2 * Routines for opening files in what Savvius (formerly WildPackets) calls
3 * the classic file format in the description of their "PeekRdr Sample
4 * Application" (C++ source code to read their capture files, downloading
5 * of which requires a maintenance contract, so it's not free as in beer
6 * and probably not as in speech, either).
8 * As that description says, it's used by AiroPeek and AiroPeek NX prior
9 * to 2.0, EtherPeek prior to 6.0, and EtherPeek NX prior to 3.0. It
10 * was probably also used by TokenPeek.
12 * This handles versions 5, 6, and 7 of that format (the format version
13 * number is what appears in the file, and is distinct from the application
16 * Copyright (c) 2001, Daniel Thompson <d.thompson@gmx.net>
19 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
21 * This program is free software; you can redistribute it and/or
22 * modify it under the terms of the GNU General Public License
23 * as published by the Free Software Foundation; either version 2
24 * of the License, or (at your option) any later version.
26 * This program is distributed in the hope that it will be useful,
27 * but WITHOUT ANY WARRANTY; without even the implied warranty of
28 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
29 * GNU General Public License for more details.
31 * You should have received a copy of the GNU General Public License
32 * along with this program; if not, write to the Free Software
33 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
40 #include "file_wrappers.h"
41 #include "peekclassic.h"
44 * This file decoder could not have been written without examining how
45 * tcptrace (http://www.tcptrace.org/) handles EtherPeek files.
/* 2-byte master header read raw from the start of the file; its version
 * field is what peekclassic_open() switches on (after masking off 0x80). */
49 typedef struct peekclassic_master_header {
52 } peekclassic_master_header_t;
53 #define PEEKCLASSIC_MASTER_HDR_SIZE 2
55 /* secondary header (V5,V6,V7) */
/* 48-byte secondary header, stored big-endian on disk; peekclassic_open()
 * converts the fields with g_ntohl() and, lacking a magic number, requires the
 * reserved words to be zero and mediaType/physMedium to hold known values. */
56 typedef struct peekclassic_v567_header {
62 guint32 mediaType; /* Media Type Ethernet=0 Token Ring = 1 */
63 guint32 physMedium; /* Physical Medium native=0 802.1=1 */
64 guint32 appVers; /* App Version Number Maj.Min.Bug.Build */
65 guint32 linkSpeed; /* Link Speed Bits/sec */
67 } peekclassic_v567_header_t;
68 #define PEEKCLASSIC_V567_HDR_SIZE 48
/* Master header followed by the secondary header; peekclassic_open() fills
 * both in place and reads the secondary one as ep_hdr.secondary.v567. */
71 typedef struct peekclassic_header {
72 peekclassic_master_header_t master;
74 peekclassic_v567_header_t v567;
76 } peekclassic_header_t;
79 * Packet header (V5, V6).
81 * NOTE: the time stamp, although it's a 32-bit number, is only aligned
82 * on a 16-bit boundary. (Does this date back to 68K Macs? The 68000
83 * only required 16-bit alignment of 32-bit quantities, as did the 68010,
84 * and the 68020/68030/68040 required no alignment.)
86 * As such, we cannot declare this as a C structure, as compilers on
87 * most platforms will put 2 bytes of padding before the time stamp to
88 * align it on a 32-bit boundary.
90 * So, instead, we #define numbers as the offsets of the fields.
92 #define PEEKCLASSIC_V56_LENGTH_OFFSET 0
93 #define PEEKCLASSIC_V56_SLICE_LENGTH_OFFSET 2
94 #define PEEKCLASSIC_V56_FLAGS_OFFSET 4
95 #define PEEKCLASSIC_V56_STATUS_OFFSET 5
96 #define PEEKCLASSIC_V56_TIMESTAMP_OFFSET 6
97 #define PEEKCLASSIC_V56_DESTNUM_OFFSET 10
98 #define PEEKCLASSIC_V56_SRCNUM_OFFSET 12
99 #define PEEKCLASSIC_V56_PROTONUM_OFFSET 14
100 #define PEEKCLASSIC_V56_PROTOSTR_OFFSET 16
101 #define PEEKCLASSIC_V56_FILTERNUM_OFFSET 24
102 #define PEEKCLASSIC_V56_PKT_SIZE 26
104 /* 64-bit time in microseconds from the (Mac) epoch */
/* Layout of the V7 timestamp field; the V7 reader pulls it out with pntoh64()
 * at PEEKCLASSIC_V7_TIMESTAMP_OFFSET rather than through this struct. */
105 typedef struct peekclassic_utime {
111 * Packet header (V7).
113 * This doesn't have the same alignment problem, but we do it with
116 #define PEEKCLASSIC_V7_PROTONUM_OFFSET 0
117 #define PEEKCLASSIC_V7_LENGTH_OFFSET 2
118 #define PEEKCLASSIC_V7_SLICE_LENGTH_OFFSET 4
119 #define PEEKCLASSIC_V7_FLAGS_OFFSET 6
120 #define PEEKCLASSIC_V7_STATUS_OFFSET 7
121 #define PEEKCLASSIC_V7_TIMESTAMP_OFFSET 8
122 #define PEEKCLASSIC_V7_PKT_SIZE 16
/* One row of the V5/V6 protocol-number -> WTAP encapsulation table
 * (fields protoNum and encap, matched in peekclassic_read_packet_v56()). */
124 typedef struct peekclassic_encap_lookup {
127 } peekclassic_encap_lookup_t;
/* Seconds from the Mac epoch (1904-01-01) to the Unix epoch (1970-01-01);
 * subtracted from every file timestamp, which is Mac-epoch based. */
129 static const unsigned int mac2unix = 2082844800u;
/* V5/V6 per-packet encapsulation table. Only protocol 1400 (Ethernet) is
 * known; anything else is reported as WTAP_ENCAP_UNKNOWN by the V56 reader. */
130 static const peekclassic_encap_lookup_t peekclassic_encap[] = {
131 { 1400, WTAP_ENCAP_ETHERNET }
133 #define NUM_PEEKCLASSIC_ENCAPS \
134 (sizeof (peekclassic_encap) / sizeof (peekclassic_encap[0]))
/* Per-file state kept in wth->priv: the V5/V6 time base (Unix epoch) that
 * peekclassic_read_packet_v56() adds each packet's millisecond offset to. */
137 time_t reference_time;
/* Per-version handlers installed by peekclassic_open(): read_* is the
 * sequential reader on wth->fh, seek_read_* the random-access reader on
 * wth->random_fh, and read_packet_* the record parser both share. */
140 static gboolean peekclassic_read_v7(wtap *wth, int *err, gchar **err_info,
141 gint64 *data_offset);
142 static gboolean peekclassic_seek_read_v7(wtap *wth, gint64 seek_off,
143 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
144 static int peekclassic_read_packet_v7(wtap *wth, FILE_T fh,
145 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
146 static gboolean peekclassic_read_v56(wtap *wth, int *err, gchar **err_info,
147 gint64 *data_offset);
148 static gboolean peekclassic_seek_read_v56(wtap *wth, gint64 seek_off,
149 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
150 static gboolean peekclassic_read_packet_v56(wtap *wth, FILE_T fh,
151 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
/**
 * peekclassic_open - probe and open a Peek classic (V5/V6/V7) capture file.
 *
 * Reads the 2-byte master header and the 48-byte secondary header from
 * wth->fh, applies the heuristic checks below (there is no magic number),
 * byte-swaps the secondary header into host order and, on success,
 * allocates the per-file state in wth->priv and installs the
 * version-specific read / seek_read handlers.
 *
 * @param wth       wiretap handle; on success the file position is just
 *                  past both headers, i.e. at the first packet record.
 * @param err       receives a WTAP_ERR_* code on a real I/O error.
 * @param err_info  may be set by the wtap_read_bytes() helpers on error.
 * @return WTAP_OPEN_MINE if the file is accepted, WTAP_OPEN_NOT_MINE if the
 *         headers do not look like Peek classic (a short read counts as
 *         "not mine"), WTAP_OPEN_ERROR on an I/O error.
 */
153 wtap_open_return_val peekclassic_open(wtap *wth, int *err, gchar **err_info)
155 peekclassic_header_t ep_hdr;
156 time_t reference_time;
158 peekclassic_t *peekclassic;
160 /* Peek classic files do not start with a magic value large enough
161 * to be unique; hence we use the following algorithm to determine
162 * the type of an unknown file:
163 * - populate the master header and reject file if there is no match
164 * - populate the secondary header and check that the reserved space
165 * is zero, and check some other fields; this isn't perfect,
166 * and we may have to add more checks at some point.
/* The header structs are read straight off the file, so their size must
 * match the on-disk size exactly (no compiler padding). */
168 g_assert(sizeof(ep_hdr.master) == PEEKCLASSIC_MASTER_HDR_SIZE);
/* A file too short to hold the header is simply not ours; only other
 * read failures are reported as errors. */
169 if (!wtap_read_bytes(wth->fh, &ep_hdr.master,
170 (int)sizeof(ep_hdr.master), err, err_info)) {
171 if (*err != WTAP_ERR_SHORT_READ)
172 return WTAP_OPEN_ERROR;
173 return WTAP_OPEN_NOT_MINE;
177 * It appears that EtherHelp (a free application from WildPackets
178 * that did blind capture, saving to a file, so that you could
179 * give the resulting file to somebody with EtherPeek) saved
180 * captures in EtherPeek format except that it ORed the 0x80
181 * bit on in the version number.
183 * We therefore strip off the 0x80 bit in the version number.
184 * Perhaps there's some reason to care whether the capture
185 * came from EtherHelp; if we discover one, we should check
188 ep_hdr.master.version &= ~0x80;
190 /* switch on the file version */
191 switch (ep_hdr.master.version) {
196 /* get the secondary header */
197 g_assert(sizeof(ep_hdr.secondary.v567) ==
198 PEEKCLASSIC_V567_HDR_SIZE);
199 if (!wtap_read_bytes(wth->fh, &ep_hdr.secondary.v567,
200 (int)sizeof(ep_hdr.secondary.v567), err, err_info)) {
201 if (*err != WTAP_ERR_SHORT_READ)
202 return WTAP_OPEN_ERROR;
203 return WTAP_OPEN_NOT_MINE;
/* Heuristic check #1: the reserved words must be all-zero. */
206 if ((0 != ep_hdr.secondary.v567.reserved[0]) ||
207 (0 != ep_hdr.secondary.v567.reserved[1]) ||
208 (0 != ep_hdr.secondary.v567.reserved[2])) {
210 return WTAP_OPEN_NOT_MINE;
214 * Check the mediaType and physMedium fields.
215 * We assume it's not a Peek classic file if
216 * these aren't values we know, rather than
217 * reporting them as invalid Peek classic files,
218 * as, given the lack of a magic number, we need
219 * all the checks we can get.
/* Header fields are big-endian on disk; convert before comparing. */
221 ep_hdr.secondary.v567.mediaType =
222 g_ntohl(ep_hdr.secondary.v567.mediaType);
223 ep_hdr.secondary.v567.physMedium =
224 g_ntohl(ep_hdr.secondary.v567.physMedium);
/* Heuristic check #2: physMedium/mediaType must be a known pair;
 * the pair also fixes the file-level encapsulation used for V7. */
226 switch (ep_hdr.secondary.v567.physMedium) {
230 * "Native" format, presumably meaning
231 * Ethernet or Token Ring.
233 switch (ep_hdr.secondary.v567.mediaType) {
236 file_encap = WTAP_ENCAP_ETHERNET;
240 file_encap = WTAP_ENCAP_TOKEN_RING;
245 * Assume this isn't a Peek classic file.
247 return WTAP_OPEN_NOT_MINE;
252 switch (ep_hdr.secondary.v567.mediaType) {
256 * 802.11, with a private header giving
257 * some radio information. Presumably
258 * this is from AiroPeek.
260 file_encap = WTAP_ENCAP_IEEE_802_11_WITH_RADIO;
265 * Assume this isn't a Peek classic file.
267 return WTAP_OPEN_NOT_MINE;
273 * Assume this isn't a Peek classic file.
275 return WTAP_OPEN_NOT_MINE;
280 * Assume this is a V5, V6 or V7 Peek classic file, and
281 * byte swap the rest of the fields in the secondary header.
283 * XXX - we could check the file length if the file were
284 * uncompressed, but it might be compressed.
/* filelength and numPackets are converted but not used for validation
 * (see the XXX above); only timeDate feeds into the per-file state. */
286 ep_hdr.secondary.v567.filelength =
287 g_ntohl(ep_hdr.secondary.v567.filelength);
288 ep_hdr.secondary.v567.numPackets =
289 g_ntohl(ep_hdr.secondary.v567.numPackets);
290 ep_hdr.secondary.v567.timeDate =
291 g_ntohl(ep_hdr.secondary.v567.timeDate);
292 ep_hdr.secondary.v567.timeStart =
293 g_ntohl(ep_hdr.secondary.v567.timeStart);
294 ep_hdr.secondary.v567.timeStop =
295 g_ntohl(ep_hdr.secondary.v567.timeStop);
296 ep_hdr.secondary.v567.appVers =
297 g_ntohl(ep_hdr.secondary.v567.appVers);
298 ep_hdr.secondary.v567.linkSpeed =
299 g_ntohl(ep_hdr.secondary.v567.linkSpeed);
301 /* Get the reference time as a time_t */
/* timeDate appears to be seconds since the Mac epoch; mac2unix rebases it
 * to the Unix epoch. NOTE(review): the subtraction is unsigned 32-bit, so a
 * timeDate before 1970 wraps to a huge value before being stored in time_t
 * rather than going negative — confirm whether such files can occur. */
302 reference_time = ep_hdr.secondary.v567.timeDate - mac2unix;
307 * Assume this isn't a Peek classic file.
309 return WTAP_OPEN_NOT_MINE;
313 * This is a Peek classic file.
315 * At this point we have recognised the file type and have populated
316 * the whole ep_hdr structure in host byte order.
/* Per-file state; g_malloc() aborts on OOM rather than returning NULL.
 * Ownership goes to wth->priv, presumably released by the generic wiretap
 * close path. */
318 peekclassic = (peekclassic_t *)g_malloc(sizeof(peekclassic_t));
319 wth->priv = (void *)peekclassic;
320 peekclassic->reference_time = reference_time;
/* V5/V6 records carry a 26-byte header with a per-packet protocol number
 * (so the file encapsulation is per-packet); V7 records carry a 16-byte
 * header and use the file-level encapsulation chosen above. */
321 switch (ep_hdr.master.version) {
325 wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_PEEKCLASSIC_V56;
327 * XXX - can we get the file encapsulation from the
328 * header in the same way we do for V7 files?
330 wth->file_encap = WTAP_ENCAP_PER_PACKET;
331 wth->subtype_read = peekclassic_read_v56;
332 wth->subtype_seek_read = peekclassic_seek_read_v56;
336 wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_PEEKCLASSIC_V7;
337 wth->file_encap = file_encap;
338 wth->subtype_read = peekclassic_read_v7;
339 wth->subtype_seek_read = peekclassic_seek_read_v7;
/* Every other version value already returned NOT_MINE above. */
343 /* this is impossible */
344 g_assert_not_reached();
347 wth->snapshot_length = 0; /* not available in header */
348 wth->file_tsprec = WTAP_TSPREC_USEC;
350 return WTAP_OPEN_MINE;
/**
 * peekclassic_read_v7 - sequential read of one V7 record from wth->fh.
 *
 * Stores the record's starting offset in *data_offset (so seek_read can
 * return to it), parses the record with peekclassic_read_packet_v7(), then
 * consumes whatever part of the slice was not stored in the frame buffer
 * plus the padding byte of odd-length records, leaving the stream at the
 * next record.
 *
 * @return TRUE on success, FALSE on error or EOF with *err / *err_info set
 *         by the callee.
 */
353 static gboolean peekclassic_read_v7(wtap *wth, int *err, gchar **err_info,
358 *data_offset = file_tell(wth->fh);
360 /* Read the packet. */
/* sliceLength is the on-disk slice length; the parser may have reduced
 * phdr.caplen below it (e.g. for the 802.11 trailer bytes). */
361 sliceLength = peekclassic_read_packet_v7(wth, wth->fh, &wth->phdr,
362 wth->frame_buffer, err, err_info);
366 /* Skip extra ignored data at the end of the packet. */
/* Cast keeps the comparison unsigned; by here sliceLength is non-negative. */
367 if ((guint32)sliceLength > wth->phdr.caplen) {
368 if (!file_skip(wth->fh, sliceLength - wth->phdr.caplen, err))
372 /* Records are padded to an even length, so if the slice length
373 is odd, read the padding byte. */
374 if (sliceLength & 0x01) {
375 if (!file_skip(wth->fh, 1, err))
/**
 * peekclassic_seek_read_v7 - random-access read of the V7 record at seek_off.
 *
 * Seeks wth->random_fh to seek_off (an offset previously handed out via
 * *data_offset by peekclassic_read_v7()) and parses the record into
 * phdr / buf. No trailing-data or padding skip is needed here because the
 * random-access stream position is not reused.
 *
 * @return TRUE on success, FALSE with *err set otherwise.
 */
382 static gboolean peekclassic_seek_read_v7(wtap *wth, gint64 seek_off,
383 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info)
385 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
388 /* Read the packet. */
389 if (peekclassic_read_packet_v7(wth, wth->random_fh, phdr, buf,
390 err, err_info) == -1) {
/* Running out of data at a known record offset is a truncated file, not
 * a clean EOF, so presumably a zero *err from the callee is upgraded here. */
392 *err = WTAP_ERR_SHORT_READ;
/* Size of the private radio pseudo-header that precedes 802.11 frames. */
398 #define RADIO_INFO_SIZE 4
/**
 * peekclassic_read_packet_v7 - parse one V7 packet record from fh.
 *
 * Reads the 16-byte big-endian record header, converts the 64-bit
 * microsecond Mac-epoch timestamp into phdr->ts, fills in len / caplen,
 * applies the encapsulation-specific handling (for 802.11: a 4-byte radio
 * pseudo-header and 4 trailing bytes, both removed from len/caplen; for
 * Ethernet: FCS presence inferred from the status byte) and finally reads
 * phdr->caplen bytes of packet data into buf.
 *
 * @param wth   used only for wth->file_encap.
 * @param fh    stream to read from (sequential or random-access handle).
 * @return presumably the record's slice length on success (the sequential
 *         caller uses it as a byte count and skips the part beyond caplen)
 *         and -1 on error or EOF (both callers test for -1) — confirm
 *         against the return statements.
 */
400 static int peekclassic_read_packet_v7(wtap *wth, FILE_T fh,
401 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info)
403 guint8 ep_pkt[PEEKCLASSIC_V7_PKT_SIZE];
416 guint8 radio_info[RADIO_INFO_SIZE];
/* EOF exactly at a record boundary is presumably reported distinctly from
 * a short read by the _or_eof variant, so sequential reads can stop cleanly. */
418 if (!wtap_read_bytes_or_eof(fh, ep_pkt, sizeof(ep_pkt), err, err_info))
421 /* Extract the fields from the packet */
423 protoNum = pntoh16(&ep_pkt[PEEKCLASSIC_V7_PROTONUM_OFFSET]);
425 length = pntoh16(&ep_pkt[PEEKCLASSIC_V7_LENGTH_OFFSET]);
426 sliceLength = pntoh16(&ep_pkt[PEEKCLASSIC_V7_SLICE_LENGTH_OFFSET]);
428 flags = ep_pkt[PEEKCLASSIC_V7_FLAGS_OFFSET];
430 status = ep_pkt[PEEKCLASSIC_V7_STATUS_OFFSET];
431 timestamp = pntoh64(&ep_pkt[PEEKCLASSIC_V7_TIMESTAMP_OFFSET]);
433 /* force sliceLength to be the actual length of the packet */
434 if (0 == sliceLength) {
435 sliceLength = length;
438 * The maximum value of sliceLength and length are 65535, which
439 * are less than WTAP_MAX_PACKET_SIZE will ever be, so we don't
440 * need to check them.
/* NOTE(review): sliceLength is not checked against length, so a malformed
 * record can yield caplen > len — confirm whether downstream consumers
 * tolerate that. */
443 /* fill in packet header values */
444 phdr->rec_type = REC_TYPE_PACKET;
445 phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
/* Split the 64-bit microsecond value into seconds and microseconds.
 * NOTE(review): timestamp is file-supplied; for values above roughly
 * 9.2e18 us the product tsecs*1000000 overflows a 64-bit signed time_t
 * (undefined behaviour). Computing tusecs as timestamp % 1000000 would
 * avoid the multiplication entirely. */
446 tsecs = (time_t) (timestamp/1000000);
447 tusecs = (guint32) (timestamp - tsecs*1000000);
448 phdr->ts.secs = tsecs - mac2unix;
449 phdr->ts.nsecs = tusecs * 1000;
451 phdr->caplen = sliceLength;
453 switch (wth->file_encap) {
455 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
/* Start from an all-zero pseudo-header; only the fields the radio
 * header actually carries are marked present below. */
456 memset(&phdr->pseudo_header.ieee_802_11, 0, sizeof(phdr->pseudo_header.ieee_802_11));
457 phdr->pseudo_header.ieee_802_11.fcs_len = 0; /* no FCS */
458 phdr->pseudo_header.ieee_802_11.decrypted = FALSE;
459 phdr->pseudo_header.ieee_802_11.datapad = FALSE;
460 phdr->pseudo_header.ieee_802_11.phy = PHDR_802_11_PHY_UNKNOWN;
463 * Now process the radio information pseudo-header.
464 * It's a 4-byte pseudo-header, consisting of:
466 * 1 byte of data rate, in units of 500 kb/s;
468 * 1 byte of channel number;
470 * 1 byte of signal strength as a percentage of
471 * the maximum, i.e. (RXVECTOR RSSI/RXVECTOR RSSI_Max)*100,
472 * or, at least, that's what I infer it is, given what
473 * the WildPackets note "Converting Signal Strength
474 * Percentage to dBm Values" says (it also says that
475 * the conversion the percentage to a dBm value is
476 * an adapter-dependent process, so, as we don't know
477 * what type of adapter was used to do the capture,
478 * we can't do the conversion);
480 * 1 byte of unknown content (padding?).
/* len and caplen are unsigned: this guard must precede the subtractions
 * below, otherwise a short record would wrap them to huge values. */
482 if (phdr->len < RADIO_INFO_SIZE || phdr->caplen < RADIO_INFO_SIZE) {
483 *err = WTAP_ERR_BAD_FILE;
484 *err_info = g_strdup_printf("peekclassic: 802.11 packet has length < 4");
/* The radio header is consumed here, so it is not part of the packet. */
487 phdr->len -= RADIO_INFO_SIZE;
488 phdr->caplen -= RADIO_INFO_SIZE;
489 sliceLength -= RADIO_INFO_SIZE;
491 /* read the pseudo-header */
492 if (!wtap_read_bytes(fh, radio_info, RADIO_INFO_SIZE, err, err_info))
495 phdr->pseudo_header.ieee_802_11.has_data_rate = TRUE;
496 phdr->pseudo_header.ieee_802_11.data_rate = radio_info[0];
498 phdr->pseudo_header.ieee_802_11.has_channel = TRUE;
499 phdr->pseudo_header.ieee_802_11.channel = radio_info[1];
501 phdr->pseudo_header.ieee_802_11.has_signal_percent = TRUE;
502 phdr->pseudo_header.ieee_802_11.signal_percent = radio_info[2];
505 * The last 4 bytes appear to be random data - the length
506 * might include the FCS - so we reduce the length by 4.
508 * Or maybe this is just the same kind of random 4 bytes
509 * of junk at the end you get in Wireless Sniffer
/* Same guard for the 4 trailing bytes, which stay in the file after the
 * packet data; presumably the local sliceLength keeps counting them so
 * that peekclassic_read_v7() skips them via file_skip() — confirm against
 * the lines that follow this check. */
512 if (phdr->len < 4 || phdr->caplen < 4) {
513 *err = WTAP_ERR_BAD_FILE;
514 *err_info = g_strdup_printf("peekclassic: 802.11 packet has length < 8");
521 case WTAP_ENCAP_ETHERNET:
522 /* XXX - it appears that if the low-order bit of
523 "status" is 0, there's an FCS in this frame,
524 and if it's 1, there's 4 bytes of 0. */
525 phdr->pseudo_header.eth.fcs_len = (status & 0x01) ? 0 : 4;
529 /* read the packet data */
/* caplen is at most 65535 (16-bit field) minus the 802.11 adjustments. */
530 if (!wtap_read_packet_bytes(fh, buf, phdr->caplen, err, err_info))
/**
 * peekclassic_read_v56 - sequential read of one V5/V6 record from wth->fh.
 *
 * Records the starting offset in *data_offset and parses the record with
 * peekclassic_read_packet_v56(), which also reads the packet data into the
 * frame buffer.
 *
 * @return TRUE on success, FALSE on error or EOF with *err / *err_info set
 *         by the callee.
 */
536 static gboolean peekclassic_read_v56(wtap *wth, int *err, gchar **err_info,
539 *data_offset = file_tell(wth->fh);
541 /* read the packet */
542 if (!peekclassic_read_packet_v56(wth, wth->fh, &wth->phdr,
543 wth->frame_buffer, err, err_info))
547 * XXX - is the captured packet data padded to a multiple
/**
 * peekclassic_seek_read_v56 - random-access read of the V5/V6 record at
 * seek_off on wth->random_fh.
 *
 * A failure from peekclassic_read_packet_v56() at a known record offset
 * means the file is truncated, which is presumably why *err is forced to
 * WTAP_ERR_SHORT_READ here rather than left at the callee's value.
 *
 * @return TRUE on success, FALSE with *err set otherwise.
 */
553 static gboolean peekclassic_seek_read_v56(wtap *wth, gint64 seek_off,
554 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info)
556 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
559 /* read the packet */
560 if (!peekclassic_read_packet_v56(wth, wth->random_fh, phdr, buf,
563 *err = WTAP_ERR_SHORT_READ;
/**
 * peekclassic_read_packet_v56 - parse one V5/V6 packet record from fh.
 *
 * Reads the 26-byte big-endian record header (field offsets are the
 * PEEKCLASSIC_V56_*_OFFSET constants, used instead of a struct because the
 * 32-bit timestamp is only 16-bit aligned), derives the timestamp from the
 * per-file reference_time plus a millisecond offset, maps the protocol
 * number to a WTAP encapsulation via peekclassic_encap[], and reads
 * sliceLength bytes of packet data into buf.
 *
 * @param wth   supplies the per-file state in wth->priv.
 * @param fh    stream to read from (sequential or random-access handle).
 * @return TRUE on success, FALSE on error or EOF (*err / *err_info set by
 *         the read helpers).
 */
569 static gboolean peekclassic_read_packet_v56(wtap *wth, FILE_T fh,
570 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info)
572 peekclassic_t *peekclassic = (peekclassic_t *)wth->priv;
573 guint8 ep_pkt[PEEKCLASSIC_V56_PKT_SIZE];
591 if (!wtap_read_bytes_or_eof(fh, ep_pkt, sizeof(ep_pkt), err, err_info))
594 /* Extract the fields from the packet */
595 length = pntoh16(&ep_pkt[PEEKCLASSIC_V56_LENGTH_OFFSET]);
596 sliceLength = pntoh16(&ep_pkt[PEEKCLASSIC_V56_SLICE_LENGTH_OFFSET]);
598 flags = ep_pkt[PEEKCLASSIC_V56_FLAGS_OFFSET];
599 status = ep_pkt[PEEKCLASSIC_V56_STATUS_OFFSET];
/* Milliseconds relative to the file's reference time (not an absolute stamp). */
601 timestamp = pntoh32(&ep_pkt[PEEKCLASSIC_V56_TIMESTAMP_OFFSET]);
603 destNum = pntoh16(&ep_pkt[PEEKCLASSIC_V56_DESTNUM_OFFSET]);
604 srcNum = pntoh16(&ep_pkt[PEEKCLASSIC_V56_SRCNUM_OFFSET]);
606 protoNum = pntoh16(&ep_pkt[PEEKCLASSIC_V56_PROTONUM_OFFSET]);
/* Fixed-size protocol string occupying offsets 16..23 of the record;
 * the copy length is given on the continuation line. */
608 memcpy(protoStr, &ep_pkt[PEEKCLASSIC_V56_PROTOSTR_OFFSET],
613 * XXX - is the captured packet data padded to a multiple
617 /* force sliceLength to be the actual length of the packet */
618 if (0 == sliceLength) {
619 sliceLength = length;
622 * The maximum value of sliceLength and length are 65535, which
623 * are less than WTAP_MAX_PACKET_SIZE will ever be, so we don't
624 * need to check them.
/* NOTE(review): as in the V7 parser, sliceLength is not checked against
 * length, so caplen may exceed len for a malformed record — confirm
 * downstream tolerance. */
627 /* fill in packet header values */
628 phdr->rec_type = REC_TYPE_PACKET;
629 phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
630 /* timestamp is in milliseconds since reference_time */
631 phdr->ts.secs = peekclassic->reference_time + (timestamp / 1000);
/* (timestamp % 1000) < 1000, so the product stays below 1e9 and fits nsecs. */
632 phdr->ts.nsecs = 1000 * (timestamp % 1000) * 1000;
634 phdr->caplen = sliceLength;
/* Linear scan of the (currently one-entry) protocol table; unknown
 * protocol numbers keep WTAP_ENCAP_UNKNOWN. */
636 phdr->pkt_encap = WTAP_ENCAP_UNKNOWN;
637 for (i=0; i<NUM_PEEKCLASSIC_ENCAPS; i++) {
638 if (peekclassic_encap[i].protoNum == protoNum) {
639 phdr->pkt_encap = peekclassic_encap[i].encap;
643 switch (phdr->pkt_encap) {
645 case WTAP_ENCAP_ETHERNET:
646 /* We assume there's no FCS in this frame. */
647 phdr->pseudo_header.eth.fcs_len = 0;
651 /* read the packet data */
/* sliceLength == phdr->caplen here; at most 65535 bytes (16-bit field). */
652 return wtap_read_packet_bytes(fh, buf, sliceLength, err, err_info);
656 * Editor modelines - http://www.wireshark.org/tools/modelines.html
661 * indent-tabs-mode: t
664 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
665 * :indentSize=8:tabSize=8:noTabs=false: