2 * Routines for opening files in what Savvius (formerly WildPackets) calls
3 * the tagged file format in the description of their "PeekRdr Sample
4 * Application" (C++ source code to read their capture files, downloading
5 * of which requires a maintenance contract, so it's not free as in beer
6 * and probably not as in speech, either).
8 * As that description says, it's used by AiroPeek and AiroPeek NX 2.0
9 * and later, EtherPeek 6.0 and later, EtherPeek NX 3.0 and later,
10 * EtherPeek VX 1.0 and later, GigaPeek NX 1.0 and later, Omni3 1.0
11 * and later (both OmniPeek and the Remote Engine), and WANPeek NX
12 * 1.0 and later. They also say it'll be used by future Savvius
16 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
18 * This program is free software; you can redistribute it and/or
19 * modify it under the terms of the GNU General Public License
20 * as published by the Free Software Foundation; either version 2
21 * of the License, or (at your option) any later version.
23 * This program is distributed in the hope that it will be useful,
24 * but WITHOUT ANY WARRANTY; without even the implied warranty of
25 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
26 * GNU General Public License for more details.
28 * You should have received a copy of the GNU General Public License
29 * along with this program; if not, write to the Free Software
30 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
38 #include "file_wrappers.h"
39 #include "peektagged.h"
40 #include <wsutil/frequency-utils.h>
44 * This file decoder could not have been writen without examining
45 * http://www.varsanofiev.com/inside/airopeekv9.htm, the help from
46 * Martin Regner and Guy Harris, and the etherpeek.c file (as it
47 * was called before renaming it to peekclassic.c).
53 * A Peek tagged file consists of multiple sections, each of which begins
54 * with a header in the following format.
56 * The section ID is a 4-character string saying what type of section
57 * it is. The section length is a little-endian field giving the
58 * length of the section, in bytes, including the section header
59 * itself. The other field of the section header is a little-endian
60 * constant that always appears to be 0x00000200.
62 * Files we've seen have the following sections, in order:
64 * "\177vers" - version information. The contents are XML, giving
65 * the file format version and application version information.
67 * "sess" - capture session information. The contents are XML, giving
68 * various information about the capture session.
70 * "pkts" - captured packets. The contents are binary records, one for
71 * each packet, with the record being a list of tagged values followed
72 * by the raw packet data.
74 typedef struct peektagged_section_header {
75 gint8 section_id[4]; /* string identifying the section */
76 guint32 section_len; /* little-endian section length */
77 guint32 section_const; /* little-endian 0x00000200 */
78 } peektagged_section_header_t;
81 * Network subtype values.
83 * XXX - do different network subtype values for 802.11 indicate different
84 * network adapter types, with some adapters supplying the FCS and others
85 * not supplying the FCS?
87 #define PEEKTAGGED_NST_ETHERNET 0
88 #define PEEKTAGGED_NST_802_11 1 /* 802.11 with 0's at the end */
89 #define PEEKTAGGED_NST_802_11_2 2 /* 802.11 with 0's at the end */
90 #define PEEKTAGGED_NST_802_11_WITH_FCS 3 /* 802.11 with FCS at the end */
92 /* tags for fields in packet header */
93 #define TAG_PEEKTAGGED_LENGTH 0x0000
94 #define TAG_PEEKTAGGED_TIMESTAMP_LOWER 0x0001
95 #define TAG_PEEKTAGGED_TIMESTAMP_UPPER 0x0002
96 #define TAG_PEEKTAGGED_FLAGS_AND_STATUS 0x0003 /* upper 24 bits unused? */
97 #define TAG_PEEKTAGGED_CHANNEL 0x0004
98 #define TAG_PEEKTAGGED_DATA_RATE_OR_MCS_INDEX 0x0005
99 #define TAG_PEEKTAGGED_SIGNAL_PERC 0x0006
100 #define TAG_PEEKTAGGED_SIGNAL_DBM 0x0007
101 #define TAG_PEEKTAGGED_NOISE_PERC 0x0008
102 #define TAG_PEEKTAGGED_NOISE_DBM 0x0009
103 #define TAG_PEEKTAGGED_UNKNOWN_0x000A 0x000A
104 #define TAG_PEEKTAGGED_CENTER_FREQUENCY 0x000D /* Frequency */
105 #define TAG_PEEKTAGGED_UNKNOWN_0x000E 0x000E /* "Band"? */
106 #define TAG_PEEKTAGGED_UNKNOWN_0x000F 0x000F /* antenna 2 signal dBm? */
107 #define TAG_PEEKTAGGED_UNKNOWN_0x0010 0x0010 /* antenna 3 signal dBm? */
108 #define TAG_PEEKTAGGED_UNKNOWN_0x0011 0x0011 /* antenna 4 signal dBm? */
109 #define TAG_PEEKTAGGED_UNKNOWN_0x0012 0x0012 /* antenna 2 noise dBm? */
110 #define TAG_PEEKTAGGED_UNKNOWN_0x0013 0x0013 /* antenna 3 noise dBm? */
111 #define TAG_PEEKTAGGED_UNKNOWN_0x0014 0x0014 /* antenna 4 noise dBm? */
112 #define TAG_PEEKTAGGED_EXT_FLAGS 0x0015 /* Extended flags for 802.11n and beyond */
114 #define TAG_PEEKTAGGED_SLICE_LENGTH 0xffff
119 * We're assuming here that the "remote Peek" flags from bug 9586 are
120 * the same as the "Peek tagged" flags.
122 #define FLAGS_CONTROL_FRAME 0x01 /* Frame is a control frame */
123 #define FLAGS_HAS_CRC_ERROR 0x02 /* Frame has a CRC error */
124 #define FLAGS_HAS_FRAME_ERROR 0x04 /* Frame has a frame error */
129 * Is this in the next 8 bits of the "flags and status" field?
131 #define STATUS_PROTECTED 0x0400 /* Frame is protected (encrypted) */
132 #define STATUS_DECRYPT_ERROR 0x0800 /* Error decrypting protected frame */
133 #define STATUS_SHORT_PREAMBLE 0x4000 /* Short preamble */
138 * Some determined from bug 10637, some determined from bug 9586,
139 * and the ones present in both agree, so we're assuming that
140 * the "remote Peek" protocol and the "Peek tagged" file format
141 * use the same bits (which wouldn't be too surprising, as they
142 * both come from Wildpackets).
144 #define EXT_FLAG_20_MHZ_LOWER 0x00000001
145 #define EXT_FLAG_20_MHZ_UPPER 0x00000002
146 #define EXT_FLAG_40_MHZ 0x00000004
147 #define EXT_FLAGS_BANDWIDTH 0x00000007
148 #define EXT_FLAG_HALF_GI 0x00000008
149 #define EXT_FLAG_FULL_GI 0x00000010
150 #define EXT_FLAGS_GI 0x00000018
151 #define EXT_FLAG_AMPDU 0x00000020
152 #define EXT_FLAG_AMSDU 0x00000040
153 #define EXT_FLAG_802_11ac 0x00000080
154 #define EXT_FLAG_MCS_INDEX_USED 0x00000100
156 /* 64-bit time in nanoseconds from the (Windows FILETIME) epoch */
157 typedef struct peektagged_utime {
166 static gboolean peektagged_read(wtap *wth, int *err, gchar **err_info,
167 gint64 *data_offset);
168 static gboolean peektagged_seek_read(wtap *wth, gint64 seek_off,
169 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
171 static int wtap_file_read_pattern (wtap *wth, const char *pattern, int *err,
180 c = file_getc(wth->fh);
183 *err = file_error(wth->fh, err_info);
184 if (*err != 0 && *err != WTAP_ERR_SHORT_READ)
185 return -1; /* error */
198 return (*cp == '\0' ? 1 : 0);
202 static int wtap_file_read_till_separator (wtap *wth, char *buffer, int buflen,
203 const char *separators, int *err,
210 for (cp = buffer, i = 0; i < buflen; i++, cp++)
212 c = file_getc(wth->fh);
215 *err = file_error(wth->fh, err_info);
216 if (*err != 0 && *err != WTAP_ERR_SHORT_READ)
217 return -1; /* error */
220 if (strchr (separators, c) != NULL)
232 static int wtap_file_read_number (wtap *wth, guint32 *num, int *err,
240 ret = wtap_file_read_till_separator (wth, str_num, sizeof (str_num)-1, "<",
242 if (ret == 0 || ret == -1) {
243 /* 0 means EOF, which means "not a valid Peek tagged file";
244 -1 means error, and "err" has been set. */
247 value = strtoul (str_num, &p, 10);
248 if (p == str_num || value > G_MAXUINT32)
250 *num = (guint32)value;
255 wtap_open_return_val peektagged_open(wtap *wth, int *err, gchar **err_info)
257 peektagged_section_header_t ap_hdr;
259 guint32 fileVersion = 0;
261 guint32 mediaSubType = 0;
263 static const int peektagged_encap[] = {
265 WTAP_ENCAP_IEEE_802_11_WITH_RADIO,
266 WTAP_ENCAP_IEEE_802_11_WITH_RADIO,
267 WTAP_ENCAP_IEEE_802_11_WITH_RADIO
269 #define NUM_PEEKTAGGED_ENCAPS (sizeof peektagged_encap / sizeof peektagged_encap[0])
270 peektagged_t *peektagged;
272 if (!wtap_read_bytes(wth->fh, &ap_hdr, (int)sizeof(ap_hdr), err, err_info)) {
273 if (*err != WTAP_ERR_SHORT_READ)
274 return WTAP_OPEN_ERROR;
275 return WTAP_OPEN_NOT_MINE;
278 if (memcmp (ap_hdr.section_id, "\177ver", sizeof(ap_hdr.section_id)) != 0)
279 return WTAP_OPEN_NOT_MINE; /* doesn't begin with a "\177ver" section */
282 * XXX - we should get the length of the "\177ver" section, check
283 * that it's followed by a little-endian 0x00000200, and then,
284 * when reading the XML, make sure we don't go past the end of
285 * that section, and skip to the end of that section when
286 * we have the file version (and possibly check to make sure all
287 * tags are properly opened and closed).
289 ret = wtap_file_read_pattern (wth, "<FileVersion>", err, err_info);
291 return WTAP_OPEN_ERROR;
293 /* 0 means EOF, which means "not a valid Peek tagged file" */
294 return WTAP_OPEN_NOT_MINE;
296 ret = wtap_file_read_number (wth, &fileVersion, err, err_info);
298 return WTAP_OPEN_ERROR;
300 /* 0 means EOF, which means "not a valid Peek tagged file" */
301 return WTAP_OPEN_NOT_MINE;
304 /* If we got this far, we assume it's a Peek tagged file. */
305 if (fileVersion != 9) {
306 /* We only support version 9. */
307 *err = WTAP_ERR_UNSUPPORTED;
308 *err_info = g_strdup_printf("peektagged: version %u unsupported",
310 return WTAP_OPEN_ERROR;
314 * XXX - once we've skipped the "\177ver" section, we should
315 * check for a "sess" section and fail if we don't see it.
316 * Then we should get the length of the "sess" section, check
317 * that it's followed by a little-endian 0x00000200, and then,
318 * when reading the XML, make sure we don't go past the end of
319 * that section, and skip to the end of the section when
320 * we have the file version (and possibly check to make sure all
321 * tags are properly opened and closed).
323 ret = wtap_file_read_pattern (wth, "<MediaType>", err, err_info);
325 return WTAP_OPEN_ERROR;
327 *err = WTAP_ERR_BAD_FILE;
328 *err_info = g_strdup("peektagged: <MediaType> tag not found");
329 return WTAP_OPEN_ERROR;
331 /* XXX - this appears to be 0 in both the EtherPeek and AiroPeek
332 files we've seen; should we require it to be 0? */
333 ret = wtap_file_read_number (wth, &mediaType, err, err_info);
335 return WTAP_OPEN_ERROR;
337 *err = WTAP_ERR_BAD_FILE;
338 *err_info = g_strdup("peektagged: <MediaType> value not found");
339 return WTAP_OPEN_ERROR;
342 ret = wtap_file_read_pattern (wth, "<MediaSubType>", err, err_info);
344 return WTAP_OPEN_ERROR;
346 *err = WTAP_ERR_BAD_FILE;
347 *err_info = g_strdup("peektagged: <MediaSubType> tag not found");
348 return WTAP_OPEN_ERROR;
350 ret = wtap_file_read_number (wth, &mediaSubType, err, err_info);
352 return WTAP_OPEN_ERROR;
354 *err = WTAP_ERR_BAD_FILE;
355 *err_info = g_strdup("peektagged: <MediaSubType> value not found");
356 return WTAP_OPEN_ERROR;
358 if (mediaSubType >= NUM_PEEKTAGGED_ENCAPS
359 || peektagged_encap[mediaSubType] == WTAP_ENCAP_UNKNOWN) {
360 *err = WTAP_ERR_UNSUPPORTED;
361 *err_info = g_strdup_printf("peektagged: network type %u unknown or unsupported",
363 return WTAP_OPEN_ERROR;
366 ret = wtap_file_read_pattern (wth, "pkts", err, err_info);
368 return WTAP_OPEN_ERROR;
370 *err = WTAP_ERR_SHORT_READ;
371 return WTAP_OPEN_ERROR;
374 /* skip 8 zero bytes */
375 if (file_seek (wth->fh, 8L, SEEK_CUR, err) == -1)
376 return WTAP_OPEN_NOT_MINE;
379 * This is an Peek tagged file.
381 file_encap = peektagged_encap[mediaSubType];
383 wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_PEEKTAGGED;
384 wth->file_encap = file_encap;
385 wth->subtype_read = peektagged_read;
386 wth->subtype_seek_read = peektagged_seek_read;
387 wth->file_tsprec = WTAP_TSPREC_NSEC;
389 peektagged = (peektagged_t *)g_malloc(sizeof(peektagged_t));
390 wth->priv = (void *)peektagged;
391 switch (mediaSubType) {
393 case PEEKTAGGED_NST_ETHERNET:
394 case PEEKTAGGED_NST_802_11:
395 case PEEKTAGGED_NST_802_11_2:
396 peektagged->has_fcs = FALSE;
399 case PEEKTAGGED_NST_802_11_WITH_FCS:
400 peektagged->has_fcs = TRUE;
404 wth->snapshot_length = 0; /* not available in header */
406 return WTAP_OPEN_MINE;
412 * XXX - we should supply the additional radio information;
413 * the pseudo-header should probably be supplied in a fashion
414 * similar to the radiotap radio header, so that the 802.11
415 * dissector can determine which, if any, information items
419 peektagged_read_packet(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr,
420 Buffer *buf, int *err, gchar **err_info)
422 peektagged_t *peektagged = (peektagged_t *)wth->priv;
423 gboolean read_a_tag = FALSE;
426 gboolean saw_length = FALSE;
428 guint32 sliceLength = 0;
429 gboolean saw_timestamp_lower = FALSE;
430 gboolean saw_timestamp_upper = FALSE;
431 peektagged_utime timestamp;
432 guint32 ext_flags = 0;
433 gboolean saw_data_rate_or_mcs_index = FALSE;
434 guint32 data_rate_or_mcs_index = 0;
437 struct ieee_802_11_phdr ieee_802_11;
444 memset(&ieee_802_11, 0, sizeof ieee_802_11);
445 ieee_802_11.fcs_len = -1; /* Unknown */
446 ieee_802_11.decrypted = FALSE;
447 ieee_802_11.datapad = FALSE;
448 ieee_802_11.phy = PHDR_802_11_PHY_UNKNOWN;
450 /* Extract the fields from the packet header */
452 /* Get the tag and value.
453 XXX - this assumes all values are 4 bytes long. */
454 if (!wtap_read_bytes_or_eof(fh, tag_value, sizeof tag_value, err, err_info)) {
457 * Short read if we've read something already;
458 * just an EOF if we haven't.
461 *err = WTAP_ERR_SHORT_READ;
466 tag = pletoh16(&tag_value[0]);
469 case TAG_PEEKTAGGED_LENGTH:
471 *err = WTAP_ERR_BAD_FILE;
472 *err_info = g_strdup("peektagged: record has two length fields");
475 length = pletoh32(&tag_value[2]);
479 case TAG_PEEKTAGGED_TIMESTAMP_LOWER:
480 if (saw_timestamp_lower) {
481 *err = WTAP_ERR_BAD_FILE;
482 *err_info = g_strdup("peektagged: record has two timestamp-lower fields");
485 timestamp.lower = pletoh32(&tag_value[2]);
486 saw_timestamp_lower = TRUE;
489 case TAG_PEEKTAGGED_TIMESTAMP_UPPER:
490 if (saw_timestamp_upper) {
491 *err = WTAP_ERR_BAD_FILE;
492 *err_info = g_strdup("peektagged: record has two timestamp-upper fields");
495 timestamp.upper = pletoh32(&tag_value[2]);
496 saw_timestamp_upper = TRUE;
499 case TAG_PEEKTAGGED_FLAGS_AND_STATUS:
500 /* XXX - not used yet */
503 case TAG_PEEKTAGGED_CHANNEL:
504 ieee_802_11.has_channel = TRUE;
505 ieee_802_11.channel = pletoh32(&tag_value[2]);
508 case TAG_PEEKTAGGED_DATA_RATE_OR_MCS_INDEX:
509 data_rate_or_mcs_index = pletoh32(&tag_value[2]);
510 saw_data_rate_or_mcs_index = TRUE;
513 case TAG_PEEKTAGGED_SIGNAL_PERC:
514 ieee_802_11.has_signal_percent = TRUE;
515 ieee_802_11.signal_percent = pletoh32(&tag_value[2]);
518 case TAG_PEEKTAGGED_SIGNAL_DBM:
519 ieee_802_11.has_signal_dbm = TRUE;
520 ieee_802_11.signal_dbm = pletoh32(&tag_value[2]);
523 case TAG_PEEKTAGGED_NOISE_PERC:
524 ieee_802_11.has_noise_percent = TRUE;
525 ieee_802_11.noise_percent = pletoh32(&tag_value[2]);
528 case TAG_PEEKTAGGED_NOISE_DBM:
529 ieee_802_11.has_noise_dbm = TRUE;
530 ieee_802_11.noise_dbm = pletoh32(&tag_value[2]);
533 case TAG_PEEKTAGGED_UNKNOWN_0x000A:
535 * XXX - seen in some 802.11 captures.
536 * Always seems to have the value 0 or 5.
540 case TAG_PEEKTAGGED_CENTER_FREQUENCY:
541 /* XXX - also seen in an EtherPeek capture; value unknown */
542 ieee_802_11.has_frequency = TRUE;
543 ieee_802_11.frequency = pletoh32(&tag_value[2]);
546 case TAG_PEEKTAGGED_UNKNOWN_0x000E:
548 * XXX - seen in some 802.11 captures.
549 * Usually has the value 4, but, in some packets, has the
552 * Is this the mysterious "band" field that shows up in
553 * some "Peek remote" protocol captures, with values in
554 * the 30x or 40x ranges? It's not always associated
555 * with the "extended flags" tag for HT/VHT information,
556 * so it's probably not 11n/11ac-specific. Values other
557 * than 4 appear, in my captures, only in packets with
558 * the "extended flags" tag. 302 appeared in a packet
559 * with EXT_FLAG_MCS_INDEX_USED; 6 appeared in packets
560 * without EXT_FLAG_MCS_INDEX_USED.
564 case TAG_PEEKTAGGED_UNKNOWN_0x000F:
566 * XXX - seen in some 802.11 captures; dB or dBm value?
571 case TAG_PEEKTAGGED_UNKNOWN_0x0010:
573 * XXX - seen in some 802.11 captures; dB or dBm value?
578 case TAG_PEEKTAGGED_UNKNOWN_0x0011:
580 * XXX - seen in some 802.11 captures; dB or dBm value?
585 case TAG_PEEKTAGGED_UNKNOWN_0x0012:
587 * XXX - seen in some 802.11 captures; dB or dBm value?
592 case TAG_PEEKTAGGED_UNKNOWN_0x0013:
594 * XXX - seen in some 802.11 captures; dB or dBm value?
599 case TAG_PEEKTAGGED_UNKNOWN_0x0014:
601 * XXX - seen in some 802.11 captures; dB or dBm value?
606 case TAG_PEEKTAGGED_EXT_FLAGS:
608 * We assume this is present for HT and VHT frames and absent
611 ext_flags = pletoh32(&tag_value[2]);
612 if (ext_flags & EXT_FLAG_802_11ac) {
613 ieee_802_11.phy = PHDR_802_11_PHY_11AC;
615 * XXX - this probably has only one user, so only
616 * one MCS index and only one NSS, but where's the
619 for (i = 0; i < 4; i++)
620 ieee_802_11.phy_info.info_11ac.nss[i] = 0;
622 switch (ext_flags & EXT_FLAGS_GI) {
624 case EXT_FLAG_HALF_GI:
625 ieee_802_11.phy_info.info_11ac.has_short_gi = TRUE;
626 ieee_802_11.phy_info.info_11ac.short_gi = 1;
629 case EXT_FLAG_FULL_GI:
630 ieee_802_11.phy_info.info_11ac.has_short_gi = TRUE;
631 ieee_802_11.phy_info.info_11ac.short_gi = 0;
635 /* Mutually exclusive flags set or nothing set */
639 ieee_802_11.phy = PHDR_802_11_PHY_11N;
640 switch (ext_flags & EXT_FLAGS_BANDWIDTH) {
643 ieee_802_11.phy_info.info_11n.has_bandwidth = TRUE;
644 ieee_802_11.phy_info.info_11n.bandwidth = PHDR_802_11_BANDWIDTH_20_MHZ;
647 case EXT_FLAG_20_MHZ_LOWER:
648 ieee_802_11.phy_info.info_11n.has_bandwidth = TRUE;
649 ieee_802_11.phy_info.info_11n.bandwidth = PHDR_802_11_BANDWIDTH_20_20L;
652 case EXT_FLAG_20_MHZ_UPPER:
653 ieee_802_11.phy_info.info_11n.has_bandwidth = TRUE;
654 ieee_802_11.phy_info.info_11n.bandwidth = PHDR_802_11_BANDWIDTH_20_20U;
657 case EXT_FLAG_40_MHZ:
658 ieee_802_11.phy_info.info_11n.has_bandwidth = TRUE;
659 ieee_802_11.phy_info.info_11n.bandwidth = PHDR_802_11_BANDWIDTH_40_MHZ;
663 /* Mutually exclusive flags set */
667 switch (ext_flags & EXT_FLAGS_GI) {
669 case EXT_FLAG_HALF_GI:
670 ieee_802_11.phy_info.info_11n.has_short_gi = TRUE;
671 ieee_802_11.phy_info.info_11n.short_gi = 1;
674 case EXT_FLAG_FULL_GI:
675 ieee_802_11.phy_info.info_11n.has_short_gi = TRUE;
676 ieee_802_11.phy_info.info_11n.short_gi = 0;
680 /* Mutually exclusive flags set or nothing set */
686 case TAG_PEEKTAGGED_SLICE_LENGTH:
687 sliceLength = pletoh32(&tag_value[2]);
693 } while (tag != TAG_PEEKTAGGED_SLICE_LENGTH); /* last tag */
696 *err = WTAP_ERR_BAD_FILE;
697 *err_info = g_strdup("peektagged: record has no length field");
700 if (!saw_timestamp_lower) {
701 *err = WTAP_ERR_BAD_FILE;
702 *err_info = g_strdup("peektagged: record has no timestamp-lower field");
705 if (!saw_timestamp_upper) {
706 *err = WTAP_ERR_BAD_FILE;
707 *err_info = g_strdup("peektagged: record has no timestamp-upper field");
712 * If sliceLength is 0, force it to be the actual length of the packet.
714 if (sliceLength == 0)
715 sliceLength = length;
717 if (sliceLength > WTAP_MAX_PACKET_SIZE) {
719 * Probably a corrupt capture file; don't blow up trying
720 * to allocate space for an immensely-large packet.
722 *err = WTAP_ERR_BAD_FILE;
723 *err_info = g_strdup_printf("peektagged: File has %u-byte packet, bigger than maximum of %u",
724 sliceLength, WTAP_MAX_PACKET_SIZE);
728 phdr->rec_type = REC_TYPE_PACKET;
729 phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
731 phdr->caplen = sliceLength;
733 /* calculate and fill in packet time stamp */
734 t = (((guint64) timestamp.upper) << 32) + timestamp.lower;
735 if (!nsfiletime_to_nstime(&phdr->ts, t)) {
736 *err = WTAP_ERR_BAD_FILE;
737 *err_info = g_strdup("peektagged: time stamp outside supported range");
741 switch (wth->file_encap) {
743 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
744 if (saw_data_rate_or_mcs_index) {
745 if (ext_flags & EXT_FLAG_MCS_INDEX_USED) {
749 * XXX - what about 11ac?
751 if (!(ext_flags & EXT_FLAG_802_11ac)) {
752 ieee_802_11.phy_info.info_11n.has_mcs_index = TRUE;
753 ieee_802_11.phy_info.info_11n.mcs_index = data_rate_or_mcs_index;
756 /* It's a data rate. */
757 ieee_802_11.has_data_rate = TRUE;
758 ieee_802_11.data_rate = data_rate_or_mcs_index;
761 if (ieee_802_11.has_frequency && !ieee_802_11.has_channel) {
762 /* Frequency, but no channel; try to calculate the channel. */
763 channel = ieee80211_mhz_to_chan(ieee_802_11.frequency);
765 ieee_802_11.has_channel = TRUE;
766 ieee_802_11.channel = channel;
768 } else if (ieee_802_11.has_channel && !ieee_802_11.has_frequency) {
770 * If it's 11 legacy DHSS, 11b, or 11g, it's 2.4 GHz,
771 * so we can calculate the frequency.
773 * If it's 11a, it's 5 GHz, so we can calculate the
776 switch (ieee_802_11.phy) {
778 case PHDR_802_11_PHY_11_DSSS:
779 case PHDR_802_11_PHY_11B:
780 case PHDR_802_11_PHY_11G:
781 frequency = ieee80211_chan_to_mhz(ieee_802_11.channel, TRUE);
784 case PHDR_802_11_PHY_11A:
785 frequency = ieee80211_chan_to_mhz(ieee_802_11.channel, FALSE);
789 /* We don't know the band. */
793 if (frequency != 0) {
794 ieee_802_11.has_frequency = TRUE;
795 ieee_802_11.frequency = frequency;
798 phdr->pseudo_header.ieee_802_11 = ieee_802_11;
799 if (peektagged->has_fcs)
800 phdr->pseudo_header.ieee_802_11.fcs_len = 4;
802 if (phdr->len < 4 || phdr->caplen < 4) {
803 *err = WTAP_ERR_BAD_FILE;
804 *err_info = g_strdup_printf("peektagged: 802.11 packet has length < 4");
807 phdr->pseudo_header.ieee_802_11.fcs_len = 0;
812 phdr->pseudo_header.ieee_802_11.decrypted = FALSE;
813 phdr->pseudo_header.ieee_802_11.datapad = FALSE;
816 case WTAP_ENCAP_ETHERNET:
818 * The last 4 bytes appear to be 0 in the captures I've seen;
819 * are there any captures where it's an FCS?
821 if (phdr->len < 4 || phdr->caplen < 4) {
822 *err = WTAP_ERR_BAD_FILE;
823 *err_info = g_strdup_printf("peektagged: Ethernet packet has length < 4");
826 phdr->pseudo_header.eth.fcs_len = 0;
833 /* Read the packet data. */
834 if (!wtap_read_packet_bytes(fh, buf, phdr->caplen, err, err_info))
840 static gboolean peektagged_read(wtap *wth, int *err, gchar **err_info,
845 *data_offset = file_tell(wth->fh);
847 /* Read the packet. */
848 skip_len = peektagged_read_packet(wth, wth->fh, &wth->phdr,
849 wth->frame_buffer, err, err_info);
854 /* Skip extra junk at the end of the packet data. */
855 if (!file_skip(wth->fh, skip_len, err))
863 peektagged_seek_read(wtap *wth, gint64 seek_off,
864 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info)
866 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
869 /* Read the packet. */
870 if (peektagged_read_packet(wth, wth->random_fh, phdr, buf, err, err_info) == -1) {
872 *err = WTAP_ERR_SHORT_READ;
879 * Editor modelines - http://www.wireshark.org/tools/modelines.html
884 * indent-tabs-mode: nil
887 * vi: set shiftwidth=4 tabstop=8 expandtab:
888 * :indentSize=4:tabSize=8:noTabs=true: