Make sure the packet length isn't > WTAP_MAX_PACKET_SIZE.
[metze/wireshark/wip.git] / wiretap / netxray.c
1 /* netxray.c
2  *
3  * Wiretap Library
4  * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public License
8  * as published by the Free Software Foundation; either version 2
9  * of the License, or (at your option) any later version.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program; if not, write to the Free Software
18  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19  */
20
21 #include "config.h"
22
23 #include <errno.h>
24 #include <string.h>
25 #include "wtap-int.h"
26 #include "file_wrappers.h"
27 #include "netxray.h"
28 #include "atm.h"
29
30 /* Capture file header, *including* magic number, is padded to 128 bytes. */
31 #define CAPTUREFILE_HEADER_SIZE 128
32
33 /* Magic number size, in both 1.x and later files. */
34 #define MAGIC_SIZE      4
35
36 /* Magic number in NetXRay 1.x files. */
37 static const char old_netxray_magic[MAGIC_SIZE] = {
38         'V', 'L', '\0', '\0'
39 };
40
41 /* Magic number in NetXRay 2.0 and later, and Windows Sniffer, files. */
42 static const char netxray_magic[MAGIC_SIZE] = {
43         'X', 'C', 'P', '\0'
44 };
45
46 /* NetXRay file header (minus magic number).                    */
47 /*                                                              */
48 /* As field usages are identified, please revise as needed      */
49 /* Please do *not* use netxray_hdr xxx... names in the code     */
50 /* (Placeholder names for all 'unknown' fields are              */
51 /*   of form xxx_x<hex_hdr_offset>                              */
52 /*   where <hex_hdr_offset> *includes* the magic number)        */
53
54 struct netxray_hdr {
55         char    version[8];     /* version number                               */
56         guint32 start_time;     /* UNIX [UTC] time when capture started         */
57
58         guint32 nframes;        /* number of packets                            */
59         guint32 xxx_x14;        /* unknown [some kind of file offset]           */
60         guint32 start_offset;   /* offset of first packet in capture            */
61         guint32 end_offset;     /* offset after last packet in capture          */
62
63         guint32 xxx_x20;        /* unknown [some kind of file offset]           */
64         guint32 xxx_x24;        /* unknown [unused ?]                           */
65         guint32 xxx_x28;        /* unknown [some kind of file offset]           */
66         guint8  network;        /* datalink type                                */
67         guint8  network_plus;   /* [See code]                                   */
68         guint8  xxx_x2E[2];     /* unknown                                      */
69
70         guint8  timeunit;       /* encodes length of a tick                     */
71         guint8  xxx_x31[3];     /* XXX - upper 3 bytes of timeunit ?            */
72         guint32 timelo;         /* lower 32 bits of capture start time stamp    */
73         guint32 timehi;         /* upper 32 bits of capture start time stamp    */
74         guint32 linespeed;      /* speed of network, in bits/second             */
75
76         guint8  xxx_x40[12];    /* unknown [other stuff]                        */
77         guint8  realtick[4];    /* (ticks/sec for Ethernet/Ndis/Timeunit=2 ?)   */
78                                 /* (realtick[1], realtick[2] also currently     */
79                                 /*  used as flag for 'FCS presence')            */
80
81         guint8  xxx_x50[4];     /* unknown [other stuff]                        */
82         guint8  captype;        /* capture type                                 */
83         guint8  xxx_x55[3];     /* unknown [other stuff]                        */
84         guint8  xxx_x58[4];     /* unknown [other stuff]                        */
85         guint8  wan_hdlc_subsub_captype; /* WAN HDLC subsub_captype             */
86         guint8  xxx_x5D[3];     /* unknown [other stuff]                        */
87
88         guint8  xxx_x60[16];    /* unknown [other stuff]                        */
89
90         guint8  xxx_x70[14];    /* unknown [other stuff]                        */
91         gint16 timezone_hrs;    /* timezone hours [at least for version 2.2..]; */
92                                 /*  positive values = west of UTC:              */
93                                 /*  negative values = east of UTC:              */
94                                 /*  e.g. +5 is American Eastern                 */
95                                 /* [Does not appear to be adjusted for DST ]    */
96 };
97
98 /*
99  * Capture type, in hdr.captype.
100  *
101  * Values other than 0 are dependent on the network type.
102  * For Ethernet captures, it indicates the type of capture pod.
103  * For WAN captures (all of which are done with a pod), it indicates
104  * the link-layer type.
105  */
106 #define CAPTYPE_NDIS    0               /* Capture on network interface using NDIS                      */
107
108 /*
109  * Ethernet capture types.
110  */
111 #define ETH_CAPTYPE_GIGPOD      2       /* gigabit Ethernet captured with pod                           */
112 #define ETH_CAPTYPE_OTHERPOD    3       /* non-gigabit Ethernet captured with pod                       */
113 #define ETH_CAPTYPE_OTHERPOD2   5       /* gigabit Ethernet via pod ??                                  */
114                                         /*  Captype 5 seen in capture from Distributed Sniffer with:    */
115                                         /*    Version 4.50.211 software                                 */
116                                         /*    SysKonnect SK-9843 Gigabit Ethernet Server Adapter        */
117 #define ETH_CAPTYPE_GIGPOD2     6       /* gigabit Ethernet, captured with blade on S6040-model Sniffer */
118
119 /*
120  * WAN capture types.
121  */
122 #define WAN_CAPTYPE_BROUTER     1       /* Bridge/router captured with pod */
123 #define WAN_CAPTYPE_PPP         3       /* PPP captured with pod */
124 #define WAN_CAPTYPE_FRELAY      4       /* Frame Relay captured with pod */
125 #define WAN_CAPTYPE_BROUTER2    5       /* Bridge/router captured with pod */
126 #define WAN_CAPTYPE_HDLC        6       /* HDLC (X.25, ISDN) captured with pod */
127 #define WAN_CAPTYPE_SDLC        7       /* SDLC captured with pod */
128 #define WAN_CAPTYPE_HDLC2       8       /* HDLC captured with pod */
129 #define WAN_CAPTYPE_BROUTER3    9       /* Bridge/router captured with pod */
130 #define WAN_CAPTYPE_SMDS        10      /* SMDS DXI */
131 #define WAN_CAPTYPE_BROUTER4    11      /* Bridge/router captured with pod */
132 #define WAN_CAPTYPE_BROUTER5    12      /* Bridge/router captured with pod */
133 #define WAN_CAPTYPE_CHDLC       19      /* Cisco router (CHDLC) captured with pod */
134
135 #define CAPTYPE_ATM             15      /* ATM captured with pod */
136
137 /*
138  * # of ticks that equal 1 second, in version 002.xxx files other
139  * than Ethernet captures with a captype other than CAPTYPE_NDIS;
140  * the index into this array is hdr.timeunit.
141  *
142  * DO NOT SEND IN PATCHES THAT CHANGE ANY OF THE NON-ZERO VALUES IN
143  * ANY OF THE TpS TABLES.  THOSE VALUES ARE CORRECT FOR AT LEAST ONE
144  * CAPTURE, SO CHANGING THEM WILL BREAK AT LEAST SOME CAPTURES.  WE
145  * WILL NOT CHECK IN PATCHES THAT CHANGE THESE VALUES.
146  *
147  * Instead, if a value in a TpS table is wrong, check whether captype
148  * has a non-zero value; if so, perhaps we need a new TpS table for the
149  * corresponding network type and captype, or perhaps the 'realtick'
150  * field contains the correct ticks-per-second value.
151  *
152  * TpS...[] entries of 0.0 mean that no capture file for the
153  * corresponding captype/timeunit values has yet been seen, or that
154  * we're using the 'realtick' value.
155  *
156  * XXX - 05/29/07: For Ethernet captype = 0 (NDIS) and timeunit = 2:
157  *  Perusal of a number of Sniffer captures
158  *  (including those from Wireshark bug reports
159  *  and those from the Wireshark 'menagerie')
160  *  suggests that 'realtick' for this case
161  *  contains the correct ticks/second to be used.
162  *  So: we'll use realtick for Ethernet captype=0 and timeunit=2.
163  *  (It might be that realtick should be used for Ethernet captype = 0
164  *  and timeunit = 1 but I've not yet enough captures to be sure).
165  *   Based upon the captures reviewed to date, realtick cannot be used for
166  *   any of the other Ethernet captype/timeunit combinations for which there
167  *   are non-zero values in the TpS tables.
168  *
169  *  In at least one capture where "realtick" doesn't correspond
170  *  to the value from the appropriate TpS table, the per-packet header's
171  *  "xxx" field is all zero, so it's not as if a 2.x header includes
172  *  a "compatibility" time stamp corresponding to the value from the
173  *  TpS table and a "real" time stamp corresponding to "realtick".
174  *
175  * XXX - the item corresponding to timeunit = 2 is 1193180.0, presumably
176  *  because somebody found it gave the right answer for some captures, but
177  *  3 times that, i.e. 3579540.0, appears to give the right answer for some
178  *  other captures.
179  *
180  *  Some captures have realtick of 1193182, some have 3579545, and some
181  *  have 1193000.  Most of those, in one set of captures somebody has,
182  *  are wrong.  (Did that mean "wrong for some capture files, but not
183  *  for the files in which they occurred", or "wrong for the files in
184  *  which they occurred?  If it's "wrong for some capture files, but
185  *  not for the files in which they occurred", perhaps those were Ethernet
186  *  captures with a captype of 0 and timeunit = 2, so that we now use
187  *  realtick, and perhaps that fixes the problems.)
188  *
189  * XXX - in at least one ATM capture, hdr.realtick is 1193180.0
190  *  and hdr.timeunit is 0.  Does that capture have a captype of
191  *  CAPTYPE_ATM?  If so, what should the table for ATM captures with
192  *  that captype be?
193  */
194 static const double TpS[] = { 1e6, 1193000.0, 1193182.0 };
195 #define NUM_NETXRAY_TIMEUNITS (sizeof TpS / sizeof TpS[0])
196
197 /*
198  * Table of time units for Ethernet captures with captype ETH_CAPTYPE_GIGPOD.
199  * 0.0 means "unknown".
200  *
201  * It appears that, at least for Ethernet captures, if captype is
202  * ETH_CAPTYPE_GIGPOD, that indicates that it's a gigabit Ethernet
203  * capture, possibly from a special whizzo gigabit pod, and also
204  * indicates that the time stamps have some higher resolution than
205  * in other captures, possibly thanks to a high-resolution timer
206  * on the pod.
207  *
208  * It also appears that the time units might differ for gigabit pod
209  * captures between version 002.001 and 002.002.  For 002.001,
210  * the values below are correct; for 002.002, it's claimed that
211  * the right value for TpS_gigpod[2] is 1250000.0, but at least one
212  * 002.002 gigabit pod capture has 31250000.0 as the right value.
213  * XXX: Note that the TpS_otherpod[2] value is 1250000.0; It seems
214  *  reasonable to suspect that the original claim might actually
215  *  have been for a capture with a captype of 'otherpod'.
216  * (Based upon captures reviewed realtick does not contain the
217  *   correct TpS values for the 'gigpod' captype).
218  */
219 static const double TpS_gigpod[] = { 1e9, 0.0, 31250000.0 };
220 #define NUM_NETXRAY_TIMEUNITS_GIGPOD (sizeof TpS_gigpod / sizeof TpS_gigpod[0])
221
222 /*
223  * Table of time units for Ethernet captures with captype ETH_CAPTYPE_OTHERPOD.
224  *  (Based upon captures reviewed realtick does not contain the
225  *   correct TpS values for the 'otherpod' captype).
226  */
227 static const double TpS_otherpod[] = { 1e6, 0.0, 1250000.0 };
228 #define NUM_NETXRAY_TIMEUNITS_OTHERPOD (sizeof TpS_otherpod / sizeof TpS_otherpod[0])
229
230 /*
231  * Table of time units for Ethernet captures with captype ETH_CAPTYPE_OTHERPOD2.
232  * (Based upon captures reviewed realtick does not contain the
233  *   correct TpS values for the 'otherpod2' captype).
234  */
235 static const double TpS_otherpod2[] = { 1e6, 0.0, 0.0 };
236 #define NUM_NETXRAY_TIMEUNITS_OTHERPOD2 (sizeof TpS_otherpod2 / sizeof TpS_otherpod2[0])
237
238 /*
239  * Table of time units for Ethernet captures with captype ETH_CAPTYPE_GIGPOD2.
240  * (Based upon captures reviewed realtick does not contain the
241  *   correct TpS values for the 'gigpod2' captype).
242  */
243 static const double TpS_gigpod2[] = { 1e9, 0.0, 20000000.0 };
244 #define NUM_NETXRAY_TIMEUNITS_GIGPOD2 (sizeof TpS_gigpod2 / sizeof TpS_gigpod2[0])
245
246 /* Version number strings. */
247 static const char vers_1_0[] = {
248         '0', '0', '1', '.', '0', '0', '0', '\0'
249 };
250
251 static const char vers_1_1[] = {
252         '0', '0', '1', '.', '1', '0', '0', '\0'
253 };
254
255 static const char vers_2_000[] = {
256         '0', '0', '2', '.', '0', '0', '0', '\0'
257 };
258
259 static const char vers_2_001[] = {
260         '0', '0', '2', '.', '0', '0', '1', '\0'
261 };
262
263 static const char vers_2_002[] = {
264         '0', '0', '2', '.', '0', '0', '2', '\0'
265 };
266
267 static const char vers_2_003[] = {
268         '0', '0', '2', '.', '0', '0', '3', '\0'
269 };
270
271 /* Old NetXRay data record format - followed by frame data. */
272 struct old_netxrayrec_hdr {
273         guint32 timelo;         /* lower 32 bits of time stamp */
274         guint32 timehi;         /* upper 32 bits of time stamp */
275         guint16 len;            /* packet length */
276         guint8  xxx[6];         /* unknown */
277 };
278
279 /* NetXRay format version 1.x data record format - followed by frame data. */
280 struct netxrayrec_1_x_hdr {
281         guint32 timelo;         /* lower 32 bits of time stamp */
282         guint32 timehi;         /* upper 32 bits of time stamp */
283         guint16 orig_len;       /* packet length */
284         guint16 incl_len;       /* capture length */
285         guint8  xxx[16];        /* unknown */
286 };
287
288 /*
289  * NetXRay format version 2.x data record format - followed by frame data.
290  *
291  * The xxx fields appear to be:
292  *
293  *      xxx[0]: ATM traffic type and subtype in the low 3 bits of
294  *      each nibble, and flags(?) in the upper bit of each nibble.
295  *
296  *      xxx[2], xxx[3]: for Ethernet, 802.11, ISDN LAPD, LAPB,
297  *      Frame Relay, if both are 0xff, there are 4 bytes of stuff
298  *      at the end of the packet data, which might be an FCS or
299  *      which might be junk to discard.
300  *
301  *      xxx[8], xxx[9]: 2 bytes of a flag word?  If treated as
302  *      a 2-byte little-endian flag word:
303  *
304  *              0x0001: Error of some sort, including bad CRC, although
305  *                  in one ISDN capture it's set in some B2 channel
306  *                  packets of unknown content (as opposed to the B1
307  *                  traffic in the capture, which is PPP)
308  *              0x0004: Some particular type of error?
309  *              0x0008: For (Gigabit?) Ethernet (with special probe?),
310  *                  4 bytes at end are junk rather than CRC?
311  *              0x0100: CRC error on ATM?  Protected and Not decrypted
312  *                  for 802.11?
313  *              0x0200: Something for ATM? Something else for 802.11?
314  *              0x0400: raw ATM cell
315  *              0x0800: OAM cell?
316  *              0x2000: port on which the packet was captured?
317  *
318  *      The Sniffer Portable 4.8 User's Guide lists a set of packet status
319  *      flags including:
320  *
321  *              packet is marked;
322  *              packet was captured from Port A on the pod or adapter card;
323  *              packet was captured from Port B on the pod or adapter card;
324  *              packet has a symptom or diagnosis associated with it;
325  *              packet is an event filter trigger;
326  *              CRC error packet with normal packet size;
327  *              CRC error packet with oversize error;
328  *              packet size < 64 bytes (including CRC) but with valid CRC;
329  *              packet size < 64 bytes (including CRC) with CRC error;
330  *              packet size > 1518 bytes (including CRC) but with valid CRC;
331  *              packet damaged by a collision;
332  *              packet length not a multiple of 8 bits;
333  *              address conflict in the ring on Token Ring;
334  *              packet is not copied (received) by the destination host on
335  *                  Token Ring;
336  *              AAL5 length error;
337  *              AAL5 maximum segments error;
338  *              ATM timeout error;
339  *              ATM buffer error;
340  *              ATM unknown error;
341  *              and a ton of AAL2 errors.
342  *
343  *      Not all those bits necessarily correspond to flag bits in the file,
344  *      but some might.
345  *
346  *      In one ATM capture, the 0x2000 bit was set for all frames; in another,
347  *      it's unset for all frames.  This, plus the ATMbook having two ports,
348  *      suggests that it *might* be a "port A vs. port B" flag.
349  *
350  *      The 0x0001 bit appears to be set for CRC errors on Ethernet and 802.11.
351  *      It also appears to be set on ATM for AAL5 PDUs that appear to be
352  *      completely reassembled and that have a CRC error and for frames that
353  *      appear to be part of a full AAL5 PDU.  In at least two files with
354  *      frames of the former type, the 0x0100 and 0x0200 flags are set;
355  *      in at least one file with frames of the latter type, neither of
356  *      those flags are set.
357  *
358  *      The field appears to be somewhat random in some captures,
359  *      however.
360  *
361  *      xxx[11]: for 802.11, 0x05 if the packet is WEP-encrypted(?).
362  *
363  *      xxx[12]: for 802.11, channel number.
364  *
365  *      xxx[13]: for 802.11, data rate.
366  *
367  *      xxx[14]: for 802.11, signal strength.
368  *
369  *      xxx[15]: for 802.11, noise level; 0xFF means none reported,
370  *          0x7F means 100%.
371  *
372  *      xxx[20-25]: for 802.11, MAC address of sending machine(?).
373  */
374 struct netxrayrec_2_x_hdr {
375         guint32 timelo;         /* lower 32 bits of time stamp */
376         guint32 timehi;         /* upper 32 bits of time stamp */
377         guint16 orig_len;       /* packet length */
378         guint16 incl_len;       /* capture length */
379         guint8  xxx[28];        /* various data */
380 };
381
382 /*
383  * Union of the data record headers.
384  */
385 union netxrayrec_hdr {
386         struct old_netxrayrec_hdr old_hdr;
387         struct netxrayrec_1_x_hdr hdr_1_x;
388         struct netxrayrec_2_x_hdr hdr_2_x;
389 };
390
391 typedef struct {
392         time_t          start_time;
393         double          ticks_per_sec;
394         double          start_timestamp;
395         gboolean        wrapped;
396         guint32         nframes;
397         gint64          start_offset;
398         gint64          end_offset;
399         int             version_major;
400         gboolean        fcs_valid;      /* if packets have valid FCS at the end */
401         guint           isdn_type;      /* 1 = E1 PRI, 2 = T1 PRI, 3 = BRI */
402 } netxray_t;
403
404 static gboolean netxray_read(wtap *wth, int *err, gchar **err_info,
405     gint64 *data_offset);
406 static gboolean netxray_seek_read(wtap *wth, gint64 seek_off,
407     struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
408 static int netxray_process_rec_header(wtap *wth, FILE_T fh,
409     struct wtap_pkthdr *phdr, int *err, gchar **err_info);
410 static void netxray_guess_atm_type(wtap *wth, struct wtap_pkthdr *phdr,
411     Buffer *buf);
412 static gboolean netxray_dump_1_1(wtap_dumper *wdh,
413     const struct wtap_pkthdr *phdr,
414     const guint8 *pd, int *err, gchar **err_info);
415 static gboolean netxray_dump_finish_1_1(wtap_dumper *wdh, int *err);
416 static gboolean netxray_dump_2_0(wtap_dumper *wdh,
417     const struct wtap_pkthdr *phdr,
418     const guint8 *pd, int *err, gchar **err_info);
419 static gboolean netxray_dump_finish_2_0(wtap_dumper *wdh, int *err);
420
421 wtap_open_return_val
422 netxray_open(wtap *wth, int *err, gchar **err_info)
423 {
424         char magic[MAGIC_SIZE];
425         gboolean is_old;
426         struct netxray_hdr hdr;
427         guint network_type;
428         double ticks_per_sec;
429         int version_major, version_minor;
430         int file_type;
431         double start_timestamp;
432         static const int netxray_encap[] = {
433                 WTAP_ENCAP_UNKNOWN,
434                 WTAP_ENCAP_ETHERNET,
435                 WTAP_ENCAP_TOKEN_RING,
436                 WTAP_ENCAP_FDDI_BITSWAPPED,
437                 /*
438                  * XXX - some PPP captures may look like Ethernet,
439                  * perhaps because they're using NDIS to capture on the
440                  * same machine and it provides simulated-Ethernet
441                  * packets, but captures taken with various serial
442                  * pods use the same network type value but aren't
443                  * shaped like Ethernet.  We handle that below.
444                  */
445                 WTAP_ENCAP_ETHERNET,            /* WAN(PPP), but shaped like Ethernet */
446                 WTAP_ENCAP_UNKNOWN,             /* LocalTalk */
447                 WTAP_ENCAP_UNKNOWN,             /* "DIX" - should not occur */
448                 WTAP_ENCAP_UNKNOWN,             /* ARCNET raw */
449                 WTAP_ENCAP_UNKNOWN,             /* ARCNET 878.2 */
450                 WTAP_ENCAP_ATM_PDUS_UNTRUNCATED,/* ATM */
451                 WTAP_ENCAP_IEEE_802_11_WITH_RADIO,
452                                                 /* Wireless WAN with radio information */
453                 WTAP_ENCAP_UNKNOWN              /* IrDA */
454         };
455         #define NUM_NETXRAY_ENCAPS (sizeof netxray_encap / sizeof netxray_encap[0])
456         int file_encap;
457         guint isdn_type = 0;
458         netxray_t *netxray;
459
460         /* Read in the string that should be at the start of a NetXRay
461          * file */
462         if (!wtap_read_bytes(wth->fh, magic, MAGIC_SIZE, err, err_info)) {
463                 if (*err != WTAP_ERR_SHORT_READ)
464                         return WTAP_OPEN_ERROR;
465                 return WTAP_OPEN_NOT_MINE;
466         }
467
468         if (memcmp(magic, netxray_magic, MAGIC_SIZE) == 0) {
469                 is_old = FALSE;
470         } else if (memcmp(magic, old_netxray_magic, MAGIC_SIZE) == 0) {
471                 is_old = TRUE;
472         } else {
473                 return WTAP_OPEN_NOT_MINE;
474         }
475
476         /* Read the rest of the header. */
477         if (!wtap_read_bytes(wth->fh, &hdr, sizeof hdr, err, err_info))
478                 return WTAP_OPEN_ERROR;
479
480         if (is_old) {
481                 version_major = 0;
482                 version_minor = 0;
483                 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_OLD;
484         } else {
485                 /* It appears that version 1.1 files (as produced by Windows
486                  * Sniffer Pro 2.0.01) have the time stamp in microseconds,
487                  * rather than the milliseconds version 1.0 files appear to
488                  * have.
489                  *
490                  * It also appears that version 2.00x files have per-packet
491                  * headers with some extra fields. */
492                 if (memcmp(hdr.version, vers_1_0, sizeof vers_1_0) == 0) {
493                         version_major = 1;
494                         version_minor = 0;
495                         file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_1_0;
496                 } else if (memcmp(hdr.version, vers_1_1, sizeof vers_1_1) == 0) {
497                         version_major = 1;
498                         version_minor = 1;
499                         file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_1_1;
500                 } else if (memcmp(hdr.version, vers_2_000, sizeof vers_2_000) == 0) {
501                         version_major = 2;
502                         version_minor = 0;
503                         file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_2_00x;
504                 } else if (memcmp(hdr.version, vers_2_001, sizeof vers_2_001) == 0) {
505                         version_major = 2;
506                         version_minor = 1;
507                         file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_2_00x;
508                 } else if (memcmp(hdr.version, vers_2_002, sizeof vers_2_002) == 0) {
509                         version_major = 2;
510                         version_minor = 2;
511                         file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_2_00x;
512                 } else if (memcmp(hdr.version, vers_2_003, sizeof vers_2_003) == 0) {
513                         version_major = 2;
514                         version_minor = 3;
515                         file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_2_00x;
516                 } else {
517                         *err = WTAP_ERR_UNSUPPORTED;
518                         *err_info = g_strdup_printf("netxray: version \"%.8s\" unsupported", hdr.version);
519                         return WTAP_OPEN_ERROR;
520                 }
521         }
522
523         switch (hdr.network_plus) {
524
525         case 0:
526                 /*
527                  * The byte after hdr.network is usually 0, in which case
528                  * the hdr.network byte is an NDIS network type value - 1.
529                  */
530                 network_type = hdr.network + 1;
531                 break;
532
533         case 2:
534                 /*
535                  * However, in some Ethernet captures, it's 2, and the
536                  * hdr.network byte is 1 rather than 0.  We assume
537                  * that if there's a byte after hdr.network with the value
538                  * 2, the hdr.network byte is an NDIS network type, rather
539                  * than an NDIS network type - 1.
540                  */
541                 network_type = hdr.network;
542                 break;
543
544         default:
545                 *err = WTAP_ERR_UNSUPPORTED;
546                 *err_info = g_strdup_printf("netxray: the byte after the network type has the value %u, which I don't understand",
547                     hdr.network_plus);
548                 return WTAP_OPEN_ERROR;
549         }
550
551         if (network_type >= NUM_NETXRAY_ENCAPS
552             || netxray_encap[network_type] == WTAP_ENCAP_UNKNOWN) {
553                 *err = WTAP_ERR_UNSUPPORTED;
554                 *err_info = g_strdup_printf("netxray: network type %u (%u) unknown or unsupported",
555                     network_type, hdr.network_plus);
556                 return WTAP_OPEN_ERROR;
557         }
558
559         /*
560          * Figure out the time stamp units and start time stamp.
561          */
562         start_timestamp = (double)pletoh32(&hdr.timelo)
563             + (double)pletoh32(&hdr.timehi)*4294967296.0;
564         switch (file_type) {
565
566         case WTAP_FILE_TYPE_SUBTYPE_NETXRAY_OLD:
567                 ticks_per_sec = 1000.0;
568                 wth->file_tsprec = WTAP_TSPREC_MSEC;
569                 break;
570
571         case WTAP_FILE_TYPE_SUBTYPE_NETXRAY_1_0:
572                 ticks_per_sec = 1000.0;
573                 wth->file_tsprec = WTAP_TSPREC_MSEC;
574                 break;
575
576         case WTAP_FILE_TYPE_SUBTYPE_NETXRAY_1_1:
577                 /*
578                  * In version 1.1 files (as produced by Windows Sniffer
579                  * Pro 2.0.01), the time stamp is in microseconds,
580                  * rather than the milliseconds time stamps in NetXRay
581                  * and older versions of Windows Sniffer.
582                  */
583                 ticks_per_sec = 1000000.0;
584                 wth->file_tsprec = WTAP_TSPREC_USEC;
585                 break;
586
587         case WTAP_FILE_TYPE_SUBTYPE_NETXRAY_2_00x:
588                 /*
589                  * Get the time stamp units from the appropriate TpS
590                  * table or from the file header.
591                  */
592                 switch (network_type) {
593
594                 case 1:
595                         /*
596                          * Ethernet - the table to use depends on whether
597                          * this is an NDIS or pod capture.
598                          */
599                         switch (hdr.captype) {
600
601                         case CAPTYPE_NDIS:
602                                 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS) {
603                                         *err = WTAP_ERR_UNSUPPORTED;
604                                         *err_info = g_strdup_printf(
605                                             "netxray: Unknown timeunit %u for Ethernet/CAPTYPE_NDIS version %.8s capture",
606                                             hdr.timeunit, hdr.version);
607                                         return WTAP_OPEN_ERROR;
608                                 }
609                                 /*
610                                 XXX: 05/29/07: Use 'realtick' instead of TpS table if timeunit=2;
611                                         Using 'realtick' in this case results
612                                         in the correct 'ticks per second' for all the captures that
613                                         I have of this type (including captures from a number of Wireshark
614                                         bug reports).
615                                 */
616                                 if (hdr.timeunit == 2) {
617                                         ticks_per_sec = pletoh32(hdr.realtick);
618                                 }
619                                 else {
620                                         ticks_per_sec = TpS[hdr.timeunit];
621                                 }
622                                 break;
623
624                         case ETH_CAPTYPE_GIGPOD:
625                                 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_GIGPOD
626                                     || TpS_gigpod[hdr.timeunit] == 0.0) {
627                                         *err = WTAP_ERR_UNSUPPORTED;
628                                         *err_info = g_strdup_printf(
629                                             "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_GIGPOD version %.8s capture",
630                                             hdr.timeunit, hdr.version);
631                                         return WTAP_OPEN_ERROR;
632                                 }
633                                 ticks_per_sec = TpS_gigpod[hdr.timeunit];
634
635                                 /*
636                                  * At least for 002.002 and 002.003
637                                  * captures, the start time stamp is 0,
638                                  * not the value in the file.
639                                  */
640                                 if (version_minor == 2 || version_minor == 3)
641                                         start_timestamp = 0.0;
642                                 break;
643
644                         case ETH_CAPTYPE_OTHERPOD:
645                                 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_OTHERPOD
646                                     || TpS_otherpod[hdr.timeunit] == 0.0) {
647                                         *err = WTAP_ERR_UNSUPPORTED;
648                                         *err_info = g_strdup_printf(
649                                             "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_OTHERPOD version %.8s capture",
650                                             hdr.timeunit, hdr.version);
651                                         return WTAP_OPEN_ERROR;
652                                 }
653                                 ticks_per_sec = TpS_otherpod[hdr.timeunit];
654
655                                 /*
656                                  * At least for 002.002 and 002.003
657                                  * captures, the start time stamp is 0,
658                                  * not the value in the file.
659                                  */
660                                 if (version_minor == 2 || version_minor == 3)
661                                         start_timestamp = 0.0;
662                                 break;
663
664                         case ETH_CAPTYPE_OTHERPOD2:
665                                 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_OTHERPOD2
666                                     || TpS_otherpod2[hdr.timeunit] == 0.0) {
667                                         *err = WTAP_ERR_UNSUPPORTED;
668                                         *err_info = g_strdup_printf(
669                                             "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_OTHERPOD2 version %.8s capture",
670                                             hdr.timeunit, hdr.version);
671                                         return WTAP_OPEN_ERROR;
672                                 }
673                                 ticks_per_sec = TpS_otherpod2[hdr.timeunit];
674                                 /*
675                                  * XXX: start time stamp in the one capture file examined of this type was 0;
676                                  *      We'll assume the start time handling is the same as for other pods.
677                                  *
678                                  * At least for 002.002 and 002.003
679                                  * captures, the start time stamp is 0,
680                                  * not the value in the file.
681                                  */
682                                 if (version_minor == 2 || version_minor == 3)
683                                         start_timestamp = 0.0;
684                                 break;
685
686                         case ETH_CAPTYPE_GIGPOD2:
687                                 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_GIGPOD2
688                                     || TpS_gigpod2[hdr.timeunit] == 0.0) {
689                                         *err = WTAP_ERR_UNSUPPORTED;
690                                         *err_info = g_strdup_printf(
691                                             "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_GIGPOD2 version %.8s capture",
692                                             hdr.timeunit, hdr.version);
693                                         return WTAP_OPEN_ERROR;
694                                 }
695                                 ticks_per_sec = TpS_gigpod2[hdr.timeunit];
696                                 /*
697                                  * XXX: start time stamp in the one capture file examined of this type was 0;
698                                  *      We'll assume the start time handling is the same as for other pods.
699                                  *
700                                  * At least for 002.002 and 002.003
701                                  * captures, the start time stamp is 0,
702                                  * not the value in the file.
703                                  */
704                                 if (version_minor == 2 || version_minor == 3)
705                                         start_timestamp = 0.0;
706                                 break;
707
708                         default:
709                                 *err = WTAP_ERR_UNSUPPORTED;
710                                 *err_info = g_strdup_printf(
711                                     "netxray: Unknown capture type %u for Ethernet version %.8s capture",
712                                     hdr.captype, hdr.version);
713                                 return WTAP_OPEN_ERROR;
714                         }
715                         break;
716
717                 default:
718                         if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS) {
719                                 *err = WTAP_ERR_UNSUPPORTED;
720                                 *err_info = g_strdup_printf(
721                                     "netxray: Unknown timeunit %u for %u/%u version %.8s capture",
722                                     hdr.timeunit, network_type, hdr.captype,
723                                     hdr.version);
724                                 return WTAP_OPEN_ERROR;
725                         }
726                         ticks_per_sec = TpS[hdr.timeunit];
727                         break;
728                 }
729
730                 /*
731                  * If the number of ticks per second is greater than
732                  * 1 million, make the precision be nanoseconds rather
733                  * than microseconds.
734                  *
735                  * XXX - do values only slightly greater than one million
736                  * correspond to a resolution sufficiently better than
737                  * 1 microsecond to display more digits of precision?
738                  * XXX - Seems reasonable to use nanosecs only if TPS >= 10M
739                  */
740                 if (ticks_per_sec >= 1e7)
741                         wth->file_tsprec = WTAP_TSPREC_NSEC;
742                 else
743                         wth->file_tsprec = WTAP_TSPREC_USEC;
744                 break;
745
746         default:
747                 g_assert_not_reached();
748                 ticks_per_sec = 0.0;
749         }
750         start_timestamp = start_timestamp/ticks_per_sec;
751
752         if (network_type == 4) {
753                 /*
754                  * In version 0 and 1, we assume, for now, that all
755                  * WAN captures have frames that look like Ethernet
756                  * frames (as a result, presumably, of having passed
757                  * through NDISWAN).
758                  *
759                  * In version 2, it looks as if there's stuff in the
760                  * file header to specify what particular type of WAN
761                  * capture we have.
762                  */
763                 if (version_major == 2) {
764                         switch (hdr.captype) {
765
766                         case WAN_CAPTYPE_PPP:
767                                 /*
768                                  * PPP.
769                                  */
770                                 file_encap = WTAP_ENCAP_PPP_WITH_PHDR;
771                                 break;
772
773                         case WAN_CAPTYPE_FRELAY:
774                                 /*
775                                  * Frame Relay.
776                                  *
777                                  * XXX - in at least one capture, this
778                                  * is Cisco HDLC, not Frame Relay, but
779                                  * in another capture, it's Frame Relay.
780                                  *
781                                  * [Bytes in each capture:
782                                  * Cisco HDLC:  hdr.xxx_x60[06:10]: 0x02 0x00 0x01 0x00 0x06
783                                  * Frame Relay: hdr.xxx_x60[06:10]  0x00 0x00 0x00 0x00 0x00
784
785                                  * Cisco HDLC:  hdr.xxx_x60[14:15]: 0xff 0xff
786                                  * Frame Relay: hdr.xxx_x60[14:15]: 0x00 0x00
787                                  * ]
788                                  */
789                                 file_encap = WTAP_ENCAP_FRELAY_WITH_PHDR;
790                                 break;
791
792                         case WAN_CAPTYPE_HDLC:
793                         case WAN_CAPTYPE_HDLC2:
794                                 /*
795                                  * Various HDLC flavors?
796                                  */
797                                 switch (hdr.wan_hdlc_subsub_captype) {
798
799                                 case 0: /* LAPB/X.25 */
800                                         /*
801                                          * XXX - at least one capture of
802                                          * this type appears to be PPP.
803                                          */
804                                         file_encap = WTAP_ENCAP_LAPB;
805                                         break;
806
807                                 case 1: /* E1 PRI */
808                                 case 2: /* T1 PRI */
809                                 case 3: /* BRI */
810                                         file_encap = WTAP_ENCAP_ISDN;
811                                         isdn_type = hdr.wan_hdlc_subsub_captype;
812                                         break;
813
814                                 default:
815                                         *err = WTAP_ERR_UNSUPPORTED;
816                                         *err_info = g_strdup_printf("netxray: WAN HDLC capture subsubtype 0x%02x unknown or unsupported",
817                                            hdr.wan_hdlc_subsub_captype);
818                                         return WTAP_OPEN_ERROR;
819                                 }
820                                 break;
821
822                         case WAN_CAPTYPE_SDLC:
823                                 /*
824                                  * SDLC.
825                                  */
826                                 file_encap = WTAP_ENCAP_SDLC;
827                                 break;
828
829                         case WAN_CAPTYPE_CHDLC:
830                                 /*
831                                  *  Cisco router (CHDLC) captured with pod
832                                  */
833                                 file_encap = WTAP_ENCAP_CHDLC_WITH_PHDR;
834                                 break;
835
836                         default:
837                                 *err = WTAP_ERR_UNSUPPORTED;
838                                 *err_info = g_strdup_printf("netxray: WAN capture subtype 0x%02x unknown or unsupported",
839                                    hdr.captype);
840                                 return WTAP_OPEN_ERROR;
841                         }
842                 } else
843                         file_encap = WTAP_ENCAP_ETHERNET;
844         } else
845                 file_encap = netxray_encap[network_type];
846
847         /* This is a netxray file */
848         wth->file_type_subtype = file_type;
849         netxray = (netxray_t *)g_malloc(sizeof(netxray_t));
850         wth->priv = (void *)netxray;
851         wth->subtype_read = netxray_read;
852         wth->subtype_seek_read = netxray_seek_read;
853         wth->file_encap = file_encap;
854         wth->snapshot_length = 0;       /* not available in header */
855         netxray->start_time = pletoh32(&hdr.start_time);
856         netxray->ticks_per_sec = ticks_per_sec;
857         netxray->start_timestamp = start_timestamp;
858         netxray->version_major = version_major;
859
860         /*
861          * If frames have an extra 4 bytes of stuff at the end, is
862          * it an FCS, or just junk?
863          */
864         netxray->fcs_valid = FALSE;
865         switch (file_encap) {
866
867         case WTAP_ENCAP_ETHERNET:
868         case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
869         case WTAP_ENCAP_ISDN:
870         case WTAP_ENCAP_LAPB:
871                 /*
872                  * It appears that, in at least some version 2 Ethernet
873                  * captures, for frames that have 0xff in hdr_2_x.xxx[2]
874                  * and hdr_2_x.xxx[3] in the per-packet header:
875                  *
876                  *      if, in the file header, hdr.realtick[1] is 0x34
877                  *      and hdr.realtick[2] is 0x12, the frames have an
878                  *      FCS at the end;
879                  *
880                  *      otherwise, they have 4 bytes of junk at the end.
881                  *
882                  * Yes, it's strange that you have to check the *middle*
883                  * of the time stamp field; you can't check for any
884                  * particular value of the time stamp field.
885                  *
886                  * For now, we assume that to be true for 802.11 captures
887                  * as well; it appears to be the case for at least one
888                  * such capture - the file doesn't have 0x34 and 0x12,
889                  * and the 4 bytes at the end of the frames with 0xff
890                  * are junk, not an FCS.
891                  *
892                  * For ISDN captures, it appears, at least in some
893                  * captures, to be similar, although I haven't yet
894                  * checked whether it's a valid FCS.
895                  *
896                  * XXX - should we do this for all encapsulation types?
897                  *
898                  * XXX - is there some other field that *really* indicates
899                  * whether we have an FCS or not?  The check of the time
900                  * stamp is bizarre, as we're checking the middle.
901                  * Perhaps hdr.realtick[0] is 0x00, in which case time
902                  * stamp units in the range 1192960 through 1193215
903                  * correspond to captures with an FCS, but that's still
904                  * a bit bizarre.
905                  *
906                  * Note that there are captures with a network type of 0
907                  * (Ethernet) and capture type of 0 (NDIS) that do, and
908                  * that don't, have 0x34 0x12 in them, and at least one
909                  * of the NDIS captures with 0x34 0x12 in it has FCSes,
910                  * so it's not as if no NDIS captures have an FCS.
911                  *
912                  * There are also captures with a network type of 4 (WAN),
913                  * capture type of 6 (HDLC), and subtype of 2 (T1 PRI) that
914                  * do, and that don't, have 0x34 0x12, so there are at least
915                  * some captures taken with a WAN pod that might lack an FCS.
916                  * (We haven't yet tried dissecting the 4 bytes at the
917                  * end of packets with hdr_2_x.xxx[2] and hdr_2_x.xxx[3]
918                  * equal to 0xff as an FCS.)
919                  *
920                  * All captures I've seen that have 0x34 and 0x12 *and*
921                  * have at least one frame with an FCS have a value of
922                  * 0x01 in xxx_x40[4].  No captures I've seen with a network
923                  * type of 0 (Ethernet) missing 0x34 0x12 have 0x01 there,
924                  * however.  However, there's at least one capture
925                  * without 0x34 and 0x12, with a network type of 0,
926                  * and with 0x01 in xxx_x40[4], *without* FCSes in the
927                  * frames - the 4 bytes at the end are all zero - so it's
928                  * not as simple as "xxx_x40[4] = 0x01 means the 4 bytes at
929                  * the end are FCSes".  Also, there's also at least one
930                  * 802.11 capture with an xxx_x40[4] value of 0x01 with junk
931                  * rather than an FCS at the end of the frame, so xxx_x40[4]
932                  * isn't an obvious flag to determine whether the
933                  * capture has FCSes.
934                  *
935                  * There don't seem to be any other values in any of the
936                  * xxx_x5..., xxx_x6...., xxx_x7.... fields
937                  * that obviously correspond to frames having an FCS.
938                  *
939                  * 05/29/07: Examination of numerous sniffer captures suggests
940                  *            that the apparent correlation of certain realtick
941                  *            bytes to 'FCS presence' may actually be
942                  *            a 'false positive'.
943                  *           ToDo: Review analysis and update code.
944                  *           It might be that the ticks-per-second value
945                  *           is hardware-dependent, and that hardware with
946                  *           a particular realtick value puts an FCS there
947                  *           and other hardware doesn't.
948                  */
949                 if (version_major == 2) {
950                         if (hdr.realtick[1] == 0x34 && hdr.realtick[2] == 0x12)
951                                 netxray->fcs_valid = TRUE;
952                 }
953                 break;
954         }
955
956         /*
957          * Remember the ISDN type, as we need it to interpret the
958          * channel number in ISDN captures.
959          */
960         netxray->isdn_type = isdn_type;
961
962         /* Remember the offset after the last packet in the capture (which
963          * isn't necessarily the last packet in the file), as it appears
964          * there's sometimes crud after it.
965          * XXX: Remember 'start_offset' to help testing for 'short file' at EOF
966          */
967         netxray->wrapped      = FALSE;
968         netxray->nframes      = pletoh32(&hdr.nframes);
969         netxray->start_offset = pletoh32(&hdr.start_offset);
970         netxray->end_offset   = pletoh32(&hdr.end_offset);
971
972         /* Seek to the beginning of the data records. */
973         if (file_seek(wth->fh, netxray->start_offset, SEEK_SET, err) == -1) {
974                 return WTAP_OPEN_ERROR;
975         }
976
977         return WTAP_OPEN_MINE;
978 }
979
980 /* Read the next packet */
981 static gboolean
982 netxray_read(wtap *wth, int *err, gchar **err_info,
983              gint64 *data_offset)
984 {
985         netxray_t *netxray = (netxray_t *)wth->priv;
986         int     padding;
987
988 reread:
989         /*
990          * Return the offset of the record header, so we can reread it
991          * if we go back to this frame.
992          */
993         *data_offset = file_tell(wth->fh);
994
995         /* Have we reached the end of the packet data? */
996         if (*data_offset == netxray->end_offset) {
997                 /* Yes. */
998                 *err = 0;       /* it's just an EOF, not an error */
999                 return FALSE;
1000         }
1001
1002         /* Read and process record header. */
1003         padding = netxray_process_rec_header(wth, wth->fh, &wth->phdr, err,
1004             err_info);
1005         if (padding < 0) {
1006                 /*
1007                  * Error or EOF.
1008                  */
1009                 if (*err != 0) {
1010                         /*
1011                          * Error of some sort; give up.
1012                          */
1013                         return FALSE;
1014                 }
1015
1016                 /* We're at EOF.  Wrap?
1017                  * XXX: Need to handle 'short file' cases
1018                  *      (Distributed Sniffer seems to have a
1019                  *       certain small propensity to generate 'short' files
1020                  *       i.e. [many] bytes are missing from the end of the file)
1021                  *   case 1: start_offset < end_offset
1022                  *           wrap will read already read packets again;
1023                  *           so: error with "short file"
1024                  *   case 2: start_offset > end_offset ("circular" file)
1025                  *           wrap will mean there's a gap (missing packets).
1026                  *           However, I don't see a good way to identify this
1027                  *           case so we'll just have to allow the wrap.
1028                  *           (Maybe there can be an error message after all
1029                  *            packets are read since there'll be less packets than
1030                  *            specified in the file header).
1031                  * Note that these cases occur *only* if a 'short' eof occurs exactly
1032                  * at the expected beginning of a frame header record; If there is a
1033                  * partial frame header (or partial frame data) record, then the
1034                  * netxray_read... functions will detect the short record.
1035                  */
1036                 if (netxray->start_offset < netxray->end_offset) {
1037                         *err = WTAP_ERR_SHORT_READ;
1038                         return FALSE;
1039                 }
1040
1041                 if (!netxray->wrapped) {
1042                         /* Yes.  Remember that we did. */
1043                         netxray->wrapped = TRUE;
1044                         if (file_seek(wth->fh, CAPTUREFILE_HEADER_SIZE,
1045                             SEEK_SET, err) == -1)
1046                                 return FALSE;
1047                         goto reread;
1048                 }
1049
1050                 /* We've already wrapped - don't wrap again. */
1051                 return FALSE;
1052         }
1053
1054         /*
1055          * Read the packet data.
1056          */
1057         if (!wtap_read_packet_bytes(wth->fh, wth->frame_buffer,
1058             wth->phdr.caplen, err, err_info))
1059                 return FALSE;
1060
1061         /*
1062          * If there's extra stuff at the end of the record, skip it.
1063          */
1064         if (file_seek(wth->fh, padding, SEEK_CUR, err) == -1)
1065                 return FALSE;
1066
1067         /*
1068          * If it's an ATM packet, and we don't have enough information
1069          * from the packet header to determine its type or subtype,
1070          * attempt to guess them from the packet data.
1071          */
1072         netxray_guess_atm_type(wth, &wth->phdr, wth->frame_buffer);
1073         return TRUE;
1074 }
1075
1076 static gboolean
1077 netxray_seek_read(wtap *wth, gint64 seek_off,
1078                   struct wtap_pkthdr *phdr, Buffer *buf,
1079                   int *err, gchar **err_info)
1080 {
1081         if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
1082                 return FALSE;
1083
1084         if (netxray_process_rec_header(wth, wth->random_fh, phdr, err,
1085             err_info) == -1) {
1086                 if (*err == 0) {
1087                         /*
1088                          * EOF - we report that as a short read, as
1089                          * we've read this once and know that it
1090                          * should be there.
1091                          */
1092                         *err = WTAP_ERR_SHORT_READ;
1093                 }
1094                 return FALSE;
1095         }
1096
1097         /*
1098          * Read the packet data.
1099          */
1100         if (!wtap_read_packet_bytes(wth->random_fh, buf, phdr->caplen, err,
1101             err_info))
1102                 return FALSE;
1103
1104         /*
1105          * If it's an ATM packet, and we don't have enough information
1106          * from the packet header to determine its type or subtype,
1107          * attempt to guess them from the packet data.
1108          */
1109         netxray_guess_atm_type(wth, phdr, buf);
1110         return TRUE;
1111 }
1112
1113 static int
1114 netxray_process_rec_header(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr,
1115                         int *err, gchar **err_info)
1116 {
1117         netxray_t *netxray = (netxray_t *)wth->priv;
1118         union netxrayrec_hdr hdr;
1119         int     hdr_size = 0;
1120         double  t;
1121         int     packet_size;
1122         int     padding = 0;
1123
1124         /* Read record header. */
1125         switch (netxray->version_major) {
1126
1127         case 0:
1128                 hdr_size = sizeof (struct old_netxrayrec_hdr);
1129                 break;
1130
1131         case 1:
1132                 hdr_size = sizeof (struct netxrayrec_1_x_hdr);
1133                 break;
1134
1135         case 2:
1136                 hdr_size = sizeof (struct netxrayrec_2_x_hdr);
1137                 break;
1138         }
1139         if (!wtap_read_bytes_or_eof(fh, (void *)&hdr, hdr_size, err, err_info)) {
1140                 /*
1141                  * If *err is 0, we're at EOF.  *err being 0 and a return
1142                  * value of -1 tells our caller we're at EOF.
1143                  *
1144                  * Otherwise, we got an error, and *err *not* being 0
1145                  * and a return value tells our caller we have an error.
1146                  */
1147                 return -1;
1148         }
1149
1150         /*
1151          * If this is Ethernet, 802.11, ISDN, X.25, or ATM, set the
1152          * pseudo-header.
1153          */
1154         switch (netxray->version_major) {
1155
1156         case 1:
1157                 switch (wth->file_encap) {
1158
1159                 case WTAP_ENCAP_ETHERNET:
1160                         /*
1161                          * XXX - if hdr_1_x.xxx[15] is 1
1162                          * the frame appears not to have any extra
1163                          * stuff at the end, but if it's 0,
1164                          * there appears to be 4 bytes of stuff
1165                          * at the end, but it's not an FCS.
1166                          *
1167                          * Or is that just the low-order bit?
1168                          *
1169                          * For now, we just say "no FCS".
1170                          */
1171                         phdr->pseudo_header.eth.fcs_len = 0;
1172                         break;
1173                 }
1174                 break;
1175
1176         case 2:
1177                 switch (wth->file_encap) {
1178
1179                 case WTAP_ENCAP_ETHERNET:
1180                         /*
1181                          * It appears, at least with version 2 captures,
1182                          * that we have 4 bytes of stuff (which might be
1183                          * a valid FCS or might be junk) at the end of
1184                          * the packet if hdr_2_x.xxx[2] and
1185                          * hdr_2_x.xxx[3] are 0xff, and we don't if
1186                          * they don't.
1187                          *
1188                          * It also appears that if the low-order bit of
1189                          * hdr_2_x.xxx[8] is set, the packet has a
1190                          * bad FCS.
1191                          */
1192                         if (hdr.hdr_2_x.xxx[2] == 0xff &&
1193                             hdr.hdr_2_x.xxx[3] == 0xff) {
1194                                 /*
1195                                  * We have 4 bytes of stuff at the
1196                                  * end of the frame - FCS, or junk?
1197                                  */
1198                                 if (netxray->fcs_valid) {
1199                                         /*
1200                                          * FCS.
1201                                          */
1202                                         phdr->pseudo_header.eth.fcs_len = 4;
1203                                 } else {
1204                                         /*
1205                                          * Junk.
1206                                          */
1207                                         padding = 4;
1208                                 }
1209                         } else
1210                                 phdr->pseudo_header.eth.fcs_len = 0;
1211                         break;
1212
1213                 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
1214                         /*
1215                          * It appears, in one 802.11 capture, that
1216                          * we have 4 bytes of junk at the ends of
1217                          * frames in which hdr_2_x.xxx[2] and
1218                          * hdr_2_x.xxx[3] are 0xff; I haven't
1219                          * seen any frames where it's an FCS, but,
1220                          * for now, we still check the fcs_valid
1221                          * flag - I also haven't seen any capture
1222                          * where we'd set it based on the realtick
1223                          * value.
1224                          *
1225                          * It also appears that if the low-order bit of
1226                          * hdr_2_x.xxx[8] is set, the packet has a
1227                          * bad FCS.  According to Ken Mann, the 0x4 bit
1228                          * is sometimes also set for errors.
1229                          *
1230                          * Ken also says that xxx[11] is 0x5 when the
1231                          * packet is WEP-encrypted.
1232                          */
1233                         memset(&phdr->pseudo_header.ieee_802_11, 0, sizeof(phdr->pseudo_header.ieee_802_11));
1234                         if (hdr.hdr_2_x.xxx[2] == 0xff &&
1235                             hdr.hdr_2_x.xxx[3] == 0xff) {
1236                                 /*
1237                                  * We have 4 bytes of stuff at the
1238                                  * end of the frame - FCS, or junk?
1239                                  */
1240                                 if (netxray->fcs_valid) {
1241                                         /*
1242                                          * FCS.
1243                                          */
1244                                         phdr->pseudo_header.ieee_802_11.fcs_len = 4;
1245                                 } else {
1246                                         /*
1247                                          * Junk.
1248                                          */
1249                                         padding = 4;
1250                                 }
1251                         } else
1252                                 phdr->pseudo_header.ieee_802_11.fcs_len = 0;
1253
1254                         phdr->pseudo_header.ieee_802_11.decrypted = FALSE;
1255                         phdr->pseudo_header.ieee_802_11.datapad = FALSE;
1256                         phdr->pseudo_header.ieee_802_11.phy = PHDR_802_11_PHY_UNKNOWN;
1257
1258                         /*
1259                          * XXX - any other information, such as PHY
1260                          * type, frequency, 11n/11ac information,
1261                          * etc.?
1262                          */
1263                         phdr->pseudo_header.ieee_802_11.has_channel = TRUE;
1264                         phdr->pseudo_header.ieee_802_11.channel =
1265                             hdr.hdr_2_x.xxx[12];
1266
1267                         phdr->pseudo_header.ieee_802_11.has_data_rate = TRUE;
1268                         phdr->pseudo_header.ieee_802_11.data_rate =
1269                             hdr.hdr_2_x.xxx[13];
1270
1271                         phdr->pseudo_header.ieee_802_11.has_signal_percent = TRUE;
1272                         phdr->pseudo_header.ieee_802_11.signal_percent =
1273                             hdr.hdr_2_x.xxx[14];
1274
1275                         /*
1276                          * According to Ken Mann, at least in the captures
1277                          * he's seen, xxx[15] is the noise level, which
1278                          * is either 0xFF meaning "none reported" or a value
1279                          * from 0x00 to 0x7F for 0 to 100%.
1280                          */
1281                         if (hdr.hdr_2_x.xxx[15] != 0xFF) {
1282                                 phdr->pseudo_header.ieee_802_11.has_noise_percent = TRUE;
1283                                 phdr->pseudo_header.ieee_802_11.noise_percent =
1284                                     hdr.hdr_2_x.xxx[15]*100/127;
1285                         }
1286                         break;
1287
1288                 case WTAP_ENCAP_ISDN:
1289                         /*
1290                          * ISDN.
1291                          *
1292                          * The bottommost bit of byte 12 of hdr_2_x.xxx
1293                          * is the direction flag.
1294                          *
1295                          * The bottom 5 bits of byte 13 of hdr_2_x.xxx
1296                          * are the channel number, but some mapping is
1297                          * required for PRI.  (Is it really just the time
1298                          * slot?)
1299                          */
1300                         phdr->pseudo_header.isdn.uton =
1301                             (hdr.hdr_2_x.xxx[12] & 0x01);
1302                         phdr->pseudo_header.isdn.channel =
1303                             hdr.hdr_2_x.xxx[13] & 0x1F;
1304                         switch (netxray->isdn_type) {
1305
1306                         case 1:
1307                                 /*
1308                                  * E1 PRI.  Channel numbers 0 and 16
1309                                  * are the D channel; channel numbers 1
1310                                  * through 15 are B1 through B15; channel
1311                                  * numbers 17 through 31 are B16 through
1312                                  * B31.
1313                                  */
1314                                 if (phdr->pseudo_header.isdn.channel == 16)
1315                                         phdr->pseudo_header.isdn.channel = 0;
1316                                 else if (phdr->pseudo_header.isdn.channel > 16)
1317                                         phdr->pseudo_header.isdn.channel -= 1;
1318                                 break;
1319
1320                         case 2:
1321                                 /*
1322                                  * T1 PRI.  Channel numbers 0 and 24
1323                                  * are the D channel; channel numbers 1
1324                                  * through 23 are B1 through B23.
1325                                  */
1326                                 if (phdr->pseudo_header.isdn.channel == 24)
1327                                         phdr->pseudo_header.isdn.channel = 0;
1328                                 else if (phdr->pseudo_header.isdn.channel > 24)
1329                                         phdr->pseudo_header.isdn.channel -= 1;
1330                                 break;
1331                         }
1332
1333                         /*
1334                          * It appears, at least with version 2 captures,
1335                          * that we have 4 bytes of stuff (which might be
1336                          * a valid FCS or might be junk) at the end of
1337                          * the packet if hdr_2_x.xxx[2] and
1338                          * hdr_2_x.xxx[3] are 0xff, and we don't if
1339                          * they don't.
1340                          *
1341                          * XXX - does the low-order bit of hdr_2_x.xxx[8]
1342                          * indicate a bad FCS, as is the case with
1343                          * Ethernet?
1344                          */
1345                         if (hdr.hdr_2_x.xxx[2] == 0xff &&
1346                             hdr.hdr_2_x.xxx[3] == 0xff) {
1347                                 /*
1348                                  * FCS, or junk, at the end.
1349                                  * XXX - is it an FCS if "fcs_valid" is
1350                                  * true?
1351                                  */
1352                                 padding = 4;
1353                         }
1354                         break;
1355
1356                 case WTAP_ENCAP_LAPB:
1357                 case WTAP_ENCAP_FRELAY_WITH_PHDR:
1358                         /*
1359                          * LAPB/X.25 and Frame Relay.
1360                          *
1361                          * The bottommost bit of byte 12 of hdr_2_x.xxx
1362                          * is the direction flag.  (Probably true for other
1363                          * HDLC encapsulations as well.)
1364                          */
1365                         phdr->pseudo_header.x25.flags =
1366                             (hdr.hdr_2_x.xxx[12] & 0x01) ? 0x00 : FROM_DCE;
1367
1368                         /*
1369                          * It appears, at least with version 2 captures,
1370                          * that we have 4 bytes of stuff (which might be
1371                          * a valid FCS or might be junk) at the end of
1372                          * the packet if hdr_2_x.xxx[2] and
1373                          * hdr_2_x.xxx[3] are 0xff, and we don't if
1374                          * they don't.
1375                          *
1376                          * XXX - does the low-order bit of hdr_2_x.xxx[8]
1377                          * indicate a bad FCS, as is the case with
1378                          * Ethernet?
1379                          */
1380                         if (hdr.hdr_2_x.xxx[2] == 0xff &&
1381                             hdr.hdr_2_x.xxx[3] == 0xff) {
1382                                 /*
1383                                  * FCS, or junk, at the end.
1384                                  * XXX - is it an FCS if "fcs_valid" is
1385                                  * true?
1386                                  */
1387                                 padding = 4;
1388                         }
1389                         break;
1390
1391                 case WTAP_ENCAP_PPP_WITH_PHDR:
1392                 case WTAP_ENCAP_SDLC:
1393                 case WTAP_ENCAP_CHDLC_WITH_PHDR:
1394                         phdr->pseudo_header.p2p.sent =
1395                             (hdr.hdr_2_x.xxx[12] & 0x01) ? TRUE : FALSE;
1396                         break;
1397
1398                 case WTAP_ENCAP_ATM_PDUS_UNTRUNCATED:
1399                         /*
1400                          * XXX - the low-order bit of hdr_2_x.xxx[8]
1401                          * seems to indicate some sort of error.  In
1402                          * at least one capture, a number of packets
1403                          * have that flag set, and they appear either
1404                          * to be the beginning part of an incompletely
1405                          * reassembled AAL5 PDU, with either checksum
1406                          * errors at higher levels (possibly due to
1407                          * the packet being reported as shorter than
1408                          * it actually is, and checksumming failing
1409                          * because it doesn't include all the data)
1410                          * or "Malformed frame" errors from being
1411                          * too short, or appear to be later parts
1412                          * of an incompletely reassembled AAL5 PDU
1413                          * with the last one in a sequence of errors
1414                          * having what looks like an AAL5 trailer,
1415                          * with a length and checksum.
1416                          *
1417                          * Does it just mean "reassembly failed",
1418                          * as appears to be the case in those
1419                          * packets, or does it mean "CRC error"
1420                          * at the AAL5 layer (which would be the
1421                          * case if you were treating an incompletely
1422                          * reassembled PDU as a completely reassembled
1423                          * PDU, although you'd also expect a length
1424                          * error in that case), or does it mean
1425                          * "generic error", with some other flag
1426                          * or flags indicating what particular
1427                          * error occurred?  The documentation
1428                          * for Sniffer Pro 4.7 indicates a bunch
1429                          * of different error types, both in general
1430                          * and for ATM in particular.
1431                          *
1432                          * No obvious bits in hdr_2_x.xxx appear
1433                          * to be additional flags of that sort.
1434                          *
1435                          * XXX - in that capture, I see several
1436                          * reassembly errors in a row; should those
1437                          * packets be reassembled in the ATM dissector?
1438                          * What happens if a reassembly fails because
1439                          * a cell is bad?
1440                          */
1441                         phdr->pseudo_header.atm.flags = 0;
1442                         if (hdr.hdr_2_x.xxx[8] & 0x01)
1443                                 phdr->pseudo_header.atm.flags |= ATM_REASSEMBLY_ERROR;
1444                         /*
1445                          * XXX - is 0x08 an "OAM cell" flag?
1446                          * Are the 0x01 and 0x02 bits error indications?
1447                          * Some packets in one capture that have the
1448                          * 0x01 bit set in hdr_2_x.xxx[8] and that
1449                          * appear to have been reassembled completely
1450                          * but have a bad CRC have 0x03 in hdr_2_x.xxx[9]
1451                          * (and don't have the 0x20 bit set).
1452                          *
1453                          * In the capture with incomplete reassemblies,
1454                          * all packets have the 0x20 bit set.  In at
1455                          * least some of the captures with complete
1456                          * reassemblies with CRC errors, no packets
1457                          * have the 0x20 bit set.
1458                          *
1459                          * Are hdr_2_x.xxx[8] and hdr_2_x.xxx[9] a 16-bit
1460                          * flag field?
1461                          */
1462                         if (hdr.hdr_2_x.xxx[9] & 0x04)
1463                                 phdr->pseudo_header.atm.flags |= ATM_RAW_CELL;
1464                         phdr->pseudo_header.atm.vpi = hdr.hdr_2_x.xxx[11];
1465                         phdr->pseudo_header.atm.vci = pletoh16(&hdr.hdr_2_x.xxx[12]);
1466                         phdr->pseudo_header.atm.channel =
1467                             (hdr.hdr_2_x.xxx[15] & 0x10)? 1 : 0;
1468                         phdr->pseudo_header.atm.cells = 0;
1469
1470                         /*
1471                          * XXX - the uppermost bit of hdr_2_xxx[0]
1472                          * looks as if it might be a flag of some sort.
1473                          * The remaining 3 bits appear to be an AAL
1474                          * type - 5 is, surprise surprise, AAL5.
1475                          */
1476                         switch (hdr.hdr_2_x.xxx[0] & 0x70) {
1477
1478                         case 0x00:      /* Unknown */
1479                                 phdr->pseudo_header.atm.aal = AAL_UNKNOWN;
1480                                 phdr->pseudo_header.atm.type = TRAF_UNKNOWN;
1481                                 phdr->pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1482                                 break;
1483
1484                         case 0x10:      /* XXX - AAL1? */
1485                                 phdr->pseudo_header.atm.aal = AAL_UNKNOWN;
1486                                 phdr->pseudo_header.atm.type = TRAF_UNKNOWN;
1487                                 phdr->pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1488                                 break;
1489
1490                         case 0x20:      /* XXX - AAL2?  */
1491                                 phdr->pseudo_header.atm.aal = AAL_UNKNOWN;
1492                                 phdr->pseudo_header.atm.type = TRAF_UNKNOWN;
1493                                 phdr->pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1494                                 break;
1495
1496                         case 0x40:      /* XXX - AAL3/4? */
1497                                 phdr->pseudo_header.atm.aal = AAL_UNKNOWN;
1498                                 phdr->pseudo_header.atm.type = TRAF_UNKNOWN;
1499                                 phdr->pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1500                                 break;
1501
1502                         case 0x30:      /* XXX - AAL5 cells seen with this */
1503                         case 0x50:      /* AAL5 (including signalling) */
1504                         case 0x60:      /* XXX - AAL5 cells seen with this */
1505                         case 0x70:      /* XXX - AAL5 cells seen with this */
1506                                 phdr->pseudo_header.atm.aal = AAL_5;
1507                                 /*
1508                                  * XXX - is the 0x08 bit of hdr_2_x.xxx[0]
1509                                  * a flag?  I've not yet seen a case where
1510                                  * it matters.
1511                                  */
1512                                 switch (hdr.hdr_2_x.xxx[0] & 0x07) {
1513
1514                                 case 0x01:
1515                                 case 0x02:      /* Signalling traffic */
1516                                         phdr->pseudo_header.atm.aal = AAL_SIGNALLING;
1517                                         phdr->pseudo_header.atm.type = TRAF_UNKNOWN;
1518                                         phdr->pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1519                                         break;
1520
1521                                 case 0x03:      /* ILMI */
1522                                         phdr->pseudo_header.atm.type = TRAF_ILMI;
1523                                         phdr->pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1524                                         break;
1525
1526                                 case 0x00:
1527                                 case 0x04:
1528                                 case 0x05:
1529                                         /*
1530                                          * I've seen a frame with type
1531                                          * 0x30 and subtype 0x08 that
1532                                          * was LANE 802.3, a frame
1533                                          * with type 0x30 and subtype
1534                                          * 0x04 that was LANE 802.3,
1535                                          * and another frame with type
1536                                          * 0x30 and subtype 0x08 that
1537                                          * was junk with a string in
1538                                          * it that had also appeared
1539                                          * in some CDP and LE Control
1540                                          * frames, and that was preceded
1541                                          * by a malformed LE Control
1542                                          * frame - was that a reassembly
1543                                          * failure?
1544                                          *
1545                                          * I've seen frames with type
1546                                          * 0x50 and subtype 0x0c, some
1547                                          * of which were LE Control
1548                                          * frames, and at least one
1549                                          * of which was neither an LE
1550                                          * Control frame nor a LANE
1551                                          * 802.3 frame, and contained
1552                                          * the string "ForeThought_6.2.1
1553                                          * Alpha" - does that imply
1554                                          * FORE's own encapsulation,
1555                                          * or was this a reassembly failure?
1556                                          * The latter frame was preceded
1557                                          * by a malformed LE Control
1558                                          * frame.
1559                                          *
1560                                          * I've seen a couple of frames
1561                                          * with type 0x60 and subtype 0x00,
1562                                          * one of which was LANE 802.3 and
1563                                          * one of which was LE Control.
1564                                          * I've seen one frame with type
1565                                          * 0x60 and subtype 0x0c, which
1566                                          * was LANE 802.3.
1567                                          *
1568                                          * I've seen a couple of frames
1569                                          * with type 0x70 and subtype 0x00,
1570                                          * both of which were LANE 802.3.
1571                                          */
1572                                         phdr->pseudo_header.atm.type = TRAF_LANE;
1573                                         phdr->pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1574                                         break;
1575
1576                                 case 0x06:      /* XXX - not seen yet */
1577                                         phdr->pseudo_header.atm.type = TRAF_UNKNOWN;
1578                                         phdr->pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1579                                         break;
1580
1581                                 case 0x07:      /* LLC multiplexed */
1582                                         phdr->pseudo_header.atm.type = TRAF_LLCMX;      /* XXX */
1583                                         phdr->pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;      /* XXX */
1584                                         break;
1585                                 }
1586                                 break;
1587                         }
1588                         break;
1589                 }
1590                 break;
1591         }
1592
1593         phdr->rec_type = REC_TYPE_PACKET;
1594         if (netxray->version_major == 0) {
1595                 phdr->presence_flags = WTAP_HAS_TS;
1596                 t = (double)pletoh32(&hdr.old_hdr.timelo)
1597                     + (double)pletoh32(&hdr.old_hdr.timehi)*4294967296.0;
1598                 t /= netxray->ticks_per_sec;
1599                 t -= netxray->start_timestamp;
1600                 phdr->ts.secs = netxray->start_time + (long)t;
1601                 phdr->ts.nsecs = (int)((t-(double)(unsigned long)(t))
1602                         *1.0e9);
1603                 /*
1604                  * We subtract the padding from the packet size, so our caller
1605                  * doesn't see it.
1606                  */
1607                 packet_size = pletoh16(&hdr.old_hdr.len);
1608                 phdr->caplen = packet_size - padding;
1609                 phdr->len = phdr->caplen;
1610         } else {
1611                 phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
1612                 t = (double)pletoh32(&hdr.hdr_1_x.timelo)
1613                     + (double)pletoh32(&hdr.hdr_1_x.timehi)*4294967296.0;
1614                 t /= netxray->ticks_per_sec;
1615                 t -= netxray->start_timestamp;
1616                 phdr->ts.secs = netxray->start_time + (time_t)t;
1617                 phdr->ts.nsecs = (int)((t-(double)(unsigned long)(t))
1618                         *1.0e9);
1619                 /*
1620                  * We subtract the padding from the packet size, so our caller
1621                  * doesn't see it.
1622                  */
1623                 packet_size = pletoh16(&hdr.hdr_1_x.incl_len);
1624                 phdr->caplen = packet_size - padding;
1625                 phdr->len = pletoh16(&hdr.hdr_1_x.orig_len) - padding;
1626         }
1627
1628         return padding;
1629 }
1630
1631 static void
1632 netxray_guess_atm_type(wtap *wth, struct wtap_pkthdr *phdr, Buffer *buf)
1633 {
1634         const guint8 *pd;
1635
1636         if (wth->file_encap == WTAP_ENCAP_ATM_PDUS_UNTRUNCATED &&
1637            !(phdr->pseudo_header.atm.flags & ATM_REASSEMBLY_ERROR)) {
1638                 if (phdr->pseudo_header.atm.aal == AAL_UNKNOWN) {
1639                         /*
1640                          * Try to guess the type and subtype based
1641                          * on the VPI/VCI and packet contents.
1642                          */
1643                         pd = ws_buffer_start_ptr(buf);
1644                         atm_guess_traffic_type(phdr, pd);
1645                 } else if (phdr->pseudo_header.atm.aal == AAL_5 &&
1646                     phdr->pseudo_header.atm.type == TRAF_LANE) {
1647                         /*
1648                          * Try to guess the subtype based on the
1649                          * packet contents.
1650                          */
1651                         pd = ws_buffer_start_ptr(buf);
1652                         atm_guess_lane_type(phdr, pd);
1653                 }
1654         }
1655 }
1656
1657 typedef struct {
1658         gboolean first_frame;
1659         nstime_t start;
1660         guint32 nframes;
1661 } netxray_dump_t;
1662
1663 static const struct {
1664         int     wtap_encap_value;
1665         int     ndis_value;
1666 } wtap_encap_1_1[] = {
1667         { WTAP_ENCAP_ETHERNET, 0 },             /* -> NDIS Ethernet */
1668         { WTAP_ENCAP_TOKEN_RING, 1 },           /* -> NDIS Token Ring */
1669         { WTAP_ENCAP_FDDI, 2 },                 /* -> NDIS FDDI */
1670         { WTAP_ENCAP_FDDI_BITSWAPPED, 2 },      /* -> NDIS FDDI */
1671 };
1672 #define NUM_WTAP_ENCAPS_1_1 (sizeof wtap_encap_1_1 / sizeof wtap_encap_1_1[0])
1673
1674 static int
1675 wtap_encap_to_netxray_1_1_encap(int encap)
1676 {
1677         unsigned int i;
1678
1679         for (i = 0; i < NUM_WTAP_ENCAPS_1_1; i++) {
1680                 if (encap == wtap_encap_1_1[i].wtap_encap_value)
1681                         return wtap_encap_1_1[i].ndis_value;
1682         }
1683
1684         return -1;
1685 }
1686
1687 /* Returns 0 if we could write the specified encapsulation type,
1688    an error indication otherwise. */
1689 int
1690 netxray_dump_can_write_encap_1_1(int encap)
1691 {
1692         /* Per-packet encapsulations aren't supported. */
1693         if (encap == WTAP_ENCAP_PER_PACKET)
1694                 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
1695
1696         if (wtap_encap_to_netxray_1_1_encap(encap) == -1)
1697                 return WTAP_ERR_UNWRITABLE_ENCAP;
1698
1699         return 0;
1700 }
1701
1702 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
1703    failure */
1704 gboolean
1705 netxray_dump_open_1_1(wtap_dumper *wdh, int *err)
1706 {
1707         netxray_dump_t *netxray;
1708
1709         wdh->subtype_write = netxray_dump_1_1;
1710         wdh->subtype_finish = netxray_dump_finish_1_1;
1711
1712         /* We can't fill in all the fields in the file header, as we
1713            haven't yet written any packets.  As we'll have to rewrite
1714            the header when we've written out all the packets, we just
1715            skip over the header for now. */
1716         if (wtap_dump_file_seek(wdh, CAPTUREFILE_HEADER_SIZE, SEEK_SET, err) == -1)
1717                 return FALSE;
1718         wdh->bytes_dumped += CAPTUREFILE_HEADER_SIZE;
1719
1720         netxray = (netxray_dump_t *)g_malloc(sizeof(netxray_dump_t));
1721         wdh->priv = (void *)netxray;
1722         netxray->first_frame = TRUE;
1723         netxray->start.secs = 0;
1724         netxray->start.nsecs = 0;
1725         netxray->nframes = 0;
1726
1727         return TRUE;
1728 }
1729
1730 /* Write a record for a packet to a dump file.
1731    Returns TRUE on success, FALSE on failure. */
1732 static gboolean
1733 netxray_dump_1_1(wtap_dumper *wdh,
1734                  const struct wtap_pkthdr *phdr,
1735                  const guint8 *pd, int *err, gchar **err_info _U_)
1736 {
1737         netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv;
1738         guint64 timestamp;
1739         guint32 t32;
1740         struct netxrayrec_1_x_hdr rec_hdr;
1741
1742         /* We can only write packet records. */
1743         if (phdr->rec_type != REC_TYPE_PACKET) {
1744                 *err = WTAP_ERR_UNWRITABLE_REC_TYPE;
1745                 return FALSE;
1746         }
1747
1748         /* The captured length field is 16 bits, so there's a hard
1749            limit of 65535. */
1750         if (phdr->caplen > 65535) {
1751                 *err = WTAP_ERR_PACKET_TOO_LARGE;
1752                 return FALSE;
1753         }
1754
1755         /* NetXRay/Windows Sniffer files have a capture start date/time
1756            in the header, in a UNIX-style format, with one-second resolution,
1757            and a start time stamp with microsecond resolution that's just
1758            an arbitrary time stamp relative to some unknown time (boot
1759            time?), and have times relative to the start time stamp in
1760            the packet headers; pick the seconds value of the time stamp
1761            of the first packet as the UNIX-style start date/time, and make
1762            the high-resolution start time stamp 0, with the time stamp of
1763            packets being the delta between the stamp of the packet and
1764            the stamp of the first packet with the microseconds part 0. */
1765         if (netxray->first_frame) {
1766                 netxray->first_frame = FALSE;
1767                 netxray->start = phdr->ts;
1768         }
1769
1770         /* build the header for each packet */
1771         memset(&rec_hdr, '\0', sizeof(rec_hdr));
1772         timestamp = ((guint64)phdr->ts.secs - (guint64)netxray->start.secs)*1000000
1773                 + ((guint64)phdr->ts.nsecs)/1000;
1774         t32 = (guint32)(timestamp%G_GINT64_CONSTANT(4294967296));
1775         rec_hdr.timelo = GUINT32_TO_LE(t32);
1776         t32 = (guint32)(timestamp/G_GINT64_CONSTANT(4294967296));
1777         rec_hdr.timehi = GUINT32_TO_LE(t32);
1778         rec_hdr.orig_len = GUINT16_TO_LE(phdr->len);
1779         rec_hdr.incl_len = GUINT16_TO_LE(phdr->caplen);
1780
1781         if (!wtap_dump_file_write(wdh, &rec_hdr, sizeof(rec_hdr), err))
1782                 return FALSE;
1783         wdh->bytes_dumped += sizeof(rec_hdr);
1784
1785         /* write the packet data */
1786         if (!wtap_dump_file_write(wdh, pd, phdr->caplen, err))
1787                 return FALSE;
1788         wdh->bytes_dumped += phdr->caplen;
1789
1790         netxray->nframes++;
1791
1792         return TRUE;
1793 }
1794
1795 /* Finish writing to a dump file.
1796    Returns TRUE on success, FALSE on failure. */
1797 static gboolean
1798 netxray_dump_finish_1_1(wtap_dumper *wdh, int *err)
1799 {
1800         char hdr_buf[CAPTUREFILE_HEADER_SIZE - sizeof(netxray_magic)];
1801         netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv;
1802         gint64 filelen;
1803         struct netxray_hdr file_hdr;
1804
1805         if (-1 == (filelen = wtap_dump_file_tell(wdh, err)))
1806                 return FALSE;
1807
1808         /* Go back to beginning */
1809         if (wtap_dump_file_seek(wdh, 0, SEEK_SET, err) == -1)
1810                 return FALSE;
1811
1812         /* Rewrite the file header. */
1813         if (!wtap_dump_file_write(wdh, netxray_magic, sizeof netxray_magic, err))
1814                 return FALSE;
1815
1816         /* "sniffer" version ? */
1817         memset(&file_hdr, '\0', sizeof file_hdr);
1818         memcpy(file_hdr.version, vers_1_1, sizeof vers_1_1);
1819         file_hdr.start_time = GUINT32_TO_LE(netxray->start.secs);
1820         file_hdr.nframes = GUINT32_TO_LE(netxray->nframes);
1821         file_hdr.start_offset = GUINT32_TO_LE(CAPTUREFILE_HEADER_SIZE);
1822         /* XXX - large files? */
1823         file_hdr.end_offset = GUINT32_TO_LE((guint32)filelen);
1824         file_hdr.network = wtap_encap_to_netxray_1_1_encap(wdh->encap);
1825         file_hdr.timelo = GUINT32_TO_LE(0);
1826         file_hdr.timehi = GUINT32_TO_LE(0);
1827
1828         memset(hdr_buf, '\0', sizeof hdr_buf);
1829         memcpy(hdr_buf, &file_hdr, sizeof(file_hdr));
1830         if (!wtap_dump_file_write(wdh, hdr_buf, sizeof hdr_buf, err))
1831                 return FALSE;
1832
1833         return TRUE;
1834 }
1835
1836 static const struct {
1837         int     wtap_encap_value;
1838         int     ndis_value;
1839 } wtap_encap_2_0[] = {
1840         { WTAP_ENCAP_ETHERNET, 0 },                     /* -> NDIS Ethernet */
1841         { WTAP_ENCAP_TOKEN_RING, 1 },           /* -> NDIS Token Ring */
1842         { WTAP_ENCAP_FDDI, 2 },                 /* -> NDIS FDDI */
1843         { WTAP_ENCAP_FDDI_BITSWAPPED, 2 },              /* -> NDIS FDDI */
1844         { WTAP_ENCAP_PPP_WITH_PHDR, 3 },                /* -> NDIS WAN */
1845         { WTAP_ENCAP_FRELAY_WITH_PHDR, 3 },             /* -> NDIS WAN */
1846         { WTAP_ENCAP_LAPB, 3 },                 /* -> NDIS WAN */
1847         { WTAP_ENCAP_SDLC, 3 },                 /* -> NDIS WAN */
1848 };
1849 #define NUM_WTAP_ENCAPS_2_0 (sizeof wtap_encap_2_0 / sizeof wtap_encap_2_0[0])
1850
1851 static int
1852 wtap_encap_to_netxray_2_0_encap(int encap)
1853 {
1854         unsigned int i;
1855
1856         for (i = 0; i < NUM_WTAP_ENCAPS_2_0; i++) {
1857                 if (encap == wtap_encap_2_0[i].wtap_encap_value)
1858                         return wtap_encap_2_0[i].ndis_value;
1859         }
1860
1861         return -1;
1862 }
1863
1864 /* Returns 0 if we could write the specified encapsulation type,
1865    an error indication otherwise. */
1866 int
1867 netxray_dump_can_write_encap_2_0(int encap)
1868 {
1869         /* Per-packet encapsulations aren't supported. */
1870         if (encap == WTAP_ENCAP_PER_PACKET)
1871                 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
1872
1873         if (wtap_encap_to_netxray_2_0_encap(encap) == -1)
1874                 return WTAP_ERR_UNWRITABLE_ENCAP;
1875
1876         return 0;
1877 }
1878
1879 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
1880    failure */
1881 gboolean
1882 netxray_dump_open_2_0(wtap_dumper *wdh, int *err)
1883 {
1884         netxray_dump_t *netxray;
1885
1886         wdh->subtype_write = netxray_dump_2_0;
1887         wdh->subtype_finish = netxray_dump_finish_2_0;
1888
1889         /* We can't fill in all the fields in the file header, as we
1890            haven't yet written any packets.  As we'll have to rewrite
1891            the header when we've written out all the packets, we just
1892            skip over the header for now. */
1893         if (wtap_dump_file_seek(wdh, CAPTUREFILE_HEADER_SIZE, SEEK_SET, err) == -1)
1894                 return FALSE;
1895
1896         wdh->bytes_dumped += CAPTUREFILE_HEADER_SIZE;
1897
1898         netxray = (netxray_dump_t *)g_malloc(sizeof(netxray_dump_t));
1899         wdh->priv = (void *)netxray;
1900         netxray->first_frame = TRUE;
1901         netxray->start.secs = 0;
1902         netxray->start.nsecs = 0;
1903         netxray->nframes = 0;
1904
1905         return TRUE;
1906 }
1907
1908 /* Write a record for a packet to a dump file.
1909    Returns TRUE on success, FALSE on failure. */
1910 static gboolean
1911 netxray_dump_2_0(wtap_dumper *wdh,
1912                  const struct wtap_pkthdr *phdr,
1913                  const guint8 *pd, int *err, gchar **err_info _U_)
1914 {
1915         const union wtap_pseudo_header *pseudo_header = &phdr->pseudo_header;
1916         netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv;
1917         guint64 timestamp;
1918         guint32 t32;
1919         struct netxrayrec_2_x_hdr rec_hdr;
1920
1921         /* We can only write packet records. */
1922         if (phdr->rec_type != REC_TYPE_PACKET) {
1923                 *err = WTAP_ERR_UNWRITABLE_REC_TYPE;
1924                 return FALSE;
1925         }
1926
1927         /* Don't write anything we're not willing to read. */
1928         if (phdr->caplen > WTAP_MAX_PACKET_SIZE) {
1929                 *err = WTAP_ERR_PACKET_TOO_LARGE;
1930                 return FALSE;
1931         }
1932
1933         /* NetXRay/Windows Sniffer files have a capture start date/time
1934            in the header, in a UNIX-style format, with one-second resolution,
1935            and a start time stamp with microsecond resolution that's just
1936            an arbitrary time stamp relative to some unknown time (boot
1937            time?), and have times relative to the start time stamp in
1938            the packet headers; pick the seconds value of the time stamp
1939            of the first packet as the UNIX-style start date/time, and make
1940            the high-resolution start time stamp 0, with the time stamp of
1941            packets being the delta between the stamp of the packet and
1942            the stamp of the first packet with the microseconds part 0. */
1943         if (netxray->first_frame) {
1944                 netxray->first_frame = FALSE;
1945                 netxray->start = phdr->ts;
1946         }
1947
1948         /* build the header for each packet */
1949         memset(&rec_hdr, '\0', sizeof(rec_hdr));
1950         timestamp = ((guint64)phdr->ts.secs - (guint64)netxray->start.secs)*1000000
1951                 + ((guint64)phdr->ts.nsecs)/1000;
1952         t32 = (guint32)(timestamp%G_GINT64_CONSTANT(4294967296));
1953         rec_hdr.timelo = GUINT32_TO_LE(t32);
1954         t32 = (guint32)(timestamp/G_GINT64_CONSTANT(4294967296));
1955         rec_hdr.timehi = GUINT32_TO_LE(t32);
1956         rec_hdr.orig_len = GUINT16_TO_LE(phdr->len);
1957         rec_hdr.incl_len = GUINT16_TO_LE(phdr->caplen);
1958
1959         switch (phdr->pkt_encap) {
1960
1961         case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
1962                 rec_hdr.xxx[12] =
1963                     pseudo_header->ieee_802_11.has_channel ?
1964                       pseudo_header->ieee_802_11.channel :
1965                       0;
1966                 rec_hdr.xxx[13] =
1967                     pseudo_header->ieee_802_11.has_data_rate ?
1968                       (guint8)pseudo_header->ieee_802_11.data_rate :
1969                       0;
1970                 rec_hdr.xxx[14] =
1971                     pseudo_header->ieee_802_11.has_signal_percent ?
1972                       pseudo_header->ieee_802_11.signal_percent :
1973                       0;
1974                 rec_hdr.xxx[15] =
1975                     pseudo_header->ieee_802_11.has_noise_percent ?
1976                       pseudo_header->ieee_802_11.noise_percent*127/100 :
1977                       0xFF;
1978                 break;
1979
1980         case WTAP_ENCAP_PPP_WITH_PHDR:
1981         case WTAP_ENCAP_SDLC:
1982                 rec_hdr.xxx[12] |= pseudo_header->p2p.sent ? 0x01 : 0x00;
1983                 break;
1984
1985         case WTAP_ENCAP_FRELAY_WITH_PHDR:
1986                 rec_hdr.xxx[12] |= (pseudo_header->x25.flags & FROM_DCE) ? 0x00 : 0x01;
1987                 break;
1988         }
1989
1990         if (!wtap_dump_file_write(wdh, &rec_hdr, sizeof(rec_hdr), err))
1991                 return FALSE;
1992         wdh->bytes_dumped += sizeof(rec_hdr);
1993
1994         /* write the packet data */
1995         if (!wtap_dump_file_write(wdh, pd, phdr->caplen, err))
1996                 return FALSE;
1997         wdh->bytes_dumped += phdr->caplen;
1998
1999         netxray->nframes++;
2000
2001         return TRUE;
2002 }
2003
2004 /* Finish writing to a dump file.
2005    Returns TRUE on success, FALSE on failure. */
2006 static gboolean
2007 netxray_dump_finish_2_0(wtap_dumper *wdh, int *err)
2008 {
2009         char hdr_buf[CAPTUREFILE_HEADER_SIZE - sizeof(netxray_magic)];
2010         netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv;
2011         gint64 filelen;
2012         struct netxray_hdr file_hdr;
2013
2014         if (-1 == (filelen = wtap_dump_file_tell(wdh, err)))
2015                 return FALSE;
2016
2017         /* Go back to beginning */
2018         if (wtap_dump_file_seek(wdh, 0, SEEK_SET, err) == -1)
2019                 return FALSE;
2020
2021         /* Rewrite the file header. */
2022         if (!wtap_dump_file_write(wdh, netxray_magic, sizeof netxray_magic, err))
2023                 return FALSE;
2024
2025         /* "sniffer" version ? */
2026         memset(&file_hdr, '\0', sizeof file_hdr);
2027         memcpy(file_hdr.version, vers_2_001, sizeof vers_2_001);
2028         file_hdr.start_time = GUINT32_TO_LE(netxray->start.secs);
2029         file_hdr.nframes = GUINT32_TO_LE(netxray->nframes);
2030         file_hdr.start_offset = GUINT32_TO_LE(CAPTUREFILE_HEADER_SIZE);
2031         /* XXX - large files? */
2032         file_hdr.end_offset = GUINT32_TO_LE((guint32)filelen);
2033         file_hdr.network = wtap_encap_to_netxray_2_0_encap(wdh->encap);
2034         file_hdr.timelo = GUINT32_TO_LE(0);
2035         file_hdr.timehi = GUINT32_TO_LE(0);
2036         switch (wdh->encap) {
2037
2038         case WTAP_ENCAP_PPP_WITH_PHDR:
2039                 file_hdr.captype = WAN_CAPTYPE_PPP;
2040                 break;
2041
2042         case WTAP_ENCAP_FRELAY_WITH_PHDR:
2043                 file_hdr.captype = WAN_CAPTYPE_FRELAY;
2044                 break;
2045
2046         case WTAP_ENCAP_LAPB:
2047                 file_hdr.captype = WAN_CAPTYPE_HDLC;
2048                 file_hdr.wan_hdlc_subsub_captype = 0;
2049                 break;
2050
2051         case WTAP_ENCAP_SDLC:
2052                 file_hdr.captype = WAN_CAPTYPE_SDLC;
2053                 break;
2054
2055         default:
2056                 file_hdr.captype = CAPTYPE_NDIS;
2057                 break;
2058         }
2059
2060         memset(hdr_buf, '\0', sizeof hdr_buf);
2061         memcpy(hdr_buf, &file_hdr, sizeof(file_hdr));
2062         if (!wtap_dump_file_write(wdh, hdr_buf, sizeof hdr_buf, err))
2063                 return FALSE;
2064
2065         return TRUE;
2066 }
2067
2068 /*
2069  * Editor modelines  -  http://www.wireshark.org/tools/modelines.html
2070  *
2071  * Local variables:
2072  * c-basic-offset: 8
2073  * tab-width: 8
2074  * indent-tabs-mode: t
2075  * End:
2076  *
2077  * vi: set shiftwidth=8 tabstop=8 noexpandtab:
2078  * :indentSize=8:tabSize=8:noTabs=false:
2079  */