ProtocolProfilerDecoders.tcl

1. #####
2. # ProtocolProfileDecoders.tcl
3. # Author: Thomas Schockaert
4. # Last Changed: 20141104
5. # Contents: The procedures that turn a piece of hex string into something more meaningful to the user.
6. # Howto:
7. # - Procedure names follow a specific naming-scheme:
8. #   1) the word 'decode'
9. #   2) an underscore
10. #   3) whatever you put in the protocol map as the third field of the field definitions
11. #   Example: pmap(0) {"testfield" 10 "mytext"}
12. #   -> This field will be decoded by the procedure named 'decode_mytext'
13. # - Each procedure takes a fielddefinition and the rawvalue as arguments.
14. #   1) 'fielddefinition' is whatever you put in the protocol map for a certain index
15. #   2) 'rawvalue' is the protocol data on from the wire
16. # - You return a readable value
17. #   1) you can use this to map an entire protocol level
18. #   2) you can use this to translate protocol-specific encodings (example: dns encodes hostnames in a 'special' way)
19. #####
20.  
21. proc decode_dnssoa { fielddefinition rawvalue } {
22.    
23. }
24.  
25. ### decode_ipv4 { fielddefinition rawvalue }
26. # Description:
27. # - Reads every the rawvalue in blocks of 2 characters, which yields a 2-character hex string that can be translated to its decimal counterpart.
28. # - The decimal counterparts are concatenated with a dot to create an IP address
29. # Returns:
30. # - an IP address
31. proc decode_ip { fielddefinition rawvalue } {
32.     set readablevalue ""
33.     set y 0
34.     while { $y < [string length $rawvalue] } {
35.         # decimal representation of the size of the label
36.         set octet [substr $rawvalue $y 2]
37.         lappend readablevalue "[expr 0x$octet]"
38.         set y [expr $y+2]
39.     }
40.     set readablevalue [join $readablevalue "."]
41.     return $readablevalue
42. }
43.  
44. ### decode_dnstext { fielddefinition rawvalue }
45. # Description:
46. # - The translation that happens is described here: http://www.tcpipguide.com/free/t_DNSNameNotationandMessageCompressionTechnique.htm
47. # Returns:
48. # - a hostname (FQDN)
49. proc decode_dnstext { fielddefinition rawvalue } {
50.     set readablevalue ""
51.     set y 0
52.     while { $y < [string length $rawvalue] } {
53.         # decimal representation of the size of the label
54.         set label_size [expr [expr 0x[substr $rawvalue $y 2]]*2]
55.         set label [substr $rawvalue [expr $y+2] $label_size]
56.         lappend readablevalue "[binary format H* $label]"
57.         set y [expr $y+2+$label_size]
58.     }
59.     set readablevalue [join $readablevalue "."]
60.     return $readablevalue
61. }
62.  
63. ### decode_tmap { fielddefinition rawvalue }
64. # Description:
65. # - Finds the rawvalue in a statically defined tmap (= textmap) array. If found, returns that value, if not found, uses the element with index '-1' from the array.
66. # Returns:
67. # - the textual, human-readable equivalent of a hex string
68. proc decode_tmap { fielddefinition rawvalue } {
69.     set fieldname [lindex $fielddefinition 0]
70.     #upvar $stop_here stop_here_local
71.     set stop_here_local 0
72.     eval "if \{ \[catch \{ set readablevalue \$static::tmap_$fieldname\(0x$rawvalue\) \} errmsg\] \} \{ set stop_here_local 1 \}"
73.     eval "if \{ \$stop_here_local == 1 \} \{ set readablevalue \$static::tmap_$fieldname\(-1\) \}"
74.     return $readablevalue
75. }
76.  
77. ### decode_lmap { fielddefinition rawvalue }
78. # Description:
79. # - The rawvalue consists of multipe entries of the same size.
80. # - This iterates those entries and finds the corresponding value in a statically defined tmap (= textmap) array. If found, returns that value, if not found, uses the element with index '-1' from the array.
81. # Returns:
82. # - the textual, human-readable equivalent of all entries in the rawvalue hex string, concatenated with a comma (,)
83. proc decode_lmap { fielddefinition rawvalue } {
84.     set fieldname [lindex $fielddefinition 0]
85.     set listmap_fieldsize [lindex $fielddefinition 3]
86.     set readablevalue ""
87.     set listmapvalue_notfound 0
88.     for { set z 0 } { $z < [string length $rawvalue] } { set z [expr $z+4] } {
89.         set listmap_currentvalue [substr $rawvalue $z 4]
90.         eval "if \{ \[catch \{ set tmp_readablevalue \$static::tmap_$fieldname\(0x$listmap_currentvalue\) \} errmsg\] \} \{ set listmapvalue_notfound 1 \}"
91.         eval "if \{ \$listmapvalue_notfound == 1 \} \{ set tmp_readablevalue \$static::tmap_$fieldname\(-1\) \}"
92.         lappend readablevalue "$tmp_readablevalue"
93.     }
94.     set readablevalue [join $readablevalue ","]
95.     return $readablevalue
96. }
97.  
98. ### decode_dec { fielddefinition rawvalue }
99. # Description:
100. # - Converts the rawvalue to decimal
101. # Returns:
102. # - the decimal equivalent of the rawvalue hex string
103. proc decode_dec { fielddefinition rawvalue } {
104.     if { $rawvalue == "" } {
105.         return 0
106.     }  
107.     return [expr 0x$rawvalue]
108. }
109.  
110. ### decode_dec { fielddefinition rawvalue }
111. # Description:
112. # - Prefixes the hex string with '0x'
113. # Returns:
114. # - the hexadecimal notation of the rawvalue hex string
115. proc decode_hex { fielddefinition rawvalue } {
116.     return 0x$rawvalue
117. }
118.  
119. ### decode_time { fielddefinition rawvalue }
120. # Description:
121. # - Decodes the hex string as a unix epoch time string
122. # Returns:
123. # - the date and time in the default format of the clock format command
124. proc decode_time { fielddefinition rawvalue } {
125.     return [clock format [expr 0x$rawvalue]]
126. }