3 * $Id: lanalyzer.c,v 1.32 2002/05/23 06:34:10 guy Exp $
6 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 #include "file_wrappers.h"
31 #include "lanalyzer.h"
33 /* The LANalyzer format is documented (at least in part) in Novell document
34 TID022037, which can be found at, among other places:
36 http://secinf.net/info/nw/lan/trace.txt
40 #define REC_TRACE_HEADER 0x1001
41 #define REC_CYCLIC_TRACE_HEADER 0x1007
42 #define REC_TRACE_SUMMARY 0x1002
43 #define REC_TRACE_PACKET_DATA 0x1005
45 /* LANalyzer board types (which indicate the type of network on which
46 the capture was done). */
47 #define BOARD_325 226 /* LANalyzer 325 (Ethernet) */
48 #define BOARD_325TR 227 /* LANalyzer 325TR (Token-ring) */
50 static gboolean lanalyzer_read(wtap *wth, int *err, long *data_offset);
51 static void lanalyzer_close(wtap *wth);
/*
 * lanalyzer_open: decide whether wth->fh holds a LANalyzer trace and, if so,
 * leave it positioned at the first Trace Packet Data record.
 *
 * On failure *err is set from file_error() or to a WTAP_ERR_* code; the
 * return statements themselves are not part of this excerpt.
 *
 * Ownership: wth->capture.lanalyzer is g_malloc()ed once the signature check
 * passes, and every later error path g_free()s it before leaving; on the
 * success path it is released by lanalyzer_close().
 *
 * Trust boundary: record_type, record_length and everything decoded from
 * summary[] are read from the file and are untrusted input.
 */
53 int lanalyzer_open(wtap *wth, int *err)
56 char LE_record_type[2];
57 char LE_record_length[2];
59 guint16 board_type, mxslc;
60 guint16 record_type, record_length;
61 guint8 cr_day, cr_month, cr_year;
/* Record header: 2-byte type followed by 2-byte length, both little-endian.
 * Anything other than exactly 4 bytes means "not this format" or a
 * truncated file; the error reported is whatever file_error() returns. */
64 errno = WTAP_ERR_CANT_READ;
65 bytes_read = file_read(LE_record_type, 1, 2, wth->fh);
66 bytes_read += file_read(LE_record_length, 1, 2, wth->fh);
67 if (bytes_read != 4) {
68 *err = file_error(wth->fh);
73 wth->data_offset += 4;
74 record_type = pletohs(LE_record_type);
75 record_length = pletohs(LE_record_length); /* make sure to do this for while() loop */
/* Only a trace header or a cyclic trace header may begin the file; any
 * other leading record type means this is not a LANalyzer capture. */
77 if (record_type != REC_TRACE_HEADER && record_type != REC_CYCLIC_TRACE_HEADER) {
81 /* If we made it this far, then the file is a LANAlyzer file.
82 * Let's get some info from it. Note that we get wth->snapshot_length
83 * from a record later in the file. */
84 wth->file_type = WTAP_FILE_LANALYZER;
/* Per-file state.  Every error path below g_free()s this before leaving. */
85 wth->capture.lanalyzer = g_malloc(sizeof(lanalyzer_t));
86 wth->subtype_read = lanalyzer_read;
87 wth->subtype_seek_read = wtap_def_seek_read;
88 wth->subtype_close = lanalyzer_close;
89 wth->snapshot_length = 0;
91 /* Read records until we find the start of packets */
/* Skip the body of the record whose header was just parsed.  record_length
 * is a file-supplied 16-bit value, so the seek distance is bounded to
 * 65535 bytes but is not otherwise validated against the file here. */
93 if (file_seek(wth->fh, record_length, SEEK_CUR) == -1) {
94 *err = file_error(wth->fh);
95 g_free(wth->capture.lanalyzer);
98 wth->data_offset += record_length;
/* Next record header, same 2+2 byte layout as the first one. */
99 errno = WTAP_ERR_CANT_READ;
100 bytes_read = file_read(LE_record_type, 1, 2, wth->fh);
101 bytes_read += file_read(LE_record_length, 1, 2, wth->fh);
102 if (bytes_read != 4) {
103 *err = file_error(wth->fh);
105 g_free(wth->capture.lanalyzer);
108 g_free(wth->capture.lanalyzer);
111 wth->data_offset += 4;
113 record_type = pletohs(LE_record_type);
114 record_length = pletohs(LE_record_length);
116 /*g_message("Record 0x%04X Length %d", record_type, record_length);*/
117 switch (record_type) {
118 /* Trace Summary Record */
119 case REC_TRACE_SUMMARY:
/* The summary is read in full (sizeof summary) and fixed offsets up to 189
 * are decoded from it below, so summary[] must be at least 190 bytes.
 * NOTE(review): summary[] is declared outside this excerpt -- confirm. */
120 errno = WTAP_ERR_CANT_READ;
121 bytes_read = file_read(summary, 1, sizeof summary,
123 if (bytes_read != sizeof summary) {
124 *err = file_error(wth->fh);
126 g_free(wth->capture.lanalyzer);
129 g_free(wth->capture.lanalyzer);
132 wth->data_offset += sizeof summary;
134 /* Assume that the date of the creation of the trace file
135 * is the same date of the trace. Lanalyzer doesn't
136 * store the creation date/time of the trace, but only of
137 * the file. Unless you traced at 11:55 PM and saved at 00:05
138 * AM, the assumption that trace.date == file.date is true.
141 cr_month = summary[1];
142 cr_year = pletohs(&summary[2]);
143 /*g_message("Day %d Month %d Year %d (%04X)", cr_day, cr_month,
146 /* Get capture start time. I learned how to do
147 * this from Guy's code in ngsniffer.c
149 /* this strange year offset is not in the
150 * lanalyzer file format documentation, but it
152 tm.tm_year = cr_year - (1900 - 1792);
153 tm.tm_mon = cr_month - 1;
159 wth->capture.lanalyzer->start = mktime(&tm);
160 /*g_message("Day %d Month %d Year %d", tm.tm_mday,
161 tm.tm_mon, tm.tm_year);*/
/* The 16-bit value at summary offset 30 (mxslc) becomes the per-file
 * snapshot length. */
162 mxslc = pletohs(&summary[30]);
163 wth->snapshot_length = mxslc;
/* The summary body has been consumed above, so zero the length to make
 * the skip at the top of the next loop iteration a no-op. */
165 record_length = 0; /* to fake the next iteration of while() */
/* Summary offset 188 holds the board type, which selects the link-layer
 * encapsulation; an unrecognised board is rejected with
 * WTAP_ERR_UNSUPPORTED rather than guessed. */
166 board_type = pletohs(&summary[188]);
167 switch (board_type) {
169 wth->file_encap = WTAP_ENCAP_ETHERNET;
172 wth->file_encap = WTAP_ENCAP_TOKEN_RING;
175 g_message("lanalyzer: board type %u unknown",
177 g_free(wth->capture.lanalyzer);
178 *err = WTAP_ERR_UNSUPPORTED;
183 /* Trace Packet Data Record */
184 case REC_TRACE_PACKET_DATA:
185 /* Go back the header's number of bytes so that lanalyzer_read
186 * can read this header */
187 if (file_seek(wth->fh, -bytes_read, SEEK_CUR) == -1) {
188 *err = file_error(wth->fh);
189 g_free(wth->capture.lanalyzer);
192 wth->data_offset -= bytes_read;
201 #define DESCRIPTOR_LEN 32
203 /* Read the next packet */
/*
 * lanalyzer_read: read the next Trace Packet Data record into
 * wth->frame_buffer and fill in wth->phdr.
 *
 * Record layout as consumed here: 2-byte type, 2-byte length (both
 * little-endian), a DESCRIPTOR_LEN-byte descriptor, then
 * record_length - DESCRIPTOR_LEN bytes of packet data.
 *
 * *data_offset receives the file offset of the first packet byte.  On error
 * *err is set; a clean end of file at the first read leaves *err == 0.
 * The return statements are not part of this excerpt.
 */
204 static gboolean lanalyzer_read(wtap *wth, int *err, long *data_offset)
208 char LE_record_type[2];
209 char LE_record_length[2];
210 guint16 record_type, record_length;
211 gchar descriptor[DESCRIPTOR_LEN];
212 guint16 time_low, time_med, time_high, true_size;
215 /* read the record type and length. */
216 errno = WTAP_ERR_CANT_READ;
217 bytes_read = file_read(LE_record_type, 1, 2, wth->fh);
218 if (bytes_read != 2) {
219 *err = file_error(wth->fh);
/* Zero bytes with no I/O error is end of file, not an error; a partial
 * record type is reported as a short read. */
220 if (*err == 0 && bytes_read != 0) {
221 *err = WTAP_ERR_SHORT_READ;
225 wth->data_offset += 2;
226 bytes_read = file_read(LE_record_length, 1, 2, wth->fh);
227 if (bytes_read != 2) {
228 *err = file_error(wth->fh);
230 *err = WTAP_ERR_SHORT_READ;
233 wth->data_offset += 2;
235 record_type = pletohs(LE_record_type);
236 record_length = pletohs(LE_record_length);
238 /* Only Trace Packet Data Records should occur now that we're in
239 * the middle of reading packets. If any other record type exists
240 * after a Trace Packet Data Record, mark it as an error. */
241 if (record_type != REC_TRACE_PACKET_DATA) {
242 g_message("lanalyzer: record type %u seen after trace summary record",
244 *err = WTAP_ERR_BAD_RECORD;
/* record_length is an untrusted 16-bit value from the file.  No check that
 * record_length >= DESCRIPTOR_LEN is visible before this subtraction, so a
 * value below 32 would make packet_size wrap or go negative, and that value
 * is then handed to buffer_assure_space() and file_read() below.
 * NOTE(review): confirm such a lower-bound check exists in the lines not
 * shown here; otherwise reject the record with WTAP_ERR_BAD_RECORD before
 * this point.  packet_size is declared outside this excerpt, so its
 * signedness is not known from here. */
248 packet_size = record_length - DESCRIPTOR_LEN;
251 /* Read the descriptor data */
252 errno = WTAP_ERR_CANT_READ;
253 bytes_read = file_read(descriptor, 1, DESCRIPTOR_LEN, wth->fh);
254 if (bytes_read != DESCRIPTOR_LEN) {
255 *err = file_error(wth->fh);
257 *err = WTAP_ERR_SHORT_READ;
260 wth->data_offset += DESCRIPTOR_LEN;
262 /* Read the packet data */
/* The frame buffer is grown to packet_size before the read, and
 * *data_offset is recorded as the offset of the first packet byte. */
263 buffer_assure_space(wth->frame_buffer, packet_size);
264 *data_offset = wth->data_offset;
265 errno = WTAP_ERR_CANT_READ;
266 bytes_read = file_read(buffer_start_ptr(wth->frame_buffer), 1,
267 packet_size, wth->fh);
269 if (bytes_read != packet_size) {
270 *err = file_error(wth->fh);
272 *err = WTAP_ERR_SHORT_READ;
275 wth->data_offset += packet_size;
/* Descriptor fields used: offset 4 = true_size (feeds phdr.len below),
 * offsets 8/10/12 = low/middle/high 16-bit words of a 48-bit tick count.
 * All are little-endian and untrusted. */
277 true_size = pletohs(&descriptor[4]);
278 time_low = pletohs(&descriptor[8]);
279 time_med = pletohs(&descriptor[10]);
280 time_high = pletohs(&descriptor[12]);
/* Assemble the 48-bit tick count in a double, scale each tick to 0.5 us
 * (divide by 1e6, then halve), and add the capture start time recorded
 * by lanalyzer_open. */
282 t = (double)time_low+(double)(time_med)*65536.0 +
283 (double)time_high*4294967296.0;
284 t = t/1000000.0 * 0.5; /* t = # of secs */
285 t += wth->capture.lanalyzer->start;
/* Split into whole seconds and the fractional part; the tv_usec expression
 * is completed on a line not shown here. */
287 wth->phdr.ts.tv_sec = (long)t;
288 wth->phdr.ts.tv_usec = (unsigned long)((t-(double)(wth->phdr.ts.tv_sec))
/* len is true_size less 4 bytes (the 4 is not explained here); caplen is
 * what was actually read.  NOTE(review): true_size is untrusted and a value
 * below 4 would wrap -- confirm it is validated. */
291 wth->phdr.len = true_size - 4;
292 wth->phdr.caplen = packet_size;
293 wth->phdr.pkt_encap = wth->file_encap;
/* lanalyzer_close: release the per-file state allocated in lanalyzer_open().
 * The only resource owned by this module is wth->capture.lanalyzer. */
299 lanalyzer_close(wtap *wth)
301 g_free(wth->capture.lanalyzer);