4 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
6 * SPDX-License-Identifier: GPL-2.0-or-later
9 /* The code in ngsniffer.c that decodes the time fields for each packet in the
10 * Sniffer trace originally came from code from TCPVIEW:
15 * Networks and Distributed Computing
16 * Computing & Communications
17 * University of Washington
18 * Administration Building, AG-44
20 * Internet: martinh@cac.washington.edu
23 * Copyright 1992 by the University of Washington
25 * Permission to use, copy, modify, and distribute this software and its
26 * documentation for any purpose and without fee is hereby granted, provided
27 * that the above copyright notice appears in all copies and that both the
28 * above copyright notice and this permission notice appear in supporting
29 * documentation, and that the name of the University of Washington not be
30 * used in advertising or publicity pertaining to distribution of the software
31 * without specific, written prior permission. This software is made
32 * available "as is", and
33 * THE UNIVERSITY OF WASHINGTON DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
34 * WITH REGARD TO THIS SOFTWARE, INCLUDING WITHOUT LIMITATION ALL IMPLIED
35 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND IN
36 * NO EVENT SHALL THE UNIVERSITY OF WASHINGTON BE LIABLE FOR ANY SPECIAL,
37 * INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
38 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, TORT
39 * (INCLUDING NEGLIGENCE) OR STRICT LIABILITY, ARISING OUT OF OR IN CONNECTION
40 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
48 #include "file_wrappers.h"
49 #include "ngsniffer.h"
51 /* Magic number in Sniffer files. */
52 static const char ngsniffer_magic[] = {
53 'T', 'R', 'S', 'N', 'I', 'F', 'F', ' ', 'd', 'a', 't', 'a',
54 ' ', ' ', ' ', ' ', 0x1a
58 * Sniffer record types.
60 #define REC_VERS 1 /* Version record (f_vers) */
61 #define REC_FRAME2 4 /* Frame data (f_frame2) */
62 #define REC_FRAME4 8 /* Frame data (f_frame4) */
63 #define REC_FRAME6 12 /* Frame data (f_frame6) (see below) */
64 #define REC_EOF 3 /* End-of-file record (no data follows) */
66 * and now for some unknown header types
68 #define REC_HEADER1 6 /* Header containing various information,
69 * not yet reverse engineered - some binary,
70 * some strings (Serial numbers? Names
71 * under which the software is registered?
72 * Software version numbers? Mysterious
73 * strings such as "PA-55X" and "PA-30X"
74 * and "PA-57X" and "PA-11X"?), some strings
75 * that are partially overwritten
76 * ("UNSERIALIZED", "Network General
77 * Corporation"), differing from major
78 * version to major version */
79 #define REC_HEADER2 7 /* Header containing ??? */
80 #define REC_V2DESC 8 /* In version 2 sniffer traces contains
81 * info about this capturing session,
82 * in the form of a multi-line string
83 * with NL as the line separator.
84 * Collides with REC_FRAME4 */
85 #define REC_HEADER3 13 /* Retransmission counts? */
86 #define REC_HEADER4 14 /* ? */
87 #define REC_HEADER5 15 /* ? */
88 #define REC_HEADER6 16 /* More broadcast/retransmission counts? */
89 #define REC_HEADER7 17 /* ? */
93 * Sniffer version record format.
96 gint16 maj_vers; /* major version number */
97 gint16 min_vers; /* minor version number */
98 gint16 time_dos; /* DOS-format time */
99 gint16 date; /* DOS-format date */
100 gint8 type; /* what type of records follow */
101 guint8 network; /* network type */
102 gint8 format; /* format version */
103 guint8 timeunit; /* timestamp units */
104 gint8 cmprs_vers; /* compression version */
105 gint8 cmprs_level; /* compression level */
106 gint16 rsvd[2]; /* reserved */
112 #define NETWORK_TRING 0 /* Token ring */
113 #define NETWORK_ENET 1 /* Ethernet */
114 #define NETWORK_ARCNET 2 /* ARCNET */
115 #define NETWORK_STARLAN 3 /* StarLAN */
116 #define NETWORK_PCNW 4 /* PC Network broadband (Sytek?) */
117 #define NETWORK_LOCALTALK 5 /* LocalTalk */
118 #define NETWORK_SYNCHRO 7 /* Internetwork analyzer (synchronous) */
119 #define NETWORK_ASYNC 8 /* Internetwork analyzer (asynchronous) */
120 #define NETWORK_FDDI 9 /* FDDI */
121 #define NETWORK_ATM 10 /* ATM */
124 * Sniffer type 2 data record format - followed by frame data.
126 * The Expert Sniffer Network Analyzer Operations manual, Release 5.50,
127 * documents some of the values used in "fs" and "flags". "flags" don't
128 * look as if they'd be of much interest to us, as those are internal
129 * flags for state used by the Sniffer, but "fs" gives various status
130 * bits including error indications *and*:
132 * ISDN channel information for ISDN;
134 * PPP vs. SLIP information for Async.
136 * In that section it also refers to "FDDI analyzers using the NPI PCI
137 * FDDI adapter" and "FDDI analyzers using the NPI ISA FDDI adapter",
138 * referring to the first as "F1SNIFF" and the second as "FDSNIFF";
139 * those sound as if they *could* be replacements for "TRSNIFF" in
140 * the file header, but that manual says, earlier, that the header
141 * starts with "TRSNIFF data, no matter where the frames were
144 * It also says that a type 2 record has an 8-bit "time_high"
145 * and an 8-bit "time_day" field; the code here used to have a
146 * 16-bit "time_high" value, but that gave wrong time stamps on at
147 * least some captures. Did some older manual have it as a 16-bit
148 * "tstamp_high", so that perhaps it depends on the version number
149 * in the file, or is it "tstamp_high" plus "tstamp_day" in all
150 * versions? (I forget whether this came purely from tcpview, or if
151 * I saw any of it in an NAI document.)
153 * We interpret them as unsigned, as interpreting them as signed
154 * would appear to allow time stamps that precede the start of the
155 * capture. The description of the record format shows them as
156 * "char", but the section "How the Analyzer Stores Time" shows a
157 * time stamp structure with those fields being "unsigned char".
159 * In addition, the description of the record format has the comment
160 * for the "time_day" field saying it's the time in days since the
161 * start of the capture, but the "How the Analyzer Stores Time"
162 * section says it's increased by 1 if the capture continues past
163 * midnight - and also says that the time stamp structure has a time
164 * relative to midnight when the capture started, not since the
165 * actual capture start, so that might be a difference between
166 * the internal time stamp in the Sniffer software and the time
167 * stamp in capture files (i.e., the latter might be relative to
168 * the time when the capture starts).
171 guint16 time_low; /* low part of time stamp */
172 guint16 time_med; /* middle part of time stamp */
173 guint8 time_high; /* high part of the time stamp */
174 guint8 time_day; /* time in days since start of capture */
175 gint16 size; /* number of bytes of data */
176 guint8 fs; /* frame error status bits */
177 guint8 flags; /* buffer flags */
178 gint16 true_size; /* size of original frame, in bytes */
179 gint16 rsvd; /* reserved */
185 * The bits differ for different link-layer types.
191 #define FS_ETH_CRC 0x80 /* CRC error */
192 #define FS_ETH_ALIGN 0x40 /* bad alignment */
193 #define FS_ETH_RU 0x20 /* "RU out of resources" */
194 #define FS_ETH_OVERRUN 0x10 /* DMA overrun */
195 #define FS_ETH_RUNT 0x08 /* frame too small */
196 #define FS_ETH_COLLISION 0x02 /* collision fragment */
201 #define FS_FDDI_INVALID 0x10 /* frame indicators are invalid */
202 #define FS_FDDI_ERROR 0x20 /* "frame error bit 1" */
203 #define FS_FDDI_PCI_VDL 0x01 /* VDL error on frame on PCI adapter */
204 #define FS_FDDI_PCI_CRC 0x02 /* CRC error on frame on PCI adapter */
205 #define FS_FDDI_ISA_CRC 0x20 /* CRC error on frame on ISA adapter */
208 * Internetwork analyzer (synchronous and asynchronous).
210 #define FS_WAN_DTE 0x80 /* DTE->DCE frame */
213 * Internetwork analyzer (synchronous).
215 #define FS_SYNC_LOST 0x01 /* some frames were lost */
216 #define FS_SYNC_CRC 0x02 /* CRC error */
217 #define FS_SYNC_ABORT 0x04 /* aborted frame */
218 #define FS_ISDN_CHAN_MASK 0x18 /* ISDN channel */
219 #define FS_ISDN_CHAN_D 0x18 /* ISDN channel D */
220 #define FS_ISDN_CHAN_B1 0x08 /* ISDN channel B1 */
221 #define FS_ISDN_CHAN_B2 0x10 /* ISDN channel B2 */
224 * Internetwork analyzer (asynchronous).
225 * XXX - are some of these synchronous flags? They're listed with the
226 * asynchronous flags in the Sniffer 5.50 Network Analyzer Operations
227 * manual. Is one of the "overrun" errors a synchronous overrun error?
229 #define FS_ASYNC_LOST 0x01 /* some frames were lost */
230 #define FS_ASYNC_OVERRUN 0x02 /* UART overrun, lost bytes */
231 #define FS_ASYNC_FRAMING 0x04 /* bad character (framing error?) */
232 #define FS_ASYNC_PPP 0x08 /* PPP frame */
233 #define FS_ASYNC_SLIP 0x10 /* SLIP frame */
234 #define FS_ASYNC_ALIGN 0x20 /* alignment or DLPP(?) error */
235 #define FS_ASYNC_OVERRUN2 0x40 /* overrun or bad frame length */
238 * Sniffer type 4 data record format - followed by frame data.
240 * The ATM Sniffer manual says that the "flags" field holds "buffer flags;
241 * BF_xxxx", but doesn't say what the BF_xxxx flags are. They may
242 * be the same as they are in a type 2 record, in which case they're
243 * probably not of much interest to us.
245 * XXX - the manual also says there's an 8-byte "ATMTimeStamp" driver
246 * time stamp at the end of "ATMSaveInfo", but, from an ATM Sniffer capture
247 * file I've looked at, that appears not to be the case.
251 * Fields from the AAL5 trailer for the frame, if it's an AAL5 frame
252 * rather than a cell.
254 typedef struct _ATM_AAL5Trailer {
255 guint16 aal5t_u2u; /* user-to-user indicator */
256 guint16 aal5t_len; /* length of the packet */
257 guint32 aal5t_chksum; /* checksum for AAL5 packet */
260 typedef struct _ATMTimeStamp {
261 guint32 msw; /* most significant word */
262 guint32 lsw; /* least significant word */
265 typedef struct _ATMSaveInfo {
266 guint32 StatusWord; /* status word from driver */
267 ATM_AAL5Trailer Trailer; /* AAL5 trailer */
268 guint8 AppTrafType; /* traffic type */
269 guint8 AppHLType; /* protocol type */
270 guint16 AppReserved; /* reserved */
271 guint16 Vpi; /* virtual path identifier */
272 guint16 Vci; /* virtual circuit identifier */
273 guint16 channel; /* link: 0 for DCE, 1 for DTE */
274 guint16 cells; /* number of cells */
275 guint32 AppVal1; /* type-dependent */
276 guint32 AppVal2; /* type-dependent */
280 * Bits in StatusWord.
282 #define SW_ERRMASK 0x0F /* Error mask: */
283 #define SW_RX_FIFO_UNDERRUN 0x01 /* Receive FIFO underrun */
284 #define SW_RX_FIFO_OVERRUN 0x02 /* Receive FIFO overrun */
285 #define SW_RX_PKT_TOO_LONG 0x03 /* Received packet > max size */
286 #define SW_CRC_ERROR 0x04 /* CRC error */
287 #define SW_USER_ABORTED_RX 0x05 /* User aborted receive */
288 #define SW_BUF_LEN_TOO_LONG 0x06 /* buffer len > max buf */
289 #define SW_INTERNAL_T1_ERROR 0x07 /* Internal T1 error */
290 #define SW_RX_CHANNEL_DEACTIV8 0x08 /* Rx channel deactivate */
292 #define SW_ERROR 0x80 /* Error indicator */
293 #define SW_CONGESTION 0x40 /* Congestion indicator */
294 #define SW_CLP 0x20 /* Cell loss priority indicator */
295 #define SW_RAW_CELL 0x100 /* RAW cell indicator */
296 #define SW_OAM_CELL 0x200 /* OAM cell indicator */
299 * Bits in AppTrafType.
301 * For AAL types other than AAL5, the packet data is presumably for a
302 * single cell, not a reassembled frame, as the ATM Sniffer manual says
303 * it dosn't reassemble cells other than AAL5 cells.
305 #define ATT_AALTYPE 0x0F /* AAL type: */
306 #define ATT_AAL_UNKNOWN 0x00 /* Unknown AAL */
307 #define ATT_AAL1 0x01 /* AAL1 */
308 #define ATT_AAL3_4 0x02 /* AAL3/4 */
309 #define ATT_AAL5 0x03 /* AAL5 */
310 #define ATT_AAL_USER 0x04 /* User AAL */
311 #define ATT_AAL_SIGNALLING 0x05 /* Signaling AAL */
312 #define ATT_OAMCELL 0x06 /* OAM cell */
314 #define ATT_HLTYPE 0xF0 /* Higher-layer type: */
315 #define ATT_HL_UNKNOWN 0x00 /* unknown */
316 #define ATT_HL_LLCMX 0x10 /* LLC multiplexed (probably RFC 1483) */
317 #define ATT_HL_VCMX 0x20 /* VC multiplexed (probably RFC 1483) */
318 #define ATT_HL_LANE 0x30 /* LAN Emulation */
319 #define ATT_HL_ILMI 0x40 /* ILMI */
320 #define ATT_HL_FRMR 0x50 /* Frame Relay */
321 #define ATT_HL_SPANS 0x60 /* FORE SPANS */
322 #define ATT_HL_IPSILON 0x70 /* Ipsilon */
325 * Values for AppHLType; the interpretation depends on the ATT_HLTYPE
326 * bits in AppTrafType.
328 #define AHLT_UNKNOWN 0x0
329 #define AHLT_VCMX_802_3_FCS 0x1 /* VCMX: 802.3 FCS */
330 #define AHLT_LANE_LE_CTRL 0x1 /* LANE: LE Ctrl */
331 #define AHLT_IPSILON_FT0 0x1 /* Ipsilon: Flow Type 0 */
332 #define AHLT_VCMX_802_4_FCS 0x2 /* VCMX: 802.4 FCS */
333 #define AHLT_LANE_802_3 0x2 /* LANE: 802.3 */
334 #define AHLT_IPSILON_FT1 0x2 /* Ipsilon: Flow Type 1 */
335 #define AHLT_VCMX_802_5_FCS 0x3 /* VCMX: 802.5 FCS */
336 #define AHLT_LANE_802_5 0x3 /* LANE: 802.5 */
337 #define AHLT_IPSILON_FT2 0x3 /* Ipsilon: Flow Type 2 */
338 #define AHLT_VCMX_FDDI_FCS 0x4 /* VCMX: FDDI FCS */
339 #define AHLT_LANE_802_3_MC 0x4 /* LANE: 802.3 multicast */
340 #define AHLT_VCMX_802_6_FCS 0x5 /* VCMX: 802.6 FCS */
341 #define AHLT_LANE_802_5_MC 0x5 /* LANE: 802.5 multicast */
342 #define AHLT_VCMX_802_3 0x7 /* VCMX: 802.3 */
343 #define AHLT_VCMX_802_4 0x8 /* VCMX: 802.4 */
344 #define AHLT_VCMX_802_5 0x9 /* VCMX: 802.5 */
345 #define AHLT_VCMX_FDDI 0xa /* VCMX: FDDI */
346 #define AHLT_VCMX_802_6 0xb /* VCMX: 802.6 */
347 #define AHLT_VCMX_FRAGMENTS 0xc /* VCMX: Fragments */
348 #define AHLT_VCMX_BPDU 0xe /* VCMX: BPDU */
351 guint16 time_low; /* low part of time stamp */
352 guint16 time_med; /* middle part of time stamp */
353 guint8 time_high; /* high part of time stamp */
354 guint8 time_day; /* time in days since start of capture */
355 gint16 size; /* number of bytes of data */
356 gint8 fs; /* frame error status bits */
357 gint8 flags; /* buffer flags */
358 gint16 true_size; /* size of original frame, in bytes */
359 gint16 rsvd3; /* reserved */
360 gint16 atm_pad; /* pad to 4-byte boundary */
361 ATMSaveInfo atm_info; /* ATM-specific stuff */
365 * XXX - I have a version 5.50 file with a bunch of token ring
366 * records listed as type "12". The record format below was
367 * derived from frame4_rec and a bit of experimentation.
371 guint16 time_low; /* low part of time stamp */
372 guint16 time_med; /* middle part of time stamp */
373 guint8 time_high; /* high part of time stamp */
374 guint8 time_day; /* time in days since start of capture */
375 gint16 size; /* number of bytes of data */
376 guint8 fs; /* frame error status bits */
377 guint8 flags; /* buffer flags */
378 gint16 true_size; /* size of original frame, in bytes */
379 guint8 chemical_x[22]; /* ? */
383 * Network type values in some type 7 records.
385 * Captures with a major version number of 2 appear to have type 7
386 * records with text in them (at least one I have does).
388 * Captures with a major version of 4, and at least some captures with
389 * a major version of 5, have type 7 records with those values in the
392 * However, some captures with a major version number of 5 appear not to
393 * have type 7 records at all (at least one I have doesn't), but do appear
394 * to put non-zero values in the "rsvd" field of the version header (at
395 * least one I have does) - at least some other captures with smaller version
396 * numbers appear to put 0 there, so *maybe* that's where the network
397 * (sub)type is hidden in those captures. The version 5 captures I've seen
398 * that *do* have type 7 records put 0 there, so it's not as if *all* V5
399 * captures have something in the "rsvd" field, however.
401 * The semantics of these network types is inferred from the Sniffer
402 * documentation, as they correspond to types described in the UI;
405 * http://www.mcafee.com/common/media/sniffer/support/sdos/operation.pdf
407 * starting at page 3-10 (56 of 496).
409 * XXX - I've seen X.25 captures with NET_ROUTER, and I've seen bridge/
410 * router captures with NET_HDLC. Sigh.... Are those just captures for
411 * which the user set the wrong network type when capturing?
413 #define NET_SDLC 0 /* Probably "SDLC then SNA" */
414 #define NET_HDLC 1 /* Used for X.25; is it used for other
415 things as well, or is it "HDLC then
416 X.25", as referred to by the document
417 cited above, and only used for X.25? */
418 #define NET_FRAME_RELAY 2
419 #define NET_ROUTER 3 /* Probably "Router/Bridge", for various
420 point-to-point protocols for use between
421 bridges and routers, including PPP as well
422 as various proprietary protocols; also
423 used for ISDN, for reasons not obvious
424 to me, given that a Sniffer knows
425 whether it's using a WAN or an ISDN pod */
426 #define NET_PPP 4 /* "Asynchronous", which includes SLIP too */
427 #define NET_SMDS 5 /* Not mentioned in the document, but
428 that's a document for version 5.50 of
429 the Sniffer, and that version might use
430 version 5 in the file format and thus
431 might not be using type 7 records */
434 * Values for V.timeunit, in picoseconds, so that they can be represented
435 * as integers. These values must be < 2^(64-40); see below.
437 * XXX - at least some captures with a V.timeunit value of 2 show
438 * packets with time stamps in 2011 if the time stamp is interpreted
439 * to be in units of 15 microseconds. The capture predates 2008,
440 * so that interpretation is probably wrong. Perhaps the interpretation
441 * of V.timeunit depends on the version number of the file?
443 static const guint32 Psec[] = {
444 15000000, /* 15.0 usecs = 15000000 psecs */
445 838096, /* .838096 usecs = 838096 psecs */
446 15000000, /* 15.0 usecs = 15000000 psecs */
447 500000, /* 0.5 usecs = 500000 psecs */
448 2000000, /* 2.0 usecs = 2000000 psecs */
449 1000000, /* 1.0 usecs = 1000000 psecs */
450 /* XXX - Sniffer doc says 0.08 usecs = 80000 psecs */
451 100000 /* 0.1 usecs = 100000 psecs */
453 #define NUM_NGSNIFF_TIMEUNITS (sizeof Psec / sizeof Psec[0])
455 /* Information for a compressed Sniffer data stream. */
457 unsigned char *buf; /* buffer into which we uncompress data */
458 unsigned int nbytes; /* number of bytes of data in that buffer */
459 int nextout; /* offset in that buffer of stream's current position */
460 gint64 comp_offset; /* current offset in compressed data stream */
461 gint64 uncomp_offset; /* current offset in uncompressed data stream */
462 } ngsniffer_comp_stream_t;
469 guint network; /* network type */
470 ngsniffer_comp_stream_t seq; /* sequential access */
471 ngsniffer_comp_stream_t rand; /* random access */
472 GList *first_blob; /* list element for first blob */
473 GList *last_blob; /* list element for last blob */
474 GList *current_blob; /* list element for current blob */
478 * DOS date to "struct tm" conversion values.
480 /* DOS year = upper 7 bits */
481 #define DOS_YEAR_OFFSET (1980-1900) /* tm_year = year+1900, DOS date year year+1980 */
482 #define DOS_YEAR_SHIFT 9
483 #define DOS_YEAR_MASK (0x7F<<DOS_YEAR_SHIFT)
484 /* DOS month = next 4 bits */
485 #define DOS_MONTH_OFFSET (-1) /* tm_mon = month #-1, DOS date month = month # */
486 #define DOS_MONTH_SHIFT 5
487 #define DOS_MONTH_MASK (0x0F<<DOS_MONTH_SHIFT)
488 /* DOS day = next 5 bits */
489 #define DOS_DAY_SHIFT 0
490 #define DOS_DAY_MASK (0x1F<<DOS_DAY_SHIFT)
492 static int process_header_records(wtap *wth, int *err, gchar **err_info,
493 gint16 maj_vers, guint8 network);
494 static int process_rec_header2_v2(wtap *wth, unsigned char *buffer,
495 guint16 length, int *err, gchar **err_info);
496 static int process_rec_header2_v145(wtap *wth, unsigned char *buffer,
497 guint16 length, gint16 maj_vers, int *err, gchar **err_info);
498 static gboolean ngsniffer_read(wtap *wth, int *err, gchar **err_info,
499 gint64 *data_offset);
500 static gboolean ngsniffer_seek_read(wtap *wth, gint64 seek_off,
501 wtap_rec *rec, Buffer *buf, int *err, gchar **err_info);
502 static int ngsniffer_process_record(wtap *wth, gboolean is_random,
503 guint *padding, wtap_rec *rec, Buffer *buf, int *err,
505 static void set_pseudo_header_frame2(wtap *wth,
506 union wtap_pseudo_header *pseudo_header, struct frame2_rec *frame2);
507 static void set_pseudo_header_frame4(union wtap_pseudo_header *pseudo_header,
508 struct frame4_rec *frame4);
509 static void set_pseudo_header_frame6(wtap *wth,
510 union wtap_pseudo_header *pseudo_header, struct frame6_rec *frame6);
511 static int infer_pkt_encap(const guint8 *pd, int len);
512 static int fix_pseudo_header(int encap, Buffer *buf, int len,
513 union wtap_pseudo_header *pseudo_header);
514 static void ngsniffer_sequential_close(wtap *wth);
515 static void ngsniffer_close(wtap *wth);
516 static gboolean ngsniffer_dump(wtap_dumper *wdh, const wtap_rec *rec,
517 const guint8 *pd, int *err, gchar **err_info);
518 static gboolean ngsniffer_dump_finish(wtap_dumper *wdh, int *err);
519 static int SnifferDecompress( unsigned char * inbuf, size_t inlen,
520 unsigned char * outbuf, size_t outlen, int *err, gchar **err_info );
521 static gboolean ng_read_bytes_or_eof(wtap *wth, void *buffer,
522 unsigned int nbytes, gboolean is_random, int *err, gchar **err_info);
523 static gboolean ng_read_bytes(wtap *wth, void *buffer, unsigned int nbytes,
524 gboolean is_random, int *err, gchar **err_info);
525 static gboolean read_blob(FILE_T infile, ngsniffer_comp_stream_t *comp_stream,
526 int *err, gchar **err_info);
527 static gboolean ng_skip_bytes_seq(wtap *wth, unsigned int count, int *err,
529 static gboolean ng_file_seek_rand(wtap *wth, gint64 offset, int *err,
533 ngsniffer_open(wtap *wth, int *err, gchar **err_info)
535 char magic[sizeof ngsniffer_magic];
537 char record_length[4]; /* only the first 2 bytes are length,
538 the last 2 are "reserved" and are thrown away */
540 struct vers_rec version;
546 static const int sniffer_encap[] = {
547 WTAP_ENCAP_TOKEN_RING,
550 WTAP_ENCAP_UNKNOWN, /* StarLAN */
551 WTAP_ENCAP_UNKNOWN, /* PC Network broadband */
552 WTAP_ENCAP_UNKNOWN, /* LocalTalk */
553 WTAP_ENCAP_UNKNOWN, /* Znet */
554 WTAP_ENCAP_PER_PACKET, /* Internetwork analyzer (synchronous) */
555 WTAP_ENCAP_PER_PACKET, /* Internetwork analyzer (asynchronous) */
556 WTAP_ENCAP_FDDI_BITSWAPPED,
559 #define NUM_NGSNIFF_ENCAPS (sizeof sniffer_encap / sizeof sniffer_encap[0])
561 gint64 current_offset;
562 ngsniffer_t *ngsniffer;
564 /* Read in the string that should be at the start of a Sniffer file */
565 if (!wtap_read_bytes(wth->fh, magic, sizeof magic, err, err_info)) {
566 if (*err != WTAP_ERR_SHORT_READ)
567 return WTAP_OPEN_ERROR;
568 return WTAP_OPEN_NOT_MINE;
571 if (memcmp(magic, ngsniffer_magic, sizeof ngsniffer_magic)) {
572 return WTAP_OPEN_NOT_MINE;
576 * Read the first record, which the manual says is a version
579 if (!wtap_read_bytes(wth->fh, record_type, 2, err, err_info))
580 return WTAP_OPEN_ERROR;
581 if (!wtap_read_bytes(wth->fh, record_length, 4, err, err_info))
582 return WTAP_OPEN_ERROR;
584 type = pletoh16(record_type);
586 if (type != REC_VERS) {
587 *err = WTAP_ERR_BAD_FILE;
588 *err_info = g_strdup("ngsniffer: Sniffer file doesn't start with a version record");
589 return WTAP_OPEN_ERROR;
592 if (!wtap_read_bytes(wth->fh, &version, sizeof version, err, err_info))
593 return WTAP_OPEN_ERROR;
595 /* Check the data link type. */
596 if (version.network >= NUM_NGSNIFF_ENCAPS
597 || sniffer_encap[version.network] == WTAP_ENCAP_UNKNOWN) {
598 *err = WTAP_ERR_UNSUPPORTED;
599 *err_info = g_strdup_printf("ngsniffer: network type %u unknown or unsupported",
601 return WTAP_OPEN_ERROR;
604 /* Check the time unit */
605 if (version.timeunit >= NUM_NGSNIFF_TIMEUNITS) {
606 *err = WTAP_ERR_UNSUPPORTED;
607 *err_info = g_strdup_printf("ngsniffer: Unknown timeunit %u", version.timeunit);
608 return WTAP_OPEN_ERROR;
611 /* compressed or uncompressed Sniffer file? */
612 if (version.format != 1) {
613 wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_NGSNIFFER_COMPRESSED;
615 wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_NGSNIFFER_UNCOMPRESSED;
618 /* Set encap type before reading header records because the
619 * header record may change encap type.
621 wth->file_encap = sniffer_encap[version.network];
624 * We don't know how to handle the remaining header record types,
625 * so we just skip them - except for REC_HEADER2 records, which
626 * we look at, for "Internetwork analyzer" captures, to attempt to
627 * determine what the link-layer encapsulation is.
629 * XXX - in some version 1.16 internetwork analyzer files
630 * generated by the Windows Sniffer when saving Windows
631 * Sniffer files as DOS Sniffer files, there's no REC_HEADER2
632 * record, but the first "rsvd" word is 1 for PRI ISDN files, 2
633 * for BRI ISDN files, and 0 for non-ISDN files; is that something
634 * the DOS Sniffer understands?
636 maj_vers = pletoh16(&version.maj_vers);
637 if (process_header_records(wth, err, err_info, maj_vers,
638 version.network) < 0)
639 return WTAP_OPEN_ERROR;
640 if ((version.network == NETWORK_SYNCHRO ||
641 version.network == NETWORK_ASYNC) &&
642 wth->file_encap == WTAP_ENCAP_PER_PACKET) {
644 * Well, we haven't determined the internetwork analyzer
651 * ... and this is a version 1 capture; look
652 * at the first "rsvd" word.
654 switch (pletoh16(&version.rsvd[0])) {
658 wth->file_encap = WTAP_ENCAP_ISDN;
665 * ...and this is a version 3 capture; we've
666 * seen nothing in those that obviously
667 * indicates the capture type, but the only
668 * one we've seen is a Frame Relay capture,
669 * so mark it as Frame Relay for now.
671 wth->file_encap = WTAP_ENCAP_FRELAY_WITH_PHDR;
676 current_offset = file_tell(wth->fh);
679 * Now, if we have a random stream open, position it to the same
680 * location, which should be the beginning of the real data, and
681 * should be the beginning of the compressed data.
683 * XXX - will we see any records other than REC_FRAME2, REC_FRAME4,
684 * or REC_EOF after this? If not, we can get rid of the loop in
685 * "ngsniffer_read()".
687 if (wth->random_fh != NULL) {
688 if (file_seek(wth->random_fh, current_offset, SEEK_SET, err) == -1)
689 return WTAP_OPEN_ERROR;
692 /* This is a ngsniffer file */
693 ngsniffer = (ngsniffer_t *)g_malloc(sizeof(ngsniffer_t));
694 wth->priv = (void *)ngsniffer;
695 ngsniffer->maj_vers = maj_vers;
696 ngsniffer->min_vers = pletoh16(&version.min_vers);
698 /* We haven't allocated any uncompression buffers yet. */
699 ngsniffer->seq.buf = NULL;
700 ngsniffer->seq.nbytes = 0;
701 ngsniffer->seq.nextout = 0;
702 ngsniffer->rand.buf = NULL;
703 ngsniffer->rand.nbytes = 0;
704 ngsniffer->rand.nextout = 0;
706 /* Set the current file offset; the offset in the compressed file
707 and in the uncompressed data stream currently the same. */
708 ngsniffer->seq.uncomp_offset = current_offset;
709 ngsniffer->seq.comp_offset = current_offset;
710 ngsniffer->rand.uncomp_offset = current_offset;
711 ngsniffer->rand.comp_offset = current_offset;
713 /* We don't yet have any list of compressed blobs. */
714 ngsniffer->first_blob = NULL;
715 ngsniffer->last_blob = NULL;
716 ngsniffer->current_blob = NULL;
718 wth->subtype_read = ngsniffer_read;
719 wth->subtype_seek_read = ngsniffer_seek_read;
720 wth->subtype_sequential_close = ngsniffer_sequential_close;
721 wth->subtype_close = ngsniffer_close;
722 wth->snapshot_length = 0; /* not available in header, only in frame */
723 ngsniffer->timeunit = Psec[version.timeunit];
724 ngsniffer->network = version.network;
726 /* Get capture start time */
727 start_date = pletoh16(&version.date);
728 tm.tm_year = ((start_date&DOS_YEAR_MASK)>>DOS_YEAR_SHIFT) + DOS_YEAR_OFFSET;
729 tm.tm_mon = ((start_date&DOS_MONTH_MASK)>>DOS_MONTH_SHIFT) + DOS_MONTH_OFFSET;
730 tm.tm_mday = ((start_date&DOS_DAY_MASK)>>DOS_DAY_SHIFT);
732 * The time does not appear to act as an offset; only the date.
733 * XXX - sometimes it does appear to act as an offset; is this
737 start_time = pletoh16(&version.time_dos);
738 tm.tm_hour = (start_time&0xf800)>>11;
739 tm.tm_min = (start_time&0x7e0)>>5;
740 tm.tm_sec = (start_time&0x1f)<<1;
747 ngsniffer->start = mktime(&tm);
749 * XXX - what if "secs" is -1? Unlikely,
750 * but if the capture was done in a time
751 * zone that switches between standard and
752 * summer time sometime other than when we
753 * do, and thus the time was one that doesn't
754 * exist here because a switch from standard
755 * to summer time zips over it, it could
758 * On the other hand, if the capture was done
759 * in a different time zone, this won't work
760 * right anyway; unfortunately, the time zone
761 * isn't stored in the capture file.
764 wth->file_tsprec = WTAP_TSPREC_NSEC; /* XXX */
766 return WTAP_OPEN_MINE;
770 process_header_records(wtap *wth, int *err, gchar **err_info, gint16 maj_vers,
774 char record_length[4]; /* only the first 2 bytes are length,
775 the last 2 are "reserved" and are thrown away */
776 guint16 rec_type, rec_length_remaining;
778 unsigned char buffer[256];
781 if (!wtap_read_bytes_or_eof(wth->fh, record_type, 2, err, err_info)) {
787 rec_type = pletoh16(record_type);
788 if ((rec_type != REC_HEADER1) && (rec_type != REC_HEADER2)
789 && (rec_type != REC_HEADER3) && (rec_type != REC_HEADER4)
790 && (rec_type != REC_HEADER5) && (rec_type != REC_HEADER6)
791 && (rec_type != REC_HEADER7)
792 && ((rec_type != REC_V2DESC) || (maj_vers > 2)) ) {
794 * Well, this is either some unknown header type
795 * (we ignore this case), an uncompressed data
796 * frame or the length of a compressed blob
797 * which implies data. Seek backwards over the
798 * two bytes we read, and return.
800 if (file_seek(wth->fh, -2, SEEK_CUR, err) == -1)
805 if (!wtap_read_bytes(wth->fh, record_length, 4,
809 rec_length_remaining = pletoh16(record_length);
812 * Is this is an "Internetwork analyzer" capture, and
813 * is this a REC_HEADER2 record?
815 * If so, it appears to specify the particular type
816 * of network we're on.
818 * XXX - handle sync and async differently? (E.g.,
819 * does this apply only to sync?)
821 if ((network == NETWORK_SYNCHRO || network == NETWORK_ASYNC) &&
822 rec_type == REC_HEADER2) {
824 * Yes, get the first up-to-256 bytes of the
827 bytes_to_read = MIN(rec_length_remaining, (int)sizeof buffer);
828 if (!wtap_read_bytes(wth->fh, buffer,
829 bytes_to_read, err, err_info))
835 if (process_rec_header2_v2(wth, buffer,
836 rec_length_remaining, err, err_info) < 0)
843 if (process_rec_header2_v145(wth, buffer,
844 rec_length_remaining, maj_vers, err, err_info) < 0)
850 * Skip the rest of the record.
852 if (rec_length_remaining > sizeof buffer) {
853 if (file_seek(wth->fh, rec_length_remaining - sizeof buffer,
854 SEEK_CUR, err) == -1)
858 /* Nope, just skip over the data. */
859 if (file_seek(wth->fh, rec_length_remaining, SEEK_CUR, err) == -1)
866 process_rec_header2_v2(wtap *wth, unsigned char *buffer, guint16 length,
867 int *err, gchar **err_info)
869 static const char x_25_str[] = "HDLC\nX.25\n";
872 * There appears to be a string in a REC_HEADER2 record, with
873 * a list of protocols. In one X.25 capture I've seen, the
874 * string was "HDLC\nX.25\nCLNP\nISO_TP\nSESS\nPRES\nVTP\nACSE".
875 * Presumably CLNP and everything else is per-packet, but
876 * we assume "HDLC\nX.25\n" indicates that it's an X.25 capture.
878 if (length < sizeof x_25_str - 1) {
880 * There's not enough data to compare.
882 *err = WTAP_ERR_UNSUPPORTED;
883 *err_info = g_strdup("ngsniffer: WAN capture has too-short protocol list");
887 if (strncmp((char *)buffer, x_25_str, sizeof x_25_str - 1) == 0) {
891 wth->file_encap = WTAP_ENCAP_LAPB;
893 *err = WTAP_ERR_UNSUPPORTED;
894 *err_info = g_strdup_printf("ngsniffer: WAN capture protocol string %.*s unknown",
902 process_rec_header2_v145(wtap *wth, unsigned char *buffer, guint16 length,
903 gint16 maj_vers, int *err, gchar **err_info)
906 * The 5th byte of the REC_HEADER2 record appears to be a
911 * There is no 5th byte; give up.
913 *err = WTAP_ERR_UNSUPPORTED;
914 *err_info = g_strdup("ngsniffer: WAN capture has no network subtype");
919 * The X.25 captures I've seen have a type of NET_HDLC, and the
920 * Sniffer documentation seems to imply that it's used for
921 * X.25, although it could be used for other purposes as well.
923 * NET_ROUTER is used for all sorts of point-to-point protocols,
924 * including ISDN. It appears, from the documentation, that the
925 * Sniffer attempts to infer the particular protocol by looking
926 * at the traffic; it's not clear whether it stores in the file
927 * an indication of the protocol it inferred was being used.
929 * Unfortunately, it also appears that NET_HDLC is used for
930 * stuff other than X.25 as well, so we can't just interpret
931 * it unconditionally as X.25.
933 * For now, we interpret both NET_HDLC and NET_ROUTER as "per-packet
934 * encapsulation". We remember that we saw NET_ROUTER, though,
935 * as it appears that we can infer whether a packet is PPP or
936 * ISDN based on the channel number subfield of the frame error
937 * status bits - if it's 0, it's PPP, otherwise it's ISDN and
938 * the channel number indicates which channel it is. We assume
939 * NET_HDLC isn't used for ISDN.
944 wth->file_encap = WTAP_ENCAP_SDLC;
948 wth->file_encap = WTAP_ENCAP_PER_PACKET;
951 case NET_FRAME_RELAY:
952 wth->file_encap = WTAP_ENCAP_FRELAY_WITH_PHDR;
957 * For most of the version 4 capture files I've seen,
958 * 0xfa in buffer[1] means the file is an ISDN capture,
959 * but there's one PPP file with 0xfa there; does that
960 * mean that the 0xfa has nothing to do with ISDN,
961 * or is that just an ISDN file with no D channel
962 * packets? (The channel number is not 0 in any
963 * of the packets, so perhaps it is.)
965 * For one version 5 ISDN capture I've seen, there's
966 * a 0x01 in buffer[6]; none of the non-ISDN version
967 * 5 captures have it.
969 wth->file_encap = WTAP_ENCAP_PER_PACKET;
973 if (buffer[1] == 0xfa)
974 wth->file_encap = WTAP_ENCAP_ISDN;
980 * There is no 5th byte; give up.
982 *err = WTAP_ERR_UNSUPPORTED;
983 *err_info = g_strdup("ngsniffer: WAN bridge/router capture has no ISDN flag");
986 if (buffer[6] == 0x01)
987 wth->file_encap = WTAP_ENCAP_ISDN;
993 wth->file_encap = WTAP_ENCAP_PPP_WITH_PHDR;
998 * Reject these until we can figure them out.
1000 *err = WTAP_ERR_UNSUPPORTED;
1001 *err_info = g_strdup_printf("ngsniffer: WAN network subtype %u unknown or unsupported",
1008 /* Read the next packet */
1010 ngsniffer_read(wtap *wth, int *err, gchar **err_info, gint64 *data_offset)
1012 ngsniffer_t *ngsniffer;
1016 ngsniffer = (ngsniffer_t *)wth->priv;
1019 * We use the uncompressed offset, as that's what
1020 * we need to use for compressed files.
1022 *data_offset = ngsniffer->seq.uncomp_offset;
1025 * Process the record.
1027 ret = ngsniffer_process_record(wth, FALSE, &padding,
1028 &wth->rec, wth->rec_data, err, err_info);
1030 /* Read error or short read */
1035 * ret is the record type.
1044 * Skip any extra data in the record.
1047 if (!ng_skip_bytes_seq(wth, padding, err,
1055 * End of file. Return an EOF indication.
1057 *err = 0; /* EOF, not error */
1062 * Well, we don't know what it is, or we know what
1063 * it is but can't handle it. Skip past the data
1064 * portion, the length of which is in padding,
1068 if (!ng_skip_bytes_seq(wth, padding, err,
1078 ngsniffer_seek_read(wtap *wth, gint64 seek_off,
1079 wtap_rec *rec, Buffer *buf, int *err, gchar **err_info)
1083 if (!ng_file_seek_rand(wth, seek_off, err, err_info))
1086 ret = ngsniffer_process_record(wth, TRUE, NULL, rec, buf, err, err_info);
1088 /* Read error or short read */
1093 * ret is the record type.
1107 g_assert_not_reached();
1115 * Returns -1 on error, REC_EOF on end-of-file, record type on success.
1116 * If padding is non-null, sets *padding to the amount of padding at
1117 * the end of the record.
1120 ngsniffer_process_record(wtap *wth, gboolean is_random, guint *padding,
1121 wtap_rec *rec, Buffer *buf, int *err, gchar **err_info)
1123 ngsniffer_t *ngsniffer;
1124 char record_type[2];
1125 char record_length[4]; /* only 1st 2 bytes are length */
1126 guint rec_type, rec_length_remaining;
1127 struct frame2_rec frame2;
1128 struct frame4_rec frame4;
1129 struct frame6_rec frame6;
1130 guint16 time_low, time_med, true_size, size;
1131 guint8 time_high, time_day;
1132 guint64 t, tsecs, tpsecs;
1135 * Read the record header.
1137 if (!ng_read_bytes_or_eof(wth, record_type, 2, is_random, err, err_info)) {
1142 if (!ng_read_bytes(wth, record_length, 4, is_random, err, err_info))
1145 rec_type = pletoh16(record_type);
1146 rec_length_remaining = pletoh16(record_length);
1148 ngsniffer = (ngsniffer_t *)wth->priv;
1152 if (ngsniffer->network == NETWORK_ATM) {
1154 * We shouldn't get a frame2 record in
1157 *err = WTAP_ERR_BAD_FILE;
1158 *err_info = g_strdup("ngsniffer: REC_FRAME2 record in an ATM Sniffer file");
1162 /* Do we have an f_frame2_struct worth of data? */
1163 if (rec_length_remaining < sizeof frame2) {
1164 *err = WTAP_ERR_BAD_FILE;
1165 *err_info = g_strdup("ngsniffer: REC_FRAME2 record length is less than record header length");
1169 /* Read the f_frame2_struct */
1170 if (!ng_read_bytes(wth, &frame2, (unsigned int)sizeof frame2,
1171 is_random, err, err_info))
1173 time_low = pletoh16(&frame2.time_low);
1174 time_med = pletoh16(&frame2.time_med);
1175 time_high = frame2.time_high;
1176 time_day = frame2.time_day;
1177 size = pletoh16(&frame2.size);
1178 true_size = pletoh16(&frame2.true_size);
1180 rec_length_remaining -= (guint)sizeof frame2; /* we already read that much */
1182 set_pseudo_header_frame2(wth, &rec->rec_header.packet_header.pseudo_header, &frame2);
1186 if (ngsniffer->network != NETWORK_ATM) {
1188 * We shouldn't get a frame2 record in
1189 * a non-ATM capture.
1191 *err = WTAP_ERR_BAD_FILE;
1192 *err_info = g_strdup("ngsniffer: REC_FRAME4 record in a non-ATM Sniffer file");
1197 * XXX - it looks as if some version 4 captures have
1198 * a bogus record length, based on the assumption
1199 * that the record is a frame2 record, i.e. the length
1200 * was calculated based on the record being a frame2
1201 * record, so it's too short by (sizeof frame4 - sizeof frame2).
1203 if (ngsniffer->maj_vers < 5 && ngsniffer->min_vers >= 95)
1204 rec_length_remaining += (guint)(sizeof frame4 - sizeof frame2);
1206 /* Do we have an f_frame4_struct worth of data? */
1207 if (rec_length_remaining < sizeof frame4) {
1208 *err = WTAP_ERR_BAD_FILE;
1209 *err_info = g_strdup("ngsniffer: REC_FRAME4 record length is less than record header length");
1213 /* Read the f_frame4_struct */
1214 if (!ng_read_bytes(wth, &frame4, (unsigned int)sizeof frame4,
1215 is_random, err, err_info))
1217 time_low = pletoh16(&frame4.time_low);
1218 time_med = pletoh16(&frame4.time_med);
1219 time_high = frame4.time_high;
1220 time_day = frame4.time_day;
1221 size = pletoh16(&frame4.size);
1222 true_size = pletoh16(&frame4.true_size);
1224 rec_length_remaining -= (guint)sizeof frame4; /* we already read that much */
1226 set_pseudo_header_frame4(&rec->rec_header.packet_header.pseudo_header, &frame4);
1230 /* Do we have an f_frame6_struct worth of data? */
1231 if (rec_length_remaining < sizeof frame6) {
1232 *err = WTAP_ERR_BAD_FILE;
1233 *err_info = g_strdup("ngsniffer: REC_FRAME6 record length is less than record header length");
1237 /* Read the f_frame6_struct */
1238 if (!ng_read_bytes(wth, &frame6, (unsigned int)sizeof frame6,
1239 is_random, err, err_info))
1241 time_low = pletoh16(&frame6.time_low);
1242 time_med = pletoh16(&frame6.time_med);
1243 time_high = frame6.time_high;
1244 time_day = frame6.time_day;
1245 size = pletoh16(&frame6.size);
1246 true_size = pletoh16(&frame6.true_size);
1248 rec_length_remaining -= (guint)sizeof frame6; /* we already read that much */
1250 set_pseudo_header_frame6(wth, &rec->rec_header.packet_header.pseudo_header, &frame6);
1255 * End of file. Return an EOF indication.
1257 *err = 0; /* EOF, not error */
1262 * Unknown record type, or type that's not an EOF or
1265 if (padding != NULL) {
1267 * Treat the entire record as padding, so we
1270 *padding = rec_length_remaining;
1272 return rec_type; /* unknown type */
1276 * This is a packet record.
1278 * Is the frame data size greater than than what's left of the
1281 if (size > rec_length_remaining) {
1283 * Yes - treat this as an error.
1285 *err = WTAP_ERR_BAD_FILE;
1286 *err_info = g_strdup("ngsniffer: Record length is less than packet size");
1290 * The maximum value of length is 65535, which is less than
1291 * WTAP_MAX_PACKET_SIZE_STANDARD will ever be, so we don't need to check
1295 if (padding != NULL) {
1297 * Padding, if the frame data size is less than what's
1298 * left of the record.
1300 *padding = rec_length_remaining - size;
1303 rec->rec_type = REC_TYPE_PACKET;
1304 rec->presence_flags = true_size ? WTAP_HAS_TS|WTAP_HAS_CAP_LEN : WTAP_HAS_TS;
1305 rec->rec_header.packet_header.len = true_size ? true_size : size;
1306 rec->rec_header.packet_header.caplen = size;
1309 * Read the packet data.
1311 ws_buffer_assure_space(buf, size);
1312 if (!ng_read_bytes(wth, ws_buffer_start_ptr(buf), size, is_random,
1316 rec->rec_header.packet_header.pkt_encap = fix_pseudo_header(wth->file_encap,
1317 buf, size, &rec->rec_header.packet_header.pseudo_header);
1320 * 40-bit time stamp, in units of timeunit picoseconds.
1322 t = (((guint64)time_high)<<32) | (((guint64)time_med) << 16) | time_low;
1325 * timeunit is always < 2^(64-40), so t * timeunit fits in 64
1326 * bits. That gives a 64-bit time stamp, in units of
1329 t *= ngsniffer->timeunit;
1332 * Convert to seconds and picoseconds.
1334 tsecs = t/G_GUINT64_CONSTANT(1000000000000);
1335 tpsecs = t - tsecs*G_GUINT64_CONSTANT(1000000000000);
1338 * Add in the time_day value (86400 seconds/day).
1340 tsecs += time_day*86400;
1343 * Add in the capture start time.
1345 tsecs += ngsniffer->start;
1347 rec->ts.secs = (time_t)tsecs;
1348 rec->ts.nsecs = (int)(tpsecs/1000); /* psecs to nsecs */
1350 return rec_type; /* success */
1354 set_pseudo_header_frame2(wtap *wth, union wtap_pseudo_header *pseudo_header,
1355 struct frame2_rec *frame2)
1358 * In one PPP "Internetwork analyzer" capture:
1360 * The only bit seen in "frame2.fs" is the 0x80 bit, which
1361 * probably indicates the packet's direction; all other
1362 * bits were zero. The Expert Sniffer Network Analyzer
1363 * 5.50 Operations manual says that bit is the FS_DTE bit
1364 * for async/PPP data. The other bits are error bits
1365 * plus bits indicating whether the frame is PPP or SLIP,
1366 * but the PPP bit isn't set.
1368 * All bits in "frame2.flags" were zero.
1370 * In one X.25 "Internetwork analyzer" capture:
1372 * The only bit seen in "frame2.fs" is the 0x80 bit, which
1373 * probably indicates the packet's direction; all other
1376 * "frame2.flags" was always 0x18; however, the Sniffer
1377 * manual says that just means that a display filter was
1378 * calculated for the frame, and it should be displayed,
1379 * so perhaps that's just a quirk of that particular capture.
1381 * In one Ethernet capture:
1383 * "frame2.fs" was always 0; the Sniffer manual says they're
1384 * error bits of various sorts.
1386 * "frame2.flags" was either 0 or 0x18, with no obvious
1387 * correlation with anything. See previous comment
1388 * about display filters.
1390 * In one Token Ring capture:
1392 * "frame2.fs" was either 0 or 0xcc; the Sniffer manual says
1393 * nothing about those bits for Token Ring captures.
1395 * "frame2.flags" was either 0 or 0x18, with no obvious
1396 * correlation with anything. See previous comment
1397 * about display filters.
1399 switch (wth->file_encap) {
1401 case WTAP_ENCAP_ETHERNET:
1403 * XXX - do we ever have an FCS? If not, why do we often
1404 * have 4 extra bytes of stuff at the end? Do some
1405 * PC Ethernet interfaces report the length including the
1406 * FCS but not store the FCS in the packet, or do some
1407 * Ethernet drivers work that way?
1409 pseudo_header->eth.fcs_len = 0;
1412 case WTAP_ENCAP_PPP_WITH_PHDR:
1413 case WTAP_ENCAP_SDLC:
1414 pseudo_header->p2p.sent = (frame2->fs & FS_WAN_DTE) ? TRUE : FALSE;
1417 case WTAP_ENCAP_LAPB:
1418 case WTAP_ENCAP_FRELAY_WITH_PHDR:
1419 case WTAP_ENCAP_PER_PACKET:
1420 pseudo_header->x25.flags = (frame2->fs & FS_WAN_DTE) ? 0x00 : FROM_DCE;
1423 case WTAP_ENCAP_ISDN:
1424 pseudo_header->isdn.uton = (frame2->fs & FS_WAN_DTE) ? FALSE : TRUE;
1425 switch (frame2->fs & FS_ISDN_CHAN_MASK) {
1427 case FS_ISDN_CHAN_D:
1428 pseudo_header->isdn.channel = 0; /* D-channel */
1431 case FS_ISDN_CHAN_B1:
1432 pseudo_header->isdn.channel = 1; /* B1-channel */
1435 case FS_ISDN_CHAN_B2:
1436 pseudo_header->isdn.channel = 2; /* B2-channel */
1440 pseudo_header->isdn.channel = 30; /* XXX */
1447 set_pseudo_header_frame4(union wtap_pseudo_header *pseudo_header,
1448 struct frame4_rec *frame4)
1451 guint8 aal_type, hl_type;
1455 * Map flags from frame4.atm_info.StatusWord.
1457 pseudo_header->atm.flags = 0;
1458 StatusWord = pletoh32(&frame4->atm_info.StatusWord);
1459 if (StatusWord & SW_RAW_CELL)
1460 pseudo_header->atm.flags |= ATM_RAW_CELL;
1462 aal_type = frame4->atm_info.AppTrafType & ATT_AALTYPE;
1463 hl_type = frame4->atm_info.AppTrafType & ATT_HLTYPE;
1464 vpi = pletoh16(&frame4->atm_info.Vpi);
1465 vci = pletoh16(&frame4->atm_info.Vci);
1469 case ATT_AAL_UNKNOWN:
1471 * Map ATT_AAL_UNKNOWN on VPI 0, VCI 5 to ATT_AAL_SIGNALLING,
1472 * as that's the VPCI used for signalling.
1474 * XXX - is this necessary, or will frames to 0/5 always
1475 * have ATT_AAL_SIGNALLING?
1477 if (vpi == 0 && vci == 5)
1478 pseudo_header->atm.aal = AAL_SIGNALLING;
1480 pseudo_header->atm.aal = AAL_UNKNOWN;
1481 pseudo_header->atm.type = TRAF_UNKNOWN;
1482 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1486 pseudo_header->atm.aal = AAL_1;
1487 pseudo_header->atm.type = TRAF_UNKNOWN;
1488 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1492 pseudo_header->atm.aal = AAL_3_4;
1493 pseudo_header->atm.type = TRAF_UNKNOWN;
1494 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1498 pseudo_header->atm.aal = AAL_5;
1501 case ATT_HL_UNKNOWN:
1502 pseudo_header->atm.type = TRAF_UNKNOWN;
1503 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1507 pseudo_header->atm.type = TRAF_LLCMX;
1508 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1512 pseudo_header->atm.type = TRAF_VCMX;
1513 switch (frame4->atm_info.AppHLType) {
1516 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1519 case AHLT_VCMX_802_3_FCS:
1520 pseudo_header->atm.subtype =
1521 TRAF_ST_VCMX_802_3_FCS;
1524 case AHLT_VCMX_802_4_FCS:
1525 pseudo_header->atm.subtype =
1526 TRAF_ST_VCMX_802_4_FCS;
1529 case AHLT_VCMX_802_5_FCS:
1530 pseudo_header->atm.subtype =
1531 TRAF_ST_VCMX_802_5_FCS;
1534 case AHLT_VCMX_FDDI_FCS:
1535 pseudo_header->atm.subtype =
1536 TRAF_ST_VCMX_FDDI_FCS;
1539 case AHLT_VCMX_802_6_FCS:
1540 pseudo_header->atm.subtype =
1541 TRAF_ST_VCMX_802_6_FCS;
1544 case AHLT_VCMX_802_3:
1545 pseudo_header->atm.subtype = TRAF_ST_VCMX_802_3;
1548 case AHLT_VCMX_802_4:
1549 pseudo_header->atm.subtype = TRAF_ST_VCMX_802_4;
1552 case AHLT_VCMX_802_5:
1553 pseudo_header->atm.subtype = TRAF_ST_VCMX_802_5;
1556 case AHLT_VCMX_FDDI:
1557 pseudo_header->atm.subtype = TRAF_ST_VCMX_FDDI;
1560 case AHLT_VCMX_802_6:
1561 pseudo_header->atm.subtype = TRAF_ST_VCMX_802_6;
1564 case AHLT_VCMX_FRAGMENTS:
1565 pseudo_header->atm.subtype =
1566 TRAF_ST_VCMX_FRAGMENTS;
1569 case AHLT_VCMX_BPDU:
1570 pseudo_header->atm.subtype = TRAF_ST_VCMX_BPDU;
1574 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1580 pseudo_header->atm.type = TRAF_LANE;
1581 switch (frame4->atm_info.AppHLType) {
1584 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1587 case AHLT_LANE_LE_CTRL:
1588 pseudo_header->atm.subtype =
1589 TRAF_ST_LANE_LE_CTRL;
1592 case AHLT_LANE_802_3:
1593 pseudo_header->atm.subtype = TRAF_ST_LANE_802_3;
1596 case AHLT_LANE_802_5:
1597 pseudo_header->atm.subtype = TRAF_ST_LANE_802_5;
1600 case AHLT_LANE_802_3_MC:
1601 pseudo_header->atm.subtype =
1602 TRAF_ST_LANE_802_3_MC;
1605 case AHLT_LANE_802_5_MC:
1606 pseudo_header->atm.subtype =
1607 TRAF_ST_LANE_802_5_MC;
1611 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1617 pseudo_header->atm.type = TRAF_ILMI;
1618 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1622 pseudo_header->atm.type = TRAF_FR;
1623 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1627 pseudo_header->atm.type = TRAF_SPANS;
1628 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1631 case ATT_HL_IPSILON:
1632 pseudo_header->atm.type = TRAF_IPSILON;
1633 switch (frame4->atm_info.AppHLType) {
1636 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1639 case AHLT_IPSILON_FT0:
1640 pseudo_header->atm.subtype =
1641 TRAF_ST_IPSILON_FT0;
1644 case AHLT_IPSILON_FT1:
1645 pseudo_header->atm.subtype =
1646 TRAF_ST_IPSILON_FT1;
1649 case AHLT_IPSILON_FT2:
1650 pseudo_header->atm.subtype =
1651 TRAF_ST_IPSILON_FT2;
1655 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1661 pseudo_header->atm.type = TRAF_UNKNOWN;
1662 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1668 pseudo_header->atm.aal = AAL_USER;
1669 pseudo_header->atm.type = TRAF_UNKNOWN;
1670 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1673 case ATT_AAL_SIGNALLING:
1674 pseudo_header->atm.aal = AAL_SIGNALLING;
1675 pseudo_header->atm.type = TRAF_UNKNOWN;
1676 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1680 pseudo_header->atm.aal = AAL_OAMCELL;
1681 pseudo_header->atm.type = TRAF_UNKNOWN;
1682 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1686 pseudo_header->atm.aal = AAL_UNKNOWN;
1687 pseudo_header->atm.type = TRAF_UNKNOWN;
1688 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1691 pseudo_header->atm.vpi = vpi;
1692 pseudo_header->atm.vci = vci;
1693 pseudo_header->atm.channel = pletoh16(&frame4->atm_info.channel);
1694 pseudo_header->atm.cells = pletoh16(&frame4->atm_info.cells);
1695 pseudo_header->atm.aal5t_u2u = pletoh16(&frame4->atm_info.Trailer.aal5t_u2u);
1696 pseudo_header->atm.aal5t_len = pletoh16(&frame4->atm_info.Trailer.aal5t_len);
1697 pseudo_header->atm.aal5t_chksum = pntoh32(&frame4->atm_info.Trailer.aal5t_chksum);
1701 set_pseudo_header_frame6(wtap *wth, union wtap_pseudo_header *pseudo_header,
1702 struct frame6_rec *frame6 _U_)
1704 /* XXX - Once the frame format is divined, something will most likely go here */
1706 switch (wth->file_encap) {
1708 case WTAP_ENCAP_ETHERNET:
1709 /* XXX - is there an FCS? */
1710 pseudo_header->eth.fcs_len = -1;
1716 * OK, this capture is from an "Internetwork analyzer", and we either
1717 * didn't see a type 7 record or it had a network type such as NET_HDLC
1718 * that doesn't tell us which *particular* HDLC derivative this is;
1719 * let's look at the first few bytes of the packet, a pointer to which
1720 * was passed to us as an argument, and see whether it looks like PPP,
1721 * Frame Relay, Wellfleet HDLC, Cisco HDLC, or LAPB - or, if it's none
1722 * of those, assume it's LAPD.
1724 * (XXX - are there any "Internetwork analyzer" captures that don't
1725 * have type 7 records? If so, is there some other field that will
1726 * tell us what type of capture it is?)
1729 infer_pkt_encap(const guint8 *pd, int len)
1735 * Nothing to infer, but it doesn't matter how you
1736 * dissect an empty packet. Let's just say PPP.
1738 return WTAP_ENCAP_PPP_WITH_PHDR;
1741 if (pd[0] == 0xFF) {
1743 * PPP. (XXX - check for 0xFF 0x03?)
1745 return WTAP_ENCAP_PPP_WITH_PHDR;
1749 if (pd[0] == 0x07 && pd[1] == 0x03) {
1753 return WTAP_ENCAP_WFLEET_HDLC;
1754 } else if ((pd[0] == 0x0F && pd[1] == 0x00) ||
1755 (pd[0] == 0x8F && pd[1] == 0x00)) {
1759 return WTAP_ENCAP_CHDLC_WITH_PHDR;
1763 * Check for Frame Relay. Look for packets with at least
1764 * 3 bytes of header - 2 bytes of DLCI followed by 1 byte
1765 * of control, which, for now, we require to be 0x03 (UI),
1766 * although there might be other frame types as well.
1767 * Scan forward until we see the last DLCI byte, with
1768 * the low-order bit being 1, and then check the next
1769 * byte to see if it's a control byte.
1771 * XXX - in version 4 and 5 captures, wouldn't this just
1772 * have a capture subtype of NET_FRAME_RELAY? Or is this
1773 * here only to handle other versions of the capture
1774 * file, where we might just not yet have found where
1775 * the subtype is specified in the capture?
1777 * Bay^H^H^HNortel Networks has a mechanism in the Optivity
1778 * software for some of their routers to save captures
1779 * in Sniffer format; they use a version number of 4.9, but
1780 * don't put out any header records before the first FRAME2
1781 * record. That means we have to use heuristics to guess
1782 * what type of packet we have.
1784 for (i = 0; i < len && (pd[i] & 0x01) == 0; i++)
1786 i++; /* advance to the byte after the last DLCI byte */
1791 return WTAP_ENCAP_LAPB;
1794 return WTAP_ENCAP_FRELAY_WITH_PHDR;
1798 * Assume LAPB, for now. If we support other HDLC encapsulations,
1799 * we can check whether the low-order bit of the first byte is
1800 * set (as it should be for LAPB) if no other checks pass.
1802 * Or, if it's truly impossible to distinguish ISDN from non-ISDN
1803 * captures, we could assume it's ISDN if it's not anything
1806 return WTAP_ENCAP_LAPB;
1810 fix_pseudo_header(int encap, Buffer *buf, int len,
1811 union wtap_pseudo_header *pseudo_header)
1815 pd = ws_buffer_start_ptr(buf);
1818 case WTAP_ENCAP_PER_PACKET:
1820 * Infer the packet type from the first two bytes.
1822 encap = infer_pkt_encap(pd, len);
1825 * Fix up the pseudo-header to match the new
1826 * encapsulation type.
1830 case WTAP_ENCAP_WFLEET_HDLC:
1831 case WTAP_ENCAP_CHDLC_WITH_PHDR:
1832 case WTAP_ENCAP_PPP_WITH_PHDR:
1833 if (pseudo_header->x25.flags == 0)
1834 pseudo_header->p2p.sent = TRUE;
1836 pseudo_header->p2p.sent = FALSE;
1839 case WTAP_ENCAP_ISDN:
1840 if (pseudo_header->x25.flags == 0x00)
1841 pseudo_header->isdn.uton = FALSE;
1843 pseudo_header->isdn.uton = TRUE;
1846 * XXX - this is currently a per-packet
1847 * encapsulation type, and we can't determine
1848 * whether a capture is an ISDN capture before
1849 * seeing any packets, and B-channel PPP packets
1850 * look like PPP packets and are given
1851 * WTAP_ENCAP_PPP_WITH_PHDR, not WTAP_ENCAP_ISDN,
1852 * so we assume this is a D-channel packet and
1853 * thus give it a channel number of 0.
1855 pseudo_header->isdn.channel = 0;
1860 case WTAP_ENCAP_ATM_PDUS:
1862 * If the Windows Sniffer writes out one of its ATM
1863 * capture files in DOS Sniffer format, it doesn't
1864 * distinguish between LE Control and LANE encapsulated
1865 * LAN frames, it just marks them as LAN frames,
1866 * so we fix that up here.
1868 * I've also seen DOS Sniffer captures claiming that
1869 * LANE packets that *don't* start with FF 00 are
1870 * marked as LE Control frames, so we fix that up
1873 if (pseudo_header->atm.type == TRAF_LANE && len >= 2) {
1874 if (pd[0] == 0xff && pd[1] == 0x00) {
1876 * This must be LE Control.
1878 pseudo_header->atm.subtype =
1879 TRAF_ST_LANE_LE_CTRL;
1882 * This can't be LE Control.
1884 if (pseudo_header->atm.subtype ==
1885 TRAF_ST_LANE_LE_CTRL) {
1887 * XXX - Ethernet or Token Ring?
1889 pseudo_header->atm.subtype =
1899 /* Throw away the buffers used by the sequential I/O stream, but not
1900 those used by the random I/O stream. */
1902 ngsniffer_sequential_close(wtap *wth)
1904 ngsniffer_t *ngsniffer;
1906 ngsniffer = (ngsniffer_t *)wth->priv;
1907 if (ngsniffer->seq.buf != NULL) {
1908 g_free(ngsniffer->seq.buf);
1909 ngsniffer->seq.buf = NULL;
1914 free_blob(gpointer data, gpointer user_data _U_)
1919 /* Close stuff used by the random I/O stream, if any, and free up any
1920 private data structures. (If there's a "sequential_close" routine
1921 for a capture file type, it'll be called before the "close" routine
1922 is called, so we don't have to free the sequential buffer here.) */
1924 ngsniffer_close(wtap *wth)
1926 ngsniffer_t *ngsniffer;
1928 ngsniffer = (ngsniffer_t *)wth->priv;
1929 g_free(ngsniffer->rand.buf);
1930 g_list_foreach(ngsniffer->first_blob, free_blob, NULL);
1931 g_list_free(ngsniffer->first_blob);
1935 gboolean first_frame;
1939 static const int wtap_encap[] = {
1940 -1, /* WTAP_ENCAP_UNKNOWN -> unsupported */
1941 1, /* WTAP_ENCAP_ETHERNET */
1942 0, /* WTAP_ENCAP_TOKEN_RING */
1943 -1, /* WTAP_ENCAP_SLIP -> unsupported */
1944 7, /* WTAP_ENCAP_PPP -> Internetwork analyzer (synchronous) FIXME ! */
1945 9, /* WTAP_ENCAP_FDDI */
1946 9, /* WTAP_ENCAP_FDDI_BITSWAPPED */
1947 -1, /* WTAP_ENCAP_RAW_IP -> unsupported */
1948 2, /* WTAP_ENCAP_ARCNET */
1949 -1, /* WTAP_ENCAP_ARCNET_LINUX -> unsupported */
1950 -1, /* WTAP_ENCAP_ATM_RFC1483 */
1951 -1, /* WTAP_ENCAP_LINUX_ATM_CLIP */
1952 7, /* WTAP_ENCAP_LAPB -> Internetwork analyzer (synchronous) */
1953 -1, /* WTAP_ENCAP_ATM_PDUS */
1954 -1, /* WTAP_ENCAP_NULL -> unsupported */
1955 -1, /* WTAP_ENCAP_ASCEND -> unsupported */
1956 -1, /* WTAP_ENCAP_ISDN -> unsupported */
1957 -1, /* WTAP_ENCAP_IP_OVER_FC -> unsupported */
1958 7, /* WTAP_ENCAP_PPP_WITH_PHDR -> Internetwork analyzer (synchronous) FIXME ! */
1960 #define NUM_WTAP_ENCAPS (sizeof wtap_encap / sizeof wtap_encap[0])
1962 /* Returns 0 if we could write the specified encapsulation type,
1963 an error indication otherwise. */
1965 ngsniffer_dump_can_write_encap(int encap)
1967 /* Per-packet encapsulations aren't supported. */
1968 if (encap == WTAP_ENCAP_PER_PACKET)
1969 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
1971 if (encap < 0 || (unsigned)encap >= NUM_WTAP_ENCAPS || wtap_encap[encap] == -1)
1972 return WTAP_ERR_UNWRITABLE_ENCAP;
1977 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
1980 ngsniffer_dump_open(wtap_dumper *wdh, int *err)
1982 ngsniffer_dump_t *ngsniffer;
1983 char buf[6] = {REC_VERS, 0x00, 0x12, 0x00, 0x00, 0x00}; /* version record */
1985 /* This is a sniffer file */
1986 wdh->subtype_write = ngsniffer_dump;
1987 wdh->subtype_finish = ngsniffer_dump_finish;
1989 ngsniffer = (ngsniffer_dump_t *)g_malloc(sizeof(ngsniffer_dump_t));
1990 wdh->priv = (void *)ngsniffer;
1991 ngsniffer->first_frame = TRUE;
1992 ngsniffer->start = 0;
1994 /* Write the file header. */
1995 if (!wtap_dump_file_write(wdh, ngsniffer_magic, sizeof ngsniffer_magic,
1998 if (!wtap_dump_file_write(wdh, buf, 6, err))
2004 /* Write a record for a packet to a dump file.
2005 Returns TRUE on success, FALSE on failure. */
2007 ngsniffer_dump(wtap_dumper *wdh, const wtap_rec *rec,
2008 const guint8 *pd, int *err, gchar **err_info _U_)
2010 const union wtap_pseudo_header *pseudo_header = &rec->rec_header.packet_header.pseudo_header;
2011 ngsniffer_dump_t *ngsniffer = (ngsniffer_dump_t *)wdh->priv;
2012 struct frame2_rec rec_hdr;
2016 guint16 t_low, t_med;
2018 struct vers_rec version;
2019 gint16 maj_vers, min_vers;
2023 /* We can only write packet records. */
2024 if (rec->rec_type != REC_TYPE_PACKET) {
2025 *err = WTAP_ERR_UNWRITABLE_REC_TYPE;
2029 /* The captured length field is 16 bits, so there's a hard
2031 if (rec->rec_header.packet_header.caplen > 65535) {
2032 *err = WTAP_ERR_PACKET_TOO_LARGE;
2036 /* Sniffer files have a capture start date in the file header, and
2037 have times relative to the beginning of that day in the packet
2038 headers; pick the date of the first packet as the capture start
2040 if (ngsniffer->first_frame) {
2041 ngsniffer->first_frame=FALSE;
2042 tm = localtime(&rec->ts.secs);
2043 if (tm != NULL && tm->tm_year >= DOS_YEAR_OFFSET) {
2044 start_date = (tm->tm_year - DOS_YEAR_OFFSET) << DOS_YEAR_SHIFT;
2045 start_date |= (tm->tm_mon - DOS_MONTH_OFFSET) << DOS_MONTH_SHIFT;
2046 start_date |= tm->tm_mday << DOS_DAY_SHIFT;
2047 /* record the start date, not the start time */
2048 ngsniffer->start = rec->ts.secs - (3600*tm->tm_hour + 60*tm->tm_min + tm->tm_sec);
2051 ngsniffer->start = 0;
2054 /* "sniffer" version ? */
2057 version.maj_vers = GUINT16_TO_LE(maj_vers);
2058 version.min_vers = GUINT16_TO_LE(min_vers);
2059 version.time_dos = 0;
2060 version.date = GUINT16_TO_LE(start_date);
2062 version.network = wtap_encap[wdh->encap];
2064 version.timeunit = 1; /* 0.838096 */
2065 version.cmprs_vers = 0;
2066 version.cmprs_level = 0;
2067 version.rsvd[0] = 0;
2068 version.rsvd[1] = 0;
2069 if (!wtap_dump_file_write(wdh, &version, sizeof version, err))
2073 buf[0] = REC_FRAME2;
2075 buf[2] = (char)((rec->rec_header.packet_header.caplen + sizeof(struct frame2_rec))%256);
2076 buf[3] = (char)((rec->rec_header.packet_header.caplen + sizeof(struct frame2_rec))/256);
2079 if (!wtap_dump_file_write(wdh, buf, 6, err))
2081 /* Seconds since the start of the capture */
2082 tsecs = rec->ts.secs - ngsniffer->start;
2083 /* Extract the number of days since the start of the capture */
2084 rec_hdr.time_day = (guint8)(tsecs / 86400); /* # days of capture - 86400 secs/day */
2085 tsecs -= rec_hdr.time_day * 86400; /* time within day */
2086 /* Convert to picoseconds */
2087 t = tsecs*G_GUINT64_CONSTANT(1000000000000) +
2088 rec->ts.nsecs*G_GUINT64_CONSTANT(1000);
2089 /* Convert to units of timeunit = 1 */
2091 t_low = (guint16)((t >> 0) & 0xFFFF);
2092 t_med = (guint16)((t >> 16) & 0xFFFF);
2093 t_high = (guint8)((t >> 32) & 0xFF);
2094 rec_hdr.time_low = GUINT16_TO_LE(t_low);
2095 rec_hdr.time_med = GUINT16_TO_LE(t_med);
2096 rec_hdr.time_high = t_high;
2097 rec_hdr.size = GUINT16_TO_LE(rec->rec_header.packet_header.caplen);
2098 switch (wdh->encap) {
2100 case WTAP_ENCAP_LAPB:
2101 case WTAP_ENCAP_FRELAY_WITH_PHDR:
2102 rec_hdr.fs = (pseudo_header->x25.flags & FROM_DCE) ? 0x00 : FS_WAN_DTE;
2105 case WTAP_ENCAP_PPP_WITH_PHDR:
2106 case WTAP_ENCAP_SDLC:
2107 rec_hdr.fs = pseudo_header->p2p.sent ? 0x00 : FS_WAN_DTE;
2110 case WTAP_ENCAP_ISDN:
2111 rec_hdr.fs = pseudo_header->isdn.uton ? FS_WAN_DTE : 0x00;
2112 switch (pseudo_header->isdn.channel) {
2114 case 0: /* D-channel */
2115 rec_hdr.fs |= FS_ISDN_CHAN_D;
2118 case 1: /* B1-channel */
2119 rec_hdr.fs |= FS_ISDN_CHAN_B1;
2122 case 2: /* B2-channel */
2123 rec_hdr.fs |= FS_ISDN_CHAN_B2;
2133 rec_hdr.true_size = rec->rec_header.packet_header.len != rec->rec_header.packet_header.caplen ? GUINT16_TO_LE(rec->rec_header.packet_header.len) : 0;
2135 if (!wtap_dump_file_write(wdh, &rec_hdr, sizeof rec_hdr, err))
2137 if (!wtap_dump_file_write(wdh, pd, rec->rec_header.packet_header.caplen, err))
2142 /* Finish writing to a dump file.
2143 Returns TRUE on success, FALSE on failure. */
2145 ngsniffer_dump_finish(wtap_dumper *wdh, int *err)
2148 char buf[6] = {REC_EOF, 0x00, 0x00, 0x00, 0x00, 0x00};
2150 if (!wtap_dump_file_write(wdh, buf, 6, err))
2156 SnifferDecompress() decompresses a blob of compressed data from a
2157 Sniffer(R) capture file.
2159 This function is Copyright (c) 1999-2999 Tim Farley
2162 inbuf - buffer of compressed bytes from file, not including
2163 the preceding length word
2164 inlen - length of inbuf in bytes (max 64k)
2165 outbuf - decompressed contents, could contain a partial Sniffer
2167 outlen - length of outbuf.
2168 err - return error code here
2169 err_info - for WTAP_ERR_DECOMPRESS, return descriptive string here
2171 Return value is the number of bytes in outbuf on return.
2175 * Make sure we have at least "length" bytes remaining
2176 * in the input buffer.
2178 #define CHECK_INPUT_POINTER( length ) \
2179 if ( pin + (length - 1) >= pin_end ) \
2181 *err = WTAP_ERR_DECOMPRESS; \
2182 *err_info = g_strdup("ngsniffer: Compressed data item goes past the end of the compressed block"); \
2187 * Make sure the byte containing the high order part of a buffer
2188 * offset is present.
2190 * If it is, then fetch it and combine it with the low-order part.
2192 #define FETCH_OFFSET_HIGH \
2193 CHECK_INPUT_POINTER( 1 ); \
2194 offset = code_low + ((unsigned int)(*pin++) << 4) + 3;
2197 * Make sure the output buffer is big enough to get "length"
2198 * bytes added to it.
2200 #define CHECK_OUTPUT_LENGTH( length ) \
2201 if ( pout + length > pout_end ) \
2203 *err = WTAP_ERR_UNC_OVERFLOW; \
2208 * Make sure we have another byte to fetch, and then fetch it and
2209 * append it to the buffer "length" times.
2211 #define APPEND_RLE_BYTE( length ) \
2212 /* If length would put us past end of output, avoid overflow */ \
2213 CHECK_OUTPUT_LENGTH( length ); \
2214 CHECK_INPUT_POINTER( 1 ); \
2215 memset( pout, *pin++, length ); \
2219 * Make sure the specified offset and length refer, in the output
2220 * buffer, to data that's entirely within the part of the output
2221 * buffer that we've already filled in.
2223 * Then append the string from the specified offset, with the
2224 * specified length, to the output buffer.
2226 #define APPEND_LZW_STRING( offset, length ) \
2227 /* If length would put us past end of output, avoid overflow */ \
2228 CHECK_OUTPUT_LENGTH( length ); \
2229 /* Check if offset would put us back past begin of buffer */ \
2230 if ( pout - offset < outbuf ) \
2232 *err = WTAP_ERR_DECOMPRESS; \
2233 *err_info = g_strdup("ngsniffer: LZ77 compressed data has bad offset to string"); \
2236 /* Check if offset would cause us to copy on top of ourselves */ \
2237 if ( pout - offset + length > pout ) \
2239 *err = WTAP_ERR_DECOMPRESS; \
2240 *err_info = g_strdup("ngsniffer: LZ77 compressed data has bad offset to string"); \
2243 /* Copy the string from previous text to output position, \
2244 advance output pointer */ \
2245 memcpy( pout, pout - offset, length ); \
2249 SnifferDecompress(unsigned char *inbuf, size_t inlen, unsigned char *outbuf,
2250 size_t outlen, int *err, gchar **err_info)
2252 unsigned char * pin = inbuf;
2253 unsigned char * pout = outbuf;
2254 unsigned char * pin_end = pin + inlen;
2255 unsigned char * pout_end = pout + outlen;
2256 unsigned int bit_mask; /* one bit is set in this, to mask with bit_value */
2257 unsigned int bit_value = 0; /* cache the last 16 coding bits we retrieved */
2258 unsigned int code_type; /* encoding type, from high 4 bits of byte */
2259 unsigned int code_low; /* other 4 bits from encoding byte */
2260 int length; /* length of RLE sequence or repeated string */
2261 int offset; /* offset of string to repeat */
2263 if (inlen > G_MAXUINT16) {
2267 bit_mask = 0; /* don't have any bits yet */
2268 /* Process until we've consumed all the input */
2269 while (pin < pin_end)
2271 /* Shift down the bit mask we use to see what's encoded */
2272 bit_mask = bit_mask >> 1;
2274 /* If there are no bits left, time to get another 16 bits */
2275 if ( 0 == bit_mask )
2277 /* make sure there are at least *three* bytes
2278 available - the two bytes of the bit value,
2279 plus one byte after it */
2280 CHECK_INPUT_POINTER( 3 );
2281 bit_mask = 0x8000; /* start with the high bit */
2282 bit_value = pletoh16(pin); /* get the next 16 bits */
2283 pin += 2; /* skip over what we just grabbed */
2286 /* Use the bits in bit_value to see what's encoded and what is raw data */
2287 if ( !(bit_mask & bit_value) )
2289 /* bit not set - raw byte we just copy */
2291 /* If length would put us past end of output, avoid overflow */
2292 CHECK_OUTPUT_LENGTH( 1 );
2293 *(pout++) = *(pin++);
2297 /* bit set - next item is encoded. Peel off high nybble
2298 of next byte to see the encoding type. Set aside low
2299 nybble while we are at it */
2300 code_type = (unsigned int) ((*pin) >> 4 ) & 0xF;
2301 code_low = (unsigned int) ((*pin) & 0xF );
2302 pin++; /* increment over the code byte we just retrieved */
2304 /* Based on the code type, decode the compressed string */
2305 switch ( code_type )
2307 case 0 : /* RLE short runs */
2309 Run length is the low nybble of the first code byte.
2310 Byte to repeat immediately follows.
2311 Total code size: 2 bytes.
2313 length = code_low + 3;
2315 /* check the length and then, if it's OK,
2316 generate the repeated series of bytes */
2317 APPEND_RLE_BYTE( length );
2319 case 1 : /* RLE long runs */
2321 Low 4 bits of run length is the low nybble of the
2322 first code byte, upper 8 bits of run length is in
2324 Byte to repeat immediately follows.
2325 Total code size: 3 bytes.
2327 CHECK_INPUT_POINTER( 1 );
2328 length = code_low + ((unsigned int)(*pin++) << 4) + 19;
2330 /* check the length and then, if it's OK,
2331 generate the repeated series of bytes */
2332 APPEND_RLE_BYTE( length );
2334 case 2 : /* LZ77 long strings */
2336 Low 4 bits of offset to string is the low nybble of the
2337 first code byte, upper 8 bits of offset is in
2339 Length of string immediately follows.
2340 Total code size: 3 bytes.
2344 /* get length from next byte, make sure it won't overrun buf */
2345 CHECK_INPUT_POINTER( 1 );
2346 length = (unsigned int)(*pin++) + 16;
2348 /* check the offset and length and then, if
2349 they're OK, copy the data */
2350 APPEND_LZW_STRING( offset, length );
2352 default : /* (3 to 15): LZ77 short strings */
2354 Low 4 bits of offset to string is the low nybble of the
2355 first code byte, upper 8 bits of offset is in
2357 Length of string to repeat is overloaded into code_type.
2358 Total code size: 2 bytes.
2362 /* get length from code_type */
2365 /* check the offset and length and then, if
2366 they're OK, copy the data */
2367 APPEND_LZW_STRING( offset, length );
2373 return (int) ( pout - outbuf ); /* return length of expanded text */
2377 * XXX - is there any guarantee that 65535 bytes is big enough to hold the
2378 * uncompressed data from any blob?
2380 #define OUTBUF_SIZE 65536
2381 #define INBUF_SIZE 65536
2383 /* Information about a compressed blob; we save the offset in the
2384 underlying compressed file, and the offset in the uncompressed data
2385 stream, of the blob. */
2387 gint64 blob_comp_offset;
2388 gint64 blob_uncomp_offset;
2392 ng_read_bytes_or_eof(wtap *wth, void *buffer, unsigned int nbytes, gboolean is_random,
2393 int *err, gchar **err_info)
2395 ngsniffer_t *ngsniffer;
2397 ngsniffer_comp_stream_t *comp_stream;
2398 unsigned char *outbuffer = (unsigned char *)buffer; /* where to write next decompressed data */
2400 unsigned int bytes_to_copy;
2401 unsigned int bytes_left;
2403 ngsniffer = (ngsniffer_t *)wth->priv;
2405 infile = wth->random_fh;
2406 comp_stream = &ngsniffer->rand;
2409 comp_stream = &ngsniffer->seq;
2412 if (wth->file_type_subtype == WTAP_FILE_TYPE_SUBTYPE_NGSNIFFER_UNCOMPRESSED) {
2413 if (!wtap_read_bytes_or_eof(infile, buffer, nbytes, err, err_info))
2415 comp_stream->uncomp_offset += nbytes;
2416 comp_stream->comp_offset += nbytes;
2420 /* Allocate the stream buffer if it hasn't already been allocated. */
2421 if (comp_stream->buf == NULL) {
2422 comp_stream->buf = (unsigned char *)g_malloc(OUTBUF_SIZE);
2425 /* This is the first read of the random file, so we're at
2426 the beginning of the sequence of blobs in the file
2427 (as we've not done any random reads yet to move the
2428 current position in the random stream); set the
2429 current blob to be the first blob. */
2430 ngsniffer->current_blob = ngsniffer->first_blob;
2432 /* This is the first sequential read; if we also have a
2433 random stream open, allocate the first element for the
2434 list of blobs, and make it the last element as well. */
2435 if (wth->random_fh != NULL) {
2436 g_assert(ngsniffer->first_blob == NULL);
2437 blob = g_new(blob_info_t,1);
2438 blob->blob_comp_offset = comp_stream->comp_offset;
2439 blob->blob_uncomp_offset = comp_stream->uncomp_offset;
2440 ngsniffer->first_blob = g_list_append(ngsniffer->first_blob,
2442 ngsniffer->last_blob = ngsniffer->first_blob;
2446 /* Now read the first blob into the buffer. */
2447 if (!read_blob(infile, comp_stream, err, err_info))
2450 while (nbytes > 0) {
2451 bytes_left = comp_stream->nbytes - comp_stream->nextout;
2452 if (bytes_left == 0) {
2453 /* There's no decompressed stuff left to copy from the current
2454 blob; get the next blob. */
2457 /* Move to the next blob in the list. */
2458 ngsniffer->current_blob = g_list_next(ngsniffer->current_blob);
2459 if (!ngsniffer->current_blob) {
2461 * XXX - this "can't happen"; we should have a
2462 * blob for every byte in the file.
2464 *err = WTAP_ERR_CANT_SEEK;
2468 /* If we also have a random stream open, add a new element,
2469 for this blob, to the list of blobs; we know the list is
2470 non-empty, as we initialized it on the first sequential
2471 read, so we just add the new element at the end, and
2472 adjust the pointer to the last element to refer to it. */
2473 if (wth->random_fh != NULL) {
2474 blob = g_new(blob_info_t,1);
2475 blob->blob_comp_offset = comp_stream->comp_offset;
2476 blob->blob_uncomp_offset = comp_stream->uncomp_offset;
2477 ngsniffer->last_blob = g_list_append(ngsniffer->last_blob,
2482 if (!read_blob(infile, comp_stream, err, err_info))
2484 bytes_left = comp_stream->nbytes - comp_stream->nextout;
2487 bytes_to_copy = nbytes;
2488 if (bytes_to_copy > bytes_left)
2489 bytes_to_copy = bytes_left;
2490 memcpy(outbuffer, &comp_stream->buf[comp_stream->nextout],
2492 nbytes -= bytes_to_copy;
2493 outbuffer += bytes_to_copy;
2494 comp_stream->nextout += bytes_to_copy;
2495 comp_stream->uncomp_offset += bytes_to_copy;
2501 ng_read_bytes(wtap *wth, void *buffer, unsigned int nbytes, gboolean is_random,
2502 int *err, gchar **err_info)
2504 if (!ng_read_bytes_or_eof(wth, buffer, nbytes, is_random, err, err_info)) {
2506 * In this case, even reading zero bytes, because we're at
2507 * the end of the file, is a short read.
2510 *err = WTAP_ERR_SHORT_READ;
2516 /* Read a blob from a compressed stream.
2517 Return FALSE and set "*err" and "*err_info" on error, otherwise return TRUE. */
2519 read_blob(FILE_T infile, ngsniffer_comp_stream_t *comp_stream, int *err,
2523 unsigned short blob_len;
2524 gint16 blob_len_host;
2525 gboolean uncompressed;
2526 unsigned char *file_inbuf;
2529 /* Read one 16-bit word which is length of next compressed blob */
2530 if (!wtap_read_bytes_or_eof(infile, &blob_len, 2, err, err_info))
2532 comp_stream->comp_offset += 2;
2533 blob_len_host = pletoh16(&blob_len);
2535 /* Compressed or uncompressed? */
2536 if (blob_len_host < 0) {
2537 /* Uncompressed blob; blob length is absolute value of the number. */
2538 in_len = -blob_len_host;
2539 uncompressed = TRUE;
2541 in_len = blob_len_host;
2542 uncompressed = FALSE;
2545 file_inbuf = (unsigned char *)g_malloc(INBUF_SIZE);
2548 if (!wtap_read_bytes(infile, file_inbuf, in_len, err, err_info)) {
2552 comp_stream->comp_offset += in_len;
2555 memcpy(comp_stream->buf, file_inbuf, in_len);
2558 /* Decompress the blob */
2559 out_len = SnifferDecompress(file_inbuf, in_len,
2560 comp_stream->buf, OUTBUF_SIZE, err,
2569 comp_stream->nextout = 0;
2570 comp_stream->nbytes = out_len;
2574 /* Skip some number of bytes forward in the sequential stream. */
2576 ng_skip_bytes_seq(wtap *wth, unsigned int count, int *err, gchar **err_info)
2578 ngsniffer_t *ngsniffer;
2580 unsigned int amount_to_read;
2582 ngsniffer = (ngsniffer_t *)wth->priv;
2584 if (wth->file_type_subtype == WTAP_FILE_TYPE_SUBTYPE_NGSNIFFER_UNCOMPRESSED) {
2585 ngsniffer->seq.uncomp_offset += count;
2586 return wtap_read_bytes(wth->fh, NULL, count, err, err_info);
2589 /* Ok, now read and discard "count" bytes. */
2590 buf = (char *)g_malloc(INBUF_SIZE);
2591 while (count != 0) {
2592 if (count > INBUF_SIZE)
2593 amount_to_read = INBUF_SIZE;
2595 amount_to_read = count;
2597 if (!ng_read_bytes(wth, buf, amount_to_read, FALSE, err, err_info)) {
2599 return FALSE; /* error */
2602 count -= amount_to_read;
2609 /* Seek to a given offset in the random data stream.
2611 On compressed files, we see whether we're seeking to a position within
2612 the blob we currently have in memory and, if not, we find in the list
2613 of blobs the last blob that starts at or before the position to which
2614 we're seeking, and read that blob in. We can then move to the appropriate
2615 position within the blob we have in memory (whether it's the blob we
2616 already had in memory or, if necessary, the one we read in). */
2618 ng_file_seek_rand(wtap *wth, gint64 offset, int *err, gchar **err_info)
2620 ngsniffer_t *ngsniffer;
2622 GList *new_list, *next_list;
2623 blob_info_t *next_blob, *new_blob;
2625 ngsniffer = (ngsniffer_t *)wth->priv;
2627 if (wth->file_type_subtype == WTAP_FILE_TYPE_SUBTYPE_NGSNIFFER_UNCOMPRESSED) {
2628 if (file_seek(wth->random_fh, offset, SEEK_SET, err) == -1)
2633 delta = offset - ngsniffer->rand.uncomp_offset;
2635 /* Is the place to which we're seeking within the current buffer, or
2636 will we have to read a different blob into the buffer? */
2639 /* We're going forwards.
2640 Is the place to which we're seeking within the current buffer? */
2641 if ((size_t)(ngsniffer->rand.nextout + delta) >= ngsniffer->rand.nbytes) {
2642 /* No. Search for a blob that contains the target
2643 offset in the uncompressed byte stream. */
2644 if (ngsniffer->current_blob == NULL) {
2645 /* We haven't read anything from the random
2646 file yet, so we have no current blob;
2647 search all the blobs, starting with
2649 new_list = ngsniffer->first_blob;
2651 /* We're seeking forward, so start searching
2652 with the blob after the current one. */
2653 new_list = g_list_next(ngsniffer->current_blob);
2656 next_list = g_list_next(new_list);
2657 if (next_list == NULL) {
2658 /* No more blobs; the current one is it. */
2662 next_blob = (blob_info_t *)next_list->data;
2663 /* Does the next blob start after the target offset?
2664 If so, the current blob is the one we want. */
2665 if (next_blob->blob_uncomp_offset > offset)
2668 new_list = next_list;
2670 if (new_list == NULL) {
2672 * We're seeking past the end of what
2673 * we've read so far.
2675 *err = WTAP_ERR_CANT_SEEK;
2679 } else if (delta < 0) {
2680 /* We're going backwards.
2681 Is the place to which we're seeking within the current buffer? */
2682 if (ngsniffer->rand.nextout + delta < 0) {
2683 /* No. Search for a blob that contains the target
2684 offset in the uncompressed byte stream. */
2685 if (ngsniffer->current_blob == NULL) {
2686 /* We haven't read anything from the random
2687 file yet, so we have no current blob;
2688 search all the blobs, starting with
2690 new_list = ngsniffer->last_blob;
2692 /* We're seeking backward, so start searching
2693 with the blob before the current one. */
2694 new_list = g_list_previous(ngsniffer->current_blob);
2697 /* Does this blob start at or before the target offset?
2698 If so, the current blob is the one we want. */
2699 new_blob = (blob_info_t *)new_list->data;
2700 if (new_blob->blob_uncomp_offset <= offset)
2703 /* It doesn't - skip to the previous blob. */
2704 new_list = g_list_previous(new_list);
2706 if (new_list == NULL) {
2708 * XXX - shouldn't happen.
2710 *err = WTAP_ERR_CANT_SEEK;
2716 if (new_list != NULL) {
2717 /* The place to which we're seeking isn't in the current buffer;
2718 move to a new blob. */
2719 new_blob = (blob_info_t *)new_list->data;
2721 /* Seek in the compressed file to the offset in the compressed file
2722 of the beginning of that blob. */
2723 if (file_seek(wth->random_fh, new_blob->blob_comp_offset, SEEK_SET, err) == -1)
2727 * Do we have a buffer for the random stream yet?
2729 if (ngsniffer->rand.buf == NULL) {
2731 * No - allocate it, as we'll be reading into it.
2733 ngsniffer->rand.buf = (unsigned char *)g_malloc(OUTBUF_SIZE);
2736 /* Make the blob we found the current one. */
2737 ngsniffer->current_blob = new_list;
2739 /* Now set the current offsets to the offsets of the beginning
2741 ngsniffer->rand.uncomp_offset = new_blob->blob_uncomp_offset;
2742 ngsniffer->rand.comp_offset = new_blob->blob_comp_offset;
2744 /* Now fill the buffer. */
2745 if (!read_blob(wth->random_fh, &ngsniffer->rand, err, err_info))
2748 /* Set "delta" to the amount to move within this blob; it had
2749 better be >= 0, and < the amount of uncompressed data in
2750 the blob, as otherwise it'd mean we need to seek before
2751 the beginning or after the end of this blob. */
2752 delta = offset - ngsniffer->rand.uncomp_offset;
2753 g_assert(delta >= 0 && (unsigned long)delta < ngsniffer->rand.nbytes);
2756 /* OK, the place to which we're seeking is in the buffer; adjust
2757 "ngsniffer->rand.nextout" to point to the place to which
2758 we're seeking, and adjust "ngsniffer->rand.uncomp_offset" to be
2759 the destination offset. */
2760 ngsniffer->rand.nextout += (int) delta;
2761 ngsniffer->rand.uncomp_offset += delta;
2767 * Editor modelines - http://www.wireshark.org/tools/modelines.html
2772 * indent-tabs-mode: t
2775 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
2776 * :indentSize=8:tabSize=8:noTabs=false: