3 * $Id: lanalyzer.c,v 1.33 2002/06/07 07:27:35 guy Exp $
6 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 #include "file_wrappers.h"
31 #include "lanalyzer.h"
33 /* The LANalyzer format is documented (at least in part) in Novell document
34 TID022037, which can be found at, among other places:
36 http://secinf.net/info/nw/lan/trace.txt
40 #define REC_TRACE_HEADER 0x1001
41 #define REC_CYCLIC_TRACE_HEADER 0x1007
42 #define REC_TRACE_SUMMARY 0x1002
43 #define REC_TRACE_PACKET_DATA 0x1005
45 /* LANalyzer board types (which indicate the type of network on which
46 the capture was done). */
47 #define BOARD_325 226 /* LANalyzer 325 (Ethernet) */
48 #define BOARD_325TR 227 /* LANalyzer 325TR (Token-ring) */
50 static gboolean lanalyzer_read(wtap *wth, int *err, long *data_offset);
51 static void lanalyzer_close(wtap *wth);
53 int lanalyzer_open(wtap *wth, int *err)
56 char LE_record_type[2];
57 char LE_record_length[2];
59 guint16 board_type, mxslc;
60 guint16 record_type, record_length;
61 guint8 cr_day, cr_month, cr_year;
64 errno = WTAP_ERR_CANT_READ;
65 bytes_read = file_read(LE_record_type, 1, 2, wth->fh);
66 bytes_read += file_read(LE_record_length, 1, 2, wth->fh);
67 if (bytes_read != 4) {
68 *err = file_error(wth->fh);
73 wth->data_offset += 4;
74 record_type = pletohs(LE_record_type);
75 record_length = pletohs(LE_record_length); /* make sure to do this for while() loop */
77 if (record_type != REC_TRACE_HEADER && record_type != REC_CYCLIC_TRACE_HEADER) {
81 /* If we made it this far, then the file is a LANAlyzer file.
82 * Let's get some info from it. Note that we get wth->snapshot_length
83 * from a record later in the file. */
84 wth->file_type = WTAP_FILE_LANALYZER;
85 wth->capture.lanalyzer = g_malloc(sizeof(lanalyzer_t));
86 wth->subtype_read = lanalyzer_read;
87 wth->subtype_seek_read = wtap_def_seek_read;
88 wth->subtype_close = lanalyzer_close;
89 wth->snapshot_length = 0;
91 /* Read records until we find the start of packets */
93 if (file_seek(wth->fh, record_length, SEEK_CUR, err) == -1) {
94 g_free(wth->capture.lanalyzer);
97 wth->data_offset += record_length;
98 errno = WTAP_ERR_CANT_READ;
99 bytes_read = file_read(LE_record_type, 1, 2, wth->fh);
100 bytes_read += file_read(LE_record_length, 1, 2, wth->fh);
101 if (bytes_read != 4) {
102 *err = file_error(wth->fh);
104 g_free(wth->capture.lanalyzer);
107 g_free(wth->capture.lanalyzer);
110 wth->data_offset += 4;
112 record_type = pletohs(LE_record_type);
113 record_length = pletohs(LE_record_length);
115 /*g_message("Record 0x%04X Length %d", record_type, record_length);*/
116 switch (record_type) {
117 /* Trace Summary Record */
118 case REC_TRACE_SUMMARY:
119 errno = WTAP_ERR_CANT_READ;
120 bytes_read = file_read(summary, 1, sizeof summary,
122 if (bytes_read != sizeof summary) {
123 *err = file_error(wth->fh);
125 g_free(wth->capture.lanalyzer);
128 g_free(wth->capture.lanalyzer);
131 wth->data_offset += sizeof summary;
133 /* Assume that the date of the creation of the trace file
134 * is the same date of the trace. Lanalyzer doesn't
135 * store the creation date/time of the trace, but only of
136 * the file. Unless you traced at 11:55 PM and saved at 00:05
137 * AM, the assumption that trace.date == file.date is true.
140 cr_month = summary[1];
141 cr_year = pletohs(&summary[2]);
142 /*g_message("Day %d Month %d Year %d (%04X)", cr_day, cr_month,
145 /* Get capture start time. I learned how to do
146 * this from Guy's code in ngsniffer.c
148 /* this strange year offset is not in the
149 * lanalyzer file format documentation, but it
151 tm.tm_year = cr_year - (1900 - 1792);
152 tm.tm_mon = cr_month - 1;
158 wth->capture.lanalyzer->start = mktime(&tm);
159 /*g_message("Day %d Month %d Year %d", tm.tm_mday,
160 tm.tm_mon, tm.tm_year);*/
161 mxslc = pletohs(&summary[30]);
162 wth->snapshot_length = mxslc;
164 record_length = 0; /* to fake the next iteration of while() */
165 board_type = pletohs(&summary[188]);
166 switch (board_type) {
168 wth->file_encap = WTAP_ENCAP_ETHERNET;
171 wth->file_encap = WTAP_ENCAP_TOKEN_RING;
174 g_message("lanalyzer: board type %u unknown",
176 g_free(wth->capture.lanalyzer);
177 *err = WTAP_ERR_UNSUPPORTED;
182 /* Trace Packet Data Record */
183 case REC_TRACE_PACKET_DATA:
184 /* Go back header number ob ytes so that lanalyzer_read
185 * can read this header */
186 if (file_seek(wth->fh, -bytes_read, SEEK_CUR, err) == -1) {
187 g_free(wth->capture.lanalyzer);
190 wth->data_offset -= bytes_read;
199 #define DESCRIPTOR_LEN 32
201 /* Read the next packet */
202 static gboolean lanalyzer_read(wtap *wth, int *err, long *data_offset)
206 char LE_record_type[2];
207 char LE_record_length[2];
208 guint16 record_type, record_length;
209 gchar descriptor[DESCRIPTOR_LEN];
210 guint16 time_low, time_med, time_high, true_size;
213 /* read the record type and length. */
214 errno = WTAP_ERR_CANT_READ;
215 bytes_read = file_read(LE_record_type, 1, 2, wth->fh);
216 if (bytes_read != 2) {
217 *err = file_error(wth->fh);
218 if (*err == 0 && bytes_read != 0) {
219 *err = WTAP_ERR_SHORT_READ;
223 wth->data_offset += 2;
224 bytes_read = file_read(LE_record_length, 1, 2, wth->fh);
225 if (bytes_read != 2) {
226 *err = file_error(wth->fh);
228 *err = WTAP_ERR_SHORT_READ;
231 wth->data_offset += 2;
233 record_type = pletohs(LE_record_type);
234 record_length = pletohs(LE_record_length);
236 /* Only Trace Packet Data Records should occur now that we're in
237 * the middle of reading packets. If any other record type exists
238 * after a Trace Packet Data Record, mark it as an error. */
239 if (record_type != REC_TRACE_PACKET_DATA) {
240 g_message("lanalyzer: record type %u seen after trace summary record",
242 *err = WTAP_ERR_BAD_RECORD;
246 packet_size = record_length - DESCRIPTOR_LEN;
249 /* Read the descriptor data */
250 errno = WTAP_ERR_CANT_READ;
251 bytes_read = file_read(descriptor, 1, DESCRIPTOR_LEN, wth->fh);
252 if (bytes_read != DESCRIPTOR_LEN) {
253 *err = file_error(wth->fh);
255 *err = WTAP_ERR_SHORT_READ;
258 wth->data_offset += DESCRIPTOR_LEN;
260 /* Read the packet data */
261 buffer_assure_space(wth->frame_buffer, packet_size);
262 *data_offset = wth->data_offset;
263 errno = WTAP_ERR_CANT_READ;
264 bytes_read = file_read(buffer_start_ptr(wth->frame_buffer), 1,
265 packet_size, wth->fh);
267 if (bytes_read != packet_size) {
268 *err = file_error(wth->fh);
270 *err = WTAP_ERR_SHORT_READ;
273 wth->data_offset += packet_size;
275 true_size = pletohs(&descriptor[4]);
276 time_low = pletohs(&descriptor[8]);
277 time_med = pletohs(&descriptor[10]);
278 time_high = pletohs(&descriptor[12]);
280 t = (double)time_low+(double)(time_med)*65536.0 +
281 (double)time_high*4294967296.0;
282 t = t/1000000.0 * 0.5; /* t = # of secs */
283 t += wth->capture.lanalyzer->start;
285 wth->phdr.ts.tv_sec = (long)t;
286 wth->phdr.ts.tv_usec = (unsigned long)((t-(double)(wth->phdr.ts.tv_sec))
289 wth->phdr.len = true_size - 4;
290 wth->phdr.caplen = packet_size;
291 wth->phdr.pkt_encap = wth->file_encap;
297 lanalyzer_close(wtap *wth)
299 g_free(wth->capture.lanalyzer);