4 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
6 * SPDX-License-Identifier: GPL-2.0-or-later
13 #include "file_wrappers.h"
16 /* See RFC 1761 for a description of the "snoop" file format. */
18 /* Magic number in "snoop" files. */
19 static const char snoop_magic[] = {
20 's', 'n', 'o', 'o', 'p', '\0', '\0', '\0'
23 /* "snoop" file header (minus magic number). */
25 guint32 version; /* version number (should be 2) */
26 guint32 network; /* network type */
29 /* "snoop" record header. */
31 guint32 orig_len; /* actual length of packet */
32 guint32 incl_len; /* number of octets captured in file */
33 guint32 rec_len; /* length of record */
34 guint32 cum_drops; /* cumulative number of dropped packets */
35 guint32 ts_sec; /* timestamp seconds */
36 guint32 ts_usec; /* timestamp microseconds */
40 * The link-layer header on ATM packets.
42 struct snoop_atm_hdr {
43 guint8 flags; /* destination and traffic type */
45 guint16 vci; /* VCI */
49 * Extra information stuffed into the padding in Shomiti/Finisar Surveyor
52 struct shomiti_trailer {
53 guint16 phy_rx_length; /* length on the wire, including FCS? */
54 guint16 phy_rx_status; /* status flags */
55 guint32 ts_40_ns_lsb; /* 40 ns time stamp, low-order bytes? */
56 guint32 ts_40_ns_msb; /* 40 ns time stamp, low-order bytes? */
57 gint32 frame_id; /* "FrameID"? */
61 * phy_rx_status flags.
63 #define RX_STATUS_OVERFLOW 0x8000 /* overflow error */
64 #define RX_STATUS_BAD_CRC 0x4000 /* CRC error */
65 #define RX_STATUS_DRIBBLE_NIBBLE 0x2000 /* dribble/nibble bits? */
66 #define RX_STATUS_SHORT_FRAME 0x1000 /* frame < 64 bytes */
67 #define RX_STATUS_OVERSIZE_FRAME 0x0800 /* frame > 1518 bytes */
68 #define RX_STATUS_GOOD_FRAME 0x0400 /* frame OK */
69 #define RX_STATUS_N12_BYTES_RECEIVED 0x0200 /* first 12 bytes of frame received? */
70 #define RX_STATUS_RXABORT 0x0100 /* RXABORT during reception */
71 #define RX_STATUS_FIFO_ERROR 0x0080 /* receive FIFO error */
72 #define RX_STATUS_TRIGGERED 0x0001 /* frame did trigger */
74 static gboolean snoop_read(wtap *wth, int *err, gchar **err_info,
76 static gboolean snoop_seek_read(wtap *wth, gint64 seek_off,
77 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
78 static int snoop_read_packet(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr,
79 Buffer *buf, int *err, gchar **err_info);
80 static gboolean snoop_read_atm_pseudoheader(FILE_T fh,
81 union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info);
82 static gboolean snoop_read_shomiti_wireless_pseudoheader(FILE_T fh,
83 union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info,
85 static gboolean snoop_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
86 const guint8 *pd, int *err, gchar **err_info);
91 * http://www.opengroup.org/onlinepubs/9638599/apdxf.htm
93 * for the "dlpi.h" header file specified by The Open Group, which lists
94 * the DL_ values for various protocols; Solaris 7 uses the same values.
98 * http://www.iana.org/assignments/snoop-datalink-types/snoop-datalink-types.xml
100 * for the IETF list of snoop datalink types.
104 * http://mrpink.lerc.nasa.gov/118x/support.html
106 * had links to modified versions of "tcpdump" and "libpcap" for SUNatm
107 * DLPI support; they suggested that the 3.0 verson of SUNatm uses those
108 * values. The Wayback Machine archived that page, but not the stuff
109 * to which it linked, unfortunately.
111 * It also has a link to "convert.c", which is a program to convert files
112 * from the format written by the "atmsnoop" program that comes with the
113 * SunATM package to regular "snoop" format, claims that "SunATM 2.1 claimed
114 * to be DL_FDDI (don't ask why). SunATM 3.0 claims to be DL_IPATM, which
117 * It also says that "ATM Mac header is 12 bytes long.", and seems to imply
118 * that in an "atmsnoop" file, the header contains 2 bytes (direction and
119 * VPI?), 2 bytes of VCI, 6 bytes of something, and 2 bytes of Ethernet
120 * type; if those 6 bytes are 2 bytes of DSAP, 2 bytes of LSAP, 1 byte
121 * of LLC control, and 3 bytes of SNAP OUI, that'd mean that an ATM
122 * pseudo-header in an "atmsnoop" file is probably 1 byte of direction,
123 * 1 byte of VPI, and 2 bytes of VCI.
125 * The aforementioned page also has a link to some capture files from
126 * "atmsnoop"; this version of "snoop.c" appears to be able to read them.
128 * Source to an "atmdump" package, which includes a modified version of
129 * "libpcap" to handle SunATM DLPI and an ATM driver for FreeBSD, and
130 * also includes "atmdump", which is a modified "tcpdump", was available
133 * ftp://ftp.cs.ndsu.nodak.edu/pub/freebsd/atm/atm-bpf.tgz
135 * (the host name is no longer valid) and that code also indicated that
136 * DL_IPATM is used, and that an ATM packet handed up from the Sun driver
137 * for the Sun SBus ATM card on Solaris 2.5.1 has 1 byte of direction,
138 * 1 byte of VPI, 2 bytes of VCI, and then the ATM PDU, and suggests that
139 * the direction flag is 0x80 for "transmitted" (presumably meaning
140 * DTE->DCE) and presumably not 0x80 for "received" (presumably meaning
141 * DCE->DTE). That code was used as the basis for the SunATM support in
142 * later versions of libpcap and tcpdump, and it worked at the time the
143 * development was done with the SunATM code on the system on which the
144 * development was done.
146 * In fact, the "direction" byte appears to have some other stuff, perhaps
147 * a traffic type, in the lower 7 bits, with the 8th bit indicating the
148 * direction. That appears to be the case.
150 * I don't know what the encapsulation of any of the other types is, so I
151 * leave them all as WTAP_ENCAP_UNKNOWN, except for those for which Brian
152 * Ginsbach has supplied information about the way UNICOS/mp uses them.
153 * I also don't know whether "snoop" can handle any of them (it presumably
154 * can't handle ATM, otherwise Sun wouldn't have supplied "atmsnoop"; even
155 * if it can't, this may be useful reference information for anybody doing
156 * code to use DLPI to do raw packet captures on those network types.
158 * http://web.archive.org/web/20010906213807/http://www.shomiti.com/support/TNCapFileFormat.htm
160 * gives information on Shomiti's mutant flavor of snoop. For some unknown
161 * reason, they decided not to just Go With The DLPI Flow, and instead used
162 * the types unspecified in RFC 1461 for their own nefarious purposes, such
163 * as distinguishing 10MB from 100MB from 1000MB Ethernet and distinguishing
164 * 4MB from 16MB Token Ring, and distinguishing both of them from the
165 * "Shomiti" versions of same.
167 wtap_open_return_val snoop_open(wtap *wth, int *err, gchar **err_info)
169 char magic[sizeof snoop_magic];
170 struct snoop_hdr hdr;
171 struct snooprec_hdr rec_hdr;
174 static const int snoop_encap[] = {
175 WTAP_ENCAP_ETHERNET, /* IEEE 802.3 */
176 WTAP_ENCAP_UNKNOWN, /* IEEE 802.4 Token Bus */
177 WTAP_ENCAP_TOKEN_RING,
178 WTAP_ENCAP_UNKNOWN, /* IEEE 802.6 Metro Net */
180 WTAP_ENCAP_UNKNOWN, /* HDLC */
181 WTAP_ENCAP_UNKNOWN, /* Character Synchronous, e.g. bisync */
182 WTAP_ENCAP_UNKNOWN, /* IBM Channel-to-Channel */
183 WTAP_ENCAP_FDDI_BITSWAPPED,
184 WTAP_ENCAP_NULL, /* Other */
185 WTAP_ENCAP_UNKNOWN, /* Frame Relay LAPF */
186 WTAP_ENCAP_UNKNOWN, /* Multi-protocol over Frame Relay */
187 WTAP_ENCAP_UNKNOWN, /* Character Async (e.g., SLIP and PPP?) */
188 WTAP_ENCAP_UNKNOWN, /* X.25 Classical IP */
189 WTAP_ENCAP_NULL, /* software loopback */
190 WTAP_ENCAP_UNKNOWN, /* not defined in "dlpi.h" */
191 WTAP_ENCAP_IP_OVER_FC, /* Fibre Channel */
192 WTAP_ENCAP_UNKNOWN, /* ATM */
193 WTAP_ENCAP_ATM_PDUS, /* ATM Classical IP */
194 WTAP_ENCAP_UNKNOWN, /* X.25 LAPB */
195 WTAP_ENCAP_UNKNOWN, /* ISDN */
196 WTAP_ENCAP_UNKNOWN, /* HIPPI */
197 WTAP_ENCAP_UNKNOWN, /* 100VG-AnyLAN Ethernet */
198 WTAP_ENCAP_UNKNOWN, /* 100VG-AnyLAN Token Ring */
199 WTAP_ENCAP_UNKNOWN, /* "ISO 8802/3 and Ethernet" */
200 WTAP_ENCAP_UNKNOWN, /* 100BaseT (but that's just Ethernet) */
201 WTAP_ENCAP_IP_OVER_IB_SNOOP, /* Infiniband */
203 #define NUM_SNOOP_ENCAPS (sizeof snoop_encap / sizeof snoop_encap[0])
204 #define SNOOP_PRIVATE_BIT 0x80000000
205 static const int snoop_private_encap[] = {
206 WTAP_ENCAP_UNKNOWN, /* Not Used */
207 WTAP_ENCAP_UNKNOWN, /* IPv4 Tunnel Link */
208 WTAP_ENCAP_UNKNOWN, /* IPv6 Tunnel Link */
209 WTAP_ENCAP_UNKNOWN, /* Virtual network interface */
210 WTAP_ENCAP_UNKNOWN, /* IEEE 802.11 */
211 WTAP_ENCAP_IPNET, /* ipnet(7D) link */
212 WTAP_ENCAP_UNKNOWN, /* IPMP stub interface */
213 WTAP_ENCAP_UNKNOWN, /* 6to4 Tunnel Link */
215 #define NUM_SNOOP_PRIVATE_ENCAPS (sizeof snoop_private_encap / sizeof snoop_private_encap[0])
216 static const int shomiti_encap[] = {
217 WTAP_ENCAP_ETHERNET, /* IEEE 802.3 */
218 WTAP_ENCAP_UNKNOWN, /* IEEE 802.4 Token Bus */
219 WTAP_ENCAP_TOKEN_RING,
220 WTAP_ENCAP_UNKNOWN, /* IEEE 802.6 Metro Net */
222 WTAP_ENCAP_UNKNOWN, /* HDLC */
223 WTAP_ENCAP_UNKNOWN, /* Character Synchronous, e.g. bisync */
224 WTAP_ENCAP_UNKNOWN, /* IBM Channel-to-Channel */
225 WTAP_ENCAP_FDDI_BITSWAPPED,
226 WTAP_ENCAP_UNKNOWN, /* Other */
227 WTAP_ENCAP_ETHERNET, /* Fast Ethernet */
228 WTAP_ENCAP_TOKEN_RING, /* 4MB 802.5 token ring */
229 WTAP_ENCAP_ETHERNET, /* Gigabit Ethernet */
230 WTAP_ENCAP_TOKEN_RING, /* "IEEE 802.5 Shomiti" */
231 WTAP_ENCAP_TOKEN_RING, /* "4MB IEEE 802.5 Shomiti" */
232 WTAP_ENCAP_UNKNOWN, /* Other */
233 WTAP_ENCAP_UNKNOWN, /* Other */
234 WTAP_ENCAP_UNKNOWN, /* Other */
235 WTAP_ENCAP_IEEE_802_11_WITH_RADIO, /* IEEE 802.11 with Radio Header */
236 WTAP_ENCAP_ETHERNET, /* 10 Gigabit Ethernet */
238 #define NUM_SHOMITI_ENCAPS (sizeof shomiti_encap / sizeof shomiti_encap[0])
242 /* Read in the string that should be at the start of a "snoop" file */
243 if (!wtap_read_bytes(wth->fh, magic, sizeof magic, err, err_info)) {
244 if (*err != WTAP_ERR_SHORT_READ)
245 return WTAP_OPEN_ERROR;
246 return WTAP_OPEN_NOT_MINE;
249 if (memcmp(magic, snoop_magic, sizeof snoop_magic) != 0) {
250 return WTAP_OPEN_NOT_MINE;
253 /* Read the rest of the header. */
254 if (!wtap_read_bytes(wth->fh, &hdr, sizeof hdr, err, err_info))
255 return WTAP_OPEN_ERROR;
258 * Make sure it's a version we support.
260 hdr.version = g_ntohl(hdr.version);
261 switch (hdr.version) {
263 case 2: /* Solaris 2.x and later snoop, and Shomiti
264 Surveyor prior to 3.0, or 3.0 and later
266 case 3: /* Surveyor 3.0 and later, with Shomiti CMM2 hardware */
267 case 4: /* Surveyor 3.0 and later, with Shomiti GAM hardware */
268 case 5: /* Surveyor 3.0 and later, with Shomiti THG hardware */
272 *err = WTAP_ERR_UNSUPPORTED;
273 *err_info = g_strdup_printf("snoop: version %u unsupported", hdr.version);
274 return WTAP_OPEN_ERROR;
278 * Oh, this is lovely.
280 * I suppose Shomiti could give a bunch of lawyerly noise about
281 * how "well, RFC 1761 said they were unassigned, and that's
282 * the standard, not the DLPI header file, so it's perfectly OK
283 * for us to use them, blah blah blah", but it's still irritating
284 * as hell that they used the unassigned-in-RFC-1761 values for
285 * their own purposes - especially given that Sun also used
286 * one of them in atmsnoop.
288 * We can't determine whether it's a Shomiti capture based on
289 * the version number, as, according to their documentation on
290 * their capture file format, Shomiti uses a version number of 2
291 * if the data "was captured using an NDIS card", which presumably
292 * means "captured with an ordinary boring network card via NDIS"
293 * as opposed to "captured with our whizzo special capture
296 * The only way I can see to determine that is to check how much
297 * padding there is in the first packet - if there's enough
298 * padding for a Shomiti trailer, it's probably a Shomiti
299 * capture, and otherwise, it's probably from Snoop.
303 * Start out assuming it's not a Shomiti capture.
307 /* Read first record header. */
308 saved_offset = file_tell(wth->fh);
309 if (!wtap_read_bytes_or_eof(wth->fh, &rec_hdr, sizeof rec_hdr, err, err_info)) {
311 return WTAP_OPEN_ERROR;
314 * The file ends after the record header, which means this
315 * is a capture with no packets.
317 * We assume it's a snoop file; the actual type of file is
318 * irrelevant, as there are no records in it, and thus no
319 * extra information if it's a Shomiti capture, and no
320 * link-layer headers whose type we have to know, and no
321 * Ethernet frames that might have an FCS.
325 * Compute the number of bytes of padding in the
326 * record. If it's at least the size of a Shomiti
327 * trailer record, we assume this is a Shomiti
328 * capture. (Some atmsnoop captures appear
329 * to have 4 bytes of padding, and at least one
330 * snoop capture appears to have 6 bytes of padding;
331 * the Shomiti header is larger than either of those.)
333 if (g_ntohl(rec_hdr.rec_len) >
334 (sizeof rec_hdr + g_ntohl(rec_hdr.incl_len))) {
336 * Well, we have padding; how much?
338 padbytes = g_ntohl(rec_hdr.rec_len) -
339 ((guint)sizeof rec_hdr + g_ntohl(rec_hdr.incl_len));
342 * Is it at least the size of a Shomiti trailer?
345 (padbytes >= sizeof (struct shomiti_trailer));
350 * Seek back to the beginning of the first record.
352 if (file_seek(wth->fh, saved_offset, SEEK_SET, err) == -1)
353 return WTAP_OPEN_ERROR;
355 hdr.network = g_ntohl(hdr.network);
357 if (hdr.network >= NUM_SHOMITI_ENCAPS
358 || shomiti_encap[hdr.network] == WTAP_ENCAP_UNKNOWN) {
359 *err = WTAP_ERR_UNSUPPORTED;
360 *err_info = g_strdup_printf("snoop: Shomiti network type %u unknown or unsupported",
362 return WTAP_OPEN_ERROR;
364 file_encap = shomiti_encap[hdr.network];
366 /* This is a Shomiti file */
367 wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_SHOMITI;
368 } else if (hdr.network & SNOOP_PRIVATE_BIT) {
369 if ((hdr.network^SNOOP_PRIVATE_BIT) >= NUM_SNOOP_PRIVATE_ENCAPS
370 || snoop_private_encap[hdr.network^SNOOP_PRIVATE_BIT] == WTAP_ENCAP_UNKNOWN) {
371 *err = WTAP_ERR_UNSUPPORTED;
372 *err_info = g_strdup_printf("snoop: private network type %u unknown or unsupported",
374 return WTAP_OPEN_ERROR;
376 file_encap = snoop_private_encap[hdr.network^SNOOP_PRIVATE_BIT];
378 /* This is a snoop file */
379 wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_SNOOP;
381 if (hdr.network >= NUM_SNOOP_ENCAPS
382 || snoop_encap[hdr.network] == WTAP_ENCAP_UNKNOWN) {
383 *err = WTAP_ERR_UNSUPPORTED;
384 *err_info = g_strdup_printf("snoop: network type %u unknown or unsupported",
386 return WTAP_OPEN_ERROR;
388 file_encap = snoop_encap[hdr.network];
390 /* This is a snoop file */
391 wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_SNOOP;
395 * We don't currently use the extra information in Shomiti
396 * records, so we use the same routines to read snoop and
399 wth->subtype_read = snoop_read;
400 wth->subtype_seek_read = snoop_seek_read;
401 wth->file_encap = file_encap;
402 wth->snapshot_length = 0; /* not available in header */
403 wth->file_tsprec = WTAP_TSPREC_USEC;
404 return WTAP_OPEN_MINE;
416 } shomiti_wireless_header;
419 /* Read the next packet */
420 static gboolean snoop_read(wtap *wth, int *err, gchar **err_info,
425 *data_offset = file_tell(wth->fh);
427 padbytes = snoop_read_packet(wth, wth->fh, &wth->phdr,
428 wth->frame_buffer, err, err_info);
433 * Skip over the padding, if any.
436 if (!wtap_read_bytes(wth->fh, NULL, padbytes, err, err_info))
444 snoop_seek_read(wtap *wth, gint64 seek_off,
445 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info)
447 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
450 if (snoop_read_packet(wth, wth->random_fh, phdr, buf, err, err_info) == -1) {
452 *err = WTAP_ERR_SHORT_READ;
459 snoop_read_packet(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr,
460 Buffer *buf, int *err, gchar **err_info)
462 struct snooprec_hdr hdr;
468 /* Read record header. */
469 if (!wtap_read_bytes_or_eof(fh, &hdr, sizeof hdr, err, err_info))
472 rec_size = g_ntohl(hdr.rec_len);
473 orig_size = g_ntohl(hdr.orig_len);
474 packet_size = g_ntohl(hdr.incl_len);
475 if (orig_size > WTAP_MAX_PACKET_SIZE_STANDARD) {
477 * Probably a corrupt capture file; don't blow up trying
478 * to allocate space for an immensely-large packet.
480 *err = WTAP_ERR_BAD_FILE;
481 *err_info = g_strdup_printf("snoop: File has %u-byte original length, bigger than maximum of %u",
482 orig_size, WTAP_MAX_PACKET_SIZE_STANDARD);
485 if (packet_size > WTAP_MAX_PACKET_SIZE_STANDARD) {
487 * Probably a corrupt capture file; don't blow up trying
488 * to allocate space for an immensely-large packet.
490 *err = WTAP_ERR_BAD_FILE;
491 *err_info = g_strdup_printf("snoop: File has %u-byte packet, bigger than maximum of %u",
492 packet_size, WTAP_MAX_PACKET_SIZE_STANDARD);
495 if (packet_size > rec_size) {
497 * Probably a corrupt capture file.
499 *err = WTAP_ERR_BAD_FILE;
500 *err_info = g_strdup_printf("snoop: File has %u-byte packet, bigger than record size %u",
501 packet_size, rec_size);
505 switch (wth->file_encap) {
507 case WTAP_ENCAP_ATM_PDUS:
509 * This is an ATM packet, so the first four bytes are
510 * the direction of the packet (transmit/receive), the
511 * VPI, and the VCI; read them and generate the
512 * pseudo-header from them.
514 if (packet_size < sizeof (struct snoop_atm_hdr)) {
516 * Uh-oh, the packet isn't big enough to even
517 * have a pseudo-header.
519 *err = WTAP_ERR_BAD_FILE;
520 *err_info = g_strdup_printf("snoop: atmsnoop file has a %u-byte packet, too small to have even an ATM pseudo-header",
524 if (!snoop_read_atm_pseudoheader(fh, &phdr->pseudo_header,
526 return -1; /* Read error */
529 * Don't count the pseudo-header as part of the packet.
531 rec_size -= (guint32)sizeof (struct snoop_atm_hdr);
532 orig_size -= (guint32)sizeof (struct snoop_atm_hdr);
533 packet_size -= (guint32)sizeof (struct snoop_atm_hdr);
536 case WTAP_ENCAP_ETHERNET:
538 * If this is a snoop file, we assume there's no FCS in
539 * this frame; if this is a Shomit file, we assume there
540 * is. (XXX - or should we treat it a "maybe"?)
542 if (wth->file_type_subtype == WTAP_FILE_TYPE_SUBTYPE_SHOMITI)
543 phdr->pseudo_header.eth.fcs_len = 4;
545 phdr->pseudo_header.eth.fcs_len = 0;
548 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
549 if (packet_size < sizeof (shomiti_wireless_header)) {
551 * Uh-oh, the packet isn't big enough to even
552 * have a pseudo-header.
554 *err = WTAP_ERR_BAD_FILE;
555 *err_info = g_strdup_printf("snoop: Shomiti wireless file has a %u-byte packet, too small to have even a wireless pseudo-header",
559 if (!snoop_read_shomiti_wireless_pseudoheader(fh,
560 &phdr->pseudo_header, err, err_info, &header_size))
561 return -1; /* Read error */
564 * Don't count the pseudo-header as part of the packet.
566 rec_size -= header_size;
567 orig_size -= header_size;
568 packet_size -= header_size;
572 phdr->rec_type = REC_TYPE_PACKET;
573 phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
574 phdr->ts.secs = g_ntohl(hdr.ts_sec);
575 phdr->ts.nsecs = g_ntohl(hdr.ts_usec) * 1000;
576 phdr->caplen = packet_size;
577 phdr->len = orig_size;
579 if (rec_size < (sizeof hdr + packet_size)) {
581 * What, *negative* padding? Bogus.
583 *err = WTAP_ERR_BAD_FILE;
584 *err_info = g_strdup_printf("snoop: File has %u-byte record with packet size of %u",
585 rec_size, packet_size);
590 * Read the packet data.
592 if (!wtap_read_packet_bytes(fh, buf, packet_size, err, err_info))
593 return -1; /* failed */
596 * If this is ATM LANE traffic, try to guess what type of LANE
597 * traffic it is based on the packet contents.
599 if (wth->file_encap == WTAP_ENCAP_ATM_PDUS &&
600 phdr->pseudo_header.atm.type == TRAF_LANE) {
601 atm_guess_lane_type(phdr, ws_buffer_start_ptr(buf));
604 return rec_size - ((guint)sizeof hdr + packet_size);
608 snoop_read_atm_pseudoheader(FILE_T fh, union wtap_pseudo_header *pseudo_header,
609 int *err, gchar **err_info)
611 struct snoop_atm_hdr atm_phdr;
615 if (!wtap_read_bytes(fh, &atm_phdr, sizeof atm_phdr, err, err_info))
619 vci = pntoh16(&atm_phdr.vci);
622 * The lower 4 bits of the first byte of the header indicate
623 * the type of traffic, as per the "atmioctl.h" header in
626 switch (atm_phdr.flags & 0x0F) {
628 case 0x01: /* LANE */
629 pseudo_header->atm.aal = AAL_5;
630 pseudo_header->atm.type = TRAF_LANE;
633 case 0x02: /* RFC 1483 LLC multiplexed traffic */
634 pseudo_header->atm.aal = AAL_5;
635 pseudo_header->atm.type = TRAF_LLCMX;
638 case 0x05: /* ILMI */
639 pseudo_header->atm.aal = AAL_5;
640 pseudo_header->atm.type = TRAF_ILMI;
643 case 0x06: /* Signalling AAL */
644 pseudo_header->atm.aal = AAL_SIGNALLING;
645 pseudo_header->atm.type = TRAF_UNKNOWN;
648 case 0x03: /* MARS (RFC 2022) */
649 pseudo_header->atm.aal = AAL_5;
650 pseudo_header->atm.type = TRAF_UNKNOWN;
653 case 0x04: /* IFMP (Ipsilon Flow Management Protocol; see RFC 1954) */
654 pseudo_header->atm.aal = AAL_5;
655 pseudo_header->atm.type = TRAF_UNKNOWN; /* XXX - TRAF_IPSILON? */
660 * Assume it's AAL5, unless it's VPI 0 and VCI 5, in which
661 * case assume it's AAL_SIGNALLING; we know nothing more
664 * XXX - is this necessary? Or are we guaranteed that
665 * all signalling traffic has a type of 0x06?
667 * XXX - is this guaranteed to be AAL5? Or, if the type is
668 * 0x00 ("raw"), might it be non-AAL5 traffic?
670 if (vpi == 0 && vci == 5)
671 pseudo_header->atm.aal = AAL_SIGNALLING;
673 pseudo_header->atm.aal = AAL_5;
674 pseudo_header->atm.type = TRAF_UNKNOWN;
677 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
679 pseudo_header->atm.vpi = vpi;
680 pseudo_header->atm.vci = vci;
681 pseudo_header->atm.channel = (atm_phdr.flags & 0x80) ? 0 : 1;
683 /* We don't have this information */
684 pseudo_header->atm.flags = 0;
685 pseudo_header->atm.cells = 0;
686 pseudo_header->atm.aal5t_u2u = 0;
687 pseudo_header->atm.aal5t_len = 0;
688 pseudo_header->atm.aal5t_chksum = 0;
694 snoop_read_shomiti_wireless_pseudoheader(FILE_T fh,
695 union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info,
698 shomiti_wireless_header whdr;
701 if (!wtap_read_bytes(fh, &whdr, sizeof whdr, err, err_info))
704 /* the 4th byte of the pad is actually a header length,
705 * we've already read 8 bytes of it, and it must never
708 * XXX - presumably that means that the header length
709 * doesn't include the length field, as we've read
712 * XXX - what's in the other 3 bytes of the padding? Is it a
713 * 4-byte length field?
714 * XXX - is there anything in the rest of the header of interest?
715 * XXX - are there any files where the header is shorter than
716 * 4 bytes of length plus 8 bytes of information?
718 if (whdr.pad[3] < 8) {
719 *err = WTAP_ERR_BAD_FILE;
720 *err_info = g_strdup_printf("snoop: Header length in Surveyor record is %u, less than minimum of 8",
724 /* Skip the header. */
725 rsize = ((int) whdr.pad[3]) - 8;
726 if (!wtap_read_bytes(fh, NULL, rsize, err, err_info))
729 memset(&pseudo_header->ieee_802_11, 0, sizeof(pseudo_header->ieee_802_11));
730 pseudo_header->ieee_802_11.fcs_len = 4;
731 pseudo_header->ieee_802_11.decrypted = FALSE;
732 pseudo_header->ieee_802_11.datapad = FALSE;
733 pseudo_header->ieee_802_11.phy = PHDR_802_11_PHY_UNKNOWN;
734 pseudo_header->ieee_802_11.has_channel = TRUE;
735 pseudo_header->ieee_802_11.channel = whdr.channel;
736 pseudo_header->ieee_802_11.has_data_rate = TRUE;
737 pseudo_header->ieee_802_11.data_rate = whdr.rate;
738 pseudo_header->ieee_802_11.has_signal_percent = TRUE;
739 pseudo_header->ieee_802_11.signal_percent = whdr.signal;
741 /* add back the header and don't forget the pad as well */
742 *header_size = rsize + 8 + 4;
747 static const int wtap_encap[] = {
748 -1, /* WTAP_ENCAP_UNKNOWN -> unsupported */
749 0x04, /* WTAP_ENCAP_ETHERNET -> DL_ETHER */
750 0x02, /* WTAP_ENCAP_TOKEN_RING -> DL_TPR */
751 -1, /* WTAP_ENCAP_SLIP -> unsupported */
752 -1, /* WTAP_ENCAP_PPP -> unsupported */
753 0x08, /* WTAP_ENCAP_FDDI -> DL_FDDI */
754 0x08, /* WTAP_ENCAP_FDDI_BITSWAPPED -> DL_FDDI */
755 -1, /* WTAP_ENCAP_RAW_IP -> unsupported */
756 -1, /* WTAP_ENCAP_ARCNET -> unsupported */
757 -1, /* WTAP_ENCAP_ARCNET_LINUX -> unsupported */
758 -1, /* WTAP_ENCAP_ATM_RFC1483 -> unsupported */
759 -1, /* WTAP_ENCAP_LINUX_ATM_CLIP -> unsupported */
760 -1, /* WTAP_ENCAP_LAPB -> unsupported*/
761 0x12, /* WTAP_ENCAP_ATM_PDUS -> DL_IPATM */
763 #define NUM_WTAP_ENCAPS (sizeof wtap_encap / sizeof wtap_encap[0])
765 /* Returns 0 if we could write the specified encapsulation type,
766 an error indication otherwise. */
767 int snoop_dump_can_write_encap(int encap)
769 /* Per-packet encapsulations aren't supported. */
770 if (encap == WTAP_ENCAP_PER_PACKET)
771 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
773 if (encap < 0 || (unsigned)encap >= NUM_WTAP_ENCAPS || wtap_encap[encap] == -1)
774 return WTAP_ERR_UNWRITABLE_ENCAP;
779 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
781 gboolean snoop_dump_open(wtap_dumper *wdh, int *err)
783 struct snoop_hdr file_hdr;
785 /* This is a snoop file */
786 wdh->subtype_write = snoop_dump;
788 /* Write the file header. */
789 if (!wtap_dump_file_write(wdh, &snoop_magic, sizeof snoop_magic, err))
792 /* current "snoop" format is 2 */
793 file_hdr.version = g_htonl(2);
794 file_hdr.network = g_htonl(wtap_encap[wdh->encap]);
795 if (!wtap_dump_file_write(wdh, &file_hdr, sizeof file_hdr, err))
801 /* Write a record for a packet to a dump file.
802 Returns TRUE on success, FALSE on failure. */
803 static gboolean snoop_dump(wtap_dumper *wdh,
804 const struct wtap_pkthdr *phdr,
805 const guint8 *pd, int *err, gchar **err_info _U_)
807 const union wtap_pseudo_header *pseudo_header = &phdr->pseudo_header;
808 struct snooprec_hdr rec_hdr;
811 static const char zeroes[4] = {0};
812 struct snoop_atm_hdr atm_hdr;
815 /* We can only write packet records. */
816 if (phdr->rec_type != REC_TYPE_PACKET) {
817 *err = WTAP_ERR_UNWRITABLE_REC_TYPE;
821 if (wdh->encap == WTAP_ENCAP_ATM_PDUS)
822 atm_hdrsize = sizeof (struct snoop_atm_hdr);
826 /* Record length = header length plus data length... */
827 reclen = (int)sizeof rec_hdr + phdr->caplen + atm_hdrsize;
830 /* ... plus enough bytes to pad it to a 4-byte boundary. */
831 padlen = ((reclen + 3) & ~3) - reclen;
834 /* Don't write anything we're not willing to read. */
835 if (phdr->caplen + atm_hdrsize > WTAP_MAX_PACKET_SIZE_STANDARD) {
836 *err = WTAP_ERR_PACKET_TOO_LARGE;
840 rec_hdr.orig_len = g_htonl(phdr->len + atm_hdrsize);
841 rec_hdr.incl_len = g_htonl(phdr->caplen + atm_hdrsize);
842 rec_hdr.rec_len = g_htonl(reclen);
843 rec_hdr.cum_drops = 0;
844 rec_hdr.ts_sec = g_htonl(phdr->ts.secs);
845 rec_hdr.ts_usec = g_htonl(phdr->ts.nsecs / 1000);
846 if (!wtap_dump_file_write(wdh, &rec_hdr, sizeof rec_hdr, err))
849 if (wdh->encap == WTAP_ENCAP_ATM_PDUS) {
851 * Write the ATM header.
854 (pseudo_header->atm.channel == 0) ? 0x80 : 0x00;
855 switch (pseudo_header->atm.aal) {
859 atm_hdr.flags |= 0x06;
863 switch (pseudo_header->atm.type) {
867 atm_hdr.flags |= 0x01;
871 /* RFC 1483 LLC multiplexed traffic */
872 atm_hdr.flags |= 0x02;
877 atm_hdr.flags |= 0x05;
882 atm_hdr.vpi = (guint8) pseudo_header->atm.vpi;
883 atm_hdr.vci = g_htons(pseudo_header->atm.vci);
884 if (!wtap_dump_file_write(wdh, &atm_hdr, sizeof atm_hdr, err))
888 if (!wtap_dump_file_write(wdh, pd, phdr->caplen, err))
891 /* Now write the padding. */
892 if (!wtap_dump_file_write(wdh, zeroes, padlen, err))
898 * Editor modelines - http://www.wireshark.org/tools/modelines.html
903 * indent-tabs-mode: t
906 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
907 * :indentSize=8:tabSize=8:noTabs=false: