3 * $Id: ngsniffer.c,v 1.67 2001/10/04 08:30:36 guy Exp $
6 * Copyright (c) 1998 by Gilbert Ramirez <gram@xiexie.org>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
24 /* The code in ngsniffer.c that decodes the time fields for each packet in the
25 * Sniffer trace originally came from code from TCPVIEW:
30 * Networks and Distributed Computing
31 * Computing & Communications
32 * University of Washington
33 * Administration Building, AG-44
35 * Internet: martinh@cac.washington.edu
38 * Copyright 1992 by the University of Washington
40 * Permission to use, copy, modify, and distribute this software and its
41 * documentation for any purpose and without fee is hereby granted, provided
42 * that the above copyright notice appears in all copies and that both the
43 * above copyright notice and this permission notice appear in supporting
44 * documentation, and that the name of the University of Washington not be
45 * used in advertising or publicity pertaining to distribution of the software
46 * without specific, written prior permission. This software is made
47 * available "as is", and
48 * THE UNIVERSITY OF WASHINGTON DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
49 * WITH REGARD TO THIS SOFTWARE, INCLUDING WITHOUT LIMITATION ALL IMPLIED
50 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND IN
51 * NO EVENT SHALL THE UNIVERSITY OF WASHINGTON BE LIABLE FOR ANY SPECIAL,
52 * INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
53 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, TORT
54 * (INCLUDING NEGLIGENCE) OR STRICT LIABILITY, ARISING OUT OF OR IN CONNECTION
55 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
66 #include "file_wrappers.h"
68 #include "ngsniffer.h"
70 /* Magic number in Sniffer files. */
71 static const char ngsniffer_magic[] = {
72 'T', 'R', 'S', 'N', 'I', 'F', 'F', ' ', 'd', 'a', 't', 'a',
73 ' ', ' ', ' ', ' ', 0x1a
77 * Sniffer record types.
79 #define REC_VERS 1 /* Version record (f_vers) */
80 #define REC_FRAME2 4 /* Frame data (f_frame2) */
81 #define REC_FRAME4 8 /* Frame data (f_frame4) */
82 #define REC_FRAME6 12 /* Frame data (f_frame6) (see below) */
83 #define REC_EOF 3 /* End-of-file record (no data follows) */
85 * and now for some unknown header types
87 #define REC_HEADER1 6 /* Header containing serial numbers? */
88 #define REC_HEADER2 7 /* Header containing ??? */
89 #define REC_V2DESC 8 /* In version 2 sniffer traces contains
90 * infos about this capturing session.
91 * Collides with REC_FRAME4 */
92 #define REC_HEADER3 13 /* Retransmission counts? */
93 #define REC_HEADER4 14 /* ? */
94 #define REC_HEADER5 15 /* ? */
95 #define REC_HEADER6 16 /* More broadcast/retransmission counts? */
96 #define REC_HEADER7 17 /* ? */
100 * Sniffer version record format.
103 gint16 maj_vers; /* major version number */
104 gint16 min_vers; /* minor version number */
105 gint16 time; /* DOS-format time */
106 gint16 date; /* DOS-format date */
107 gint8 type; /* what type of records follow */
108 guint8 network; /* network type */
109 gint8 format; /* format version */
110 guint8 timeunit; /* timestamp units */
111 gint8 cmprs_vers; /* compression version */
112 gint8 cmprs_level; /* compression level */
113 gint16 rsvd[2]; /* reserved */
117 * Sniffer type 2 data record format - followed by frame data.
120 guint16 time_low; /* low part of time stamp */
121 guint16 time_med; /* middle part of time stamp */
122 guint16 time_high; /* high part of time stamp */
123 gint16 size; /* number of bytes of data */
124 guint8 fs; /* frame error status bits */
125 guint8 flags; /* buffer flags */
126 gint16 true_size; /* size of original frame, in bytes */
127 gint16 rsvd; /* reserved */
131 * Sniffer type 4 data record format - followed by frame data.
133 * XXX - the manual says that the "flags" field holds "buffer flags;
134 * BF_xxxx", but doesn't say what the BF_xxxx flags are.
136 * XXX - the manual also says there's an 8-byte "ATMTimeStamp" driver
137 * time stamp at the end of "ATMSaveInfo", but, from an ATM Sniffer capture
138 * file I've looked at, that appears not to be the case.
142 * Fields from the AAL5 trailer for the frame, if it's an AAL5 frame
143 * rather than a cell.
145 typedef struct _ATM_AAL5Trailer {
146 guint16 aal5t_u2u; /* user-to-user indicator */
147 guint16 aal5t_len; /* length of the packet */
148 guint32 aal5t_chksum; /* checksum for AAL5 packet */
151 typedef struct _ATMTimeStamp {
152 guint32 msw; /* most significant word */
153 guint32 lsw; /* least significant word */
156 typedef struct _ATMSaveInfo {
157 guint32 StatusWord; /* status word from driver */
158 ATM_AAL5Trailer Trailer; /* AAL5 trailer */
159 guint8 AppTrafType; /* traffic type */
160 guint8 AppHLType; /* protocol type */
161 guint16 AppReserved; /* reserved */
162 guint16 Vpi; /* virtual path identifier */
163 guint16 Vci; /* virtual circuit identifier */
164 guint16 channel; /* link: 0 for DCE, 1 for DTE */
165 guint16 cells; /* number of cells */
166 guint32 AppVal1; /* type-dependent */
167 guint32 AppVal2; /* type-dependent */
171 * Bits in StatusWord.
173 #define SW_ERRMASK 0x0F /* Error mask: */
174 #define SW_RX_FIFO_UNDERRUN 0x01 /* Receive FIFO underrun */
175 #define SW_RX_FIFO_OVERRUN 0x02 /* Receive FIFO overrun */
176 #define SW_RX_PKT_TOO_LONG 0x03 /* Received packet > max size */
177 #define SW_CRC_ERROR 0x04 /* CRC error */
178 #define SW_USER_ABORTED_RX 0x05 /* User aborted receive */
179 #define SW_BUF_LEN_TOO_LONG 0x06 /* buffer len > max buf */
180 #define SW_INTERNAL_T1_ERROR 0x07 /* Internal T1 error */
181 #define SW_RX_CHANNEL_DEACTIV8 0x08 /* Rx channel deactivate */
183 #define SW_ERROR 0x80 /* Error indicator */
184 #define SW_CONGESTION 0x40 /* Congestion indicator */
185 #define SW_CLP 0x20 /* Cell loss priority indicator */
186 #define SW_RAW_CELL 0x100 /* RAW cell indicator */
187 #define SW_OAM_CELL 0x200 /* OAM cell indicator */
190 * Bits in AppTrafType.
192 * For AAL types other than AAL5, the packet data is presumably for a
193 * single cell, not a reassembled frame, as the ATM Sniffer manual says
194 * it dosn't reassemble cells other than AAL5 cells.
196 #define ATT_AALTYPE 0x0F /* AAL type: */
197 #define ATT_AAL_UNKNOWN 0x00 /* Unknown AAL */
198 #define ATT_AAL1 0x01 /* AAL1 */
199 #define ATT_AAL3_4 0x02 /* AAL3/4 */
200 #define ATT_AAL5 0x03 /* AAL5 */
201 #define ATT_AAL_USER 0x04 /* User AAL */
202 #define ATT_AAL_SIGNALLING 0x05 /* Signaling AAL */
203 #define ATT_OAMCELL 0x06 /* OAM cell */
205 #define ATT_HLTYPE 0xF0 /* Higher-layer type: */
206 #define ATT_HL_UNKNOWN 0x00 /* unknown */
207 #define ATT_HL_LLCMX 0x10 /* LLC multiplexed (probably RFC 1483) */
208 #define ATT_HL_VCMX 0x20 /* VC multiplexed (probably RFC 1483) */
209 #define ATT_HL_LANE 0x30 /* LAN Emulation */
210 #define ATT_HL_ILMI 0x40 /* ILMI */
211 #define ATT_HL_FRMR 0x50 /* Frame Relay */
212 #define ATT_HL_SPANS 0x60 /* FORE SPANS */
213 #define ATT_HL_IPSILON 0x70 /* Ipsilon */
216 * Values for AppHLType; the interpretation depends on the ATT_HLTYPE
217 * bits in AppTrafType.
219 #define AHLT_UNKNOWN 0x0
220 #define AHLT_VCMX_802_3_FCS 0x1 /* VCMX: 802.3 FCS */
221 #define AHLT_LANE_LE_CTRL 0x1 /* LANE: LE Ctrl */
222 #define AHLT_IPSILON_FT0 0x1 /* Ipsilon: Flow Type 0 */
223 #define AHLT_VCMX_802_4_FCS 0x2 /* VCMX: 802.4 FCS */
224 #define AHLT_LANE_802_3 0x2 /* LANE: 802.3 */
225 #define AHLT_IPSILON_FT1 0x2 /* Ipsilon: Flow Type 1 */
226 #define AHLT_VCMX_802_5_FCS 0x3 /* VCMX: 802.5 FCS */
227 #define AHLT_LANE_802_5 0x3 /* LANE: 802.5 */
228 #define AHLT_IPSILON_FT2 0x3 /* Ipsilon: Flow Type 2 */
229 #define AHLT_VCMX_FDDI_FCS 0x4 /* VCMX: FDDI FCS */
230 #define AHLT_LANE_802_3_MC 0x4 /* LANE: 802.3 multicast */
231 #define AHLT_VCMX_802_6_FCS 0x5 /* VCMX: 802.6 FCS */
232 #define AHLT_LANE_802_5_MC 0x5 /* LANE: 802.5 multicast */
233 #define AHLT_VCMX_802_3 0x7 /* VCMX: 802.3 */
234 #define AHLT_VCMX_802_4 0x8 /* VCMX: 802.4 */
235 #define AHLT_VCMX_802_5 0x9 /* VCMX: 802.5 */
236 #define AHLT_VCMX_FDDI 0xa /* VCMX: FDDI */
237 #define AHLT_VCMX_802_6 0xb /* VCMX: 802.6 */
238 #define AHLT_VCMX_FRAGMENTS 0xc /* VCMX: Fragments */
239 #define AHLT_VCMX_BPDU 0xe /* VCMX: BPDU */
242 guint16 time_low; /* low part of time stamp */
243 guint16 time_med; /* middle part of time stamp */
244 gint8 time_high; /* high part of time stamp */
245 gint8 time_day; /* time in days since start of capture */
246 gint16 size; /* number of bytes of data */
247 gint8 fs; /* frame error status bits */
248 gint8 flags; /* buffer flags */
249 gint16 true_size; /* size of original frame, in bytes */
250 gint16 rsvd3; /* reserved */
251 gint16 atm_pad; /* pad to 4-byte boundary */
252 ATMSaveInfo atm_info; /* ATM-specific stuff */
256 * XXX - I have a version 5.50 file with a bunch of token ring
257 * records listed as type "12". The record format below was
258 * derived from frame4_rec and a bit of experimentation.
262 guint16 time_low; /* low part of time stamp */
263 guint16 time_med; /* middle part of time stamp */
264 gint8 time_high; /* high part of time stamp */
265 gint8 time_day; /* time in days since start of capture */
266 gint16 size; /* number of bytes of data */
267 gint8 fs; /* frame error status bits */
268 gint8 flags; /* buffer flags */
269 gint16 true_size; /* size of original frame, in bytes */
270 guint8 chemical_x[22]; /* ? */
274 * Network type values in type 7 records.
278 #define NET_FRAME_RELAY 2
279 #define NET_ROUTER 3 /* what's this? */
283 /* values for V.timeunit */
284 #define NUM_NGSNIFF_TIMEUNITS 7
285 static double Usec[] = { 15.0, 0.838096, 15.0, 0.5, 2.0, 1.0, 0.1 };
287 static int skip_header_records(wtap *wth, int *err, gint16 version);
288 static gboolean ngsniffer_read(wtap *wth, int *err, long *data_offset);
289 static int ngsniffer_seek_read(wtap *wth, long seek_off,
290 union wtap_pseudo_header *pseudo_header, u_char *pd, int packet_size);
291 static int ngsniffer_read_rec_header(wtap *wth, gboolean is_random,
292 guint16 *typep, guint16 *lengthp, int *err);
293 static int ngsniffer_read_frame2(wtap *wth, gboolean is_random,
294 struct frame2_rec *frame2, int *err);
295 static void set_pseudo_header_frame2(union wtap_pseudo_header *pseudo_header,
296 struct frame2_rec *frame2);
297 static int ngsniffer_read_frame4(wtap *wth, gboolean is_random,
298 struct frame4_rec *frame4, int *err);
299 static void set_pseudo_header_frame4(union wtap_pseudo_header *pseudo_header,
300 struct frame4_rec *frame4);
301 static int ngsniffer_read_frame6(wtap *wth, gboolean is_random,
302 struct frame6_rec *frame6, int *err);
303 static void set_pseudo_header_frame6(union wtap_pseudo_header *pseudo_header,
304 struct frame6_rec *frame6);
305 static int ngsniffer_read_rec_data(wtap *wth, gboolean is_random, u_char *pd,
306 int length, int *err);
307 static void fix_pseudo_header(wtap *wth,
308 union wtap_pseudo_header *pseudo_header);
309 static void ngsniffer_sequential_close(wtap *wth);
310 static void ngsniffer_close(wtap *wth);
311 static gboolean ngsniffer_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
312 const union wtap_pseudo_header *pseudo_header, const u_char *pd, int *err);
313 static gboolean ngsniffer_dump_close(wtap_dumper *wdh, int *err);
314 static int SnifferDecompress( unsigned char * inbuf, size_t inlen,
315 unsigned char * outbuf, size_t outlen, int *err );
316 static int ng_file_read(void *buffer, size_t elementsize, size_t numelements,
317 wtap *wth, gboolean is_random, int *err);
318 static int read_blob(FILE_T infile, ngsniffer_comp_stream_t *comp_stream,
320 static long ng_file_seek_seq(wtap *wth, long offset, int whence);
321 static long ng_file_seek_rand(wtap *wth, long offset, int whence);
323 int ngsniffer_open(wtap *wth, int *err)
326 char magic[sizeof ngsniffer_magic];
328 char record_length[4]; /* only the first 2 bytes are length,
329 the last 2 are "reserved" and are thrown away */
330 guint16 type, length;
331 struct vers_rec version;
334 static const int sniffer_encap[] = {
335 WTAP_ENCAP_TOKEN_RING,
338 WTAP_ENCAP_UNKNOWN, /* StarLAN */
339 WTAP_ENCAP_UNKNOWN, /* PC Network broadband */
340 WTAP_ENCAP_UNKNOWN, /* LocalTalk */
341 WTAP_ENCAP_UNKNOWN, /* Znet */
342 WTAP_ENCAP_UNKNOWN, /* Internetwork analyzer (synchronous) */
343 WTAP_ENCAP_UNKNOWN, /* Internetwork analyzer (asynchronous) */
344 WTAP_ENCAP_FDDI_BITSWAPPED,
345 WTAP_ENCAP_ATM_SNIFFER
347 #define NUM_NGSNIFF_ENCAPS (sizeof sniffer_encap / sizeof sniffer_encap[0])
350 /* Read in the string that should be at the start of a Sniffer file */
351 errno = WTAP_ERR_CANT_READ;
352 bytes_read = file_read(magic, 1, sizeof magic, wth->fh);
353 if (bytes_read != sizeof magic) {
354 *err = file_error(wth->fh);
359 wth->data_offset += sizeof magic;
361 if (memcmp(magic, ngsniffer_magic, sizeof ngsniffer_magic)) {
366 * Read the first record, which the manual says is a version
369 errno = WTAP_ERR_CANT_READ;
370 bytes_read = file_read(record_type, 1, 2, wth->fh);
371 bytes_read += file_read(record_length, 1, 4, wth->fh);
372 if (bytes_read != 6) {
373 *err = file_error(wth->fh);
378 wth->data_offset += 6;
380 type = pletohs(record_type);
381 length = pletohs(record_length);
383 if (type != REC_VERS) {
384 g_message("ngsniffer: Sniffer file doesn't start with a version record");
385 *err = WTAP_ERR_BAD_RECORD;
389 errno = WTAP_ERR_CANT_READ;
390 bytes_read = file_read(&version, 1, sizeof version, wth->fh);
391 if (bytes_read != sizeof version) {
392 *err = file_error(wth->fh);
397 wth->data_offset += sizeof version;
399 /* Check the data link type.
400 If "version.network" is 7, that's "Internetwork analyzer";
401 Sniffers appear to write out LAPB, LAPD and PPP captures
402 (and perhaps other types of captures) in that fashion,
403 and, so far, the only way we know of distinguishing them
404 is to look at the first byte of the packet - if it's 0xFF,
405 it's PPP, otherwise if it's odd, it's LAPB else it's LAPD.
406 Therefore, we treat it as WTAP_ENCAP_UNKNOWN for now, but
407 don't treat that as an error.
409 In one PPP capture, the two 16-bit words of the "rsvd" field
410 were 1 and 3, respectively, and in one X.25 capture, they
411 were both 0. That's too small a sample from which to
412 conclude anything, however.... */
413 if (version.network >= NUM_NGSNIFF_ENCAPS
414 || (sniffer_encap[version.network] == WTAP_ENCAP_UNKNOWN
415 && version.network != 7)) {
416 g_message("ngsniffer: network type %u unknown or unsupported",
418 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
422 /* Check the time unit */
423 if (version.timeunit >= NUM_NGSNIFF_TIMEUNITS) {
424 g_message("ngsniffer: Unknown timeunit %u", version.timeunit);
425 *err = WTAP_ERR_UNSUPPORTED;
429 /* compressed or uncompressed Sniffer file? */
430 if (version.format != 1) {
431 wth->file_type = WTAP_FILE_NGSNIFFER_COMPRESSED;
434 wth->file_type = WTAP_FILE_NGSNIFFER_UNCOMPRESSED;
437 /* Set encap type before reading header records because the
438 * header record may change encap type.
440 wth->file_encap = sniffer_encap[version.network];
443 * We don't know how to handle the remaining header record types,
444 * so we just skip them - except for REC_HEADER2 records, which
445 * we look at, for "Internetwork analyzer" captures, to attempt to
446 * determine what the link-layer encapsulation is.
448 if (skip_header_records(wth, err, version.maj_vers) < 0)
452 * Now, if we have a random stream open, position it to the same
453 * location, which should be the beginning of the real data, and
454 * should be the beginning of the compressed data.
456 * XXX - will we see any records other than REC_FRAME2, REC_FRAME4,
457 * or REC_EOF after this? If not, we can get rid of the loop in
458 * "ngsniffer_read()".
460 if (wth->random_fh != NULL)
461 file_seek(wth->random_fh, wth->data_offset, SEEK_SET);
463 /* This is a ngsniffer file */
464 wth->capture.ngsniffer = g_malloc(sizeof(ngsniffer_t));
466 /* We haven't allocated any uncompression buffers yet. */
467 wth->capture.ngsniffer->seq.buf = NULL;
468 wth->capture.ngsniffer->rand.buf = NULL;
470 /* Set the current file offset; the offset in the compressed file
471 and in the uncompressed data stream currently the same. */
472 wth->capture.ngsniffer->seq.uncomp_offset = wth->data_offset;
473 wth->capture.ngsniffer->seq.comp_offset = wth->data_offset;
474 wth->capture.ngsniffer->rand.uncomp_offset = wth->data_offset;
475 wth->capture.ngsniffer->rand.comp_offset = wth->data_offset;
477 /* We don't yet have any list of compressed blobs. */
478 wth->capture.ngsniffer->first_blob = NULL;
479 wth->capture.ngsniffer->last_blob = NULL;
480 wth->capture.ngsniffer->current_blob = NULL;
482 wth->subtype_read = ngsniffer_read;
483 wth->subtype_seek_read = ngsniffer_seek_read;
484 wth->subtype_sequential_close = ngsniffer_sequential_close;
485 wth->subtype_close = ngsniffer_close;
486 wth->snapshot_length = 16384; /* not available in header, only in frame */
487 wth->capture.ngsniffer->timeunit = Usec[version.timeunit];
488 wth->capture.ngsniffer->is_atm =
489 (wth->file_encap == WTAP_ENCAP_ATM_SNIFFER);
491 /* Get capture start time */
492 start_time = pletohs(&version.time);
493 start_date = pletohs(&version.date);
494 tm.tm_year = ((start_date&0xfe00)>>9) + 1980 - 1900;
495 tm.tm_mon = ((start_date&0x1e0)>>5) - 1;
496 tm.tm_mday = (start_date&0x1f);
497 /* The time does not appear to act as an offset; only the date
498 tm.tm_hour = (start_time&0xf800)>>11;
499 tm.tm_min = (start_time&0x7e0)>>5;
500 tm.tm_sec = (start_time&0x1f)<<1;*/
505 wth->capture.ngsniffer->start = mktime(&tm);
507 * XXX - what if "secs" is -1? Unlikely,
508 * but if the capture was done in a time
509 * zone that switches between standard and
510 * summer time sometime other than when we
511 * do, and thus the time was one that doesn't
512 * exist here because a switch from standard
513 * to summer time zips over it, it could
516 * On the other hand, if the capture was done
517 * in a different time zone, this won't work
518 * right anyway; unfortunately, the time zone
519 * isn't stored in the capture file.
526 skip_header_records(wtap *wth, int *err, gint16 version)
530 char record_length[4]; /* only the first 2 bytes are length,
531 the last 2 are "reserved" and are thrown away */
532 guint16 type, length;
534 unsigned char buffer[32];
537 errno = WTAP_ERR_CANT_READ;
538 bytes_read = file_read(record_type, 1, 2, wth->fh);
539 if (bytes_read != 2) {
540 *err = file_error(wth->fh);
543 if (bytes_read != 0) {
544 *err = WTAP_ERR_SHORT_READ;
550 type = pletohs(record_type);
551 if ((type != REC_HEADER1) && (type != REC_HEADER2)
552 && (type != REC_HEADER3) && (type != REC_HEADER4)
553 && (type != REC_HEADER5) && (type != REC_HEADER6)
554 && (type != REC_HEADER7)
555 && ((type != REC_V2DESC) || (version > 2)) ) {
557 * Well, this is either some unknown header type
558 * (we ignore this case), an uncompressed data
559 * frame or the length of a compressed blob
560 * which implies data. Seek backwards over the
561 * two bytes we read, and return.
563 file_seek(wth->fh, -2, SEEK_CUR);
567 errno = WTAP_ERR_CANT_READ;
568 bytes_read = file_read(record_length, 1, 4, wth->fh);
569 if (bytes_read != 4) {
570 *err = file_error(wth->fh);
572 *err = WTAP_ERR_SHORT_READ;
575 wth->data_offset += 6;
577 length = pletohs(record_length);
580 * Is this a REC_HEADER2 record, and do we not yet know
581 * the encapsulation type (i.e., is this is an
582 * "Internetwork analyzer" capture?
584 * If so, the 5th byte of the record appears to specify
585 * the particular type of network we're on.
587 if (type == REC_HEADER2 &&
588 wth->file_encap == WTAP_ENCAP_UNKNOWN) {
590 * Yes, get the first 32 bytes of the record
593 bytes_to_read = MIN(length, sizeof buffer);
594 bytes_read = file_read(buffer, 1, bytes_to_read,
596 if (bytes_read != bytes_to_read) {
597 *err = file_error(wth->fh);
599 *err = WTAP_ERR_SHORT_READ;
604 * Skip the rest of the record.
606 if (length > sizeof buffer) {
607 file_seek(wth->fh, length - sizeof buffer,
612 * XXX - what about LAPB and LAPD? At least one
613 * X.25 capture has a type of NET_HDLC, but one
614 * might also consider LAPD to be an HDLC
615 * variant; if it also has a type of NET_HDLC,
616 * we'd have to look at some other data to
619 * I have no LAPD captures, so I can't check
620 * various fields of this record (and I'd
621 * need multiple captures of both LAPB/X.25
622 * and LAPD/ISDN to be reasonable certain
623 * where the magic key is).
625 * So, for now, we don't set the encapsulation
630 case NET_FRAME_RELAY:
631 wth->file_encap = WTAP_ENCAP_FRELAY;
635 wth->file_encap = WTAP_ENCAP_PPP;
640 /* Nope, just skip over the data. */
641 file_seek(wth->fh, length, SEEK_CUR);
643 wth->data_offset += length;
647 /* Read the next packet */
648 static gboolean ngsniffer_read(wtap *wth, int *err, long *data_offset)
651 guint16 type, length;
652 struct frame2_rec frame2;
653 struct frame4_rec frame4;
654 struct frame6_rec frame6;
656 guint16 time_low, time_med, time_high, true_size, size;
661 * Read the record header.
663 *data_offset = wth->data_offset;
664 ret = ngsniffer_read_rec_header(wth, FALSE, &type, &length,
667 /* Read error or EOF */
670 wth->data_offset += 6;
675 if (wth->capture.ngsniffer->is_atm) {
677 * We shouldn't get a frame2 record in
680 g_message("ngsniffer: REC_FRAME2 record in an ATM Sniffer file");
681 *err = WTAP_ERR_BAD_RECORD;
685 /* Read the f_frame2_struct */
686 ret = ngsniffer_read_frame2(wth, FALSE, &frame2, err);
691 wth->data_offset += sizeof frame2;
692 time_low = pletohs(&frame2.time_low);
693 time_med = pletohs(&frame2.time_med);
694 time_high = pletohs(&frame2.time_high);
695 size = pletohs(&frame2.size);
696 true_size = pletohs(&frame2.true_size);
698 length -= sizeof frame2; /* we already read that much */
700 t = (double)time_low+(double)(time_med)*65536.0 +
701 (double)time_high*4294967296.0;
703 set_pseudo_header_frame2(&wth->pseudo_header, &frame2);
707 if (!wth->capture.ngsniffer->is_atm) {
709 * We shouldn't get a frame2 record in
712 g_message("ngsniffer: REC_FRAME4 record in a non-ATM Sniffer file");
713 *err = WTAP_ERR_BAD_RECORD;
717 /* Read the f_frame4_struct */
718 ret = ngsniffer_read_frame4(wth, FALSE, &frame4, err);
719 wth->data_offset += sizeof frame4;
720 time_low = pletohs(&frame4.time_low);
721 time_med = pletohs(&frame4.time_med);
722 time_high = frame4.time_high;
723 size = pletohs(&frame4.size);
724 true_size = pletohs(&frame4.true_size);
726 length -= sizeof frame4; /* we already read that much */
729 * XXX - use the "time_day" field? Is that for captures
730 * that take a *really* long time?
732 t = (double)time_low+(double)(time_med)*65536.0 +
733 (double)time_high*4294967296.0;
735 set_pseudo_header_frame4(&wth->pseudo_header, &frame4);
739 /* XXX - Is this test valid? */
740 if (wth->capture.ngsniffer->is_atm) {
741 g_message("ngsniffer: REC_FRAME6 record in an ATM Sniffer file");
742 *err = WTAP_ERR_BAD_RECORD;
746 /* Read the f_frame6_struct */
747 ret = ngsniffer_read_frame6(wth, FALSE, &frame6, err);
748 wth->data_offset += sizeof frame6;
749 time_low = pletohs(&frame6.time_low);
750 time_med = pletohs(&frame6.time_med);
751 time_high = frame6.time_high;
752 size = pletohs(&frame6.size);
753 true_size = pletohs(&frame6.true_size);
755 length -= sizeof frame6; /* we already read that much */
758 * XXX - use the "time_day" field? Is that for captures
759 * that take a *really* long time?
761 t = (double)time_low+(double)(time_med)*65536.0 +
762 (double)time_high*4294967296.0;
764 set_pseudo_header_frame6(&wth->pseudo_header, &frame6);
769 * End of file. Return an EOF indication.
771 *err = 0; /* EOF, not error */
775 break; /* unknown type, skip it */
779 * Well, we don't know what it is, or we know what
780 * it is but can't handle it. Skip past the data
781 * portion, and keep looping.
783 ng_file_seek_seq(wth, length, SEEK_CUR);
784 wth->data_offset += length;
789 * OK, is the frame data size greater than than what's left of the
794 * Yes - treat this as an error.
796 g_message("ngsniffer: Record length is less than packet size");
797 *err = WTAP_ERR_BAD_RECORD;
801 wth->phdr.len = true_size ? true_size : size;
802 wth->phdr.caplen = size;
805 * Read the packet data.
807 buffer_assure_space(wth->frame_buffer, length);
808 pd = buffer_start_ptr(wth->frame_buffer);
809 if (ngsniffer_read_rec_data(wth, FALSE, pd, length, err) < 0)
810 return FALSE; /* Read error */
811 wth->data_offset += length;
813 if (wth->file_encap == WTAP_ENCAP_UNKNOWN) {
815 * OK, this is from an "Internetwork analyzer", and
816 * we either didn't see a type 7 record or it had
817 * a network type such as NET_HDLC that doesn't
818 * tell us which *particular* HDLC derivative this
819 * is; let's look at the first byte of the packet,
820 * and figure out whether it's LAPB, LAPD, PPP, or
827 wth->file_encap = WTAP_ENCAP_PPP;
828 } else if (pd[0] == 0x34 || pd[0] == 0x28) {
832 wth->file_encap = WTAP_ENCAP_FRELAY;
833 } else if (pd[0] & 1) {
837 wth->file_encap = WTAP_ENCAP_LAPB;
842 wth->file_encap = WTAP_ENCAP_LAPD;
847 * Fix up the pseudo-header; we may have set "x25.flags",
848 * but, for some traffic, we should set "p2p.sent" instead.
850 fix_pseudo_header(wth, &wth->pseudo_header);
852 t = t/1000000.0 * wth->capture.ngsniffer->timeunit; /* t = # of secs */
853 t += wth->capture.ngsniffer->start;
854 wth->phdr.ts.tv_sec = (long)t;
855 wth->phdr.ts.tv_usec = (unsigned long)((t-(double)(wth->phdr.ts.tv_sec))
857 wth->phdr.pkt_encap = wth->file_encap;
861 static int ngsniffer_seek_read(wtap *wth, long seek_off,
862 union wtap_pseudo_header *pseudo_header, u_char *pd, int packet_size)
865 int err; /* XXX - return this */
866 guint16 type, length;
867 struct frame2_rec frame2;
868 struct frame4_rec frame4;
869 struct frame6_rec frame6;
871 ng_file_seek_rand(wth, seek_off, SEEK_SET);
873 ret = ngsniffer_read_rec_header(wth, TRUE, &type, &length, &err);
875 /* Read error or EOF */
882 /* Read the f_frame2_struct */
883 ret = ngsniffer_read_frame2(wth, TRUE, &frame2, &err);
889 length -= sizeof frame2; /* we already read that much */
891 set_pseudo_header_frame2(pseudo_header, &frame2);
895 /* Read the f_frame4_struct */
896 ret = ngsniffer_read_frame4(wth, TRUE, &frame4, &err);
898 length -= sizeof frame4; /* we already read that much */
900 set_pseudo_header_frame4(pseudo_header, &frame4);
904 /* Read the f_frame6_struct */
905 ret = ngsniffer_read_frame6(wth, TRUE, &frame6, &err);
907 length -= sizeof frame6; /* we already read that much */
909 set_pseudo_header_frame6(pseudo_header, &frame6);
916 g_assert_not_reached();
921 * Fix up the pseudo-header; we may have set "x25.flags",
922 * but, for some traffic, we should set "p2p.sent" instead.
924 fix_pseudo_header(wth, pseudo_header);
927 * Got the pseudo-header (if any), now get the data.
929 return ngsniffer_read_rec_data(wth, TRUE, pd, packet_size, &err);
932 static int ngsniffer_read_rec_header(wtap *wth, gboolean is_random,
933 guint16 *typep, guint16 *lengthp, int *err)
937 char record_length[4]; /* only 1st 2 bytes are length */
940 * Read the record header.
942 bytes_read = ng_file_read(record_type, 1, 2, wth, is_random, err);
943 if (bytes_read != 2) {
946 if (bytes_read != 0) {
947 *err = WTAP_ERR_SHORT_READ;
952 bytes_read = ng_file_read(record_length, 1, 4, wth, is_random, err);
953 if (bytes_read != 4) {
955 *err = WTAP_ERR_SHORT_READ;
959 *typep = pletohs(record_type);
960 *lengthp = pletohs(record_length);
961 return 1; /* success */
964 static int ngsniffer_read_frame2(wtap *wth, gboolean is_random,
965 struct frame2_rec *frame2, int *err)
969 /* Read the f_frame2_struct */
970 bytes_read = ng_file_read(frame2, 1, sizeof *frame2, wth, is_random,
972 if (bytes_read != sizeof *frame2) {
974 *err = WTAP_ERR_SHORT_READ;
980 static void set_pseudo_header_frame2(union wtap_pseudo_header *pseudo_header,
981 struct frame2_rec *frame2)
984 * In one PPP "Internetwork analyzer" capture,
985 * the only bit seen in "fs" is the 0x80 bit,
986 * which probably indicates the packet's
987 * direction; all other bits were zero.
988 * All bits in "frame2.flags" were zero.
990 * In one X.25 "Interenetwork analyzer" capture,
991 * the only bit seen in "fs" is the 0x80 bit,
992 * which probably indicates the packet's
993 * direction; all other bits were zero.
994 * "frame2.flags" was always 0x18.
996 * In one Ethernet capture, "fs" was always 0,
997 * and "flags" was either 0 or 0x18, with no
998 * obvious correlation with anything.
1000 * In one Token Ring capture, "fs" was either 0
1001 * or 0xcc, and "flags" was either 0 or 0x18,
1002 * with no obvious correlation with anything.
1004 pseudo_header->x25.flags = (frame2->fs & 0x80) ? 0x00 : 0x80;
1007 static int ngsniffer_read_frame4(wtap *wth, gboolean is_random,
1008 struct frame4_rec *frame4, int *err)
1012 /* Read the f_frame4_struct */
1013 bytes_read = ng_file_read(frame4, 1, sizeof *frame4, wth, is_random,
1015 if (bytes_read != sizeof *frame4) {
1017 *err = WTAP_ERR_SHORT_READ;
1023 static void set_pseudo_header_frame4(union wtap_pseudo_header *pseudo_header,
1024 struct frame4_rec *frame4)
1026 pseudo_header->ngsniffer_atm.AppTrafType = frame4->atm_info.AppTrafType;
1027 pseudo_header->ngsniffer_atm.AppHLType = frame4->atm_info.AppHLType;
1028 pseudo_header->ngsniffer_atm.Vpi = pletohs(&frame4->atm_info.Vpi);
1029 pseudo_header->ngsniffer_atm.Vci = pletohs(&frame4->atm_info.Vci);
1030 pseudo_header->ngsniffer_atm.channel = pletohs(&frame4->atm_info.channel);
1031 pseudo_header->ngsniffer_atm.cells = pletohs(&frame4->atm_info.cells);
1032 pseudo_header->ngsniffer_atm.aal5t_u2u = pletohs(&frame4->atm_info.Trailer.aal5t_u2u);
1033 pseudo_header->ngsniffer_atm.aal5t_len = pletohs(&frame4->atm_info.Trailer.aal5t_len);
1034 pseudo_header->ngsniffer_atm.aal5t_chksum = pletohl(&frame4->atm_info.Trailer.aal5t_chksum);
1037 static int ngsniffer_read_frame6(wtap *wth, gboolean is_random,
1038 struct frame6_rec *frame6, int *err)
1042 /* Read the f_frame6_struct */
1043 bytes_read = ng_file_read(frame6, 1, sizeof *frame6, wth, is_random,
1045 if (bytes_read != sizeof *frame6) {
1047 *err = WTAP_ERR_SHORT_READ;
1053 static void set_pseudo_header_frame6(union wtap_pseudo_header *pseudo_header,
1054 struct frame6_rec *frame6)
1056 /* XXX - Once the frame format is divined, something will most likely go here */
1059 static int ngsniffer_read_rec_data(wtap *wth, gboolean is_random, u_char *pd,
1060 int length, int *err)
1064 bytes_read = ng_file_read(pd, 1, length, wth, is_random, err);
1066 if (bytes_read != length) {
1068 *err = WTAP_ERR_SHORT_READ;
1074 static void fix_pseudo_header(wtap *wth,
1075 union wtap_pseudo_header *pseudo_header)
1077 switch (wth->file_encap) {
1079 case WTAP_ENCAP_LAPD:
1080 if (pseudo_header->x25.flags == 0x00)
1081 pseudo_header->p2p.sent = TRUE;
1083 pseudo_header->p2p.sent = FALSE;
1088 /* Throw away the buffers used by the sequential I/O stream, but not
1089 those used by the random I/O stream. */
1090 static void ngsniffer_sequential_close(wtap *wth)
1092 if (wth->capture.ngsniffer->seq.buf != NULL) {
1093 g_free(wth->capture.ngsniffer->seq.buf);
1094 wth->capture.ngsniffer->seq.buf = NULL;
1098 static void free_blob(gpointer data, gpointer user_data)
1103 static void ngsniffer_close(wtap *wth)
1105 if (wth->capture.ngsniffer->seq.buf != NULL)
1106 g_free(wth->capture.ngsniffer->seq.buf);
1107 if (wth->capture.ngsniffer->rand.buf != NULL)
1108 g_free(wth->capture.ngsniffer->rand.buf);
1109 if (wth->capture.ngsniffer->first_blob != NULL) {
1110 g_list_foreach(wth->capture.ngsniffer->first_blob, free_blob, NULL);
1111 g_list_free(wth->capture.ngsniffer->first_blob);
1113 g_free(wth->capture.ngsniffer);
1116 static const int wtap_encap[] = {
1117 -1, /* WTAP_ENCAP_UNKNOWN -> unsupported */
1118 1, /* WTAP_ENCAP_ETHERNET */
1119 0, /* WTAP_ENCAP_TOKEN_RING */
1120 -1, /* WTAP_ENCAP_SLIP -> unsupported */
1121 7, /* WTAP_ENCAP_PPP -> Internetwork analyzer (synchronous) FIXME ! */
1122 -1, /* WTAP_ENCAP_FDDI -> unsupported */
1123 9, /* WTAP_ENCAP_FDDI_BITSWAPPED */
1124 -1, /* WTAP_ENCAP_RAW_IP -> unsupported */
1125 2, /* WTAP_ENCAP_ARCNET */
1126 -1, /* WTAP_ENCAP_ATM_RFC1483 */
1127 -1, /* WTAP_ENCAP_LINUX_ATM_CLIP */
1128 7, /* WTAP_ENCAP_LAPB -> Internetwork analyzer (synchronous) */
1129 -1, /* WTAP_ENCAP_ATM_SNIFFER */
1130 -1 /* WTAP_ENCAP_NULL -> unsupported */
1132 #define NUM_WTAP_ENCAPS (sizeof wtap_encap / sizeof wtap_encap[0])
1134 /* Returns 0 if we could write the specified encapsulation type,
1135 an error indication otherwise. */
1136 int ngsniffer_dump_can_write_encap(int filetype, int encap)
1138 /* Per-packet encapsulations aren't supported. */
1139 if (encap == WTAP_ENCAP_PER_PACKET)
1140 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
1142 if (encap < 0 || encap >= NUM_WTAP_ENCAPS || wtap_encap[encap] == -1)
1143 return WTAP_ERR_UNSUPPORTED_ENCAP;
1148 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
1150 gboolean ngsniffer_dump_open(wtap_dumper *wdh, int *err)
1153 char buf[6] = {REC_VERS, 0x00, 0x12, 0x00, 0x00, 0x00}; /* version record */
1155 /* This is a sniffer file */
1156 wdh->subtype_write = ngsniffer_dump;
1157 wdh->subtype_close = ngsniffer_dump_close;
1159 wdh->dump.ngsniffer = g_malloc(sizeof(ngsniffer_dump_t));
1160 wdh->dump.ngsniffer->first_frame = TRUE;
1161 wdh->dump.ngsniffer->start = 0;
1163 /* Write the file header. */
1164 nwritten = fwrite(ngsniffer_magic, 1, sizeof ngsniffer_magic, wdh->fh);
1165 if (nwritten != sizeof ngsniffer_magic) {
1166 if (nwritten == 0 && ferror(wdh->fh))
1169 *err = WTAP_ERR_SHORT_WRITE;
1172 nwritten = fwrite(buf, 1, 6, wdh->fh);
1173 if (nwritten != 6) {
1174 if (nwritten == 0 && ferror(wdh->fh))
1177 *err = WTAP_ERR_SHORT_WRITE;
1184 /* Write a record for a packet to a dump file.
1185 Returns TRUE on success, FALSE on failure. */
1186 static gboolean ngsniffer_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
1187 const union wtap_pseudo_header *pseudo_header, const u_char *pd, int *err)
1189 ngsniffer_dump_t *priv = wdh->dump.ngsniffer;
1190 struct frame2_rec rec_hdr;
1194 guint16 t_low, t_med, t_high;
1195 struct vers_rec version;
1196 gint16 maj_vers, min_vers;
1200 /* Sniffer files have a capture start date in the file header, and
1201 have times relative to the beginning of that day in the packet
1202 headers; pick the date of the first packet as the capture start
1204 if (priv->first_frame) {
1205 priv->first_frame=FALSE;
1206 tm = localtime(&phdr->ts.tv_sec);
1208 start_date = (tm->tm_year - (1980 - 1900)) << 9;
1209 start_date |= (tm->tm_mon + 1) << 5;
1210 start_date |= tm->tm_mday;
1211 /* record the start date, not the start time */
1212 priv->start = phdr->ts.tv_sec - (3600*tm->tm_hour + 60*tm->tm_min + tm->tm_sec);
1218 /* "sniffer" version ? */
1221 version.maj_vers = htoles(maj_vers);
1222 version.min_vers = htoles(min_vers);
1224 version.date = htoles(start_date);
1226 version.network = wtap_encap[wdh->encap];
1228 version.timeunit = 1; /* 0.838096 */
1229 version.cmprs_vers = 0;
1230 version.cmprs_level = 0;
1231 version.rsvd[0] = 0;
1232 version.rsvd[1] = 0;
1233 nwritten = fwrite(&version, 1, sizeof version, wdh->fh);
1234 if (nwritten != sizeof version) {
1235 if (nwritten == 0 && ferror(wdh->fh))
1238 *err = WTAP_ERR_SHORT_WRITE;
1243 buf[0] = REC_FRAME2;
1245 buf[2] = (char)((phdr->caplen + sizeof(struct frame2_rec))%256);
1246 buf[3] = (char)((phdr->caplen + sizeof(struct frame2_rec))/256);
1249 nwritten = fwrite(buf, 1, 6, wdh->fh);
1250 if (nwritten != 6) {
1251 if (nwritten == 0 && ferror(wdh->fh))
1254 *err = WTAP_ERR_SHORT_WRITE;
1257 t = (double)phdr->ts.tv_sec + (double)phdr->ts.tv_usec/1.0e6; /* # of secs */
1258 t = (t - priv->start)*1.0e6 / Usec[1]; /* timeunit = 1 */
1259 t_low = (guint16)(t-(double)((guint32)(t/65536.0))*65536.0);
1260 t_med = (guint16)((guint32)(t/65536.0) % 65536);
1261 t_high = (guint16)(t/4294967296.0);
1262 rec_hdr.time_low = htoles(t_low);
1263 rec_hdr.time_med = htoles(t_med);
1264 rec_hdr.time_high = htoles(t_high);
1265 rec_hdr.size = htoles(phdr->caplen);
1266 if (wdh->encap == WTAP_ENCAP_LAPB || wdh->encap == WTAP_ENCAP_PPP)
1267 rec_hdr.fs = (pseudo_header->x25.flags & 0x80) ? 0x00 : 0x80;
1271 rec_hdr.true_size = phdr->len != phdr->caplen ? htoles(phdr->len) : 0;
1273 nwritten = fwrite(&rec_hdr, 1, sizeof rec_hdr, wdh->fh);
1274 if (nwritten != sizeof rec_hdr) {
1275 if (nwritten == 0 && ferror(wdh->fh))
1278 *err = WTAP_ERR_SHORT_WRITE;
1281 nwritten = fwrite(pd, 1, phdr->caplen, wdh->fh);
1282 if (nwritten != phdr->caplen) {
1283 if (nwritten == 0 && ferror(wdh->fh))
1286 *err = WTAP_ERR_SHORT_WRITE;
1292 /* Finish writing to a dump file.
1293 Returns TRUE on success, FALSE on failure. */
1294 static gboolean ngsniffer_dump_close(wtap_dumper *wdh, int *err)
1297 char buf[6] = {REC_EOF, 0x00, 0x00, 0x00, 0x00, 0x00};
1300 nwritten = fwrite(buf, 1, 6, wdh->fh);
1301 if (nwritten != 6) {
1302 if (nwritten == 0 && ferror(wdh->fh))
1305 *err = WTAP_ERR_SHORT_WRITE;
1312 SnifferDecompress() decompresses a blob of compressed data from a
1313 Sniffer(R) capture file.
1315 This function is Copyright (c) 1999-2999 Tim Farley
1318 inbuf - buffer of compressed bytes from file, not including
1319 the preceding length word
1320 inlen - length of inbuf in bytes
1321 outbuf - decompressed contents, could contain a partial Sniffer
1323 outlen - length of outbuf.
1325 Return value is the number of bytes in outbuf on return.
1328 SnifferDecompress( unsigned char * inbuf, size_t inlen,
1329 unsigned char * outbuf, size_t outlen, int *err )
1331 unsigned char * pin = inbuf;
1332 unsigned char * pout = outbuf;
1333 unsigned char * pin_end = pin + inlen;
1334 unsigned char * pout_end = pout + outlen;
1335 unsigned int bit_mask; /* one bit is set in this, to mask with bit_value */
1336 unsigned int bit_value = 0; /* cache the last 16 coding bits we retrieved */
1337 unsigned int code_type; /* encoding type, from high 4 bits of byte */
1338 unsigned int code_low; /* other 4 bits from encoding byte */
1339 int length; /* length of RLE sequence or repeated string */
1340 int offset; /* offset of string to repeat */
1342 bit_mask = 0; /* don't have any bits yet */
1345 /* Shift down the bit mask we use to see whats encoded */
1346 bit_mask = bit_mask >> 1;
1348 /* If there are no bits left, time to get another 16 bits */
1349 if ( 0 == bit_mask )
1351 bit_mask = 0x8000; /* start with the high bit */
1352 bit_value = pletohs(pin); /* get the next 16 bits */
1353 pin += 2; /* skip over what we just grabbed */
1354 if ( pin >= pin_end )
1356 *err = WTAP_ERR_UNC_TRUNCATED; /* data was oddly truncated */
1361 /* Use the bits in bit_value to see what's encoded and what is raw data */
1362 if ( !(bit_mask & bit_value) )
1364 /* bit not set - raw byte we just copy */
1365 *(pout++) = *(pin++);
1369 /* bit set - next item is encoded. Peel off high nybble
1370 of next byte to see the encoding type. Set aside low
1371 nybble while we are at it */
1372 code_type = (unsigned int) ((*pin) >> 4 ) & 0xF;
1373 code_low = (unsigned int) ((*pin) & 0xF );
1374 pin++; /* increment over the code byte we just retrieved */
1375 if ( pin >= pin_end )
1377 *err = WTAP_ERR_UNC_TRUNCATED; /* data was oddly truncated */
1381 /* Based on the code type, decode the compressed string */
1382 switch ( code_type )
1384 case 0 : /* RLE short runs */
1386 Run length is the low nybble of the first code byte.
1387 Byte to repeat immediately follows.
1388 Total code size: 2 bytes.
1390 length = code_low + 3;
1391 /* If length would put us past end of output, avoid overflow */
1392 if ( pout + length > pout_end )
1394 *err = WTAP_ERR_UNC_OVERFLOW;
1398 /* generate the repeated series of bytes */
1399 memset( pout, *pin++, length );
1402 case 1 : /* RLE long runs */
1404 Low 4 bits of run length is the low nybble of the
1405 first code byte, upper 8 bits of run length is in
1407 Byte to repeat immediately follows.
1408 Total code size: 3 bytes.
1410 length = code_low + ((unsigned int)(*pin++) << 4) + 19;
1411 /* If we are already at end of input, there is no byte
1413 if ( pin >= pin_end )
1415 *err = WTAP_ERR_UNC_TRUNCATED; /* data was oddly truncated */
1418 /* If length would put us past end of output, avoid overflow */
1419 if ( pout + length > pout_end )
1421 *err = WTAP_ERR_UNC_OVERFLOW;
1425 /* generate the repeated series of bytes */
1426 memset( pout, *pin++, length );
1429 case 2 : /* LZ77 long strings */
1431 Low 4 bits of offset to string is the low nybble of the
1432 first code byte, upper 8 bits of offset is in
1434 Length of string immediately follows.
1435 Total code size: 3 bytes.
1437 offset = code_low + ((unsigned int)(*pin++) << 4) + 3;
1438 /* If we are already at end of input, there is no byte
1440 if ( pin >= pin_end )
1442 *err = WTAP_ERR_UNC_TRUNCATED; /* data was oddly truncated */
1445 /* Check if offset would put us back past begin of buffer */
1446 if ( pout - offset < outbuf )
1448 *err = WTAP_ERR_UNC_BAD_OFFSET;
1452 /* get length from next byte, make sure it won't overrun buf */
1453 length = (unsigned int)(*pin++) + 16;
1454 if ( pout + length > pout_end )
1456 *err = WTAP_ERR_UNC_OVERFLOW;
1460 /* Copy the string from previous text to output position,
1461 advance output pointer */
1462 memcpy( pout, pout - offset, length );
1465 default : /* (3 to 15): LZ77 short strings */
1467 Low 4 bits of offset to string is the low nybble of the
1468 first code byte, upper 8 bits of offset is in
1470 Length of string to repeat is overloaded into code_type.
1471 Total code size: 2 bytes.
1473 offset = code_low + ((unsigned int)(*pin++) << 4) + 3;
1474 /* Check if offset would put us back past begin of buffer */
1475 if ( pout - offset < outbuf )
1477 *err = WTAP_ERR_UNC_BAD_OFFSET;
1481 /* get length from code_type, make sure it won't overrun buf */
1483 if ( pout + length > pout_end )
1485 *err = WTAP_ERR_UNC_OVERFLOW;
1489 /* Copy the string from previous text to output position,
1490 advance output pointer */
1491 memcpy( pout, pout - offset, length );
1497 /* If we've consumed all the input, we are done */
1498 if ( pin >= pin_end )
1502 return ( pout - outbuf ); /* return length of expanded text */
1506 * XXX - is there any guarantee that this is big enough to hold the
1507 * uncompressed data from any blob?
1509 #define OUTBUF_SIZE 65536
1511 /* Information about a compressed blob; we save the offset in the
1512 underlying compressed file, and the offset in the uncompressed data
1513 stream, of the blob. */
1515 long blob_comp_offset;
1516 long blob_uncomp_offset;
1520 ng_file_read(void *buffer, size_t elementsize, size_t numelements, wtap *wth,
1521 gboolean is_random, int *err)
1524 ngsniffer_comp_stream_t *comp_stream;
1525 int copybytes = elementsize * numelements; /* bytes left to be copied */
1526 int copied_bytes = 0; /* bytes already copied */
1527 unsigned char *outbuffer = buffer; /* where to write next decompressed data */
1533 infile = wth->random_fh;
1534 comp_stream = &wth->capture.ngsniffer->rand;
1537 comp_stream = &wth->capture.ngsniffer->seq;
1540 if (wth->file_type == WTAP_FILE_NGSNIFFER_UNCOMPRESSED) {
1541 errno = WTAP_ERR_CANT_READ;
1542 copied_bytes = file_read(buffer, 1, copybytes, infile);
1543 if (copied_bytes != copybytes)
1544 *err = file_error(infile);
1545 return copied_bytes;
1548 /* Allocate the stream buffer if it hasn't already been allocated. */
1549 if (comp_stream->buf == NULL) {
1550 comp_stream->buf = g_malloc(OUTBUF_SIZE);
1553 /* This is the first read of the random file, so we're at
1554 the beginning of the sequence of blobs in the file
1555 (as we've not done any random reads yet to move the
1556 current position in the random stream); set the
1557 current blob to be the first blob. */
1558 wth->capture.ngsniffer->current_blob =
1559 wth->capture.ngsniffer->first_blob;
1561 /* This is the first sequential read; if we also have a
1562 random stream open, allocate the first element for the
1563 list of blobs, and make it the last element as well. */
1564 if (wth->random_fh != NULL) {
1565 g_assert(wth->capture.ngsniffer->first_blob == NULL);
1566 blob = g_malloc(sizeof (blob_info_t));
1567 blob->blob_comp_offset = comp_stream->comp_offset;
1568 blob->blob_uncomp_offset = comp_stream->uncomp_offset;
1569 wth->capture.ngsniffer->first_blob =
1570 g_list_append(wth->capture.ngsniffer->first_blob, blob);
1571 wth->capture.ngsniffer->last_blob =
1572 wth->capture.ngsniffer->first_blob;
1576 /* Now read the first blob into the buffer. */
1577 if (read_blob(infile, comp_stream, err) < 0)
1580 while (copybytes > 0) {
1581 bytes_left = comp_stream->nbytes - comp_stream->nextout;
1582 if (bytes_left == 0) {
1583 /* There's no decompressed stuff left to copy from the current
1584 blob; get the next blob. */
1587 /* Move to the next blob in the list. */
1588 wth->capture.ngsniffer->current_blob =
1589 g_list_next(wth->capture.ngsniffer->current_blob);
1590 blob = wth->capture.ngsniffer->current_blob->data;
1592 /* If we also have a random stream open, add a new element,
1593 for this blob, to the list of blobs; we know the list is
1594 non-empty, as we initialized it on the first sequential
1595 read, so we just add the new element at the end, and
1596 adjust the pointer to the last element to refer to it. */
1597 if (wth->random_fh != NULL) {
1598 blob = g_malloc(sizeof (blob_info_t));
1599 blob->blob_comp_offset = comp_stream->comp_offset;
1600 blob->blob_uncomp_offset = comp_stream->uncomp_offset;
1601 wth->capture.ngsniffer->last_blob =
1602 g_list_append(wth->capture.ngsniffer->last_blob, blob);
1606 if (read_blob(infile, comp_stream, err) < 0)
1608 bytes_left = comp_stream->nbytes - comp_stream->nextout;
1611 bytes_to_copy = copybytes;
1612 if (bytes_to_copy > bytes_left)
1613 bytes_to_copy = bytes_left;
1614 memcpy(outbuffer, &comp_stream->buf[comp_stream->nextout],
1616 copybytes -= bytes_to_copy;
1617 copied_bytes += bytes_to_copy;
1618 outbuffer += bytes_to_copy;
1619 comp_stream->nextout += bytes_to_copy;
1620 comp_stream->uncomp_offset += bytes_to_copy;
1622 return copied_bytes;
1625 /* Read a blob from a compressed stream.
1626 Return -1 and set "*err" on error, otherwise return 0. */
1628 read_blob(FILE_T infile, ngsniffer_comp_stream_t *comp_stream, int *err)
1632 unsigned short blob_len;
1633 gint16 blob_len_host;
1634 gboolean uncompressed;
1635 unsigned char file_inbuf[65536];
1638 /* Read one 16-bit word which is length of next compressed blob */
1639 errno = WTAP_ERR_CANT_READ;
1640 read_len = file_read(&blob_len, 1, 2, infile);
1641 if (2 != read_len) {
1642 *err = file_error(infile);
1645 comp_stream->comp_offset += 2;
1646 blob_len_host = pletohs(&blob_len);
1648 /* Compressed or uncompressed? */
1649 if (blob_len_host < 0) {
1650 /* Uncompressed blob; blob length is absolute value of the number. */
1651 in_len = -blob_len_host;
1652 uncompressed = TRUE;
1654 in_len = blob_len_host;
1655 uncompressed = FALSE;
1659 errno = WTAP_ERR_CANT_READ;
1660 read_len = file_read(file_inbuf, 1, in_len, infile);
1661 if (in_len != read_len) {
1662 *err = file_error(infile);
1665 comp_stream->comp_offset += in_len;
1668 memcpy(comp_stream->buf, file_inbuf, in_len);
1671 /* Decompress the blob */
1672 out_len = SnifferDecompress(file_inbuf, in_len,
1673 comp_stream->buf, OUTBUF_SIZE, err);
1677 comp_stream->nextout = 0;
1678 comp_stream->nbytes = out_len;
1682 /* Seek in the sequential data stream; we can only seek forward, and we
1683 do it on compressed files by skipping forward. */
1685 ng_file_seek_seq(wtap *wth, long offset, int whence)
1689 long amount_to_read;
1692 if (wth->file_type == WTAP_FILE_NGSNIFFER_UNCOMPRESSED)
1693 return file_seek(wth->fh, offset, whence);
1698 break; /* "offset" is the target offset */
1701 offset += wth->capture.ngsniffer->seq.uncomp_offset;
1702 break; /* "offset" is relative to the current offset */
1705 g_assert_not_reached(); /* "offset" is relative to the end of the file... */
1706 break; /* ...but we don't know where that is. */
1709 delta = offset - wth->capture.ngsniffer->seq.uncomp_offset;
1710 g_assert(delta >= 0);
1712 /* Ok, now read and discard "delta" bytes. */
1713 while (delta != 0) {
1714 amount_to_read = delta;
1715 if (amount_to_read > sizeof buf)
1716 amount_to_read = sizeof buf;
1717 if (ng_file_read(buf, 1, amount_to_read, wth, FALSE, &err) < 0)
1718 return -1; /* error */
1719 delta -= amount_to_read;
1724 /* Seek in the random data stream.
1726 On compressed files, we see whether we're seeking to a position within
1727 the blob we currently have in memory and, if not, we find in the list
1728 of blobs the last blob that starts at or before the position to which
1729 we're seeking, and read that blob in. We can then move to the appropriate
1730 position within the blob we have in memory (whether it's the blob we
1731 already had in memory or, if necessary, the one we read in). */
1733 ng_file_seek_rand(wtap *wth, long offset, int whence)
1735 ngsniffer_t *ngsniffer;
1739 blob_info_t *next_blob, *new_blob;
1741 if (wth->file_type == WTAP_FILE_NGSNIFFER_UNCOMPRESSED)
1742 return file_seek(wth->random_fh, offset, whence);
1744 ngsniffer = wth->capture.ngsniffer;
1749 break; /* "offset" is the target offset */
1752 offset += ngsniffer->rand.uncomp_offset;
1753 break; /* "offset" is relative to the current offset */
1756 g_assert_not_reached(); /* "offset" is relative to the end of the file... */
1757 break; /* ...but we don't know where that is. */
1760 delta = offset - ngsniffer->rand.uncomp_offset;
1762 /* Is the place to which we're seeking within the current buffer, or
1763 will we have to read a different blob into the buffer? */
1766 /* We're going forwards.
1767 Is the place to which we're seeking within the current buffer? */
1768 if (ngsniffer->rand.nextout + delta >= ngsniffer->rand.nbytes) {
1769 /* No. Search for a blob that contains the target offset in
1770 the uncompressed byte stream, starting with the blob
1771 following the current blob. */
1772 new = g_list_next(ngsniffer->current_blob);
1774 next = g_list_next(new);
1776 /* No more blobs; the current one is it. */
1780 next_blob = next->data;
1781 /* Does the next blob start after the target offset?
1782 If so, the current blob is the one we want. */
1783 if (next_blob->blob_uncomp_offset > offset)
1789 } else if (delta < 0) {
1790 /* We're going backwards.
1791 Is the place to which we're seeking within the current buffer? */
1792 if (ngsniffer->rand.nextout + delta < 0) {
1793 /* No. Search for a blob that contains the target offset in
1794 the uncompressed byte stream, starting with the blob
1795 preceding the current blob. */
1796 new = g_list_previous(ngsniffer->current_blob);
1798 /* Does this blob start at or before the target offset?
1799 If so, the current blob is the one we want. */
1800 new_blob = new->data;
1801 if (new_blob->blob_uncomp_offset <= offset)
1804 /* It doesn't - skip to the previous blob. */
1805 new = g_list_previous(new);
1811 /* The place to which we're seeking isn't in the current buffer;
1812 move to a new blob. */
1813 new_blob = new->data;
1815 /* Seek in the compressed file to the offset in the compressed file
1816 of the beginning of that blob. */
1817 if (file_seek(wth->random_fh, new_blob->blob_comp_offset, SEEK_SET) == -1)
1820 /* Make the blob we found the current one. */
1821 ngsniffer->current_blob = new;
1823 /* Now set the current offsets to the offsets of the beginning
1825 ngsniffer->rand.uncomp_offset = new_blob->blob_uncomp_offset;
1826 ngsniffer->rand.comp_offset = new_blob->blob_comp_offset;
1828 /* Now fill the buffer. */
1829 if (read_blob(wth->random_fh, &ngsniffer->rand, &err) < 0)
1832 /* Set "delta" to the amount to move within this blob; it had
1833 better be >= 0, and < the amount of uncompressed data in
1834 the blob, as otherwise it'd mean we need to seek before
1835 the beginning or after the end of this blob. */
1836 delta = offset - ngsniffer->rand.uncomp_offset;
1837 g_assert(delta >= 0 && delta < ngsniffer->rand.nbytes);
1840 /* OK, the place to which we're seeking is in the buffer; adjust
1841 "ngsniffer->rand.nextout" to point to the place to which
1842 we're seeking, and adjust "ngsniffer->rand.uncomp_offset" to be
1843 the destination offset. */
1844 ngsniffer->rand.nextout += delta;
1845 ngsniffer->rand.uncomp_offset += delta;