示例#1
0
off_t corsaro_file_rpeek(corsaro_file_in_t *file, void *buffer, off_t len)
{
  /* refuse to read from a libtrace file */
  assert(file->mode == CORSARO_FILE_MODE_ASCII ||
	 file->mode == CORSARO_FILE_MODE_BINARY ||
	 file->mode == CORSARO_FILE_MODE_UNKNOWN);
  assert(file->wand_io != NULL);

  return wandio_peek(file->wand_io, buffer, len);
}
示例#2
0
static int pcapfile_probe_magic(io_t *io)
{
	pcapfile_header_t header;
	int len;
	len = wandio_peek(io, &header, sizeof(header));

	/* Is this long enough? */
	if (len < (int)sizeof(header)) {
		return 0;
	}
	/* Pcap magic? */
	if (header_is_magic(&header)) {
		return 1;
	}
	/* Nope, not pcap */
	return 0;
}
示例#3
0
corsaro_file_in_t *corsaro_file_ropen(const char *filename)
{
  corsaro_file_in_t *f = NULL;
  char buffer[1024];
  int len;

  /* 2013-01-22 AK has removed all of the logging output on failures this is
     because i dont want to need a corsaro_t object to open a file. but also
     because i think it should be up to the caller to log the errors. logs from
     this deep in corsaro just confuse people when somewhat common errors occur
     (file not found etc). */

  if((f = malloc(sizeof(corsaro_file_in_t))) == NULL)
    {
      return NULL;
    }

  /* we need to try and guess the mode... */
  /* if there is a : in the uri, we guess it is a libtrace file */
  /* this should be refined to do something more intelligent */
  if(strchr(filename, ':') != NULL)
    {
      f->mode = CORSARO_FILE_MODE_TRACE;

      /* open this as a trace file */
      f->trace_io = trace_create(filename);

      if(trace_is_err(f->trace_io))
	{
	  free(f);
	  return NULL;
	}

      if (trace_start(f->trace_io) == -1) {
	free(f);
	return NULL;
      }
      /* trace is set to go! */
      return f;
    }
  else
    {
      /* lets open the file and take a peek to see what we find */
      if((f->wand_io = wandio_create(filename)) == NULL)
	{
	  free(f);
	  return NULL;
	}

      len = wandio_peek(f->wand_io, buffer, sizeof(buffer));

      /* an ASCII corsaro file will start with "# CORSARO_VERSION" */
      if(len >= strlen(CORSARO_FILE_ASCII_CHECK) &&
	 memcmp(CORSARO_FILE_ASCII_CHECK, buffer,
		strlen(CORSARO_FILE_ASCII_CHECK)) == 0)
	{
	  f->mode = CORSARO_FILE_MODE_ASCII;
	}
      /* a binary corsaro file will start with an corsaro header "EDGRHEAD" but,
	 it is possible that an old binary corsaro file can just start with an
	 interval header - "EDGRINTR", so we will only look for "EDGR" */
      else if(len >= 4 && buffer[0] == 'E' && buffer[1] == 'D' &&
	      buffer[2] == 'G' && buffer[3] == 'R')
	{
	  f->mode = CORSARO_FILE_MODE_BINARY;
	}
      else
	{
	  /* who knows, but maybe someone wants to read a non-corsaro file */
	  f->mode = CORSARO_FILE_MODE_UNKNOWN;
	}
    }

  return f;
}