4 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version 2
9 * of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
25 #include "file_wrappers.h"
29 * A file begins with a header containing:
31 * a 4-byte magic number, with 'c', 'p', 's', 'e';
33 * either a 2-byte little-endian "format indicator" (version number?),
34 * or a 1-byte major version number followed by a 1-byte minor version
35 * number, or a 1-byte "format indicator" followed by something else
36 * that's always been 0;
38 * a 2-byte 0xe8 0x03 (1000 - a data rate? megabits/second?)
40 * 4 bytes of 0x01 0x00 0x01 0x00;
42 * either a 4-byte little-endian file size followed by 0x00 0x00 0x00 0x00
43 * or an 8-byte little-endian file size;
45 * a 4-byte little-endian packet count (in dns_error_of_udp, it exceeds?)
47 * a 4-byte little-endian number?
49 * hex 2c 01 c8 00 00 00 da 36 00 00 00 00 00 00;
51 * the same 4-byte little-endian number as above (yes, misaligned);
55 * a bunch of 0s, up to an offset of 0x36d6;
59 * Following that is a sequence of { record offset block, up to 200 records }
62 * A record offset block has 1 byte with the value 0xfe, a sequence of
63 * up to 200 4-byte little-endian record offsets, and 4 or more bytes
64 * of unknown data, making the block 805 bytes long.
66 * The record offsets are offsets, from the beginning of the record offset
67 * block (i.e., from the 0xfe byte), of the records following the block.
70 /* Magic number in Capsa files. */
71 static const char capsa_magic[] = {
 * Before each group of 200 or fewer records there's a block of frame
 * offsets, giving the offsets, measured from the position of the 0xfe
 * byte that begins the block (the value capsa_read() records as
 * base_offset before skipping that byte), of the next N records.
80 #define N_RECORDS_PER_GROUP 200
82 /* Capsa (format indicator 1) record header. */
84 guint32 unknown1; /* low-order 32 bits of a number? */
85 guint32 unknown2; /* 0x00 0x00 0x00 0x00 */
86 guint32 timestamplo; /* low-order 32 bits of the time stamp, in microseconds since January 1, 1970, 00:00:00 UTC */
87 guint32 timestamphi; /* high-order 32 bits of the time stamp, in microseconds since January 1, 1970, 00:00:00 UTC */
88 guint16 rec_len; /* length of record */
89 guint16 incl_len; /* number of octets captured in file */
90 guint16 orig_len; /* actual length of packet */
91 guint16 unknown5; /* 0x00 0x00 */
92 guint8 count1; /* count1*4 bytes after unknown8 */
93 guint8 count2; /* count2*4 bytes after that */
94 guint16 unknown7; /* 0x01 0x10 */
95 guint32 unknown8; /* 0x00 0x00 0x00 0x00 or random numbers */
98 /* Packet Builder (format indicator 2) record header. */
100 guint16 rec_len; /* length of record */
101 guint16 incl_len; /* number of octets captured in file */
102 guint16 orig_len; /* actual length of packet */
107 guint32 timestamplo; /* low-order 32 bits of the time stamp, in microseconds since January 1, 1970, 00:00:00 UTC */
108 guint32 timestamphi; /* high-order 32 bits of the time stamp, in microseconds since January 1, 1970, 00:00:00 UTC */
114 guint16 format_indicator;
115 guint32 number_of_frames;
118 guint32 record_offsets[N_RECORDS_PER_GROUP];
121 static gboolean capsa_read(wtap *wth, int *err, gchar **err_info,
122 gint64 *data_offset);
123 static gboolean capsa_seek_read(wtap *wth, gint64 seek_off,
124 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
125 static int capsa_read_packet(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr,
126 Buffer *buf, int *err, gchar **err_info);
/*
 * Probe and open a Colasoft Capsa / Packet Builder capture.
 *
 * Checks the 4-byte magic (capsa_magic), reads the 2-byte little-endian
 * "format indicator" and accepts only 1 (Capsa) and 2 (Packet Builder),
 * reads the 32-bit little-endian frame count out of the fixed header,
 * and then seeks to the fixed absolute offset 0x44ef where the first
 * record-offset block is assumed to start.  Every other header field is
 * skipped without being looked at.
 *
 * Returns WTAP_OPEN_NOT_MINE when the magic does not match (or the file
 * is shorter than the magic), WTAP_OPEN_ERROR with *err/*err_info set on
 * an I/O error or an unsupported format indicator, and WTAP_OPEN_MINE on
 * success, with wth->priv pointing at a freshly allocated capsa_t.
 *
 * NOTE(review): number_of_frames is an untrusted 32-bit value taken from
 * the file; capsa_read() uses it as its only stop condition and nothing
 * here cross-checks it against the file size (which is skipped below).
 * NOTE(review): the format description at the top of this file talks
 * about zeros "up to an offset of 0x36d6", while the code seeks to
 * 0x44ef; the two have not been reconciled here.
 */
wtap_open_return_val capsa_open(wtap *wth, int *err, gchar **err_info)
	char magic[sizeof capsa_magic];
	guint16 format_indicator;
	int file_type_subtype;
	guint32 number_of_frames;

	/* Read in the string that should be at the start of a Capsa file */
	if (!wtap_read_bytes(wth->fh, magic, sizeof magic, err, err_info)) {
		/* A file shorter than the magic is simply not ours. */
		if (*err != WTAP_ERR_SHORT_READ)
			return WTAP_OPEN_ERROR;
		return WTAP_OPEN_NOT_MINE;
	if (memcmp(magic, capsa_magic, sizeof capsa_magic) != 0) {
		return WTAP_OPEN_NOT_MINE;

	/*
	 * Read the mysterious "format indicator".  The magic has matched
	 * by now, so a failure here (short read included) is an error,
	 * not "not mine".
	 */
	if (!wtap_read_bytes(wth->fh, &format_indicator, sizeof format_indicator,
		return WTAP_OPEN_ERROR;
	format_indicator = GUINT16_FROM_LE(format_indicator);

	/*
	 * Make sure it's a format we support.  The indicator selects the
	 * record-header layout that capsa_read_packet() will read, so an
	 * unknown value must be rejected here rather than guessed at later.
	 */
	switch (format_indicator) {
		/* (case 1: Capsa) */
		file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_COLASOFT_CAPSA;
	case 2: /* Packet Builder */
		file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_COLASOFT_PACKET_BUILDER;
		/* (default: anything else is refused) */
		*err = WTAP_ERR_UNSUPPORTED;
		*err_info = g_strdup_printf("capsa: format indicator %u unsupported",
		return WTAP_OPEN_ERROR;

	/*
	 * 2 bytes; 0xe8 0x03 (1000) in the files described at the top of
	 * this file - a link speed?  Skipped, not validated.
	 */
	if (!file_skip(wth->fh, 2, err))
		return WTAP_OPEN_ERROR;

	/*
	 * Flags of some sort? Four 1-byte numbers, two of which are 1
	 * and two of which are zero? Two 2-byte numbers or flag fields,
	 * both of which are 1?  Skipped, not validated.
	 */
	if (!file_skip(wth->fh, 4, err))
		return WTAP_OPEN_ERROR;

	/*
	 * File size, in bytes.  Skipped rather than read, so it is not
	 * available for sanity-checking number_of_frames or the record
	 * offsets later on.
	 */
	if (!file_skip(wth->fh, 4, err))
		return WTAP_OPEN_ERROR;

	/*
	 * Zeroes? Or upper 4 bytes of file size?
	 */
	if (!file_skip(wth->fh, 4, err))
		return WTAP_OPEN_ERROR;

	/* Frame count, 32-bit little-endian, taken at face value. */
	if (!wtap_read_bytes(wth->fh, &number_of_frames, sizeof number_of_frames,
		return WTAP_OPEN_ERROR;
	number_of_frames = GUINT32_FROM_LE(number_of_frames);

	/*
	 * Skip past what we think is file header.  This is a fixed
	 * absolute position; nothing read above influences it.
	 */
	if (!file_seek(wth->fh, 0x44ef, SEEK_SET, err))
		return WTAP_OPEN_ERROR;

	/* Per-file state consumed by capsa_read()/capsa_read_packet(). */
	wth->file_type_subtype = file_type_subtype;
	capsa = (capsa_t *)g_malloc(sizeof(capsa_t));
	capsa->format_indicator = format_indicator;
	capsa->number_of_frames = number_of_frames;
	capsa->frame_count = 0;
	wth->priv = (void *)capsa;
	wth->subtype_read = capsa_read;
	wth->subtype_seek_read = capsa_seek_read;

	/*
	 * XXX - we've never seen a Wi-Fi Capsa capture, so we don't
	 * yet know how to handle them; everything is reported as Ethernet.
	 */
	wth->file_encap = WTAP_ENCAP_ETHERNET;
	wth->snapshot_length = 0; /* not available in header */
	wth->file_tsprec = WTAP_TSPREC_USEC; /* record time stamps are in microseconds */
	return WTAP_OPEN_MINE;
231 /* Read the next packet */
/*
 * Sequential read of the next packet.
 *
 * Records come in groups of N_RECORDS_PER_GROUP (200).  Each group is
 * preceded by an 805-byte record-offset block: one 0xfe byte, 200
 * little-endian 32-bit offsets, then 4 trailing bytes that are skipped.
 * base_offset is the file position of the 0xfe byte, and every offset
 * in the block is relative to it.  When frame_count is a multiple of
 * 200 the block is read into capsa->record_offsets; the record is then
 * located by seeking to base_offset + record_offsets[frame_count % 200]
 * (the index is always in 0..199, so it is in bounds), read with
 * capsa_read_packet(), and the padding count that returns is skipped so
 * the file position ends up at the next record or the next offset block.
 *
 * Stops once frame_count reaches number_of_frames (the "no more frames"
 * branch below); on success *data_offset holds the record's absolute
 * file offset, which is what capsa_seek_read() later takes as seek_off.
 *
 * NOTE(review): both the stop condition (number_of_frames) and the
 * per-record offsets are file-controlled and used as-is.  Nothing here
 * requires an offset to point past the 805-byte block or forward of the
 * previous record, so a crafted file can make consecutive reads revisit
 * the same bytes; the only bound on total work is number_of_frames.
 */
static gboolean capsa_read(wtap *wth, int *err, gchar **err_info,
	capsa_t *capsa = (capsa_t *)wth->priv;
	guint32 frame_within_block;

	if (capsa->frame_count == capsa->number_of_frames) {
		/*
		 * No more frames left. Return an EOF.
		 */
	frame_within_block = capsa->frame_count % N_RECORDS_PER_GROUP;
	if (frame_within_block == 0) {
		/*
		 * Here's a record offset block.
		 * Get the offset of the block, and then skip the
		 * leading 0xfe byte; the offsets below are relative to
		 * base_offset, i.e. to that byte.
		 */
		capsa->base_offset = file_tell(wth->fh);
		if (!file_skip(wth->fh, 1, err))
		/*
		 * Now read the record offsets: 200 x 4 bytes, kept in
		 * file (little-endian) order and byte-swapped on use.
		 */
		if (!wtap_read_bytes(wth->fh, &capsa->record_offsets,
		    sizeof capsa->record_offsets, err, err_info))
		/*
		 * And finish processing all 805 bytes by skipping
		 * the 4 unknown trailing bytes.
		 */
		if (!file_skip(wth->fh, 4, err))
	/* Absolute position of this record; untrusted and not range-checked. */
	*data_offset = capsa->base_offset +
	    GUINT32_FROM_LE(capsa->record_offsets[frame_within_block]);
	if (!file_seek(wth->fh, *data_offset, SEEK_SET, err))
	/* Header validation and the packet-data read live in capsa_read_packet(). */
	padbytes = capsa_read_packet(wth, wth->fh, &wth->phdr,
	    wth->frame_buffer, err, err_info);
	/*
	 * Skip over the padding, if any (rec_len minus header and data),
	 * so the file position lands on the next record.
	 */
	if (!file_skip(wth->fh, padbytes, err))
	capsa->frame_count++;
/*
 * Random-access read of the record at seek_off from wth->random_fh.
 *
 * seek_off is a *data_offset value previously produced by capsa_read(),
 * i.e. the absolute position of a record header, so the record-offset
 * blocks are not consulted here and the padding count returned by
 * capsa_read_packet() is irrelevant for a one-off read.  A failed packet
 * read is reported as WTAP_ERR_SHORT_READ (at least where no other error
 * code has been set), treating EOF inside a record as a truncated file.
 */
capsa_seek_read(wtap *wth, gint64 seek_off,
    struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info)
	if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
	if (capsa_read_packet(wth, wth->random_fh, phdr, buf, err, err_info) == -1) {
		/* EOF in the middle of a record: the file is truncated. */
		*err = WTAP_ERR_SHORT_READ;
/*
 * Read one record header plus its packet data from fh into phdr/buf.
 *
 * The header layout is chosen by capsa->format_indicator (validated in
 * capsa_open()): 1 reads a struct capsarec_hdr followed by a
 * variable-length area of (count1 + count2) * 4 bytes that is skipped
 * and counted into header_size; 2 reads a struct pbrec_hdr.  Both
 * supply rec_len (whole record), incl_len (bytes present in the file)
 * and orig_len (on-the-wire length) as 16-bit little-endian values, and
 * a 64-bit microsecond time stamp split over two 32-bit fields.
 *
 * Checks performed before any data is read into buf:
 *   - orig_len and incl_len must not exceed WTAP_MAX_PACKET_SIZE;
 *   - header_size + incl_len must not exceed rec_len, which also keeps
 *     the padding count returned below non-negative.
 * All three failures return -1 with *err = WTAP_ERR_BAD_FILE and an
 * explanatory *err_info.  Not checked: the time stamp, and whether
 * rec_len actually fits in the file (a short read surfaces from the
 * underlying read calls instead).
 *
 * Returns the number of padding bytes that follow the packet data
 * (rec_len - header_size - incl_len) on success, -1 on failure with
 * *err/*err_info set.
 */
capsa_read_packet(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr,
    Buffer *buf, int *err, gchar **err_info)
	capsa_t *capsa = (capsa_t *)wth->priv;
	struct capsarec_hdr capsarec_hdr;
	struct pbrec_hdr pbrec_hdr;

	/*
	 * Read record header.  The structs are filled straight from the
	 * file, so their member order and sizes must match the on-disk
	 * record byte for byte.
	 */
	switch (capsa->format_indicator) {
		/* (case 1: Capsa) */
		if (!wtap_read_bytes_or_eof(fh, &capsarec_hdr,
		    sizeof capsarec_hdr, err, err_info))
		rec_size = GUINT16_FROM_LE(capsarec_hdr.rec_len);
		orig_size = GUINT16_FROM_LE(capsarec_hdr.orig_len);
		packet_size = GUINT16_FROM_LE(capsarec_hdr.incl_len);
		header_size = sizeof capsarec_hdr;
		timestamp = (((guint64)GUINT32_FROM_LE(capsarec_hdr.timestamphi))<<32) + GUINT32_FROM_LE(capsarec_hdr.timestamplo);
		/*
		 * OK, the rest of this is variable-length.
		 * We skip: (count1+count2)*4 bytes.
		 * XXX - what is that? Measured statistics?
		 * Calculated statistics?
		 * count1 and count2 are single bytes, so this is at most
		 * 2 * 255 * 4 = 2040 bytes; it is added to header_size so
		 * the rec_len check further down still covers it.
		 */
		if (!file_skip(fh, (capsarec_hdr.count1 + capsarec_hdr.count2)*4,
		header_size += (capsarec_hdr.count1 + capsarec_hdr.count2)*4;
		/* (case 2: Packet Builder) */
		if (!wtap_read_bytes_or_eof(fh, &pbrec_hdr,
		    sizeof pbrec_hdr, err, err_info))
		rec_size = GUINT16_FROM_LE(pbrec_hdr.rec_len);
		orig_size = GUINT16_FROM_LE(pbrec_hdr.orig_len);
		packet_size = GUINT16_FROM_LE(pbrec_hdr.incl_len);
		header_size = sizeof pbrec_hdr;
		timestamp = (((guint64)GUINT32_FROM_LE(pbrec_hdr.timestamphi))<<32) + GUINT32_FROM_LE(pbrec_hdr.timestamplo);
		/*
		 * XXX - from the results of some conversions between
		 * Capsa format and pcap by Colasoft Packet Builder,
		 * I do not trust its conversion of time stamps (at
		 * least one of Colasoft's sample files, when
		 * converted to pcap format, has, as its time stamps,
		 * time stamps on the day after the conversion was
		 * done, which seems like more than just coincidence).
		 */
		/*
		 * (default) format_indicator was validated at open time, so
		 * reaching this is a programming error; if assertions are
		 * compiled out it degrades to an internal-error return.
		 */
		g_assert_not_reached();
		*err = WTAP_ERR_INTERNAL;

	if (orig_size > WTAP_MAX_PACKET_SIZE) {
		/*
		 * Probably a corrupt capture file; don't blow up trying
		 * to allocate space for an immensely-large packet.
		 */
		*err = WTAP_ERR_BAD_FILE;
		*err_info = g_strdup_printf("capsa: File has %u-byte original length, bigger than maximum of %u",
		    orig_size, WTAP_MAX_PACKET_SIZE);
	if (packet_size > WTAP_MAX_PACKET_SIZE) {
		/*
		 * Probably a corrupt capture file; don't blow up trying
		 * to allocate space for an immensely-large packet.
		 */
		*err = WTAP_ERR_BAD_FILE;
		*err_info = g_strdup_printf("capsa: File has %u-byte packet, bigger than maximum of %u",
		    packet_size, WTAP_MAX_PACKET_SIZE);
	if (header_size + packet_size > rec_size) {
		/*
		 * Probably a corrupt capture file.  This is also what
		 * guarantees the padding count returned at the end is
		 * not negative.
		 */
		*err = WTAP_ERR_BAD_FILE;
		*err_info = g_strdup_printf("capsa: File has %u-byte packet with %u-byte record header, bigger than record size %u",
		    packet_size, header_size, rec_size);

	/*
	 * The "on the wire" record size always includes the CRC.
	 * If it's greater than the "captured" size by 4, then
	 * we subtract 4 from it, to reflect the way the "on the wire"
	 * record size works for other file formats.
	 */
	if (orig_size == packet_size + 4)
		orig_size = packet_size;

	/*
	 * We assume there's no FCS in this frame.
	 * XXX - is there ever one?
	 */
	phdr->pseudo_header.eth.fcs_len = 0;

	phdr->rec_type = REC_TYPE_PACKET;
	phdr->caplen = packet_size;
	phdr->len = orig_size;
	phdr->presence_flags = WTAP_HAS_CAP_LEN|WTAP_HAS_TS;
	/* Split the microsecond time stamp into seconds + nanoseconds. */
	phdr->ts.secs = (time_t)(timestamp / 1000000);
	phdr->ts.nsecs = ((int)(timestamp % 1000000))*1000;

	/*
	 * Read the packet data.  packet_size has been bounded by
	 * WTAP_MAX_PACKET_SIZE and by rec_len above.
	 */
	if (!wtap_read_packet_bytes(fh, buf, packet_size, err, err_info))
		return -1; /* failed */

	/* Padding left in the record after the packet data. */
	return rec_size - (header_size + packet_size);
435 * Editor modelines - http://www.wireshark.org/tools/modelines.html
440 * indent-tabs-mode: t
443 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
444 * :indentSize=8:tabSize=8:noTabs=false: