/* netscreen.c * * Juniper NetScreen snoop output parser * Created by re-using a lot of code from cosine.c * Copyright (c) 2007 by Sake Blok * * Wiretap Library * Copyright (c) 1998 by Gilbert Ramirez * * SPDX-License-Identifier: GPL-2.0-or-later */ #include "config.h" #include "wtap-int.h" #include "netscreen.h" #include "file_wrappers.h" #include #include /* XXX TODO: * * o Construct a list of interfaces, with interface names, give * them link-layer types based on the interface name and packet * data, and supply interface IDs with each packet (i.e., make * this supply a pcapng-style set of interfaces and associate * packets with interfaces). This is probably the right way * to "Pass the interface names and the traffic direction to either * the frame-structure, a pseudo-header or use PPI." See the * message at * * https://www.wireshark.org/lists/wireshark-dev/200708/msg00029.html * * to see whether any further discussion is still needed. I suspect * it doesn't; pcapng existed at the time, as per the final * message in that thread: * * https://www.wireshark.org/lists/wireshark-dev/200708/msg00039.html * * but I don't think we fully *supported* it at that point. Now * that we do, we have the infrastructure to support this, except * that we currently have no way to translate interface IDs to * interface names in the "frame" dissector or to supply interface * information as part of the packet metadata from Wiretap modules. * That should be fixed so that we can show interface information, * such as the interface name, in packet dissections from, for example, * pcapng captures. */ static gboolean info_line(const gchar *line); static gint64 netscreen_seek_next_packet(wtap *wth, int *err, gchar **err_info, char *hdr); static gboolean netscreen_check_file_type(wtap *wth, int *err, gchar **err_info); static gboolean netscreen_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err, gchar **err_info, gint64 *data_offset); static gboolean netscreen_seek_read(wtap *wth, gint64 seek_off, wtap_rec *rec, Buffer *buf, int *err, gchar **err_info); static gboolean parse_netscreen_packet(FILE_T fh, wtap_rec *rec, Buffer* buf, char *line, int *err, gchar **err_info); static int parse_single_hex_dump_line(char* rec, guint8 *buf, guint byte_offset, guint pkt_len); /* Error returns from parse_single_hex_dump_line() */ #define PARSE_LINE_INVALID_CHARACTER -1 #define PARSE_LINE_NO_BYTES_SEEN -2 #define PARSE_LINE_TOO_MANY_BYTES_SEEN -3 static int netscreen_file_type_subtype = -1; void register_netscreen(void); /* Returns TRUE if the line appears to be a line with protocol info. Otherwise it returns FALSE. */ static gboolean info_line(const gchar *line) { int i=NETSCREEN_SPACES_ON_INFO_LINE; while (i-- > 0) { if (g_ascii_isspace(*line)) { line++; continue; } else { return FALSE; } } return TRUE; } /* Seeks to the beginning of the next packet, and returns the byte offset. Copy the header line to hdr. Returns -1 on failure, and sets "*err" to the error and sets "*err_info" to null or an additional error string. */ static gint64 netscreen_seek_next_packet(wtap *wth, int *err, gchar **err_info, char *hdr) { gint64 cur_off; char buf[NETSCREEN_LINE_LENGTH]; while (1) { cur_off = file_tell(wth->fh); if (cur_off == -1) { /* Error */ *err = file_error(wth->fh, err_info); return -1; } if (file_gets(buf, sizeof(buf), wth->fh) == NULL) { /* EOF or error. */ *err = file_error(wth->fh, err_info); break; } if (strstr(buf, NETSCREEN_REC_MAGIC_STR1) || strstr(buf, NETSCREEN_REC_MAGIC_STR2)) { (void) g_strlcpy(hdr, buf, NETSCREEN_LINE_LENGTH); return cur_off; } } return -1; } /* Look through the first part of a file to see if this is * NetScreen snoop output. * * Returns TRUE if it is, FALSE if it isn't or if we get an I/O error; * if we get an I/O error, "*err" will be set to a non-zero value and * "*err_info" is set to null or an additional error string. */ static gboolean netscreen_check_file_type(wtap *wth, int *err, gchar **err_info) { char buf[NETSCREEN_LINE_LENGTH]; guint reclen, line; buf[NETSCREEN_LINE_LENGTH-1] = '\0'; for (line = 0; line < NETSCREEN_HEADER_LINES_TO_CHECK; line++) { if (file_gets(buf, NETSCREEN_LINE_LENGTH, wth->fh) == NULL) { /* EOF or error. */ *err = file_error(wth->fh, err_info); return FALSE; } reclen = (guint) strlen(buf); if (reclen < MIN(strlen(NETSCREEN_HDR_MAGIC_STR1), strlen(NETSCREEN_HDR_MAGIC_STR2))) { continue; } if (strstr(buf, NETSCREEN_HDR_MAGIC_STR1) || strstr(buf, NETSCREEN_HDR_MAGIC_STR2)) { return TRUE; } } *err = 0; return FALSE; } wtap_open_return_val netscreen_open(wtap *wth, int *err, gchar **err_info) { /* Look for a NetScreen snoop header line */ if (!netscreen_check_file_type(wth, err, err_info)) { if (*err != 0 && *err != WTAP_ERR_SHORT_READ) return WTAP_OPEN_ERROR; return WTAP_OPEN_NOT_MINE; } if (file_seek(wth->fh, 0L, SEEK_SET, err) == -1) /* rewind */ return WTAP_OPEN_ERROR; wth->file_encap = WTAP_ENCAP_UNKNOWN; wth->file_type_subtype = netscreen_file_type_subtype; wth->snapshot_length = 0; /* not known */ wth->subtype_read = netscreen_read; wth->subtype_seek_read = netscreen_seek_read; wth->file_tsprec = WTAP_TSPREC_100_MSEC; return WTAP_OPEN_MINE; } /* Find the next packet and parse it; called from wtap_read(). */ static gboolean netscreen_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err, gchar **err_info, gint64 *data_offset) { gint64 offset; char line[NETSCREEN_LINE_LENGTH]; /* Find the next packet */ offset = netscreen_seek_next_packet(wth, err, err_info, line); if (offset < 0) return FALSE; /* Parse the header and convert the ASCII hex dump to binary data */ if (!parse_netscreen_packet(wth->fh, rec, buf, line, err, err_info)) return FALSE; /* * If the per-file encapsulation isn't known, set it to this * packet's encapsulation. * * If it *is* known, and it isn't this packet's encapsulation, * set it to WTAP_ENCAP_PER_PACKET, as this file doesn't * have a single encapsulation for all packets in the file. */ if (wth->file_encap == WTAP_ENCAP_UNKNOWN) wth->file_encap = rec->rec_header.packet_header.pkt_encap; else { if (wth->file_encap != rec->rec_header.packet_header.pkt_encap) wth->file_encap = WTAP_ENCAP_PER_PACKET; } *data_offset = offset; return TRUE; } /* Used to read packets in random-access fashion */ static gboolean netscreen_seek_read(wtap *wth, gint64 seek_off, wtap_rec *rec, Buffer *buf, int *err, gchar **err_info) { char line[NETSCREEN_LINE_LENGTH]; if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1) { return FALSE; } if (file_gets(line, NETSCREEN_LINE_LENGTH, wth->random_fh) == NULL) { *err = file_error(wth->random_fh, err_info); if (*err == 0) { *err = WTAP_ERR_SHORT_READ; } return FALSE; } return parse_netscreen_packet(wth->random_fh, rec, buf, line, err, err_info); } /* Parses a packet record header. There are a few possible formats: * * XXX list extra formats here! 6843828.0: trust(o) len=98:00121ebbd132->00600868d659/0800 192.168.1.1 -> 192.168.1.10/6 vhl=45, tos=00, id=37739, frag=0000, ttl=64 tlen=84 tcp:ports 2222->2333, seq=3452113890, ack=1540618280, flag=5018/ACK 00 60 08 68 d6 59 00 12 1e bb d1 32 08 00 45 00 .`.h.Y.....2..E. 00 54 93 6b 00 00 40 06 63 dd c0 a8 01 01 c0 a8 .T.k..@.c....... 01 0a 08 ae 09 1d cd c3 13 e2 5b d3 f8 28 50 18 ..........[..(P. 1f d4 79 21 00 00 e7 76 89 64 16 e2 19 0a 80 09 ..y!...v.d...... 31 e7 04 28 04 58 f3 d9 b1 9f 3d 65 1a db d8 61 1..(.X....=e...a 2c 21 b6 d3 20 60 0c 8c 35 98 88 cf 20 91 0e a9 ,!...`..5....... 1d 0b .. * The first line of a packet is in the form .: ({i,o}) len=:> * where: * * and are a time stamp in seconds and deciseconds, * giving the time since the firewall was booted; * * is the name of the interface on which the packet was * received or on which it was transmitted; * * {i,o} is i for a received packet and o for a transmitted packet; * * is the length of the packet on the network; * * , at least for Ethernet, appears to be a source MAC * address, folowed by "->", folowed by a destination MAC * address, followed by a sequence of Ethertypes, each * preceded by a "/" (multiple Ethertypes if there are VLAN * tags and the like), possibly followed by ", tag ". * * Following that may be some "info lines", each of which is indented * by 14 spaces, giving a dissection of the payload after the * link-layer header. * * Following that is a hex/ASCII dump of the contents of the * packet, with 16 octets per line. */ static gboolean parse_netscreen_packet(FILE_T fh, wtap_rec *rec, Buffer* buf, char *line, int *err, gchar **err_info) { guint pkt_len; int sec; int dsec; char cap_int[NETSCREEN_MAX_INT_NAME_LENGTH]; char direction[2]; char cap_src[13]; char cap_dst[13]; guint8 *pd; gchar *p; int n, i = 0; int offset = 0; gchar dststr[13]; rec->rec_type = REC_TYPE_PACKET; rec->block = wtap_block_create(WTAP_BLOCK_PACKET); rec->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN; /* Suppress compiler warnings */ memset(cap_int, 0, sizeof(cap_int)); memset(cap_dst, 0, sizeof(cap_dst)); if (sscanf(line, "%9d.%9d: %15[a-z0-9/:.-](%1[io]) len=%9u:%12s->%12s/", &sec, &dsec, cap_int, direction, &pkt_len, cap_src, cap_dst) < 5) { *err = WTAP_ERR_BAD_FILE; *err_info = g_strdup("netscreen: Can't parse packet-header"); return -1; } if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) { /* * Probably a corrupt capture file; don't blow up trying * to allocate space for an immensely-large packet. */ *err = WTAP_ERR_BAD_FILE; *err_info = ws_strdup_printf("netscreen: File has %u-byte packet, bigger than maximum of %u", pkt_len, WTAP_MAX_PACKET_SIZE_STANDARD); return FALSE; } /* * If direction[0] is 'o', the direction is NETSCREEN_EGRESS, * otherwise it's NETSCREEN_INGRESS. */ rec->ts.secs = sec; rec->ts.nsecs = dsec * 100000000; rec->rec_header.packet_header.len = pkt_len; /* Make sure we have enough room for the packet */ ws_buffer_assure_space(buf, pkt_len); pd = ws_buffer_start_ptr(buf); while(1) { /* The last packet is not delimited by an empty line, but by EOF * So accept EOF as a valid delimiter too */ if (file_gets(line, NETSCREEN_LINE_LENGTH, fh) == NULL) { break; } /* * Skip blanks. * The number of blanks is not fixed - for wireless * interfaces, there may be 14 extra spaces before * the hex data. */ for (p = &line[0]; g_ascii_isspace(*p); p++) ; /* packets are delimited with empty lines */ if (*p == '\0') { break; } n = parse_single_hex_dump_line(p, pd, offset, pkt_len); /* * The smallest packet has a length of 6 bytes. * If the first line either gets an error when * parsed as hex data, or has fewer than 6 * bytes of hex data, check whether it's an * info line by see if it has at least * NETSCREEN_SPACES_ON_INFO_LINE spaces at the * beginning. * * If it does, count this line and, if we have, * so far, skipped no more than NETSCREEN_MAX_INFOLINES * lines, skip this line. */ if (offset == 0 && n < 6) { if (info_line(line)) { /* Info line */ if (++i <= NETSCREEN_MAX_INFOLINES) { /* Skip this line */ continue; } } else { if (n >= 0) { *err = WTAP_ERR_BAD_FILE; *err_info = g_strdup("netscreen: first line of packet data has only %d hex bytes, < 6"); return FALSE; } /* Otherwise, fall through to report error */ } } /* If there is no more data and the line was not empty, * then there must be an error in the file */ if (n < 0) { switch (n) { case PARSE_LINE_INVALID_CHARACTER: *err = WTAP_ERR_BAD_FILE; *err_info = g_strdup("netscreen: invalid character in hex data"); break; case PARSE_LINE_NO_BYTES_SEEN: *err = WTAP_ERR_BAD_FILE; *err_info = g_strdup("netscreen: no hex bytes seen in hex data"); break; case PARSE_LINE_TOO_MANY_BYTES_SEEN: *err = WTAP_ERR_BAD_FILE; *err_info = g_strdup("netscreen: number of hex bytes seen in hex data is greater than the packet length"); break; default: *err = WTAP_ERR_INTERNAL; *err_info = g_strdup_printf("netscreen: unknown error %d from parse_single_hex_dump_line()", n); break; } return FALSE; } /* Adjust the offset to the data that was just added to the buffer */ offset += n; } /* * Determine the encapsulation type, based on the * first 4 characters of the interface name * * XXX convert this to a 'case' structure when adding more * (non-ethernet) interfacetypes */ if (strncmp(cap_int, "adsl", 4) == 0) { /* The ADSL interface can be bridged with or without * PPP encapsulation. Check whether the first six bytes * of the hex data are the same as the destination mac * address in the header. If they are, assume ethernet * LinkLayer or else PPP */ snprintf(dststr, 13, "%02x%02x%02x%02x%02x%02x", pd[0], pd[1], pd[2], pd[3], pd[4], pd[5]); if (strncmp(dststr, cap_dst, 12) == 0) rec->rec_header.packet_header.pkt_encap = WTAP_ENCAP_ETHERNET; else rec->rec_header.packet_header.pkt_encap = WTAP_ENCAP_PPP; } else if (strncmp(cap_int, "seri", 4) == 0) rec->rec_header.packet_header.pkt_encap = WTAP_ENCAP_PPP; else rec->rec_header.packet_header.pkt_encap = WTAP_ENCAP_ETHERNET; rec->rec_header.packet_header.caplen = offset; return TRUE; } /* Take a string representing one line from a hex dump, with leading white * space removed, and converts the text to binary data. We place the bytes * in the buffer at the specified offset. * * Returns number of bytes successfully read, -1 if bad. */ static int parse_single_hex_dump_line(char* rec, guint8 *buf, guint byte_offset, guint pkt_len) { int num_items_scanned; guint8 character; guint8 byte; for (num_items_scanned = 0; num_items_scanned < 16; num_items_scanned++) { character = *rec++; if (character >= '0' && character <= '9') byte = character - '0' + 0; else if (character >= 'A' && character <= 'F') byte = character - 'A' + 0xA; else if (character >= 'a' && character <= 'f') byte = character - 'a' + 0xa; else if (character == ' ' || character == '\r' || character == '\n' || character == '\0') { /* Nothing more to parse */ break; } else return PARSE_LINE_INVALID_CHARACTER; /* not a hex digit, space before ASCII dump, or EOL */ byte <<= 4; character = *rec++ & 0xFF; if (character >= '0' && character <= '9') byte += character - '0' + 0; else if (character >= 'A' && character <= 'F') byte += character - 'A' + 0xA; else if (character >= 'a' && character <= 'f') byte += character - 'a' + 0xa; else return PARSE_LINE_INVALID_CHARACTER; /* not a hex digit */ /* If there was more hex-data than was announced in the len=x * header, then there must be an error in the file; quit * now, as adding this byte will overflow the buffer. */ if (byte_offset + num_items_scanned >= pkt_len) { return PARSE_LINE_TOO_MANY_BYTES_SEEN; } buf[byte_offset + num_items_scanned] = byte; character = *rec++ & 0xFF; if (character == '\0' || character == '\r' || character == '\n') { /* Nothing more to parse */ break; } else if (character != ' ') { /* not space before ASCII dump */ return PARSE_LINE_INVALID_CHARACTER; } } if (num_items_scanned == 0) return PARSE_LINE_NO_BYTES_SEEN; return num_items_scanned; } static const struct supported_block_type netscreen_blocks_supported[] = { /* * We support packet blocks, with no comments or other options. */ { WTAP_BLOCK_PACKET, MULTIPLE_BLOCKS_SUPPORTED, NO_OPTIONS_SUPPORTED } }; static const struct file_type_subtype_info netscreen_info = { "NetScreen snoop text file", "netscreen", "txt", NULL, FALSE, BLOCKS_SUPPORTED(netscreen_blocks_supported), NULL, NULL, NULL }; void register_netscreen(void) { netscreen_file_type_subtype = wtap_register_file_type_subtype(&netscreen_info); /* * Register name for backwards compatibility with the * wtap_filetypes table in Lua. */ wtap_register_backwards_compatibility_lua_name("NETSCREEN", netscreen_file_type_subtype); } /* * Editor modelines - https://www.wireshark.org/tools/modelines.html * * Local variables: * c-basic-offset: 8 * tab-width: 8 * indent-tabs-mode: t * End: * * vi: set shiftwidth=8 tabstop=8 noexpandtab: * :indentSize=8:tabSize=8:noTabs=false: */