1 /* csids.c
2 *
3 * Copyright (c) 2000 by Mike Hall <mlh@io.com>
4 * Copyright (c) 2000 by Cisco Systems
5 *
6 * SPDX-License-Identifier: GPL-2.0-or-later
7 */
8
9 #include "config.h"
10 #include "wtap-int.h"
11 #include "csids.h"
12 #include "file_wrappers.h"
13
14 #include <stdlib.h>
15 #include <string.h>
16
17 /*
18 * This module reads the output from the Cisco Secure Intrusion Detection
19 * System iplogging facility. The term iplogging is misleading since this
20 * logger will only output TCP. There is no link layer information.
21 * Packet format is 4 byte timestamp (seconds since epoch), and a 4 byte size
22 * of data following for that packet.
23 *
24 * For a time there was an error in iplogging and the ip length, flags, and id
25 * were byteswapped. We will check for this and handle it before handing to
26 * wireshark.
27 */
28
29 typedef struct {
30 gboolean byteswapped;
31 } csids_t;
32
33 static gboolean csids_read(wtap *wth, wtap_rec *rec, Buffer *buf,
34 int *err, gchar **err_info, gint64 *data_offset);
35 static gboolean csids_seek_read(wtap *wth, gint64 seek_off,
36 wtap_rec *rec, Buffer *buf, int *err, gchar **err_info);
37 static gboolean csids_read_packet(FILE_T fh, csids_t *csids,
38 wtap_rec *rec, Buffer *buf, int *err, gchar **err_info);
39
40 struct csids_header {
41 guint32 seconds; /* seconds since epoch */
42 guint16 zeropad; /* 2 byte zero'ed pads */
43 guint16 caplen; /* the capture length */
44 };
45
46 static int csids_file_type_subtype = -1;
47
48 void register_csids(void);
49
csids_open(wtap * wth,int * err,gchar ** err_info)50 wtap_open_return_val csids_open(wtap *wth, int *err, gchar **err_info)
51 {
52 /* There is no file header. There is only a header for each packet
53 * so we read a packet header and compare the caplen with iplen. They
54 * should always be equal except with the weird byteswap version.
55 *
56 * THIS IS BROKEN-- anytime the caplen is 0x0101 or 0x0202 up to 0x0505
57 * this will byteswap it. I need to fix this. XXX --mlh
58 */
59
60 int tmp,iplen;
61
62 gboolean byteswap = FALSE;
63 struct csids_header hdr;
64 csids_t *csids;
65
66 /* check the file to make sure it is a csids file. */
67 if( !wtap_read_bytes( wth->fh, &hdr, sizeof( struct csids_header), err, err_info ) ) {
68 if( *err != WTAP_ERR_SHORT_READ ) {
69 return WTAP_OPEN_ERROR;
70 }
71 return WTAP_OPEN_NOT_MINE;
72 }
73 if( hdr.zeropad != 0 || hdr.caplen == 0 ) {
74 return WTAP_OPEN_NOT_MINE;
75 }
76 hdr.seconds = pntoh32( &hdr.seconds );
77 hdr.caplen = pntoh16( &hdr.caplen );
78 if( !wtap_read_bytes( wth->fh, &tmp, 2, err, err_info ) ) {
79 if( *err != WTAP_ERR_SHORT_READ ) {
80 return WTAP_OPEN_ERROR;
81 }
82 return WTAP_OPEN_NOT_MINE;
83 }
84 if( !wtap_read_bytes(wth->fh, &iplen, 2, err, err_info ) ) {
85 if( *err != WTAP_ERR_SHORT_READ ) {
86 return WTAP_OPEN_ERROR;
87 }
88 return WTAP_OPEN_NOT_MINE;
89 }
90 iplen = pntoh16(&iplen);
91
92 if ( iplen == 0 )
93 return WTAP_OPEN_NOT_MINE;
94
95 /* if iplen and hdr.caplen are equal, default to no byteswap. */
96 if( iplen > hdr.caplen ) {
97 /* maybe this is just a byteswapped version. the iplen ipflags */
98 /* and ipid are swapped. We cannot use the normal swaps because */
99 /* we don't know the host */
100 iplen = GUINT16_SWAP_LE_BE(iplen);
101 if( iplen <= hdr.caplen ) {
102 /* we know this format */
103 byteswap = TRUE;
104 } else {
105 /* don't know this one */
106 return WTAP_OPEN_NOT_MINE;
107 }
108 } else {
109 byteswap = FALSE;
110 }
111
112 /* no file header. So reset the fh to 0 so we can read the first packet */
113 if (file_seek(wth->fh, 0, SEEK_SET, err) == -1)
114 return WTAP_OPEN_ERROR;
115
116 csids = g_new(csids_t, 1);
117 wth->priv = (void *)csids;
118 csids->byteswapped = byteswap;
119 wth->file_encap = WTAP_ENCAP_RAW_IP;
120 wth->file_type_subtype = csids_file_type_subtype;
121 wth->snapshot_length = 0; /* not known */
122 wth->subtype_read = csids_read;
123 wth->subtype_seek_read = csids_seek_read;
124 wth->file_tsprec = WTAP_TSPREC_SEC;
125
126 /*
127 * Add an IDB; we don't know how many interfaces were
128 * involved, so we just say one interface, about which
129 * we only know the link-layer type, snapshot length,
130 * and time stamp resolution.
131 */
132 wtap_add_generated_idb(wth);
133
134 return WTAP_OPEN_MINE;
135 }
136
137 /* Find the next packet and parse it; called from wtap_read(). */
csids_read(wtap * wth,wtap_rec * rec,Buffer * buf,int * err,gchar ** err_info,gint64 * data_offset)138 static gboolean csids_read(wtap *wth, wtap_rec *rec, Buffer *buf,
139 int *err, gchar **err_info, gint64 *data_offset)
140 {
141 csids_t *csids = (csids_t *)wth->priv;
142
143 *data_offset = file_tell(wth->fh);
144
145 return csids_read_packet( wth->fh, csids, rec, buf, err, err_info );
146 }
147
148 /* Used to read packets in random-access fashion */
149 static gboolean
csids_seek_read(wtap * wth,gint64 seek_off,wtap_rec * rec,Buffer * buf,int * err,gchar ** err_info)150 csids_seek_read(wtap *wth,
151 gint64 seek_off,
152 wtap_rec *rec,
153 Buffer *buf,
154 int *err,
155 gchar **err_info)
156 {
157 csids_t *csids = (csids_t *)wth->priv;
158
159 if( file_seek( wth->random_fh, seek_off, SEEK_SET, err ) == -1 )
160 return FALSE;
161
162 if( !csids_read_packet( wth->random_fh, csids, rec, buf, err, err_info ) ) {
163 if( *err == 0 )
164 *err = WTAP_ERR_SHORT_READ;
165 return FALSE;
166 }
167 return TRUE;
168 }
169
170 static gboolean
csids_read_packet(FILE_T fh,csids_t * csids,wtap_rec * rec,Buffer * buf,int * err,gchar ** err_info)171 csids_read_packet(FILE_T fh, csids_t *csids, wtap_rec *rec,
172 Buffer *buf, int *err, gchar **err_info)
173 {
174 struct csids_header hdr;
175 guint8 *pd;
176
177 if( !wtap_read_bytes_or_eof( fh, &hdr, sizeof( struct csids_header), err, err_info ) )
178 return FALSE;
179 hdr.seconds = pntoh32(&hdr.seconds);
180 hdr.caplen = pntoh16(&hdr.caplen);
181 /*
182 * The maximum value of hdr.caplen is 65535, which is less than
183 * WTAP_MAX_PACKET_SIZE_STANDARD will ever be, so we don't need to check
184 * it.
185 */
186
187 rec->rec_type = REC_TYPE_PACKET;
188 rec->block = wtap_block_create(WTAP_BLOCK_PACKET);
189 rec->presence_flags = WTAP_HAS_TS;
190 rec->rec_header.packet_header.len = hdr.caplen;
191 rec->rec_header.packet_header.caplen = hdr.caplen;
192 rec->ts.secs = hdr.seconds;
193 rec->ts.nsecs = 0;
194
195 if( !wtap_read_packet_bytes( fh, buf, rec->rec_header.packet_header.caplen, err, err_info ) )
196 return FALSE;
197
198 pd = ws_buffer_start_ptr( buf );
199 if( csids->byteswapped ) {
200 if( rec->rec_header.packet_header.caplen >= 2 ) {
201 PBSWAP16(pd); /* the ip len */
202 if( rec->rec_header.packet_header.caplen >= 4 ) {
203 PBSWAP16(pd+2); /* ip id */
204 if( rec->rec_header.packet_header.caplen >= 6 )
205 PBSWAP16(pd+4); /* ip flags and fragoff */
206 }
207 }
208 }
209
210 return TRUE;
211 }
212
213 static const struct supported_block_type csids_blocks_supported[] = {
214 /*
215 * We support packet blocks, with no comments or other options.
216 */
217 { WTAP_BLOCK_PACKET, MULTIPLE_BLOCKS_SUPPORTED, NO_OPTIONS_SUPPORTED }
218 };
219
220 static const struct file_type_subtype_info csids_info = {
221 "CSIDS IPLog", "csids", NULL, NULL,
222 FALSE, BLOCKS_SUPPORTED(csids_blocks_supported),
223 NULL, NULL, NULL
224 };
225
register_csids(void)226 void register_csids(void)
227 {
228 csids_file_type_subtype = wtap_register_file_type_subtype(&csids_info);
229
230 /*
231 * Register name for backwards compatibility with the
232 * wtap_filetypes table in Lua.
233 */
234 wtap_register_backwards_compatibility_lua_name("CSIDS",
235 csids_file_type_subtype);
236 }
237
238 /*
239 * Editor modelines - https://www.wireshark.org/tools/modelines.html
240 *
241 * Local Variables:
242 * c-basic-offset: 2
243 * tab-width: 8
244 * indent-tabs-mode: nil
245 * End:
246 *
247 * vi: set shiftwidth=2 tabstop=8 expandtab:
248 * :indentSize=2:tabSize=8:noTabs=true:
249 */
250