4 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version 2
9 * of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
26 #include "file_wrappers.h"
28 #include <wsutil/buffer.h>
31 /* Capture file header, *including* magic number, is padded to 128 bytes. */
32 #define CAPTUREFILE_HEADER_SIZE 128
34 /* Magic number size, in both 1.x and later files. */
37 /* Magic number in NetXRay 1.x files. */
38 static const char old_netxray_magic[MAGIC_SIZE] = {
42 /* Magic number in NetXRay 2.0 and later, and Windows Sniffer, files. */
43 static const char netxray_magic[MAGIC_SIZE] = {
47 /* NetXRay file header (minus magic number). */
49 /* As field usages are identified, please revise as needed */
50 /* Please do *not* use netxray_hdr xxx... names in the code */
51 /* (Placeholder names for all 'unknown' fields are */
52 /* of form xxx_x<hex_hdr_offset> */
53 /* where <hex_hdr_offset> *includes* the magic number) */
56 char version[8]; /* version number */
57 guint32 start_time; /* UNIX [UTC] time when capture started */
59 guint32 nframes; /* number of packets */
60 guint32 xxx_x14; /* unknown [some kind of file offset] */
61 guint32 start_offset; /* offset of first packet in capture */
62 guint32 end_offset; /* offset after last packet in capture */
64 guint32 xxx_x20; /* unknown [some kind of file offset] */
65 guint32 xxx_x24; /* unknown [unused ?] */
66 guint32 xxx_x28; /* unknown [some kind of file offset] */
67 guint8 network; /* datalink type */
68 guint8 network_plus; /* [See code] */
69 guint8 xxx_x2E[2]; /* unknown */
71 guint8 timeunit; /* encodes length of a tick */
72 guint8 xxx_x31[3]; /* XXX - upper 3 bytes of timeunit ? */
73 guint32 timelo; /* lower 32 bits of capture start time stamp */
74 guint32 timehi; /* upper 32 bits of capture start time stamp */
75 guint32 linespeed; /* speed of network, in bits/second */
77 guint8 xxx_x40[12]; /* unknown [other stuff] */
78 guint8 realtick[4]; /* (ticks/sec for Ethernet/Ndis/Timeunit=2 ?) */
79 /* (realtick[1], realtick[2] also currently */
80 /* used as flag for 'FCS presence') */
82 guint8 xxx_x50[4]; /* unknown [other stuff] */
83 guint8 captype; /* capture type */
84 guint8 xxx_x55[3]; /* unknown [other stuff] */
85 guint8 xxx_x58[4]; /* unknown [other stuff] */
86 guint8 wan_hdlc_subsub_captype; /* WAN HDLC subsub_captype */
87 guint8 xxx_x5D[3]; /* unknown [other stuff] */
89 guint8 xxx_x60[16]; /* unknown [other stuff] */
91 guint8 xxx_x70[14]; /* unknown [other stuff] */
92 gint16 timezone_hrs; /* timezone hours [at least for version 2.2..]; */
93 /* positive values = west of UTC: */
94 /* negative values = east of UTC: */
95 /* e.g. +5 is American Eastern */
96 /* [Does not appear to be adjusted for DST ] */
100 * Capture type, in hdr.captype.
102 * Values other than 0 are dependent on the network type.
103 * For Ethernet captures, it indicates the type of capture pod.
104 * For WAN captures (all of which are done with a pod), it indicates
105 * the link-layer type.
107 #define CAPTYPE_NDIS 0 /* Capture on network interface using NDIS */
110 * Ethernet capture types.
112 #define ETH_CAPTYPE_GIGPOD 2 /* gigabit Ethernet captured with pod */
113 #define ETH_CAPTYPE_OTHERPOD 3 /* non-gigabit Ethernet captured with pod */
114 #define ETH_CAPTYPE_OTHERPOD2 5 /* gigabit Ethernet via pod ?? */
115 /* Captype 5 seen in capture from Distributed Sniffer with: */
116 /* Version 4.50.211 software */
117 /* SysKonnect SK-9843 Gigabit Ethernet Server Adapter */
118 #define ETH_CAPTYPE_GIGPOD2 6 /* gigabit Ethernet, captured with blade on S6040-model Sniffer */
123 #define WAN_CAPTYPE_BROUTER 1 /* Bridge/router captured with pod */
124 #define WAN_CAPTYPE_PPP 3 /* PPP captured with pod */
125 #define WAN_CAPTYPE_FRELAY 4 /* Frame Relay captured with pod */
126 #define WAN_CAPTYPE_BROUTER2 5 /* Bridge/router captured with pod */
127 #define WAN_CAPTYPE_HDLC 6 /* HDLC (X.25, ISDN) captured with pod */
128 #define WAN_CAPTYPE_SDLC 7 /* SDLC captured with pod */
129 #define WAN_CAPTYPE_HDLC2 8 /* HDLC captured with pod */
130 #define WAN_CAPTYPE_BROUTER3 9 /* Bridge/router captured with pod */
131 #define WAN_CAPTYPE_SMDS 10 /* SMDS DXI */
132 #define WAN_CAPTYPE_BROUTER4 11 /* Bridge/router captured with pod */
133 #define WAN_CAPTYPE_BROUTER5 12 /* Bridge/router captured with pod */
134 #define WAN_CAPTYPE_CHDLC 19 /* Cisco router (CHDLC) captured with pod */
136 #define CAPTYPE_ATM 15 /* ATM captured with pod */
139 * # of ticks that equal 1 second, in version 002.xxx files other
140 * than Ethernet captures with a captype other than CAPTYPE_NDIS;
141 * the index into this array is hdr.timeunit.
143 * DO NOT SEND IN PATCHES THAT CHANGE ANY OF THE NON-ZERO VALUES IN
144 * ANY OF THE TpS TABLES. THOSE VALUES ARE CORRECT FOR AT LEAST ONE
145 * CAPTURE, SO CHANGING THEM WILL BREAK AT LEAST SOME CAPTURES. WE
146 * WILL NOT CHECK IN PATCHES THAT CHANGE THESE VALUES.
148 * Instead, if a value in a TpS table is wrong, check whether captype
149 * has a non-zero value; if so, perhaps we need a new TpS table for the
150 * corresponding network type and captype, or perhaps the 'realtick'
151 * field contains the correct ticks-per-second value.
153 * TpS...[] entries of 0.0 mean that no capture file for the
154 * corresponding captype/timeunit values has yet been seen, or that
155 * we're using the 'realtick' value.
157 * XXX - 05/29/07: For Ethernet captype = 0 (NDIS) and timeunit = 2:
158 * Perusal of a number of Sniffer captures
159 * (including those from Wireshark bug reports
160 * and those from the Wireshark 'menagerie')
161 * suggests that 'realtick' for this case
162 * contains the correct ticks/second to be used.
163 * So: we'll use realtick for Ethernet captype=0 and timeunit=2.
164 * (It might be that realtick should be used for Ethernet captype = 0
165 * and timeunit = 1 but I've not yet enough captures to be sure).
166 * Based upon the captures reviewed to date, realtick cannot be used for
167 * any of the other Ethernet captype/timeunit combinations for which there
168 * are non-zero values in the TpS tables.
170 * In at least one capture where "realtick" doesn't correspond
171 * to the value from the appropriate TpS table, the per-packet header's
172 * "xxx" field is all zero, so it's not as if a 2.x header includes
173 * a "compatibility" time stamp corresponding to the value from the
174 * TpS table and a "real" time stamp corresponding to "realtick".
176 * XXX - the item corresponding to timeunit = 2 is 1193180.0, presumably
177 * because somebody found it gave the right answer for some captures, but
178 * 3 times that, i.e. 3579540.0, appears to give the right answer for some
181 * Some captures have realtick of 1193182, some have 3579545, and some
182 * have 1193000. Most of those, in one set of captures somebody has,
183 * are wrong. (Did that mean "wrong for some capture files, but not
184 * for the files in which they occurred", or "wrong for the files in
185 * which they occurred? If it's "wrong for some capture files, but
186 * not for the files in which they occurred", perhaps those were Ethernet
187 * captures with a captype of 0 and timeunit = 2, so that we now use
188 * realtick, and perhaps that fixes the problems.)
190 * XXX - in at least one ATM capture, hdr.realtick is 1193180.0
191 * and hdr.timeunit is 0. Does that capture have a captype of
192 * CAPTYPE_ATM? If so, what should the table for ATM captures with
195 static const double TpS[] = { 1e6, 1193000.0, 1193182.0 };
196 #define NUM_NETXRAY_TIMEUNITS (sizeof TpS / sizeof TpS[0])
199 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_GIGPOD.
200 * 0.0 means "unknown".
202 * It appears that, at least for Ethernet captures, if captype is
203 * ETH_CAPTYPE_GIGPOD, that indicates that it's a gigabit Ethernet
204 * capture, possibly from a special whizzo gigabit pod, and also
205 * indicates that the time stamps have some higher resolution than
206 * in other captures, possibly thanks to a high-resolution timer
209 * It also appears that the time units might differ for gigabit pod
210 * captures between version 002.001 and 002.002. For 002.001,
211 * the values below are correct; for 002.002, it's claimed that
212 * the right value for TpS_gigpod[2] is 1250000.0, but at least one
213 * 002.002 gigabit pod capture has 31250000.0 as the right value.
214 * XXX: Note that the TpS_otherpod[2] value is 1250000.0; It seems
215 * reasonable to suspect that the original claim might actually
216 * have been for a capture with a captype of 'otherpod'.
217 * (Based upon captures reviewed realtick does not contain the
218 * correct TpS values for the 'gigpod' captype).
220 static const double TpS_gigpod[] = { 1e9, 0.0, 31250000.0 };
221 #define NUM_NETXRAY_TIMEUNITS_GIGPOD (sizeof TpS_gigpod / sizeof TpS_gigpod[0])
224 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_OTHERPOD.
225 * (Based upon captures reviewed realtick does not contain the
226 * correct TpS values for the 'otherpod' captype).
228 static const double TpS_otherpod[] = { 1e6, 0.0, 1250000.0 };
229 #define NUM_NETXRAY_TIMEUNITS_OTHERPOD (sizeof TpS_otherpod / sizeof TpS_otherpod[0])
232 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_OTHERPOD2.
233 * (Based upon captures reviewed realtick does not contain the
234 * correct TpS values for the 'otherpod2' captype).
236 static const double TpS_otherpod2[] = { 1e6, 0.0, 0.0 };
237 #define NUM_NETXRAY_TIMEUNITS_OTHERPOD2 (sizeof TpS_otherpod2 / sizeof TpS_otherpod2[0])
240 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_GIGPOD2.
241 * (Based upon captures reviewed realtick does not contain the
242 * correct TpS values for the 'gigpod2' captype).
244 static const double TpS_gigpod2[] = { 1e9, 0.0, 20000000.0 };
245 #define NUM_NETXRAY_TIMEUNITS_GIGPOD2 (sizeof TpS_gigpod2 / sizeof TpS_gigpod2[0])
247 /* Version number strings. */
248 static const char vers_1_0[] = {
249 '0', '0', '1', '.', '0', '0', '0', '\0'
252 static const char vers_1_1[] = {
253 '0', '0', '1', '.', '1', '0', '0', '\0'
256 static const char vers_2_000[] = {
257 '0', '0', '2', '.', '0', '0', '0', '\0'
260 static const char vers_2_001[] = {
261 '0', '0', '2', '.', '0', '0', '1', '\0'
264 static const char vers_2_002[] = {
265 '0', '0', '2', '.', '0', '0', '2', '\0'
268 static const char vers_2_003[] = {
269 '0', '0', '2', '.', '0', '0', '3', '\0'
272 /* Old NetXRay data record format - followed by frame data. */
273 struct old_netxrayrec_hdr {
274 guint32 timelo; /* lower 32 bits of time stamp */
275 guint32 timehi; /* upper 32 bits of time stamp */
276 guint16 len; /* packet length */
277 guint8 xxx[6]; /* unknown */
280 /* NetXRay format version 1.x data record format - followed by frame data. */
281 struct netxrayrec_1_x_hdr {
282 guint32 timelo; /* lower 32 bits of time stamp */
283 guint32 timehi; /* upper 32 bits of time stamp */
284 guint16 orig_len; /* packet length */
285 guint16 incl_len; /* capture length */
286 guint8 xxx[16]; /* unknown */
290 * NetXRay format version 2.x data record format - followed by frame data.
292 * The xxx fields appear to be:
294 * xxx[0]: ATM traffic type and subtype in the low 3 bits of
295 * each nibble, and flags(?) in the upper bit of each nibble.
297 * xxx[2], xxx[3]: for Ethernet, 802.11, ISDN LAPD, LAPB,
298 * Frame Relay, if both are 0xff, there are 4 bytes of stuff
299 * at the end of the packet data, which might be an FCS or
300 * which might be junk to discard.
302 * xxx[8], xxx[9]: 2 bytes of a flag word? If treated as
303 * a 2-byte little-endian flag word:
305 * 0x0001: Error of some sort, including bad CRC, although
306 * in one ISDN capture it's set in some B2 channel
307 * packets of unknown content (as opposed to the B1
308 * traffic in the capture, which is PPP)
309 * 0x0004: Some particular type of error?
310 * 0x0008: For (Gigabit?) Ethernet (with special probe?),
311 * 4 bytes at end are junk rather than CRC?
312 * 0x0100: CRC error on ATM? Protected and Not decrypted
314 * 0x0200: Something for ATM? Something else for 802.11?
315 * 0x0400: raw ATM cell
317 * 0x2000: port on which the packet was captured?
319 * The Sniffer Portable 4.8 User's Guide lists a set of packet status
323 * packet was captured from Port A on the pod or adapter card;
324 * packet was captured from Port B on the pod or adapter card;
325 * packet has a symptom or diagnosis associated with it;
326 * packet is an event filter trigger;
327 * CRC error packet with normal packet size;
328 * CRC error packet with oversize error;
329 * packet size < 64 bytes (including CRC) but with valid CRC;
330 * packet size < 64 bytes (including CRC) with CRC error;
331 * packet size > 1518 bytes (including CRC) but with valid CRC;
332 * packet damaged by a collision;
333 * packet length not a multiple of 8 bits;
334 * address conflict in the ring on Token Ring;
335 * packet is not copied (received) by the destination host on
338 * AAL5 maximum segments error;
342 * and a ton of AAL2 errors.
344 * Not all those bits necessarily correspond to flag bits in the file,
347 * In one ATM capture, the 0x2000 bit was set for all frames; in another,
348 * it's unset for all frames. This, plus the ATMbook having two ports,
349 * suggests that it *might* be a "port A vs. port B" flag.
351 * The 0x0001 bit appears to be set for CRC errors on Ethernet and 802.11.
352 * It also appears to be set on ATM for AAL5 PDUs that appear to be
353 * completely reassembled and that have a CRC error and for frames that
354 * appear to be part of a full AAL5 PDU. In at least two files with
355 * frames of the former type, the 0x0100 and 0x0200 flags are set;
356 * in at least one file with frames of the latter type, neither of
357 * those flags are set.
359 * The field appears to be somewhat random in some captures,
362 * xxx[11]: for 802.11, 0x05 if the packet is WEP-encrypted(?).
364 * xxx[12]: for 802.11, channel number.
366 * xxx[13]: for 802.11, data rate.
368 * xxx[14]: for 802.11, signal strength.
370 * xxx[15]: for 802.11, noise level; 0xFF means none reported,
373 * xxx[20-25]: for 802.11, MAC address of sending machine(?).
375 struct netxrayrec_2_x_hdr {
376 guint32 timelo; /* lower 32 bits of time stamp */
377 guint32 timehi; /* upper 32 bits of time stamp */
378 guint16 orig_len; /* packet length */
379 guint16 incl_len; /* capture length */
380 guint8 xxx[28]; /* various data */
384 * Union of the data record headers.
386 union netxrayrec_hdr {
387 struct old_netxrayrec_hdr old_hdr;
388 struct netxrayrec_1_x_hdr hdr_1_x;
389 struct netxrayrec_2_x_hdr hdr_2_x;
394 double ticks_per_sec;
395 double start_timestamp;
401 gboolean fcs_valid; /* if packets have valid FCS at the end */
402 guint isdn_type; /* 1 = E1 PRI, 2 = T1 PRI, 3 = BRI */
405 static gboolean netxray_read(wtap *wth, int *err, gchar **err_info,
406 gint64 *data_offset);
407 static gboolean netxray_seek_read(wtap *wth, gint64 seek_off,
408 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
409 static int netxray_process_rec_header(wtap *wth, FILE_T fh,
410 struct wtap_pkthdr *phdr, int *err, gchar **err_info);
411 static void netxray_guess_atm_type(wtap *wth, struct wtap_pkthdr *phdr,
413 static gboolean netxray_dump_1_1(wtap_dumper *wdh,
414 const struct wtap_pkthdr *phdr,
415 const guint8 *pd, int *err, gchar **err_info);
416 static gboolean netxray_dump_close_1_1(wtap_dumper *wdh, int *err);
417 static gboolean netxray_dump_2_0(wtap_dumper *wdh,
418 const struct wtap_pkthdr *phdr,
419 const guint8 *pd, int *err, gchar **err_info);
420 static gboolean netxray_dump_close_2_0(wtap_dumper *wdh, int *err);
423 netxray_open(wtap *wth, int *err, gchar **err_info)
425 char magic[MAGIC_SIZE];
427 struct netxray_hdr hdr;
429 double ticks_per_sec;
430 int version_major, version_minor;
432 double start_timestamp;
433 static const int netxray_encap[] = {
436 WTAP_ENCAP_TOKEN_RING,
437 WTAP_ENCAP_FDDI_BITSWAPPED,
439 * XXX - some PPP captures may look like Ethernet,
440 * perhaps because they're using NDIS to capture on the
441 * same machine and it provides simulated-Ethernet
442 * packets, but captures taken with various serial
443 * pods use the same network type value but aren't
444 * shaped like Ethernet. We handle that below.
446 WTAP_ENCAP_ETHERNET, /* WAN(PPP), but shaped like Ethernet */
447 WTAP_ENCAP_UNKNOWN, /* LocalTalk */
448 WTAP_ENCAP_UNKNOWN, /* "DIX" - should not occur */
449 WTAP_ENCAP_UNKNOWN, /* ARCNET raw */
450 WTAP_ENCAP_UNKNOWN, /* ARCNET 878.2 */
451 WTAP_ENCAP_ATM_PDUS_UNTRUNCATED,/* ATM */
452 WTAP_ENCAP_IEEE_802_11_WITH_RADIO,
453 /* Wireless WAN with radio information */
454 WTAP_ENCAP_UNKNOWN /* IrDA */
456 #define NUM_NETXRAY_ENCAPS (sizeof netxray_encap / sizeof netxray_encap[0])
461 /* Read in the string that should be at the start of a NetXRay
463 if (!wtap_read_bytes(wth->fh, magic, MAGIC_SIZE, err, err_info)) {
464 if (*err != WTAP_ERR_SHORT_READ)
465 return WTAP_OPEN_ERROR;
466 return WTAP_OPEN_NOT_MINE;
469 if (memcmp(magic, netxray_magic, MAGIC_SIZE) == 0) {
471 } else if (memcmp(magic, old_netxray_magic, MAGIC_SIZE) == 0) {
474 return WTAP_OPEN_NOT_MINE;
477 /* Read the rest of the header. */
478 if (!wtap_read_bytes(wth->fh, &hdr, sizeof hdr, err, err_info))
479 return WTAP_OPEN_ERROR;
484 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_OLD;
486 /* It appears that version 1.1 files (as produced by Windows
487 * Sniffer Pro 2.0.01) have the time stamp in microseconds,
488 * rather than the milliseconds version 1.0 files appear to
491 * It also appears that version 2.00x files have per-packet
492 * headers with some extra fields. */
493 if (memcmp(hdr.version, vers_1_0, sizeof vers_1_0) == 0) {
496 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_1_0;
497 } else if (memcmp(hdr.version, vers_1_1, sizeof vers_1_1) == 0) {
500 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_1_1;
501 } else if (memcmp(hdr.version, vers_2_000, sizeof vers_2_000) == 0) {
504 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_2_00x;
505 } else if (memcmp(hdr.version, vers_2_001, sizeof vers_2_001) == 0) {
508 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_2_00x;
509 } else if (memcmp(hdr.version, vers_2_002, sizeof vers_2_002) == 0) {
512 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_2_00x;
513 } else if (memcmp(hdr.version, vers_2_003, sizeof vers_2_003) == 0) {
516 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_2_00x;
518 *err = WTAP_ERR_UNSUPPORTED;
519 *err_info = g_strdup_printf("netxray: version \"%.8s\" unsupported", hdr.version);
520 return WTAP_OPEN_ERROR;
524 switch (hdr.network_plus) {
528 * The byte after hdr.network is usually 0, in which case
529 * the hdr.network byte is an NDIS network type value - 1.
531 network_type = hdr.network + 1;
536 * However, in some Ethernet captures, it's 2, and the
537 * hdr.network byte is 1 rather than 0. We assume
538 * that if there's a byte after hdr.network with the value
539 * 2, the hdr.network byte is an NDIS network type, rather
540 * than an NDIS network type - 1.
542 network_type = hdr.network;
546 *err = WTAP_ERR_UNSUPPORTED;
547 *err_info = g_strdup_printf("netxray: the byte after the network type has the value %u, which I don't understand",
549 return WTAP_OPEN_ERROR;
552 if (network_type >= NUM_NETXRAY_ENCAPS
553 || netxray_encap[network_type] == WTAP_ENCAP_UNKNOWN) {
554 *err = WTAP_ERR_UNSUPPORTED;
555 *err_info = g_strdup_printf("netxray: network type %u (%u) unknown or unsupported",
556 network_type, hdr.network_plus);
557 return WTAP_OPEN_ERROR;
561 * Figure out the time stamp units and start time stamp.
563 start_timestamp = (double)pletoh32(&hdr.timelo)
564 + (double)pletoh32(&hdr.timehi)*4294967296.0;
567 case WTAP_FILE_TYPE_SUBTYPE_NETXRAY_OLD:
568 ticks_per_sec = 1000.0;
569 wth->file_tsprec = WTAP_TSPREC_MSEC;
572 case WTAP_FILE_TYPE_SUBTYPE_NETXRAY_1_0:
573 ticks_per_sec = 1000.0;
574 wth->file_tsprec = WTAP_TSPREC_MSEC;
577 case WTAP_FILE_TYPE_SUBTYPE_NETXRAY_1_1:
579 * In version 1.1 files (as produced by Windows Sniffer
580 * Pro 2.0.01), the time stamp is in microseconds,
581 * rather than the milliseconds time stamps in NetXRay
582 * and older versions of Windows Sniffer.
584 ticks_per_sec = 1000000.0;
585 wth->file_tsprec = WTAP_TSPREC_USEC;
588 case WTAP_FILE_TYPE_SUBTYPE_NETXRAY_2_00x:
590 * Get the time stamp units from the appropriate TpS
591 * table or from the file header.
593 switch (network_type) {
597 * Ethernet - the table to use depends on whether
598 * this is an NDIS or pod capture.
600 switch (hdr.captype) {
603 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS) {
604 *err = WTAP_ERR_UNSUPPORTED;
605 *err_info = g_strdup_printf(
606 "netxray: Unknown timeunit %u for Ethernet/CAPTYPE_NDIS version %.8s capture",
607 hdr.timeunit, hdr.version);
608 return WTAP_OPEN_ERROR;
611 XXX: 05/29/07: Use 'realtick' instead of TpS table if timeunit=2;
612 Using 'realtick' in this case results
613 in the correct 'ticks per second' for all the captures that
614 I have of this type (including captures from a number of Wireshark
617 if (hdr.timeunit == 2) {
618 ticks_per_sec = pletoh32(hdr.realtick);
621 ticks_per_sec = TpS[hdr.timeunit];
625 case ETH_CAPTYPE_GIGPOD:
626 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_GIGPOD
627 || TpS_gigpod[hdr.timeunit] == 0.0) {
628 *err = WTAP_ERR_UNSUPPORTED;
629 *err_info = g_strdup_printf(
630 "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_GIGPOD version %.8s capture",
631 hdr.timeunit, hdr.version);
632 return WTAP_OPEN_ERROR;
634 ticks_per_sec = TpS_gigpod[hdr.timeunit];
637 * At least for 002.002 and 002.003
638 * captures, the start time stamp is 0,
639 * not the value in the file.
641 if (version_minor == 2 || version_minor == 3)
642 start_timestamp = 0.0;
645 case ETH_CAPTYPE_OTHERPOD:
646 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_OTHERPOD
647 || TpS_otherpod[hdr.timeunit] == 0.0) {
648 *err = WTAP_ERR_UNSUPPORTED;
649 *err_info = g_strdup_printf(
650 "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_OTHERPOD version %.8s capture",
651 hdr.timeunit, hdr.version);
652 return WTAP_OPEN_ERROR;
654 ticks_per_sec = TpS_otherpod[hdr.timeunit];
657 * At least for 002.002 and 002.003
658 * captures, the start time stamp is 0,
659 * not the value in the file.
661 if (version_minor == 2 || version_minor == 3)
662 start_timestamp = 0.0;
665 case ETH_CAPTYPE_OTHERPOD2:
666 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_OTHERPOD2
667 || TpS_otherpod2[hdr.timeunit] == 0.0) {
668 *err = WTAP_ERR_UNSUPPORTED;
669 *err_info = g_strdup_printf(
670 "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_OTHERPOD2 version %.8s capture",
671 hdr.timeunit, hdr.version);
672 return WTAP_OPEN_ERROR;
674 ticks_per_sec = TpS_otherpod2[hdr.timeunit];
676 * XXX: start time stamp in the one capture file examined of this type was 0;
677 * We'll assume the start time handling is the same as for other pods.
679 * At least for 002.002 and 002.003
680 * captures, the start time stamp is 0,
681 * not the value in the file.
683 if (version_minor == 2 || version_minor == 3)
684 start_timestamp = 0.0;
687 case ETH_CAPTYPE_GIGPOD2:
688 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_GIGPOD2
689 || TpS_gigpod2[hdr.timeunit] == 0.0) {
690 *err = WTAP_ERR_UNSUPPORTED;
691 *err_info = g_strdup_printf(
692 "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_GIGPOD2 version %.8s capture",
693 hdr.timeunit, hdr.version);
694 return WTAP_OPEN_ERROR;
696 ticks_per_sec = TpS_gigpod2[hdr.timeunit];
698 * XXX: start time stamp in the one capture file examined of this type was 0;
699 * We'll assume the start time handling is the same as for other pods.
701 * At least for 002.002 and 002.003
702 * captures, the start time stamp is 0,
703 * not the value in the file.
705 if (version_minor == 2 || version_minor == 3)
706 start_timestamp = 0.0;
710 *err = WTAP_ERR_UNSUPPORTED;
711 *err_info = g_strdup_printf(
712 "netxray: Unknown capture type %u for Ethernet version %.8s capture",
713 hdr.captype, hdr.version);
714 return WTAP_OPEN_ERROR;
719 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS) {
720 *err = WTAP_ERR_UNSUPPORTED;
721 *err_info = g_strdup_printf(
722 "netxray: Unknown timeunit %u for %u/%u version %.8s capture",
723 hdr.timeunit, network_type, hdr.captype,
725 return WTAP_OPEN_ERROR;
727 ticks_per_sec = TpS[hdr.timeunit];
732 * If the number of ticks per second is greater than
733 * 1 million, make the precision be nanoseconds rather
736 * XXX - do values only slightly greater than one million
737 * correspond to a resolution sufficiently better than
738 * 1 microsecond to display more digits of precision?
739 * XXX - Seems reasonable to use nanosecs only if TPS >= 10M
741 if (ticks_per_sec >= 1e7)
742 wth->file_tsprec = WTAP_TSPREC_NSEC;
744 wth->file_tsprec = WTAP_TSPREC_USEC;
748 g_assert_not_reached();
751 start_timestamp = start_timestamp/ticks_per_sec;
753 if (network_type == 4) {
755 * In version 0 and 1, we assume, for now, that all
756 * WAN captures have frames that look like Ethernet
757 * frames (as a result, presumably, of having passed
760 * In version 2, it looks as if there's stuff in the
761 * file header to specify what particular type of WAN
764 if (version_major == 2) {
765 switch (hdr.captype) {
767 case WAN_CAPTYPE_PPP:
771 file_encap = WTAP_ENCAP_PPP_WITH_PHDR;
774 case WAN_CAPTYPE_FRELAY:
778 * XXX - in at least one capture, this
779 * is Cisco HDLC, not Frame Relay, but
780 * in another capture, it's Frame Relay.
782 * [Bytes in each capture:
783 * Cisco HDLC: hdr.xxx_x60[06:10]: 0x02 0x00 0x01 0x00 0x06
784 * Frame Relay: hdr.xxx_x60[06:10] 0x00 0x00 0x00 0x00 0x00
786 * Cisco HDLC: hdr.xxx_x60[14:15]: 0xff 0xff
787 * Frame Relay: hdr.xxx_x60[14:15]: 0x00 0x00
790 file_encap = WTAP_ENCAP_FRELAY_WITH_PHDR;
793 case WAN_CAPTYPE_HDLC:
794 case WAN_CAPTYPE_HDLC2:
796 * Various HDLC flavors?
798 switch (hdr.wan_hdlc_subsub_captype) {
800 case 0: /* LAPB/X.25 */
802 * XXX - at least one capture of
803 * this type appears to be PPP.
805 file_encap = WTAP_ENCAP_LAPB;
811 file_encap = WTAP_ENCAP_ISDN;
812 isdn_type = hdr.wan_hdlc_subsub_captype;
816 *err = WTAP_ERR_UNSUPPORTED;
817 *err_info = g_strdup_printf("netxray: WAN HDLC capture subsubtype 0x%02x unknown or unsupported",
818 hdr.wan_hdlc_subsub_captype);
819 return WTAP_OPEN_ERROR;
823 case WAN_CAPTYPE_SDLC:
827 file_encap = WTAP_ENCAP_SDLC;
830 case WAN_CAPTYPE_CHDLC:
832 * Cisco router (CHDLC) captured with pod
834 file_encap = WTAP_ENCAP_CHDLC_WITH_PHDR;
838 *err = WTAP_ERR_UNSUPPORTED;
839 *err_info = g_strdup_printf("netxray: WAN capture subtype 0x%02x unknown or unsupported",
841 return WTAP_OPEN_ERROR;
844 file_encap = WTAP_ENCAP_ETHERNET;
846 file_encap = netxray_encap[network_type];
848 /* This is a netxray file */
849 wth->file_type_subtype = file_type;
850 netxray = (netxray_t *)g_malloc(sizeof(netxray_t));
851 wth->priv = (void *)netxray;
852 wth->subtype_read = netxray_read;
853 wth->subtype_seek_read = netxray_seek_read;
854 wth->file_encap = file_encap;
855 wth->snapshot_length = 0; /* not available in header */
856 netxray->start_time = pletoh32(&hdr.start_time);
857 netxray->ticks_per_sec = ticks_per_sec;
858 netxray->start_timestamp = start_timestamp;
859 netxray->version_major = version_major;
862 * If frames have an extra 4 bytes of stuff at the end, is
863 * it an FCS, or just junk?
865 netxray->fcs_valid = FALSE;
866 switch (file_encap) {
868 case WTAP_ENCAP_ETHERNET:
869 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
870 case WTAP_ENCAP_ISDN:
871 case WTAP_ENCAP_LAPB:
873 * It appears that, in at least some version 2 Ethernet
874 * captures, for frames that have 0xff in hdr_2_x.xxx[2]
875 * and hdr_2_x.xxx[3] in the per-packet header:
877 * if, in the file header, hdr.realtick[1] is 0x34
878 * and hdr.realtick[2] is 0x12, the frames have an
881 * otherwise, they have 4 bytes of junk at the end.
883 * Yes, it's strange that you have to check the *middle*
884 * of the time stamp field; you can't check for any
885 * particular value of the time stamp field.
887 * For now, we assume that to be true for 802.11 captures
888 * as well; it appears to be the case for at least one
889 * such capture - the file doesn't have 0x34 and 0x12,
890 * and the 4 bytes at the end of the frames with 0xff
891 * are junk, not an FCS.
893 * For ISDN captures, it appears, at least in some
894 * captures, to be similar, although I haven't yet
895 * checked whether it's a valid FCS.
897 * XXX - should we do this for all encapsulation types?
899 * XXX - is there some other field that *really* indicates
900 * whether we have an FCS or not? The check of the time
901 * stamp is bizarre, as we're checking the middle.
902 * Perhaps hdr.realtick[0] is 0x00, in which case time
903 * stamp units in the range 1192960 through 1193215
904 * correspond to captures with an FCS, but that's still
907 * Note that there are captures with a network type of 0
908 * (Ethernet) and capture type of 0 (NDIS) that do, and
909 * that don't, have 0x34 0x12 in them, and at least one
910 * of the NDIS captures with 0x34 0x12 in it has FCSes,
911 * so it's not as if no NDIS captures have an FCS.
913 * There are also captures with a network type of 4 (WAN),
914 * capture type of 6 (HDLC), and subtype of 2 (T1 PRI) that
915 * do, and that don't, have 0x34 0x12, so there are at least
916 * some captures taken with a WAN pod that might lack an FCS.
917 * (We haven't yet tried dissecting the 4 bytes at the
918 * end of packets with hdr_2_x.xxx[2] and hdr_2_x.xxx[3]
919 * equal to 0xff as an FCS.)
921 * All captures I've seen that have 0x34 and 0x12 *and*
922 * have at least one frame with an FCS have a value of
923 * 0x01 in xxx_x40[4]. No captures I've seen with a network
924 * type of 0 (Ethernet) missing 0x34 0x12 have 0x01 there,
925 * however. However, there's at least one capture
926 * without 0x34 and 0x12, with a network type of 0,
927 * and with 0x01 in xxx_x40[4], *without* FCSes in the
928 * frames - the 4 bytes at the end are all zero - so it's
929 * not as simple as "xxx_x40[4] = 0x01 means the 4 bytes at
930 * the end are FCSes". Also, there's also at least one
931 * 802.11 capture with an xxx_x40[4] value of 0x01 with junk
932 * rather than an FCS at the end of the frame, so xxx_x40[4]
933 * isn't an obvious flag to determine whether the
936 * There don't seem to be any other values in any of the
937 * xxx_x5..., xxx_x6...., xxx_x7.... fields
938 * that obviously correspond to frames having an FCS.
940 * 05/29/07: Examination of numerous sniffer captures suggests
941 * that the apparent correlation of certain realtick
942 * bytes to 'FCS presence' may actually be
943 * a 'false positive'.
944 * ToDo: Review analysis and update code.
945 * It might be that the ticks-per-second value
946 * is hardware-dependent, and that hardware with
947 * a particular realtick value puts an FCS there
948 * and other hardware doesn't.
950 if (version_major == 2) {
951 if (hdr.realtick[1] == 0x34 && hdr.realtick[2] == 0x12)
952 netxray->fcs_valid = TRUE;
958 * Remember the ISDN type, as we need it to interpret the
959 * channel number in ISDN captures.
961 netxray->isdn_type = isdn_type;
963 /* Remember the offset after the last packet in the capture (which
964 * isn't necessarily the last packet in the file), as it appears
965 * there's sometimes crud after it.
966 * XXX: Remember 'start_offset' to help testing for 'short file' at EOF
968 netxray->wrapped = FALSE;
969 netxray->nframes = pletoh32(&hdr.nframes);
970 netxray->start_offset = pletoh32(&hdr.start_offset);
971 netxray->end_offset = pletoh32(&hdr.end_offset);
973 /* Seek to the beginning of the data records. */
974 if (file_seek(wth->fh, netxray->start_offset, SEEK_SET, err) == -1) {
975 return WTAP_OPEN_ERROR;
978 return WTAP_OPEN_MINE;
981 /* Read the next packet */
983 netxray_read(wtap *wth, int *err, gchar **err_info,
986 netxray_t *netxray = (netxray_t *)wth->priv;
991 * Return the offset of the record header, so we can reread it
992 * if we go back to this frame.
994 *data_offset = file_tell(wth->fh);
996 /* Have we reached the end of the packet data? */
997 if (*data_offset == netxray->end_offset) {
999 *err = 0; /* it's just an EOF, not an error */
1003 /* Read and process record header. */
1004 padding = netxray_process_rec_header(wth, wth->fh, &wth->phdr, err,
1012 * Error of some sort; give up.
1017 /* We're at EOF. Wrap?
1018 * XXX: Need to handle 'short file' cases
1019 * (Distributed Sniffer seems to have a
1020 * certain small propensity to generate 'short' files
1021 * i.e. [many] bytes are missing from the end of the file)
1022 * case 1: start_offset < end_offset
1023 * wrap will read already read packets again;
1024 * so: error with "short file"
1025 * case 2: start_offset > end_offset ("circular" file)
1026 * wrap will mean there's a gap (missing packets).
1027 * However, I don't see a good way to identify this
1028 * case so we'll just have to allow the wrap.
1029 * (Maybe there can be an error message after all
1030 * packets are read since there'll be less packets than
1031 * specified in the file header).
1032 * Note that these cases occur *only* if a 'short' eof occurs exactly
1033 * at the expected beginning of a frame header record; If there is a
1034 * partial frame header (or partial frame data) record, then the
1035 * netxray_read... functions will detect the short record.
1037 if (netxray->start_offset < netxray->end_offset) {
1038 *err = WTAP_ERR_SHORT_READ;
1042 if (!netxray->wrapped) {
1043 /* Yes. Remember that we did. */
1044 netxray->wrapped = TRUE;
1045 if (file_seek(wth->fh, CAPTUREFILE_HEADER_SIZE,
1046 SEEK_SET, err) == -1)
1051 /* We've already wrapped - don't wrap again. */
1056 * Read the packet data.
1058 if (!wtap_read_packet_bytes(wth->fh, wth->frame_buffer,
1059 wth->phdr.caplen, err, err_info))
1063 * If there's extra stuff at the end of the record, skip it.
1065 if (file_seek(wth->fh, padding, SEEK_CUR, err) == -1)
1069 * If it's an ATM packet, and we don't have enough information
1070 * from the packet header to determine its type or subtype,
1071 * attempt to guess them from the packet data.
1073 netxray_guess_atm_type(wth, &wth->phdr, wth->frame_buffer);
1078 netxray_seek_read(wtap *wth, gint64 seek_off,
1079 struct wtap_pkthdr *phdr, Buffer *buf,
1080 int *err, gchar **err_info)
1082 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
1085 if (netxray_process_rec_header(wth, wth->random_fh, phdr, err,
1089 * EOF - we report that as a short read, as
1090 * we've read this once and know that it
1093 *err = WTAP_ERR_SHORT_READ;
1099 * Read the packet data.
1101 if (!wtap_read_packet_bytes(wth->random_fh, buf, phdr->caplen, err,
1106 * If it's an ATM packet, and we don't have enough information
1107 * from the packet header to determine its type or subtype,
1108 * attempt to guess them from the packet data.
1110 netxray_guess_atm_type(wth, phdr, buf);
1115 netxray_process_rec_header(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr,
1116 int *err, gchar **err_info)
1118 netxray_t *netxray = (netxray_t *)wth->priv;
1119 union netxrayrec_hdr hdr;
1125 /* Read record header. */
1126 switch (netxray->version_major) {
1129 hdr_size = sizeof (struct old_netxrayrec_hdr);
1133 hdr_size = sizeof (struct netxrayrec_1_x_hdr);
1137 hdr_size = sizeof (struct netxrayrec_2_x_hdr);
1140 if (!wtap_read_bytes_or_eof(fh, (void *)&hdr, hdr_size, err, err_info)) {
1142 * If *err is 0, we're at EOF. *err being 0 and a return
1143 * value of -1 tells our caller we're at EOF.
1145 * Otherwise, we got an error, and *err *not* being 0
1146 * and a return value tells our caller we have an error.
1152 * If this is Ethernet, 802.11, ISDN, X.25, or ATM, set the
1155 switch (netxray->version_major) {
1158 switch (wth->file_encap) {
1160 case WTAP_ENCAP_ETHERNET:
1162 * XXX - if hdr_1_x.xxx[15] is 1
1163 * the frame appears not to have any extra
1164 * stuff at the end, but if it's 0,
1165 * there appears to be 4 bytes of stuff
1166 * at the end, but it's not an FCS.
1168 * Or is that just the low-order bit?
1170 * For now, we just say "no FCS".
1172 phdr->pseudo_header.eth.fcs_len = 0;
1178 switch (wth->file_encap) {
1180 case WTAP_ENCAP_ETHERNET:
1182 * It appears, at least with version 2 captures,
1183 * that we have 4 bytes of stuff (which might be
1184 * a valid FCS or might be junk) at the end of
1185 * the packet if hdr_2_x.xxx[2] and
1186 * hdr_2_x.xxx[3] are 0xff, and we don't if
1189 * It also appears that if the low-order bit of
1190 * hdr_2_x.xxx[8] is set, the packet has a
1193 if (hdr.hdr_2_x.xxx[2] == 0xff &&
1194 hdr.hdr_2_x.xxx[3] == 0xff) {
1196 * We have 4 bytes of stuff at the
1197 * end of the frame - FCS, or junk?
1199 if (netxray->fcs_valid) {
1203 phdr->pseudo_header.eth.fcs_len = 4;
1211 phdr->pseudo_header.eth.fcs_len = 0;
1214 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
1216 * It appears, in one 802.11 capture, that
1217 * we have 4 bytes of junk at the ends of
1218 * frames in which hdr_2_x.xxx[2] and
1219 * hdr_2_x.xxx[3] are 0xff; I haven't
1220 * seen any frames where it's an FCS, but,
1221 * for now, we still check the fcs_valid
1222 * flag - I also haven't seen any capture
1223 * where we'd set it based on the realtick
1226 * It also appears that if the low-order bit of
1227 * hdr_2_x.xxx[8] is set, the packet has a
1228 * bad FCS. According to Ken Mann, the 0x4 bit
1229 * is sometimes also set for errors.
1231 * Ken also says that xxx[11] is 0x5 when the
1232 * packet is WEP-encrypted.
1234 if (hdr.hdr_2_x.xxx[2] == 0xff &&
1235 hdr.hdr_2_x.xxx[3] == 0xff) {
1237 * We have 4 bytes of stuff at the
1238 * end of the frame - FCS, or junk?
1240 if (netxray->fcs_valid) {
1244 phdr->pseudo_header.ieee_802_11.fcs_len = 4;
1252 phdr->pseudo_header.ieee_802_11.fcs_len = 0;
1254 phdr->pseudo_header.ieee_802_11.decrypted = FALSE;
1256 phdr->pseudo_header.ieee_802_11.channel =
1257 hdr.hdr_2_x.xxx[12];
1258 phdr->pseudo_header.ieee_802_11.data_rate =
1259 hdr.hdr_2_x.xxx[13];
1260 phdr->pseudo_header.ieee_802_11.signal_percent =
1261 hdr.hdr_2_x.xxx[14];
1263 * According to Ken Mann, at least in the captures
1264 * he's seen, xxx[15] is the noise level, which
1265 * is either 0xFF meaning "none reported" or a value
1266 * from 0x00 to 0x7F for 0 to 100%.
1268 if (hdr.hdr_2_x.xxx[15] == 0xFF) {
1269 phdr->pseudo_header.ieee_802_11.presence_flags =
1270 PHDR_802_11_HAS_CHANNEL |
1271 PHDR_802_11_HAS_DATA_RATE |
1272 PHDR_802_11_HAS_SIGNAL_PERCENT;
1274 phdr->pseudo_header.ieee_802_11.noise_percent =
1275 hdr.hdr_2_x.xxx[15]*100/127;
1276 phdr->pseudo_header.ieee_802_11.presence_flags =
1277 PHDR_802_11_HAS_CHANNEL |
1278 PHDR_802_11_HAS_DATA_RATE |
1279 PHDR_802_11_HAS_SIGNAL_PERCENT |
1280 PHDR_802_11_HAS_NOISE_PERCENT;
1284 case WTAP_ENCAP_ISDN:
1288 * The bottommost bit of byte 12 of hdr_2_x.xxx
1289 * is the direction flag.
1291 * The bottom 5 bits of byte 13 of hdr_2_x.xxx
1292 * are the channel number, but some mapping is
1293 * required for PRI. (Is it really just the time
1296 phdr->pseudo_header.isdn.uton =
1297 (hdr.hdr_2_x.xxx[12] & 0x01);
1298 phdr->pseudo_header.isdn.channel =
1299 hdr.hdr_2_x.xxx[13] & 0x1F;
1300 switch (netxray->isdn_type) {
1304 * E1 PRI. Channel numbers 0 and 16
1305 * are the D channel; channel numbers 1
1306 * through 15 are B1 through B15; channel
1307 * numbers 17 through 31 are B16 through
1310 if (phdr->pseudo_header.isdn.channel == 16)
1311 phdr->pseudo_header.isdn.channel = 0;
1312 else if (phdr->pseudo_header.isdn.channel > 16)
1313 phdr->pseudo_header.isdn.channel -= 1;
1318 * T1 PRI. Channel numbers 0 and 24
1319 * are the D channel; channel numbers 1
1320 * through 23 are B1 through B23.
1322 if (phdr->pseudo_header.isdn.channel == 24)
1323 phdr->pseudo_header.isdn.channel = 0;
1324 else if (phdr->pseudo_header.isdn.channel > 24)
1325 phdr->pseudo_header.isdn.channel -= 1;
1330 * It appears, at least with version 2 captures,
1331 * that we have 4 bytes of stuff (which might be
1332 * a valid FCS or might be junk) at the end of
1333 * the packet if hdr_2_x.xxx[2] and
1334 * hdr_2_x.xxx[3] are 0xff, and we don't if
1337 * XXX - does the low-order bit of hdr_2_x.xxx[8]
1338 * indicate a bad FCS, as is the case with
1341 if (hdr.hdr_2_x.xxx[2] == 0xff &&
1342 hdr.hdr_2_x.xxx[3] == 0xff) {
1344 * FCS, or junk, at the end.
1345 * XXX - is it an FCS if "fcs_valid" is
1352 case WTAP_ENCAP_LAPB:
1353 case WTAP_ENCAP_FRELAY_WITH_PHDR:
1355 * LAPB/X.25 and Frame Relay.
1357 * The bottommost bit of byte 12 of hdr_2_x.xxx
1358 * is the direction flag. (Probably true for other
1359 * HDLC encapsulations as well.)
1361 phdr->pseudo_header.x25.flags =
1362 (hdr.hdr_2_x.xxx[12] & 0x01) ? 0x00 : FROM_DCE;
1365 * It appears, at least with version 2 captures,
1366 * that we have 4 bytes of stuff (which might be
1367 * a valid FCS or might be junk) at the end of
1368 * the packet if hdr_2_x.xxx[2] and
1369 * hdr_2_x.xxx[3] are 0xff, and we don't if
1372 * XXX - does the low-order bit of hdr_2_x.xxx[8]
1373 * indicate a bad FCS, as is the case with
1376 if (hdr.hdr_2_x.xxx[2] == 0xff &&
1377 hdr.hdr_2_x.xxx[3] == 0xff) {
1379 * FCS, or junk, at the end.
1380 * XXX - is it an FCS if "fcs_valid" is
1387 case WTAP_ENCAP_PPP_WITH_PHDR:
1388 case WTAP_ENCAP_SDLC:
1389 case WTAP_ENCAP_CHDLC_WITH_PHDR:
1390 phdr->pseudo_header.p2p.sent =
1391 (hdr.hdr_2_x.xxx[12] & 0x01) ? TRUE : FALSE;
1394 case WTAP_ENCAP_ATM_PDUS_UNTRUNCATED:
1396 * XXX - the low-order bit of hdr_2_x.xxx[8]
1397 * seems to indicate some sort of error. In
1398 * at least one capture, a number of packets
1399 * have that flag set, and they appear either
1400 * to be the beginning part of an incompletely
1401 * reassembled AAL5 PDU, with either checksum
1402 * errors at higher levels (possibly due to
1403 * the packet being reported as shorter than
1404 * it actually is, and checksumming failing
1405 * because it doesn't include all the data)
1406 * or "Malformed frame" errors from being
1407 * too short, or appear to be later parts
1408 * of an incompletely reassembled AAL5 PDU
1409 * with the last one in a sequence of errors
1410 * having what looks like an AAL5 trailer,
1411 * with a length and checksum.
1413 * Does it just mean "reassembly failed",
1414 * as appears to be the case in those
1415 * packets, or does it mean "CRC error"
1416 * at the AAL5 layer (which would be the
1417 * case if you were treating an incompletely
1418 * reassembled PDU as a completely reassembled
1419 * PDU, although you'd also expect a length
1420 * error in that case), or does it mean
1421 * "generic error", with some other flag
1422 * or flags indicating what particular
1423 * error occurred? The documentation
1424 * for Sniffer Pro 4.7 indicates a bunch
1425 * of different error types, both in general
1426 * and for ATM in particular.
1428 * No obvious bits in hdr_2_x.xxx appear
1429 * to be additional flags of that sort.
1431 * XXX - in that capture, I see several
1432 * reassembly errors in a row; should those
1433 * packets be reassembled in the ATM dissector?
1434 * What happens if a reassembly fails because
1437 phdr->pseudo_header.atm.flags = 0;
1438 if (hdr.hdr_2_x.xxx[8] & 0x01)
1439 phdr->pseudo_header.atm.flags |= ATM_REASSEMBLY_ERROR;
1441 * XXX - is 0x08 an "OAM cell" flag?
1442 * Are the 0x01 and 0x02 bits error indications?
1443 * Some packets in one capture that have the
1444 * 0x01 bit set in hdr_2_x.xxx[8] and that
1445 * appear to have been reassembled completely
1446 * but have a bad CRC have 0x03 in hdr_2_x.xxx[9]
1447 * (and don't have the 0x20 bit set).
1449 * In the capture with incomplete reassemblies,
1450 * all packets have the 0x20 bit set. In at
1451 * least some of the captures with complete
1452 * reassemblies with CRC errors, no packets
1453 * have the 0x20 bit set.
1455 * Are hdr_2_x.xxx[8] and hdr_2_x.xxx[9] a 16-bit
1458 if (hdr.hdr_2_x.xxx[9] & 0x04)
1459 phdr->pseudo_header.atm.flags |= ATM_RAW_CELL;
1460 phdr->pseudo_header.atm.vpi = hdr.hdr_2_x.xxx[11];
1461 phdr->pseudo_header.atm.vci = pletoh16(&hdr.hdr_2_x.xxx[12]);
1462 phdr->pseudo_header.atm.channel =
1463 (hdr.hdr_2_x.xxx[15] & 0x10)? 1 : 0;
1464 phdr->pseudo_header.atm.cells = 0;
1467 * XXX - the uppermost bit of hdr_2_xxx[0]
1468 * looks as if it might be a flag of some sort.
1469 * The remaining 3 bits appear to be an AAL
1470 * type - 5 is, surprise surprise, AAL5.
1472 switch (hdr.hdr_2_x.xxx[0] & 0x70) {
1474 case 0x00: /* Unknown */
1475 phdr->pseudo_header.atm.aal = AAL_UNKNOWN;
1476 phdr->pseudo_header.atm.type = TRAF_UNKNOWN;
1477 phdr->pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1480 case 0x10: /* XXX - AAL1? */
1481 phdr->pseudo_header.atm.aal = AAL_UNKNOWN;
1482 phdr->pseudo_header.atm.type = TRAF_UNKNOWN;
1483 phdr->pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1486 case 0x20: /* XXX - AAL2? */
1487 phdr->pseudo_header.atm.aal = AAL_UNKNOWN;
1488 phdr->pseudo_header.atm.type = TRAF_UNKNOWN;
1489 phdr->pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1492 case 0x40: /* XXX - AAL3/4? */
1493 phdr->pseudo_header.atm.aal = AAL_UNKNOWN;
1494 phdr->pseudo_header.atm.type = TRAF_UNKNOWN;
1495 phdr->pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1498 case 0x30: /* XXX - AAL5 cells seen with this */
1499 case 0x50: /* AAL5 (including signalling) */
1500 case 0x60: /* XXX - AAL5 cells seen with this */
1501 case 0x70: /* XXX - AAL5 cells seen with this */
1502 phdr->pseudo_header.atm.aal = AAL_5;
1504 * XXX - is the 0x08 bit of hdr_2_x.xxx[0]
1505 * a flag? I've not yet seen a case where
1508 switch (hdr.hdr_2_x.xxx[0] & 0x07) {
1511 case 0x02: /* Signalling traffic */
1512 phdr->pseudo_header.atm.aal = AAL_SIGNALLING;
1513 phdr->pseudo_header.atm.type = TRAF_UNKNOWN;
1514 phdr->pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1517 case 0x03: /* ILMI */
1518 phdr->pseudo_header.atm.type = TRAF_ILMI;
1519 phdr->pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1526 * I've seen a frame with type
1527 * 0x30 and subtype 0x08 that
1528 * was LANE 802.3, a frame
1529 * with type 0x30 and subtype
1530 * 0x04 that was LANE 802.3,
1531 * and another frame with type
1532 * 0x30 and subtype 0x08 that
1533 * was junk with a string in
1534 * it that had also appeared
1535 * in some CDP and LE Control
1536 * frames, and that was preceded
1537 * by a malformed LE Control
1538 * frame - was that a reassembly
1541 * I've seen frames with type
1542 * 0x50 and subtype 0x0c, some
1543 * of which were LE Control
1544 * frames, and at least one
1545 * of which was neither an LE
1546 * Control frame nor a LANE
1547 * 802.3 frame, and contained
1548 * the string "ForeThought_6.2.1
1549 * Alpha" - does that imply
1550 * FORE's own encapsulation,
1551 * or was this a reassembly failure?
1552 * The latter frame was preceded
1553 * by a malformed LE Control
1556 * I've seen a couple of frames
1557 * with type 0x60 and subtype 0x00,
1558 * one of which was LANE 802.3 and
1559 * one of which was LE Control.
1560 * I've seen one frame with type
1561 * 0x60 and subtype 0x0c, which
1564 * I've seen a couple of frames
1565 * with type 0x70 and subtype 0x00,
1566 * both of which were LANE 802.3.
1568 phdr->pseudo_header.atm.type = TRAF_LANE;
1569 phdr->pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1572 case 0x06: /* XXX - not seen yet */
1573 phdr->pseudo_header.atm.type = TRAF_UNKNOWN;
1574 phdr->pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1577 case 0x07: /* LLC multiplexed */
1578 phdr->pseudo_header.atm.type = TRAF_LLCMX; /* XXX */
1579 phdr->pseudo_header.atm.subtype = TRAF_ST_UNKNOWN; /* XXX */
1589 phdr->rec_type = REC_TYPE_PACKET;
1590 if (netxray->version_major == 0) {
1591 phdr->presence_flags = WTAP_HAS_TS;
1592 t = (double)pletoh32(&hdr.old_hdr.timelo)
1593 + (double)pletoh32(&hdr.old_hdr.timehi)*4294967296.0;
1594 t /= netxray->ticks_per_sec;
1595 t -= netxray->start_timestamp;
1596 phdr->ts.secs = netxray->start_time + (long)t;
1597 phdr->ts.nsecs = (int)((t-(double)(unsigned long)(t))
1600 * We subtract the padding from the packet size, so our caller
1603 packet_size = pletoh16(&hdr.old_hdr.len);
1604 phdr->caplen = packet_size - padding;
1605 phdr->len = phdr->caplen;
1607 phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
1608 t = (double)pletoh32(&hdr.hdr_1_x.timelo)
1609 + (double)pletoh32(&hdr.hdr_1_x.timehi)*4294967296.0;
1610 t /= netxray->ticks_per_sec;
1611 t -= netxray->start_timestamp;
1612 phdr->ts.secs = netxray->start_time + (time_t)t;
1613 phdr->ts.nsecs = (int)((t-(double)(unsigned long)(t))
1616 * We subtract the padding from the packet size, so our caller
1619 packet_size = pletoh16(&hdr.hdr_1_x.incl_len);
1620 phdr->caplen = packet_size - padding;
1621 phdr->len = pletoh16(&hdr.hdr_1_x.orig_len) - padding;
1628 netxray_guess_atm_type(wtap *wth, struct wtap_pkthdr *phdr, Buffer *buf)
1632 if (wth->file_encap == WTAP_ENCAP_ATM_PDUS_UNTRUNCATED &&
1633 !(phdr->pseudo_header.atm.flags & ATM_REASSEMBLY_ERROR)) {
1634 if (phdr->pseudo_header.atm.aal == AAL_UNKNOWN) {
1636 * Try to guess the type and subtype based
1637 * on the VPI/VCI and packet contents.
1639 pd = ws_buffer_start_ptr(buf);
1640 atm_guess_traffic_type(phdr, pd);
1641 } else if (phdr->pseudo_header.atm.aal == AAL_5 &&
1642 phdr->pseudo_header.atm.type == TRAF_LANE) {
1644 * Try to guess the subtype based on the
1647 pd = ws_buffer_start_ptr(buf);
1648 atm_guess_lane_type(phdr, pd);
1654 gboolean first_frame;
1659 static const struct {
1660 int wtap_encap_value;
1662 } wtap_encap_1_1[] = {
1663 { WTAP_ENCAP_ETHERNET, 0 }, /* -> NDIS Ethernet */
1664 { WTAP_ENCAP_TOKEN_RING, 1 }, /* -> NDIS Token Ring */
1665 { WTAP_ENCAP_FDDI, 2 }, /* -> NDIS FDDI */
1666 { WTAP_ENCAP_FDDI_BITSWAPPED, 2 }, /* -> NDIS FDDI */
1668 #define NUM_WTAP_ENCAPS_1_1 (sizeof wtap_encap_1_1 / sizeof wtap_encap_1_1[0])
1671 wtap_encap_to_netxray_1_1_encap(int encap)
1675 for (i = 0; i < NUM_WTAP_ENCAPS_1_1; i++) {
1676 if (encap == wtap_encap_1_1[i].wtap_encap_value)
1677 return wtap_encap_1_1[i].ndis_value;
1683 /* Returns 0 if we could write the specified encapsulation type,
1684 an error indication otherwise. */
1686 netxray_dump_can_write_encap_1_1(int encap)
1688 /* Per-packet encapsulations aren't supported. */
1689 if (encap == WTAP_ENCAP_PER_PACKET)
1690 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
1692 if (wtap_encap_to_netxray_1_1_encap(encap) == -1)
1693 return WTAP_ERR_UNWRITABLE_ENCAP;
1698 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
1701 netxray_dump_open_1_1(wtap_dumper *wdh, int *err)
1703 netxray_dump_t *netxray;
1705 wdh->subtype_write = netxray_dump_1_1;
1706 wdh->subtype_close = netxray_dump_close_1_1;
1708 /* We can't fill in all the fields in the file header, as we
1709 haven't yet written any packets. As we'll have to rewrite
1710 the header when we've written out all the packets, we just
1711 skip over the header for now. */
1712 if (wtap_dump_file_seek(wdh, CAPTUREFILE_HEADER_SIZE, SEEK_SET, err) == -1)
1714 wdh->bytes_dumped += CAPTUREFILE_HEADER_SIZE;
1716 netxray = (netxray_dump_t *)g_malloc(sizeof(netxray_dump_t));
1717 wdh->priv = (void *)netxray;
1718 netxray->first_frame = TRUE;
1719 netxray->start.secs = 0;
1720 netxray->start.nsecs = 0;
1721 netxray->nframes = 0;
1726 /* Write a record for a packet to a dump file.
1727 Returns TRUE on success, FALSE on failure. */
1729 netxray_dump_1_1(wtap_dumper *wdh,
1730 const struct wtap_pkthdr *phdr,
1731 const guint8 *pd, int *err, gchar **err_info _U_)
1733 netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv;
1736 struct netxrayrec_1_x_hdr rec_hdr;
1738 /* We can only write packet records. */
1739 if (phdr->rec_type != REC_TYPE_PACKET) {
1740 *err = WTAP_ERR_REC_TYPE_UNSUPPORTED;
1744 /* The captured length field is 16 bits, so there's a hard
1746 if (phdr->caplen > 65535) {
1747 *err = WTAP_ERR_PACKET_TOO_LARGE;
1751 /* NetXRay/Windows Sniffer files have a capture start date/time
1752 in the header, in a UNIX-style format, with one-second resolution,
1753 and a start time stamp with microsecond resolution that's just
1754 an arbitrary time stamp relative to some unknown time (boot
1755 time?), and have times relative to the start time stamp in
1756 the packet headers; pick the seconds value of the time stamp
1757 of the first packet as the UNIX-style start date/time, and make
1758 the high-resolution start time stamp 0, with the time stamp of
1759 packets being the delta between the stamp of the packet and
1760 the stamp of the first packet with the microseconds part 0. */
1761 if (netxray->first_frame) {
1762 netxray->first_frame = FALSE;
1763 netxray->start = phdr->ts;
1766 /* build the header for each packet */
1767 memset(&rec_hdr, '\0', sizeof(rec_hdr));
1768 timestamp = ((guint64)phdr->ts.secs - (guint64)netxray->start.secs)*1000000
1769 + ((guint64)phdr->ts.nsecs)/1000;
1770 t32 = (guint32)(timestamp%G_GINT64_CONSTANT(4294967296));
1771 rec_hdr.timelo = GUINT32_TO_LE(t32);
1772 t32 = (guint32)(timestamp/G_GINT64_CONSTANT(4294967296));
1773 rec_hdr.timehi = GUINT32_TO_LE(t32);
1774 rec_hdr.orig_len = GUINT16_TO_LE(phdr->len);
1775 rec_hdr.incl_len = GUINT16_TO_LE(phdr->caplen);
1777 if (!wtap_dump_file_write(wdh, &rec_hdr, sizeof(rec_hdr), err))
1779 wdh->bytes_dumped += sizeof(rec_hdr);
1781 /* write the packet data */
1782 if (!wtap_dump_file_write(wdh, pd, phdr->caplen, err))
1784 wdh->bytes_dumped += phdr->caplen;
1791 /* Finish writing to a dump file.
1792 Returns TRUE on success, FALSE on failure. */
1794 netxray_dump_close_1_1(wtap_dumper *wdh, int *err)
1796 char hdr_buf[CAPTUREFILE_HEADER_SIZE - sizeof(netxray_magic)];
1797 netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv;
1799 struct netxray_hdr file_hdr;
1801 if (-1 == (filelen = wtap_dump_file_tell(wdh, err)))
1804 /* Go back to beginning */
1805 if (wtap_dump_file_seek(wdh, 0, SEEK_SET, err) == -1)
1808 /* Rewrite the file header. */
1809 if (!wtap_dump_file_write(wdh, netxray_magic, sizeof netxray_magic, err))
1812 /* "sniffer" version ? */
1813 memset(&file_hdr, '\0', sizeof file_hdr);
1814 memcpy(file_hdr.version, vers_1_1, sizeof vers_1_1);
1815 file_hdr.start_time = GUINT32_TO_LE(netxray->start.secs);
1816 file_hdr.nframes = GUINT32_TO_LE(netxray->nframes);
1817 file_hdr.start_offset = GUINT32_TO_LE(CAPTUREFILE_HEADER_SIZE);
1818 /* XXX - large files? */
1819 file_hdr.end_offset = GUINT32_TO_LE((guint32)filelen);
1820 file_hdr.network = wtap_encap_to_netxray_1_1_encap(wdh->encap);
1821 file_hdr.timelo = GUINT32_TO_LE(0);
1822 file_hdr.timehi = GUINT32_TO_LE(0);
1824 memset(hdr_buf, '\0', sizeof hdr_buf);
1825 memcpy(hdr_buf, &file_hdr, sizeof(file_hdr));
1826 if (!wtap_dump_file_write(wdh, hdr_buf, sizeof hdr_buf, err))
1832 static const struct {
1833 int wtap_encap_value;
1835 } wtap_encap_2_0[] = {
1836 { WTAP_ENCAP_ETHERNET, 0 }, /* -> NDIS Ethernet */
1837 { WTAP_ENCAP_TOKEN_RING, 1 }, /* -> NDIS Token Ring */
1838 { WTAP_ENCAP_FDDI, 2 }, /* -> NDIS FDDI */
1839 { WTAP_ENCAP_FDDI_BITSWAPPED, 2 }, /* -> NDIS FDDI */
1840 { WTAP_ENCAP_PPP_WITH_PHDR, 3 }, /* -> NDIS WAN */
1841 { WTAP_ENCAP_FRELAY_WITH_PHDR, 3 }, /* -> NDIS WAN */
1842 { WTAP_ENCAP_LAPB, 3 }, /* -> NDIS WAN */
1843 { WTAP_ENCAP_SDLC, 3 }, /* -> NDIS WAN */
1845 #define NUM_WTAP_ENCAPS_2_0 (sizeof wtap_encap_2_0 / sizeof wtap_encap_2_0[0])
1848 wtap_encap_to_netxray_2_0_encap(int encap)
1852 for (i = 0; i < NUM_WTAP_ENCAPS_2_0; i++) {
1853 if (encap == wtap_encap_2_0[i].wtap_encap_value)
1854 return wtap_encap_2_0[i].ndis_value;
1860 /* Returns 0 if we could write the specified encapsulation type,
1861 an error indication otherwise. */
1863 netxray_dump_can_write_encap_2_0(int encap)
1865 /* Per-packet encapsulations aren't supported. */
1866 if (encap == WTAP_ENCAP_PER_PACKET)
1867 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
1869 if (wtap_encap_to_netxray_2_0_encap(encap) == -1)
1870 return WTAP_ERR_UNWRITABLE_ENCAP;
1875 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
1878 netxray_dump_open_2_0(wtap_dumper *wdh, int *err)
1880 netxray_dump_t *netxray;
1882 wdh->subtype_write = netxray_dump_2_0;
1883 wdh->subtype_close = netxray_dump_close_2_0;
1885 /* We can't fill in all the fields in the file header, as we
1886 haven't yet written any packets. As we'll have to rewrite
1887 the header when we've written out all the packets, we just
1888 skip over the header for now. */
1889 if (wtap_dump_file_seek(wdh, CAPTUREFILE_HEADER_SIZE, SEEK_SET, err) == -1)
1892 wdh->bytes_dumped += CAPTUREFILE_HEADER_SIZE;
1894 netxray = (netxray_dump_t *)g_malloc(sizeof(netxray_dump_t));
1895 wdh->priv = (void *)netxray;
1896 netxray->first_frame = TRUE;
1897 netxray->start.secs = 0;
1898 netxray->start.nsecs = 0;
1899 netxray->nframes = 0;
1904 /* Write a record for a packet to a dump file.
1905 Returns TRUE on success, FALSE on failure. */
1907 netxray_dump_2_0(wtap_dumper *wdh,
1908 const struct wtap_pkthdr *phdr,
1909 const guint8 *pd, int *err, gchar **err_info _U_)
1911 const union wtap_pseudo_header *pseudo_header = &phdr->pseudo_header;
1912 netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv;
1915 struct netxrayrec_2_x_hdr rec_hdr;
1917 /* We can only write packet records. */
1918 if (phdr->rec_type != REC_TYPE_PACKET) {
1919 *err = WTAP_ERR_REC_TYPE_UNSUPPORTED;
1923 /* Don't write anything we're not willing to read. */
1924 if (phdr->caplen > WTAP_MAX_PACKET_SIZE) {
1925 *err = WTAP_ERR_PACKET_TOO_LARGE;
1929 /* NetXRay/Windows Sniffer files have a capture start date/time
1930 in the header, in a UNIX-style format, with one-second resolution,
1931 and a start time stamp with microsecond resolution that's just
1932 an arbitrary time stamp relative to some unknown time (boot
1933 time?), and have times relative to the start time stamp in
1934 the packet headers; pick the seconds value of the time stamp
1935 of the first packet as the UNIX-style start date/time, and make
1936 the high-resolution start time stamp 0, with the time stamp of
1937 packets being the delta between the stamp of the packet and
1938 the stamp of the first packet with the microseconds part 0. */
1939 if (netxray->first_frame) {
1940 netxray->first_frame = FALSE;
1941 netxray->start = phdr->ts;
1944 /* build the header for each packet */
1945 memset(&rec_hdr, '\0', sizeof(rec_hdr));
1946 timestamp = ((guint64)phdr->ts.secs - (guint64)netxray->start.secs)*1000000
1947 + ((guint64)phdr->ts.nsecs)/1000;
1948 t32 = (guint32)(timestamp%G_GINT64_CONSTANT(4294967296));
1949 rec_hdr.timelo = GUINT32_TO_LE(t32);
1950 t32 = (guint32)(timestamp/G_GINT64_CONSTANT(4294967296));
1951 rec_hdr.timehi = GUINT32_TO_LE(t32);
1952 rec_hdr.orig_len = GUINT16_TO_LE(phdr->len);
1953 rec_hdr.incl_len = GUINT16_TO_LE(phdr->caplen);
1955 switch (phdr->pkt_encap) {
1957 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
1959 (pseudo_header->ieee_802_11.presence_flags & PHDR_802_11_HAS_CHANNEL) ?
1960 pseudo_header->ieee_802_11.channel :
1963 (pseudo_header->ieee_802_11.presence_flags & PHDR_802_11_HAS_DATA_RATE) ?
1964 (guint8)pseudo_header->ieee_802_11.data_rate :
1967 (pseudo_header->ieee_802_11.presence_flags & PHDR_802_11_HAS_SIGNAL_PERCENT) ?
1968 pseudo_header->ieee_802_11.signal_percent :
1971 (pseudo_header->ieee_802_11.presence_flags & PHDR_802_11_HAS_NOISE_PERCENT) ?
1972 pseudo_header->ieee_802_11.noise_percent*127/100 :
1976 case WTAP_ENCAP_PPP_WITH_PHDR:
1977 case WTAP_ENCAP_SDLC:
1978 rec_hdr.xxx[12] |= pseudo_header->p2p.sent ? 0x01 : 0x00;
1981 case WTAP_ENCAP_FRELAY_WITH_PHDR:
1982 rec_hdr.xxx[12] |= (pseudo_header->x25.flags & FROM_DCE) ? 0x00 : 0x01;
1986 if (!wtap_dump_file_write(wdh, &rec_hdr, sizeof(rec_hdr), err))
1988 wdh->bytes_dumped += sizeof(rec_hdr);
1990 /* write the packet data */
1991 if (!wtap_dump_file_write(wdh, pd, phdr->caplen, err))
1993 wdh->bytes_dumped += phdr->caplen;
2000 /* Finish writing to a dump file.
2001 Returns TRUE on success, FALSE on failure. */
2003 netxray_dump_close_2_0(wtap_dumper *wdh, int *err)
2005 char hdr_buf[CAPTUREFILE_HEADER_SIZE - sizeof(netxray_magic)];
2006 netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv;
2008 struct netxray_hdr file_hdr;
2010 if (-1 == (filelen = wtap_dump_file_tell(wdh, err)))
2013 /* Go back to beginning */
2014 if (wtap_dump_file_seek(wdh, 0, SEEK_SET, err) == -1)
2017 /* Rewrite the file header. */
2018 if (!wtap_dump_file_write(wdh, netxray_magic, sizeof netxray_magic, err))
2021 /* "sniffer" version ? */
2022 memset(&file_hdr, '\0', sizeof file_hdr);
2023 memcpy(file_hdr.version, vers_2_001, sizeof vers_2_001);
2024 file_hdr.start_time = GUINT32_TO_LE(netxray->start.secs);
2025 file_hdr.nframes = GUINT32_TO_LE(netxray->nframes);
2026 file_hdr.start_offset = GUINT32_TO_LE(CAPTUREFILE_HEADER_SIZE);
2027 /* XXX - large files? */
2028 file_hdr.end_offset = GUINT32_TO_LE((guint32)filelen);
2029 file_hdr.network = wtap_encap_to_netxray_2_0_encap(wdh->encap);
2030 file_hdr.timelo = GUINT32_TO_LE(0);
2031 file_hdr.timehi = GUINT32_TO_LE(0);
2032 switch (wdh->encap) {
2034 case WTAP_ENCAP_PPP_WITH_PHDR:
2035 file_hdr.captype = WAN_CAPTYPE_PPP;
2038 case WTAP_ENCAP_FRELAY_WITH_PHDR:
2039 file_hdr.captype = WAN_CAPTYPE_FRELAY;
2042 case WTAP_ENCAP_LAPB:
2043 file_hdr.captype = WAN_CAPTYPE_HDLC;
2044 file_hdr.wan_hdlc_subsub_captype = 0;
2047 case WTAP_ENCAP_SDLC:
2048 file_hdr.captype = WAN_CAPTYPE_SDLC;
2052 file_hdr.captype = CAPTYPE_NDIS;
2056 memset(hdr_buf, '\0', sizeof hdr_buf);
2057 memcpy(hdr_buf, &file_hdr, sizeof(file_hdr));
2058 if (!wtap_dump_file_write(wdh, hdr_buf, sizeof hdr_buf, err))
2065 * Editor modelines - http://www.wireshark.org/tools/modelines.html
2070 * indent-tabs-mode: t
2073 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
2074 * :indentSize=8:tabSize=8:noTabs=false: