6 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 /* The code in ngsniffer.c that decodes the time fields for each packet in the
24 * Sniffer trace originally came from code from TCPVIEW:
29 * Networks and Distributed Computing
30 * Computing & Communications
31 * University of Washington
32 * Administration Building, AG-44
34 * Internet: martinh@cac.washington.edu
37 * Copyright 1992 by the University of Washington
39 * Permission to use, copy, modify, and distribute this software and its
40 * documentation for any purpose and without fee is hereby granted, provided
41 * that the above copyright notice appears in all copies and that both the
42 * above copyright notice and this permission notice appear in supporting
43 * documentation, and that the name of the University of Washington not be
44 * used in advertising or publicity pertaining to distribution of the software
45 * without specific, written prior permission. This software is made
46 * available "as is", and
47 * THE UNIVERSITY OF WASHINGTON DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
48 * WITH REGARD TO THIS SOFTWARE, INCLUDING WITHOUT LIMITATION ALL IMPLIED
49 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND IN
50 * NO EVENT SHALL THE UNIVERSITY OF WASHINGTON BE LIABLE FOR ANY SPECIAL,
51 * INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
52 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, TORT
53 * (INCLUDING NEGLIGENCE) OR STRICT LIABILITY, ARISING OUT OF OR IN CONNECTION
54 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
62 #include "file_wrappers.h"
65 #include "ngsniffer.h"
67 /* Magic number in Sniffer files. */
68 static const char ngsniffer_magic[] = {
69 'T', 'R', 'S', 'N', 'I', 'F', 'F', ' ', 'd', 'a', 't', 'a',
70 ' ', ' ', ' ', ' ', 0x1a
74 * Sniffer record types.
76 #define REC_VERS 1 /* Version record (f_vers) */
77 #define REC_FRAME2 4 /* Frame data (f_frame2) */
78 #define REC_FRAME4 8 /* Frame data (f_frame4) */
79 #define REC_FRAME6 12 /* Frame data (f_frame6) (see below) */
80 #define REC_EOF 3 /* End-of-file record (no data follows) */
82 * and now for some unknown header types
84 #define REC_HEADER1 6 /* Header containing various information,
85 * not yet reverse engineered - some binary,
86 * some strings (Serial numbers? Names
87 * under which the software is registered?
88 * Software version numbers? Mysterious
89 * strings such as "PA-55X" and "PA-30X"
90 * and "PA-57X" and "PA-11X"?), some strings
91 * that are partially overwritten
92 * ("UNSERIALIZED", "Network General
93 * Corporation"), differing from major
94 * version to major version */
95 #define REC_HEADER2 7 /* Header containing ??? */
96 #define REC_V2DESC 8 /* In version 2 sniffer traces contains
97 * info about this capturing session,
98 * in the form of a multi-line string
99 * with NL as the line separator.
100 * Collides with REC_FRAME4 */
101 #define REC_HEADER3 13 /* Retransmission counts? */
102 #define REC_HEADER4 14 /* ? */
103 #define REC_HEADER5 15 /* ? */
104 #define REC_HEADER6 16 /* More broadcast/retransmission counts? */
105 #define REC_HEADER7 17 /* ? */
109 * Sniffer version record format.
112 gint16 maj_vers; /* major version number */
113 gint16 min_vers; /* minor version number */
114 gint16 time; /* DOS-format time */
115 gint16 date; /* DOS-format date */
116 gint8 type; /* what type of records follow */
117 guint8 network; /* network type */
118 gint8 format; /* format version */
119 guint8 timeunit; /* timestamp units */
120 gint8 cmprs_vers; /* compression version */
121 gint8 cmprs_level; /* compression level */
122 gint16 rsvd[2]; /* reserved */
128 #define NETWORK_TRING 0 /* Token ring */
129 #define NETWORK_ENET 1 /* Ethernet */
130 #define NETWORK_ARCNET 2 /* ARCNET */
131 #define NETWORK_STARLAN 3 /* StarLAN */
132 #define NETWORK_PCNW 4 /* PC Network broadband (Sytek?) */
133 #define NETWORK_LOCALTALK 5 /* LocalTalk */
134 #define NETWORK_SYNCHRO 7 /* Internetwork analyzer (synchronous) */
135 #define NETWORK_ASYNC 8 /* Internetwork analyzer (asynchronous) */
136 #define NETWORK_FDDI 9 /* FDDI */
137 #define NETWORK_ATM 10 /* ATM */
140 * Sniffer type 2 data record format - followed by frame data.
142 * The Expert Sniffer Network Analyzer Operations manual, Release 5.50,
143 * documents some of the values used in "fs" and "flags". "flags" don't
144 * look as if they'd be of much interest to us, as those are internal
145 * flags for state used by the Sniffer, but "fs" gives various status
146 * bits including error indications *and*:
148 * ISDN channel information for ISDN;
150 * PPP vs. SLIP information for Async.
152 * In that section it also refers to "FDDI analyzers using the NPI PCI
153 * FDDI adapter" and "FDDI analyzers using the NPI ISA FDDI adapter",
154 * referring to the first as "F1SNIFF" and the second as "FDSNIFF";
155 * those sound as if they *could* be replacements for "TRSNIFF" in
156 * the file header, but that manual says, earlier, that the header
157 * starts with "TRSNIFF data, no matter where the frames were
160 * It also says that a type 2 record has an 8-bit "time_high"
161 * and an 8-bit "time_day" field; the code here used to have a
162 * 16-bit "time_high" value, but that gave wrong time stamps on at
163 * least some captures. Did some older manual have it as a 16-bit
164 * "tstamp_high", so that perhaps it depends on the version number
165 * in the file, or is it "tstamp_high" plus "tstamp_day" in all
166 * versions? (I forget whether this came purely from tcpview, or if
167 * I saw any of it in an NAI document.)
169 * We interpret them as unsigned, as interpreting them as signed
170 * would appear to allow time stamps that precede the start of the
171 * capture. The description of the record format shows them as
172 * "char", but the section "How the Analyzer Stores Time" shows a
173 * time stamp structure with those fields being "unsigned char".
175 * In addition, the description of the record format has the comment
176 * for the "time_day" field saying it's the time in days since the
177 * start of the capture, but the "How the Analyzer Stores Time"
178 * section says it's increased by 1 if the capture continues past
179 * midnight - and also says that the time stamp structure has a time
180 * relative to midnight when the capture started, not since the
181 * actual capture start, so that might be a difference between
182 * the internal time stamp in the Sniffer software and the time
183 * stamp in capture files (i.e., the latter might be relative to
184 * the time when the capture starts).
187 guint16 time_low; /* low part of time stamp */
188 guint16 time_med; /* middle part of time stamp */
189 guint8 time_high; /* high part of the time stamp */
190 guint8 time_day; /* time in days since start of capture */
191 gint16 size; /* number of bytes of data */
192 guint8 fs; /* frame error status bits */
193 guint8 flags; /* buffer flags */
194 gint16 true_size; /* size of original frame, in bytes */
195 gint16 rsvd; /* reserved */
201 * The bits differ for different link-layer types.
207 #define FS_ETH_CRC 0x80 /* CRC error */
208 #define FS_ETH_ALIGN 0x40 /* bad alignment */
209 #define FS_ETH_RU 0x20 /* "RU out of resources" */
210 #define FS_ETH_OVERRUN 0x10 /* DMA overrun */
211 #define FS_ETH_RUNT 0x08 /* frame too small */
212 #define FS_ETH_COLLISION 0x02 /* collision fragment */
217 #define FS_FDDI_INVALID 0x10 /* frame indicators are invalid */
218 #define FS_FDDI_ERROR 0x20 /* "frame error bit 1" */
219 #define FS_FDDI_PCI_VDL 0x01 /* VDL error on frame on PCI adapter */
220 #define FS_FDDI_PCI_CRC 0x02 /* CRC error on frame on PCI adapter */
221 #define FS_FDDI_ISA_CRC 0x20 /* CRC error on frame on ISA adapter */
224 * Internetwork analyzer (synchronous and asynchronous).
226 #define FS_WAN_DTE 0x80 /* DTE->DCE frame */
229 * Internetwork analyzer (synchronous).
231 #define FS_SYNC_LOST 0x01 /* some frames were lost */
232 #define FS_SYNC_CRC 0x02 /* CRC error */
233 #define FS_SYNC_ABORT 0x04 /* aborted frame */
234 #define FS_ISDN_CHAN_MASK 0x18 /* ISDN channel */
235 #define FS_ISDN_CHAN_D 0x18 /* ISDN channel D */
236 #define FS_ISDN_CHAN_B1 0x08 /* ISDN channel B1 */
237 #define FS_ISDN_CHAN_B2 0x10 /* ISDN channel B2 */
240 * Internetwork analyzer (asynchronous).
241 * XXX - are some of these synchronous flags? They're listed with the
242 * asynchronous flags in the Sniffer 5.50 Network Analyzer Operations
243 * manual. Is one of the "overrun" errors a synchronous overrun error?
245 #define FS_ASYNC_LOST 0x01 /* some frames were lost */
246 #define FS_ASYNC_OVERRUN 0x02 /* UART overrun, lost bytes */
247 #define FS_ASYNC_FRAMING 0x04 /* bad character (framing error?) */
248 #define FS_ASYNC_PPP 0x08 /* PPP frame */
249 #define FS_ASYNC_SLIP 0x10 /* SLIP frame */
250 #define FS_ASYNC_ALIGN 0x20 /* alignment or DLPP(?) error */
251 #define FS_ASYNC_OVERRUN2 0x40 /* overrun or bad frame length */
254 * Sniffer type 4 data record format - followed by frame data.
256 * The ATM Sniffer manual says that the "flags" field holds "buffer flags;
257 * BF_xxxx", but doesn't say what the BF_xxxx flags are. They may
258 * be the same as they are in a type 2 record, in which case they're
259 * probably not of much interest to us.
261 * XXX - the manual also says there's an 8-byte "ATMTimeStamp" driver
262 * time stamp at the end of "ATMSaveInfo", but, from an ATM Sniffer capture
263 * file I've looked at, that appears not to be the case.
267 * Fields from the AAL5 trailer for the frame, if it's an AAL5 frame
268 * rather than a cell.
270 typedef struct _ATM_AAL5Trailer {
271 guint16 aal5t_u2u; /* user-to-user indicator */
272 guint16 aal5t_len; /* length of the packet */
273 guint32 aal5t_chksum; /* checksum for AAL5 packet */
276 typedef struct _ATMTimeStamp {
277 guint32 msw; /* most significant word */
278 guint32 lsw; /* least significant word */
281 typedef struct _ATMSaveInfo {
282 guint32 StatusWord; /* status word from driver */
283 ATM_AAL5Trailer Trailer; /* AAL5 trailer */
284 guint8 AppTrafType; /* traffic type */
285 guint8 AppHLType; /* protocol type */
286 guint16 AppReserved; /* reserved */
287 guint16 Vpi; /* virtual path identifier */
288 guint16 Vci; /* virtual circuit identifier */
289 guint16 channel; /* link: 0 for DCE, 1 for DTE */
290 guint16 cells; /* number of cells */
291 guint32 AppVal1; /* type-dependent */
292 guint32 AppVal2; /* type-dependent */
296 * Bits in StatusWord.
298 #define SW_ERRMASK 0x0F /* Error mask: */
299 #define SW_RX_FIFO_UNDERRUN 0x01 /* Receive FIFO underrun */
300 #define SW_RX_FIFO_OVERRUN 0x02 /* Receive FIFO overrun */
301 #define SW_RX_PKT_TOO_LONG 0x03 /* Received packet > max size */
302 #define SW_CRC_ERROR 0x04 /* CRC error */
303 #define SW_USER_ABORTED_RX 0x05 /* User aborted receive */
304 #define SW_BUF_LEN_TOO_LONG 0x06 /* buffer len > max buf */
305 #define SW_INTERNAL_T1_ERROR 0x07 /* Internal T1 error */
306 #define SW_RX_CHANNEL_DEACTIV8 0x08 /* Rx channel deactivate */
308 #define SW_ERROR 0x80 /* Error indicator */
309 #define SW_CONGESTION 0x40 /* Congestion indicator */
310 #define SW_CLP 0x20 /* Cell loss priority indicator */
311 #define SW_RAW_CELL 0x100 /* RAW cell indicator */
312 #define SW_OAM_CELL 0x200 /* OAM cell indicator */
315 * Bits in AppTrafType.
317 * For AAL types other than AAL5, the packet data is presumably for a
318 * single cell, not a reassembled frame, as the ATM Sniffer manual says
319 * it dosn't reassemble cells other than AAL5 cells.
321 #define ATT_AALTYPE 0x0F /* AAL type: */
322 #define ATT_AAL_UNKNOWN 0x00 /* Unknown AAL */
323 #define ATT_AAL1 0x01 /* AAL1 */
324 #define ATT_AAL3_4 0x02 /* AAL3/4 */
325 #define ATT_AAL5 0x03 /* AAL5 */
326 #define ATT_AAL_USER 0x04 /* User AAL */
327 #define ATT_AAL_SIGNALLING 0x05 /* Signaling AAL */
328 #define ATT_OAMCELL 0x06 /* OAM cell */
330 #define ATT_HLTYPE 0xF0 /* Higher-layer type: */
331 #define ATT_HL_UNKNOWN 0x00 /* unknown */
332 #define ATT_HL_LLCMX 0x10 /* LLC multiplexed (probably RFC 1483) */
333 #define ATT_HL_VCMX 0x20 /* VC multiplexed (probably RFC 1483) */
334 #define ATT_HL_LANE 0x30 /* LAN Emulation */
335 #define ATT_HL_ILMI 0x40 /* ILMI */
336 #define ATT_HL_FRMR 0x50 /* Frame Relay */
337 #define ATT_HL_SPANS 0x60 /* FORE SPANS */
338 #define ATT_HL_IPSILON 0x70 /* Ipsilon */
341 * Values for AppHLType; the interpretation depends on the ATT_HLTYPE
342 * bits in AppTrafType.
344 #define AHLT_UNKNOWN 0x0
345 #define AHLT_VCMX_802_3_FCS 0x1 /* VCMX: 802.3 FCS */
346 #define AHLT_LANE_LE_CTRL 0x1 /* LANE: LE Ctrl */
347 #define AHLT_IPSILON_FT0 0x1 /* Ipsilon: Flow Type 0 */
348 #define AHLT_VCMX_802_4_FCS 0x2 /* VCMX: 802.4 FCS */
349 #define AHLT_LANE_802_3 0x2 /* LANE: 802.3 */
350 #define AHLT_IPSILON_FT1 0x2 /* Ipsilon: Flow Type 1 */
351 #define AHLT_VCMX_802_5_FCS 0x3 /* VCMX: 802.5 FCS */
352 #define AHLT_LANE_802_5 0x3 /* LANE: 802.5 */
353 #define AHLT_IPSILON_FT2 0x3 /* Ipsilon: Flow Type 2 */
354 #define AHLT_VCMX_FDDI_FCS 0x4 /* VCMX: FDDI FCS */
355 #define AHLT_LANE_802_3_MC 0x4 /* LANE: 802.3 multicast */
356 #define AHLT_VCMX_802_6_FCS 0x5 /* VCMX: 802.6 FCS */
357 #define AHLT_LANE_802_5_MC 0x5 /* LANE: 802.5 multicast */
358 #define AHLT_VCMX_802_3 0x7 /* VCMX: 802.3 */
359 #define AHLT_VCMX_802_4 0x8 /* VCMX: 802.4 */
360 #define AHLT_VCMX_802_5 0x9 /* VCMX: 802.5 */
361 #define AHLT_VCMX_FDDI 0xa /* VCMX: FDDI */
362 #define AHLT_VCMX_802_6 0xb /* VCMX: 802.6 */
363 #define AHLT_VCMX_FRAGMENTS 0xc /* VCMX: Fragments */
364 #define AHLT_VCMX_BPDU 0xe /* VCMX: BPDU */
367 guint16 time_low; /* low part of time stamp */
368 guint16 time_med; /* middle part of time stamp */
369 guint8 time_high; /* high part of time stamp */
370 guint8 time_day; /* time in days since start of capture */
371 gint16 size; /* number of bytes of data */
372 gint8 fs; /* frame error status bits */
373 gint8 flags; /* buffer flags */
374 gint16 true_size; /* size of original frame, in bytes */
375 gint16 rsvd3; /* reserved */
376 gint16 atm_pad; /* pad to 4-byte boundary */
377 ATMSaveInfo atm_info; /* ATM-specific stuff */
381 * XXX - I have a version 5.50 file with a bunch of token ring
382 * records listed as type "12". The record format below was
383 * derived from frame4_rec and a bit of experimentation.
387 guint16 time_low; /* low part of time stamp */
388 guint16 time_med; /* middle part of time stamp */
389 guint8 time_high; /* high part of time stamp */
390 guint8 time_day; /* time in days since start of capture */
391 gint16 size; /* number of bytes of data */
392 guint8 fs; /* frame error status bits */
393 guint8 flags; /* buffer flags */
394 gint16 true_size; /* size of original frame, in bytes */
395 guint8 chemical_x[22]; /* ? */
399 * Network type values in some type 7 records.
401 * Captures with a major version number of 2 appear to have type 7
402 * records with text in them (at least one I have does).
404 * Captures with a major version of 4, and at least some captures with
405 * a major version of 5, have type 7 records with those values in the
408 * However, some captures with a major version number of 5 appear not to
409 * have type 7 records at all (at least one I have doesn't), but do appear
410 * to put non-zero values in the "rsvd" field of the version header (at
411 * least one I have does) - at least some other captures with smaller version
412 * numbers appear to put 0 there, so *maybe* that's where the network
413 * (sub)type is hidden in those captures. The version 5 captures I've seen
414 * that *do* have type 7 records put 0 there, so it's not as if *all* V5
415 * captures have something in the "rsvd" field, however.
417 * The semantics of these network types is inferred from the Sniffer
418 * documentation, as they correspond to types described in the UI;
421 * http://www.mcafee.com/common/media/sniffer/support/sdos/operation.pdf
423 * starting at page 3-10 (56 of 496).
425 * XXX - I've seen X.25 captures with NET_ROUTER, and I've seen bridge/
426 * router captures with NET_HDLC. Sigh.... Are those just captures for
427 * which the user set the wrong network type when capturing?
429 #define NET_SDLC 0 /* Probably "SDLC then SNA" */
430 #define NET_HDLC 1 /* Used for X.25; is it used for other
431 things as well, or is it "HDLC then
432 X.25", as referred to by the document
433 cited above, and only used for X.25? */
434 #define NET_FRAME_RELAY 2
435 #define NET_ROUTER 3 /* Probably "Router/Bridge", for various
436 point-to-point protocols for use between
437 bridges and routers, including PPP as well
438 as various proprietary protocols; also
439 used for ISDN, for reasons not obvious
440 to me, given that a Sniffer knows
441 whether it's using a WAN or an ISDN pod */
442 #define NET_PPP 4 /* "Asynchronous", which includes SLIP too */
443 #define NET_SMDS 5 /* Not mentioned in the document, but
444 that's a document for version 5.50 of
445 the Sniffer, and that version might use
446 version 5 in the file format and thus
447 might not be using type 7 records */
450 * Values for V.timeunit, in picoseconds, so that they can be represented
451 * as integers. These values must be < 2^(64-40); see below.
453 * XXX - at least some captures with a V.timeunit value of 2 show
454 * packets with time stamps in 2011 if the time stamp is interpreted
455 * to be in units of 15 microseconds. The capture predates 2008,
456 * so that interpretation is probably wrong. Perhaps the interpretation
457 * of V.timeunit depends on the version number of the file?
459 static const guint32 Psec[] = {
460 15000000, /* 15.0 usecs = 15000000 psecs */
461 838096, /* .838096 usecs = 838096 psecs */
462 15000000, /* 15.0 usecs = 15000000 psecs */
463 500000, /* 0.5 usecs = 500000 psecs */
464 2000000, /* 2.0 usecs = 2000000 psecs */
465 1000000, /* 1.0 usecs = 1000000 psecs */
466 /* XXX - Sniffer doc says 0.08 usecs = 80000 psecs */
467 100000 /* 0.1 usecs = 100000 psecs */
469 #define NUM_NGSNIFF_TIMEUNITS (sizeof Psec / sizeof Psec[0])
471 /* Information for a compressed Sniffer data stream. */
473 unsigned char *buf; /* buffer into which we uncompress data */
474 unsigned int nbytes; /* number of bytes of data in that buffer */
475 int nextout; /* offset in that buffer of stream's current position */
476 gint64 comp_offset; /* current offset in compressed data stream */
477 gint64 uncomp_offset; /* current offset in uncompressed data stream */
478 } ngsniffer_comp_stream_t;
485 guint network; /* network type */
486 ngsniffer_comp_stream_t seq; /* sequential access */
487 ngsniffer_comp_stream_t rand; /* random access */
488 GList *first_blob; /* list element for first blob */
489 GList *last_blob; /* list element for last blob */
490 GList *current_blob; /* list element for current blob */
494 * DOS date to "struct tm" conversion values.
496 /* DOS year = upper 7 bits */
497 #define DOS_YEAR_OFFSET (1980-1900) /* tm_year = year+1900, DOS date year year+1980 */
498 #define DOS_YEAR_SHIFT 9
499 #define DOS_YEAR_MASK (0x7F<<DOS_YEAR_SHIFT)
500 /* DOS month = next 4 bits */
501 #define DOS_MONTH_OFFSET (-1) /* tm_mon = month #-1, DOS date month = month # */
502 #define DOS_MONTH_SHIFT 5
503 #define DOS_MONTH_MASK (0x0F<<DOS_MONTH_SHIFT)
504 /* DOS day = next 5 bits */
505 #define DOS_DAY_SHIFT 0
506 #define DOS_DAY_MASK (0x1F<<DOS_DAY_SHIFT)
508 static int process_header_records(wtap *wth, int *err, gchar **err_info,
509 gint16 maj_vers, guint8 network);
510 static int process_rec_header2_v2(wtap *wth, unsigned char *buffer,
511 guint16 length, int *err, gchar **err_info);
512 static int process_rec_header2_v145(wtap *wth, unsigned char *buffer,
513 guint16 length, gint16 maj_vers, int *err, gchar **err_info);
514 static gboolean ngsniffer_read(wtap *wth, int *err, gchar **err_info,
515 gint64 *data_offset);
516 static gboolean ngsniffer_seek_read(wtap *wth, gint64 seek_off,
517 struct wtap_pkthdr *phdr, guint8 *pd, int packet_size,
518 int *err, gchar **err_info);
519 static int ngsniffer_read_rec_header(wtap *wth, gboolean is_random,
520 guint16 *typep, guint16 *lengthp, int *err, gchar **err_info);
521 static gboolean ngsniffer_read_frame2(wtap *wth, gboolean is_random,
522 struct frame2_rec *frame2, int *err, gchar **err_info);
523 static void set_pseudo_header_frame2(wtap *wth,
524 union wtap_pseudo_header *pseudo_header, struct frame2_rec *frame2);
525 static gboolean ngsniffer_read_frame4(wtap *wth, gboolean is_random,
526 struct frame4_rec *frame4, int *err, gchar **err_info);
527 static void set_pseudo_header_frame4(union wtap_pseudo_header *pseudo_header,
528 struct frame4_rec *frame4);
529 static gboolean ngsniffer_read_frame6(wtap *wth, gboolean is_random,
530 struct frame6_rec *frame6, int *err, gchar **err_info);
531 static void set_pseudo_header_frame6(wtap *wth,
532 union wtap_pseudo_header *pseudo_header, struct frame6_rec *frame6);
533 static gboolean ngsniffer_read_rec_data(wtap *wth, gboolean is_random,
534 guint8 *pd, unsigned int length, int *err, gchar **err_info);
535 static int infer_pkt_encap(const guint8 *pd, int len);
536 static int fix_pseudo_header(int encap, const guint8 *pd, int len,
537 union wtap_pseudo_header *pseudo_header);
538 static void ngsniffer_sequential_close(wtap *wth);
539 static void ngsniffer_close(wtap *wth);
540 static gboolean ngsniffer_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
541 const guint8 *pd, int *err);
542 static gboolean ngsniffer_dump_close(wtap_dumper *wdh, int *err);
543 static int SnifferDecompress( unsigned char * inbuf, size_t inlen,
544 unsigned char * outbuf, size_t outlen, int *err );
545 static gint64 ng_file_read(void *buffer, unsigned int nbytes, wtap *wth,
546 gboolean is_random, int *err, gchar **err_info);
547 static int read_blob(FILE_T infile, ngsniffer_comp_stream_t *comp_stream,
548 int *err, gchar **err_info);
549 static gboolean ng_file_skip_seq(wtap *wth, gint64 delta, int *err,
551 static gboolean ng_file_seek_rand(wtap *wth, gint64 offset, int *err,
555 ngsniffer_open(wtap *wth, int *err, gchar **err_info)
558 char magic[sizeof ngsniffer_magic];
560 char record_length[4]; /* only the first 2 bytes are length,
561 the last 2 are "reserved" and are thrown away */
563 struct vers_rec version;
569 static const int sniffer_encap[] = {
570 WTAP_ENCAP_TOKEN_RING,
573 WTAP_ENCAP_UNKNOWN, /* StarLAN */
574 WTAP_ENCAP_UNKNOWN, /* PC Network broadband */
575 WTAP_ENCAP_UNKNOWN, /* LocalTalk */
576 WTAP_ENCAP_UNKNOWN, /* Znet */
577 WTAP_ENCAP_PER_PACKET, /* Internetwork analyzer (synchronous) */
578 WTAP_ENCAP_PER_PACKET, /* Internetwork analyzer (asynchronous) */
579 WTAP_ENCAP_FDDI_BITSWAPPED,
582 #define NUM_NGSNIFF_ENCAPS (sizeof sniffer_encap / sizeof sniffer_encap[0])
584 gint64 current_offset;
585 ngsniffer_t *ngsniffer;
587 /* Read in the string that should be at the start of a Sniffer file */
588 errno = WTAP_ERR_CANT_READ;
589 bytes_read = file_read(magic, sizeof magic, wth->fh);
590 if (bytes_read != sizeof magic) {
591 *err = file_error(wth->fh, err_info);
592 if (*err != 0 && *err != WTAP_ERR_SHORT_READ)
597 if (memcmp(magic, ngsniffer_magic, sizeof ngsniffer_magic)) {
602 * Read the first record, which the manual says is a version
605 errno = WTAP_ERR_CANT_READ;
606 bytes_read = file_read(record_type, 2, wth->fh);
607 if (bytes_read != 2) {
608 *err = file_error(wth->fh, err_info);
610 *err = WTAP_ERR_SHORT_READ;
613 bytes_read = file_read(record_length, 4, wth->fh);
614 if (bytes_read != 4) {
615 *err = file_error(wth->fh, err_info);
617 *err = WTAP_ERR_SHORT_READ;
621 type = pletohs(record_type);
623 if (type != REC_VERS) {
624 *err = WTAP_ERR_BAD_FILE;
625 *err_info = g_strdup_printf("ngsniffer: Sniffer file doesn't start with a version record");
629 errno = WTAP_ERR_CANT_READ;
630 bytes_read = file_read(&version, sizeof version, wth->fh);
631 if (bytes_read != sizeof version) {
632 *err = file_error(wth->fh, err_info);
634 *err = WTAP_ERR_SHORT_READ;
638 /* Check the data link type. */
639 if (version.network >= NUM_NGSNIFF_ENCAPS
640 || sniffer_encap[version.network] == WTAP_ENCAP_UNKNOWN) {
641 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
642 *err_info = g_strdup_printf("ngsniffer: network type %u unknown or unsupported",
647 /* Check the time unit */
648 if (version.timeunit >= NUM_NGSNIFF_TIMEUNITS) {
649 *err = WTAP_ERR_UNSUPPORTED;
650 *err_info = g_strdup_printf("ngsniffer: Unknown timeunit %u", version.timeunit);
654 /* compressed or uncompressed Sniffer file? */
655 if (version.format != 1) {
656 wth->file_type = WTAP_FILE_NGSNIFFER_COMPRESSED;
658 wth->file_type = WTAP_FILE_NGSNIFFER_UNCOMPRESSED;
661 /* Set encap type before reading header records because the
662 * header record may change encap type.
664 wth->file_encap = sniffer_encap[version.network];
667 * We don't know how to handle the remaining header record types,
668 * so we just skip them - except for REC_HEADER2 records, which
669 * we look at, for "Internetwork analyzer" captures, to attempt to
670 * determine what the link-layer encapsulation is.
672 * XXX - in some version 1.16 internetwork analyzer files
673 * generated by the Windows Sniffer when saving Windows
674 * Sniffer files as DOS Sniffer files, there's no REC_HEADER2
675 * record, but the first "rsvd" word is 1 for PRI ISDN files, 2
676 * for BRI ISDN files, and 0 for non-ISDN files; is that something
677 * the DOS Sniffer understands?
679 maj_vers = pletohs(&version.maj_vers);
680 if (process_header_records(wth, err, err_info, maj_vers,
681 version.network) < 0)
683 if ((version.network == NETWORK_SYNCHRO ||
684 version.network == NETWORK_ASYNC) &&
685 wth->file_encap == WTAP_ENCAP_PER_PACKET) {
687 * Well, we haven't determined the internetwork analyzer
694 * ... and this is a version 1 capture; look
695 * at the first "rsvd" word.
697 switch (pletohs(&version.rsvd[0])) {
701 wth->file_encap = WTAP_ENCAP_ISDN;
708 * ...and this is a version 3 capture; we've
709 * seen nothing in those that obviously
710 * indicates the capture type, but the only
711 * one we've seen is a Frame Relay capture,
712 * so mark it as Frame Relay for now.
714 wth->file_encap = WTAP_ENCAP_FRELAY_WITH_PHDR;
719 current_offset = file_tell(wth->fh);
722 * Now, if we have a random stream open, position it to the same
723 * location, which should be the beginning of the real data, and
724 * should be the beginning of the compressed data.
726 * XXX - will we see any records other than REC_FRAME2, REC_FRAME4,
727 * or REC_EOF after this? If not, we can get rid of the loop in
728 * "ngsniffer_read()".
730 if (wth->random_fh != NULL) {
731 if (file_seek(wth->random_fh, current_offset, SEEK_SET, err) == -1)
735 /* This is a ngsniffer file */
736 ngsniffer = (ngsniffer_t *)g_malloc(sizeof(ngsniffer_t));
737 wth->priv = (void *)ngsniffer;
738 ngsniffer->maj_vers = maj_vers;
739 ngsniffer->min_vers = pletohs(&version.min_vers);
741 /* We haven't allocated any uncompression buffers yet. */
742 ngsniffer->seq.buf = NULL;
743 ngsniffer->rand.buf = NULL;
745 /* Set the current file offset; the offset in the compressed file
746 and in the uncompressed data stream currently the same. */
747 ngsniffer->seq.uncomp_offset = current_offset;
748 ngsniffer->seq.comp_offset = current_offset;
749 ngsniffer->rand.uncomp_offset = current_offset;
750 ngsniffer->rand.comp_offset = current_offset;
752 /* We don't yet have any list of compressed blobs. */
753 ngsniffer->first_blob = NULL;
754 ngsniffer->last_blob = NULL;
755 ngsniffer->current_blob = NULL;
757 wth->subtype_read = ngsniffer_read;
758 wth->subtype_seek_read = ngsniffer_seek_read;
759 wth->subtype_sequential_close = ngsniffer_sequential_close;
760 wth->subtype_close = ngsniffer_close;
761 wth->snapshot_length = 0; /* not available in header, only in frame */
762 ngsniffer->timeunit = Psec[version.timeunit];
763 ngsniffer->network = version.network;
765 /* Get capture start time */
766 start_date = pletohs(&version.date);
767 tm.tm_year = ((start_date&DOS_YEAR_MASK)>>DOS_YEAR_SHIFT) + DOS_YEAR_OFFSET;
768 tm.tm_mon = ((start_date&DOS_MONTH_MASK)>>DOS_MONTH_SHIFT) + DOS_MONTH_OFFSET;
769 tm.tm_mday = ((start_date&DOS_DAY_MASK)>>DOS_DAY_SHIFT);
771 /* The time does not appear to act as an offset; only the date */
772 start_time = pletohs(&version.time);
773 tm.tm_hour = (start_time&0xf800)>>11;
774 tm.tm_min = (start_time&0x7e0)>>5;
775 tm.tm_sec = (start_time&0x1f)<<1;
781 ngsniffer->start = mktime(&tm);
783 * XXX - what if "secs" is -1? Unlikely,
784 * but if the capture was done in a time
785 * zone that switches between standard and
786 * summer time sometime other than when we
787 * do, and thus the time was one that doesn't
788 * exist here because a switch from standard
789 * to summer time zips over it, it could
792 * On the other hand, if the capture was done
793 * in a different time zone, this won't work
794 * right anyway; unfortunately, the time zone
795 * isn't stored in the capture file.
798 wth->tsprecision = WTAP_FILE_TSPREC_NSEC; /* XXX */
804 process_header_records(wtap *wth, int *err, gchar **err_info, gint16 maj_vers,
809 char record_length[4]; /* only the first 2 bytes are length,
810 the last 2 are "reserved" and are thrown away */
811 guint16 type, length;
813 unsigned char buffer[256];
816 errno = WTAP_ERR_CANT_READ;
817 bytes_read = file_read(record_type, 2, wth->fh);
818 if (bytes_read != 2) {
819 *err = file_error(wth->fh, err_info);
822 if (bytes_read != 0) {
823 *err = WTAP_ERR_SHORT_READ;
829 type = pletohs(record_type);
830 if ((type != REC_HEADER1) && (type != REC_HEADER2)
831 && (type != REC_HEADER3) && (type != REC_HEADER4)
832 && (type != REC_HEADER5) && (type != REC_HEADER6)
833 && (type != REC_HEADER7)
834 && ((type != REC_V2DESC) || (maj_vers > 2)) ) {
836 * Well, this is either some unknown header type
837 * (we ignore this case), an uncompressed data
838 * frame or the length of a compressed blob
839 * which implies data. Seek backwards over the
840 * two bytes we read, and return.
842 if (file_seek(wth->fh, -2, SEEK_CUR, err) == -1)
847 errno = WTAP_ERR_CANT_READ;
848 bytes_read = file_read(record_length, 4, wth->fh);
849 if (bytes_read != 4) {
850 *err = file_error(wth->fh, err_info);
852 *err = WTAP_ERR_SHORT_READ;
856 length = pletohs(record_length);
859 * Is this is an "Internetwork analyzer" capture, and
860 * is this a REC_HEADER2 record?
862 * If so, it appears to specify the particular type
863 * of network we're on.
865 * XXX - handle sync and async differently? (E.g.,
866 * does this apply only to sync?)
868 if ((network == NETWORK_SYNCHRO || network == NETWORK_ASYNC) &&
869 type == REC_HEADER2) {
871 * Yes, get the first up-to-256 bytes of the
874 bytes_to_read = MIN(length, (int)sizeof buffer);
875 bytes_read = file_read(buffer, bytes_to_read,
877 if (bytes_read != bytes_to_read) {
878 *err = file_error(wth->fh, err_info);
880 *err = WTAP_ERR_SHORT_READ;
888 if (process_rec_header2_v2(wth, buffer,
889 length, err, err_info) < 0)
896 if (process_rec_header2_v145(wth, buffer,
897 length, maj_vers, err, err_info) < 0)
903 * Skip the rest of the record.
905 if (length > sizeof buffer) {
906 if (file_seek(wth->fh, length - sizeof buffer,
907 SEEK_CUR, err) == -1)
911 /* Nope, just skip over the data. */
912 if (file_seek(wth->fh, length, SEEK_CUR, err) == -1)
919 process_rec_header2_v2(wtap *wth, unsigned char *buffer, guint16 length,
920 int *err, gchar **err_info)
922 static const char x_25_str[] = "HDLC\nX.25\n";
925 * There appears to be a string in a REC_HEADER2 record, with
926 * a list of protocols. In one X.25 capture I've seen, the
927 * string was "HDLC\nX.25\nCLNP\nISO_TP\nSESS\nPRES\nVTP\nACSE".
928 * Presumably CLNP and everything else is per-packet, but
929 * we assume "HDLC\nX.25\n" indicates that it's an X.25 capture.
931 if (length < sizeof x_25_str - 1) {
933 * There's not enough data to compare.
935 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
936 *err_info = g_strdup_printf("ngsniffer: WAN capture has too-short protocol list");
940 if (strncmp((char *)buffer, x_25_str, sizeof x_25_str - 1) == 0) {
944 wth->file_encap = WTAP_ENCAP_LAPB;
946 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
947 *err_info = g_strdup_printf("ngsniffer: WAN capture protocol string %.*s unknown",
955 process_rec_header2_v145(wtap *wth, unsigned char *buffer, guint16 length,
956 gint16 maj_vers, int *err, gchar **err_info)
959 * The 5th byte of the REC_HEADER2 record appears to be a
964 * There is no 5th byte; give up.
966 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
967 *err_info = g_strdup("ngsniffer: WAN capture has no network subtype");
972 * The X.25 captures I've seen have a type of NET_HDLC, and the
973 * Sniffer documentation seems to imply that it's used for
974 * X.25, although it could be used for other purposes as well.
976 * NET_ROUTER is used for all sorts of point-to-point protocols,
977 * including ISDN. It appears, from the documentation, that the
978 * Sniffer attempts to infer the particular protocol by looking
979 * at the traffic; it's not clear whether it stores in the file
980 * an indication of the protocol it inferred was being used.
982 * Unfortunately, it also appears that NET_HDLC is used for
983 * stuff other than X.25 as well, so we can't just interpret
984 * it unconditionally as X.25.
986 * For now, we interpret both NET_HDLC and NET_ROUTER as "per-packet
987 * encapsulation". We remember that we saw NET_ROUTER, though,
988 * as it appears that we can infer whether a packet is PPP or
989 * ISDN based on the channel number subfield of the frame error
990 * status bits - if it's 0, it's PPP, otherwise it's ISDN and
991 * the channel number indicates which channel it is. We assume
992 * NET_HDLC isn't used for ISDN.
997 wth->file_encap = WTAP_ENCAP_SDLC;
1001 wth->file_encap = WTAP_ENCAP_PER_PACKET;
1004 case NET_FRAME_RELAY:
1005 wth->file_encap = WTAP_ENCAP_FRELAY_WITH_PHDR;
1010 * For most of the version 4 capture files I've seen,
1011 * 0xfa in buffer[1] means the file is an ISDN capture,
1012 * but there's one PPP file with 0xfa there; does that
1013 * mean that the 0xfa has nothing to do with ISDN,
1014 * or is that just an ISDN file with no D channel
1015 * packets? (The channel number is not 0 in any
1016 * of the packets, so perhaps it is.)
1018 * For one version 5 ISDN capture I've seen, there's
1019 * a 0x01 in buffer[6]; none of the non-ISDN version
1020 * 5 captures have it.
1022 wth->file_encap = WTAP_ENCAP_PER_PACKET;
1026 if (buffer[1] == 0xfa)
1027 wth->file_encap = WTAP_ENCAP_ISDN;
1033 * There is no 5th byte; give up.
1035 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
1036 *err_info = g_strdup("ngsniffer: WAN bridge/router capture has no ISDN flag");
1039 if (buffer[6] == 0x01)
1040 wth->file_encap = WTAP_ENCAP_ISDN;
1046 wth->file_encap = WTAP_ENCAP_PPP_WITH_PHDR;
1051 * Reject these until we can figure them out.
1053 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
1054 *err_info = g_strdup_printf("ngsniffer: WAN network subtype %u unknown or unsupported",
1061 /* Read the next packet */
1063 ngsniffer_read(wtap *wth, int *err, gchar **err_info, gint64 *data_offset)
1065 ngsniffer_t *ngsniffer;
1067 guint16 type, length;
1068 struct frame2_rec frame2;
1069 struct frame4_rec frame4;
1070 struct frame6_rec frame6;
1071 guint16 time_low, time_med, true_size, size;
1072 guint8 time_high, time_day;
1073 guint64 t, tsecs, tpsecs;
1076 ngsniffer = (ngsniffer_t *)wth->priv;
1079 * We use the uncompressed offset, as that's what
1080 * we need to use for compressed files.
1082 *data_offset = ngsniffer->seq.uncomp_offset;
1085 * Read the record header.
1087 ret = ngsniffer_read_rec_header(wth, FALSE, &type, &length,
1090 /* Read error or EOF */
1097 if (ngsniffer->network == NETWORK_ATM) {
1099 * We shouldn't get a frame2 record in
1102 *err = WTAP_ERR_BAD_FILE;
1103 *err_info = g_strdup("ngsniffer: REC_FRAME2 record in an ATM Sniffer file");
1107 /* Read the f_frame2_struct */
1108 if (!ngsniffer_read_frame2(wth, FALSE, &frame2, err,
1113 time_low = pletohs(&frame2.time_low);
1114 time_med = pletohs(&frame2.time_med);
1115 time_high = frame2.time_high;
1116 time_day = frame2.time_day;
1117 size = pletohs(&frame2.size);
1118 true_size = pletohs(&frame2.true_size);
1120 length -= sizeof frame2; /* we already read that much */
1122 set_pseudo_header_frame2(wth, &wth->phdr.pseudo_header,
1127 if (ngsniffer->network != NETWORK_ATM) {
1129 * We shouldn't get a frame2 record in
1130 * a non-ATM capture.
1132 *err = WTAP_ERR_BAD_FILE;
1133 *err_info = g_strdup("ngsniffer: REC_FRAME4 record in a non-ATM Sniffer file");
1137 /* Read the f_frame4_struct */
1138 if (!ngsniffer_read_frame4(wth, FALSE, &frame4, err,
1143 time_low = pletohs(&frame4.time_low);
1144 time_med = pletohs(&frame4.time_med);
1145 time_high = frame4.time_high;
1146 time_day = frame4.time_day;
1147 size = pletohs(&frame4.size);
1148 true_size = pletohs(&frame4.true_size);
1151 * XXX - it looks as if some version 4 captures have
1152 * a bogus record length, based on the assumption
1153 * that the record is a frame2 record.
1155 if (ngsniffer->maj_vers >= 5)
1156 length -= sizeof frame4; /* we already read that much */
1158 if (ngsniffer->min_vers >= 95)
1159 length -= sizeof frame2;
1161 length -= sizeof frame4;
1164 set_pseudo_header_frame4(&wth->phdr.pseudo_header, &frame4);
1168 /* Read the f_frame6_struct */
1169 if (!ngsniffer_read_frame6(wth, FALSE, &frame6, err,
1174 time_low = pletohs(&frame6.time_low);
1175 time_med = pletohs(&frame6.time_med);
1176 time_high = frame6.time_high;
1177 time_day = frame6.time_day;
1178 size = pletohs(&frame6.size);
1179 true_size = pletohs(&frame6.true_size);
1181 length -= sizeof frame6; /* we already read that much */
1183 set_pseudo_header_frame6(wth, &wth->phdr.pseudo_header,
1189 * End of file. Return an EOF indication.
1191 *err = 0; /* EOF, not error */
1195 break; /* unknown type, skip it */
1199 * Well, we don't know what it is, or we know what
1200 * it is but can't handle it. Skip past the data
1201 * portion, and keep looping.
1203 if (!ng_file_skip_seq(wth, length, err, err_info))
1209 * OK, is the frame data size greater than than what's left of the
1212 if (size > length) {
1214 * Yes - treat this as an error.
1216 *err = WTAP_ERR_BAD_FILE;
1217 *err_info = g_strdup("ngsniffer: Record length is less than packet size");
1221 wth->phdr.presence_flags = true_size ? WTAP_HAS_TS|WTAP_HAS_CAP_LEN : WTAP_HAS_TS;
1222 wth->phdr.len = true_size ? true_size : size;
1223 wth->phdr.caplen = size;
1226 * Read the packet data.
1228 buffer_assure_space(wth->frame_buffer, length);
1229 pd = buffer_start_ptr(wth->frame_buffer);
1230 if (!ngsniffer_read_rec_data(wth, FALSE, pd, length, err, err_info))
1231 return FALSE; /* Read error */
1233 wth->phdr.pkt_encap = fix_pseudo_header(wth->file_encap, pd, length,
1234 &wth->phdr.pseudo_header);
1237 * 40-bit time stamp, in units of timeunit picoseconds.
1239 t = (((guint64)time_high)<<32) | (((guint64)time_med) << 16) | time_low;
1242 * timeunit is always < 2^(64-40), so t * timeunit fits in 64
1243 * bits. That gives a 64-bit time stamp, in units of
1246 t *= ngsniffer->timeunit;
1249 * Convert to seconds and picoseconds.
1251 tsecs = t/G_GINT64_CONSTANT(1000000000000U);
1252 tpsecs = t - tsecs*G_GINT64_CONSTANT(1000000000000U);
1255 * Add in the time_day value (86400 seconds/day).
1257 tsecs += time_day*86400;
1260 * Add in the capture start time.
1262 tsecs += ngsniffer->start;
1264 wth->phdr.ts.secs = (time_t)tsecs;
1265 wth->phdr.ts.nsecs = (int)(tpsecs/1000); /* psecs to nsecs */
1270 ngsniffer_seek_read(wtap *wth, gint64 seek_off,
1271 struct wtap_pkthdr *phdr, guint8 *pd, int packet_size,
1272 int *err, gchar **err_info)
1274 union wtap_pseudo_header *pseudo_header = &phdr->pseudo_header;
1276 guint16 type, length;
1277 struct frame2_rec frame2;
1278 struct frame4_rec frame4;
1279 struct frame6_rec frame6;
1281 if (!ng_file_seek_rand(wth, seek_off, err, err_info))
1284 ret = ngsniffer_read_rec_header(wth, TRUE, &type, &length, err,
1287 /* Read error or EOF */
1289 /* EOF means "short read" in random-access mode */
1290 *err = WTAP_ERR_SHORT_READ;
1298 /* Read the f_frame2_struct */
1299 if (!ngsniffer_read_frame2(wth, TRUE, &frame2, err, err_info)) {
1304 length -= sizeof frame2; /* we already read that much */
1306 set_pseudo_header_frame2(wth, pseudo_header, &frame2);
1310 /* Read the f_frame4_struct */
1311 if (!ngsniffer_read_frame4(wth, TRUE, &frame4, err, err_info)) {
1316 length -= sizeof frame4; /* we already read that much */
1318 set_pseudo_header_frame4(pseudo_header, &frame4);
1322 /* Read the f_frame6_struct */
1323 if (!ngsniffer_read_frame6(wth, TRUE, &frame6, err, err_info)) {
1328 length -= sizeof frame6; /* we already read that much */
1330 set_pseudo_header_frame6(wth, pseudo_header, &frame6);
1337 g_assert_not_reached();
1342 * Got the pseudo-header (if any), now get the data.
1344 if (!ngsniffer_read_rec_data(wth, TRUE, pd, packet_size, err, err_info))
1347 fix_pseudo_header(wth->file_encap, pd, packet_size, pseudo_header);
1353 ngsniffer_read_rec_header(wtap *wth, gboolean is_random, guint16 *typep,
1354 guint16 *lengthp, int *err, gchar **err_info)
1357 char record_type[2];
1358 char record_length[4]; /* only 1st 2 bytes are length */
1361 * Read the record header.
1363 bytes_read = ng_file_read(record_type, 2, wth, is_random, err,
1365 if (bytes_read != 2) {
1368 if (bytes_read != 0) {
1369 *err = WTAP_ERR_SHORT_READ;
1374 bytes_read = ng_file_read(record_length, 4, wth, is_random, err,
1376 if (bytes_read != 4) {
1378 *err = WTAP_ERR_SHORT_READ;
1382 *typep = pletohs(record_type);
1383 *lengthp = pletohs(record_length);
1384 return 1; /* success */
1388 ngsniffer_read_frame2(wtap *wth, gboolean is_random, struct frame2_rec *frame2,
1389 int *err, gchar **err_info)
1393 /* Read the f_frame2_struct */
1394 bytes_read = ng_file_read(frame2, (unsigned int)sizeof *frame2, wth,
1395 is_random, err, err_info);
1396 if (bytes_read != sizeof *frame2) {
1398 *err = WTAP_ERR_SHORT_READ;
1405 set_pseudo_header_frame2(wtap *wth, union wtap_pseudo_header *pseudo_header,
1406 struct frame2_rec *frame2)
1409 * In one PPP "Internetwork analyzer" capture:
1411 * The only bit seen in "frame2.fs" is the 0x80 bit, which
1412 * probably indicates the packet's direction; all other
1413 * bits were zero. The Expert Sniffer Network Analyzer
1414 * 5.50 Operations manual says that bit is the FS_DTE bit
1415 * for async/PPP data. The other bits are error bits
1416 * plus bits indicating whether the frame is PPP or SLIP,
1417 * but the PPP bit isn't set.
1419 * All bits in "frame2.flags" were zero.
1421 * In one X.25 "Internetwork analyzer" capture:
1423 * The only bit seen in "frame2.fs" is the 0x80 bit, which
1424 * probably indicates the packet's direction; all other
1427 * "frame2.flags" was always 0x18; however, the Sniffer
1428 * manual says that just means that a display filter was
1429 * calculated for the frame, and it should be displayed,
1430 * so perhaps that's just a quirk of that particular capture.
1432 * In one Ethernet capture:
1434 * "frame2.fs" was always 0; the Sniffer manual says they're
1435 * error bits of various sorts.
1437 * "frame2.flags" was either 0 or 0x18, with no obvious
1438 * correlation with anything. See previous comment
1439 * about display filters.
1441 * In one Token Ring capture:
1443 * "frame2.fs" was either 0 or 0xcc; the Sniffer manual says
1444 * nothing about those bits for Token Ring captures.
1446 * "frame2.flags" was either 0 or 0x18, with no obvious
1447 * correlation with anything. See previous comment
1448 * about display filters.
1450 switch (wth->file_encap) {
1452 case WTAP_ENCAP_ETHERNET:
1454 * XXX - do we ever have an FCS? If not, why do we often
1455 * have 4 extra bytes of stuff at the end? Do some
1456 * PC Ethernet interfaces report the length including the
1457 * FCS but not store the FCS in the packet, or do some
1458 * Ethernet drivers work that way?
1460 pseudo_header->eth.fcs_len = 0;
1463 case WTAP_ENCAP_PPP_WITH_PHDR:
1464 case WTAP_ENCAP_SDLC:
1465 pseudo_header->p2p.sent = (frame2->fs & FS_WAN_DTE) ? TRUE : FALSE;
1468 case WTAP_ENCAP_LAPB:
1469 case WTAP_ENCAP_FRELAY_WITH_PHDR:
1470 case WTAP_ENCAP_PER_PACKET:
1471 pseudo_header->x25.flags = (frame2->fs & FS_WAN_DTE) ? 0x00 : FROM_DCE;
1474 case WTAP_ENCAP_ISDN:
1475 pseudo_header->isdn.uton = (frame2->fs & FS_WAN_DTE) ? FALSE : TRUE;
1476 switch (frame2->fs & FS_ISDN_CHAN_MASK) {
1478 case FS_ISDN_CHAN_D:
1479 pseudo_header->isdn.channel = 0; /* D-channel */
1482 case FS_ISDN_CHAN_B1:
1483 pseudo_header->isdn.channel = 1; /* B1-channel */
1486 case FS_ISDN_CHAN_B2:
1487 pseudo_header->isdn.channel = 2; /* B2-channel */
1491 pseudo_header->isdn.channel = 30; /* XXX */
1498 ngsniffer_read_frame4(wtap *wth, gboolean is_random, struct frame4_rec *frame4,
1499 int *err, gchar **err_info)
1503 /* Read the f_frame4_struct */
1504 bytes_read = ng_file_read(frame4, (unsigned int)sizeof *frame4, wth,
1505 is_random, err, err_info);
1506 if (bytes_read != sizeof *frame4) {
1508 *err = WTAP_ERR_SHORT_READ;
1515 set_pseudo_header_frame4(union wtap_pseudo_header *pseudo_header,
1516 struct frame4_rec *frame4)
1519 guint8 aal_type, hl_type;
1523 * Map flags from frame4.atm_info.StatusWord.
1525 pseudo_header->atm.flags = 0;
1526 StatusWord = pletohl(&frame4->atm_info.StatusWord);
1527 if (StatusWord & SW_RAW_CELL)
1528 pseudo_header->atm.flags |= ATM_RAW_CELL;
1530 aal_type = frame4->atm_info.AppTrafType & ATT_AALTYPE;
1531 hl_type = frame4->atm_info.AppTrafType & ATT_HLTYPE;
1532 vpi = pletohs(&frame4->atm_info.Vpi);
1533 vci = pletohs(&frame4->atm_info.Vci);
1537 case ATT_AAL_UNKNOWN:
1539 * Map ATT_AAL_UNKNOWN on VPI 0, VCI 5 to ATT_AAL_SIGNALLING,
1540 * as that's the VPCI used for signalling.
1542 * XXX - is this necessary, or will frames to 0/5 always
1543 * have ATT_AAL_SIGNALLING?
1545 if (vpi == 0 && vci == 5)
1546 pseudo_header->atm.aal = AAL_SIGNALLING;
1548 pseudo_header->atm.aal = AAL_UNKNOWN;
1549 pseudo_header->atm.type = TRAF_UNKNOWN;
1550 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1554 pseudo_header->atm.aal = AAL_1;
1555 pseudo_header->atm.type = TRAF_UNKNOWN;
1556 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1560 pseudo_header->atm.aal = AAL_3_4;
1561 pseudo_header->atm.type = TRAF_UNKNOWN;
1562 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1566 pseudo_header->atm.aal = AAL_5;
1569 case ATT_HL_UNKNOWN:
1570 pseudo_header->atm.type = TRAF_UNKNOWN;
1571 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1575 pseudo_header->atm.type = TRAF_LLCMX;
1576 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1580 pseudo_header->atm.type = TRAF_VCMX;
1581 switch (frame4->atm_info.AppHLType) {
1584 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1587 case AHLT_VCMX_802_3_FCS:
1588 pseudo_header->atm.subtype =
1589 TRAF_ST_VCMX_802_3_FCS;
1592 case AHLT_VCMX_802_4_FCS:
1593 pseudo_header->atm.subtype =
1594 TRAF_ST_VCMX_802_4_FCS;
1597 case AHLT_VCMX_802_5_FCS:
1598 pseudo_header->atm.subtype =
1599 TRAF_ST_VCMX_802_5_FCS;
1602 case AHLT_VCMX_FDDI_FCS:
1603 pseudo_header->atm.subtype =
1604 TRAF_ST_VCMX_FDDI_FCS;
1607 case AHLT_VCMX_802_6_FCS:
1608 pseudo_header->atm.subtype =
1609 TRAF_ST_VCMX_802_6_FCS;
1612 case AHLT_VCMX_802_3:
1613 pseudo_header->atm.subtype = TRAF_ST_VCMX_802_3;
1616 case AHLT_VCMX_802_4:
1617 pseudo_header->atm.subtype = TRAF_ST_VCMX_802_4;
1620 case AHLT_VCMX_802_5:
1621 pseudo_header->atm.subtype = TRAF_ST_VCMX_802_5;
1624 case AHLT_VCMX_FDDI:
1625 pseudo_header->atm.subtype = TRAF_ST_VCMX_FDDI;
1628 case AHLT_VCMX_802_6:
1629 pseudo_header->atm.subtype = TRAF_ST_VCMX_802_6;
1632 case AHLT_VCMX_FRAGMENTS:
1633 pseudo_header->atm.subtype =
1634 TRAF_ST_VCMX_FRAGMENTS;
1637 case AHLT_VCMX_BPDU:
1638 pseudo_header->atm.subtype = TRAF_ST_VCMX_BPDU;
1642 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1648 pseudo_header->atm.type = TRAF_LANE;
1649 switch (frame4->atm_info.AppHLType) {
1652 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1655 case AHLT_LANE_LE_CTRL:
1656 pseudo_header->atm.subtype =
1657 TRAF_ST_LANE_LE_CTRL;
1660 case AHLT_LANE_802_3:
1661 pseudo_header->atm.subtype = TRAF_ST_LANE_802_3;
1664 case AHLT_LANE_802_5:
1665 pseudo_header->atm.subtype = TRAF_ST_LANE_802_5;
1668 case AHLT_LANE_802_3_MC:
1669 pseudo_header->atm.subtype =
1670 TRAF_ST_LANE_802_3_MC;
1673 case AHLT_LANE_802_5_MC:
1674 pseudo_header->atm.subtype =
1675 TRAF_ST_LANE_802_5_MC;
1679 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1685 pseudo_header->atm.type = TRAF_ILMI;
1686 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1690 pseudo_header->atm.type = TRAF_FR;
1691 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1695 pseudo_header->atm.type = TRAF_SPANS;
1696 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1699 case ATT_HL_IPSILON:
1700 pseudo_header->atm.type = TRAF_IPSILON;
1701 switch (frame4->atm_info.AppHLType) {
1704 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1707 case AHLT_IPSILON_FT0:
1708 pseudo_header->atm.subtype =
1709 TRAF_ST_IPSILON_FT0;
1712 case AHLT_IPSILON_FT1:
1713 pseudo_header->atm.subtype =
1714 TRAF_ST_IPSILON_FT1;
1717 case AHLT_IPSILON_FT2:
1718 pseudo_header->atm.subtype =
1719 TRAF_ST_IPSILON_FT2;
1723 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1729 pseudo_header->atm.type = TRAF_UNKNOWN;
1730 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1736 pseudo_header->atm.aal = AAL_USER;
1737 pseudo_header->atm.type = TRAF_UNKNOWN;
1738 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1741 case ATT_AAL_SIGNALLING:
1742 pseudo_header->atm.aal = AAL_SIGNALLING;
1743 pseudo_header->atm.type = TRAF_UNKNOWN;
1744 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1748 pseudo_header->atm.aal = AAL_OAMCELL;
1749 pseudo_header->atm.type = TRAF_UNKNOWN;
1750 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1754 pseudo_header->atm.aal = AAL_UNKNOWN;
1755 pseudo_header->atm.type = TRAF_UNKNOWN;
1756 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1759 pseudo_header->atm.vpi = vpi;
1760 pseudo_header->atm.vci = vci;
1761 pseudo_header->atm.channel = pletohs(&frame4->atm_info.channel);
1762 pseudo_header->atm.cells = pletohs(&frame4->atm_info.cells);
1763 pseudo_header->atm.aal5t_u2u = pletohs(&frame4->atm_info.Trailer.aal5t_u2u);
1764 pseudo_header->atm.aal5t_len = pletohs(&frame4->atm_info.Trailer.aal5t_len);
1765 pseudo_header->atm.aal5t_chksum = pntohl(&frame4->atm_info.Trailer.aal5t_chksum);
1769 ngsniffer_read_frame6(wtap *wth, gboolean is_random, struct frame6_rec *frame6,
1770 int *err, gchar **err_info)
1774 /* Read the f_frame6_struct */
1775 bytes_read = ng_file_read(frame6, (unsigned int)sizeof *frame6, wth,
1776 is_random, err, err_info);
1777 if (bytes_read != sizeof *frame6) {
1779 *err = WTAP_ERR_SHORT_READ;
1786 set_pseudo_header_frame6(wtap *wth, union wtap_pseudo_header *pseudo_header,
1787 struct frame6_rec *frame6 _U_)
1789 /* XXX - Once the frame format is divined, something will most likely go here */
1791 switch (wth->file_encap) {
1793 case WTAP_ENCAP_ETHERNET:
1794 /* XXX - is there an FCS? */
1795 pseudo_header->eth.fcs_len = -1;
1801 ngsniffer_read_rec_data(wtap *wth, gboolean is_random, guint8 *pd,
1802 unsigned int length, int *err, gchar **err_info)
1806 bytes_read = ng_file_read(pd, length, wth, is_random, err, err_info);
1808 if (bytes_read != (gint64) length) {
1810 *err = WTAP_ERR_SHORT_READ;
1817 * OK, this capture is from an "Internetwork analyzer", and we either
1818 * didn't see a type 7 record or it had a network type such as NET_HDLC
1819 * that doesn't tell us which *particular* HDLC derivative this is;
1820 * let's look at the first few bytes of the packet, a pointer to which
1821 * was passed to us as an argument, and see whether it looks like PPP,
1822 * Frame Relay, Wellfleet HDLC, Cisco HDLC, or LAPB - or, if it's none
1823 * of those, assume it's LAPD.
1825 * (XXX - are there any "Internetwork analyzer" captures that don't
1826 * have type 7 records? If so, is there some other field that will
1827 * tell us what type of capture it is?)
1830 infer_pkt_encap(const guint8 *pd, int len)
1836 * Nothing to infer, but it doesn't matter how you
1837 * dissect an empty packet. Let's just say PPP.
1839 return WTAP_ENCAP_PPP_WITH_PHDR;
1842 if (pd[0] == 0xFF) {
1844 * PPP. (XXX - check for 0xFF 0x03?)
1846 return WTAP_ENCAP_PPP_WITH_PHDR;
1850 if (pd[0] == 0x07 && pd[1] == 0x03) {
1854 return WTAP_ENCAP_WFLEET_HDLC;
1855 } else if ((pd[0] == 0x0F && pd[1] == 0x00) ||
1856 (pd[0] == 0x8F && pd[1] == 0x00)) {
1860 return WTAP_ENCAP_CHDLC_WITH_PHDR;
1864 * Check for Frame Relay. Look for packets with at least
1865 * 3 bytes of header - 2 bytes of DLCI followed by 1 byte
1866 * of control, which, for now, we require to be 0x03 (UI),
1867 * although there might be other frame types as well.
1868 * Scan forward until we see the last DLCI byte, with
1869 * the low-order bit being 1, and then check the next
1870 * byte to see if it's a control byte.
1872 * XXX - in version 4 and 5 captures, wouldn't this just
1873 * have a capture subtype of NET_FRAME_RELAY? Or is this
1874 * here only to handle other versions of the capture
1875 * file, where we might just not yet have found where
1876 * the subtype is specified in the capture?
1878 * Bay^H^H^HNortel Networks has a mechanism in the Optivity
1879 * software for some of their routers to save captures
1880 * in Sniffer format; they use a version number of 4.9, but
1881 * don't put out any header records before the first FRAME2
1882 * record. That means we have to use heuristics to guess
1883 * what type of packet we have.
1885 for (i = 0; i < len && (pd[i] & 0x01) == 0; i++)
1887 i++; /* advance to the byte after the last DLCI byte */
1892 return WTAP_ENCAP_LAPB;
1895 return WTAP_ENCAP_FRELAY_WITH_PHDR;
1899 * Assume LAPB, for now. If we support other HDLC encapsulations,
1900 * we can check whether the low-order bit of the first byte is
1901 * set (as it should be for LAPB) if no other checks pass.
1903 * Or, if it's truly impossible to distinguish ISDN from non-ISDN
1904 * captures, we could assume it's ISDN if it's not anything
1907 return WTAP_ENCAP_LAPB;
1911 fix_pseudo_header(int encap, const guint8 *pd, int len,
1912 union wtap_pseudo_header *pseudo_header)
1916 case WTAP_ENCAP_PER_PACKET:
1918 * Infer the packet type from the first two bytes.
1920 encap = infer_pkt_encap(pd, len);
1923 * Fix up the pseudo-header to match the new
1924 * encapsulation type.
1928 case WTAP_ENCAP_WFLEET_HDLC:
1929 case WTAP_ENCAP_CHDLC_WITH_PHDR:
1930 case WTAP_ENCAP_PPP_WITH_PHDR:
1931 if (pseudo_header->x25.flags == 0)
1932 pseudo_header->p2p.sent = TRUE;
1934 pseudo_header->p2p.sent = FALSE;
1937 case WTAP_ENCAP_ISDN:
1938 if (pseudo_header->x25.flags == 0x00)
1939 pseudo_header->isdn.uton = FALSE;
1941 pseudo_header->isdn.uton = TRUE;
1944 * XXX - this is currently a per-packet
1945 * encapsulation type, and we can't determine
1946 * whether a capture is an ISDN capture before
1947 * seeing any packets, and B-channel PPP packets
1948 * look like PPP packets and are given
1949 * WTAP_ENCAP_PPP_WITH_PHDR, not WTAP_ENCAP_ISDN,
1950 * so we assume this is a D-channel packet and
1951 * thus give it a channel number of 0.
1953 pseudo_header->isdn.channel = 0;
1958 case WTAP_ENCAP_ATM_PDUS:
1960 * If the Windows Sniffer writes out one of its ATM
1961 * capture files in DOS Sniffer format, it doesn't
1962 * distinguish between LE Control and LANE encapsulated
1963 * LAN frames, it just marks them as LAN frames,
1964 * so we fix that up here.
1966 * I've also seen DOS Sniffer captures claiming that
1967 * LANE packets that *don't* start with FF 00 are
1968 * marked as LE Control frames, so we fix that up
1971 if (pseudo_header->atm.type == TRAF_LANE && len >= 2) {
1972 if (pd[0] == 0xff && pd[1] == 0x00) {
1974 * This must be LE Control.
1976 pseudo_header->atm.subtype =
1977 TRAF_ST_LANE_LE_CTRL;
1980 * This can't be LE Control.
1982 if (pseudo_header->atm.subtype ==
1983 TRAF_ST_LANE_LE_CTRL) {
1985 * XXX - Ethernet or Token Ring?
1987 pseudo_header->atm.subtype =
1997 /* Throw away the buffers used by the sequential I/O stream, but not
1998 those used by the random I/O stream. */
2000 ngsniffer_sequential_close(wtap *wth)
2002 ngsniffer_t *ngsniffer;
2004 ngsniffer = (ngsniffer_t *)wth->priv;
2005 if (ngsniffer->seq.buf != NULL) {
2006 g_free(ngsniffer->seq.buf);
2007 ngsniffer->seq.buf = NULL;
2012 free_blob(gpointer data, gpointer user_data _U_)
2017 /* Close stuff used by the random I/O stream, if any, and free up any
2018 private data structures. (If there's a "sequential_close" routine
2019 for a capture file type, it'll be called before the "close" routine
2020 is called, so we don't have to free the sequential buffer here.) */
2022 ngsniffer_close(wtap *wth)
2024 ngsniffer_t *ngsniffer;
2026 ngsniffer = (ngsniffer_t *)wth->priv;
2027 if (ngsniffer->rand.buf != NULL)
2028 g_free(ngsniffer->rand.buf);
2029 if (ngsniffer->first_blob != NULL) {
2030 g_list_foreach(ngsniffer->first_blob, free_blob, NULL);
2031 g_list_free(ngsniffer->first_blob);
2036 gboolean first_frame;
2040 static const int wtap_encap[] = {
2041 -1, /* WTAP_ENCAP_UNKNOWN -> unsupported */
2042 1, /* WTAP_ENCAP_ETHERNET */
2043 0, /* WTAP_ENCAP_TOKEN_RING */
2044 -1, /* WTAP_ENCAP_SLIP -> unsupported */
2045 7, /* WTAP_ENCAP_PPP -> Internetwork analyzer (synchronous) FIXME ! */
2046 9, /* WTAP_ENCAP_FDDI */
2047 9, /* WTAP_ENCAP_FDDI_BITSWAPPED */
2048 -1, /* WTAP_ENCAP_RAW_IP -> unsupported */
2049 2, /* WTAP_ENCAP_ARCNET */
2050 -1, /* WTAP_ENCAP_ARCNET_LINUX -> unsupported */
2051 -1, /* WTAP_ENCAP_ATM_RFC1483 */
2052 -1, /* WTAP_ENCAP_LINUX_ATM_CLIP */
2053 7, /* WTAP_ENCAP_LAPB -> Internetwork analyzer (synchronous) */
2054 -1, /* WTAP_ENCAP_ATM_PDUS */
2055 -1, /* WTAP_ENCAP_NULL -> unsupported */
2056 -1, /* WTAP_ENCAP_ASCEND -> unsupported */
2057 -1, /* WTAP_ENCAP_ISDN -> unsupported */
2058 -1, /* WTAP_ENCAP_IP_OVER_FC -> unsupported */
2059 7, /* WTAP_ENCAP_PPP_WITH_PHDR -> Internetwork analyzer (synchronous) FIXME ! */
2061 #define NUM_WTAP_ENCAPS (sizeof wtap_encap / sizeof wtap_encap[0])
2063 /* Returns 0 if we could write the specified encapsulation type,
2064 an error indication otherwise. */
2066 ngsniffer_dump_can_write_encap(int encap)
2068 /* Per-packet encapsulations aren't supported. */
2069 if (encap == WTAP_ENCAP_PER_PACKET)
2070 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
2072 if (encap < 0 || (unsigned)encap >= NUM_WTAP_ENCAPS || wtap_encap[encap] == -1)
2073 return WTAP_ERR_UNSUPPORTED_ENCAP;
2078 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
2081 ngsniffer_dump_open(wtap_dumper *wdh, int *err)
2083 ngsniffer_dump_t *ngsniffer;
2084 char buf[6] = {REC_VERS, 0x00, 0x12, 0x00, 0x00, 0x00}; /* version record */
2086 /* This is a sniffer file */
2087 wdh->subtype_write = ngsniffer_dump;
2088 wdh->subtype_close = ngsniffer_dump_close;
2090 ngsniffer = (ngsniffer_dump_t *)g_malloc(sizeof(ngsniffer_dump_t));
2091 wdh->priv = (void *)ngsniffer;
2092 ngsniffer->first_frame = TRUE;
2093 ngsniffer->start = 0;
2095 /* Write the file header. */
2096 if (!wtap_dump_file_write(wdh, ngsniffer_magic, sizeof ngsniffer_magic,
2099 if (!wtap_dump_file_write(wdh, buf, 6, err))
2105 /* Write a record for a packet to a dump file.
2106 Returns TRUE on success, FALSE on failure. */
2108 ngsniffer_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
2109 const guint8 *pd, int *err)
2111 const union wtap_pseudo_header *pseudo_header = &phdr->pseudo_header;
2112 ngsniffer_dump_t *ngsniffer = (ngsniffer_dump_t *)wdh->priv;
2113 struct frame2_rec rec_hdr;
2117 guint16 t_low, t_med;
2119 struct vers_rec version;
2120 gint16 maj_vers, min_vers;
2124 /* Sniffer files have a capture start date in the file header, and
2125 have times relative to the beginning of that day in the packet
2126 headers; pick the date of the first packet as the capture start
2128 if (ngsniffer->first_frame) {
2129 ngsniffer->first_frame=FALSE;
2130 #if (defined _WIN32) && (_MSC_VER < 1500)
2131 /* calling localtime() on MSVC 2005 with huge values causes it to crash */
2132 /* XXX - find the exact value that still does work */
2133 /* XXX - using _USE_32BIT_TIME_T might be another way to circumvent this problem */
2134 if (phdr->ts.secs > 2000000000)
2138 tm = localtime(&phdr->ts.secs);
2139 if (tm != NULL && tm->tm_year >= DOS_YEAR_OFFSET) {
2140 start_date = (tm->tm_year - DOS_YEAR_OFFSET) << DOS_YEAR_SHIFT;
2141 start_date |= (tm->tm_mon - DOS_MONTH_OFFSET) << DOS_MONTH_SHIFT;
2142 start_date |= tm->tm_mday << DOS_DAY_SHIFT;
2143 /* record the start date, not the start time */
2144 ngsniffer->start = phdr->ts.secs - (3600*tm->tm_hour + 60*tm->tm_min + tm->tm_sec);
2147 ngsniffer->start = 0;
2150 /* "sniffer" version ? */
2153 version.maj_vers = htoles(maj_vers);
2154 version.min_vers = htoles(min_vers);
2156 version.date = htoles(start_date);
2158 version.network = wtap_encap[wdh->encap];
2160 version.timeunit = 1; /* 0.838096 */
2161 version.cmprs_vers = 0;
2162 version.cmprs_level = 0;
2163 version.rsvd[0] = 0;
2164 version.rsvd[1] = 0;
2165 if (!wtap_dump_file_write(wdh, &version, sizeof version, err))
2169 buf[0] = REC_FRAME2;
2171 buf[2] = (char)((phdr->caplen + sizeof(struct frame2_rec))%256);
2172 buf[3] = (char)((phdr->caplen + sizeof(struct frame2_rec))/256);
2175 if (!wtap_dump_file_write(wdh, buf, 6, err))
2177 /* Seconds since the start of the capture */
2178 tsecs = phdr->ts.secs - ngsniffer->start;
2179 /* Extract the number of days since the start of the capture */
2180 rec_hdr.time_day = (guint8)(tsecs / 86400); /* # days of capture - 86400 secs/day */
2181 tsecs -= rec_hdr.time_day * 86400; /* time within day */
2182 /* Convert to picoseconds */
2183 t = tsecs*G_GINT64_CONSTANT(1000000000000U) +
2184 phdr->ts.nsecs*G_GINT64_CONSTANT(1000U);
2185 /* Convert to units of timeunit = 1 */
2187 t_low = (guint16)((t >> 0) & 0xFFFF);
2188 t_med = (guint16)((t >> 16) & 0xFFFF);
2189 t_high = (guint8)((t >> 32) & 0xFF);
2190 rec_hdr.time_low = htoles(t_low);
2191 rec_hdr.time_med = htoles(t_med);
2192 rec_hdr.time_high = t_high;
2193 rec_hdr.size = htoles(phdr->caplen);
2194 switch (wdh->encap) {
2196 case WTAP_ENCAP_LAPB:
2197 case WTAP_ENCAP_FRELAY_WITH_PHDR:
2198 rec_hdr.fs = (pseudo_header->x25.flags & FROM_DCE) ? 0x00 : FS_WAN_DTE;
2201 case WTAP_ENCAP_PPP_WITH_PHDR:
2202 case WTAP_ENCAP_SDLC:
2203 rec_hdr.fs = pseudo_header->p2p.sent ? 0x00 : FS_WAN_DTE;
2206 case WTAP_ENCAP_ISDN:
2207 rec_hdr.fs = pseudo_header->isdn.uton ? FS_WAN_DTE : 0x00;
2208 switch (pseudo_header->isdn.channel) {
2210 case 0: /* D-channel */
2211 rec_hdr.fs |= FS_ISDN_CHAN_D;
2214 case 1: /* B1-channel */
2215 rec_hdr.fs |= FS_ISDN_CHAN_B1;
2218 case 2: /* B2-channel */
2219 rec_hdr.fs |= FS_ISDN_CHAN_B2;
2229 rec_hdr.true_size = phdr->len != phdr->caplen ? htoles(phdr->len) : 0;
2231 if (!wtap_dump_file_write(wdh, &rec_hdr, sizeof rec_hdr, err))
2233 if (!wtap_dump_file_write(wdh, pd, phdr->caplen, err))
2238 /* Finish writing to a dump file.
2239 Returns TRUE on success, FALSE on failure. */
2241 ngsniffer_dump_close(wtap_dumper *wdh, int *err)
2244 char buf[6] = {REC_EOF, 0x00, 0x00, 0x00, 0x00, 0x00};
2246 if (!wtap_dump_file_write(wdh, buf, 6, err))
2252 SnifferDecompress() decompresses a blob of compressed data from a
2253 Sniffer(R) capture file.
2255 This function is Copyright (c) 1999-2999 Tim Farley
2258 inbuf - buffer of compressed bytes from file, not including
2259 the preceding length word
2260 inlen - length of inbuf in bytes (max 64k)
2261 outbuf - decompressed contents, could contain a partial Sniffer
2263 outlen - length of outbuf.
2265 Return value is the number of bytes in outbuf on return.
2268 SnifferDecompress(unsigned char *inbuf, size_t inlen, unsigned char *outbuf,
2269 size_t outlen, int *err)
2271 unsigned char * pin = inbuf;
2272 unsigned char * pout = outbuf;
2273 unsigned char * pin_end = pin + inlen;
2274 unsigned char * pout_end = pout + outlen;
2275 unsigned int bit_mask; /* one bit is set in this, to mask with bit_value */
2276 unsigned int bit_value = 0; /* cache the last 16 coding bits we retrieved */
2277 unsigned int code_type; /* encoding type, from high 4 bits of byte */
2278 unsigned int code_low; /* other 4 bits from encoding byte */
2279 int length; /* length of RLE sequence or repeated string */
2280 int offset; /* offset of string to repeat */
2282 if (inlen > G_MAXUINT16) {
2286 bit_mask = 0; /* don't have any bits yet */
2289 /* Shift down the bit mask we use to see whats encoded */
2290 bit_mask = bit_mask >> 1;
2292 /* If there are no bits left, time to get another 16 bits */
2293 if ( 0 == bit_mask )
2295 bit_mask = 0x8000; /* start with the high bit */
2296 bit_value = pletohs(pin); /* get the next 16 bits */
2297 pin += 2; /* skip over what we just grabbed */
2298 if ( pin >= pin_end )
2300 *err = WTAP_ERR_UNC_TRUNCATED; /* data was oddly truncated */
2305 /* Use the bits in bit_value to see what's encoded and what is raw data */
2306 if ( !(bit_mask & bit_value) )
2308 /* bit not set - raw byte we just copy */
2309 *(pout++) = *(pin++);
2313 /* bit set - next item is encoded. Peel off high nybble
2314 of next byte to see the encoding type. Set aside low
2315 nybble while we are at it */
2316 code_type = (unsigned int) ((*pin) >> 4 ) & 0xF;
2317 code_low = (unsigned int) ((*pin) & 0xF );
2318 pin++; /* increment over the code byte we just retrieved */
2319 if ( pin >= pin_end )
2321 *err = WTAP_ERR_UNC_TRUNCATED; /* data was oddly truncated */
2325 /* Based on the code type, decode the compressed string */
2326 switch ( code_type )
2328 case 0 : /* RLE short runs */
2330 Run length is the low nybble of the first code byte.
2331 Byte to repeat immediately follows.
2332 Total code size: 2 bytes.
2334 length = code_low + 3;
2335 /* If length would put us past end of output, avoid overflow */
2336 if ( pout + length > pout_end )
2338 *err = WTAP_ERR_UNC_OVERFLOW;
2342 /* generate the repeated series of bytes */
2343 memset( pout, *pin++, length );
2346 case 1 : /* RLE long runs */
2348 Low 4 bits of run length is the low nybble of the
2349 first code byte, upper 8 bits of run length is in
2351 Byte to repeat immediately follows.
2352 Total code size: 3 bytes.
2354 length = code_low + ((unsigned int)(*pin++) << 4) + 19;
2355 /* If we are already at end of input, there is no byte
2357 if ( pin >= pin_end )
2359 *err = WTAP_ERR_UNC_TRUNCATED; /* data was oddly truncated */
2362 /* If length would put us past end of output, avoid overflow */
2363 if ( pout + length > pout_end )
2365 *err = WTAP_ERR_UNC_OVERFLOW;
2369 /* generate the repeated series of bytes */
2370 memset( pout, *pin++, length );
2373 case 2 : /* LZ77 long strings */
2375 Low 4 bits of offset to string is the low nybble of the
2376 first code byte, upper 8 bits of offset is in
2378 Length of string immediately follows.
2379 Total code size: 3 bytes.
2381 offset = code_low + ((unsigned int)(*pin++) << 4) + 3;
2382 /* If we are already at end of input, there is no byte
2384 if ( pin >= pin_end )
2386 *err = WTAP_ERR_UNC_TRUNCATED; /* data was oddly truncated */
2389 /* Check if offset would put us back past begin of buffer */
2390 if ( pout - offset < outbuf )
2392 *err = WTAP_ERR_UNC_BAD_OFFSET;
2396 /* get length from next byte, make sure it won't overrun buf */
2397 length = (unsigned int)(*pin++) + 16;
2398 if ( pout + length > pout_end )
2400 *err = WTAP_ERR_UNC_OVERFLOW;
2404 /* Copy the string from previous text to output position,
2405 advance output pointer */
2406 memcpy( pout, pout - offset, length );
2409 default : /* (3 to 15): LZ77 short strings */
2411 Low 4 bits of offset to string is the low nybble of the
2412 first code byte, upper 8 bits of offset is in
2414 Length of string to repeat is overloaded into code_type.
2415 Total code size: 2 bytes.
2417 offset = code_low + ((unsigned int)(*pin++) << 4) + 3;
2418 /* Check if offset would put us back past begin of buffer */
2419 if ( pout - offset < outbuf )
2421 *err = WTAP_ERR_UNC_BAD_OFFSET;
2425 /* get length from code_type, make sure it won't overrun buf */
2427 if ( pout + length > pout_end )
2429 *err = WTAP_ERR_UNC_OVERFLOW;
2433 /* Copy the string from previous text to output position,
2434 advance output pointer */
2435 memcpy( pout, pout - offset, length );
2441 /* If we've consumed all the input, we are done */
2442 if ( pin >= pin_end )
2446 return (int) ( pout - outbuf ); /* return length of expanded text */
2450 * XXX - is there any guarantee that this is big enough to hold the
2451 * uncompressed data from any blob?
2453 #define OUTBUF_SIZE 65536
2454 #define INBUF_SIZE 65536
2456 /* Information about a compressed blob; we save the offset in the
2457 underlying compressed file, and the offset in the uncompressed data
2458 stream, of the blob. */
2460 gint64 blob_comp_offset;
2461 gint64 blob_uncomp_offset;
2465 ng_file_read(void *buffer, unsigned int nbytes, wtap *wth, gboolean is_random,
2466 int *err, gchar **err_info)
2468 ngsniffer_t *ngsniffer;
2470 ngsniffer_comp_stream_t *comp_stream;
2471 unsigned int copybytes = nbytes; /* bytes left to be copied */
2472 gint64 copied_bytes = 0; /* bytes already copied */
2473 unsigned char *outbuffer = (unsigned char *)buffer; /* where to write next decompressed data */
2475 unsigned int bytes_to_copy;
2476 unsigned int bytes_left;
2478 ngsniffer = (ngsniffer_t *)wth->priv;
2480 infile = wth->random_fh;
2481 comp_stream = &ngsniffer->rand;
2484 comp_stream = &ngsniffer->seq;
2487 if (wth->file_type == WTAP_FILE_NGSNIFFER_UNCOMPRESSED) {
2488 errno = WTAP_ERR_CANT_READ;
2489 copied_bytes = file_read(buffer, copybytes, infile);
2490 if ((unsigned int) copied_bytes != copybytes)
2491 *err = file_error(infile, err_info);
2492 if (copied_bytes != -1) {
2493 comp_stream->uncomp_offset += copied_bytes;
2494 comp_stream->comp_offset += copied_bytes;
2496 return copied_bytes;
2499 /* Allocate the stream buffer if it hasn't already been allocated. */
2500 if (comp_stream->buf == NULL) {
2501 comp_stream->buf = (unsigned char *)g_malloc(OUTBUF_SIZE);
2504 /* This is the first read of the random file, so we're at
2505 the beginning of the sequence of blobs in the file
2506 (as we've not done any random reads yet to move the
2507 current position in the random stream); set the
2508 current blob to be the first blob. */
2509 ngsniffer->current_blob = ngsniffer->first_blob;
2511 /* This is the first sequential read; if we also have a
2512 random stream open, allocate the first element for the
2513 list of blobs, and make it the last element as well. */
2514 if (wth->random_fh != NULL) {
2515 g_assert(ngsniffer->first_blob == NULL);
2516 blob = g_new(blob_info_t,1);
2517 blob->blob_comp_offset = comp_stream->comp_offset;
2518 blob->blob_uncomp_offset = comp_stream->uncomp_offset;
2519 ngsniffer->first_blob = g_list_append(ngsniffer->first_blob,
2521 ngsniffer->last_blob = ngsniffer->first_blob;
2525 /* Now read the first blob into the buffer. */
2526 if (read_blob(infile, comp_stream, err, err_info) < 0)
2529 while (copybytes > 0) {
2530 bytes_left = comp_stream->nbytes - comp_stream->nextout;
2531 if (bytes_left == 0) {
2532 /* There's no decompressed stuff left to copy from the current
2533 blob; get the next blob. */
2536 /* Move to the next blob in the list. */
2537 ngsniffer->current_blob = g_list_next(ngsniffer->current_blob);
2538 if (!ngsniffer->current_blob) {
2540 * XXX - this "can't happen"; we should have a
2541 * blob for every byte in the file.
2543 *err = WTAP_ERR_CANT_SEEK;
2547 /* If we also have a random stream open, add a new element,
2548 for this blob, to the list of blobs; we know the list is
2549 non-empty, as we initialized it on the first sequential
2550 read, so we just add the new element at the end, and
2551 adjust the pointer to the last element to refer to it. */
2552 if (wth->random_fh != NULL) {
2553 blob = g_new(blob_info_t,1);
2554 blob->blob_comp_offset = comp_stream->comp_offset;
2555 blob->blob_uncomp_offset = comp_stream->uncomp_offset;
2556 ngsniffer->last_blob = g_list_append(ngsniffer->last_blob,
2561 if (read_blob(infile, comp_stream, err, err_info) < 0)
2563 bytes_left = comp_stream->nbytes - comp_stream->nextout;
2566 bytes_to_copy = copybytes;
2567 if (bytes_to_copy > bytes_left)
2568 bytes_to_copy = bytes_left;
2569 memcpy(outbuffer, &comp_stream->buf[comp_stream->nextout],
2571 copybytes -= bytes_to_copy;
2572 copied_bytes += bytes_to_copy;
2573 outbuffer += bytes_to_copy;
2574 comp_stream->nextout += bytes_to_copy;
2575 comp_stream->uncomp_offset += bytes_to_copy;
2577 return copied_bytes;
2580 /* Read a blob from a compressed stream.
2581 Return -1 and set "*err" and "*err_info" on error, otherwise return 0. */
2583 read_blob(FILE_T infile, ngsniffer_comp_stream_t *comp_stream, int *err,
2588 unsigned short blob_len;
2589 gint16 blob_len_host;
2590 gboolean uncompressed;
2591 unsigned char *file_inbuf;
2594 /* Read one 16-bit word which is length of next compressed blob */
2595 errno = WTAP_ERR_CANT_READ;
2596 read_len = file_read(&blob_len, 2, infile);
2597 if (2 != read_len) {
2598 *err = file_error(infile, err_info);
2601 comp_stream->comp_offset += 2;
2602 blob_len_host = pletohs(&blob_len);
2604 /* Compressed or uncompressed? */
2605 if (blob_len_host < 0) {
2606 /* Uncompressed blob; blob length is absolute value of the number. */
2607 in_len = -blob_len_host;
2608 uncompressed = TRUE;
2610 in_len = blob_len_host;
2611 uncompressed = FALSE;
2614 file_inbuf = (unsigned char *)g_malloc(INBUF_SIZE);
2617 errno = WTAP_ERR_CANT_READ;
2618 read_len = file_read(file_inbuf, in_len, infile);
2619 if ((size_t) in_len != read_len) {
2620 *err = file_error(infile, err_info);
2624 comp_stream->comp_offset += in_len;
2627 memcpy(comp_stream->buf, file_inbuf, in_len);
2630 /* Decompress the blob */
2631 out_len = SnifferDecompress(file_inbuf, in_len,
2632 comp_stream->buf, OUTBUF_SIZE, err);
2640 comp_stream->nextout = 0;
2641 comp_stream->nbytes = out_len;
2645 /* Skip some number of bytes forward in the sequential stream. */
2647 ng_file_skip_seq(wtap *wth, gint64 delta, int *err, gchar **err_info)
2649 ngsniffer_t *ngsniffer;
2651 unsigned int amount_to_read;
2653 ngsniffer = (ngsniffer_t *)wth->priv;
2655 if (wth->file_type == WTAP_FILE_NGSNIFFER_UNCOMPRESSED) {
2656 ngsniffer->seq.uncomp_offset += delta;
2657 if (file_skip(wth->fh, delta, err) == -1)
2662 g_assert(delta >= 0);
2664 /* Ok, now read and discard "delta" bytes. */
2665 buf = (char *)g_malloc(INBUF_SIZE);
2666 while (delta != 0) {
2667 if (delta > INBUF_SIZE)
2668 amount_to_read = INBUF_SIZE;
2670 amount_to_read = (unsigned int) delta;
2672 if (ng_file_read(buf, amount_to_read, wth, FALSE, err, err_info) < 0) {
2674 return FALSE; /* error */
2677 delta -= amount_to_read;
2684 /* Seek to a given offset in the random data stream.
2686 On compressed files, we see whether we're seeking to a position within
2687 the blob we currently have in memory and, if not, we find in the list
2688 of blobs the last blob that starts at or before the position to which
2689 we're seeking, and read that blob in. We can then move to the appropriate
2690 position within the blob we have in memory (whether it's the blob we
2691 already had in memory or, if necessary, the one we read in). */
2693 ng_file_seek_rand(wtap *wth, gint64 offset, int *err, gchar **err_info)
2695 ngsniffer_t *ngsniffer;
2697 GList *new_list, *next_list;
2698 blob_info_t *next_blob, *new_blob;
2700 ngsniffer = (ngsniffer_t *)wth->priv;
2702 if (wth->file_type == WTAP_FILE_NGSNIFFER_UNCOMPRESSED) {
2703 if (file_seek(wth->random_fh, offset, SEEK_SET, err) == -1)
2708 delta = offset - ngsniffer->rand.uncomp_offset;
2710 /* Is the place to which we're seeking within the current buffer, or
2711 will we have to read a different blob into the buffer? */
2714 /* We're going forwards.
2715 Is the place to which we're seeking within the current buffer? */
2716 if ((size_t)(ngsniffer->rand.nextout + delta) >= ngsniffer->rand.nbytes) {
2717 /* No. Search for a blob that contains the target offset in
2718 the uncompressed byte stream, starting with the blob
2719 following the current blob. */
2720 new_list = g_list_next(ngsniffer->current_blob);
2722 next_list = g_list_next(new_list);
2723 if (next_list == NULL) {
2724 /* No more blobs; the current one is it. */
2728 next_blob = (blob_info_t *)next_list->data;
2729 /* Does the next blob start after the target offset?
2730 If so, the current blob is the one we want. */
2731 if (next_blob->blob_uncomp_offset > offset)
2734 new_list = next_list;
2737 } else if (delta < 0) {
2738 /* We're going backwards.
2739 Is the place to which we're seeking within the current buffer? */
2740 if (ngsniffer->rand.nextout + delta < 0) {
2741 /* No. Search for a blob that contains the target offset in
2742 the uncompressed byte stream, starting with the blob
2743 preceding the current blob. */
2744 new_list = g_list_previous(ngsniffer->current_blob);
2746 /* Does this blob start at or before the target offset?
2747 If so, the current blob is the one we want. */
2748 new_blob = (blob_info_t *)new_list->data;
2749 if (new_blob->blob_uncomp_offset <= offset)
2752 /* It doesn't - skip to the previous blob. */
2753 new_list = g_list_previous(new_list);
2758 if (new_list != NULL) {
2759 /* The place to which we're seeking isn't in the current buffer;
2760 move to a new blob. */
2761 new_blob = (blob_info_t *)new_list->data;
2763 /* Seek in the compressed file to the offset in the compressed file
2764 of the beginning of that blob. */
2765 if (file_seek(wth->random_fh, new_blob->blob_comp_offset, SEEK_SET, err) == -1)
2768 /* Make the blob we found the current one. */
2769 ngsniffer->current_blob = new_list;
2771 /* Now set the current offsets to the offsets of the beginning
2773 ngsniffer->rand.uncomp_offset = new_blob->blob_uncomp_offset;
2774 ngsniffer->rand.comp_offset = new_blob->blob_comp_offset;
2776 /* Now fill the buffer. */
2777 if (read_blob(wth->random_fh, &ngsniffer->rand, err, err_info) < 0)
2780 /* Set "delta" to the amount to move within this blob; it had
2781 better be >= 0, and < the amount of uncompressed data in
2782 the blob, as otherwise it'd mean we need to seek before
2783 the beginning or after the end of this blob. */
2784 delta = offset - ngsniffer->rand.uncomp_offset;
2785 g_assert(delta >= 0 && (unsigned long)delta < ngsniffer->rand.nbytes);
2788 /* OK, the place to which we're seeking is in the buffer; adjust
2789 "ngsniffer->rand.nextout" to point to the place to which
2790 we're seeking, and adjust "ngsniffer->rand.uncomp_offset" to be
2791 the destination offset. */
2792 ngsniffer->rand.nextout += (int) delta;
2793 ngsniffer->rand.uncomp_offset += delta;