/* netmon.c
*
- * $Id: netmon.c,v 1.23 2000/01/13 07:09:17 guy Exp $
+ * $Id$
*
* Wiretap Library
- * Copyright (c) 1998 by Gilbert Ramirez <gram@verdict.uthscsa.edu>
- *
+ * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
+ *
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
- *
+ *
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
- *
+ *
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- *
*/
+
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include <errno.h>
-#include <time.h>
#include <string.h>
-#include "wtap.h"
+#include "wtap-int.h"
#include "file_wrappers.h"
#include "buffer.h"
+#include "atm.h"
+#include "pcap-encap.h"
#include "netmon.h"
/* The file at
guint32 incl_len; /* number of octets captured in file */
};
-static int netmon_read(wtap *wth, int *err);
+/*
+ * Network Monitor 2.1 and later record trailers; documented in the Network
+ * Monitor 3.x help files, for 3.3 and later, although they don't clearly
+ * state how the trailer format changes from version to version.
+ *
+ * Some fields are multi-byte integers, but they're not aligned on their
+ * natural boundaries.
+ */
+struct netmonrec_2_1_trlr {
+ guint8 network[2]; /* network type for this packet */
+};
+
+struct netmonrec_2_2_trlr {
+ guint8 network[2]; /* network type for this packet */
+ guint8 process_info_index[4]; /* index into the process info table */
+};
+
+struct netmonrec_2_3_trlr {
+ guint8 network[2]; /* network type for this packet */
+ guint8 process_info_index[4]; /* index into the process info table */
+ guint8 utc_timestamp[8]; /* packet time stamp, as .1 us units since January 1, 1601, 00:00:00 UTC */
+ guint8 timezone_index; /* index of time zone information */
+};
+
+/*
+ * The link-layer header on ATM packets.
+ */
+struct netmon_atm_hdr {
+ guint8 dest[6]; /* "Destination address" - what is it? */
+ guint8 src[6]; /* "Source address" - what is it? */
+ guint16 vpi; /* VPI */
+ guint16 vci; /* VCI */
+};
+
+typedef struct {
+ time_t start_secs;
+ guint32 start_usecs;
+ guint8 version_major;
+ guint8 version_minor;
+ guint32 *frame_table;
+ guint32 frame_table_size;
+ guint current_frame;
+} netmon_t;
+
+/*
+ * XXX - at least in some NetMon 3.4 VPN captures, the per-packet
+ * link-layer type is 0, but the packets have Ethernet headers.
+ * We handle this by mapping 0 to WTAP_ENCAP_ETHERNET; should we,
+ * instead, use the per-file link-layer type?
+ */
+static const int netmon_encap[] = {
+ WTAP_ENCAP_ETHERNET,
+ WTAP_ENCAP_ETHERNET,
+ WTAP_ENCAP_TOKEN_RING,
+ WTAP_ENCAP_FDDI_BITSWAPPED,
+ WTAP_ENCAP_ATM_PDUS, /* NDIS WAN - this is what's used for ATM */
+ WTAP_ENCAP_UNKNOWN, /* NDIS LocalTalk, but format 2.x uses it for IP-over-IEEE 1394 */
+ WTAP_ENCAP_IEEE802_11_NETMON_RADIO,
+ /* NDIS "DIX", but format 2.x uses it for 802.11 */
+ WTAP_ENCAP_RAW_IP, /* NDIS ARCNET raw, but format 2.x uses it for "Tunneling interfaces" */
+ WTAP_ENCAP_RAW_IP, /* NDIS ARCNET 878.2, but format 2.x uses it for "Wireless WAN" */
+ WTAP_ENCAP_RAW_IP, /* NDIS ATM (no, this is NOT used for ATM); format 2.x uses it for "Raw IP Frames" */
+ WTAP_ENCAP_UNKNOWN, /* NDIS Wireless WAN */
+ WTAP_ENCAP_UNKNOWN /* NDIS IrDA */
+};
+#define NUM_NETMON_ENCAPS (sizeof netmon_encap / sizeof netmon_encap[0])
+
+/*
+ * Special link-layer types.
+ */
+#define NETMON_NET_PCAP_BASE 0xE000
+#define NETMON_NET_NETEVENT 0xFFE0
+#define NETMON_NET_NETWORK_INFO_EX 0xFFFB
+#define NETMON_NET_PAYLOAD_HEADER 0xFFFC
+#define NETMON_NET_NETWORK_INFO 0xFFFD
+#define NETMON_NET_DNS_CACHE 0xFFFE
+#define NETMON_NET_NETMON_FILTER 0xFFFF
+
+static gboolean netmon_read(wtap *wth, int *err, gchar **err_info,
+ gint64 *data_offset);
+static gboolean netmon_seek_read(wtap *wth, gint64 seek_off,
+ union wtap_pseudo_header *pseudo_header, guchar *pd, int length,
+ int *err, gchar **err_info);
+static gboolean netmon_read_atm_pseudoheader(FILE_T fh,
+ union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info);
+static gboolean netmon_read_rec_data(FILE_T fh, guchar *pd, int length,
+ int *err, gchar **err_info);
+static int netmon_read_rec_trailer(FILE_T fh, int trlr_size, int *err,
+ gchar **err_info);
+static void netmon_sequential_close(wtap *wth);
static gboolean netmon_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
- const u_char *pd, int *err);
+ const union wtap_pseudo_header *pseudo_header, const guchar *pd, int *err);
static gboolean netmon_dump_close(wtap_dumper *wdh, int *err);
-int netmon_open(wtap *wth, int *err)
+int netmon_open(wtap *wth, int *err, gchar **err_info)
{
int bytes_read;
char magic[sizeof netmon_1_x_magic];
struct netmon_hdr hdr;
int file_type;
- static const int netmon_encap[] = {
- WTAP_ENCAP_UNKNOWN,
- WTAP_ENCAP_ETHERNET,
- WTAP_ENCAP_TR,
- WTAP_ENCAP_FDDI_BITSWAPPED,
- WTAP_ENCAP_UNKNOWN, /* WAN */
- WTAP_ENCAP_UNKNOWN, /* LocalTalk */
- WTAP_ENCAP_UNKNOWN, /* "DIX" - should not occur */
- WTAP_ENCAP_UNKNOWN, /* ARCNET raw */
- WTAP_ENCAP_UNKNOWN, /* ARCNET 878.2 */
- WTAP_ENCAP_UNKNOWN, /* ATM */
- WTAP_ENCAP_UNKNOWN, /* Wireless WAN */
- WTAP_ENCAP_UNKNOWN /* IrDA */
- };
- #define NUM_NETMON_ENCAPS (sizeof netmon_encap / sizeof netmon_encap[0])
struct tm tm;
+ int frame_table_offset;
guint32 frame_table_length;
- guint32 first_frame_table_entry;
+ guint32 frame_table_size;
+ guint32 *frame_table;
+#ifdef WORDS_BIGENDIAN
+ unsigned int i;
+#endif
+ netmon_t *netmon;
/* Read in the string that should be at the start of a Network
* Monitor file */
- file_seek(wth->fh, 0, SEEK_SET);
errno = WTAP_ERR_CANT_READ;
- bytes_read = file_read(magic, 1, sizeof magic, wth->fh);
+ bytes_read = file_read(magic, sizeof magic, wth->fh);
if (bytes_read != sizeof magic) {
- *err = file_error(wth->fh);
+ *err = file_error(wth->fh, err_info);
if (*err != 0)
return -1;
return 0;
/* Read the rest of the header. */
errno = WTAP_ERR_CANT_READ;
- bytes_read = file_read(&hdr, 1, sizeof hdr, wth->fh);
+ bytes_read = file_read(&hdr, sizeof hdr, wth->fh);
if (bytes_read != sizeof hdr) {
- *err = file_error(wth->fh);
+ *err = file_error(wth->fh, err_info);
if (*err != 0)
return -1;
return 0;
break;
default:
- g_message("netmon: major version %u unsupported", hdr.ver_major);
*err = WTAP_ERR_UNSUPPORTED;
+ *err_info = g_strdup_printf("netmon: major version %u unsupported", hdr.ver_major);
return -1;
}
hdr.network = pletohs(&hdr.network);
if (hdr.network >= NUM_NETMON_ENCAPS
|| netmon_encap[hdr.network] == WTAP_ENCAP_UNKNOWN) {
- g_message("netmon: network type %u unknown or unsupported",
+ *err = WTAP_ERR_UNSUPPORTED_ENCAP;
+ *err_info = g_strdup_printf("netmon: network type %u unknown or unsupported",
hdr.network);
- *err = WTAP_ERR_UNSUPPORTED;
return -1;
}
/* This is a netmon file */
wth->file_type = file_type;
- wth->capture.netmon = g_malloc(sizeof(netmon_t));
+ netmon = (netmon_t *)g_malloc(sizeof(netmon_t));
+ wth->priv = (void *)netmon;
wth->subtype_read = netmon_read;
- wth->file_encap = netmon_encap[hdr.network];
- wth->snapshot_length = 16384; /* XXX - not available in header */
+ wth->subtype_seek_read = netmon_seek_read;
+ wth->subtype_sequential_close = netmon_sequential_close;
+
+ /* NetMon capture file formats v2.1+ use per-packet encapsulation types. NetMon 3 sets the value in
+ * the header to 1 (Ethernet) for backwards compability. */
+ if((hdr.ver_major == 2 && hdr.ver_minor >= 1) || hdr.ver_major > 2)
+ wth->file_encap = WTAP_ENCAP_PER_PACKET;
+ else
+ wth->file_encap = netmon_encap[hdr.network];
+
+ wth->snapshot_length = 0; /* not available in header */
/*
* Convert the time stamp to a "time_t" and a number of
* milliseconds.
tm.tm_min = pletohs(&hdr.ts_min);
tm.tm_sec = pletohs(&hdr.ts_sec);
tm.tm_isdst = -1;
- wth->capture.netmon->start_secs = mktime(&tm);
+ netmon->start_secs = mktime(&tm);
/*
* XXX - what if "secs" is -1? Unlikely, but if the capture was
* done in a time zone that switches between standard and summer
* intervals since 1601-01-01 00:00:00 "UTC", there, instead
* of stuffing a SYSTEMTIME, which is time-zone-dependent, there?).
*/
- wth->capture.netmon->start_usecs = pletohs(&hdr.ts_msec)*1000;
+ netmon->start_usecs = pletohs(&hdr.ts_msec)*1000;
- wth->capture.netmon->version_major = hdr.ver_major;
+ netmon->version_major = hdr.ver_major;
+ netmon->version_minor = hdr.ver_minor;
/*
- * The "frame index table" appears to come after the last
- * packet; remember its offset, so we know when we have no
- * more packets to read.
+ * Get the offset of the frame index table.
*/
- wth->capture.netmon->end_offset = pletohl(&hdr.frametableoffset);
+ frame_table_offset = pletohl(&hdr.frametableoffset);
/*
* It appears that some NetMon 2.x files don't have the
* first packet starting exactly 128 bytes into the file.
- * So we read the first entry from the frame table, and
- * use that as the offset of the first packet.
*
- * First, make sure the frame table has at least one entry
- * in it....
+ * Furthermore, it also appears that there are "holes" in
+ * the file, i.e. frame N+1 doesn't always follow immediately
+ * after frame N.
+ *
+ * Therefore, we must read the frame table, and use the offsets
+ * in it as the offsets of the frames.
*/
frame_table_length = pletohl(&hdr.frametablelength);
- if (frame_table_length < sizeof first_frame_table_entry) {
- g_message("netmon: frame table length is %u, which means it's less than one entry in size",
+ frame_table_size = frame_table_length / (guint32)sizeof (guint32);
+ if ((frame_table_size * sizeof (guint32)) != frame_table_length) {
+ *err = WTAP_ERR_UNSUPPORTED;
+ *err_info = g_strdup_printf("netmon: frame table length is %u, which is not a multiple of the size of an entry",
frame_table_length);
+ g_free(netmon);
+ return -1;
+ }
+ if (frame_table_size == 0) {
*err = WTAP_ERR_UNSUPPORTED;
+ *err_info = g_strdup_printf("netmon: frame table length is %u, which means it's less than one entry in size",
+ frame_table_length);
+ g_free(netmon);
+ return -1;
+ }
+ if (file_seek(wth->fh, frame_table_offset, SEEK_SET, err) == -1) {
+ g_free(netmon);
+ return -1;
+ }
+ frame_table = g_malloc(frame_table_length);
+ errno = WTAP_ERR_CANT_READ;
+ bytes_read = file_read(frame_table, frame_table_length, wth->fh);
+ if ((guint32)bytes_read != frame_table_length) {
+ *err = file_error(wth->fh, err_info);
+ if (*err == 0)
+ *err = WTAP_ERR_SHORT_READ;
+ g_free(frame_table);
+ g_free(netmon);
return -1;
}
+ netmon->frame_table_size = frame_table_size;
+ netmon->frame_table = frame_table;
+#ifdef WORDS_BIGENDIAN
/*
- * Now read that entry. (It appears that the N+1st frame immediately
- * follows the Nth frame, so we don't need any entries after the
- * first entry.)
+ * OK, now byte-swap the frame table.
*/
- errno = WTAP_ERR_CANT_READ;
- file_seek(wth->fh, wth->capture.netmon->end_offset, SEEK_SET);
- bytes_read = file_read(&first_frame_table_entry, 1,
- sizeof first_frame_table_entry, wth->fh);
- if (bytes_read != sizeof first_frame_table_entry) {
- *err = file_error(wth->fh);
- if (*err != 0)
- return -1;
- return 0;
- }
+ for (i = 0; i < frame_table_size; i++)
+ frame_table[i] = pletohl(&frame_table[i]);
+#endif
- /* Seek to the beginning of the data records. */
- wth->data_offset = pletohl(&first_frame_table_entry);
- file_seek(wth->fh, wth->data_offset, SEEK_SET);
+ /* Set up to start reading at the first frame. */
+ netmon->current_frame = 0;
+ wth->tsprecision = WTAP_FILE_TSPREC_USEC;
return 1;
}
+static size_t
+netmon_trailer_size(netmon_t *netmon)
+{
+ if ((netmon->version_major == 2 && netmon->version_minor >= 1) ||
+ netmon->version_major > 2) {
+ if (netmon->version_major > 2) {
+ /*
+ * Asssume 2.3 format, for now.
+ */
+ return sizeof (struct netmonrec_2_3_trlr);
+ } else {
+ switch (netmon->version_minor) {
+
+ case 1:
+ return sizeof (struct netmonrec_2_1_trlr);
+
+ case 2:
+ return sizeof (struct netmonrec_2_2_trlr);
+
+ default:
+ return sizeof (struct netmonrec_2_3_trlr);
+ }
+ }
+ }
+ return 0; /* no trailer */
+}
+
+static void
+netmon_set_pseudo_header_info(int pkt_encap,
+ union wtap_pseudo_header *pseudo_header, guchar *pd, int length)
+{
+ switch (pkt_encap) {
+
+ case WTAP_ENCAP_ATM_PDUS:
+ /*
+ * Attempt to guess from the packet data, the VPI, and
+ * the VCIinformation about the type of traffic.
+ */
+ atm_guess_traffic_type(pd, length, pseudo_header);
+ break;
+
+ case WTAP_ENCAP_ETHERNET:
+ /*
+ * We assume there's no FCS in this frame.
+ */
+ pseudo_header->eth.fcs_len = 0;
+ break;
+
+ case WTAP_ENCAP_IEEE802_11_NETMON_RADIO:
+ /*
+ * It appears to be the case that management
+ * frames have an FCS and data frames don't;
+ * I'm not sure about control frames. An
+ * "FCS length" of -2 means "NetMon weirdness".
+ */
+ pseudo_header->ieee_802_11.fcs_len = -2;
+ break;
+ }
+}
+
/* Read the next packet */
-static int netmon_read(wtap *wth, int *err)
+static gboolean netmon_read(wtap *wth, int *err, gchar **err_info,
+ gint64 *data_offset)
{
+ netmon_t *netmon = (netmon_t *)wth->priv;
guint32 packet_size = 0;
+ guint32 orig_size = 0;
int bytes_read;
union {
struct netmonrec_1_x_hdr hdr_1_x;
struct netmonrec_2_x_hdr hdr_2_x;
} hdr;
int hdr_size = 0;
- int data_offset;
+ int trlr_size;
+ int rec_offset;
+ guint8 *data_ptr;
+ gint64 delta = 0; /* signed - frame times can be before the nominal start */
time_t secs;
guint32 usecs;
double t;
+again:
/* Have we reached the end of the packet data? */
- if (wth->data_offset >= wth->capture.netmon->end_offset) {
- /* Yes. */
- return 0;
+ if (netmon->current_frame >= netmon->frame_table_size) {
+ /* Yes. We won't need the frame table any more;
+ free it. */
+ g_free(netmon->frame_table);
+ netmon->frame_table = NULL;
+ *err = 0; /* it's just an EOF, not an error */
+ return FALSE;
}
+
+ /* Seek to the beginning of the current record, if we're
+ not there already (seeking to the current position
+ may still cause a seek and a read of the underlying file,
+ so we don't want to do it unconditionally).
+
+ Yes, the current record could be before the previous
+ record. At least some captures put the trailer record
+ with statistics as the first physical record in the
+ file, but set the frame table up so it's the last
+ record in sequence. */
+ rec_offset = netmon->frame_table[netmon->current_frame];
+ if (wth->data_offset != rec_offset) {
+ wth->data_offset = rec_offset;
+ if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1)
+ return FALSE;
+ }
+ netmon->current_frame++;
+
/* Read record header. */
- switch (wth->capture.netmon->version_major) {
+ switch (netmon->version_major) {
case 1:
hdr_size = sizeof (struct netmonrec_1_x_hdr);
break;
}
errno = WTAP_ERR_CANT_READ;
- bytes_read = file_read(&hdr, 1, hdr_size, wth->fh);
+
+ bytes_read = file_read(&hdr, hdr_size, wth->fh);
if (bytes_read != hdr_size) {
- *err = file_error(wth->fh);
- if (*err != 0)
- return -1;
- if (bytes_read != 0) {
+ *err = file_error(wth->fh, err_info);
+ if (*err == 0 && bytes_read != 0) {
*err = WTAP_ERR_SHORT_READ;
- return -1;
}
- return 0;
+ return FALSE;
}
wth->data_offset += hdr_size;
- switch (wth->capture.netmon->version_major) {
+ switch (netmon->version_major) {
case 1:
+ orig_size = pletohs(&hdr.hdr_1_x.orig_len);
packet_size = pletohs(&hdr.hdr_1_x.incl_len);
break;
case 2:
+ orig_size = pletohl(&hdr.hdr_2_x.orig_len);
packet_size = pletohl(&hdr.hdr_2_x.incl_len);
break;
}
* Probably a corrupt capture file; don't blow up trying
* to allocate space for an immensely-large packet.
*/
- g_message("netmon: File has %u-byte packet, bigger than maximum of %u",
- packet_size, WTAP_MAX_PACKET_SIZE);
*err = WTAP_ERR_BAD_RECORD;
- return -1;
+ *err_info = g_strdup_printf("netmon: File has %u-byte packet, bigger than maximum of %u",
+ packet_size, WTAP_MAX_PACKET_SIZE);
+ return FALSE;
}
- buffer_assure_space(wth->frame_buffer, packet_size);
- data_offset = wth->data_offset;
- errno = WTAP_ERR_CANT_READ;
- bytes_read = file_read(buffer_start_ptr(wth->frame_buffer), 1,
- packet_size, wth->fh);
- if (bytes_read != packet_size) {
- *err = file_error(wth->fh);
- if (*err == 0)
- *err = WTAP_ERR_SHORT_READ;
- return -1;
+ *data_offset = wth->data_offset;
+
+ /*
+ * If this is an ATM packet, the first
+ * "sizeof (struct netmon_atm_hdr)" bytes have destination and
+ * source addresses (6 bytes - MAC addresses of some sort?)
+ * and the VPI and VCI; read them and generate the pseudo-header
+ * from them.
+ */
+ switch (wth->file_encap) {
+
+ case WTAP_ENCAP_ATM_PDUS:
+ if (packet_size < sizeof (struct netmon_atm_hdr)) {
+ /*
+ * Uh-oh, the packet isn't big enough to even
+ * have a pseudo-header.
+ */
+ *err = WTAP_ERR_BAD_RECORD;
+ *err_info = g_strdup_printf("netmon: ATM file has a %u-byte packet, too small to have even an ATM pseudo-header",
+ packet_size);
+ return FALSE;
+ }
+ if (!netmon_read_atm_pseudoheader(wth->fh, &wth->pseudo_header,
+ err, err_info))
+ return FALSE; /* Read error */
+
+ /*
+ * Don't count the pseudo-header as part of the packet.
+ */
+ orig_size -= (guint)sizeof (struct netmon_atm_hdr);
+ packet_size -= (guint)sizeof (struct netmon_atm_hdr);
+ wth->data_offset += sizeof (struct netmon_atm_hdr);
+ break;
+
+ default:
+ break;
}
+
+ buffer_assure_space(wth->frame_buffer, packet_size);
+ data_ptr = buffer_start_ptr(wth->frame_buffer);
+ if (!netmon_read_rec_data(wth->fh, data_ptr, packet_size, err,
+ err_info))
+ return FALSE; /* Read error */
wth->data_offset += packet_size;
- t = (double)wth->capture.netmon->start_usecs;
- switch (wth->capture.netmon->version_major) {
+ t = (double)netmon->start_usecs;
+ switch (netmon->version_major) {
case 1:
- t += ((double)pletohl(&hdr.hdr_1_x.ts_delta))*1000;
+ /*
+ * According to Paul Long, this offset is unsigned.
+ * It's 32 bits, so the maximum value will fit in
+ * a gint64 such as delta, even after multiplying
+ * it by 1000.
+ *
+ * pletohl() returns a guint32; we cast it to gint64
+ * before multiplying, so that the product doesn't
+ * overflow a guint32.
+ */
+ delta = ((gint64)pletohl(&hdr.hdr_1_x.ts_delta))*1000;
break;
case 2:
- t += (double)pletohl(&hdr.hdr_2_x.ts_delta_lo)
- + (double)pletohl(&hdr.hdr_2_x.ts_delta_hi)*4294967296.0;
+ delta = pletohl(&hdr.hdr_2_x.ts_delta_lo)
+ | (((guint64)pletohl(&hdr.hdr_2_x.ts_delta_hi)) << 32);
break;
}
+ t += (double)delta;
secs = (time_t)(t/1000000);
- usecs = (guint32)(t - secs*1000000);
- wth->phdr.ts.tv_sec = wth->capture.netmon->start_secs + secs;
- wth->phdr.ts.tv_usec = usecs;
+ usecs = (guint32)(t - (double)secs*1000000);
+ wth->phdr.ts.secs = netmon->start_secs + secs;
+ wth->phdr.ts.nsecs = usecs * 1000;
wth->phdr.caplen = packet_size;
- switch (wth->capture.netmon->version_major) {
+ wth->phdr.len = orig_size;
- case 1:
- wth->phdr.len = pletohs(&hdr.hdr_1_x.orig_len);
- break;
+ /*
+ * For version 2.1 and later, there's additional information
+ * after the frame data.
+ */
+ trlr_size = (int)netmon_trailer_size(netmon);
+ if (trlr_size != 0) {
+ /*
+ * I haz a trailer.
+ */
+ wth->phdr.pkt_encap = netmon_read_rec_trailer(wth->fh,
+ trlr_size, err, err_info);
+ if (wth->phdr.pkt_encap == -1)
+ return FALSE; /* error */
+ wth->data_offset += trlr_size;
+ if (wth->phdr.pkt_encap == 0)
+ goto again;
+ netmon_set_pseudo_header_info(wth->phdr.pkt_encap,
+ &wth->pseudo_header, data_ptr, packet_size);
+ } else {
+ netmon_set_pseudo_header_info(wth->file_encap,
+ &wth->pseudo_header, data_ptr, packet_size);
+ }
- case 2:
- wth->phdr.len = pletohl(&hdr.hdr_2_x.orig_len);
+ return TRUE;
+}
+
+static gboolean
+netmon_seek_read(wtap *wth, gint64 seek_off,
+ union wtap_pseudo_header *pseudo_header, guchar *pd, int length,
+ int *err, gchar **err_info)
+{
+ netmon_t *netmon = (netmon_t *)wth->priv;
+ int trlr_size;
+ int pkt_encap;
+
+ if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
+ return FALSE;
+
+ switch (wth->file_encap) {
+
+ case WTAP_ENCAP_ATM_PDUS:
+ if (!netmon_read_atm_pseudoheader(wth->random_fh, pseudo_header,
+ err, err_info)) {
+ /* Read error */
+ return FALSE;
+ }
break;
}
- wth->phdr.pkt_encap = wth->file_encap;
- return data_offset;
+ /*
+ * Read the packet data.
+ */
+ if (!netmon_read_rec_data(wth->random_fh, pd, length, err, err_info))
+ return FALSE;
+
+ /*
+ * For version 2.1 and later, there's additional information
+ * after the frame data.
+ */
+ trlr_size = (int)netmon_trailer_size(netmon);
+ if (trlr_size != 0) {
+ /*
+ * I haz a trailer.
+ */
+ pkt_encap = netmon_read_rec_trailer(wth->random_fh,
+ trlr_size, err, err_info);
+ if (pkt_encap == -1)
+ return FALSE; /* error */
+ if (pkt_encap == 0) {
+ /*
+ * This should not happen.
+ */
+ *err = WTAP_ERR_BAD_RECORD;
+ *err_info = g_strdup("netmon: saw metadata in netmon_seek_read");
+ return FALSE;
+ }
+ netmon_set_pseudo_header_info(pkt_encap, pseudo_header,
+ pd, length);
+ } else {
+ netmon_set_pseudo_header_info(wth->file_encap, pseudo_header,
+ pd, length);
+ }
+
+ return TRUE;
}
+static gboolean
+netmon_read_atm_pseudoheader(FILE_T fh, union wtap_pseudo_header *pseudo_header,
+ int *err, gchar **err_info)
+{
+ struct netmon_atm_hdr atm_phdr;
+ int bytes_read;
+ guint16 vpi, vci;
+
+ errno = WTAP_ERR_CANT_READ;
+ bytes_read = file_read(&atm_phdr, sizeof (struct netmon_atm_hdr), fh);
+ if (bytes_read != sizeof (struct netmon_atm_hdr)) {
+ *err = file_error(fh, err_info);
+ if (*err == 0)
+ *err = WTAP_ERR_SHORT_READ;
+ return FALSE;
+ }
+
+ vpi = g_ntohs(atm_phdr.vpi);
+ vci = g_ntohs(atm_phdr.vci);
+
+ pseudo_header->atm.vpi = vpi;
+ pseudo_header->atm.vci = vci;
+
+ /* We don't have this information */
+ pseudo_header->atm.flags = 0;
+ pseudo_header->atm.channel = 0;
+ pseudo_header->atm.cells = 0;
+ pseudo_header->atm.aal5t_u2u = 0;
+ pseudo_header->atm.aal5t_len = 0;
+ pseudo_header->atm.aal5t_chksum = 0;
+
+ return TRUE;
+}
+
+static gboolean
+netmon_read_rec_data(FILE_T fh, guchar *pd, int length, int *err,
+ gchar **err_info)
+{
+ int bytes_read;
+
+ errno = WTAP_ERR_CANT_READ;
+ bytes_read = file_read(pd, length, fh);
+
+ if (bytes_read != length) {
+ *err = file_error(fh, err_info);
+ if (*err == 0)
+ *err = WTAP_ERR_SHORT_READ;
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/*
+ * Read a record trailer.
+ * On success, returns the packet encapsulation type.
+ * On error, returns -1 (which is WTAP_ENCAP_PER_PACKET, but we'd
+ * never return that on success).
+ * For metadata packets, returns 0 (which is WTAP_ENCAP_UNKNOWN, but
+ * we'd never return that on success).
+ */
+static int
+netmon_read_rec_trailer(FILE_T fh, int trlr_size, int *err, gchar **err_info)
+{
+ int bytes_read;
+ union {
+ struct netmonrec_2_1_trlr trlr_2_1;
+ struct netmonrec_2_2_trlr trlr_2_2;
+ struct netmonrec_2_3_trlr trlr_2_3;
+ } trlr;
+ guint16 network;
+ int pkt_encap;
+
+ errno = WTAP_ERR_CANT_READ;
+ bytes_read = file_read(&trlr, trlr_size, fh);
+ if (bytes_read != trlr_size) {
+ *err = file_error(fh, err_info);
+ if (*err == 0 && bytes_read != 0) {
+ *err = WTAP_ERR_SHORT_READ;
+ }
+ return -1; /* error */
+ }
+
+ network = pletohs(trlr.trlr_2_1.network);
+ if ((network & 0xF000) == NETMON_NET_PCAP_BASE) {
+ /*
+ * Converted pcap file - the LINKTYPE_ value
+ * is the network value with 0xF000 masked off.
+ */
+ network &= 0x0FFF;
+ pkt_encap = wtap_pcap_encap_to_wtap_encap(network);
+ if (pkt_encap == WTAP_ENCAP_UNKNOWN) {
+ *err = WTAP_ERR_UNSUPPORTED_ENCAP;
+ *err_info = g_strdup_printf("netmon: converted pcap network type %u unknown or unsupported",
+ network);
+ return -1; /* error */
+ }
+ } else if (network < NUM_NETMON_ENCAPS) {
+ /*
+ * Regular NetMon encapsulation.
+ */
+ pkt_encap = netmon_encap[network];
+ if (pkt_encap == WTAP_ENCAP_UNKNOWN) {
+ *err = WTAP_ERR_UNSUPPORTED_ENCAP;
+ *err_info = g_strdup_printf("netmon: network type %u unknown or unsupported",
+ network);
+ return -1; /* error */
+ }
+ } else {
+ /*
+ * Special packet type for metadata.
+ */
+ switch (network) {
+
+ case NETMON_NET_NETEVENT:
+ case NETMON_NET_NETWORK_INFO_EX:
+ case NETMON_NET_PAYLOAD_HEADER:
+ case NETMON_NET_NETWORK_INFO:
+ case NETMON_NET_DNS_CACHE:
+ case NETMON_NET_NETMON_FILTER:
+ /*
+ * Just ignore those record types, for
+ * now. Tell our caller to read the next
+ * record.
+ */
+ return 0;
+
+ default:
+ *err = WTAP_ERR_UNSUPPORTED_ENCAP;
+ *err_info = g_strdup_printf("netmon: network type %u unknown or unsupported",
+ network);
+ return -1; /* error */
+ }
+ }
+
+ return pkt_encap; /* success */
+}
+
+/* Throw away the frame table used by the sequential I/O stream. */
+static void
+netmon_sequential_close(wtap *wth)
+{
+ netmon_t *netmon = (netmon_t *)wth->priv;
+
+ if (netmon->frame_table != NULL) {
+ g_free(netmon->frame_table);
+ netmon->frame_table = NULL;
+ }
+}
+
+typedef struct {
+ gboolean got_first_record_time;
+ struct wtap_nstime first_record_time;
+ guint32 frame_table_offset;
+ guint32 *frame_table;
+ guint frame_table_index;
+ guint frame_table_size;
+} netmon_dump_t;
+
static const int wtap_encap[] = {
-1, /* WTAP_ENCAP_UNKNOWN -> unsupported */
1, /* WTAP_ENCAP_ETHERNET -> NDIS Ethernet */
- 2, /* WTAP_ENCAP_TR -> NDIS Token Ring */
+ 2, /* WTAP_ENCAP_TOKEN_RING -> NDIS Token Ring */
-1, /* WTAP_ENCAP_SLIP -> unsupported */
-1, /* WTAP_ENCAP_PPP -> unsupported */
3, /* WTAP_ENCAP_FDDI -> NDIS FDDI */
-1, /* WTAP_ENCAP_ATM_RFC1483 -> unsupported */
-1, /* WTAP_ENCAP_LINUX_ATM_CLIP -> unsupported */
-1, /* WTAP_ENCAP_LAPB -> unsupported*/
- -1, /* WTAP_ENCAP_ATM_SNIFFER -> unsupported */
+ 4, /* WTAP_ENCAP_ATM_PDUS -> NDIS WAN (*NOT* ATM!) */
-1 /* WTAP_ENCAP_NULL -> unsupported */
};
#define NUM_WTAP_ENCAPS (sizeof wtap_encap / sizeof wtap_encap[0])
/* Returns 0 if we could write the specified encapsulation type,
an error indication otherwise. */
-int netmon_dump_can_write_encap(int filetype, int encap)
+int netmon_dump_can_write_encap(int encap)
{
/* Per-packet encapsulations aren't supported. */
if (encap == WTAP_ENCAP_PER_PACKET)
return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
- if (encap < 0 || encap >= NUM_WTAP_ENCAPS || wtap_encap[encap] == -1)
+ if (encap < 0 || (unsigned) encap >= NUM_WTAP_ENCAPS || wtap_encap[encap] == -1)
return WTAP_ERR_UNSUPPORTED_ENCAP;
return 0;
failure */
gboolean netmon_dump_open(wtap_dumper *wdh, int *err)
{
- /* This is a netmon file */
- wdh->subtype_write = netmon_dump;
- wdh->subtype_close = netmon_dump_close;
+ netmon_dump_t *netmon;
/* We can't fill in all the fields in the file header, as we
haven't yet written any packets. As we'll have to rewrite
the header when we've written out all the packets, we just
skip over the header for now. */
- fseek(wdh->fh, CAPTUREFILE_HEADER_SIZE, SEEK_SET);
+ if (fseek(wdh->fh, CAPTUREFILE_HEADER_SIZE, SEEK_SET) == -1) {
+ *err = errno;
+ return FALSE;
+ }
- wdh->private.netmon = g_malloc(sizeof(netmon_dump_t));
- wdh->private.netmon->frame_table_offset = CAPTUREFILE_HEADER_SIZE;
- wdh->private.netmon->got_first_record_time = FALSE;
- wdh->private.netmon->frame_table = NULL;
- wdh->private.netmon->frame_table_index = 0;
- wdh->private.netmon->frame_table_size = 0;
+ wdh->subtype_write = netmon_dump;
+ wdh->subtype_close = netmon_dump_close;
+
+ netmon = (netmon_dump_t *)g_malloc(sizeof(netmon_dump_t));
+ wdh->priv = (void *)netmon;
+ netmon->frame_table_offset = CAPTUREFILE_HEADER_SIZE;
+ netmon->got_first_record_time = FALSE;
+ netmon->frame_table = NULL;
+ netmon->frame_table_index = 0;
+ netmon->frame_table_size = 0;
return TRUE;
}
/* Write a record for a packet to a dump file.
Returns TRUE on success, FALSE on failure. */
static gboolean netmon_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
- const u_char *pd, int *err)
+ const union wtap_pseudo_header *pseudo_header, const guchar *pd, int *err)
{
- netmon_dump_t *priv = wdh->private.netmon;
+ netmon_dump_t *netmon = (netmon_dump_t *)wdh->priv;
struct netmonrec_1_x_hdr rec_1_x_hdr;
struct netmonrec_2_x_hdr rec_2_x_hdr;
char *hdrp;
- int hdr_size;
- int nwritten;
+ size_t hdr_size;
+ double t;
+ guint32 time_low, time_high;
+ struct netmon_atm_hdr atm_hdr;
+ int atm_hdrsize;
/* NetMon files have a capture start time in the file header,
and have times relative to that in the packet headers;
pick the time of the first packet as the capture start
time. */
- if (!priv->got_first_record_time) {
- priv->first_record_time = phdr->ts;
- priv->got_first_record_time = TRUE;
+ if (!netmon->got_first_record_time) {
+ netmon->first_record_time = phdr->ts;
+ netmon->got_first_record_time = TRUE;
}
-
+
+ if (wdh->encap == WTAP_ENCAP_ATM_PDUS)
+ atm_hdrsize = sizeof (struct netmon_atm_hdr);
+ else
+ atm_hdrsize = 0;
switch (wdh->file_type) {
case WTAP_FILE_NETMON_1_x:
rec_1_x_hdr.ts_delta = htolel(
- (phdr->ts.tv_sec - priv->first_record_time.tv_sec)*1000
- + (phdr->ts.tv_usec - priv->first_record_time.tv_usec + 500)/1000);
- rec_1_x_hdr.orig_len = htoles(phdr->len);
- rec_1_x_hdr.incl_len = htoles(phdr->caplen);
+ (phdr->ts.secs - netmon->first_record_time.secs)*1000
+ + (phdr->ts.nsecs - netmon->first_record_time.nsecs + 500000)/1000000);
+ rec_1_x_hdr.orig_len = htoles(phdr->len + atm_hdrsize);
+ rec_1_x_hdr.incl_len = htoles(phdr->caplen + atm_hdrsize);
hdrp = (char *)&rec_1_x_hdr;
hdr_size = sizeof rec_1_x_hdr;
break;
case WTAP_FILE_NETMON_2_x:
- /* XXX - fill in 64-bit time diff in microseconds */
- rec_2_x_hdr.orig_len = htolel(phdr->len);
- rec_2_x_hdr.incl_len = htolel(phdr->caplen);
+ /*
+ * Unfortunately, not all the platforms on which we run
+ * support 64-bit integral types, even though most do
+ * (even on 32-bit processors), so we do it in floating
+ * point.
+ */
+ t = (phdr->ts.secs - netmon->first_record_time.secs)*1000000.0
+ + (phdr->ts.nsecs - netmon->first_record_time.nsecs) / 1000;
+ time_high = (guint32) (t/4294967296.0);
+ time_low = (guint32) (t - (time_high*4294967296.0));
+ rec_2_x_hdr.ts_delta_lo = htolel(time_low);
+ rec_2_x_hdr.ts_delta_hi = htolel(time_high);
+ rec_2_x_hdr.orig_len = htolel(phdr->len + atm_hdrsize);
+ rec_2_x_hdr.incl_len = htolel(phdr->caplen + atm_hdrsize);
hdrp = (char *)&rec_2_x_hdr;
hdr_size = sizeof rec_2_x_hdr;
break;
return FALSE;
}
- nwritten = fwrite(hdrp, 1, hdr_size, wdh->fh);
- if (nwritten != hdr_size) {
- if (nwritten < 0)
- *err = errno;
- else
- *err = WTAP_ERR_SHORT_WRITE;
+ if (!wtap_dump_file_write(wdh, hdrp, hdr_size, err))
return FALSE;
+
+ if (wdh->encap == WTAP_ENCAP_ATM_PDUS) {
+ /*
+ * Write the ATM header.
+ * We supply all-zero destination and source addresses.
+ */
+ memset(&atm_hdr.dest, 0, sizeof atm_hdr.dest);
+ memset(&atm_hdr.src, 0, sizeof atm_hdr.src);
+ atm_hdr.vpi = g_htons(pseudo_header->atm.vpi);
+ atm_hdr.vci = g_htons(pseudo_header->atm.vci);
+ if (!wtap_dump_file_write(wdh, &atm_hdr, sizeof atm_hdr, err))
+ return FALSE;
}
- nwritten = fwrite(pd, 1, phdr->caplen, wdh->fh);
- if (nwritten != phdr->caplen) {
- if (nwritten < 0)
- *err = errno;
- else
- *err = WTAP_ERR_SHORT_WRITE;
+
+ if (!wtap_dump_file_write(wdh, pd, phdr->caplen, err))
return FALSE;
- }
/*
* Stash the file offset of this frame.
*/
- if (priv->frame_table_size == 0) {
+ if (netmon->frame_table_size == 0) {
/*
* Haven't yet allocated the buffer for the frame table.
*/
- priv->frame_table = g_malloc(1024 * sizeof *priv->frame_table);
- priv->frame_table_size = 1024;
+ netmon->frame_table = g_malloc(1024 * sizeof *netmon->frame_table);
+ netmon->frame_table_size = 1024;
} else {
/*
* We've allocated it; are we at the end?
*/
- if (priv->frame_table_index >= priv->frame_table_size) {
+ if (netmon->frame_table_index >= netmon->frame_table_size) {
/*
* Yes - double the size of the frame table.
*/
- priv->frame_table_size *= 2;
- priv->frame_table = g_realloc(priv->frame_table,
- priv->frame_table_size * sizeof *priv->frame_table);
+ netmon->frame_table_size *= 2;
+ netmon->frame_table = g_realloc(netmon->frame_table,
+ netmon->frame_table_size * sizeof *netmon->frame_table);
}
}
- priv->frame_table[priv->frame_table_index] =
- htolel(priv->frame_table_offset);
- priv->frame_table_index++;
- priv->frame_table_offset += hdr_size + phdr->caplen;
+ netmon->frame_table[netmon->frame_table_index] =
+ htolel(netmon->frame_table_offset);
+ netmon->frame_table_index++;
+ netmon->frame_table_offset += (int) hdr_size + phdr->caplen + atm_hdrsize;
return TRUE;
}
Returns TRUE on success, FALSE on failure. */
static gboolean netmon_dump_close(wtap_dumper *wdh, int *err)
{
- netmon_dump_t *priv = wdh->private.netmon;
- int n_to_write;
- int nwritten;
+ netmon_dump_t *netmon = (netmon_dump_t *)wdh->priv;
+ size_t n_to_write;
struct netmon_hdr file_hdr;
const char *magicp;
- int magic_size;
+ size_t magic_size;
struct tm *tm;
- /* Write out the frame table. "priv->frame_table_index" is
+ /* Write out the frame table. "netmon->frame_table_index" is
the number of entries we've put into it. */
- n_to_write = priv->frame_table_index * sizeof *priv->frame_table;
- nwritten = fwrite(priv->frame_table, 1, n_to_write, wdh->fh);
- if (nwritten != n_to_write) {
- if (nwritten < 0)
- *err = errno;
- else
- *err = WTAP_ERR_SHORT_WRITE;
+ n_to_write = netmon->frame_table_index * sizeof *netmon->frame_table;
+ if (!wtap_dump_file_write(wdh, netmon->frame_table, n_to_write, err))
return FALSE;
- }
/* Now go fix up the file header. */
fseek(wdh->fh, 0, SEEK_SET);
case WTAP_FILE_NETMON_1_x:
magicp = netmon_1_x_magic;
magic_size = sizeof netmon_1_x_magic;
- /* current NetMon version, for 1.x, is 1.1 */
- file_hdr.ver_minor = 1;
+ /* NetMon file version, for 1.x, is 1.1 */
file_hdr.ver_major = 1;
+ file_hdr.ver_minor = 1;
break;
case WTAP_FILE_NETMON_2_x:
magicp = netmon_2_x_magic;
magic_size = sizeof netmon_2_x_magic;
- /* XXX - fill in V2 stuff. */
+ /*
+ * NetMon file version, for 2.x, is 2.0;
+ * for 3.0, it's 2.1.
+ */
+ file_hdr.ver_major = 2;
+ file_hdr.ver_minor = 0;
break;
default:
/* We should never get here - our open routine
should only get called for the types above. */
- *err = WTAP_ERR_UNSUPPORTED_FILE_TYPE;
+ if (err != NULL)
+ *err = WTAP_ERR_UNSUPPORTED_FILE_TYPE;
return FALSE;
}
- nwritten = fwrite(magicp, 1, magic_size, wdh->fh);
- if (nwritten != magic_size) {
- if (nwritten < 0)
- *err = errno;
- else
- *err = WTAP_ERR_SHORT_WRITE;
+ if (!wtap_dump_file_write(wdh, magicp, magic_size, err))
return FALSE;
- }
file_hdr.network = htoles(wtap_encap[wdh->encap]);
- tm = localtime(&priv->first_record_time.tv_sec);
- file_hdr.ts_year = htoles(1900 + tm->tm_year);
- file_hdr.ts_month = htoles(tm->tm_mon + 1);
- file_hdr.ts_dow = htoles(tm->tm_wday);
- file_hdr.ts_day = htoles(tm->tm_mday);
- file_hdr.ts_hour = htoles(tm->tm_hour);
- file_hdr.ts_min = htoles(tm->tm_min);
- file_hdr.ts_sec = htoles(tm->tm_sec);
- file_hdr.ts_msec = htoles(priv->first_record_time.tv_usec/1000);
+ tm = localtime(&netmon->first_record_time.secs);
+ if (tm != NULL) {
+ file_hdr.ts_year = htoles(1900 + tm->tm_year);
+ file_hdr.ts_month = htoles(tm->tm_mon + 1);
+ file_hdr.ts_dow = htoles(tm->tm_wday);
+ file_hdr.ts_day = htoles(tm->tm_mday);
+ file_hdr.ts_hour = htoles(tm->tm_hour);
+ file_hdr.ts_min = htoles(tm->tm_min);
+ file_hdr.ts_sec = htoles(tm->tm_sec);
+ } else {
+ file_hdr.ts_year = htoles(1900 + 0);
+ file_hdr.ts_month = htoles(0 + 1);
+ file_hdr.ts_dow = htoles(0);
+ file_hdr.ts_day = htoles(0);
+ file_hdr.ts_hour = htoles(0);
+ file_hdr.ts_min = htoles(0);
+ file_hdr.ts_sec = htoles(0);
+ }
+ file_hdr.ts_msec = htoles(netmon->first_record_time.nsecs/1000000);
/* XXX - what about rounding? */
- file_hdr.frametableoffset = htolel(priv->frame_table_offset);
+ file_hdr.frametableoffset = htolel(netmon->frame_table_offset);
file_hdr.frametablelength =
- htolel(priv->frame_table_index * sizeof *priv->frame_table);
- nwritten = fwrite(&file_hdr, 1, sizeof file_hdr, wdh->fh);
- if (nwritten != sizeof file_hdr) {
- if (nwritten < 0)
- *err = errno;
- else
- *err = WTAP_ERR_SHORT_WRITE;
+ htolel(netmon->frame_table_index * sizeof *netmon->frame_table);
+ if (!wtap_dump_file_write(wdh, &file_hdr, sizeof file_hdr, err))
return FALSE;
- }
return TRUE;
}
git.samba.org / obnox / wireshark / wip.git / blobdiff