3 * $Id: ngsniffer.c,v 1.104 2003/01/10 04:04:41 guy Exp $
6 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
23 /* The code in ngsniffer.c that decodes the time fields for each packet in the
24 * Sniffer trace originally came from code from TCPVIEW:
29 * Networks and Distributed Computing
30 * Computing & Communications
31 * University of Washington
32 * Administration Building, AG-44
34 * Internet: martinh@cac.washington.edu
37 * Copyright 1992 by the University of Washington
39 * Permission to use, copy, modify, and distribute this software and its
40 * documentation for any purpose and without fee is hereby granted, provided
41 * that the above copyright notice appears in all copies and that both the
42 * above copyright notice and this permission notice appear in supporting
43 * documentation, and that the name of the University of Washington not be
44 * used in advertising or publicity pertaining to distribution of the software
45 * without specific, written prior permission. This software is made
46 * available "as is", and
47 * THE UNIVERSITY OF WASHINGTON DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
48 * WITH REGARD TO THIS SOFTWARE, INCLUDING WITHOUT LIMITATION ALL IMPLIED
49 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND IN
50 * NO EVENT SHALL THE UNIVERSITY OF WASHINGTON BE LIABLE FOR ANY SPECIAL,
51 * INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
52 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, TORT
53 * (INCLUDING NEGLIGENCE) OR STRICT LIABILITY, ARISING OUT OF OR IN CONNECTION
54 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
65 #include "file_wrappers.h"
68 #include "ngsniffer.h"
70 /* Magic number in Sniffer files. */
71 static const char ngsniffer_magic[] = {
72 'T', 'R', 'S', 'N', 'I', 'F', 'F', ' ', 'd', 'a', 't', 'a',
73 ' ', ' ', ' ', ' ', 0x1a
77 * Sniffer record types.
79 #define REC_VERS 1 /* Version record (f_vers) */
80 #define REC_FRAME2 4 /* Frame data (f_frame2) */
81 #define REC_FRAME4 8 /* Frame data (f_frame4) */
82 #define REC_FRAME6 12 /* Frame data (f_frame6) (see below) */
83 #define REC_EOF 3 /* End-of-file record (no data follows) */
85 * and now for some unknown header types
87 #define REC_HEADER1 6 /* Header containing serial numbers? */
88 #define REC_HEADER2 7 /* Header containing ??? */
89 #define REC_V2DESC 8 /* In version 2 sniffer traces contains
90 * infos about this capturing session.
91 * Collides with REC_FRAME4 */
92 #define REC_HEADER3 13 /* Retransmission counts? */
93 #define REC_HEADER4 14 /* ? */
94 #define REC_HEADER5 15 /* ? */
95 #define REC_HEADER6 16 /* More broadcast/retransmission counts? */
96 #define REC_HEADER7 17 /* ? */
100 * Sniffer version record format.
103 gint16 maj_vers; /* major version number */
104 gint16 min_vers; /* minor version number */
105 gint16 time; /* DOS-format time */
106 gint16 date; /* DOS-format date */
107 gint8 type; /* what type of records follow */
108 guint8 network; /* network type */
109 gint8 format; /* format version */
110 guint8 timeunit; /* timestamp units */
111 gint8 cmprs_vers; /* compression version */
112 gint8 cmprs_level; /* compression level */
113 gint16 rsvd[2]; /* reserved */
117 * Sniffer type 2 data record format - followed by frame data.
121 * http://download.nai.com/products/media/sniffer/support/sdos/operation.pdf
123 * documents some of the values used in "fs" and "flags". "flags" don't
124 * look as if they'd be of much interest to us, as those are internal
125 * flags for state used by the Sniffer, but "fs" gives various status
126 * bits including error indications *and*:
128 * ISDN channel information for ISDN;
130 * PPP vs. SLIP information for Async.
132 * In that section it also refers to "FDDI analyzers using the NPI PCI
133 * FDDI adapter" and "FDDI analyzers using the NPI ISA FDDI adapter",
134 * referring to the first as "F1SNIFF" and the second as "FDSNIFF";
135 * those sound as if they *could* be replacements for "TRSNIFF" in
136 * the file header, but that manual says, earlier, that the header
137 * starts with "TRSNIFF data, no matter where the frames were
140 * It also says that "time_high" is really "tstamp_high" and "tstamp_day";
141 * did some older manual have it as a 16-bit "tstamp_high", so that perhaps
142 * it depends on the version number in the file, or is it "tstamp_high"
143 * plus "tstamp_day" in all versions? (I forget whether this came purely
144 * from tcpview, or if I saw any of it in an NAI document.)
147 guint16 time_low; /* low part of time stamp */
148 guint16 time_med; /* middle part of time stamp */
149 guint16 time_high; /* high part of time stamp */
150 gint16 size; /* number of bytes of data */
151 guint8 fs; /* frame error status bits */
152 guint8 flags; /* buffer flags */
153 gint16 true_size; /* size of original frame, in bytes */
154 gint16 rsvd; /* reserved */
158 * Sniffer type 4 data record format - followed by frame data.
160 * The ATM Sniffer manual says that the "flags" field holds "buffer flags;
161 * BF_xxxx", but doesn't say what the BF_xxxx flags are. They may
162 * be the same as they are in a type 2 record, in which case they're
163 * probably not of much interest to us.
165 * XXX - the manual also says there's an 8-byte "ATMTimeStamp" driver
166 * time stamp at the end of "ATMSaveInfo", but, from an ATM Sniffer capture
167 * file I've looked at, that appears not to be the case.
171 * Fields from the AAL5 trailer for the frame, if it's an AAL5 frame
172 * rather than a cell.
174 typedef struct _ATM_AAL5Trailer {
175 guint16 aal5t_u2u; /* user-to-user indicator */
176 guint16 aal5t_len; /* length of the packet */
177 guint32 aal5t_chksum; /* checksum for AAL5 packet */
180 typedef struct _ATMTimeStamp {
181 guint32 msw; /* most significant word */
182 guint32 lsw; /* least significant word */
185 typedef struct _ATMSaveInfo {
186 guint32 StatusWord; /* status word from driver */
187 ATM_AAL5Trailer Trailer; /* AAL5 trailer */
188 guint8 AppTrafType; /* traffic type */
189 guint8 AppHLType; /* protocol type */
190 guint16 AppReserved; /* reserved */
191 guint16 Vpi; /* virtual path identifier */
192 guint16 Vci; /* virtual circuit identifier */
193 guint16 channel; /* link: 0 for DCE, 1 for DTE */
194 guint16 cells; /* number of cells */
195 guint32 AppVal1; /* type-dependent */
196 guint32 AppVal2; /* type-dependent */
200 * Bits in StatusWord.
202 #define SW_ERRMASK 0x0F /* Error mask: */
203 #define SW_RX_FIFO_UNDERRUN 0x01 /* Receive FIFO underrun */
204 #define SW_RX_FIFO_OVERRUN 0x02 /* Receive FIFO overrun */
205 #define SW_RX_PKT_TOO_LONG 0x03 /* Received packet > max size */
206 #define SW_CRC_ERROR 0x04 /* CRC error */
207 #define SW_USER_ABORTED_RX 0x05 /* User aborted receive */
208 #define SW_BUF_LEN_TOO_LONG 0x06 /* buffer len > max buf */
209 #define SW_INTERNAL_T1_ERROR 0x07 /* Internal T1 error */
210 #define SW_RX_CHANNEL_DEACTIV8 0x08 /* Rx channel deactivate */
212 #define SW_ERROR 0x80 /* Error indicator */
213 #define SW_CONGESTION 0x40 /* Congestion indicator */
214 #define SW_CLP 0x20 /* Cell loss priority indicator */
215 #define SW_RAW_CELL 0x100 /* RAW cell indicator */
216 #define SW_OAM_CELL 0x200 /* OAM cell indicator */
219 * Bits in AppTrafType.
221 * For AAL types other than AAL5, the packet data is presumably for a
222 * single cell, not a reassembled frame, as the ATM Sniffer manual says
223 * it dosn't reassemble cells other than AAL5 cells.
225 #define ATT_AALTYPE 0x0F /* AAL type: */
226 #define ATT_AAL_UNKNOWN 0x00 /* Unknown AAL */
227 #define ATT_AAL1 0x01 /* AAL1 */
228 #define ATT_AAL3_4 0x02 /* AAL3/4 */
229 #define ATT_AAL5 0x03 /* AAL5 */
230 #define ATT_AAL_USER 0x04 /* User AAL */
231 #define ATT_AAL_SIGNALLING 0x05 /* Signaling AAL */
232 #define ATT_OAMCELL 0x06 /* OAM cell */
234 #define ATT_HLTYPE 0xF0 /* Higher-layer type: */
235 #define ATT_HL_UNKNOWN 0x00 /* unknown */
236 #define ATT_HL_LLCMX 0x10 /* LLC multiplexed (probably RFC 1483) */
237 #define ATT_HL_VCMX 0x20 /* VC multiplexed (probably RFC 1483) */
238 #define ATT_HL_LANE 0x30 /* LAN Emulation */
239 #define ATT_HL_ILMI 0x40 /* ILMI */
240 #define ATT_HL_FRMR 0x50 /* Frame Relay */
241 #define ATT_HL_SPANS 0x60 /* FORE SPANS */
242 #define ATT_HL_IPSILON 0x70 /* Ipsilon */
245 * Values for AppHLType; the interpretation depends on the ATT_HLTYPE
246 * bits in AppTrafType.
248 #define AHLT_UNKNOWN 0x0
249 #define AHLT_VCMX_802_3_FCS 0x1 /* VCMX: 802.3 FCS */
250 #define AHLT_LANE_LE_CTRL 0x1 /* LANE: LE Ctrl */
251 #define AHLT_IPSILON_FT0 0x1 /* Ipsilon: Flow Type 0 */
252 #define AHLT_VCMX_802_4_FCS 0x2 /* VCMX: 802.4 FCS */
253 #define AHLT_LANE_802_3 0x2 /* LANE: 802.3 */
254 #define AHLT_IPSILON_FT1 0x2 /* Ipsilon: Flow Type 1 */
255 #define AHLT_VCMX_802_5_FCS 0x3 /* VCMX: 802.5 FCS */
256 #define AHLT_LANE_802_5 0x3 /* LANE: 802.5 */
257 #define AHLT_IPSILON_FT2 0x3 /* Ipsilon: Flow Type 2 */
258 #define AHLT_VCMX_FDDI_FCS 0x4 /* VCMX: FDDI FCS */
259 #define AHLT_LANE_802_3_MC 0x4 /* LANE: 802.3 multicast */
260 #define AHLT_VCMX_802_6_FCS 0x5 /* VCMX: 802.6 FCS */
261 #define AHLT_LANE_802_5_MC 0x5 /* LANE: 802.5 multicast */
262 #define AHLT_VCMX_802_3 0x7 /* VCMX: 802.3 */
263 #define AHLT_VCMX_802_4 0x8 /* VCMX: 802.4 */
264 #define AHLT_VCMX_802_5 0x9 /* VCMX: 802.5 */
265 #define AHLT_VCMX_FDDI 0xa /* VCMX: FDDI */
266 #define AHLT_VCMX_802_6 0xb /* VCMX: 802.6 */
267 #define AHLT_VCMX_FRAGMENTS 0xc /* VCMX: Fragments */
268 #define AHLT_VCMX_BPDU 0xe /* VCMX: BPDU */
271 guint16 time_low; /* low part of time stamp */
272 guint16 time_med; /* middle part of time stamp */
273 gint8 time_high; /* high part of time stamp */
274 gint8 time_day; /* time in days since start of capture */
275 gint16 size; /* number of bytes of data */
276 gint8 fs; /* frame error status bits */
277 gint8 flags; /* buffer flags */
278 gint16 true_size; /* size of original frame, in bytes */
279 gint16 rsvd3; /* reserved */
280 gint16 atm_pad; /* pad to 4-byte boundary */
281 ATMSaveInfo atm_info; /* ATM-specific stuff */
285 * XXX - I have a version 5.50 file with a bunch of token ring
286 * records listed as type "12". The record format below was
287 * derived from frame4_rec and a bit of experimentation.
291 guint16 time_low; /* low part of time stamp */
292 guint16 time_med; /* middle part of time stamp */
293 gint8 time_high; /* high part of time stamp */
294 gint8 time_day; /* time in days since start of capture */
295 gint16 size; /* number of bytes of data */
296 guint8 fs; /* frame error status bits */
297 guint8 flags; /* buffer flags */
298 gint16 true_size; /* size of original frame, in bytes */
299 guint8 chemical_x[22]; /* ? */
303 * Network type values in some type 7 records.
305 * Captures with a major version number of 2 appear to have type 7
306 * records with text in them (at least one I have does).
308 * Captures with a major version of 4, and at least some captures with
309 * a major version of 5, have type 7 records with those values in the
312 * However, some captures with a major version number of 5 appear not to
313 * have type 7 records at all (at least one I have doesn't), but do appear
314 * to put non-zero values in the "rsvd" field of the version header (at
315 * least one I have does) - at least some other captures with smaller version
316 * numbers appear to put 0 there, so *maybe* that's where the network
317 * (sub)type is hidden in those captures. The version 5 captures I've seen
318 * that *do* have type 7 records put 0 there, so it's not as if *all* V5
319 * captures have something in the "rsvd" field, however.
321 * The semantics of these network types is inferred from the Sniffer
322 * documentation, as they correspond to types described in the UI;
325 * http://download.nai.com/products/media/sniffer/support/sdos/operation.pdf
327 * starting at page 3-10 (56 of 496).
329 * XXX - I've seen X.25 captures with NET_ROUTER, and I've seen bridge/
330 * router captures with NET_HDLC. Sigh....
332 #define NET_SDLC 0 /* Probably "SDLC then SNA" */
333 #define NET_HDLC 1 /* Used for X.25; is it used for other
334 things as well, or is it "HDLC then
335 X.25", as referred to by the document
336 cited above, and only used for X.25? */
337 #define NET_FRAME_RELAY 2
338 #define NET_ROUTER 3 /* Probably "Router/Bridge", for various
339 point-to-point protocols for use between
340 bridges and routers, including PPP as well
341 as various proprietary protocols; also
342 used for ISDN, for reasons not obvious
343 to me, given that a Sniffer knows
344 whether it's using a WAN or an ISDN pod */
345 #define NET_PPP 4 /* "Asynchronous", which includes SLIP too */
346 #define NET_SMDS 5 /* Not mentioned in the document, but
347 that's a document for version 5.50 of
348 the Sniffer, and that version might use
349 version 5 in the file format and thus
350 might not be using type 7 records */
352 /* values for V.timeunit */
353 #define NUM_NGSNIFF_TIMEUNITS 7
354 static double Usec[] = { 15.0, 0.838096, 15.0, 0.5, 2.0, 1.0, 0.1 };
356 static int process_header_records(wtap *wth, int *err, gint16 version,
357 gboolean *is_router);
358 static int process_rec_header2_v2(wtap *wth, unsigned char *buffer,
359 guint16 length, int *err);
360 static int process_rec_header2_v45(wtap *wth, unsigned char *buffer,
361 guint16 length, gboolean *is_router, int *err);
362 static gboolean ngsniffer_read(wtap *wth, int *err, long *data_offset);
363 static gboolean ngsniffer_seek_read(wtap *wth, long seek_off,
364 union wtap_pseudo_header *pseudo_header, guchar *pd, int packet_size,
366 static int ngsniffer_read_rec_header(wtap *wth, gboolean is_random,
367 guint16 *typep, guint16 *lengthp, int *err);
368 static gboolean ngsniffer_read_frame2(wtap *wth, gboolean is_random,
369 struct frame2_rec *frame2, int *err);
370 static int set_pseudo_header_frame2(wtap *wth,
371 union wtap_pseudo_header *pseudo_header, struct frame2_rec *frame2);
372 static gboolean ngsniffer_read_frame4(wtap *wth, gboolean is_random,
373 struct frame4_rec *frame4, int *err);
374 static void set_pseudo_header_frame4(union wtap_pseudo_header *pseudo_header,
375 struct frame4_rec *frame4);
376 static gboolean ngsniffer_read_frame6(wtap *wth, gboolean is_random,
377 struct frame6_rec *frame6, int *err);
378 static void set_pseudo_header_frame6(union wtap_pseudo_header *pseudo_header,
379 struct frame6_rec *frame6);
380 static gboolean ngsniffer_read_rec_data(wtap *wth, gboolean is_random,
381 guchar *pd, int length, int *err);
382 static int infer_pkt_encap(const guint8 *pd, int len);
383 static int fix_pseudo_header(int encap, const guint8 *pd, int len,
384 union wtap_pseudo_header *pseudo_header);
385 static void ngsniffer_sequential_close(wtap *wth);
386 static void ngsniffer_close(wtap *wth);
387 static gboolean ngsniffer_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
388 const union wtap_pseudo_header *pseudo_header, const guchar *pd, int *err);
389 static gboolean ngsniffer_dump_close(wtap_dumper *wdh, int *err);
390 static int SnifferDecompress( unsigned char * inbuf, size_t inlen,
391 unsigned char * outbuf, size_t outlen, int *err );
392 static int ng_file_read(void *buffer, size_t elementsize, size_t numelements,
393 wtap *wth, gboolean is_random, int *err);
394 static int read_blob(FILE_T infile, ngsniffer_comp_stream_t *comp_stream,
396 static long ng_file_seek_seq(wtap *wth, long offset, int whence, int *err);
397 static long ng_file_seek_rand(wtap *wth, long offset, int whence, int *err);
399 int ngsniffer_open(wtap *wth, int *err)
402 char magic[sizeof ngsniffer_magic];
404 char record_length[4]; /* only the first 2 bytes are length,
405 the last 2 are "reserved" and are thrown away */
406 guint16 type, length;
407 struct vers_rec version;
411 static const int sniffer_encap[] = {
412 WTAP_ENCAP_TOKEN_RING,
415 WTAP_ENCAP_UNKNOWN, /* StarLAN */
416 WTAP_ENCAP_UNKNOWN, /* PC Network broadband */
417 WTAP_ENCAP_UNKNOWN, /* LocalTalk */
418 WTAP_ENCAP_UNKNOWN, /* Znet */
419 WTAP_ENCAP_PER_PACKET, /* Internetwork analyzer (synchronous) */
420 WTAP_ENCAP_PER_PACKET, /* Internetwork analyzer (asynchronous) */
421 WTAP_ENCAP_FDDI_BITSWAPPED,
424 #define NUM_NGSNIFF_ENCAPS (sizeof sniffer_encap / sizeof sniffer_encap[0])
428 /* Read in the string that should be at the start of a Sniffer file */
429 errno = WTAP_ERR_CANT_READ;
430 bytes_read = file_read(magic, 1, sizeof magic, wth->fh);
431 if (bytes_read != sizeof magic) {
432 *err = file_error(wth->fh);
437 wth->data_offset += sizeof magic;
439 if (memcmp(magic, ngsniffer_magic, sizeof ngsniffer_magic)) {
444 * Read the first record, which the manual says is a version
447 errno = WTAP_ERR_CANT_READ;
448 bytes_read = file_read(record_type, 1, 2, wth->fh);
449 bytes_read += file_read(record_length, 1, 4, wth->fh);
450 if (bytes_read != 6) {
451 *err = file_error(wth->fh);
456 wth->data_offset += 6;
458 type = pletohs(record_type);
459 length = pletohs(record_length);
461 if (type != REC_VERS) {
462 g_message("ngsniffer: Sniffer file doesn't start with a version record");
463 *err = WTAP_ERR_BAD_RECORD;
467 errno = WTAP_ERR_CANT_READ;
468 bytes_read = file_read(&version, 1, sizeof version, wth->fh);
469 if (bytes_read != sizeof version) {
470 *err = file_error(wth->fh);
475 wth->data_offset += sizeof version;
477 /* Check the data link type. */
478 if (version.network >= NUM_NGSNIFF_ENCAPS
479 || sniffer_encap[version.network] == WTAP_ENCAP_UNKNOWN) {
480 g_message("ngsniffer: network type %u unknown or unsupported",
482 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
486 /* Check the time unit */
487 if (version.timeunit >= NUM_NGSNIFF_TIMEUNITS) {
488 g_message("ngsniffer: Unknown timeunit %u", version.timeunit);
489 *err = WTAP_ERR_UNSUPPORTED;
493 /* compressed or uncompressed Sniffer file? */
494 if (version.format != 1) {
495 wth->file_type = WTAP_FILE_NGSNIFFER_COMPRESSED;
498 wth->file_type = WTAP_FILE_NGSNIFFER_UNCOMPRESSED;
501 /* Set encap type before reading header records because the
502 * header record may change encap type.
504 wth->file_encap = sniffer_encap[version.network];
507 * We don't know how to handle the remaining header record types,
508 * so we just skip them - except for REC_HEADER2 records, which
509 * we look at, for "Internetwork analyzer" captures, to attempt to
510 * determine what the link-layer encapsulation is.
512 maj_vers = pletohs(&version.maj_vers);
513 if (process_header_records(wth, err, maj_vers, &is_router) < 0)
517 * Now, if we have a random stream open, position it to the same
518 * location, which should be the beginning of the real data, and
519 * should be the beginning of the compressed data.
521 * XXX - will we see any records other than REC_FRAME2, REC_FRAME4,
522 * or REC_EOF after this? If not, we can get rid of the loop in
523 * "ngsniffer_read()".
525 if (wth->random_fh != NULL) {
526 if (file_seek(wth->random_fh, wth->data_offset, SEEK_SET, err) == -1)
530 /* This is a ngsniffer file */
531 wth->capture.ngsniffer = g_malloc(sizeof(ngsniffer_t));
532 wth->capture.ngsniffer->maj_vers = maj_vers;
533 wth->capture.ngsniffer->min_vers = pletohs(&version.min_vers);
535 /* We haven't allocated any uncompression buffers yet. */
536 wth->capture.ngsniffer->seq.buf = NULL;
537 wth->capture.ngsniffer->rand.buf = NULL;
539 /* Set the current file offset; the offset in the compressed file
540 and in the uncompressed data stream currently the same. */
541 wth->capture.ngsniffer->seq.uncomp_offset = wth->data_offset;
542 wth->capture.ngsniffer->seq.comp_offset = wth->data_offset;
543 wth->capture.ngsniffer->rand.uncomp_offset = wth->data_offset;
544 wth->capture.ngsniffer->rand.comp_offset = wth->data_offset;
546 /* We don't yet have any list of compressed blobs. */
547 wth->capture.ngsniffer->first_blob = NULL;
548 wth->capture.ngsniffer->last_blob = NULL;
549 wth->capture.ngsniffer->current_blob = NULL;
551 wth->subtype_read = ngsniffer_read;
552 wth->subtype_seek_read = ngsniffer_seek_read;
553 wth->subtype_sequential_close = ngsniffer_sequential_close;
554 wth->subtype_close = ngsniffer_close;
555 wth->snapshot_length = 0; /* not available in header, only in frame */
556 wth->capture.ngsniffer->timeunit = Usec[version.timeunit];
557 wth->capture.ngsniffer->is_atm =
558 (wth->file_encap == WTAP_ENCAP_ATM_PDUS);
559 wth->capture.ngsniffer->is_router = is_router;
561 /* Get capture start time */
562 start_time = pletohs(&version.time);
563 start_date = pletohs(&version.date);
564 tm.tm_year = ((start_date&0xfe00)>>9) + 1980 - 1900;
565 tm.tm_mon = ((start_date&0x1e0)>>5) - 1;
566 tm.tm_mday = (start_date&0x1f);
567 /* The time does not appear to act as an offset; only the date
568 tm.tm_hour = (start_time&0xf800)>>11;
569 tm.tm_min = (start_time&0x7e0)>>5;
570 tm.tm_sec = (start_time&0x1f)<<1;*/
575 wth->capture.ngsniffer->start = mktime(&tm);
577 * XXX - what if "secs" is -1? Unlikely,
578 * but if the capture was done in a time
579 * zone that switches between standard and
580 * summer time sometime other than when we
581 * do, and thus the time was one that doesn't
582 * exist here because a switch from standard
583 * to summer time zips over it, it could
586 * On the other hand, if the capture was done
587 * in a different time zone, this won't work
588 * right anyway; unfortunately, the time zone
589 * isn't stored in the capture file.
596 process_header_records(wtap *wth, int *err, gint16 version, gboolean *is_router)
600 char record_length[4]; /* only the first 2 bytes are length,
601 the last 2 are "reserved" and are thrown away */
602 guint16 type, length;
604 unsigned char buffer[256];
608 errno = WTAP_ERR_CANT_READ;
609 bytes_read = file_read(record_type, 1, 2, wth->fh);
610 if (bytes_read != 2) {
611 *err = file_error(wth->fh);
614 if (bytes_read != 0) {
615 *err = WTAP_ERR_SHORT_READ;
621 type = pletohs(record_type);
622 if ((type != REC_HEADER1) && (type != REC_HEADER2)
623 && (type != REC_HEADER3) && (type != REC_HEADER4)
624 && (type != REC_HEADER5) && (type != REC_HEADER6)
625 && (type != REC_HEADER7)
626 && ((type != REC_V2DESC) || (version > 2)) ) {
628 * Well, this is either some unknown header type
629 * (we ignore this case), an uncompressed data
630 * frame or the length of a compressed blob
631 * which implies data. Seek backwards over the
632 * two bytes we read, and return.
634 if (file_seek(wth->fh, -2, SEEK_CUR, err) == -1)
639 errno = WTAP_ERR_CANT_READ;
640 bytes_read = file_read(record_length, 1, 4, wth->fh);
641 if (bytes_read != 4) {
642 *err = file_error(wth->fh);
644 *err = WTAP_ERR_SHORT_READ;
647 wth->data_offset += 6;
649 length = pletohs(record_length);
652 * Do we not yet know the encapsulation type (i.e., is
653 * this is an "Internetwork analyzer" capture?), and
654 * is this a REC_HEADER2 record?
656 * If so, it appears to specify the particular type
657 * of network we're on.
659 if (wth->file_encap == WTAP_ENCAP_PER_PACKET &&
660 type == REC_HEADER2) {
662 * Yes, get the first up-to-256 bytes of the
665 bytes_to_read = MIN(length, sizeof buffer);
666 bytes_read = file_read(buffer, 1, bytes_to_read,
668 if (bytes_read != bytes_to_read) {
669 *err = file_error(wth->fh);
671 *err = WTAP_ERR_SHORT_READ;
679 if (process_rec_header2_v2(wth, buffer,
686 if (process_rec_header2_v45(wth, buffer,
687 length, is_router, err) < 0)
693 * Skip the rest of the record.
695 if (length > sizeof buffer) {
696 if (file_seek(wth->fh, length - sizeof buffer,
697 SEEK_CUR, err) == -1)
702 /* Nope, just skip over the data. */
703 if (file_seek(wth->fh, length, SEEK_CUR, err) == -1)
706 wth->data_offset += length;
711 process_rec_header2_v2(wtap *wth, unsigned char *buffer, guint16 length,
714 static const char x_25_str[] = "HDLC\nX.25\n";
717 * There appears to be a string in a REC_HEADER2 record, with
718 * a list of protocols. In one X.25 capture I've seen, the
719 * string was "HDLC\nX.25\nCLNP\nISO_TP\nSESS\nPRES\nVTP\nACSE".
720 * Presumably CLNP and everything else is per-packet, but
721 * we assume "HDLC\nX.25\n" indicates that it's an X.25 capture.
723 if (length < sizeof x_25_str - 1) {
725 * There's not enough data to compare.
727 g_message("ngsniffer: WAN capture has too-short protocol list");
728 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
732 if (strncmp(buffer, x_25_str, sizeof x_25_str - 1) == 0) {
736 wth->file_encap = WTAP_ENCAP_LAPB;
738 g_message("ngsniffer: WAN capture protocol string %.*s unknown",
740 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
747 process_rec_header2_v45(wtap *wth, unsigned char *buffer, guint16 length,
748 gboolean *is_router, int *err)
751 * The 5th byte of the REC_HEADER2 record appears to be a
756 * There is no 5th byte; give up.
758 g_message("ngsniffer: WAN capture has no network subtype");
759 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
764 * The X.25 captures I've seen have a type of NET_HDLC, and the
765 * Sniffer documentation seems to imply that it's used for
766 * X.25, although it could be used for other purposes as well.
768 * NET_ROUTER is used for all sorts of point-to-point protocols,
769 * including ISDN. It appears, from the documentation, that the
770 * Sniffer attempts to infer the particular protocol by looking
771 * at the traffic; it's not clear whether it stores in the file
772 * an indication of the protocol it inferred was being used.
774 * Unfortunately, it also appears that NET_HDLC is used for
775 * stuff other than X.25 as well, so we can't just interpret
776 * it unconditionally as X.25.
778 * For now, we interpret both NET_HDLC and NET_ROUTER as "per-packet
779 * encapsulation". We remember that we saw NET_ROUTER, though,
780 * as it appears that we can infer whether a packet is PPP or
781 * ISDN based on the channel number subfield of the frame error
782 * status bits - if it's 0, it's PPP, otherwise it's ISDN and
783 * the channel number indicates which channel it is. We assume
784 * NET_HDLC isn't used for ISDN.
789 wth->file_encap = WTAP_ENCAP_SDLC;
793 wth->file_encap = WTAP_ENCAP_PER_PACKET;
796 case NET_FRAME_RELAY:
797 wth->file_encap = WTAP_ENCAP_FRELAY;
801 wth->file_encap = WTAP_ENCAP_PER_PACKET;
806 wth->file_encap = WTAP_ENCAP_PPP_WITH_PHDR;
811 * Reject these until we can figure them out.
813 g_message("ngsniffer: WAN network subtype %u unknown or unsupported",
815 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
821 /* Read the next packet */
822 static gboolean ngsniffer_read(wtap *wth, int *err, long *data_offset)
825 guint16 type, length;
826 struct frame2_rec frame2;
827 struct frame4_rec frame4;
828 struct frame6_rec frame6;
830 guint16 time_low, time_med, time_high, true_size, size;
832 int pkt_encap = wth->file_encap;
836 * Read the record header.
838 *data_offset = wth->data_offset;
839 ret = ngsniffer_read_rec_header(wth, FALSE, &type, &length,
842 /* Read error or EOF */
845 wth->data_offset += 6;
850 if (wth->capture.ngsniffer->is_atm) {
852 * We shouldn't get a frame2 record in
855 g_message("ngsniffer: REC_FRAME2 record in an ATM Sniffer file");
856 *err = WTAP_ERR_BAD_RECORD;
860 /* Read the f_frame2_struct */
861 if (!ngsniffer_read_frame2(wth, FALSE, &frame2, err)) {
865 wth->data_offset += sizeof frame2;
866 time_low = pletohs(&frame2.time_low);
867 time_med = pletohs(&frame2.time_med);
868 time_high = pletohs(&frame2.time_high);
869 size = pletohs(&frame2.size);
870 true_size = pletohs(&frame2.true_size);
872 length -= sizeof frame2; /* we already read that much */
874 t = (double)time_low+(double)(time_med)*65536.0 +
875 (double)time_high*4294967296.0;
877 pkt_encap = set_pseudo_header_frame2(wth,
878 &wth->pseudo_header, &frame2);
882 if (!wth->capture.ngsniffer->is_atm) {
884 * We shouldn't get a frame2 record in
887 g_message("ngsniffer: REC_FRAME4 record in a non-ATM Sniffer file");
888 *err = WTAP_ERR_BAD_RECORD;
892 /* Read the f_frame4_struct */
893 if (!ngsniffer_read_frame4(wth, FALSE, &frame4, err)) {
897 wth->data_offset += sizeof frame4;
898 time_low = pletohs(&frame4.time_low);
899 time_med = pletohs(&frame4.time_med);
900 time_high = frame4.time_high;
901 size = pletohs(&frame4.size);
902 true_size = pletohs(&frame4.true_size);
905 * XXX - it looks as if version 4 captures have
906 * a bogus record length, based on the assumption
907 * that the record is a frame2 record.
909 if (wth->capture.ngsniffer->maj_vers >= 5)
910 length -= sizeof frame4; /* we already read that much */
912 if (wth->capture.ngsniffer->min_vers >= 95)
913 length -= sizeof frame2;
915 length -= sizeof frame4;
919 * XXX - use the "time_day" field? Is that for captures
920 * that take a *really* long time?
922 t = (double)time_low+(double)(time_med)*65536.0 +
923 (double)time_high*4294967296.0;
925 set_pseudo_header_frame4(&wth->pseudo_header, &frame4);
929 /* Read the f_frame6_struct */
930 if (!ngsniffer_read_frame6(wth, FALSE, &frame6, err)) {
934 wth->data_offset += sizeof frame6;
935 time_low = pletohs(&frame6.time_low);
936 time_med = pletohs(&frame6.time_med);
937 time_high = frame6.time_high;
938 size = pletohs(&frame6.size);
939 true_size = pletohs(&frame6.true_size);
941 length -= sizeof frame6; /* we already read that much */
944 * XXX - use the "time_day" field? Is that for captures
945 * that take a *really* long time?
947 t = (double)time_low+(double)(time_med)*65536.0 +
948 (double)time_high*4294967296.0;
950 set_pseudo_header_frame6(&wth->pseudo_header, &frame6);
955 * End of file. Return an EOF indication.
957 *err = 0; /* EOF, not error */
961 break; /* unknown type, skip it */
965 * Well, we don't know what it is, or we know what
966 * it is but can't handle it. Skip past the data
967 * portion, and keep looping.
969 if (ng_file_seek_seq(wth, length, SEEK_CUR, err) == -1)
971 wth->data_offset += length;
976 * OK, is the frame data size greater than than what's left of the
981 * Yes - treat this as an error.
983 g_message("ngsniffer: Record length is less than packet size");
984 *err = WTAP_ERR_BAD_RECORD;
988 wth->phdr.len = true_size ? true_size : size;
989 wth->phdr.caplen = size;
992 * Read the packet data.
994 buffer_assure_space(wth->frame_buffer, length);
995 pd = buffer_start_ptr(wth->frame_buffer);
996 if (!ngsniffer_read_rec_data(wth, FALSE, pd, length, err))
997 return FALSE; /* Read error */
998 wth->data_offset += length;
1000 pkt_encap = fix_pseudo_header(pkt_encap, pd, length,
1001 &wth->pseudo_header);
1002 wth->phdr.pkt_encap = pkt_encap;
1004 t = t/1000000.0 * wth->capture.ngsniffer->timeunit; /* t = # of secs */
1005 t += wth->capture.ngsniffer->start;
1006 wth->phdr.ts.tv_sec = (long)t;
1007 wth->phdr.ts.tv_usec = (unsigned long)((t-(double)(wth->phdr.ts.tv_sec))
1012 static gboolean ngsniffer_seek_read(wtap *wth, long seek_off,
1013 union wtap_pseudo_header *pseudo_header, guchar *pd, int packet_size,
1017 guint16 type, length;
1018 struct frame2_rec frame2;
1019 struct frame4_rec frame4;
1020 struct frame6_rec frame6;
1021 int pkt_encap = wth->file_encap;
1023 if (ng_file_seek_rand(wth, seek_off, SEEK_SET, err) == -1)
1026 ret = ngsniffer_read_rec_header(wth, TRUE, &type, &length, err);
1028 /* Read error or EOF */
1030 /* EOF means "short read" in random-access mode */
1031 *err = WTAP_ERR_SHORT_READ;
1039 /* Read the f_frame2_struct */
1040 if (!ngsniffer_read_frame2(wth, TRUE, &frame2, err)) {
1045 length -= sizeof frame2; /* we already read that much */
1047 pkt_encap = set_pseudo_header_frame2(wth, pseudo_header,
1052 /* Read the f_frame4_struct */
1053 if (!ngsniffer_read_frame4(wth, TRUE, &frame4, err)) {
1058 length -= sizeof frame4; /* we already read that much */
1060 set_pseudo_header_frame4(pseudo_header, &frame4);
1064 /* Read the f_frame6_struct */
1065 if (!ngsniffer_read_frame6(wth, TRUE, &frame6, err)) {
1070 length -= sizeof frame6; /* we already read that much */
1072 set_pseudo_header_frame6(pseudo_header, &frame6);
1079 g_assert_not_reached();
1084 * Got the pseudo-header (if any), now get the data.
1086 if (!ngsniffer_read_rec_data(wth, TRUE, pd, packet_size, err))
1089 fix_pseudo_header(pkt_encap, pd, packet_size, pseudo_header);
1094 static int ngsniffer_read_rec_header(wtap *wth, gboolean is_random,
1095 guint16 *typep, guint16 *lengthp, int *err)
1098 char record_type[2];
1099 char record_length[4]; /* only 1st 2 bytes are length */
1102 * Read the record header.
1104 bytes_read = ng_file_read(record_type, 1, 2, wth, is_random, err);
1105 if (bytes_read != 2) {
1108 if (bytes_read != 0) {
1109 *err = WTAP_ERR_SHORT_READ;
1114 bytes_read = ng_file_read(record_length, 1, 4, wth, is_random, err);
1115 if (bytes_read != 4) {
1117 *err = WTAP_ERR_SHORT_READ;
1121 *typep = pletohs(record_type);
1122 *lengthp = pletohs(record_length);
1123 return 1; /* success */
1126 static gboolean ngsniffer_read_frame2(wtap *wth, gboolean is_random,
1127 struct frame2_rec *frame2, int *err)
1131 /* Read the f_frame2_struct */
1132 bytes_read = ng_file_read(frame2, 1, sizeof *frame2, wth, is_random,
1134 if (bytes_read != sizeof *frame2) {
1136 *err = WTAP_ERR_SHORT_READ;
1142 static int set_pseudo_header_frame2(wtap *wth,
1143 union wtap_pseudo_header *pseudo_header, struct frame2_rec *frame2)
1148 * In one PPP "Internetwork analyzer" capture:
1150 * The only bit seen in "frame2.fs" is the 0x80 bit, which
1151 * probably indicates the packet's direction; all other
1152 * bits were zero. The Expert Sniffer Network Analyzer
1153 * 5.50 Operations manual says that bit is the FS_DTE bit
1154 * for async/PPP data. The other bits are error bits
1155 * plus bits indicating whether the frame is PPP or SLIP,
1156 * but the PPP bit isn't set.
1158 * All bits in "frame2.flags" were zero.
1160 * In one X.25 "Internetwork analyzer" capture:
1162 * The only bit seen in "frame2.fs" is the 0x80 bit, which
1163 * probably indicates the packet's direction; all other
1166 * "frame2.flags" was always 0x18; however, the Sniffer
1167 * manual says that just means that a display filter was
1168 * calculated for the frame, and it should be displayed,
1169 * so perhaps that's just a quirk of that particular capture.
1171 * In one Ethernet capture:
1173 * "frame2.fs" was always 0; the Sniffer manual says they're
1174 * error bits of various sorts.
1176 * "frame2.flags" was either 0 or 0x18, with no obvious
1177 * correlation with anything. See previous comment
1178 * about display filters.
1180 * In one Token Ring capture:
1182 * "frame2.fs" was either 0 or 0xcc; the Sniffer manual says
1183 * nothing about those bits for Token Ring captures.
1185 * "frame2.flags" was either 0 or 0x18, with no obvious
1186 * correlation with anything. See previous comment
1187 * about display filters.
1189 * In some NET_ROUTER captures, the 0x18 bits in "frame2.fs" are
1190 * 0 for frames in a non-ISDN capture and non-zero for frames in
1191 * an ISDN capture, specifying the channel number in the fashion
1192 * described in the Sniffer manual, so we use that to distinguish
1193 * between ISDN frames and non-ISDN frames.
1195 if (wth->file_encap == WTAP_ENCAP_PER_PACKET &&
1196 wth->capture.ngsniffer->is_router &&
1197 (frame2->fs & 0x18) != 0)
1198 pkt_encap = WTAP_ENCAP_ISDN;
1200 pkt_encap = wth->file_encap;
1202 switch (pkt_encap) {
1204 case WTAP_ENCAP_PPP_WITH_PHDR:
1205 pseudo_header->p2p.sent = (frame2->fs & 0x80) ? TRUE : FALSE;
1208 case WTAP_ENCAP_LAPB:
1209 case WTAP_ENCAP_FRELAY:
1210 case WTAP_ENCAP_PER_PACKET:
1211 pseudo_header->x25.flags = (frame2->fs & 0x80) ? 0x00 : FROM_DCE;
1214 case WTAP_ENCAP_ISDN:
1215 pseudo_header->isdn.uton = (frame2->fs & 0x80) ? FALSE : TRUE;
1216 switch (frame2->fs & 0x18) {
1219 pseudo_header->isdn.channel = 0; /* D-channel */
1223 pseudo_header->isdn.channel = 1; /* B1-channel */
1227 pseudo_header->isdn.channel = 2; /* B1-channel */
1231 pseudo_header->isdn.channel = 30; /* XXX */
1238 static gboolean ngsniffer_read_frame4(wtap *wth, gboolean is_random,
1239 struct frame4_rec *frame4, int *err)
1243 /* Read the f_frame4_struct */
1244 bytes_read = ng_file_read(frame4, 1, sizeof *frame4, wth, is_random,
1246 if (bytes_read != sizeof *frame4) {
1248 *err = WTAP_ERR_SHORT_READ;
1254 static void set_pseudo_header_frame4(union wtap_pseudo_header *pseudo_header,
1255 struct frame4_rec *frame4)
1258 guint8 aal_type, hl_type;
1262 * Map flags from frame4.atm_info.StatusWord.
1264 pseudo_header->atm.flags = 0;
1265 StatusWord = pletohl(&frame4->atm_info.StatusWord);
1266 if (StatusWord & SW_RAW_CELL)
1267 pseudo_header->atm.flags |= ATM_RAW_CELL;
1269 aal_type = frame4->atm_info.AppTrafType & ATT_AALTYPE;
1270 hl_type = frame4->atm_info.AppTrafType & ATT_HLTYPE;
1271 vpi = pletohs(&frame4->atm_info.Vpi);
1272 vci = pletohs(&frame4->atm_info.Vci);
1276 case ATT_AAL_UNKNOWN:
1278 * Map ATT_AAL_UNKNOWN on VPI 0, VCI 5 to ATT_AAL_SIGNALLING,
1279 * as that's the VPCI used for signalling.
1281 * XXX - is this necessary, or will frames to 0/5 always
1282 * have ATT_AAL_SIGNALLING?
1284 if (vpi == 0 && vci == 5)
1285 pseudo_header->atm.aal = AAL_SIGNALLING;
1287 pseudo_header->atm.aal = AAL_UNKNOWN;
1288 pseudo_header->atm.type = TRAF_UNKNOWN;
1289 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1293 pseudo_header->atm.aal = AAL_1;
1294 pseudo_header->atm.type = TRAF_UNKNOWN;
1295 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1299 pseudo_header->atm.aal = AAL_3_4;
1300 pseudo_header->atm.type = TRAF_UNKNOWN;
1301 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1305 pseudo_header->atm.aal = AAL_5;
1308 case ATT_HL_UNKNOWN:
1309 pseudo_header->atm.type = TRAF_UNKNOWN;
1310 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1314 pseudo_header->atm.type = TRAF_LLCMX;
1315 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1319 pseudo_header->atm.type = TRAF_VCMX;
1320 switch (frame4->atm_info.AppHLType) {
1323 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1326 case AHLT_VCMX_802_3_FCS:
1327 pseudo_header->atm.subtype =
1328 TRAF_ST_VCMX_802_3_FCS;
1331 case AHLT_VCMX_802_4_FCS:
1332 pseudo_header->atm.subtype =
1333 TRAF_ST_VCMX_802_4_FCS;
1336 case AHLT_VCMX_802_5_FCS:
1337 pseudo_header->atm.subtype =
1338 TRAF_ST_VCMX_802_5_FCS;
1341 case AHLT_VCMX_FDDI_FCS:
1342 pseudo_header->atm.subtype =
1343 TRAF_ST_VCMX_FDDI_FCS;
1346 case AHLT_VCMX_802_6_FCS:
1347 pseudo_header->atm.subtype =
1348 TRAF_ST_VCMX_802_6_FCS;
1351 case AHLT_VCMX_802_3:
1352 pseudo_header->atm.subtype = TRAF_ST_VCMX_802_3;
1355 case AHLT_VCMX_802_4:
1356 pseudo_header->atm.subtype = TRAF_ST_VCMX_802_4;
1359 case AHLT_VCMX_802_5:
1360 pseudo_header->atm.subtype = TRAF_ST_VCMX_802_5;
1363 case AHLT_VCMX_FDDI:
1364 pseudo_header->atm.subtype = TRAF_ST_VCMX_FDDI;
1367 case AHLT_VCMX_802_6:
1368 pseudo_header->atm.subtype = TRAF_ST_VCMX_802_6;
1371 case AHLT_VCMX_FRAGMENTS:
1372 pseudo_header->atm.subtype =
1373 TRAF_ST_VCMX_FRAGMENTS;
1376 case AHLT_VCMX_BPDU:
1377 pseudo_header->atm.subtype = TRAF_ST_VCMX_BPDU;
1381 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1387 pseudo_header->atm.type = TRAF_LANE;
1388 switch (frame4->atm_info.AppHLType) {
1391 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1394 case AHLT_LANE_LE_CTRL:
1395 pseudo_header->atm.subtype =
1396 TRAF_ST_LANE_LE_CTRL;
1399 case AHLT_LANE_802_3:
1400 pseudo_header->atm.subtype = TRAF_ST_LANE_802_3;
1403 case AHLT_LANE_802_5:
1404 pseudo_header->atm.subtype = TRAF_ST_LANE_802_5;
1407 case AHLT_LANE_802_3_MC:
1408 pseudo_header->atm.subtype =
1409 TRAF_ST_LANE_802_3_MC;
1412 case AHLT_LANE_802_5_MC:
1413 pseudo_header->atm.subtype =
1414 TRAF_ST_LANE_802_5_MC;
1418 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1424 pseudo_header->atm.type = TRAF_ILMI;
1425 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1429 pseudo_header->atm.type = TRAF_FR;
1430 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1434 pseudo_header->atm.type = TRAF_SPANS;
1435 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1438 case ATT_HL_IPSILON:
1439 pseudo_header->atm.type = TRAF_IPSILON;
1440 switch (frame4->atm_info.AppHLType) {
1443 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1446 case AHLT_IPSILON_FT0:
1447 pseudo_header->atm.subtype =
1448 TRAF_ST_IPSILON_FT0;
1451 case AHLT_IPSILON_FT1:
1452 pseudo_header->atm.subtype =
1453 TRAF_ST_IPSILON_FT1;
1456 case AHLT_IPSILON_FT2:
1457 pseudo_header->atm.subtype =
1458 TRAF_ST_IPSILON_FT2;
1462 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1468 pseudo_header->atm.type = TRAF_UNKNOWN;
1469 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1475 pseudo_header->atm.aal = AAL_USER;
1476 pseudo_header->atm.type = TRAF_UNKNOWN;
1477 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1480 case ATT_AAL_SIGNALLING:
1481 pseudo_header->atm.aal = AAL_SIGNALLING;
1482 pseudo_header->atm.type = TRAF_UNKNOWN;
1483 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1487 pseudo_header->atm.aal = AAL_OAMCELL;
1488 pseudo_header->atm.type = TRAF_UNKNOWN;
1489 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1493 pseudo_header->atm.aal = AAL_UNKNOWN;
1494 pseudo_header->atm.type = TRAF_UNKNOWN;
1495 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1498 pseudo_header->atm.vpi = vpi;
1499 pseudo_header->atm.vci = vci;
1500 pseudo_header->atm.channel = pletohs(&frame4->atm_info.channel);
1501 pseudo_header->atm.cells = pletohs(&frame4->atm_info.cells);
1502 pseudo_header->atm.aal5t_u2u = pletohs(&frame4->atm_info.Trailer.aal5t_u2u);
1503 pseudo_header->atm.aal5t_len = pletohs(&frame4->atm_info.Trailer.aal5t_len);
1504 pseudo_header->atm.aal5t_chksum = pntohl(&frame4->atm_info.Trailer.aal5t_chksum);
1507 static gboolean ngsniffer_read_frame6(wtap *wth, gboolean is_random,
1508 struct frame6_rec *frame6, int *err)
1512 /* Read the f_frame6_struct */
1513 bytes_read = ng_file_read(frame6, 1, sizeof *frame6, wth, is_random,
1515 if (bytes_read != sizeof *frame6) {
1517 *err = WTAP_ERR_SHORT_READ;
1523 static void set_pseudo_header_frame6(
1524 union wtap_pseudo_header *pseudo_header _U_,
1525 struct frame6_rec *frame6 _U_)
1527 /* XXX - Once the frame format is divined, something will most likely go here */
1530 static gboolean ngsniffer_read_rec_data(wtap *wth, gboolean is_random,
1531 guchar *pd, int length, int *err)
1535 bytes_read = ng_file_read(pd, 1, length, wth, is_random, err);
1537 if (bytes_read != length) {
1539 *err = WTAP_ERR_SHORT_READ;
1546 * OK, this capture is from an "Internetwork analyzer", and we either
1547 * didn't see a type 7 record or it had a network type such as NET_HDLC
1548 * that doesn't tell us which *particular* HDLC derivative this is;
1549 * let's look at the first few bytes of the packet, a pointer to which
1550 * was passed to us as an argument, and see whether it looks like PPP,
1551 * Frame Relay, Wellfleet HDLC, Cisco HDLC, or LAPB - or, if it's none
1552 * of those, assume it's LAPD.
1554 * (XXX - are there any "Internetwork analyzer" captures that don't
1555 * have type 7 records? If so, is there some other field that will
1556 * tell us what type of capture it is?)
1558 static int infer_pkt_encap(const guint8 *pd, int len)
1562 * Nothing to infer, but it doesn't matter how you
1563 * dissect an empty packet. Let's just say PPP.
1565 return WTAP_ENCAP_PPP_WITH_PHDR;
1572 * PPP. (XXX - check for 0xFF 0x03?)
1574 return WTAP_ENCAP_PPP_WITH_PHDR;
1581 * XXX - in version 4 and 5 captures, wouldn't this just
1582 * have a capture subtype of NET_FRAME_RELAY? Or is this
1583 * here only to handle other versions of the capture
1584 * file, where we might just not yet have found where
1585 * the subtype is specified in the capture?
1587 return WTAP_ENCAP_FRELAY;
1591 if (pd[0] == 0x07 && pd[1] == 0x03) {
1595 return WTAP_ENCAP_WFLEET_HDLC;
1596 } else if ((pd[0] == 0x0F && pd[1] == 0x00) ||
1597 (pd[0] == 0x8F && pd[1] == 0x00)) {
1601 return WTAP_ENCAP_CHDLC;
1609 return WTAP_ENCAP_LAPB;
1613 * We report it as WTAP_ENCAP_ISDN.
1615 * XXX - is there something buried in the header to tell us
1616 * whether the capture was taken with an ISDN pod?
1618 * Or is this here just because some ISDN captures run
1619 * LAPB/X.25 over the B channel(s), so we check for
1620 * LAPB even in NET_ROUTER captures? If so, we should
1621 * perhaps move that heuristic up to the ISDN dissector,
1622 * so that we can infer LAPB traffic in *all* ISDN
1623 * captures, not just DOS Sniffer ISDN captures?
1625 return WTAP_ENCAP_ISDN;
1629 static int fix_pseudo_header(int encap, const guint8 *pd, int len,
1630 union wtap_pseudo_header *pseudo_header)
1634 case WTAP_ENCAP_PER_PACKET:
1636 * Infer the packet type from the first two bytes.
1638 encap = infer_pkt_encap(pd, len);
1641 * Fix up the pseudo-header to match the new
1642 * encapsulation type.
1646 case WTAP_ENCAP_WFLEET_HDLC:
1647 case WTAP_ENCAP_CHDLC:
1648 case WTAP_ENCAP_PPP_WITH_PHDR:
1649 if (pseudo_header->x25.flags == 0)
1650 pseudo_header->p2p.sent = TRUE;
1652 pseudo_header->p2p.sent = FALSE;
1655 case WTAP_ENCAP_ISDN:
1656 if (pseudo_header->x25.flags == 0x00)
1657 pseudo_header->isdn.uton = FALSE;
1659 pseudo_header->isdn.uton = TRUE;
1662 * XXX - this is currently a per-packet
1663 * encapsulation type, and we can't determine
1664 * whether a capture is an ISDN capture before
1665 * seeing any packets, and B-channel PPP packets
1666 * look like PPP packets and are given
1667 * WTAP_ENCAP_PPP_WITH_PHDR, not WTAP_ENCAP_ISDN,
1668 * so we assume this is a D-channel packet and
1669 * thus give it a channel number of 0.
1671 pseudo_header->isdn.channel = 0;
1676 case WTAP_ENCAP_ATM_PDUS:
1678 * If the Windows Sniffer writes out one of its ATM
1679 * capture files in DOS Sniffer format, it doesn't
1680 * distinguish between LE Control and LANE encapsulated
1681 * LAN frames, so we fix that up here.
1683 if (pseudo_header->atm.type == TRAF_LANE && len >= 2 &&
1684 pd[0] == 0xff && pd[1] == 0x00)
1685 pseudo_header->atm.subtype = TRAF_ST_LANE_LE_CTRL;
1691 /* Throw away the buffers used by the sequential I/O stream, but not
1692 those used by the random I/O stream. */
1693 static void ngsniffer_sequential_close(wtap *wth)
1695 if (wth->capture.ngsniffer->seq.buf != NULL) {
1696 g_free(wth->capture.ngsniffer->seq.buf);
1697 wth->capture.ngsniffer->seq.buf = NULL;
1701 static void free_blob(gpointer data, gpointer user_data _U_)
1706 /* Close stuff used by the random I/O stream, if any, and free up any
1707 private data structures. (If there's a "sequential_close" routine
1708 for a capture file type, it'll be called before the "close" routine
1709 is called, so we don't have to free the sequential buffer here.) */
1710 static void ngsniffer_close(wtap *wth)
1712 if (wth->capture.ngsniffer->rand.buf != NULL)
1713 g_free(wth->capture.ngsniffer->rand.buf);
1714 if (wth->capture.ngsniffer->first_blob != NULL) {
1715 g_list_foreach(wth->capture.ngsniffer->first_blob, free_blob, NULL);
1716 g_list_free(wth->capture.ngsniffer->first_blob);
1718 g_free(wth->capture.ngsniffer);
1721 static const int wtap_encap[] = {
1722 -1, /* WTAP_ENCAP_UNKNOWN -> unsupported */
1723 1, /* WTAP_ENCAP_ETHERNET */
1724 0, /* WTAP_ENCAP_TOKEN_RING */
1725 -1, /* WTAP_ENCAP_SLIP -> unsupported */
1726 7, /* WTAP_ENCAP_PPP -> Internetwork analyzer (synchronous) FIXME ! */
1727 9, /* WTAP_ENCAP_FDDI */
1728 9, /* WTAP_ENCAP_FDDI_BITSWAPPED */
1729 -1, /* WTAP_ENCAP_RAW_IP -> unsupported */
1730 2, /* WTAP_ENCAP_ARCNET */
1731 -1, /* WTAP_ENCAP_ATM_RFC1483 */
1732 -1, /* WTAP_ENCAP_LINUX_ATM_CLIP */
1733 7, /* WTAP_ENCAP_LAPB -> Internetwork analyzer (synchronous) */
1734 -1, /* WTAP_ENCAP_ATM_PDUS */
1735 -1, /* WTAP_ENCAP_NULL -> unsupported */
1736 -1, /* WTAP_ENCAP_ASCEND -> unsupported */
1737 -1, /* WTAP_ENCAP_ISDN -> unsupported */
1738 -1, /* WTAP_ENCAP_IP_OVER_FC -> unsupported */
1739 7, /* WTAP_ENCAP_PPP_WITH_PHDR -> Internetwork analyzer (synchronous) FIXME ! */
1741 #define NUM_WTAP_ENCAPS (sizeof wtap_encap / sizeof wtap_encap[0])
1743 /* Returns 0 if we could write the specified encapsulation type,
1744 an error indication otherwise. */
1745 int ngsniffer_dump_can_write_encap(int encap)
1747 /* Per-packet encapsulations aren't supported. */
1748 if (encap == WTAP_ENCAP_PER_PACKET)
1749 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
1751 if (encap < 0 || (unsigned)encap >= NUM_WTAP_ENCAPS || wtap_encap[encap] == -1)
1752 return WTAP_ERR_UNSUPPORTED_ENCAP;
1757 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
1759 gboolean ngsniffer_dump_open(wtap_dumper *wdh, gboolean cant_seek _U_, int *err)
1762 char buf[6] = {REC_VERS, 0x00, 0x12, 0x00, 0x00, 0x00}; /* version record */
1764 /* This is a sniffer file */
1765 wdh->subtype_write = ngsniffer_dump;
1766 wdh->subtype_close = ngsniffer_dump_close;
1768 wdh->dump.ngsniffer = g_malloc(sizeof(ngsniffer_dump_t));
1769 wdh->dump.ngsniffer->first_frame = TRUE;
1770 wdh->dump.ngsniffer->start = 0;
1772 /* Write the file header. */
1773 nwritten = fwrite(ngsniffer_magic, 1, sizeof ngsniffer_magic, wdh->fh);
1774 if (nwritten != sizeof ngsniffer_magic) {
1775 if (nwritten == 0 && ferror(wdh->fh))
1778 *err = WTAP_ERR_SHORT_WRITE;
1781 nwritten = fwrite(buf, 1, 6, wdh->fh);
1782 if (nwritten != 6) {
1783 if (nwritten == 0 && ferror(wdh->fh))
1786 *err = WTAP_ERR_SHORT_WRITE;
1793 /* Write a record for a packet to a dump file.
1794 Returns TRUE on success, FALSE on failure. */
1795 static gboolean ngsniffer_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
1796 const union wtap_pseudo_header *pseudo_header, const guchar *pd, int *err)
1798 ngsniffer_dump_t *priv = wdh->dump.ngsniffer;
1799 struct frame2_rec rec_hdr;
1803 guint16 t_low, t_med, t_high;
1804 struct vers_rec version;
1805 gint16 maj_vers, min_vers;
1809 /* Sniffer files have a capture start date in the file header, and
1810 have times relative to the beginning of that day in the packet
1811 headers; pick the date of the first packet as the capture start
1813 if (priv->first_frame) {
1814 priv->first_frame=FALSE;
1815 tm = localtime(&phdr->ts.tv_sec);
1817 start_date = (tm->tm_year - (1980 - 1900)) << 9;
1818 start_date |= (tm->tm_mon + 1) << 5;
1819 start_date |= tm->tm_mday;
1820 /* record the start date, not the start time */
1821 priv->start = phdr->ts.tv_sec - (3600*tm->tm_hour + 60*tm->tm_min + tm->tm_sec);
1827 /* "sniffer" version ? */
1830 version.maj_vers = htoles(maj_vers);
1831 version.min_vers = htoles(min_vers);
1833 version.date = htoles(start_date);
1835 version.network = wtap_encap[wdh->encap];
1837 version.timeunit = 1; /* 0.838096 */
1838 version.cmprs_vers = 0;
1839 version.cmprs_level = 0;
1840 version.rsvd[0] = 0;
1841 version.rsvd[1] = 0;
1842 nwritten = fwrite(&version, 1, sizeof version, wdh->fh);
1843 if (nwritten != sizeof version) {
1844 if (nwritten == 0 && ferror(wdh->fh))
1847 *err = WTAP_ERR_SHORT_WRITE;
1852 buf[0] = REC_FRAME2;
1854 buf[2] = (char)((phdr->caplen + sizeof(struct frame2_rec))%256);
1855 buf[3] = (char)((phdr->caplen + sizeof(struct frame2_rec))/256);
1858 nwritten = fwrite(buf, 1, 6, wdh->fh);
1859 if (nwritten != 6) {
1860 if (nwritten == 0 && ferror(wdh->fh))
1863 *err = WTAP_ERR_SHORT_WRITE;
1866 t = (double)phdr->ts.tv_sec + (double)phdr->ts.tv_usec/1.0e6; /* # of secs */
1867 t = (t - priv->start)*1.0e6 / Usec[1]; /* timeunit = 1 */
1868 t_low = (guint16)(t-(double)((guint32)(t/65536.0))*65536.0);
1869 t_med = (guint16)((guint32)(t/65536.0) % 65536);
1870 t_high = (guint16)(t/4294967296.0);
1871 rec_hdr.time_low = htoles(t_low);
1872 rec_hdr.time_med = htoles(t_med);
1873 rec_hdr.time_high = htoles(t_high);
1874 rec_hdr.size = htoles(phdr->caplen);
1875 if (wdh->encap == WTAP_ENCAP_LAPB || wdh->encap == WTAP_ENCAP_PPP_WITH_PHDR)
1876 rec_hdr.fs = (pseudo_header->x25.flags & FROM_DCE) ? 0x00 : 0x80;
1880 rec_hdr.true_size = phdr->len != phdr->caplen ? htoles(phdr->len) : 0;
1882 nwritten = fwrite(&rec_hdr, 1, sizeof rec_hdr, wdh->fh);
1883 if (nwritten != sizeof rec_hdr) {
1884 if (nwritten == 0 && ferror(wdh->fh))
1887 *err = WTAP_ERR_SHORT_WRITE;
1890 nwritten = fwrite(pd, 1, phdr->caplen, wdh->fh);
1891 if (nwritten != phdr->caplen) {
1892 if (nwritten == 0 && ferror(wdh->fh))
1895 *err = WTAP_ERR_SHORT_WRITE;
1901 /* Finish writing to a dump file.
1902 Returns TRUE on success, FALSE on failure. */
1903 static gboolean ngsniffer_dump_close(wtap_dumper *wdh, int *err)
1906 char buf[6] = {REC_EOF, 0x00, 0x00, 0x00, 0x00, 0x00};
1909 nwritten = fwrite(buf, 1, 6, wdh->fh);
1910 if (nwritten != 6) {
1912 if (nwritten == 0 && ferror(wdh->fh))
1915 *err = WTAP_ERR_SHORT_WRITE;
1923 SnifferDecompress() decompresses a blob of compressed data from a
1924 Sniffer(R) capture file.
1926 This function is Copyright (c) 1999-2999 Tim Farley
1929 inbuf - buffer of compressed bytes from file, not including
1930 the preceding length word
1931 inlen - length of inbuf in bytes
1932 outbuf - decompressed contents, could contain a partial Sniffer
1934 outlen - length of outbuf.
1936 Return value is the number of bytes in outbuf on return.
1939 SnifferDecompress( unsigned char * inbuf, size_t inlen,
1940 unsigned char * outbuf, size_t outlen, int *err )
1942 unsigned char * pin = inbuf;
1943 unsigned char * pout = outbuf;
1944 unsigned char * pin_end = pin + inlen;
1945 unsigned char * pout_end = pout + outlen;
1946 unsigned int bit_mask; /* one bit is set in this, to mask with bit_value */
1947 unsigned int bit_value = 0; /* cache the last 16 coding bits we retrieved */
1948 unsigned int code_type; /* encoding type, from high 4 bits of byte */
1949 unsigned int code_low; /* other 4 bits from encoding byte */
1950 int length; /* length of RLE sequence or repeated string */
1951 int offset; /* offset of string to repeat */
1953 bit_mask = 0; /* don't have any bits yet */
1956 /* Shift down the bit mask we use to see whats encoded */
1957 bit_mask = bit_mask >> 1;
1959 /* If there are no bits left, time to get another 16 bits */
1960 if ( 0 == bit_mask )
1962 bit_mask = 0x8000; /* start with the high bit */
1963 bit_value = pletohs(pin); /* get the next 16 bits */
1964 pin += 2; /* skip over what we just grabbed */
1965 if ( pin >= pin_end )
1967 *err = WTAP_ERR_UNC_TRUNCATED; /* data was oddly truncated */
1972 /* Use the bits in bit_value to see what's encoded and what is raw data */
1973 if ( !(bit_mask & bit_value) )
1975 /* bit not set - raw byte we just copy */
1976 *(pout++) = *(pin++);
1980 /* bit set - next item is encoded. Peel off high nybble
1981 of next byte to see the encoding type. Set aside low
1982 nybble while we are at it */
1983 code_type = (unsigned int) ((*pin) >> 4 ) & 0xF;
1984 code_low = (unsigned int) ((*pin) & 0xF );
1985 pin++; /* increment over the code byte we just retrieved */
1986 if ( pin >= pin_end )
1988 *err = WTAP_ERR_UNC_TRUNCATED; /* data was oddly truncated */
1992 /* Based on the code type, decode the compressed string */
1993 switch ( code_type )
1995 case 0 : /* RLE short runs */
1997 Run length is the low nybble of the first code byte.
1998 Byte to repeat immediately follows.
1999 Total code size: 2 bytes.
2001 length = code_low + 3;
2002 /* If length would put us past end of output, avoid overflow */
2003 if ( pout + length > pout_end )
2005 *err = WTAP_ERR_UNC_OVERFLOW;
2009 /* generate the repeated series of bytes */
2010 memset( pout, *pin++, length );
2013 case 1 : /* RLE long runs */
2015 Low 4 bits of run length is the low nybble of the
2016 first code byte, upper 8 bits of run length is in
2018 Byte to repeat immediately follows.
2019 Total code size: 3 bytes.
2021 length = code_low + ((unsigned int)(*pin++) << 4) + 19;
2022 /* If we are already at end of input, there is no byte
2024 if ( pin >= pin_end )
2026 *err = WTAP_ERR_UNC_TRUNCATED; /* data was oddly truncated */
2029 /* If length would put us past end of output, avoid overflow */
2030 if ( pout + length > pout_end )
2032 *err = WTAP_ERR_UNC_OVERFLOW;
2036 /* generate the repeated series of bytes */
2037 memset( pout, *pin++, length );
2040 case 2 : /* LZ77 long strings */
2042 Low 4 bits of offset to string is the low nybble of the
2043 first code byte, upper 8 bits of offset is in
2045 Length of string immediately follows.
2046 Total code size: 3 bytes.
2048 offset = code_low + ((unsigned int)(*pin++) << 4) + 3;
2049 /* If we are already at end of input, there is no byte
2051 if ( pin >= pin_end )
2053 *err = WTAP_ERR_UNC_TRUNCATED; /* data was oddly truncated */
2056 /* Check if offset would put us back past begin of buffer */
2057 if ( pout - offset < outbuf )
2059 *err = WTAP_ERR_UNC_BAD_OFFSET;
2063 /* get length from next byte, make sure it won't overrun buf */
2064 length = (unsigned int)(*pin++) + 16;
2065 if ( pout + length > pout_end )
2067 *err = WTAP_ERR_UNC_OVERFLOW;
2071 /* Copy the string from previous text to output position,
2072 advance output pointer */
2073 memcpy( pout, pout - offset, length );
2076 default : /* (3 to 15): LZ77 short strings */
2078 Low 4 bits of offset to string is the low nybble of the
2079 first code byte, upper 8 bits of offset is in
2081 Length of string to repeat is overloaded into code_type.
2082 Total code size: 2 bytes.
2084 offset = code_low + ((unsigned int)(*pin++) << 4) + 3;
2085 /* Check if offset would put us back past begin of buffer */
2086 if ( pout - offset < outbuf )
2088 *err = WTAP_ERR_UNC_BAD_OFFSET;
2092 /* get length from code_type, make sure it won't overrun buf */
2094 if ( pout + length > pout_end )
2096 *err = WTAP_ERR_UNC_OVERFLOW;
2100 /* Copy the string from previous text to output position,
2101 advance output pointer */
2102 memcpy( pout, pout - offset, length );
2108 /* If we've consumed all the input, we are done */
2109 if ( pin >= pin_end )
2113 return ( pout - outbuf ); /* return length of expanded text */
2117 * XXX - is there any guarantee that this is big enough to hold the
2118 * uncompressed data from any blob?
2120 #define OUTBUF_SIZE 65536
2122 /* Information about a compressed blob; we save the offset in the
2123 underlying compressed file, and the offset in the uncompressed data
2124 stream, of the blob. */
2126 long blob_comp_offset;
2127 long blob_uncomp_offset;
2131 ng_file_read(void *buffer, size_t elementsize, size_t numelements, wtap *wth,
2132 gboolean is_random, int *err)
2135 ngsniffer_comp_stream_t *comp_stream;
2136 int copybytes = elementsize * numelements; /* bytes left to be copied */
2137 int copied_bytes = 0; /* bytes already copied */
2138 unsigned char *outbuffer = buffer; /* where to write next decompressed data */
2144 infile = wth->random_fh;
2145 comp_stream = &wth->capture.ngsniffer->rand;
2148 comp_stream = &wth->capture.ngsniffer->seq;
2151 if (wth->file_type == WTAP_FILE_NGSNIFFER_UNCOMPRESSED) {
2152 errno = WTAP_ERR_CANT_READ;
2153 copied_bytes = file_read(buffer, 1, copybytes, infile);
2154 if (copied_bytes != copybytes)
2155 *err = file_error(infile);
2156 return copied_bytes;
2159 /* Allocate the stream buffer if it hasn't already been allocated. */
2160 if (comp_stream->buf == NULL) {
2161 comp_stream->buf = g_malloc(OUTBUF_SIZE);
2164 /* This is the first read of the random file, so we're at
2165 the beginning of the sequence of blobs in the file
2166 (as we've not done any random reads yet to move the
2167 current position in the random stream); set the
2168 current blob to be the first blob. */
2169 wth->capture.ngsniffer->current_blob =
2170 wth->capture.ngsniffer->first_blob;
2172 /* This is the first sequential read; if we also have a
2173 random stream open, allocate the first element for the
2174 list of blobs, and make it the last element as well. */
2175 if (wth->random_fh != NULL) {
2176 g_assert(wth->capture.ngsniffer->first_blob == NULL);
2177 blob = g_malloc(sizeof (blob_info_t));
2178 blob->blob_comp_offset = comp_stream->comp_offset;
2179 blob->blob_uncomp_offset = comp_stream->uncomp_offset;
2180 wth->capture.ngsniffer->first_blob =
2181 g_list_append(wth->capture.ngsniffer->first_blob, blob);
2182 wth->capture.ngsniffer->last_blob =
2183 wth->capture.ngsniffer->first_blob;
2187 /* Now read the first blob into the buffer. */
2188 if (read_blob(infile, comp_stream, err) < 0)
2191 while (copybytes > 0) {
2192 bytes_left = comp_stream->nbytes - comp_stream->nextout;
2193 if (bytes_left == 0) {
2194 /* There's no decompressed stuff left to copy from the current
2195 blob; get the next blob. */
2198 /* Move to the next blob in the list. */
2199 wth->capture.ngsniffer->current_blob =
2200 g_list_next(wth->capture.ngsniffer->current_blob);
2201 blob = wth->capture.ngsniffer->current_blob->data;
2203 /* If we also have a random stream open, add a new element,
2204 for this blob, to the list of blobs; we know the list is
2205 non-empty, as we initialized it on the first sequential
2206 read, so we just add the new element at the end, and
2207 adjust the pointer to the last element to refer to it. */
2208 if (wth->random_fh != NULL) {
2209 blob = g_malloc(sizeof (blob_info_t));
2210 blob->blob_comp_offset = comp_stream->comp_offset;
2211 blob->blob_uncomp_offset = comp_stream->uncomp_offset;
2212 wth->capture.ngsniffer->last_blob =
2213 g_list_append(wth->capture.ngsniffer->last_blob, blob);
2217 if (read_blob(infile, comp_stream, err) < 0)
2219 bytes_left = comp_stream->nbytes - comp_stream->nextout;
2222 bytes_to_copy = copybytes;
2223 if (bytes_to_copy > bytes_left)
2224 bytes_to_copy = bytes_left;
2225 memcpy(outbuffer, &comp_stream->buf[comp_stream->nextout],
2227 copybytes -= bytes_to_copy;
2228 copied_bytes += bytes_to_copy;
2229 outbuffer += bytes_to_copy;
2230 comp_stream->nextout += bytes_to_copy;
2231 comp_stream->uncomp_offset += bytes_to_copy;
2233 return copied_bytes;
2236 /* Read a blob from a compressed stream.
2237 Return -1 and set "*err" on error, otherwise return 0. */
2239 read_blob(FILE_T infile, ngsniffer_comp_stream_t *comp_stream, int *err)
2243 unsigned short blob_len;
2244 gint16 blob_len_host;
2245 gboolean uncompressed;
2246 unsigned char file_inbuf[65536];
2249 /* Read one 16-bit word which is length of next compressed blob */
2250 errno = WTAP_ERR_CANT_READ;
2251 read_len = file_read(&blob_len, 1, 2, infile);
2252 if (2 != read_len) {
2253 *err = file_error(infile);
2256 comp_stream->comp_offset += 2;
2257 blob_len_host = pletohs(&blob_len);
2259 /* Compressed or uncompressed? */
2260 if (blob_len_host < 0) {
2261 /* Uncompressed blob; blob length is absolute value of the number. */
2262 in_len = -blob_len_host;
2263 uncompressed = TRUE;
2265 in_len = blob_len_host;
2266 uncompressed = FALSE;
2270 errno = WTAP_ERR_CANT_READ;
2271 read_len = file_read(file_inbuf, 1, in_len, infile);
2272 if (in_len != read_len) {
2273 *err = file_error(infile);
2276 comp_stream->comp_offset += in_len;
2279 memcpy(comp_stream->buf, file_inbuf, in_len);
2282 /* Decompress the blob */
2283 out_len = SnifferDecompress(file_inbuf, in_len,
2284 comp_stream->buf, OUTBUF_SIZE, err);
2288 comp_stream->nextout = 0;
2289 comp_stream->nbytes = out_len;
2293 /* Seek in the sequential data stream; we can only seek forward, and we
2294 do it on compressed files by skipping forward. */
2296 ng_file_seek_seq(wtap *wth, long offset, int whence, int *err)
2300 long amount_to_read;
2302 if (wth->file_type == WTAP_FILE_NGSNIFFER_UNCOMPRESSED)
2303 return file_seek(wth->fh, offset, whence, err);
2308 break; /* "offset" is the target offset */
2311 offset += wth->capture.ngsniffer->seq.uncomp_offset;
2312 break; /* "offset" is relative to the current offset */
2315 g_assert_not_reached(); /* "offset" is relative to the end of the file... */
2316 break; /* ...but we don't know where that is. */
2319 delta = offset - wth->capture.ngsniffer->seq.uncomp_offset;
2320 g_assert(delta >= 0);
2322 /* Ok, now read and discard "delta" bytes. */
2323 while (delta != 0) {
2324 amount_to_read = delta;
2325 if ((unsigned long)amount_to_read > sizeof buf)
2326 amount_to_read = sizeof buf;
2327 if (ng_file_read(buf, 1, amount_to_read, wth, FALSE, err) < 0)
2328 return -1; /* error */
2329 delta -= amount_to_read;
2334 /* Seek in the random data stream.
2336 On compressed files, we see whether we're seeking to a position within
2337 the blob we currently have in memory and, if not, we find in the list
2338 of blobs the last blob that starts at or before the position to which
2339 we're seeking, and read that blob in. We can then move to the appropriate
2340 position within the blob we have in memory (whether it's the blob we
2341 already had in memory or, if necessary, the one we read in). */
2343 ng_file_seek_rand(wtap *wth, long offset, int whence, int *err)
2345 ngsniffer_t *ngsniffer;
2348 blob_info_t *next_blob, *new_blob;
2350 if (wth->file_type == WTAP_FILE_NGSNIFFER_UNCOMPRESSED)
2351 return file_seek(wth->random_fh, offset, whence, err);
2353 ngsniffer = wth->capture.ngsniffer;
2358 break; /* "offset" is the target offset */
2361 offset += ngsniffer->rand.uncomp_offset;
2362 break; /* "offset" is relative to the current offset */
2365 g_assert_not_reached(); /* "offset" is relative to the end of the file... */
2366 break; /* ...but we don't know where that is. */
2369 delta = offset - ngsniffer->rand.uncomp_offset;
2371 /* Is the place to which we're seeking within the current buffer, or
2372 will we have to read a different blob into the buffer? */
2375 /* We're going forwards.
2376 Is the place to which we're seeking within the current buffer? */
2377 if ((size_t)(ngsniffer->rand.nextout + delta) >= ngsniffer->rand.nbytes) {
2378 /* No. Search for a blob that contains the target offset in
2379 the uncompressed byte stream, starting with the blob
2380 following the current blob. */
2381 new = g_list_next(ngsniffer->current_blob);
2383 next = g_list_next(new);
2385 /* No more blobs; the current one is it. */
2389 next_blob = next->data;
2390 /* Does the next blob start after the target offset?
2391 If so, the current blob is the one we want. */
2392 if (next_blob->blob_uncomp_offset > offset)
2398 } else if (delta < 0) {
2399 /* We're going backwards.
2400 Is the place to which we're seeking within the current buffer? */
2401 if (ngsniffer->rand.nextout + delta < 0) {
2402 /* No. Search for a blob that contains the target offset in
2403 the uncompressed byte stream, starting with the blob
2404 preceding the current blob. */
2405 new = g_list_previous(ngsniffer->current_blob);
2407 /* Does this blob start at or before the target offset?
2408 If so, the current blob is the one we want. */
2409 new_blob = new->data;
2410 if (new_blob->blob_uncomp_offset <= offset)
2413 /* It doesn't - skip to the previous blob. */
2414 new = g_list_previous(new);
2420 /* The place to which we're seeking isn't in the current buffer;
2421 move to a new blob. */
2422 new_blob = new->data;
2424 /* Seek in the compressed file to the offset in the compressed file
2425 of the beginning of that blob. */
2426 if (file_seek(wth->random_fh, new_blob->blob_comp_offset, SEEK_SET, err) == -1)
2429 /* Make the blob we found the current one. */
2430 ngsniffer->current_blob = new;
2432 /* Now set the current offsets to the offsets of the beginning
2434 ngsniffer->rand.uncomp_offset = new_blob->blob_uncomp_offset;
2435 ngsniffer->rand.comp_offset = new_blob->blob_comp_offset;
2437 /* Now fill the buffer. */
2438 if (read_blob(wth->random_fh, &ngsniffer->rand, err) < 0)
2441 /* Set "delta" to the amount to move within this blob; it had
2442 better be >= 0, and < the amount of uncompressed data in
2443 the blob, as otherwise it'd mean we need to seek before
2444 the beginning or after the end of this blob. */
2445 delta = offset - ngsniffer->rand.uncomp_offset;
2446 g_assert(delta >= 0 && (unsigned long)delta < ngsniffer->rand.nbytes);
2449 /* OK, the place to which we're seeking is in the buffer; adjust
2450 "ngsniffer->rand.nextout" to point to the place to which
2451 we're seeking, and adjust "ngsniffer->rand.uncomp_offset" to be
2452 the destination offset. */
2453 ngsniffer->rand.nextout += delta;
2454 ngsniffer->rand.uncomp_offset += delta;