| blob | ff6ef19317c80ba2792c9067b919a3ff13450c29 |
1 /* netxray.c
2 *
3 * Wiretap Library
4 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
5 *
6 * SPDX-License-Identifier: GPL-2.0-or-later
7 */
12 #include <string.h>
17 /* Capture file header, *including* magic number, is padded to 128 bytes. */
18 #define CAPTUREFILE_HEADER_SIZE 128
20 /* Magic number size, in both 1.x and later files. */
21 #define MAGIC_SIZE 4
23 /* Magic number in NetXRay 1.x files. */
26 };
28 /* Magic number in NetXRay 2.0 and later, and Windows Sniffer, files. */
31 };
33 /* NetXRay file header (minus magic number). */
34 /* */
35 /* As field usages are identified, please revise as needed */
36 /* Please do *not* use netxray_hdr xxx... names in the code */
37 /* (Placeholder names for all 'unknown' fields are */
38 /* of form xxx_x<hex_hdr_offset> */
39 /* where <hex_hdr_offset> *includes* the magic number) */
65 /* (realtick[1], realtick[2] also currently */
66 /* used as flag for 'FCS presence') */
79 /* positive values = west of UTC: */
80 /* negative values = east of UTC: */
81 /* e.g. +5 is American Eastern */
82 /* [Does not appear to be adjusted for DST ] */
83 };
85 /*
86 * Capture type, in hdr.captype.
87 *
88 * Values other than 0 are dependent on the network type.
89 * For Ethernet captures, it indicates the type of capture pod.
90 * For WAN captures (all of which are done with a pod), it indicates
91 * the link-layer type.
92 */
95 /*
96 * Ethernet capture types.
97 */
101 /* Captype 5 seen in capture from Distributed Sniffer with: */
102 /* Version 4.50.211 software */
103 /* SysKonnect SK-9843 Gigabit Ethernet Server Adapter */
104 #define ETH_CAPTYPE_GIGPOD2 6 /* gigabit Ethernet, captured with blade on S6040-model Sniffer */
106 /*
107 * WAN capture types.
108 */
124 /*
125 * # of ticks that equal 1 second, in version 002.xxx files other
126 * than Ethernet captures with a captype other than CAPTYPE_NDIS;
127 * the index into this array is hdr.timeunit.
128 *
129 * DO NOT SEND IN PATCHES THAT CHANGE ANY OF THE NON-ZERO VALUES IN
130 * ANY OF THE TpS TABLES. THOSE VALUES ARE CORRECT FOR AT LEAST ONE
131 * CAPTURE, SO CHANGING THEM WILL BREAK AT LEAST SOME CAPTURES. WE
132 * WILL NOT CHECK IN PATCHES THAT CHANGE THESE VALUES.
133 *
134 * Instead, if a value in a TpS table is wrong, check whether captype
135 * has a non-zero value; if so, perhaps we need a new TpS table for the
136 * corresponding network type and captype, or perhaps the 'realtick'
137 * field contains the correct ticks-per-second value.
138 *
139 * TpS...[] entries of 0.0 mean that no capture file for the
140 * corresponding captype/timeunit values has yet been seen, or that
141 * we're using the 'realtick' value.
142 *
143 * XXX - 05/29/07: For Ethernet captype = 0 (NDIS) and timeunit = 2:
144 * Perusal of a number of Sniffer captures
145 * (including those from Wireshark bug reports
146 * and those from the Wireshark 'menagerie')
147 * suggests that 'realtick' for this case
148 * contains the correct ticks/second to be used.
149 * So: we'll use realtick for Ethernet captype=0 and timeunit=2.
150 * (It might be that realtick should be used for Ethernet captype = 0
151 * and timeunit = 1 but I've not yet enough captures to be sure).
152 * Based upon the captures reviewed to date, realtick cannot be used for
153 * any of the other Ethernet captype/timeunit combinations for which there
154 * are non-zero values in the TpS tables.
155 *
156 * In at least one capture where "realtick" doesn't correspond
157 * to the value from the appropriate TpS table, the per-packet header's
158 * "xxx" field is all zero, so it's not as if a 2.x header includes
159 * a "compatibility" time stamp corresponding to the value from the
160 * TpS table and a "real" time stamp corresponding to "realtick".
161 *
162 * XXX - the item corresponding to timeunit = 2 is 1193180.0, presumably
163 * because somebody found it gave the right answer for some captures, but
164 * 3 times that, i.e. 3579540.0, appears to give the right answer for some
165 * other captures.
166 *
167 * Some captures have realtick of 1193182, some have 3579545, and some
168 * have 1193000. Most of those, in one set of captures somebody has,
169 * are wrong. (Did that mean "wrong for some capture files, but not
170 * for the files in which they occurred", or "wrong for the files in
171 * which they occurred? If it's "wrong for some capture files, but
172 * not for the files in which they occurred", perhaps those were Ethernet
173 * captures with a captype of 0 and timeunit = 2, so that we now use
174 * realtick, and perhaps that fixes the problems.)
175 *
176 * XXX - in at least one ATM capture, hdr.realtick is 1193180.0
177 * and hdr.timeunit is 0. Does that capture have a captype of
178 * CAPTYPE_ATM? If so, what should the table for ATM captures with
179 * that captype be?
180 */
182 #define NUM_NETXRAY_TIMEUNITS array_length(TpS)
184 /*
185 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_GIGPOD.
186 * 0.0 means "unknown".
187 *
188 * It appears that, at least for Ethernet captures, if captype is
189 * ETH_CAPTYPE_GIGPOD, that indicates that it's a gigabit Ethernet
190 * capture, possibly from a special whizzo gigabit pod, and also
191 * indicates that the time stamps have some higher resolution than
192 * in other captures, possibly thanks to a high-resolution timer
193 * on the pod.
194 *
195 * It also appears that the time units might differ for gigabit pod
196 * captures between version 002.001 and 002.002. For 002.001,
197 * the values below are correct; for 002.002, it's claimed that
198 * the right value for TpS_gigpod[2] is 1250000.0, but at least one
199 * 002.002 gigabit pod capture has 31250000.0 as the right value.
200 * XXX: Note that the TpS_otherpod[2] value is 1250000.0; It seems
201 * reasonable to suspect that the original claim might actually
202 * have been for a capture with a captype of 'otherpod'.
203 * (Based upon captures reviewed realtick does not contain the
204 * correct TpS values for the 'gigpod' captype).
205 */
207 #define NUM_NETXRAY_TIMEUNITS_GIGPOD array_length(TpS_gigpod)
209 /*
210 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_OTHERPOD.
211 * (Based upon captures reviewed realtick does not contain the
212 * correct TpS values for the 'otherpod' captype).
213 */
215 #define NUM_NETXRAY_TIMEUNITS_OTHERPOD array_length(TpS_otherpod)
217 /*
218 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_OTHERPOD2.
219 * (Based upon captures reviewed realtick does not contain the
220 * correct TpS values for the 'otherpod2' captype).
221 */
223 #define NUM_NETXRAY_TIMEUNITS_OTHERPOD2 array_length(TpS_otherpod2)
225 /*
226 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_GIGPOD2.
227 * (Based upon captures reviewed realtick does not contain the
228 * correct TpS values for the 'gigpod2' captype).
229 */
231 #define NUM_NETXRAY_TIMEUNITS_GIGPOD2 array_length(TpS_gigpod2)
233 /* Version number strings. */
236 };
240 };
244 };
248 };
252 };
256 };
258 /* Old NetXRay data record format - followed by frame data. */
264 };
266 /* NetXRay format version 1.x data record format - followed by frame data. */
273 };
275 /*
276 * NetXRay format version 2.x data record format - followed by frame data.
277 *
278 * The xxx fields appear to be:
279 *
280 * xxx[0]: ATM traffic type and subtype in the low 3 bits of
281 * each nibble, and flags(?) in the upper bit of each nibble.
282 * Always 0 for 802.11?
283 *
284 * xxx[1]: Always 0 for 802.11?
285 *
286 * xxx[2], xxx[3]: for Ethernet, 802.11, ISDN LAPD, LAPB,
287 * Frame Relay, if both are 0xff, there are 4 bytes of stuff
288 * at the end of the packet data, which might be an FCS or
289 * which might be junk to discard.
290 *
291 * xxx[4-7]: Always 0 for 802.11?
292 *
293 * xxx[8], xxx[9]: 2 bytes of a flag word? If treated as
294 * a 2-byte little-endian flag word:
295 *
296 * 0x0001: Error of some sort, including bad CRC, although
297 * in one ISDN capture it's set in some B2 channel
298 * packets of unknown content (as opposed to the B1
299 * traffic in the capture, which is PPP)
300 * 0x0002: Seen in 802.11 - short preamble? Bad CRC?
301 * 0x0004: Some particular type of error?
302 * 0x0008: For (Gigabit?) Ethernet (with special probe?),
303 * 4 bytes at end are junk rather than CRC?
304 * 0x0100: CRC error on ATM? Protected and Not decrypted
305 * for 802.11? Bad CRC? Short preamble?
306 * 0x0200: Something for ATM? Something else for 802.11?
307 * 0x0400: raw ATM cell
308 * 0x0800: OAM cell?
309 * 0x2000: port on which the packet was captured?
310 *
311 * The Sniffer Portable 4.8 User's Guide lists a set of packet status
312 * flags including:
313 *
314 * packet is marked;
315 * packet was captured from Port A on the pod or adapter card;
316 * packet was captured from Port B on the pod or adapter card;
317 * packet has a symptom or diagnosis associated with it;
318 * packet is an event filter trigger;
319 * CRC error packet with normal packet size;
320 * CRC error packet with oversize error;
321 * packet size < 64 bytes (including CRC) but with valid CRC;
322 * packet size < 64 bytes (including CRC) with CRC error;
323 * packet size > 1518 bytes (including CRC) but with valid CRC;
324 * packet damaged by a collision;
325 * packet length not a multiple of 8 bits;
326 * address conflict in the ring on Token Ring;
327 * packet is not copied (received) by the destination host on
328 * Token Ring;
329 * AAL5 length error;
330 * AAL5 maximum segments error;
331 * ATM timeout error;
332 * ATM buffer error;
333 * ATM unknown error;
334 * and a ton of AAL2 errors.
335 *
336 * Not all those bits necessarily correspond to flag bits in the file,
337 * but some might.
338 *
339 * In one ATM capture, the 0x2000 bit was set for all frames; in another,
340 * it's unset for all frames. This, plus the ATMbook having two ports,
341 * suggests that it *might* be a "port A vs. port B" flag.
342 *
343 * The 0x0001 bit appears to be set for CRC errors on Ethernet and 802.11.
344 * It also appears to be set on ATM for AAL5 PDUs that appear to be
345 * completely reassembled and that have a CRC error and for frames that
346 * appear to be part of a full AAL5 PDU. In at least two files with
347 * frames of the former type, the 0x0100 and 0x0200 flags are set;
348 * in at least one file with frames of the latter type, neither of
349 * those flags are set.
350 *
351 * The field appears to be somewhat random in some captures,
352 * however.
353 *
354 * xxx[10]: for 802.11, always 0?
355 *
356 * xxx[11]: for 802.11, 0x05 if the packet is WEP-encrypted(?).
357 *
358 * xxx[12]: for 802.11, channel number.
359 *
360 * xxx[13]: for 802.11, data rate, in 500 Kb/s units.
361 *
362 * xxx[14]: for 802.11, signal strength.
363 *
364 * xxx[15]: for 802.11, noise level; 0xFF means none reported,
365 * 0x7F means 100%.
366 *
367 * xxx[16-19]: for 802.11, PHY header, at least for {HR/}DSSS,
368 * in at least one capture.
369 * In another capture, xxx[16] appears to be the
370 * data rate in 500 Kb/s units
371 * Chip-dependent stuff?
372 *
373 * xxx[20-25]: for 802.11, MAC address of sending machine(?).
374 *
375 * xxx[26]: for 802.11, one of 0x00, 0x01, 0x03, or 0x0b?
376 *
377 * xxx[27]: for 802.11, one of 0x00 or 0x30?
378 */
385 };
387 /*
388 * Union of the data record headers.
389 */
394 };
432 wtap_open_return_val
434 {
444 WTAP_ENCAP_UNKNOWN,
445 WTAP_ENCAP_ETHERNET,
446 WTAP_ENCAP_TOKEN_RING,
447 WTAP_ENCAP_FDDI_BITSWAPPED,
448 /*
449 * XXX - some PPP captures may look like Ethernet,
450 * perhaps because they're using NDIS to capture on the
451 * same machine and it provides simulated-Ethernet
452 * packets, but captures taken with various serial
453 * pods use the same network type value but aren't
454 * shaped like Ethernet. We handle that below.
455 */
462 WTAP_ENCAP_IEEE_802_11_WITH_RADIO,
463 /* Wireless WAN with radio information */
464 WTAP_ENCAP_UNKNOWN /* IrDA */
465 };
466 #define NUM_NETXRAY_ENCAPS array_length(netxray_encap)
471 /* Read in the string that should be at the start of a NetXRay
472 * file */
477 }
485 }
487 /* Read the rest of the header. */
496 /* It appears that version 1.1 files (as produced by Windows
497 * Sniffer Pro 2.0.01) have the time stamp in microseconds,
498 * rather than the milliseconds version 1.0 files appear to
499 * have.
500 *
501 * It also appears that version 2.00x files have per-packet
502 * headers with some extra fields. */
531 }
532 }
537 /*
538 * The byte after hdr.network is usually 0, in which case
539 * the hdr.network byte is an NDIS network type value - 1.
540 */
545 /*
546 * However, in some Ethernet captures, it's 2, and the
547 * hdr.network byte is 1 rather than 0. We assume
548 * that if there's a byte after hdr.network with the value
549 * 2, the hdr.network byte is an NDIS network type, rather
550 * than an NDIS network type - 1.
551 */
557 *err_info = ws_strdup_printf("netxray: the byte after the network type has the value %u, which I don't understand",
560 }
568 }
570 /*
571 * Figure out the time stamp units and start time stamp.
572 */
587 /*
588 * In version 1.1 files (as produced by Windows
589 * Sniffer Pro 2.0.01), the time stamp is in
590 * microseconds, rather than the milliseconds
591 * time stamps in NetXRay and older versions
592 * of Windows Sniffer.
593 */
599 /* "Can't happen" - we rejected that above */
604 }
606 /*
607 * Get the time stamp units from the appropriate TpS
608 * table or from the file header.
609 */
613 /*
614 * Ethernet - the table to use depends on whether
615 * this is an NDIS or pod capture.
616 */
626 }
627 /*
628 XXX: 05/29/07: Use 'realtick' instead of TpS table if timeunit=2;
629 Using 'realtick' in this case results
630 in the correct 'ticks per second' for all the captures that
631 I have of this type (including captures from a number of Wireshark
632 bug reports).
633 */
636 }
639 }
650 }
653 /*
654 * At least for 002.002 and 002.003
655 * captures, the start time stamp is 0,
656 * not the value in the file.
657 */
670 }
673 /*
674 * At least for 002.002 and 002.003
675 * captures, the start time stamp is 0,
676 * not the value in the file.
677 */
690 }
692 /*
693 * XXX: start time stamp in the one capture file examined of this type was 0;
694 * We'll assume the start time handling is the same as for other pods.
695 *
696 * At least for 002.002 and 002.003
697 * captures, the start time stamp is 0,
698 * not the value in the file.
699 */
712 }
714 /*
715 * XXX: start time stamp in the one capture file examined of this type was 0;
716 * We'll assume the start time handling is the same as for other pods.
717 *
718 * At least for 002.002 and 002.003
719 * captures, the start time stamp is 0,
720 * not the value in the file.
721 */
732 }
743 }
746 }
748 /*
749 * If the number of ticks per second is greater than
750 * 1 million, make the precision be nanoseconds rather
751 * than microseconds.
752 *
753 * XXX - do values only slightly greater than one million
754 * correspond to a resolution sufficiently better than
755 * 1 microsecond to display more digits of precision?
756 * XXX - Seems reasonable to use nanosecs only if TPS >= 10M
757 */
760 else
763 /* "Can't happen" - we rejected that above */
768 }
772 /*
773 * In version 0 and 1, we assume, for now, that all
774 * WAN captures have frames that look like Ethernet
775 * frames (as a result, presumably, of having passed
776 * through NDISWAN).
777 *
778 * In version 2, it looks as if there's stuff in the
779 * file header to specify what particular type of WAN
780 * capture we have.
781 */
786 /*
787 * PPP.
788 */
793 /*
794 * Frame Relay.
795 *
796 * XXX - in at least one capture, this
797 * is Cisco HDLC, not Frame Relay, but
798 * in another capture, it's Frame Relay.
799 *
800 * [Bytes in each capture:
801 * Cisco HDLC: hdr.xxx_x60[06:10]: 0x02 0x00 0x01 0x00 0x06
802 * Frame Relay: hdr.xxx_x60[06:10] 0x00 0x00 0x00 0x00 0x00
804 * Cisco HDLC: hdr.xxx_x60[14:15]: 0xff 0xff
805 * Frame Relay: hdr.xxx_x60[14:15]: 0x00 0x00
806 * ]
807 */
813 /*
814 * Various HDLC flavors?
815 */
819 /*
820 * XXX - at least one capture of
821 * this type appears to be PPP.
822 */
835 *err_info = ws_strdup_printf("netxray: WAN HDLC capture subsubtype 0x%02x unknown or unsupported",
838 }
842 /*
843 * SDLC.
844 */
849 /*
850 * Cisco router (CHDLC) captured with pod
851 */
860 }
866 /* This is a netxray file */
879 /*
880 * If frames have an extra 4 bytes of stuff at the end, is
881 * it an FCS, or just junk?
882 */
890 /*
891 * It appears that, in at least some version 2 Ethernet
892 * captures, for frames that have 0xff in hdr_2_x.xxx[2]
893 * and hdr_2_x.xxx[3] in the per-packet header:
894 *
895 * if, in the file header, hdr.realtick[1] is 0x34
896 * and hdr.realtick[2] is 0x12, the frames have an
897 * FCS at the end;
898 *
899 * otherwise, they have 4 bytes of junk at the end.
900 *
901 * Yes, it's strange that you have to check the *middle*
902 * of the time stamp field; you can't check for any
903 * particular value of the time stamp field.
904 *
905 * For now, we assume that to be true for 802.11 captures
906 * as well; it appears to be the case for at least one
907 * such capture - the file doesn't have 0x34 and 0x12,
908 * and the 4 bytes at the end of the frames with 0xff
909 * are junk, not an FCS.
910 *
911 * For ISDN captures, it appears, at least in some
912 * captures, to be similar, although I haven't yet
913 * checked whether it's a valid FCS.
914 *
915 * XXX - should we do this for all encapsulation types?
916 *
917 * XXX - is there some other field that *really* indicates
918 * whether we have an FCS or not? The check of the time
919 * stamp is bizarre, as we're checking the middle.
920 * Perhaps hdr.realtick[0] is 0x00, in which case time
921 * stamp units in the range 1192960 through 1193215
922 * correspond to captures with an FCS, but that's still
923 * a bit bizarre.
924 *
925 * Note that there are captures with a network type of 0
926 * (Ethernet) and capture type of 0 (NDIS) that do, and
927 * that don't, have 0x34 0x12 in them, and at least one
928 * of the NDIS captures with 0x34 0x12 in it has FCSes,
929 * so it's not as if no NDIS captures have an FCS.
930 *
931 * There are also captures with a network type of 4 (WAN),
932 * capture type of 6 (HDLC), and subtype of 2 (T1 PRI) that
933 * do, and that don't, have 0x34 0x12, so there are at least
934 * some captures taken with a WAN pod that might lack an FCS.
935 * (We haven't yet tried dissecting the 4 bytes at the
936 * end of packets with hdr_2_x.xxx[2] and hdr_2_x.xxx[3]
937 * equal to 0xff as an FCS.)
938 *
939 * All captures I've seen that have 0x34 and 0x12 *and*
940 * have at least one frame with an FCS have a value of
941 * 0x01 in xxx_x40[4]. No captures I've seen with a network
942 * type of 0 (Ethernet) missing 0x34 0x12 have 0x01 there,
943 * however. However, there's at least one capture
944 * without 0x34 and 0x12, with a network type of 0,
945 * and with 0x01 in xxx_x40[4], *without* FCSes in the
946 * frames - the 4 bytes at the end are all zero - so it's
947 * not as simple as "xxx_x40[4] = 0x01 means the 4 bytes at
948 * the end are FCSes". Also, there's also at least one
949 * 802.11 capture with an xxx_x40[4] value of 0x01 with junk
950 * rather than an FCS at the end of the frame, so xxx_x40[4]
951 * isn't an obvious flag to determine whether the
952 * capture has FCSes.
953 *
954 * There don't seem to be any other values in any of the
955 * xxx_x5..., xxx_x6...., xxx_x7.... fields
956 * that obviously correspond to frames having an FCS.
957 *
958 * 05/29/07: Examination of numerous sniffer captures suggests
959 * that the apparent correlation of certain realtick
960 * bytes to 'FCS presence' may actually be
961 * a 'false positive'.
962 * ToDo: Review analysis and update code.
963 * It might be that the ticks-per-second value
964 * is hardware-dependent, and that hardware with
965 * a particular realtick value puts an FCS there
966 * and other hardware doesn't.
967 */
971 }
973 }
975 /*
976 * Remember the ISDN type, as we need it to interpret the
977 * channel number in ISDN captures.
978 */
981 /* Remember the offset after the last packet in the capture (which
982 * isn't necessarily the last packet in the file), as it appears
983 * there's sometimes crud after it.
984 * XXX: Remember 'start_offset' to help testing for 'short file' at EOF
985 */
991 /* Seek to the beginning of the data records. */
994 }
996 /*
997 * Add an IDB; we don't know how many interfaces were
998 * involved, so we just say one interface, about which
999 * we only know the link-layer type, snapshot length,
1000 * and time stamp resolution.
1001 */
1005 }
1007 /* Read the next packet */
1008 static bool
1011 {
1015 reread:
1016 /*
1017 * Return the offset of the record header, so we can reread it
1018 * if we go back to this frame.
1019 */
1022 /* Have we reached the end of the packet data? */
1024 /* Yes. */
1027 }
1029 /* Read and process record header. */
1032 /*
1033 * Error or EOF.
1034 */
1036 /*
1037 * Error of some sort; give up.
1038 */
1040 }
1042 /* We're at EOF. Wrap?
1043 * XXX: Need to handle 'short file' cases
1044 * (Distributed Sniffer seems to have a
1045 * certain small propensity to generate 'short' files
1046 * i.e. [many] bytes are missing from the end of the file)
1047 * case 1: start_offset < end_offset
1048 * wrap will read already read packets again;
1049 * so: error with "short file"
1050 * case 2: start_offset > end_offset ("circular" file)
1051 * wrap will mean there's a gap (missing packets).
1052 * However, I don't see a good way to identify this
1053 * case so we'll just have to allow the wrap.
1054 * (Maybe there can be an error message after all
1055 * packets are read since there'll be less packets than
1056 * specified in the file header).
1057 * Note that these cases occur *only* if a 'short' eof occurs exactly
1058 * at the expected beginning of a frame header record; If there is a
1059 * partial frame header (or partial frame data) record, then the
1060 * netxray_read... functions will detect the short record.
1061 */
1065 }
1068 /* Yes. Remember that we did. */
1074 }
1076 /* We've already wrapped - don't wrap again. */
1078 }
1080 /*
1081 * Read the packet data.
1082 */
1087 /*
1088 * If there's extra stuff at the end of the record, skip it.
1089 */
1093 /*
1094 * If it's an ATM packet, and we don't have enough information
1095 * from the packet header to determine its type or subtype,
1096 * attempt to guess them from the packet data.
1097 */
1100 }
1102 static bool
1105 {
1112 /*
1113 * EOF - we report that as a short read, as
1114 * we've read this once and know that it
1115 * should be there.
1116 */
1118 }
1120 }
1122 /*
1123 * Read the packet data.
1124 */
1129 /*
1130 * If it's an ATM packet, and we don't have enough information
1131 * from the packet header to determine its type or subtype,
1132 * attempt to guess them from the packet data.
1133 */
1136 }
1138 static int
1141 {
1149 /* Read record header. */
1163 }
1165 /*
1166 * If *err is 0, we're at EOF. *err being 0 and a return
1167 * value of -1 tells our caller we're at EOF.
1168 *
1169 * Otherwise, we got an error, and *err *not* being 0
1170 * and a return value tells our caller we have an error.
1171 */
1173 }
1175 /*
1176 * If this is Ethernet, 802.11, ISDN, X.25, or ATM, set the
1177 * pseudo-header.
1178 */
1185 /*
1186 * XXX - if hdr_1_x.xxx[15] is 1
1187 * the frame appears not to have any extra
1188 * stuff at the end, but if it's 0,
1189 * there appears to be 4 bytes of stuff
1190 * at the end, but it's not an FCS.
1191 *
1192 * Or is that just the low-order bit?
1193 *
1194 * For now, we just say "no FCS".
1195 */
1198 }
1205 /*
1206 * It appears, at least with version 2 captures,
1207 * that we have 4 bytes of stuff (which might be
1208 * a valid FCS or might be junk) at the end of
1209 * the packet if hdr_2_x.xxx[2] and
1210 * hdr_2_x.xxx[3] are 0xff, and we don't if
1211 * they don't.
1212 *
1213 * It also appears that if the low-order bit of
1214 * hdr_2_x.xxx[8] is set, the packet has a
1215 * bad FCS.
1216 */
1219 /*
1220 * We have 4 bytes of stuff at the
1221 * end of the frame - FCS, or junk?
1222 */
1224 /*
1225 * FCS.
1226 */
1229 /*
1230 * Junk.
1231 */
1233 }
1239 /*
1240 * It appears, in one 802.11 capture, that
1241 * we have 4 bytes of junk at the ends of
1242 * frames in which hdr_2_x.xxx[2] and
1243 * hdr_2_x.xxx[3] are 0xff; I haven't
1244 * seen any frames where it's an FCS, but,
1245 * for now, we still check the fcs_valid
1246 * flag - I also haven't seen any capture
1247 * where we'd set it based on the realtick
1248 * value.
1249 *
1250 * It also appears that if the low-order bit of
1251 * hdr_2_x.xxx[8] is set, the packet has a
1252 * bad FCS. According to Ken Mann, the 0x4 bit
1253 * is sometimes also set for errors.
1254 *
1255 * Ken also says that xxx[11] is 0x5 when the
1256 * packet is WEP-encrypted.
1257 */
1258 memset(&rec->rec_header.packet_header.pseudo_header.ieee_802_11, 0, sizeof(rec->rec_header.packet_header.pseudo_header.ieee_802_11));
1261 /*
1262 * We have 4 bytes of stuff at the
1263 * end of the frame - FCS, or junk?
1264 */
1266 /*
1267 * FCS.
1268 */
1271 /*
1272 * Junk.
1273 */
1275 }
1283 /*
1284 * XXX - any other information, such as PHY
1285 * type, frequency, 11n/11ac information,
1286 * etc.?
1287 */
1300 /*
1301 * According to Ken Mann, at least in the captures
1302 * he's seen, xxx[15] is the noise level, which
1303 * is either 0xFF meaning "none reported" or a value
1304 * from 0x00 to 0x7F for 0 to 100%.
1305 */
1310 }
1314 /*
1315 * ISDN.
1316 *
1317 * The bottommost bit of byte 12 of hdr_2_x.xxx
1318 * is the direction flag.
1319 *
1320 * The bottom 5 bits of byte 13 of hdr_2_x.xxx
1321 * are the channel number, but some mapping is
1322 * required for PRI. (Is it really just the time
1323 * slot?)
1324 */
1332 /*
1333 * E1 PRI. Channel numbers 0 and 16
1334 * are the D channel; channel numbers 1
1335 * through 15 are B1 through B15; channel
1336 * numbers 17 through 31 are B16 through
1337 * B31.
1338 */
1346 /*
1347 * T1 PRI. Channel numbers 0 and 24
1348 * are the D channel; channel numbers 1
1349 * through 23 are B1 through B23.
1350 */
1356 }
1358 /*
1359 * It appears, at least with version 2 captures,
1360 * that we have 4 bytes of stuff (which might be
1361 * a valid FCS or might be junk) at the end of
1362 * the packet if hdr_2_x.xxx[2] and
1363 * hdr_2_x.xxx[3] are 0xff, and we don't if
1364 * they don't.
1365 *
1366 * XXX - does the low-order bit of hdr_2_x.xxx[8]
1367 * indicate a bad FCS, as is the case with
1368 * Ethernet?
1369 */
1372 /*
1373 * FCS, or junk, at the end.
1374 * XXX - is it an FCS if "fcs_valid" is
1375 * true?
1376 */
1378 }
1383 /*
1384 * LAPB/X.25 and Frame Relay.
1385 *
1386 * The bottommost bit of byte 12 of hdr_2_x.xxx
1387 * is the direction flag. (Probably true for other
1388 * HDLC encapsulations as well.)
1389 */
1393 /*
1394 * It appears, at least with version 2 captures,
1395 * that we have 4 bytes of stuff (which might be
1396 * a valid FCS or might be junk) at the end of
1397 * the packet if hdr_2_x.xxx[2] and
1398 * hdr_2_x.xxx[3] are 0xff, and we don't if
1399 * they don't.
1400 *
1401 * XXX - does the low-order bit of hdr_2_x.xxx[8]
1402 * indicate a bad FCS, as is the case with
1403 * Ethernet?
1404 */
1407 /*
1408 * FCS, or junk, at the end.
1409 * XXX - is it an FCS if "fcs_valid" is
1410 * true?
1411 */
1413 }
1424 /*
1425 * XXX - the low-order bit of hdr_2_x.xxx[8]
1426 * seems to indicate some sort of error. In
1427 * at least one capture, a number of packets
1428 * have that flag set, and they appear either
1429 * to be the beginning part of an incompletely
1430 * reassembled AAL5 PDU, with either checksum
1431 * errors at higher levels (possibly due to
1432 * the packet being reported as shorter than
1433 * it actually is, and checksumming failing
1434 * because it doesn't include all the data)
1435 * or "Malformed frame" errors from being
1436 * too short, or appear to be later parts
1437 * of an incompletely reassembled AAL5 PDU
1438 * with the last one in a sequence of errors
1439 * having what looks like an AAL5 trailer,
1440 * with a length and checksum.
1441 *
1442 * Does it just mean "reassembly failed",
1443 * as appears to be the case in those
1444 * packets, or does it mean "CRC error"
1445 * at the AAL5 layer (which would be the
1446 * case if you were treating an incompletely
1447 * reassembled PDU as a completely reassembled
1448 * PDU, although you'd also expect a length
1449 * error in that case), or does it mean
1450 * "generic error", with some other flag
1451 * or flags indicating what particular
1452 * error occurred? The documentation
1453 * for Sniffer Pro 4.7 indicates a bunch
1454 * of different error types, both in general
1455 * and for ATM in particular.
1456 *
1457 * No obvious bits in hdr_2_x.xxx appear
1458 * to be additional flags of that sort.
1459 *
1460 * XXX - in that capture, I see several
1461 * reassembly errors in a row; should those
1462 * packets be reassembled in the ATM dissector?
1463 * What happens if a reassembly fails because
1464 * a cell is bad?
1465 */
1469 /*
1470 * XXX - is 0x08 an "OAM cell" flag?
1471 * Are the 0x01 and 0x02 bits error indications?
1472 * Some packets in one capture that have the
1473 * 0x01 bit set in hdr_2_x.xxx[8] and that
1474 * appear to have been reassembled completely
1475 * but have a bad CRC have 0x03 in hdr_2_x.xxx[9]
1476 * (and don't have the 0x20 bit set).
1477 *
1478 * In the capture with incomplete reassemblies,
1479 * all packets have the 0x20 bit set. In at
1480 * least some of the captures with complete
1481 * reassemblies with CRC errors, no packets
1482 * have the 0x20 bit set.
1483 *
1484 * Are hdr_2_x.xxx[8] and hdr_2_x.xxx[9] a 16-bit
1485 * flag field?
1486 */
1495 /*
1496 * XXX - the uppermost bit of hdr_2_xxx[0]
1497 * looks as if it might be a flag of some sort.
1498 * The remaining 3 bits appear to be an AAL
1499 * type - 5 is, surprise surprise, AAL5.
1500 */
1532 /*
1533 * XXX - is the 0x08 bit of hdr_2_x.xxx[0]
1534 * a flag? I've not yet seen a case where
1535 * it matters.
1536 */
1554 /*
1555 * I've seen a frame with type
1556 * 0x30 and subtype 0x08 that
1557 * was LANE 802.3, a frame
1558 * with type 0x30 and subtype
1559 * 0x04 that was LANE 802.3,
1560 * and another frame with type
1561 * 0x30 and subtype 0x08 that
1562 * was junk with a string in
1563 * it that had also appeared
1564 * in some CDP and LE Control
1565 * frames, and that was preceded
1566 * by a malformed LE Control
1567 * frame - was that a reassembly
1568 * failure?
1569 *
1570 * I've seen frames with type
1571 * 0x50 and subtype 0x0c, some
1572 * of which were LE Control
1573 * frames, and at least one
1574 * of which was neither an LE
1575 * Control frame nor a LANE
1576 * 802.3 frame, and contained
1577 * the string "ForeThought_6.2.1
1578 * Alpha" - does that imply
1579 * FORE's own encapsulation,
1580 * or was this a reassembly failure?
1581 * The latter frame was preceded
1582 * by a malformed LE Control
1583 * frame.
1584 *
1585 * I've seen a couple of frames
1586 * with type 0x60 and subtype 0x00,
1587 * one of which was LANE 802.3 and
1588 * one of which was LE Control.
1589 * I've seen one frame with type
1590 * 0x60 and subtype 0x0c, which
1591 * was LANE 802.3.
1592 *
1593 * I've seen a couple of frames
1594 * with type 0x70 and subtype 0x00,
1595 * both of which were LANE 802.3.
1596 */
1610 }
1612 }
1614 }
1616 }
1629 /*
1630 * We subtract the padding from the packet size, so our caller
1631 * doesn't see it.
1632 */
1645 /*
1646 * We subtract the padding from the packet size, so our caller
1647 * doesn't see it.
1648 */
1652 }
1655 }
1657 static void
1659 {
1663 /*
1664 * Try to guess the type and subtype based
1665 * on the VPI/VCI and packet contents.
1666 */
1670 /*
1671 * Try to guess the subtype based on the
1672 * packet contents.
1673 */
1675 }
1676 }
1677 }
1693 };
1694 #define NUM_WTAP_ENCAPS_1_1 array_length(wtap_encap_1_1)
1696 static int
1698 {
1704 }
1707 }
1709 /* Returns 0 if we could write the specified encapsulation type,
1710 an error indication otherwise. */
1711 static int
1713 {
1714 /* Per-packet encapsulations aren't supported. */
1722 }
1724 /* Returns true on success, false on failure; sets "*err" to an error code on
1725 failure */
1726 static bool
1728 {
1734 /* We can't fill in all the fields in the file header, as we
1735 haven't yet written any packets. As we'll have to rewrite
1736 the header when we've written out all the packets, we just
1737 skip over the header for now. */
1749 }
1751 /* Write a record for a packet to a dump file.
1752 Returns true on success, false on failure. */
1753 static bool
1757 {
1763 /* We can only write packet records. */
1767 }
1769 /*
1770 * Make sure this packet doesn't have a link-layer type that
1771 * differs from the one for the file.
1772 */
1776 }
1778 /* The captured length field is 16 bits, so there's a hard
1779 limit of 65535. */
1783 }
1785 /* NetXRay/Windows Sniffer files have a capture start date/time
1786 in the header, in a UNIX-style format, with one-second resolution,
1787 and a start time stamp with microsecond resolution that's just
1788 an arbitrary time stamp relative to some unknown time (boot
1789 time?), and have times relative to the start time stamp in
1790 the packet headers; pick the seconds value of the time stamp
1791 of the first packet as the UNIX-style start date/time, and make
1792 the high-resolution start time stamp 0, with the time stamp of
1793 packets being the delta between the stamp of the packet and
1794 the stamp of the first packet with the microseconds part 0. */
1797 /*
1798 * XXX - NetXRay ran on Windows, where MSVC's localtime()
1799 * can't handle time_t < 0, so *maybe* it makes sense
1800 * to allow time stamps up to 2^32-1 "seconds since the
1801 * Epoch", but maybe the start time in those files is
1802 * signed, in which case we should check against
1803 * INT32_MIN and INT32_MAX and make start_secs a
1804 * int32_t.
1805 */
1809 }
1811 }
1813 /* build the header for each packet */
1827 /* write the packet data */
1834 }
1836 /* Finish writing to a dump file.
1837 Returns true on success, false on failure. */
1838 static bool
1840 {
1849 /* Go back to beginning */
1853 /* Rewrite the file header. */
1857 /* "sniffer" version ? */
1863 /* XXX - large files? */
1874 /* Don't double-count the size of the file header */
1877 }
1891 };
1892 #define NUM_WTAP_ENCAPS_2_0 array_length(wtap_encap_2_0)
1894 static int
1896 {
1902 }
1905 }
1907 /* Returns 0 if we could write the specified encapsulation type,
1908 an error indication otherwise. */
1909 static int
1911 {
1912 /* Per-packet encapsulations aren't supported. */
1920 }
1922 /* Returns true on success, false on failure; sets "*err" to an error code on
1923 failure */
1924 static bool
1926 {
1932 /* We can't fill in all the fields in the file header, as we
1933 haven't yet written any packets. As we'll have to rewrite
1934 the header when we've written out all the packets, we just
1935 skip over the header for now. */
1947 }
1949 /* Write a record for a packet to a dump file.
1950 Returns true on success, false on failure. */
1951 static bool
1955 {
1962 /* We can only write packet records. */
1966 }
1968 /*
1969 * Make sure this packet doesn't have a link-layer type that
1970 * differs from the one for the file.
1971 */
1975 }
1977 /* Don't write anything we're not willing to read. */
1981 }
1983 /* NetXRay/Windows Sniffer files have a capture start date/time
1984 in the header, in a UNIX-style format, with one-second resolution,
1985 and a start time stamp with microsecond resolution that's just
1986 an arbitrary time stamp relative to some unknown time (boot
1987 time?), and have times relative to the start time stamp in
1988 the packet headers; pick the seconds value of the time stamp
1989 of the first packet as the UNIX-style start date/time, and make
1990 the high-resolution start time stamp 0, with the time stamp of
1991 packets being the delta between the stamp of the packet and
1992 the stamp of the first packet with the microseconds part 0. */
1995 /*
1996 * XXX - NetXRay ran on Windows, where MSVC's localtime()
1997 * can't handle time_t < 0, so *maybe* it makes sense
1998 * to allow time stamps up to 2^32-1 "seconds since the
1999 * Epoch", but maybe the start time in those files is
2000 * signed, in which case we should check against
2001 * INT32_MIN and INT32_MAX and make start_secs a
2002 * int32_t.
2003 */
2007 }
2009 }
2011 /* build the header for each packet */
2051 }
2056 /* write the packet data */
2063 }
2065 /* Finish writing to a dump file.
2066 Returns true on success, false on failure. */
2067 static bool
2069 {
2078 /* Go back to beginning */
2082 /* Rewrite the file header. */
2086 /* "sniffer" version ? */
2092 /* XXX - large files? */
2119 }
2126 /* Don't double-count the size of the file header */
2129 }
2132 /*
2133 * We support packet blocks, with no comments or other options.
2134 */
2136 };
2142 };
2145 /*
2146 * We support packet blocks, with no comments or other options.
2147 */
2149 };
2155 };
2158 /*
2159 * We support packet blocks, with no comments or other options.
2160 */
2162 };
2168 };
2171 /*
2172 * We support packet blocks, with no comments or other options.
2173 */
2175 };
2181 };
2184 {
2190 /*
2191 * Register names for backwards compatibility with the
2192 * wtap_filetypes table in Lua.
2193 */
2195 netxray_old_file_type_subtype);
2197 netxray_1_0_file_type_subtype);
2199 netxray_1_1_file_type_subtype);
2201 netxray_2_00x_file_type_subtype);
2202 }
2204 /*
2205 * Editor modelines - https://www.wireshark.org/tools/modelines.html
2206 *
2207 * Local variables:
2208 * c-basic-offset: 8
2209 * tab-width: 8
2210 * indent-tabs-mode: t
2211 * End:
2212 *
2213 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
2214 * :indentSize=8:tabSize=8:noTabs=false:
2215 */