| blob | ab94ded313f120422751d35f4bce7c0e62bd14d5 |
1 /* peekclassic.c
2 * Routines for opening files in what Savvius (formerly WildPackets) calls
3 * the classic file format in the description of their "PeekRdr Sample
4 * Application" (C++ source code to read their capture files, downloading
5 * of which requires a maintenance contract, so it's not free as in beer
6 * and probably not as in speech, either).
7 *
8 * As that description says, it's used by AiroPeek and AiroPeek NX prior
9 * to 2.0, EtherPeek prior to 6.0, and EtherPeek NX prior to 3.0. It
10 * was probably also used by TokenPeek.
11 *
12 * This handles versions 5, 6, and 7 of that format (the format version
13 * number is what appears in the file, and is distinct from the application
14 * version number).
15 *
16 * Copyright (c) 2001, Daniel Thompson <d.thompson@gmx.net>
17 *
18 * Wiretap Library
19 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
20 *
21 * SPDX-License-Identifier: GPL-2.0-or-later
22 */
27 #include <string.h>
29 #include <wsutil/epochs.h>
30 #include <wsutil/802_11-utils.h>
31 #include <wsutil/ws_assert.h>
36 /* CREDITS
37 *
38 * This file decoder could not have been written without examining how
39 * tcptrace (http://www.tcptrace.org/) handles EtherPeek files.
40 */
42 /* master header */
47 #define PEEKCLASSIC_MASTER_HDR_SIZE 2
49 /* secondary header (V5,V6,V7) */
62 #define PEEKCLASSIC_V567_HDR_SIZE 48
64 /* full header */
66 peekclassic_master_header_t master;
68 peekclassic_v567_header_t v567;
72 /*
73 * Packet header (V5, V6).
74 *
75 * NOTE: the time stamp, although it's a 32-bit number, is only aligned
76 * on a 16-bit boundary. (Does this date back to 68K Macs? The 68000
77 * only required 16-bit alignment of 32-bit quantities, as did the 68010,
78 * and the 68020/68030/68040 required no alignment.)
79 *
80 * As such, we cannot declare this as a C structure, as compilers on
81 * most platforms will put 2 bytes of padding before the time stamp to
82 * align it on a 32-bit boundary.
83 *
84 * So, instead, we #define numbers as the offsets of the fields.
85 */
86 #define PEEKCLASSIC_V56_LENGTH_OFFSET 0
87 #define PEEKCLASSIC_V56_SLICE_LENGTH_OFFSET 2
88 #define PEEKCLASSIC_V56_FLAGS_OFFSET 4
89 #define PEEKCLASSIC_V56_STATUS_OFFSET 5
90 #define PEEKCLASSIC_V56_TIMESTAMP_OFFSET 6
91 #define PEEKCLASSIC_V56_DESTNUM_OFFSET 10
92 #define PEEKCLASSIC_V56_SRCNUM_OFFSET 12
93 #define PEEKCLASSIC_V56_PROTONUM_OFFSET 14
94 #define PEEKCLASSIC_V56_PROTOSTR_OFFSET 16
95 #define PEEKCLASSIC_V56_FILTERNUM_OFFSET 24
96 #define PEEKCLASSIC_V56_PKT_SIZE 26
98 /* 64-bit time in micro seconds from the (Mac) epoch */
104 /*
105 * Packet header (V7).
106 *
107 * This doesn't have the same alignment problem, but we do it with
108 * #defines anyway.
109 */
110 #define PEEKCLASSIC_V7_PROTONUM_OFFSET 0
111 #define PEEKCLASSIC_V7_LENGTH_OFFSET 2
112 #define PEEKCLASSIC_V7_SLICE_LENGTH_OFFSET 4
113 #define PEEKCLASSIC_V7_FLAGS_OFFSET 6
114 #define PEEKCLASSIC_V7_STATUS_OFFSET 7
115 #define PEEKCLASSIC_V7_TIMESTAMP_OFFSET 8
116 #define PEEKCLASSIC_V7_PKT_SIZE 16
118 /*
119 * Flag bits.
120 */
130 /*
131 * Status bits.
132 */
162 {
163 peekclassic_header_t ep_hdr;
168 /* Peek classic files do not start with a magic value large enough
169 * to be unique; hence we use the following algorithm to determine
170 * the type of an unknown file:
171 * - populate the master header and reject file if there is no match
172 * - populate the secondary header and check that the reserved space
173 * is zero, and check some other fields; this isn't perfect,
174 * and we may have to add more checks at some point.
175 */
182 }
184 /*
185 * It appears that EtherHelp (a free application from WildPackets
186 * that did blind capture, saving to a file, so that you could
187 * give the resulting file to somebody with EtherPeek) saved
188 * captures in EtherPeek format except that it ORed the 0x80
189 * bit on in the version number.
190 *
191 * We therefore strip off the 0x80 bit in the version number.
192 * Perhaps there's some reason to care whether the capture
193 * came from EtherHelp; if we discover one, we should check
194 * that bit.
195 */
198 /* switch on the file version */
204 /* get the secondary header */
206 PEEKCLASSIC_V567_HDR_SIZE);
212 }
217 /* still unknown */
219 }
221 /*
222 * Check the mediaType and physMedium fields.
223 * We assume it's not a Peek classic file if
224 * these aren't values we know, rather than
225 * reporting them as invalid Peek classic files,
226 * as, given the lack of a magic number, we need
227 * all the checks we can get.
228 */
237 /*
238 * "Native" format, presumably meaning
239 * Ethernet or Token Ring.
240 */
252 /*
253 * Assume this isn't a Peek classic file.
254 */
256 }
263 /*
264 * 802.11, with a private header giving
265 * some radio information. Presumably
266 * this is from AiroPeek.
267 */
272 /*
273 * Assume this isn't a Peek classic file.
274 */
276 }
280 /*
281 * Assume this isn't a Peek classic file.
282 */
284 }
287 /*
288 * Assume this is a V5, V6 or V7 Peek classic file, and
289 * byte swap the rest of the fields in the secondary header.
290 *
291 * XXX - we could check the file length if the file were
292 * uncompressed, but it might be compressed.
293 */
309 /* Get the reference time as a time_t */
314 /*
315 * Assume this isn't a Peek classic file.
316 */
318 }
320 /*
321 * This is a Peek classic file.
322 *
323 * At this point we have recognised the file type and have populated
324 * the whole ep_hdr structure in host byte order.
325 */
346 /* this is impossible */
348 }
353 /*
354 * Add an IDB; we don't know how many interfaces were
355 * involved, so we just say one interface, about which
356 * we only know the link-layer type, snapshot length,
357 * and time stamp resolution.
358 */
362 }
366 {
371 /* Read the packet. */
377 /* Skip extra ignored data at the end of the packet. */
382 }
384 /* Records are padded to an even length, so if the slice length
385 is odd, read the padding byte. */
389 }
392 }
396 {
400 /* Read the packet. */
406 }
408 }
410 #define RADIO_INFO_SIZE 4
414 {
416 #if 0
418 #endif
432 /* Extract the fields from the packet */
433 #if 0
435 #endif
442 /* force sliceLength to be the actual length of the packet */
445 }
446 /*
447 * The maximum value of sliceLength and length are 65535, which
448 * are less than WTAP_MAX_PACKET_SIZE_STANDARD will ever be, so we don't
449 * need to check them.
450 */
452 /* fill in packet header values */
474 memset(&rec->rec_header.packet_header.pseudo_header.ieee_802_11, 0, sizeof(rec->rec_header.packet_header.pseudo_header.ieee_802_11));
480 /*
481 * Now process the radio information pseudo-header.
482 * It's a 4-byte pseudo-header, consisting of:
483 *
484 * 1 byte of data rate, in units of 500 kb/s;
485 *
486 * 1 byte of channel number;
487 *
488 * 1 byte of signal strength as a percentage of
489 * the maximum, i.e. (RXVECTOR RSSI/RXVECTOR RSSI_Max)*100,
490 * or, at least, that's what I infer it is, given what
491 * the WildPackets note "Converting Signal Strength
492 * Percentage to dBm Values" says (it also says that
493 * the conversion the percentage to a dBm value is
494 * an adapter-dependent process, so, as we don't know
495 * what type of adapter was used to do the capture,
496 * we can't do the conversion);
497 *
498 * 1 byte of unknown content (padding?).
499 */
500 if (rec->rec_header.packet_header.len < RADIO_INFO_SIZE || rec->rec_header.packet_header.caplen < RADIO_INFO_SIZE) {
504 }
509 /* read the pseudo-header */
522 /*
523 * We don't know they PHY, but we do have the data rate;
524 * try to guess it based on the data rate and channel.
525 */
527 /* 11b */
529 rec->rec_header.packet_header.pseudo_header.ieee_802_11.phy_info.info_11b.has_short_preamble = false;
531 /* 11a or 11g, depending on the band. */
533 /* 11g */
537 /* 11a */
539 rec->rec_header.packet_header.pseudo_header.ieee_802_11.phy_info.info_11a.has_channel_type = false;
540 rec->rec_header.packet_header.pseudo_header.ieee_802_11.phy_info.info_11a.has_turbo_type = false;
541 }
542 }
544 /*
545 * The last 4 bytes appear to be random data - the length
546 * might include the FCS - so we reduce the length by 4.
547 *
548 * Or maybe this is just the same kind of random 4 bytes
549 * of junk at the end you get in Wireless Sniffer
550 * captures.
551 */
556 }
562 /* XXX - it appears that if the low-order bit of
563 "status" is 0, there's an FCS in this frame,
564 and if it's 1, there's 4 bytes of 0. */
567 }
569 /* read the packet data */
574 }
578 {
581 /* read the packet */
586 /*
587 * XXX - is the captured packet data padded to a multiple
588 * of 2 bytes?
589 */
591 }
595 {
599 /* read the packet */
605 }
607 }
611 {
617 #if 0
619 #endif
621 #if 0
624 #endif
625 #if 0
628 #endif
634 /* Extract the fields from the packet */
638 #if 0
640 #endif
642 #if 0
648 #endif
650 /*
651 * XXX - is the captured packet data padded to a multiple
652 * of 2 bytes?
653 */
655 /* force sliceLength to be the actual length of the packet */
658 }
659 /*
660 * The maximum value of sliceLength and length are 65535, which
661 * are less than WTAP_MAX_PACKET_SIZE_STANDARD will ever be, so we don't
662 * need to check them.
663 */
665 /* fill in packet header values */
669 /* timestamp is in milliseconds since reference_time */
686 /* We assume there's no FCS in this frame. */
689 }
691 /* read the packet data */
693 }
696 /*
697 * We support packet blocks, with no comments or other options.
698 */
700 };
706 };
709 /*
710 * We support packet blocks, with no comments or other options.
711 */
713 };
719 };
722 {
726 /*
727 * Register names for backwards compatibility with the
728 * wtap_filetypes table in Lua.
729 */
731 peekclassic_v56_file_type_subtype);
733 peekclassic_v7_file_type_subtype);
734 }
736 /*
737 * Editor modelines - https://www.wireshark.org/tools/modelines.html
738 *
739 * Local variables:
740 * c-basic-offset: 8
741 * tab-width: 8
742 * indent-tabs-mode: t
743 * End:
744 *
745 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
746 * :indentSize=8:tabSize=8:noTabs=false:
747 */