2 * Copyright (c) 2003 Endace Technology Ltd, Hamilton, New Zealand.
5 * This software and documentation has been developed by Endace Technology Ltd.
6 * along with the DAG PCI network capture cards. For further information please
7 * visit http://www.endace.com/.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions are met:
12 * 1. Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. The name of Endace Technology Ltd may not be used to endorse or promote
20 * products derived from this software without specific prior written
23 * THIS SOFTWARE IS PROVIDED BY ENDACE TECHNOLOGY LTD ``AS IS'' AND ANY EXPRESS
24 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
25 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
26 * EVENT SHALL ENDACE TECHNOLOGY LTD BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
27 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
28 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
29 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
30 * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
31 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
32 * POSSIBILITY OF SUCH DAMAGE.
38 * erf - Endace ERF (Extensible Record Format)
42 * http://www.endace.com/support/EndaceRecordFormat.pdf
52 #include <wsutil/crc32.h>
55 #include "file_wrappers.h"
57 #include "pcap-encap.h"
61 static int erf_read_header(FILE_T fh,
62 struct wtap_pkthdr *phdr,
63 erf_header_t *erf_header,
67 guint32 *packet_size);
68 static gboolean erf_read(wtap *wth, int *err, gchar **err_info,
70 static gboolean erf_seek_read(wtap *wth, gint64 seek_off,
71 struct wtap_pkthdr *phdr, guint8 *pd,
72 int length, int *err, gchar **err_info);
77 } erf_to_wtap_map[] = {
78 { ERF_TYPE_HDLC_POS, WTAP_ENCAP_CHDLC },
79 { ERF_TYPE_HDLC_POS, WTAP_ENCAP_HHDLC },
80 { ERF_TYPE_HDLC_POS, WTAP_ENCAP_CHDLC_WITH_PHDR },
81 { ERF_TYPE_HDLC_POS, WTAP_ENCAP_PPP },
82 { ERF_TYPE_HDLC_POS, WTAP_ENCAP_FRELAY },
83 { ERF_TYPE_HDLC_POS, WTAP_ENCAP_MTP2 },
84 { ERF_TYPE_ETH, WTAP_ENCAP_ETHERNET },
85 { 99, WTAP_ENCAP_ERF }, /*this type added so WTAP_ENCAP_ERF will work and then be treated at ERF->ERF*/
88 #define NUM_ERF_ENCAPS (sizeof erf_to_wtap_map / sizeof erf_to_wtap_map[0])
90 extern int erf_open(wtap *wth, int *err, gchar **err_info)
92 int i, n, records_for_erf_check = RECORDS_FOR_ERF_CHECK;
95 erf_timestamp_t prevts,ts;
101 guint64 erf_ext_header;
106 memset(&prevts, 0, sizeof(prevts));
108 /* number of records to scan before deciding if this really is ERF */
109 if ((s = getenv("ERF_RECORDS_TO_CHECK")) != NULL) {
110 if ((n = atoi(s)) > 0 && n < 101) {
111 records_for_erf_check = n;
116 * ERF is a little hard because there's no magic number; we look at
117 * the first few records and see if they look enough like ERF
121 for (i = 0; i < records_for_erf_check; i++) { /* records_for_erf_check */
123 r = file_read(&header,sizeof(header),wth->fh);
126 if (r != sizeof(header)) {
127 *err = file_error(wth->fh, err_info);
128 if (*err != 0 && *err != WTAP_ERR_SHORT_READ) {
131 /* ERF header too short accept the file,
132 only if the very first records have been successfully checked */
133 if (i < MIN_RECORDS_FOR_ERF_CHECK) {
136 /* BREAK, the last record is too short, and will be ignored */
142 rlen=g_ntohs(header.rlen);
144 /* fail on invalid record type, invalid rlen, timestamps decreasing, or incrementing too far */
146 /* Test valid rlen >= 16 */
151 packet_size = rlen - (guint32)sizeof(header);
152 if (packet_size > WTAP_MAX_PACKET_SIZE) {
154 * Probably a corrupt capture file or a file that's not an ERF file
155 * but that passed earlier tests; don't blow up trying
156 * to allocate space for an immensely-large packet.
161 /* Skip PAD records, timestamps may not be set */
162 if ((header.type & 0x7F) == ERF_TYPE_PAD) {
163 if (file_seek(wth->fh, packet_size, SEEK_CUR, err) == -1) {
169 /* fail on invalid record type, decreasing timestamps or non-zero pad-bits */
170 /* Not all types within this range are decoded, but it is a first filter */
171 if ((header.type & 0x7F) == 0 || (header.type & 0x7F) > ERF_TYPE_MAX ) {
175 /* The ERF_TYPE_MAX is the PAD record, but the last used type is ERF_TYPE_INFINIBAND_LINK */
176 if ((header.type & 0x7F) > ERF_TYPE_INFINIBAND_LINK) {
180 if ((ts = pletohll(&header.ts)) < prevts) {
181 /* reassembled AALx records may not be in time order, also records are not in strict time order between physical interfaces, so allow 1 sec fudge */
182 if ( ((prevts-ts)>>32) > 1 ) {
187 /* Check to see if timestamp increment is > 1 week */
188 if ( (valid_prev) && (ts > prevts) && (((ts-prevts)>>32) > 3600*24*7) ) {
192 memcpy(&prevts, &ts, sizeof(prevts));
194 /* Read over the extension headers */
197 if (file_read(&erf_ext_header, sizeof(erf_ext_header),wth->fh) != sizeof(erf_ext_header)) {
198 *err = file_error(wth->fh, err_info);
200 *err = WTAP_ERR_SHORT_READ;
203 packet_size -= (guint32)sizeof(erf_ext_header);
204 memcpy(&type, &erf_ext_header, sizeof(type));
208 /* Read over MC or ETH subheader */
209 switch(header.type & 0x7F) {
210 case ERF_TYPE_MC_HDLC:
211 case ERF_TYPE_MC_RAW:
212 case ERF_TYPE_MC_ATM:
213 case ERF_TYPE_MC_RAW_CHANNEL:
214 case ERF_TYPE_MC_AAL5:
215 case ERF_TYPE_MC_AAL2:
216 case ERF_TYPE_COLOR_MC_HDLC_POS:
217 case ERF_TYPE_AAL2: /* not an MC type but has a similar 'AAL2 ext' header */
218 if (file_read(&mc_hdr,sizeof(mc_hdr),wth->fh) != sizeof(mc_hdr)) {
219 *err = file_error(wth->fh, err_info);
222 packet_size -= (guint32)sizeof(mc_hdr);
225 case ERF_TYPE_COLOR_ETH:
226 case ERF_TYPE_DSM_COLOR_ETH:
227 if (file_read(ð_hdr,sizeof(eth_hdr),wth->fh) != sizeof(eth_hdr)) {
228 *err = file_error(wth->fh, err_info);
231 packet_size -= (guint32)sizeof(eth_hdr);
237 /* The file_seek function do not return an error if the end of file
238 is reached whereas the record is truncated */
239 if (packet_size > WTAP_MAX_PACKET_SIZE) {
241 * Probably a corrupt capture file; don't blow up trying
242 * to allocate space for an immensely-large packet.
246 buffer=(gchar *)g_malloc(packet_size);
247 r = file_read(buffer, packet_size, wth->fh);
250 if (r != packet_size) {
251 /* ERF record too short, accept the file,
252 only if the very first records have been successfully checked */
253 if (i < MIN_RECORDS_FOR_ERF_CHECK) {
260 } /* records_for_erf_check */
262 if (file_seek(wth->fh, 0L, SEEK_SET, err) == -1) { /* rewind */
266 /* This is an ERF file */
267 wth->file_type = WTAP_FILE_ERF;
268 wth->snapshot_length = 0; /* not available in header, only in frame */
271 * Use the encapsulation for ERF records.
273 wth->file_encap = WTAP_ENCAP_ERF;
275 wth->subtype_read = erf_read;
276 wth->subtype_seek_read = erf_seek_read;
277 wth->tsprecision = WTAP_FILE_TSPREC_NSEC;
279 erf_populate_interfaces(wth);
284 /* Read the next packet */
285 static gboolean erf_read(wtap *wth, int *err, gchar **err_info,
288 erf_header_t erf_header;
289 guint32 packet_size, bytes_read;
291 *data_offset = file_tell(wth->fh);
294 if (!erf_read_header(wth->fh,
295 &wth->phdr, &erf_header,
296 err, err_info, &bytes_read, &packet_size)) {
300 buffer_assure_space(wth->frame_buffer, packet_size);
302 wtap_file_read_expected_bytes(buffer_start_ptr(wth->frame_buffer),
303 (gint32)(packet_size), wth->fh, err, err_info);
305 } while ( erf_header.type == ERF_TYPE_PAD );
310 static gboolean erf_seek_read(wtap *wth, gint64 seek_off,
311 struct wtap_pkthdr *phdr, guint8 *pd,
312 int length _U_, int *err, gchar **err_info)
314 erf_header_t erf_header;
317 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
321 if (!erf_read_header(wth->random_fh, phdr, &erf_header,
322 err, err_info, NULL, &packet_size))
324 } while ( erf_header.type == ERF_TYPE_PAD );
326 wtap_file_read_expected_bytes(pd, (int)packet_size, wth->random_fh, err,
332 static int erf_read_header(FILE_T fh,
333 struct wtap_pkthdr *phdr,
334 erf_header_t *erf_header,
338 guint32 *packet_size)
340 union wtap_pseudo_header *pseudo_header = &phdr->pseudo_header;
343 guint64 erf_exhdr_sw;
348 int max = sizeof(pseudo_header->erf.ehdr_list)/sizeof(struct erf_ehdr);
350 wtap_file_read_expected_bytes(erf_header, sizeof(*erf_header), fh, err,
352 if (bytes_read != NULL) {
353 *bytes_read = sizeof(*erf_header);
356 *packet_size = g_ntohs(erf_header->rlen) - (guint32)sizeof(*erf_header);
358 if (*packet_size > WTAP_MAX_PACKET_SIZE) {
360 * Probably a corrupt capture file; don't blow up trying
361 * to allocate space for an immensely-large packet.
363 *err = WTAP_ERR_BAD_FILE;
364 *err_info = g_strdup_printf("erf: File has %u-byte packet, bigger than maximum of %u",
365 *packet_size, WTAP_MAX_PACKET_SIZE);
369 if (*packet_size == 0) {
370 /* If this isn't a pad record, it's a corrupt packet; bail out */
371 if ((erf_header->type & 0x7F) != ERF_TYPE_PAD) {
372 *err = WTAP_ERR_BAD_FILE;
373 *err_info = g_strdup_printf("erf: File has 0 byte packet");
380 guint64 ts = pletohll(&erf_header->ts);
382 phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN|WTAP_HAS_INTERFACE_ID;
383 phdr->ts.secs = (long) (ts >> 32);
384 ts = ((ts & 0xffffffff) * 1000 * 1000 * 1000);
385 ts += (ts & 0x80000000) << 1; /* rounding */
386 phdr->ts.nsecs = ((int) (ts >> 32));
387 if (phdr->ts.nsecs >= 1000000000) {
388 phdr->ts.nsecs -= 1000000000;
391 phdr->interface_id = (erf_header->flags & 0x03);
394 /* Copy the ERF pseudo header */
395 memset(&pseudo_header->erf, 0, sizeof(pseudo_header->erf));
396 pseudo_header->erf.phdr.ts = pletohll(&erf_header->ts);
397 pseudo_header->erf.phdr.type = erf_header->type;
398 pseudo_header->erf.phdr.flags = erf_header->flags;
399 pseudo_header->erf.phdr.rlen = g_ntohs(erf_header->rlen);
400 pseudo_header->erf.phdr.lctr = g_ntohs(erf_header->lctr);
401 pseudo_header->erf.phdr.wlen = g_ntohs(erf_header->wlen);
403 /* Copy the ERF extension header into the pseudo header */
404 type = erf_header->type;
406 wtap_file_read_expected_bytes(&erf_exhdr, sizeof(erf_exhdr), fh, err,
408 if (bytes_read != NULL)
409 *bytes_read += (guint32)sizeof(erf_exhdr);
410 *packet_size -= (guint32)sizeof(erf_exhdr);
411 skiplen += (guint32)sizeof(erf_exhdr);
412 erf_exhdr_sw = pntohll(erf_exhdr);
414 memcpy(&pseudo_header->erf.ehdr_list[i].ehdr, &erf_exhdr_sw, sizeof(erf_exhdr_sw));
419 switch (erf_header->type & 0x7F) {
422 case ERF_TYPE_RAW_LINK:
423 case ERF_TYPE_INFINIBAND:
424 case ERF_TYPE_INFINIBAND_LINK:
427 phdr->len = g_htons(erf_header->wlen);
428 phdr->caplen = g_htons(erf_header->wlen);
434 case ERF_TYPE_HDLC_POS:
435 case ERF_TYPE_COLOR_HDLC_POS:
436 case ERF_TYPE_DSM_COLOR_HDLC_POS:
442 case ERF_TYPE_COLOR_ETH:
443 case ERF_TYPE_DSM_COLOR_ETH:
444 wtap_file_read_expected_bytes(ð_hdr, sizeof(eth_hdr), fh, err,
446 if (bytes_read != NULL)
447 *bytes_read += (guint32)sizeof(eth_hdr);
448 *packet_size -= (guint32)sizeof(eth_hdr);
449 skiplen += (guint32)sizeof(eth_hdr);
450 pseudo_header->erf.subhdr.eth_hdr = g_htons(eth_hdr);
453 case ERF_TYPE_MC_HDLC:
454 case ERF_TYPE_MC_RAW:
455 case ERF_TYPE_MC_ATM:
456 case ERF_TYPE_MC_RAW_CHANNEL:
457 case ERF_TYPE_MC_AAL5:
458 case ERF_TYPE_MC_AAL2:
459 case ERF_TYPE_COLOR_MC_HDLC_POS:
460 case ERF_TYPE_AAL2: /* not an MC type but has a similar 'AAL2 ext' header */
461 wtap_file_read_expected_bytes(&mc_hdr, sizeof(mc_hdr), fh, err,
463 if (bytes_read != NULL)
464 *bytes_read += (guint32)sizeof(mc_hdr);
465 *packet_size -= (guint32)sizeof(mc_hdr);
466 skiplen += (guint32)sizeof(mc_hdr);
467 pseudo_header->erf.subhdr.mc_hdr = g_htonl(mc_hdr);
470 case ERF_TYPE_IP_COUNTER:
471 case ERF_TYPE_TCP_FLOW_COUNTER:
472 /* unsupported, continue with default: */
474 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
475 *err_info = g_strdup_printf("erf: unknown record encapsulation %u",
481 phdr->len = g_htons(erf_header->wlen);
482 phdr->caplen = MIN( g_htons(erf_header->wlen),
483 g_htons(erf_header->rlen) - (guint32)sizeof(*erf_header) - skiplen );
486 if (*packet_size > WTAP_MAX_PACKET_SIZE) {
488 * Probably a corrupt capture file; don't blow up trying
489 * to allocate space for an immensely-large packet.
491 *err = WTAP_ERR_BAD_FILE;
492 *err_info = g_strdup_printf("erf: File has %u-byte packet, bigger than maximum of %u",
493 *packet_size, WTAP_MAX_PACKET_SIZE);
500 static int wtap_wtap_encap_to_erf_encap(int encap)
503 for(i = 0; i < NUM_ERF_ENCAPS; i++){
504 if(erf_to_wtap_map[i].wtap_encap_value == encap)
505 return erf_to_wtap_map[i].erf_encap_value;
510 static gboolean erf_write_phdr(wtap_dumper *wdh, int encap, const union wtap_pseudo_header *pseudo_header, int * err)
512 guint8 erf_hdr[sizeof(struct erf_mc_phdr)];
513 guint8 erf_subhdr[((sizeof(struct erf_mc_hdr) > sizeof(struct erf_eth_hdr))?
514 sizeof(struct erf_mc_hdr) : sizeof(struct erf_eth_hdr))];
515 guint8 ehdr[8*MAX_ERF_EHDR];
517 size_t subhdr_size = 0;
523 memset(&erf_hdr, 0, sizeof(erf_hdr));
524 phtolell(&erf_hdr[0], pseudo_header->erf.phdr.ts);
525 erf_hdr[8] = pseudo_header->erf.phdr.type;
526 erf_hdr[9] = pseudo_header->erf.phdr.flags;
527 phtons(&erf_hdr[10], pseudo_header->erf.phdr.rlen);
528 phtons(&erf_hdr[12], pseudo_header->erf.phdr.lctr);
529 phtons(&erf_hdr[14], pseudo_header->erf.phdr.wlen);
530 size = sizeof(struct erf_phdr);
532 switch(pseudo_header->erf.phdr.type & 0x7F) {
533 case ERF_TYPE_MC_HDLC:
534 case ERF_TYPE_MC_RAW:
535 case ERF_TYPE_MC_ATM:
536 case ERF_TYPE_MC_RAW_CHANNEL:
537 case ERF_TYPE_MC_AAL5:
538 case ERF_TYPE_MC_AAL2:
539 case ERF_TYPE_COLOR_MC_HDLC_POS:
540 phtonl(&erf_subhdr[0], pseudo_header->erf.subhdr.mc_hdr);
541 subhdr_size += (int)sizeof(struct erf_mc_hdr);
544 case ERF_TYPE_COLOR_ETH:
545 case ERF_TYPE_DSM_COLOR_ETH:
546 phtons(&erf_subhdr[0], pseudo_header->erf.subhdr.eth_hdr);
547 subhdr_size += (int)sizeof(struct erf_eth_hdr);
557 if (!wtap_dump_file_write(wdh, erf_hdr, size, err))
559 wdh->bytes_dumped += size;
561 /*write out up to MAX_ERF_EHDR extension headers*/
562 has_more = pseudo_header->erf.phdr.type & 0x80;
563 if(has_more){ /*we have extension headers*/
565 phtonll(ehdr+(i*8), pseudo_header->erf.ehdr_list[i].ehdr);
566 if(i == MAX_ERF_EHDR-1) ehdr[i*8] = ehdr[i*8] & 0x7F;
567 has_more = ehdr[i*8] & 0x80;
569 }while(has_more && i < MAX_ERF_EHDR);
570 if (!wtap_dump_file_write(wdh, ehdr, 8*i, err))
572 wdh->bytes_dumped += 8*i;
575 if(!wtap_dump_file_write(wdh, erf_subhdr, subhdr_size, err))
577 wdh->bytes_dumped += subhdr_size;
582 static gboolean erf_dump(
584 const struct wtap_pkthdr *phdr,
588 const union wtap_pseudo_header *pseudo_header = &phdr->pseudo_header;
589 union wtap_pseudo_header other_phdr;
591 gint64 alignbytes = 0;
594 gboolean must_add_crc = FALSE;
595 guint32 crc32 = 0x00000000;
597 if(wdh->encap == WTAP_ENCAP_PER_PACKET){
598 encap = phdr->pkt_encap;
603 if(encap == WTAP_ENCAP_ERF){
604 /* We've been handed an ERF record, so there's not much to do here. */
605 alignbytes = wdh->bytes_dumped + pseudo_header->erf.phdr.rlen;
607 if(!erf_write_phdr(wdh, encap, pseudo_header, err)) return FALSE;
609 if(!wtap_dump_file_write(wdh, pd, phdr->caplen, err)) return FALSE;
610 wdh->bytes_dumped += phdr->caplen;
612 /*XXX: this pads the record to its original length, which is fine in most
613 * cases. However with >MAX_ERF_EHDR unnecessary padding will be added, and
614 * if the record was truncated this will be incorrectly treated as payload.
615 * More than 8 extension headers is unusual though, only the first 8 are
616 * written out anyway and fixing properly would require major refactor.*/
617 while(wdh->bytes_dumped < alignbytes){
618 if(!wtap_dump_file_write(wdh, "", 1, err)) return FALSE;
624 /*generate a fake header in other_phdr using data that we know*/
625 /*covert time erf timestamp format*/
626 other_phdr.erf.phdr.ts = ((guint64) phdr->ts.secs << 32) + (((guint64) phdr->ts.nsecs <<32) / 1000 / 1000 / 1000);
627 other_phdr.erf.phdr.type = wtap_wtap_encap_to_erf_encap(encap);
628 other_phdr.erf.phdr.flags = 0x4; /*vlen flag set because we're creating variable length records*/
629 other_phdr.erf.phdr.lctr = 0;
630 /*now we work out rlen, accounting for all the different headers and missing fcs(eth)*/
631 other_phdr.erf.phdr.rlen = phdr->caplen+16;
632 other_phdr.erf.phdr.wlen = phdr->len;
633 switch(other_phdr.erf.phdr.type){
635 other_phdr.erf.phdr.rlen += 2; /*2 bytes for erf eth_type*/
636 if (pseudo_header->eth.fcs_len != 4) {
637 /* Either this packet doesn't include the FCS
638 (pseudo_header->eth.fcs_len = 0), or we don't
639 know whether it has an FCS (= -1). We have to
641 if(!(phdr->caplen < phdr->len)){ /*don't add FCS if packet has been snapped off*/
642 crc32 = crc32_ccitt_seed(pd, phdr->caplen, 0xFFFFFFFF);
643 other_phdr.erf.phdr.rlen += 4; /*4 bytes for added checksum*/
644 other_phdr.erf.phdr.wlen += 4;
649 case ERF_TYPE_HDLC_POS:
650 /*we assume that it's missing a FCS checksum, make one up*/
651 if(!(phdr->caplen < phdr->len)){ /*unless of course, the packet has been snapped off*/
652 crc32 = crc32_ccitt_seed(pd, phdr->caplen, 0xFFFFFFFF);
653 other_phdr.erf.phdr.rlen += 4; /*4 bytes for added checksum*/
654 other_phdr.erf.phdr.wlen += 4;
655 must_add_crc = TRUE; /* XXX - these never have an FCS? */
662 alignbytes = (8 - (other_phdr.erf.phdr.rlen % 8)) % 8; /*calculate how much padding will be required */
663 if(phdr->caplen < phdr->len){ /*if packet has been snapped, we need to round down what we output*/
664 round_down = (8 - (guint)alignbytes) % 8;
665 other_phdr.erf.phdr.rlen -= round_down;
667 other_phdr.erf.phdr.rlen += (gint16)alignbytes;
670 if(!erf_write_phdr(wdh, WTAP_ENCAP_ERF, &other_phdr, err)) return FALSE;
671 if(!wtap_dump_file_write(wdh, pd, phdr->caplen - round_down, err)) return FALSE;
672 wdh->bytes_dumped += phdr->caplen - round_down;
674 /*add the 4 byte CRC if necessary*/
676 if(!wtap_dump_file_write(wdh, &crc32, 4, err)) return FALSE;
677 wdh->bytes_dumped += 4;
679 /*records should be 8byte aligned, so we add padding*/
681 for(i = (gint16)alignbytes; i > 0; i--){
682 if(!wtap_dump_file_write(wdh, "", 1, err)) return FALSE;
690 int erf_dump_can_write_encap(int encap)
693 if(encap == WTAP_ENCAP_PER_PACKET)
696 if (wtap_wtap_encap_to_erf_encap(encap) == -1)
697 return WTAP_ERR_UNSUPPORTED_ENCAP;
702 int erf_dump_open(wtap_dumper *wdh, int *err)
704 wdh->subtype_write = erf_dump;
705 wdh->subtype_close = NULL;
707 switch(wdh->file_type){
709 wdh->tsprecision = WTAP_FILE_TSPREC_NSEC;
712 *err = WTAP_ERR_UNSUPPORTED_FILE_TYPE;
720 int erf_populate_interfaces(wtap *wth)
722 wtapng_if_descr_t int_data;
728 if (!wth->interface_data) {
729 wth->interface_data = g_array_new(FALSE, FALSE, sizeof(wtapng_if_descr_t));
732 memset(&int_data, 0, sizeof(int_data)); /* Zero all fields */
734 int_data.wtap_encap = WTAP_ENCAP_ERF;
735 /* int_data.time_units_per_second = (1LL<<32); ERF format resolution is 2^-32, capture resolution is unknown */
736 int_data.time_units_per_second = 1000000000; /* XXX Since Wireshark only supports down to nanosecond resolution we have to dilute to this */
737 int_data.link_type = wtap_wtap_encap_to_pcap_encap(WTAP_ENCAP_ERF);
738 int_data.snap_len = 65535; /* ERF max length */
739 int_data.opt_comment = NULL;
740 /* XXX: if_IPv4addr opt 4 Interface network address and netmask.*/
741 /* XXX: if_IPv6addr opt 5 Interface network address and prefix length (stored in the last byte).*/
742 /* XXX: if_MACaddr opt 6 Interface Hardware MAC address (48 bits).*/
743 /* XXX: if_EUIaddr opt 7 Interface Hardware EUI address (64 bits)*/
744 int_data.if_speed = 0; /* Unknown */
745 /* int_data.if_tsresol = 0xa0; ERF format resolution is 2^-32 = 0xa0, capture resolution is unknown */
746 int_data.if_tsresol = 0x09; /* XXX Since Wireshark only supports down to nanosecond resolution we have to dilute to this */
747 /* XXX: if_tzone 10 Time zone for GMT support (TODO: specify better). */
748 int_data.if_filter_str = NULL;
749 int_data.bpf_filter_len = 0;
750 int_data.if_filter_bpf_bytes = NULL;
751 int_data.if_os = NULL;
752 int_data.if_fcslen = 0; /* unknown! */
753 /* XXX if_tsoffset; opt 14 A 64 bits integer value that specifies an offset (in seconds)...*/
754 /* Interface statistics */
755 int_data.num_stat_entries = 0;
756 int_data.interface_statistics = NULL;
758 /* Preemptively create interface entries for 4 interfaces, since this is the max number in ERF */
759 for (i=0; i<4; i++) {
760 int_data.if_name = g_strdup_printf("Port %c", 'A'+i);
761 int_data.if_description = g_strdup_printf("ERF Interface Id %d (Port %c)", i, 'A'+i);
763 g_array_append_val(wth->interface_data, int_data);
764 wth->number_of_interfaces++;