6 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
23 /* The code in ngsniffer.c that decodes the time fields for each packet in the
24 * Sniffer trace originally came from code from TCPVIEW:
29 * Networks and Distributed Computing
30 * Computing & Communications
31 * University of Washington
32 * Administration Building, AG-44
34 * Internet: martinh@cac.washington.edu
37 * Copyright 1992 by the University of Washington
39 * Permission to use, copy, modify, and distribute this software and its
40 * documentation for any purpose and without fee is hereby granted, provided
41 * that the above copyright notice appears in all copies and that both the
42 * above copyright notice and this permission notice appear in supporting
43 * documentation, and that the name of the University of Washington not be
44 * used in advertising or publicity pertaining to distribution of the software
45 * without specific, written prior permission. This software is made
46 * available "as is", and
47 * THE UNIVERSITY OF WASHINGTON DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
48 * WITH REGARD TO THIS SOFTWARE, INCLUDING WITHOUT LIMITATION ALL IMPLIED
49 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND IN
50 * NO EVENT SHALL THE UNIVERSITY OF WASHINGTON BE LIABLE FOR ANY SPECIAL,
51 * INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
52 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, TORT
53 * (INCLUDING NEGLIGENCE) OR STRICT LIABILITY, ARISING OUT OF OR IN CONNECTION
54 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
64 #include "file_wrappers.h"
67 #include "ngsniffer.h"
69 /* Magic number in Sniffer files. */
70 static const char ngsniffer_magic[] = {
71 'T', 'R', 'S', 'N', 'I', 'F', 'F', ' ', 'd', 'a', 't', 'a',
72 ' ', ' ', ' ', ' ', 0x1a
76 * Sniffer record types.
78 #define REC_VERS 1 /* Version record (f_vers) */
79 #define REC_FRAME2 4 /* Frame data (f_frame2) */
80 #define REC_FRAME4 8 /* Frame data (f_frame4) */
81 #define REC_FRAME6 12 /* Frame data (f_frame6) (see below) */
82 #define REC_EOF 3 /* End-of-file record (no data follows) */
84 * and now for some unknown header types
86 #define REC_HEADER1 6 /* Header containing serial numbers? */
87 #define REC_HEADER2 7 /* Header containing ??? */
88 #define REC_V2DESC 8 /* In version 2 sniffer traces contains
89 * infos about this capturing session.
90 * Collides with REC_FRAME4 */
91 #define REC_HEADER3 13 /* Retransmission counts? */
92 #define REC_HEADER4 14 /* ? */
93 #define REC_HEADER5 15 /* ? */
94 #define REC_HEADER6 16 /* More broadcast/retransmission counts? */
95 #define REC_HEADER7 17 /* ? */
99 * Sniffer version record format.
102 gint16 maj_vers; /* major version number */
103 gint16 min_vers; /* minor version number */
104 gint16 time; /* DOS-format time */
105 gint16 date; /* DOS-format date */
106 gint8 type; /* what type of records follow */
107 guint8 network; /* network type */
108 gint8 format; /* format version */
109 guint8 timeunit; /* timestamp units */
110 gint8 cmprs_vers; /* compression version */
111 gint8 cmprs_level; /* compression level */
112 gint16 rsvd[2]; /* reserved */
118 #define NETWORK_TRING 0 /* Token ring */
119 #define NETWORK_ENET 1 /* Ethernet */
120 #define NETWORK_ARCNET 2 /* ARCNET */
121 #define NETWORK_STARLAN 3 /* StarLAN */
122 #define NETWORK_PCNW 4 /* PC Network broadband (Sytek?) */
123 #define NETWORK_LOCALTALK 5 /* LocalTalk */
124 #define NETWORK_SYNCHRO 7 /* Internetwork analyzer (synchronous) */
125 #define NETWORK_ASYNC 8 /* Internetwork analyzer (asynchronous) */
126 #define NETWORK_FDDI 9 /* FDDI */
127 #define NETWORK_ATM 10 /* ATM */
130 * Sniffer type 2 data record format - followed by frame data.
132 * The Expert Sniffer Network Analyzer Operations manual, Release 5.50,
133 * documents some of the values used in "fs" and "flags". "flags" don't
134 * look as if they'd be of much interest to us, as those are internal
135 * flags for state used by the Sniffer, but "fs" gives various status
136 * bits including error indications *and*:
138 * ISDN channel information for ISDN;
140 * PPP vs. SLIP information for Async.
142 * In that section it also refers to "FDDI analyzers using the NPI PCI
143 * FDDI adapter" and "FDDI analyzers using the NPI ISA FDDI adapter",
144 * referring to the first as "F1SNIFF" and the second as "FDSNIFF";
145 * those sound as if they *could* be replacements for "TRSNIFF" in
146 * the file header, but that manual says, earlier, that the header
147 * starts with "TRSNIFF data, no matter where the frames were
150 * It also says that a type 2 record has an 8-bit "time_high"
151 * and an 8-bit "time_day" field; the code here used to have a
152 * 16-bit "time_high" value, but that gave wrong time stamps on at
153 * least some captures. Did some older manual have it as a 16-bit
154 * "tstamp_high", so that perhaps it depends on the version number
155 * in the file, or is it "tstamp_high" plus "tstamp_day" in all
156 * versions? (I forget whether this came purely from tcpview, or if
157 * I saw any of it in an NAI document.)
159 * We interpret them as unsigned, as interpreting them as signed
160 * would appear to allow time stamps that precede the start of the
161 * capture. The description of the record format shows them as
162 * "char", but the section "How the Analyzer Stores Time" shows a
163 * time stamp structure with those fields being "unsigned char".
165 * In addition, the description of the record format has the comment
166 * for the "time_day" field saying it's the time in days since the
167 * start of the capture, but the "How the Analyzer Stores Time"
168 * section says it's increased by 1 if the capture continues past
169 * midnight - and also says that the time stamp structure has a time
170 * relative to midnight when the capture started, not since the
171 * actual capture start, so that might be a difference between
172 * the internal time stamp in the Sniffer software and the time
173 * stamp in capture files (i.e., the latter might be relative to
174 * the time when the capture starts).
177 guint16 time_low; /* low part of time stamp */
178 guint16 time_med; /* middle part of time stamp */
179 guint8 time_high; /* high part of the time stamp */
180 guint8 time_day; /* time in days since start of capture */
181 gint16 size; /* number of bytes of data */
182 guint8 fs; /* frame error status bits */
183 guint8 flags; /* buffer flags */
184 gint16 true_size; /* size of original frame, in bytes */
185 gint16 rsvd; /* reserved */
191 * The bits differ for different link-layer types.
197 #define FS_ETH_CRC 0x80 /* CRC error */
198 #define FS_ETH_ALIGN 0x40 /* bad alignment */
199 #define FS_ETH_RU 0x20 /* "RU out of resources" */
200 #define FS_ETH_OVERRUN 0x10 /* DMA overrun */
201 #define FS_ETH_RUNT 0x08 /* frame too small */
202 #define FS_ETH_COLLISION 0x02 /* collision fragment */
207 #define FS_FDDI_INVALID 0x10 /* frame indicators are invalid */
208 #define FS_FDDI_ERROR 0x20 /* "frame error bit 1" */
209 #define FS_FDDI_PCI_VDL 0x01 /* VDL error on frame on PCI adapter */
210 #define FS_FDDI_PCI_CRC 0x02 /* CRC error on frame on PCI adapter */
211 #define FS_FDDI_ISA_CRC 0x20 /* CRC error on frame on ISA adapter */
214 * Internetwork analyzer (synchronous and asynchronous).
216 #define FS_WAN_DTE 0x80 /* DTE->DCE frame */
219 * Internetwork analyzer (synchronous).
221 #define FS_SYNC_LOST 0x01 /* some frames were lost */
222 #define FS_SYNC_CRC 0x02 /* CRC error */
223 #define FS_SYNC_ABORT 0x04 /* aborted frame */
224 #define FS_ISDN_CHAN_MASK 0x18 /* ISDN channel */
225 #define FS_ISDN_CHAN_D 0x18 /* ISDN channel D */
226 #define FS_ISDN_CHAN_B1 0x08 /* ISDN channel B1 */
227 #define FS_ISDN_CHAN_B2 0x10 /* ISDN channel B2 */
230 * Internetwork analyzer (asynchronous).
231 * XXX - are some of these synchronous flags? They're listed with the
232 * asynchronous flags in the Sniffer 5.50 Network Analyzer Operations
233 * manual. Is one of the "overrun" errors a synchronous overrun error?
235 #define FS_ASYNC_LOST 0x01 /* some frames were lost */
236 #define FS_ASYNC_OVERRUN 0x02 /* UART overrun, lost bytes */
237 #define FS_ASYNC_FRAMING 0x04 /* bad character (framing error?) */
238 #define FS_ASYNC_PPP 0x08 /* PPP frame */
239 #define FS_ASYNC_SLIP 0x10 /* SLIP frame */
240 #define FS_ASYNC_ALIGN 0x20 /* alignment or DLPP(?) error */
241 #define FS_ASYNC_OVERRUN2 0x40 /* overrun or bad frame length */
244 * Sniffer type 4 data record format - followed by frame data.
246 * The ATM Sniffer manual says that the "flags" field holds "buffer flags;
247 * BF_xxxx", but doesn't say what the BF_xxxx flags are. They may
248 * be the same as they are in a type 2 record, in which case they're
249 * probably not of much interest to us.
251 * XXX - the manual also says there's an 8-byte "ATMTimeStamp" driver
252 * time stamp at the end of "ATMSaveInfo", but, from an ATM Sniffer capture
253 * file I've looked at, that appears not to be the case.
257 * Fields from the AAL5 trailer for the frame, if it's an AAL5 frame
258 * rather than a cell.
260 typedef struct _ATM_AAL5Trailer {
261 guint16 aal5t_u2u; /* user-to-user indicator */
262 guint16 aal5t_len; /* length of the packet */
263 guint32 aal5t_chksum; /* checksum for AAL5 packet */
266 typedef struct _ATMTimeStamp {
267 guint32 msw; /* most significant word */
268 guint32 lsw; /* least significant word */
271 typedef struct _ATMSaveInfo {
272 guint32 StatusWord; /* status word from driver */
273 ATM_AAL5Trailer Trailer; /* AAL5 trailer */
274 guint8 AppTrafType; /* traffic type */
275 guint8 AppHLType; /* protocol type */
276 guint16 AppReserved; /* reserved */
277 guint16 Vpi; /* virtual path identifier */
278 guint16 Vci; /* virtual circuit identifier */
279 guint16 channel; /* link: 0 for DCE, 1 for DTE */
280 guint16 cells; /* number of cells */
281 guint32 AppVal1; /* type-dependent */
282 guint32 AppVal2; /* type-dependent */
286 * Bits in StatusWord.
288 #define SW_ERRMASK 0x0F /* Error mask: */
289 #define SW_RX_FIFO_UNDERRUN 0x01 /* Receive FIFO underrun */
290 #define SW_RX_FIFO_OVERRUN 0x02 /* Receive FIFO overrun */
291 #define SW_RX_PKT_TOO_LONG 0x03 /* Received packet > max size */
292 #define SW_CRC_ERROR 0x04 /* CRC error */
293 #define SW_USER_ABORTED_RX 0x05 /* User aborted receive */
294 #define SW_BUF_LEN_TOO_LONG 0x06 /* buffer len > max buf */
295 #define SW_INTERNAL_T1_ERROR 0x07 /* Internal T1 error */
296 #define SW_RX_CHANNEL_DEACTIV8 0x08 /* Rx channel deactivate */
298 #define SW_ERROR 0x80 /* Error indicator */
299 #define SW_CONGESTION 0x40 /* Congestion indicator */
300 #define SW_CLP 0x20 /* Cell loss priority indicator */
301 #define SW_RAW_CELL 0x100 /* RAW cell indicator */
302 #define SW_OAM_CELL 0x200 /* OAM cell indicator */
305 * Bits in AppTrafType.
307 * For AAL types other than AAL5, the packet data is presumably for a
308 * single cell, not a reassembled frame, as the ATM Sniffer manual says
309 * it dosn't reassemble cells other than AAL5 cells.
311 #define ATT_AALTYPE 0x0F /* AAL type: */
312 #define ATT_AAL_UNKNOWN 0x00 /* Unknown AAL */
313 #define ATT_AAL1 0x01 /* AAL1 */
314 #define ATT_AAL3_4 0x02 /* AAL3/4 */
315 #define ATT_AAL5 0x03 /* AAL5 */
316 #define ATT_AAL_USER 0x04 /* User AAL */
317 #define ATT_AAL_SIGNALLING 0x05 /* Signaling AAL */
318 #define ATT_OAMCELL 0x06 /* OAM cell */
320 #define ATT_HLTYPE 0xF0 /* Higher-layer type: */
321 #define ATT_HL_UNKNOWN 0x00 /* unknown */
322 #define ATT_HL_LLCMX 0x10 /* LLC multiplexed (probably RFC 1483) */
323 #define ATT_HL_VCMX 0x20 /* VC multiplexed (probably RFC 1483) */
324 #define ATT_HL_LANE 0x30 /* LAN Emulation */
325 #define ATT_HL_ILMI 0x40 /* ILMI */
326 #define ATT_HL_FRMR 0x50 /* Frame Relay */
327 #define ATT_HL_SPANS 0x60 /* FORE SPANS */
328 #define ATT_HL_IPSILON 0x70 /* Ipsilon */
331 * Values for AppHLType; the interpretation depends on the ATT_HLTYPE
332 * bits in AppTrafType.
334 #define AHLT_UNKNOWN 0x0
335 #define AHLT_VCMX_802_3_FCS 0x1 /* VCMX: 802.3 FCS */
336 #define AHLT_LANE_LE_CTRL 0x1 /* LANE: LE Ctrl */
337 #define AHLT_IPSILON_FT0 0x1 /* Ipsilon: Flow Type 0 */
338 #define AHLT_VCMX_802_4_FCS 0x2 /* VCMX: 802.4 FCS */
339 #define AHLT_LANE_802_3 0x2 /* LANE: 802.3 */
340 #define AHLT_IPSILON_FT1 0x2 /* Ipsilon: Flow Type 1 */
341 #define AHLT_VCMX_802_5_FCS 0x3 /* VCMX: 802.5 FCS */
342 #define AHLT_LANE_802_5 0x3 /* LANE: 802.5 */
343 #define AHLT_IPSILON_FT2 0x3 /* Ipsilon: Flow Type 2 */
344 #define AHLT_VCMX_FDDI_FCS 0x4 /* VCMX: FDDI FCS */
345 #define AHLT_LANE_802_3_MC 0x4 /* LANE: 802.3 multicast */
346 #define AHLT_VCMX_802_6_FCS 0x5 /* VCMX: 802.6 FCS */
347 #define AHLT_LANE_802_5_MC 0x5 /* LANE: 802.5 multicast */
348 #define AHLT_VCMX_802_3 0x7 /* VCMX: 802.3 */
349 #define AHLT_VCMX_802_4 0x8 /* VCMX: 802.4 */
350 #define AHLT_VCMX_802_5 0x9 /* VCMX: 802.5 */
351 #define AHLT_VCMX_FDDI 0xa /* VCMX: FDDI */
352 #define AHLT_VCMX_802_6 0xb /* VCMX: 802.6 */
353 #define AHLT_VCMX_FRAGMENTS 0xc /* VCMX: Fragments */
354 #define AHLT_VCMX_BPDU 0xe /* VCMX: BPDU */
357 guint16 time_low; /* low part of time stamp */
358 guint16 time_med; /* middle part of time stamp */
359 guint8 time_high; /* high part of time stamp */
360 guint8 time_day; /* time in days since start of capture */
361 gint16 size; /* number of bytes of data */
362 gint8 fs; /* frame error status bits */
363 gint8 flags; /* buffer flags */
364 gint16 true_size; /* size of original frame, in bytes */
365 gint16 rsvd3; /* reserved */
366 gint16 atm_pad; /* pad to 4-byte boundary */
367 ATMSaveInfo atm_info; /* ATM-specific stuff */
371 * XXX - I have a version 5.50 file with a bunch of token ring
372 * records listed as type "12". The record format below was
373 * derived from frame4_rec and a bit of experimentation.
377 guint16 time_low; /* low part of time stamp */
378 guint16 time_med; /* middle part of time stamp */
379 guint8 time_high; /* high part of time stamp */
380 guint8 time_day; /* time in days since start of capture */
381 gint16 size; /* number of bytes of data */
382 guint8 fs; /* frame error status bits */
383 guint8 flags; /* buffer flags */
384 gint16 true_size; /* size of original frame, in bytes */
385 guint8 chemical_x[22]; /* ? */
389 * Network type values in some type 7 records.
391 * Captures with a major version number of 2 appear to have type 7
392 * records with text in them (at least one I have does).
394 * Captures with a major version of 4, and at least some captures with
395 * a major version of 5, have type 7 records with those values in the
398 * However, some captures with a major version number of 5 appear not to
399 * have type 7 records at all (at least one I have doesn't), but do appear
400 * to put non-zero values in the "rsvd" field of the version header (at
401 * least one I have does) - at least some other captures with smaller version
402 * numbers appear to put 0 there, so *maybe* that's where the network
403 * (sub)type is hidden in those captures. The version 5 captures I've seen
404 * that *do* have type 7 records put 0 there, so it's not as if *all* V5
405 * captures have something in the "rsvd" field, however.
407 * The semantics of these network types is inferred from the Sniffer
408 * documentation, as they correspond to types described in the UI;
411 * http://www.mcafee.com/common/media/sniffer/support/sdos/operation.pdf
413 * starting at page 3-10 (56 of 496).
415 * XXX - I've seen X.25 captures with NET_ROUTER, and I've seen bridge/
416 * router captures with NET_HDLC. Sigh.... Are those just captures for
417 * which the user set the wrong network type when capturing?
419 #define NET_SDLC 0 /* Probably "SDLC then SNA" */
420 #define NET_HDLC 1 /* Used for X.25; is it used for other
421 things as well, or is it "HDLC then
422 X.25", as referred to by the document
423 cited above, and only used for X.25? */
424 #define NET_FRAME_RELAY 2
425 #define NET_ROUTER 3 /* Probably "Router/Bridge", for various
426 point-to-point protocols for use between
427 bridges and routers, including PPP as well
428 as various proprietary protocols; also
429 used for ISDN, for reasons not obvious
430 to me, given that a Sniffer knows
431 whether it's using a WAN or an ISDN pod */
432 #define NET_PPP 4 /* "Asynchronous", which includes SLIP too */
433 #define NET_SMDS 5 /* Not mentioned in the document, but
434 that's a document for version 5.50 of
435 the Sniffer, and that version might use
436 version 5 in the file format and thus
437 might not be using type 7 records */
440 * Values for V.timeunit, in picoseconds, so that they can be represented
441 * as integers. These values must be < 2^(64-40); see below.
443 * XXX - at least some captures with a V.timeunit value of 2 show
444 * packets with time stamps in 2011 if the time stamp is interpreted
445 * to be in units of 15 microseconds. The capture predates 2008,
446 * so that interpretation is probably wrong. Perhaps the interpretation
447 * of V.timeunit depends on the version number of the file?
449 static const guint32 Psec[] = {
450 15000000, /* 15.0 usecs = 15000000 psecs */
451 838096, /* .838096 usecs = 838096 psecs */
452 15000000, /* 15.0 usecs = 15000000 psecs */
453 500000, /* 0.5 usecs = 500000 psecs */
454 2000000, /* 2.0 usecs = 2000000 psecs */
455 1000000, /* 1.0 usecs = 1000000 psecs */
456 /* XXX - Sniffer doc says 0.08 usecs = 80000 psecs */
457 100000 /* 0.1 usecs = 100000 psecs */
459 #define NUM_NGSNIFF_TIMEUNITS (sizeof Psec / sizeof Psec[0])
461 /* Information for a compressed Sniffer data stream. */
463 unsigned char *buf; /* buffer into which we uncompress data */
464 unsigned int nbytes; /* number of bytes of data in that buffer */
465 int nextout; /* offset in that buffer of stream's current position */
466 gint64 comp_offset; /* current offset in compressed data stream */
467 gint64 uncomp_offset; /* current offset in uncompressed data stream */
468 } ngsniffer_comp_stream_t;
475 guint network; /* network type */
476 ngsniffer_comp_stream_t seq; /* sequential access */
477 ngsniffer_comp_stream_t rand; /* random access */
478 GList *first_blob; /* list element for first blob */
479 GList *last_blob; /* list element for last blob */
480 GList *current_blob; /* list element for current blob */
483 static int process_header_records(wtap *wth, int *err, gchar **err_info,
484 gint16 maj_vers, guint8 network);
485 static int process_rec_header2_v2(wtap *wth, unsigned char *buffer,
486 guint16 length, int *err, gchar **err_info);
487 static int process_rec_header2_v145(wtap *wth, unsigned char *buffer,
488 guint16 length, gint16 maj_vers, int *err, gchar **err_info);
489 static gboolean ngsniffer_read(wtap *wth, int *err, gchar **err_info,
490 gint64 *data_offset);
491 static gboolean ngsniffer_seek_read(wtap *wth, gint64 seek_off,
492 union wtap_pseudo_header *pseudo_header, guint8 *pd, int packet_size,
493 int *err, gchar **err_info);
494 static int ngsniffer_read_rec_header(wtap *wth, gboolean is_random,
495 guint16 *typep, guint16 *lengthp, int *err, gchar **err_info);
496 static gboolean ngsniffer_read_frame2(wtap *wth, gboolean is_random,
497 struct frame2_rec *frame2, int *err, gchar **err_info);
498 static void set_pseudo_header_frame2(wtap *wth,
499 union wtap_pseudo_header *pseudo_header, struct frame2_rec *frame2);
500 static gboolean ngsniffer_read_frame4(wtap *wth, gboolean is_random,
501 struct frame4_rec *frame4, int *err, gchar **err_info);
502 static void set_pseudo_header_frame4(union wtap_pseudo_header *pseudo_header,
503 struct frame4_rec *frame4);
504 static gboolean ngsniffer_read_frame6(wtap *wth, gboolean is_random,
505 struct frame6_rec *frame6, int *err, gchar **err_info);
506 static void set_pseudo_header_frame6(wtap *wth,
507 union wtap_pseudo_header *pseudo_header, struct frame6_rec *frame6);
508 static gboolean ngsniffer_read_rec_data(wtap *wth, gboolean is_random,
509 guint8 *pd, unsigned int length, int *err, gchar **err_info);
510 static int infer_pkt_encap(const guint8 *pd, int len);
511 static int fix_pseudo_header(int encap, const guint8 *pd, int len,
512 union wtap_pseudo_header *pseudo_header);
513 static void ngsniffer_sequential_close(wtap *wth);
514 static void ngsniffer_close(wtap *wth);
515 static gboolean ngsniffer_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
516 const union wtap_pseudo_header *pseudo_header, const guint8 *pd, int *err);
517 static gboolean ngsniffer_dump_close(wtap_dumper *wdh, int *err);
518 static int SnifferDecompress( unsigned char * inbuf, size_t inlen,
519 unsigned char * outbuf, size_t outlen, int *err );
520 static gint64 ng_file_read(void *buffer, unsigned int nbytes, wtap *wth,
521 gboolean is_random, int *err, gchar **err_info);
522 static int read_blob(FILE_T infile, ngsniffer_comp_stream_t *comp_stream,
523 int *err, gchar **err_info);
524 static gint64 ng_file_seek_seq(wtap *wth, gint64 offset, int whence, int *err,
526 static gint64 ng_file_seek_rand(wtap *wth, gint64 offset, int whence, int *err,
530 ngsniffer_open(wtap *wth, int *err, gchar **err_info)
533 char magic[sizeof ngsniffer_magic];
535 char record_length[4]; /* only the first 2 bytes are length,
536 the last 2 are "reserved" and are thrown away */
538 struct vers_rec version;
544 static const int sniffer_encap[] = {
545 WTAP_ENCAP_TOKEN_RING,
548 WTAP_ENCAP_UNKNOWN, /* StarLAN */
549 WTAP_ENCAP_UNKNOWN, /* PC Network broadband */
550 WTAP_ENCAP_UNKNOWN, /* LocalTalk */
551 WTAP_ENCAP_UNKNOWN, /* Znet */
552 WTAP_ENCAP_PER_PACKET, /* Internetwork analyzer (synchronous) */
553 WTAP_ENCAP_PER_PACKET, /* Internetwork analyzer (asynchronous) */
554 WTAP_ENCAP_FDDI_BITSWAPPED,
557 #define NUM_NGSNIFF_ENCAPS (sizeof sniffer_encap / sizeof sniffer_encap[0])
559 ngsniffer_t *ngsniffer;
561 /* Read in the string that should be at the start of a Sniffer file */
562 errno = WTAP_ERR_CANT_READ;
563 bytes_read = file_read(magic, sizeof magic, wth->fh);
564 if (bytes_read != sizeof magic) {
565 *err = file_error(wth->fh, err_info);
570 wth->data_offset += sizeof magic;
572 if (memcmp(magic, ngsniffer_magic, sizeof ngsniffer_magic)) {
577 * Read the first record, which the manual says is a version
580 errno = WTAP_ERR_CANT_READ;
581 bytes_read = file_read(record_type, 2, wth->fh);
582 if (bytes_read != 2) {
583 *err = file_error(wth->fh, err_info);
588 wth->data_offset += 2;
589 bytes_read = file_read(record_length, 4, wth->fh);
590 if (bytes_read != 4) {
591 *err = file_error(wth->fh, err_info);
596 wth->data_offset += 4;
598 type = pletohs(record_type);
600 if (type != REC_VERS) {
601 *err = WTAP_ERR_BAD_RECORD;
602 *err_info = g_strdup_printf("ngsniffer: Sniffer file doesn't start with a version record");
606 errno = WTAP_ERR_CANT_READ;
607 bytes_read = file_read(&version, sizeof version, wth->fh);
608 if (bytes_read != sizeof version) {
609 *err = file_error(wth->fh, err_info);
614 wth->data_offset += sizeof version;
616 /* Check the data link type. */
617 if (version.network >= NUM_NGSNIFF_ENCAPS
618 || sniffer_encap[version.network] == WTAP_ENCAP_UNKNOWN) {
619 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
620 *err_info = g_strdup_printf("ngsniffer: network type %u unknown or unsupported",
625 /* Check the time unit */
626 if (version.timeunit >= NUM_NGSNIFF_TIMEUNITS) {
627 *err = WTAP_ERR_UNSUPPORTED;
628 *err_info = g_strdup_printf("ngsniffer: Unknown timeunit %u", version.timeunit);
632 /* compressed or uncompressed Sniffer file? */
633 if (version.format != 1) {
634 wth->file_type = WTAP_FILE_NGSNIFFER_COMPRESSED;
637 wth->file_type = WTAP_FILE_NGSNIFFER_UNCOMPRESSED;
640 /* Set encap type before reading header records because the
641 * header record may change encap type.
643 wth->file_encap = sniffer_encap[version.network];
646 * We don't know how to handle the remaining header record types,
647 * so we just skip them - except for REC_HEADER2 records, which
648 * we look at, for "Internetwork analyzer" captures, to attempt to
649 * determine what the link-layer encapsulation is.
651 * XXX - in some version 1.16 internetwork analyzer files
652 * generated by the Windows Sniffer when saving Windows
653 * Sniffer files as DOS Sniffer files, there's no REC_HEADER2
654 * record, but the first "rsvd" word is 1 for PRI ISDN files, 2
655 * for BRI ISDN files, and 0 for non-ISDN files; is that something
656 * the DOS Sniffer understands?
658 maj_vers = pletohs(&version.maj_vers);
659 if (process_header_records(wth, err, err_info, maj_vers,
660 version.network) < 0)
662 if ((version.network == NETWORK_SYNCHRO ||
663 version.network == NETWORK_ASYNC) &&
664 wth->file_encap == WTAP_ENCAP_PER_PACKET) {
666 * Well, we haven't determined the internetwork analyzer
673 * ... and this is a version 1 capture; look
674 * at the first "rsvd" word.
676 switch (pletohs(&version.rsvd[0])) {
680 wth->file_encap = WTAP_ENCAP_ISDN;
687 * ...and this is a version 3 capture; we've
688 * seen nothing in those that obviously
689 * indicates the capture type, but the only
690 * one we've seen is a Frame Relay capture,
691 * so mark it as Frame Relay for now.
693 wth->file_encap = WTAP_ENCAP_FRELAY_WITH_PHDR;
699 * Now, if we have a random stream open, position it to the same
700 * location, which should be the beginning of the real data, and
701 * should be the beginning of the compressed data.
703 * XXX - will we see any records other than REC_FRAME2, REC_FRAME4,
704 * or REC_EOF after this? If not, we can get rid of the loop in
705 * "ngsniffer_read()".
707 if (wth->random_fh != NULL) {
708 if (file_seek(wth->random_fh, wth->data_offset, SEEK_SET, err) == -1)
712 /* This is a ngsniffer file */
713 ngsniffer = (ngsniffer_t *)g_malloc(sizeof(ngsniffer_t));
714 wth->priv = (void *)ngsniffer;
715 ngsniffer->maj_vers = maj_vers;
716 ngsniffer->min_vers = pletohs(&version.min_vers);
718 /* We haven't allocated any uncompression buffers yet. */
719 ngsniffer->seq.buf = NULL;
720 ngsniffer->rand.buf = NULL;
722 /* Set the current file offset; the offset in the compressed file
723 and in the uncompressed data stream currently the same. */
724 ngsniffer->seq.uncomp_offset = wth->data_offset;
725 ngsniffer->seq.comp_offset = wth->data_offset;
726 ngsniffer->rand.uncomp_offset = wth->data_offset;
727 ngsniffer->rand.comp_offset = wth->data_offset;
729 /* We don't yet have any list of compressed blobs. */
730 ngsniffer->first_blob = NULL;
731 ngsniffer->last_blob = NULL;
732 ngsniffer->current_blob = NULL;
734 wth->subtype_read = ngsniffer_read;
735 wth->subtype_seek_read = ngsniffer_seek_read;
736 wth->subtype_sequential_close = ngsniffer_sequential_close;
737 wth->subtype_close = ngsniffer_close;
738 wth->snapshot_length = 0; /* not available in header, only in frame */
739 ngsniffer->timeunit = Psec[version.timeunit];
740 ngsniffer->network = version.network;
742 /* Get capture start time */
743 start_date = pletohs(&version.date);
744 tm.tm_year = ((start_date&0xfe00)>>9) + 1980 - 1900;
745 tm.tm_mon = ((start_date&0x1e0)>>5) - 1;
746 tm.tm_mday = (start_date&0x1f);
748 /* The time does not appear to act as an offset; only the date */
749 start_time = pletohs(&version.time);
750 tm.tm_hour = (start_time&0xf800)>>11;
751 tm.tm_min = (start_time&0x7e0)>>5;
752 tm.tm_sec = (start_time&0x1f)<<1;
758 ngsniffer->start = mktime(&tm);
760 * XXX - what if "secs" is -1? Unlikely,
761 * but if the capture was done in a time
762 * zone that switches between standard and
763 * summer time sometime other than when we
764 * do, and thus the time was one that doesn't
765 * exist here because a switch from standard
766 * to summer time zips over it, it could
769 * On the other hand, if the capture was done
770 * in a different time zone, this won't work
771 * right anyway; unfortunately, the time zone
772 * isn't stored in the capture file.
775 wth->tsprecision = WTAP_FILE_TSPREC_NSEC; /* XXX */
781 process_header_records(wtap *wth, int *err, gchar **err_info, gint16 maj_vers,
786 char record_length[4]; /* only the first 2 bytes are length,
787 the last 2 are "reserved" and are thrown away */
788 guint16 type, length;
790 unsigned char buffer[256];
793 errno = WTAP_ERR_CANT_READ;
794 bytes_read = file_read(record_type, 2, wth->fh);
795 if (bytes_read != 2) {
796 *err = file_error(wth->fh, err_info);
799 if (bytes_read != 0) {
800 *err = WTAP_ERR_SHORT_READ;
806 type = pletohs(record_type);
807 if ((type != REC_HEADER1) && (type != REC_HEADER2)
808 && (type != REC_HEADER3) && (type != REC_HEADER4)
809 && (type != REC_HEADER5) && (type != REC_HEADER6)
810 && (type != REC_HEADER7)
811 && ((type != REC_V2DESC) || (maj_vers > 2)) ) {
813 * Well, this is either some unknown header type
814 * (we ignore this case), an uncompressed data
815 * frame or the length of a compressed blob
816 * which implies data. Seek backwards over the
817 * two bytes we read, and return.
819 if (file_seek(wth->fh, -2, SEEK_CUR, err) == -1)
824 errno = WTAP_ERR_CANT_READ;
825 bytes_read = file_read(record_length, 4, wth->fh);
826 if (bytes_read != 4) {
827 *err = file_error(wth->fh, err_info);
829 *err = WTAP_ERR_SHORT_READ;
832 wth->data_offset += 6;
834 length = pletohs(record_length);
837 * Is this is an "Internetwork analyzer" capture, and
838 * is this a REC_HEADER2 record?
840 * If so, it appears to specify the particular type
841 * of network we're on.
843 * XXX - handle sync and async differently? (E.g.,
844 * does this apply only to sync?)
846 if ((network == NETWORK_SYNCHRO || network == NETWORK_ASYNC) &&
847 type == REC_HEADER2) {
849 * Yes, get the first up-to-256 bytes of the
852 bytes_to_read = MIN(length, (int)sizeof buffer);
853 bytes_read = file_read(buffer, bytes_to_read,
855 if (bytes_read != bytes_to_read) {
856 *err = file_error(wth->fh, err_info);
858 *err = WTAP_ERR_SHORT_READ;
866 if (process_rec_header2_v2(wth, buffer,
867 length, err, err_info) < 0)
874 if (process_rec_header2_v145(wth, buffer,
875 length, maj_vers, err, err_info) < 0)
881 * Skip the rest of the record.
883 if (length > sizeof buffer) {
884 if (file_seek(wth->fh, length - sizeof buffer,
885 SEEK_CUR, err) == -1)
889 /* Nope, just skip over the data. */
890 if (file_seek(wth->fh, length, SEEK_CUR, err) == -1)
893 wth->data_offset += length;
898 process_rec_header2_v2(wtap *wth, unsigned char *buffer, guint16 length,
899 int *err, gchar **err_info)
901 static const char x_25_str[] = "HDLC\nX.25\n";
904 * There appears to be a string in a REC_HEADER2 record, with
905 * a list of protocols. In one X.25 capture I've seen, the
906 * string was "HDLC\nX.25\nCLNP\nISO_TP\nSESS\nPRES\nVTP\nACSE".
907 * Presumably CLNP and everything else is per-packet, but
908 * we assume "HDLC\nX.25\n" indicates that it's an X.25 capture.
910 if (length < sizeof x_25_str - 1) {
912 * There's not enough data to compare.
914 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
915 *err_info = g_strdup_printf("ngsniffer: WAN capture has too-short protocol list");
919 if (strncmp((char *)buffer, x_25_str, sizeof x_25_str - 1) == 0) {
923 wth->file_encap = WTAP_ENCAP_LAPB;
925 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
926 *err_info = g_strdup_printf("ngsniffer: WAN capture protocol string %.*s unknown",
934 process_rec_header2_v145(wtap *wth, unsigned char *buffer, guint16 length,
935 gint16 maj_vers, int *err, gchar **err_info)
938 * The 5th byte of the REC_HEADER2 record appears to be a
943 * There is no 5th byte; give up.
945 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
946 *err_info = g_strdup("ngsniffer: WAN capture has no network subtype");
951 * The X.25 captures I've seen have a type of NET_HDLC, and the
952 * Sniffer documentation seems to imply that it's used for
953 * X.25, although it could be used for other purposes as well.
955 * NET_ROUTER is used for all sorts of point-to-point protocols,
956 * including ISDN. It appears, from the documentation, that the
957 * Sniffer attempts to infer the particular protocol by looking
958 * at the traffic; it's not clear whether it stores in the file
959 * an indication of the protocol it inferred was being used.
961 * Unfortunately, it also appears that NET_HDLC is used for
962 * stuff other than X.25 as well, so we can't just interpret
963 * it unconditionally as X.25.
965 * For now, we interpret both NET_HDLC and NET_ROUTER as "per-packet
966 * encapsulation". We remember that we saw NET_ROUTER, though,
967 * as it appears that we can infer whether a packet is PPP or
968 * ISDN based on the channel number subfield of the frame error
969 * status bits - if it's 0, it's PPP, otherwise it's ISDN and
970 * the channel number indicates which channel it is. We assume
971 * NET_HDLC isn't used for ISDN.
976 wth->file_encap = WTAP_ENCAP_SDLC;
980 wth->file_encap = WTAP_ENCAP_PER_PACKET;
983 case NET_FRAME_RELAY:
984 wth->file_encap = WTAP_ENCAP_FRELAY_WITH_PHDR;
989 * For most of the version 4 capture files I've seen,
990 * 0xfa in buffer[1] means the file is an ISDN capture,
991 * but there's one PPP file with 0xfa there; does that
992 * mean that the 0xfa has nothing to do with ISDN,
993 * or is that just an ISDN file with no D channel
994 * packets? (The channel number is not 0 in any
995 * of the packets, so perhaps it is.)
997 * For one version 5 ISDN capture I've seen, there's
998 * a 0x01 in buffer[6]; none of the non-ISDN version
999 * 5 captures have it.
1001 wth->file_encap = WTAP_ENCAP_PER_PACKET;
1005 if (buffer[1] == 0xfa)
1006 wth->file_encap = WTAP_ENCAP_ISDN;
1012 * There is no 5th byte; give up.
1014 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
1015 *err_info = g_strdup("ngsniffer: WAN bridge/router capture has no ISDN flag");
1018 if (buffer[6] == 0x01)
1019 wth->file_encap = WTAP_ENCAP_ISDN;
1025 wth->file_encap = WTAP_ENCAP_PPP_WITH_PHDR;
1030 * Reject these until we can figure them out.
1032 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
1033 *err_info = g_strdup_printf("ngsniffer: WAN network subtype %u unknown or unsupported",
1040 /* Read the next packet */
1042 ngsniffer_read(wtap *wth, int *err, gchar **err_info, gint64 *data_offset)
1044 ngsniffer_t *ngsniffer;
1046 guint16 type, length;
1047 struct frame2_rec frame2;
1048 struct frame4_rec frame4;
1049 struct frame6_rec frame6;
1050 guint16 time_low, time_med, true_size, size;
1051 guint8 time_high, time_day;
1052 guint64 t, tsecs, tpsecs;
1055 ngsniffer = (ngsniffer_t *)wth->priv;
1058 * Read the record header.
1060 *data_offset = wth->data_offset;
1061 ret = ngsniffer_read_rec_header(wth, FALSE, &type, &length,
1064 /* Read error or EOF */
1067 wth->data_offset += 6;
1072 if (ngsniffer->network == NETWORK_ATM) {
1074 * We shouldn't get a frame2 record in
1077 *err = WTAP_ERR_BAD_RECORD;
1078 *err_info = g_strdup("ngsniffer: REC_FRAME2 record in an ATM Sniffer file");
1082 /* Read the f_frame2_struct */
1083 if (!ngsniffer_read_frame2(wth, FALSE, &frame2, err,
1088 wth->data_offset += sizeof frame2;
1089 time_low = pletohs(&frame2.time_low);
1090 time_med = pletohs(&frame2.time_med);
1091 time_high = frame2.time_high;
1092 time_day = frame2.time_day;
1093 size = pletohs(&frame2.size);
1094 true_size = pletohs(&frame2.true_size);
1096 length -= sizeof frame2; /* we already read that much */
1098 set_pseudo_header_frame2(wth, &wth->pseudo_header,
1103 if (ngsniffer->network != NETWORK_ATM) {
1105 * We shouldn't get a frame2 record in
1106 * a non-ATM capture.
1108 *err = WTAP_ERR_BAD_RECORD;
1109 *err_info = g_strdup("ngsniffer: REC_FRAME4 record in a non-ATM Sniffer file");
1113 /* Read the f_frame4_struct */
1114 if (!ngsniffer_read_frame4(wth, FALSE, &frame4, err,
1119 wth->data_offset += sizeof frame4;
1120 time_low = pletohs(&frame4.time_low);
1121 time_med = pletohs(&frame4.time_med);
1122 time_high = frame4.time_high;
1123 time_day = frame4.time_day;
1124 size = pletohs(&frame4.size);
1125 true_size = pletohs(&frame4.true_size);
1128 * XXX - it looks as if some version 4 captures have
1129 * a bogus record length, based on the assumption
1130 * that the record is a frame2 record.
1132 if (ngsniffer->maj_vers >= 5)
1133 length -= sizeof frame4; /* we already read that much */
1135 if (ngsniffer->min_vers >= 95)
1136 length -= sizeof frame2;
1138 length -= sizeof frame4;
1141 set_pseudo_header_frame4(&wth->pseudo_header, &frame4);
1145 /* Read the f_frame6_struct */
1146 if (!ngsniffer_read_frame6(wth, FALSE, &frame6, err,
1151 wth->data_offset += sizeof frame6;
1152 time_low = pletohs(&frame6.time_low);
1153 time_med = pletohs(&frame6.time_med);
1154 time_high = frame6.time_high;
1155 time_day = frame6.time_day;
1156 size = pletohs(&frame6.size);
1157 true_size = pletohs(&frame6.true_size);
1159 length -= sizeof frame6; /* we already read that much */
1161 set_pseudo_header_frame6(wth, &wth->pseudo_header,
1167 * End of file. Return an EOF indication.
1169 *err = 0; /* EOF, not error */
1173 break; /* unknown type, skip it */
1177 * Well, we don't know what it is, or we know what
1178 * it is but can't handle it. Skip past the data
1179 * portion, and keep looping.
1181 if (ng_file_seek_seq(wth, length, SEEK_CUR, err, err_info)
1184 wth->data_offset += length;
1189 * OK, is the frame data size greater than than what's left of the
1192 if (size > length) {
1194 * Yes - treat this as an error.
1196 *err = WTAP_ERR_BAD_RECORD;
1197 *err_info = g_strdup("ngsniffer: Record length is less than packet size");
1201 wth->phdr.len = true_size ? true_size : size;
1202 wth->phdr.caplen = size;
1205 * Read the packet data.
1207 buffer_assure_space(wth->frame_buffer, length);
1208 pd = buffer_start_ptr(wth->frame_buffer);
1209 if (!ngsniffer_read_rec_data(wth, FALSE, pd, length, err, err_info))
1210 return FALSE; /* Read error */
1211 wth->data_offset += length;
1213 wth->phdr.pkt_encap = fix_pseudo_header(wth->file_encap, pd, length,
1214 &wth->pseudo_header);
1217 * 40-bit time stamp, in units of timeunit picoseconds.
1219 t = (((guint64)time_high)<<32) | (((guint64)time_med) << 16) | time_low;
1222 * timeunit is always < 2^(64-40), so t * timeunit fits in 64
1223 * bits. That gives a 64-bit time stamp, in units of
1226 t *= ngsniffer->timeunit;
1229 * Convert to seconds and picoseconds.
1231 tsecs = t/G_GINT64_CONSTANT(1000000000000U);
1232 tpsecs = t - tsecs*G_GINT64_CONSTANT(1000000000000U);
1235 * Add in the time_day value (86400 seconds/day).
1237 tsecs += time_day*86400;
1240 * Add in the capture start time.
1242 tsecs += ngsniffer->start;
1244 wth->phdr.ts.secs = (time_t)tsecs;
1245 wth->phdr.ts.nsecs = (int)(tpsecs/1000); /* psecs to nsecs */
1250 ngsniffer_seek_read(wtap *wth, gint64 seek_off,
1251 union wtap_pseudo_header *pseudo_header, guint8 *pd, int packet_size,
1252 int *err, gchar **err_info)
1255 guint16 type, length;
1256 struct frame2_rec frame2;
1257 struct frame4_rec frame4;
1258 struct frame6_rec frame6;
1260 if (ng_file_seek_rand(wth, seek_off, SEEK_SET, err, err_info) == -1)
1263 ret = ngsniffer_read_rec_header(wth, TRUE, &type, &length, err,
1266 /* Read error or EOF */
1268 /* EOF means "short read" in random-access mode */
1269 *err = WTAP_ERR_SHORT_READ;
1277 /* Read the f_frame2_struct */
1278 if (!ngsniffer_read_frame2(wth, TRUE, &frame2, err, err_info)) {
1283 length -= sizeof frame2; /* we already read that much */
1285 set_pseudo_header_frame2(wth, pseudo_header, &frame2);
1289 /* Read the f_frame4_struct */
1290 if (!ngsniffer_read_frame4(wth, TRUE, &frame4, err, err_info)) {
1295 length -= sizeof frame4; /* we already read that much */
1297 set_pseudo_header_frame4(pseudo_header, &frame4);
1301 /* Read the f_frame6_struct */
1302 if (!ngsniffer_read_frame6(wth, TRUE, &frame6, err, err_info)) {
1307 length -= sizeof frame6; /* we already read that much */
1309 set_pseudo_header_frame6(wth, pseudo_header, &frame6);
1316 g_assert_not_reached();
1321 * Got the pseudo-header (if any), now get the data.
1323 if (!ngsniffer_read_rec_data(wth, TRUE, pd, packet_size, err, err_info))
1326 fix_pseudo_header(wth->file_encap, pd, packet_size, pseudo_header);
1332 ngsniffer_read_rec_header(wtap *wth, gboolean is_random, guint16 *typep,
1333 guint16 *lengthp, int *err, gchar **err_info)
1336 char record_type[2];
1337 char record_length[4]; /* only 1st 2 bytes are length */
1340 * Read the record header.
1342 bytes_read = ng_file_read(record_type, 2, wth, is_random, err,
1344 if (bytes_read != 2) {
1347 if (bytes_read != 0) {
1348 *err = WTAP_ERR_SHORT_READ;
1353 bytes_read = ng_file_read(record_length, 4, wth, is_random, err,
1355 if (bytes_read != 4) {
1357 *err = WTAP_ERR_SHORT_READ;
1361 *typep = pletohs(record_type);
1362 *lengthp = pletohs(record_length);
1363 return 1; /* success */
1367 ngsniffer_read_frame2(wtap *wth, gboolean is_random, struct frame2_rec *frame2,
1368 int *err, gchar **err_info)
1372 /* Read the f_frame2_struct */
1373 bytes_read = ng_file_read(frame2, (unsigned int)sizeof *frame2, wth,
1374 is_random, err, err_info);
1375 if (bytes_read != sizeof *frame2) {
1377 *err = WTAP_ERR_SHORT_READ;
1384 set_pseudo_header_frame2(wtap *wth, union wtap_pseudo_header *pseudo_header,
1385 struct frame2_rec *frame2)
1388 * In one PPP "Internetwork analyzer" capture:
1390 * The only bit seen in "frame2.fs" is the 0x80 bit, which
1391 * probably indicates the packet's direction; all other
1392 * bits were zero. The Expert Sniffer Network Analyzer
1393 * 5.50 Operations manual says that bit is the FS_DTE bit
1394 * for async/PPP data. The other bits are error bits
1395 * plus bits indicating whether the frame is PPP or SLIP,
1396 * but the PPP bit isn't set.
1398 * All bits in "frame2.flags" were zero.
1400 * In one X.25 "Internetwork analyzer" capture:
1402 * The only bit seen in "frame2.fs" is the 0x80 bit, which
1403 * probably indicates the packet's direction; all other
1406 * "frame2.flags" was always 0x18; however, the Sniffer
1407 * manual says that just means that a display filter was
1408 * calculated for the frame, and it should be displayed,
1409 * so perhaps that's just a quirk of that particular capture.
1411 * In one Ethernet capture:
1413 * "frame2.fs" was always 0; the Sniffer manual says they're
1414 * error bits of various sorts.
1416 * "frame2.flags" was either 0 or 0x18, with no obvious
1417 * correlation with anything. See previous comment
1418 * about display filters.
1420 * In one Token Ring capture:
1422 * "frame2.fs" was either 0 or 0xcc; the Sniffer manual says
1423 * nothing about those bits for Token Ring captures.
1425 * "frame2.flags" was either 0 or 0x18, with no obvious
1426 * correlation with anything. See previous comment
1427 * about display filters.
1429 switch (wth->file_encap) {
1431 case WTAP_ENCAP_ETHERNET:
1433 * XXX - do we ever have an FCS? If not, why do we often
1434 * have 4 extra bytes of stuff at the end? Do some
1435 * PC Ethernet interfaces report the length including the
1436 * FCS but not store the FCS in the packet, or do some
1437 * Ethernet drivers work that way?
1439 pseudo_header->eth.fcs_len = 0;
1442 case WTAP_ENCAP_PPP_WITH_PHDR:
1443 case WTAP_ENCAP_SDLC:
1444 pseudo_header->p2p.sent = (frame2->fs & FS_WAN_DTE) ? TRUE : FALSE;
1447 case WTAP_ENCAP_LAPB:
1448 case WTAP_ENCAP_FRELAY_WITH_PHDR:
1449 case WTAP_ENCAP_PER_PACKET:
1450 pseudo_header->x25.flags = (frame2->fs & FS_WAN_DTE) ? 0x00 : FROM_DCE;
1453 case WTAP_ENCAP_ISDN:
1454 pseudo_header->isdn.uton = (frame2->fs & FS_WAN_DTE) ? FALSE : TRUE;
1455 switch (frame2->fs & FS_ISDN_CHAN_MASK) {
1457 case FS_ISDN_CHAN_D:
1458 pseudo_header->isdn.channel = 0; /* D-channel */
1461 case FS_ISDN_CHAN_B1:
1462 pseudo_header->isdn.channel = 1; /* B1-channel */
1465 case FS_ISDN_CHAN_B2:
1466 pseudo_header->isdn.channel = 2; /* B2-channel */
1470 pseudo_header->isdn.channel = 30; /* XXX */
1477 ngsniffer_read_frame4(wtap *wth, gboolean is_random, struct frame4_rec *frame4,
1478 int *err, gchar **err_info)
1482 /* Read the f_frame4_struct */
1483 bytes_read = ng_file_read(frame4, (unsigned int)sizeof *frame4, wth,
1484 is_random, err, err_info);
1485 if (bytes_read != sizeof *frame4) {
1487 *err = WTAP_ERR_SHORT_READ;
1494 set_pseudo_header_frame4(union wtap_pseudo_header *pseudo_header,
1495 struct frame4_rec *frame4)
1498 guint8 aal_type, hl_type;
1502 * Map flags from frame4.atm_info.StatusWord.
1504 pseudo_header->atm.flags = 0;
1505 StatusWord = pletohl(&frame4->atm_info.StatusWord);
1506 if (StatusWord & SW_RAW_CELL)
1507 pseudo_header->atm.flags |= ATM_RAW_CELL;
1509 aal_type = frame4->atm_info.AppTrafType & ATT_AALTYPE;
1510 hl_type = frame4->atm_info.AppTrafType & ATT_HLTYPE;
1511 vpi = pletohs(&frame4->atm_info.Vpi);
1512 vci = pletohs(&frame4->atm_info.Vci);
1516 case ATT_AAL_UNKNOWN:
1518 * Map ATT_AAL_UNKNOWN on VPI 0, VCI 5 to ATT_AAL_SIGNALLING,
1519 * as that's the VPCI used for signalling.
1521 * XXX - is this necessary, or will frames to 0/5 always
1522 * have ATT_AAL_SIGNALLING?
1524 if (vpi == 0 && vci == 5)
1525 pseudo_header->atm.aal = AAL_SIGNALLING;
1527 pseudo_header->atm.aal = AAL_UNKNOWN;
1528 pseudo_header->atm.type = TRAF_UNKNOWN;
1529 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1533 pseudo_header->atm.aal = AAL_1;
1534 pseudo_header->atm.type = TRAF_UNKNOWN;
1535 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1539 pseudo_header->atm.aal = AAL_3_4;
1540 pseudo_header->atm.type = TRAF_UNKNOWN;
1541 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1545 pseudo_header->atm.aal = AAL_5;
1548 case ATT_HL_UNKNOWN:
1549 pseudo_header->atm.type = TRAF_UNKNOWN;
1550 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1554 pseudo_header->atm.type = TRAF_LLCMX;
1555 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1559 pseudo_header->atm.type = TRAF_VCMX;
1560 switch (frame4->atm_info.AppHLType) {
1563 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1566 case AHLT_VCMX_802_3_FCS:
1567 pseudo_header->atm.subtype =
1568 TRAF_ST_VCMX_802_3_FCS;
1571 case AHLT_VCMX_802_4_FCS:
1572 pseudo_header->atm.subtype =
1573 TRAF_ST_VCMX_802_4_FCS;
1576 case AHLT_VCMX_802_5_FCS:
1577 pseudo_header->atm.subtype =
1578 TRAF_ST_VCMX_802_5_FCS;
1581 case AHLT_VCMX_FDDI_FCS:
1582 pseudo_header->atm.subtype =
1583 TRAF_ST_VCMX_FDDI_FCS;
1586 case AHLT_VCMX_802_6_FCS:
1587 pseudo_header->atm.subtype =
1588 TRAF_ST_VCMX_802_6_FCS;
1591 case AHLT_VCMX_802_3:
1592 pseudo_header->atm.subtype = TRAF_ST_VCMX_802_3;
1595 case AHLT_VCMX_802_4:
1596 pseudo_header->atm.subtype = TRAF_ST_VCMX_802_4;
1599 case AHLT_VCMX_802_5:
1600 pseudo_header->atm.subtype = TRAF_ST_VCMX_802_5;
1603 case AHLT_VCMX_FDDI:
1604 pseudo_header->atm.subtype = TRAF_ST_VCMX_FDDI;
1607 case AHLT_VCMX_802_6:
1608 pseudo_header->atm.subtype = TRAF_ST_VCMX_802_6;
1611 case AHLT_VCMX_FRAGMENTS:
1612 pseudo_header->atm.subtype =
1613 TRAF_ST_VCMX_FRAGMENTS;
1616 case AHLT_VCMX_BPDU:
1617 pseudo_header->atm.subtype = TRAF_ST_VCMX_BPDU;
1621 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1627 pseudo_header->atm.type = TRAF_LANE;
1628 switch (frame4->atm_info.AppHLType) {
1631 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1634 case AHLT_LANE_LE_CTRL:
1635 pseudo_header->atm.subtype =
1636 TRAF_ST_LANE_LE_CTRL;
1639 case AHLT_LANE_802_3:
1640 pseudo_header->atm.subtype = TRAF_ST_LANE_802_3;
1643 case AHLT_LANE_802_5:
1644 pseudo_header->atm.subtype = TRAF_ST_LANE_802_5;
1647 case AHLT_LANE_802_3_MC:
1648 pseudo_header->atm.subtype =
1649 TRAF_ST_LANE_802_3_MC;
1652 case AHLT_LANE_802_5_MC:
1653 pseudo_header->atm.subtype =
1654 TRAF_ST_LANE_802_5_MC;
1658 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1664 pseudo_header->atm.type = TRAF_ILMI;
1665 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1669 pseudo_header->atm.type = TRAF_FR;
1670 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1674 pseudo_header->atm.type = TRAF_SPANS;
1675 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1678 case ATT_HL_IPSILON:
1679 pseudo_header->atm.type = TRAF_IPSILON;
1680 switch (frame4->atm_info.AppHLType) {
1683 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1686 case AHLT_IPSILON_FT0:
1687 pseudo_header->atm.subtype =
1688 TRAF_ST_IPSILON_FT0;
1691 case AHLT_IPSILON_FT1:
1692 pseudo_header->atm.subtype =
1693 TRAF_ST_IPSILON_FT1;
1696 case AHLT_IPSILON_FT2:
1697 pseudo_header->atm.subtype =
1698 TRAF_ST_IPSILON_FT2;
1702 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1708 pseudo_header->atm.type = TRAF_UNKNOWN;
1709 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1715 pseudo_header->atm.aal = AAL_USER;
1716 pseudo_header->atm.type = TRAF_UNKNOWN;
1717 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1720 case ATT_AAL_SIGNALLING:
1721 pseudo_header->atm.aal = AAL_SIGNALLING;
1722 pseudo_header->atm.type = TRAF_UNKNOWN;
1723 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1727 pseudo_header->atm.aal = AAL_OAMCELL;
1728 pseudo_header->atm.type = TRAF_UNKNOWN;
1729 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1733 pseudo_header->atm.aal = AAL_UNKNOWN;
1734 pseudo_header->atm.type = TRAF_UNKNOWN;
1735 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1738 pseudo_header->atm.vpi = vpi;
1739 pseudo_header->atm.vci = vci;
1740 pseudo_header->atm.channel = pletohs(&frame4->atm_info.channel);
1741 pseudo_header->atm.cells = pletohs(&frame4->atm_info.cells);
1742 pseudo_header->atm.aal5t_u2u = pletohs(&frame4->atm_info.Trailer.aal5t_u2u);
1743 pseudo_header->atm.aal5t_len = pletohs(&frame4->atm_info.Trailer.aal5t_len);
1744 pseudo_header->atm.aal5t_chksum = pntohl(&frame4->atm_info.Trailer.aal5t_chksum);
1748 ngsniffer_read_frame6(wtap *wth, gboolean is_random, struct frame6_rec *frame6,
1749 int *err, gchar **err_info)
1753 /* Read the f_frame6_struct */
1754 bytes_read = ng_file_read(frame6, (unsigned int)sizeof *frame6, wth,
1755 is_random, err, err_info);
1756 if (bytes_read != sizeof *frame6) {
1758 *err = WTAP_ERR_SHORT_READ;
1765 set_pseudo_header_frame6(wtap *wth, union wtap_pseudo_header *pseudo_header,
1766 struct frame6_rec *frame6 _U_)
1768 /* XXX - Once the frame format is divined, something will most likely go here */
1770 switch (wth->file_encap) {
1772 case WTAP_ENCAP_ETHERNET:
1773 /* XXX - is there an FCS? */
1774 pseudo_header->eth.fcs_len = -1;
1780 ngsniffer_read_rec_data(wtap *wth, gboolean is_random, guint8 *pd,
1781 unsigned int length, int *err, gchar **err_info)
1785 bytes_read = ng_file_read(pd, length, wth, is_random, err, err_info);
1787 if (bytes_read != (gint64) length) {
1789 *err = WTAP_ERR_SHORT_READ;
1796 * OK, this capture is from an "Internetwork analyzer", and we either
1797 * didn't see a type 7 record or it had a network type such as NET_HDLC
1798 * that doesn't tell us which *particular* HDLC derivative this is;
1799 * let's look at the first few bytes of the packet, a pointer to which
1800 * was passed to us as an argument, and see whether it looks like PPP,
1801 * Frame Relay, Wellfleet HDLC, Cisco HDLC, or LAPB - or, if it's none
1802 * of those, assume it's LAPD.
1804 * (XXX - are there any "Internetwork analyzer" captures that don't
1805 * have type 7 records? If so, is there some other field that will
1806 * tell us what type of capture it is?)
1809 infer_pkt_encap(const guint8 *pd, int len)
1815 * Nothing to infer, but it doesn't matter how you
1816 * dissect an empty packet. Let's just say PPP.
1818 return WTAP_ENCAP_PPP_WITH_PHDR;
1821 if (pd[0] == 0xFF) {
1823 * PPP. (XXX - check for 0xFF 0x03?)
1825 return WTAP_ENCAP_PPP_WITH_PHDR;
1829 if (pd[0] == 0x07 && pd[1] == 0x03) {
1833 return WTAP_ENCAP_WFLEET_HDLC;
1834 } else if ((pd[0] == 0x0F && pd[1] == 0x00) ||
1835 (pd[0] == 0x8F && pd[1] == 0x00)) {
1839 return WTAP_ENCAP_CHDLC_WITH_PHDR;
1843 * Check for Frame Relay. Look for packets with at least
1844 * 3 bytes of header - 2 bytes of DLCI followed by 1 byte
1845 * of control, which, for now, we require to be 0x03 (UI),
1846 * although there might be other frame types as well.
1847 * Scan forward until we see the last DLCI byte, with
1848 * the low-order bit being 1, and then check the next
1849 * byte to see if it's a control byte.
1851 * XXX - in version 4 and 5 captures, wouldn't this just
1852 * have a capture subtype of NET_FRAME_RELAY? Or is this
1853 * here only to handle other versions of the capture
1854 * file, where we might just not yet have found where
1855 * the subtype is specified in the capture?
1857 * Bay^H^H^HNortel Networks has a mechanism in the Optivity
1858 * software for some of their routers to save captures
1859 * in Sniffer format; they use a version number of 4.9, but
1860 * don't put out any header records before the first FRAME2
1861 * record. That means we have to use heuristics to guess
1862 * what type of packet we have.
1864 for (i = 0; i < len && (pd[i] & 0x01) == 0; i++)
1866 i++; /* advance to the byte after the last DLCI byte */
1871 return WTAP_ENCAP_LAPB;
1874 return WTAP_ENCAP_FRELAY_WITH_PHDR;
1878 * Assume LAPB, for now. If we support other HDLC encapsulations,
1879 * we can check whether the low-order bit of the first byte is
1880 * set (as it should be for LAPB) if no other checks pass.
1882 * Or, if it's truly impossible to distinguish ISDN from non-ISDN
1883 * captures, we could assume it's ISDN if it's not anything
1886 return WTAP_ENCAP_LAPB;
1890 fix_pseudo_header(int encap, const guint8 *pd, int len,
1891 union wtap_pseudo_header *pseudo_header)
1895 case WTAP_ENCAP_PER_PACKET:
1897 * Infer the packet type from the first two bytes.
1899 encap = infer_pkt_encap(pd, len);
1902 * Fix up the pseudo-header to match the new
1903 * encapsulation type.
1907 case WTAP_ENCAP_WFLEET_HDLC:
1908 case WTAP_ENCAP_CHDLC_WITH_PHDR:
1909 case WTAP_ENCAP_PPP_WITH_PHDR:
1910 if (pseudo_header->x25.flags == 0)
1911 pseudo_header->p2p.sent = TRUE;
1913 pseudo_header->p2p.sent = FALSE;
1916 case WTAP_ENCAP_ISDN:
1917 if (pseudo_header->x25.flags == 0x00)
1918 pseudo_header->isdn.uton = FALSE;
1920 pseudo_header->isdn.uton = TRUE;
1923 * XXX - this is currently a per-packet
1924 * encapsulation type, and we can't determine
1925 * whether a capture is an ISDN capture before
1926 * seeing any packets, and B-channel PPP packets
1927 * look like PPP packets and are given
1928 * WTAP_ENCAP_PPP_WITH_PHDR, not WTAP_ENCAP_ISDN,
1929 * so we assume this is a D-channel packet and
1930 * thus give it a channel number of 0.
1932 pseudo_header->isdn.channel = 0;
1937 case WTAP_ENCAP_ATM_PDUS:
1939 * If the Windows Sniffer writes out one of its ATM
1940 * capture files in DOS Sniffer format, it doesn't
1941 * distinguish between LE Control and LANE encapsulated
1942 * LAN frames, it just marks them as LAN frames,
1943 * so we fix that up here.
1945 * I've also seen DOS Sniffer captures claiming that
1946 * LANE packets that *don't* start with FF 00 are
1947 * marked as LE Control frames, so we fix that up
1950 if (pseudo_header->atm.type == TRAF_LANE && len >= 2) {
1951 if (pd[0] == 0xff && pd[1] == 0x00) {
1953 * This must be LE Control.
1955 pseudo_header->atm.subtype =
1956 TRAF_ST_LANE_LE_CTRL;
1959 * This can't be LE Control.
1961 if (pseudo_header->atm.subtype ==
1962 TRAF_ST_LANE_LE_CTRL) {
1964 * XXX - Ethernet or Token Ring?
1966 pseudo_header->atm.subtype =
1976 /* Throw away the buffers used by the sequential I/O stream, but not
1977 those used by the random I/O stream. */
1979 ngsniffer_sequential_close(wtap *wth)
1981 ngsniffer_t *ngsniffer;
1983 ngsniffer = (ngsniffer_t *)wth->priv;
1984 if (ngsniffer->seq.buf != NULL) {
1985 g_free(ngsniffer->seq.buf);
1986 ngsniffer->seq.buf = NULL;
1991 free_blob(gpointer data, gpointer user_data _U_)
1996 /* Close stuff used by the random I/O stream, if any, and free up any
1997 private data structures. (If there's a "sequential_close" routine
1998 for a capture file type, it'll be called before the "close" routine
1999 is called, so we don't have to free the sequential buffer here.) */
2001 ngsniffer_close(wtap *wth)
2003 ngsniffer_t *ngsniffer;
2005 ngsniffer = (ngsniffer_t *)wth->priv;
2006 if (ngsniffer->rand.buf != NULL)
2007 g_free(ngsniffer->rand.buf);
2008 if (ngsniffer->first_blob != NULL) {
2009 g_list_foreach(ngsniffer->first_blob, free_blob, NULL);
2010 g_list_free(ngsniffer->first_blob);
2015 gboolean first_frame;
2019 static const int wtap_encap[] = {
2020 -1, /* WTAP_ENCAP_UNKNOWN -> unsupported */
2021 1, /* WTAP_ENCAP_ETHERNET */
2022 0, /* WTAP_ENCAP_TOKEN_RING */
2023 -1, /* WTAP_ENCAP_SLIP -> unsupported */
2024 7, /* WTAP_ENCAP_PPP -> Internetwork analyzer (synchronous) FIXME ! */
2025 9, /* WTAP_ENCAP_FDDI */
2026 9, /* WTAP_ENCAP_FDDI_BITSWAPPED */
2027 -1, /* WTAP_ENCAP_RAW_IP -> unsupported */
2028 2, /* WTAP_ENCAP_ARCNET */
2029 -1, /* WTAP_ENCAP_ATM_RFC1483 */
2030 -1, /* WTAP_ENCAP_LINUX_ATM_CLIP */
2031 7, /* WTAP_ENCAP_LAPB -> Internetwork analyzer (synchronous) */
2032 -1, /* WTAP_ENCAP_ATM_PDUS */
2033 -1, /* WTAP_ENCAP_NULL -> unsupported */
2034 -1, /* WTAP_ENCAP_ASCEND -> unsupported */
2035 -1, /* WTAP_ENCAP_ISDN -> unsupported */
2036 -1, /* WTAP_ENCAP_IP_OVER_FC -> unsupported */
2037 7, /* WTAP_ENCAP_PPP_WITH_PHDR -> Internetwork analyzer (synchronous) FIXME ! */
2039 #define NUM_WTAP_ENCAPS (sizeof wtap_encap / sizeof wtap_encap[0])
2041 /* Returns 0 if we could write the specified encapsulation type,
2042 an error indication otherwise. */
2044 ngsniffer_dump_can_write_encap(int encap)
2046 /* Per-packet encapsulations aren't supported. */
2047 if (encap == WTAP_ENCAP_PER_PACKET)
2048 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
2050 if (encap < 0 || (unsigned)encap >= NUM_WTAP_ENCAPS || wtap_encap[encap] == -1)
2051 return WTAP_ERR_UNSUPPORTED_ENCAP;
2056 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
2059 ngsniffer_dump_open(wtap_dumper *wdh, int *err)
2061 ngsniffer_dump_t *ngsniffer;
2062 char buf[6] = {REC_VERS, 0x00, 0x12, 0x00, 0x00, 0x00}; /* version record */
2064 /* This is a sniffer file */
2065 wdh->subtype_write = ngsniffer_dump;
2066 wdh->subtype_close = ngsniffer_dump_close;
2068 ngsniffer = (ngsniffer_dump_t *)g_malloc(sizeof(ngsniffer_dump_t));
2069 wdh->priv = (void *)ngsniffer;
2070 ngsniffer->first_frame = TRUE;
2071 ngsniffer->start = 0;
2073 /* Write the file header. */
2074 if (!wtap_dump_file_write(wdh, ngsniffer_magic, sizeof ngsniffer_magic,
2077 if (!wtap_dump_file_write(wdh, buf, 6, err))
2083 /* Write a record for a packet to a dump file.
2084 Returns TRUE on success, FALSE on failure. */
2086 ngsniffer_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
2087 const union wtap_pseudo_header *pseudo_header, const guint8 *pd, int *err)
2089 ngsniffer_dump_t *ngsniffer = (ngsniffer_dump_t *)wdh->priv;
2090 struct frame2_rec rec_hdr;
2094 guint16 t_low, t_med;
2096 struct vers_rec version;
2097 gint16 maj_vers, min_vers;
2101 /* Sniffer files have a capture start date in the file header, and
2102 have times relative to the beginning of that day in the packet
2103 headers; pick the date of the first packet as the capture start
2105 if (ngsniffer->first_frame) {
2106 ngsniffer->first_frame=FALSE;
2108 /* calling localtime() on MSVC 2005 with huge values causes it to crash */
2109 /* XXX - find the exact value that still does work */
2110 /* XXX - using _USE_32BIT_TIME_T might be another way to circumvent this problem */
2111 if (phdr->ts.secs > 2000000000)
2115 tm = localtime(&phdr->ts.secs);
2116 if (tm != NULL && tm->tm_year >= 1980) {
2117 start_date = (tm->tm_year - (1980 - 1900)) << 9;
2118 start_date |= (tm->tm_mon + 1) << 5;
2119 start_date |= tm->tm_mday;
2120 /* record the start date, not the start time */
2121 ngsniffer->start = phdr->ts.secs - (3600*tm->tm_hour + 60*tm->tm_min + tm->tm_sec);
2124 ngsniffer->start = 0;
2127 /* "sniffer" version ? */
2130 version.maj_vers = htoles(maj_vers);
2131 version.min_vers = htoles(min_vers);
2133 version.date = htoles(start_date);
2135 version.network = wtap_encap[wdh->encap];
2137 version.timeunit = 1; /* 0.838096 */
2138 version.cmprs_vers = 0;
2139 version.cmprs_level = 0;
2140 version.rsvd[0] = 0;
2141 version.rsvd[1] = 0;
2142 if (!wtap_dump_file_write(wdh, &version, sizeof version, err))
2146 buf[0] = REC_FRAME2;
2148 buf[2] = (char)((phdr->caplen + sizeof(struct frame2_rec))%256);
2149 buf[3] = (char)((phdr->caplen + sizeof(struct frame2_rec))/256);
2152 if (!wtap_dump_file_write(wdh, buf, 6, err))
2154 /* Seconds since the start of the capture */
2155 tsecs = phdr->ts.secs - ngsniffer->start;
2156 /* Extract the number of days since the start of the capture */
2157 rec_hdr.time_day = (guint8)(tsecs / 86400); /* # days of capture - 86400 secs/day */
2158 tsecs -= rec_hdr.time_day * 86400; /* time within day */
2159 /* Convert to picoseconds */
2160 t = tsecs*G_GINT64_CONSTANT(1000000000000U) +
2161 phdr->ts.nsecs*G_GINT64_CONSTANT(1000U);
2162 /* Convert to units of timeunit = 1 */
2164 t_low = (guint16)((t >> 0) & 0xFFFF);
2165 t_med = (guint16)((t >> 16) & 0xFFFF);
2166 t_high = (guint8)((t >> 32) & 0xFF);
2167 rec_hdr.time_low = htoles(t_low);
2168 rec_hdr.time_med = htoles(t_med);
2169 rec_hdr.time_high = t_high;
2170 rec_hdr.size = htoles(phdr->caplen);
2171 switch (wdh->encap) {
2173 case WTAP_ENCAP_LAPB:
2174 case WTAP_ENCAP_FRELAY_WITH_PHDR:
2175 rec_hdr.fs = (pseudo_header->x25.flags & FROM_DCE) ? 0x00 : FS_WAN_DTE;
2178 case WTAP_ENCAP_PPP_WITH_PHDR:
2179 case WTAP_ENCAP_SDLC:
2180 rec_hdr.fs = pseudo_header->p2p.sent ? 0x00 : FS_WAN_DTE;
2183 case WTAP_ENCAP_ISDN:
2184 rec_hdr.fs = pseudo_header->isdn.uton ? FS_WAN_DTE : 0x00;
2185 switch (pseudo_header->isdn.channel) {
2187 case 0: /* D-channel */
2188 rec_hdr.fs |= FS_ISDN_CHAN_D;
2191 case 1: /* B1-channel */
2192 rec_hdr.fs |= FS_ISDN_CHAN_B1;
2195 case 2: /* B2-channel */
2196 rec_hdr.fs |= FS_ISDN_CHAN_B2;
2206 rec_hdr.true_size = phdr->len != phdr->caplen ? htoles(phdr->len) : 0;
2208 if (!wtap_dump_file_write(wdh, &rec_hdr, sizeof rec_hdr, err))
2210 if (!wtap_dump_file_write(wdh, pd, phdr->caplen, err))
2215 /* Finish writing to a dump file.
2216 Returns TRUE on success, FALSE on failure. */
2218 ngsniffer_dump_close(wtap_dumper *wdh, int *err)
2221 char buf[6] = {REC_EOF, 0x00, 0x00, 0x00, 0x00, 0x00};
2223 if (!wtap_dump_file_write(wdh, buf, 6, err))
2229 SnifferDecompress() decompresses a blob of compressed data from a
2230 Sniffer(R) capture file.
2232 This function is Copyright (c) 1999-2999 Tim Farley
2235 inbuf - buffer of compressed bytes from file, not including
2236 the preceding length word
2237 inlen - length of inbuf in bytes (max 64k)
2238 outbuf - decompressed contents, could contain a partial Sniffer
2240 outlen - length of outbuf.
2242 Return value is the number of bytes in outbuf on return.
2245 SnifferDecompress(unsigned char *inbuf, size_t inlen, unsigned char *outbuf,
2246 size_t outlen, int *err)
2248 unsigned char * pin = inbuf;
2249 unsigned char * pout = outbuf;
2250 unsigned char * pin_end = pin + inlen;
2251 unsigned char * pout_end = pout + outlen;
2252 unsigned int bit_mask; /* one bit is set in this, to mask with bit_value */
2253 unsigned int bit_value = 0; /* cache the last 16 coding bits we retrieved */
2254 unsigned int code_type; /* encoding type, from high 4 bits of byte */
2255 unsigned int code_low; /* other 4 bits from encoding byte */
2256 int length; /* length of RLE sequence or repeated string */
2257 int offset; /* offset of string to repeat */
2259 if (inlen > G_MAXUINT16) {
2263 bit_mask = 0; /* don't have any bits yet */
2266 /* Shift down the bit mask we use to see whats encoded */
2267 bit_mask = bit_mask >> 1;
2269 /* If there are no bits left, time to get another 16 bits */
2270 if ( 0 == bit_mask )
2272 bit_mask = 0x8000; /* start with the high bit */
2273 bit_value = pletohs(pin); /* get the next 16 bits */
2274 pin += 2; /* skip over what we just grabbed */
2275 if ( pin >= pin_end )
2277 *err = WTAP_ERR_UNC_TRUNCATED; /* data was oddly truncated */
2282 /* Use the bits in bit_value to see what's encoded and what is raw data */
2283 if ( !(bit_mask & bit_value) )
2285 /* bit not set - raw byte we just copy */
2286 *(pout++) = *(pin++);
2290 /* bit set - next item is encoded. Peel off high nybble
2291 of next byte to see the encoding type. Set aside low
2292 nybble while we are at it */
2293 code_type = (unsigned int) ((*pin) >> 4 ) & 0xF;
2294 code_low = (unsigned int) ((*pin) & 0xF );
2295 pin++; /* increment over the code byte we just retrieved */
2296 if ( pin >= pin_end )
2298 *err = WTAP_ERR_UNC_TRUNCATED; /* data was oddly truncated */
2302 /* Based on the code type, decode the compressed string */
2303 switch ( code_type )
2305 case 0 : /* RLE short runs */
2307 Run length is the low nybble of the first code byte.
2308 Byte to repeat immediately follows.
2309 Total code size: 2 bytes.
2311 length = code_low + 3;
2312 /* If length would put us past end of output, avoid overflow */
2313 if ( pout + length > pout_end )
2315 *err = WTAP_ERR_UNC_OVERFLOW;
2319 /* generate the repeated series of bytes */
2320 memset( pout, *pin++, length );
2323 case 1 : /* RLE long runs */
2325 Low 4 bits of run length is the low nybble of the
2326 first code byte, upper 8 bits of run length is in
2328 Byte to repeat immediately follows.
2329 Total code size: 3 bytes.
2331 length = code_low + ((unsigned int)(*pin++) << 4) + 19;
2332 /* If we are already at end of input, there is no byte
2334 if ( pin >= pin_end )
2336 *err = WTAP_ERR_UNC_TRUNCATED; /* data was oddly truncated */
2339 /* If length would put us past end of output, avoid overflow */
2340 if ( pout + length > pout_end )
2342 *err = WTAP_ERR_UNC_OVERFLOW;
2346 /* generate the repeated series of bytes */
2347 memset( pout, *pin++, length );
2350 case 2 : /* LZ77 long strings */
2352 Low 4 bits of offset to string is the low nybble of the
2353 first code byte, upper 8 bits of offset is in
2355 Length of string immediately follows.
2356 Total code size: 3 bytes.
2358 offset = code_low + ((unsigned int)(*pin++) << 4) + 3;
2359 /* If we are already at end of input, there is no byte
2361 if ( pin >= pin_end )
2363 *err = WTAP_ERR_UNC_TRUNCATED; /* data was oddly truncated */
2366 /* Check if offset would put us back past begin of buffer */
2367 if ( pout - offset < outbuf )
2369 *err = WTAP_ERR_UNC_BAD_OFFSET;
2373 /* get length from next byte, make sure it won't overrun buf */
2374 length = (unsigned int)(*pin++) + 16;
2375 if ( pout + length > pout_end )
2377 *err = WTAP_ERR_UNC_OVERFLOW;
2381 /* Copy the string from previous text to output position,
2382 advance output pointer */
2383 memcpy( pout, pout - offset, length );
2386 default : /* (3 to 15): LZ77 short strings */
2388 Low 4 bits of offset to string is the low nybble of the
2389 first code byte, upper 8 bits of offset is in
2391 Length of string to repeat is overloaded into code_type.
2392 Total code size: 2 bytes.
2394 offset = code_low + ((unsigned int)(*pin++) << 4) + 3;
2395 /* Check if offset would put us back past begin of buffer */
2396 if ( pout - offset < outbuf )
2398 *err = WTAP_ERR_UNC_BAD_OFFSET;
2402 /* get length from code_type, make sure it won't overrun buf */
2404 if ( pout + length > pout_end )
2406 *err = WTAP_ERR_UNC_OVERFLOW;
2410 /* Copy the string from previous text to output position,
2411 advance output pointer */
2412 memcpy( pout, pout - offset, length );
2418 /* If we've consumed all the input, we are done */
2419 if ( pin >= pin_end )
2423 return (int) ( pout - outbuf ); /* return length of expanded text */
2427 * XXX - is there any guarantee that this is big enough to hold the
2428 * uncompressed data from any blob?
2430 #define OUTBUF_SIZE 65536
2431 #define INBUF_SIZE 65536
2433 /* Information about a compressed blob; we save the offset in the
2434 underlying compressed file, and the offset in the uncompressed data
2435 stream, of the blob. */
2437 gint64 blob_comp_offset;
2438 gint64 blob_uncomp_offset;
2442 ng_file_read(void *buffer, unsigned int nbytes, wtap *wth, gboolean is_random,
2443 int *err, gchar **err_info)
2445 ngsniffer_t *ngsniffer;
2447 ngsniffer_comp_stream_t *comp_stream;
2448 unsigned int copybytes = nbytes; /* bytes left to be copied */
2449 gint64 copied_bytes = 0; /* bytes already copied */
2450 unsigned char *outbuffer = buffer; /* where to write next decompressed data */
2452 unsigned int bytes_to_copy;
2453 unsigned int bytes_left;
2455 ngsniffer = (ngsniffer_t *)wth->priv;
2457 infile = wth->random_fh;
2458 comp_stream = &ngsniffer->rand;
2461 comp_stream = &ngsniffer->seq;
2464 if (wth->file_type == WTAP_FILE_NGSNIFFER_UNCOMPRESSED) {
2465 errno = WTAP_ERR_CANT_READ;
2466 copied_bytes = file_read(buffer, copybytes, infile);
2467 if ((unsigned int) copied_bytes != copybytes)
2468 *err = file_error(infile, err_info);
2469 return copied_bytes;
2472 /* Allocate the stream buffer if it hasn't already been allocated. */
2473 if (comp_stream->buf == NULL) {
2474 comp_stream->buf = g_malloc(OUTBUF_SIZE);
2477 /* This is the first read of the random file, so we're at
2478 the beginning of the sequence of blobs in the file
2479 (as we've not done any random reads yet to move the
2480 current position in the random stream); set the
2481 current blob to be the first blob. */
2482 ngsniffer->current_blob = ngsniffer->first_blob;
2484 /* This is the first sequential read; if we also have a
2485 random stream open, allocate the first element for the
2486 list of blobs, and make it the last element as well. */
2487 if (wth->random_fh != NULL) {
2488 g_assert(ngsniffer->first_blob == NULL);
2489 blob = g_malloc(sizeof (blob_info_t));
2490 blob->blob_comp_offset = comp_stream->comp_offset;
2491 blob->blob_uncomp_offset = comp_stream->uncomp_offset;
2492 ngsniffer->first_blob = g_list_append(ngsniffer->first_blob,
2494 ngsniffer->last_blob = ngsniffer->first_blob;
2498 /* Now read the first blob into the buffer. */
2499 if (read_blob(infile, comp_stream, err, err_info) < 0)
2502 while (copybytes > 0) {
2503 bytes_left = comp_stream->nbytes - comp_stream->nextout;
2504 if (bytes_left == 0) {
2505 /* There's no decompressed stuff left to copy from the current
2506 blob; get the next blob. */
2509 /* Move to the next blob in the list. */
2510 ngsniffer->current_blob = g_list_next(ngsniffer->current_blob);
2511 if (!ngsniffer->current_blob) {
2513 * XXX - this "can't happen"; we should have a
2514 * blob for every byte in the file.
2516 *err = WTAP_ERR_CANT_SEEK;
2519 blob = ngsniffer->current_blob->data;
2521 /* If we also have a random stream open, add a new element,
2522 for this blob, to the list of blobs; we know the list is
2523 non-empty, as we initialized it on the first sequential
2524 read, so we just add the new element at the end, and
2525 adjust the pointer to the last element to refer to it. */
2526 if (wth->random_fh != NULL) {
2527 blob = g_malloc(sizeof (blob_info_t));
2528 blob->blob_comp_offset = comp_stream->comp_offset;
2529 blob->blob_uncomp_offset = comp_stream->uncomp_offset;
2530 ngsniffer->last_blob = g_list_append(ngsniffer->last_blob,
2535 if (read_blob(infile, comp_stream, err, err_info) < 0)
2537 bytes_left = comp_stream->nbytes - comp_stream->nextout;
2540 bytes_to_copy = copybytes;
2541 if (bytes_to_copy > bytes_left)
2542 bytes_to_copy = bytes_left;
2543 memcpy(outbuffer, &comp_stream->buf[comp_stream->nextout],
2545 copybytes -= bytes_to_copy;
2546 copied_bytes += bytes_to_copy;
2547 outbuffer += bytes_to_copy;
2548 comp_stream->nextout += bytes_to_copy;
2549 comp_stream->uncomp_offset += bytes_to_copy;
2551 return copied_bytes;
2554 /* Read a blob from a compressed stream.
2555 Return -1 and set "*err" and "*err_info" on error, otherwise return 0. */
2557 read_blob(FILE_T infile, ngsniffer_comp_stream_t *comp_stream, int *err,
2562 unsigned short blob_len;
2563 gint16 blob_len_host;
2564 gboolean uncompressed;
2565 unsigned char *file_inbuf;
2568 /* Read one 16-bit word which is length of next compressed blob */
2569 errno = WTAP_ERR_CANT_READ;
2570 read_len = file_read(&blob_len, 2, infile);
2571 if (2 != read_len) {
2572 *err = file_error(infile, err_info);
2575 comp_stream->comp_offset += 2;
2576 blob_len_host = pletohs(&blob_len);
2578 /* Compressed or uncompressed? */
2579 if (blob_len_host < 0) {
2580 /* Uncompressed blob; blob length is absolute value of the number. */
2581 in_len = -blob_len_host;
2582 uncompressed = TRUE;
2584 in_len = blob_len_host;
2585 uncompressed = FALSE;
2588 file_inbuf = g_malloc(INBUF_SIZE);
2591 errno = WTAP_ERR_CANT_READ;
2592 read_len = file_read(file_inbuf, in_len, infile);
2593 if ((size_t) in_len != read_len) {
2594 *err = file_error(infile, err_info);
2598 comp_stream->comp_offset += in_len;
2601 memcpy(comp_stream->buf, file_inbuf, in_len);
2604 /* Decompress the blob */
2605 out_len = SnifferDecompress(file_inbuf, in_len,
2606 comp_stream->buf, OUTBUF_SIZE, err);
2614 comp_stream->nextout = 0;
2615 comp_stream->nbytes = out_len;
2619 /* Seek in the sequential data stream; we can only seek forward, and we
2620 do it on compressed files by skipping forward. */
2622 ng_file_seek_seq(wtap *wth, gint64 offset, int whence, int *err,
2627 unsigned int amount_to_read;
2628 ngsniffer_t *ngsniffer;
2630 if (wth->file_type == WTAP_FILE_NGSNIFFER_UNCOMPRESSED)
2631 return file_seek(wth->fh, offset, whence, err);
2633 ngsniffer = (ngsniffer_t *)wth->priv;
2637 break; /* "offset" is the target offset */
2640 offset += ngsniffer->seq.uncomp_offset;
2641 break; /* "offset" is relative to the current offset */
2644 g_assert_not_reached(); /* "offset" is relative to the end of the file... */
2645 break; /* ...but we don't know where that is. */
2648 delta = offset - ngsniffer->seq.uncomp_offset;
2649 g_assert(delta >= 0);
2651 /* Ok, now read and discard "delta" bytes. */
2652 buf = g_malloc(INBUF_SIZE);
2653 while (delta != 0) {
2654 if (delta > INBUF_SIZE)
2655 amount_to_read = INBUF_SIZE;
2657 amount_to_read = (unsigned int) delta;
2659 if (ng_file_read(buf, amount_to_read, wth, FALSE, err, err_info) < 0) {
2661 return -1; /* error */
2664 delta -= amount_to_read;
2671 /* Seek in the random data stream.
2673 On compressed files, we see whether we're seeking to a position within
2674 the blob we currently have in memory and, if not, we find in the list
2675 of blobs the last blob that starts at or before the position to which
2676 we're seeking, and read that blob in. We can then move to the appropriate
2677 position within the blob we have in memory (whether it's the blob we
2678 already had in memory or, if necessary, the one we read in). */
2680 ng_file_seek_rand(wtap *wth, gint64 offset, int whence, int *err,
2683 ngsniffer_t *ngsniffer;
2686 blob_info_t *next_blob, *new_blob;
2688 if (wth->file_type == WTAP_FILE_NGSNIFFER_UNCOMPRESSED)
2689 return file_seek(wth->random_fh, offset, whence, err);
2691 ngsniffer = (ngsniffer_t *)wth->priv;
2696 break; /* "offset" is the target offset */
2699 offset += ngsniffer->rand.uncomp_offset;
2700 break; /* "offset" is relative to the current offset */
2703 g_assert_not_reached(); /* "offset" is relative to the end of the file... */
2704 break; /* ...but we don't know where that is. */
2707 delta = offset - ngsniffer->rand.uncomp_offset;
2709 /* Is the place to which we're seeking within the current buffer, or
2710 will we have to read a different blob into the buffer? */
2713 /* We're going forwards.
2714 Is the place to which we're seeking within the current buffer? */
2715 if ((size_t)(ngsniffer->rand.nextout + delta) >= ngsniffer->rand.nbytes) {
2716 /* No. Search for a blob that contains the target offset in
2717 the uncompressed byte stream, starting with the blob
2718 following the current blob. */
2719 new = g_list_next(ngsniffer->current_blob);
2721 next = g_list_next(new);
2723 /* No more blobs; the current one is it. */
2727 next_blob = next->data;
2728 /* Does the next blob start after the target offset?
2729 If so, the current blob is the one we want. */
2730 if (next_blob->blob_uncomp_offset > offset)
2736 } else if (delta < 0) {
2737 /* We're going backwards.
2738 Is the place to which we're seeking within the current buffer? */
2739 if (ngsniffer->rand.nextout + delta < 0) {
2740 /* No. Search for a blob that contains the target offset in
2741 the uncompressed byte stream, starting with the blob
2742 preceding the current blob. */
2743 new = g_list_previous(ngsniffer->current_blob);
2745 /* Does this blob start at or before the target offset?
2746 If so, the current blob is the one we want. */
2747 new_blob = new->data;
2748 if (new_blob->blob_uncomp_offset <= offset)
2751 /* It doesn't - skip to the previous blob. */
2752 new = g_list_previous(new);
2758 /* The place to which we're seeking isn't in the current buffer;
2759 move to a new blob. */
2760 new_blob = new->data;
2762 /* Seek in the compressed file to the offset in the compressed file
2763 of the beginning of that blob. */
2764 if (file_seek(wth->random_fh, new_blob->blob_comp_offset, SEEK_SET, err) == -1)
2767 /* Make the blob we found the current one. */
2768 ngsniffer->current_blob = new;
2770 /* Now set the current offsets to the offsets of the beginning
2772 ngsniffer->rand.uncomp_offset = new_blob->blob_uncomp_offset;
2773 ngsniffer->rand.comp_offset = new_blob->blob_comp_offset;
2775 /* Now fill the buffer. */
2776 if (read_blob(wth->random_fh, &ngsniffer->rand, err, err_info) < 0)
2779 /* Set "delta" to the amount to move within this blob; it had
2780 better be >= 0, and < the amount of uncompressed data in
2781 the blob, as otherwise it'd mean we need to seek before
2782 the beginning or after the end of this blob. */
2783 delta = offset - ngsniffer->rand.uncomp_offset;
2784 g_assert(delta >= 0 && (unsigned long)delta < ngsniffer->rand.nbytes);
2787 /* OK, the place to which we're seeking is in the buffer; adjust
2788 "ngsniffer->rand.nextout" to point to the place to which
2789 we're seeking, and adjust "ngsniffer->rand.uncomp_offset" to be
2790 the destination offset. */
2791 ngsniffer->rand.nextout += (int) delta;
2792 ngsniffer->rand.uncomp_offset += delta;