/* netxray.c
*
- * $Id: netxray.c,v 1.63 2003/01/03 02:24:56 guy Exp $
+ * $Id$
*
* Wiretap Library
* Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
#include "file_wrappers.h"
#include "netxray.h"
#include "buffer.h"
+#include "atm.h"
/* Capture file header, *including* magic number, is padded to 128 bytes. */
#define CAPTUREFILE_HEADER_SIZE 128
guint32 start_offset; /* offset of first packet in capture */
guint32 end_offset; /* offset after last packet in capture */
guint32 xxy[3]; /* unknown */
- guint16 network; /* datalink type */
- guint8 xxz[2]; /* XXX - is this the upper 2 bytes of the datalink type? */
+ guint8 network; /* datalink type */
+ guint8 xxz[3]; /* XXX - is this the upper 3 bytes of the datalink type? */
guint8 timeunit; /* encodes length of a tick */
guint8 xxa[3]; /* XXX - is this the upper 3 bytes of the time units? */
guint32 timelo; /* lower 32 bits of time stamp of capture start */
guint32 timehi; /* upper 32 bits of time stamp of capture start */
guint32 linespeed; /* speed of network, in bits/second */
- guint32 xxb[16]; /* other stuff */
+ guint8 xxb[12]; /* other stuff */
+ guint8 realtick[4]; /* in version 2, units of the timestamps */
+ guint8 xxc[48]; /* other unknown stuff */
};
/*
- * # of ticks that equal 1 second
+ * Capture type, in xxc[4].
+ *
+ * XXX - S6040-model Sniffers with gigabit blades store 6 here for
+ * Etherneet captures, and some other Ethernet captures had a capture
+ * type of 3, so presumably the interpretation of the capture type
+ * depends on the network type. We prefix all the capture types
+ * for WAN captures with WAN_.
+ */
+#define CAPTYPE_NDIS 0 /* Capture on network interface using NDIS */
+
+/*
+ * Ethernet capture types.
+ */
+#define ETH_CAPTYPE_GIGPOD 2 /* gigabit Ethernet captured with pod */
+#define ETH_CAPTYPE_OTHERPOD 3 /* non-gigabit Ethernet captured with pod */
+#define ETH_CAPTYPE_GIGPOD2 6 /* gigabit Ethernet captured with pod */
+
+/*
+ * WAN capture types.
*/
-static double TpS[] = { 1e6, 1193000.0, 1193180.0 };
+#define WAN_CAPTYPE_BROUTER 1 /* Bridge/router captured with pod */
+#define WAN_CAPTYPE_PPP 3 /* PPP captured with pod */
+#define WAN_CAPTYPE_FRELAY 4 /* Frame Relay captured with pod */
+#define WAN_CAPTYPE_BROUTER2 5 /* Bridge/router captured with pod */
+#define WAN_CAPTYPE_HDLC 6 /* HDLC (X.25, ISDN) captured with pod */
+#define WAN_CAPTYPE_SDLC 7 /* SDLC captured with pod */
+#define WAN_CAPTYPE_HDLC2 8 /* HDLC captured with pod */
+#define WAN_CAPTYPE_BROUTER3 9 /* Bridge/router captured with pod */
+#define WAN_CAPTYPE_SMDS 10 /* SMDS DXI */
+#define WAN_CAPTYPE_BROUTER4 11 /* Bridge/router captured with pod */
+#define WAN_CAPTYPE_BROUTER5 12 /* Bridge/router captured with pod */
+
+#define CAPTYPE_ATM 15 /* ATM captured with pod */
+
+/*
+ * # of ticks that equal 1 second, in version 002.xxx files with a zero
+ * hdr.realtick value; the index into this array is hdr.timeunit.
+ *
+ * XXX - the third item was 1193180.0, presumably because somebody found
+ * it gave the right answer for some captures, but 3 times that, i.e.
+ * 3579540.0, appears to give the right answer for some other captures.
+ * In at least some captures, 3579540.0 is what's in the hdr.realtick
+ * field, but hdr.timeunit is 0, giving a TpS value of 1000000.0.
+ *
+ * Which of 1193180.0 or 1193000.0 is right for captures with no
+ * hdr.realtick value (i.e., hdr.realtick is 0) and a hdr.timeunit value
+ * of 1? In at least one ATM capture, hdr.realtick is 1193180.0
+ * and hdr.timeunit is 0. However, in at least one Ethernet capture,
+ * hdr.realtick is 1193000.0 and hdr.timeunit is 1, so both of those
+ * values appear in hdr.realtick; perhaps whatever capture provoked
+ * us to change from 1193180.0 to 1193000.0 has a hdr.realtick value
+ * of 1193000.0 - or vice versa.
+ *
+ * XXX - what's the significance of hdr.timeunit if hdr.realticks is
+ * non-zero? It's different in different captures; does it signify
+ * anything?
+ *
+ * XXX - what's the range of hdr.timeunit in files with hdr.realticks
+ * 0? Does it ever have a value of 2 in any of those captures, or is
+ * it either 0 or 1?
+ */
+static double TpS[] = { 1e6, 1193000.0, 3579540.0 };
#define NUM_NETXRAY_TIMEUNITS (sizeof TpS / sizeof TpS[0])
/* Version number strings. */
'0', '0', '2', '.', '0', '0', '2', '\0'
};
+static const char vers_2_003[] = {
+ '0', '0', '2', '.', '0', '0', '3', '\0'
+};
+
/* Old NetXRay data record format - followed by frame data. */
struct old_netxrayrec_hdr {
guint32 timelo; /* lower 32 bits of time stamp */
guint32 timehi; /* upper 32 bits of time stamp */
guint16 orig_len; /* packet length */
guint16 incl_len; /* capture length */
- guint8 xxx[28]; /* unknown */
- /* For 802.11 captures, "xxx" data appears to include:
- the channel, in xxx[12];
- the data rate, in .5 Mb/s units, in xxx[13];
- the signal level, as a percentage, in xxx[14];
- 0xff, in xxx[15]. */
+ guint8 xxx[28]; /* various data */
};
/*
struct netxrayrec_2_x_hdr hdr_2_x;
};
-static gboolean netxray_read(wtap *wth, int *err, long *data_offset);
+static gboolean netxray_read(wtap *wth, int *err, gchar **err_info,
+ long *data_offset);
static gboolean netxray_seek_read(wtap *wth, long seek_off,
- union wtap_pseudo_header *pseudo_header, guchar *pd, int length, int *err);
+ union wtap_pseudo_header *pseudo_header, guchar *pd, int length,
+ int *err, gchar **err_info);
static int netxray_read_rec_header(wtap *wth, FILE_T fh,
union netxrayrec_hdr *hdr, int *err);
-static void netxray_set_pseudo_header(wtap *wth,
+static guint netxray_set_pseudo_header(wtap *wth, const guint8 *pd, int len,
union wtap_pseudo_header *pseudo_header, union netxrayrec_hdr *hdr);
static gboolean netxray_read_rec_data(FILE_T fh, guint8 *data_ptr,
guint32 packet_size, int *err);
const union wtap_pseudo_header *pseudo_header, const guchar *pd, int *err);
static gboolean netxray_dump_close_2_0(wtap_dumper *wdh, int *err);
-int netxray_open(wtap *wth, int *err)
+int netxray_open(wtap *wth, int *err, gchar **err_info)
{
int bytes_read;
char magic[sizeof netxray_magic];
gboolean is_old;
struct netxray_hdr hdr;
+ guint network_type;
double timeunit;
- int version_major;
+ int version_major, version_minor;
int file_type;
- double t;
+ double start_timestamp;
static const int netxray_encap[] = {
+ WTAP_ENCAP_UNKNOWN,
WTAP_ENCAP_ETHERNET,
WTAP_ENCAP_TOKEN_RING,
WTAP_ENCAP_FDDI_BITSWAPPED,
/*
- * XXX - PPP captures may look like Ethernet, perhaps
- * because they're using NDIS to capture on the
+ * XXX - some PPP captures may look like Ethernet,
+ * perhaps because they're using NDIS to capture on the
* same machine and it provides simulated-Ethernet
- * packets, but at least one ISDN capture uses the
- * same network type value but isn't shaped like
- * Ethernet.
+ * packets, but captures taken with various serial
+ * pods use the same network type value but aren't
+ * shaped like Ethernet. We handle that below.
*/
WTAP_ENCAP_ETHERNET, /* WAN(PPP), but shaped like Ethernet */
WTAP_ENCAP_UNKNOWN, /* LocalTalk */
WTAP_ENCAP_UNKNOWN, /* "DIX" - should not occur */
WTAP_ENCAP_UNKNOWN, /* ARCNET raw */
WTAP_ENCAP_UNKNOWN, /* ARCNET 878.2 */
- /*
- * XXX - not all ATM captures have LLC-encapsulated frames
- * in them; there's probably something hidden in the
- * per-packet header giving the traffic type.
- */
- WTAP_ENCAP_ATM_RFC1483, /* ATM */
+ WTAP_ENCAP_ATM_PDUS_UNTRUNCATED, /* ATM */
WTAP_ENCAP_IEEE_802_11_WITH_RADIO,
/* Wireless WAN with radio information */
WTAP_ENCAP_UNKNOWN /* IrDA */
};
#define NUM_NETXRAY_ENCAPS (sizeof netxray_encap / sizeof netxray_encap[0])
+ int file_encap;
+ guint isdn_type = 0;
/* Read in the string that should be at the start of a NetXRay
* file */
wth->data_offset += sizeof hdr;
if (is_old) {
- timeunit = 1000.0;
version_major = 0;
+ version_minor = 0;
file_type = WTAP_FILE_NETXRAY_OLD;
} else {
/* It appears that version 1.1 files (as produced by Windows
* It also appears that version 2.00x files have per-packet
* headers with some extra fields. */
if (memcmp(hdr.version, vers_1_0, sizeof vers_1_0) == 0) {
- timeunit = 1000.0;
version_major = 1;
+ version_minor = 0;
file_type = WTAP_FILE_NETXRAY_1_0;
} else if (memcmp(hdr.version, vers_1_1, sizeof vers_1_1) == 0) {
- timeunit = 1000000.0;
version_major = 1;
+ version_minor = 1;
file_type = WTAP_FILE_NETXRAY_1_1;
- } else if (memcmp(hdr.version, vers_2_000, sizeof vers_2_000) == 0
- || memcmp(hdr.version, vers_2_001, sizeof vers_2_001) == 0
- || memcmp(hdr.version, vers_2_002, sizeof vers_2_002) == 0) {
- if (hdr.timeunit > NUM_NETXRAY_TIMEUNITS) {
- g_message("netxray: Unknown timeunit %u",
- hdr.timeunit);
- *err = WTAP_ERR_UNSUPPORTED;
- return -1;
- }
- timeunit = TpS[hdr.timeunit];
+ } else if (memcmp(hdr.version, vers_2_000, sizeof vers_2_000) == 0) {
+ version_major = 2;
+ version_minor = 0;
+ file_type = WTAP_FILE_NETXRAY_2_00x;
+ } else if (memcmp(hdr.version, vers_2_001, sizeof vers_2_001) == 0) {
version_major = 2;
+ version_minor = 1;
+ file_type = WTAP_FILE_NETXRAY_2_00x;
+ } else if (memcmp(hdr.version, vers_2_002, sizeof vers_2_002) == 0) {
+ version_major = 2;
+ version_minor = 2;
+ file_type = WTAP_FILE_NETXRAY_2_00x;
+ } else if (memcmp(hdr.version, vers_2_003, sizeof vers_2_003) == 0) {
+ version_major = 2;
+ version_minor = 3;
file_type = WTAP_FILE_NETXRAY_2_00x;
} else {
- g_message("netxray: version \"%.8s\" unsupported", hdr.version);
*err = WTAP_ERR_UNSUPPORTED;
+ *err_info = g_strdup_printf("netxray: version \"%.8s\" unsupported", hdr.version);
return -1;
}
}
- hdr.network = pletohs(&hdr.network);
- if (hdr.network >= NUM_NETXRAY_ENCAPS
- || netxray_encap[hdr.network] == WTAP_ENCAP_UNKNOWN) {
- g_message("netxray: network type %u unknown or unsupported",
- hdr.network);
+ switch (hdr.xxz[0]) {
+
+ case 0:
+ /*
+ * The byte after hdr.network is usually 0, in which case
+ * the hdr.network byte is an NDIS network type value - 1.
+ */
+ network_type = hdr.network + 1;
+ break;
+
+ case 2:
+ /*
+ * However, in some Ethernet captures, it's 2, and the
+ * hdr.network byte is 1 rather than 0. We assume
+ * that if there's a byte after hdr.network with the value
+ * 2, the hdr.network byte is an NDIS network type, rather
+ * than an NDIS network type - 1.
+ */
+ network_type = hdr.network;
+ break;
+
+ default:
+ *err = WTAP_ERR_UNSUPPORTED;
+ *err_info = g_strdup_printf("netxray: the byte after the network type has the value %u, which I don't understand",
+ hdr.xxz[0]);
+ return -1;
+ }
+
+ if (network_type >= NUM_NETXRAY_ENCAPS
+ || netxray_encap[network_type] == WTAP_ENCAP_UNKNOWN) {
*err = WTAP_ERR_UNSUPPORTED_ENCAP;
+ *err_info = g_strdup_printf("netxray: network type %u (%u) unknown or unsupported",
+ network_type, hdr.xxz[0]);
return -1;
}
- /* This is a netxray file */
- wth->file_type = file_type;
- wth->capture.netxray = g_malloc(sizeof(netxray_t));
- wth->subtype_read = netxray_read;
- wth->subtype_seek_read = netxray_seek_read;
- wth->subtype_close = netxray_close;
- if (hdr.network == 3) {
+ /*
+ * Figure out the time stamp units and start time stamp.
+ */
+ start_timestamp = (double)pletohl(&hdr.timelo)
+ + (double)pletohl(&hdr.timehi)*4294967296.0;
+ switch (file_type) {
+
+ case WTAP_FILE_NETXRAY_OLD:
+ timeunit = 1000.0;
+ break;
+
+ case WTAP_FILE_NETXRAY_1_0:
+ timeunit = 1000.0;
+ break;
+
+ case WTAP_FILE_NETXRAY_1_1:
+ /*
+ * In version 1.1 files (as produced by Windows Sniffer
+ * Pro 2.0.01), the time stamp is in microseconds,
+ * rather than the milliseconds time stamps in NetXRay
+ * and older versions of Windows Sniffer.
+ */
+ timeunit = 1000000.0;
+ break;
+
+ case WTAP_FILE_NETXRAY_2_00x:
+ /*
+ * In version 2.x files, there appears to be a time stamp
+ * value in the file header for at least some captures.
+ * In others, the time stamp value is 0; if that's the case,
+ * use the hdr.timeunit value.
+ */
+ timeunit = pletohl(&hdr.realtick);
+ if (timeunit == 0) {
+ if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS) {
+ *err = WTAP_ERR_UNSUPPORTED;
+ *err_info = g_strdup_printf("netxray: Unknown timeunit %u",
+ hdr.timeunit);
+ return -1;
+ }
+ timeunit = TpS[hdr.timeunit];
+ }
+
+ /*
+ * For gigabit pod captures, the start timestamp appears
+ * to be 0.
+ *
+ * XXX - is that true for other types of captures, such
+ * as gigabit pod captures with hdr.xxc[4] = 6, or
+ * for other pod captures? Is it true for *all* pod
+ * captures?
+ */
+ if (network_type == 1 && hdr.xxc[4] == ETH_CAPTYPE_GIGPOD &&
+ (version_minor == 2 || version_minor == 3))
+ start_timestamp = 0.0;
+ break;
+
+ default:
+ g_assert_not_reached();
+ timeunit = 0.0;
+ }
+ start_timestamp = start_timestamp/timeunit;
+
+ if (network_type == 4) {
/*
* In version 0 and 1, we assume, for now, that all
* WAN captures have frames that look like Ethernet
* frames (as a result, presumably, of having passed
* through NDISWAN).
*
- * In version 2, there's probably something in the "xxb"
+ * In version 2, it looks as if there's stuff in the "xxc"
* words of the file header to specify what particular
- * type of WAN capture we have; however, the only version
- * 2 WAN captures we've seen are ISDN captures, so we
- * assume they're ISDN, for now.
+ * type of WAN capture we have.
*/
- if (version_major == 2)
- wth->file_encap = WTAP_ENCAP_ISDN;
- else
- wth->file_encap = WTAP_ENCAP_ETHERNET;
+ if (version_major == 2) {
+ switch (hdr.xxc[4]) {
+
+ case WAN_CAPTYPE_PPP:
+ /*
+ * PPP.
+ */
+ file_encap = WTAP_ENCAP_PPP_WITH_PHDR;
+ break;
+
+ case WAN_CAPTYPE_FRELAY:
+ /*
+ * Frame Relay.
+ *
+ * XXX - in at least one capture, this
+ * is Cisco HDLC, not Frame Relay, but
+ * in another capture, it's Frame Relay.
+ *
+ * In the Cisco HDLC capture, hdr.xxc[22:26]
+ * is 0x02 0x00 0x01 0x00 0x06, but it's
+ * 0x00 0x00 0x00 0x00 0x00 in the Frame
+ * Relay capture. Also, hdr.xxc[30:31]
+ * is 0xff 0xff in the Cisco HDLC capture
+ * and 0x00 0x00 in the Frame Relay capture,
+ * and hdr.xxc[46:47] is 0xff 0xff in the
+ * Cisco HDLC capture and 0x05 0x00 in the
+ * Frame Relay capture.
+ */
+ file_encap = WTAP_ENCAP_FRELAY_WITH_PHDR;
+ break;
+
+ case WAN_CAPTYPE_HDLC:
+ case WAN_CAPTYPE_HDLC2:
+ /*
+ * Various HDLC flavors?
+ */
+ switch (hdr.xxc[12]) {
+
+ case 0: /* LAPB/X.25 */
+ file_encap = WTAP_ENCAP_LAPB;
+ break;
+
+ case 1: /* E1 PRI */
+ case 2: /* T1 PRI */
+ case 3: /* BRI */
+ file_encap = WTAP_ENCAP_ISDN;
+ isdn_type = hdr.xxc[12];
+ break;
+
+ default:
+ *err = WTAP_ERR_UNSUPPORTED_ENCAP;
+ *err_info = g_strdup_printf("netxray: WAN HDLC capture subsubtype 0x%02x unknown or unsupported",
+ hdr.xxc[12]);
+ return -1;
+ }
+ break;
+
+ case WAN_CAPTYPE_SDLC:
+ /*
+ * SDLC.
+ */
+ file_encap = WTAP_ENCAP_SDLC;
+ break;
+
+ default:
+ *err = WTAP_ERR_UNSUPPORTED_ENCAP;
+ *err_info = g_strdup_printf("netxray: WAN capture subtype 0x%02x unknown or unsupported",
+ hdr.xxc[4]);
+ return -1;
+ }
+ } else
+ file_encap = WTAP_ENCAP_ETHERNET;
} else
- wth->file_encap = netxray_encap[hdr.network];
+ file_encap = netxray_encap[network_type];
+
+ /* This is a netxray file */
+ wth->file_type = file_type;
+ wth->capture.netxray = g_malloc(sizeof(netxray_t));
+ wth->subtype_read = netxray_read;
+ wth->subtype_seek_read = netxray_seek_read;
+ wth->subtype_close = netxray_close;
+ wth->file_encap = file_encap;
wth->snapshot_length = 0; /* not available in header */
wth->capture.netxray->start_time = pletohl(&hdr.start_time);
wth->capture.netxray->timeunit = timeunit;
- t = (double)pletohl(&hdr.timelo)
- + (double)pletohl(&hdr.timehi)*4294967296.0;
- t = t/timeunit;
- wth->capture.netxray->start_timestamp = t;
+ wth->capture.netxray->start_timestamp = start_timestamp;
wth->capture.netxray->version_major = version_major;
/*
- * End-of-packet padding. 802.11 captures appear to have four
- * bytes of it.
- *
- * We've seen what appears to be an FCS at the end of some frames
- * in some Ethernet captures, but this stuff appears to be just
- * padding - Sniffers don't show it, and it doesn't have values
- * that look like FCS values.
+ * If frames have an extra 4 bytes of stuff at the end, is
+ * it an FCS, or just junk?
*/
- wth->capture.netxray->padding = 0;
- if (netxray_encap[hdr.network] == WTAP_ENCAP_IEEE_802_11_WITH_RADIO) {
- wth->capture.netxray->padding = 4;
+ wth->capture.netxray->fcs_valid = FALSE;
+ switch (file_encap) {
+
+ case WTAP_ENCAP_ETHERNET:
+ case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
+ case WTAP_ENCAP_ISDN:
+ /*
+ * It appears that, in at least some version 2 Ethernet
+ * captures, for frames that have 0xff in hdr_2_x.xxx[2]
+ * and hdr_2_x.xxx[3] in the per-packet header:
+ *
+ * if, in the file header, hdr.realtick[1] is 0x34
+ * and hdr.realtick[2] is 0x12, the frames have an
+ * FCS at the end;
+ *
+ * otherwise, they have 4 bytes of junk at the end.
+ *
+ * Yes, it's strange that you have to check the *middle*
+ * of the time stamp field; you can't check for any
+ * particular value of the time stamp field.
+ *
+ * For now, we assume that to be true for 802.11 captures
+ * as well; it appears to be the case for at least one
+ * such capture - the file doesn't have 0x34 and 0x12,
+ * and the 4 bytes at the end of the frames with 0xff
+ * are junk, not an FCS.
+ *
+ * For ISDN captures, it appears, at least in some
+ * captures, to be similar, although I haven't yet
+ * checked whether it's a valid FCS.
+ *
+ * XXX - should we do this for all encapsulation types?
+ *
+ * XXX - is there some other field that *really* indicates
+ * whether we have an FCS or not? The check of the time
+ * stamp is bizarre, as we're checking the middle.
+ * Perhaps hdr.realtick[0] is 0x00, in which case time
+ * stamp units in the range 1192960 through 1193215
+ * correspond to captures with an FCS, but that's still
+ * a bit bizarre.
+ *
+ * Note that there are captures with a network type of 0
+ * (Ethernet) and capture type of 0 (NDIS) that do, and
+ * that don't, have 0x34 0x12 in them, and at least one
+ * of the NDIS captures with 0x34 0x12 in it has FCSes,
+ * so it's not as if no NDIS captures have an FCS.
+ *
+ * There are also captures with a network type of 4 (WAN),
+ * capture type of 6 (HDLC), and subtype of 2 (T1 PRI) that
+ * do, and that don't, have 0x34 0x12, so there are at least
+ * some captures taken with a WAN pod that might lack an FCS.
+ * (We haven't yet tried dissecting the 4 bytes at the
+ * end of packets with hdr_2_x.xxx[2] and hdr_2_x.xxx[3]
+ * equal to 0xff as an FCS.)
+ *
+ * All captures I've seen that have 0x34 and 0x12 *and*
+ * have at least one frame with an FCS have a value of
+ * 0x01 in xxb[4]. No captures I've seen with a network
+ * type of 0 (Ethernet) missing 0x34 0x12 have 0x01 there,
+ * however. However, there's at least one capture
+ * without 0x34 and 0x12, with a network type of 0,
+ * and with 0x01 in xxb[4], *without* FCSes in the
+ * frames - the 4 bytes at the end are all zero - so it's
+ * not as simple as "xxb[4] = 0x01 means the 4 bytes at
+ * the end are FCSes". Also, there's also at least one
+ * 802.11 capture with an xxb[4] value of 0x01 with junk
+ * rather than an FCS at the end of the frame, so xxb[4]
+ * isn't an obvious flag to determine whether the
+ * capture has FCSes.
+ *
+ * There don't seem to be any other values in xxb or xxc
+ * that obviously correspond to frames having an FCS.
+ */
+ if (version_major == 2) {
+ if (hdr.realtick[1] == 0x34 && hdr.realtick[2] == 0x12)
+ wth->capture.netxray->fcs_valid = TRUE;
+ }
+ break;
}
- /*wth->frame_number = 0;*/
- /*wth->file_byte_offset = 0x10b;*/
+
+ /*
+ * Remember the ISDN type, as we need it to interpret the
+ * channel number in ISDN captures.
+ */
+ wth->capture.netxray->isdn_type = isdn_type;
/* Remember the offset after the last packet in the capture (which
* isn't necessarily the last packet in the file), as it appears
}
/* Read the next packet */
-static gboolean netxray_read(wtap *wth, int *err, long *data_offset)
+static gboolean netxray_read(wtap *wth, int *err, gchar **err_info _U_,
+ long *data_offset)
{
guint32 packet_size;
union netxrayrec_hdr hdr;
int hdr_size;
double t;
+ guint8 *pd;
+ guint padding;
reread:
/* Have we reached the end of the packet data? */
else
packet_size = pletohs(&hdr.hdr_1_x.incl_len);
buffer_assure_space(wth->frame_buffer, packet_size);
- if (!netxray_read_rec_data(wth->fh, buffer_start_ptr(wth->frame_buffer),
- packet_size, err))
+ pd = buffer_start_ptr(wth->frame_buffer);
+ if (!netxray_read_rec_data(wth->fh, pd, packet_size, err))
return FALSE;
wth->data_offset += packet_size;
/*
* Set the pseudo-header.
*/
- netxray_set_pseudo_header(wth, &wth->pseudo_header, &hdr);
+ padding = netxray_set_pseudo_header(wth, pd, packet_size,
+ &wth->pseudo_header, &hdr);
if (wth->capture.netxray->version_major == 0) {
t = (double)pletohl(&hdr.old_hdr.timelo)
* We subtract the padding from the packet size, so our caller
* doesn't see it.
*/
- wth->phdr.caplen = packet_size - wth->capture.netxray->padding;
+ wth->phdr.caplen = packet_size - padding;
wth->phdr.len = wth->phdr.caplen;
} else {
t = (double)pletohl(&hdr.hdr_1_x.timelo)
* We subtract the padding from the packet size, so our caller
* doesn't see it.
*/
- wth->phdr.caplen = packet_size - wth->capture.netxray->padding;
- wth->phdr.len = pletohs(&hdr.hdr_1_x.orig_len) - wth->capture.netxray->padding;
+ wth->phdr.caplen = packet_size - padding;
+ wth->phdr.len = pletohs(&hdr.hdr_1_x.orig_len) - padding;
}
- wth->phdr.pkt_encap = wth->file_encap;
return TRUE;
}
static gboolean
netxray_seek_read(wtap *wth, long seek_off,
- union wtap_pseudo_header *pseudo_header, guchar *pd, int length, int *err)
+ union wtap_pseudo_header *pseudo_header, guchar *pd, int length,
+ int *err, gchar **err_info _U_)
{
union netxrayrec_hdr hdr;
+ gboolean ret;
if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
return FALSE;
}
/*
- * Set the pseudo-header.
+ * Read the packet data.
*/
- netxray_set_pseudo_header(wth, pseudo_header, &hdr);
+ ret = netxray_read_rec_data(wth->random_fh, pd, length, err);
+ if (!ret)
+ return FALSE;
/*
- * Read the packet data.
+ * Set the pseudo-header.
*/
- return netxray_read_rec_data(wth->random_fh, pd, length, err);
+ netxray_set_pseudo_header(wth, pd, length, pseudo_header, &hdr);
+ return TRUE;
}
static int
return hdr_size;
}
-static void
-netxray_set_pseudo_header(wtap *wth, union wtap_pseudo_header *pseudo_header,
- union netxrayrec_hdr *hdr)
+static guint
+netxray_set_pseudo_header(wtap *wth, const guint8 *pd, int len,
+ union wtap_pseudo_header *pseudo_header, union netxrayrec_hdr *hdr)
{
+ guint padding = 0;
+
/*
- * If this is 802.11, or ISDN, set the pseudo-header.
+ * If this is Ethernet, 802.11, ISDN, X.25, or ATM, set the
+ * pseudo-header.
*/
- if (wth->capture.netxray->version_major == 2) {
+ switch (wth->capture.netxray->version_major) {
+
+ case 1:
+ switch (wth->file_encap) {
+
+ case WTAP_ENCAP_ETHERNET:
+ /*
+ * XXX - if hdr->hdr_1_x.xxx[15] is 1
+ * the frame appears not to have any extra
+ * stuff at the end, but if it's 0,
+ * there appears to be 4 bytes of stuff
+ * at the end, but it's not an FCS.
+ *
+ * Or is that just the low-order bit?
+ *
+ * For now, we just say "no FCS".
+ */
+ pseudo_header->eth.fcs_len = 0;
+ break;
+ }
+ break;
+
+ case 2:
switch (wth->file_encap) {
+ case WTAP_ENCAP_ETHERNET:
+ /*
+ * It appears, at least with version 2 captures,
+ * that we have 4 bytes of stuff (which might be
+ * a valid FCS or might be junk) at the end of
+ * the packet if hdr->hdr_2_x.xxx[2] and
+ * hdr->hdr_2_x.xxx[3] are 0xff, and we don't if
+ * they don't.
+ *
+ * It also appears that if the low-order bit of
+ * hdr->hdr_2_x.xxx[8] is set, the packet has a
+ * bad FCS.
+ */
+ if (hdr->hdr_2_x.xxx[2] == 0xff &&
+ hdr->hdr_2_x.xxx[3] == 0xff) {
+ /*
+ * We have 4 bytes of stuff at the
+ * end of the frame - FCS, or junk?
+ */
+ if (wth->capture.netxray->fcs_valid) {
+ /*
+ * FCS.
+ */
+ pseudo_header->eth.fcs_len = 4;
+ } else {
+ /*
+ * Junk.
+ */
+ padding = 4;
+ }
+ } else
+ pseudo_header->eth.fcs_len = 0;
+ break;
+
case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
+ /*
+ * It appears, in one 802.11 capture, that
+ * we have 4 bytes of junk at the ends of
+ * frames in which hdr->hdr_2_x.xxx[2] and
+ * hdr->hdr_2_x.xxx[3] are 0xff; I haven't
+ * seen any frames where it's an FCS, but,
+ * for now, we still check the fcs_valid
+ * flag - I also haven't seen any capture
+ * where we'd set it based on the realtick
+ * value.
+ *
+ * It also appears that if the low-order bit of
+ * hdr->hdr_2_x.xxx[8] is set, the packet has a
+ * bad FCS. According to Ken Mann, the 0x4 bit
+ * is sometimes also set for errors.
+ *
+ * Ken also says that xxx[11] is 0x5 when the
+ * packet is WEP-encrypted.
+ */
+ if (hdr->hdr_2_x.xxx[2] == 0xff &&
+ hdr->hdr_2_x.xxx[3] == 0xff) {
+ /*
+ * We have 4 bytes of stuff at the
+ * end of the frame - FCS, or junk?
+ */
+ if (wth->capture.netxray->fcs_valid) {
+ /*
+ * FCS.
+ */
+ pseudo_header->ieee_802_11.fcs_len = 4;
+ } else {
+ /*
+ * Junk.
+ */
+ padding = 4;
+ }
+ } else
+ pseudo_header->ieee_802_11.fcs_len = 0;
+
pseudo_header->ieee_802_11.channel =
hdr->hdr_2_x.xxx[12];
pseudo_header->ieee_802_11.data_rate =
hdr->hdr_2_x.xxx[13];
pseudo_header->ieee_802_11.signal_level =
hdr->hdr_2_x.xxx[14];
+ /*
+ * According to Ken Mann, at least in the captures
+ * he's seen, xxx[15] is the noise level, which
+ * is either 0xFF meaning "none reported" or a value
+ * from 0x00 to 0x7F for 0 to 100%.
+ */
break;
case WTAP_ENCAP_ISDN:
/*
* ISDN.
- * It appears that the high-order bit of byte
- * 10 is a direction flag, and that the two
- * low-order bits of byte 13 of "hdr.hdr_2_x.xxx"
- * indicates whether this is a B-channel (1 or 2)
- * or a D-channel (0).
*
- * XXX - or is it just a channel number? Primary
- * Rate ISDN has more channels; let's assume that
- * the bottom 5 bits are the channel number, which
- * is enough for European PRI. (XXX - maybe the
- * whole byte is the channel number?)
+ * The bottommost bit of byte 12 of "hdr.hdr_2_x.xxx"
+ * is the direction flag.
+ *
+ * The bottom 5 bits of byte 13 of "hdr.hdr_2_x.xxx"
+ * are the channel number, but some mapping is
+ * required for PRI. (Is it really just the time
+ * slot?)
*/
pseudo_header->isdn.uton =
- (hdr->hdr_2_x.xxx[10] & 0x80);
+ (hdr->hdr_2_x.xxx[12] & 0x01);
pseudo_header->isdn.channel =
hdr->hdr_2_x.xxx[13] & 0x1F;
+ switch (wth->capture.netxray->isdn_type) {
+
+ case 1:
+ /*
+ * E1 PRI. Channel numbers 0 and 16
+ * are the D channel; channel numbers 1
+ * through 15 are B1 through B15; channel
+ * numbers 17 through 31 are B16 through
+ * B31.
+ */
+ if (pseudo_header->isdn.channel == 16)
+ pseudo_header->isdn.channel = 0;
+ else if (pseudo_header->isdn.channel > 16)
+ pseudo_header->isdn.channel -= 1;
+ break;
+
+ case 2:
+ /*
+ * T1 PRI. Channel numbers 0 and 24
+ * are the D channel; channel numbers 1
+ * through 23 are B1 through B23.
+ */
+ if (pseudo_header->isdn.channel == 24)
+ pseudo_header->isdn.channel = 0;
+ else if (pseudo_header->isdn.channel > 24)
+ pseudo_header->isdn.channel -= 1;
+ break;
+ }
+
+ /*
+ * It appears, at least with version 2 captures,
+ * that we have 4 bytes of stuff (which might be
+ * a valid FCS or might be junk) at the end of
+ * the packet if hdr->hdr_2_x.xxx[2] and
+ * hdr->hdr_2_x.xxx[3] are 0xff, and we don't if
+ * they don't.
+ *
+ * XXX - does the low-order bit of hdr->hdr_2_x.xxx[8]
+ * indicate a bad FCS, as is the case with
+ * Ethernet?
+ */
+ if (hdr->hdr_2_x.xxx[2] == 0xff &&
+ hdr->hdr_2_x.xxx[3] == 0xff) {
+ /*
+ * FCS, or junk, at the end.
+ * XXX - is it an FCS if "fcs_valid" is
+ * true?
+ */
+ padding = 4;
+ }
+ break;
+
+ case WTAP_ENCAP_LAPB:
+ case WTAP_ENCAP_FRELAY_WITH_PHDR:
+ /*
+ * LAPB/X.25 and Frame Relay.
+ *
+ * The bottommost bit of byte 12 of "hdr.hdr_2_x.xxx"
+ * is the direction flag. (Probably true for other
+ * HDLC encapsulations as well.)
+ */
+ pseudo_header->x25.flags =
+ (hdr->hdr_2_x.xxx[12] & 0x01) ? 0x00 : FROM_DCE;
+ break;
+
+ case WTAP_ENCAP_PPP_WITH_PHDR:
+ case WTAP_ENCAP_SDLC:
+ pseudo_header->p2p.sent =
+ (hdr->hdr_2_x.xxx[12] & 0x01) ? TRUE : FALSE;
+ break;
+
+ case WTAP_ENCAP_ATM_PDUS_UNTRUNCATED:
+ pseudo_header->atm.flags = 0;
+ /*
+ * XXX - is 0x08 an "OAM cell" flag?
+ */
+ if (hdr->hdr_2_x.xxx[9] & 0x04)
+ pseudo_header->atm.flags |= ATM_RAW_CELL;
+ pseudo_header->atm.vpi = hdr->hdr_2_x.xxx[11];
+ pseudo_header->atm.vci = pletohs(&hdr->hdr_2_x.xxx[12]);
+ pseudo_header->atm.channel =
+ (hdr->hdr_2_x.xxx[15] & 0x10)? 1 : 0;
+ pseudo_header->atm.cells = 0;
+
+ switch (hdr->hdr_2_x.xxx[0] & 0xF0) {
+
+ case 0x00: /* Unknown */
+ /*
+ * Infer the AAL, traffic type, and subtype.
+ */
+ atm_guess_traffic_type(pd, len,
+ pseudo_header);
+ break;
+
+ case 0x50: /* AAL5 (including signalling) */
+ pseudo_header->atm.aal = AAL_5;
+ switch (hdr->hdr_2_x.xxx[0] & 0x0F) {
+
+ case 0x09:
+ case 0x0a: /* Signalling traffic */
+ pseudo_header->atm.aal = AAL_SIGNALLING;
+ pseudo_header->atm.type = TRAF_UNKNOWN;
+ pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
+ break;
+
+ case 0x0b: /* ILMI */
+ pseudo_header->atm.type = TRAF_ILMI;
+ pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
+ break;
+
+ case 0x0c: /* LANE LE Control */
+ pseudo_header->atm.type = TRAF_LANE;
+ pseudo_header->atm.subtype = TRAF_ST_LANE_LE_CTRL;
+ break;
+
+ case 0x0d:
+ /*
+ * 0x0d is *mostly* LANE 802.3,
+ * but I've seen an LE Control frame
+ * with 0x0d.
+ */
+ pseudo_header->atm.type = TRAF_LANE;
+ atm_guess_lane_type(pd, len,
+ pseudo_header);
+ break;
+
+ case 0x0f: /* LLC multiplexed */
+ pseudo_header->atm.type = TRAF_LLCMX; /* XXX */
+ pseudo_header->atm.subtype = TRAF_ST_UNKNOWN; /* XXX */
+ break;
+
+ default:
+ /*
+ * XXX - discover the other types.
+ */
+ pseudo_header->atm.type = TRAF_UNKNOWN;
+ pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
+ break;
+ }
+ break;
+
+ default:
+ /*
+ * 0x60 seen, and dissected by Sniffer
+ * Pro as a raw cell.
+ *
+ * XXX - discover what those types are.
+ */
+ pseudo_header->atm.aal = AAL_UNKNOWN;
+ pseudo_header->atm.type = TRAF_UNKNOWN;
+ pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
+ break;
+ }
break;
}
+ break;
}
+ return padding;
}
static gboolean
g_free(wth->capture.netxray);
}
-static const int wtap_encap[] = {
- -1, /* WTAP_ENCAP_UNKNOWN -> unsupported */
- 0, /* WTAP_ENCAP_ETHERNET -> NDIS Ethernet */
- 1, /* WTAP_ENCAP_TOKEN_RING -> NDIS Token Ring */
- -1, /* WTAP_ENCAP_SLIP -> unsupported */
- -1, /* WTAP_ENCAP_PPP -> unsupported */
- 2, /* WTAP_ENCAP_FDDI -> NDIS FDDI */
- 2, /* WTAP_ENCAP_FDDI_BITSWAPPED -> NDIS FDDI */
- -1, /* WTAP_ENCAP_RAW_IP -> unsupported */
- -1, /* WTAP_ENCAP_ARCNET -> unsupported */
- -1, /* WTAP_ENCAP_ATM_RFC1483 -> unsupported */
- -1, /* WTAP_ENCAP_LINUX_ATM_CLIP -> unsupported */
- -1, /* WTAP_ENCAP_LAPB -> unsupported */
- -1, /* WTAP_ENCAP_ATM_SNIFFER -> unsupported */
- -1 /* WTAP_ENCAP_NULL -> unsupported */
+static const struct {
+ int wtap_encap_value;
+ int ndis_value;
+} wtap_encap_1_1[] = {
+ { WTAP_ENCAP_ETHERNET, 0 }, /* -> NDIS Ethernet */
+ { WTAP_ENCAP_TOKEN_RING, 1 }, /* -> NDIS Token Ring */
+ { WTAP_ENCAP_FDDI, 2 }, /* -> NDIS FDDI */
+ { WTAP_ENCAP_FDDI_BITSWAPPED, 2 }, /* -> NDIS FDDI */
};
-#define NUM_WTAP_ENCAPS (sizeof wtap_encap / sizeof wtap_encap[0])
+#define NUM_WTAP_ENCAPS_1_1 (sizeof wtap_encap_1_1 / sizeof wtap_encap_1_1[0])
+
+static int
+wtap_encap_to_netxray_1_1_encap(int encap)
+{
+ unsigned int i;
+
+ for (i = 0; i < NUM_WTAP_ENCAPS_1_1; i++) {
+ if (encap == wtap_encap_1_1[i].wtap_encap_value)
+ return wtap_encap_1_1[i].ndis_value;
+ }
+
+ return -1;
+}
/* Returns 0 if we could write the specified encapsulation type,
an error indication otherwise. */
-int netxray_dump_can_write_encap(int encap)
+int netxray_dump_can_write_encap_1_1(int encap)
{
/* Per-packet encapsulations aren't supported. */
if (encap == WTAP_ENCAP_PER_PACKET)
return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
- if (encap < 0 || (unsigned)encap >= NUM_WTAP_ENCAPS || wtap_encap[encap] == -1)
+ if (wtap_encap_to_netxray_1_1_encap(encap) == -1)
return WTAP_ERR_UNSUPPORTED_ENCAP;
return 0;
file_hdr.nframes = htolel(netxray->nframes);
file_hdr.start_offset = htolel(CAPTUREFILE_HEADER_SIZE);
file_hdr.end_offset = htolel(filelen);
- file_hdr.network = htoles(wtap_encap[wdh->encap]);
+ file_hdr.network = wtap_encap_to_netxray_1_1_encap(wdh->encap);
file_hdr.timelo = htolel(0);
file_hdr.timehi = htolel(0);
return TRUE;
}
+static const struct {
+ int wtap_encap_value;
+ int ndis_value;
+} wtap_encap_2_0[] = {
+ { WTAP_ENCAP_ETHERNET, 0 }, /* -> NDIS Ethernet */
+ { WTAP_ENCAP_TOKEN_RING, 1 }, /* -> NDIS Token Ring */
+ { WTAP_ENCAP_FDDI, 2 }, /* -> NDIS FDDI */
+ { WTAP_ENCAP_FDDI_BITSWAPPED, 2 }, /* -> NDIS FDDI */
+ { WTAP_ENCAP_PPP_WITH_PHDR, 3 }, /* -> NDIS WAN */
+ { WTAP_ENCAP_FRELAY_WITH_PHDR, 3 }, /* -> NDIS WAN */
+ { WTAP_ENCAP_LAPB, 3 }, /* -> NDIS WAN */
+ { WTAP_ENCAP_SDLC, 3 }, /* -> NDIS WAN */
+};
+#define NUM_WTAP_ENCAPS_2_0 (sizeof wtap_encap_2_0 / sizeof wtap_encap_2_0[0])
+
+static int
+wtap_encap_to_netxray_2_0_encap(int encap)
+{
+ unsigned int i;
+
+ for (i = 0; i < NUM_WTAP_ENCAPS_2_0; i++) {
+ if (encap == wtap_encap_2_0[i].wtap_encap_value)
+ return wtap_encap_2_0[i].ndis_value;
+ }
+
+ return -1;
+}
+
+/* Returns 0 if we could write the specified encapsulation type,
+ an error indication otherwise. */
+int netxray_dump_can_write_encap_2_0(int encap)
+{
+ /* Per-packet encapsulations aren't supported. */
+ if (encap == WTAP_ENCAP_PER_PACKET)
+ return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
+
+ if (wtap_encap_to_netxray_2_0_encap(encap) == -1)
+ return WTAP_ERR_UNSUPPORTED_ENCAP;
+
+ return 0;
+}
+
/* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
failure */
gboolean netxray_dump_open_2_0(wtap_dumper *wdh, gboolean cant_seek, int *err)
rec_hdr.orig_len = htoles(phdr->len);
rec_hdr.incl_len = htoles(phdr->caplen);
- if (phdr->pkt_encap == WTAP_ENCAP_IEEE_802_11_WITH_RADIO)
- {
- rec_hdr.xxx[12] = pseudo_header->ieee_802_11.channel;
- rec_hdr.xxx[13] = pseudo_header->ieee_802_11.data_rate;
- rec_hdr.xxx[14] = pseudo_header->ieee_802_11.signal_level;
+ switch (phdr->pkt_encap) {
+
+ case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
+ rec_hdr.xxx[12] = pseudo_header->ieee_802_11.channel;
+ rec_hdr.xxx[13] = pseudo_header->ieee_802_11.data_rate;
+ rec_hdr.xxx[14] = pseudo_header->ieee_802_11.signal_level;
+ break;
+
+ case WTAP_ENCAP_PPP_WITH_PHDR:
+ case WTAP_ENCAP_SDLC:
+ rec_hdr.xxx[12] |= pseudo_header->p2p.sent ? 0x01 : 0x00;
+ break;
+
+ case WTAP_ENCAP_FRELAY_WITH_PHDR:
+ rec_hdr.xxx[12] |= (pseudo_header->x25.flags & FROM_DCE) ? 0x00 : 0x01;
+ break;
}
nwritten = fwrite(&rec_hdr, 1, sizeof(rec_hdr), wdh->fh);
file_hdr.nframes = htolel(netxray->nframes);
file_hdr.start_offset = htolel(CAPTUREFILE_HEADER_SIZE);
file_hdr.end_offset = htolel(filelen);
- file_hdr.network = htoles(wtap_encap[wdh->encap]);
+ file_hdr.network = wtap_encap_to_netxray_2_0_encap(wdh->encap);
file_hdr.timelo = htolel(0);
file_hdr.timehi = htolel(0);
+ switch (wdh->encap) {
+
+ case WTAP_ENCAP_PPP_WITH_PHDR:
+ file_hdr.xxc[4] = WAN_CAPTYPE_PPP;
+ break;
+
+ case WTAP_ENCAP_FRELAY_WITH_PHDR:
+ file_hdr.xxc[4] = WAN_CAPTYPE_FRELAY;
+ break;
+
+ case WTAP_ENCAP_LAPB:
+ file_hdr.xxc[4] = WAN_CAPTYPE_HDLC;
+ file_hdr.xxc[12] = 0;
+ break;
+
+ case WTAP_ENCAP_SDLC:
+ file_hdr.xxc[4] = WAN_CAPTYPE_SDLC;
+ break;
+
+ default:
+ file_hdr.xxc[4] = CAPTYPE_NDIS;
+ break;
+ }
memset(hdr_buf, '\0', sizeof hdr_buf);
memcpy(hdr_buf, &file_hdr, sizeof(file_hdr));