use with multiple interfaces */ + if_filter.type = if_filter_pcap; + if_filter.data.filter_str = state->if_map->module_filter_str; + wtap_block_add_if_filter_option(int_data, OPT_IDB_FILTER, &if_filter); + /* + * Don't set flag because stream is more specific than module. + */ + } else if (state->if_map->capture_filter_str) { + /* TODO: display separately? Note that we could have multiple captures + * from multiple hosts in the file */ + if_filter.type = if_filter_pcap; + if_filter.data.filter_str = state->if_map->capture_filter_str; + wtap_block_add_if_filter_option(int_data, OPT_IDB_FILTER, &if_filter); + } + } + + if (state->if_map->module_fcs_len != -1 && !if_info->set_flags.fcs_len) { + wtap_block_add_uint8_option(int_data, OPT_IDB_FCSLEN, (guint8) state->if_map->module_fcs_len); + if_info->set_flags.fcs_len = 1; + } + + if (state->if_map->module_snaplen != (guint32) -1 && !if_info->set_flags.snaplen) { + int_data_mand->snap_len = pntoh32(tag.value); + if_info->set_flags.snaplen = 1; + } + + state->interface_metadata |= 1 << if_num; + + return 1; +} + +static int populate_stream_info(erf_t *erf_priv _U_, wtap *wth, union wtap_pseudo_header *pseudo_header, struct erf_meta_read_state *state, int *err, gchar **err_info) +{ + struct erf_meta_tag tag = {0, 0, NULL}; + guint32 tagtotallength; + int interface_index = -1; + wtap_block_t int_data = NULL; + wtapng_if_descr_mandatory_t* int_data_mand = NULL; + if_filter_opt_t if_filter; + guint32 if_num = 0; + gint32 stream_num = -1; + guint8 *tag_ptr_tmp; + guint32 remaining_len_tmp; + struct erf_if_info* if_info = NULL; + + if (!wth) { + *err = WTAP_ERR_INTERNAL; + *err_info = ws_strdup_printf("erf: populate_stream_info called with wth NULL"); + return -1; + } + if (!pseudo_header) { + *err = WTAP_ERR_INTERNAL; + *err_info = ws_strdup_printf("erf: populate_stream_info called with pseudo_header NULL"); + return -1; + } + if (!state) { + *err = WTAP_ERR_INTERNAL; + *err_info = ws_strdup_printf("erf: populate_stream_info called with state NULL"); + return -1; + } + if (!state->if_map) { + *err = WTAP_ERR_INTERNAL; + *err_info = ws_strdup_printf("erf: populate_stream_info called with state->if_map NULL"); + return -1; + } + + tag_ptr_tmp = state->tag_ptr; + remaining_len_tmp = state->remaining_len; + + /* + * XXX: We ignore parent section ID because it doesn't represent the + * many-to-many relationship of interfaces and streams very well. The stream is + * associated with all interfaces in the record that don't have a stream_num + * that says otherwise. + */ + + if (state->sectionid > 0 && state->sectionid != 0x7fff) { + /* Section ID of stream is supposed to match stream_num. */ + stream_num = state->sectionid - 1; + } else { + /* First iterate tags, looking for the stream number interfaces might associate with. */ + while ((tagtotallength = erf_meta_read_tag(&tag, tag_ptr_tmp, remaining_len_tmp)) && !ERF_META_IS_SECTION(tag.type)) { + if (tag.type == ERF_META_TAG_stream_num) { + if (tag.length >= 4) { + stream_num = (gint32) pntoh32(tag.value); + } + } + + tag_ptr_tmp += tagtotallength; + remaining_len_tmp -= tagtotallength; + } + } + /* Otherwise assume the stream applies to all interfaces in the record */ + + for (if_num = 0; if_num < 4; if_num++) { + tag_ptr_tmp = state->tag_ptr; + remaining_len_tmp = state->remaining_len; + if_info = &state->if_map->interfaces[if_num]; + + /* Check if we should be handling this interface */ + /* XXX: currently skips interfaces that are not in the record. */ + if (state->if_map->interface_metadata & (1 << if_num) + || !(state->interface_metadata & (1 << if_num))) { + continue; + } + + if (if_info->stream_num != -1 + && if_info->stream_num != stream_num) { + continue; + } + + interface_index = if_info->if_index; + /* Get the wiretap interface metadata */ + if (interface_index >= 0) { + int_data = g_array_index(wth->interface_data, wtap_block_t, interface_index); + int_data_mand = (wtapng_if_descr_mandatory_t*)wtap_block_get_mandatory_data(int_data); + } + + if (!int_data) { + continue; + } + + while ((tagtotallength = erf_meta_read_tag(&tag, tag_ptr_tmp, remaining_len_tmp)) && !ERF_META_IS_SECTION(tag.type)) { + switch (tag.type) { + case ERF_META_TAG_fcs_len: + if (tag.length >= 4) { + /* Use the largest fcslen of matching streams */ + gint8 fcs_len = (gint8) pntoh32(tag.value); + guint8 old_fcs_len = 0; + + switch (wtap_block_get_uint8_option_value(int_data, OPT_IDB_FCSLEN, &old_fcs_len)) { + + case WTAP_OPTTYPE_SUCCESS: + /* We already have an FCS length option; update it. */ + if (fcs_len > old_fcs_len || !if_info->set_flags.fcs_len) { + wtap_block_set_uint8_option_value(int_data, OPT_IDB_FCSLEN, (guint8) pntoh32(tag.value)); + if_info->set_flags.fcs_len = 1; + } + break; + + case WTAP_OPTTYPE_NOT_FOUND: + /* We don't have an FCS length option; add it. */ + wtap_block_add_uint8_option(int_data, OPT_IDB_FCSLEN, (guint8) pntoh32(tag.value)); + if_info->set_flags.fcs_len = 1; + break; + + default: + /* "shouldn't happen" */ + break; + } + } + break; + case ERF_META_TAG_snaplen: + if (tag.length >= 4) { + /* Use the largest snaplen of matching streams */ + guint32 snaplen = pntoh32(tag.value); + + if (snaplen > int_data_mand->snap_len || !if_info->set_flags.snaplen) { + int_data_mand->snap_len = pntoh32(tag.value); + if_info->set_flags.snaplen = 1; + } + } + break; + case ERF_META_TAG_filter: + /* Override only if not set */ + if (!if_info->set_flags.filter) { + if_filter.type = if_filter_pcap; + if_filter.data.filter_str = g_strndup((gchar*) tag.value, tag.length); + wtap_block_add_if_filter_option(int_data, OPT_IDB_FILTER, &if_filter); + g_free(if_filter.data.filter_str); + if_info->set_flags.filter = 1; + } + break; + default: + break; + } + + tag_ptr_tmp += tagtotallength; + remaining_len_tmp -= tagtotallength; + } + } + state->tag_ptr = tag_ptr_tmp; + state->remaining_len = remaining_len_tmp; + + return 1; +} + +static int populate_anchor_info(erf_t *erf_priv, wtap *wth, union wtap_pseudo_header *pseudo_header, struct erf_meta_read_state *state, GPtrArray *anchor_mappings_to_update, int *err, gchar **err_info) { + struct erf_meta_tag tag = {0, 0, NULL}; + guint32 tagtotallength; + gchar *comment_ptr = NULL; + guint i = 0; + + if (!wth) { + *err = WTAP_ERR_INTERNAL; + *err_info = ws_strdup_printf("erf: populate_anchor_info called with wth NULL"); + return -1; + } + if (!state) { + *err = WTAP_ERR_INTERNAL; + *err_info = ws_strdup_printf("erf: populate_anchor_info called with state NULL"); + return -1; + } + if (!pseudo_header) { + *err = WTAP_ERR_INTERNAL; + *err_info = ws_strdup_printf("erf: populate_anchor_info called with pseudo_header NULL"); + return -1; + } + + if (!anchor_mappings_to_update || anchor_mappings_to_update->len == 0) + return 0; + + while ((tagtotallength = erf_meta_read_tag(&tag, state->tag_ptr, state->remaining_len)) && !ERF_META_IS_SECTION(tag.type)) { + /* XXX:Always gets the first comment tag in the section */ + switch(tag.type) { + case ERF_META_TAG_comment: + if(!comment_ptr) { + comment_ptr = g_strndup((gchar*)tag.value, tag.length); + } + break; + default: + break; + } + + state->tag_ptr += tagtotallength; + state->remaining_len -= tagtotallength; + } + + if(comment_ptr) { + for(i = 0; i < anchor_mappings_to_update->len; i++) { + struct erf_anchor_mapping *mapping; + struct erf_anchor_mapping *lookup_result; + + mapping = (struct erf_anchor_mapping*)g_ptr_array_index(anchor_mappings_to_update, i); + lookup_result = (struct erf_anchor_mapping*)g_hash_table_lookup(erf_priv->anchor_map, mapping); + + /* Use the most recent comment, across all anchors associated with the + * record. */ + if(lookup_result) { + if(lookup_result->gen_time < state->gen_time) { + lookup_result->gen_time = state->gen_time; + g_free(lookup_result->comment); + lookup_result->comment = g_strdup(comment_ptr); + } + } + else { + /* !lookup_result */ + struct erf_anchor_mapping *new_mapping; + new_mapping = g_new0(struct erf_anchor_mapping, 1); + new_mapping->anchor_id = mapping->anchor_id; + new_mapping->host_id = mapping->host_id; + new_mapping->gen_time = state->gen_time; + new_mapping->comment = g_strdup(comment_ptr); + g_hash_table_replace(erf_priv->anchor_map, new_mapping, new_mapping); + } + } + } + + g_free(comment_ptr); + + return 1; +} + +/* Populates the capture and interface information for display on the Capture File Properties */ +static int populate_summary_info(erf_t *erf_priv, wtap *wth, union wtap_pseudo_header *pseudo_header, Buffer *buf, guint32 packet_size, GPtrArray *anchor_mappings_to_update, int *err, gchar **err_info) +{ + struct erf_meta_read_state state = {0}; + struct erf_meta_read_state *state_post = NULL; + guint64 host_id; + guint8 source_id; + GList *post_list = NULL; + GList *item = NULL; + + struct erf_meta_tag tag = {0, 0, NULL}; + guint32 tagtotallength; + + if (!wth) { + *err = WTAP_ERR_INTERNAL; + *err_info = ws_strdup_printf("erf: populate_summary_info called with wth NULL"); + return -1; + } + if (!pseudo_header) { + *err = WTAP_ERR_INTERNAL; + *err_info = ws_strdup_printf("erf: populate_summary_info called with pseudo_header NULL"); + return -1; + } + if (!erf_priv) { + *err = WTAP_ERR_INTERNAL; + *err_info = ws_strdup_printf("erf: populate_summary_info called with erf_priv NULL"); + return -1; + } + + erf_get_source_from_header(pseudo_header, &host_id, &source_id); + + if (host_id == 0) { + host_id = erf_priv->implicit_host_id; + } + + state.if_map = erf_find_interface_mapping(erf_priv, host_id, source_id); + + if (!state.if_map) { + state.if_map = erf_if_mapping_create(host_id, source_id); + /* g_hash_table_add() only exists since 2.32. */ + g_hash_table_replace(erf_priv->if_map, state.if_map, state.if_map); + + } + + + state.tag_ptr = buf->data; + state.remaining_len = packet_size; + + /* Read until see next section tag */ + while ((tagtotallength = erf_meta_read_tag(&tag, state.tag_ptr, state.remaining_len))) { + /* + * Obtain the gen_time from the non-section at the beginning of the record + */ + if (!ERF_META_IS_SECTION(tag.type)) { + if(state.gen_time == 0U + && tag.type == ERF_META_TAG_gen_time + ) { + memcpy(&state.gen_time, tag.value, sizeof(state.gen_time)); + + /* + * Since wireshark doesn't have a concept of different summary metadata + * over time, skip the record if metadata is older than what we already have. + */ + /* TODO: This doesn't work very well for some tags that map to + * pcapng options where the pcapng specification only allows one + * instance per block, which is the case for most options. The + * only current exxceptions are: + * + * comments; + * IPv4 and IPv6 addresses for an interface; + * hash values for a packet; + * custom options. + * + * For options where only one instance is allowed per block, + * wtap_block_add_XXX_option() is currently used to add a new + * instance of an option to a block that has no instance (it + * fails if there's already an instance), and + * wtap_block_set_XXX_optin() is currently used to change the + * value of an option in a block that has one instance (it fails + * if there isn't already an instance). + * + * For options where more than one instance is allowed per block, + * wtap_block_add_XXX_option() is used to add a new instance to + * a block, no matter how many instances it currently has, and + * wtap_block_set_nth_XXX_option() is used to change the value + * of the Nth instance of an option in a block (the block must + * *have* an Nth instance). + * + * Currently we only particularly care about updating the capture comment + * and a few counters anyway. + */ + if ((state.if_map->interface_metadata & 0x03) + && state.gen_time < erf_priv->host_gentime && state.gen_time < erf_priv->capture_gentime + && (!anchor_mappings_to_update || !anchor_mappings_to_update->len)) { + return 0; + } + } + /* + * Skip until we get to the next section tag (which could be the current tag + * after an empty section or successful parsing). + */ + /* adjust offset */ + state.tag_ptr += tagtotallength; + state.remaining_len -= tagtotallength; + continue; + } + + /* + * We are now looking at the next section (and would have exited the loop + * if we reached the end). + */ + + /* Update parent section. Implicit grouping is by a change in section except Interface and Stream. */ + if (tag.type != state.sectiontype) { + if ((tag.type == ERF_META_SECTION_STREAM && state.sectiontype == ERF_META_SECTION_INTERFACE) || + (tag.type == ERF_META_SECTION_INTERFACE && state.sectiontype == ERF_META_SECTION_STREAM)) { + /* do nothing */ + } else { + state.parentsectiontype = state.sectiontype; + state.parentsectionid = state.sectionid; + } + } + + /* Update with new sectiontype */ + state.sectiontype = tag.type; + if (tag.length >= 4) { + state.sectionid = pntoh16(tag.value); + } else { + state.sectionid = 0; + } + + /* Adjust offset to that of first tag in section */ + state.tag_ptr += tagtotallength; + state.remaining_len -= tagtotallength; + + if (erf_meta_read_tag(&tag, state.tag_ptr, state.remaining_len)) { + /* + * Process parent section tag if present (which must be the first tag in + * the section). + */ + if (tag.type == ERF_META_TAG_parent_section && tag.length >= 4) { + state.parentsectiontype = pntoh16(tag.value); + state.parentsectionid = pntoh16(&tag.value[2]); + } + } + + /* Skip empty sections (includes if above read fails) */ + if (ERF_META_IS_SECTION(tag.type)) { + continue; + } + + /* + * Skip sections that don't apply to the general set of records + * (extension point for per-packet/event metadata). + * Unless we need to update the anchor info + * in which case, read into it + */ + if (state.sectionid & 0x8000) { + if(state.sectiontype & (ERF_META_SECTION_INFO)) { + /* TODO: do we care if it returns 0 or 1? */ + if (populate_anchor_info(erf_priv, wth, pseudo_header, &state, anchor_mappings_to_update, err, err_info) < 0) { + return -1; + } + } + continue; + } + + /* + * Start at first tag in section, makes loop + * simpler in called functions too. Also makes iterating after failure + * much simpler. + */ + switch (state.sectiontype) { + case ERF_META_SECTION_CAPTURE: + case ERF_META_SECTION_HOST: + /* TODO: do we care if it returns 0 or 1? */ + if (populate_capture_host_info(erf_priv, wth, pseudo_header, &state, err, err_info) < 0) { + return -1; + } + break; + case ERF_META_SECTION_MODULE: + /* TODO: do we care if it returns 0 or 1? */ + if (populate_module_info(erf_priv, wth, pseudo_header, &state, err, err_info) < 0) { + return -1; + } + break; + case ERF_META_SECTION_INTERFACE: + /* TODO: do we care if it returns 0 or 1? */ + if (populate_interface_info(erf_priv, wth, pseudo_header, &state, err, err_info) < 0) { + return -1; + } + break; + case ERF_META_SECTION_STREAM: + /* + * XXX: Treat streams specially in case the stream information appears + * before the interface information, as we associate them to interface + * data. + */ + post_list = g_list_append(post_list, g_memdup2(&state, sizeof(struct erf_meta_read_state))); + break; + case ERF_META_SECTION_SOURCE: + case ERF_META_SECTION_DNS: + default: + /* TODO: Not yet implemented */ + break; + } + } + + /* Process streams last */ + if (post_list) { + item = post_list; + do { + state_post = (struct erf_meta_read_state*) item->data; + switch (state_post->sectiontype) { + case ERF_META_SECTION_STREAM: + if (populate_stream_info(erf_priv, wth, pseudo_header, state_post, err, err_info) < 0) { + g_list_foreach(post_list, erf_free_data, NULL); + g_list_free(post_list); + return -1; + } + break; + } + } while ((item = g_list_next(item))); + /* g_list_free_full() only exists since 2.28. */ + g_list_foreach(post_list, erf_free_data, NULL); + g_list_free(post_list); + } + + /* + * Update known metadata so we only examine the first set of metadata. Need to + * do this here so can have interface and stream in same record. + */ + if (state.interface_metadata) { + state.if_map->interface_metadata |= state.interface_metadata; + state.if_map->interface_gentime = state.gen_time; + } + + return 0; +} + +static gboolean get_user_comment_string(wtap_dumper *wdh, gchar** user_comment_ptr) { + wtap_block_t wtap_block; + wtap_opttype_return_val ret; + + wtap_block = NULL; + + if(wdh->shb_hdrs && (wdh->shb_hdrs->len > 0)) { + wtap_block = g_array_index(wdh->shb_hdrs, wtap_block_t, 0); + } + + if(wtap_block != NULL) { + ret = wtap_block_get_nth_string_option_value(wtap_block, OPT_COMMENT, 0, user_comment_ptr); + if(ret != WTAP_OPTTYPE_SUCCESS) { + return FALSE; + } + } + + return TRUE; +} + +static gboolean erf_dump_priv_compare_capture_comment(wtap_dumper *wdh _U_, erf_dump_t *dump_priv, const union wtap_pseudo_header *pseudo_header, const guint8 *pd){ + struct erf_meta_read_state state = {0}; + struct erf_meta_tag tag = {0, 0, NULL}; + guint32 tagtotallength; + gboolean found_capture_section = FALSE; + gboolean found_normal_section = FALSE; + gchar* comment_ptr = NULL; + + state.remaining_len = pseudo_header->erf.phdr.wlen; + memcpy(&(state.tag_ptr), &pd, sizeof(pd)); + + while((tagtotallength = erf_meta_read_tag(&tag, state.tag_ptr, state.remaining_len))) { + if (ERF_META_IS_SECTION(tag.type)) { + state.sectiontype = tag.type; + if (tag.length >= 4) { + state.sectionid = pntoh16(tag.value); + } else { + state.sectionid = 0; + } + + /* Skip sections that don't apply to the general set of records */ + if (!(state.sectionid & 0x8000)) { + found_normal_section = TRUE; + + if(tag.type == ERF_META_SECTION_CAPTURE) { + /* Found the Capture Section */ + found_capture_section = TRUE; + } + } + } else { + if (state.sectiontype == ERF_META_SECTION_CAPTURE && !(state.sectionid & 0x8000)) { + if (tag.type == ERF_META_TAG_comment) { + /* XXX: Only compare the first comment tag */ + if(!comment_ptr) { + comment_ptr = g_strndup((char*)tag.value, tag.length); + } + break; + } + } + } + + /* Read until we have the Capture section */ + state.tag_ptr += tagtotallength; + state.remaining_len -= tagtotallength; + } + + if(found_capture_section && (comment_ptr || dump_priv->user_comment_ptr)) { + if(g_strcmp0(comment_ptr, dump_priv->user_comment_ptr) + && !(dump_priv->user_comment_ptr == NULL && comment_ptr && comment_ptr[0] == '\0')) { + /* Also treat "" in ERF as equivalent to NULL as that is how we clear the comment on write. */ + + /* Comments are different, we should write extra metadata record at the end of the list */ + dump_priv->write_next_extra_meta = TRUE; + g_free(comment_ptr); + return TRUE; + } else { + /* We have a capture comment but there is no change, we don't + * need to insert the 'changed' comment. This most likely happened + * because we were looking at list of periodic records and got up to the + * one where the comment was last set. */ + dump_priv->write_next_extra_meta = FALSE; + } + /* Otherwise no effect on whether we need to write extra metadata record */ + } + /* We didn't find a capture section (e.g. looking at a comment Anchor + * record), or the comment hadn't changed. */ + + g_free(comment_ptr); + /* Return whether we found any non-local metadata (i.e. whether the record has + * metadata that is more than just packet 'comments') */ + return found_normal_section; +} + +static void erf_close(wtap *wth) +{ + erf_t* erf_priv = (erf_t*)wth->priv; + + erf_priv_free(erf_priv); + /* XXX: Prevent double free by wtap_close() */ + wth->priv = NULL; +} + +static const struct supported_option_type section_block_options_supported[] = { + { OPT_COMMENT, ONE_OPTION_SUPPORTED }, /* XXX - multiple? */ + { OPT_SHB_USERAPPL, ONE_OPTION_SUPPORTED } +}; + +static const struct supported_option_type interface_block_options_supported[] = { + { OPT_COMMENT, ONE_OPTION_SUPPORTED }, /* XXX - multiple? */ + { OPT_IDB_NAME, ONE_OPTION_SUPPORTED }, + { OPT_IDB_DESCRIPTION, ONE_OPTION_SUPPORTED }, + { OPT_IDB_OS, ONE_OPTION_SUPPORTED }, + { OPT_IDB_TSOFFSET, ONE_OPTION_SUPPORTED }, + { OPT_IDB_SPEED, ONE_OPTION_SUPPORTED }, + { OPT_IDB_IP4ADDR, ONE_OPTION_SUPPORTED }, /* XXX - multiple? */ + { OPT_IDB_IP6ADDR, ONE_OPTION_SUPPORTED }, /* XXX - multiple? */ + { OPT_IDB_FILTER, ONE_OPTION_SUPPORTED }, + { OPT_IDB_FCSLEN, ONE_OPTION_SUPPORTED } +}; + +static const struct supported_option_type packet_block_options_supported[] = { + { OPT_COMMENT, ONE_OPTION_SUPPORTED } /* XXX - multiple? */ +}; + +static const struct supported_block_type erf_blocks_supported[] = { + /* + * Per-file comments and application supported; section blocks + * are used for that. + * ERF files have only one section. (XXX - true?) + */ + { WTAP_BLOCK_SECTION, ONE_BLOCK_SUPPORTED, OPTION_TYPES_SUPPORTED(section_block_options_supported) }, + + /* + * ERF supports multiple interfaces, with information, and + * supports associating packets with interfaces. Interface + * description blocks are used for that. + */ + { WTAP_BLOCK_IF_ID_AND_INFO, MULTIPLE_BLOCKS_SUPPORTED, OPTION_TYPES_SUPPORTED(interface_block_options_supported) }, + + /* + * Name resolution is supported, but we don't support comments. + */ + { WTAP_BLOCK_NAME_RESOLUTION, ONE_BLOCK_SUPPORTED, NO_OPTIONS_SUPPORTED }, + + /* + * ERF is a capture format, so it obviously supports packets. + */ + { WTAP_BLOCK_PACKET, MULTIPLE_BLOCKS_SUPPORTED, OPTION_TYPES_SUPPORTED(packet_block_options_supported) } +}; + +static const struct file_type_subtype_info erf_info = { + "Endace ERF capture", "erf", "erf", NULL, + FALSE, BLOCKS_SUPPORTED(erf_blocks_supported), + erf_dump_can_write_encap, erf_dump_open, NULL +}; + +void register_erf(void) +{ + erf_file_type_subtype = wtap_register_file_type_subtype(&erf_info); + + /* + * Register name for backwards compatibility with the + * wtap_filetypes table in Lua. + */ + wtap_register_backwards_compatibility_lua_name("ERF", erf_file_type_subtype); +} + +/* + * Editor modelines - https://www.wireshark.org/tools/modelines.html + * + * Local Variables: + * c-basic-offset: 2 + * tab-width: 8 + * indent-tabs-mode: nil + * End: + * + * vi: set shiftwidth=2 tabstop=8 expandtab: + * :indentSize=2:tabSize=8:noTabs=true: + */ |