root/source3/utils/log2pcaphex.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. print_pcap_header
  2. print_pcap_packet
  3. print_hex_packet
  4. print_netbios_packet
  5. read_log_msg
  6. read_log_data
  7. main

   1 /* 
   2    Unix SMB/CIFS implementation.
   3    Utility to extract pcap files from samba (log level 10) log files
   4 
   5    Copyright (C) Jelmer Vernooij 2003
   6    Thanks to Tim Potter for the genial idea
   7 
   8    Portions (from capconvert.c) (C) Andrew Tridgell 1997
   9    Portions (from text2pcap.c) (C) Ashok Narayanan 2001
  10 
  11    Example:
  12         Output NBSS(SMB) packets in hex and convert to pcap adding
  13         Eth/IP/TCP headers
  14 
  15         log2pcap -h < samba.log | text2pcap -T 139,139 - samba.pcap
  16 
  17         Output directly to pcap format without Eth headers or TCP
  18         sequence numbers
  19 
  20         log2pcap samba.log samba.pcap
  21 
  22     TODO:
  23         - Hex to text2pcap outputs are not properly parsed in Wireshark
  24           the NBSS or SMB level.  This is a bug.
  25         - Writing directly to pcap format doesn't include sequence numbers
  26           in the TCP packets
  27         - Check if a packet is a response or request and set IP to/from
  28           addresses accordingly.  Currently all packets come from the same
  29           dummy IP and go to the same dummy IP
  30         - Add a message when done parsing about the number of pacekts
  31           processed
  32         - Parse NBSS packet header data from log file
  33         - Have correct IP and TCP checksums.
  34 
  35    Warning:
  36         Samba log level 10 outputs a max of 512 bytes from the packet data
  37         section.  Packets larger than this will be truncated.
  38 
  39    This program is free software; you can redistribute it and/or modify
  40    it under the terms of the GNU General Public License as published by
  41    the Free Software Foundation; either version 3 of the License, or
  42    (at your option) any later version.
  43 
  44    This program is distributed in the hope that it will be useful,
  45    but WITHOUT ANY WARRANTY; without even the implied warranty of
  46    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  47    GNU General Public License for more details.
  48 
  49    You should have received a copy of the GNU General Public License
  50    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  51 */
  52 
  53 #include "includes.h"
  54 
  55 /* We don't care about the paranoid malloc checker in this standalone
  56    program */
  57 #undef malloc
  58 
  59 #include <assert.h>
  60 
  61 int quiet = 0;
  62 int hexformat = 0;
  63 
  64 #define itoa(a) ((a) < 0xa?'0'+(a):'A' + (a-0xa))
  65 
  66 #include <stdlib.h>
  67 #include <unistd.h>
  68 #include <sys/time.h>
  69 #include <stdio.h>
  70 #include <fcntl.h>
  71 
  72 #define TCPDUMP_MAGIC 0xa1b2c3d4
  73 
  74 /* tcpdump file format */
  75 struct tcpdump_file_header {
  76         uint32 magic;
  77         uint16 major;
  78         uint16 minor;
  79         int32 zone;
  80         uint32 sigfigs;
  81         uint32 snaplen;
  82         uint32 linktype;
  83 };
  84 
  85 struct tcpdump_packet {
  86         struct timeval ts;
  87         uint32 caplen;
  88         uint32 len;
  89 };
  90 
  91 typedef struct {
  92     uint8  ver_hdrlen;
  93     uint8  dscp;
  94     uint16 packet_length;
  95     uint16 identification;
  96     uint8  flags;
  97     uint8  fragment;
  98     uint8  ttl;
  99     uint8  protocol;
 100     uint16 hdr_checksum;
 101     uint32 src_addr;
 102     uint32 dest_addr;
 103 } hdr_ip_t;
 104 
 105 static hdr_ip_t HDR_IP = {0x45, 0, 0, 0x3412, 0, 0, 0xff, 6, 0, 0x01010101, 0x02020202};
 106 
 107 typedef struct {
 108     uint16 source_port;
 109     uint16 dest_port;
 110     uint32 seq_num;
 111     uint32 ack_num;
 112     uint8  hdr_length;
 113     uint8  flags;
 114     uint16 window;
 115     uint16 checksum;
 116     uint16 urg;
 117 } hdr_tcp_t;
 118 
 119 static hdr_tcp_t HDR_TCP = {139, 139, 0, 0, 0x50, 0, 0, 0, 0};
 120 
 121 void print_pcap_header(FILE *out)
     /* [<][>][^][v][top][bottom][index][help] */
 122 {
 123         struct tcpdump_file_header h;
 124         h.magic = TCPDUMP_MAGIC;
 125         h.major = 2;
 126         h.minor = 4;
 127         h.zone = 0;
 128         h.sigfigs = 0;
 129         h.snaplen = 102400; /* As long packets as possible */
 130         h.linktype = 101; /* Raw IP */
 131         fwrite(&h, sizeof(struct tcpdump_file_header), 1, out);
 132 }
 133 
 134 void print_pcap_packet(FILE *out, unsigned char *data, long length, long caplen)
     /* [<][>][^][v][top][bottom][index][help] */
 135 {
 136         static int i = 0;
 137         struct tcpdump_packet p;
 138         i++;
 139         p.ts.tv_usec = 0;
 140         p.ts.tv_sec = 0;
 141         p.caplen = caplen;
 142         p.len = length;
 143         fwrite(&p, sizeof(struct tcpdump_packet), 1, out);
 144         fwrite(data, sizeof(unsigned char), caplen, out);
 145 }
 146 
 147 void print_hex_packet(FILE *out, unsigned char *data, long length)
     /* [<][>][^][v][top][bottom][index][help] */
 148 {
 149         long i,cur = 0;
 150         while(cur < length) {
 151                 fprintf(out, "%06lX ", cur);
 152                 for(i = cur; i < length && i < cur + 16; i++) {
 153                         fprintf(out, "%02x ", data[i]);
 154                 }
 155         
 156                 cur = i;
 157                 fprintf(out, "\n");
 158         }
 159 }
 160 
 161 void print_netbios_packet(FILE *out, unsigned char *data, long length, long actual_length)
     /* [<][>][^][v][top][bottom][index][help] */
 162 {       
 163         unsigned char *newdata; long offset = 0;
 164         long newlen;
 165         
 166         newlen = length+sizeof(HDR_IP)+sizeof(HDR_TCP);
 167         newdata = malloc(newlen);
 168 
 169         HDR_IP.packet_length = htons(newlen);
 170         HDR_TCP.window = htons(0x2000);
 171         HDR_TCP.source_port = HDR_TCP.dest_port = htons(139);
 172 
 173         memcpy(newdata+offset, &HDR_IP, sizeof(HDR_IP));offset+=sizeof(HDR_IP);
 174         memcpy(newdata+offset, &HDR_TCP, sizeof(HDR_TCP));offset+=sizeof(HDR_TCP);
 175         memcpy(newdata+offset,data,length);
 176         
 177         print_pcap_packet(out, newdata, newlen, actual_length+offset);
 178         free(newdata);
 179 }
 180 
 181 unsigned char *curpacket = NULL;
 182 unsigned short curpacket_len = 0;
 183 long line_num = 0;
 184 
 185 /* Read the log message produced by lib/util.c:show_msg() containing the:
 186  *  SMB_HEADER
 187  *  SMB_PARAMETERS
 188  *  SMB_DATA.ByteCount
 189  *
 190  * Example:
 191  * [2007/04/08 20:41:39, 5] lib/util.c:show_msg(516)
 192  *   size=144
 193  *   smb_com=0x73
 194  *   smb_rcls=0
 195  *   smb_reh=0
 196  *   smb_err=0
 197  *   smb_flg=136
 198  *   smb_flg2=49153
 199  *   smb_tid=1
 200  *   smb_pid=65279
 201  *   smb_uid=0
 202  *   smb_mid=64
 203  *   smt_wct=3
 204  *   smb_vwv[ 0]=  117 (0x75)
 205  *   smb_vwv[ 1]=  128 (0x80)
 206  *   smb_vwv[ 2]=    1 (0x1)
 207  *   smb_bcc=87
 208  */
 209 void read_log_msg(FILE *in, unsigned char **_buffer, unsigned short *buffersize, long *data_offset, long *data_length)
     /* [<][>][^][v][top][bottom][index][help] */
 210 {
 211         unsigned char *buffer;
 212         int tmp; long i;
 213         assert(fscanf(in, " size=%hu\n", buffersize)); line_num++;
 214         buffer = malloc(*buffersize+4); /* +4 for NBSS Header */
 215         memset(buffer, 0, *buffersize+4);
 216         /* NetBIOS Session Service */
 217         buffer[0] = 0x00;
 218         buffer[1] = 0x00;
 219         memcpy(buffer+2, &buffersize, 2); /* TODO: need to copy as little-endian regardless of platform */
 220         /* SMB Packet */
 221         buffer[4] = 0xFF;
 222         buffer[5] = 'S';
 223         buffer[6] = 'M';
 224         buffer[7] = 'B';
 225         assert(fscanf(in, "  smb_com=0x%x\n", &tmp)); buffer[smb_com] = tmp; line_num++;
 226         assert(fscanf(in, "  smb_rcls=%d\n", &tmp)); buffer[smb_rcls] = tmp; line_num++;
 227         assert(fscanf(in, "  smb_reh=%d\n", &tmp)); buffer[smb_reh] = tmp; line_num++;
 228         assert(fscanf(in, "  smb_err=%d\n", &tmp)); memcpy(buffer+smb_err, &tmp, 2); line_num++;
 229         assert(fscanf(in, "  smb_flg=%d\n", &tmp)); buffer[smb_flg] = tmp; line_num++;
 230         assert(fscanf(in, "  smb_flg2=%d\n", &tmp)); memcpy(buffer+smb_flg2, &tmp, 2); line_num++;
 231         assert(fscanf(in, "  smb_tid=%d\n", &tmp)); memcpy(buffer+smb_tid, &tmp, 2); line_num++;
 232         assert(fscanf(in, "  smb_pid=%d\n", &tmp)); memcpy(buffer+smb_pid, &tmp, 2); line_num++;
 233         assert(fscanf(in, "  smb_uid=%d\n", &tmp)); memcpy(buffer+smb_uid, &tmp, 2); line_num++;
 234         assert(fscanf(in, "  smb_mid=%d\n", &tmp)); memcpy(buffer+smb_mid, &tmp, 2); line_num++;
 235         assert(fscanf(in, "  smt_wct=%d\n", &tmp)); buffer[smb_wct] = tmp; line_num++;
 236         for(i = 0; i < buffer[smb_wct]; i++) {
 237                 assert(fscanf(in, "  smb_vwv[%*3d]=%*5d (0x%X)\n", &tmp)); line_num++;
 238                 memcpy(buffer+smb_vwv+i*2, &tmp, 2);
 239         }
 240 
 241         *data_offset = smb_vwv+buffer[smb_wct]*2;
 242         assert(fscanf(in, "  smb_bcc=%ld\n", data_length)); buffer[(*data_offset)] = *data_length; line_num++;
 243         (*data_offset)+=2;
 244         *_buffer = buffer;
 245 }
 246 
 247 /* Read the log message produced by lib/util.c:dump_data() containing:
 248  *  SMB_DATA.Bytes
 249  *
 250  * Example:
 251  * [2007/04/08 20:41:39, 10] lib/util.c:dump_data(2243)
 252  *   [000] 00 55 00 6E 00 69 00 78  00 00 00 53 00 61 00 6D  .U.n.i.x ...S.a.m
 253  *   [010] 00 62 00 61 00 20 00 33  00 2E 00 30 00 2E 00 32  .b.a. .3 ...0...2
 254  *   [020] 00 34 00 2D 00 49 00 73  00 69 00 6C 00 6F 00 6E  .4.-.I.s .i.l.o.n
 255  *   [030] 00 20 00 4F 00 6E 00 65  00 46 00 53 00 20 00 76  . .O.n.e .F.S. .v
 256  *   [040] 00 34 00 2E 00 30 00 00  00 49 00 53 00 49 00 4C  .4...0.. .I.S.I.L
 257  *   [050] 00 4F 00 4E 00 00 00                              .O.N...
 258  */
 259 long read_log_data(FILE *in, unsigned char *buffer, long data_length)
     /* [<][>][^][v][top][bottom][index][help] */
 260 {
 261         long i, addr; char real[2][16]; int ret;
 262         unsigned int tmp;
 263         for(i = 0; i < data_length; i++) {
 264                 if(i % 16 == 0){
 265                         if(i != 0) {
 266                                 /* Read and discard the ascii data after each line. */
 267                                 assert(fscanf(in, "  %8c %8c\n", real[0], real[1]) == 2);
 268                         }
 269                         ret = fscanf(in, "  [%03lX]", &addr); line_num++;
 270                         if(!ret) {
 271                                 if(!quiet)
 272                                         fprintf(stderr, "%ld: Only first %ld bytes are logged, "
 273                                             "packet trace will be incomplete\n", line_num, i-1);
 274                                 return i-1;
 275                         }
 276                         assert(addr == i);
 277                 }
 278                 if(!fscanf(in, "%02X", &tmp)) {
 279                         if(!quiet)
 280                                 fprintf(stderr, "%ld: Log message formated incorrectly. "
 281                                     "Only first %ld bytes are logged, packet trace will "
 282                                     "be incomplete\n", line_num, i-1);
 283                         while ((tmp = getc(in)) != '\n');
 284                         return i-1;
 285                 }
 286                 buffer[i] = tmp;
 287         }
 288 
 289         /* Consume the newline so we don't increment num_lines twice */
 290         while ((tmp = getc(in)) != '\n');
 291         return data_length;
 292 }
 293 
 294 int main (int argc, char **argv)
     /* [<][>][^][v][top][bottom][index][help] */
 295 {
 296         const char *infile, *outfile;
 297         FILE *out, *in;
 298         int opt;
 299         poptContext pc;
 300         char buffer[4096];
 301         long data_offset, data_length;
 302         long data_bytes_read = 0;
 303         int in_packet = 0;
 304         struct poptOption long_options[] = {
 305                 POPT_AUTOHELP
 306                 { "quiet", 'q', POPT_ARG_NONE, &quiet, 0, "Be quiet, don't output warnings" },
 307                 { "hex", 'h', POPT_ARG_NONE, &hexformat, 0, "Output format readable by text2pcap" },
 308                 POPT_TABLEEND
 309         };
 310         
 311         pc = poptGetContext(NULL, argc, (const char **) argv, long_options,
 312                             POPT_CONTEXT_KEEP_FIRST);
 313         poptSetOtherOptionHelp(pc, "[<infile> [<outfile>]]");
 314         
 315         
 316         while((opt = poptGetNextOpt(pc)) != -1) {
 317                 switch (opt) {
 318                 }
 319         }
 320 
 321         poptGetArg(pc); /* Drop argv[0], the program name */
 322 
 323         infile = poptGetArg(pc);
 324 
 325         if(infile) {
 326                 in  = fopen(infile, "r");
 327                 if(!in) {
 328                         perror("fopen");
 329                         return 1;
 330                 }
 331         } else in = stdin;
 332         
 333         outfile = poptGetArg(pc);
 334 
 335         if(outfile) {
 336                 out = fopen(outfile, "w+");
 337                 if(!out) { 
 338                         perror("fopen"); 
 339                         fprintf(stderr, "Can't find %s, using stdout...\n", outfile);
 340                 }
 341         }
 342 
 343         if(!outfile) out = stdout;
 344 
 345         if(!hexformat)print_pcap_header(out);
 346 
 347         while(!feof(in)) {
 348                 fgets(buffer, sizeof(buffer), in); line_num++;
 349                 if(buffer[0] == '[') { /* Header */
 350                         if(strstr(buffer, "show_msg")) {
 351                                 in_packet++;
 352                                 if(in_packet == 1)continue;
 353                                 read_log_msg(in, &curpacket, &curpacket_len, &data_offset, &data_length);
 354                         } else if(in_packet && strstr(buffer, "dump_data")) {
 355                                 data_bytes_read = read_log_data(in, curpacket+data_offset, data_length);
 356                         }  else { 
 357                                 if(in_packet){ 
 358                                         if(hexformat) print_hex_packet(out, curpacket, curpacket_len); 
 359                                         else print_netbios_packet(out, curpacket, curpacket_len, data_bytes_read+data_offset);
 360                                         free(curpacket); 
 361                                 }
 362                                 in_packet = 0;
 363                         }
 364                 } 
 365         }
 366 
 367         if (in != stdin) {
 368                 fclose(in);
 369         }
 370 
 371         if (out != stdout) {
 372                 fclose(out);
 373         }
 374 
 375         return 0;
 376 }

/* [<][>][^][v][top][bottom][index][help] */