4 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version 2
9 * of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
26 #include "file_wrappers.h"
30 /* Capture file header, *including* magic number, is padded to 128 bytes. */
31 #define CAPTUREFILE_HEADER_SIZE 128
33 /* Magic number size, in both 1.x and later files. */
36 /* Magic number in NetXRay 1.x files. */
37 static const char old_netxray_magic[MAGIC_SIZE] = {
41 /* Magic number in NetXRay 2.0 and later, and Windows Sniffer, files. */
42 static const char netxray_magic[MAGIC_SIZE] = {
46 /* NetXRay file header (minus magic number). */
48 /* As field usages are identified, please revise as needed */
49 /* Please do *not* use netxray_hdr xxx... names in the code */
50 /* (Placeholder names for all 'unknown' fields are */
51 /* of form xxx_x<hex_hdr_offset> */
52 /* where <hex_hdr_offset> *includes* the magic number) */
55 char version[8]; /* version number */
56 guint32 start_time; /* UNIX [UTC] time when capture started */
58 guint32 nframes; /* number of packets */
59 guint32 xxx_x14; /* unknown [some kind of file offset] */
60 guint32 start_offset; /* offset of first packet in capture */
61 guint32 end_offset; /* offset after last packet in capture */
63 guint32 xxx_x20; /* unknown [some kind of file offset] */
64 guint32 xxx_x24; /* unknown [unused ?] */
65 guint32 xxx_x28; /* unknown [some kind of file offset] */
66 guint8 network; /* datalink type */
67 guint8 network_plus; /* [See code] */
68 guint8 xxx_x2E[2]; /* unknown */
70 guint8 timeunit; /* encodes length of a tick */
71 guint8 xxx_x31[3]; /* XXX - upper 3 bytes of timeunit ? */
72 guint32 timelo; /* lower 32 bits of capture start time stamp */
73 guint32 timehi; /* upper 32 bits of capture start time stamp */
74 guint32 linespeed; /* speed of network, in bits/second */
76 guint8 xxx_x40[12]; /* unknown [other stuff] */
77 guint8 realtick[4]; /* (ticks/sec for Ethernet/Ndis/Timeunit=2 ?) */
78 /* (realtick[1], realtick[2] also currently */
79 /* used as flag for 'FCS presence') */
81 guint8 xxx_x50[4]; /* unknown [other stuff] */
82 guint8 captype; /* capture type */
83 guint8 xxx_x55[3]; /* unknown [other stuff] */
84 guint8 xxx_x58[4]; /* unknown [other stuff] */
85 guint8 wan_hdlc_subsub_captype; /* WAN HDLC subsub_captype */
86 guint8 xxx_x5D[3]; /* unknown [other stuff] */
88 guint8 xxx_x60[16]; /* unknown [other stuff] */
90 guint8 xxx_x70[14]; /* unknown [other stuff] */
91 gint16 timezone_hrs; /* timezone hours [at least for version 2.2..]; */
92 /* positive values = west of UTC: */
93 /* negative values = east of UTC: */
94 /* e.g. +5 is American Eastern */
95 /* [Does not appear to be adjusted for DST ] */
99 * Capture type, in hdr.captype.
101 * Values other than 0 are dependent on the network type.
102 * For Ethernet captures, it indicates the type of capture pod.
103 * For WAN captures (all of which are done with a pod), it indicates
104 * the link-layer type.
106 #define CAPTYPE_NDIS 0 /* Capture on network interface using NDIS */
109 * Ethernet capture types.
111 #define ETH_CAPTYPE_GIGPOD 2 /* gigabit Ethernet captured with pod */
112 #define ETH_CAPTYPE_OTHERPOD 3 /* non-gigabit Ethernet captured with pod */
113 #define ETH_CAPTYPE_OTHERPOD2 5 /* gigabit Ethernet via pod ?? */
114 /* Captype 5 seen in capture from Distributed Sniffer with: */
115 /* Version 4.50.211 software */
116 /* SysKonnect SK-9843 Gigabit Ethernet Server Adapter */
117 #define ETH_CAPTYPE_GIGPOD2 6 /* gigabit Ethernet, captured with blade on S6040-model Sniffer */
122 #define WAN_CAPTYPE_BROUTER 1 /* Bridge/router captured with pod */
123 #define WAN_CAPTYPE_PPP 3 /* PPP captured with pod */
124 #define WAN_CAPTYPE_FRELAY 4 /* Frame Relay captured with pod */
125 #define WAN_CAPTYPE_BROUTER2 5 /* Bridge/router captured with pod */
126 #define WAN_CAPTYPE_HDLC 6 /* HDLC (X.25, ISDN) captured with pod */
127 #define WAN_CAPTYPE_SDLC 7 /* SDLC captured with pod */
128 #define WAN_CAPTYPE_HDLC2 8 /* HDLC captured with pod */
129 #define WAN_CAPTYPE_BROUTER3 9 /* Bridge/router captured with pod */
130 #define WAN_CAPTYPE_SMDS 10 /* SMDS DXI */
131 #define WAN_CAPTYPE_BROUTER4 11 /* Bridge/router captured with pod */
132 #define WAN_CAPTYPE_BROUTER5 12 /* Bridge/router captured with pod */
133 #define WAN_CAPTYPE_CHDLC 19 /* Cisco router (CHDLC) captured with pod */
135 #define CAPTYPE_ATM 15 /* ATM captured with pod */
138 * # of ticks that equal 1 second, in version 002.xxx files other
139 * than Ethernet captures with a captype other than CAPTYPE_NDIS;
140 * the index into this array is hdr.timeunit.
142 * DO NOT SEND IN PATCHES THAT CHANGE ANY OF THE NON-ZERO VALUES IN
143 * ANY OF THE TpS TABLES. THOSE VALUES ARE CORRECT FOR AT LEAST ONE
144 * CAPTURE, SO CHANGING THEM WILL BREAK AT LEAST SOME CAPTURES. WE
145 * WILL NOT CHECK IN PATCHES THAT CHANGE THESE VALUES.
147 * Instead, if a value in a TpS table is wrong, check whether captype
148 * has a non-zero value; if so, perhaps we need a new TpS table for the
149 * corresponding network type and captype, or perhaps the 'realtick'
150 * field contains the correct ticks-per-second value.
152 * TpS...[] entries of 0.0 mean that no capture file for the
153 * corresponding captype/timeunit values has yet been seen, or that
154 * we're using the 'realtick' value.
156 * XXX - 05/29/07: For Ethernet captype = 0 (NDIS) and timeunit = 2:
157 * Perusal of a number of Sniffer captures
158 * (including those from Wireshark bug reports
159 * and those from the Wireshark 'menagerie')
160 * suggests that 'realtick' for this case
161 * contains the correct ticks/second to be used.
162 * So: we'll use realtick for Ethernet captype=0 and timeunit=2.
163 * (It might be that realtick should be used for Ethernet captype = 0
164 * and timeunit = 1 but I've not yet enough captures to be sure).
165 * Based upon the captures reviewed to date, realtick cannot be used for
166 * any of the other Ethernet captype/timeunit combinations for which there
167 * are non-zero values in the TpS tables.
169 * In at least one capture where "realtick" doesn't correspond
170 * to the value from the appropriate TpS table, the per-packet header's
171 * "xxx" field is all zero, so it's not as if a 2.x header includes
172 * a "compatibility" time stamp corresponding to the value from the
173 * TpS table and a "real" time stamp corresponding to "realtick".
175 * XXX - the item corresponding to timeunit = 2 is 1193180.0, presumably
176 * because somebody found it gave the right answer for some captures, but
177 * 3 times that, i.e. 3579540.0, appears to give the right answer for some
180 * Some captures have realtick of 1193182, some have 3579545, and some
181 * have 1193000. Most of those, in one set of captures somebody has,
182 * are wrong. (Did that mean "wrong for some capture files, but not
183 * for the files in which they occurred", or "wrong for the files in
184 * which they occurred? If it's "wrong for some capture files, but
185 * not for the files in which they occurred", perhaps those were Ethernet
186 * captures with a captype of 0 and timeunit = 2, so that we now use
187 * realtick, and perhaps that fixes the problems.)
189 * XXX - in at least one ATM capture, hdr.realtick is 1193180.0
190 * and hdr.timeunit is 0. Does that capture have a captype of
191 * CAPTYPE_ATM? If so, what should the table for ATM captures with
194 static const double TpS[] = { 1e6, 1193000.0, 1193182.0 };
195 #define NUM_NETXRAY_TIMEUNITS (sizeof TpS / sizeof TpS[0])
198 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_GIGPOD.
199 * 0.0 means "unknown".
201 * It appears that, at least for Ethernet captures, if captype is
202 * ETH_CAPTYPE_GIGPOD, that indicates that it's a gigabit Ethernet
203 * capture, possibly from a special whizzo gigabit pod, and also
204 * indicates that the time stamps have some higher resolution than
205 * in other captures, possibly thanks to a high-resolution timer
208 * It also appears that the time units might differ for gigabit pod
209 * captures between version 002.001 and 002.002. For 002.001,
210 * the values below are correct; for 002.002, it's claimed that
211 * the right value for TpS_gigpod[2] is 1250000.0, but at least one
212 * 002.002 gigabit pod capture has 31250000.0 as the right value.
213 * XXX: Note that the TpS_otherpod[2] value is 1250000.0; It seems
214 * reasonable to suspect that the original claim might actually
215 * have been for a capture with a captype of 'otherpod'.
216 * (Based upon captures reviewed realtick does not contain the
217 * correct TpS values for the 'gigpod' captype).
219 static const double TpS_gigpod[] = { 1e9, 0.0, 31250000.0 };
220 #define NUM_NETXRAY_TIMEUNITS_GIGPOD (sizeof TpS_gigpod / sizeof TpS_gigpod[0])
223 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_OTHERPOD.
224 * (Based upon captures reviewed realtick does not contain the
225 * correct TpS values for the 'otherpod' captype).
227 static const double TpS_otherpod[] = { 1e6, 0.0, 1250000.0 };
228 #define NUM_NETXRAY_TIMEUNITS_OTHERPOD (sizeof TpS_otherpod / sizeof TpS_otherpod[0])
231 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_OTHERPOD2.
232 * (Based upon captures reviewed realtick does not contain the
233 * correct TpS values for the 'otherpod2' captype).
235 static const double TpS_otherpod2[] = { 1e6, 0.0, 0.0 };
236 #define NUM_NETXRAY_TIMEUNITS_OTHERPOD2 (sizeof TpS_otherpod2 / sizeof TpS_otherpod2[0])
239 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_GIGPOD2.
240 * (Based upon captures reviewed realtick does not contain the
241 * correct TpS values for the 'gigpod2' captype).
243 static const double TpS_gigpod2[] = { 1e9, 0.0, 20000000.0 };
244 #define NUM_NETXRAY_TIMEUNITS_GIGPOD2 (sizeof TpS_gigpod2 / sizeof TpS_gigpod2[0])
246 /* Version number strings. */
247 static const char vers_1_0[] = {
248 '0', '0', '1', '.', '0', '0', '0', '\0'
251 static const char vers_1_1[] = {
252 '0', '0', '1', '.', '1', '0', '0', '\0'
255 static const char vers_2_000[] = {
256 '0', '0', '2', '.', '0', '0', '0', '\0'
259 static const char vers_2_001[] = {
260 '0', '0', '2', '.', '0', '0', '1', '\0'
263 static const char vers_2_002[] = {
264 '0', '0', '2', '.', '0', '0', '2', '\0'
267 static const char vers_2_003[] = {
268 '0', '0', '2', '.', '0', '0', '3', '\0'
271 /* Old NetXRay data record format - followed by frame data. */
272 struct old_netxrayrec_hdr {
273 guint32 timelo; /* lower 32 bits of time stamp */
274 guint32 timehi; /* upper 32 bits of time stamp */
275 guint16 len; /* packet length */
276 guint8 xxx[6]; /* unknown */
279 /* NetXRay format version 1.x data record format - followed by frame data. */
280 struct netxrayrec_1_x_hdr {
281 guint32 timelo; /* lower 32 bits of time stamp */
282 guint32 timehi; /* upper 32 bits of time stamp */
283 guint16 orig_len; /* packet length */
284 guint16 incl_len; /* capture length */
285 guint8 xxx[16]; /* unknown */
289 * NetXRay format version 2.x data record format - followed by frame data.
291 * The xxx fields appear to be:
293 * xxx[0]: ATM traffic type and subtype in the low 3 bits of
294 * each nibble, and flags(?) in the upper bit of each nibble.
296 * xxx[2], xxx[3]: for Ethernet, 802.11, ISDN LAPD, LAPB,
297 * Frame Relay, if both are 0xff, there are 4 bytes of stuff
298 * at the end of the packet data, which might be an FCS or
299 * which might be junk to discard.
301 * xxx[8], xxx[9]: 2 bytes of a flag word? If treated as
302 * a 2-byte little-endian flag word:
304 * 0x0001: Error of some sort, including bad CRC, although
305 * in one ISDN capture it's set in some B2 channel
306 * packets of unknown content (as opposed to the B1
307 * traffic in the capture, which is PPP)
308 * 0x0004: Some particular type of error?
309 * 0x0008: For (Gigabit?) Ethernet (with special probe?),
310 * 4 bytes at end are junk rather than CRC?
311 * 0x0100: CRC error on ATM? Protected and Not decrypted
313 * 0x0200: Something for ATM? Something else for 802.11?
314 * 0x0400: raw ATM cell
316 * 0x2000: port on which the packet was captured?
318 * The Sniffer Portable 4.8 User's Guide lists a set of packet status
322 * packet was captured from Port A on the pod or adapter card;
323 * packet was captured from Port B on the pod or adapter card;
324 * packet has a symptom or diagnosis associated with it;
325 * packet is an event filter trigger;
326 * CRC error packet with normal packet size;
327 * CRC error packet with oversize error;
328 * packet size < 64 bytes (including CRC) but with valid CRC;
329 * packet size < 64 bytes (including CRC) with CRC error;
330 * packet size > 1518 bytes (including CRC) but with valid CRC;
331 * packet damaged by a collision;
332 * packet length not a multiple of 8 bits;
333 * address conflict in the ring on Token Ring;
334 * packet is not copied (received) by the destination host on
337 * AAL5 maximum segments error;
341 * and a ton of AAL2 errors.
343 * Not all those bits necessarily correspond to flag bits in the file,
346 * In one ATM capture, the 0x2000 bit was set for all frames; in another,
347 * it's unset for all frames. This, plus the ATMbook having two ports,
348 * suggests that it *might* be a "port A vs. port B" flag.
350 * The 0x0001 bit appears to be set for CRC errors on Ethernet and 802.11.
351 * It also appears to be set on ATM for AAL5 PDUs that appear to be
352 * completely reassembled and that have a CRC error and for frames that
353 * appear to be part of a full AAL5 PDU. In at least two files with
354 * frames of the former type, the 0x0100 and 0x0200 flags are set;
355 * in at least one file with frames of the latter type, neither of
356 * those flags are set.
358 * The field appears to be somewhat random in some captures,
361 * xxx[11]: for 802.11, 0x05 if the packet is WEP-encrypted(?).
363 * xxx[12]: for 802.11, channel number.
365 * xxx[13]: for 802.11, data rate.
367 * xxx[14]: for 802.11, signal strength.
369 * xxx[15]: for 802.11, noise level; 0xFF means none reported,
372 * xxx[20-25]: for 802.11, MAC address of sending machine(?).
374 struct netxrayrec_2_x_hdr {
375 guint32 timelo; /* lower 32 bits of time stamp */
376 guint32 timehi; /* upper 32 bits of time stamp */
377 guint16 orig_len; /* packet length */
378 guint16 incl_len; /* capture length */
379 guint8 xxx[28]; /* various data */
383 * Union of the data record headers.
385 union netxrayrec_hdr {
386 struct old_netxrayrec_hdr old_hdr;
387 struct netxrayrec_1_x_hdr hdr_1_x;
388 struct netxrayrec_2_x_hdr hdr_2_x;
393 double ticks_per_sec;
394 double start_timestamp;
400 gboolean fcs_valid; /* if packets have valid FCS at the end */
401 guint isdn_type; /* 1 = E1 PRI, 2 = T1 PRI, 3 = BRI */
404 static gboolean netxray_read(wtap *wth, int *err, gchar **err_info,
405 gint64 *data_offset);
406 static gboolean netxray_seek_read(wtap *wth, gint64 seek_off,
407 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
408 static int netxray_process_rec_header(wtap *wth, FILE_T fh,
409 struct wtap_pkthdr *phdr, int *err, gchar **err_info);
410 static void netxray_guess_atm_type(wtap *wth, struct wtap_pkthdr *phdr,
412 static gboolean netxray_dump_1_1(wtap_dumper *wdh,
413 const struct wtap_pkthdr *phdr,
414 const guint8 *pd, int *err, gchar **err_info);
415 static gboolean netxray_dump_finish_1_1(wtap_dumper *wdh, int *err);
416 static gboolean netxray_dump_2_0(wtap_dumper *wdh,
417 const struct wtap_pkthdr *phdr,
418 const guint8 *pd, int *err, gchar **err_info);
419 static gboolean netxray_dump_finish_2_0(wtap_dumper *wdh, int *err);
422 netxray_open(wtap *wth, int *err, gchar **err_info)
424 char magic[MAGIC_SIZE];
426 struct netxray_hdr hdr;
428 double ticks_per_sec;
429 int version_major, version_minor;
431 double start_timestamp;
432 static const int netxray_encap[] = {
435 WTAP_ENCAP_TOKEN_RING,
436 WTAP_ENCAP_FDDI_BITSWAPPED,
438 * XXX - some PPP captures may look like Ethernet,
439 * perhaps because they're using NDIS to capture on the
440 * same machine and it provides simulated-Ethernet
441 * packets, but captures taken with various serial
442 * pods use the same network type value but aren't
443 * shaped like Ethernet. We handle that below.
445 WTAP_ENCAP_ETHERNET, /* WAN(PPP), but shaped like Ethernet */
446 WTAP_ENCAP_UNKNOWN, /* LocalTalk */
447 WTAP_ENCAP_UNKNOWN, /* "DIX" - should not occur */
448 WTAP_ENCAP_UNKNOWN, /* ARCNET raw */
449 WTAP_ENCAP_UNKNOWN, /* ARCNET 878.2 */
450 WTAP_ENCAP_ATM_PDUS_UNTRUNCATED,/* ATM */
451 WTAP_ENCAP_IEEE_802_11_WITH_RADIO,
452 /* Wireless WAN with radio information */
453 WTAP_ENCAP_UNKNOWN /* IrDA */
455 #define NUM_NETXRAY_ENCAPS (sizeof netxray_encap / sizeof netxray_encap[0])
460 /* Read in the string that should be at the start of a NetXRay
462 if (!wtap_read_bytes(wth->fh, magic, MAGIC_SIZE, err, err_info)) {
463 if (*err != WTAP_ERR_SHORT_READ)
464 return WTAP_OPEN_ERROR;
465 return WTAP_OPEN_NOT_MINE;
468 if (memcmp(magic, netxray_magic, MAGIC_SIZE) == 0) {
470 } else if (memcmp(magic, old_netxray_magic, MAGIC_SIZE) == 0) {
473 return WTAP_OPEN_NOT_MINE;
476 /* Read the rest of the header. */
477 if (!wtap_read_bytes(wth->fh, &hdr, sizeof hdr, err, err_info))
478 return WTAP_OPEN_ERROR;
483 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_OLD;
485 /* It appears that version 1.1 files (as produced by Windows
486 * Sniffer Pro 2.0.01) have the time stamp in microseconds,
487 * rather than the milliseconds version 1.0 files appear to
490 * It also appears that version 2.00x files have per-packet
491 * headers with some extra fields. */
492 if (memcmp(hdr.version, vers_1_0, sizeof vers_1_0) == 0) {
495 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_1_0;
496 } else if (memcmp(hdr.version, vers_1_1, sizeof vers_1_1) == 0) {
499 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_1_1;
500 } else if (memcmp(hdr.version, vers_2_000, sizeof vers_2_000) == 0) {
503 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_2_00x;
504 } else if (memcmp(hdr.version, vers_2_001, sizeof vers_2_001) == 0) {
507 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_2_00x;
508 } else if (memcmp(hdr.version, vers_2_002, sizeof vers_2_002) == 0) {
511 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_2_00x;
512 } else if (memcmp(hdr.version, vers_2_003, sizeof vers_2_003) == 0) {
515 file_type = WTAP_FILE_TYPE_SUBTYPE_NETXRAY_2_00x;
517 *err = WTAP_ERR_UNSUPPORTED;
518 *err_info = g_strdup_printf("netxray: version \"%.8s\" unsupported", hdr.version);
519 return WTAP_OPEN_ERROR;
523 switch (hdr.network_plus) {
527 * The byte after hdr.network is usually 0, in which case
528 * the hdr.network byte is an NDIS network type value - 1.
530 network_type = hdr.network + 1;
535 * However, in some Ethernet captures, it's 2, and the
536 * hdr.network byte is 1 rather than 0. We assume
537 * that if there's a byte after hdr.network with the value
538 * 2, the hdr.network byte is an NDIS network type, rather
539 * than an NDIS network type - 1.
541 network_type = hdr.network;
545 *err = WTAP_ERR_UNSUPPORTED;
546 *err_info = g_strdup_printf("netxray: the byte after the network type has the value %u, which I don't understand",
548 return WTAP_OPEN_ERROR;
551 if (network_type >= NUM_NETXRAY_ENCAPS
552 || netxray_encap[network_type] == WTAP_ENCAP_UNKNOWN) {
553 *err = WTAP_ERR_UNSUPPORTED;
554 *err_info = g_strdup_printf("netxray: network type %u (%u) unknown or unsupported",
555 network_type, hdr.network_plus);
556 return WTAP_OPEN_ERROR;
560 * Figure out the time stamp units and start time stamp.
562 start_timestamp = (double)pletoh32(&hdr.timelo)
563 + (double)pletoh32(&hdr.timehi)*4294967296.0;
566 case WTAP_FILE_TYPE_SUBTYPE_NETXRAY_OLD:
567 ticks_per_sec = 1000.0;
568 wth->file_tsprec = WTAP_TSPREC_MSEC;
571 case WTAP_FILE_TYPE_SUBTYPE_NETXRAY_1_0:
572 ticks_per_sec = 1000.0;
573 wth->file_tsprec = WTAP_TSPREC_MSEC;
576 case WTAP_FILE_TYPE_SUBTYPE_NETXRAY_1_1:
578 * In version 1.1 files (as produced by Windows Sniffer
579 * Pro 2.0.01), the time stamp is in microseconds,
580 * rather than the milliseconds time stamps in NetXRay
581 * and older versions of Windows Sniffer.
583 ticks_per_sec = 1000000.0;
584 wth->file_tsprec = WTAP_TSPREC_USEC;
587 case WTAP_FILE_TYPE_SUBTYPE_NETXRAY_2_00x:
589 * Get the time stamp units from the appropriate TpS
590 * table or from the file header.
592 switch (network_type) {
596 * Ethernet - the table to use depends on whether
597 * this is an NDIS or pod capture.
599 switch (hdr.captype) {
602 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS) {
603 *err = WTAP_ERR_UNSUPPORTED;
604 *err_info = g_strdup_printf(
605 "netxray: Unknown timeunit %u for Ethernet/CAPTYPE_NDIS version %.8s capture",
606 hdr.timeunit, hdr.version);
607 return WTAP_OPEN_ERROR;
610 XXX: 05/29/07: Use 'realtick' instead of TpS table if timeunit=2;
611 Using 'realtick' in this case results
612 in the correct 'ticks per second' for all the captures that
613 I have of this type (including captures from a number of Wireshark
616 if (hdr.timeunit == 2) {
617 ticks_per_sec = pletoh32(hdr.realtick);
620 ticks_per_sec = TpS[hdr.timeunit];
624 case ETH_CAPTYPE_GIGPOD:
625 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_GIGPOD
626 || TpS_gigpod[hdr.timeunit] == 0.0) {
627 *err = WTAP_ERR_UNSUPPORTED;
628 *err_info = g_strdup_printf(
629 "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_GIGPOD version %.8s capture",
630 hdr.timeunit, hdr.version);
631 return WTAP_OPEN_ERROR;
633 ticks_per_sec = TpS_gigpod[hdr.timeunit];
636 * At least for 002.002 and 002.003
637 * captures, the start time stamp is 0,
638 * not the value in the file.
640 if (version_minor == 2 || version_minor == 3)
641 start_timestamp = 0.0;
644 case ETH_CAPTYPE_OTHERPOD:
645 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_OTHERPOD
646 || TpS_otherpod[hdr.timeunit] == 0.0) {
647 *err = WTAP_ERR_UNSUPPORTED;
648 *err_info = g_strdup_printf(
649 "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_OTHERPOD version %.8s capture",
650 hdr.timeunit, hdr.version);
651 return WTAP_OPEN_ERROR;
653 ticks_per_sec = TpS_otherpod[hdr.timeunit];
656 * At least for 002.002 and 002.003
657 * captures, the start time stamp is 0,
658 * not the value in the file.
660 if (version_minor == 2 || version_minor == 3)
661 start_timestamp = 0.0;
664 case ETH_CAPTYPE_OTHERPOD2:
665 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_OTHERPOD2
666 || TpS_otherpod2[hdr.timeunit] == 0.0) {
667 *err = WTAP_ERR_UNSUPPORTED;
668 *err_info = g_strdup_printf(
669 "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_OTHERPOD2 version %.8s capture",
670 hdr.timeunit, hdr.version);
671 return WTAP_OPEN_ERROR;
673 ticks_per_sec = TpS_otherpod2[hdr.timeunit];
675 * XXX: start time stamp in the one capture file examined of this type was 0;
676 * We'll assume the start time handling is the same as for other pods.
678 * At least for 002.002 and 002.003
679 * captures, the start time stamp is 0,
680 * not the value in the file.
682 if (version_minor == 2 || version_minor == 3)
683 start_timestamp = 0.0;
686 case ETH_CAPTYPE_GIGPOD2:
687 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_GIGPOD2
688 || TpS_gigpod2[hdr.timeunit] == 0.0) {
689 *err = WTAP_ERR_UNSUPPORTED;
690 *err_info = g_strdup_printf(
691 "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_GIGPOD2 version %.8s capture",
692 hdr.timeunit, hdr.version);
693 return WTAP_OPEN_ERROR;
695 ticks_per_sec = TpS_gigpod2[hdr.timeunit];
697 * XXX: start time stamp in the one capture file examined of this type was 0;
698 * We'll assume the start time handling is the same as for other pods.
700 * At least for 002.002 and 002.003
701 * captures, the start time stamp is 0,
702 * not the value in the file.
704 if (version_minor == 2 || version_minor == 3)
705 start_timestamp = 0.0;
709 *err = WTAP_ERR_UNSUPPORTED;
710 *err_info = g_strdup_printf(
711 "netxray: Unknown capture type %u for Ethernet version %.8s capture",
712 hdr.captype, hdr.version);
713 return WTAP_OPEN_ERROR;
718 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS) {
719 *err = WTAP_ERR_UNSUPPORTED;
720 *err_info = g_strdup_printf(
721 "netxray: Unknown timeunit %u for %u/%u version %.8s capture",
722 hdr.timeunit, network_type, hdr.captype,
724 return WTAP_OPEN_ERROR;
726 ticks_per_sec = TpS[hdr.timeunit];
731 * If the number of ticks per second is greater than
732 * 1 million, make the precision be nanoseconds rather
735 * XXX - do values only slightly greater than one million
736 * correspond to a resolution sufficiently better than
737 * 1 microsecond to display more digits of precision?
738 * XXX - Seems reasonable to use nanosecs only if TPS >= 10M
740 if (ticks_per_sec >= 1e7)
741 wth->file_tsprec = WTAP_TSPREC_NSEC;
743 wth->file_tsprec = WTAP_TSPREC_USEC;
747 g_assert_not_reached();
750 start_timestamp = start_timestamp/ticks_per_sec;
752 if (network_type == 4) {
754 * In version 0 and 1, we assume, for now, that all
755 * WAN captures have frames that look like Ethernet
756 * frames (as a result, presumably, of having passed
759 * In version 2, it looks as if there's stuff in the
760 * file header to specify what particular type of WAN
763 if (version_major == 2) {
764 switch (hdr.captype) {
766 case WAN_CAPTYPE_PPP:
770 file_encap = WTAP_ENCAP_PPP_WITH_PHDR;
773 case WAN_CAPTYPE_FRELAY:
777 * XXX - in at least one capture, this
778 * is Cisco HDLC, not Frame Relay, but
779 * in another capture, it's Frame Relay.
781 * [Bytes in each capture:
782 * Cisco HDLC: hdr.xxx_x60[06:10]: 0x02 0x00 0x01 0x00 0x06
783 * Frame Relay: hdr.xxx_x60[06:10] 0x00 0x00 0x00 0x00 0x00
785 * Cisco HDLC: hdr.xxx_x60[14:15]: 0xff 0xff
786 * Frame Relay: hdr.xxx_x60[14:15]: 0x00 0x00
789 file_encap = WTAP_ENCAP_FRELAY_WITH_PHDR;
792 case WAN_CAPTYPE_HDLC:
793 case WAN_CAPTYPE_HDLC2:
795 * Various HDLC flavors?
797 switch (hdr.wan_hdlc_subsub_captype) {
799 case 0: /* LAPB/X.25 */
801 * XXX - at least one capture of
802 * this type appears to be PPP.
804 file_encap = WTAP_ENCAP_LAPB;
810 file_encap = WTAP_ENCAP_ISDN;
811 isdn_type = hdr.wan_hdlc_subsub_captype;
815 *err = WTAP_ERR_UNSUPPORTED;
816 *err_info = g_strdup_printf("netxray: WAN HDLC capture subsubtype 0x%02x unknown or unsupported",
817 hdr.wan_hdlc_subsub_captype);
818 return WTAP_OPEN_ERROR;
822 case WAN_CAPTYPE_SDLC:
826 file_encap = WTAP_ENCAP_SDLC;
829 case WAN_CAPTYPE_CHDLC:
831 * Cisco router (CHDLC) captured with pod
833 file_encap = WTAP_ENCAP_CHDLC_WITH_PHDR;
837 *err = WTAP_ERR_UNSUPPORTED;
838 *err_info = g_strdup_printf("netxray: WAN capture subtype 0x%02x unknown or unsupported",
840 return WTAP_OPEN_ERROR;
843 file_encap = WTAP_ENCAP_ETHERNET;
845 file_encap = netxray_encap[network_type];
847 /* This is a netxray file */
848 wth->file_type_subtype = file_type;
849 netxray = (netxray_t *)g_malloc(sizeof(netxray_t));
850 wth->priv = (void *)netxray;
851 wth->subtype_read = netxray_read;
852 wth->subtype_seek_read = netxray_seek_read;
853 wth->file_encap = file_encap;
854 wth->snapshot_length = 0; /* not available in header */
855 netxray->start_time = pletoh32(&hdr.start_time);
856 netxray->ticks_per_sec = ticks_per_sec;
857 netxray->start_timestamp = start_timestamp;
858 netxray->version_major = version_major;
861 * If frames have an extra 4 bytes of stuff at the end, is
862 * it an FCS, or just junk?
864 netxray->fcs_valid = FALSE;
865 switch (file_encap) {
867 case WTAP_ENCAP_ETHERNET:
868 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
869 case WTAP_ENCAP_ISDN:
870 case WTAP_ENCAP_LAPB:
872 * It appears that, in at least some version 2 Ethernet
873 * captures, for frames that have 0xff in hdr_2_x.xxx[2]
874 * and hdr_2_x.xxx[3] in the per-packet header:
876 * if, in the file header, hdr.realtick[1] is 0x34
877 * and hdr.realtick[2] is 0x12, the frames have an
880 * otherwise, they have 4 bytes of junk at the end.
882 * Yes, it's strange that you have to check the *middle*
883 * of the time stamp field; you can't check for any
884 * particular value of the time stamp field.
886 * For now, we assume that to be true for 802.11 captures
887 * as well; it appears to be the case for at least one
888 * such capture - the file doesn't have 0x34 and 0x12,
889 * and the 4 bytes at the end of the frames with 0xff
890 * are junk, not an FCS.
892 * For ISDN captures, it appears, at least in some
893 * captures, to be similar, although I haven't yet
894 * checked whether it's a valid FCS.
896 * XXX - should we do this for all encapsulation types?
898 * XXX - is there some other field that *really* indicates
899 * whether we have an FCS or not? The check of the time
900 * stamp is bizarre, as we're checking the middle.
901 * Perhaps hdr.realtick[0] is 0x00, in which case time
902 * stamp units in the range 1192960 through 1193215
903 * correspond to captures with an FCS, but that's still
906 * Note that there are captures with a network type of 0
907 * (Ethernet) and capture type of 0 (NDIS) that do, and
908 * that don't, have 0x34 0x12 in them, and at least one
909 * of the NDIS captures with 0x34 0x12 in it has FCSes,
910 * so it's not as if no NDIS captures have an FCS.
912 * There are also captures with a network type of 4 (WAN),
913 * capture type of 6 (HDLC), and subtype of 2 (T1 PRI) that
914 * do, and that don't, have 0x34 0x12, so there are at least
915 * some captures taken with a WAN pod that might lack an FCS.
916 * (We haven't yet tried dissecting the 4 bytes at the
917 * end of packets with hdr_2_x.xxx[2] and hdr_2_x.xxx[3]
918 * equal to 0xff as an FCS.)
920 * All captures I've seen that have 0x34 and 0x12 *and*
921 * have at least one frame with an FCS have a value of
922 * 0x01 in xxx_x40[4]. No captures I've seen with a network
923 * type of 0 (Ethernet) missing 0x34 0x12 have 0x01 there,
924 * however. However, there's at least one capture
925 * without 0x34 and 0x12, with a network type of 0,
926 * and with 0x01 in xxx_x40[4], *without* FCSes in the
927 * frames - the 4 bytes at the end are all zero - so it's
928 * not as simple as "xxx_x40[4] = 0x01 means the 4 bytes at
929 * the end are FCSes". Also, there's also at least one
930 * 802.11 capture with an xxx_x40[4] value of 0x01 with junk
931 * rather than an FCS at the end of the frame, so xxx_x40[4]
932 * isn't an obvious flag to determine whether the
935 * There don't seem to be any other values in any of the
936 * xxx_x5..., xxx_x6...., xxx_x7.... fields
937 * that obviously correspond to frames having an FCS.
939 * 05/29/07: Examination of numerous sniffer captures suggests
940 * that the apparent correlation of certain realtick
941 * bytes to 'FCS presence' may actually be
942 * a 'false positive'.
943 * ToDo: Review analysis and update code.
944 * It might be that the ticks-per-second value
945 * is hardware-dependent, and that hardware with
946 * a particular realtick value puts an FCS there
947 * and other hardware doesn't.
949 if (version_major == 2) {
950 if (hdr.realtick[1] == 0x34 && hdr.realtick[2] == 0x12)
951 netxray->fcs_valid = TRUE;
957 * Remember the ISDN type, as we need it to interpret the
958 * channel number in ISDN captures.
960 netxray->isdn_type = isdn_type;
962 /* Remember the offset after the last packet in the capture (which
963 * isn't necessarily the last packet in the file), as it appears
964 * there's sometimes crud after it.
965 * XXX: Remember 'start_offset' to help testing for 'short file' at EOF
967 netxray->wrapped = FALSE;
968 netxray->nframes = pletoh32(&hdr.nframes);
969 netxray->start_offset = pletoh32(&hdr.start_offset);
970 netxray->end_offset = pletoh32(&hdr.end_offset);
972 /* Seek to the beginning of the data records. */
973 if (file_seek(wth->fh, netxray->start_offset, SEEK_SET, err) == -1) {
974 return WTAP_OPEN_ERROR;
977 return WTAP_OPEN_MINE;
980 /* Read the next packet */
982 netxray_read(wtap *wth, int *err, gchar **err_info,
985 netxray_t *netxray = (netxray_t *)wth->priv;
990 * Return the offset of the record header, so we can reread it
991 * if we go back to this frame.
993 *data_offset = file_tell(wth->fh);
995 /* Have we reached the end of the packet data? */
996 if (*data_offset == netxray->end_offset) {
998 *err = 0; /* it's just an EOF, not an error */
1002 /* Read and process record header. */
1003 padding = netxray_process_rec_header(wth, wth->fh, &wth->phdr, err,
1011 * Error of some sort; give up.
1016 /* We're at EOF. Wrap?
1017 * XXX: Need to handle 'short file' cases
1018 * (Distributed Sniffer seems to have a
1019 * certain small propensity to generate 'short' files
1020 * i.e. [many] bytes are missing from the end of the file)
1021 * case 1: start_offset < end_offset
1022 * wrap will read already read packets again;
1023 * so: error with "short file"
1024 * case 2: start_offset > end_offset ("circular" file)
1025 * wrap will mean there's a gap (missing packets).
1026 * However, I don't see a good way to identify this
1027 * case so we'll just have to allow the wrap.
1028 * (Maybe there can be an error message after all
1029 * packets are read since there'll be less packets than
1030 * specified in the file header).
1031 * Note that these cases occur *only* if a 'short' eof occurs exactly
1032 * at the expected beginning of a frame header record; If there is a
1033 * partial frame header (or partial frame data) record, then the
1034 * netxray_read... functions will detect the short record.
1036 if (netxray->start_offset < netxray->end_offset) {
1037 *err = WTAP_ERR_SHORT_READ;
1041 if (!netxray->wrapped) {
1042 /* Yes. Remember that we did. */
1043 netxray->wrapped = TRUE;
1044 if (file_seek(wth->fh, CAPTUREFILE_HEADER_SIZE,
1045 SEEK_SET, err) == -1)
1050 /* We've already wrapped - don't wrap again. */
1055 * Read the packet data.
1057 if (!wtap_read_packet_bytes(wth->fh, wth->frame_buffer,
1058 wth->phdr.caplen, err, err_info))
1062 * If there's extra stuff at the end of the record, skip it.
1064 if (file_seek(wth->fh, padding, SEEK_CUR, err) == -1)
1068 * If it's an ATM packet, and we don't have enough information
1069 * from the packet header to determine its type or subtype,
1070 * attempt to guess them from the packet data.
1072 netxray_guess_atm_type(wth, &wth->phdr, wth->frame_buffer);
1077 netxray_seek_read(wtap *wth, gint64 seek_off,
1078 struct wtap_pkthdr *phdr, Buffer *buf,
1079 int *err, gchar **err_info)
1081 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
1084 if (netxray_process_rec_header(wth, wth->random_fh, phdr, err,
1088 * EOF - we report that as a short read, as
1089 * we've read this once and know that it
1092 *err = WTAP_ERR_SHORT_READ;
1098 * Read the packet data.
1100 if (!wtap_read_packet_bytes(wth->random_fh, buf, phdr->caplen, err,
1105 * If it's an ATM packet, and we don't have enough information
1106 * from the packet header to determine its type or subtype,
1107 * attempt to guess them from the packet data.
1109 netxray_guess_atm_type(wth, phdr, buf);
1114 netxray_process_rec_header(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr,
1115 int *err, gchar **err_info)
1117 netxray_t *netxray = (netxray_t *)wth->priv;
1118 union netxrayrec_hdr hdr;
1124 /* Read record header. */
1125 switch (netxray->version_major) {
1128 hdr_size = sizeof (struct old_netxrayrec_hdr);
1132 hdr_size = sizeof (struct netxrayrec_1_x_hdr);
1136 hdr_size = sizeof (struct netxrayrec_2_x_hdr);
1139 if (!wtap_read_bytes_or_eof(fh, (void *)&hdr, hdr_size, err, err_info)) {
1141 * If *err is 0, we're at EOF. *err being 0 and a return
1142 * value of -1 tells our caller we're at EOF.
1144 * Otherwise, we got an error, and *err *not* being 0
1145 * and a return value tells our caller we have an error.
1151 * If this is Ethernet, 802.11, ISDN, X.25, or ATM, set the
1154 switch (netxray->version_major) {
1157 switch (wth->file_encap) {
1159 case WTAP_ENCAP_ETHERNET:
1161 * XXX - if hdr_1_x.xxx[15] is 1
1162 * the frame appears not to have any extra
1163 * stuff at the end, but if it's 0,
1164 * there appears to be 4 bytes of stuff
1165 * at the end, but it's not an FCS.
1167 * Or is that just the low-order bit?
1169 * For now, we just say "no FCS".
1171 phdr->pseudo_header.eth.fcs_len = 0;
1177 switch (wth->file_encap) {
1179 case WTAP_ENCAP_ETHERNET:
1181 * It appears, at least with version 2 captures,
1182 * that we have 4 bytes of stuff (which might be
1183 * a valid FCS or might be junk) at the end of
1184 * the packet if hdr_2_x.xxx[2] and
1185 * hdr_2_x.xxx[3] are 0xff, and we don't if
1188 * It also appears that if the low-order bit of
1189 * hdr_2_x.xxx[8] is set, the packet has a
1192 if (hdr.hdr_2_x.xxx[2] == 0xff &&
1193 hdr.hdr_2_x.xxx[3] == 0xff) {
1195 * We have 4 bytes of stuff at the
1196 * end of the frame - FCS, or junk?
1198 if (netxray->fcs_valid) {
1202 phdr->pseudo_header.eth.fcs_len = 4;
1210 phdr->pseudo_header.eth.fcs_len = 0;
1213 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
1215 * It appears, in one 802.11 capture, that
1216 * we have 4 bytes of junk at the ends of
1217 * frames in which hdr_2_x.xxx[2] and
1218 * hdr_2_x.xxx[3] are 0xff; I haven't
1219 * seen any frames where it's an FCS, but,
1220 * for now, we still check the fcs_valid
1221 * flag - I also haven't seen any capture
1222 * where we'd set it based on the realtick
1225 * It also appears that if the low-order bit of
1226 * hdr_2_x.xxx[8] is set, the packet has a
1227 * bad FCS. According to Ken Mann, the 0x4 bit
1228 * is sometimes also set for errors.
1230 * Ken also says that xxx[11] is 0x5 when the
1231 * packet is WEP-encrypted.
1233 memset(&phdr->pseudo_header.ieee_802_11, 0, sizeof(phdr->pseudo_header.ieee_802_11));
1234 if (hdr.hdr_2_x.xxx[2] == 0xff &&
1235 hdr.hdr_2_x.xxx[3] == 0xff) {
1237 * We have 4 bytes of stuff at the
1238 * end of the frame - FCS, or junk?
1240 if (netxray->fcs_valid) {
1244 phdr->pseudo_header.ieee_802_11.fcs_len = 4;
1252 phdr->pseudo_header.ieee_802_11.fcs_len = 0;
1254 phdr->pseudo_header.ieee_802_11.decrypted = FALSE;
1255 phdr->pseudo_header.ieee_802_11.datapad = FALSE;
1256 phdr->pseudo_header.ieee_802_11.phy = PHDR_802_11_PHY_UNKNOWN;
1259 * XXX - any other information, such as PHY
1260 * type, frequency, 11n/11ac information,
1263 phdr->pseudo_header.ieee_802_11.has_channel = TRUE;
1264 phdr->pseudo_header.ieee_802_11.channel =
1265 hdr.hdr_2_x.xxx[12];
1267 phdr->pseudo_header.ieee_802_11.has_data_rate = TRUE;
1268 phdr->pseudo_header.ieee_802_11.data_rate =
1269 hdr.hdr_2_x.xxx[13];
1271 phdr->pseudo_header.ieee_802_11.has_signal_percent = TRUE;
1272 phdr->pseudo_header.ieee_802_11.signal_percent =
1273 hdr.hdr_2_x.xxx[14];
1276 * According to Ken Mann, at least in the captures
1277 * he's seen, xxx[15] is the noise level, which
1278 * is either 0xFF meaning "none reported" or a value
1279 * from 0x00 to 0x7F for 0 to 100%.
1281 if (hdr.hdr_2_x.xxx[15] != 0xFF) {
1282 phdr->pseudo_header.ieee_802_11.has_noise_percent = TRUE;
1283 phdr->pseudo_header.ieee_802_11.noise_percent =
1284 hdr.hdr_2_x.xxx[15]*100/127;
1288 case WTAP_ENCAP_ISDN:
1292 * The bottommost bit of byte 12 of hdr_2_x.xxx
1293 * is the direction flag.
1295 * The bottom 5 bits of byte 13 of hdr_2_x.xxx
1296 * are the channel number, but some mapping is
1297 * required for PRI. (Is it really just the time
1300 phdr->pseudo_header.isdn.uton =
1301 (hdr.hdr_2_x.xxx[12] & 0x01);
1302 phdr->pseudo_header.isdn.channel =
1303 hdr.hdr_2_x.xxx[13] & 0x1F;
1304 switch (netxray->isdn_type) {
1308 * E1 PRI. Channel numbers 0 and 16
1309 * are the D channel; channel numbers 1
1310 * through 15 are B1 through B15; channel
1311 * numbers 17 through 31 are B16 through
1314 if (phdr->pseudo_header.isdn.channel == 16)
1315 phdr->pseudo_header.isdn.channel = 0;
1316 else if (phdr->pseudo_header.isdn.channel > 16)
1317 phdr->pseudo_header.isdn.channel -= 1;
1322 * T1 PRI. Channel numbers 0 and 24
1323 * are the D channel; channel numbers 1
1324 * through 23 are B1 through B23.
1326 if (phdr->pseudo_header.isdn.channel == 24)
1327 phdr->pseudo_header.isdn.channel = 0;
1328 else if (phdr->pseudo_header.isdn.channel > 24)
1329 phdr->pseudo_header.isdn.channel -= 1;
1334 * It appears, at least with version 2 captures,
1335 * that we have 4 bytes of stuff (which might be
1336 * a valid FCS or might be junk) at the end of
1337 * the packet if hdr_2_x.xxx[2] and
1338 * hdr_2_x.xxx[3] are 0xff, and we don't if
1341 * XXX - does the low-order bit of hdr_2_x.xxx[8]
1342 * indicate a bad FCS, as is the case with
1345 if (hdr.hdr_2_x.xxx[2] == 0xff &&
1346 hdr.hdr_2_x.xxx[3] == 0xff) {
1348 * FCS, or junk, at the end.
1349 * XXX - is it an FCS if "fcs_valid" is
1356 case WTAP_ENCAP_LAPB:
1357 case WTAP_ENCAP_FRELAY_WITH_PHDR:
1359 * LAPB/X.25 and Frame Relay.
1361 * The bottommost bit of byte 12 of hdr_2_x.xxx
1362 * is the direction flag. (Probably true for other
1363 * HDLC encapsulations as well.)
1365 phdr->pseudo_header.x25.flags =
1366 (hdr.hdr_2_x.xxx[12] & 0x01) ? 0x00 : FROM_DCE;
1369 * It appears, at least with version 2 captures,
1370 * that we have 4 bytes of stuff (which might be
1371 * a valid FCS or might be junk) at the end of
1372 * the packet if hdr_2_x.xxx[2] and
1373 * hdr_2_x.xxx[3] are 0xff, and we don't if
1376 * XXX - does the low-order bit of hdr_2_x.xxx[8]
1377 * indicate a bad FCS, as is the case with
1380 if (hdr.hdr_2_x.xxx[2] == 0xff &&
1381 hdr.hdr_2_x.xxx[3] == 0xff) {
1383 * FCS, or junk, at the end.
1384 * XXX - is it an FCS if "fcs_valid" is
1391 case WTAP_ENCAP_PPP_WITH_PHDR:
1392 case WTAP_ENCAP_SDLC:
1393 case WTAP_ENCAP_CHDLC_WITH_PHDR:
1394 phdr->pseudo_header.p2p.sent =
1395 (hdr.hdr_2_x.xxx[12] & 0x01) ? TRUE : FALSE;
1398 case WTAP_ENCAP_ATM_PDUS_UNTRUNCATED:
1400 * XXX - the low-order bit of hdr_2_x.xxx[8]
1401 * seems to indicate some sort of error. In
1402 * at least one capture, a number of packets
1403 * have that flag set, and they appear either
1404 * to be the beginning part of an incompletely
1405 * reassembled AAL5 PDU, with either checksum
1406 * errors at higher levels (possibly due to
1407 * the packet being reported as shorter than
1408 * it actually is, and checksumming failing
1409 * because it doesn't include all the data)
1410 * or "Malformed frame" errors from being
1411 * too short, or appear to be later parts
1412 * of an incompletely reassembled AAL5 PDU
1413 * with the last one in a sequence of errors
1414 * having what looks like an AAL5 trailer,
1415 * with a length and checksum.
1417 * Does it just mean "reassembly failed",
1418 * as appears to be the case in those
1419 * packets, or does it mean "CRC error"
1420 * at the AAL5 layer (which would be the
1421 * case if you were treating an incompletely
1422 * reassembled PDU as a completely reassembled
1423 * PDU, although you'd also expect a length
1424 * error in that case), or does it mean
1425 * "generic error", with some other flag
1426 * or flags indicating what particular
1427 * error occurred? The documentation
1428 * for Sniffer Pro 4.7 indicates a bunch
1429 * of different error types, both in general
1430 * and for ATM in particular.
1432 * No obvious bits in hdr_2_x.xxx appear
1433 * to be additional flags of that sort.
1435 * XXX - in that capture, I see several
1436 * reassembly errors in a row; should those
1437 * packets be reassembled in the ATM dissector?
1438 * What happens if a reassembly fails because
1441 phdr->pseudo_header.atm.flags = 0;
1442 if (hdr.hdr_2_x.xxx[8] & 0x01)
1443 phdr->pseudo_header.atm.flags |= ATM_REASSEMBLY_ERROR;
1445 * XXX - is 0x08 an "OAM cell" flag?
1446 * Are the 0x01 and 0x02 bits error indications?
1447 * Some packets in one capture that have the
1448 * 0x01 bit set in hdr_2_x.xxx[8] and that
1449 * appear to have been reassembled completely
1450 * but have a bad CRC have 0x03 in hdr_2_x.xxx[9]
1451 * (and don't have the 0x20 bit set).
1453 * In the capture with incomplete reassemblies,
1454 * all packets have the 0x20 bit set. In at
1455 * least some of the captures with complete
1456 * reassemblies with CRC errors, no packets
1457 * have the 0x20 bit set.
1459 * Are hdr_2_x.xxx[8] and hdr_2_x.xxx[9] a 16-bit
1462 if (hdr.hdr_2_x.xxx[9] & 0x04)
1463 phdr->pseudo_header.atm.flags |= ATM_RAW_CELL;
1464 phdr->pseudo_header.atm.vpi = hdr.hdr_2_x.xxx[11];
1465 phdr->pseudo_header.atm.vci = pletoh16(&hdr.hdr_2_x.xxx[12]);
1466 phdr->pseudo_header.atm.channel =
1467 (hdr.hdr_2_x.xxx[15] & 0x10)? 1 : 0;
1468 phdr->pseudo_header.atm.cells = 0;
1471 * XXX - the uppermost bit of hdr_2_xxx[0]
1472 * looks as if it might be a flag of some sort.
1473 * The remaining 3 bits appear to be an AAL
1474 * type - 5 is, surprise surprise, AAL5.
1476 switch (hdr.hdr_2_x.xxx[0] & 0x70) {
1478 case 0x00: /* Unknown */
1479 phdr->pseudo_header.atm.aal = AAL_UNKNOWN;
1480 phdr->pseudo_header.atm.type = TRAF_UNKNOWN;
1481 phdr->pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1484 case 0x10: /* XXX - AAL1? */
1485 phdr->pseudo_header.atm.aal = AAL_UNKNOWN;
1486 phdr->pseudo_header.atm.type = TRAF_UNKNOWN;
1487 phdr->pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1490 case 0x20: /* XXX - AAL2? */
1491 phdr->pseudo_header.atm.aal = AAL_UNKNOWN;
1492 phdr->pseudo_header.atm.type = TRAF_UNKNOWN;
1493 phdr->pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1496 case 0x40: /* XXX - AAL3/4? */
1497 phdr->pseudo_header.atm.aal = AAL_UNKNOWN;
1498 phdr->pseudo_header.atm.type = TRAF_UNKNOWN;
1499 phdr->pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1502 case 0x30: /* XXX - AAL5 cells seen with this */
1503 case 0x50: /* AAL5 (including signalling) */
1504 case 0x60: /* XXX - AAL5 cells seen with this */
1505 case 0x70: /* XXX - AAL5 cells seen with this */
1506 phdr->pseudo_header.atm.aal = AAL_5;
1508 * XXX - is the 0x08 bit of hdr_2_x.xxx[0]
1509 * a flag? I've not yet seen a case where
1512 switch (hdr.hdr_2_x.xxx[0] & 0x07) {
1515 case 0x02: /* Signalling traffic */
1516 phdr->pseudo_header.atm.aal = AAL_SIGNALLING;
1517 phdr->pseudo_header.atm.type = TRAF_UNKNOWN;
1518 phdr->pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1521 case 0x03: /* ILMI */
1522 phdr->pseudo_header.atm.type = TRAF_ILMI;
1523 phdr->pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1530 * I've seen a frame with type
1531 * 0x30 and subtype 0x08 that
1532 * was LANE 802.3, a frame
1533 * with type 0x30 and subtype
1534 * 0x04 that was LANE 802.3,
1535 * and another frame with type
1536 * 0x30 and subtype 0x08 that
1537 * was junk with a string in
1538 * it that had also appeared
1539 * in some CDP and LE Control
1540 * frames, and that was preceded
1541 * by a malformed LE Control
1542 * frame - was that a reassembly
1545 * I've seen frames with type
1546 * 0x50 and subtype 0x0c, some
1547 * of which were LE Control
1548 * frames, and at least one
1549 * of which was neither an LE
1550 * Control frame nor a LANE
1551 * 802.3 frame, and contained
1552 * the string "ForeThought_6.2.1
1553 * Alpha" - does that imply
1554 * FORE's own encapsulation,
1555 * or was this a reassembly failure?
1556 * The latter frame was preceded
1557 * by a malformed LE Control
1560 * I've seen a couple of frames
1561 * with type 0x60 and subtype 0x00,
1562 * one of which was LANE 802.3 and
1563 * one of which was LE Control.
1564 * I've seen one frame with type
1565 * 0x60 and subtype 0x0c, which
1568 * I've seen a couple of frames
1569 * with type 0x70 and subtype 0x00,
1570 * both of which were LANE 802.3.
1572 phdr->pseudo_header.atm.type = TRAF_LANE;
1573 phdr->pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1576 case 0x06: /* XXX - not seen yet */
1577 phdr->pseudo_header.atm.type = TRAF_UNKNOWN;
1578 phdr->pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1581 case 0x07: /* LLC multiplexed */
1582 phdr->pseudo_header.atm.type = TRAF_LLCMX; /* XXX */
1583 phdr->pseudo_header.atm.subtype = TRAF_ST_UNKNOWN; /* XXX */
1593 phdr->rec_type = REC_TYPE_PACKET;
1594 if (netxray->version_major == 0) {
1595 phdr->presence_flags = WTAP_HAS_TS;
1596 t = (double)pletoh32(&hdr.old_hdr.timelo)
1597 + (double)pletoh32(&hdr.old_hdr.timehi)*4294967296.0;
1598 t /= netxray->ticks_per_sec;
1599 t -= netxray->start_timestamp;
1600 phdr->ts.secs = netxray->start_time + (long)t;
1601 phdr->ts.nsecs = (int)((t-(double)(unsigned long)(t))
1604 * We subtract the padding from the packet size, so our caller
1607 packet_size = pletoh16(&hdr.old_hdr.len);
1608 phdr->caplen = packet_size - padding;
1609 phdr->len = phdr->caplen;
1611 phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
1612 t = (double)pletoh32(&hdr.hdr_1_x.timelo)
1613 + (double)pletoh32(&hdr.hdr_1_x.timehi)*4294967296.0;
1614 t /= netxray->ticks_per_sec;
1615 t -= netxray->start_timestamp;
1616 phdr->ts.secs = netxray->start_time + (time_t)t;
1617 phdr->ts.nsecs = (int)((t-(double)(unsigned long)(t))
1620 * We subtract the padding from the packet size, so our caller
1623 packet_size = pletoh16(&hdr.hdr_1_x.incl_len);
1624 phdr->caplen = packet_size - padding;
1625 phdr->len = pletoh16(&hdr.hdr_1_x.orig_len) - padding;
1632 netxray_guess_atm_type(wtap *wth, struct wtap_pkthdr *phdr, Buffer *buf)
1636 if (wth->file_encap == WTAP_ENCAP_ATM_PDUS_UNTRUNCATED &&
1637 !(phdr->pseudo_header.atm.flags & ATM_REASSEMBLY_ERROR)) {
1638 if (phdr->pseudo_header.atm.aal == AAL_UNKNOWN) {
1640 * Try to guess the type and subtype based
1641 * on the VPI/VCI and packet contents.
1643 pd = ws_buffer_start_ptr(buf);
1644 atm_guess_traffic_type(phdr, pd);
1645 } else if (phdr->pseudo_header.atm.aal == AAL_5 &&
1646 phdr->pseudo_header.atm.type == TRAF_LANE) {
1648 * Try to guess the subtype based on the
1651 pd = ws_buffer_start_ptr(buf);
1652 atm_guess_lane_type(phdr, pd);
1658 gboolean first_frame;
1663 static const struct {
1664 int wtap_encap_value;
1666 } wtap_encap_1_1[] = {
1667 { WTAP_ENCAP_ETHERNET, 0 }, /* -> NDIS Ethernet */
1668 { WTAP_ENCAP_TOKEN_RING, 1 }, /* -> NDIS Token Ring */
1669 { WTAP_ENCAP_FDDI, 2 }, /* -> NDIS FDDI */
1670 { WTAP_ENCAP_FDDI_BITSWAPPED, 2 }, /* -> NDIS FDDI */
1672 #define NUM_WTAP_ENCAPS_1_1 (sizeof wtap_encap_1_1 / sizeof wtap_encap_1_1[0])
1675 wtap_encap_to_netxray_1_1_encap(int encap)
1679 for (i = 0; i < NUM_WTAP_ENCAPS_1_1; i++) {
1680 if (encap == wtap_encap_1_1[i].wtap_encap_value)
1681 return wtap_encap_1_1[i].ndis_value;
1687 /* Returns 0 if we could write the specified encapsulation type,
1688 an error indication otherwise. */
1690 netxray_dump_can_write_encap_1_1(int encap)
1692 /* Per-packet encapsulations aren't supported. */
1693 if (encap == WTAP_ENCAP_PER_PACKET)
1694 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
1696 if (wtap_encap_to_netxray_1_1_encap(encap) == -1)
1697 return WTAP_ERR_UNWRITABLE_ENCAP;
1702 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
1705 netxray_dump_open_1_1(wtap_dumper *wdh, int *err)
1707 netxray_dump_t *netxray;
1709 wdh->subtype_write = netxray_dump_1_1;
1710 wdh->subtype_finish = netxray_dump_finish_1_1;
1712 /* We can't fill in all the fields in the file header, as we
1713 haven't yet written any packets. As we'll have to rewrite
1714 the header when we've written out all the packets, we just
1715 skip over the header for now. */
1716 if (wtap_dump_file_seek(wdh, CAPTUREFILE_HEADER_SIZE, SEEK_SET, err) == -1)
1718 wdh->bytes_dumped += CAPTUREFILE_HEADER_SIZE;
1720 netxray = (netxray_dump_t *)g_malloc(sizeof(netxray_dump_t));
1721 wdh->priv = (void *)netxray;
1722 netxray->first_frame = TRUE;
1723 netxray->start.secs = 0;
1724 netxray->start.nsecs = 0;
1725 netxray->nframes = 0;
1730 /* Write a record for a packet to a dump file.
1731 Returns TRUE on success, FALSE on failure. */
1733 netxray_dump_1_1(wtap_dumper *wdh,
1734 const struct wtap_pkthdr *phdr,
1735 const guint8 *pd, int *err, gchar **err_info _U_)
1737 netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv;
1740 struct netxrayrec_1_x_hdr rec_hdr;
1742 /* We can only write packet records. */
1743 if (phdr->rec_type != REC_TYPE_PACKET) {
1744 *err = WTAP_ERR_UNWRITABLE_REC_TYPE;
1748 /* The captured length field is 16 bits, so there's a hard
1750 if (phdr->caplen > 65535) {
1751 *err = WTAP_ERR_PACKET_TOO_LARGE;
1755 /* NetXRay/Windows Sniffer files have a capture start date/time
1756 in the header, in a UNIX-style format, with one-second resolution,
1757 and a start time stamp with microsecond resolution that's just
1758 an arbitrary time stamp relative to some unknown time (boot
1759 time?), and have times relative to the start time stamp in
1760 the packet headers; pick the seconds value of the time stamp
1761 of the first packet as the UNIX-style start date/time, and make
1762 the high-resolution start time stamp 0, with the time stamp of
1763 packets being the delta between the stamp of the packet and
1764 the stamp of the first packet with the microseconds part 0. */
1765 if (netxray->first_frame) {
1766 netxray->first_frame = FALSE;
1767 netxray->start = phdr->ts;
1770 /* build the header for each packet */
1771 memset(&rec_hdr, '\0', sizeof(rec_hdr));
1772 timestamp = ((guint64)phdr->ts.secs - (guint64)netxray->start.secs)*1000000
1773 + ((guint64)phdr->ts.nsecs)/1000;
1774 t32 = (guint32)(timestamp%G_GINT64_CONSTANT(4294967296));
1775 rec_hdr.timelo = GUINT32_TO_LE(t32);
1776 t32 = (guint32)(timestamp/G_GINT64_CONSTANT(4294967296));
1777 rec_hdr.timehi = GUINT32_TO_LE(t32);
1778 rec_hdr.orig_len = GUINT16_TO_LE(phdr->len);
1779 rec_hdr.incl_len = GUINT16_TO_LE(phdr->caplen);
1781 if (!wtap_dump_file_write(wdh, &rec_hdr, sizeof(rec_hdr), err))
1783 wdh->bytes_dumped += sizeof(rec_hdr);
1785 /* write the packet data */
1786 if (!wtap_dump_file_write(wdh, pd, phdr->caplen, err))
1788 wdh->bytes_dumped += phdr->caplen;
1795 /* Finish writing to a dump file.
1796 Returns TRUE on success, FALSE on failure. */
1798 netxray_dump_finish_1_1(wtap_dumper *wdh, int *err)
1800 char hdr_buf[CAPTUREFILE_HEADER_SIZE - sizeof(netxray_magic)];
1801 netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv;
1803 struct netxray_hdr file_hdr;
1805 if (-1 == (filelen = wtap_dump_file_tell(wdh, err)))
1808 /* Go back to beginning */
1809 if (wtap_dump_file_seek(wdh, 0, SEEK_SET, err) == -1)
1812 /* Rewrite the file header. */
1813 if (!wtap_dump_file_write(wdh, netxray_magic, sizeof netxray_magic, err))
1816 /* "sniffer" version ? */
1817 memset(&file_hdr, '\0', sizeof file_hdr);
1818 memcpy(file_hdr.version, vers_1_1, sizeof vers_1_1);
1819 file_hdr.start_time = GUINT32_TO_LE(netxray->start.secs);
1820 file_hdr.nframes = GUINT32_TO_LE(netxray->nframes);
1821 file_hdr.start_offset = GUINT32_TO_LE(CAPTUREFILE_HEADER_SIZE);
1822 /* XXX - large files? */
1823 file_hdr.end_offset = GUINT32_TO_LE((guint32)filelen);
1824 file_hdr.network = wtap_encap_to_netxray_1_1_encap(wdh->encap);
1825 file_hdr.timelo = GUINT32_TO_LE(0);
1826 file_hdr.timehi = GUINT32_TO_LE(0);
1828 memset(hdr_buf, '\0', sizeof hdr_buf);
1829 memcpy(hdr_buf, &file_hdr, sizeof(file_hdr));
1830 if (!wtap_dump_file_write(wdh, hdr_buf, sizeof hdr_buf, err))
1836 static const struct {
1837 int wtap_encap_value;
1839 } wtap_encap_2_0[] = {
1840 { WTAP_ENCAP_ETHERNET, 0 }, /* -> NDIS Ethernet */
1841 { WTAP_ENCAP_TOKEN_RING, 1 }, /* -> NDIS Token Ring */
1842 { WTAP_ENCAP_FDDI, 2 }, /* -> NDIS FDDI */
1843 { WTAP_ENCAP_FDDI_BITSWAPPED, 2 }, /* -> NDIS FDDI */
1844 { WTAP_ENCAP_PPP_WITH_PHDR, 3 }, /* -> NDIS WAN */
1845 { WTAP_ENCAP_FRELAY_WITH_PHDR, 3 }, /* -> NDIS WAN */
1846 { WTAP_ENCAP_LAPB, 3 }, /* -> NDIS WAN */
1847 { WTAP_ENCAP_SDLC, 3 }, /* -> NDIS WAN */
1849 #define NUM_WTAP_ENCAPS_2_0 (sizeof wtap_encap_2_0 / sizeof wtap_encap_2_0[0])
1852 wtap_encap_to_netxray_2_0_encap(int encap)
1856 for (i = 0; i < NUM_WTAP_ENCAPS_2_0; i++) {
1857 if (encap == wtap_encap_2_0[i].wtap_encap_value)
1858 return wtap_encap_2_0[i].ndis_value;
1864 /* Returns 0 if we could write the specified encapsulation type,
1865 an error indication otherwise. */
1867 netxray_dump_can_write_encap_2_0(int encap)
1869 /* Per-packet encapsulations aren't supported. */
1870 if (encap == WTAP_ENCAP_PER_PACKET)
1871 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
1873 if (wtap_encap_to_netxray_2_0_encap(encap) == -1)
1874 return WTAP_ERR_UNWRITABLE_ENCAP;
1879 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
1882 netxray_dump_open_2_0(wtap_dumper *wdh, int *err)
1884 netxray_dump_t *netxray;
1886 wdh->subtype_write = netxray_dump_2_0;
1887 wdh->subtype_finish = netxray_dump_finish_2_0;
1889 /* We can't fill in all the fields in the file header, as we
1890 haven't yet written any packets. As we'll have to rewrite
1891 the header when we've written out all the packets, we just
1892 skip over the header for now. */
1893 if (wtap_dump_file_seek(wdh, CAPTUREFILE_HEADER_SIZE, SEEK_SET, err) == -1)
1896 wdh->bytes_dumped += CAPTUREFILE_HEADER_SIZE;
1898 netxray = (netxray_dump_t *)g_malloc(sizeof(netxray_dump_t));
1899 wdh->priv = (void *)netxray;
1900 netxray->first_frame = TRUE;
1901 netxray->start.secs = 0;
1902 netxray->start.nsecs = 0;
1903 netxray->nframes = 0;
1908 /* Write a record for a packet to a dump file.
1909 Returns TRUE on success, FALSE on failure. */
1911 netxray_dump_2_0(wtap_dumper *wdh,
1912 const struct wtap_pkthdr *phdr,
1913 const guint8 *pd, int *err, gchar **err_info _U_)
1915 const union wtap_pseudo_header *pseudo_header = &phdr->pseudo_header;
1916 netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv;
1919 struct netxrayrec_2_x_hdr rec_hdr;
1921 /* We can only write packet records. */
1922 if (phdr->rec_type != REC_TYPE_PACKET) {
1923 *err = WTAP_ERR_UNWRITABLE_REC_TYPE;
1927 /* Don't write anything we're not willing to read. */
1928 if (phdr->caplen > WTAP_MAX_PACKET_SIZE) {
1929 *err = WTAP_ERR_PACKET_TOO_LARGE;
1933 /* NetXRay/Windows Sniffer files have a capture start date/time
1934 in the header, in a UNIX-style format, with one-second resolution,
1935 and a start time stamp with microsecond resolution that's just
1936 an arbitrary time stamp relative to some unknown time (boot
1937 time?), and have times relative to the start time stamp in
1938 the packet headers; pick the seconds value of the time stamp
1939 of the first packet as the UNIX-style start date/time, and make
1940 the high-resolution start time stamp 0, with the time stamp of
1941 packets being the delta between the stamp of the packet and
1942 the stamp of the first packet with the microseconds part 0. */
1943 if (netxray->first_frame) {
1944 netxray->first_frame = FALSE;
1945 netxray->start = phdr->ts;
1948 /* build the header for each packet */
1949 memset(&rec_hdr, '\0', sizeof(rec_hdr));
1950 timestamp = ((guint64)phdr->ts.secs - (guint64)netxray->start.secs)*1000000
1951 + ((guint64)phdr->ts.nsecs)/1000;
1952 t32 = (guint32)(timestamp%G_GINT64_CONSTANT(4294967296));
1953 rec_hdr.timelo = GUINT32_TO_LE(t32);
1954 t32 = (guint32)(timestamp/G_GINT64_CONSTANT(4294967296));
1955 rec_hdr.timehi = GUINT32_TO_LE(t32);
1956 rec_hdr.orig_len = GUINT16_TO_LE(phdr->len);
1957 rec_hdr.incl_len = GUINT16_TO_LE(phdr->caplen);
1959 switch (phdr->pkt_encap) {
1961 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
1963 pseudo_header->ieee_802_11.has_channel ?
1964 pseudo_header->ieee_802_11.channel :
1967 pseudo_header->ieee_802_11.has_data_rate ?
1968 (guint8)pseudo_header->ieee_802_11.data_rate :
1971 pseudo_header->ieee_802_11.has_signal_percent ?
1972 pseudo_header->ieee_802_11.signal_percent :
1975 pseudo_header->ieee_802_11.has_noise_percent ?
1976 pseudo_header->ieee_802_11.noise_percent*127/100 :
1980 case WTAP_ENCAP_PPP_WITH_PHDR:
1981 case WTAP_ENCAP_SDLC:
1982 rec_hdr.xxx[12] |= pseudo_header->p2p.sent ? 0x01 : 0x00;
1985 case WTAP_ENCAP_FRELAY_WITH_PHDR:
1986 rec_hdr.xxx[12] |= (pseudo_header->x25.flags & FROM_DCE) ? 0x00 : 0x01;
1990 if (!wtap_dump_file_write(wdh, &rec_hdr, sizeof(rec_hdr), err))
1992 wdh->bytes_dumped += sizeof(rec_hdr);
1994 /* write the packet data */
1995 if (!wtap_dump_file_write(wdh, pd, phdr->caplen, err))
1997 wdh->bytes_dumped += phdr->caplen;
2004 /* Finish writing to a dump file.
2005 Returns TRUE on success, FALSE on failure. */
2007 netxray_dump_finish_2_0(wtap_dumper *wdh, int *err)
2009 char hdr_buf[CAPTUREFILE_HEADER_SIZE - sizeof(netxray_magic)];
2010 netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv;
2012 struct netxray_hdr file_hdr;
2014 if (-1 == (filelen = wtap_dump_file_tell(wdh, err)))
2017 /* Go back to beginning */
2018 if (wtap_dump_file_seek(wdh, 0, SEEK_SET, err) == -1)
2021 /* Rewrite the file header. */
2022 if (!wtap_dump_file_write(wdh, netxray_magic, sizeof netxray_magic, err))
2025 /* "sniffer" version ? */
2026 memset(&file_hdr, '\0', sizeof file_hdr);
2027 memcpy(file_hdr.version, vers_2_001, sizeof vers_2_001);
2028 file_hdr.start_time = GUINT32_TO_LE(netxray->start.secs);
2029 file_hdr.nframes = GUINT32_TO_LE(netxray->nframes);
2030 file_hdr.start_offset = GUINT32_TO_LE(CAPTUREFILE_HEADER_SIZE);
2031 /* XXX - large files? */
2032 file_hdr.end_offset = GUINT32_TO_LE((guint32)filelen);
2033 file_hdr.network = wtap_encap_to_netxray_2_0_encap(wdh->encap);
2034 file_hdr.timelo = GUINT32_TO_LE(0);
2035 file_hdr.timehi = GUINT32_TO_LE(0);
2036 switch (wdh->encap) {
2038 case WTAP_ENCAP_PPP_WITH_PHDR:
2039 file_hdr.captype = WAN_CAPTYPE_PPP;
2042 case WTAP_ENCAP_FRELAY_WITH_PHDR:
2043 file_hdr.captype = WAN_CAPTYPE_FRELAY;
2046 case WTAP_ENCAP_LAPB:
2047 file_hdr.captype = WAN_CAPTYPE_HDLC;
2048 file_hdr.wan_hdlc_subsub_captype = 0;
2051 case WTAP_ENCAP_SDLC:
2052 file_hdr.captype = WAN_CAPTYPE_SDLC;
2056 file_hdr.captype = CAPTYPE_NDIS;
2060 memset(hdr_buf, '\0', sizeof hdr_buf);
2061 memcpy(hdr_buf, &file_hdr, sizeof(file_hdr));
2062 if (!wtap_dump_file_write(wdh, hdr_buf, sizeof hdr_buf, err))
2069 * Editor modelines - http://www.wireshark.org/tools/modelines.html
2074 * indent-tabs-mode: t
2077 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
2078 * :indentSize=8:tabSize=8:noTabs=false:
git.samba.org / metze / wireshark / wip.git / blob