4 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
6 * SPDX-License-Identifier: GPL-2.0-or-later
14 #include "file_wrappers.h"
18 /* Capture file header, *including* magic number, is padded to 128 bytes. */
19 #define CAPTUREFILE_HEADER_SIZE 128
21 /* Magic number size, in both 1.x and later files. */
24 /* Magic number in NetXRay 1.x files. */
25 static const char old_netxray_magic[MAGIC_SIZE] = {
29 /* Magic number in NetXRay 2.0 and later, and Windows Sniffer, files. */
30 static const char netxray_magic[MAGIC_SIZE] = {
34 /* NetXRay file header (minus magic number). */
36 /* As field usages are identified, please revise as needed */
37 /* Please do *not* use netxray_hdr xxx... names in the code */
38 /* (Placeholder names for all 'unknown' fields are */
39 /* of form xxx_x<hex_hdr_offset> */
40 /* where <hex_hdr_offset> *includes* the magic number) */
43 char version[8]; /* version number */
44 guint32 start_time; /* UNIX [UTC] time when capture started */
46 guint32 nframes; /* number of packets */
47 guint32 xxx_x14; /* unknown [some kind of file offset] */
48 guint32 start_offset; /* offset of first packet in capture */
49 guint32 end_offset; /* offset after last packet in capture */
51 guint32 xxx_x20; /* unknown [some kind of file offset] */
52 guint32 xxx_x24; /* unknown [unused ?] */
53 guint32 xxx_x28; /* unknown [some kind of file offset] */
54 guint8 network; /* datalink type */
55 guint8 network_plus; /* [See code] */
56 guint8 xxx_x2E[2]; /* unknown */
58 guint8 timeunit; /* encodes length of a tick */
59 guint8 xxx_x31[3]; /* XXX - upper 3 bytes of timeunit ? */
60 guint32 timelo; /* lower 32 bits of capture start time stamp */
61 guint32 timehi; /* upper 32 bits of capture start time stamp */
62 guint32 linespeed; /* speed of network, in bits/second */
64 guint8 xxx_x40[12]; /* unknown [other stuff] */
65 guint8 realtick[4]; /* (ticks/sec for Ethernet/Ndis/Timeunit=2 ?) */
66 /* (realtick[1], realtick[2] also currently */
67 /* used as flag for 'FCS presence') */
69 guint8 xxx_x50[4]; /* unknown [other stuff] */
70 guint8 captype; /* capture type */
71 guint8 xxx_x55[3]; /* unknown [other stuff] */
72 guint8 xxx_x58[4]; /* unknown [other stuff] */
73 guint8 wan_hdlc_subsub_captype; /* WAN HDLC subsub_captype */
74 guint8 xxx_x5D[3]; /* unknown [other stuff] */
76 guint8 xxx_x60[16]; /* unknown [other stuff] */
78 guint8 xxx_x70[14]; /* unknown [other stuff] */
79 gint16 timezone_hrs; /* timezone hours [at least for version 2.2..]; */
80 /* positive values = west of UTC: */
81 /* negative values = east of UTC: */
82 /* e.g. +5 is American Eastern */
83 /* [Does not appear to be adjusted for DST ] */
87 * Capture type, in hdr.captype.
89 * Values other than 0 are dependent on the network type.
90 * For Ethernet captures, it indicates the type of capture pod.
91 * For WAN captures (all of which are done with a pod), it indicates
92 * the link-layer type.
94 #define CAPTYPE_NDIS 0 /* Capture on network interface using NDIS */
97 * Ethernet capture types.
99 #define ETH_CAPTYPE_GIGPOD 2 /* gigabit Ethernet captured with pod */
100 #define ETH_CAPTYPE_OTHERPOD 3 /* non-gigabit Ethernet captured with pod */
101 #define ETH_CAPTYPE_OTHERPOD2 5 /* gigabit Ethernet via pod ?? */
102 /* Captype 5 seen in capture from Distributed Sniffer with: */
103 /* Version 4.50.211 software */
104 /* SysKonnect SK-9843 Gigabit Ethernet Server Adapter */
105 #define ETH_CAPTYPE_GIGPOD2 6 /* gigabit Ethernet, captured with blade on S6040-model Sniffer */
110 #define WAN_CAPTYPE_BROUTER 1 /* Bridge/router captured with pod */
111 #define WAN_CAPTYPE_PPP 3 /* PPP captured with pod */
112 #define WAN_CAPTYPE_FRELAY 4 /* Frame Relay captured with pod */
113 #define WAN_CAPTYPE_BROUTER2 5 /* Bridge/router captured with pod */
114 #define WAN_CAPTYPE_HDLC 6 /* HDLC (X.25, ISDN) captured with pod */
115 #define WAN_CAPTYPE_SDLC 7 /* SDLC captured with pod */
116 #define WAN_CAPTYPE_HDLC2 8 /* HDLC captured with pod */
117 #define WAN_CAPTYPE_BROUTER3 9 /* Bridge/router captured with pod */
118 #define WAN_CAPTYPE_SMDS 10 /* SMDS DXI */
119 #define WAN_CAPTYPE_BROUTER4 11 /* Bridge/router captured with pod */
120 #define WAN_CAPTYPE_BROUTER5 12 /* Bridge/router captured with pod */
121 #define WAN_CAPTYPE_CHDLC 19 /* Cisco router (CHDLC) captured with pod */
123 #define CAPTYPE_ATM 15 /* ATM captured with pod */
126 * # of ticks that equal 1 second, in version 002.xxx files other
127 * than Ethernet captures with a captype other than CAPTYPE_NDIS;
128 * the index into this array is hdr.timeunit.
130 * DO NOT SEND IN PATCHES THAT CHANGE ANY OF THE NON-ZERO VALUES IN
131 * ANY OF THE TpS TABLES. THOSE VALUES ARE CORRECT FOR AT LEAST ONE
132 * CAPTURE, SO CHANGING THEM WILL BREAK AT LEAST SOME CAPTURES. WE
133 * WILL NOT CHECK IN PATCHES THAT CHANGE THESE VALUES.
135 * Instead, if a value in a TpS table is wrong, check whether captype
136 * has a non-zero value; if so, perhaps we need a new TpS table for the
137 * corresponding network type and captype, or perhaps the 'realtick'
138 * field contains the correct ticks-per-second value.
140 * TpS...[] entries of 0.0 mean that no capture file for the
141 * corresponding captype/timeunit values has yet been seen, or that
142 * we're using the 'realtick' value.
144 * XXX - 05/29/07: For Ethernet captype = 0 (NDIS) and timeunit = 2:
145 * Perusal of a number of Sniffer captures
146 * (including those from Wireshark bug reports
147 * and those from the Wireshark 'menagerie')
148 * suggests that 'realtick' for this case
149 * contains the correct ticks/second to be used.
150 * So: we'll use realtick for Ethernet captype=0 and timeunit=2.
151 * (It might be that realtick should be used for Ethernet captype = 0
152 * and timeunit = 1 but I've not yet enough captures to be sure).
153 * Based upon the captures reviewed to date, realtick cannot be used for
154 * any of the other Ethernet captype/timeunit combinations for which there
155 * are non-zero values in the TpS tables.
157 * In at least one capture where "realtick" doesn't correspond
158 * to the value from the appropriate TpS table, the per-packet header's
159 * "xxx" field is all zero, so it's not as if a 2.x header includes
160 * a "compatibility" time stamp corresponding to the value from the
161 * TpS table and a "real" time stamp corresponding to "realtick".
163 * XXX - the item corresponding to timeunit = 2 is 1193180.0, presumably
164 * because somebody found it gave the right answer for some captures, but
165 * 3 times that, i.e. 3579540.0, appears to give the right answer for some
168 * Some captures have realtick of 1193182, some have 3579545, and some
169 * have 1193000. Most of those, in one set of captures somebody has,
170 * are wrong. (Did that mean "wrong for some capture files, but not
171 * for the files in which they occurred", or "wrong for the files in
172 * which they occurred? If it's "wrong for some capture files, but
173 * not for the files in which they occurred", perhaps those were Ethernet
174 * captures with a captype of 0 and timeunit = 2, so that we now use
175 * realtick, and perhaps that fixes the problems.)
177 * XXX - in at least one ATM capture, hdr.realtick is 1193180.0
178 * and hdr.timeunit is 0. Does that capture have a captype of
179 * CAPTYPE_ATM? If so, what should the table for ATM captures with
182 static const double TpS[] = { 1e6, 1193000.0, 1193182.0 };
183 #define NUM_NETXRAY_TIMEUNITS (sizeof TpS / sizeof TpS[0])
186 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_GIGPOD.
187 * 0.0 means "unknown".
189 * It appears that, at least for Ethernet captures, if captype is
190 * ETH_CAPTYPE_GIGPOD, that indicates that it's a gigabit Ethernet
191 * capture, possibly from a special whizzo gigabit pod, and also
192 * indicates that the time stamps have some higher resolution than
193 * in other captures, possibly thanks to a high-resolution timer
196 * It also appears that the time units might differ for gigabit pod
197 * captures between version 002.001 and 002.002. For 002.001,
198 * the values below are correct; for 002.002, it's claimed that
199 * the right value for TpS_gigpod[2] is 1250000.0, but at least one
200 * 002.002 gigabit pod capture has 31250000.0 as the right value.
201 * XXX: Note that the TpS_otherpod[2] value is 1250000.0; It seems
202 * reasonable to suspect that the original claim might actually
203 * have been for a capture with a captype of 'otherpod'.
204 * (Based upon captures reviewed realtick does not contain the
205 * correct TpS values for the 'gigpod' captype).
207 static const double TpS_gigpod[] = { 1e9, 0.0, 31250000.0 };
208 #define NUM_NETXRAY_TIMEUNITS_GIGPOD (sizeof TpS_gigpod / sizeof TpS_gigpod[0])
211 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_OTHERPOD.
212 * (Based upon captures reviewed realtick does not contain the
213 * correct TpS values for the 'otherpod' captype).
215 static const double TpS_otherpod[] = { 1e6, 0.0, 1250000.0 };
216 #define NUM_NETXRAY_TIMEUNITS_OTHERPOD (sizeof TpS_otherpod / sizeof TpS_otherpod[0])
219 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_OTHERPOD2.
220 * (Based upon captures reviewed realtick does not contain the
221 * correct TpS values for the 'otherpod2' captype).
223 static const double TpS_otherpod2[] = { 1e6, 0.0, 0.0 };
224 #define NUM_NETXRAY_TIMEUNITS_OTHERPOD2 (sizeof TpS_otherpod2 / sizeof TpS_otherpod2[0])
227 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_GIGPOD2.
228 * (Based upon captures reviewed realtick does not contain the
229 * correct TpS values for the 'gigpod2' captype).
231 static const double TpS_gigpod2[] = { 1e9, 0.0, 20000000.0 };
232 #define NUM_NETXRAY_TIMEUNITS_GIGPOD2 (sizeof TpS_gigpod2 / sizeof TpS_gigpod2[0])
234 /* Version number strings. */
235 static const char vers_1_0[] = {
236 '0', '0', '1', '.', '0', '0', '0', '\0'
239 static const char vers_1_1[] = {
240 '0', '0', '1', '.', '1', '0', '0', '\0'
243 static const char vers_2_000[] = {
244 '0', '0', '2', '.', '0', '0', '0', '\0'
247 static const char vers_2_001[] = {
248 '0', '0', '2', '.', '0', '0', '1', '\0'
251 static const char vers_2_002[] = {
252 '0', '0', '2', '.', '0', '0', '2', '\0'
255 static const char vers_2_003[] = {
256 '0', '0', '2', '.', '0', '0', '3', '\0'
259 /* Old NetXRay data record format - followed by frame data. */
260 struct old_netxrayrec_hdr {
261 guint32 timelo; /* lower 32 bits of time stamp */
262 guint32 timehi; /* upper 32 bits of time stamp */
263 guint16 len; /* packet length */
264 guint8 xxx[6]; /* unknown */
267 /* NetXRay format version 1.x data record format - followed by frame data. */
268 struct netxrayrec_1_x_hdr {
269 guint32 timelo; /* lower 32 bits of time stamp */
270 guint32 timehi; /* upper 32 bits of time stamp */
271 guint16 orig_len; /* packet length */
272 guint16 incl_len; /* capture length */
273 guint8 xxx[16]; /* unknown */
277 * NetXRay format version 2.x data record format - followed by frame data.
279 * The xxx fields appear to be:
281 * xxx[0]: ATM traffic type and subtype in the low 3 bits of
282 * each nibble, and flags(?) in the upper bit of each nibble.
284 * xxx[2], xxx[3]: for Ethernet, 802.11, ISDN LAPD, LAPB,
285 * Frame Relay, if both are 0xff, there are 4 bytes of stuff
286 * at the end of the packet data, which might be an FCS or
287 * which might be junk to discard.
289 * xxx[8], xxx[9]: 2 bytes of a flag word? If treated as
290 * a 2-byte little-endian flag word:
292 * 0x0001: Error of some sort, including bad CRC, although
293 * in one ISDN capture it's set in some B2 channel
294 * packets of unknown content (as opposed to the B1
295 * traffic in the capture, which is PPP)
296 * 0x0004: Some particular type of error?
297 * 0x0008: For (Gigabit?) Ethernet (with special probe?),
298 * 4 bytes at end are junk rather than CRC?
299 * 0x0100: CRC error on ATM? Protected and Not decrypted
301 * 0x0200: Something for ATM? Something else for 802.11?
302 * 0x0400: raw ATM cell
304 * 0x2000: port on which the packet was captured?
306 * The Sniffer Portable 4.8 User's Guide lists a set of packet status
310 * packet was captured from Port A on the pod or adapter card;
311 * packet was captured from Port B on the pod or adapter card;
312 * packet has a symptom or diagnosis associated with it;
313 * packet is an event filter trigger;
314 * CRC error packet with normal packet size;
315 * CRC error packet with oversize error;
316 * packet size < 64 bytes (including CRC) but with valid CRC;
317 * packet size < 64 bytes (including CRC) with CRC error;
318 * packet size > 1518 bytes (including CRC) but with valid CRC;
319 * packet damaged by a collision;
320 * packet length not a multiple of 8 bits;
321 * address conflict in the ring on Token Ring;
322 * packet is not copied (received) by the destination host on
325 * AAL5 maximum segments error;
329 * and a ton of AAL2 errors.
331 * Not all those bits necessarily correspond to flag bits in the file,
334 * In one ATM capture, the 0x2000 bit was set for all frames; in another,
335 * it's unset for all frames. This, plus the ATMbook having two ports,
336 * suggests that it *might* be a "port A vs. port B" flag.
338 * The 0x0001 bit appears to be set for CRC errors on Ethernet and 802.11.
339 * It also appears to be set on ATM for AAL5 PDUs that appear to be
340 * completely reassembled and that have a CRC error and for frames that
341 * appear to be part of a full AAL5 PDU. In at least two files with
342 * frames of the former type, the 0x0100 and 0x0200 flags are set;
343 * in at least one file with frames of the latter type, neither of
344 * those flags are set.
346 * The field appears to be somewhat random in some captures,
349 * xxx[11]: for 802.11, 0x05 if the packet is WEP-encrypted(?).
351 * xxx[12]: for 802.11, channel number.
353 * xxx[13]: for 802.11, data rate.
355 * xxx[14]: for 802.11, signal strength.
357 * xxx[15]: for 802.11, noise level; 0xFF means none reported,
360 * xxx[20-25]: for 802.11, MAC address of sending machine(?).
362 struct netxrayrec_2_x_hdr {
363 guint32 timelo; /* lower 32 bits of time stamp */
364 guint32 timehi; /* upper 32 bits of time stamp */
365 guint16 orig_len; /* packet length */
366 guint16 incl_len; /* capture length */
367 guint8 xxx[28]; /* various data */
371 * Union of the data record headers.
373 union netxrayrec_hdr {
374 struct old_netxrayrec_hdr old_hdr;
375 struct netxrayrec_1_x_hdr hdr_1_x;
376 struct netxrayrec_2_x_hdr hdr_2_x;
381 double ticks_per_sec;
382 double start_timestamp;
388 gboolean fcs_valid; /* if packets have valid FCS at the end */
389 guint isdn_type; /* 1 = E1 PRI, 2 = T1 PRI, 3 = BRI */
392 static gboolean netxray_read(wtap *wth, wtap_rec *rec, Buffer *buf,
393 int *err, gchar **err_info, gint64 *data_offset);
394 static gboolean netxray_seek_read(wtap *wth, gint64 seek_off,
395 wtap_rec *rec, Buffer *buf, int *err, gchar **err_info);
396 static int netxray_process_rec_header(wtap *wth, FILE_T fh,
397 wtap_rec *rec, int *err, gchar **err_info);
398 static void netxray_guess_atm_type(wtap *wth, wtap_rec *rec,
400 static gboolean netxray_dump_1_1(wtap_dumper *wdh,
402 const guint8 *pd, int *err, gchar **err_info);
403 static gboolean netxray_dump_finish_1_1(wtap_dumper *wdh, int *err);
404 static gboolean netxray_dump_2_0(wtap_dumper *wdh,
406 const guint8 *pd, int *err, gchar **err_info);
407 static gboolean netxray_dump_finish_2_0(wtap_dumper *wdh, int *err);
410 netxray_open(wtap *wth, int *err, gchar **err_info)
412 char magic[MAGIC_SIZE];
414 struct netxray_hdr hdr;
416 double ticks_per_sec;
417 int version_major, version_minor;
419 double start_timestamp;
420 static const int netxray_encap[] = {
423 WTAP_ENCAP_TOKEN_RING,
424 WTAP_ENCAP_FDDI_BITSWAPPED,
426 * XXX - some PPP captures may look like Ethernet,
427 * perhaps because they're using NDIS to capture on the
428 * same machine and it provides simulated-Ethernet
429 * packets, but captures taken with various serial
430 * pods use the same network type value but aren't
431 * shaped like Ethernet. We handle that below.
433 WTAP_ENCAP_ETHERNET, /* WAN(PPP), but shaped like Ethernet */
434 WTAP_ENCAP_UNKNOWN, /* LocalTalk */
435 WTAP_ENCAP_UNKNOWN, /* "DIX" - should not occur */
436 WTAP_ENCAP_UNKNOWN, /* ARCNET raw */
437 WTAP_ENCAP_UNKNOWN, /* ARCNET 878.2 */
438 WTAP_ENCAP_ATM_PDUS_UNTRUNCATED,/* ATM */
439 WTAP_ENCAP_IEEE_802_11_WITH_RADIO,
440 /* Wireless WAN with radio information */
441 WTAP_ENCAP_UNKNOWN /* IrDA */
443 #define NUM_NETXRAY_ENCAPS (sizeof netxray_encap / sizeof netxray_encap[0])
448 /* Read in the string that should be at the start of a NetXRay
450 if (!wtap_read_bytes(wth->fh, magic, MAGIC_SIZE, err, err_info)) {
451 if (*err != WTAP_ERR_SHORT_READ)
452 return WTAP_OPEN_ERROR;
453 return WTAP_OPEN_NOT_MINE;
456 if (memcmp(magic, netxray_magic, MAGIC_SIZE) == 0) {
458 } else if (memcmp(magic, old_netxray_magic, MAGIC_SIZE) == 0) {
461 return WTAP_OPEN_NOT_MINE;
464 /* Read the rest of the header. */
465 if (!wtap_read_bytes(wth->fh, &hdr, sizeof hdr, err, err_info))
466 return WTAP_OPEN_ERROR;
471 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_OLD;
473 /* It appears that version 1.1 files (as produced by Windows
474 * Sniffer Pro 2.0.01) have the time stamp in microseconds,
475 * rather than the milliseconds version 1.0 files appear to
478 * It also appears that version 2.00x files have per-packet
479 * headers with some extra fields. */
480 if (memcmp(hdr.version, vers_1_0, sizeof vers_1_0) == 0) {
483 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_1_0;
484 } else if (memcmp(hdr.version, vers_1_1, sizeof vers_1_1) == 0) {
487 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_1_1;
488 } else if (memcmp(hdr.version, vers_2_000, sizeof vers_2_000) == 0) {
491 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_2_00x;
492 } else if (memcmp(hdr.version, vers_2_001, sizeof vers_2_001) == 0) {
495 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_2_00x;
496 } else if (memcmp(hdr.version, vers_2_002, sizeof vers_2_002) == 0) {
499 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_2_00x;
500 } else if (memcmp(hdr.version, vers_2_003, sizeof vers_2_003) == 0) {
503 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_2_00x;
505 *err = WTAP_ERR_UNSUPPORTED;
506 *err_info = g_strdup_printf("netxray: version \"%.8s\" unsupported", hdr.version);
507 return WTAP_OPEN_ERROR;
511 switch (hdr.network_plus) {
515 * The byte after hdr.network is usually 0, in which case
516 * the hdr.network byte is an NDIS network type value - 1.
518 network_type = hdr.network + 1;
523 * However, in some Ethernet captures, it's 2, and the
524 * hdr.network byte is 1 rather than 0. We assume
525 * that if there's a byte after hdr.network with the value
526 * 2, the hdr.network byte is an NDIS network type, rather
527 * than an NDIS network type - 1.
529 network_type = hdr.network;
533 *err = WTAP_ERR_UNSUPPORTED;
534 *err_info = g_strdup_printf("netxray: the byte after the network type has the value %u, which I don't understand",
536 return WTAP_OPEN_ERROR;
539 if (network_type >= NUM_NETXRAY_ENCAPS
540 || netxray_encap[network_type] == WTAP_ENCAP_UNKNOWN) {
541 *err = WTAP_ERR_UNSUPPORTED;
542 *err_info = g_strdup_printf("netxray: network type %u (%u) unknown or unsupported",
543 network_type, hdr.network_plus);
544 return WTAP_OPEN_ERROR;
548 * Figure out the time stamp units and start time stamp.
550 start_timestamp = (double)pletoh32(&hdr.timelo)
551 + (double)pletoh32(&hdr.timehi)*4294967296.0;
554 case WTAP_FILE_TYPE_SUBTYPE_NETXRAY_OLD:
555 ticks_per_sec = 1000.0;
556 wth->file_tsprec = WTAP_TSPREC_MSEC;
559 case WTAP_FILE_TYPE_SUBTYPE_NETXRAY_1_0:
560 ticks_per_sec = 1000.0;
561 wth->file_tsprec = WTAP_TSPREC_MSEC;
564 case WTAP_FILE_TYPE_SUBTYPE_NETXRAY_1_1:
566 * In version 1.1 files (as produced by Windows Sniffer
567 * Pro 2.0.01), the time stamp is in microseconds,
568 * rather than the milliseconds time stamps in NetXRay
569 * and older versions of Windows Sniffer.
571 ticks_per_sec = 1000000.0;
572 wth->file_tsprec = WTAP_TSPREC_USEC;
575 case WTAP_FILE_TYPE_SUBTYPE_NETXRAY_2_00x:
577 * Get the time stamp units from the appropriate TpS
578 * table or from the file header.
580 switch (network_type) {
584 * Ethernet - the table to use depends on whether
585 * this is an NDIS or pod capture.
587 switch (hdr.captype) {
590 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS) {
591 *err = WTAP_ERR_UNSUPPORTED;
592 *err_info = g_strdup_printf(
593 "netxray: Unknown timeunit %u for Ethernet/CAPTYPE_NDIS version %.8s capture",
594 hdr.timeunit, hdr.version);
595 return WTAP_OPEN_ERROR;
598 XXX: 05/29/07: Use 'realtick' instead of TpS table if timeunit=2;
599 Using 'realtick' in this case results
600 in the correct 'ticks per second' for all the captures that
601 I have of this type (including captures from a number of Wireshark
604 if (hdr.timeunit == 2) {
605 ticks_per_sec = pletoh32(hdr.realtick);
608 ticks_per_sec = TpS[hdr.timeunit];
612 case ETH_CAPTYPE_GIGPOD:
613 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_GIGPOD
614 || TpS_gigpod[hdr.timeunit] == 0.0) {
615 *err = WTAP_ERR_UNSUPPORTED;
616 *err_info = g_strdup_printf(
617 "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_GIGPOD version %.8s capture",
618 hdr.timeunit, hdr.version);
619 return WTAP_OPEN_ERROR;
621 ticks_per_sec = TpS_gigpod[hdr.timeunit];
624 * At least for 002.002 and 002.003
625 * captures, the start time stamp is 0,
626 * not the value in the file.
628 if (version_minor == 2 || version_minor == 3)
629 start_timestamp = 0.0;
632 case ETH_CAPTYPE_OTHERPOD:
633 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_OTHERPOD
634 || TpS_otherpod[hdr.timeunit] == 0.0) {
635 *err = WTAP_ERR_UNSUPPORTED;
636 *err_info = g_strdup_printf(
637 "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_OTHERPOD version %.8s capture",
638 hdr.timeunit, hdr.version);
639 return WTAP_OPEN_ERROR;
641 ticks_per_sec = TpS_otherpod[hdr.timeunit];
644 * At least for 002.002 and 002.003
645 * captures, the start time stamp is 0,
646 * not the value in the file.
648 if (version_minor == 2 || version_minor == 3)
649 start_timestamp = 0.0;
652 case ETH_CAPTYPE_OTHERPOD2:
653 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_OTHERPOD2
654 || TpS_otherpod2[hdr.timeunit] == 0.0) {
655 *err = WTAP_ERR_UNSUPPORTED;
656 *err_info = g_strdup_printf(
657 "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_OTHERPOD2 version %.8s capture",
658 hdr.timeunit, hdr.version);
659 return WTAP_OPEN_ERROR;
661 ticks_per_sec = TpS_otherpod2[hdr.timeunit];
663 * XXX: start time stamp in the one capture file examined of this type was 0;
664 * We'll assume the start time handling is the same as for other pods.
666 * At least for 002.002 and 002.003
667 * captures, the start time stamp is 0,
668 * not the value in the file.
670 if (version_minor == 2 || version_minor == 3)
671 start_timestamp = 0.0;
674 case ETH_CAPTYPE_GIGPOD2:
675 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_GIGPOD2
676 || TpS_gigpod2[hdr.timeunit] == 0.0) {
677 *err = WTAP_ERR_UNSUPPORTED;
678 *err_info = g_strdup_printf(
679 "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_GIGPOD2 version %.8s capture",
680 hdr.timeunit, hdr.version);
681 return WTAP_OPEN_ERROR;
683 ticks_per_sec = TpS_gigpod2[hdr.timeunit];
685 * XXX: start time stamp in the one capture file examined of this type was 0;
686 * We'll assume the start time handling is the same as for other pods.
688 * At least for 002.002 and 002.003
689 * captures, the start time stamp is 0,
690 * not the value in the file.
692 if (version_minor == 2 || version_minor == 3)
693 start_timestamp = 0.0;
697 *err = WTAP_ERR_UNSUPPORTED;
698 *err_info = g_strdup_printf(
699 "netxray: Unknown capture type %u for Ethernet version %.8s capture",
700 hdr.captype, hdr.version);
701 return WTAP_OPEN_ERROR;
706 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS) {
707 *err = WTAP_ERR_UNSUPPORTED;
708 *err_info = g_strdup_printf(
709 "netxray: Unknown timeunit %u for %u/%u version %.8s capture",
710 hdr.timeunit, network_type, hdr.captype,
712 return WTAP_OPEN_ERROR;
714 ticks_per_sec = TpS[hdr.timeunit];
719 * If the number of ticks per second is greater than
720 * 1 million, make the precision be nanoseconds rather
723 * XXX - do values only slightly greater than one million
724 * correspond to a resolution sufficiently better than
725 * 1 microsecond to display more digits of precision?
726 * XXX - Seems reasonable to use nanosecs only if TPS >= 10M
728 if (ticks_per_sec >= 1e7)
729 wth->file_tsprec = WTAP_TSPREC_NSEC;
731 wth->file_tsprec = WTAP_TSPREC_USEC;
735 g_assert_not_reached();
738 start_timestamp = start_timestamp/ticks_per_sec;
740 if (network_type == 4) {
742 * In version 0 and 1, we assume, for now, that all
743 * WAN captures have frames that look like Ethernet
744 * frames (as a result, presumably, of having passed
747 * In version 2, it looks as if there's stuff in the
748 * file header to specify what particular type of WAN
751 if (version_major == 2) {
752 switch (hdr.captype) {
754 case WAN_CAPTYPE_PPP:
758 file_encap = WTAP_ENCAP_PPP_WITH_PHDR;
761 case WAN_CAPTYPE_FRELAY:
765 * XXX - in at least one capture, this
766 * is Cisco HDLC, not Frame Relay, but
767 * in another capture, it's Frame Relay.
769 * [Bytes in each capture:
770 * Cisco HDLC: hdr.xxx_x60[06:10]: 0x02 0x00 0x01 0x00 0x06
771 * Frame Relay: hdr.xxx_x60[06:10] 0x00 0x00 0x00 0x00 0x00
773 * Cisco HDLC: hdr.xxx_x60[14:15]: 0xff 0xff
774 * Frame Relay: hdr.xxx_x60[14:15]: 0x00 0x00
777 file_encap = WTAP_ENCAP_FRELAY_WITH_PHDR;
780 case WAN_CAPTYPE_HDLC:
781 case WAN_CAPTYPE_HDLC2:
783 * Various HDLC flavors?
785 switch (hdr.wan_hdlc_subsub_captype) {
787 case 0: /* LAPB/X.25 */
789 * XXX - at least one capture of
790 * this type appears to be PPP.
792 file_encap = WTAP_ENCAP_LAPB;
798 file_encap = WTAP_ENCAP_ISDN;
799 isdn_type = hdr.wan_hdlc_subsub_captype;
803 *err = WTAP_ERR_UNSUPPORTED;
804 *err_info = g_strdup_printf("netxray: WAN HDLC capture subsubtype 0x%02x unknown or unsupported",
805 hdr.wan_hdlc_subsub_captype);
806 return WTAP_OPEN_ERROR;
810 case WAN_CAPTYPE_SDLC:
814 file_encap = WTAP_ENCAP_SDLC;
817 case WAN_CAPTYPE_CHDLC:
819 * Cisco router (CHDLC) captured with pod
821 file_encap = WTAP_ENCAP_CHDLC_WITH_PHDR;
825 *err = WTAP_ERR_UNSUPPORTED;
826 *err_info = g_strdup_printf("netxray: WAN capture subtype 0x%02x unknown or unsupported",
828 return WTAP_OPEN_ERROR;
831 file_encap = WTAP_ENCAP_ETHERNET;
833 file_encap = netxray_encap[network_type];
835 /* This is a netxray file */
836 wth->file_type_subtype = file_type;
837 netxray = (netxray_t *)g_malloc(sizeof(netxray_t));
838 wth->priv = (void *)netxray;
839 wth->subtype_read = netxray_read;
840 wth->subtype_seek_read = netxray_seek_read;
841 wth->file_encap = file_encap;
842 wth->snapshot_length = 0; /* not available in header */
843 netxray->start_time = pletoh32(&hdr.start_time);
844 netxray->ticks_per_sec = ticks_per_sec;
845 netxray->start_timestamp = start_timestamp;
846 netxray->version_major = version_major;
849 * If frames have an extra 4 bytes of stuff at the end, is
850 * it an FCS, or just junk?
852 netxray->fcs_valid = FALSE;
853 switch (file_encap) {
855 case WTAP_ENCAP_ETHERNET:
856 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
857 case WTAP_ENCAP_ISDN:
858 case WTAP_ENCAP_LAPB:
860 * It appears that, in at least some version 2 Ethernet
861 * captures, for frames that have 0xff in hdr_2_x.xxx[2]
862 * and hdr_2_x.xxx[3] in the per-packet header:
864 * if, in the file header, hdr.realtick[1] is 0x34
865 * and hdr.realtick[2] is 0x12, the frames have an
868 * otherwise, they have 4 bytes of junk at the end.
870 * Yes, it's strange that you have to check the *middle*
871 * of the time stamp field; you can't check for any
872 * particular value of the time stamp field.
874 * For now, we assume that to be true for 802.11 captures
875 * as well; it appears to be the case for at least one
876 * such capture - the file doesn't have 0x34 and 0x12,
877 * and the 4 bytes at the end of the frames with 0xff
878 * are junk, not an FCS.
880 * For ISDN captures, it appears, at least in some
881 * captures, to be similar, although I haven't yet
882 * checked whether it's a valid FCS.
884 * XXX - should we do this for all encapsulation types?
886 * XXX - is there some other field that *really* indicates
887 * whether we have an FCS or not? The check of the time
888 * stamp is bizarre, as we're checking the middle.
889 * Perhaps hdr.realtick[0] is 0x00, in which case time
890 * stamp units in the range 1192960 through 1193215
891 * correspond to captures with an FCS, but that's still
894 * Note that there are captures with a network type of 0
895 * (Ethernet) and capture type of 0 (NDIS) that do, and
896 * that don't, have 0x34 0x12 in them, and at least one
897 * of the NDIS captures with 0x34 0x12 in it has FCSes,
898 * so it's not as if no NDIS captures have an FCS.
900 * There are also captures with a network type of 4 (WAN),
901 * capture type of 6 (HDLC), and subtype of 2 (T1 PRI) that
902 * do, and that don't, have 0x34 0x12, so there are at least
903 * some captures taken with a WAN pod that might lack an FCS.
904 * (We haven't yet tried dissecting the 4 bytes at the
905 * end of packets with hdr_2_x.xxx[2] and hdr_2_x.xxx[3]
906 * equal to 0xff as an FCS.)
908 * All captures I've seen that have 0x34 and 0x12 *and*
909 * have at least one frame with an FCS have a value of
910 * 0x01 in xxx_x40[4]. No captures I've seen with a network
911 * type of 0 (Ethernet) missing 0x34 0x12 have 0x01 there,
912 * however. However, there's at least one capture
913 * without 0x34 and 0x12, with a network type of 0,
914 * and with 0x01 in xxx_x40[4], *without* FCSes in the
915 * frames - the 4 bytes at the end are all zero - so it's
916 * not as simple as "xxx_x40[4] = 0x01 means the 4 bytes at
917 * the end are FCSes". Also, there's also at least one
918 * 802.11 capture with an xxx_x40[4] value of 0x01 with junk
919 * rather than an FCS at the end of the frame, so xxx_x40[4]
920 * isn't an obvious flag to determine whether the
923 * There don't seem to be any other values in any of the
924 * xxx_x5..., xxx_x6...., xxx_x7.... fields
925 * that obviously correspond to frames having an FCS.
927 * 05/29/07: Examination of numerous sniffer captures suggests
928 * that the apparent correlation of certain realtick
929 * bytes to 'FCS presence' may actually be
930 * a 'false positive'.
931 * ToDo: Review analysis and update code.
932 * It might be that the ticks-per-second value
933 * is hardware-dependent, and that hardware with
934 * a particular realtick value puts an FCS there
935 * and other hardware doesn't.
937 if (version_major == 2) {
938 if (hdr.realtick[1] == 0x34 && hdr.realtick[2] == 0x12)
939 netxray->fcs_valid = TRUE;
945 * Remember the ISDN type, as we need it to interpret the
946 * channel number in ISDN captures.
948 netxray->isdn_type = isdn_type;
950 /* Remember the offset after the last packet in the capture (which
951 * isn't necessarily the last packet in the file), as it appears
952 * there's sometimes crud after it.
953 * XXX: Remember 'start_offset' to help testing for 'short file' at EOF
955 netxray->wrapped = FALSE;
956 netxray->nframes = pletoh32(&hdr.nframes);
957 netxray->start_offset = pletoh32(&hdr.start_offset);
958 netxray->end_offset = pletoh32(&hdr.end_offset);
960 /* Seek to the beginning of the data records. */
961 if (file_seek(wth->fh, netxray->start_offset, SEEK_SET, err) == -1) {
962 return WTAP_OPEN_ERROR;
965 return WTAP_OPEN_MINE;
968 /* Read the next packet */
970 netxray_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err,
971 gchar **err_info, gint64 *data_offset)
973 netxray_t *netxray = (netxray_t *)wth->priv;
978 * Return the offset of the record header, so we can reread it
979 * if we go back to this frame.
981 *data_offset = file_tell(wth->fh);
983 /* Have we reached the end of the packet data? */
984 if (*data_offset == netxray->end_offset) {
986 *err = 0; /* it's just an EOF, not an error */
990 /* Read and process record header. */
991 padding = netxray_process_rec_header(wth, wth->fh, rec, err, err_info);
998 * Error of some sort; give up.
1003 /* We're at EOF. Wrap?
1004 * XXX: Need to handle 'short file' cases
1005 * (Distributed Sniffer seems to have a
1006 * certain small propensity to generate 'short' files
1007 * i.e. [many] bytes are missing from the end of the file)
1008 * case 1: start_offset < end_offset
1009 * wrap will read already read packets again;
1010 * so: error with "short file"
1011 * case 2: start_offset > end_offset ("circular" file)
1012 * wrap will mean there's a gap (missing packets).
1013 * However, I don't see a good way to identify this
1014 * case so we'll just have to allow the wrap.
1015 * (Maybe there can be an error message after all
1016 * packets are read since there'll be less packets than
1017 * specified in the file header).
1018 * Note that these cases occur *only* if a 'short' eof occurs exactly
1019 * at the expected beginning of a frame header record; If there is a
1020 * partial frame header (or partial frame data) record, then the
1021 * netxray_read... functions will detect the short record.
1023 if (netxray->start_offset < netxray->end_offset) {
1024 *err = WTAP_ERR_SHORT_READ;
1028 if (!netxray->wrapped) {
1029 /* Yes. Remember that we did. */
1030 netxray->wrapped = TRUE;
1031 if (file_seek(wth->fh, CAPTUREFILE_HEADER_SIZE,
1032 SEEK_SET, err) == -1)
1037 /* We've already wrapped - don't wrap again. */
1042 * Read the packet data.
1044 if (!wtap_read_packet_bytes(wth->fh, buf,
1045 rec->rec_header.packet_header.caplen, err, err_info))
1049 * If there's extra stuff at the end of the record, skip it.
1051 if (!wtap_read_bytes(wth->fh, NULL, padding, err, err_info))
1055 * If it's an ATM packet, and we don't have enough information
1056 * from the packet header to determine its type or subtype,
1057 * attempt to guess them from the packet data.
1059 netxray_guess_atm_type(wth, rec, buf);
1064 netxray_seek_read(wtap *wth, gint64 seek_off,
1065 wtap_rec *rec, Buffer *buf,
1066 int *err, gchar **err_info)
1068 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
1071 if (netxray_process_rec_header(wth, wth->random_fh, rec, err,
1075 * EOF - we report that as a short read, as
1076 * we've read this once and know that it
1079 *err = WTAP_ERR_SHORT_READ;
1085 * Read the packet data.
1087 if (!wtap_read_packet_bytes(wth->random_fh, buf, rec->rec_header.packet_header.caplen, err,
1092 * If it's an ATM packet, and we don't have enough information
1093 * from the packet header to determine its type or subtype,
1094 * attempt to guess them from the packet data.
1096 netxray_guess_atm_type(wth, rec, buf);
1101 netxray_process_rec_header(wtap *wth, FILE_T fh, wtap_rec *rec,
1102 int *err, gchar **err_info)
1104 netxray_t *netxray = (netxray_t *)wth->priv;
1105 union netxrayrec_hdr hdr;
1111 /* Read record header. */
1112 switch (netxray->version_major) {
1115 hdr_size = sizeof (struct old_netxrayrec_hdr);
1119 hdr_size = sizeof (struct netxrayrec_1_x_hdr);
1123 hdr_size = sizeof (struct netxrayrec_2_x_hdr);
1126 if (!wtap_read_bytes_or_eof(fh, (void *)&hdr, hdr_size, err, err_info)) {
1128 * If *err is 0, we're at EOF. *err being 0 and a return
1129 * value of -1 tells our caller we're at EOF.
1131 * Otherwise, we got an error, and *err *not* being 0
1132 * and a return value tells our caller we have an error.
1138 * If this is Ethernet, 802.11, ISDN, X.25, or ATM, set the
1141 switch (netxray->version_major) {
1144 switch (wth->file_encap) {
1146 case WTAP_ENCAP_ETHERNET:
1148 * XXX - if hdr_1_x.xxx[15] is 1
1149 * the frame appears not to have any extra
1150 * stuff at the end, but if it's 0,
1151 * there appears to be 4 bytes of stuff
1152 * at the end, but it's not an FCS.
1154 * Or is that just the low-order bit?
1156 * For now, we just say "no FCS".
1158 rec->rec_header.packet_header.pseudo_header.eth.fcs_len = 0;
1164 switch (wth->file_encap) {
1166 case WTAP_ENCAP_ETHERNET:
1168 * It appears, at least with version 2 captures,
1169 * that we have 4 bytes of stuff (which might be
1170 * a valid FCS or might be junk) at the end of
1171 * the packet if hdr_2_x.xxx[2] and
1172 * hdr_2_x.xxx[3] are 0xff, and we don't if
1175 * It also appears that if the low-order bit of
1176 * hdr_2_x.xxx[8] is set, the packet has a
1179 if (hdr.hdr_2_x.xxx[2] == 0xff &&
1180 hdr.hdr_2_x.xxx[3] == 0xff) {
1182 * We have 4 bytes of stuff at the
1183 * end of the frame - FCS, or junk?
1185 if (netxray->fcs_valid) {
1189 rec->rec_header.packet_header.pseudo_header.eth.fcs_len = 4;
1197 rec->rec_header.packet_header.pseudo_header.eth.fcs_len = 0;
1200 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
1202 * It appears, in one 802.11 capture, that
1203 * we have 4 bytes of junk at the ends of
1204 * frames in which hdr_2_x.xxx[2] and
1205 * hdr_2_x.xxx[3] are 0xff; I haven't
1206 * seen any frames where it's an FCS, but,
1207 * for now, we still check the fcs_valid
1208 * flag - I also haven't seen any capture
1209 * where we'd set it based on the realtick
1212 * It also appears that if the low-order bit of
1213 * hdr_2_x.xxx[8] is set, the packet has a
1214 * bad FCS. According to Ken Mann, the 0x4 bit
1215 * is sometimes also set for errors.
1217 * Ken also says that xxx[11] is 0x5 when the
1218 * packet is WEP-encrypted.
1220 memset(&rec->rec_header.packet_header.pseudo_header.ieee_802_11, 0, sizeof(rec->rec_header.packet_header.pseudo_header.ieee_802_11));
1221 if (hdr.hdr_2_x.xxx[2] == 0xff &&
1222 hdr.hdr_2_x.xxx[3] == 0xff) {
1224 * We have 4 bytes of stuff at the
1225 * end of the frame - FCS, or junk?
1227 if (netxray->fcs_valid) {
1231 rec->rec_header.packet_header.pseudo_header.ieee_802_11.fcs_len = 4;
1239 rec->rec_header.packet_header.pseudo_header.ieee_802_11.fcs_len = 0;
1241 rec->rec_header.packet_header.pseudo_header.ieee_802_11.decrypted = FALSE;
1242 rec->rec_header.packet_header.pseudo_header.ieee_802_11.datapad = FALSE;
1243 rec->rec_header.packet_header.pseudo_header.ieee_802_11.phy = PHDR_802_11_PHY_UNKNOWN;
1246 * XXX - any other information, such as PHY
1247 * type, frequency, 11n/11ac information,
1250 rec->rec_header.packet_header.pseudo_header.ieee_802_11.has_channel = TRUE;
1251 rec->rec_header.packet_header.pseudo_header.ieee_802_11.channel =
1252 hdr.hdr_2_x.xxx[12];
1254 rec->rec_header.packet_header.pseudo_header.ieee_802_11.has_data_rate = TRUE;
1255 rec->rec_header.packet_header.pseudo_header.ieee_802_11.data_rate =
1256 hdr.hdr_2_x.xxx[13];
1258 rec->rec_header.packet_header.pseudo_header.ieee_802_11.has_signal_percent = TRUE;
1259 rec->rec_header.packet_header.pseudo_header.ieee_802_11.signal_percent =
1260 hdr.hdr_2_x.xxx[14];
1263 * According to Ken Mann, at least in the captures
1264 * he's seen, xxx[15] is the noise level, which
1265 * is either 0xFF meaning "none reported" or a value
1266 * from 0x00 to 0x7F for 0 to 100%.
1268 if (hdr.hdr_2_x.xxx[15] != 0xFF) {
1269 rec->rec_header.packet_header.pseudo_header.ieee_802_11.has_noise_percent = TRUE;
1270 rec->rec_header.packet_header.pseudo_header.ieee_802_11.noise_percent =
1271 hdr.hdr_2_x.xxx[15]*100/127;
1275 case WTAP_ENCAP_ISDN:
1279 * The bottommost bit of byte 12 of hdr_2_x.xxx
1280 * is the direction flag.
1282 * The bottom 5 bits of byte 13 of hdr_2_x.xxx
1283 * are the channel number, but some mapping is
1284 * required for PRI. (Is it really just the time
1287 rec->rec_header.packet_header.pseudo_header.isdn.uton =
1288 (hdr.hdr_2_x.xxx[12] & 0x01);
1289 rec->rec_header.packet_header.pseudo_header.isdn.channel =
1290 hdr.hdr_2_x.xxx[13] & 0x1F;
1291 switch (netxray->isdn_type) {
1295 * E1 PRI. Channel numbers 0 and 16
1296 * are the D channel; channel numbers 1
1297 * through 15 are B1 through B15; channel
1298 * numbers 17 through 31 are B16 through
1301 if (rec->rec_header.packet_header.pseudo_header.isdn.channel == 16)
1302 rec->rec_header.packet_header.pseudo_header.isdn.channel = 0;
1303 else if (rec->rec_header.packet_header.pseudo_header.isdn.channel > 16)
1304 rec->rec_header.packet_header.pseudo_header.isdn.channel -= 1;
1309 * T1 PRI. Channel numbers 0 and 24
1310 * are the D channel; channel numbers 1
1311 * through 23 are B1 through B23.
1313 if (rec->rec_header.packet_header.pseudo_header.isdn.channel == 24)
1314 rec->rec_header.packet_header.pseudo_header.isdn.channel = 0;
1315 else if (rec->rec_header.packet_header.pseudo_header.isdn.channel > 24)
1316 rec->rec_header.packet_header.pseudo_header.isdn.channel -= 1;
1321 * It appears, at least with version 2 captures,
1322 * that we have 4 bytes of stuff (which might be
1323 * a valid FCS or might be junk) at the end of
1324 * the packet if hdr_2_x.xxx[2] and
1325 * hdr_2_x.xxx[3] are 0xff, and we don't if
1328 * XXX - does the low-order bit of hdr_2_x.xxx[8]
1329 * indicate a bad FCS, as is the case with
1332 if (hdr.hdr_2_x.xxx[2] == 0xff &&
1333 hdr.hdr_2_x.xxx[3] == 0xff) {
1335 * FCS, or junk, at the end.
1336 * XXX - is it an FCS if "fcs_valid" is
1343 case WTAP_ENCAP_LAPB:
1344 case WTAP_ENCAP_FRELAY_WITH_PHDR:
1346 * LAPB/X.25 and Frame Relay.
1348 * The bottommost bit of byte 12 of hdr_2_x.xxx
1349 * is the direction flag. (Probably true for other
1350 * HDLC encapsulations as well.)
1352 rec->rec_header.packet_header.pseudo_header.dte_dce.flags =
1353 (hdr.hdr_2_x.xxx[12] & 0x01) ? 0x00 : FROM_DCE;
1356 * It appears, at least with version 2 captures,
1357 * that we have 4 bytes of stuff (which might be
1358 * a valid FCS or might be junk) at the end of
1359 * the packet if hdr_2_x.xxx[2] and
1360 * hdr_2_x.xxx[3] are 0xff, and we don't if
1363 * XXX - does the low-order bit of hdr_2_x.xxx[8]
1364 * indicate a bad FCS, as is the case with
1367 if (hdr.hdr_2_x.xxx[2] == 0xff &&
1368 hdr.hdr_2_x.xxx[3] == 0xff) {
1370 * FCS, or junk, at the end.
1371 * XXX - is it an FCS if "fcs_valid" is
1378 case WTAP_ENCAP_PPP_WITH_PHDR:
1379 case WTAP_ENCAP_SDLC:
1380 case WTAP_ENCAP_CHDLC_WITH_PHDR:
1381 rec->rec_header.packet_header.pseudo_header.p2p.sent =
1382 (hdr.hdr_2_x.xxx[12] & 0x01) ? TRUE : FALSE;
1385 case WTAP_ENCAP_ATM_PDUS_UNTRUNCATED:
1387 * XXX - the low-order bit of hdr_2_x.xxx[8]
1388 * seems to indicate some sort of error. In
1389 * at least one capture, a number of packets
1390 * have that flag set, and they appear either
1391 * to be the beginning part of an incompletely
1392 * reassembled AAL5 PDU, with either checksum
1393 * errors at higher levels (possibly due to
1394 * the packet being reported as shorter than
1395 * it actually is, and checksumming failing
1396 * because it doesn't include all the data)
1397 * or "Malformed frame" errors from being
1398 * too short, or appear to be later parts
1399 * of an incompletely reassembled AAL5 PDU
1400 * with the last one in a sequence of errors
1401 * having what looks like an AAL5 trailer,
1402 * with a length and checksum.
1404 * Does it just mean "reassembly failed",
1405 * as appears to be the case in those
1406 * packets, or does it mean "CRC error"
1407 * at the AAL5 layer (which would be the
1408 * case if you were treating an incompletely
1409 * reassembled PDU as a completely reassembled
1410 * PDU, although you'd also expect a length
1411 * error in that case), or does it mean
1412 * "generic error", with some other flag
1413 * or flags indicating what particular
1414 * error occurred? The documentation
1415 * for Sniffer Pro 4.7 indicates a bunch
1416 * of different error types, both in general
1417 * and for ATM in particular.
1419 * No obvious bits in hdr_2_x.xxx appear
1420 * to be additional flags of that sort.
1422 * XXX - in that capture, I see several
1423 * reassembly errors in a row; should those
1424 * packets be reassembled in the ATM dissector?
1425 * What happens if a reassembly fails because
1428 rec->rec_header.packet_header.pseudo_header.atm.flags = 0;
1429 if (hdr.hdr_2_x.xxx[8] & 0x01)
1430 rec->rec_header.packet_header.pseudo_header.atm.flags |= ATM_REASSEMBLY_ERROR;
1432 * XXX - is 0x08 an "OAM cell" flag?
1433 * Are the 0x01 and 0x02 bits error indications?
1434 * Some packets in one capture that have the
1435 * 0x01 bit set in hdr_2_x.xxx[8] and that
1436 * appear to have been reassembled completely
1437 * but have a bad CRC have 0x03 in hdr_2_x.xxx[9]
1438 * (and don't have the 0x20 bit set).
1440 * In the capture with incomplete reassemblies,
1441 * all packets have the 0x20 bit set. In at
1442 * least some of the captures with complete
1443 * reassemblies with CRC errors, no packets
1444 * have the 0x20 bit set.
1446 * Are hdr_2_x.xxx[8] and hdr_2_x.xxx[9] a 16-bit
1449 if (hdr.hdr_2_x.xxx[9] & 0x04)
1450 rec->rec_header.packet_header.pseudo_header.atm.flags |= ATM_RAW_CELL;
1451 rec->rec_header.packet_header.pseudo_header.atm.vpi = hdr.hdr_2_x.xxx[11];
1452 rec->rec_header.packet_header.pseudo_header.atm.vci = pletoh16(&hdr.hdr_2_x.xxx[12]);
1453 rec->rec_header.packet_header.pseudo_header.atm.channel =
1454 (hdr.hdr_2_x.xxx[15] & 0x10)? 1 : 0;
1455 rec->rec_header.packet_header.pseudo_header.atm.cells = 0;
1458 * XXX - the uppermost bit of hdr_2_xxx[0]
1459 * looks as if it might be a flag of some sort.
1460 * The remaining 3 bits appear to be an AAL
1461 * type - 5 is, surprise surprise, AAL5.
1463 switch (hdr.hdr_2_x.xxx[0] & 0x70) {
1465 case 0x00: /* Unknown */
1466 rec->rec_header.packet_header.pseudo_header.atm.aal = AAL_UNKNOWN;
1467 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_UNKNOWN;
1468 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1471 case 0x10: /* XXX - AAL1? */
1472 rec->rec_header.packet_header.pseudo_header.atm.aal = AAL_UNKNOWN;
1473 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_UNKNOWN;
1474 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1477 case 0x20: /* XXX - AAL2? */
1478 rec->rec_header.packet_header.pseudo_header.atm.aal = AAL_UNKNOWN;
1479 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_UNKNOWN;
1480 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1483 case 0x40: /* XXX - AAL3/4? */
1484 rec->rec_header.packet_header.pseudo_header.atm.aal = AAL_UNKNOWN;
1485 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_UNKNOWN;
1486 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1489 case 0x30: /* XXX - AAL5 cells seen with this */
1490 case 0x50: /* AAL5 (including signalling) */
1491 case 0x60: /* XXX - AAL5 cells seen with this */
1492 case 0x70: /* XXX - AAL5 cells seen with this */
1493 rec->rec_header.packet_header.pseudo_header.atm.aal = AAL_5;
1495 * XXX - is the 0x08 bit of hdr_2_x.xxx[0]
1496 * a flag? I've not yet seen a case where
1499 switch (hdr.hdr_2_x.xxx[0] & 0x07) {
1502 case 0x02: /* Signalling traffic */
1503 rec->rec_header.packet_header.pseudo_header.atm.aal = AAL_SIGNALLING;
1504 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_UNKNOWN;
1505 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1508 case 0x03: /* ILMI */
1509 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_ILMI;
1510 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1517 * I've seen a frame with type
1518 * 0x30 and subtype 0x08 that
1519 * was LANE 802.3, a frame
1520 * with type 0x30 and subtype
1521 * 0x04 that was LANE 802.3,
1522 * and another frame with type
1523 * 0x30 and subtype 0x08 that
1524 * was junk with a string in
1525 * it that had also appeared
1526 * in some CDP and LE Control
1527 * frames, and that was preceded
1528 * by a malformed LE Control
1529 * frame - was that a reassembly
1532 * I've seen frames with type
1533 * 0x50 and subtype 0x0c, some
1534 * of which were LE Control
1535 * frames, and at least one
1536 * of which was neither an LE
1537 * Control frame nor a LANE
1538 * 802.3 frame, and contained
1539 * the string "ForeThought_6.2.1
1540 * Alpha" - does that imply
1541 * FORE's own encapsulation,
1542 * or was this a reassembly failure?
1543 * The latter frame was preceded
1544 * by a malformed LE Control
1547 * I've seen a couple of frames
1548 * with type 0x60 and subtype 0x00,
1549 * one of which was LANE 802.3 and
1550 * one of which was LE Control.
1551 * I've seen one frame with type
1552 * 0x60 and subtype 0x0c, which
1555 * I've seen a couple of frames
1556 * with type 0x70 and subtype 0x00,
1557 * both of which were LANE 802.3.
1559 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_LANE;
1560 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1563 case 0x06: /* XXX - not seen yet */
1564 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_UNKNOWN;
1565 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1568 case 0x07: /* LLC multiplexed */
1569 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_LLCMX; /* XXX */
1570 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN; /* XXX */
1580 rec->rec_type = REC_TYPE_PACKET;
1581 if (netxray->version_major == 0) {
1582 rec->presence_flags = WTAP_HAS_TS;
1583 t = (double)pletoh32(&hdr.old_hdr.timelo)
1584 + (double)pletoh32(&hdr.old_hdr.timehi)*4294967296.0;
1585 t /= netxray->ticks_per_sec;
1586 t -= netxray->start_timestamp;
1587 rec->ts.secs = netxray->start_time + (long)t;
1588 rec->ts.nsecs = (int)((t-(double)(unsigned long)(t))
1591 * We subtract the padding from the packet size, so our caller
1594 packet_size = pletoh16(&hdr.old_hdr.len);
1595 rec->rec_header.packet_header.caplen = packet_size - padding;
1596 rec->rec_header.packet_header.len = rec->rec_header.packet_header.caplen;
1598 rec->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
1599 t = (double)pletoh32(&hdr.hdr_1_x.timelo)
1600 + (double)pletoh32(&hdr.hdr_1_x.timehi)*4294967296.0;
1601 t /= netxray->ticks_per_sec;
1602 t -= netxray->start_timestamp;
1603 rec->ts.secs = netxray->start_time + (time_t)t;
1604 rec->ts.nsecs = (int)((t-(double)(unsigned long)(t))
1607 * We subtract the padding from the packet size, so our caller
1610 packet_size = pletoh16(&hdr.hdr_1_x.incl_len);
1611 rec->rec_header.packet_header.caplen = packet_size - padding;
1612 rec->rec_header.packet_header.len = pletoh16(&hdr.hdr_1_x.orig_len) - padding;
1619 netxray_guess_atm_type(wtap *wth, wtap_rec *rec, Buffer *buf)
1623 if (wth->file_encap == WTAP_ENCAP_ATM_PDUS_UNTRUNCATED &&
1624 !(rec->rec_header.packet_header.pseudo_header.atm.flags & ATM_REASSEMBLY_ERROR)) {
1625 if (rec->rec_header.packet_header.pseudo_header.atm.aal == AAL_UNKNOWN) {
1627 * Try to guess the type and subtype based
1628 * on the VPI/VCI and packet contents.
1630 pd = ws_buffer_start_ptr(buf);
1631 atm_guess_traffic_type(rec, pd);
1632 } else if (rec->rec_header.packet_header.pseudo_header.atm.aal == AAL_5 &&
1633 rec->rec_header.packet_header.pseudo_header.atm.type == TRAF_LANE) {
1635 * Try to guess the subtype based on the
1638 pd = ws_buffer_start_ptr(buf);
1639 atm_guess_lane_type(rec, pd);
1645 gboolean first_frame;
1650 static const struct {
1651 int wtap_encap_value;
1653 } wtap_encap_1_1[] = {
1654 { WTAP_ENCAP_ETHERNET, 0 }, /* -> NDIS Ethernet */
1655 { WTAP_ENCAP_TOKEN_RING, 1 }, /* -> NDIS Token Ring */
1656 { WTAP_ENCAP_FDDI, 2 }, /* -> NDIS FDDI */
1657 { WTAP_ENCAP_FDDI_BITSWAPPED, 2 }, /* -> NDIS FDDI */
1659 #define NUM_WTAP_ENCAPS_1_1 (sizeof wtap_encap_1_1 / sizeof wtap_encap_1_1[0])
1662 wtap_encap_to_netxray_1_1_encap(int encap)
1666 for (i = 0; i < NUM_WTAP_ENCAPS_1_1; i++) {
1667 if (encap == wtap_encap_1_1[i].wtap_encap_value)
1668 return wtap_encap_1_1[i].ndis_value;
1674 /* Returns 0 if we could write the specified encapsulation type,
1675 an error indication otherwise. */
1677 netxray_dump_can_write_encap_1_1(int encap)
1679 /* Per-packet encapsulations aren't supported. */
1680 if (encap == WTAP_ENCAP_PER_PACKET)
1681 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
1683 if (wtap_encap_to_netxray_1_1_encap(encap) == -1)
1684 return WTAP_ERR_UNWRITABLE_ENCAP;
1689 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
1692 netxray_dump_open_1_1(wtap_dumper *wdh, int *err)
1694 netxray_dump_t *netxray;
1696 wdh->subtype_write = netxray_dump_1_1;
1697 wdh->subtype_finish = netxray_dump_finish_1_1;
1699 /* We can't fill in all the fields in the file header, as we
1700 haven't yet written any packets. As we'll have to rewrite
1701 the header when we've written out all the packets, we just
1702 skip over the header for now. */
1703 if (wtap_dump_file_seek(wdh, CAPTUREFILE_HEADER_SIZE, SEEK_SET, err) == -1)
1705 wdh->bytes_dumped += CAPTUREFILE_HEADER_SIZE;
1707 netxray = (netxray_dump_t *)g_malloc(sizeof(netxray_dump_t));
1708 wdh->priv = (void *)netxray;
1709 netxray->first_frame = TRUE;
1710 netxray->start.secs = 0;
1711 netxray->start.nsecs = 0;
1712 netxray->nframes = 0;
1717 /* Write a record for a packet to a dump file.
1718 Returns TRUE on success, FALSE on failure. */
1720 netxray_dump_1_1(wtap_dumper *wdh,
1721 const wtap_rec *rec,
1722 const guint8 *pd, int *err, gchar **err_info _U_)
1724 netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv;
1727 struct netxrayrec_1_x_hdr rec_hdr;
1729 /* We can only write packet records. */
1730 if (rec->rec_type != REC_TYPE_PACKET) {
1731 *err = WTAP_ERR_UNWRITABLE_REC_TYPE;
1736 * Make sure this packet doesn't have a link-layer type that
1737 * differs from the one for the file.
1739 if (wdh->encap != rec->rec_header.packet_header.pkt_encap) {
1740 *err = WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
1744 /* The captured length field is 16 bits, so there's a hard
1746 if (rec->rec_header.packet_header.caplen > 65535) {
1747 *err = WTAP_ERR_PACKET_TOO_LARGE;
1751 /* NetXRay/Windows Sniffer files have a capture start date/time
1752 in the header, in a UNIX-style format, with one-second resolution,
1753 and a start time stamp with microsecond resolution that's just
1754 an arbitrary time stamp relative to some unknown time (boot
1755 time?), and have times relative to the start time stamp in
1756 the packet headers; pick the seconds value of the time stamp
1757 of the first packet as the UNIX-style start date/time, and make
1758 the high-resolution start time stamp 0, with the time stamp of
1759 packets being the delta between the stamp of the packet and
1760 the stamp of the first packet with the microseconds part 0. */
1761 if (netxray->first_frame) {
1762 netxray->first_frame = FALSE;
1763 netxray->start = rec->ts;
1766 /* build the header for each packet */
1767 memset(&rec_hdr, '\0', sizeof(rec_hdr));
1768 timestamp = ((guint64)rec->ts.secs - (guint64)netxray->start.secs)*1000000
1769 + ((guint64)rec->ts.nsecs)/1000;
1770 t32 = (guint32)(timestamp%G_GINT64_CONSTANT(4294967296));
1771 rec_hdr.timelo = GUINT32_TO_LE(t32);
1772 t32 = (guint32)(timestamp/G_GINT64_CONSTANT(4294967296));
1773 rec_hdr.timehi = GUINT32_TO_LE(t32);
1774 rec_hdr.orig_len = GUINT16_TO_LE(rec->rec_header.packet_header.len);
1775 rec_hdr.incl_len = GUINT16_TO_LE(rec->rec_header.packet_header.caplen);
1777 if (!wtap_dump_file_write(wdh, &rec_hdr, sizeof(rec_hdr), err))
1779 wdh->bytes_dumped += sizeof(rec_hdr);
1781 /* write the packet data */
1782 if (!wtap_dump_file_write(wdh, pd, rec->rec_header.packet_header.caplen, err))
1784 wdh->bytes_dumped += rec->rec_header.packet_header.caplen;
1791 /* Finish writing to a dump file.
1792 Returns TRUE on success, FALSE on failure. */
1794 netxray_dump_finish_1_1(wtap_dumper *wdh, int *err)
1796 char hdr_buf[CAPTUREFILE_HEADER_SIZE - sizeof(netxray_magic)];
1797 netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv;
1799 struct netxray_hdr file_hdr;
1801 if (-1 == (filelen = wtap_dump_file_tell(wdh, err)))
1804 /* Go back to beginning */
1805 if (wtap_dump_file_seek(wdh, 0, SEEK_SET, err) == -1)
1808 /* Rewrite the file header. */
1809 if (!wtap_dump_file_write(wdh, netxray_magic, sizeof netxray_magic, err))
1812 /* "sniffer" version ? */
1813 memset(&file_hdr, '\0', sizeof file_hdr);
1814 memcpy(file_hdr.version, vers_1_1, sizeof vers_1_1);
1815 file_hdr.start_time = GUINT32_TO_LE(netxray->start.secs);
1816 file_hdr.nframes = GUINT32_TO_LE(netxray->nframes);
1817 file_hdr.start_offset = GUINT32_TO_LE(CAPTUREFILE_HEADER_SIZE);
1818 /* XXX - large files? */
1819 file_hdr.end_offset = GUINT32_TO_LE((guint32)filelen);
1820 file_hdr.network = wtap_encap_to_netxray_1_1_encap(wdh->encap);
1821 file_hdr.timelo = GUINT32_TO_LE(0);
1822 file_hdr.timehi = GUINT32_TO_LE(0);
1824 memset(hdr_buf, '\0', sizeof hdr_buf);
1825 memcpy(hdr_buf, &file_hdr, sizeof(file_hdr));
1826 if (!wtap_dump_file_write(wdh, hdr_buf, sizeof hdr_buf, err))
1832 static const struct {
1833 int wtap_encap_value;
1835 } wtap_encap_2_0[] = {
1836 { WTAP_ENCAP_ETHERNET, 0 }, /* -> NDIS Ethernet */
1837 { WTAP_ENCAP_TOKEN_RING, 1 }, /* -> NDIS Token Ring */
1838 { WTAP_ENCAP_FDDI, 2 }, /* -> NDIS FDDI */
1839 { WTAP_ENCAP_FDDI_BITSWAPPED, 2 }, /* -> NDIS FDDI */
1840 { WTAP_ENCAP_PPP_WITH_PHDR, 3 }, /* -> NDIS WAN */
1841 { WTAP_ENCAP_FRELAY_WITH_PHDR, 3 }, /* -> NDIS WAN */
1842 { WTAP_ENCAP_LAPB, 3 }, /* -> NDIS WAN */
1843 { WTAP_ENCAP_SDLC, 3 }, /* -> NDIS WAN */
1845 #define NUM_WTAP_ENCAPS_2_0 (sizeof wtap_encap_2_0 / sizeof wtap_encap_2_0[0])
1848 wtap_encap_to_netxray_2_0_encap(int encap)
1852 for (i = 0; i < NUM_WTAP_ENCAPS_2_0; i++) {
1853 if (encap == wtap_encap_2_0[i].wtap_encap_value)
1854 return wtap_encap_2_0[i].ndis_value;
1860 /* Returns 0 if we could write the specified encapsulation type,
1861 an error indication otherwise. */
1863 netxray_dump_can_write_encap_2_0(int encap)
1865 /* Per-packet encapsulations aren't supported. */
1866 if (encap == WTAP_ENCAP_PER_PACKET)
1867 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
1869 if (wtap_encap_to_netxray_2_0_encap(encap) == -1)
1870 return WTAP_ERR_UNWRITABLE_ENCAP;
1875 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
1878 netxray_dump_open_2_0(wtap_dumper *wdh, int *err)
1880 netxray_dump_t *netxray;
1882 wdh->subtype_write = netxray_dump_2_0;
1883 wdh->subtype_finish = netxray_dump_finish_2_0;
1885 /* We can't fill in all the fields in the file header, as we
1886 haven't yet written any packets. As we'll have to rewrite
1887 the header when we've written out all the packets, we just
1888 skip over the header for now. */
1889 if (wtap_dump_file_seek(wdh, CAPTUREFILE_HEADER_SIZE, SEEK_SET, err) == -1)
1892 wdh->bytes_dumped += CAPTUREFILE_HEADER_SIZE;
1894 netxray = (netxray_dump_t *)g_malloc(sizeof(netxray_dump_t));
1895 wdh->priv = (void *)netxray;
1896 netxray->first_frame = TRUE;
1897 netxray->start.secs = 0;
1898 netxray->start.nsecs = 0;
1899 netxray->nframes = 0;
1904 /* Write a record for a packet to a dump file.
1905 Returns TRUE on success, FALSE on failure. */
1907 netxray_dump_2_0(wtap_dumper *wdh,
1908 const wtap_rec *rec,
1909 const guint8 *pd, int *err, gchar **err_info _U_)
1911 const union wtap_pseudo_header *pseudo_header = &rec->rec_header.packet_header.pseudo_header;
1912 netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv;
1915 struct netxrayrec_2_x_hdr rec_hdr;
1917 /* We can only write packet records. */
1918 if (rec->rec_type != REC_TYPE_PACKET) {
1919 *err = WTAP_ERR_UNWRITABLE_REC_TYPE;
1924 * Make sure this packet doesn't have a link-layer type that
1925 * differs from the one for the file.
1927 if (wdh->encap != rec->rec_header.packet_header.pkt_encap) {
1928 *err = WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
1932 /* Don't write anything we're not willing to read. */
1933 if (rec->rec_header.packet_header.caplen > WTAP_MAX_PACKET_SIZE_STANDARD) {
1934 *err = WTAP_ERR_PACKET_TOO_LARGE;
1938 /* NetXRay/Windows Sniffer files have a capture start date/time
1939 in the header, in a UNIX-style format, with one-second resolution,
1940 and a start time stamp with microsecond resolution that's just
1941 an arbitrary time stamp relative to some unknown time (boot
1942 time?), and have times relative to the start time stamp in
1943 the packet headers; pick the seconds value of the time stamp
1944 of the first packet as the UNIX-style start date/time, and make
1945 the high-resolution start time stamp 0, with the time stamp of
1946 packets being the delta between the stamp of the packet and
1947 the stamp of the first packet with the microseconds part 0. */
1948 if (netxray->first_frame) {
1949 netxray->first_frame = FALSE;
1950 netxray->start = rec->ts;
1953 /* build the header for each packet */
1954 memset(&rec_hdr, '\0', sizeof(rec_hdr));
1955 timestamp = ((guint64)rec->ts.secs - (guint64)netxray->start.secs)*1000000
1956 + ((guint64)rec->ts.nsecs)/1000;
1957 t32 = (guint32)(timestamp%G_GINT64_CONSTANT(4294967296));
1958 rec_hdr.timelo = GUINT32_TO_LE(t32);
1959 t32 = (guint32)(timestamp/G_GINT64_CONSTANT(4294967296));
1960 rec_hdr.timehi = GUINT32_TO_LE(t32);
1961 rec_hdr.orig_len = GUINT16_TO_LE(rec->rec_header.packet_header.len);
1962 rec_hdr.incl_len = GUINT16_TO_LE(rec->rec_header.packet_header.caplen);
1964 switch (rec->rec_header.packet_header.pkt_encap) {
1966 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
1968 pseudo_header->ieee_802_11.has_channel ?
1969 pseudo_header->ieee_802_11.channel :
1972 pseudo_header->ieee_802_11.has_data_rate ?
1973 (guint8)pseudo_header->ieee_802_11.data_rate :
1976 pseudo_header->ieee_802_11.has_signal_percent ?
1977 pseudo_header->ieee_802_11.signal_percent :
1980 pseudo_header->ieee_802_11.has_noise_percent ?
1981 pseudo_header->ieee_802_11.noise_percent*127/100 :
1985 case WTAP_ENCAP_PPP_WITH_PHDR:
1986 case WTAP_ENCAP_SDLC:
1987 rec_hdr.xxx[12] |= pseudo_header->p2p.sent ? 0x01 : 0x00;
1990 case WTAP_ENCAP_FRELAY_WITH_PHDR:
1991 rec_hdr.xxx[12] |= (pseudo_header->dte_dce.flags & FROM_DCE) ? 0x00 : 0x01;
1995 if (!wtap_dump_file_write(wdh, &rec_hdr, sizeof(rec_hdr), err))
1997 wdh->bytes_dumped += sizeof(rec_hdr);
1999 /* write the packet data */
2000 if (!wtap_dump_file_write(wdh, pd, rec->rec_header.packet_header.caplen, err))
2002 wdh->bytes_dumped += rec->rec_header.packet_header.caplen;
2009 /* Finish writing to a dump file.
2010 Returns TRUE on success, FALSE on failure. */
2012 netxray_dump_finish_2_0(wtap_dumper *wdh, int *err)
2014 char hdr_buf[CAPTUREFILE_HEADER_SIZE - sizeof(netxray_magic)];
2015 netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv;
2017 struct netxray_hdr file_hdr;
2019 if (-1 == (filelen = wtap_dump_file_tell(wdh, err)))
2022 /* Go back to beginning */
2023 if (wtap_dump_file_seek(wdh, 0, SEEK_SET, err) == -1)
2026 /* Rewrite the file header. */
2027 if (!wtap_dump_file_write(wdh, netxray_magic, sizeof netxray_magic, err))
2030 /* "sniffer" version ? */
2031 memset(&file_hdr, '\0', sizeof file_hdr);
2032 memcpy(file_hdr.version, vers_2_001, sizeof vers_2_001);
2033 file_hdr.start_time = GUINT32_TO_LE(netxray->start.secs);
2034 file_hdr.nframes = GUINT32_TO_LE(netxray->nframes);
2035 file_hdr.start_offset = GUINT32_TO_LE(CAPTUREFILE_HEADER_SIZE);
2036 /* XXX - large files? */
2037 file_hdr.end_offset = GUINT32_TO_LE((guint32)filelen);
2038 file_hdr.network = wtap_encap_to_netxray_2_0_encap(wdh->encap);
2039 file_hdr.timelo = GUINT32_TO_LE(0);
2040 file_hdr.timehi = GUINT32_TO_LE(0);
2041 switch (wdh->encap) {
2043 case WTAP_ENCAP_PPP_WITH_PHDR:
2044 file_hdr.captype = WAN_CAPTYPE_PPP;
2047 case WTAP_ENCAP_FRELAY_WITH_PHDR:
2048 file_hdr.captype = WAN_CAPTYPE_FRELAY;
2051 case WTAP_ENCAP_LAPB:
2052 file_hdr.captype = WAN_CAPTYPE_HDLC;
2053 file_hdr.wan_hdlc_subsub_captype = 0;
2056 case WTAP_ENCAP_SDLC:
2057 file_hdr.captype = WAN_CAPTYPE_SDLC;
2061 file_hdr.captype = CAPTYPE_NDIS;
2065 memset(hdr_buf, '\0', sizeof hdr_buf);
2066 memcpy(hdr_buf, &file_hdr, sizeof(file_hdr));
2067 if (!wtap_dump_file_write(wdh, hdr_buf, sizeof hdr_buf, err))
2074 * Editor modelines - https://www.wireshark.org/tools/modelines.html
2079 * indent-tabs-mode: t
2082 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
2083 * :indentSize=8:tabSize=8:noTabs=false:
git.samba.org / metze / wireshark / wip.git / blob