static int vsock_addr_to_str(const address* addr, gchar *buf, int buf_len)
{
const guint8 *addrp = (const guint8 *)addr->data;
if(pletoh64(&addrp[0])==2){
g_strlcpy(buf, "host", buf_len);
} else {
g_snprintf(buf, buf_len, "%" G_GINT64_MODIFIER "u", pletoh64(&addrp[0]));
}
return (int)(strlen(buf)+1);
}
uint64_t Tvbuff::tvb_get_letoh64(tvbuff_t *tvb,int offset)
{
const uint8_t* ptr;
ptr = ensure_contiguous(tvb,offset,sizeof(uint64_t));
return pletoh64(ptr);
}
static gboolean netmon_process_rec_header(wtap *wth, FILE_T fh,
struct wtap_pkthdr *phdr, int *err, gchar **err_info)
{
netmon_t *netmon = (netmon_t *)wth->priv;
int hdr_size = 0;
union {
struct netmonrec_1_x_hdr hdr_1_x;
struct netmonrec_2_x_hdr hdr_2_x;
} hdr;
int bytes_read;
gint64 delta = 0; /* signed - frame times can be before the nominal start */
gint64 t;
time_t secs;
guint32 nsecs;
guint32 packet_size = 0;
guint32 orig_size = 0;
/* Read record header. */
switch (netmon->version_major) {
case 1:
hdr_size = sizeof (struct netmonrec_1_x_hdr);
break;
case 2:
hdr_size = sizeof (struct netmonrec_2_x_hdr);
break;
}
errno = WTAP_ERR_CANT_READ;
bytes_read = file_read(&hdr, hdr_size, fh);
if (bytes_read != hdr_size) {
*err = file_error(fh, err_info);
if (*err == 0 && bytes_read != 0) {
*err = WTAP_ERR_SHORT_READ;
}
return FALSE;
}
switch (netmon->version_major) {
case 1:
orig_size = pletoh16(&hdr.hdr_1_x.orig_len);
packet_size = pletoh16(&hdr.hdr_1_x.incl_len);
break;
case 2:
orig_size = pletoh32(&hdr.hdr_2_x.orig_len);
packet_size = pletoh32(&hdr.hdr_2_x.incl_len);
break;
}
if (packet_size > WTAP_MAX_PACKET_SIZE) {
/*
* Probably a corrupt capture file; don't blow up trying
* to allocate space for an immensely-large packet.
*/
*err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup_printf("netmon: File has %u-byte packet, bigger than maximum of %u",
packet_size, WTAP_MAX_PACKET_SIZE);
return FALSE;
}
/*
* If this is an ATM packet, the first
* "sizeof (struct netmon_atm_hdr)" bytes have destination and
* source addresses (6 bytes - MAC addresses of some sort?)
* and the VPI and VCI; read them and generate the pseudo-header
* from them.
*/
switch (wth->file_encap) {
case WTAP_ENCAP_ATM_PDUS:
if (packet_size < sizeof (struct netmon_atm_hdr)) {
/*
* Uh-oh, the packet isn't big enough to even
* have a pseudo-header.
*/
*err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup_printf("netmon: ATM file has a %u-byte packet, too small to have even an ATM pseudo-header",
packet_size);
return FALSE;
}
if (!netmon_read_atm_pseudoheader(fh, &phdr->pseudo_header,
err, err_info))
return FALSE; /* Read error */
/*
* Don't count the pseudo-header as part of the packet.
*/
orig_size -= (guint)sizeof (struct netmon_atm_hdr);
packet_size -= (guint)sizeof (struct netmon_atm_hdr);
break;
default:
break;
}
switch (netmon->version_major) {
case 1:
/*
* According to Paul Long, this offset is unsigned.
* It's 32 bits, so the maximum value will fit in
* a gint64 such as delta, even after multiplying
* it by 1000000.
*
* pletoh32() returns a guint32; we cast it to gint64
* before multiplying, so that the product doesn't
* overflow a guint32.
*/
delta = ((gint64)pletoh32(&hdr.hdr_1_x.ts_delta))*1000000;
break;
case 2:
/*
* OK, this is weird. Microsoft's documentation
* says this is in microseconds and is a 64-bit
* unsigned number, but it can be negative; they
* say what appears to amount to "treat it as an
* unsigned number, multiply it by 10, and then
* interpret the resulting 64-bit quantity as a
* signed number". That operation can turn a
* value with the uppermost bit 0 to a value with
* the uppermost bit 1, hence turning a large
* positive number-of-microseconds into a small
* negative number-of-100-nanosecond-increments.
*/
delta = pletoh64(&hdr.hdr_2_x.ts_delta)*10;
/*
* OK, it's now a signed value in 100-nanosecond
* units. Now convert it to nanosecond units.
*/
delta *= 100;
break;
}
secs = 0;
t = netmon->start_nsecs + delta;
while (t < 0) {
/*
* Propagate a borrow into the seconds.
* The seconds is a time_t, and can be < 0
* (unlikely, as Windows didn't exist before
* January 1, 1970, 00:00:00 UTC), while the
* nanoseconds should be positive, as in
* "nanoseconds since the instant of time
* represented by the seconds".
*
* We do not want t to be negative, as, according
* to the C90 standard, "if either operand [of /
* or %] is negative, whether the result of the
* / operator is the largest integer less than or
* equal to the algebraic quotient or the smallest
* greater than or equal to the algebraic quotient
* is implementation-defined, as is the sign of
* the result of the % operator", and we want
* the result of the division and remainder
* operations to be the same on all platforms.
*/
t += 1000000000;
secs--;
}
secs += (time_t)(t/1000000000);
nsecs = (guint32)(t%1000000000);
phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
phdr->ts.secs = netmon->start_secs + secs;
phdr->ts.nsecs = nsecs;
phdr->caplen = packet_size;
phdr->len = orig_size;
return TRUE;
}
static process_record_retval
netmon_process_record(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr,
Buffer *buf, int *err, gchar **err_info)
{
netmon_t *netmon = (netmon_t *)wth->priv;
int hdr_size = 0;
union {
struct netmonrec_1_x_hdr hdr_1_x;
struct netmonrec_2_x_hdr hdr_2_x;
} hdr;
int bytes_read;
gint64 delta = 0; /* signed - frame times can be before the nominal start */
gint64 t;
time_t secs;
int nsecs;
guint32 packet_size = 0;
guint32 orig_size = 0;
int trlr_size;
union {
struct netmonrec_2_1_trlr trlr_2_1;
struct netmonrec_2_2_trlr trlr_2_2;
struct netmonrec_2_3_trlr trlr_2_3;
} trlr;
guint16 network;
int pkt_encap;
/* Read record header. */
switch (netmon->version_major) {
case 1:
hdr_size = sizeof (struct netmonrec_1_x_hdr);
break;
case 2:
hdr_size = sizeof (struct netmonrec_2_x_hdr);
break;
}
errno = WTAP_ERR_CANT_READ;
bytes_read = file_read(&hdr, hdr_size, fh);
if (bytes_read != hdr_size) {
*err = file_error(fh, err_info);
if (*err == 0 && bytes_read != 0) {
*err = WTAP_ERR_SHORT_READ;
}
return FAILURE;
}
switch (netmon->version_major) {
case 1:
orig_size = pletoh16(&hdr.hdr_1_x.orig_len);
packet_size = pletoh16(&hdr.hdr_1_x.incl_len);
break;
case 2:
orig_size = pletoh32(&hdr.hdr_2_x.orig_len);
packet_size = pletoh32(&hdr.hdr_2_x.incl_len);
break;
}
if (packet_size > WTAP_MAX_PACKET_SIZE) {
/*
* Probably a corrupt capture file; don't blow up trying
* to allocate space for an immensely-large packet.
*/
*err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup_printf("netmon: File has %u-byte packet, bigger than maximum of %u",
packet_size, WTAP_MAX_PACKET_SIZE);
return FAILURE;
}
phdr->rec_type = REC_TYPE_PACKET;
/*
* If this is an ATM packet, the first
* "sizeof (struct netmon_atm_hdr)" bytes have destination and
* source addresses (6 bytes - MAC addresses of some sort?)
* and the VPI and VCI; read them and generate the pseudo-header
* from them.
*/
switch (wth->file_encap) {
case WTAP_ENCAP_ATM_PDUS:
if (packet_size < sizeof (struct netmon_atm_hdr)) {
/*
* Uh-oh, the packet isn't big enough to even
* have a pseudo-header.
*/
*err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup_printf("netmon: ATM file has a %u-byte packet, too small to have even an ATM pseudo-header",
packet_size);
return FAILURE;
}
if (!netmon_read_atm_pseudoheader(fh, &phdr->pseudo_header,
err, err_info))
return FAILURE; /* Read error */
/*
* Don't count the pseudo-header as part of the packet.
*/
orig_size -= (guint)sizeof (struct netmon_atm_hdr);
packet_size -= (guint)sizeof (struct netmon_atm_hdr);
break;
default:
break;
}
switch (netmon->version_major) {
case 1:
/*
* According to Paul Long, this offset is unsigned.
* It's 32 bits, so the maximum value will fit in
* a gint64 such as delta, even after multiplying
* it by 1000000.
*
* pletoh32() returns a guint32; we cast it to gint64
* before multiplying, so that the product doesn't
* overflow a guint32.
*/
delta = ((gint64)pletoh32(&hdr.hdr_1_x.ts_delta))*1000000;
break;
case 2:
/*
* OK, this is weird. Microsoft's documentation
* says this is in microseconds and is a 64-bit
* unsigned number, but it can be negative; they
* say what appears to amount to "treat it as an
* unsigned number, multiply it by 10, and then
* interpret the resulting 64-bit quantity as a
* signed number". That operation can turn a
* value with the uppermost bit 0 to a value with
* the uppermost bit 1, hence turning a large
* positive number-of-microseconds into a small
* negative number-of-100-nanosecond-increments.
*/
delta = pletoh64(&hdr.hdr_2_x.ts_delta)*10;
/*
* OK, it's now a signed value in 100-nanosecond
* units. Now convert it to nanosecond units.
*/
delta *= 100;
break;
}
secs = 0;
t = netmon->start_nsecs + delta;
while (t < 0) {
/*
* Propagate a borrow into the seconds.
* The seconds is a time_t, and can be < 0
* (unlikely, as Windows didn't exist before
* January 1, 1970, 00:00:00 UTC), while the
* nanoseconds should be positive, as in
* "nanoseconds since the instant of time
* represented by the seconds".
*
* We do not want t to be negative, as, according
* to the C90 standard, "if either operand [of /
* or %] is negative, whether the result of the
* / operator is the largest integer less than or
* equal to the algebraic quotient or the smallest
* greater than or equal to the algebraic quotient
* is implementation-defined, as is the sign of
* the result of the % operator", and we want
* the result of the division and remainder
* operations to be the same on all platforms.
*/
t += 1000000000;
secs--;
}
secs += (time_t)(t/1000000000);
nsecs = (int)(t%1000000000);
phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
phdr->ts.secs = netmon->start_secs + secs;
phdr->ts.nsecs = nsecs;
phdr->caplen = packet_size;
phdr->len = orig_size;
/*
* Read the packet data.
*/
if (!wtap_read_packet_bytes(fh, buf, phdr->caplen, err, err_info))
return FAILURE;
/*
* For version 2.1 and later, there's additional information
* after the frame data.
*/
if ((netmon->version_major == 2 && netmon->version_minor >= 1) ||
netmon->version_major > 2) {
if (netmon->version_major > 2) {
/*
* Asssume 2.3 format, for now.
*/
trlr_size = (int)sizeof (struct netmonrec_2_3_trlr);
} else {
switch (netmon->version_minor) {
case 1:
trlr_size = (int)sizeof (struct netmonrec_2_1_trlr);
break;
case 2:
trlr_size = (int)sizeof (struct netmonrec_2_2_trlr);
break;
default:
trlr_size = (int)sizeof (struct netmonrec_2_3_trlr);
break;
}
}
errno = WTAP_ERR_CANT_READ;
bytes_read = file_read(&trlr, trlr_size, fh);
if (bytes_read != trlr_size) {
*err = file_error(fh, err_info);
if (*err == 0 && bytes_read != 0) {
*err = WTAP_ERR_SHORT_READ;
}
return FAILURE;
}
network = pletoh16(trlr.trlr_2_1.network);
if ((network & 0xF000) == NETMON_NET_PCAP_BASE) {
/*
* Converted pcap file - the LINKTYPE_ value
* is the network value with 0xF000 masked off.
*/
network &= 0x0FFF;
pkt_encap = wtap_pcap_encap_to_wtap_encap(network);
if (pkt_encap == WTAP_ENCAP_UNKNOWN) {
*err = WTAP_ERR_UNSUPPORTED;
*err_info = g_strdup_printf("netmon: converted pcap network type %u unknown or unsupported",
network);
return FAILURE;
}
} else if (network < NUM_NETMON_ENCAPS) {
/*
* Regular NetMon encapsulation.
*/
pkt_encap = netmon_encap[network];
if (pkt_encap == WTAP_ENCAP_UNKNOWN) {
*err = WTAP_ERR_UNSUPPORTED;
*err_info = g_strdup_printf("netmon: network type %u unknown or unsupported",
network);
return FAILURE;
}
} else {
/*
* Special packet type for metadata.
*/
switch (network) {
case NETMON_NET_NETEVENT:
/*
* Event Tracing event.
*
* http://msdn.microsoft.com/en-us/library/aa363759(VS.85).aspx
*/
return RETRY;
case NETMON_NET_NETWORK_INFO_EX:
/*
* List of adapters on which the capture
* was done.
*/
return RETRY;
case NETMON_NET_PAYLOAD_HEADER:
/*
* Header for a fake frame constructed
* by reassembly.
*/
return RETRY;
case NETMON_NET_NETWORK_INFO:
/*
* List of adapters on which the capture
* was done.
*/
return RETRY;
case NETMON_NET_DNS_CACHE:
/*
* List of resolved IP addresses.
*/
return RETRY;
case NETMON_NET_NETMON_FILTER:
/*
* NetMon capture or display filter
* string.
*/
return RETRY;
default:
*err = WTAP_ERR_UNSUPPORTED;
*err_info = g_strdup_printf("netmon: network type %u unknown or unsupported",
network);
return FAILURE;
}
}
phdr->pkt_encap = pkt_encap;
if (netmon->version_major > 2 || netmon->version_minor > 2) {
guint64 d;
d = pletoh64(trlr.trlr_2_3.utc_timestamp);
/*
* Get the time as seconds and nanoseconds.
* and overwrite the time stamp obtained
* from the record header.
*/
if (!filetime_to_nstime(&phdr->ts, d)) {
*err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup_printf("netmon: time stamp outside supported range");
return FAILURE;
}
}
}
netmon_set_pseudo_header_info(phdr, buf);
return SUCCESS;
}
