4 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
6 * SPDX-License-Identifier: GPL-2.0-or-later
14 #include "file_wrappers.h"
18 /* Capture file header, *including* magic number, is padded to 128 bytes. */
19 #define CAPTUREFILE_HEADER_SIZE 128
21 /* Magic number size, in both 1.x and later files. */
24 /* Magic number in NetXRay 1.x files. */
25 static const char old_netxray_magic[MAGIC_SIZE] = {
29 /* Magic number in NetXRay 2.0 and later, and Windows Sniffer, files. */
30 static const char netxray_magic[MAGIC_SIZE] = {
34 /* NetXRay file header (minus magic number). */
36 /* As field usages are identified, please revise as needed */
37 /* Please do *not* use netxray_hdr xxx... names in the code */
38 /* (Placeholder names for all 'unknown' fields are */
39 /* of form xxx_x<hex_hdr_offset> */
40 /* where <hex_hdr_offset> *includes* the magic number) */
43 char version[8]; /* version number */
44 guint32 start_time; /* UNIX [UTC] time when capture started */
46 guint32 nframes; /* number of packets */
47 guint32 xxx_x14; /* unknown [some kind of file offset] */
48 guint32 start_offset; /* offset of first packet in capture */
49 guint32 end_offset; /* offset after last packet in capture */
51 guint32 xxx_x20; /* unknown [some kind of file offset] */
52 guint32 xxx_x24; /* unknown [unused ?] */
53 guint32 xxx_x28; /* unknown [some kind of file offset] */
54 guint8 network; /* datalink type */
55 guint8 network_plus; /* [See code] */
56 guint8 xxx_x2E[2]; /* unknown */
58 guint8 timeunit; /* encodes length of a tick */
59 guint8 xxx_x31[3]; /* XXX - upper 3 bytes of timeunit ? */
60 guint32 timelo; /* lower 32 bits of capture start time stamp */
61 guint32 timehi; /* upper 32 bits of capture start time stamp */
62 guint32 linespeed; /* speed of network, in bits/second */
64 guint8 xxx_x40[12]; /* unknown [other stuff] */
65 guint8 realtick[4]; /* (ticks/sec for Ethernet/Ndis/Timeunit=2 ?) */
66 /* (realtick[1], realtick[2] also currently */
67 /* used as flag for 'FCS presence') */
69 guint8 xxx_x50[4]; /* unknown [other stuff] */
70 guint8 captype; /* capture type */
71 guint8 xxx_x55[3]; /* unknown [other stuff] */
72 guint8 xxx_x58[4]; /* unknown [other stuff] */
73 guint8 wan_hdlc_subsub_captype; /* WAN HDLC subsub_captype */
74 guint8 xxx_x5D[3]; /* unknown [other stuff] */
76 guint8 xxx_x60[16]; /* unknown [other stuff] */
78 guint8 xxx_x70[14]; /* unknown [other stuff] */
79 gint16 timezone_hrs; /* timezone hours [at least for version 2.2..]; */
80 /* positive values = west of UTC: */
81 /* negative values = east of UTC: */
82 /* e.g. +5 is American Eastern */
83 /* [Does not appear to be adjusted for DST ] */
87 * Capture type, in hdr.captype.
89 * Values other than 0 are dependent on the network type.
90 * For Ethernet captures, it indicates the type of capture pod.
91 * For WAN captures (all of which are done with a pod), it indicates
92 * the link-layer type.
94 #define CAPTYPE_NDIS 0 /* Capture on network interface using NDIS */
97 * Ethernet capture types.
99 #define ETH_CAPTYPE_GIGPOD 2 /* gigabit Ethernet captured with pod */
100 #define ETH_CAPTYPE_OTHERPOD 3 /* non-gigabit Ethernet captured with pod */
101 #define ETH_CAPTYPE_OTHERPOD2 5 /* gigabit Ethernet via pod ?? */
102 /* Captype 5 seen in capture from Distributed Sniffer with: */
103 /* Version 4.50.211 software */
104 /* SysKonnect SK-9843 Gigabit Ethernet Server Adapter */
105 #define ETH_CAPTYPE_GIGPOD2 6 /* gigabit Ethernet, captured with blade on S6040-model Sniffer */
110 #define WAN_CAPTYPE_BROUTER 1 /* Bridge/router captured with pod */
111 #define WAN_CAPTYPE_PPP 3 /* PPP captured with pod */
112 #define WAN_CAPTYPE_FRELAY 4 /* Frame Relay captured with pod */
113 #define WAN_CAPTYPE_BROUTER2 5 /* Bridge/router captured with pod */
114 #define WAN_CAPTYPE_HDLC 6 /* HDLC (X.25, ISDN) captured with pod */
115 #define WAN_CAPTYPE_SDLC 7 /* SDLC captured with pod */
116 #define WAN_CAPTYPE_HDLC2 8 /* HDLC captured with pod */
117 #define WAN_CAPTYPE_BROUTER3 9 /* Bridge/router captured with pod */
118 #define WAN_CAPTYPE_SMDS 10 /* SMDS DXI */
119 #define WAN_CAPTYPE_BROUTER4 11 /* Bridge/router captured with pod */
120 #define WAN_CAPTYPE_BROUTER5 12 /* Bridge/router captured with pod */
121 #define WAN_CAPTYPE_CHDLC 19 /* Cisco router (CHDLC) captured with pod */
123 #define CAPTYPE_ATM 15 /* ATM captured with pod */
126 * # of ticks that equal 1 second, in version 002.xxx files other
127 * than Ethernet captures with a captype other than CAPTYPE_NDIS;
128 * the index into this array is hdr.timeunit.
130 * DO NOT SEND IN PATCHES THAT CHANGE ANY OF THE NON-ZERO VALUES IN
131 * ANY OF THE TpS TABLES. THOSE VALUES ARE CORRECT FOR AT LEAST ONE
132 * CAPTURE, SO CHANGING THEM WILL BREAK AT LEAST SOME CAPTURES. WE
133 * WILL NOT CHECK IN PATCHES THAT CHANGE THESE VALUES.
135 * Instead, if a value in a TpS table is wrong, check whether captype
136 * has a non-zero value; if so, perhaps we need a new TpS table for the
137 * corresponding network type and captype, or perhaps the 'realtick'
138 * field contains the correct ticks-per-second value.
140 * TpS...[] entries of 0.0 mean that no capture file for the
141 * corresponding captype/timeunit values has yet been seen, or that
142 * we're using the 'realtick' value.
144 * XXX - 05/29/07: For Ethernet captype = 0 (NDIS) and timeunit = 2:
145 * Perusal of a number of Sniffer captures
146 * (including those from Wireshark bug reports
147 * and those from the Wireshark 'menagerie')
148 * suggests that 'realtick' for this case
149 * contains the correct ticks/second to be used.
150 * So: we'll use realtick for Ethernet captype=0 and timeunit=2.
151 * (It might be that realtick should be used for Ethernet captype = 0
152 * and timeunit = 1 but I've not yet enough captures to be sure).
153 * Based upon the captures reviewed to date, realtick cannot be used for
154 * any of the other Ethernet captype/timeunit combinations for which there
155 * are non-zero values in the TpS tables.
157 * In at least one capture where "realtick" doesn't correspond
158 * to the value from the appropriate TpS table, the per-packet header's
159 * "xxx" field is all zero, so it's not as if a 2.x header includes
160 * a "compatibility" time stamp corresponding to the value from the
161 * TpS table and a "real" time stamp corresponding to "realtick".
163 * XXX - the item corresponding to timeunit = 2 is 1193180.0, presumably
164 * because somebody found it gave the right answer for some captures, but
165 * 3 times that, i.e. 3579540.0, appears to give the right answer for some
168 * Some captures have realtick of 1193182, some have 3579545, and some
169 * have 1193000. Most of those, in one set of captures somebody has,
170 * are wrong. (Did that mean "wrong for some capture files, but not
171 * for the files in which they occurred", or "wrong for the files in
172 * which they occurred? If it's "wrong for some capture files, but
173 * not for the files in which they occurred", perhaps those were Ethernet
174 * captures with a captype of 0 and timeunit = 2, so that we now use
175 * realtick, and perhaps that fixes the problems.)
177 * XXX - in at least one ATM capture, hdr.realtick is 1193180.0
178 * and hdr.timeunit is 0. Does that capture have a captype of
179 * CAPTYPE_ATM? If so, what should the table for ATM captures with
182 static const double TpS[] = { 1e6, 1193000.0, 1193182.0 };
183 #define NUM_NETXRAY_TIMEUNITS (sizeof TpS / sizeof TpS[0])
186 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_GIGPOD.
187 * 0.0 means "unknown".
189 * It appears that, at least for Ethernet captures, if captype is
190 * ETH_CAPTYPE_GIGPOD, that indicates that it's a gigabit Ethernet
191 * capture, possibly from a special whizzo gigabit pod, and also
192 * indicates that the time stamps have some higher resolution than
193 * in other captures, possibly thanks to a high-resolution timer
196 * It also appears that the time units might differ for gigabit pod
197 * captures between version 002.001 and 002.002. For 002.001,
198 * the values below are correct; for 002.002, it's claimed that
199 * the right value for TpS_gigpod[2] is 1250000.0, but at least one
200 * 002.002 gigabit pod capture has 31250000.0 as the right value.
201 * XXX: Note that the TpS_otherpod[2] value is 1250000.0; It seems
202 * reasonable to suspect that the original claim might actually
203 * have been for a capture with a captype of 'otherpod'.
204 * (Based upon captures reviewed realtick does not contain the
205 * correct TpS values for the 'gigpod' captype).
207 static const double TpS_gigpod[] = { 1e9, 0.0, 31250000.0 };
208 #define NUM_NETXRAY_TIMEUNITS_GIGPOD (sizeof TpS_gigpod / sizeof TpS_gigpod[0])
211 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_OTHERPOD.
212 * (Based upon captures reviewed realtick does not contain the
213 * correct TpS values for the 'otherpod' captype).
215 static const double TpS_otherpod[] = { 1e6, 0.0, 1250000.0 };
216 #define NUM_NETXRAY_TIMEUNITS_OTHERPOD (sizeof TpS_otherpod / sizeof TpS_otherpod[0])
219 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_OTHERPOD2.
220 * (Based upon captures reviewed realtick does not contain the
221 * correct TpS values for the 'otherpod2' captype).
223 static const double TpS_otherpod2[] = { 1e6, 0.0, 0.0 };
224 #define NUM_NETXRAY_TIMEUNITS_OTHERPOD2 (sizeof TpS_otherpod2 / sizeof TpS_otherpod2[0])
227 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_GIGPOD2.
228 * (Based upon captures reviewed realtick does not contain the
229 * correct TpS values for the 'gigpod2' captype).
231 static const double TpS_gigpod2[] = { 1e9, 0.0, 20000000.0 };
232 #define NUM_NETXRAY_TIMEUNITS_GIGPOD2 (sizeof TpS_gigpod2 / sizeof TpS_gigpod2[0])
234 /* Version number strings. */
235 static const char vers_1_0[] = {
236 '0', '0', '1', '.', '0', '0', '0', '\0'
239 static const char vers_1_1[] = {
240 '0', '0', '1', '.', '1', '0', '0', '\0'
243 static const char vers_2_000[] = {
244 '0', '0', '2', '.', '0', '0', '0', '\0'
247 static const char vers_2_001[] = {
248 '0', '0', '2', '.', '0', '0', '1', '\0'
251 static const char vers_2_002[] = {
252 '0', '0', '2', '.', '0', '0', '2', '\0'
255 static const char vers_2_003[] = {
256 '0', '0', '2', '.', '0', '0', '3', '\0'
259 /* Old NetXRay data record format - followed by frame data. */
260 struct old_netxrayrec_hdr {
261 guint32 timelo; /* lower 32 bits of time stamp */
262 guint32 timehi; /* upper 32 bits of time stamp */
263 guint16 len; /* packet length */
264 guint8 xxx[6]; /* unknown */
267 /* NetXRay format version 1.x data record format - followed by frame data. */
268 struct netxrayrec_1_x_hdr {
269 guint32 timelo; /* lower 32 bits of time stamp */
270 guint32 timehi; /* upper 32 bits of time stamp */
271 guint16 orig_len; /* packet length */
272 guint16 incl_len; /* capture length */
273 guint8 xxx[16]; /* unknown */
277 * NetXRay format version 2.x data record format - followed by frame data.
279 * The xxx fields appear to be:
281 * xxx[0]: ATM traffic type and subtype in the low 3 bits of
282 * each nibble, and flags(?) in the upper bit of each nibble.
284 * xxx[2], xxx[3]: for Ethernet, 802.11, ISDN LAPD, LAPB,
285 * Frame Relay, if both are 0xff, there are 4 bytes of stuff
286 * at the end of the packet data, which might be an FCS or
287 * which might be junk to discard.
289 * xxx[8], xxx[9]: 2 bytes of a flag word? If treated as
290 * a 2-byte little-endian flag word:
292 * 0x0001: Error of some sort, including bad CRC, although
293 * in one ISDN capture it's set in some B2 channel
294 * packets of unknown content (as opposed to the B1
295 * traffic in the capture, which is PPP)
296 * 0x0004: Some particular type of error?
297 * 0x0008: For (Gigabit?) Ethernet (with special probe?),
298 * 4 bytes at end are junk rather than CRC?
299 * 0x0100: CRC error on ATM? Protected and Not decrypted
301 * 0x0200: Something for ATM? Something else for 802.11?
302 * 0x0400: raw ATM cell
304 * 0x2000: port on which the packet was captured?
306 * The Sniffer Portable 4.8 User's Guide lists a set of packet status
310 * packet was captured from Port A on the pod or adapter card;
311 * packet was captured from Port B on the pod or adapter card;
312 * packet has a symptom or diagnosis associated with it;
313 * packet is an event filter trigger;
314 * CRC error packet with normal packet size;
315 * CRC error packet with oversize error;
316 * packet size < 64 bytes (including CRC) but with valid CRC;
317 * packet size < 64 bytes (including CRC) with CRC error;
318 * packet size > 1518 bytes (including CRC) but with valid CRC;
319 * packet damaged by a collision;
320 * packet length not a multiple of 8 bits;
321 * address conflict in the ring on Token Ring;
322 * packet is not copied (received) by the destination host on
325 * AAL5 maximum segments error;
329 * and a ton of AAL2 errors.
331 * Not all those bits necessarily correspond to flag bits in the file,
334 * In one ATM capture, the 0x2000 bit was set for all frames; in another,
335 * it's unset for all frames. This, plus the ATMbook having two ports,
336 * suggests that it *might* be a "port A vs. port B" flag.
338 * The 0x0001 bit appears to be set for CRC errors on Ethernet and 802.11.
339 * It also appears to be set on ATM for AAL5 PDUs that appear to be
340 * completely reassembled and that have a CRC error and for frames that
341 * appear to be part of a full AAL5 PDU. In at least two files with
342 * frames of the former type, the 0x0100 and 0x0200 flags are set;
343 * in at least one file with frames of the latter type, neither of
344 * those flags are set.
346 * The field appears to be somewhat random in some captures,
349 * xxx[11]: for 802.11, 0x05 if the packet is WEP-encrypted(?).
351 * xxx[12]: for 802.11, channel number.
353 * xxx[13]: for 802.11, data rate.
355 * xxx[14]: for 802.11, signal strength.
357 * xxx[15]: for 802.11, noise level; 0xFF means none reported,
360 * xxx[20-25]: for 802.11, MAC address of sending machine(?).
362 struct netxrayrec_2_x_hdr {
363 guint32 timelo; /* lower 32 bits of time stamp */
364 guint32 timehi; /* upper 32 bits of time stamp */
365 guint16 orig_len; /* packet length */
366 guint16 incl_len; /* capture length */
367 guint8 xxx[28]; /* various data */
371 * Union of the data record headers.
373 union netxrayrec_hdr {
374 struct old_netxrayrec_hdr old_hdr;
375 struct netxrayrec_1_x_hdr hdr_1_x;
376 struct netxrayrec_2_x_hdr hdr_2_x;
381 double ticks_per_sec;
382 double start_timestamp;
388 gboolean fcs_valid; /* if packets have valid FCS at the end */
389 guint isdn_type; /* 1 = E1 PRI, 2 = T1 PRI, 3 = BRI */
392 static gboolean netxray_read(wtap *wth, int *err, gchar **err_info,
393 gint64 *data_offset);
394 static gboolean netxray_seek_read(wtap *wth, gint64 seek_off,
395 wtap_rec *rec, Buffer *buf, int *err, gchar **err_info);
396 static int netxray_process_rec_header(wtap *wth, FILE_T fh,
397 wtap_rec *rec, int *err, gchar **err_info);
398 static void netxray_guess_atm_type(wtap *wth, wtap_rec *rec,
400 static gboolean netxray_dump_1_1(wtap_dumper *wdh,
402 const guint8 *pd, int *err, gchar **err_info);
403 static gboolean netxray_dump_finish_1_1(wtap_dumper *wdh, int *err);
404 static gboolean netxray_dump_2_0(wtap_dumper *wdh,
406 const guint8 *pd, int *err, gchar **err_info);
407 static gboolean netxray_dump_finish_2_0(wtap_dumper *wdh, int *err);
410 netxray_open(wtap *wth, int *err, gchar **err_info)
412 char magic[MAGIC_SIZE];
414 struct netxray_hdr hdr;
416 double ticks_per_sec;
417 int version_major, version_minor;
419 double start_timestamp;
420 static const int netxray_encap[] = {
423 WTAP_ENCAP_TOKEN_RING,
424 WTAP_ENCAP_FDDI_BITSWAPPED,
426 * XXX - some PPP captures may look like Ethernet,
427 * perhaps because they're using NDIS to capture on the
428 * same machine and it provides simulated-Ethernet
429 * packets, but captures taken with various serial
430 * pods use the same network type value but aren't
431 * shaped like Ethernet. We handle that below.
433 WTAP_ENCAP_ETHERNET, /* WAN(PPP), but shaped like Ethernet */
434 WTAP_ENCAP_UNKNOWN, /* LocalTalk */
435 WTAP_ENCAP_UNKNOWN, /* "DIX" - should not occur */
436 WTAP_ENCAP_UNKNOWN, /* ARCNET raw */
437 WTAP_ENCAP_UNKNOWN, /* ARCNET 878.2 */
438 WTAP_ENCAP_ATM_PDUS_UNTRUNCATED,/* ATM */
439 WTAP_ENCAP_IEEE_802_11_WITH_RADIO,
440 /* Wireless WAN with radio information */
441 WTAP_ENCAP_UNKNOWN /* IrDA */
443 #define NUM_NETXRAY_ENCAPS (sizeof netxray_encap / sizeof netxray_encap[0])
448 /* Read in the string that should be at the start of a NetXRay
450 if (!wtap_read_bytes(wth->fh, magic, MAGIC_SIZE, err, err_info)) {
451 if (*err != WTAP_ERR_SHORT_READ)
452 return WTAP_OPEN_ERROR;
453 return WTAP_OPEN_NOT_MINE;
456 if (memcmp(magic, netxray_magic, MAGIC_SIZE) == 0) {
458 } else if (memcmp(magic, old_netxray_magic, MAGIC_SIZE) == 0) {
461 return WTAP_OPEN_NOT_MINE;
464 /* Read the rest of the header. */
465 if (!wtap_read_bytes(wth->fh, &hdr, sizeof hdr, err, err_info))
466 return WTAP_OPEN_ERROR;
471 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_OLD;
473 /* It appears that version 1.1 files (as produced by Windows
474 * Sniffer Pro 2.0.01) have the time stamp in microseconds,
475 * rather than the milliseconds version 1.0 files appear to
478 * It also appears that version 2.00x files have per-packet
479 * headers with some extra fields. */
480 if (memcmp(hdr.version, vers_1_0, sizeof vers_1_0) == 0) {
483 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_1_0;
484 } else if (memcmp(hdr.version, vers_1_1, sizeof vers_1_1) == 0) {
487 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_1_1;
488 } else if (memcmp(hdr.version, vers_2_000, sizeof vers_2_000) == 0) {
491 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_2_00x;
492 } else if (memcmp(hdr.version, vers_2_001, sizeof vers_2_001) == 0) {
495 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_2_00x;
496 } else if (memcmp(hdr.version, vers_2_002, sizeof vers_2_002) == 0) {
499 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_2_00x;
500 } else if (memcmp(hdr.version, vers_2_003, sizeof vers_2_003) == 0) {
503 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_2_00x;
505 *err = WTAP_ERR_UNSUPPORTED;
506 *err_info = g_strdup_printf("netxray: version \"%.8s\" unsupported", hdr.version);
507 return WTAP_OPEN_ERROR;
511 switch (hdr.network_plus) {
515 * The byte after hdr.network is usually 0, in which case
516 * the hdr.network byte is an NDIS network type value - 1.
518 network_type = hdr.network + 1;
523 * However, in some Ethernet captures, it's 2, and the
524 * hdr.network byte is 1 rather than 0. We assume
525 * that if there's a byte after hdr.network with the value
526 * 2, the hdr.network byte is an NDIS network type, rather
527 * than an NDIS network type - 1.
529 network_type = hdr.network;
533 *err = WTAP_ERR_UNSUPPORTED;
534 *err_info = g_strdup_printf("netxray: the byte after the network type has the value %u, which I don't understand",
536 return WTAP_OPEN_ERROR;
539 if (network_type >= NUM_NETXRAY_ENCAPS
540 || netxray_encap[network_type] == WTAP_ENCAP_UNKNOWN) {
541 *err = WTAP_ERR_UNSUPPORTED;
542 *err_info = g_strdup_printf("netxray: network type %u (%u) unknown or unsupported",
543 network_type, hdr.network_plus);
544 return WTAP_OPEN_ERROR;
548 * Figure out the time stamp units and start time stamp.
550 start_timestamp = (double)pletoh32(&hdr.timelo)
551 + (double)pletoh32(&hdr.timehi)*4294967296.0;
554 case WTAP_FILE_TYPE_SUBTYPE_NETXRAY_OLD:
555 ticks_per_sec = 1000.0;
556 wth->file_tsprec = WTAP_TSPREC_MSEC;
559 case WTAP_FILE_TYPE_SUBTYPE_NETXRAY_1_0:
560 ticks_per_sec = 1000.0;
561 wth->file_tsprec = WTAP_TSPREC_MSEC;
564 case WTAP_FILE_TYPE_SUBTYPE_NETXRAY_1_1:
566 * In version 1.1 files (as produced by Windows Sniffer
567 * Pro 2.0.01), the time stamp is in microseconds,
568 * rather than the milliseconds time stamps in NetXRay
569 * and older versions of Windows Sniffer.
571 ticks_per_sec = 1000000.0;
572 wth->file_tsprec = WTAP_TSPREC_USEC;
575 case WTAP_FILE_TYPE_SUBTYPE_NETXRAY_2_00x:
577 * Get the time stamp units from the appropriate TpS
578 * table or from the file header.
580 switch (network_type) {
584 * Ethernet - the table to use depends on whether
585 * this is an NDIS or pod capture.
587 switch (hdr.captype) {
590 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS) {
591 *err = WTAP_ERR_UNSUPPORTED;
592 *err_info = g_strdup_printf(
593 "netxray: Unknown timeunit %u for Ethernet/CAPTYPE_NDIS version %.8s capture",
594 hdr.timeunit, hdr.version);
595 return WTAP_OPEN_ERROR;
598 XXX: 05/29/07: Use 'realtick' instead of TpS table if timeunit=2;
599 Using 'realtick' in this case results
600 in the correct 'ticks per second' for all the captures that
601 I have of this type (including captures from a number of Wireshark
604 if (hdr.timeunit == 2) {
605 ticks_per_sec = pletoh32(hdr.realtick);
608 ticks_per_sec = TpS[hdr.timeunit];
612 case ETH_CAPTYPE_GIGPOD:
613 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_GIGPOD
614 || TpS_gigpod[hdr.timeunit] == 0.0) {
615 *err = WTAP_ERR_UNSUPPORTED;
616 *err_info = g_strdup_printf(
617 "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_GIGPOD version %.8s capture",
618 hdr.timeunit, hdr.version);
619 return WTAP_OPEN_ERROR;
621 ticks_per_sec = TpS_gigpod[hdr.timeunit];
624 * At least for 002.002 and 002.003
625 * captures, the start time stamp is 0,
626 * not the value in the file.
628 if (version_minor == 2 || version_minor == 3)
629 start_timestamp = 0.0;
632 case ETH_CAPTYPE_OTHERPOD:
633 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_OTHERPOD
634 || TpS_otherpod[hdr.timeunit] == 0.0) {
635 *err = WTAP_ERR_UNSUPPORTED;
636 *err_info = g_strdup_printf(
637 "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_OTHERPOD version %.8s capture",
638 hdr.timeunit, hdr.version);
639 return WTAP_OPEN_ERROR;
641 ticks_per_sec = TpS_otherpod[hdr.timeunit];
644 * At least for 002.002 and 002.003
645 * captures, the start time stamp is 0,
646 * not the value in the file.
648 if (version_minor == 2 || version_minor == 3)
649 start_timestamp = 0.0;
652 case ETH_CAPTYPE_OTHERPOD2:
653 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_OTHERPOD2
654 || TpS_otherpod2[hdr.timeunit] == 0.0) {
655 *err = WTAP_ERR_UNSUPPORTED;
656 *err_info = g_strdup_printf(
657 "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_OTHERPOD2 version %.8s capture",
658 hdr.timeunit, hdr.version);
659 return WTAP_OPEN_ERROR;
661 ticks_per_sec = TpS_otherpod2[hdr.timeunit];
663 * XXX: start time stamp in the one capture file examined of this type was 0;
664 * We'll assume the start time handling is the same as for other pods.
666 * At least for 002.002 and 002.003
667 * captures, the start time stamp is 0,
668 * not the value in the file.
670 if (version_minor == 2 || version_minor == 3)
671 start_timestamp = 0.0;
674 case ETH_CAPTYPE_GIGPOD2:
675 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_GIGPOD2
676 || TpS_gigpod2[hdr.timeunit] == 0.0) {
677 *err = WTAP_ERR_UNSUPPORTED;
678 *err_info = g_strdup_printf(
679 "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_GIGPOD2 version %.8s capture",
680 hdr.timeunit, hdr.version);
681 return WTAP_OPEN_ERROR;
683 ticks_per_sec = TpS_gigpod2[hdr.timeunit];
685 * XXX: start time stamp in the one capture file examined of this type was 0;
686 * We'll assume the start time handling is the same as for other pods.
688 * At least for 002.002 and 002.003
689 * captures, the start time stamp is 0,
690 * not the value in the file.
692 if (version_minor == 2 || version_minor == 3)
693 start_timestamp = 0.0;
697 *err = WTAP_ERR_UNSUPPORTED;
698 *err_info = g_strdup_printf(
699 "netxray: Unknown capture type %u for Ethernet version %.8s capture",
700 hdr.captype, hdr.version);
701 return WTAP_OPEN_ERROR;
706 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS) {
707 *err = WTAP_ERR_UNSUPPORTED;
708 *err_info = g_strdup_printf(
709 "netxray: Unknown timeunit %u for %u/%u version %.8s capture",
710 hdr.timeunit, network_type, hdr.captype,
712 return WTAP_OPEN_ERROR;
714 ticks_per_sec = TpS[hdr.timeunit];
719 * If the number of ticks per second is greater than
720 * 1 million, make the precision be nanoseconds rather
723 * XXX - do values only slightly greater than one million
724 * correspond to a resolution sufficiently better than
725 * 1 microsecond to display more digits of precision?
726 * XXX - Seems reasonable to use nanosecs only if TPS >= 10M
728 if (ticks_per_sec >= 1e7)
729 wth->file_tsprec = WTAP_TSPREC_NSEC;
731 wth->file_tsprec = WTAP_TSPREC_USEC;
735 g_assert_not_reached();
738 start_timestamp = start_timestamp/ticks_per_sec;
740 if (network_type == 4) {
742 * In version 0 and 1, we assume, for now, that all
743 * WAN captures have frames that look like Ethernet
744 * frames (as a result, presumably, of having passed
747 * In version 2, it looks as if there's stuff in the
748 * file header to specify what particular type of WAN
751 if (version_major == 2) {
752 switch (hdr.captype) {
754 case WAN_CAPTYPE_PPP:
758 file_encap = WTAP_ENCAP_PPP_WITH_PHDR;
761 case WAN_CAPTYPE_FRELAY:
765 * XXX - in at least one capture, this
766 * is Cisco HDLC, not Frame Relay, but
767 * in another capture, it's Frame Relay.
769 * [Bytes in each capture:
770 * Cisco HDLC: hdr.xxx_x60[06:10]: 0x02 0x00 0x01 0x00 0x06
771 * Frame Relay: hdr.xxx_x60[06:10] 0x00 0x00 0x00 0x00 0x00
773 * Cisco HDLC: hdr.xxx_x60[14:15]: 0xff 0xff
774 * Frame Relay: hdr.xxx_x60[14:15]: 0x00 0x00
777 file_encap = WTAP_ENCAP_FRELAY_WITH_PHDR;
780 case WAN_CAPTYPE_HDLC:
781 case WAN_CAPTYPE_HDLC2:
783 * Various HDLC flavors?
785 switch (hdr.wan_hdlc_subsub_captype) {
787 case 0: /* LAPB/X.25 */
789 * XXX - at least one capture of
790 * this type appears to be PPP.
792 file_encap = WTAP_ENCAP_LAPB;
798 file_encap = WTAP_ENCAP_ISDN;
799 isdn_type = hdr.wan_hdlc_subsub_captype;
803 *err = WTAP_ERR_UNSUPPORTED;
804 *err_info = g_strdup_printf("netxray: WAN HDLC capture subsubtype 0x%02x unknown or unsupported",
805 hdr.wan_hdlc_subsub_captype);
806 return WTAP_OPEN_ERROR;
810 case WAN_CAPTYPE_SDLC:
814 file_encap = WTAP_ENCAP_SDLC;
817 case WAN_CAPTYPE_CHDLC:
819 * Cisco router (CHDLC) captured with pod
821 file_encap = WTAP_ENCAP_CHDLC_WITH_PHDR;
825 *err = WTAP_ERR_UNSUPPORTED;
826 *err_info = g_strdup_printf("netxray: WAN capture subtype 0x%02x unknown or unsupported",
828 return WTAP_OPEN_ERROR;
831 file_encap = WTAP_ENCAP_ETHERNET;
833 file_encap = netxray_encap[network_type];
835 /* This is a netxray file */
836 wth->file_type_subtype = file_type;
837 netxray = (netxray_t *)g_malloc(sizeof(netxray_t));
838 wth->priv = (void *)netxray;
839 wth->subtype_read = netxray_read;
840 wth->subtype_seek_read = netxray_seek_read;
841 wth->file_encap = file_encap;
842 wth->snapshot_length = 0; /* not available in header */
843 netxray->start_time = pletoh32(&hdr.start_time);
844 netxray->ticks_per_sec = ticks_per_sec;
845 netxray->start_timestamp = start_timestamp;
846 netxray->version_major = version_major;
849 * If frames have an extra 4 bytes of stuff at the end, is
850 * it an FCS, or just junk?
852 netxray->fcs_valid = FALSE;
853 switch (file_encap) {
855 case WTAP_ENCAP_ETHERNET:
856 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
857 case WTAP_ENCAP_ISDN:
858 case WTAP_ENCAP_LAPB:
860 * It appears that, in at least some version 2 Ethernet
861 * captures, for frames that have 0xff in hdr_2_x.xxx[2]
862 * and hdr_2_x.xxx[3] in the per-packet header:
864 * if, in the file header, hdr.realtick[1] is 0x34
865 * and hdr.realtick[2] is 0x12, the frames have an
868 * otherwise, they have 4 bytes of junk at the end.
870 * Yes, it's strange that you have to check the *middle*
871 * of the time stamp field; you can't check for any
872 * particular value of the time stamp field.
874 * For now, we assume that to be true for 802.11 captures
875 * as well; it appears to be the case for at least one
876 * such capture - the file doesn't have 0x34 and 0x12,
877 * and the 4 bytes at the end of the frames with 0xff
878 * are junk, not an FCS.
880 * For ISDN captures, it appears, at least in some
881 * captures, to be similar, although I haven't yet
882 * checked whether it's a valid FCS.
884 * XXX - should we do this for all encapsulation types?
886 * XXX - is there some other field that *really* indicates
887 * whether we have an FCS or not? The check of the time
888 * stamp is bizarre, as we're checking the middle.
889 * Perhaps hdr.realtick[0] is 0x00, in which case time
890 * stamp units in the range 1192960 through 1193215
891 * correspond to captures with an FCS, but that's still
894 * Note that there are captures with a network type of 0
895 * (Ethernet) and capture type of 0 (NDIS) that do, and
896 * that don't, have 0x34 0x12 in them, and at least one
897 * of the NDIS captures with 0x34 0x12 in it has FCSes,
898 * so it's not as if no NDIS captures have an FCS.
900 * There are also captures with a network type of 4 (WAN),
901 * capture type of 6 (HDLC), and subtype of 2 (T1 PRI) that
902 * do, and that don't, have 0x34 0x12, so there are at least
903 * some captures taken with a WAN pod that might lack an FCS.
904 * (We haven't yet tried dissecting the 4 bytes at the
905 * end of packets with hdr_2_x.xxx[2] and hdr_2_x.xxx[3]
906 * equal to 0xff as an FCS.)
908 * All captures I've seen that have 0x34 and 0x12 *and*
909 * have at least one frame with an FCS have a value of
910 * 0x01 in xxx_x40[4]. No captures I've seen with a network
911 * type of 0 (Ethernet) missing 0x34 0x12 have 0x01 there,
912 * however. However, there's at least one capture
913 * without 0x34 and 0x12, with a network type of 0,
914 * and with 0x01 in xxx_x40[4], *without* FCSes in the
915 * frames - the 4 bytes at the end are all zero - so it's
916 * not as simple as "xxx_x40[4] = 0x01 means the 4 bytes at
917 * the end are FCSes". Also, there's also at least one
918 * 802.11 capture with an xxx_x40[4] value of 0x01 with junk
919 * rather than an FCS at the end of the frame, so xxx_x40[4]
920 * isn't an obvious flag to determine whether the
923 * There don't seem to be any other values in any of the
924 * xxx_x5..., xxx_x6...., xxx_x7.... fields
925 * that obviously correspond to frames having an FCS.
927 * 05/29/07: Examination of numerous sniffer captures suggests
928 * that the apparent correlation of certain realtick
929 * bytes to 'FCS presence' may actually be
930 * a 'false positive'.
931 * ToDo: Review analysis and update code.
932 * It might be that the ticks-per-second value
933 * is hardware-dependent, and that hardware with
934 * a particular realtick value puts an FCS there
935 * and other hardware doesn't.
937 if (version_major == 2) {
938 if (hdr.realtick[1] == 0x34 && hdr.realtick[2] == 0x12)
939 netxray->fcs_valid = TRUE;
945 * Remember the ISDN type, as we need it to interpret the
946 * channel number in ISDN captures.
948 netxray->isdn_type = isdn_type;
950 /* Remember the offset after the last packet in the capture (which
951 * isn't necessarily the last packet in the file), as it appears
952 * there's sometimes crud after it.
953 * XXX: Remember 'start_offset' to help testing for 'short file' at EOF
955 netxray->wrapped = FALSE;
956 netxray->nframes = pletoh32(&hdr.nframes);
957 netxray->start_offset = pletoh32(&hdr.start_offset);
958 netxray->end_offset = pletoh32(&hdr.end_offset);
960 /* Seek to the beginning of the data records. */
961 if (file_seek(wth->fh, netxray->start_offset, SEEK_SET, err) == -1) {
962 return WTAP_OPEN_ERROR;
965 return WTAP_OPEN_MINE;
968 /* Read the next packet */
970 netxray_read(wtap *wth, int *err, gchar **err_info,
973 netxray_t *netxray = (netxray_t *)wth->priv;
978 * Return the offset of the record header, so we can reread it
979 * if we go back to this frame.
981 *data_offset = file_tell(wth->fh);
983 /* Have we reached the end of the packet data? */
984 if (*data_offset == netxray->end_offset) {
986 *err = 0; /* it's just an EOF, not an error */
990 /* Read and process record header. */
991 padding = netxray_process_rec_header(wth, wth->fh, &wth->rec, err,
999 * Error of some sort; give up.
1004 /* We're at EOF. Wrap?
1005 * XXX: Need to handle 'short file' cases
1006 * (Distributed Sniffer seems to have a
1007 * certain small propensity to generate 'short' files
1008 * i.e. [many] bytes are missing from the end of the file)
1009 * case 1: start_offset < end_offset
1010 * wrap will read already read packets again;
1011 * so: error with "short file"
1012 * case 2: start_offset > end_offset ("circular" file)
1013 * wrap will mean there's a gap (missing packets).
1014 * However, I don't see a good way to identify this
1015 * case so we'll just have to allow the wrap.
1016 * (Maybe there can be an error message after all
1017 * packets are read since there'll be less packets than
1018 * specified in the file header).
1019 * Note that these cases occur *only* if a 'short' eof occurs exactly
1020 * at the expected beginning of a frame header record; If there is a
1021 * partial frame header (or partial frame data) record, then the
1022 * netxray_read... functions will detect the short record.
1024 if (netxray->start_offset < netxray->end_offset) {
1025 *err = WTAP_ERR_SHORT_READ;
1029 if (!netxray->wrapped) {
1030 /* Yes. Remember that we did. */
1031 netxray->wrapped = TRUE;
1032 if (file_seek(wth->fh, CAPTUREFILE_HEADER_SIZE,
1033 SEEK_SET, err) == -1)
1038 /* We've already wrapped - don't wrap again. */
1043 * Read the packet data.
1045 if (!wtap_read_packet_bytes(wth->fh, wth->rec_data,
1046 wth->rec.rec_header.packet_header.caplen, err, err_info))
1050 * If there's extra stuff at the end of the record, skip it.
1052 if (!wtap_read_bytes(wth->fh, NULL, padding, err, err_info))
1056 * If it's an ATM packet, and we don't have enough information
1057 * from the packet header to determine its type or subtype,
1058 * attempt to guess them from the packet data.
1060 netxray_guess_atm_type(wth, &wth->rec, wth->rec_data);
1065 netxray_seek_read(wtap *wth, gint64 seek_off,
1066 wtap_rec *rec, Buffer *buf,
1067 int *err, gchar **err_info)
1069 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
1072 if (netxray_process_rec_header(wth, wth->random_fh, rec, err,
1076 * EOF - we report that as a short read, as
1077 * we've read this once and know that it
1080 *err = WTAP_ERR_SHORT_READ;
1086 * Read the packet data.
1088 if (!wtap_read_packet_bytes(wth->random_fh, buf, rec->rec_header.packet_header.caplen, err,
1093 * If it's an ATM packet, and we don't have enough information
1094 * from the packet header to determine its type or subtype,
1095 * attempt to guess them from the packet data.
1097 netxray_guess_atm_type(wth, rec, buf);
1102 netxray_process_rec_header(wtap *wth, FILE_T fh, wtap_rec *rec,
1103 int *err, gchar **err_info)
1105 netxray_t *netxray = (netxray_t *)wth->priv;
1106 union netxrayrec_hdr hdr;
1112 /* Read record header. */
1113 switch (netxray->version_major) {
1116 hdr_size = sizeof (struct old_netxrayrec_hdr);
1120 hdr_size = sizeof (struct netxrayrec_1_x_hdr);
1124 hdr_size = sizeof (struct netxrayrec_2_x_hdr);
1127 if (!wtap_read_bytes_or_eof(fh, (void *)&hdr, hdr_size, err, err_info)) {
1129 * If *err is 0, we're at EOF. *err being 0 and a return
1130 * value of -1 tells our caller we're at EOF.
1132 * Otherwise, we got an error, and *err *not* being 0
1133 * and a return value tells our caller we have an error.
1139 * If this is Ethernet, 802.11, ISDN, X.25, or ATM, set the
1142 switch (netxray->version_major) {
1145 switch (wth->file_encap) {
1147 case WTAP_ENCAP_ETHERNET:
1149 * XXX - if hdr_1_x.xxx[15] is 1
1150 * the frame appears not to have any extra
1151 * stuff at the end, but if it's 0,
1152 * there appears to be 4 bytes of stuff
1153 * at the end, but it's not an FCS.
1155 * Or is that just the low-order bit?
1157 * For now, we just say "no FCS".
1159 rec->rec_header.packet_header.pseudo_header.eth.fcs_len = 0;
1165 switch (wth->file_encap) {
1167 case WTAP_ENCAP_ETHERNET:
1169 * It appears, at least with version 2 captures,
1170 * that we have 4 bytes of stuff (which might be
1171 * a valid FCS or might be junk) at the end of
1172 * the packet if hdr_2_x.xxx[2] and
1173 * hdr_2_x.xxx[3] are 0xff, and we don't if
1176 * It also appears that if the low-order bit of
1177 * hdr_2_x.xxx[8] is set, the packet has a
1180 if (hdr.hdr_2_x.xxx[2] == 0xff &&
1181 hdr.hdr_2_x.xxx[3] == 0xff) {
1183 * We have 4 bytes of stuff at the
1184 * end of the frame - FCS, or junk?
1186 if (netxray->fcs_valid) {
1190 rec->rec_header.packet_header.pseudo_header.eth.fcs_len = 4;
1198 rec->rec_header.packet_header.pseudo_header.eth.fcs_len = 0;
1201 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
1203 * It appears, in one 802.11 capture, that
1204 * we have 4 bytes of junk at the ends of
1205 * frames in which hdr_2_x.xxx[2] and
1206 * hdr_2_x.xxx[3] are 0xff; I haven't
1207 * seen any frames where it's an FCS, but,
1208 * for now, we still check the fcs_valid
1209 * flag - I also haven't seen any capture
1210 * where we'd set it based on the realtick
1213 * It also appears that if the low-order bit of
1214 * hdr_2_x.xxx[8] is set, the packet has a
1215 * bad FCS. According to Ken Mann, the 0x4 bit
1216 * is sometimes also set for errors.
1218 * Ken also says that xxx[11] is 0x5 when the
1219 * packet is WEP-encrypted.
1221 memset(&rec->rec_header.packet_header.pseudo_header.ieee_802_11, 0, sizeof(rec->rec_header.packet_header.pseudo_header.ieee_802_11));
1222 if (hdr.hdr_2_x.xxx[2] == 0xff &&
1223 hdr.hdr_2_x.xxx[3] == 0xff) {
1225 * We have 4 bytes of stuff at the
1226 * end of the frame - FCS, or junk?
1228 if (netxray->fcs_valid) {
1232 rec->rec_header.packet_header.pseudo_header.ieee_802_11.fcs_len = 4;
1240 rec->rec_header.packet_header.pseudo_header.ieee_802_11.fcs_len = 0;
1242 rec->rec_header.packet_header.pseudo_header.ieee_802_11.decrypted = FALSE;
1243 rec->rec_header.packet_header.pseudo_header.ieee_802_11.datapad = FALSE;
1244 rec->rec_header.packet_header.pseudo_header.ieee_802_11.phy = PHDR_802_11_PHY_UNKNOWN;
1247 * XXX - any other information, such as PHY
1248 * type, frequency, 11n/11ac information,
1251 rec->rec_header.packet_header.pseudo_header.ieee_802_11.has_channel = TRUE;
1252 rec->rec_header.packet_header.pseudo_header.ieee_802_11.channel =
1253 hdr.hdr_2_x.xxx[12];
1255 rec->rec_header.packet_header.pseudo_header.ieee_802_11.has_data_rate = TRUE;
1256 rec->rec_header.packet_header.pseudo_header.ieee_802_11.data_rate =
1257 hdr.hdr_2_x.xxx[13];
1259 rec->rec_header.packet_header.pseudo_header.ieee_802_11.has_signal_percent = TRUE;
1260 rec->rec_header.packet_header.pseudo_header.ieee_802_11.signal_percent =
1261 hdr.hdr_2_x.xxx[14];
1264 * According to Ken Mann, at least in the captures
1265 * he's seen, xxx[15] is the noise level, which
1266 * is either 0xFF meaning "none reported" or a value
1267 * from 0x00 to 0x7F for 0 to 100%.
1269 if (hdr.hdr_2_x.xxx[15] != 0xFF) {
1270 rec->rec_header.packet_header.pseudo_header.ieee_802_11.has_noise_percent = TRUE;
1271 rec->rec_header.packet_header.pseudo_header.ieee_802_11.noise_percent =
1272 hdr.hdr_2_x.xxx[15]*100/127;
1276 case WTAP_ENCAP_ISDN:
1280 * The bottommost bit of byte 12 of hdr_2_x.xxx
1281 * is the direction flag.
1283 * The bottom 5 bits of byte 13 of hdr_2_x.xxx
1284 * are the channel number, but some mapping is
1285 * required for PRI. (Is it really just the time
1288 rec->rec_header.packet_header.pseudo_header.isdn.uton =
1289 (hdr.hdr_2_x.xxx[12] & 0x01);
1290 rec->rec_header.packet_header.pseudo_header.isdn.channel =
1291 hdr.hdr_2_x.xxx[13] & 0x1F;
1292 switch (netxray->isdn_type) {
1296 * E1 PRI. Channel numbers 0 and 16
1297 * are the D channel; channel numbers 1
1298 * through 15 are B1 through B15; channel
1299 * numbers 17 through 31 are B16 through
1302 if (rec->rec_header.packet_header.pseudo_header.isdn.channel == 16)
1303 rec->rec_header.packet_header.pseudo_header.isdn.channel = 0;
1304 else if (rec->rec_header.packet_header.pseudo_header.isdn.channel > 16)
1305 rec->rec_header.packet_header.pseudo_header.isdn.channel -= 1;
1310 * T1 PRI. Channel numbers 0 and 24
1311 * are the D channel; channel numbers 1
1312 * through 23 are B1 through B23.
1314 if (rec->rec_header.packet_header.pseudo_header.isdn.channel == 24)
1315 rec->rec_header.packet_header.pseudo_header.isdn.channel = 0;
1316 else if (rec->rec_header.packet_header.pseudo_header.isdn.channel > 24)
1317 rec->rec_header.packet_header.pseudo_header.isdn.channel -= 1;
1322 * It appears, at least with version 2 captures,
1323 * that we have 4 bytes of stuff (which might be
1324 * a valid FCS or might be junk) at the end of
1325 * the packet if hdr_2_x.xxx[2] and
1326 * hdr_2_x.xxx[3] are 0xff, and we don't if
1329 * XXX - does the low-order bit of hdr_2_x.xxx[8]
1330 * indicate a bad FCS, as is the case with
1333 if (hdr.hdr_2_x.xxx[2] == 0xff &&
1334 hdr.hdr_2_x.xxx[3] == 0xff) {
1336 * FCS, or junk, at the end.
1337 * XXX - is it an FCS if "fcs_valid" is
1344 case WTAP_ENCAP_LAPB:
1345 case WTAP_ENCAP_FRELAY_WITH_PHDR:
1347 * LAPB/X.25 and Frame Relay.
1349 * The bottommost bit of byte 12 of hdr_2_x.xxx
1350 * is the direction flag. (Probably true for other
1351 * HDLC encapsulations as well.)
1353 rec->rec_header.packet_header.pseudo_header.dte_dce.flags =
1354 (hdr.hdr_2_x.xxx[12] & 0x01) ? 0x00 : FROM_DCE;
1357 * It appears, at least with version 2 captures,
1358 * that we have 4 bytes of stuff (which might be
1359 * a valid FCS or might be junk) at the end of
1360 * the packet if hdr_2_x.xxx[2] and
1361 * hdr_2_x.xxx[3] are 0xff, and we don't if
1364 * XXX - does the low-order bit of hdr_2_x.xxx[8]
1365 * indicate a bad FCS, as is the case with
1368 if (hdr.hdr_2_x.xxx[2] == 0xff &&
1369 hdr.hdr_2_x.xxx[3] == 0xff) {
1371 * FCS, or junk, at the end.
1372 * XXX - is it an FCS if "fcs_valid" is
1379 case WTAP_ENCAP_PPP_WITH_PHDR:
1380 case WTAP_ENCAP_SDLC:
1381 case WTAP_ENCAP_CHDLC_WITH_PHDR:
1382 rec->rec_header.packet_header.pseudo_header.p2p.sent =
1383 (hdr.hdr_2_x.xxx[12] & 0x01) ? TRUE : FALSE;
1386 case WTAP_ENCAP_ATM_PDUS_UNTRUNCATED:
1388 * XXX - the low-order bit of hdr_2_x.xxx[8]
1389 * seems to indicate some sort of error. In
1390 * at least one capture, a number of packets
1391 * have that flag set, and they appear either
1392 * to be the beginning part of an incompletely
1393 * reassembled AAL5 PDU, with either checksum
1394 * errors at higher levels (possibly due to
1395 * the packet being reported as shorter than
1396 * it actually is, and checksumming failing
1397 * because it doesn't include all the data)
1398 * or "Malformed frame" errors from being
1399 * too short, or appear to be later parts
1400 * of an incompletely reassembled AAL5 PDU
1401 * with the last one in a sequence of errors
1402 * having what looks like an AAL5 trailer,
1403 * with a length and checksum.
1405 * Does it just mean "reassembly failed",
1406 * as appears to be the case in those
1407 * packets, or does it mean "CRC error"
1408 * at the AAL5 layer (which would be the
1409 * case if you were treating an incompletely
1410 * reassembled PDU as a completely reassembled
1411 * PDU, although you'd also expect a length
1412 * error in that case), or does it mean
1413 * "generic error", with some other flag
1414 * or flags indicating what particular
1415 * error occurred? The documentation
1416 * for Sniffer Pro 4.7 indicates a bunch
1417 * of different error types, both in general
1418 * and for ATM in particular.
1420 * No obvious bits in hdr_2_x.xxx appear
1421 * to be additional flags of that sort.
1423 * XXX - in that capture, I see several
1424 * reassembly errors in a row; should those
1425 * packets be reassembled in the ATM dissector?
1426 * What happens if a reassembly fails because
1429 rec->rec_header.packet_header.pseudo_header.atm.flags = 0;
1430 if (hdr.hdr_2_x.xxx[8] & 0x01)
1431 rec->rec_header.packet_header.pseudo_header.atm.flags |= ATM_REASSEMBLY_ERROR;
1433 * XXX - is 0x08 an "OAM cell" flag?
1434 * Are the 0x01 and 0x02 bits error indications?
1435 * Some packets in one capture that have the
1436 * 0x01 bit set in hdr_2_x.xxx[8] and that
1437 * appear to have been reassembled completely
1438 * but have a bad CRC have 0x03 in hdr_2_x.xxx[9]
1439 * (and don't have the 0x20 bit set).
1441 * In the capture with incomplete reassemblies,
1442 * all packets have the 0x20 bit set. In at
1443 * least some of the captures with complete
1444 * reassemblies with CRC errors, no packets
1445 * have the 0x20 bit set.
1447 * Are hdr_2_x.xxx[8] and hdr_2_x.xxx[9] a 16-bit
1450 if (hdr.hdr_2_x.xxx[9] & 0x04)
1451 rec->rec_header.packet_header.pseudo_header.atm.flags |= ATM_RAW_CELL;
1452 rec->rec_header.packet_header.pseudo_header.atm.vpi = hdr.hdr_2_x.xxx[11];
1453 rec->rec_header.packet_header.pseudo_header.atm.vci = pletoh16(&hdr.hdr_2_x.xxx[12]);
1454 rec->rec_header.packet_header.pseudo_header.atm.channel =
1455 (hdr.hdr_2_x.xxx[15] & 0x10)? 1 : 0;
1456 rec->rec_header.packet_header.pseudo_header.atm.cells = 0;
1459 * XXX - the uppermost bit of hdr_2_xxx[0]
1460 * looks as if it might be a flag of some sort.
1461 * The remaining 3 bits appear to be an AAL
1462 * type - 5 is, surprise surprise, AAL5.
1464 switch (hdr.hdr_2_x.xxx[0] & 0x70) {
1466 case 0x00: /* Unknown */
1467 rec->rec_header.packet_header.pseudo_header.atm.aal = AAL_UNKNOWN;
1468 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_UNKNOWN;
1469 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1472 case 0x10: /* XXX - AAL1? */
1473 rec->rec_header.packet_header.pseudo_header.atm.aal = AAL_UNKNOWN;
1474 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_UNKNOWN;
1475 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1478 case 0x20: /* XXX - AAL2? */
1479 rec->rec_header.packet_header.pseudo_header.atm.aal = AAL_UNKNOWN;
1480 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_UNKNOWN;
1481 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1484 case 0x40: /* XXX - AAL3/4? */
1485 rec->rec_header.packet_header.pseudo_header.atm.aal = AAL_UNKNOWN;
1486 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_UNKNOWN;
1487 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1490 case 0x30: /* XXX - AAL5 cells seen with this */
1491 case 0x50: /* AAL5 (including signalling) */
1492 case 0x60: /* XXX - AAL5 cells seen with this */
1493 case 0x70: /* XXX - AAL5 cells seen with this */
1494 rec->rec_header.packet_header.pseudo_header.atm.aal = AAL_5;
1496 * XXX - is the 0x08 bit of hdr_2_x.xxx[0]
1497 * a flag? I've not yet seen a case where
1500 switch (hdr.hdr_2_x.xxx[0] & 0x07) {
1503 case 0x02: /* Signalling traffic */
1504 rec->rec_header.packet_header.pseudo_header.atm.aal = AAL_SIGNALLING;
1505 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_UNKNOWN;
1506 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1509 case 0x03: /* ILMI */
1510 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_ILMI;
1511 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1518 * I've seen a frame with type
1519 * 0x30 and subtype 0x08 that
1520 * was LANE 802.3, a frame
1521 * with type 0x30 and subtype
1522 * 0x04 that was LANE 802.3,
1523 * and another frame with type
1524 * 0x30 and subtype 0x08 that
1525 * was junk with a string in
1526 * it that had also appeared
1527 * in some CDP and LE Control
1528 * frames, and that was preceded
1529 * by a malformed LE Control
1530 * frame - was that a reassembly
1533 * I've seen frames with type
1534 * 0x50 and subtype 0x0c, some
1535 * of which were LE Control
1536 * frames, and at least one
1537 * of which was neither an LE
1538 * Control frame nor a LANE
1539 * 802.3 frame, and contained
1540 * the string "ForeThought_6.2.1
1541 * Alpha" - does that imply
1542 * FORE's own encapsulation,
1543 * or was this a reassembly failure?
1544 * The latter frame was preceded
1545 * by a malformed LE Control
1548 * I've seen a couple of frames
1549 * with type 0x60 and subtype 0x00,
1550 * one of which was LANE 802.3 and
1551 * one of which was LE Control.
1552 * I've seen one frame with type
1553 * 0x60 and subtype 0x0c, which
1556 * I've seen a couple of frames
1557 * with type 0x70 and subtype 0x00,
1558 * both of which were LANE 802.3.
1560 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_LANE;
1561 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1564 case 0x06: /* XXX - not seen yet */
1565 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_UNKNOWN;
1566 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1569 case 0x07: /* LLC multiplexed */
1570 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_LLCMX; /* XXX */
1571 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN; /* XXX */
1581 rec->rec_type = REC_TYPE_PACKET;
1582 if (netxray->version_major == 0) {
1583 rec->presence_flags = WTAP_HAS_TS;
1584 t = (double)pletoh32(&hdr.old_hdr.timelo)
1585 + (double)pletoh32(&hdr.old_hdr.timehi)*4294967296.0;
1586 t /= netxray->ticks_per_sec;
1587 t -= netxray->start_timestamp;
1588 rec->ts.secs = netxray->start_time + (long)t;
1589 rec->ts.nsecs = (int)((t-(double)(unsigned long)(t))
1592 * We subtract the padding from the packet size, so our caller
1595 packet_size = pletoh16(&hdr.old_hdr.len);
1596 rec->rec_header.packet_header.caplen = packet_size - padding;
1597 rec->rec_header.packet_header.len = rec->rec_header.packet_header.caplen;
1599 rec->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
1600 t = (double)pletoh32(&hdr.hdr_1_x.timelo)
1601 + (double)pletoh32(&hdr.hdr_1_x.timehi)*4294967296.0;
1602 t /= netxray->ticks_per_sec;
1603 t -= netxray->start_timestamp;
1604 rec->ts.secs = netxray->start_time + (time_t)t;
1605 rec->ts.nsecs = (int)((t-(double)(unsigned long)(t))
1608 * We subtract the padding from the packet size, so our caller
1611 packet_size = pletoh16(&hdr.hdr_1_x.incl_len);
1612 rec->rec_header.packet_header.caplen = packet_size - padding;
1613 rec->rec_header.packet_header.len = pletoh16(&hdr.hdr_1_x.orig_len) - padding;
1620 netxray_guess_atm_type(wtap *wth, wtap_rec *rec, Buffer *buf)
1624 if (wth->file_encap == WTAP_ENCAP_ATM_PDUS_UNTRUNCATED &&
1625 !(rec->rec_header.packet_header.pseudo_header.atm.flags & ATM_REASSEMBLY_ERROR)) {
1626 if (rec->rec_header.packet_header.pseudo_header.atm.aal == AAL_UNKNOWN) {
1628 * Try to guess the type and subtype based
1629 * on the VPI/VCI and packet contents.
1631 pd = ws_buffer_start_ptr(buf);
1632 atm_guess_traffic_type(rec, pd);
1633 } else if (rec->rec_header.packet_header.pseudo_header.atm.aal == AAL_5 &&
1634 rec->rec_header.packet_header.pseudo_header.atm.type == TRAF_LANE) {
1636 * Try to guess the subtype based on the
1639 pd = ws_buffer_start_ptr(buf);
1640 atm_guess_lane_type(rec, pd);
1646 gboolean first_frame;
1651 static const struct {
1652 int wtap_encap_value;
1654 } wtap_encap_1_1[] = {
1655 { WTAP_ENCAP_ETHERNET, 0 }, /* -> NDIS Ethernet */
1656 { WTAP_ENCAP_TOKEN_RING, 1 }, /* -> NDIS Token Ring */
1657 { WTAP_ENCAP_FDDI, 2 }, /* -> NDIS FDDI */
1658 { WTAP_ENCAP_FDDI_BITSWAPPED, 2 }, /* -> NDIS FDDI */
1660 #define NUM_WTAP_ENCAPS_1_1 (sizeof wtap_encap_1_1 / sizeof wtap_encap_1_1[0])
1663 wtap_encap_to_netxray_1_1_encap(int encap)
1667 for (i = 0; i < NUM_WTAP_ENCAPS_1_1; i++) {
1668 if (encap == wtap_encap_1_1[i].wtap_encap_value)
1669 return wtap_encap_1_1[i].ndis_value;
1675 /* Returns 0 if we could write the specified encapsulation type,
1676 an error indication otherwise. */
1678 netxray_dump_can_write_encap_1_1(int encap)
1680 /* Per-packet encapsulations aren't supported. */
1681 if (encap == WTAP_ENCAP_PER_PACKET)
1682 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
1684 if (wtap_encap_to_netxray_1_1_encap(encap) == -1)
1685 return WTAP_ERR_UNWRITABLE_ENCAP;
1690 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
1693 netxray_dump_open_1_1(wtap_dumper *wdh, int *err)
1695 netxray_dump_t *netxray;
1697 wdh->subtype_write = netxray_dump_1_1;
1698 wdh->subtype_finish = netxray_dump_finish_1_1;
1700 /* We can't fill in all the fields in the file header, as we
1701 haven't yet written any packets. As we'll have to rewrite
1702 the header when we've written out all the packets, we just
1703 skip over the header for now. */
1704 if (wtap_dump_file_seek(wdh, CAPTUREFILE_HEADER_SIZE, SEEK_SET, err) == -1)
1706 wdh->bytes_dumped += CAPTUREFILE_HEADER_SIZE;
1708 netxray = (netxray_dump_t *)g_malloc(sizeof(netxray_dump_t));
1709 wdh->priv = (void *)netxray;
1710 netxray->first_frame = TRUE;
1711 netxray->start.secs = 0;
1712 netxray->start.nsecs = 0;
1713 netxray->nframes = 0;
1718 /* Write a record for a packet to a dump file.
1719 Returns TRUE on success, FALSE on failure. */
1721 netxray_dump_1_1(wtap_dumper *wdh,
1722 const wtap_rec *rec,
1723 const guint8 *pd, int *err, gchar **err_info _U_)
1725 netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv;
1728 struct netxrayrec_1_x_hdr rec_hdr;
1730 /* We can only write packet records. */
1731 if (rec->rec_type != REC_TYPE_PACKET) {
1732 *err = WTAP_ERR_UNWRITABLE_REC_TYPE;
1736 /* The captured length field is 16 bits, so there's a hard
1738 if (rec->rec_header.packet_header.caplen > 65535) {
1739 *err = WTAP_ERR_PACKET_TOO_LARGE;
1743 /* NetXRay/Windows Sniffer files have a capture start date/time
1744 in the header, in a UNIX-style format, with one-second resolution,
1745 and a start time stamp with microsecond resolution that's just
1746 an arbitrary time stamp relative to some unknown time (boot
1747 time?), and have times relative to the start time stamp in
1748 the packet headers; pick the seconds value of the time stamp
1749 of the first packet as the UNIX-style start date/time, and make
1750 the high-resolution start time stamp 0, with the time stamp of
1751 packets being the delta between the stamp of the packet and
1752 the stamp of the first packet with the microseconds part 0. */
1753 if (netxray->first_frame) {
1754 netxray->first_frame = FALSE;
1755 netxray->start = rec->ts;
1758 /* build the header for each packet */
1759 memset(&rec_hdr, '\0', sizeof(rec_hdr));
1760 timestamp = ((guint64)rec->ts.secs - (guint64)netxray->start.secs)*1000000
1761 + ((guint64)rec->ts.nsecs)/1000;
1762 t32 = (guint32)(timestamp%G_GINT64_CONSTANT(4294967296));
1763 rec_hdr.timelo = GUINT32_TO_LE(t32);
1764 t32 = (guint32)(timestamp/G_GINT64_CONSTANT(4294967296));
1765 rec_hdr.timehi = GUINT32_TO_LE(t32);
1766 rec_hdr.orig_len = GUINT16_TO_LE(rec->rec_header.packet_header.len);
1767 rec_hdr.incl_len = GUINT16_TO_LE(rec->rec_header.packet_header.caplen);
1769 if (!wtap_dump_file_write(wdh, &rec_hdr, sizeof(rec_hdr), err))
1771 wdh->bytes_dumped += sizeof(rec_hdr);
1773 /* write the packet data */
1774 if (!wtap_dump_file_write(wdh, pd, rec->rec_header.packet_header.caplen, err))
1776 wdh->bytes_dumped += rec->rec_header.packet_header.caplen;
1783 /* Finish writing to a dump file.
1784 Returns TRUE on success, FALSE on failure. */
1786 netxray_dump_finish_1_1(wtap_dumper *wdh, int *err)
1788 char hdr_buf[CAPTUREFILE_HEADER_SIZE - sizeof(netxray_magic)];
1789 netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv;
1791 struct netxray_hdr file_hdr;
1793 if (-1 == (filelen = wtap_dump_file_tell(wdh, err)))
1796 /* Go back to beginning */
1797 if (wtap_dump_file_seek(wdh, 0, SEEK_SET, err) == -1)
1800 /* Rewrite the file header. */
1801 if (!wtap_dump_file_write(wdh, netxray_magic, sizeof netxray_magic, err))
1804 /* "sniffer" version ? */
1805 memset(&file_hdr, '\0', sizeof file_hdr);
1806 memcpy(file_hdr.version, vers_1_1, sizeof vers_1_1);
1807 file_hdr.start_time = GUINT32_TO_LE(netxray->start.secs);
1808 file_hdr.nframes = GUINT32_TO_LE(netxray->nframes);
1809 file_hdr.start_offset = GUINT32_TO_LE(CAPTUREFILE_HEADER_SIZE);
1810 /* XXX - large files? */
1811 file_hdr.end_offset = GUINT32_TO_LE((guint32)filelen);
1812 file_hdr.network = wtap_encap_to_netxray_1_1_encap(wdh->encap);
1813 file_hdr.timelo = GUINT32_TO_LE(0);
1814 file_hdr.timehi = GUINT32_TO_LE(0);
1816 memset(hdr_buf, '\0', sizeof hdr_buf);
1817 memcpy(hdr_buf, &file_hdr, sizeof(file_hdr));
1818 if (!wtap_dump_file_write(wdh, hdr_buf, sizeof hdr_buf, err))
1824 static const struct {
1825 int wtap_encap_value;
1827 } wtap_encap_2_0[] = {
1828 { WTAP_ENCAP_ETHERNET, 0 }, /* -> NDIS Ethernet */
1829 { WTAP_ENCAP_TOKEN_RING, 1 }, /* -> NDIS Token Ring */
1830 { WTAP_ENCAP_FDDI, 2 }, /* -> NDIS FDDI */
1831 { WTAP_ENCAP_FDDI_BITSWAPPED, 2 }, /* -> NDIS FDDI */
1832 { WTAP_ENCAP_PPP_WITH_PHDR, 3 }, /* -> NDIS WAN */
1833 { WTAP_ENCAP_FRELAY_WITH_PHDR, 3 }, /* -> NDIS WAN */
1834 { WTAP_ENCAP_LAPB, 3 }, /* -> NDIS WAN */
1835 { WTAP_ENCAP_SDLC, 3 }, /* -> NDIS WAN */
1837 #define NUM_WTAP_ENCAPS_2_0 (sizeof wtap_encap_2_0 / sizeof wtap_encap_2_0[0])
1840 wtap_encap_to_netxray_2_0_encap(int encap)
1844 for (i = 0; i < NUM_WTAP_ENCAPS_2_0; i++) {
1845 if (encap == wtap_encap_2_0[i].wtap_encap_value)
1846 return wtap_encap_2_0[i].ndis_value;
1852 /* Returns 0 if we could write the specified encapsulation type,
1853 an error indication otherwise. */
1855 netxray_dump_can_write_encap_2_0(int encap)
1857 /* Per-packet encapsulations aren't supported. */
1858 if (encap == WTAP_ENCAP_PER_PACKET)
1859 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
1861 if (wtap_encap_to_netxray_2_0_encap(encap) == -1)
1862 return WTAP_ERR_UNWRITABLE_ENCAP;
1867 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
1870 netxray_dump_open_2_0(wtap_dumper *wdh, int *err)
1872 netxray_dump_t *netxray;
1874 wdh->subtype_write = netxray_dump_2_0;
1875 wdh->subtype_finish = netxray_dump_finish_2_0;
1877 /* We can't fill in all the fields in the file header, as we
1878 haven't yet written any packets. As we'll have to rewrite
1879 the header when we've written out all the packets, we just
1880 skip over the header for now. */
1881 if (wtap_dump_file_seek(wdh, CAPTUREFILE_HEADER_SIZE, SEEK_SET, err) == -1)
1884 wdh->bytes_dumped += CAPTUREFILE_HEADER_SIZE;
1886 netxray = (netxray_dump_t *)g_malloc(sizeof(netxray_dump_t));
1887 wdh->priv = (void *)netxray;
1888 netxray->first_frame = TRUE;
1889 netxray->start.secs = 0;
1890 netxray->start.nsecs = 0;
1891 netxray->nframes = 0;
1896 /* Write a record for a packet to a dump file.
1897 Returns TRUE on success, FALSE on failure. */
1899 netxray_dump_2_0(wtap_dumper *wdh,
1900 const wtap_rec *rec,
1901 const guint8 *pd, int *err, gchar **err_info _U_)
1903 const union wtap_pseudo_header *pseudo_header = &rec->rec_header.packet_header.pseudo_header;
1904 netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv;
1907 struct netxrayrec_2_x_hdr rec_hdr;
1909 /* We can only write packet records. */
1910 if (rec->rec_type != REC_TYPE_PACKET) {
1911 *err = WTAP_ERR_UNWRITABLE_REC_TYPE;
1915 /* Don't write anything we're not willing to read. */
1916 if (rec->rec_header.packet_header.caplen > WTAP_MAX_PACKET_SIZE_STANDARD) {
1917 *err = WTAP_ERR_PACKET_TOO_LARGE;
1921 /* NetXRay/Windows Sniffer files have a capture start date/time
1922 in the header, in a UNIX-style format, with one-second resolution,
1923 and a start time stamp with microsecond resolution that's just
1924 an arbitrary time stamp relative to some unknown time (boot
1925 time?), and have times relative to the start time stamp in
1926 the packet headers; pick the seconds value of the time stamp
1927 of the first packet as the UNIX-style start date/time, and make
1928 the high-resolution start time stamp 0, with the time stamp of
1929 packets being the delta between the stamp of the packet and
1930 the stamp of the first packet with the microseconds part 0. */
1931 if (netxray->first_frame) {
1932 netxray->first_frame = FALSE;
1933 netxray->start = rec->ts;
1936 /* build the header for each packet */
1937 memset(&rec_hdr, '\0', sizeof(rec_hdr));
1938 timestamp = ((guint64)rec->ts.secs - (guint64)netxray->start.secs)*1000000
1939 + ((guint64)rec->ts.nsecs)/1000;
1940 t32 = (guint32)(timestamp%G_GINT64_CONSTANT(4294967296));
1941 rec_hdr.timelo = GUINT32_TO_LE(t32);
1942 t32 = (guint32)(timestamp/G_GINT64_CONSTANT(4294967296));
1943 rec_hdr.timehi = GUINT32_TO_LE(t32);
1944 rec_hdr.orig_len = GUINT16_TO_LE(rec->rec_header.packet_header.len);
1945 rec_hdr.incl_len = GUINT16_TO_LE(rec->rec_header.packet_header.caplen);
1947 switch (rec->rec_header.packet_header.pkt_encap) {
1949 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
1951 pseudo_header->ieee_802_11.has_channel ?
1952 pseudo_header->ieee_802_11.channel :
1955 pseudo_header->ieee_802_11.has_data_rate ?
1956 (guint8)pseudo_header->ieee_802_11.data_rate :
1959 pseudo_header->ieee_802_11.has_signal_percent ?
1960 pseudo_header->ieee_802_11.signal_percent :
1963 pseudo_header->ieee_802_11.has_noise_percent ?
1964 pseudo_header->ieee_802_11.noise_percent*127/100 :
1968 case WTAP_ENCAP_PPP_WITH_PHDR:
1969 case WTAP_ENCAP_SDLC:
1970 rec_hdr.xxx[12] |= pseudo_header->p2p.sent ? 0x01 : 0x00;
1973 case WTAP_ENCAP_FRELAY_WITH_PHDR:
1974 rec_hdr.xxx[12] |= (pseudo_header->dte_dce.flags & FROM_DCE) ? 0x00 : 0x01;
1978 if (!wtap_dump_file_write(wdh, &rec_hdr, sizeof(rec_hdr), err))
1980 wdh->bytes_dumped += sizeof(rec_hdr);
1982 /* write the packet data */
1983 if (!wtap_dump_file_write(wdh, pd, rec->rec_header.packet_header.caplen, err))
1985 wdh->bytes_dumped += rec->rec_header.packet_header.caplen;
1992 /* Finish writing to a dump file.
1993 Returns TRUE on success, FALSE on failure. */
1995 netxray_dump_finish_2_0(wtap_dumper *wdh, int *err)
1997 char hdr_buf[CAPTUREFILE_HEADER_SIZE - sizeof(netxray_magic)];
1998 netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv;
2000 struct netxray_hdr file_hdr;
2002 if (-1 == (filelen = wtap_dump_file_tell(wdh, err)))
2005 /* Go back to beginning */
2006 if (wtap_dump_file_seek(wdh, 0, SEEK_SET, err) == -1)
2009 /* Rewrite the file header. */
2010 if (!wtap_dump_file_write(wdh, netxray_magic, sizeof netxray_magic, err))
2013 /* "sniffer" version ? */
2014 memset(&file_hdr, '\0', sizeof file_hdr);
2015 memcpy(file_hdr.version, vers_2_001, sizeof vers_2_001);
2016 file_hdr.start_time = GUINT32_TO_LE(netxray->start.secs);
2017 file_hdr.nframes = GUINT32_TO_LE(netxray->nframes);
2018 file_hdr.start_offset = GUINT32_TO_LE(CAPTUREFILE_HEADER_SIZE);
2019 /* XXX - large files? */
2020 file_hdr.end_offset = GUINT32_TO_LE((guint32)filelen);
2021 file_hdr.network = wtap_encap_to_netxray_2_0_encap(wdh->encap);
2022 file_hdr.timelo = GUINT32_TO_LE(0);
2023 file_hdr.timehi = GUINT32_TO_LE(0);
2024 switch (wdh->encap) {
2026 case WTAP_ENCAP_PPP_WITH_PHDR:
2027 file_hdr.captype = WAN_CAPTYPE_PPP;
2030 case WTAP_ENCAP_FRELAY_WITH_PHDR:
2031 file_hdr.captype = WAN_CAPTYPE_FRELAY;
2034 case WTAP_ENCAP_LAPB:
2035 file_hdr.captype = WAN_CAPTYPE_HDLC;
2036 file_hdr.wan_hdlc_subsub_captype = 0;
2039 case WTAP_ENCAP_SDLC:
2040 file_hdr.captype = WAN_CAPTYPE_SDLC;
2044 file_hdr.captype = CAPTYPE_NDIS;
2048 memset(hdr_buf, '\0', sizeof hdr_buf);
2049 memcpy(hdr_buf, &file_hdr, sizeof(file_hdr));
2050 if (!wtap_dump_file_write(wdh, hdr_buf, sizeof hdr_buf, err))
2057 * Editor modelines - http://www.wireshark.org/tools/modelines.html
2062 * indent-tabs-mode: t
2065 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
2066 * :indentSize=8:tabSize=8:noTabs=false: