Context Navigation

source: lib/trace.c @ 24b42dd

4.0.1-hotfixescachetimestampsdevelopdpdk-ndagetsilivegetfragoffhelplibtrace4ndag_formatpfringrc-4.0.1rc-4.0.2rc-4.0.3rc-4.0.4ringdecrementfixringperformanceringtimestampfixes

Last change on this file since 24b42dd was 24b42dd, checked in by Daniel Lawson <dlawson@…>, 16 years ago
sanity in dag_start
Property mode set to `100644`
File size: 39.2 KB

Line
1	/*
2	* This file is part of libtrace
3	*
4	* Copyright (c) 2004 The University of Waikato, Hamilton, New Zealand.
5	* Authors: Daniel Lawson
6	* Perry Lorier
7	*
8	* All rights reserved.
9	*
10	* This code has been developed by the University of Waikato WAND
11	* research group. For further information please see http://www.wand.net.nz/
12	*
13	* libtrace is free software; you can redistribute it and/or modify
14	* it under the terms of the GNU General Public License as published by
15	* the Free Software Foundation; either version 2 of the License, or
16	* (at your option) any later version.
17	*
18	* libtrace is distributed in the hope that it will be useful,
19	* but WITHOUT ANY WARRANTY; without even the implied warranty of
20	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21	* GNU General Public License for more details.
22	*
23	* You should have received a copy of the GNU General Public License
24	* along with libtrace; if not, write to the Free Software
25	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
26	*
27	* $Id$
28	*
29	*/
30
31	/** @file
32	*
33	* @brief Trace file processing library
34	*
35	* @author Daniel Lawson
36	* @author Perry Lorier
37	*
38	*/
39	#define _GNU_SOURCE
40	#include "common.h"
41	#include "config.h"
42	#include <assert.h>
43	#include <errno.h>
44	#include <fcntl.h>
45	#include <netdb.h>
46	#include <stdio.h>
47	#include <stdlib.h>
48	#include <string.h>
49	#include <sys/stat.h>
50	#include <sys/types.h>
51
52	#ifdef HAVE_LIMITS_H
53	# include <limits.h>
54	#endif
55
56	#ifdef HAVE_SYS_LIMITS_H
57	# include <sys/limits.h>
58	#endif
59
60	#include <sys/socket.h>
61	#include <sys/un.h>
62	#include <sys/mman.h>
63	#include <unistd.h>
64	#include <net/ethernet.h>
65	#include <time.h>
66	#include <sys/ioctl.h>
67
68	#ifdef HAVE_STDINT_H
69	# include <stdint.h>
70	#else
71	# error "Can't find stdint.h - you need to replace this"
72	#endif
73
74	#ifdef HAVE_STDDEF_H
75	# include <stddef.h>
76	#else
77	# error "Can't find stddef.h - do you define ptrdiff_t elsewhere?"
78	#endif
79
80	#include "libtrace.h"
81	#include "fifo.h"
82
83	#ifdef HAVE_PCAP_BPF_H
84	# include <pcap-bpf.h>
85	#else
86	# ifdef HAVE_NET_BPF_H
87	# include <net/bpf.h>
88	# endif
89	#endif
90
91	#include <zlib.h>
92	#include <pcap.h>
93	#include <zlib.h>
94
95
96	#include "wag.h"
97
98	#ifdef HAVE_DAG_API
99	# include "dagnew.h"
100	# include "dagapi.h"
101	# define DAGDEVICE 1
102	#else
103	# include "dagformat.h"
104	#endif
105
106
107	typedef enum {SOCKET, TRACE, STDIN, DEVICE, INTERFACE, RT } source_t;
108
109	typedef enum {ERF, PCAP, PCAPINT, DAG, RTCLIENT, WAG, WAGINT } format_t;
110
111	struct libtrace_filter_t {
112	struct bpf_insn *filter;
113	char * filterstring;
114	};
115
116	struct libtrace_t {
117	format_t format;
118	source_t sourcetype;
119	union {
120	struct {
121	char *hostname;
122	short port;
123	} rt;
124	char *path;
125	char *interface;
126	} conn_info;
127	union {
128	int fd;
129	gzFile *file;
130	pcap_t *pcap;
131	} input;
132	struct fifo_t *fifo;
133	void *buf;
134	struct {
135	void *buffer;
136	int size;
137	} packet;
138	double last_ts;
139	double start_ts;
140	};
141
142	#define URI_PROTO_LINE 16
143	static int init_trace(struct libtrace_t *libtrace, char uri) {
144	char *scan = calloc(sizeof(char),URI_PROTO_LINE);
145	char *uridata = 0;
146	struct stat buf;
147
148	// parse the URI to determine what sort of event we are dealing with
149
150	// want snippet before the : to get the uri base type.
151
152	if((uridata = strchr(uri,':')) == NULL) {
153	// badly formed URI - needs a :
154	return 0;
155	}
156
157	if ((uridata - uri) > URI_PROTO_LINE) {
158	// badly formed URI - uri type is too long
159	return 0;
160	}
161	strncpy(scan,uri, (uridata - uri));
162
163	if (!strncasecmp(scan,"erf",3)) {
164	(*libtrace)->format=ERF;
165	} else if (!strncasecmp(scan,"pcapint",7)) {
166	(*libtrace)->format=PCAPINT;
167	} else if (!strncasecmp(scan,"pcap",4)) {
168	(*libtrace)->format=PCAP;
169	} else if (!strncasecmp(scan,"dag",3)) {
170	(*libtrace)->format=DAG;
171	} else if (!strncasecmp(scan,"rtclient",7)) {
172	(*libtrace)->format=RTCLIENT;
173	} else if (!strncasecmp(scan,"wagint",6)) {
174	(*libtrace)->format=WAGINT;
175	} else if (!strncasecmp(scan,"wag",3)) {
176	(*libtrace)->format=WAG;
177	} else {
178	//badly formed URI
179	return 0;
180	}
181
182	// push uridata past the delimiter
183	uridata++;
184
185	// libtrace->format now contains the type of uri
186	// libtrace->uridata contains the appropriate data for this
187
188	switch((*libtrace)->format) {
189	case PCAPINT:
190	case WAGINT:
191	/* Can have uridata of the following format
192	* eth0
193	* etc
194	*/
195	// We basically assume this is correct.
196	(*libtrace)->sourcetype = INTERFACE;
197	(*libtrace)->conn_info.path = strdup(uridata);
198	break;
199	case PCAP:
200	case ERF:
201	case WAG:
202	/*
203	* Can have uridata of the following format
204	* /path/to/socket (probably not PCAP)
205	* /path/to/file
206	* /path/to/file.gz (not PCAP)
207	* /dev/device (use PCAPINT)
208	* -
209	*/
210	if (!strncmp(uridata,"-",1)) {
211	(*libtrace)->sourcetype = STDIN;
212	} else {
213	if (stat(uridata,&buf) == -1) {
214	perror("stat");
215	return 0;
216	}
217	if (S_ISSOCK(buf.st_mode)) {
218	(*libtrace)->sourcetype = SOCKET;
219	} else if (S_ISCHR(buf.st_mode)) {
220	(*libtrace)->sourcetype = DEVICE;
221	} else {
222	(*libtrace)->sourcetype = TRACE;
223	}
224	(*libtrace)->conn_info.path = strdup(uridata);
225	}
226	break;
227	case DAG:
228	/*
229	* Can have uridata of the following format:
230	* /dev/device
231	*/
232	if (stat(uridata,&buf) == -1) {
233	perror("stat");
234	return 0;
235	}
236	if (S_ISCHR(buf.st_mode)) {
237	(*libtrace)->sourcetype = DEVICE;
238	} else {
239	fprintf(stderr,"%s isn't a valid char device, exiting\n",uridata);
240	exit(1);
241	}
242	(*libtrace)->conn_info.path = strdup(uridata);
243
244	break;
245
246	case RTCLIENT:
247	/*
248	* Can have the uridata in the format
249	* hostname
250	* hostname:port
251	*/
252	(*libtrace)->sourcetype = RT;
253	if (strlen(uridata) == 0) {
254	(*libtrace)->conn_info.rt.hostname =
255	strdup("localhost");
256	(*libtrace)->conn_info.rt.port =
257	COLLECTOR_PORT;
258	break;
259	}
260	if ((scan = strchr(uridata,':')) == NULL) {
261	(*libtrace)->conn_info.rt.hostname =
262	strdup(uridata);
263	(*libtrace)->conn_info.rt.port =
264	COLLECTOR_PORT;
265	} else {
266	(*libtrace)->conn_info.rt.hostname =
267	(char *)strndup(uridata,(scan - uridata));
268
269	(*libtrace)->conn_info.rt.port =
270	atoi(++scan);
271	}
272	break;
273	}
274
275
276	(*libtrace)->fifo = create_fifo(1048576);
277	//(*libtrace)->packet.buffer = 0;
278	//(*libtrace)->packet.size = 0;
279
280	return 1;
281	}
282
283	/** Create a trace file from a URI
284	*
285	* @returns opaque pointer to a libtrace_t
286	*
287	* Valid URI's are:
288	* erf:/path/to/erf/file
289	* erf:/path/to/erf/file.gz
290	* erf:/path/to/rtclient/socket
291	* erf:- (stdin)
292	* pcapint:pcapinterface (eg: pcapint:eth0)
293	* pcap:/path/to/pcap/file
294	* pcap:-
295	* rtclient:hostname
296	* rtclient:hostname:port
297	* wag:-
298	* wag:/path/to/wag/file
299	* wag:/path/to/wag/file.gz
300	* wag:/path/to/wag/socket
301	* wagint:/dev/device
302	*
303	* URIs which have yet to be implemented are:
304	* dag:/dev/dagcard
305	* pcap:/path/to/pcap/socket
306	*
307	* If an error occured when attempting to open a trace, NULL is returned
308	* and an error is output to stdout.
309	*/
310	struct libtrace_t trace_create(char uri) {
311	struct libtrace_t *libtrace = malloc(sizeof(struct libtrace_t));
312	struct hostent *he;
313	struct sockaddr_in remote;
314	struct sockaddr_un unix_sock;
315	char errbuf[PCAP_ERRBUF_SIZE];
316
317	if(init_trace(&libtrace,uri) == 0) {
318	return 0;
319	}
320
321	switch(libtrace->sourcetype) {
322	case RT:
323	if ((he=gethostbyname(libtrace->conn_info.rt.hostname)) == NULL) {
324	perror("gethostbyname");
325	return 0;
326	}
327	if ((libtrace->input.fd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
328	perror("socket");
329	return 0;
330	}
331
332	remote.sin_family = AF_INET;
333	remote.sin_port = htons(libtrace->conn_info.rt.port);
334	remote.sin_addr = ((struct in_addr )he->h_addr);
335	bzero(&(remote.sin_zero), 8);
336
337	if (connect(libtrace->input.fd, (struct sockaddr *)&remote,
338	sizeof(struct sockaddr)) == -1) {
339	perror("connect (inet)");
340	return 0;
341	}
342	break;
343	case TRACE:
344	if (libtrace->format == PCAP) {
345	if ((libtrace->input.pcap = pcap_open_offline(libtrace->conn_info.path, errbuf)) == NULL) {
346	fprintf(stderr,"%s\n",errbuf);
347	return 0;
348	}
349	} else {
350	libtrace->input.file = gzopen(libtrace->conn_info.path, "r");
351	}
352	break;
353	case STDIN:
354	if (libtrace->format == PCAP) {
355	libtrace->input.pcap = pcap_open_offline("-",errbuf);
356	} else {
357	libtrace->input.file = gzdopen(STDIN, "r");
358	}
359	break;
360	case SOCKET:
361	/* Pcap doesn't work */
362	if (libtrace->format != PCAP) {
363	if ((libtrace->input.fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
364	perror("socket");
365	return 0;
366	}
367	unix_sock.sun_family = AF_UNIX;
368	bzero(unix_sock.sun_path,108);
369	snprintf(unix_sock.sun_path,108,"%s",libtrace->conn_info.path);
370
371	if (connect(libtrace->input.fd, (struct sockaddr *)&unix_sock,
372	sizeof(struct sockaddr)) == -1) {
373	perror("connect (unix)");
374	return 0;
375	}
376	}
377	break;
378	case DEVICE:
379	case INTERFACE:
380	switch (libtrace->format) {
381	case PCAPINT:
382	case PCAP:
383	libtrace->input.pcap = pcap_open_live(
384	libtrace->conn_info.path,
385	4096,
386	1,
387	0,
388	errbuf);
389	break;
390	default:
391	fprintf(stderr,"Unknown format trace, hoping I can just read\n");
392	case WAGINT:
393	case WAG:
394	libtrace->input.fd = open(
395	libtrace->conn_info.path,
396	O_RDONLY);
397	break;
398	#ifdef DAGDEVICE
399	case DAG:
400	if((libtrace->input.fd = dag_open(libtrace->conn_info.path)) < 0) {
401	fprintf(stderr,"Cannot open DAG %s: %m", libtrace->conn_info.path,errno);
402	exit(0);
403	}
404	if((libtrace->buf = dag_mmap(libtrace->input.fd)) == MAP_FAILED) {
405	fprintf(stderr,"Cannot mmap DAG %s: %m", libtrace->conn_info.path,errno);
406	exit(0);
407	}
408	if(dag_start(libtrace->input.fd) < 0) {
409	fprintf(stderr,"Cannot start DAG %s: %m", libtrace->conn_info.path,errno);
410	exit(0);
411	}
412	break;
413	#endif
414
415	}
416	break;
417	default:
418	fprintf(stderr,"Unsupported source type for libtrace, terminating (%i)\n",libtrace->sourcetype);
419	exit(0);
420
421	}
422	return libtrace;
423	}
424
425	/** Close a trace file, freeing up any resources it may have been using
426	*
427	*/
428	void trace_destroy(struct libtrace_t *libtrace) {
429	assert(libtrace);
430	if (libtrace->format == PCAP \|\| libtrace->format == PCAPINT) {
431	pcap_close(libtrace->input.pcap);
432	} else if (libtrace->sourcetype == SOCKET \|\| libtrace->sourcetype == RT) {
433	close(libtrace->input.fd);
434	} else {
435	gzclose(libtrace->input.file);
436	}
437	// need to free things!
438	destroy_fifo(libtrace->fifo);
439	free(libtrace);
440	}
441
442	static int trace_read(struct libtrace_t libtrace, void buffer, size_t len) {
443	int numbytes;
444	static unsigned bottom = 0, top, diff, curr, scan;
445	static short lctr = 0;
446	struct dag_record_t *recptr = 0;
447	int rlen;
448	assert(libtrace);
449	assert(len >= 0);
450
451	if (buffer == 0)
452	buffer = malloc(len);
453
454	while(1) {
455	switch(libtrace->sourcetype) {
456	case SOCKET:
457	case RT:
458	// read from the network
459	if ((numbytes=recv(libtrace->input.fd,
460	buffer,
461	len,
462	MSG_NOSIGNAL)) == -1) {
463	if (errno == EINTR) {
464	// ignore EINTR in case
465	// a caller is using signals
466	continue;
467	}
468	perror("recv");
469	return -1;
470	}
471	break;
472	case DEVICE:
473	switch(libtrace->format) {
474	case DAG:
475	top = dag_offset(libtrace->input.fd,
476	&bottom,
477	0);
478	diff = top - bottom;
479	errno = 0;
480	curr = 0;
481
482	recptr = (dag_record_t ) ((void )libtrace->buf + (bottom + curr));
483
484	buffer=libtrace->buf + (bottom + curr);
485
486	numbytes=diff;
487
488
489	break;
490	default:
491	if ((numbytes=read(libtrace->input.fd,
492	buffer,
493	len)) == -1) {
494	perror("read");
495	return -1;
496	}
497	}
498	break;
499	default:
500	if ((numbytes=gzread(libtrace->input.file,
501	buffer,
502	len)) == -1) {
503	perror("gzread");
504	return -1;
505	}
506	}
507	break;
508	}
509	return numbytes;
510
511	}
512
513	/** Read one packet from the trace into buffer
514	*
515	* @param libtrace the libtrace opaque pointer
516	* @param packet the packet opaque pointer
517	* @returns false if it failed to read a packet
518	*
519	*/
520	#define RP_BUFSIZE 65536
521	int trace_read_packet(struct libtrace_t libtrace, struct libtrace_packet_t packet) {
522	int numbytes;
523	int size;
524	char buf[RP_BUFSIZE];
525	struct pcap_pkthdr pcaphdr;
526	const u_char *pcappkt;
527	int read_required = 0;
528
529	void *buffer = 0;
530	if (!libtrace) {
531	fprintf(stderr,"Oi! You called trace_read_packet() with a NULL libtrace parameter!\n");
532	}
533	assert(libtrace);
534	assert(packet);
535
536	//bzero(buffer,len);
537
538	/* Store the trace we are reading from into the packet opaque
539	* structure */
540	packet->trace = libtrace;
541
542	buffer = packet->buffer;
543	/* PCAP gives us it's own per-packet interface. Let's use it */
544	if (libtrace->format == PCAP \|\| libtrace->format == PCAPINT) {
545	if ((pcappkt = pcap_next(libtrace->input.pcap, &pcaphdr)) == NULL) {
546	return -1;
547	}
548	memcpy(buffer,&pcaphdr,sizeof(struct pcap_pkthdr));
549	memcpy(buffer + sizeof(struct pcap_pkthdr),pcappkt,pcaphdr.len);
550	numbytes = pcaphdr.len;
551
552	packet->size = numbytes + sizeof(struct pcap_pkthdr);
553	return numbytes;
554	}
555
556	/* If we're reading from an ERF input, it's an offline trace. We can make some assumptions */
557	if (libtrace->format == ERF) {
558	void *buffer2 = buffer;
559	// read in the trace header
560	if ((numbytes=gzread(libtrace->input.file,
561	buffer,
562	sizeof(dag_record_t))) == -1) {
563	perror("gzread");
564	return -1;
565	}
566	if (numbytes == 0) {
567	return 0;
568	}
569	size = ntohs(((dag_record_t *)buffer)->rlen) - sizeof(dag_record_t);
570	assert(size < LIBTRACE_PACKET_BUFSIZE);
571	buffer2 = buffer + sizeof(dag_record_t);
572
573	// read in the rest of the packet
574	if ((numbytes=gzread(libtrace->input.file,
575	buffer2,
576	size)) == -1) {
577	perror("gzread");
578	return -1;
579	}
580	packet->size = numbytes + sizeof(dag_record_t);
581	return sizeof(dag_record_t) + numbytes;
582	}
583
584	do {
585	if (fifo_out_available(libtrace->fifo) == 0 \|\| read_required) {
586	if ((numbytes = trace_read(libtrace,buf,RP_BUFSIZE))<=0){
587	return numbytes;
588	}
589	fifo_write(libtrace->fifo,buf,numbytes);
590
591	read_required = 0;
592	}
593
594	switch (libtrace->format) {
595	case RTCLIENT:
596	// only do this if we're reading from the RT interface
597	if (fifo_out_read(libtrace->fifo, &packet->status, sizeof(int)) == 0) {
598	read_required = 1;
599	continue;
600	}
601
602	fifo_out_update(libtrace->fifo,sizeof(int));
603
604	/* FALL THRU */
605	case ERF:
606	case DAG:
607	// read in the erf header
608	if ((numbytes = fifo_out_read(libtrace->fifo, buffer, sizeof(dag_record_t))) == 0) {
609	fifo_out_reset(libtrace->fifo);
610	read_required = 1;
611	continue;
612	}
613
614	size = ntohs(((dag_record_t *)buffer)->rlen);
615	break;
616	case WAG:
617	if ((numbytes = fifo_out_read(libtrace->fifo,
618	&size,
619	sizeof(size)))
620	== 0) {
621	fifo_out_reset(libtrace->fifo);
622	read_required = 1;
623	continue;
624	}
625	size*=4;
626	break;
627	default:
628	fprintf(stderr,"Unknown type in _read()\n");
629	assert(0);
630	}
631
632	assert(size < LIBTRACE_PACKET_BUFSIZE);
633
634	// read in the full packet
635	if ((numbytes = fifo_out_read(libtrace->fifo, buffer, size)) == 0) {
636	fifo_out_reset(libtrace->fifo);
637	read_required = 1;
638	continue;
639	}
640
641	// got in our whole packet, so...
642	fifo_out_update(libtrace->fifo,size);
643
644	if (libtrace->sourcetype == SOCKET \|\| libtrace->sourcetype == RT) {
645	fifo_ack_update(libtrace->fifo,size + sizeof(int));
646	} else {
647	fifo_ack_update(libtrace->fifo,size);
648	}
649
650	packet->size = numbytes;
651	return numbytes;
652
653	} while (1);
654	}
655
656
657	/** get a pointer to the link layer
658	* @param libtrace a pointer to the trace object returned from gettrace
659	* @param buffer a pointer to a filled in buffer
660	* @param buflen a pointer to the size of the buffer
661	*
662	* @returns a pointer to the link layer, or NULL if there is no link layer
663	* you should call trace_get_link_type() to find out what type of link layer this is
664	*/
665	void trace_get_link(struct libtrace_packet_t packet) {
666	void *ethptr = 0;
667
668	struct wag_event_t event = (struct wag_event_t )packet->buffer;
669	struct wag_data_event_t *data_event;
670
671
672	switch(packet->trace->format) {
673	case ERF:
674	case DAG:
675	case RTCLIENT:
676	if (trace_get_link_type(packet)==TRACE_TYPE_ETH)
677	ethptr = ((uint8_t *)packet->buffer +
678	dag_record_size + 2);
679	else
680	ethptr = ((uint8_t *)packet->buffer +
681	dag_record_size + 2);
682	break;
683	case PCAPINT:
684	case PCAP:
685	ethptr = (struct ether_header *)(packet->buffer + sizeof(struct pcap_pkthdr));
686	break;
687	case WAGINT:
688	case WAG:
689	switch (event->type) {
690	case 0x0:
691	data_event = (void*)&(event->payload);
692	return data_event->data;
693	default:
694	fprintf(stderr,"Unknown WAG Event (0x%08x)\n",event->type);
695	return NULL;
696	}
697
698	default:
699	fprintf(stderr,"Dunno this trace format\n");
700	assert(0);
701	}
702	return ethptr;
703	}
704
705	/** get a pointer to the IP header (if any)
706	* @param libtrace a pointer to the trace object returned from gettrace
707	* @param buffer a pointer to a filled in buffer
708	* @param buflen a pointer to the size of the buffer
709	*
710	* @returns a pointer to the IP header, or NULL if there is not an IP packet
711	*/
712	struct libtrace_ip trace_get_ip(struct libtrace_packet_t packet) {
713	struct libtrace_ip *ipptr = 0;
714
715	switch(trace_get_link_type(packet)) {
716	case TRACE_TYPE_80211:
717	{
718
719	struct ieee_802_11_header *wifi = trace_get_link(packet);
720
721	// Data packet?
722	if (wifi->type != 2) {
723	ipptr = NULL;
724	}
725	else {
726	struct ieee_802_11_payload eth = (void)wifi->data;
727	if (eth->type != 0x0008) {
728	ipptr=NULL;
729	} else {
730	ipptr=(void*)eth->data;
731	}
732	}
733	}
734	break;
735	case TRACE_TYPE_ETH:
736	{
737	struct ether_header *eth =
738	trace_get_link(packet);
739	if (ntohs(eth->ether_type)!=0x0800) {
740	ipptr = NULL;
741	}
742	else {
743	ipptr = ((void *)eth) + 14;
744	}
745	break;
746	}
747	case TRACE_TYPE_ATM:
748	{
749	struct atm_rec *atm =
750	trace_get_link(packet);
751	// TODO: Find out what ATM does, and return
752	// NULL for non IP data
753	// Presumably it uses the normal stuff
754	ipptr = (void*)&atm->pload;
755	break;
756	}
757	default:
758	fprintf(stderr,"Don't understand link layer type %i in trace_get_ip()\n",
759	trace_get_link_type(packet));
760	ipptr=NULL;
761	break;
762	}
763
764	return ipptr;
765	}
766
767
768	/** get a pointer to the TCP header (if any)
769	* @param libtrace a pointer to the trace object returned from gettrace
770	* @param buffer a pointer to a filled in buffer
771	* @param buflen a pointer to the size of the buffer
772	*
773	* @returns a pointer to the TCP header, or NULL if there is not a TCP packet
774	*/
775	struct libtrace_tcp trace_get_tcp(struct libtrace_packet_t packet) {
776	struct libtrace_tcp *tcpptr = 0;
777	struct libtrace_ip *ipptr = 0;
778
779	if(!(ipptr = trace_get_ip(packet))) {
780	return 0;
781	}
782	if (ipptr->ip_p == 6) {
783	tcpptr = (struct libtrace_tcp )((ptrdiff_t)ipptr + (ipptr->ip_hl 4));
784	}
785	return tcpptr;
786	}
787
788	/** get a pointer to the UDP header (if any)
789	* @param libtrace a pointer to the trace object returned from gettrace
790	* @param buffer a pointer to a filled in buffer
791	* @param buflen a pointer to the size of the buffer
792	*
793	* @returns a pointer to the UDP header, or NULL if this is not a UDP packet
794	*/
795	struct libtrace_udp trace_get_udp(struct libtrace_packet_t packet) {
796	struct libtrace_udp *udpptr = 0;
797	struct libtrace_ip *ipptr = 0;
798
799	if(!(ipptr = trace_get_ip(packet))) {
800	return 0;
801	}
802	if (ipptr->ip_p == 17) {
803	udpptr = (struct libtrace_udp )((ptrdiff_t)ipptr + (ipptr->ip_hl 4));
804	}
805	return udpptr;
806	}
807
808	/** get a pointer to the ICMP header (if any)
809	* @param libtrace a pointer to the trace object returned from gettrace
810	* @param buffer a pointer to a filled in buffer
811	* @param buflen a pointer to the size of the buffer
812	*
813	* @returns a pointer to the ICMP header, or NULL if this is not a ICMP packet
814	*/
815	struct libtrace_icmp trace_get_icmp(struct libtrace_packet_t packet) {
816	struct libtrace_icmp *icmpptr = 0;
817	struct libtrace_ip *ipptr = 0;
818
819	if(!(ipptr = trace_get_ip(packet))) {
820	return 0;
821	}
822	if (ipptr->ip_p == 1) {
823	icmpptr = (struct libtrace_icmp )((ptrdiff_t)ipptr + (ipptr->ip_hl 4));
824	}
825	return icmpptr;
826	}
827
828	/** Get the current time in DAG time format
829	* @param libtrace the libtrace opaque pointer
830	* @param buffer a pointer to a filled in buffer
831	* @param buflen the length of the buffer
832	* @returns a 64 bit timestamp in DAG ERF format (upper 32 bits are the seconds
833	* past 1970-01-01, the lower 32bits are partial seconds)
834	* @author Daniel Lawson
835	*/
836	uint64_t trace_get_erf_timestamp(struct libtrace_packet_t *packet) {
837	uint64_t timestamp = 0;
838	dag_record_t *erfptr = 0;
839	struct pcap_pkthdr *pcapptr = 0;
840	struct wag_event_t *wagptr = 0;
841	switch (packet->trace->format) {
842	case DAG:
843	case ERF:
844	case RTCLIENT:
845	erfptr = (dag_record_t *)packet->buffer;
846	timestamp = erfptr->ts;
847	break;
848	case PCAPINT:
849	case PCAP:
850	pcapptr = (struct pcap_pkthdr *)packet->buffer;
851	timestamp = ((((uint64_t)pcapptr->ts.tv_sec) << 32) + \
852	(pcapptr->ts.tv_usec*UINT_MAX/1000000));
853	break;
854	case WAGINT:
855	case WAG:
856	wagptr = (struct wag_event_t *)packet->buffer;
857	timestamp = wagptr->timestamp_lo;
858	timestamp \|= (uint64_t)wagptr->timestamp_hi<<32;
859	timestamp = ((timestamp%44000000)*(UINT_MAX/44000000))
860	\| ((timestamp/44000000)<<32);
861	break;
862	default:
863	fprintf(stderr,"Unknown format in trace_get_erf_timestamp\n");
864	timestamp = 0;
865	}
866	return timestamp;
867	}
868
869	/** Get the current time in struct timeval
870	* @param libtrace the libtrace opaque pointer
871	* @param buffer a pointer to a filled in buffer
872	* @param buflen the length of the buffer
873	* @returns time that this packet was seen in a struct timeval
874	* @author Daniel Lawson
875	* @author Perry Lorier
876	*/
877	struct timeval trace_get_timeval(struct libtrace_packet_t *packet) {
878	struct timeval tv;
879	struct pcap_pkthdr *pcapptr = 0;
880	uint64_t ts;
881	//uint32_t seconds;
882	switch (packet->trace->format) {
883	case PCAPINT:
884	case PCAP:
885	pcapptr = (struct pcap_pkthdr *)packet->buffer;
886	tv = pcapptr->ts;
887	break;
888	case WAGINT:
889	case WAG:
890	case DAG:
891	case ERF:
892	case RTCLIENT:
893	default:
894	// FIXME: This isn't portable to big-endian machines
895	ts = trace_get_erf_timestamp(packet);
896	tv.tv_sec = ts >> 32;
897	ts = (1000000 * (ts & 0xffffffffULL));
898	ts += (ts & 0x80000000ULL) << 1;
899	tv.tv_usec = ts >> 32;
900	if (tv.tv_usec >= 1000000) {
901	tv.tv_usec -= 1000000;
902	tv.tv_sec += 1;
903	}
904	break;
905	}
906	return tv;
907	}
908
909	/** Get the current time in floating point seconds
910	* @param libtrace the libtrace opaque pointer
911	* @param buffer a pointer to a filled in buffer
912	* @param buflen the length of the buffer
913	* @returns time that this packet was seen in 64bit floating point seconds
914	* @author Perry Lorier
915	*/
916	double trace_get_seconds(struct libtrace_packet_t *packet) {
917	uint64_t ts;
918	ts = trace_get_erf_timestamp(packet);
919	return (ts>>32) + ((ts & UINT_MAX)*1.0 / UINT_MAX);
920	}
921
922	/** Get the size of the packet in the trace
923	* @param packet the packet opaque pointer
924	* @returns the size of the packet in the trace
925	* @author Perry Lorier
926	* @note Due to this being a header capture, or anonymisation, this may not
927	* be the same size as the original packet. See trace_get_wire_length() for the
928	* original size of the packet.
929	* @note This can (and often is) different for different packets in a trace!
930	* @par
931	* This is sometimes called the "snaplen".
932	*/
933	int trace_get_capture_length(struct libtrace_packet_t *packet) {
934	dag_record_t *erfptr = 0;
935	struct pcap_pkthdr *pcapptr = 0;
936	struct wag_event_t *wag_event;
937	switch (packet->trace->format) {
938	case DAG:
939	case ERF:
940	case RTCLIENT:
941	erfptr = (dag_record_t *)packet->buffer;
942	return ntohs(erfptr->rlen);
943	case PCAPINT:
944	case PCAP:
945	pcapptr = (struct pcap_pkthdr *)packet->buffer;
946	//return ntohs(pcapptr->caplen);
947	return pcapptr->caplen;
948	case WAGINT:
949	case WAG:
950	wag_event = (struct wag_event_t *)packet->buffer;
951	switch(wag_event->type) {
952	case 0:
953	return wag_event->length*4-(
954	sizeof(struct wag_event_t)+
955	sizeof(struct wag_data_event_t)
956	);
957	default:
958	assert(0);
959	}
960	default:
961	assert(0);
962	}
963	return -1;
964	}
965
966	/** Get the size of the packet as it was seen on the wire.
967	* @param libtrace the libtrace opaque pointer
968	* @param buffer a pointer to a filled in buffer
969	* @param buflen the length of the buffer
970	* @returns the size of the packet as it was on the wire.
971	* @author Perry Lorier
972	* @author Daniel Lawson
973	* @note Due to the trace being a header capture, or anonymisation this may
974	* not be the same as the Capture Len.
975	*/
976	int trace_get_wire_length(struct libtrace_packet_t *packet){
977	dag_record_t *erfptr = 0;
978	struct pcap_pkthdr *pcapptr = 0;
979	struct wag_event_t *wag_event = 0;
980	switch (packet->trace->format) {
981	case DAG:
982	case ERF:
983	case RTCLIENT:
984	erfptr = (dag_record_t *)packet->buffer;
985	return ntohs(erfptr->wlen);
986	break;
987	case PCAPINT:
988	case PCAP:
989	pcapptr = (struct pcap_pkthdr *)packet->buffer;
990	return ntohs(pcapptr->len);
991	break;
992	case WAGINT:
993	case WAG:
994	wag_event = (struct wag_event_t *)packet->buffer;
995	switch(wag_event->type) {
996	case 0:
997	return ((struct wag_data_event_t *)(&wag_event->payload))->frame_length;
998	default:
999	assert(0);
1000	}
1001	}
1002	return -1;
1003
1004	}
1005
1006	/** Get the type of the link layer
1007	* @param libtrace the libtrace opaque pointer
1008	* @param buffer a pointer to a filled in buffer
1009	* @param buflen the length of the buffer
1010	* @returns libtrace_linktype_t
1011	* @author Perry Lorier
1012	* @author Daniel Lawson
1013	*/
1014	libtrace_linktype_t trace_get_link_type(struct libtrace_packet_t *packet ) {
1015	dag_record_t *erfptr = 0;
1016	struct pcap_pkthdr *pcapptr = 0;
1017	int linktype = 0;
1018	switch (packet->trace->format) {
1019	case DAG:
1020	case ERF:
1021	case RTCLIENT:
1022	erfptr = (dag_record_t *)packet->buffer;
1023	switch (erfptr->type) {
1024	case TYPE_ETH: return TRACE_TYPE_ETH;
1025	case TYPE_ATM: return TRACE_TYPE_ATM;
1026	default: assert(0);
1027	}
1028	return erfptr->type;
1029
1030	break;
1031	case PCAPINT:
1032	case PCAP:
1033	pcapptr = (struct pcap_pkthdr *)packet->buffer;
1034	linktype = pcap_datalink(packet->trace->input.pcap);
1035	switch (linktype) {
1036	case 1:
1037	return TRACE_TYPE_ETH;
1038	case 11:
1039	return TRACE_TYPE_ATM;
1040	case DLT_IEEE802_11:
1041	return TRACE_TYPE_80211;
1042	}
1043	break;
1044	case WAGINT:
1045	case WAG:
1046	return TRACE_TYPE_80211;
1047	}
1048	return -1;
1049	}
1050
1051	/** Get the source MAC addres
1052	* @param libtrace the libtrace opaque pointer
1053	* @param buffer a pointer to a filled in buffer
1054	* @param buflen the length of the buffer
1055	* @returns a pointer to the source mac, (or NULL if there is no source MAC)
1056	* @author Perry Lorier
1057	*/
1058	uint8_t trace_get_source_mac(struct libtrace_packet_t packet) {
1059	void *link = trace_get_link(packet);
1060	struct ieee_802_11_header *wifi = link;
1061	struct ether_header *ethptr = link;
1062	if (!link)
1063	return NULL;
1064	switch (trace_get_link_type(packet)) {
1065	case TRACE_TYPE_80211:
1066	return (uint8_t*)&wifi->mac2;
1067	case TRACE_TYPE_ETH:
1068	return (uint8_t*)&ethptr->ether_shost;
1069	default:
1070	fprintf(stderr,"Not implemented\n");
1071	assert(0);
1072	}
1073	}
1074
1075	/** Get the destination MAC addres
1076	* @param libtrace the libtrace opaque pointer
1077	* @param buffer a pointer to a filled in buffer
1078	* @param buflen the length of the buffer
1079	* @returns a pointer to the destination mac, (or NULL if there is no
1080	* destination MAC)
1081	* @author Perry Lorier
1082	*/
1083	uint8_t trace_get_destination_mac(struct libtrace_packet_t packet) {
1084	void *link = trace_get_link(packet);
1085	struct ieee_802_11_header *wifi = link;
1086	struct ether_header *ethptr = link;
1087	if (!link)
1088	return NULL;
1089	switch (trace_get_link_type(packet)) {
1090	case TRACE_TYPE_80211:
1091	return (uint8_t*)&wifi->mac1;
1092	case TRACE_TYPE_ETH:
1093	return (uint8_t*)&ethptr->ether_dhost;
1094	default:
1095	fprintf(stderr,"Not implemented\n");
1096	assert(0);
1097	}
1098	}
1099
1100
1101	/** process a libtrace event
1102	* @param trace the libtrace opaque pointer
1103	* @param packet the libtrace_packet opaque pointer
1104	* @param fd a pointer to a file descriptor to listen on
1105	* @param seconds a pointer the time in seconds since to the next event
1106	* @returns
1107	* TRACE_EVENT_IOWAIT Waiting on I/O on <fd>
1108	* TRACE_EVENT_SLEEP Next event in <seconds>
1109	* TRACE_EVENT_PACKET Packet arrived in <buffer> with size <size>
1110	* FIXME currently keeps a copy of the packet inside the trace pointer,
1111	* which in turn is stored inside the new packet object...
1112	* @author Perry Lorier
1113	*/
1114	struct libtrace_eventobj_t trace_event(struct libtrace_t *trace,
1115	struct libtrace_packet_t *packet) {
1116	struct libtrace_eventobj_t event;
1117
1118	if (!trace) {
1119	fprintf(stderr,"You called trace_event() with a NULL trace object!\n");
1120	}
1121	assert(trace);
1122	assert(packet);
1123
1124	/* Store the trace we are reading from into the packet opaque
1125	* structure */
1126	packet->trace = trace;
1127
1128	/* Is there a packet ready? */
1129	switch (trace->sourcetype) {
1130	case INTERFACE:
1131	{
1132	int data;
1133	event.fd = pcap_fileno(trace->input.pcap);
1134	if(ioctl(event.fd,FIONREAD,&data)==-1){
1135	perror("ioctl(FIONREAD)");
1136	}
1137	if (data>0) {
1138	trace_read_packet(trace,packet);
1139	event.type = TRACE_EVENT_PACKET;
1140	return event;
1141	}
1142	event.type = TRACE_EVENT_IOWAIT;
1143	return event;
1144	}
1145	case SOCKET:
1146	case DEVICE:
1147	case RT:
1148	{
1149	int data;
1150	event.fd = trace->input.fd;
1151	if(ioctl(event.fd,FIONREAD,&data)==-1){
1152	perror("ioctl(FIONREAD)");
1153	}
1154	if (data>0) {
1155	trace_read_packet(trace,packet);
1156	event.type = TRACE_EVENT_PACKET;
1157	return event;
1158	}
1159	event.type = TRACE_EVENT_IOWAIT;
1160	return event;
1161	}
1162	case STDIN:
1163	case TRACE:
1164	{
1165	double ts;
1166	/* "Prime" the pump */
1167	if (!trace->packet.buffer) {
1168	trace->packet.buffer = malloc(4096);
1169	trace->packet.size=
1170	trace_read_packet(trace,packet);
1171	}
1172	ts=trace_get_seconds(packet);
1173	if (trace->last_ts!=0) {
1174	event.seconds = ts - trace->last_ts;
1175	if (event.seconds>time(NULL)-trace->start_ts) {
1176	event.type = TRACE_EVENT_SLEEP;
1177	return event;
1178	}
1179
1180	}
1181	else {
1182	trace->start_ts = time(NULL);
1183	trace->last_ts = ts;
1184	}
1185
1186	packet->size = trace->packet.size;
1187	memcpy(packet->buffer,trace->packet.buffer,trace->packet.size);
1188
1189	free(trace->packet.buffer);
1190	trace->packet.buffer = 0;
1191	event.type = TRACE_EVENT_PACKET;
1192	return event;
1193	}
1194	default:
1195	assert(0);
1196	}
1197	assert(0);
1198	}
1199
1200	/** setup a BPF filter
1201	* @param filterstring a char * containing the bpf filter string
1202	* @returns opaque pointer pointer to a libtrace_filter_t object
1203	* @author Daniel Lawson
1204	*/
1205	struct libtrace_filter_t trace_bpf_setfilter(const char filterstring) {
1206	struct libtrace_filter_t *filter = malloc(sizeof(struct libtrace_filter_t));
1207	filter->filterstring = strdup(filterstring);
1208	filter->filter = 0;
1209	return filter;
1210	}
1211
1212	/** apply a BPF filter
1213	* @param libtrace the libtrace opaque pointer
1214	* @param filter the filter opaque pointer
1215	* @param buffer a pointer to a filled buffer
1216	* @param buflen the length of the buffer
1217	* @returns 0 if the filter fails, 1 if it succeeds
1218	* @author Daniel Lawson
1219	*/
1220	int trace_bpf_filter(struct libtrace_filter_t *filter,
1221	struct libtrace_packet_t *packet) {
1222
1223	void *linkptr = 0;
1224	int clen = 0;
1225	assert(filter);
1226	assert(packet);
1227	linkptr = trace_get_link(packet);
1228	assert(linkptr);
1229	clen = trace_get_capture_length(packet);
1230
1231
1232	if (filter->filterstring && ! filter->filter) {
1233	pcap_t *pcap;
1234	struct bpf_program bpfprog;
1235
1236	switch (trace_get_link_type(packet)) {
1237	case TRACE_TYPE_ETH:
1238	pcap = pcap_open_dead(DLT_EN10MB, 1500);
1239	break;
1240	default:
1241	printf("only works for ETH at the moment\n");
1242	assert(0);
1243	}
1244
1245	// build filter
1246	if (pcap_compile( pcap, &bpfprog, filter->filterstring, 1, 0)) {
1247	printf("bpf compilation error: %s\n",
1248	pcap_geterr(pcap));
1249	assert(0);
1250	}
1251	pcap_close(pcap);
1252	filter->filter = bpfprog.bf_insns;
1253	}
1254
1255	assert(filter->filter);
1256	return bpf_filter(filter->filter, linkptr, clen, clen);
1257
1258	}
1259
1260	/** Get the direction flag, if it has one
1261	* @param libtrace the libtrace opaque pointer
1262	* @param buffer a point to a fille in buffer
1263	* @param buflen the length of the buffer
1264	* @returns a signed value containing the direction flag, or -1 if this is not supported
1265	* @author Daniel Lawson
1266	*/
1267	int8_t trace_get_direction(struct libtrace_packet_t *packet) {
1268
1269	int8_t direction;
1270	dag_record_t *erfptr = 0;
1271	assert(packet);
1272
1273	switch(packet->trace->format) {
1274	case DAG:
1275	case ERF:
1276	case RTCLIENT:
1277	erfptr = (dag_record_t *)packet->buffer;
1278	direction = erfptr->flags.iface;
1279	break;
1280	default:
1281	direction = -1;
1282	}
1283
1284	return direction;
1285
1286
1287	}
1288
1289
1290	/** Attempt to deduce the 'server' port
1291	* @param protocol the IP protocol (eg, 6 or 17 for TCP or UDP)
1292	* @param source the TCP or UDP source port
1293	* @param dest the TCP or UDP destination port
1294	* @returns a hint as to which port is the server port
1295	* @author Daniel Lawson
1296	*/
1297	#define ROOT_SERVER(x) ((x) < 512)
1298	#define ROOT_CLIENT(x) ((512 <= (x)) && ((x) < 1024))
1299	#define NONROOT_SERVER(x) ((x) >= 5000)
1300	#define NONROOT_CLIENT(x) ((1024 <= (x)) && ((x) < 5000))
1301	#define DYNAMIC(x) ((49152 < (x)) && ((x) < 65535))
1302	#define SERVER(x) ROOT_SERVER(x) \|\| NONROOT_SERVER(x)
1303	#define CLIENT(x) ROOT_CLIENT(x) \|\| NONROOT_CLIENT(x)
1304
1305	int8_t trace_get_server_port(uint8_t protocol, uint16_t source, uint16_t dest) {
1306	/*
1307	* * If the ports are equal, return DEST
1308	* * Check for well-known ports in the given protocol
1309	* * Root server ports: 0 - 511
1310	* * Root client ports: 512 - 1023
1311	* * non-root client ports: 1024 - 4999
1312	* * non-root server ports: 5000+
1313	* * Check for static ranges: 1024 - 49151
1314	* * Check for dynamic ranges: 49152 - 65535
1315	* * flip a coin.
1316	*/
1317
1318	uint16_t server, client;
1319
1320	/* equal */
1321	if (source == client)
1322	return USE_DEST;
1323
1324	/* root server port, 0 - 511 */
1325	if (ROOT_SERVER(source) && ROOT_SERVER(dest)) {
1326	if (source < dest)
1327	return USE_SOURCE;
1328	return USE_DEST;
1329	}
1330
1331	if (ROOT_SERVER(source) && !ROOT_SERVER(dest))
1332	return USE_SOURCE;
1333	if (!ROOT_SERVER(source) && ROOT_SERVER(dest))
1334	return USE_DEST;
1335
1336	/* non-root server */
1337	if (NONROOT_SERVER(source) && NONROOT_SERVER(dest)) {
1338	if (source < dest)
1339	return USE_SOURCE;
1340	return USE_DEST;
1341	}
1342	if (NONROOT_SERVER(source) && !NONROOT_SERVER(dest))
1343	return USE_SOURCE;
1344	if (!NONROOT_SERVER(source) && NONROOT_SERVER(dest))
1345	return USE_DEST;
1346
1347	/* root client */
1348	if (ROOT_CLIENT(source) && ROOT_CLIENT(dest)) {
1349	if (source < dest)
1350	return USE_SOURCE;
1351	return USE_DEST;
1352	}
1353	if (ROOT_CLIENT(source) && !ROOT_CLIENT(dest)) {
1354	/* prefer root-client over nonroot-client */
1355	if (NONROOT_CLIENT(dest))
1356	return USE_SOURCE;
1357	return USE_DEST;
1358	}
1359	if (!ROOT_CLIENT(source) && ROOT_CLIENT(dest)) {
1360	/* prefer root-client over nonroot-client */
1361	if (NONROOT_CLIENT(source))
1362	return USE_DEST;
1363	return USE_SOURCE;
1364	}
1365
1366	/* nonroot client */
1367	if (NONROOT_CLIENT(source) && NONROOT_CLIENT(dest)) {
1368	if (source < dest)
1369	return USE_SOURCE;
1370	return USE_DEST;
1371	}
1372	if (NONROOT_CLIENT(source) && !NONROOT_CLIENT(dest))
1373	return USE_DEST;
1374	if (!NONROOT_CLIENT(source) && NONROOT_CLIENT(dest))
1375	return USE_SOURCE;
1376
1377	/* dynamic range */
1378	if (DYNAMIC(source) && DYNAMIC(dest))
1379	if (source < dest)
1380	return USE_SOURCE;
1381	return USE_DEST;
1382	if (DYNAMIC(source) && !DYNAMIC(dest))
1383	return USE_DEST;
1384	if (!DYNAMIC(source) && DYNAMIC(dest))
1385	return USE_SOURCE;
1386	/*
1387	if (SERVER(source) && CLIENT(dest))
1388	return USE_SOURCE;
1389
1390	if (SERVER(dest) && CLIENT(source))
1391	return USE_DEST;
1392	if (ROOT_SERVER(source) && !ROOT_SERVER(dest))
1393	return USE_SOURCE;
1394	if (ROOT_SERVER(dest) && !ROOT_SERVER(source))
1395	return USE_DEST;
1396	*/
1397	// failing that test...
1398	if (source < dest) {
1399	return USE_SOURCE;
1400	}
1401	return USE_DEST;
1402
1403	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: