int write_to_pcap(PacketFrame * frame)
{
int res = 0;
if(NULL == frame || NULL == frame->m_fp) return -1;
if(0 == ftell(frame->m_fp)) {
write_pcap_header(frame->m_fp);
}
res = write_packet_header(frame);
res = write_packet_data(frame);
return res;
}
/* here we search through all the frag we have collected to see if
one fits */
static int
check_fragments( int idx, tcp_stream_chunk *sc, guint32 acknowledged ) {
tcp_frag *prev = NULL;
tcp_frag *current;
guint32 lowest_seq;
gchar *dummy_str;
current = frags[idx];
if( current ) {
lowest_seq = current->seq;
while( current ) {
if( (glong)(lowest_seq - current->seq) > 0 ) {
lowest_seq = current->seq;
}
if( current->seq < seq[idx] ) {
guint32 newseq;
/* this sequence number seems dated, but
check the end to make sure it has no more
info than we have already seen */
newseq = current->seq + current->len;
if( newseq > seq[idx] ) {
guint32 new_pos;
/* this one has more than we have seen. let's get the
payload that we have not seen. This happens when
part of this frame has been retransmitted */
new_pos = seq[idx] - current->seq;
if ( current->data_len > new_pos ) {
sc->dlen = current->data_len - new_pos;
write_packet_data( idx, sc, current->data + new_pos );
}
seq[idx] += (current->len - new_pos);
}
/* Remove the fragment from the list as the "new" part of it
* has been processed or its data has been seen already in
* another packet. */
if( prev ) {
prev->next = current->next;
} else {
frags[idx] = current->next;
}
g_free( current->data );
g_free( current );
return 1;
}
if( current->seq == seq[idx] ) {
/* this fragment fits the stream */
if( current->data ) {
sc->dlen = current->data_len;
write_packet_data( idx, sc, current->data );
}
seq[idx] += current->len;
if( prev ) {
prev->next = current->next;
} else {
frags[idx] = current->next;
}
g_free( current->data );
g_free( current );
return 1;
}
prev = current;
current = current->next;
}
if( (glong)(acknowledged - lowest_seq) > 0 ) {
/* There are frames missing in the capture file that were seen
* by the receiving host. Add dummy stream chunk with the data
* "[xxx bytes missing in capture file]".
*/
dummy_str = g_strdup_printf("[%d bytes missing in capture file]",
(int)(lowest_seq - seq[idx]) );
sc->dlen = (guint32) strlen(dummy_str);
write_packet_data( idx, sc, dummy_str );
g_free(dummy_str);
seq[idx] = lowest_seq;
return 1;
}
}
return 0;
}
void
reassemble_tcp( guint32 tcp_stream, guint32 sequence, guint32 acknowledgement,
guint32 length, const char* data, guint32 data_length,
int synflag, address *net_src, address *net_dst,
guint srcport, guint dstport) {
guint8 srcx[MAX_IPADDR_LEN], dstx[MAX_IPADDR_LEN];
int src_index, j, first = 0, len;
guint32 newseq;
tcp_frag *tmp_frag;
tcp_stream_chunk sc;
src_index = -1;
/* First, check if this packet should be processed. */
if (find_tcp_index) {
if ((port[0] == srcport && port[1] == dstport &&
ADDRESSES_EQUAL(&tcp_addr[0], net_src) &&
ADDRESSES_EQUAL(&tcp_addr[1], net_dst))
||
(port[1] == srcport && port[0] == dstport &&
ADDRESSES_EQUAL(&tcp_addr[1], net_src) &&
ADDRESSES_EQUAL(&tcp_addr[0], net_dst))) {
find_tcp_index = FALSE;
tcp_stream_to_follow = tcp_stream;
}
else {
return;
}
}
else if ( tcp_stream != tcp_stream_to_follow )
return;
if ((net_src->type != AT_IPv4 && net_src->type != AT_IPv6) ||
(net_dst->type != AT_IPv4 && net_dst->type != AT_IPv6))
return;
if (net_src->type == AT_IPv4)
len = 4;
else
len = 16;
memcpy(srcx, net_src->data, len);
memcpy(dstx, net_dst->data, len);
/* follow_tcp_index() needs to learn address/port pairs */
if (find_tcp_addr) {
find_tcp_addr = FALSE;
memcpy(ip_address[0], net_src->data, net_src->len);
port[0] = srcport;
memcpy(ip_address[1], net_dst->data, net_dst->len);
port[1] = dstport;
}
/* Check to see if we have seen this source IP and port before.
(Yes, we have to check both source IP and port; the connection
might be between two different ports on the same machine.) */
for( j=0; j<2; j++ ) {
if (memcmp(src_addr[j], srcx, len) == 0 && src_port[j] == srcport ) {
src_index = j;
}
}
/* we didn't find it if src_index == -1 */
if( src_index < 0 ) {
/* assign it to a src_index and get going */
for( j=0; j<2; j++ ) {
if( src_port[j] == 0 ) {
memcpy(src_addr[j], srcx, len);
src_port[j] = srcport;
src_index = j;
first = 1;
break;
}
}
}
if( src_index < 0 ) {
fprintf( stderr, "ERROR in reassemble_tcp: Too many addresses!\n");
return;
}
if( data_length < length ) {
incomplete_tcp_stream = TRUE;
}
/* Before adding data for this flow to the data_out_file, check whether
* this frame acks fragments that were already seen. This happens when
* frames are not in the capture file, but were actually seen by the
* receiving host (Fixes bug 592).
*/
if( frags[1-src_index] ) {
memcpy(sc.src_addr, dstx, len);
sc.src_port = dstport;
sc.dlen = 0; /* Will be filled in in check_fragments */
while ( check_fragments( 1-src_index, &sc, acknowledgement ) )
;
}
/* Initialize our stream chunk. This data gets written to disk. */
memcpy(sc.src_addr, srcx, len);
sc.src_port = srcport;
sc.dlen = data_length;
/* now that we have filed away the srcs, lets get the sequence number stuff
figured out */
if( first ) {
/* this is the first time we have seen this src's sequence number */
seq[src_index] = sequence + length;
if( synflag ) {
seq[src_index]++;
}
/* write out the packet data */
write_packet_data( src_index, &sc, data );
return;
}
/* if we are here, we have already seen this src, let's
try and figure out if this packet is in the right place */
if( sequence < seq[src_index] ) {
/* this sequence number seems dated, but
check the end to make sure it has no more
info than we have already seen */
newseq = sequence + length;
if( newseq > seq[src_index] ) {
guint32 new_len;
/* this one has more than we have seen. let's get the
payload that we have not seen. */
new_len = seq[src_index] - sequence;
if ( data_length <= new_len ) {
data = NULL;
data_length = 0;
incomplete_tcp_stream = TRUE;
} else {
data += new_len;
data_length -= new_len;
}
sc.dlen = data_length;
sequence = seq[src_index];
length = newseq - seq[src_index];
/* this will now appear to be right on time :) */
}
}
if ( sequence == seq[src_index] ) {
/* right on time */
seq[src_index] += length;
if( synflag ) seq[src_index]++;
if( data ) {
write_packet_data( src_index, &sc, data );
}
/* done with the packet, see if it caused a fragment to fit */
while( check_fragments( src_index, &sc, 0 ) )
;
}
else {
/* out of order packet */
if(data_length > 0 && ((glong)(sequence - seq[src_index]) > 0) ) {
tmp_frag = (tcp_frag *)g_malloc( sizeof( tcp_frag ) );
tmp_frag->data = (gchar *)g_malloc( data_length );
tmp_frag->seq = sequence;
tmp_frag->len = length;
tmp_frag->data_len = data_length;
memcpy( tmp_frag->data, data, data_length );
if( frags[src_index] ) {
tmp_frag->next = frags[src_index];
} else {
tmp_frag->next = NULL;
}
frags[src_index] = tmp_frag;
}
}
} /* end reassemble_tcp */
/*
* Opens an .xml file with Trace data formated according to 3GPP TS 32.423 and converts it to
* an "Exported PDU type file with the entire xml file as the first "packet" appending the
* raw messages as subsequent packages to be dissected by wireshark.
*/
static wtap_open_return_val
create_temp_pcapng_file(wtap *wth, int *err, gchar **err_info, nettrace_3gpp_32_423_file_info_t *file_info)
{
int import_file_fd;
wtap_dumper* wdh_exp_pdu;
int exp_pdu_file_err;
/* pcapng defs */
wtapng_section_t *shb_hdr;
wtapng_iface_descriptions_t *idb_inf;
wtapng_if_descr_t int_data;
GString *os_info_str;
char *appname;
gint64 file_size;
int packet_size;
guint8 *packet_buf;
int wrt_err;
gchar *wrt_err_info;
struct wtap_pkthdr phdr;
gboolean do_random = FALSE;
char *curr_pos, *next_pos;
import_file_fd = create_tempfile(&(file_info->tmpname), "Wireshark_PDU_");
/* Now open a file and dump to it */
/* Create data for SHB */
os_info_str = g_string_new("");
get_os_version_info(os_info_str);
appname = g_strdup_printf("Wireshark %s", get_ws_vcs_version_info());
shb_hdr = g_new(wtapng_section_t, 1);
shb_hdr->section_length = -1;
/* options */
shb_hdr->opt_comment = g_strdup_printf("File converted to Exported PDU format during opening");
/*
* UTF-8 string containing the description of the hardware used to create
* this section.
*/
shb_hdr->shb_hardware = NULL;
/*
* UTF-8 string containing the name of the operating system used to create
* this section.
*/
shb_hdr->shb_os = g_string_free(os_info_str, FALSE);
/*
* UTF-8 string containing the name of the application used to create
* this section.
*/
shb_hdr->shb_user_appl = appname;
/* Create fake IDB info */
idb_inf = g_new(wtapng_iface_descriptions_t, 1);
idb_inf->interface_data = g_array_new(FALSE, FALSE, sizeof(wtapng_if_descr_t));
/* create the fake interface data */
int_data.wtap_encap = WTAP_ENCAP_WIRESHARK_UPPER_PDU;
int_data.time_units_per_second = 1000000; /* default microsecond resolution */
int_data.link_type = wtap_wtap_encap_to_pcap_encap(WTAP_ENCAP_WIRESHARK_UPPER_PDU);
int_data.snap_len = WTAP_MAX_PACKET_SIZE;
int_data.if_name = g_strdup("Fake IF");
int_data.opt_comment = NULL;
int_data.if_description = NULL;
int_data.if_speed = 0;
int_data.if_tsresol = 6;
int_data.if_filter_str = NULL;
int_data.bpf_filter_len = 0;
int_data.if_filter_bpf_bytes = NULL;
int_data.if_os = NULL;
int_data.if_fcslen = -1;
int_data.num_stat_entries = 0; /* Number of ISB:s */
int_data.interface_statistics = NULL;
g_array_append_val(idb_inf->interface_data, int_data);
wdh_exp_pdu = wtap_dump_fdopen_ng(import_file_fd, WTAP_FILE_TYPE_SUBTYPE_PCAPNG, WTAP_ENCAP_WIRESHARK_UPPER_PDU,
WTAP_MAX_PACKET_SIZE, FALSE, shb_hdr, idb_inf, NULL, &exp_pdu_file_err);
if (wdh_exp_pdu == NULL) {
return WTAP_OPEN_ERROR;
}
g_free(shb_hdr);
g_free(appname);
/* OK we've opend a new pcap-ng file and written the headers, time to do the packets, strt by finding the file size */
if ((file_size = wtap_file_size(wth, err)) == -1)
return WTAP_OPEN_ERROR;
if (file_size > MAX_FILE_SIZE) {
/*
* Don't blow up trying to allocate space for an
* immensely-large file.
*/
*err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup_printf("mime_file: File has %" G_GINT64_MODIFIER "d-byte packet, bigger than maximum of %u",
file_size, MAX_FILE_SIZE);
return WTAP_OPEN_ERROR;
}
packet_size = (int)file_size;
/* Allocate the packet buffer
* (the whole file + Exported PDU tag "protocol" and
* the string "xml" + 1 filler to end on 4 byte boundary for the tag
* + End of options 4 bytes
*/
/* XXX add the length of exported bdu tag(s) here */
packet_buf = (guint8 *)g_malloc(packet_size + 12);
packet_buf[0] = 0;
packet_buf[1] = 12; /* EXP_PDU_TAG_PROTO_NAME */
packet_buf[2] = 0;
packet_buf[3] = 4;
packet_buf[4] = 0x78; /* "x" */
packet_buf[5] = 0x6d; /* "m" */
packet_buf[6] = 0x6c; /* "l" */
packet_buf[7] = 0;
/* End of options */
packet_buf[8] = 0;
packet_buf[9] = 0;
packet_buf[10] = 0;
packet_buf[11] = 0;
if (!wtap_read_bytes(wth->fh, packet_buf + 12, packet_size, &wrt_err, &wrt_err_info)){
return WTAP_OPEN_ERROR;
}
/* Create the packet header */
memset(&phdr, 0, sizeof(struct wtap_pkthdr));
phdr.rec_type = REC_TYPE_PACKET;
phdr.presence_flags = 0; /* yes, we have no bananas^Wtime stamp */
phdr.caplen = packet_size + 12;
phdr.len = packet_size + 12;
phdr.ts.secs = 0;
phdr.ts.nsecs = 0;
/* XXX: report errors! */
if (!wtap_dump(wdh_exp_pdu, &phdr, packet_buf, &wrt_err, &wrt_err_info)) {
switch (wrt_err) {
case WTAP_ERR_UNWRITABLE_REC_DATA:
g_free(wrt_err_info);
break;
default:
break;
}
g_free(packet_buf);
return WTAP_OPEN_ERROR;
}
/* Advance *packet_buf to point at the raw file data */
curr_pos = packet_buf + 12;
/* Lets add the raw messages as packets after the main "packet" with the whole file */
while ((curr_pos = strstr(curr_pos, "<msg")) != NULL){
wtap_open_return_val temp_val;
curr_pos = curr_pos + 4;
next_pos = strstr(curr_pos, "</msg>");
if (!next_pos){
/* Somethings wrong, bail out */
break;
}
next_pos = next_pos + 6;
/* Do we have a raw msg?) */
curr_pos = strstr(curr_pos, "<rawMsg");
if (!curr_pos){
/* No rawMsg, continue */
curr_pos = next_pos;
continue;
}
curr_pos = curr_pos + 7;
/* Add the raw msg*/
temp_val = write_packet_data(wdh_exp_pdu, &phdr, &wrt_err, &wrt_err_info, curr_pos);
if (temp_val != WTAP_OPEN_MINE){
g_free(packet_buf);
return temp_val;
}
curr_pos = next_pos;
}
/* Close the written file*/
if (!wtap_dump_close(wdh_exp_pdu, err)){
g_free(packet_buf);
return WTAP_OPEN_ERROR;
}
g_free(packet_buf);
/* Now open the file for reading */
/* Find out if random read was requested */
if (wth->random_fh){
do_random = TRUE;
}
file_info->wth_tmp_file =
wtap_open_offline(file_info->tmpname, WTAP_TYPE_AUTO, err, err_info, do_random);
if (!file_info->wth_tmp_file){
return WTAP_OPEN_ERROR;
}
return WTAP_OPEN_MINE;
}
