| blob | 086bd4cfd0161feee0e533179c0d3a62b0c38f0c |
1 /* netxray.c
2 *
3 * Wiretap Library
4 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
5 *
6 * SPDX-License-Identifier: GPL-2.0-or-later
7 */
12 #include <string.h>
17 /* Capture file header, *including* magic number, is padded to 128 bytes. */
18 #define CAPTUREFILE_HEADER_SIZE 128
20 /* Magic number size, in both 1.x and later files. */
21 #define MAGIC_SIZE 4
23 /* Magic number in NetXRay 1.x files. */
26 };
28 /* Magic number in NetXRay 2.0 and later, and Windows Sniffer, files. */
31 };
33 /* NetXRay file header (minus magic number). */
34 /* */
35 /* As field usages are identified, please revise as needed */
36 /* Please do *not* use netxray_hdr xxx... names in the code */
37 /* (Placeholder names for all 'unknown' fields are */
38 /* of form xxx_x<hex_hdr_offset> */
39 /* where <hex_hdr_offset> *includes* the magic number) */
65 /* (realtick[1], realtick[2] also currently */
66 /* used as flag for 'FCS presence') */
79 /* positive values = west of UTC: */
80 /* negative values = east of UTC: */
81 /* e.g. +5 is American Eastern */
82 /* [Does not appear to be adjusted for DST ] */
83 };
85 /*
86 * Capture type, in hdr.captype.
87 *
88 * Values other than 0 are dependent on the network type.
89 * For Ethernet captures, it indicates the type of capture pod.
90 * For WAN captures (all of which are done with a pod), it indicates
91 * the link-layer type.
92 */
95 /*
96 * Ethernet capture types.
97 */
101 /* Captype 5 seen in capture from Distributed Sniffer with: */
102 /* Version 4.50.211 software */
103 /* SysKonnect SK-9843 Gigabit Ethernet Server Adapter */
104 #define ETH_CAPTYPE_GIGPOD2 6 /* gigabit Ethernet, captured with blade on S6040-model Sniffer */
106 /*
107 * WAN capture types.
108 */
124 /*
125 * # of ticks that equal 1 second, in version 002.xxx files other
126 * than Ethernet captures with a captype other than CAPTYPE_NDIS;
127 * the index into this array is hdr.timeunit.
128 *
129 * DO NOT SEND IN PATCHES THAT CHANGE ANY OF THE NON-ZERO VALUES IN
130 * ANY OF THE TpS TABLES. THOSE VALUES ARE CORRECT FOR AT LEAST ONE
131 * CAPTURE, SO CHANGING THEM WILL BREAK AT LEAST SOME CAPTURES. WE
132 * WILL NOT CHECK IN PATCHES THAT CHANGE THESE VALUES.
133 *
134 * Instead, if a value in a TpS table is wrong, check whether captype
135 * has a non-zero value; if so, perhaps we need a new TpS table for the
136 * corresponding network type and captype, or perhaps the 'realtick'
137 * field contains the correct ticks-per-second value.
138 *
139 * TpS...[] entries of 0.0 mean that no capture file for the
140 * corresponding captype/timeunit values has yet been seen, or that
141 * we're using the 'realtick' value.
142 *
143 * XXX - 05/29/07: For Ethernet captype = 0 (NDIS) and timeunit = 2:
144 * Perusal of a number of Sniffer captures
145 * (including those from Wireshark bug reports
146 * and those from the Wireshark 'menagerie')
147 * suggests that 'realtick' for this case
148 * contains the correct ticks/second to be used.
149 * So: we'll use realtick for Ethernet captype=0 and timeunit=2.
150 * (It might be that realtick should be used for Ethernet captype = 0
151 * and timeunit = 1 but I've not yet enough captures to be sure).
152 * Based upon the captures reviewed to date, realtick cannot be used for
153 * any of the other Ethernet captype/timeunit combinations for which there
154 * are non-zero values in the TpS tables.
155 *
156 * In at least one capture where "realtick" doesn't correspond
157 * to the value from the appropriate TpS table, the per-packet header's
158 * "xxx" field is all zero, so it's not as if a 2.x header includes
159 * a "compatibility" time stamp corresponding to the value from the
160 * TpS table and a "real" time stamp corresponding to "realtick".
161 *
162 * XXX - the item corresponding to timeunit = 2 is 1193180.0, presumably
163 * because somebody found it gave the right answer for some captures, but
164 * 3 times that, i.e. 3579540.0, appears to give the right answer for some
165 * other captures.
166 *
167 * Some captures have realtick of 1193182, some have 3579545, and some
168 * have 1193000. Most of those, in one set of captures somebody has,
169 * are wrong. (Did that mean "wrong for some capture files, but not
170 * for the files in which they occurred", or "wrong for the files in
171 * which they occurred? If it's "wrong for some capture files, but
172 * not for the files in which they occurred", perhaps those were Ethernet
173 * captures with a captype of 0 and timeunit = 2, so that we now use
174 * realtick, and perhaps that fixes the problems.)
175 *
176 * XXX - in at least one ATM capture, hdr.realtick is 1193180.0
177 * and hdr.timeunit is 0. Does that capture have a captype of
178 * CAPTYPE_ATM? If so, what should the table for ATM captures with
179 * that captype be?
180 */
182 #define NUM_NETXRAY_TIMEUNITS array_length(TpS)
184 /*
185 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_GIGPOD.
186 * 0.0 means "unknown".
187 *
188 * It appears that, at least for Ethernet captures, if captype is
189 * ETH_CAPTYPE_GIGPOD, that indicates that it's a gigabit Ethernet
190 * capture, possibly from a special whizzo gigabit pod, and also
191 * indicates that the time stamps have some higher resolution than
192 * in other captures, possibly thanks to a high-resolution timer
193 * on the pod.
194 *
195 * It also appears that the time units might differ for gigabit pod
196 * captures between version 002.001 and 002.002. For 002.001,
197 * the values below are correct; for 002.002, it's claimed that
198 * the right value for TpS_gigpod[2] is 1250000.0, but at least one
199 * 002.002 gigabit pod capture has 31250000.0 as the right value.
200 * XXX: Note that the TpS_otherpod[2] value is 1250000.0; It seems
201 * reasonable to suspect that the original claim might actually
202 * have been for a capture with a captype of 'otherpod'.
203 * (Based upon captures reviewed realtick does not contain the
204 * correct TpS values for the 'gigpod' captype).
205 */
207 #define NUM_NETXRAY_TIMEUNITS_GIGPOD array_length(TpS_gigpod)
209 /*
210 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_OTHERPOD.
211 * (Based upon captures reviewed realtick does not contain the
212 * correct TpS values for the 'otherpod' captype).
213 */
215 #define NUM_NETXRAY_TIMEUNITS_OTHERPOD array_length(TpS_otherpod)
217 /*
218 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_OTHERPOD2.
219 * (Based upon captures reviewed realtick does not contain the
220 * correct TpS values for the 'otherpod2' captype).
221 */
223 #define NUM_NETXRAY_TIMEUNITS_OTHERPOD2 array_length(TpS_otherpod2)
225 /*
226 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_GIGPOD2.
227 * (Based upon captures reviewed realtick does not contain the
228 * correct TpS values for the 'gigpod2' captype).
229 */
231 #define NUM_NETXRAY_TIMEUNITS_GIGPOD2 array_length(TpS_gigpod2)
233 /* Version number strings. */
236 };
240 };
244 };
248 };
252 };
256 };
258 /* Old NetXRay data record format - followed by frame data. */
264 };
266 /* NetXRay format version 1.x data record format - followed by frame data. */
273 };
275 /*
276 * NetXRay format version 2.x data record format - followed by frame data.
277 *
278 * The xxx fields appear to be:
279 *
280 * xxx[0]: ATM traffic type and subtype in the low 3 bits of
281 * each nibble, and flags(?) in the upper bit of each nibble.
282 * Always 0 for 802.11?
283 *
284 * xxx[1]: Always 0 for 802.11?
285 *
286 * xxx[2], xxx[3]: for Ethernet, 802.11, ISDN LAPD, LAPB,
287 * Frame Relay, if both are 0xff, there are 4 bytes of stuff
288 * at the end of the packet data, which might be an FCS or
289 * which might be junk to discard.
290 *
291 * xxx[4-7]: Always 0 for 802.11?
292 *
293 * xxx[8], xxx[9]: 2 bytes of a flag word? If treated as
294 * a 2-byte little-endian flag word:
295 *
296 * 0x0001: Error of some sort, including bad CRC, although
297 * in one ISDN capture it's set in some B2 channel
298 * packets of unknown content (as opposed to the B1
299 * traffic in the capture, which is PPP)
300 * 0x0002: Seen in 802.11 - short preamble? Bad CRC?
301 * 0x0004: Some particular type of error?
302 * 0x0008: For (Gigabit?) Ethernet (with special probe?),
303 * 4 bytes at end are junk rather than CRC?
304 * 0x0100: CRC error on ATM? Protected and Not decrypted
305 * for 802.11? Bad CRC? Short preamble?
306 * 0x0200: Something for ATM? Something else for 802.11?
307 * 0x0400: raw ATM cell
308 * 0x0800: OAM cell?
309 * 0x2000: port on which the packet was captured?
310 *
311 * The Sniffer Portable 4.8 User's Guide lists a set of packet status
312 * flags including:
313 *
314 * packet is marked;
315 * packet was captured from Port A on the pod or adapter card;
316 * packet was captured from Port B on the pod or adapter card;
317 * packet has a symptom or diagnosis associated with it;
318 * packet is an event filter trigger;
319 * CRC error packet with normal packet size;
320 * CRC error packet with oversize error;
321 * packet size < 64 bytes (including CRC) but with valid CRC;
322 * packet size < 64 bytes (including CRC) with CRC error;
323 * packet size > 1518 bytes (including CRC) but with valid CRC;
324 * packet damaged by a collision;
325 * packet length not a multiple of 8 bits;
326 * address conflict in the ring on Token Ring;
327 * packet is not copied (received) by the destination host on
328 * Token Ring;
329 * AAL5 length error;
330 * AAL5 maximum segments error;
331 * ATM timeout error;
332 * ATM buffer error;
333 * ATM unknown error;
334 * and a ton of AAL2 errors.
335 *
336 * Not all those bits necessarily correspond to flag bits in the file,
337 * but some might.
338 *
339 * In one ATM capture, the 0x2000 bit was set for all frames; in another,
340 * it's unset for all frames. This, plus the ATMbook having two ports,
341 * suggests that it *might* be a "port A vs. port B" flag.
342 *
343 * The 0x0001 bit appears to be set for CRC errors on Ethernet and 802.11.
344 * It also appears to be set on ATM for AAL5 PDUs that appear to be
345 * completely reassembled and that have a CRC error and for frames that
346 * appear to be part of a full AAL5 PDU. In at least two files with
347 * frames of the former type, the 0x0100 and 0x0200 flags are set;
348 * in at least one file with frames of the latter type, neither of
349 * those flags are set.
350 *
351 * The field appears to be somewhat random in some captures,
352 * however.
353 *
354 * xxx[10]: for 802.11, always 0?
355 *
356 * xxx[11]: for 802.11, 0x05 if the packet is WEP-encrypted(?).
357 *
358 * xxx[12]: for 802.11, channel number.
359 *
360 * xxx[13]: for 802.11, data rate, in 500 Kb/s units.
361 *
362 * xxx[14]: for 802.11, signal strength.
363 *
364 * xxx[15]: for 802.11, noise level; 0xFF means none reported,
365 * 0x7F means 100%.
366 *
367 * xxx[16-19]: for 802.11, PHY header, at least for {HR/}DSSS,
368 * in at least one capture.
369 * In another capture, xxx[16] appears to be the
370 * data rate in 500 Kb/s units
371 * Chip-dependent stuff?
372 *
373 * xxx[20-25]: for 802.11, MAC address of sending machine(?).
374 *
375 * xxx[26]: for 802.11, one of 0x00, 0x01, 0x03, or 0x0b?
376 *
377 * xxx[27]: for 802.11, one of 0x00 or 0x30?
378 */
385 };
387 /*
388 * Union of the data record headers.
389 */
394 };
435 wtap_open_return_val
437 {
447 WTAP_ENCAP_UNKNOWN,
448 WTAP_ENCAP_ETHERNET,
449 WTAP_ENCAP_TOKEN_RING,
450 WTAP_ENCAP_FDDI_BITSWAPPED,
451 /*
452 * XXX - some PPP captures may look like Ethernet,
453 * perhaps because they're using NDIS to capture on the
454 * same machine and it provides simulated-Ethernet
455 * packets, but captures taken with various serial
456 * pods use the same network type value but aren't
457 * shaped like Ethernet. We handle that below.
458 */
465 WTAP_ENCAP_IEEE_802_11_WITH_RADIO,
466 /* Wireless WAN with radio information */
467 WTAP_ENCAP_UNKNOWN /* IrDA */
468 };
469 #define NUM_NETXRAY_ENCAPS array_length(netxray_encap)
474 /* Read in the string that should be at the start of a NetXRay
475 * file */
480 }
488 }
490 /* Read the rest of the header. */
499 /* It appears that version 1.1 files (as produced by Windows
500 * Sniffer Pro 2.0.01) have the time stamp in microseconds,
501 * rather than the milliseconds version 1.0 files appear to
502 * have.
503 *
504 * It also appears that version 2.00x files have per-packet
505 * headers with some extra fields. */
534 }
535 }
540 /*
541 * The byte after hdr.network is usually 0, in which case
542 * the hdr.network byte is an NDIS network type value - 1.
543 */
548 /*
549 * However, in some Ethernet captures, it's 2, and the
550 * hdr.network byte is 1 rather than 0. We assume
551 * that if there's a byte after hdr.network with the value
552 * 2, the hdr.network byte is an NDIS network type, rather
553 * than an NDIS network type - 1.
554 */
560 *err_info = ws_strdup_printf("netxray: the byte after the network type has the value %u, which I don't understand",
563 }
571 }
573 /*
574 * Figure out the time stamp units and start time stamp.
575 */
590 /*
591 * In version 1.1 files (as produced by Windows
592 * Sniffer Pro 2.0.01), the time stamp is in
593 * microseconds, rather than the milliseconds
594 * time stamps in NetXRay and older versions
595 * of Windows Sniffer.
596 */
602 /* "Can't happen" - we rejected that above */
607 }
609 /*
610 * Get the time stamp units from the appropriate TpS
611 * table or from the file header.
612 */
616 /*
617 * Ethernet - the table to use depends on whether
618 * this is an NDIS or pod capture.
619 */
629 }
630 /*
631 XXX: 05/29/07: Use 'realtick' instead of TpS table if timeunit=2;
632 Using 'realtick' in this case results
633 in the correct 'ticks per second' for all the captures that
634 I have of this type (including captures from a number of Wireshark
635 bug reports).
636 */
639 }
642 }
653 }
656 /*
657 * At least for 002.002 and 002.003
658 * captures, the start time stamp is 0,
659 * not the value in the file.
660 */
673 }
676 /*
677 * At least for 002.002 and 002.003
678 * captures, the start time stamp is 0,
679 * not the value in the file.
680 */
693 }
695 /*
696 * XXX: start time stamp in the one capture file examined of this type was 0;
697 * We'll assume the start time handling is the same as for other pods.
698 *
699 * At least for 002.002 and 002.003
700 * captures, the start time stamp is 0,
701 * not the value in the file.
702 */
715 }
717 /*
718 * XXX: start time stamp in the one capture file examined of this type was 0;
719 * We'll assume the start time handling is the same as for other pods.
720 *
721 * At least for 002.002 and 002.003
722 * captures, the start time stamp is 0,
723 * not the value in the file.
724 */
735 }
746 }
749 }
751 /*
752 * If the number of ticks per second is greater than
753 * 1 million, make the precision be nanoseconds rather
754 * than microseconds.
755 *
756 * XXX - do values only slightly greater than one million
757 * correspond to a resolution sufficiently better than
758 * 1 microsecond to display more digits of precision?
759 * XXX - Seems reasonable to use nanosecs only if TPS >= 10M
760 */
763 else
766 /* "Can't happen" - we rejected that above */
771 }
775 /*
776 * In version 0 and 1, we assume, for now, that all
777 * WAN captures have frames that look like Ethernet
778 * frames (as a result, presumably, of having passed
779 * through NDISWAN).
780 *
781 * In version 2, it looks as if there's stuff in the
782 * file header to specify what particular type of WAN
783 * capture we have.
784 */
789 /*
790 * PPP.
791 */
796 /*
797 * Frame Relay.
798 *
799 * XXX - in at least one capture, this
800 * is Cisco HDLC, not Frame Relay, but
801 * in another capture, it's Frame Relay.
802 *
803 * [Bytes in each capture:
804 * Cisco HDLC: hdr.xxx_x60[06:10]: 0x02 0x00 0x01 0x00 0x06
805 * Frame Relay: hdr.xxx_x60[06:10] 0x00 0x00 0x00 0x00 0x00
807 * Cisco HDLC: hdr.xxx_x60[14:15]: 0xff 0xff
808 * Frame Relay: hdr.xxx_x60[14:15]: 0x00 0x00
809 * ]
810 */
816 /*
817 * Various HDLC flavors?
818 */
822 /*
823 * XXX - at least one capture of
824 * this type appears to be PPP.
825 */
838 *err_info = ws_strdup_printf("netxray: WAN HDLC capture subsubtype 0x%02x unknown or unsupported",
841 }
845 /*
846 * SDLC.
847 */
852 /*
853 * Cisco router (CHDLC) captured with pod
854 */
863 }
869 /* This is a netxray file */
882 /*
883 * If frames have an extra 4 bytes of stuff at the end, is
884 * it an FCS, or just junk?
885 */
893 /*
894 * It appears that, in at least some version 2 Ethernet
895 * captures, for frames that have 0xff in hdr_2_x.xxx[2]
896 * and hdr_2_x.xxx[3] in the per-packet header:
897 *
898 * if, in the file header, hdr.realtick[1] is 0x34
899 * and hdr.realtick[2] is 0x12, the frames have an
900 * FCS at the end;
901 *
902 * otherwise, they have 4 bytes of junk at the end.
903 *
904 * Yes, it's strange that you have to check the *middle*
905 * of the time stamp field; you can't check for any
906 * particular value of the time stamp field.
907 *
908 * For now, we assume that to be true for 802.11 captures
909 * as well; it appears to be the case for at least one
910 * such capture - the file doesn't have 0x34 and 0x12,
911 * and the 4 bytes at the end of the frames with 0xff
912 * are junk, not an FCS.
913 *
914 * For ISDN captures, it appears, at least in some
915 * captures, to be similar, although I haven't yet
916 * checked whether it's a valid FCS.
917 *
918 * XXX - should we do this for all encapsulation types?
919 *
920 * XXX - is there some other field that *really* indicates
921 * whether we have an FCS or not? The check of the time
922 * stamp is bizarre, as we're checking the middle.
923 * Perhaps hdr.realtick[0] is 0x00, in which case time
924 * stamp units in the range 1192960 through 1193215
925 * correspond to captures with an FCS, but that's still
926 * a bit bizarre.
927 *
928 * Note that there are captures with a network type of 0
929 * (Ethernet) and capture type of 0 (NDIS) that do, and
930 * that don't, have 0x34 0x12 in them, and at least one
931 * of the NDIS captures with 0x34 0x12 in it has FCSes,
932 * so it's not as if no NDIS captures have an FCS.
933 *
934 * There are also captures with a network type of 4 (WAN),
935 * capture type of 6 (HDLC), and subtype of 2 (T1 PRI) that
936 * do, and that don't, have 0x34 0x12, so there are at least
937 * some captures taken with a WAN pod that might lack an FCS.
938 * (We haven't yet tried dissecting the 4 bytes at the
939 * end of packets with hdr_2_x.xxx[2] and hdr_2_x.xxx[3]
940 * equal to 0xff as an FCS.)
941 *
942 * All captures I've seen that have 0x34 and 0x12 *and*
943 * have at least one frame with an FCS have a value of
944 * 0x01 in xxx_x40[4]. No captures I've seen with a network
945 * type of 0 (Ethernet) missing 0x34 0x12 have 0x01 there,
946 * however. However, there's at least one capture
947 * without 0x34 and 0x12, with a network type of 0,
948 * and with 0x01 in xxx_x40[4], *without* FCSes in the
949 * frames - the 4 bytes at the end are all zero - so it's
950 * not as simple as "xxx_x40[4] = 0x01 means the 4 bytes at
951 * the end are FCSes". Also, there's also at least one
952 * 802.11 capture with an xxx_x40[4] value of 0x01 with junk
953 * rather than an FCS at the end of the frame, so xxx_x40[4]
954 * isn't an obvious flag to determine whether the
955 * capture has FCSes.
956 *
957 * There don't seem to be any other values in any of the
958 * xxx_x5..., xxx_x6...., xxx_x7.... fields
959 * that obviously correspond to frames having an FCS.
960 *
961 * 05/29/07: Examination of numerous sniffer captures suggests
962 * that the apparent correlation of certain realtick
963 * bytes to 'FCS presence' may actually be
964 * a 'false positive'.
965 * ToDo: Review analysis and update code.
966 * It might be that the ticks-per-second value
967 * is hardware-dependent, and that hardware with
968 * a particular realtick value puts an FCS there
969 * and other hardware doesn't.
970 */
974 }
976 }
978 /*
979 * Remember the ISDN type, as we need it to interpret the
980 * channel number in ISDN captures.
981 */
984 /* Remember the offset after the last packet in the capture (which
985 * isn't necessarily the last packet in the file), as it appears
986 * there's sometimes crud after it.
987 * XXX: Remember 'start_offset' to help testing for 'short file' at EOF
988 */
994 /* Seek to the beginning of the data records. */
997 }
999 /*
1000 * Add an IDB; we don't know how many interfaces were
1001 * involved, so we just say one interface, about which
1002 * we only know the link-layer type, snapshot length,
1003 * and time stamp resolution.
1004 */
1008 }
1010 /* Read the next packet */
1011 static bool
1014 {
1018 reread:
1019 /*
1020 * Return the offset of the record header, so we can reread it
1021 * if we go back to this frame.
1022 */
1025 /* Have we reached the end of the packet data? */
1027 /* Yes. */
1030 }
1032 /* Read and process record header. */
1035 /*
1036 * Error or EOF.
1037 */
1039 /*
1040 * Error of some sort; give up.
1041 */
1043 }
1045 /* We're at EOF. Wrap?
1046 * XXX: Need to handle 'short file' cases
1047 * (Distributed Sniffer seems to have a
1048 * certain small propensity to generate 'short' files
1049 * i.e. [many] bytes are missing from the end of the file)
1050 * case 1: start_offset < end_offset
1051 * wrap will read already read packets again;
1052 * so: error with "short file"
1053 * case 2: start_offset > end_offset ("circular" file)
1054 * wrap will mean there's a gap (missing packets).
1055 * However, I don't see a good way to identify this
1056 * case so we'll just have to allow the wrap.
1057 * (Maybe there can be an error message after all
1058 * packets are read since there'll be less packets than
1059 * specified in the file header).
1060 * Note that these cases occur *only* if a 'short' eof occurs exactly
1061 * at the expected beginning of a frame header record; If there is a
1062 * partial frame header (or partial frame data) record, then the
1063 * netxray_read... functions will detect the short record.
1064 */
1068 }
1071 /* Yes. Remember that we did. */
1077 }
1079 /* We've already wrapped - don't wrap again. */
1081 }
1083 /*
1084 * Read the packet data.
1085 */
1090 /*
1091 * If there's extra stuff at the end of the record, skip it.
1092 */
1096 /*
1097 * If it's an ATM packet, and we don't have enough information
1098 * from the packet header to determine its type or subtype,
1099 * attempt to guess them from the packet data.
1100 */
1103 }
1105 static bool
1109 {
1116 /*
1117 * EOF - we report that as a short read, as
1118 * we've read this once and know that it
1119 * should be there.
1120 */
1122 }
1124 }
1126 /*
1127 * Read the packet data.
1128 */
1130 err_info))
1133 /*
1134 * If it's an ATM packet, and we don't have enough information
1135 * from the packet header to determine its type or subtype,
1136 * attempt to guess them from the packet data.
1137 */
1140 }
1142 static int
1145 {
1153 /* Read record header. */
1167 }
1169 /*
1170 * If *err is 0, we're at EOF. *err being 0 and a return
1171 * value of -1 tells our caller we're at EOF.
1172 *
1173 * Otherwise, we got an error, and *err *not* being 0
1174 * and a return value tells our caller we have an error.
1175 */
1177 }
1179 /*
1180 * If this is Ethernet, 802.11, ISDN, X.25, or ATM, set the
1181 * pseudo-header.
1182 */
1189 /*
1190 * XXX - if hdr_1_x.xxx[15] is 1
1191 * the frame appears not to have any extra
1192 * stuff at the end, but if it's 0,
1193 * there appears to be 4 bytes of stuff
1194 * at the end, but it's not an FCS.
1195 *
1196 * Or is that just the low-order bit?
1197 *
1198 * For now, we just say "no FCS".
1199 */
1202 }
1209 /*
1210 * It appears, at least with version 2 captures,
1211 * that we have 4 bytes of stuff (which might be
1212 * a valid FCS or might be junk) at the end of
1213 * the packet if hdr_2_x.xxx[2] and
1214 * hdr_2_x.xxx[3] are 0xff, and we don't if
1215 * they don't.
1216 *
1217 * It also appears that if the low-order bit of
1218 * hdr_2_x.xxx[8] is set, the packet has a
1219 * bad FCS.
1220 */
1223 /*
1224 * We have 4 bytes of stuff at the
1225 * end of the frame - FCS, or junk?
1226 */
1228 /*
1229 * FCS.
1230 */
1233 /*
1234 * Junk.
1235 */
1237 }
1243 /*
1244 * It appears, in one 802.11 capture, that
1245 * we have 4 bytes of junk at the ends of
1246 * frames in which hdr_2_x.xxx[2] and
1247 * hdr_2_x.xxx[3] are 0xff; I haven't
1248 * seen any frames where it's an FCS, but,
1249 * for now, we still check the fcs_valid
1250 * flag - I also haven't seen any capture
1251 * where we'd set it based on the realtick
1252 * value.
1253 *
1254 * It also appears that if the low-order bit of
1255 * hdr_2_x.xxx[8] is set, the packet has a
1256 * bad FCS. According to Ken Mann, the 0x4 bit
1257 * is sometimes also set for errors.
1258 *
1259 * Ken also says that xxx[11] is 0x5 when the
1260 * packet is WEP-encrypted.
1261 */
1262 memset(&rec->rec_header.packet_header.pseudo_header.ieee_802_11, 0, sizeof(rec->rec_header.packet_header.pseudo_header.ieee_802_11));
1265 /*
1266 * We have 4 bytes of stuff at the
1267 * end of the frame - FCS, or junk?
1268 */
1270 /*
1271 * FCS.
1272 */
1275 /*
1276 * Junk.
1277 */
1279 }
1287 /*
1288 * XXX - any other information, such as PHY
1289 * type, frequency, 11n/11ac information,
1290 * etc.?
1291 */
1304 /*
1305 * According to Ken Mann, at least in the captures
1306 * he's seen, xxx[15] is the noise level, which
1307 * is either 0xFF meaning "none reported" or a value
1308 * from 0x00 to 0x7F for 0 to 100%.
1309 */
1314 }
1318 /*
1319 * ISDN.
1320 *
1321 * The bottommost bit of byte 12 of hdr_2_x.xxx
1322 * is the direction flag.
1323 *
1324 * The bottom 5 bits of byte 13 of hdr_2_x.xxx
1325 * are the channel number, but some mapping is
1326 * required for PRI. (Is it really just the time
1327 * slot?)
1328 */
1336 /*
1337 * E1 PRI. Channel numbers 0 and 16
1338 * are the D channel; channel numbers 1
1339 * through 15 are B1 through B15; channel
1340 * numbers 17 through 31 are B16 through
1341 * B31.
1342 */
1350 /*
1351 * T1 PRI. Channel numbers 0 and 24
1352 * are the D channel; channel numbers 1
1353 * through 23 are B1 through B23.
1354 */
1360 }
1362 /*
1363 * It appears, at least with version 2 captures,
1364 * that we have 4 bytes of stuff (which might be
1365 * a valid FCS or might be junk) at the end of
1366 * the packet if hdr_2_x.xxx[2] and
1367 * hdr_2_x.xxx[3] are 0xff, and we don't if
1368 * they don't.
1369 *
1370 * XXX - does the low-order bit of hdr_2_x.xxx[8]
1371 * indicate a bad FCS, as is the case with
1372 * Ethernet?
1373 */
1376 /*
1377 * FCS, or junk, at the end.
1378 * XXX - is it an FCS if "fcs_valid" is
1379 * true?
1380 */
1382 }
1387 /*
1388 * LAPB/X.25 and Frame Relay.
1389 *
1390 * The bottommost bit of byte 12 of hdr_2_x.xxx
1391 * is the direction flag. (Probably true for other
1392 * HDLC encapsulations as well.)
1393 */
1397 /*
1398 * It appears, at least with version 2 captures,
1399 * that we have 4 bytes of stuff (which might be
1400 * a valid FCS or might be junk) at the end of
1401 * the packet if hdr_2_x.xxx[2] and
1402 * hdr_2_x.xxx[3] are 0xff, and we don't if
1403 * they don't.
1404 *
1405 * XXX - does the low-order bit of hdr_2_x.xxx[8]
1406 * indicate a bad FCS, as is the case with
1407 * Ethernet?
1408 */
1411 /*
1412 * FCS, or junk, at the end.
1413 * XXX - is it an FCS if "fcs_valid" is
1414 * true?
1415 */
1417 }
1428 /*
1429 * XXX - the low-order bit of hdr_2_x.xxx[8]
1430 * seems to indicate some sort of error. In
1431 * at least one capture, a number of packets
1432 * have that flag set, and they appear either
1433 * to be the beginning part of an incompletely
1434 * reassembled AAL5 PDU, with either checksum
1435 * errors at higher levels (possibly due to
1436 * the packet being reported as shorter than
1437 * it actually is, and checksumming failing
1438 * because it doesn't include all the data)
1439 * or "Malformed frame" errors from being
1440 * too short, or appear to be later parts
1441 * of an incompletely reassembled AAL5 PDU
1442 * with the last one in a sequence of errors
1443 * having what looks like an AAL5 trailer,
1444 * with a length and checksum.
1445 *
1446 * Does it just mean "reassembly failed",
1447 * as appears to be the case in those
1448 * packets, or does it mean "CRC error"
1449 * at the AAL5 layer (which would be the
1450 * case if you were treating an incompletely
1451 * reassembled PDU as a completely reassembled
1452 * PDU, although you'd also expect a length
1453 * error in that case), or does it mean
1454 * "generic error", with some other flag
1455 * or flags indicating what particular
1456 * error occurred? The documentation
1457 * for Sniffer Pro 4.7 indicates a bunch
1458 * of different error types, both in general
1459 * and for ATM in particular.
1460 *
1461 * No obvious bits in hdr_2_x.xxx appear
1462 * to be additional flags of that sort.
1463 *
1464 * XXX - in that capture, I see several
1465 * reassembly errors in a row; should those
1466 * packets be reassembled in the ATM dissector?
1467 * What happens if a reassembly fails because
1468 * a cell is bad?
1469 */
1473 /*
1474 * XXX - is 0x08 an "OAM cell" flag?
1475 * Are the 0x01 and 0x02 bits error indications?
1476 * Some packets in one capture that have the
1477 * 0x01 bit set in hdr_2_x.xxx[8] and that
1478 * appear to have been reassembled completely
1479 * but have a bad CRC have 0x03 in hdr_2_x.xxx[9]
1480 * (and don't have the 0x20 bit set).
1481 *
1482 * In the capture with incomplete reassemblies,
1483 * all packets have the 0x20 bit set. In at
1484 * least some of the captures with complete
1485 * reassemblies with CRC errors, no packets
1486 * have the 0x20 bit set.
1487 *
1488 * Are hdr_2_x.xxx[8] and hdr_2_x.xxx[9] a 16-bit
1489 * flag field?
1490 */
1499 /*
1500 * XXX - the uppermost bit of hdr_2_xxx[0]
1501 * looks as if it might be a flag of some sort.
1502 * The remaining 3 bits appear to be an AAL
1503 * type - 5 is, surprise surprise, AAL5.
1504 */
1536 /*
1537 * XXX - is the 0x08 bit of hdr_2_x.xxx[0]
1538 * a flag? I've not yet seen a case where
1539 * it matters.
1540 */
1558 /*
1559 * I've seen a frame with type
1560 * 0x30 and subtype 0x08 that
1561 * was LANE 802.3, a frame
1562 * with type 0x30 and subtype
1563 * 0x04 that was LANE 802.3,
1564 * and another frame with type
1565 * 0x30 and subtype 0x08 that
1566 * was junk with a string in
1567 * it that had also appeared
1568 * in some CDP and LE Control
1569 * frames, and that was preceded
1570 * by a malformed LE Control
1571 * frame - was that a reassembly
1572 * failure?
1573 *
1574 * I've seen frames with type
1575 * 0x50 and subtype 0x0c, some
1576 * of which were LE Control
1577 * frames, and at least one
1578 * of which was neither an LE
1579 * Control frame nor a LANE
1580 * 802.3 frame, and contained
1581 * the string "ForeThought_6.2.1
1582 * Alpha" - does that imply
1583 * FORE's own encapsulation,
1584 * or was this a reassembly failure?
1585 * The latter frame was preceded
1586 * by a malformed LE Control
1587 * frame.
1588 *
1589 * I've seen a couple of frames
1590 * with type 0x60 and subtype 0x00,
1591 * one of which was LANE 802.3 and
1592 * one of which was LE Control.
1593 * I've seen one frame with type
1594 * 0x60 and subtype 0x0c, which
1595 * was LANE 802.3.
1596 *
1597 * I've seen a couple of frames
1598 * with type 0x70 and subtype 0x00,
1599 * both of which were LANE 802.3.
1600 */
1614 }
1616 }
1618 }
1620 }
1633 /*
1634 * We subtract the padding from the packet size, so our caller
1635 * doesn't see it.
1636 */
1649 /*
1650 * We subtract the padding from the packet size, so our caller
1651 * doesn't see it.
1652 */
1656 }
1659 }
1661 static void
1663 {
1669 /*
1670 * Try to guess the type and subtype based
1671 * on the VPI/VCI and packet contents.
1672 */
1677 /*
1678 * Try to guess the subtype based on the
1679 * packet contents.
1680 */
1683 }
1684 }
1685 }
1701 };
1702 #define NUM_WTAP_ENCAPS_1_1 array_length(wtap_encap_1_1)
1704 static int
1706 {
1712 }
1715 }
1717 /* Returns 0 if we could write the specified encapsulation type,
1718 an error indication otherwise. */
1719 static int
1721 {
1722 /* Per-packet encapsulations aren't supported. */
1730 }
1732 /* Returns true on success, false on failure; sets "*err" to an error code on
1733 failure */
1734 static bool
1736 {
1742 /* We can't fill in all the fields in the file header, as we
1743 haven't yet written any packets. As we'll have to rewrite
1744 the header when we've written out all the packets, we just
1745 skip over the header for now. */
1757 }
1759 /* Write a record for a packet to a dump file.
1760 Returns true on success, false on failure. */
1761 static bool
1765 {
1771 /* We can only write packet records. */
1775 }
1777 /*
1778 * Make sure this packet doesn't have a link-layer type that
1779 * differs from the one for the file.
1780 */
1784 }
1786 /* The captured length field is 16 bits, so there's a hard
1787 limit of 65535. */
1791 }
1793 /* NetXRay/Windows Sniffer files have a capture start date/time
1794 in the header, in a UNIX-style format, with one-second resolution,
1795 and a start time stamp with microsecond resolution that's just
1796 an arbitrary time stamp relative to some unknown time (boot
1797 time?), and have times relative to the start time stamp in
1798 the packet headers; pick the seconds value of the time stamp
1799 of the first packet as the UNIX-style start date/time, and make
1800 the high-resolution start time stamp 0, with the time stamp of
1801 packets being the delta between the stamp of the packet and
1802 the stamp of the first packet with the microseconds part 0. */
1805 /*
1806 * XXX - NetXRay ran on Windows, where MSVC's localtime()
1807 * can't handle time_t < 0, so *maybe* it makes sense
1808 * to allow time stamps up to 2^32-1 "seconds since the
1809 * Epoch", but maybe the start time in those files is
1810 * signed, in which case we should check against
1811 * INT32_MIN and INT32_MAX and make start_secs a
1812 * int32_t.
1813 */
1817 }
1819 }
1821 /* build the header for each packet */
1835 /* write the packet data */
1842 }
1844 /* Finish writing to a dump file.
1845 Returns true on success, false on failure. */
1846 static bool
1848 {
1857 /* Go back to beginning */
1861 /* Rewrite the file header. */
1865 /* "sniffer" version ? */
1871 /* XXX - large files? */
1882 /* Don't double-count the size of the file header */
1885 }
1899 };
1900 #define NUM_WTAP_ENCAPS_2_0 array_length(wtap_encap_2_0)
1902 static int
1904 {
1910 }
1913 }
1915 /* Returns 0 if we could write the specified encapsulation type,
1916 an error indication otherwise. */
1917 static int
1919 {
1920 /* Per-packet encapsulations aren't supported. */
1928 }
1930 /* Returns true on success, false on failure; sets "*err" to an error code on
1931 failure */
1932 static bool
1934 {
1940 /* We can't fill in all the fields in the file header, as we
1941 haven't yet written any packets. As we'll have to rewrite
1942 the header when we've written out all the packets, we just
1943 skip over the header for now. */
1955 }
1957 /* Write a record for a packet to a dump file.
1958 Returns true on success, false on failure. */
1959 static bool
1963 {
1970 /* We can only write packet records. */
1974 }
1976 /*
1977 * Make sure this packet doesn't have a link-layer type that
1978 * differs from the one for the file.
1979 */
1983 }
1985 /* Don't write anything we're not willing to read. */
1989 }
1991 /* NetXRay/Windows Sniffer files have a capture start date/time
1992 in the header, in a UNIX-style format, with one-second resolution,
1993 and a start time stamp with microsecond resolution that's just
1994 an arbitrary time stamp relative to some unknown time (boot
1995 time?), and have times relative to the start time stamp in
1996 the packet headers; pick the seconds value of the time stamp
1997 of the first packet as the UNIX-style start date/time, and make
1998 the high-resolution start time stamp 0, with the time stamp of
1999 packets being the delta between the stamp of the packet and
2000 the stamp of the first packet with the microseconds part 0. */
2003 /*
2004 * XXX - NetXRay ran on Windows, where MSVC's localtime()
2005 * can't handle time_t < 0, so *maybe* it makes sense
2006 * to allow time stamps up to 2^32-1 "seconds since the
2007 * Epoch", but maybe the start time in those files is
2008 * signed, in which case we should check against
2009 * INT32_MIN and INT32_MAX and make start_secs a
2010 * int32_t.
2011 */
2015 }
2017 }
2019 /* build the header for each packet */
2059 }
2064 /* write the packet data */
2071 }
2073 /* Finish writing to a dump file.
2074 Returns true on success, false on failure. */
2075 static bool
2077 {
2086 /* Go back to beginning */
2090 /* Rewrite the file header. */
2094 /* "sniffer" version ? */
2100 /* XXX - large files? */
2127 }
2134 /* Don't double-count the size of the file header */
2137 }
2140 /*
2141 * We support packet blocks, with no comments or other options.
2142 */
2144 };
2150 };
2153 /*
2154 * We support packet blocks, with no comments or other options.
2155 */
2157 };
2163 };
2166 /*
2167 * We support packet blocks, with no comments or other options.
2168 */
2170 };
2176 };
2179 /*
2180 * We support packet blocks, with no comments or other options.
2181 */
2183 };
2189 };
2192 {
2198 /*
2199 * Register names for backwards compatibility with the
2200 * wtap_filetypes table in Lua.
2201 */
2203 netxray_old_file_type_subtype);
2205 netxray_1_0_file_type_subtype);
2207 netxray_1_1_file_type_subtype);
2209 netxray_2_00x_file_type_subtype);
2210 }
2212 /*
2213 * Editor modelines - https://www.wireshark.org/tools/modelines.html
2214 *
2215 * Local variables:
2216 * c-basic-offset: 8
2217 * tab-width: 8
2218 * indent-tabs-mode: t
2219 * End:
2220 *
2221 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
2222 * :indentSize=8:tabSize=8:noTabs=false:
2223 */