wiretap/peekclassic.c

   1 /* peekclassic.c
   2  * Routines for opening files in what Savvius (formerly WildPackets) calls
   3  * the classic file format in the description of their "PeekRdr Sample
   4  * Application" (C++ source code to read their capture files, downloading
   5  * of which requires a maintenance contract, so it's not free as in beer
   6  * and probably not as in speech, either).
   7  *
   8  * As that description says, it's used by AiroPeek and AiroPeek NX prior
   9  * to 2.0, EtherPeek prior to 6.0, and EtherPeek NX prior to 3.0.  It
  10  * was probably also used by TokenPeek.
  11  *
  12  * This handles versions 5, 6, and 7 of that format (the format version
  13  * number is what appears in the file, and is distinct from the application
  14  * version number).
  15  *
  16  * Copyright (c) 2001, Daniel Thompson <d.thompson@gmx.net>
  17  *
  18  * Wiretap Library
  19  * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
  20  *
  21  * This program is free software; you can redistribute it and/or
  22  * modify it under the terms of the GNU General Public License
  23  * as published by the Free Software Foundation; either version 2
  24  * of the License, or (at your option) any later version.
  25  *
  26  * This program is distributed in the hope that it will be useful,
  27  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  28  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  29  * GNU General Public License for more details.
  30  *
  31  * You should have received a copy of the GNU General Public License
  32  * along with this program; if not, write to the Free Software
  33  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  34  */
  35
  36 #include "config.h"
  37 #include <errno.h>
  38 #include <string.h>
  39 #include "wtap-int.h"
  40 #include "file_wrappers.h"
  41 #include "peekclassic.h"
  42 /* CREDITS
  43  *
  44  * This file decoder could not have been writen without examining how
  45  * tcptrace (http://www.tcptrace.org/) handles EtherPeek files.
  46  */
  47
  48 /* master header */
  49 typedef struct peekclassic_master_header {
  50         guint8  version;
  51         guint8  status;
  52 } peekclassic_master_header_t;
  53 #define PEEKCLASSIC_MASTER_HDR_SIZE 2
  54
  55 /* secondary header (V5,V6,V7) */
  56 typedef struct peekclassic_v567_header {
  57         guint32 filelength;
  58         guint32 numPackets;
  59         guint32 timeDate;
  60         guint32 timeStart;
  61         guint32 timeStop;
  62         guint32 mediaType;  /* Media Type Ethernet=0 Token Ring = 1 */
  63         guint32 physMedium; /* Physical Medium native=0 802.1=1 */
  64         guint32 appVers;    /* App Version Number Maj.Min.Bug.Build */
  65         guint32 linkSpeed;  /* Link Speed Bits/sec */
  66         guint32 reserved[3];
  67 } peekclassic_v567_header_t;
  68 #define PEEKCLASSIC_V567_HDR_SIZE 48
  69
  70 /* full header */
  71 typedef struct peekclassic_header {
  72         peekclassic_master_header_t master;
  73         union {
  74                 peekclassic_v567_header_t v567;
  75         } secondary;
  76 } peekclassic_header_t;
  77
  78 /*
  79  * Packet header (V5, V6).
  80  *
  81  * NOTE: the time stamp, although it's a 32-bit number, is only aligned
  82  * on a 16-bit boundary.  (Does this date back to 68K Macs?  The 68000
  83  * only required 16-bit alignment of 32-bit quantities, as did the 68010,
  84  * and the 68020/68030/68040 required no alignment.)
  85  *
  86  * As such, we cannot declare this as a C structure, as compilers on
  87  * most platforms will put 2 bytes of padding before the time stamp to
  88  * align it on a 32-bit boundary.
  89  *
  90  * So, instead, we #define numbers as the offsets of the fields.
  91  */
  92 #define PEEKCLASSIC_V56_LENGTH_OFFSET           0
  93 #define PEEKCLASSIC_V56_SLICE_LENGTH_OFFSET     2
  94 #define PEEKCLASSIC_V56_FLAGS_OFFSET            4
  95 #define PEEKCLASSIC_V56_STATUS_OFFSET           5
  96 #define PEEKCLASSIC_V56_TIMESTAMP_OFFSET        6
  97 #define PEEKCLASSIC_V56_DESTNUM_OFFSET          10
  98 #define PEEKCLASSIC_V56_SRCNUM_OFFSET           12
  99 #define PEEKCLASSIC_V56_PROTONUM_OFFSET         14
 100 #define PEEKCLASSIC_V56_PROTOSTR_OFFSET         16
 101 #define PEEKCLASSIC_V56_FILTERNUM_OFFSET        24
 102 #define PEEKCLASSIC_V56_PKT_SIZE                26
 103
 104 /* 64-bit time in micro seconds from the (Mac) epoch */
 105 typedef struct peekclassic_utime {
 106         guint32 upper;
 107         guint32 lower;
 108 } peekclassic_utime;
 109
 110 /*
 111  * Packet header (V7).
 112  *
 113  * This doesn't have the same alignment problem, but we do it with
 114  * #defines anyway.
 115  */
 116 #define PEEKCLASSIC_V7_PROTONUM_OFFSET          0
 117 #define PEEKCLASSIC_V7_LENGTH_OFFSET            2
 118 #define PEEKCLASSIC_V7_SLICE_LENGTH_OFFSET      4
 119 #define PEEKCLASSIC_V7_FLAGS_OFFSET             6
 120 #define PEEKCLASSIC_V7_STATUS_OFFSET            7
 121 #define PEEKCLASSIC_V7_TIMESTAMP_OFFSET         8
 122 #define PEEKCLASSIC_V7_PKT_SIZE                 16
 123
 124 typedef struct peekclassic_encap_lookup {
 125         guint16 protoNum;
 126         int     encap;
 127 } peekclassic_encap_lookup_t;
 128
 129 static const unsigned int mac2unix = 2082844800u;
 130 static const peekclassic_encap_lookup_t peekclassic_encap[] = {
 131         { 1400, WTAP_ENCAP_ETHERNET }
 132 };
 133 #define NUM_PEEKCLASSIC_ENCAPS \
 134         (sizeof (peekclassic_encap) / sizeof (peekclassic_encap[0]))
 135
 136 typedef struct {
 137         time_t reference_time;
 138 } peekclassic_t;
 139
 140 static gboolean peekclassic_read_v7(wtap *wth, int *err, gchar **err_info,
 141     gint64 *data_offset);
 142 static gboolean peekclassic_seek_read_v7(wtap *wth, gint64 seek_off,
 143     struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
 144 static int peekclassic_read_packet_v7(wtap *wth, FILE_T fh,
 145     struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
 146 static gboolean peekclassic_read_v56(wtap *wth, int *err, gchar **err_info,
 147     gint64 *data_offset);
 148 static gboolean peekclassic_seek_read_v56(wtap *wth, gint64 seek_off,
 149     struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
 150 static gboolean peekclassic_read_packet_v56(wtap *wth, FILE_T fh,
 151     struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
 152
 153 wtap_open_return_val peekclassic_open(wtap *wth, int *err, gchar **err_info)
 154 {
 155         peekclassic_header_t ep_hdr;
 156         time_t reference_time;
 157         int file_encap;
 158         peekclassic_t *peekclassic;
 159
 160         /* Peek classic files do not start with a magic value large enough
 161          * to be unique; hence we use the following algorithm to determine
 162          * the type of an unknown file:
 163          *  - populate the master header and reject file if there is no match
 164          *  - populate the secondary header and check that the reserved space
 165          *      is zero, and check some other fields; this isn't perfect,
 166          *      and we may have to add more checks at some point.
 167          */
 168         g_assert(sizeof(ep_hdr.master) == PEEKCLASSIC_MASTER_HDR_SIZE);
 169         if (!wtap_read_bytes(wth->fh, &ep_hdr.master,
 170             (int)sizeof(ep_hdr.master), err, err_info)) {
 171                 if (*err != WTAP_ERR_SHORT_READ)
 172                         return WTAP_OPEN_ERROR;
 173                 return WTAP_OPEN_NOT_MINE;
 174         }
 175
 176         /*
 177          * It appears that EtherHelp (a free application from WildPackets
 178          * that did blind capture, saving to a file, so that you could
 179          * give the resulting file to somebody with EtherPeek) saved
 180          * captures in EtherPeek format except that it ORed the 0x80
 181          * bit on in the version number.
 182          *
 183          * We therefore strip off the 0x80 bit in the version number.
 184          * Perhaps there's some reason to care whether the capture
 185          * came from EtherHelp; if we discover one, we should check
 186          * that bit.
 187          */
 188         ep_hdr.master.version &= ~0x80;
 189
 190         /* switch on the file version */
 191         switch (ep_hdr.master.version) {
 192
 193         case 5:
 194         case 6:
 195         case 7:
 196                 /* get the secondary header */
 197                 g_assert(sizeof(ep_hdr.secondary.v567) ==
 198                         PEEKCLASSIC_V567_HDR_SIZE);
 199                 if (!wtap_read_bytes(wth->fh, &ep_hdr.secondary.v567,
 200                     (int)sizeof(ep_hdr.secondary.v567), err, err_info)) {
 201                         if (*err != WTAP_ERR_SHORT_READ)
 202                                 return WTAP_OPEN_ERROR;
 203                         return WTAP_OPEN_NOT_MINE;
 204                 }
 205
 206                 if ((0 != ep_hdr.secondary.v567.reserved[0]) ||
 207                     (0 != ep_hdr.secondary.v567.reserved[1]) ||
 208                     (0 != ep_hdr.secondary.v567.reserved[2])) {
 209                         /* still unknown */
 210                         return WTAP_OPEN_NOT_MINE;
 211                 }
 212
 213                 /*
 214                  * Check the mediaType and physMedium fields.
 215                  * We assume it's not a Peek classic file if
 216                  * these aren't values we know, rather than
 217                  * reporting them as invalid Peek classic files,
 218                  * as, given the lack of a magic number, we need
 219                  * all the checks we can get.
 220                  */
 221                 ep_hdr.secondary.v567.mediaType =
 222                     g_ntohl(ep_hdr.secondary.v567.mediaType);
 223                 ep_hdr.secondary.v567.physMedium =
 224                     g_ntohl(ep_hdr.secondary.v567.physMedium);
 225
 226                 switch (ep_hdr.secondary.v567.physMedium) {
 227
 228                 case 0:
 229                         /*
 230                          * "Native" format, presumably meaning
 231                          * Ethernet or Token Ring.
 232                          */
 233                         switch (ep_hdr.secondary.v567.mediaType) {
 234
 235                         case 0:
 236                                 file_encap = WTAP_ENCAP_ETHERNET;
 237                                 break;
 238
 239                         case 1:
 240                                 file_encap = WTAP_ENCAP_TOKEN_RING;
 241                                 break;
 242
 243                         default:
 244                                 /*
 245                                  * Assume this isn't a Peek classic file.
 246                                  */
 247                                 return WTAP_OPEN_NOT_MINE;
 248                         }
 249                         break;
 250
 251                 case 1:
 252                         switch (ep_hdr.secondary.v567.mediaType) {
 253
 254                         case 0:
 255                                 /*
 256                                  * 802.11, with a private header giving
 257                                  * some radio information.  Presumably
 258                                  * this is from AiroPeek.
 259                                  */
 260                                 file_encap = WTAP_ENCAP_IEEE_802_11_WITH_RADIO;
 261                                 break;
 262
 263                         default:
 264                                 /*
 265                                  * Assume this isn't a Peek classic file.
 266                                  */
 267                                 return WTAP_OPEN_NOT_MINE;
 268                         }
 269                         break;
 270
 271                 default:
 272                         /*
 273                          * Assume this isn't a Peek classic file.
 274                          */
 275                         return WTAP_OPEN_NOT_MINE;
 276                 }
 277
 278
 279                 /*
 280                  * Assume this is a V5, V6 or V7 Peek classic file, and
 281                  * byte swap the rest of the fields in the secondary header.
 282                  *
 283                  * XXX - we could check the file length if the file were
 284                  * uncompressed, but it might be compressed.
 285                  */
 286                 ep_hdr.secondary.v567.filelength =
 287                     g_ntohl(ep_hdr.secondary.v567.filelength);
 288                 ep_hdr.secondary.v567.numPackets =
 289                     g_ntohl(ep_hdr.secondary.v567.numPackets);
 290                 ep_hdr.secondary.v567.timeDate =
 291                     g_ntohl(ep_hdr.secondary.v567.timeDate);
 292                 ep_hdr.secondary.v567.timeStart =
 293                     g_ntohl(ep_hdr.secondary.v567.timeStart);
 294                 ep_hdr.secondary.v567.timeStop =
 295                     g_ntohl(ep_hdr.secondary.v567.timeStop);
 296                 ep_hdr.secondary.v567.appVers =
 297                     g_ntohl(ep_hdr.secondary.v567.appVers);
 298                 ep_hdr.secondary.v567.linkSpeed =
 299                     g_ntohl(ep_hdr.secondary.v567.linkSpeed);
 300
 301                 /* Get the reference time as a time_t */
 302                 reference_time = ep_hdr.secondary.v567.timeDate - mac2unix;
 303                 break;
 304
 305         default:
 306                 /*
 307                  * Assume this isn't a Peek classic file.
 308                  */
 309                 return WTAP_OPEN_NOT_MINE;
 310         }
 311
 312         /*
 313          * This is a Peek classic file.
 314          *
 315          * At this point we have recognised the file type and have populated
 316          * the whole ep_hdr structure in host byte order.
 317          */
 318         peekclassic = (peekclassic_t *)g_malloc(sizeof(peekclassic_t));
 319         wth->priv = (void *)peekclassic;
 320         peekclassic->reference_time = reference_time;
 321         switch (ep_hdr.master.version) {
 322
 323         case 5:
 324         case 6:
 325                 wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_PEEKCLASSIC_V56;
 326                 /*
 327                  * XXX - can we get the file encapsulation from the
 328                  * header in the same way we do for V7 files?
 329                  */
 330                 wth->file_encap = WTAP_ENCAP_PER_PACKET;
 331                 wth->subtype_read = peekclassic_read_v56;
 332                 wth->subtype_seek_read = peekclassic_seek_read_v56;
 333                 break;
 334
 335         case 7:
 336                 wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_PEEKCLASSIC_V7;
 337                 wth->file_encap = file_encap;
 338                 wth->subtype_read = peekclassic_read_v7;
 339                 wth->subtype_seek_read = peekclassic_seek_read_v7;
 340                 break;
 341
 342         default:
 343                 /* this is impossible */
 344                 g_assert_not_reached();
 345         }
 346
 347         wth->snapshot_length   = 0; /* not available in header */
 348         wth->file_tsprec = WTAP_TSPREC_USEC;
 349
 350         return WTAP_OPEN_MINE;
 351 }
 352
 353 static gboolean peekclassic_read_v7(wtap *wth, int *err, gchar **err_info,
 354     gint64 *data_offset)
 355 {
 356         int sliceLength;
 357
 358         *data_offset = file_tell(wth->fh);
 359
 360         /* Read the packet. */
 361         sliceLength = peekclassic_read_packet_v7(wth, wth->fh, &wth->phdr,
 362             wth->frame_buffer, err, err_info);
 363         if (sliceLength < 0)
 364                 return FALSE;
 365
 366         /* Skip extra ignored data at the end of the packet. */
 367         if ((guint32)sliceLength > wth->phdr.caplen) {
 368                 if (!wtap_read_bytes(wth->fh, NULL, sliceLength - wth->phdr.caplen,
 369                     err, err_info))
 370                         return FALSE;
 371         }
 372
 373         /* Records are padded to an even length, so if the slice length
 374            is odd, read the padding byte. */
 375         if (sliceLength & 0x01) {
 376                 if (!wtap_read_bytes(wth->fh, NULL, 1, err, err_info))
 377                         return FALSE;
 378         }
 379
 380         return TRUE;
 381 }
 382
 383 static gboolean peekclassic_seek_read_v7(wtap *wth, gint64 seek_off,
 384     struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info)
 385 {
 386         if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
 387                 return FALSE;
 388
 389         /* Read the packet. */
 390         if (peekclassic_read_packet_v7(wth, wth->random_fh, phdr, buf,
 391             err, err_info) == -1) {
 392                 if (*err == 0)
 393                         *err = WTAP_ERR_SHORT_READ;
 394                 return FALSE;
 395         }
 396         return TRUE;
 397 }
 398
 399 #define RADIO_INFO_SIZE 4
 400
 401 static int peekclassic_read_packet_v7(wtap *wth, FILE_T fh,
 402     struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info)
 403 {
 404         guint8 ep_pkt[PEEKCLASSIC_V7_PKT_SIZE];
 405 #if 0
 406         guint16 protoNum;
 407 #endif
 408         guint16 length;
 409         guint16 sliceLength;
 410 #if 0
 411         guint8  flags;
 412 #endif
 413         guint8  status;
 414         guint64 timestamp;
 415         time_t tsecs;
 416         guint32 tusecs;
 417         guint8 radio_info[RADIO_INFO_SIZE];
 418
 419         if (!wtap_read_bytes_or_eof(fh, ep_pkt, sizeof(ep_pkt), err, err_info))
 420                 return -1;
 421
 422         /* Extract the fields from the packet */
 423 #if 0
 424         protoNum = pntoh16(&ep_pkt[PEEKCLASSIC_V7_PROTONUM_OFFSET]);
 425 #endif
 426         length = pntoh16(&ep_pkt[PEEKCLASSIC_V7_LENGTH_OFFSET]);
 427         sliceLength = pntoh16(&ep_pkt[PEEKCLASSIC_V7_SLICE_LENGTH_OFFSET]);
 428 #if 0
 429         flags = ep_pkt[PEEKCLASSIC_V7_FLAGS_OFFSET];
 430 #endif
 431         status = ep_pkt[PEEKCLASSIC_V7_STATUS_OFFSET];
 432         timestamp = pntoh64(&ep_pkt[PEEKCLASSIC_V7_TIMESTAMP_OFFSET]);
 433
 434         /* force sliceLength to be the actual length of the packet */
 435         if (0 == sliceLength) {
 436                 sliceLength = length;
 437         }
 438         /*
 439          * The maximum value of sliceLength and length are 65535, which
 440          * are less than WTAP_MAX_PACKET_SIZE_STANDARD will ever be, so we don't
 441          * need to check them.
 442          */
 443
 444         /* fill in packet header values */
 445         phdr->rec_type = REC_TYPE_PACKET;
 446         phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
 447         tsecs = (time_t) (timestamp/1000000);
 448         tusecs = (guint32) (timestamp - tsecs*1000000);
 449         phdr->ts.secs  = tsecs - mac2unix;
 450         phdr->ts.nsecs = tusecs * 1000;
 451         phdr->len    = length;
 452         phdr->caplen = sliceLength;
 453
 454         switch (wth->file_encap) {
 455
 456         case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
 457                 memset(&phdr->pseudo_header.ieee_802_11, 0, sizeof(phdr->pseudo_header.ieee_802_11));
 458                 phdr->pseudo_header.ieee_802_11.fcs_len = 0;            /* no FCS */
 459                 phdr->pseudo_header.ieee_802_11.decrypted = FALSE;
 460                 phdr->pseudo_header.ieee_802_11.datapad = FALSE;
 461                 phdr->pseudo_header.ieee_802_11.phy = PHDR_802_11_PHY_UNKNOWN;
 462
 463                 /*
 464                  * Now process the radio information pseudo-header.
 465                  * It's a 4-byte pseudo-header, consisting of:
 466                  *
 467                  *   1 byte of data rate, in units of 500 kb/s;
 468                  *
 469                  *   1 byte of channel number;
 470                  *
 471                  *   1 byte of signal strength as a percentage of
 472                  *   the maximum, i.e. (RXVECTOR RSSI/RXVECTOR RSSI_Max)*100,
 473                  *   or, at least, that's what I infer it is, given what
 474                  *   the WildPackets note "Converting Signal Strength
 475                  *   Percentage to dBm Values" says (it also says that
 476                  *   the conversion the percentage to a dBm value is
 477                  *   an adapter-dependent process, so, as we don't know
 478                  *   what type of adapter was used to do the capture,
 479                  *   we can't do the conversion);
 480                  *
 481                  *   1 byte of unknown content (padding?).
 482                  */
 483                 if (phdr->len < RADIO_INFO_SIZE || phdr->caplen < RADIO_INFO_SIZE) {
 484                         *err = WTAP_ERR_BAD_FILE;
 485                         *err_info = g_strdup_printf("peekclassic: 802.11 packet has length < 4");
 486                         return -1;
 487                 }
 488                 phdr->len -= RADIO_INFO_SIZE;
 489                 phdr->caplen -= RADIO_INFO_SIZE;
 490                 sliceLength -= RADIO_INFO_SIZE;
 491
 492                 /* read the pseudo-header */
 493                 if (!wtap_read_bytes(fh, radio_info, RADIO_INFO_SIZE, err, err_info))
 494                         return -1;
 495
 496                 phdr->pseudo_header.ieee_802_11.has_data_rate = TRUE;
 497                 phdr->pseudo_header.ieee_802_11.data_rate = radio_info[0];
 498
 499                 phdr->pseudo_header.ieee_802_11.has_channel = TRUE;
 500                 phdr->pseudo_header.ieee_802_11.channel = radio_info[1];
 501
 502                 phdr->pseudo_header.ieee_802_11.has_signal_percent = TRUE;
 503                 phdr->pseudo_header.ieee_802_11.signal_percent = radio_info[2];
 504
 505                 /*
 506                  * The last 4 bytes appear to be random data - the length
 507                  * might include the FCS - so we reduce the length by 4.
 508                  *
 509                  * Or maybe this is just the same kind of random 4 bytes
 510                  * of junk at the end you get in Wireless Sniffer
 511                  * captures.
 512                  */
 513                 if (phdr->len < 4 || phdr->caplen < 4) {
 514                         *err = WTAP_ERR_BAD_FILE;
 515                         *err_info = g_strdup_printf("peekclassic: 802.11 packet has length < 8");
 516                         return -1;
 517                 }
 518                 phdr->len -= 4;
 519                 phdr->caplen -= 4;
 520                 break;
 521
 522         case WTAP_ENCAP_ETHERNET:
 523                 /* XXX - it appears that if the low-order bit of
 524                    "status" is 0, there's an FCS in this frame,
 525                    and if it's 1, there's 4 bytes of 0. */
 526                 phdr->pseudo_header.eth.fcs_len = (status & 0x01) ? 0 : 4;
 527                 break;
 528         }
 529
 530         /* read the packet data */
 531         if (!wtap_read_packet_bytes(fh, buf, phdr->caplen, err, err_info))
 532                 return -1;
 533
 534         return sliceLength;
 535 }
 536
 537 static gboolean peekclassic_read_v56(wtap *wth, int *err, gchar **err_info,
 538     gint64 *data_offset)
 539 {
 540         *data_offset = file_tell(wth->fh);
 541
 542         /* read the packet */
 543         if (!peekclassic_read_packet_v56(wth, wth->fh, &wth->phdr,
 544             wth->frame_buffer, err, err_info))
 545                 return FALSE;
 546
 547         /*
 548          * XXX - is the captured packet data padded to a multiple
 549          * of 2 bytes?
 550          */
 551         return TRUE;
 552 }
 553
 554 static gboolean peekclassic_seek_read_v56(wtap *wth, gint64 seek_off,
 555     struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info)
 556 {
 557         if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
 558                 return FALSE;
 559
 560         /* read the packet */
 561         if (!peekclassic_read_packet_v56(wth, wth->random_fh, phdr, buf,
 562             err, err_info)) {
 563                 if (*err == 0)
 564                         *err = WTAP_ERR_SHORT_READ;
 565                 return FALSE;
 566         }
 567         return TRUE;
 568 }
 569
 570 static gboolean peekclassic_read_packet_v56(wtap *wth, FILE_T fh,
 571     struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info)
 572 {
 573         peekclassic_t *peekclassic = (peekclassic_t *)wth->priv;
 574         guint8 ep_pkt[PEEKCLASSIC_V56_PKT_SIZE];
 575         guint16 length;
 576         guint16 sliceLength;
 577 #if 0
 578         guint8  flags;
 579         guint8  status;
 580 #endif
 581         guint32 timestamp;
 582 #if 0
 583         guint16 destNum;
 584         guint16 srcNum;
 585 #endif
 586         guint16 protoNum;
 587 #if 0
 588         char    protoStr[8];
 589 #endif
 590         unsigned int i;
 591
 592         if (!wtap_read_bytes_or_eof(fh, ep_pkt, sizeof(ep_pkt), err, err_info))
 593                 return FALSE;
 594
 595         /* Extract the fields from the packet */
 596         length = pntoh16(&ep_pkt[PEEKCLASSIC_V56_LENGTH_OFFSET]);
 597         sliceLength = pntoh16(&ep_pkt[PEEKCLASSIC_V56_SLICE_LENGTH_OFFSET]);
 598 #if 0
 599         flags = ep_pkt[PEEKCLASSIC_V56_FLAGS_OFFSET];
 600         status = ep_pkt[PEEKCLASSIC_V56_STATUS_OFFSET];
 601 #endif
 602         timestamp = pntoh32(&ep_pkt[PEEKCLASSIC_V56_TIMESTAMP_OFFSET]);
 603 #if 0
 604         destNum = pntoh16(&ep_pkt[PEEKCLASSIC_V56_DESTNUM_OFFSET]);
 605         srcNum = pntoh16(&ep_pkt[PEEKCLASSIC_V56_SRCNUM_OFFSET]);
 606 #endif
 607         protoNum = pntoh16(&ep_pkt[PEEKCLASSIC_V56_PROTONUM_OFFSET]);
 608 #if 0
 609         memcpy(protoStr, &ep_pkt[PEEKCLASSIC_V56_PROTOSTR_OFFSET],
 610             sizeof protoStr);
 611 #endif
 612
 613         /*
 614          * XXX - is the captured packet data padded to a multiple
 615          * of 2 bytes?
 616          */
 617
 618         /* force sliceLength to be the actual length of the packet */
 619         if (0 == sliceLength) {
 620                 sliceLength = length;
 621         }
 622         /*
 623          * The maximum value of sliceLength and length are 65535, which
 624          * are less than WTAP_MAX_PACKET_SIZE_STANDARD will ever be, so we don't
 625          * need to check them.
 626          */
 627
 628         /* fill in packet header values */
 629         phdr->rec_type = REC_TYPE_PACKET;
 630         phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
 631         /* timestamp is in milliseconds since reference_time */
 632         phdr->ts.secs  = peekclassic->reference_time + (timestamp / 1000);
 633         phdr->ts.nsecs = 1000 * (timestamp % 1000) * 1000;
 634         phdr->len      = length;
 635         phdr->caplen   = sliceLength;
 636
 637         phdr->pkt_encap = WTAP_ENCAP_UNKNOWN;
 638         for (i=0; i<NUM_PEEKCLASSIC_ENCAPS; i++) {
 639                 if (peekclassic_encap[i].protoNum == protoNum) {
 640                         phdr->pkt_encap = peekclassic_encap[i].encap;
 641                 }
 642         }
 643
 644         switch (phdr->pkt_encap) {
 645
 646         case WTAP_ENCAP_ETHERNET:
 647                 /* We assume there's no FCS in this frame. */
 648                 phdr->pseudo_header.eth.fcs_len = 0;
 649                 break;
 650         }
 651
 652         /* read the packet data */
 653         return wtap_read_packet_bytes(fh, buf, sliceLength, err, err_info);
 654 }
 655
 656 /*
 657  * Editor modelines  -  http://www.wireshark.org/tools/modelines.html
 658  *
 659  * Local variables:
 660  * c-basic-offset: 8
 661  * tab-width: 8
 662  * indent-tabs-mode: t
 663  * End:
 664  *
 665  * vi: set shiftwidth=8 tabstop=8 noexpandtab:
 666  * :indentSize=8:tabSize=8:noTabs=false:
 667  */