1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
|
/* ipfix.c
*
* Wiretap Library
* Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
*
* File format support for ipfix file format
* Copyright (c) 2010 by Hadriel Kaplan <hadrielk@yahoo.com>
* with generous copying from other wiretaps, such as pcapng
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
/* File format reference:
* RFC 5655 and 5101
* https://tools.ietf.org/rfc/rfc5655
* https://tools.ietf.org/rfc/rfc5101
*
* This wiretap is for an ipfix file format reader, per RFC 5655/5101.
* All "records" in the file are IPFIX messages, beginning with an IPFIX
* message header of 16 bytes as follows from RFC 5101:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Version Number | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Export Time |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Observation Domain ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure F: IPFIX Message Header Format
* which is then followed by one or more "Sets": Data Sets, Template Sets,
* and Options Template Sets. Each Set then has one or more Records in
* it.
*
* All IPFIX files are recorded in big-endian form (network byte order),
* per the RFCs. That means if we're on a little-endian system, all
* hell will break loose if we don't g_ntohX.
*
* Since wireshark already has an IPFIX dissector (implemented in
* packet-netflow.c), this reader will just set that dissector upon
* reading each message. Thus, an IPFIX Message is treated as a packet
* as far as the dissector is concerned.
*/
#include "config.h"
#define WS_LOG_DOMAIN LOG_DOMAIN_WIRETAP
#include <stdlib.h>
#include <string.h>
#include "wtap-int.h"
#include "file_wrappers.h"
#include "ipfix.h"
#include <wsutil/strtoi.h>
#include <wsutil/wslog.h>
#define RECORDS_FOR_IPFIX_CHECK 20
static gboolean
ipfix_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err,
gchar **err_info, gint64 *data_offset);
static gboolean
ipfix_seek_read(wtap *wth, gint64 seek_off,
wtap_rec *rec, Buffer *buf, int *err, gchar **err_info);
#define IPFIX_VERSION 10
/* ipfix: message header */
typedef struct ipfix_message_header_s {
guint16 version;
guint16 message_length;
guint32 export_time_secs;
guint32 sequence_number;
guint32 observation_id; /* might be 0 for none */
/* x bytes msg_body */
} ipfix_message_header_t;
#define IPFIX_MSG_HDR_SIZE 16
/* ipfix: common Set header for every Set type */
typedef struct ipfix_set_header_s {
guint16 set_type;
guint16 set_length;
/* x bytes set_body */
} ipfix_set_header_t;
#define IPFIX_SET_HDR_SIZE 4
static int ipfix_file_type_subtype = -1;
void register_ipfix(void);
/* Read IPFIX message header from file. Return true on success. Set *err to
* 0 on EOF, any other value for "real" errors (EOF is ok, since return
* value is still FALSE)
*/
static gboolean
ipfix_read_message_header(ipfix_message_header_t *pfx_hdr, FILE_T fh, int *err, gchar **err_info)
{
if (!wtap_read_bytes_or_eof(fh, pfx_hdr, IPFIX_MSG_HDR_SIZE, err, err_info))
return FALSE;
/* fix endianness, because IPFIX files are always big-endian */
pfx_hdr->version = g_ntohs(pfx_hdr->version);
pfx_hdr->message_length = g_ntohs(pfx_hdr->message_length);
pfx_hdr->export_time_secs = g_ntohl(pfx_hdr->export_time_secs);
pfx_hdr->sequence_number = g_ntohl(pfx_hdr->sequence_number);
pfx_hdr->observation_id = g_ntohl(pfx_hdr->observation_id);
/* is the version number one we expect? */
if (pfx_hdr->version != IPFIX_VERSION) {
/* Not an ipfix file. */
*err = WTAP_ERR_BAD_FILE;
*err_info = ws_strdup_printf("ipfix: wrong version %d", pfx_hdr->version);
return FALSE;
}
if (pfx_hdr->message_length < 16) {
*err = WTAP_ERR_BAD_FILE;
*err_info = ws_strdup_printf("ipfix: message length %u is too short", pfx_hdr->message_length);
return FALSE;
}
/* go back to before header */
if (file_seek(fh, 0 - IPFIX_MSG_HDR_SIZE, SEEK_CUR, err) == -1) {
ws_debug("couldn't go back in file before header");
return FALSE;
}
return TRUE;
}
/* Read IPFIX message header from file and fill in the struct wtap_rec
* for the packet, and, if that succeeds, read the packet data.
* Return true on success. Set *err to 0 on EOF, any other value for "real"
* errors (EOF is ok, since return value is still FALSE).
*/
static gboolean
ipfix_read_message(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_info)
{
ipfix_message_header_t msg_hdr;
if (!ipfix_read_message_header(&msg_hdr, fh, err, err_info))
return FALSE;
/*
* The maximum value of msg_hdr.message_length is 65535, which is
* less than WTAP_MAX_PACKET_SIZE_STANDARD will ever be, so we don't need
* to check it.
*/
rec->rec_type = REC_TYPE_PACKET;
rec->block = wtap_block_create(WTAP_BLOCK_PACKET);
rec->presence_flags = WTAP_HAS_TS;
rec->rec_header.packet_header.len = msg_hdr.message_length;
rec->rec_header.packet_header.caplen = msg_hdr.message_length;
rec->ts.secs = msg_hdr.export_time_secs;
rec->ts.nsecs = 0;
return wtap_read_packet_bytes(fh, buf, msg_hdr.message_length, err, err_info);
}
/* classic wtap: open capture file. Return WTAP_OPEN_MINE on success,
* WTAP_OPEN_NOT_MINE on normal failure like malformed format,
* WTAP_OPEN_ERROR on bad error like file system
*/
wtap_open_return_val
ipfix_open(wtap *wth, int *err, gchar **err_info)
{
gint i, n, records_for_ipfix_check = RECORDS_FOR_IPFIX_CHECK;
gchar *s;
guint16 checked_len = 0;
ipfix_message_header_t msg_hdr;
ipfix_set_header_t set_hdr;
ws_debug("opening file");
/* number of records to scan before deciding if this really is IPFIX */
if ((s = getenv("IPFIX_RECORDS_TO_CHECK")) != NULL) {
if (ws_strtoi32(s, NULL, &n) && n > 0 && n < 101) {
records_for_ipfix_check = n;
}
}
/*
* IPFIX is a little hard because there's no magic number; we look at
* the first few records and see if they look enough like IPFIX
* records.
*/
for (i = 0; i < records_for_ipfix_check; i++) {
/* read first message header to check version */
if (!ipfix_read_message_header(&msg_hdr, wth->fh, err, err_info)) {
ws_debug("couldn't read message header #%d with err code #%d (%s)",
i, *err, *err_info);
if (*err == WTAP_ERR_BAD_FILE) {
*err = 0; /* not actually an error in this case */
g_free(*err_info);
*err_info = NULL;
return WTAP_OPEN_NOT_MINE;
}
if (*err != 0 && *err != WTAP_ERR_SHORT_READ)
return WTAP_OPEN_ERROR; /* real failure */
/* else it's EOF */
if (i < 1) {
/* we haven't seen enough to prove this is a ipfix file */
return WTAP_OPEN_NOT_MINE;
}
/*
* If we got here, it's EOF and we haven't yet seen anything
* that doesn't look like an IPFIX record - i.e. everything
* we've seen looks like an IPFIX record - so we assume this
* is an IPFIX file.
*/
break;
}
if (file_seek(wth->fh, IPFIX_MSG_HDR_SIZE, SEEK_CUR, err) == -1) {
ws_debug("failed seek to next message in file, %d bytes away",
msg_hdr.message_length);
return WTAP_OPEN_NOT_MINE;
}
checked_len = IPFIX_MSG_HDR_SIZE;
/* check each Set in IPFIX Message for sanity */
while (checked_len < msg_hdr.message_length) {
if (!wtap_read_bytes(wth->fh, &set_hdr, IPFIX_SET_HDR_SIZE,
err, err_info)) {
if (*err == WTAP_ERR_SHORT_READ) {
/* Not a valid IPFIX Set, so not an IPFIX file. */
ws_debug("error %d reading set", *err);
return WTAP_OPEN_NOT_MINE;
}
/* A real I/O error; fail. */
return WTAP_OPEN_ERROR;
}
set_hdr.set_length = g_ntohs(set_hdr.set_length);
if ((set_hdr.set_length < IPFIX_SET_HDR_SIZE) ||
((set_hdr.set_length + checked_len) > msg_hdr.message_length)) {
ws_debug("found invalid set_length of %d",
set_hdr.set_length);
return WTAP_OPEN_NOT_MINE;
}
if (file_seek(wth->fh, set_hdr.set_length - IPFIX_SET_HDR_SIZE,
SEEK_CUR, err) == -1)
{
ws_debug("failed seek to next set in file, %d bytes away",
set_hdr.set_length - IPFIX_SET_HDR_SIZE);
return WTAP_OPEN_ERROR;
}
checked_len += set_hdr.set_length;
}
}
/* go back to beginning of file */
if (file_seek (wth->fh, 0, SEEK_SET, err) != 0)
{
return WTAP_OPEN_ERROR;
}
/* all's good, this is a IPFIX file */
wth->file_encap = WTAP_ENCAP_RAW_IPFIX;
wth->snapshot_length = 0;
wth->file_tsprec = WTAP_TSPREC_SEC;
wth->subtype_read = ipfix_read;
wth->subtype_seek_read = ipfix_seek_read;
wth->file_type_subtype = ipfix_file_type_subtype;
/*
* Add an IDB; we don't know how many interfaces were
* involved, so we just say one interface, about which
* we only know the link-layer type, snapshot length,
* and time stamp resolution.
*/
wtap_add_generated_idb(wth);
return WTAP_OPEN_MINE;
}
/* classic wtap: read packet */
static gboolean
ipfix_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err,
gchar **err_info, gint64 *data_offset)
{
*data_offset = file_tell(wth->fh);
ws_debug("offset is initially %" PRId64, *data_offset);
if (!ipfix_read_message(wth->fh, rec, buf, err, err_info)) {
ws_debug("couldn't read message header with code: %d\n, and error '%s'",
*err, *err_info);
return FALSE;
}
return TRUE;
}
/* classic wtap: seek to file position and read packet */
static gboolean
ipfix_seek_read(wtap *wth, gint64 seek_off, wtap_rec *rec,
Buffer *buf, int *err, gchar **err_info)
{
/* seek to the right file position */
if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1) {
ws_debug("couldn't read message header with code: %d\n, and error '%s'",
*err, *err_info);
return FALSE; /* Seek error */
}
ws_debug("reading at offset %" PRIu64, seek_off);
if (!ipfix_read_message(wth->random_fh, rec, buf, err, err_info)) {
ws_debug("couldn't read message header");
if (*err == 0)
*err = WTAP_ERR_SHORT_READ;
return FALSE;
}
return TRUE;
}
static const struct supported_block_type ipfix_blocks_supported[] = {
/*
* We support packet blocks, with no comments or other options.
*/
{ WTAP_BLOCK_PACKET, MULTIPLE_BLOCKS_SUPPORTED, NO_OPTIONS_SUPPORTED }
};
static const struct file_type_subtype_info ipfix_info = {
"IPFIX File Format", "ipfix", "pfx", "ipfix",
FALSE, BLOCKS_SUPPORTED(ipfix_blocks_supported),
NULL, NULL, NULL
};
void register_ipfix(void)
{
ipfix_file_type_subtype = wtap_register_file_type_subtype(&ipfix_info);
/*
* Register name for backwards compatibility with the
* wtap_filetypes table in Lua.
*/
wtap_register_backwards_compatibility_lua_name("IPFIX",
ipfix_file_type_subtype);
}
/*
* Editor modelines - https://www.wireshark.org/tools/modelines.html
*
* Local variables:
* c-basic-offset: 4
* tab-width: 8
* indent-tabs-mode: nil
* End:
*
* vi: set shiftwidth=4 tabstop=8 expandtab:
* :indentSize=4:tabSize=8:noTabs=true:
*/
|