Improve snoop file reader (#2050)

Author: seladb

Pcap++/header/PcapFileDevice.h

@@ -571,10 +571,10 @@ namespace pcpp
 #pragma pack()
 
 		LinkLayerType m_PcapLinkLayerType;
-		std::ifstream m_snoopFile;
+		std::ifstream m_SnoopFile;
 
 		bool readNextPacket(timespec& packetTimestamp, uint8_t* packetData, uint32_t packetDataLen,
-		                    uint32_t& capturedLength);
+		                    uint32_t& capturedLength, uint32_t& frameLength);
 
 	public:
 		/// A constructor for this class that gets the snoop full path file name to open. Notice that after calling this
@@ -612,7 +612,7 @@ namespace pcpp
 		/// @return True if the file is opened, false otherwise
 		bool isOpened() const override
 		{
-			return m_snoopFile.is_open();
+			return m_SnoopFile.is_open();
 		}
 
 		/// Close the snoop file

Pcap++/src/PcapFileDevice.cpp

@@ -1123,27 +1123,32 @@ namespace pcpp
 
 	SnoopFileReaderDevice::~SnoopFileReaderDevice()
 	{
-		m_snoopFile.close();
+		m_SnoopFile.close();
 	}
 
 	bool SnoopFileReaderDevice::open()
 	{
+		if (m_SnoopFile.is_open())
+		{
+			PCPP_LOG_ERROR("File already open");
+			return false;
+		}
+
 		resetStatisticCounters();
 
-		m_snoopFile.open(m_FileName.c_str(), std::ifstream::binary);
-		if (!m_snoopFile.is_open())
+		std::ifstream snoopFile;
+		snoopFile.open(m_FileName.c_str(), std::ifstream::binary);
+		if (!snoopFile.is_open())
 		{
 			PCPP_LOG_ERROR("Cannot open snoop reader device for filename '" << m_FileName << "'");
-			m_snoopFile.close();
 			return false;
 		}
 
 		snoop_file_header_t snoop_file_header;
-		m_snoopFile.read((char*)&snoop_file_header, sizeof(snoop_file_header_t));
-		if (!m_snoopFile)
+		snoopFile.read(reinterpret_cast<char*>(&snoop_file_header), sizeof(snoop_file_header_t));
+		if (!snoopFile)
 		{
 			PCPP_LOG_ERROR("Cannot read snoop file header for '" << m_FileName << "'");
-			m_snoopFile.close();
 			return false;
 		}
 
@@ -1170,22 +1175,22 @@ namespace pcpp
 		if (datalink_type > ARRAY_SIZE(snoop_encap) - 1)
 		{
 			PCPP_LOG_ERROR("Cannot read data link type for '" << m_FileName << "'");
-			m_snoopFile.close();
 			return false;
 		}
 
+		m_SnoopFile = std::move(snoopFile);
 		m_PcapLinkLayerType = snoop_encap[datalink_type];
 
 		PCPP_LOG_DEBUG("Successfully opened file reader device for filename '" << m_FileName << "'");
 		return true;
 	}
 
 	bool SnoopFileReaderDevice::readNextPacket(timespec& packetTimestamp, uint8_t* packetData, uint32_t packetDataLen,
-	                                           uint32_t& capturedLength)
+	                                           uint32_t& capturedLength, uint32_t& frameLength)
 	{
 		snoop_packet_header_t snoop_packet_header;
-		m_snoopFile.read(reinterpret_cast<char*>(&snoop_packet_header), sizeof(snoop_packet_header_t));
-		if (!m_snoopFile)
+		m_SnoopFile.read(reinterpret_cast<char*>(&snoop_packet_header), sizeof(snoop_packet_header_t));
+		if (!m_SnoopFile)
 		{
 			PCPP_LOG_ERROR("Failed to read packet metadata");
 			return false;
@@ -1194,26 +1199,26 @@ namespace pcpp
 		capturedLength = be32toh(snoop_packet_header.included_length);
 		if (capturedLength > packetDataLen)
 		{
+			PCPP_LOG_ERROR("Packet length " << capturedLength << " is too large");
 			return false;
 		}
 
-		m_snoopFile.read(reinterpret_cast<char*>(packetData), capturedLength);
-		if (!m_snoopFile)
+		m_SnoopFile.read(reinterpret_cast<char*>(packetData), capturedLength);
+		if (!m_SnoopFile)
 		{
+			PCPP_LOG_ERROR("Failed to read packet data");
 			return false;
 		}
 
 		packetTimestamp = { static_cast<time_t>(be32toh(snoop_packet_header.time_sec)),
 			                static_cast<long>(be32toh(snoop_packet_header.time_usec)) * 1000 };
 
+		frameLength = be32toh(snoop_packet_header.original_length);
+
 		auto pad = be32toh(snoop_packet_header.packet_record_length) -
 		           (sizeof(snoop_packet_header_t) + be32toh(snoop_packet_header.included_length));
 
-		m_snoopFile.ignore(pad);
-		if (!m_snoopFile)
-		{
-			return false;
-		}
+		m_SnoopFile.ignore(pad);
 
 		return true;
 	}
@@ -1228,15 +1233,15 @@ namespace pcpp
 
 		constexpr uint32_t maxPacketLength = 15'000;
 		timespec packetTimestamp{};
-		uint32_t capturedLength = 0;
+		uint32_t capturedLength = 0, frameLength = 0;
 		auto packetData = std::make_unique<uint8_t[]>(maxPacketLength);
 
-		while (readNextPacket(packetTimestamp, packetData.get(), maxPacketLength, capturedLength))
+		while (readNextPacket(packetTimestamp, packetData.get(), maxPacketLength, capturedLength, frameLength))
 		{
 			if (m_BpfWrapper.matches(packetData.get(), capturedLength, packetTimestamp, m_PcapLinkLayerType))
 			{
 				rawPacket.setRawData(capturedLength > 0 ? packetData.release() : nullptr, capturedLength, true,
-				                     packetTimestamp, m_PcapLinkLayerType);
+				                     packetTimestamp, m_PcapLinkLayerType, frameLength);
 				reportPacketProcessed();
 				return true;
 			}
@@ -1248,7 +1253,7 @@ namespace pcpp
 
 	void SnoopFileReaderDevice::close()
 	{
-		m_snoopFile.close();
+		m_SnoopFile.close();
 		PCPP_LOG_DEBUG("File reader closed for file '" << m_FileName << "'");
 	}
 }  // namespace pcpp

Tests/Pcap++Test/Tests/FileTests.cpp

@@ -5,6 +5,7 @@
 #include "PcapFileDevice.h"
 #include "../Common/PcapFileNamesDef.h"
 #include "../Common/TestUtils.h"
+#include "EndianPortable.h"
 #include <array>
 #include <fstream>
 #include <chrono>
@@ -1792,17 +1793,88 @@ enum class SnoopPacketHeaderParam
 	TimestampSec,
 	TimestampUsec,
 	Caplen,
-	TotalLen
+	Wirelen,
+	Pad
 };
 
+std::vector<uint8_t> createSnoopPacketHeader(const std::unordered_map<SnoopPacketHeaderParam, uint32_t>& params)
+{
+	struct snoop_packet_header
+	{
+		uint32_t original_length;
+		uint32_t included_length;
+		uint32_t packet_record_length;
+		uint32_t ndrops_cumulative;
+		uint32_t time_sec;
+		uint32_t time_usec;
+	};
+
+	// Defaults
+	uint32_t caplen = 1514;
+	uint32_t wirelen = 1514;
+	uint32_t pad = 0;
+
+	auto now = std::chrono::system_clock::now();
+	auto duration = now.time_since_epoch();
+	auto subSec = duration % std::chrono::seconds(1);
+	uint32_t sec = static_cast<uint32_t>(std::chrono::duration_cast<std::chrono::seconds>(duration).count());
+	uint32_t usec = static_cast<uint32_t>(std::chrono::duration_cast<std::chrono::microseconds>(subSec).count());
+
+	for (const auto& p : params)
+	{
+		switch (p.first)
+		{
+		case SnoopPacketHeaderParam::TimestampSec:
+		{
+			sec = p.second;
+			break;
+		}
+		case SnoopPacketHeaderParam::TimestampUsec:
+		{
+			usec = p.second;
+			break;
+		}
+		case SnoopPacketHeaderParam::Caplen:
+		{
+			caplen = p.second;
+			break;
+		}
+		case SnoopPacketHeaderParam::Wirelen:
+		{
+			wirelen = p.second;
+			break;
+		}
+		case SnoopPacketHeaderParam::Pad:
+		{
+			pad = p.second;
+			break;
+		}
+		}
+	}
+
+	snoop_packet_header header = { htobe32(wirelen),
+		                           htobe32(caplen),
+		                           htobe32(static_cast<uint32_t>(sizeof(snoop_packet_header) + caplen + pad)),
+		                           0u,
+		                           htobe32(sec),
+		                           htobe32(usec) };
+
+	std::vector<uint8_t> result(sizeof(snoop_packet_header));
+	std::memcpy(result.data(), &header, sizeof(snoop_packet_header));
+	return result;
+}
+
 PTF_TEST_CASE(TestSolarisSnoopFileRead)
 {
 	SuppressLogs suppressLogs;
 
+	std::array<uint8_t, 5> packetData = { 0x01, 0x02, 0x03, 0x04, 0x05 };
+
 	// Basic test
 	{
 		pcpp::SnoopFileReaderDevice readerDev(EXAMPLE_SOLARIS_SNOOP);
 		PTF_ASSERT_TRUE(readerDev.open());
+		PTF_ASSERT_TRUE(readerDev.isOpened());
 		pcpp::RawPacket rawPacket;
 		int packetCount = 0;
 		int ethCount = 0;
@@ -1831,8 +1903,8 @@ PTF_TEST_CASE(TestSolarisSnoopFileRead)
 		pcpp::IPcapDevice::PcapStats readerStatistics;
 
 		readerDev.getStatistics(readerStatistics);
-		PTF_ASSERT_EQUAL((uint32_t)readerStatistics.packetsRecv, 250);
-		PTF_ASSERT_EQUAL((uint32_t)readerStatistics.packetsDrop, 0);
+		PTF_ASSERT_EQUAL(readerStatistics.packetsRecv, 250);
+		PTF_ASSERT_EQUAL(readerStatistics.packetsDrop, 0);
 
 		PTF_ASSERT_EQUAL(packetCount, 250);
 		PTF_ASSERT_EQUAL(ethCount, 142);
@@ -1870,6 +1942,65 @@ PTF_TEST_CASE(TestSolarisSnoopFileRead)
 		}
 
 		PTF_ASSERT_EQUAL(packetCount, 16);
+
+		pcpp::IPcapDevice::PcapStats readerStatistics;
+		readerDev.getStatistics(readerStatistics);
+		PTF_ASSERT_EQUAL(readerStatistics.packetsRecv, 16);
+	}
+
+	// Packet details
+	{
+		TempFile snoopFile("snoop");
+		snoopFile << createSnoopHeader({});
+		snoopFile << createSnoopPacketHeader({
+		    { SnoopPacketHeaderParam::Caplen,        packetData.size()     },
+		    { SnoopPacketHeaderParam::Wirelen,       packetData.size() + 5 },
+		    { SnoopPacketHeaderParam::TimestampSec,  1234                  },
+		    { SnoopPacketHeaderParam::TimestampUsec, 5678                  }
+        });
+		snoopFile << packetData;
+		snoopFile.close();
+
+		pcpp::SnoopFileReaderDevice readerDev(snoopFile.getFileName());
+		PTF_ASSERT_TRUE(readerDev.open());
+
+		pcpp::RawPacket rawPacket;
+		PTF_ASSERT_TRUE(readerDev.getNextPacket(rawPacket));
+
+		PTF_ASSERT_EQUAL(rawPacket.getRawDataLen(), packetData.size());
+		PTF_ASSERT_EQUAL(rawPacket.getFrameLength(), packetData.size() + 5);
+		PTF_ASSERT_EQUAL(rawPacket.getPacketTimeStamp().tv_sec, 1234);
+		PTF_ASSERT_EQUAL(rawPacket.getPacketTimeStamp().tv_nsec, 5678000);
+
+		PTF_ASSERT_BUF_COMPARE(rawPacket.getRawData(), packetData.data(), packetData.size());
+	}
+
+	// Packet padding
+	{
+		TempFile snoopFile("snoop");
+		snoopFile << createSnoopHeader({});
+		snoopFile << createSnoopPacketHeader({
+		    { SnoopPacketHeaderParam::Caplen, packetData.size() },
+            { SnoopPacketHeaderParam::Pad,    3                 }
+        });
+		snoopFile << packetData;
+		snoopFile << std::array<uint8_t, 3>{ 0xff, 0xff, 0xff };
+		snoopFile << createSnoopPacketHeader({
+		    { SnoopPacketHeaderParam::Caplen, packetData.size() }
+        });
+		snoopFile << packetData;
+		snoopFile.close();
+
+		pcpp::SnoopFileReaderDevice readerDev(snoopFile.getFileName());
+		PTF_ASSERT_TRUE(readerDev.open());
+
+		pcpp::RawPacket rawPacket;
+		for (int i = 0; i < 2; i++)
+		{
+			PTF_ASSERT_TRUE(readerDev.getNextPacket(rawPacket));
+			PTF_ASSERT_EQUAL(rawPacket.getRawDataLen(), packetData.size());
+			PTF_ASSERT_BUF_COMPARE(rawPacket.getRawData(), packetData.data(), packetData.size());
+		}
 	}
 
 	// Device not open
@@ -1888,6 +2019,23 @@ PTF_TEST_CASE(TestSolarisSnoopFileRead)
 		                 "Cannot open snoop reader device for filename 'does_not_exist.snoop'");
 	}
 
+	// File already open
+	{
+		pcpp::SnoopFileReaderDevice readerDev(EXAMPLE_SOLARIS_SNOOP);
+		PTF_ASSERT_TRUE(readerDev.open());
+
+		PTF_ASSERT_FALSE(readerDev.open());
+		PTF_ASSERT_EQUAL(pcpp::Logger::getInstance().getLastError(), "File already open");
+	}
+
+	// Read packet from a non-open device
+	{
+		pcpp::SnoopFileReaderDevice readerDev(EXAMPLE_SOLARIS_SNOOP);
+		pcpp::RawPacket rawPacket;
+		PTF_ASSERT_FALSE(readerDev.getNextPacket(rawPacket));
+		PTF_ASSERT_EQUAL(pcpp::Logger::getInstance().getLastError(), "File device not open");
+	}
+
 	// Cannot read file header
 	{
 		TempFile snoopFile("snoop");
@@ -1897,6 +2045,7 @@ PTF_TEST_CASE(TestSolarisSnoopFileRead)
 		PTF_ASSERT_FALSE(readerDev.open());
 		PTF_ASSERT_EQUAL(pcpp::Logger::getInstance().getLastError(),
 		                 "Cannot read snoop file header for '" + snoopFile.getFileName() + "'");
+		PTF_ASSERT_FALSE(readerDev.isOpened());
 	}
 
 	// Wrong magic number
@@ -1953,6 +2102,36 @@ PTF_TEST_CASE(TestSolarisSnoopFileRead)
 		PTF_ASSERT_FALSE(readerDev.getNextPacket(rawPacket));
 		PTF_ASSERT_EQUAL(pcpp::Logger::getInstance().getLastError(), "Failed to read packet metadata");
 	}
+
+	// Packet data too large
+	{
+		TempFile snoopFile("snoop");
+		snoopFile << createSnoopHeader({});
+		snoopFile << createSnoopPacketHeader({
+		    { SnoopPacketHeaderParam::Caplen, 15'500 }
+        });
+		snoopFile.close();
+
+		pcpp::SnoopFileReaderDevice readerDev(snoopFile.getFileName());
+		PTF_ASSERT_TRUE(readerDev.open());
+		pcpp::RawPacket rawPacket;
+		PTF_ASSERT_FALSE(readerDev.getNextPacket(rawPacket));
+		PTF_ASSERT_EQUAL(pcpp::Logger::getInstance().getLastError(), "Packet length 15500 is too large");
+	}
+
+	// Cannot read packet data
+	{
+		TempFile snoopFile("snoop");
+		snoopFile << createSnoopHeader({});
+		snoopFile << createSnoopPacketHeader({});
+		snoopFile.close();
+
+		pcpp::SnoopFileReaderDevice readerDev(snoopFile.getFileName());
+		PTF_ASSERT_TRUE(readerDev.open());
+		pcpp::RawPacket rawPacket;
+		PTF_ASSERT_FALSE(readerDev.getNextPacket(rawPacket));
+		PTF_ASSERT_EQUAL(pcpp::Logger::getInstance().getLastError(), "Failed to read packet data");
+	}
 }  // TestSolarisSnoopFileRead
 
 PTF_TEST_CASE(TestPcapFileWriterDeviceDestructor)