wiretap/network_instruments.c

   1 /*
   2  * $Id$
   3  */
   4
   5 /***************************************************************************
   6                           network_instruments.c  -  description
   7                              -------------------
   8     begin                : Wed Oct 29 2003
   9     copyright            : (C) 2003 by root
  10     email                : scotte[AT}netinst.com
  11  ***************************************************************************/
  12
  13 /***************************************************************************
  14  *                                                                         *
  15  *   This program is free software; you can redistribute it and/or modify  *
  16  *   it under the terms of the GNU General Public License as published by  *
  17  *   the Free Software Foundation; either version 2 of the License, or     *
  18  *   (at your option) any later version.                                   *
  19  *                                                                         *
  20  ***************************************************************************/
  21
  22 #ifdef HAVE_CONFIG_H
  23 #include "config.h"
  24 #endif
  25
  26 #include <stdlib.h>
  27 #include <errno.h>
  28 #include <string.h>
  29 #include "wtap-int.h"
  30 #include "file_wrappers.h"
  31 #include "buffer.h"
  32 #include "network_instruments.h"
  33
  34 static const char network_instruments_magic[] = {"ObserverPktBufferVersion=15.00"};
  35 static const int true_magic_length = 17;
  36
  37 static const guint32 observer_packet_magic = 0x88888888;
  38
  39 /*
  40  * This structure is used to keep state when writing files. An instance is
  41  * allocated for each file, and its address is stored in the wtap_dumper.priv
  42  * pointer field.
  43  */
  44 typedef struct {
  45     guint64 packet_count;
  46     guint8  network_type;
  47     guint32 time_format;
  48 } observer_dump_private_state;
  49
  50 /*
  51  * Some time offsets are calculated in advance here, when the first Observer
  52  * file is opened for reading or writing, and are then used to adjust frame
  53  * timestamps as they are read or written.
  54  *
  55  * The Wiretap API expects timestamps in nanoseconds relative to
  56  * January 1, 1970, 00:00:00 GMT (the Wiretap epoch).
  57  *
  58  * Observer versions before 13.10 encode frame timestamps in nanoseconds
  59  * relative to January 1, 2000, 00:00:00 local time (the Observer epoch).
  60  * Versions 13.10 and later switch over to GMT encoding. Which encoding was used
  61  * when saving the file is identified via the time format TLV following
  62  * the file header.
  63  *
  64  * Unfortunately, even though Observer versions before 13.10 saved in local
  65  * time, they didn't include the timezone from which the frames were captured,
  66  * so converting to GMT correctly from all timezones is impossible. So an
  67  * assumption is made that the file is being read from within the same timezone
  68  * that it was written.
  69  *
  70  * All code herein is normalized to versions 13.10 and later, special casing for
  71  * versions earlier. In other words, timestamps are worked with as if
  72  * they are GMT-encoded, and adjustments from local time are made only if
  73  * the source file warrants it.
  74  *
  75  * All destination files are saved in GMT format.
  76  */
  77 static const time_t ansi_to_observer_epoch_offset = 946684800;
  78 static time_t gmt_to_localtime_offset = (time_t) -1;
  79
  80 static void init_gmt_to_localtime_offset(void)
  81 {
  82     if (gmt_to_localtime_offset == (time_t) -1) {
  83         time_t ansi_epoch_plus_one_day = 86400;
  84         struct tm gmt_tm;
  85         struct tm local_tm;
  86
  87         /*
  88          * Compute the local time zone offset as the number of seconds west
  89          * of GMT. There's no obvious cross-platform API for querying this
  90          * directly. As a workaround, GMT and local tm structures are populated
  91          * relative to the ANSI time_t epoch (plus one day to ensure that
  92          * local time stays after 1970/1/1 00:00:00). They are then converted
  93          * back to time_t as if they were both local times, resulting in the
  94          * time zone offset being the difference between them.
  95          */
  96         gmt_tm = *gmtime(&ansi_epoch_plus_one_day);
  97         local_tm = *localtime(&ansi_epoch_plus_one_day);
  98         local_tm.tm_isdst = 0;
  99         gmt_to_localtime_offset = mktime(&gmt_tm) - mktime(&local_tm);
 100     }
 101 }
 102
 103 static gboolean observer_read(wtap *wth, int *err, gchar **err_info,
 104     gint64 *data_offset);
 105 static gboolean observer_seek_read(wtap *wth, gint64 seek_off,
 106     union wtap_pseudo_header *pseudo_header, guint8 *pd, int length,
 107     int *err, gchar **err_info);
 108 static int read_packet_header(FILE_T fh, union wtap_pseudo_header *pseudo_header,
 109         packet_entry_header *packet_header, int *err, gchar **err_info);
 110 static int read_packet_data(FILE_T fh, int offset_to_frame, int current_offset_from_packet_header,
 111     guint8 *pd, int length, int *err, char **err_info);
 112 static gboolean skip_to_next_packet(wtap *wth, int offset_to_next_packet,
 113     int current_offset_from_packet_header, int *err, char **err_info);
 114 static gboolean observer_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
 115     const union wtap_pseudo_header *pseudo_header, const guint8 *pd, int *err);
 116 static gint observer_to_wtap_encap(int observer_encap);
 117 static gint wtap_to_observer_encap(int wtap_encap);
 118
 119 int network_instruments_open(wtap *wth, int *err, gchar **err_info)
 120 {
 121     int bytes_read;
 122     int offset;
 123     capture_file_header file_header;
 124     guint i;
 125     tlv_header tlvh;
 126     int seek_increment;
 127     int header_offset;
 128     packet_entry_header packet_header;
 129     observer_dump_private_state * private_state = NULL;
 130
 131     errno = WTAP_ERR_CANT_READ;
 132     offset = 0;
 133
 134     /* read in the buffer file header */
 135     bytes_read = file_read(&file_header, sizeof file_header, wth->fh);
 136     if (bytes_read != sizeof file_header) {
 137         *err = file_error(wth->fh, err_info);
 138         if (*err != 0)
 139             return -1;
 140         return 0;
 141     }
 142     offset += bytes_read;
 143     CAPTURE_FILE_HEADER_FROM_LE_IN_PLACE(file_header);
 144
 145     /* check if version info is present */
 146     if (memcmp(file_header.observer_version, network_instruments_magic, true_magic_length)!=0) {
 147         return 0;
 148     }
 149
 150     /* initialize the private state */
 151     private_state = (observer_dump_private_state *) g_malloc(sizeof(observer_dump_private_state));
 152     private_state->time_format = TIME_INFO_LOCAL;
 153     wth->priv = (void *) private_state;
 154
 155     /* get the location of the first packet */
 156     /* v15 and newer uses high byte offset, in previous versions it will be 0 */
 157     header_offset = file_header.offset_to_first_packet + ((int)(file_header.offset_to_first_packet_high_byte)<<16);
 158
 159     /* process extra information */
 160     for (i = 0; i < file_header.number_of_information_elements; i++) {
 161         /* for safety break if we've reached the first packet */
 162         if (offset >= header_offset)
 163             break;
 164
 165         /* read the TLV header */
 166         bytes_read = file_read(&tlvh, sizeof tlvh, wth->fh);
 167         if (bytes_read != sizeof tlvh) {
 168             *err = file_error(wth->fh, err_info);
 169             if (*err == 0)
 170                 *err = WTAP_ERR_SHORT_READ;
 171             return -1;
 172         }
 173         offset += bytes_read;
 174         TLV_HEADER_FROM_LE_IN_PLACE(tlvh);
 175
 176         if (tlvh.length < sizeof tlvh) {
 177             *err = WTAP_ERR_BAD_FILE;
 178             *err_info = g_strdup_printf("Observer: bad record (TLV length %u < %lu)",
 179                 tlvh.length, (unsigned long)sizeof tlvh);
 180             return -1;
 181         }
 182
 183         /* process (or skip over) the current TLV */
 184         switch (tlvh.type) {
 185         case INFORMATION_TYPE_TIME_INFO:
 186             bytes_read = file_read(&private_state->time_format, sizeof private_state->time_format, wth->fh);
 187             if (bytes_read != sizeof private_state->time_format) {
 188                 *err = file_error(wth->fh, err_info);
 189                 if(*err == 0)
 190                     *err = WTAP_ERR_SHORT_READ;
 191                 return -1;
 192             }
 193             private_state->time_format = GUINT32_FROM_LE(private_state->time_format);
 194             offset += bytes_read;
 195             break;
 196         default:
 197             seek_increment = tlvh.length - (int)sizeof tlvh;
 198             if (seek_increment > 0) {
 199                 if (file_seek(wth->fh, seek_increment, SEEK_CUR, err) == -1)
 200                     return -1;
 201             }
 202             offset += seek_increment;
 203         }
 204     }
 205
 206     /* get to the first packet */
 207     if (header_offset < offset) {
 208         *err = WTAP_ERR_BAD_FILE;
 209         *err_info = g_strdup_printf("Observer: bad record (offset to first packet %d < %d)",
 210             header_offset, offset);
 211         return FALSE;
 212     }
 213     seek_increment = header_offset - offset;
 214     if (seek_increment > 0) {
 215         if (file_seek(wth->fh, seek_increment, SEEK_CUR, err) == -1)
 216             return -1;
 217     }
 218
 219     /* pull off the packet header */
 220     bytes_read = file_read(&packet_header, sizeof packet_header, wth->fh);
 221     if (bytes_read != sizeof packet_header) {
 222         *err = file_error(wth->fh, err_info);
 223         if (*err != 0)
 224             return -1;
 225         return 0;
 226     }
 227     PACKET_ENTRY_HEADER_FROM_LE_IN_PLACE(packet_header);
 228
 229     /* check the packet's magic number */
 230     if (packet_header.packet_magic != observer_packet_magic) {
 231         *err = WTAP_ERR_UNSUPPORTED_ENCAP;
 232         *err_info = g_strdup_printf("Observer: unsupported packet version %ul", packet_header.packet_magic);
 233         return -1;
 234     }
 235
 236     /* check the data link type */
 237     if (observer_to_wtap_encap(packet_header.network_type) == WTAP_ENCAP_UNKNOWN) {
 238         *err = WTAP_ERR_UNSUPPORTED_ENCAP;
 239         *err_info = g_strdup_printf("Observer: network type %u unknown or unsupported", packet_header.network_type);
 240         return -1;
 241     }
 242     wth->file_encap = observer_to_wtap_encap(packet_header.network_type);
 243
 244     /* set up the rest of the capture parameters */
 245     private_state->packet_count = 0;
 246     private_state->network_type = wtap_to_observer_encap(wth->file_encap);
 247     wth->subtype_read = observer_read;
 248     wth->subtype_seek_read = observer_seek_read;
 249     wth->subtype_close = NULL;
 250     wth->subtype_sequential_close = NULL;
 251     wth->snapshot_length = 0;    /* not available in header */
 252     wth->tsprecision = WTAP_FILE_TSPREC_NSEC;
 253     wth->file_type = WTAP_FILE_NETWORK_INSTRUMENTS;
 254
 255     /* reset the pointer to the first packet */
 256     if (file_seek(wth->fh, header_offset, SEEK_SET,
 257         err) == -1)
 258         return -1;
 259     wth->data_offset = header_offset;
 260
 261     init_gmt_to_localtime_offset();
 262
 263     return 1;
 264 }
 265
 266 /* Reads the next packet. */
 267 static gboolean observer_read(wtap *wth, int *err, gchar **err_info,
 268     gint64 *data_offset)
 269 {
 270     int bytes_consumed;
 271     int offset_from_packet_header = 0;
 272     packet_entry_header packet_header;
 273
 274     /* skip records other than data records */
 275     for (;;) {
 276         *data_offset = wth->data_offset;
 277
 278         /* process the packet header, including TLVs */
 279                 bytes_consumed = read_packet_header(wth->fh, &wth->pseudo_header, &packet_header, err,
 280             err_info);
 281         if (bytes_consumed <= 0)
 282             return FALSE;    /* EOF or error */
 283
 284         wth->data_offset += bytes_consumed;
 285
 286         if (packet_header.packet_type == PACKET_TYPE_DATA_PACKET)
 287             break;
 288
 289         /* skip to next packet */
 290         offset_from_packet_header = (int) (wth->data_offset - *data_offset);
 291         if (!skip_to_next_packet(wth, packet_header.offset_to_next_packet,
 292                 offset_from_packet_header, err, err_info)) {
 293             return FALSE;    /* EOF or error */
 294         }
 295     }
 296
 297     /* neglect frame markers for wiretap */
 298     if (packet_header.network_size < 4) {
 299         *err = WTAP_ERR_BAD_FILE;
 300         *err_info = g_strdup_printf("Observer: bad record: Packet length %u < 4",
 301             packet_header.network_size);
 302         return FALSE;
 303     }
 304
 305     /* set the wiretap packet header fields */
 306     wth->phdr.pkt_encap = observer_to_wtap_encap(packet_header.network_type);
 307     if(wth->file_encap == WTAP_ENCAP_FIBRE_CHANNEL_FC2_WITH_FRAME_DELIMS) {
 308         wth->phdr.len = packet_header.network_size;
 309         wth->phdr.caplen = packet_header.captured_size;
 310     } else {
 311         wth->phdr.len = packet_header.network_size - 4;
 312         wth->phdr.caplen = MIN(packet_header.captured_size, wth->phdr.len);
 313     }
 314
 315     /* set the wiretap timestamp, assuming for the moment that Observer encoded it in GMT */
 316     wth->phdr.ts.secs = (time_t) ((packet_header.nano_seconds_since_2000 / 1000000000) + ansi_to_observer_epoch_offset);
 317     wth->phdr.ts.nsecs = (int) (packet_header.nano_seconds_since_2000 % 1000000000);
 318
 319     /* adjust to local time, if necessary, also accounting for DST if the frame
 320        was captured while it was in effect */
 321     if (((observer_dump_private_state*)wth->priv)->time_format == TIME_INFO_LOCAL)
 322     {
 323         struct tm daylight_tm;
 324         struct tm standard_tm;
 325         time_t    dst_offset;
 326
 327         /* the Observer timestamp was encoded as local time, so add a
 328            correction from local time to GMT */
 329         wth->phdr.ts.secs += gmt_to_localtime_offset;
 330
 331         /* perform a DST adjustment if necessary */
 332         standard_tm = *localtime(&wth->phdr.ts.secs);
 333         if (standard_tm.tm_isdst > 0) {
 334             daylight_tm = standard_tm;
 335             standard_tm.tm_isdst = 0;
 336             dst_offset = mktime(&standard_tm) - mktime(&daylight_tm);
 337             wth->phdr.ts.secs -= dst_offset;
 338         }
 339     }
 340
 341     /* update the pseudo header */
 342     switch (wth->file_encap) {
 343     case WTAP_ENCAP_ETHERNET:
 344         /* There is no FCS in the frame */
 345         wth->pseudo_header.eth.fcs_len = 0;
 346         break;
 347         case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
 348                 /* Updated in read_packet_header */
 349                 break;
 350     }
 351
 352     /* set-up the packet buffer */
 353     buffer_assure_space(wth->frame_buffer, packet_header.captured_size);
 354
 355     /* read the frame data */
 356     offset_from_packet_header = (int) (wth->data_offset - *data_offset);
 357     bytes_consumed = read_packet_data(wth->fh, packet_header.offset_to_frame,
 358             offset_from_packet_header, buffer_start_ptr(wth->frame_buffer),
 359             packet_header.captured_size, err, err_info);
 360     if (bytes_consumed < 0) {
 361         return FALSE;
 362     }
 363     wth->data_offset += bytes_consumed;
 364
 365     /* skip over any extra bytes following the frame data */
 366     offset_from_packet_header = (int) (wth->data_offset - *data_offset);
 367     if (!skip_to_next_packet(wth, packet_header.offset_to_next_packet,
 368             offset_from_packet_header, err, err_info)) {
 369         return FALSE;
 370     }
 371
 372     return TRUE;
 373 }
 374
 375 /* Reads a packet at an offset. */
 376 static gboolean observer_seek_read(wtap *wth, gint64 seek_off,
 377     union wtap_pseudo_header *pseudo_header, guint8 *pd, int length,
 378     int *err, gchar **err_info)
 379 {
 380     packet_entry_header packet_header;
 381     int offset;
 382
 383     if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
 384         return FALSE;
 385
 386     /* process the packet header, including TLVs */
 387         offset = read_packet_header(wth->random_fh, pseudo_header, &packet_header, err,
 388         err_info);
 389     if (offset <= 0)
 390         return FALSE;    /* EOF or error */
 391
 392     /* update the pseudo header */
 393     switch (wth->file_encap) {
 394
 395     case WTAP_ENCAP_ETHERNET:
 396         /* There is no FCS in the frame */
 397         pseudo_header->eth.fcs_len = 0;
 398         break;
 399         case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
 400                 /* Updated in read_packet_header */
 401                 break;
 402     }
 403
 404     /* read the frame data */
 405     if (!read_packet_data(wth->random_fh, packet_header.offset_to_frame,
 406         offset, pd, length, err, err_info))
 407         return FALSE;
 408
 409     return TRUE;
 410 }
 411
 412 static int
 413 read_packet_header(FILE_T fh, union wtap_pseudo_header *pseudo_header,
 414         packet_entry_header *packet_header, int *err, gchar **err_info)
 415 {
 416     int offset;
 417     int bytes_read;
 418     guint i;
 419     tlv_header tlvh;
 420     int seek_increment;
 421         tlv_wireless_info wireless_header;
 422
 423     offset = 0;
 424
 425     /* pull off the packet header */
 426     bytes_read = file_read(packet_header, sizeof *packet_header, fh);
 427     if (bytes_read != sizeof *packet_header) {
 428         *err = file_error(fh, err_info);
 429         if (*err != 0)
 430             return -1;
 431         return 0;    /* EOF */
 432     }
 433     offset += bytes_read;
 434     PACKET_ENTRY_HEADER_FROM_LE_IN_PLACE(*packet_header);
 435
 436     /* check the packet's magic number */
 437     if (packet_header->packet_magic != observer_packet_magic) {
 438
 439         /*
 440          * Some files are zero-padded at the end. There is no warning of this
 441          * in the previous packet header information, such as setting
 442          * offset_to_next_packet to zero. So detect this situation by treating
 443          * an all-zero header as a sentinel. Return EOF when it is encountered,
 444          * rather than treat it as a bad record.
 445          */
 446         for (i = 0; i < sizeof *packet_header; i++) {
 447             if (((guint8*) packet_header)[i] != 0)
 448                 break;
 449         }
 450         if (i == sizeof *packet_header) {
 451             *err = 0;
 452             return 0;    /* EOF */
 453         }
 454
 455         *err = WTAP_ERR_BAD_FILE;
 456         *err_info = g_strdup_printf("Observer: bad record: Invalid magic number 0x%08x",
 457             packet_header->packet_magic);
 458         return -1;
 459     }
 460
 461     /* process extra information */
 462     for (i = 0; i < packet_header->number_of_information_elements; i++) {
 463         /* read the TLV header */
 464         bytes_read = file_read(&tlvh, sizeof tlvh, fh);
 465         if (bytes_read != sizeof tlvh) {
 466             *err = file_error(fh, err_info);
 467             if (*err == 0)
 468                 *err = WTAP_ERR_SHORT_READ;
 469             return -1;
 470         }
 471         offset += bytes_read;
 472         TLV_HEADER_FROM_LE_IN_PLACE(tlvh);
 473
 474         if (tlvh.length < sizeof tlvh) {
 475             *err = WTAP_ERR_BAD_FILE;
 476             *err_info = g_strdup_printf("Observer: bad record (TLV length %u < %lu)",
 477                 tlvh.length, (unsigned long)sizeof tlvh);
 478             return -1;
 479         }
 480
 481         /* process (or skip over) the current TLV */
 482         switch (tlvh.type) {
 483         case INFORMATION_TYPE_WIRELESS:
 484                         bytes_read = file_read(&wireless_header, sizeof wireless_header, fh);
 485                         if (bytes_read != sizeof wireless_header) {
 486                                 *err = file_error(fh, err_info);
 487                 if(*err == 0)
 488                     *err = WTAP_ERR_SHORT_READ;
 489                 return -1;
 490                         }
 491                         /* update the pseudo header */
 492                         pseudo_header->ieee_802_11.fcs_len = 0;
 493                         pseudo_header->ieee_802_11.channel = wireless_header.frequency;
 494                         pseudo_header->ieee_802_11.data_rate = wireless_header.rate;
 495                         pseudo_header->ieee_802_11.signal_level = wireless_header.strengthPercent;
 496                         offset += bytes_read;
 497             break;
 498         default:
 499                         /* skip the TLV data */
 500                         seek_increment = tlvh.length - (int)sizeof tlvh;
 501                         if (seek_increment > 0) {
 502                                 if (file_seek(fh, seek_increment, SEEK_CUR, err) == -1)
 503                                         return -1;
 504                         }
 505                         offset += seek_increment;
 506                 }
 507     }
 508
 509     return offset;
 510 }
 511
 512 static int
 513 read_packet_data(FILE_T fh, int offset_to_frame, int current_offset_from_packet_header, guint8 *pd,
 514     int length, int *err, char **err_info)
 515 {
 516     int seek_increment;
 517     int bytes_consumed = 0;
 518
 519     /* validate offsets */
 520     if (offset_to_frame < current_offset_from_packet_header) {
 521         *err = WTAP_ERR_BAD_FILE;
 522         *err_info = g_strdup_printf("Observer: bad record (offset to packet data %d < %d)",
 523             offset_to_frame, current_offset_from_packet_header);
 524         return -1;
 525     }
 526
 527     /* skip to the packet data */
 528     seek_increment = offset_to_frame - current_offset_from_packet_header;
 529     if (seek_increment > 0) {
 530         if (file_seek(fh, seek_increment, SEEK_CUR, err) == -1) {
 531             return -1;
 532         }
 533         bytes_consumed += seek_increment;
 534     }
 535
 536     /* read in the packet data */
 537     wtap_file_read_expected_bytes(pd, length, fh, err, err_info);
 538     bytes_consumed += length;
 539
 540     return bytes_consumed;
 541 }
 542
 543 static gboolean
 544 skip_to_next_packet(wtap *wth, int offset_to_next_packet, int current_offset_from_packet_header, int *err,
 545     char **err_info)
 546 {
 547     int seek_increment;
 548
 549     /* validate offsets */
 550     if (offset_to_next_packet < current_offset_from_packet_header) {
 551         *err = WTAP_ERR_BAD_FILE;
 552         *err_info = g_strdup_printf("Observer: bad record (offset to next packet %d < %d)",
 553             offset_to_next_packet, current_offset_from_packet_header);
 554         return FALSE;
 555     }
 556
 557     /* skip to the next packet header */
 558     seek_increment = offset_to_next_packet - current_offset_from_packet_header;
 559     if (seek_increment > 0) {
 560         if (file_seek(wth->fh, seek_increment, SEEK_CUR, err) == -1)
 561             return FALSE;
 562         wth->data_offset += seek_increment;
 563     }
 564
 565     return TRUE;
 566 }
 567
 568 /* Returns 0 if we could write the specified encapsulation type,
 569    an error indication otherwise. */
 570 int network_instruments_dump_can_write_encap(int encap)
 571 {
 572     /* per-packet encapsulations aren't supported */
 573     if (encap == WTAP_ENCAP_PER_PACKET)
 574         return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
 575
 576     if (encap < 0 || (wtap_to_observer_encap(encap) == OBSERVER_UNDEFINED))
 577         return WTAP_ERR_UNSUPPORTED_ENCAP;
 578
 579     return 0;
 580 }
 581
 582 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
 583    failure. */
 584 gboolean network_instruments_dump_open(wtap_dumper *wdh, int *err)
 585 {
 586     observer_dump_private_state * private_state = NULL;
 587     capture_file_header file_header;
 588
 589     tlv_header comment_header;
 590     tlv_time_info time_header;
 591     char comment[64];
 592     size_t comment_length;
 593     struct tm * current_time;
 594     time_t system_time;
 595
 596     /* initialize the private state */
 597     private_state = (observer_dump_private_state *) g_malloc(sizeof(observer_dump_private_state));
 598     private_state->packet_count = 0;
 599     private_state->network_type = wtap_to_observer_encap(wdh->encap);
 600     private_state->time_format = TIME_INFO_GMT;
 601
 602     /* populate the fields of wdh */
 603     wdh->priv = (void *) private_state;
 604     wdh->subtype_write = observer_dump;
 605
 606     /* initialize the file header */
 607     memset(&file_header, 0x00, sizeof(file_header));
 608     g_strlcpy(file_header.observer_version, network_instruments_magic, 31);
 609     file_header.offset_to_first_packet = (guint16)sizeof(file_header);
 610     file_header.offset_to_first_packet_high_byte = 0;
 611
 612     /* create the file comment TLV */
 613     {
 614         time(&system_time);
 615         current_time = localtime(&system_time);
 616         memset(&comment, 0x00, sizeof(comment));
 617         g_snprintf(comment, 64, "This capture was saved from Wireshark on %s", asctime(current_time));
 618         comment_length = strlen(comment);
 619
 620         comment_header.type = INFORMATION_TYPE_COMMENT;
 621         comment_header.length = (guint16) (sizeof(comment_header) + comment_length);
 622
 623         /* update the file header to account for the comment TLV */
 624         file_header.number_of_information_elements++;
 625         file_header.offset_to_first_packet += comment_header.length;
 626     }
 627
 628     /* create the timestamp encoding TLV */
 629     {
 630         time_header.type = INFORMATION_TYPE_TIME_INFO;
 631         time_header.length = (guint16) (sizeof(time_header));
 632         time_header.time_format = TIME_INFO_GMT;
 633
 634         /* update the file header to account for the timestamp encoding TLV */
 635         file_header.number_of_information_elements++;
 636         file_header.offset_to_first_packet += time_header.length;
 637     }
 638
 639     /* write the file header, swapping any multibyte fields first */
 640     CAPTURE_FILE_HEADER_TO_LE_IN_PLACE(file_header);
 641     if (!wtap_dump_file_write(wdh, &file_header, sizeof(file_header), err)) {
 642         return FALSE;
 643     }
 644     wdh->bytes_dumped += sizeof(file_header);
 645
 646     /* write the comment TLV */
 647     {
 648         TLV_HEADER_TO_LE_IN_PLACE(comment_header);
 649         if (!wtap_dump_file_write(wdh, &comment_header, sizeof(comment_header), err)) {
 650             return FALSE;
 651         }
 652         wdh->bytes_dumped += sizeof(comment_header);
 653
 654         if (!wtap_dump_file_write(wdh, &comment, comment_length, err)) {
 655             return FALSE;
 656         }
 657         wdh->bytes_dumped += comment_length;
 658     }
 659
 660     /* write the time info TLV */
 661     {
 662         TLV_TIME_INFO_TO_LE_IN_PLACE(time_header);
 663         if (!wtap_dump_file_write(wdh, &time_header, sizeof(time_header), err)) {
 664             return FALSE;
 665         }
 666         wdh->bytes_dumped += sizeof(time_header);
 667     }
 668
 669     init_gmt_to_localtime_offset();
 670
 671     return TRUE;
 672 }
 673
 674 /* Write a record for a packet to a dump file.
 675    Returns TRUE on success, FALSE on failure. */
 676 static gboolean observer_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
 677     const union wtap_pseudo_header *pseudo_header _U_, const guint8 *pd,
 678     int *err)
 679 {
 680     observer_dump_private_state * private_state = NULL;
 681     packet_entry_header           packet_header;
 682     guint64                       seconds_since_2000;
 683
 684     /* convert the number of seconds since epoch from ANSI-relative to
 685        Observer-relative */
 686     if (phdr->ts.secs < ansi_to_observer_epoch_offset) {
 687         if(phdr->ts.secs > (time_t) 0) {
 688             seconds_since_2000 = phdr->ts.secs;
 689         } else {
 690             seconds_since_2000 = (time_t) 0;
 691         }
 692     } else {
 693         seconds_since_2000 = phdr->ts.secs - ansi_to_observer_epoch_offset;
 694     }
 695
 696     /* populate the fields of the packet header */
 697     private_state = (observer_dump_private_state *) wdh->priv;
 698
 699     memset(&packet_header, 0x00, sizeof(packet_header));
 700     packet_header.packet_magic = observer_packet_magic;
 701     packet_header.network_speed = 1000000;
 702     packet_header.captured_size = (guint16) phdr->caplen;
 703     packet_header.network_size = (guint16) (phdr->len + 4);
 704     packet_header.offset_to_frame = sizeof(packet_header);
 705     /* XXX - what if this doesn't fit in 16 bits?  It's not guaranteed to... */
 706     packet_header.offset_to_next_packet = (guint16)sizeof(packet_header) + phdr->caplen;
 707     packet_header.network_type = private_state->network_type;
 708     packet_header.flags = 0x00;
 709     packet_header.number_of_information_elements = 0;
 710     packet_header.packet_type = PACKET_TYPE_DATA_PACKET;
 711     packet_header.packet_number = private_state->packet_count;
 712     packet_header.original_packet_number = packet_header.packet_number;
 713     packet_header.nano_seconds_since_2000 = seconds_since_2000 * 1000000000 + phdr->ts.nsecs;
 714
 715     private_state->packet_count++;
 716
 717     /* write the packet header */
 718     PACKET_ENTRY_HEADER_TO_LE_IN_PLACE(packet_header);
 719     if (!wtap_dump_file_write(wdh, &packet_header, sizeof(packet_header), err)) {
 720         return FALSE;
 721     }
 722     wdh->bytes_dumped += sizeof(packet_header);
 723
 724     /* write the packet data */
 725     if (!wtap_dump_file_write(wdh, pd, phdr->caplen, err)) {
 726         return FALSE;
 727     }
 728     wdh->bytes_dumped += phdr->caplen;
 729
 730     return TRUE;
 731 }
 732
 733 static gint observer_to_wtap_encap(int observer_encap)
 734 {
 735     switch(observer_encap) {
 736     case OBSERVER_ETHERNET:
 737         return WTAP_ENCAP_ETHERNET;
 738     case OBSERVER_TOKENRING:
 739         return WTAP_ENCAP_TOKEN_RING;
 740     case OBSERVER_FIBRE_CHANNEL:
 741         return WTAP_ENCAP_FIBRE_CHANNEL_FC2_WITH_FRAME_DELIMS;
 742     case OBSERVER_WIRELESS_802_11:
 743         return WTAP_ENCAP_IEEE_802_11_WITH_RADIO;
 744     case OBSERVER_UNDEFINED:
 745         return WTAP_ENCAP_UNKNOWN;
 746     }
 747     return WTAP_ENCAP_UNKNOWN;
 748 }
 749
 750 static gint wtap_to_observer_encap(int wtap_encap)
 751 {
 752     switch(wtap_encap) {
 753     case WTAP_ENCAP_ETHERNET:
 754         return OBSERVER_ETHERNET;
 755     case WTAP_ENCAP_TOKEN_RING:
 756         return OBSERVER_TOKENRING;
 757     case WTAP_ENCAP_FIBRE_CHANNEL_FC2_WITH_FRAME_DELIMS:
 758         return OBSERVER_FIBRE_CHANNEL;
 759     case WTAP_ENCAP_UNKNOWN:
 760         return OBSERVER_UNDEFINED;
 761     }
 762     return OBSERVER_UNDEFINED;
 763 }