Adding first code to support absolute timeshifts.

Niels Jakob Buch · Niels Jakob Buch · commit 33e2d6a4e562 · 2018-02-27T16:54:51.000+01:00
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,4 @@
+out.pcap
+raw_mac_capture1.pcap
+raw_mac_capture2.pcap
+raw_mac_capture3.pcap
diff --git a/README b/README
@@ -1,4 +1,4 @@
-capshift v0.2 Alpha
+capshift v0.3 Beta
 Original by Foeh Mannay, January 2015
 Current version by Niels Jakob Buch, February 2018
 
@@ -9,11 +9,13 @@ PURPOSE
 you have two pcap files taken from different devices whose clocks are not synchronised
 and you can't be bothered to repeatedly hand-correct the timestamps.
 
-Please see http://networkingbodges.blogspot.com/ for more information on this if you 
-are interested.
+Or, you are analysing network traffic for different purposes, and needs test-data that 
+are matching specific time or dates.
 
 INSTALLATION
 ============
+The library has on purpose been built to follow POSIX standards and should be cross-platform
+compatible with no challenges.
 
 For Linux / Mac / MinGW it should be possible to build from source using:
 
@@ -24,17 +26,25 @@ USAGE
 
 There are only three parameters and all are mandatory. You must specify your
 input capture file (original pcap format) with the -r flag, your output capture file
-with the -w flag and your time offset with the -o flag. Here's an example:
+with the -w flag and your time options with the -o, -t, -d or -t AND -d flag. Here's the four examples:
 
 ./capshift -r original.cap -w shifted.cap -o +14.5
+./capshift -r original.cap -w shifted.cap -t 20:03
+./capshift -r original.cap -w shifted.cap -d 21-12-2019
+./capshift -r original.cap -w shifted.cap -t 23:30 -d 20-7-2017
 
-Parsing capfile, attempting to shift forward by 14.5s...
+The purpose of -t is to shift the time-stamps to another time, keeping the date.
 
-45 frames processed.
+The purpose of the -d is to shift the time-stamps to another date, but keeping the time-of-day.
+
+The purpose of using both -t and -d is the give a totally fresh time-stamp.
+
+Please note that all pcap records will be time-stamped relatively to the first record, based on the existing timestamps.
 
 CHANGE LOG
 ==========
 
 v0.1a	First working release.
 v0.2a   Bugs for larger timeshifts, and larger files fixed.
+v0.3b   Adding absolute timeshifts 
 
diff --git a/capshift b/capshift
diff --git a/capshift.c b/capshift.c
@@ -1,12 +1,11 @@
-
-
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <time.h>
 
 #include "capshift.h"
 
-#define SWVERSION "v0.2 alpha"
+#define SWVERSION "v0.3 beta"
 #define SWRELEASEDATE "February 2018"
 
 // capshift (pCAP time SHIFT) shifts the timestamps in pcap files by the specified time
@@ -19,16 +18,18 @@ params_t *parseParams(int argc, char *argv[]){
 	// Returns a struct with various parameters or NULL if invalid
 	unsigned int i = 1;
 	char 	*timestring = NULL,
-			*endptr = NULL;
+			*endptr = NULL,
+			*datestring = NULL,
+			*offsetstring = NULL;
 	params_t *parameters = (params_t*)malloc(sizeof(params_t));
 	if(parameters == NULL) return(NULL);
 
-	// There must be 4 parameters
-	if(argc != 7) return(NULL);
-
 	// Set some defaults
 	parameters->infile = NULL;
 	parameters->outfile = NULL;
+	parameters->abs = 0;
+	parameters->sign = ADD;
+
 
 	// Look for the various flags, then store the corresponding value
 	while(i < argc){
@@ -43,6 +44,16 @@ params_t *parseParams(int argc, char *argv[]){
 			continue;
 		}
 		if(strcmp(argv[i],"-o") == 0){
+			offsetstring = argv[++i];
+			i++;
+			continue;
+		}
+		if(strcmp(argv[i],"-d") == 0){
+			datestring = argv[++i];
+			i++;
+			continue;
+		}
+		if(strcmp(argv[i],"-t") == 0){
 			timestring = argv[++i];
 			i++;
 			continue;
@@ -54,44 +65,82 @@ params_t *parseParams(int argc, char *argv[]){
 	// If the input files still aren't set, bomb
 	if((parameters->infile == NULL) || (parameters->outfile == NULL)) return(NULL);
 
-	// Try to parse the time offset string
-	if(timestring == NULL) return NULL;
-	
-	// If there is a + or - present, set the sign accordingly
-	switch(timestring[0]){
-		case '-':
-			parameters->sign = SUBTRACT;
-			timestring++;
-			break;
-		case '+':
-			parameters->sign = ADD;
-			timestring++;
-			break;
+	if ((datestring != NULL) && (timestring != NULL) && (offsetstring == NULL)) {
+		// the case of exact time AND DATE, set parameters abs, secs, usecs and sign
+		parameters->abs = 0; // Means absolate displacement
+
+		return(parameters);
+	}
+
+	if ((datestring != NULL) && (timestring == NULL) && (offsetstring == NULL)) {
+		// the case of exact date only (keep time-of-day), set parameters abs, secs, usecs and sign
+		parameters->abs = 0; // Means absolute
+		return(parameters);
+	}
+
+	if ((datestring == NULL) && (timestring != NULL) && (offsetstring == NULL)) {
+		// the case of exact time only, set parameters abs, secs, usecs and sign
+		parameters->abs = 0; // Means absolute
+		return(parameters);
+	}
+
+	if ((datestring == NULL) && (timestring == NULL) && (offsetstring != NULL)) {
+		printf("DEBUG: A relative offset is the case...%s\n", offsetstring);
+		// the case of exact offset, set parameters abs, secs, usecs and sign
+		parameters->abs = 1; // Means relative
+		// If there is a + or - present, set the sign accordingly
+		switch(offsetstring[0]){
+			case '-':
+				parameters->sign = SUBTRACT;
+				offsetstring++;
+				break;
+			case '+':
+				parameters->sign = ADD;
+				offsetstring++;
+				break;
+		}
+		// If there are non-numeric characters present, bail out
+		if((offsetstring[0] < '0') || (offsetstring[0] > '9')) return(NULL);
+
+		// Grab the seconds
+		parameters->secs = strtol(offsetstring, &endptr, 10);
+		// Look for a decimal point, if present then grab and scale out microseconds
+		if(endptr[0] == '.'){
+			offsetstring = endptr + 1;
+			parameters->usecs = strtol(offsetstring, &endptr, 10);
+
+			// scale the usecs field as appropriate for place value
+			i = endptr - offsetstring;
+			while(i < 6){
+				parameters->usecs *= 10;
+				i++;
+			}
+			while(i > 6){
+				parameters->usecs /= 10;
+				i--;
+			}
+		} else parameters->usecs = 0;
+		
+		if(endptr[0] != '\x00') return(NULL);
+
+		return(parameters);
 	}
+
+	char *token;
+	token = strsep(&datestring, "-");
+	int dd;
+	dd  = strtol(token,NULL,10);
+
+	token = strsep(&datestring, "-");
+	int mm;
+	mm  = strtol(token,NULL,10);
+	token = strsep(&datestring, "-");
+	int yy;
+	yy  = strtol(token,NULL,10);
+	printf("Dato er %d/%d/%d", dd, mm, yy);
 	
-	// If there are non-numeric characters present, bail out
-	if((timestring[0] < '0') || (timestring[0] > '9')) return(NULL);
 	
-	// Grab the seconds
-	parameters->secs = strtol(timestring, &endptr, 10);
-	// Look for a decimal point, if present then grab and scale out microseconds
-	if(endptr[0] == '.'){
-		timestring = endptr + 1;
-		parameters->usecs = strtol(timestring, &endptr, 10);
-
-		// scale the usecs field as appropriate for place value
-		i = endptr - timestring;
-		while(i < 6){
-			parameters->usecs *= 10;
-			i++;
-		}
-		while(i > 6){
-			parameters->usecs /= 10;
-			i--;
-		}
-	} else parameters->usecs = 0;
 	
-	if(endptr[0] != '\x00') return(NULL);
 
 	return(parameters);
 }
@@ -101,6 +150,7 @@ int parse_pcap(FILE *capfile, FILE *outfile, guint32 sign, guint32 secs, guint32
 	guint32				caplen = 0;
 	int					count = 0;
 	pcaprec_hdr_t		*rechdr = NULL;
+	int				first_timestamp_found = 0;
 	
 	if(sign == ADD) {
 		printf("\nParsing capfile, attempting to shift forward by %u.%u seconds...\n", secs, usecs);
@@ -154,7 +204,11 @@ int parse_pcap(FILE *capfile, FILE *outfile, guint32 sign, guint32 secs, guint32
 		}
 				
 		// Adjust timestamp as required, handling over/underflow
-		
+		if (first_timestamp_found == 0) {
+			printf("Nu er vi ved første RAW -> %d", (int)rechdr->ts_sec );
+			printf("Nu er vi ved første since midnigt-> %d", (int)rechdr->ts_sec % 86400 );
+			first_timestamp_found = 1;
+		}
 		if(sign == SUBTRACT){
 			rechdr->ts_sec -= secs;
 			if (usecs > rechdr->ts_usec){
@@ -201,6 +255,27 @@ int parse_pcap(FILE *capfile, FILE *outfile, guint32 sign, guint32 secs, guint32
 	return(count);
 }
 
+int findoffset() {
+		
+	time_t curtime;
+	time_t newtime;
+	time(&curtime);
+	/* 
+	struct tm *dayoffset;	
+	dayoffset = localtime(&curtime);
+	dayoffset->tm_mday = 0;
+	dayoffset->tm_mon = 0;
+	dayoffset->tm_year = 0;
+	dayoffset->tm_wday = 0;
+	newtime = mktime(dayoffset); */
+	time_t seconds_since_midnight = curtime % 86400;
+	printf("Current time = %s", ctime(&curtime));
+	printf("Current time = %d", (int)curtime);
+	// printf("New time = %s", ctime(&newtime));
+	printf("New time = %d", (int)seconds_since_midnight);
+	return(0);
+}
+
 int main(int argc, char *argv[]){
 // The main function basically just calls other functions to do the work.
 	params_t			*parameters = NULL;
@@ -209,14 +284,28 @@ int main(int argc, char *argv[]){
 	
 	// Parse our command line parameters and verify they are usable. If not, show help.
 	parameters = parseParams(argc, argv);
+
 	if(parameters == NULL){
-		printf("capshift: a utility to adjust the timestamps of pcap files by a fixed offset.\n");
+		printf("\n\n                     _     _  __ _  \n"); 
+ 		printf("                    | |   (_)/ _| |  \n");
+		printf("  ___ __ _ _ __  ___| |__  _| |_| |_ \n");
+		printf(" / __/ _` | '_ \\/ __| '_ \\| |  _| __|\n");
+		printf("| (_| (_| | |_) \\__ \\ | | | | | | |_ \n");
+ 		printf(" \\___\\__,_| .__/|___/_| |_|_|_|  \\__|\n");
+ 		printf("         | |                        \n");
+ 		printf("         |_|                        \n");
+		printf("\ncapshift: a utility to adjust the timestamps of pcap files.\n");
+		printf("Written by Niels Jakob Buch & Foeh Mannay.\n");
 		printf("Version %s, %s\n\n", SWVERSION, SWRELEASEDATE);
 		printf("Usage:\n");
-		printf("%s -r inputcapfile -w outputcapfile -o offset \n\n",argv[0]);
+		printf("%s -r inputcapfile -w outputcapfile [time option]\n\n",argv[0]);
 		printf("Where inputcapfile is a tcpdump-style .cap file\n");
 		printf("outputcapfile is the file where the time-shifted version will be saved\n");
-		printf("offset is the number of seconds to shift by (e.g. -1.5, +0.200)\n");
+		printf("[time option] is:\n");
+		printf("	-o offset 		: offset is the number of seconds to shift by (e.g. -1.5, +0.200)\n");
+		printf("	-d date 		: where date is the day shift to, keeping the time-of-day.\n");	
+		printf("	-t time 		: where time is the time-of-day to shift to, keeping the day.\n");
+		printf("	-d date -t time		: where date and time is the time AND day to shift to.\n\n\n");
 		return(1);
 	}
 	
@@ -242,3 +331,4 @@ int main(int argc, char *argv[]){
 }
 
 
+
diff --git a/capshift.h b/capshift.h
@@ -27,6 +27,7 @@ typedef struct params_s {
 	guint32		secs;
 	guint32		usecs;
 	guint32		sign;
+        guint32         abs;    /* indicate if its a relative or absolate displacement 0=abs 1=rel */
 } params_t;
 
 
