wiretap/peekclassic.c

   1 /* peekclassic.c
   2  * Routines for opening files in what Savvius (formerly WildPackets) calls
   3  * the classic file format in the description of their "PeekRdr Sample
   4  * Application" (C++ source code to read their capture files, downloading
   5  * of which requires a maintenance contract, so it's not free as in beer
   6  * and probably not as in speech, either).
   7  *
   8  * As that description says, it's used by AiroPeek and AiroPeek NX prior
   9  * to 2.0, EtherPeek prior to 6.0, and EtherPeek NX prior to 3.0.  It
  10  * was probably also used by TokenPeek.
  11  *
  12  * This handles versions 5, 6, and 7 of that format (the format version
  13  * number is what appears in the file, and is distinct from the application
  14  * version number).
  15  *
  16  * Copyright (c) 2001, Daniel Thompson <d.thompson@gmx.net>
  17  *
  18  * Wiretap Library
  19  * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
  20  *
  21  * This program is free software; you can redistribute it and/or
  22  * modify it under the terms of the GNU General Public License
  23  * as published by the Free Software Foundation; either version 2
  24  * of the License, or (at your option) any later version.
  25  *
  26  * This program is distributed in the hope that it will be useful,
  27  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  28  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  29  * GNU General Public License for more details.
  30  *
  31  * You should have received a copy of the GNU General Public License
  32  * along with this program; if not, write to the Free Software
  33  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  34  */
  35
  36 #include "config.h"
  37 #include <errno.h>
  38 #include <string.h>
  39 #include "wtap-int.h"
  40 #include "file_wrappers.h"
  41 #include "peekclassic.h"
  42 /* CREDITS
  43  *
  44  * This file decoder could not have been writen without examining how
  45  * tcptrace (http://www.tcptrace.org/) handles EtherPeek files.
  46  */
  47
  48 /* master header */
  49 typedef struct peekclassic_master_header {
  50         guint8  version;
  51         guint8  status;
  52 } peekclassic_master_header_t;
  53 #define PEEKCLASSIC_MASTER_HDR_SIZE 2
  54
  55 /* secondary header (V5,V6,V7) */
  56 typedef struct peekclassic_v567_header {
  57         guint32 filelength;
  58         guint32 numPackets;
  59         guint32 timeDate;
  60         guint32 timeStart;
  61         guint32 timeStop;
  62         guint32 mediaType;  /* Media Type Ethernet=0 Token Ring = 1 */
  63         guint32 physMedium; /* Physical Medium native=0 802.1=1 */
  64         guint32 appVers;    /* App Version Number Maj.Min.Bug.Build */
  65         guint32 linkSpeed;  /* Link Speed Bits/sec */
  66         guint32 reserved[3];
  67 } peekclassic_v567_header_t;
  68 #define PEEKCLASSIC_V567_HDR_SIZE 48
  69
  70 /* full header */
  71 typedef struct peekclassic_header {
  72         peekclassic_master_header_t master;
  73         union {
  74                 peekclassic_v567_header_t v567;
  75         } secondary;
  76 } peekclassic_header_t;
  77
  78 /*
  79  * Packet header (V5, V6).
  80  *
  81  * NOTE: the time stamp, although it's a 32-bit number, is only aligned
  82  * on a 16-bit boundary.  (Does this date back to 68K Macs?  The 68000
  83  * only required 16-bit alignment of 32-bit quantities, as did the 68010,
  84  * and the 68020/68030/68040 required no alignment.)
  85  *
  86  * As such, we cannot declare this as a C structure, as compilers on
  87  * most platforms will put 2 bytes of padding before the time stamp to
  88  * align it on a 32-bit boundary.
  89  *
  90  * So, instead, we #define numbers as the offsets of the fields.
  91  */
  92 #define PEEKCLASSIC_V56_LENGTH_OFFSET           0
  93 #define PEEKCLASSIC_V56_SLICE_LENGTH_OFFSET     2
  94 #define PEEKCLASSIC_V56_FLAGS_OFFSET            4
  95 #define PEEKCLASSIC_V56_STATUS_OFFSET           5
  96 #define PEEKCLASSIC_V56_TIMESTAMP_OFFSET        6
  97 #define PEEKCLASSIC_V56_DESTNUM_OFFSET          10
  98 #define PEEKCLASSIC_V56_SRCNUM_OFFSET           12
  99 #define PEEKCLASSIC_V56_PROTONUM_OFFSET         14
 100 #define PEEKCLASSIC_V56_PROTOSTR_OFFSET         16
 101 #define PEEKCLASSIC_V56_FILTERNUM_OFFSET        24
 102 #define PEEKCLASSIC_V56_PKT_SIZE                26
 103
 104 /* 64-bit time in micro seconds from the (Mac) epoch */
 105 typedef struct peekclassic_utime {
 106         guint32 upper;
 107         guint32 lower;
 108 } peekclassic_utime;
 109
 110 /*
 111  * Packet header (V7).
 112  *
 113  * This doesn't have the same alignment problem, but we do it with
 114  * #defines anyway.
 115  */
 116 #define PEEKCLASSIC_V7_PROTONUM_OFFSET          0
 117 #define PEEKCLASSIC_V7_LENGTH_OFFSET            2
 118 #define PEEKCLASSIC_V7_SLICE_LENGTH_OFFSET      4
 119 #define PEEKCLASSIC_V7_FLAGS_OFFSET             6
 120 #define PEEKCLASSIC_V7_STATUS_OFFSET            7
 121 #define PEEKCLASSIC_V7_TIMESTAMP_OFFSET         8
 122 #define PEEKCLASSIC_V7_PKT_SIZE                 16
 123
 124 typedef struct peekclassic_encap_lookup {
 125         guint16 protoNum;
 126         int     encap;
 127 } peekclassic_encap_lookup_t;
 128
 129 static const unsigned int mac2unix = 2082844800u;
 130 static const peekclassic_encap_lookup_t peekclassic_encap[] = {
 131         { 1400, WTAP_ENCAP_ETHERNET }
 132 };
 133 #define NUM_PEEKCLASSIC_ENCAPS \
 134         (sizeof (peekclassic_encap) / sizeof (peekclassic_encap[0]))
 135
 136 typedef struct {
 137         time_t reference_time;
 138 } peekclassic_t;
 139
 140 static gboolean peekclassic_read_v7(wtap *wth, int *err, gchar **err_info,
 141     gint64 *data_offset);
 142 static gboolean peekclassic_seek_read_v7(wtap *wth, gint64 seek_off,
 143     struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
 144 static int peekclassic_read_packet_v7(wtap *wth, FILE_T fh,
 145     struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
 146 static gboolean peekclassic_read_v56(wtap *wth, int *err, gchar **err_info,
 147     gint64 *data_offset);
 148 static gboolean peekclassic_seek_read_v56(wtap *wth, gint64 seek_off,
 149     struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
 150 static gboolean peekclassic_read_packet_v56(wtap *wth, FILE_T fh,
 151     struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
 152
 153 wtap_open_return_val peekclassic_open(wtap *wth, int *err, gchar **err_info)
 154 {
 155         peekclassic_header_t ep_hdr;
 156         time_t reference_time;
 157         int file_encap;
 158         peekclassic_t *peekclassic;
 159
 160         /* Peek classic files do not start with a magic value large enough
 161          * to be unique; hence we use the following algorithm to determine
 162          * the type of an unknown file:
 163          *  - populate the master header and reject file if there is no match
 164          *  - populate the secondary header and check that the reserved space
 165          *      is zero, and check some other fields; this isn't perfect,
 166          *      and we may have to add more checks at some point.
 167          */
 168         g_assert(sizeof(ep_hdr.master) == PEEKCLASSIC_MASTER_HDR_SIZE);
 169         if (!wtap_read_bytes(wth->fh, &ep_hdr.master,
 170             (int)sizeof(ep_hdr.master), err, err_info)) {
 171                 if (*err != WTAP_ERR_SHORT_READ)
 172                         return WTAP_OPEN_ERROR;
 173                 return WTAP_OPEN_NOT_MINE;
 174         }
 175
 176         /*
 177          * It appears that EtherHelp (a free application from WildPackets
 178          * that did blind capture, saving to a file, so that you could
 179          * give the resulting file to somebody with EtherPeek) saved
 180          * captures in EtherPeek format except that it ORed the 0x80
 181          * bit on in the version number.
 182          *
 183          * We therefore strip off the 0x80 bit in the version number.
 184          * Perhaps there's some reason to care whether the capture
 185          * came from EtherHelp; if we discover one, we should check
 186          * that bit.
 187          */
 188         ep_hdr.master.version &= ~0x80;
 189
 190         /* switch on the file version */
 191         switch (ep_hdr.master.version) {
 192
 193         case 5:
 194         case 6:
 195         case 7:
 196                 /* get the secondary header */
 197                 g_assert(sizeof(ep_hdr.secondary.v567) ==
 198                         PEEKCLASSIC_V567_HDR_SIZE);
 199                 if (!wtap_read_bytes(wth->fh, &ep_hdr.secondary.v567,
 200                     (int)sizeof(ep_hdr.secondary.v567), err, err_info)) {
 201                         if (*err != WTAP_ERR_SHORT_READ)
 202                                 return WTAP_OPEN_ERROR;
 203                         return WTAP_OPEN_NOT_MINE;
 204                 }
 205
 206                 if ((0 != ep_hdr.secondary.v567.reserved[0]) ||
 207                     (0 != ep_hdr.secondary.v567.reserved[1]) ||
 208                     (0 != ep_hdr.secondary.v567.reserved[2])) {
 209                         /* still unknown */
 210                         return WTAP_OPEN_NOT_MINE;
 211                 }
 212
 213                 /*
 214                  * Check the mediaType and physMedium fields.
 215                  * We assume it's not a Peek classic file if
 216                  * these aren't values we know, rather than
 217                  * reporting them as invalid Peek classic files,
 218                  * as, given the lack of a magic number, we need
 219                  * all the checks we can get.
 220                  */
 221                 ep_hdr.secondary.v567.mediaType =
 222                     g_ntohl(ep_hdr.secondary.v567.mediaType);
 223                 ep_hdr.secondary.v567.physMedium =
 224                     g_ntohl(ep_hdr.secondary.v567.physMedium);
 225
 226                 switch (ep_hdr.secondary.v567.physMedium) {
 227
 228                 case 0:
 229                         /*
 230                          * "Native" format, presumably meaning
 231                          * Ethernet or Token Ring.
 232                          */
 233                         switch (ep_hdr.secondary.v567.mediaType) {
 234
 235                         case 0:
 236                                 file_encap = WTAP_ENCAP_ETHERNET;
 237                                 break;
 238
 239                         case 1:
 240                                 file_encap = WTAP_ENCAP_TOKEN_RING;
 241                                 break;
 242
 243                         default:
 244                                 /*
 245                                  * Assume this isn't a Peek classic file.
 246                                  */
 247                                 return WTAP_OPEN_NOT_MINE;
 248                         }
 249                         break;
 250
 251                 case 1:
 252                         switch (ep_hdr.secondary.v567.mediaType) {
 253
 254                         case 0:
 255                                 /*
 256                                  * 802.11, with a private header giving
 257                                  * some radio information.  Presumably
 258                                  * this is from AiroPeek.
 259                                  */
 260                                 file_encap = WTAP_ENCAP_IEEE_802_11_WITH_RADIO;
 261                                 break;
 262
 263                         default:
 264                                 /*
 265                                  * Assume this isn't a Peek classic file.
 266                                  */
 267                                 return WTAP_OPEN_NOT_MINE;
 268                         }
 269                         break;
 270
 271                 default:
 272                         /*
 273                          * Assume this isn't a Peek classic file.
 274                          */
 275                         return WTAP_OPEN_NOT_MINE;
 276                 }
 277
 278
 279                 /*
 280                  * Assume this is a V5, V6 or V7 Peek classic file, and
 281                  * byte swap the rest of the fields in the secondary header.
 282                  *
 283                  * XXX - we could check the file length if the file were
 284                  * uncompressed, but it might be compressed.
 285                  */
 286                 ep_hdr.secondary.v567.filelength =
 287                     g_ntohl(ep_hdr.secondary.v567.filelength);
 288                 ep_hdr.secondary.v567.numPackets =
 289                     g_ntohl(ep_hdr.secondary.v567.numPackets);
 290                 ep_hdr.secondary.v567.timeDate =
 291                     g_ntohl(ep_hdr.secondary.v567.timeDate);
 292                 ep_hdr.secondary.v567.timeStart =
 293                     g_ntohl(ep_hdr.secondary.v567.timeStart);
 294                 ep_hdr.secondary.v567.timeStop =
 295                     g_ntohl(ep_hdr.secondary.v567.timeStop);
 296                 ep_hdr.secondary.v567.appVers =
 297                     g_ntohl(ep_hdr.secondary.v567.appVers);
 298                 ep_hdr.secondary.v567.linkSpeed =
 299                     g_ntohl(ep_hdr.secondary.v567.linkSpeed);
 300
 301                 /* Get the reference time as a time_t */
 302                 reference_time = ep_hdr.secondary.v567.timeDate - mac2unix;
 303                 break;
 304
 305         default:
 306                 /*
 307                  * Assume this isn't a Peek classic file.
 308                  */
 309                 return WTAP_OPEN_NOT_MINE;
 310         }
 311
 312         /*
 313          * This is a Peek classic file.
 314          *
 315          * At this point we have recognised the file type and have populated
 316          * the whole ep_hdr structure in host byte order.
 317          */
 318         peekclassic = (peekclassic_t *)g_malloc(sizeof(peekclassic_t));
 319         wth->priv = (void *)peekclassic;
 320         peekclassic->reference_time = reference_time;
 321         switch (ep_hdr.master.version) {
 322
 323         case 5:
 324         case 6:
 325                 wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_PEEKCLASSIC_V56;
 326                 /*
 327                  * XXX - can we get the file encapsulation from the
 328                  * header in the same way we do for V7 files?
 329                  */
 330                 wth->file_encap = WTAP_ENCAP_PER_PACKET;
 331                 wth->subtype_read = peekclassic_read_v56;
 332                 wth->subtype_seek_read = peekclassic_seek_read_v56;
 333                 break;
 334
 335         case 7:
 336                 wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_PEEKCLASSIC_V7;
 337                 wth->file_encap = file_encap;
 338                 wth->subtype_read = peekclassic_read_v7;
 339                 wth->subtype_seek_read = peekclassic_seek_read_v7;
 340                 break;
 341
 342         default:
 343                 /* this is impossible */
 344                 g_assert_not_reached();
 345         }
 346
 347         wth->snapshot_length   = 0; /* not available in header */
 348         wth->file_tsprec = WTAP_TSPREC_USEC;
 349
 350         return WTAP_OPEN_MINE;
 351 }
 352
 353 static gboolean peekclassic_read_v7(wtap *wth, int *err, gchar **err_info,
 354     gint64 *data_offset)
 355 {
 356         int sliceLength;
 357
 358         *data_offset = file_tell(wth->fh);
 359
 360         /* Read the packet. */
 361         sliceLength = peekclassic_read_packet_v7(wth, wth->fh, &wth->phdr,
 362             wth->frame_buffer, err, err_info);
 363         if (sliceLength < 0)
 364                 return FALSE;
 365
 366         /* Skip extra ignored data at the end of the packet. */
 367         if ((guint32)sliceLength > wth->phdr.caplen) {
 368                 if (!file_skip(wth->fh, sliceLength - wth->phdr.caplen, err))
 369                         return FALSE;
 370         }
 371
 372         /* Records are padded to an even length, so if the slice length
 373            is odd, read the padding byte. */
 374         if (sliceLength & 0x01) {
 375                 if (!file_skip(wth->fh, 1, err))
 376                         return FALSE;
 377         }
 378
 379         return TRUE;
 380 }
 381
 382 static gboolean peekclassic_seek_read_v7(wtap *wth, gint64 seek_off,
 383     struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info)
 384 {
 385         if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
 386                 return FALSE;
 387
 388         /* Read the packet. */
 389         if (peekclassic_read_packet_v7(wth, wth->random_fh, phdr, buf,
 390             err, err_info) == -1) {
 391                 if (*err == 0)
 392                         *err = WTAP_ERR_SHORT_READ;
 393                 return FALSE;
 394         }
 395         return TRUE;
 396 }
 397
 398 #define RADIO_INFO_SIZE 4
 399
 400 static int peekclassic_read_packet_v7(wtap *wth, FILE_T fh,
 401     struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info)
 402 {
 403         guint8 ep_pkt[PEEKCLASSIC_V7_PKT_SIZE];
 404 #if 0
 405         guint16 protoNum;
 406 #endif
 407         guint16 length;
 408         guint16 sliceLength;
 409 #if 0
 410         guint8  flags;
 411 #endif
 412         guint8  status;
 413         guint64 timestamp;
 414         time_t tsecs;
 415         guint32 tusecs;
 416         guint8 radio_info[RADIO_INFO_SIZE];
 417
 418         if (!wtap_read_bytes_or_eof(fh, ep_pkt, sizeof(ep_pkt), err, err_info))
 419                 return -1;
 420
 421         /* Extract the fields from the packet */
 422 #if 0
 423         protoNum = pntoh16(&ep_pkt[PEEKCLASSIC_V7_PROTONUM_OFFSET]);
 424 #endif
 425         length = pntoh16(&ep_pkt[PEEKCLASSIC_V7_LENGTH_OFFSET]);
 426         sliceLength = pntoh16(&ep_pkt[PEEKCLASSIC_V7_SLICE_LENGTH_OFFSET]);
 427 #if 0
 428         flags = ep_pkt[PEEKCLASSIC_V7_FLAGS_OFFSET];
 429 #endif
 430         status = ep_pkt[PEEKCLASSIC_V7_STATUS_OFFSET];
 431         timestamp = pntoh64(&ep_pkt[PEEKCLASSIC_V7_TIMESTAMP_OFFSET]);
 432
 433         /* force sliceLength to be the actual length of the packet */
 434         if (0 == sliceLength) {
 435                 sliceLength = length;
 436         }
 437         /*
 438          * The maximum value of sliceLength and length are 65535, which
 439          * are less than WTAP_MAX_PACKET_SIZE will ever be, so we don't
 440          * need to check them.
 441          */
 442
 443         /* fill in packet header values */
 444         phdr->rec_type = REC_TYPE_PACKET;
 445         phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
 446         tsecs = (time_t) (timestamp/1000000);
 447         tusecs = (guint32) (timestamp - tsecs*1000000);
 448         phdr->ts.secs  = tsecs - mac2unix;
 449         phdr->ts.nsecs = tusecs * 1000;
 450         phdr->len    = length;
 451         phdr->caplen = sliceLength;
 452
 453         switch (wth->file_encap) {
 454
 455         case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
 456                 memset(&phdr->pseudo_header.ieee_802_11, 0, sizeof(phdr->pseudo_header.ieee_802_11));
 457                 phdr->pseudo_header.ieee_802_11.fcs_len = 0;            /* no FCS */
 458                 phdr->pseudo_header.ieee_802_11.decrypted = FALSE;
 459                 phdr->pseudo_header.ieee_802_11.datapad = FALSE;
 460                 phdr->pseudo_header.ieee_802_11.phy = PHDR_802_11_PHY_UNKNOWN;
 461
 462                 /*
 463                  * Now process the radio information pseudo-header.
 464                  * It's a 4-byte pseudo-header, consisting of:
 465                  *
 466                  *   1 byte of data rate, in units of 500 kb/s;
 467                  *
 468                  *   1 byte of channel number;
 469                  *
 470                  *   1 byte of signal strength as a percentage of
 471                  *   the maximum, i.e. (RXVECTOR RSSI/RXVECTOR RSSI_Max)*100,
 472                  *   or, at least, that's what I infer it is, given what
 473                  *   the WildPackets note "Converting Signal Strength
 474                  *   Percentage to dBm Values" says (it also says that
 475                  *   the conversion the percentage to a dBm value is
 476                  *   an adapter-dependent process, so, as we don't know
 477                  *   what type of adapter was used to do the capture,
 478                  *   we can't do the conversion);
 479                  *
 480                  *   1 byte of unknown content (padding?).
 481                  */
 482                 if (phdr->len < RADIO_INFO_SIZE || phdr->caplen < RADIO_INFO_SIZE) {
 483                         *err = WTAP_ERR_BAD_FILE;
 484                         *err_info = g_strdup_printf("peekclassic: 802.11 packet has length < 4");
 485                         return -1;
 486                 }
 487                 phdr->len -= RADIO_INFO_SIZE;
 488                 phdr->caplen -= RADIO_INFO_SIZE;
 489                 sliceLength -= RADIO_INFO_SIZE;
 490
 491                 /* read the pseudo-header */
 492                 if (!wtap_read_bytes(fh, radio_info, RADIO_INFO_SIZE, err, err_info))
 493                         return -1;
 494
 495                 phdr->pseudo_header.ieee_802_11.has_data_rate = TRUE;
 496                 phdr->pseudo_header.ieee_802_11.data_rate = radio_info[0];
 497
 498                 phdr->pseudo_header.ieee_802_11.has_channel = TRUE;
 499                 phdr->pseudo_header.ieee_802_11.channel = radio_info[1];
 500
 501                 phdr->pseudo_header.ieee_802_11.has_signal_percent = TRUE;
 502                 phdr->pseudo_header.ieee_802_11.signal_percent = radio_info[2];
 503
 504                 /*
 505                  * The last 4 bytes appear to be random data - the length
 506                  * might include the FCS - so we reduce the length by 4.
 507                  *
 508                  * Or maybe this is just the same kind of random 4 bytes
 509                  * of junk at the end you get in Wireless Sniffer
 510                  * captures.
 511                  */
 512                 if (phdr->len < 4 || phdr->caplen < 4) {
 513                         *err = WTAP_ERR_BAD_FILE;
 514                         *err_info = g_strdup_printf("peekclassic: 802.11 packet has length < 8");
 515                         return -1;
 516                 }
 517                 phdr->len -= 4;
 518                 phdr->caplen -= 4;
 519                 break;
 520
 521         case WTAP_ENCAP_ETHERNET:
 522                 /* XXX - it appears that if the low-order bit of
 523                    "status" is 0, there's an FCS in this frame,
 524                    and if it's 1, there's 4 bytes of 0. */
 525                 phdr->pseudo_header.eth.fcs_len = (status & 0x01) ? 0 : 4;
 526                 break;
 527         }
 528
 529         /* read the packet data */
 530         if (!wtap_read_packet_bytes(fh, buf, phdr->caplen, err, err_info))
 531                 return -1;
 532
 533         return sliceLength;
 534 }
 535
 536 static gboolean peekclassic_read_v56(wtap *wth, int *err, gchar **err_info,
 537     gint64 *data_offset)
 538 {
 539         *data_offset = file_tell(wth->fh);
 540
 541         /* read the packet */
 542         if (!peekclassic_read_packet_v56(wth, wth->fh, &wth->phdr,
 543             wth->frame_buffer, err, err_info))
 544                 return FALSE;
 545
 546         /*
 547          * XXX - is the captured packet data padded to a multiple
 548          * of 2 bytes?
 549          */
 550         return TRUE;
 551 }
 552
 553 static gboolean peekclassic_seek_read_v56(wtap *wth, gint64 seek_off,
 554     struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info)
 555 {
 556         if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
 557                 return FALSE;
 558
 559         /* read the packet */
 560         if (!peekclassic_read_packet_v56(wth, wth->random_fh, phdr, buf,
 561             err, err_info)) {
 562                 if (*err == 0)
 563                         *err = WTAP_ERR_SHORT_READ;
 564                 return FALSE;
 565         }
 566         return TRUE;
 567 }
 568
 569 static gboolean peekclassic_read_packet_v56(wtap *wth, FILE_T fh,
 570     struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info)
 571 {
 572         peekclassic_t *peekclassic = (peekclassic_t *)wth->priv;
 573         guint8 ep_pkt[PEEKCLASSIC_V56_PKT_SIZE];
 574         guint16 length;
 575         guint16 sliceLength;
 576 #if 0
 577         guint8  flags;
 578         guint8  status;
 579 #endif
 580         guint32 timestamp;
 581 #if 0
 582         guint16 destNum;
 583         guint16 srcNum;
 584 #endif
 585         guint16 protoNum;
 586 #if 0
 587         char    protoStr[8];
 588 #endif
 589         unsigned int i;
 590
 591         if (!wtap_read_bytes_or_eof(fh, ep_pkt, sizeof(ep_pkt), err, err_info))
 592                 return FALSE;
 593
 594         /* Extract the fields from the packet */
 595         length = pntoh16(&ep_pkt[PEEKCLASSIC_V56_LENGTH_OFFSET]);
 596         sliceLength = pntoh16(&ep_pkt[PEEKCLASSIC_V56_SLICE_LENGTH_OFFSET]);
 597 #if 0
 598         flags = ep_pkt[PEEKCLASSIC_V56_FLAGS_OFFSET];
 599         status = ep_pkt[PEEKCLASSIC_V56_STATUS_OFFSET];
 600 #endif
 601         timestamp = pntoh32(&ep_pkt[PEEKCLASSIC_V56_TIMESTAMP_OFFSET]);
 602 #if 0
 603         destNum = pntoh16(&ep_pkt[PEEKCLASSIC_V56_DESTNUM_OFFSET]);
 604         srcNum = pntoh16(&ep_pkt[PEEKCLASSIC_V56_SRCNUM_OFFSET]);
 605 #endif
 606         protoNum = pntoh16(&ep_pkt[PEEKCLASSIC_V56_PROTONUM_OFFSET]);
 607 #if 0
 608         memcpy(protoStr, &ep_pkt[PEEKCLASSIC_V56_PROTOSTR_OFFSET],
 609             sizeof protoStr);
 610 #endif
 611
 612         /*
 613          * XXX - is the captured packet data padded to a multiple
 614          * of 2 bytes?
 615          */
 616
 617         /* force sliceLength to be the actual length of the packet */
 618         if (0 == sliceLength) {
 619                 sliceLength = length;
 620         }
 621         /*
 622          * The maximum value of sliceLength and length are 65535, which
 623          * are less than WTAP_MAX_PACKET_SIZE will ever be, so we don't
 624          * need to check them.
 625          */
 626
 627         /* fill in packet header values */
 628         phdr->rec_type = REC_TYPE_PACKET;
 629         phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
 630         /* timestamp is in milliseconds since reference_time */
 631         phdr->ts.secs  = peekclassic->reference_time + (timestamp / 1000);
 632         phdr->ts.nsecs = 1000 * (timestamp % 1000) * 1000;
 633         phdr->len      = length;
 634         phdr->caplen   = sliceLength;
 635
 636         phdr->pkt_encap = WTAP_ENCAP_UNKNOWN;
 637         for (i=0; i<NUM_PEEKCLASSIC_ENCAPS; i++) {
 638                 if (peekclassic_encap[i].protoNum == protoNum) {
 639                         phdr->pkt_encap = peekclassic_encap[i].encap;
 640                 }
 641         }
 642
 643         switch (phdr->pkt_encap) {
 644
 645         case WTAP_ENCAP_ETHERNET:
 646                 /* We assume there's no FCS in this frame. */
 647                 phdr->pseudo_header.eth.fcs_len = 0;
 648                 break;
 649         }
 650
 651         /* read the packet data */
 652         return wtap_read_packet_bytes(fh, buf, sliceLength, err, err_info);
 653 }
 654
 655 /*
 656  * Editor modelines  -  http://www.wireshark.org/tools/modelines.html
 657  *
 658  * Local variables:
 659  * c-basic-offset: 8
 660  * tab-width: 8
 661  * indent-tabs-mode: t
 662  * End:
 663  *
 664  * vi: set shiftwidth=8 tabstop=8 noexpandtab:
 665  * :indentSize=8:tabSize=8:noTabs=false:
 666  */