public dissect_krb5_PAC_NDRHEADERBLOB
[wireshark-sm.git] / wiretap / ngsniffer.c
blob4b198c801eb0e21cf90043f31e972ff22a04432b
1 /* ngsniffer.c
3 * Wiretap Library
4 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
6 * SPDX-License-Identifier: GPL-2.0-or-later
7 */
9 /* The code in ngsniffer.c that decodes the time fields for each packet in the
10 * Sniffer trace originally came from code from TCPVIEW:
12 * TCPVIEW
14 * Author: Martin Hunt
15 * Networks and Distributed Computing
16 * Computing & Communications
17 * University of Washington
18 * Administration Building, AG-44
19 * Seattle, WA 98195
20 * Internet: martinh@cac.washington.edu
23 * Copyright 1992 by the University of Washington
25 * Permission to use, copy, modify, and distribute this software and its
26 * documentation for any purpose and without fee is hereby granted, provided
27 * that the above copyright notice appears in all copies and that both the
28 * above copyright notice and this permission notice appear in supporting
29 * documentation, and that the name of the University of Washington not be
30 * used in advertising or publicity pertaining to distribution of the software
31 * without specific, written prior permission. This software is made
32 * available "as is", and
33 * THE UNIVERSITY OF WASHINGTON DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
34 * WITH REGARD TO THIS SOFTWARE, INCLUDING WITHOUT LIMITATION ALL IMPLIED
35 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND IN
36 * NO EVENT SHALL THE UNIVERSITY OF WASHINGTON BE LIABLE FOR ANY SPECIAL,
37 * INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
38 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, TORT
39 * (INCLUDING NEGLIGENCE) OR STRICT LIABILITY, ARISING OUT OF OR IN CONNECTION
40 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
43 #include "config.h"
44 #include "ngsniffer.h"
46 #include <string.h>
47 #include "wtap-int.h"
48 #include "file_wrappers.h"
49 #include <wsutil/ws_assert.h>
51 /* Magic number in Sniffer files. */
52 static const char ngsniffer_magic[] = {
53 'T', 'R', 'S', 'N', 'I', 'F', 'F', ' ', 'd', 'a', 't', 'a',
54 ' ', ' ', ' ', ' ', 0x1a
58 * Sniffer record types.
60 #define REC_VERS 1 /* Version record (f_vers) */
61 #define REC_FRAME2 4 /* Frame data (f_frame2) */
62 #define REC_FRAME4 8 /* Frame data (f_frame4) */
63 #define REC_FRAME6 12 /* Frame data (f_frame6) (see below) */
64 #define REC_EOF 3 /* End-of-file record (no data follows) */
66 * and now for some unknown header types
68 #define REC_HEADER1 6 /* Header containing various information,
69 * not yet reverse engineered - some binary,
70 * some strings (Serial numbers? Names
71 * under which the software is registered?
72 * Software version numbers? Mysterious
73 * strings such as "PA-55X" and "PA-30X"
74 * and "PA-57X" and "PA-11X"?), some strings
75 * that are partially overwritten
76 * ("UNSERIALIZED", "Network General
77 * Corporation"), differing from major
78 * version to major version */
79 #define REC_HEADER2 7 /* Header containing ??? */
80 #define REC_V2DESC 8 /* In version 2 sniffer traces contains
81 * info about this capturing session,
82 * in the form of a multi-line string
83 * with NL as the line separator.
84 * Collides with REC_FRAME4 */
85 #define REC_HEADER3 13 /* Retransmission counts? */
86 #define REC_HEADER4 14 /* ? */
87 #define REC_HEADER5 15 /* ? */
88 #define REC_HEADER6 16 /* More broadcast/retransmission counts? */
89 #define REC_HEADER7 17 /* ? */
92 * Sniffer record header structure.
94 struct rec_header {
95 uint16_t type; /* record type */
96 uint16_t length; /* record length */
100 * Sniffer version record format.
102 struct vers_rec {
103 int16_t maj_vers; /* major version number */
104 int16_t min_vers; /* minor version number */
105 int16_t time_dos; /* DOS-format time */
106 int16_t date; /* DOS-format date */
107 int8_t type; /* what type of records follow */
108 uint8_t network; /* network type */
109 int8_t format; /* format version */
110 uint8_t timeunit; /* timestamp units */
111 int8_t cmprs_vers; /* compression version */
112 int8_t cmprs_level; /* compression level */
113 int16_t rsvd[2]; /* reserved */
117 * Network types.
119 #define NETWORK_TRING 0 /* Token ring */
120 #define NETWORK_ENET 1 /* Ethernet */
121 #define NETWORK_ARCNET 2 /* ARCNET */
122 #define NETWORK_STARLAN 3 /* StarLAN */
123 #define NETWORK_PCNW 4 /* PC Network broadband (Sytek?) */
124 #define NETWORK_LOCALTALK 5 /* LocalTalk */
125 #define NETWORK_SYNCHRO 7 /* Internetwork analyzer (synchronous) */
126 #define NETWORK_ASYNC 8 /* Internetwork analyzer (asynchronous) */
127 #define NETWORK_FDDI 9 /* FDDI */
128 #define NETWORK_ATM 10 /* ATM */
131 * Sniffer type 2 data record format - followed by frame data.
133 * The Expert Sniffer Network Analyzer Operations manual, Release 5.50,
134 * documents some of the values used in "fs" and "flags". "flags" don't
135 * look as if they'd be of much interest to us, as those are internal
136 * flags for state used by the Sniffer, but "fs" gives various status
137 * bits including error indications *and*:
139 * ISDN channel information for ISDN;
141 * PPP vs. SLIP information for Async.
143 * In that section it also refers to "FDDI analyzers using the NPI PCI
144 * FDDI adapter" and "FDDI analyzers using the NPI ISA FDDI adapter",
145 * referring to the first as "F1SNIFF" and the second as "FDSNIFF";
146 * those sound as if they *could* be replacements for "TRSNIFF" in
147 * the file header, but that manual says, earlier, that the header
148 * starts with "TRSNIFF data, no matter where the frames were
149 * collected".
151 * It also says that a type 2 record has an 8-bit "time_high"
152 * and an 8-bit "time_day" field; the code here used to have a
153 * 16-bit "time_high" value, but that gave wrong time stamps on at
154 * least some captures. Did some older manual have it as a 16-bit
155 * "tstamp_high", so that perhaps it depends on the version number
156 * in the file, or is it "tstamp_high" plus "tstamp_day" in all
157 * versions? (I forget whether this came purely from tcpview, or if
158 * I saw any of it in an NAI document.)
160 * We interpret them as unsigned, as interpreting them as signed
161 * would appear to allow time stamps that precede the start of the
162 * capture. The description of the record format shows them as
163 * "char", but the section "How the Analyzer Stores Time" shows a
164 * time stamp structure with those fields being "unsigned char".
166 * In addition, the description of the record format has the comment
167 * for the "time_day" field saying it's the time in days since the
168 * start of the capture, but the "How the Analyzer Stores Time"
169 * section says it's increased by 1 if the capture continues past
170 * midnight - and also says that the time stamp structure has a time
171 * relative to midnight when the capture started, not since the
172 * actual capture start, so that might be a difference between
173 * the internal time stamp in the Sniffer software and the time
174 * stamp in capture files (i.e., the latter might be relative to
175 * the time when the capture starts).
177 struct frame2_rec {
178 uint16_t time_low; /* low part of time stamp */
179 uint16_t time_med; /* middle part of time stamp */
180 uint8_t time_high; /* high part of the time stamp */
181 uint8_t time_day; /* time in days since start of capture */
182 int16_t size; /* number of bytes of data */
183 uint8_t fs; /* frame error status bits */
184 uint8_t flags; /* buffer flags */
185 int16_t true_size; /* size of original frame, in bytes */
186 int16_t rsvd; /* reserved */
190 * Bits in "fs".
192 * The bits differ for different link-layer types.
196 * Ethernet.
198 #define FS_ETH_CRC 0x80 /* CRC error */
199 #define FS_ETH_ALIGN 0x40 /* bad alignment */
200 #define FS_ETH_RU 0x20 /* "RU out of resources" */
201 #define FS_ETH_OVERRUN 0x10 /* DMA overrun */
202 #define FS_ETH_RUNT 0x08 /* frame too small */
203 #define FS_ETH_COLLISION 0x02 /* collision fragment */
206 * FDDI.
208 #define FS_FDDI_INVALID 0x10 /* frame indicators are invalid */
209 #define FS_FDDI_ERROR 0x20 /* "frame error bit 1" */
210 #define FS_FDDI_PCI_VDL 0x01 /* VDL (Valid Data Length?) error on frame on PCI adapter */
211 #define FS_FDDI_PCI_CRC 0x02 /* CRC error on frame on PCI adapter */
212 #define FS_FDDI_ISA_CRC 0x20 /* CRC error on frame on ISA adapter */
215 * Internetwork analyzer (synchronous and asynchronous).
217 #define FS_WAN_DTE 0x80 /* DTE->DCE frame */
220 * Internetwork analyzer (synchronous).
222 #define FS_SYNC_LOST 0x01 /* some frames were lost */
223 #define FS_SYNC_CRC 0x02 /* CRC error */
224 #define FS_SYNC_ABORT 0x04 /* aborted frame */
225 #define FS_ISDN_CHAN_MASK 0x18 /* ISDN channel */
226 #define FS_ISDN_CHAN_D 0x18 /* ISDN channel D */
227 #define FS_ISDN_CHAN_B1 0x08 /* ISDN channel B1 */
228 #define FS_ISDN_CHAN_B2 0x10 /* ISDN channel B2 */
231 * Internetwork analyzer (asynchronous).
232 * XXX - are some of these synchronous flags? They're listed with the
233 * asynchronous flags in the Sniffer 5.50 Network Analyzer Operations
234 * manual. Is one of the "overrun" errors a synchronous overrun error?
236 #define FS_ASYNC_LOST 0x01 /* some frames were lost */
237 #define FS_ASYNC_OVERRUN 0x02 /* UART overrun, lost bytes */
238 #define FS_ASYNC_FRAMING 0x04 /* bad character (framing error?) */
239 #define FS_ASYNC_PPP 0x08 /* PPP frame */
240 #define FS_ASYNC_SLIP 0x10 /* SLIP frame */
241 #define FS_ASYNC_ALIGN 0x20 /* alignment or DLPP(?) error */
242 #define FS_ASYNC_OVERRUN2 0x40 /* overrun or bad frame length */
245 * Sniffer type 4 data record format - followed by frame data.
247 * The ATM Sniffer manual says that the "flags" field holds "buffer flags;
248 * BF_xxxx", but doesn't say what the BF_xxxx flags are. They may
249 * be the same as they are in a type 2 record, in which case they're
250 * probably not of much interest to us.
252 * XXX - the manual also says there's an 8-byte "ATMTimeStamp" driver
253 * time stamp at the end of "ATMSaveInfo", but, from an ATM Sniffer capture
254 * file I've looked at, that appears not to be the case.
258 * Fields from the AAL5 trailer for the frame, if it's an AAL5 frame
259 * rather than a cell.
261 typedef struct _ATM_AAL5Trailer {
262 uint16_t aal5t_u2u; /* user-to-user indicator */
263 uint16_t aal5t_len; /* length of the packet */
264 uint32_t aal5t_chksum; /* checksum for AAL5 packet */
265 } ATM_AAL5Trailer;
267 typedef struct _ATMTimeStamp {
268 uint32_t msw; /* most significant word */
269 uint32_t lsw; /* least significant word */
270 } ATMTimeStamp;
272 typedef struct _ATMSaveInfo {
273 uint32_t StatusWord; /* status word from driver */
274 ATM_AAL5Trailer Trailer; /* AAL5 trailer */
275 uint8_t AppTrafType; /* traffic type */
276 uint8_t AppHLType; /* protocol type */
277 uint16_t AppReserved; /* reserved */
278 uint16_t Vpi; /* virtual path identifier */
279 uint16_t Vci; /* virtual circuit identifier */
280 uint16_t channel; /* link: 0 for DCE, 1 for DTE */
281 uint16_t cells; /* number of cells */
282 uint32_t AppVal1; /* type-dependent */
283 uint32_t AppVal2; /* type-dependent */
284 } ATMSaveInfo;
287 * Bits in StatusWord.
289 #define SW_ERRMASK 0x0F /* Error mask: */
290 #define SW_RX_FIFO_UNDERRUN 0x01 /* Receive FIFO underrun */
291 #define SW_RX_FIFO_OVERRUN 0x02 /* Receive FIFO overrun */
292 #define SW_RX_PKT_TOO_LONG 0x03 /* Received packet > max size */
293 #define SW_CRC_ERROR 0x04 /* CRC error */
294 #define SW_USER_ABORTED_RX 0x05 /* User aborted receive */
295 #define SW_BUF_LEN_TOO_LONG 0x06 /* buffer len > max buf */
296 #define SW_INTERNAL_T1_ERROR 0x07 /* Internal T1 error */
297 #define SW_RX_CHANNEL_DEACTIV8 0x08 /* Rx channel deactivate */
299 #define SW_ERROR 0x80 /* Error indicator */
300 #define SW_CONGESTION 0x40 /* Congestion indicator */
301 #define SW_CLP 0x20 /* Cell loss priority indicator */
302 #define SW_RAW_CELL 0x100 /* RAW cell indicator */
303 #define SW_OAM_CELL 0x200 /* OAM cell indicator */
306 * Bits in AppTrafType.
308 * For AAL types other than AAL5, the packet data is presumably for a
309 * single cell, not a reassembled frame, as the ATM Sniffer manual says
310 * it doesn't reassemble cells other than AAL5 cells.
312 #define ATT_AALTYPE 0x0F /* AAL type: */
313 #define ATT_AAL_UNKNOWN 0x00 /* Unknown AAL */
314 #define ATT_AAL1 0x01 /* AAL1 */
315 #define ATT_AAL3_4 0x02 /* AAL3/4 */
316 #define ATT_AAL5 0x03 /* AAL5 */
317 #define ATT_AAL_USER 0x04 /* User AAL */
318 #define ATT_AAL_SIGNALLING 0x05 /* Signaling AAL */
319 #define ATT_OAMCELL 0x06 /* OAM cell */
321 #define ATT_HLTYPE 0xF0 /* Higher-layer type: */
322 #define ATT_HL_UNKNOWN 0x00 /* unknown */
323 #define ATT_HL_LLCMX 0x10 /* LLC multiplexed (probably RFC 1483) */
324 #define ATT_HL_VCMX 0x20 /* VC multiplexed (probably RFC 1483) */
325 #define ATT_HL_LANE 0x30 /* LAN Emulation */
326 #define ATT_HL_ILMI 0x40 /* ILMI */
327 #define ATT_HL_FRMR 0x50 /* Frame Relay */
328 #define ATT_HL_SPANS 0x60 /* FORE SPANS */
329 #define ATT_HL_IPSILON 0x70 /* Ipsilon */
332 * Values for AppHLType; the interpretation depends on the ATT_HLTYPE
333 * bits in AppTrafType.
335 #define AHLT_UNKNOWN 0x0
336 #define AHLT_VCMX_802_3_FCS 0x1 /* VCMX: 802.3 FCS */
337 #define AHLT_LANE_LE_CTRL 0x1 /* LANE: LE Ctrl */
338 #define AHLT_IPSILON_FT0 0x1 /* Ipsilon: Flow Type 0 */
339 #define AHLT_VCMX_802_4_FCS 0x2 /* VCMX: 802.4 FCS */
340 #define AHLT_LANE_802_3 0x2 /* LANE: 802.3 */
341 #define AHLT_IPSILON_FT1 0x2 /* Ipsilon: Flow Type 1 */
342 #define AHLT_VCMX_802_5_FCS 0x3 /* VCMX: 802.5 FCS */
343 #define AHLT_LANE_802_5 0x3 /* LANE: 802.5 */
344 #define AHLT_IPSILON_FT2 0x3 /* Ipsilon: Flow Type 2 */
345 #define AHLT_VCMX_FDDI_FCS 0x4 /* VCMX: FDDI FCS */
346 #define AHLT_LANE_802_3_MC 0x4 /* LANE: 802.3 multicast */
347 #define AHLT_VCMX_802_6_FCS 0x5 /* VCMX: 802.6 FCS */
348 #define AHLT_LANE_802_5_MC 0x5 /* LANE: 802.5 multicast */
349 #define AHLT_VCMX_802_3 0x7 /* VCMX: 802.3 */
350 #define AHLT_VCMX_802_4 0x8 /* VCMX: 802.4 */
351 #define AHLT_VCMX_802_5 0x9 /* VCMX: 802.5 */
352 #define AHLT_VCMX_FDDI 0xa /* VCMX: FDDI */
353 #define AHLT_VCMX_802_6 0xb /* VCMX: 802.6 */
354 #define AHLT_VCMX_FRAGMENTS 0xc /* VCMX: Fragments */
355 #define AHLT_VCMX_BPDU 0xe /* VCMX: BPDU */
357 struct frame4_rec {
358 uint16_t time_low; /* low part of time stamp */
359 uint16_t time_med; /* middle part of time stamp */
360 uint8_t time_high; /* high part of time stamp */
361 uint8_t time_day; /* time in days since start of capture */
362 int16_t size; /* number of bytes of data */
363 int8_t fs; /* frame error status bits */
364 int8_t flags; /* buffer flags */
365 int16_t true_size; /* size of original frame, in bytes */
366 int16_t rsvd3; /* reserved */
367 int16_t atm_pad; /* pad to 4-byte boundary */
368 ATMSaveInfo atm_info; /* ATM-specific stuff */
372 * XXX - I have a version 5.50 file with a bunch of token ring
373 * records listed as type "12". The record format below was
374 * derived from frame4_rec and a bit of experimentation.
375 * - Gerald
377 struct frame6_rec {
378 uint16_t time_low; /* low part of time stamp */
379 uint16_t time_med; /* middle part of time stamp */
380 uint8_t time_high; /* high part of time stamp */
381 uint8_t time_day; /* time in days since start of capture */
382 int16_t size; /* number of bytes of data */
383 uint8_t fs; /* frame error status bits */
384 uint8_t flags; /* buffer flags */
385 int16_t true_size; /* size of original frame, in bytes */
386 uint8_t chemical_x[22];/* ? */
390 * Network type values in some type 7 records.
392 * Captures with a major version number of 2 appear to have type 7
393 * records with text in them (at least one I have does).
395 * Captures with a major version of 4, and at least some captures with
396 * a major version of 5, have type 7 records with those values in the
397 * 5th byte.
399 * However, some captures with a major version number of 5 appear not to
400 * have type 7 records at all (at least one I have doesn't), but do appear
401 * to put non-zero values in the "rsvd" field of the version header (at
402 * least one I have does) - at least some other captures with smaller version
403 * numbers appear to put 0 there, so *maybe* that's where the network
404 * (sub)type is hidden in those captures. The version 5 captures I've seen
405 * that *do* have type 7 records put 0 there, so it's not as if *all* V5
406 * captures have something in the "rsvd" field, however.
408 * The semantics of these network types is inferred from the Sniffer
409 * documentation, as they correspond to types described in the UI;
410 * in particular, see
412 * http://www.mcafee.com/common/media/sniffer/support/sdos/operation.pdf
414 * starting at page 3-10 (56 of 496).
416 * XXX - I've seen X.25 captures with NET_ROUTER, and I've seen bridge/
417 * router captures with NET_HDLC. Sigh.... Are those just captures for
418 * which the user set the wrong network type when capturing?
420 #define NET_SDLC 0 /* Probably "SDLC then SNA" */
421 #define NET_HDLC 1 /* Used for X.25; is it used for other
422 things as well, or is it "HDLC then
423 X.25", as referred to by the document
424 cited above, and only used for X.25? */
425 #define NET_FRAME_RELAY 2
426 #define NET_ROUTER 3 /* Probably "Router/Bridge", for various
427 point-to-point protocols for use between
428 bridges and routers, including PPP as well
429 as various proprietary protocols; also
430 used for ISDN, for reasons not obvious
431 to me, given that a Sniffer knows
432 whether it's using a WAN or an ISDN pod */
433 #define NET_PPP 4 /* "Asynchronous", which includes SLIP too */
434 #define NET_SMDS 5 /* Not mentioned in the document, but
435 that's a document for version 5.50 of
436 the Sniffer, and that version might use
437 version 5 in the file format and thus
438 might not be using type 7 records */
441 * Values for V.timeunit, in picoseconds, so that they can be represented
442 * as integers. These values must be < 2^(64-40); see below.
444 * XXX - at least some captures with a V.timeunit value of 2 show
445 * packets with time stamps in 2011 if the time stamp is interpreted
446 * to be in units of 15 microseconds. The capture predates 2008,
447 * so that interpretation is probably wrong. Perhaps the interpretation
448 * of V.timeunit depends on the version number of the file?
450 static const uint32_t Psec[] = {
451 15000000, /* 15.0 usecs = 15000000 psecs */
452 838096, /* .838096 usecs = 838096 psecs */
453 15000000, /* 15.0 usecs = 15000000 psecs */
454 500000, /* 0.5 usecs = 500000 psecs */
455 2000000, /* 2.0 usecs = 2000000 psecs */
456 1000000, /* 1.0 usecs = 1000000 psecs */
457 /* XXX - Sniffer doc says 0.08 usecs = 80000 psecs */
458 100000 /* 0.1 usecs = 100000 psecs */
460 #define NUM_NGSNIFF_TIMEUNITS array_length(Psec)
462 /* Information for a compressed Sniffer data stream. */
463 typedef struct {
464 unsigned char *buf; /* buffer into which we uncompress data */
465 unsigned int nbytes; /* number of bytes of data in that buffer */
466 int nextout; /* offset in that buffer of stream's current position */
467 int64_t comp_offset; /* current offset in compressed data stream */
468 int64_t uncomp_offset; /* current offset in uncompressed data stream */
469 } ngsniffer_comp_stream_t;
471 typedef struct {
472 unsigned maj_vers;
473 unsigned min_vers;
474 bool is_compressed;
475 uint32_t timeunit;
476 time_t start;
477 unsigned network; /* network type */
478 ngsniffer_comp_stream_t seq; /* sequential access */
479 ngsniffer_comp_stream_t rand; /* random access */
480 GList *first_blob; /* list element for first blob */
481 GList *last_blob; /* list element for last blob */
482 GList *current_blob; /* list element for current blob */
483 } ngsniffer_t;
486 * DOS date to "struct tm" conversion values.
488 /* DOS year = upper 7 bits */
489 #define DOS_YEAR_OFFSET (1980-1900) /* tm_year = year+1900, DOS date year year+1980 */
490 #define DOS_YEAR_SHIFT 9
491 #define DOS_YEAR_MASK (0x7F<<DOS_YEAR_SHIFT)
492 /* DOS month = next 4 bits */
493 #define DOS_MONTH_OFFSET (-1) /* tm_mon = month #-1, DOS date month = month # */
494 #define DOS_MONTH_SHIFT 5
495 #define DOS_MONTH_MASK (0x0F<<DOS_MONTH_SHIFT)
496 /* DOS day = next 5 bits */
497 #define DOS_DAY_SHIFT 0
498 #define DOS_DAY_MASK (0x1F<<DOS_DAY_SHIFT)
500 static int process_header_records(wtap *wth, int *err, char **err_info,
501 int16_t maj_vers, uint8_t network);
502 static int process_rec_header2_v2(wtap *wth, unsigned char *buffer,
503 uint16_t length, int *err, char **err_info);
504 static int process_rec_header2_v145(wtap *wth, unsigned char *buffer,
505 uint16_t length, int16_t maj_vers, int *err, char **err_info);
506 static bool ngsniffer_read(wtap *wth, wtap_rec *rec, Buffer *buf,
507 int *err, char **err_info, int64_t *data_offset);
508 static bool ngsniffer_seek_read(wtap *wth, int64_t seek_off,
509 wtap_rec *rec, Buffer *buf, int *err, char **err_info);
510 static bool read_rec_header(wtap *wth, bool is_random,
511 struct rec_header *hdr, int *err, char **err_info);
512 static bool process_frame_record(wtap *wth, bool is_random,
513 unsigned *padding, struct rec_header *hdr, wtap_rec *rec, Buffer *buf,
514 int *err, char **err_info);
515 static void set_metadata_frame2(wtap *wth, wtap_rec *rec,
516 struct frame2_rec *frame2);
517 static void set_pseudo_header_frame4(union wtap_pseudo_header *pseudo_header,
518 struct frame4_rec *frame4);
519 static void set_pseudo_header_frame6(wtap *wth,
520 union wtap_pseudo_header *pseudo_header, struct frame6_rec *frame6);
521 static int infer_pkt_encap(const uint8_t *pd, int len);
522 static int fix_pseudo_header(int encap, Buffer *buf, int len,
523 union wtap_pseudo_header *pseudo_header);
524 static void ngsniffer_sequential_close(wtap *wth);
525 static void ngsniffer_close(wtap *wth);
526 static bool ngsniffer_dump(wtap_dumper *wdh, const wtap_rec *rec,
527 const uint8_t *pd, int *err, char **err_info);
528 static bool ngsniffer_dump_finish(wtap_dumper *wdh, int *err,
529 char **err_info);
530 static int SnifferDecompress( unsigned char * inbuf, size_t inlen,
531 unsigned char * outbuf, size_t outlen, int *err, char **err_info );
532 static bool ng_read_bytes_or_eof(wtap *wth, void *buffer,
533 unsigned int nbytes, bool is_random, int *err, char **err_info);
534 static bool ng_read_bytes(wtap *wth, void *buffer, unsigned int nbytes,
535 bool is_random, int *err, char **err_info);
536 static bool read_blob(FILE_T infile, ngsniffer_comp_stream_t *comp_stream,
537 int *err, char **err_info);
538 static bool ng_skip_bytes_seq(wtap *wth, unsigned int count, int *err,
539 char **err_info);
540 static bool ng_file_seek_rand(wtap *wth, int64_t offset, int *err,
541 char **err_info);
543 static int ngsniffer_uncompressed_file_type_subtype = -1;
544 static int ngsniffer_compressed_file_type_subtype = -1;
546 void register_ngsniffer(void);
548 wtap_open_return_val
549 ngsniffer_open(wtap *wth, int *err, char **err_info)
551 char magic[sizeof ngsniffer_magic];
552 char record_type[2];
553 char record_length[4]; /* only the first 2 bytes are length,
554 the last 2 are "reserved" and are thrown away */
555 uint16_t type;
556 struct vers_rec version;
557 uint16_t maj_vers;
558 uint16_t start_date;
559 #if 0
560 uint16_t start_time;
561 #endif
562 static const int sniffer_encap[] = {
563 WTAP_ENCAP_TOKEN_RING,
564 WTAP_ENCAP_ETHERNET,
565 WTAP_ENCAP_ARCNET,
566 WTAP_ENCAP_UNKNOWN, /* StarLAN */
567 WTAP_ENCAP_UNKNOWN, /* PC Network broadband */
568 WTAP_ENCAP_UNKNOWN, /* LocalTalk */
569 WTAP_ENCAP_UNKNOWN, /* Znet */
570 WTAP_ENCAP_PER_PACKET, /* Internetwork analyzer (synchronous) */
571 WTAP_ENCAP_PER_PACKET, /* Internetwork analyzer (asynchronous) */
572 WTAP_ENCAP_FDDI_BITSWAPPED,
573 WTAP_ENCAP_ATM_PDUS
575 #define NUM_NGSNIFF_ENCAPS array_length(sniffer_encap)
576 struct tm tm;
577 int64_t current_offset;
578 ngsniffer_t *ngsniffer;
580 /* Read in the string that should be at the start of a Sniffer file */
581 if (!wtap_read_bytes(wth->fh, magic, sizeof magic, err, err_info)) {
582 if (*err != WTAP_ERR_SHORT_READ)
583 return WTAP_OPEN_ERROR;
584 return WTAP_OPEN_NOT_MINE;
587 if (memcmp(magic, ngsniffer_magic, sizeof ngsniffer_magic)) {
588 return WTAP_OPEN_NOT_MINE;
592 * Read the first record, which the manual says is a version
593 * record.
595 if (!wtap_read_bytes(wth->fh, record_type, 2, err, err_info))
596 return WTAP_OPEN_ERROR;
597 if (!wtap_read_bytes(wth->fh, record_length, 4, err, err_info))
598 return WTAP_OPEN_ERROR;
600 type = pletoh16(record_type);
602 if (type != REC_VERS) {
603 *err = WTAP_ERR_BAD_FILE;
604 *err_info = g_strdup("ngsniffer: Sniffer file doesn't start with a version record");
605 return WTAP_OPEN_ERROR;
608 if (!wtap_read_bytes(wth->fh, &version, sizeof version, err, err_info))
609 return WTAP_OPEN_ERROR;
611 /* Check the data link type. */
612 if (version.network >= NUM_NGSNIFF_ENCAPS
613 || sniffer_encap[version.network] == WTAP_ENCAP_UNKNOWN) {
614 *err = WTAP_ERR_UNSUPPORTED;
615 *err_info = ws_strdup_printf("ngsniffer: network type %u unknown or unsupported",
616 version.network);
617 return WTAP_OPEN_ERROR;
620 /* Check the time unit */
621 if (version.timeunit >= NUM_NGSNIFF_TIMEUNITS) {
622 *err = WTAP_ERR_UNSUPPORTED;
623 *err_info = ws_strdup_printf("ngsniffer: Unknown timeunit %u", version.timeunit);
624 return WTAP_OPEN_ERROR;
627 /* Set encap type before reading header records because the
628 * header record may change encap type.
630 wth->file_encap = sniffer_encap[version.network];
633 * We don't know how to handle the remaining header record types,
634 * so we just skip them - except for REC_HEADER2 records, which
635 * we look at, for "Internetwork analyzer" captures, to attempt to
636 * determine what the link-layer encapsulation is.
638 * XXX - in some version 1.16 internetwork analyzer files
639 * generated by the Windows Sniffer when saving Windows
640 * Sniffer files as DOS Sniffer files, there's no REC_HEADER2
641 * record, but the first "rsvd" word is 1 for PRI ISDN files, 2
642 * for BRI ISDN files, and 0 for non-ISDN files; is that something
643 * the DOS Sniffer understands?
645 maj_vers = pletoh16(&version.maj_vers);
646 if (process_header_records(wth, err, err_info, maj_vers,
647 version.network) < 0)
648 return WTAP_OPEN_ERROR;
649 if ((version.network == NETWORK_SYNCHRO ||
650 version.network == NETWORK_ASYNC) &&
651 wth->file_encap == WTAP_ENCAP_PER_PACKET) {
653 * Well, we haven't determined the internetwork analyzer
654 * subtype yet...
656 switch (maj_vers) {
658 case 1:
660 * ... and this is a version 1 capture; look
661 * at the first "rsvd" word.
663 switch (pletoh16(&version.rsvd[0])) {
665 case 1:
666 case 2:
667 wth->file_encap = WTAP_ENCAP_ISDN;
668 break;
670 break;
672 case 3:
674 * ...and this is a version 3 capture; we've
675 * seen nothing in those that obviously
676 * indicates the capture type, but the only
677 * one we've seen is a Frame Relay capture,
678 * so mark it as Frame Relay for now.
680 wth->file_encap = WTAP_ENCAP_FRELAY_WITH_PHDR;
681 break;
685 current_offset = file_tell(wth->fh);
688 * Now, if we have a random stream open, position it to the same
689 * location, which should be the beginning of the real data, and
690 * should be the beginning of the compressed data.
692 * XXX - will we see any records other than REC_FRAME2, REC_FRAME4,
693 * or REC_EOF after this? If not, we can get rid of the loop in
694 * "ngsniffer_read()".
696 if (wth->random_fh != NULL) {
697 if (file_seek(wth->random_fh, current_offset, SEEK_SET, err) == -1)
698 return WTAP_OPEN_ERROR;
701 /* This is a ngsniffer file */
702 ngsniffer = g_new(ngsniffer_t, 1);
703 wth->priv = (void *)ngsniffer;
705 /* compressed or uncompressed Sniffer file? */
706 if (version.format != 1) {
707 wth->file_type_subtype = ngsniffer_compressed_file_type_subtype;
708 ngsniffer->is_compressed = true;
709 } else {
710 wth->file_type_subtype = ngsniffer_uncompressed_file_type_subtype;
711 ngsniffer->is_compressed = false;
714 ngsniffer->maj_vers = maj_vers;
715 ngsniffer->min_vers = pletoh16(&version.min_vers);
717 /* We haven't allocated any uncompression buffers yet. */
718 ngsniffer->seq.buf = NULL;
719 ngsniffer->seq.nbytes = 0;
720 ngsniffer->seq.nextout = 0;
721 ngsniffer->rand.buf = NULL;
722 ngsniffer->rand.nbytes = 0;
723 ngsniffer->rand.nextout = 0;
725 /* Set the current file offset; the offset in the compressed file
726 and in the uncompressed data stream currently the same. */
727 ngsniffer->seq.uncomp_offset = current_offset;
728 ngsniffer->seq.comp_offset = current_offset;
729 ngsniffer->rand.uncomp_offset = current_offset;
730 ngsniffer->rand.comp_offset = current_offset;
732 /* We don't yet have any list of compressed blobs. */
733 ngsniffer->first_blob = NULL;
734 ngsniffer->last_blob = NULL;
735 ngsniffer->current_blob = NULL;
737 wth->subtype_read = ngsniffer_read;
738 wth->subtype_seek_read = ngsniffer_seek_read;
739 wth->subtype_sequential_close = ngsniffer_sequential_close;
740 wth->subtype_close = ngsniffer_close;
741 wth->snapshot_length = 0; /* not available in header, only in frame */
742 ngsniffer->timeunit = Psec[version.timeunit];
743 ngsniffer->network = version.network;
745 /* Get capture start time */
746 start_date = pletoh16(&version.date);
747 tm.tm_year = ((start_date&DOS_YEAR_MASK)>>DOS_YEAR_SHIFT) + DOS_YEAR_OFFSET;
748 tm.tm_mon = ((start_date&DOS_MONTH_MASK)>>DOS_MONTH_SHIFT) + DOS_MONTH_OFFSET;
749 tm.tm_mday = ((start_date&DOS_DAY_MASK)>>DOS_DAY_SHIFT);
751 * The time does not appear to act as an offset; only the date.
752 * XXX - sometimes it does appear to act as an offset; is this
753 * version-dependent?
755 #if 0
756 start_time = pletoh16(&version.time_dos);
757 tm.tm_hour = (start_time&0xf800)>>11;
758 tm.tm_min = (start_time&0x7e0)>>5;
759 tm.tm_sec = (start_time&0x1f)<<1;
760 #else
761 tm.tm_hour = 0;
762 tm.tm_min = 0;
763 tm.tm_sec = 0;
764 #endif
765 tm.tm_isdst = -1;
766 ngsniffer->start = mktime(&tm);
768 * XXX - what if "secs" is -1? Unlikely,
769 * but if the capture was done in a time
770 * zone that switches between standard and
771 * summer time sometime other than when we
772 * do, and thus the time was one that doesn't
773 * exist here because a switch from standard
774 * to summer time zips over it, it could
775 * happen.
777 * On the other hand, if the capture was done
778 * in a different time zone, this won't work
779 * right anyway; unfortunately, the time zone
780 * isn't stored in the capture file.
783 wth->file_tsprec = WTAP_TSPREC_NSEC; /* XXX */
785 return WTAP_OPEN_MINE;
788 static int
789 process_header_records(wtap *wth, int *err, char **err_info, int16_t maj_vers,
790 uint8_t network)
792 char record_type[2];
793 char record_length[4]; /* only the first 2 bytes are length,
794 the last 2 are "reserved" and are thrown away */
795 uint16_t rec_type, rec_length_remaining;
796 int bytes_to_read;
797 unsigned char buffer[256];
799 for (;;) {
800 if (!wtap_read_bytes_or_eof(wth->fh, record_type, 2, err, err_info)) {
801 if (*err != 0)
802 return -1;
803 return 0; /* EOF */
806 rec_type = pletoh16(record_type);
807 if ((rec_type != REC_HEADER1) && (rec_type != REC_HEADER2)
808 && (rec_type != REC_HEADER3) && (rec_type != REC_HEADER4)
809 && (rec_type != REC_HEADER5) && (rec_type != REC_HEADER6)
810 && (rec_type != REC_HEADER7)
811 && ((rec_type != REC_V2DESC) || (maj_vers > 2)) ) {
813 * Well, this is either some unknown header type
814 * (we ignore this case), an uncompressed data
815 * frame or the length of a compressed blob
816 * which implies data. Seek backwards over the
817 * two bytes we read, and return.
819 if (file_seek(wth->fh, -2, SEEK_CUR, err) == -1)
820 return -1;
821 return 0;
824 if (!wtap_read_bytes(wth->fh, record_length, 4,
825 err, err_info))
826 return -1;
828 rec_length_remaining = pletoh16(record_length);
831 * Is this is an "Internetwork analyzer" capture, and
832 * is this a REC_HEADER2 record?
834 * If so, it appears to specify the particular type
835 * of network we're on.
837 * XXX - handle sync and async differently? (E.g.,
838 * does this apply only to sync?)
840 if ((network == NETWORK_SYNCHRO || network == NETWORK_ASYNC) &&
841 rec_type == REC_HEADER2) {
843 * Yes, get the first up-to-256 bytes of the
844 * record data.
846 bytes_to_read = MIN(rec_length_remaining, (int)sizeof buffer);
847 if (!wtap_read_bytes(wth->fh, buffer,
848 bytes_to_read, err, err_info))
849 return -1;
851 switch (maj_vers) {
853 case 2:
854 if (process_rec_header2_v2(wth, buffer,
855 rec_length_remaining, err, err_info) < 0)
856 return -1;
857 break;
859 case 1:
860 case 4:
861 case 5:
862 if (process_rec_header2_v145(wth, buffer,
863 rec_length_remaining, maj_vers, err, err_info) < 0)
864 return -1;
865 break;
869 * Skip the rest of the record.
871 if (rec_length_remaining > sizeof buffer) {
872 if (file_seek(wth->fh, rec_length_remaining - sizeof buffer,
873 SEEK_CUR, err) == -1)
874 return -1;
876 } else {
877 /* Nope, just skip over the data. */
878 if (file_seek(wth->fh, rec_length_remaining, SEEK_CUR, err) == -1)
879 return -1;
884 static int
885 process_rec_header2_v2(wtap *wth, unsigned char *buffer, uint16_t length,
886 int *err, char **err_info)
888 static const char x_25_str[] = "HDLC\nX.25\n";
891 * There appears to be a string in a REC_HEADER2 record, with
892 * a list of protocols. In one X.25 capture I've seen, the
893 * string was "HDLC\nX.25\nCLNP\nISO_TP\nSESS\nPRES\nVTP\nACSE".
894 * Presumably CLNP and everything else is per-packet, but
895 * we assume "HDLC\nX.25\n" indicates that it's an X.25 capture.
897 if (length < sizeof x_25_str - 1) {
899 * There's not enough data to compare.
901 *err = WTAP_ERR_UNSUPPORTED;
902 *err_info = g_strdup("ngsniffer: WAN capture has too-short protocol list");
903 return -1;
906 if (strncmp((char *)buffer, x_25_str, sizeof x_25_str - 1) == 0) {
908 * X.25.
910 wth->file_encap = WTAP_ENCAP_LAPB;
911 } else {
912 *err = WTAP_ERR_UNSUPPORTED;
913 *err_info = ws_strdup_printf("ngsniffer: WAN capture protocol string %.*s unknown",
914 length, buffer);
915 return -1;
917 return 0;
920 static int
921 process_rec_header2_v145(wtap *wth, unsigned char *buffer, uint16_t length,
922 int16_t maj_vers, int *err, char **err_info)
925 * The 5th byte of the REC_HEADER2 record appears to be a
926 * network type.
928 if (length < 5) {
930 * There is no 5th byte; give up.
932 *err = WTAP_ERR_UNSUPPORTED;
933 *err_info = g_strdup("ngsniffer: WAN capture has no network subtype");
934 return -1;
938 * The X.25 captures I've seen have a type of NET_HDLC, and the
939 * Sniffer documentation seems to imply that it's used for
940 * X.25, although it could be used for other purposes as well.
942 * NET_ROUTER is used for all sorts of point-to-point protocols,
943 * including ISDN. It appears, from the documentation, that the
944 * Sniffer attempts to infer the particular protocol by looking
945 * at the traffic; it's not clear whether it stores in the file
946 * an indication of the protocol it inferred was being used.
948 * Unfortunately, it also appears that NET_HDLC is used for
949 * stuff other than X.25 as well, so we can't just interpret
950 * it unconditionally as X.25.
952 * For now, we interpret both NET_HDLC and NET_ROUTER as "per-packet
953 * encapsulation". We remember that we saw NET_ROUTER, though,
954 * as it appears that we can infer whether a packet is PPP or
955 * ISDN based on the channel number subfield of the frame error
956 * status bits - if it's 0, it's PPP, otherwise it's ISDN and
957 * the channel number indicates which channel it is. We assume
958 * NET_HDLC isn't used for ISDN.
960 switch (buffer[4]) {
962 case NET_SDLC:
963 wth->file_encap = WTAP_ENCAP_SDLC;
964 break;
966 case NET_HDLC:
967 wth->file_encap = WTAP_ENCAP_PER_PACKET;
968 break;
970 case NET_FRAME_RELAY:
971 wth->file_encap = WTAP_ENCAP_FRELAY_WITH_PHDR;
972 break;
974 case NET_ROUTER:
976 * For most of the version 4 capture files I've seen,
977 * 0xfa in buffer[1] means the file is an ISDN capture,
978 * but there's one PPP file with 0xfa there; does that
979 * mean that the 0xfa has nothing to do with ISDN,
980 * or is that just an ISDN file with no D channel
981 * packets? (The channel number is not 0 in any
982 * of the packets, so perhaps it is.)
984 * For one version 5 ISDN capture I've seen, there's
985 * a 0x01 in buffer[6]; none of the non-ISDN version
986 * 5 captures have it.
988 wth->file_encap = WTAP_ENCAP_PER_PACKET;
989 switch (maj_vers) {
991 case 4:
992 if (buffer[1] == 0xfa)
993 wth->file_encap = WTAP_ENCAP_ISDN;
994 break;
996 case 5:
997 if (length < 7) {
999 * There is no 5th byte; give up.
1001 *err = WTAP_ERR_UNSUPPORTED;
1002 *err_info = g_strdup("ngsniffer: WAN bridge/router capture has no ISDN flag");
1003 return -1;
1005 if (buffer[6] == 0x01)
1006 wth->file_encap = WTAP_ENCAP_ISDN;
1007 break;
1009 break;
1011 case NET_PPP:
1012 wth->file_encap = WTAP_ENCAP_PPP_WITH_PHDR;
1013 break;
1015 default:
1017 * Reject these until we can figure them out.
1019 *err = WTAP_ERR_UNSUPPORTED;
1020 *err_info = ws_strdup_printf("ngsniffer: WAN network subtype %u unknown or unsupported",
1021 buffer[4]);
1022 return -1;
1024 return 0;
1027 /* Read the next packet */
1028 static bool
1029 ngsniffer_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err,
1030 char **err_info, int64_t *data_offset)
1032 ngsniffer_t *ngsniffer;
1033 struct rec_header hdr;
1034 unsigned padding;
1036 ngsniffer = (ngsniffer_t *)wth->priv;
1037 for (;;) {
1039 * We use the uncompressed offset, as that's what
1040 * we need to use for compressed files.
1042 *data_offset = ngsniffer->seq.uncomp_offset;
1045 * Read the record header.
1047 if (!read_rec_header(wth, false, &hdr, err, err_info)) {
1048 /* Read error or short read */
1049 return false;
1053 * Process the record.
1055 switch (hdr.type) {
1057 case REC_FRAME2:
1058 case REC_FRAME4:
1059 case REC_FRAME6:
1060 /* Frame record */
1061 if (!process_frame_record(wth, false, &padding,
1062 &hdr, rec, buf, err, err_info)) {
1063 /* Read error, short read, or other error */
1064 return false;
1068 * Skip any extra data in the record.
1070 if (padding != 0) {
1071 if (!ng_skip_bytes_seq(wth, padding, err,
1072 err_info))
1073 return false;
1075 return true;
1077 case REC_EOF:
1079 * End of file. Skip past any data (if any),
1080 * the length of which is in hdr.length, and
1081 * return an EOF indication.
1083 if (hdr.length != 0) {
1084 if (!ng_skip_bytes_seq(wth, hdr.length, err,
1085 err_info))
1086 return false;
1088 *err = 0; /* EOF, not error */
1089 return false;
1091 default:
1093 * Well, we don't know what it is, or we know what
1094 * it is but can't handle it. Skip past the data
1095 * portion (if any), the length of which is in
1096 * hdr.length, and keep looping.
1098 if (hdr.length != 0) {
1099 if (!ng_skip_bytes_seq(wth, hdr.length, err,
1100 err_info))
1101 return false;
1103 break;
1108 static bool
1109 ngsniffer_seek_read(wtap *wth, int64_t seek_off,
1110 wtap_rec *rec, Buffer *buf, int *err, char **err_info)
1112 struct rec_header hdr;
1114 if (!ng_file_seek_rand(wth, seek_off, err, err_info))
1115 return false;
1117 if (!read_rec_header(wth, true, &hdr, err, err_info)) {
1118 /* Read error or short read */
1119 return false;
1123 * hdr.type is the record type.
1125 switch (hdr.type) {
1127 case REC_FRAME2:
1128 case REC_FRAME4:
1129 case REC_FRAME6:
1130 /* Frame record */
1131 if (!process_frame_record(wth, true, NULL, &hdr, rec, buf,
1132 err, err_info)) {
1133 /* Read error, short read, or other error */
1134 return false;
1136 break;
1138 default:
1140 * Other record type, or EOF.
1141 * This "can't happen".
1143 ws_assert_not_reached();
1144 return false;
1147 return true;
1151 * Read the record header.
1153 * Returns true on success, false on error.
1155 static bool
1156 read_rec_header(wtap *wth, bool is_random, struct rec_header *hdr,
1157 int *err, char **err_info)
1159 char record_type[2];
1160 char record_length[4]; /* only 1st 2 bytes are length */
1163 * Read the record type.
1165 if (!ng_read_bytes_or_eof(wth, record_type, 2, is_random, err, err_info)) {
1166 if (*err != 0)
1167 return false;
1169 * End-of-file; construct a fake EOF record.
1170 * (A file might have an EOF record at the end, or
1171 * it might just come to an end.)
1172 * (XXX - is that true of all Sniffer files?)
1174 hdr->type = REC_EOF;
1175 hdr->length = 0;
1176 return true;
1180 * Read the record length.
1182 if (!ng_read_bytes(wth, record_length, 4, is_random, err, err_info))
1183 return false;
1185 hdr->type = pletoh16(record_type);
1186 hdr->length = pletoh16(record_length);
1187 return true;
1191 * Returns true on success, false on error.
1192 * If padding is non-null, sets *padding to the amount of padding at
1193 * the end of the record.
1195 static bool
1196 process_frame_record(wtap *wth, bool is_random, unsigned *padding,
1197 struct rec_header *hdr, wtap_rec *rec, Buffer *buf, int *err,
1198 char **err_info)
1200 ngsniffer_t *ngsniffer;
1201 unsigned rec_length_remaining;
1202 struct frame2_rec frame2;
1203 struct frame4_rec frame4;
1204 struct frame6_rec frame6;
1205 uint16_t time_low, time_med, true_size, size;
1206 uint8_t time_high, time_day;
1207 uint64_t t, tsecs, tpsecs;
1209 rec_length_remaining = hdr->length;
1211 /* Initialize - we'll be setting some presence flags below. */
1212 rec->rec_type = REC_TYPE_PACKET;
1213 rec->block = wtap_block_create(WTAP_BLOCK_PACKET);
1214 rec->presence_flags = 0;
1216 ngsniffer = (ngsniffer_t *)wth->priv;
1217 switch (hdr->type) {
1219 case REC_FRAME2:
1220 if (ngsniffer->network == NETWORK_ATM) {
1222 * We shouldn't get a frame2 record in
1223 * an ATM capture.
1225 *err = WTAP_ERR_BAD_FILE;
1226 *err_info = g_strdup("ngsniffer: REC_FRAME2 record in an ATM Sniffer file");
1227 return false;
1230 /* Do we have an f_frame2_struct worth of data? */
1231 if (rec_length_remaining < sizeof frame2) {
1232 *err = WTAP_ERR_BAD_FILE;
1233 *err_info = g_strdup("ngsniffer: REC_FRAME2 record length is less than record header length");
1234 return false;
1237 /* Read the f_frame2_struct */
1238 if (!ng_read_bytes(wth, &frame2, (unsigned int)sizeof frame2,
1239 is_random, err, err_info))
1240 return false;
1241 time_low = pletoh16(&frame2.time_low);
1242 time_med = pletoh16(&frame2.time_med);
1243 time_high = frame2.time_high;
1244 time_day = frame2.time_day;
1245 size = pletoh16(&frame2.size);
1246 true_size = pletoh16(&frame2.true_size);
1248 rec_length_remaining -= (unsigned)sizeof frame2; /* we already read that much */
1250 set_metadata_frame2(wth, rec, &frame2);
1251 break;
1253 case REC_FRAME4:
1254 if (ngsniffer->network != NETWORK_ATM) {
1256 * We shouldn't get a frame2 record in
1257 * a non-ATM capture.
1259 *err = WTAP_ERR_BAD_FILE;
1260 *err_info = g_strdup("ngsniffer: REC_FRAME4 record in a non-ATM Sniffer file");
1261 return false;
1265 * XXX - it looks as if some version 4 captures have
1266 * a bogus record length, based on the assumption
1267 * that the record is a frame2 record, i.e. the length
1268 * was calculated based on the record being a frame2
1269 * record, so it's too short by (sizeof frame4 - sizeof frame2).
1271 if (ngsniffer->maj_vers < 5 && ngsniffer->min_vers >= 95)
1272 rec_length_remaining += (unsigned)(sizeof frame4 - sizeof frame2);
1274 /* Do we have an f_frame4_struct worth of data? */
1275 if (rec_length_remaining < sizeof frame4) {
1276 *err = WTAP_ERR_BAD_FILE;
1277 *err_info = g_strdup("ngsniffer: REC_FRAME4 record length is less than record header length");
1278 return false;
1281 /* Read the f_frame4_struct */
1282 if (!ng_read_bytes(wth, &frame4, (unsigned int)sizeof frame4,
1283 is_random, err, err_info))
1284 return false;
1285 time_low = pletoh16(&frame4.time_low);
1286 time_med = pletoh16(&frame4.time_med);
1287 time_high = frame4.time_high;
1288 time_day = frame4.time_day;
1289 size = pletoh16(&frame4.size);
1290 true_size = pletoh16(&frame4.true_size);
1292 rec_length_remaining -= (unsigned)sizeof frame4; /* we already read that much */
1294 set_pseudo_header_frame4(&rec->rec_header.packet_header.pseudo_header, &frame4);
1295 break;
1297 case REC_FRAME6:
1298 /* Do we have an f_frame6_struct worth of data? */
1299 if (rec_length_remaining < sizeof frame6) {
1300 *err = WTAP_ERR_BAD_FILE;
1301 *err_info = g_strdup("ngsniffer: REC_FRAME6 record length is less than record header length");
1302 return false;
1305 /* Read the f_frame6_struct */
1306 if (!ng_read_bytes(wth, &frame6, (unsigned int)sizeof frame6,
1307 is_random, err, err_info))
1308 return false;
1309 time_low = pletoh16(&frame6.time_low);
1310 time_med = pletoh16(&frame6.time_med);
1311 time_high = frame6.time_high;
1312 time_day = frame6.time_day;
1313 size = pletoh16(&frame6.size);
1314 true_size = pletoh16(&frame6.true_size);
1316 rec_length_remaining -= (unsigned)sizeof frame6; /* we already read that much */
1318 set_pseudo_header_frame6(wth, &rec->rec_header.packet_header.pseudo_header, &frame6);
1319 break;
1321 default:
1323 * This should never happen.
1325 ws_assert_not_reached();
1326 return false;
1330 * Is the frame data size greater than what's left of the
1331 * record?
1333 if (size > rec_length_remaining) {
1335 * Yes - treat this as an error.
1337 *err = WTAP_ERR_BAD_FILE;
1338 *err_info = g_strdup("ngsniffer: Record length is less than packet size");
1339 return false;
1343 * The maximum value of length is 65535, which is less than
1344 * WTAP_MAX_PACKET_SIZE_STANDARD will ever be, so we don't need to check
1345 * it.
1347 if (padding != NULL) {
1349 * Padding, if the frame data size is less than what's
1350 * left of the record.
1352 *padding = rec_length_remaining - size;
1355 rec->presence_flags |= true_size ? WTAP_HAS_TS|WTAP_HAS_CAP_LEN : WTAP_HAS_TS;
1356 rec->rec_header.packet_header.len = true_size ? true_size : size;
1357 rec->rec_header.packet_header.caplen = size;
1360 * Read the packet data.
1362 ws_buffer_assure_space(buf, size);
1363 if (!ng_read_bytes(wth, ws_buffer_start_ptr(buf), size, is_random,
1364 err, err_info))
1365 return false;
1367 rec->rec_header.packet_header.pkt_encap = fix_pseudo_header(wth->file_encap,
1368 buf, size, &rec->rec_header.packet_header.pseudo_header);
1371 * 40-bit time stamp, in units of timeunit picoseconds.
1373 t = (((uint64_t)time_high)<<32) | (((uint64_t)time_med) << 16) | time_low;
1376 * timeunit is always < 2^(64-40), so t * timeunit fits in 64
1377 * bits. That gives a 64-bit time stamp, in units of
1378 * picoseconds.
1380 t *= ngsniffer->timeunit;
1383 * Convert to seconds and picoseconds.
1385 tsecs = t/UINT64_C(1000000000000);
1386 tpsecs = t - tsecs*UINT64_C(1000000000000);
1389 * Add in the time_day value (86400 seconds/day).
1391 tsecs += time_day*86400;
1394 * Add in the capture start time.
1396 tsecs += ngsniffer->start;
1398 rec->ts.secs = (time_t)tsecs;
1399 rec->ts.nsecs = (int)(tpsecs/1000); /* psecs to nsecs */
1401 return true; /* success */
1404 static void
1405 set_metadata_frame2(wtap *wth, wtap_rec *rec, struct frame2_rec *frame2)
1407 ngsniffer_t *ngsniffer;
1408 uint32_t pack_flags;
1409 union wtap_pseudo_header *pseudo_header;
1411 ngsniffer = (ngsniffer_t *)wth->priv;
1414 * In one PPP "Internetwork analyzer" capture:
1416 * The only bit seen in "frame2.fs" is the 0x80 bit, which
1417 * probably indicates the packet's direction; all other
1418 * bits were zero. The Expert Sniffer Network Analyzer
1419 * 5.50 Operations manual says that bit is the FS_DTE bit
1420 * for async/PPP data. The other bits are error bits
1421 * plus bits indicating whether the frame is PPP or SLIP,
1422 * but the PPP bit isn't set.
1424 * All bits in "frame2.flags" were zero.
1426 * In one X.25 "Internetwork analyzer" capture:
1428 * The only bit seen in "frame2.fs" is the 0x80 bit, which
1429 * probably indicates the packet's direction; all other
1430 * bits were zero.
1432 * "frame2.flags" was always 0x18; however, the Sniffer
1433 * manual says that just means that a display filter was
1434 * calculated for the frame, and it should be displayed,
1435 * so perhaps that's just a quirk of that particular capture.
1437 * In one Ethernet capture:
1439 * "frame2.fs" was always 0; the Sniffer manual says they're
1440 * error bits of various sorts.
1442 * "frame2.flags" was either 0 or 0x18, with no obvious
1443 * correlation with anything. See previous comment
1444 * about display filters.
1446 * In one Token Ring capture:
1448 * "frame2.fs" was either 0 or 0xcc; the Sniffer manual says
1449 * nothing about those bits for Token Ring captures.
1451 * "frame2.flags" was either 0 or 0x18, with no obvious
1452 * correlation with anything. See previous comment
1453 * about display filters.
1455 switch (ngsniffer->network) {
1457 case NETWORK_ENET:
1458 pack_flags = 0;
1459 if (frame2->fs & FS_ETH_CRC)
1460 pack_flags |= PACK_FLAGS_CRC_ERROR;
1461 if (frame2->fs & FS_ETH_ALIGN)
1462 pack_flags |= PACK_FLAGS_UNALIGNED_FRAME;
1463 if (frame2->fs & FS_ETH_RUNT)
1464 pack_flags |= PACK_FLAGS_PACKET_TOO_SHORT;
1465 wtap_block_add_uint32_option(rec->block, OPT_PKT_FLAGS, pack_flags);
1466 break;
1468 case NETWORK_FDDI:
1469 pack_flags = 0;
1470 if (!(frame2->fs & FS_FDDI_INVALID) &&
1471 (frame2->fs & (FS_FDDI_PCI_CRC|FS_FDDI_ISA_CRC)))
1472 pack_flags |= PACK_FLAGS_CRC_ERROR;
1473 wtap_block_add_uint32_option(rec->block, OPT_PKT_FLAGS, pack_flags);
1474 break;
1476 case NETWORK_SYNCHRO:
1477 pack_flags = 0;
1478 if (frame2->fs & FS_SYNC_CRC)
1479 pack_flags |= PACK_FLAGS_CRC_ERROR;
1480 wtap_block_add_uint32_option(rec->block, OPT_PKT_FLAGS, pack_flags);
1481 break;
1484 pseudo_header = &rec->rec_header.packet_header.pseudo_header;
1485 switch (wth->file_encap) {
1487 case WTAP_ENCAP_ETHERNET:
1489 * XXX - do we ever have an FCS? If not, why do we often
1490 * have 4 extra bytes of stuff at the end? Do some
1491 * PC Ethernet interfaces report the length including the
1492 * FCS but not store the FCS in the packet, or do some
1493 * Ethernet drivers work that way?
1495 pseudo_header->eth.fcs_len = 0;
1496 break;
1498 case WTAP_ENCAP_PPP_WITH_PHDR:
1499 case WTAP_ENCAP_SDLC:
1500 pseudo_header->p2p.sent = (frame2->fs & FS_WAN_DTE) ? true : false;
1501 break;
1503 case WTAP_ENCAP_LAPB:
1504 case WTAP_ENCAP_FRELAY_WITH_PHDR:
1505 case WTAP_ENCAP_PER_PACKET:
1506 pseudo_header->dte_dce.flags = (frame2->fs & FS_WAN_DTE) ? 0x00 : FROM_DCE;
1507 break;
1509 case WTAP_ENCAP_ISDN:
1510 pseudo_header->isdn.uton = (frame2->fs & FS_WAN_DTE) ? false : true;
1511 switch (frame2->fs & FS_ISDN_CHAN_MASK) {
1513 case FS_ISDN_CHAN_D:
1514 pseudo_header->isdn.channel = 0; /* D-channel */
1515 break;
1517 case FS_ISDN_CHAN_B1:
1518 pseudo_header->isdn.channel = 1; /* B1-channel */
1519 break;
1521 case FS_ISDN_CHAN_B2:
1522 pseudo_header->isdn.channel = 2; /* B2-channel */
1523 break;
1525 default:
1526 pseudo_header->isdn.channel = 30; /* XXX */
1527 break;
1532 static void
1533 set_pseudo_header_frame4(union wtap_pseudo_header *pseudo_header,
1534 struct frame4_rec *frame4)
1536 uint32_t StatusWord;
1537 uint8_t aal_type, hl_type;
1538 uint16_t vpi, vci;
1541 * Map flags from frame4.atm_info.StatusWord.
1543 pseudo_header->atm.flags = 0;
1544 StatusWord = pletoh32(&frame4->atm_info.StatusWord);
1545 if (StatusWord & SW_RAW_CELL)
1546 pseudo_header->atm.flags |= ATM_RAW_CELL;
1548 aal_type = frame4->atm_info.AppTrafType & ATT_AALTYPE;
1549 hl_type = frame4->atm_info.AppTrafType & ATT_HLTYPE;
1550 vpi = pletoh16(&frame4->atm_info.Vpi);
1551 vci = pletoh16(&frame4->atm_info.Vci);
1553 switch (aal_type) {
1555 case ATT_AAL_UNKNOWN:
1557 * Map ATT_AAL_UNKNOWN on VPI 0, VCI 5 to ATT_AAL_SIGNALLING,
1558 * as that's the VPCI used for signalling.
1560 * XXX - is this necessary, or will frames to 0/5 always
1561 * have ATT_AAL_SIGNALLING?
1563 if (vpi == 0 && vci == 5)
1564 pseudo_header->atm.aal = AAL_SIGNALLING;
1565 else
1566 pseudo_header->atm.aal = AAL_UNKNOWN;
1567 pseudo_header->atm.type = TRAF_UNKNOWN;
1568 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1569 break;
1571 case ATT_AAL1:
1572 pseudo_header->atm.aal = AAL_1;
1573 pseudo_header->atm.type = TRAF_UNKNOWN;
1574 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1575 break;
1577 case ATT_AAL3_4:
1578 pseudo_header->atm.aal = AAL_3_4;
1579 pseudo_header->atm.type = TRAF_UNKNOWN;
1580 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1581 break;
1583 case ATT_AAL5:
1584 pseudo_header->atm.aal = AAL_5;
1585 switch (hl_type) {
1587 case ATT_HL_UNKNOWN:
1588 pseudo_header->atm.type = TRAF_UNKNOWN;
1589 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1590 break;
1592 case ATT_HL_LLCMX:
1593 pseudo_header->atm.type = TRAF_LLCMX;
1594 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1595 break;
1597 case ATT_HL_VCMX:
1598 pseudo_header->atm.type = TRAF_VCMX;
1599 switch (frame4->atm_info.AppHLType) {
1601 case AHLT_UNKNOWN:
1602 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1603 break;
1605 case AHLT_VCMX_802_3_FCS:
1606 pseudo_header->atm.subtype =
1607 TRAF_ST_VCMX_802_3_FCS;
1608 break;
1610 case AHLT_VCMX_802_4_FCS:
1611 pseudo_header->atm.subtype =
1612 TRAF_ST_VCMX_802_4_FCS;
1613 break;
1615 case AHLT_VCMX_802_5_FCS:
1616 pseudo_header->atm.subtype =
1617 TRAF_ST_VCMX_802_5_FCS;
1618 break;
1620 case AHLT_VCMX_FDDI_FCS:
1621 pseudo_header->atm.subtype =
1622 TRAF_ST_VCMX_FDDI_FCS;
1623 break;
1625 case AHLT_VCMX_802_6_FCS:
1626 pseudo_header->atm.subtype =
1627 TRAF_ST_VCMX_802_6_FCS;
1628 break;
1630 case AHLT_VCMX_802_3:
1631 pseudo_header->atm.subtype = TRAF_ST_VCMX_802_3;
1632 break;
1634 case AHLT_VCMX_802_4:
1635 pseudo_header->atm.subtype = TRAF_ST_VCMX_802_4;
1636 break;
1638 case AHLT_VCMX_802_5:
1639 pseudo_header->atm.subtype = TRAF_ST_VCMX_802_5;
1640 break;
1642 case AHLT_VCMX_FDDI:
1643 pseudo_header->atm.subtype = TRAF_ST_VCMX_FDDI;
1644 break;
1646 case AHLT_VCMX_802_6:
1647 pseudo_header->atm.subtype = TRAF_ST_VCMX_802_6;
1648 break;
1650 case AHLT_VCMX_FRAGMENTS:
1651 pseudo_header->atm.subtype =
1652 TRAF_ST_VCMX_FRAGMENTS;
1653 break;
1655 case AHLT_VCMX_BPDU:
1656 pseudo_header->atm.subtype = TRAF_ST_VCMX_BPDU;
1657 break;
1659 default:
1660 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1661 break;
1663 break;
1665 case ATT_HL_LANE:
1666 pseudo_header->atm.type = TRAF_LANE;
1667 switch (frame4->atm_info.AppHLType) {
1669 case AHLT_UNKNOWN:
1670 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1671 break;
1673 case AHLT_LANE_LE_CTRL:
1674 pseudo_header->atm.subtype =
1675 TRAF_ST_LANE_LE_CTRL;
1676 break;
1678 case AHLT_LANE_802_3:
1679 pseudo_header->atm.subtype = TRAF_ST_LANE_802_3;
1680 break;
1682 case AHLT_LANE_802_5:
1683 pseudo_header->atm.subtype = TRAF_ST_LANE_802_5;
1684 break;
1686 case AHLT_LANE_802_3_MC:
1687 pseudo_header->atm.subtype =
1688 TRAF_ST_LANE_802_3_MC;
1689 break;
1691 case AHLT_LANE_802_5_MC:
1692 pseudo_header->atm.subtype =
1693 TRAF_ST_LANE_802_5_MC;
1694 break;
1696 default:
1697 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1698 break;
1700 break;
1702 case ATT_HL_ILMI:
1703 pseudo_header->atm.type = TRAF_ILMI;
1704 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1705 break;
1707 case ATT_HL_FRMR:
1708 pseudo_header->atm.type = TRAF_FR;
1709 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1710 break;
1712 case ATT_HL_SPANS:
1713 pseudo_header->atm.type = TRAF_SPANS;
1714 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1715 break;
1717 case ATT_HL_IPSILON:
1718 pseudo_header->atm.type = TRAF_IPSILON;
1719 switch (frame4->atm_info.AppHLType) {
1721 case AHLT_UNKNOWN:
1722 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1723 break;
1725 case AHLT_IPSILON_FT0:
1726 pseudo_header->atm.subtype =
1727 TRAF_ST_IPSILON_FT0;
1728 break;
1730 case AHLT_IPSILON_FT1:
1731 pseudo_header->atm.subtype =
1732 TRAF_ST_IPSILON_FT1;
1733 break;
1735 case AHLT_IPSILON_FT2:
1736 pseudo_header->atm.subtype =
1737 TRAF_ST_IPSILON_FT2;
1738 break;
1740 default:
1741 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1742 break;
1744 break;
1746 default:
1747 pseudo_header->atm.type = TRAF_UNKNOWN;
1748 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1749 break;
1751 break;
1753 case ATT_AAL_USER:
1754 pseudo_header->atm.aal = AAL_USER;
1755 pseudo_header->atm.type = TRAF_UNKNOWN;
1756 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1757 break;
1759 case ATT_AAL_SIGNALLING:
1760 pseudo_header->atm.aal = AAL_SIGNALLING;
1761 pseudo_header->atm.type = TRAF_UNKNOWN;
1762 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1763 break;
1765 case ATT_OAMCELL:
1766 pseudo_header->atm.aal = AAL_OAMCELL;
1767 pseudo_header->atm.type = TRAF_UNKNOWN;
1768 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1769 break;
1771 default:
1772 pseudo_header->atm.aal = AAL_UNKNOWN;
1773 pseudo_header->atm.type = TRAF_UNKNOWN;
1774 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1775 break;
1777 pseudo_header->atm.vpi = vpi;
1778 pseudo_header->atm.vci = vci;
1779 pseudo_header->atm.channel = pletoh16(&frame4->atm_info.channel);
1780 pseudo_header->atm.cells = pletoh16(&frame4->atm_info.cells);
1781 pseudo_header->atm.aal5t_u2u = pletoh16(&frame4->atm_info.Trailer.aal5t_u2u);
1782 pseudo_header->atm.aal5t_len = pletoh16(&frame4->atm_info.Trailer.aal5t_len);
1783 pseudo_header->atm.aal5t_chksum = pntoh32(&frame4->atm_info.Trailer.aal5t_chksum);
1786 static void
1787 set_pseudo_header_frame6(wtap *wth, union wtap_pseudo_header *pseudo_header,
1788 struct frame6_rec *frame6 _U_)
1790 /* XXX - Once the frame format is divined, something will most likely go here */
1792 switch (wth->file_encap) {
1794 case WTAP_ENCAP_ETHERNET:
1795 /* XXX - is there an FCS? */
1796 pseudo_header->eth.fcs_len = -1;
1797 break;
1802 * OK, this capture is from an "Internetwork analyzer", and we either
1803 * didn't see a type 7 record or it had a network type such as NET_HDLC
1804 * that doesn't tell us which *particular* HDLC derivative this is;
1805 * let's look at the first few bytes of the packet, a pointer to which
1806 * was passed to us as an argument, and see whether it looks like PPP,
1807 * Frame Relay, Wellfleet HDLC, Cisco HDLC, or LAPB - or, if it's none
1808 * of those, assume it's LAPD.
1810 * (XXX - are there any "Internetwork analyzer" captures that don't
1811 * have type 7 records? If so, is there some other field that will
1812 * tell us what type of capture it is?)
1814 static int
1815 infer_pkt_encap(const uint8_t *pd, int len)
1817 int i;
1819 if (len <= 0) {
1821 * Nothing to infer, but it doesn't matter how you
1822 * dissect an empty packet. Let's just say PPP.
1824 return WTAP_ENCAP_PPP_WITH_PHDR;
1827 if (pd[0] == 0xFF) {
1829 * PPP. (XXX - check for 0xFF 0x03?)
1831 return WTAP_ENCAP_PPP_WITH_PHDR;
1834 if (len >= 2) {
1835 if (pd[0] == 0x07 && pd[1] == 0x03) {
1837 * Wellfleet HDLC.
1839 return WTAP_ENCAP_WFLEET_HDLC;
1840 } else if ((pd[0] == 0x0F && pd[1] == 0x00) ||
1841 (pd[0] == 0x8F && pd[1] == 0x00)) {
1843 * Cisco HDLC.
1845 return WTAP_ENCAP_CHDLC_WITH_PHDR;
1849 * Check for Frame Relay. Look for packets with at least
1850 * 3 bytes of header - 2 bytes of DLCI followed by 1 byte
1851 * of control, which, for now, we require to be 0x03 (UI),
1852 * although there might be other frame types as well.
1853 * Scan forward until we see the last DLCI byte, with
1854 * the low-order bit being 1, and then check the next
1855 * byte, if it exists, to see if it's a control byte.
1857 * XXX - in version 4 and 5 captures, wouldn't this just
1858 * have a capture subtype of NET_FRAME_RELAY? Or is this
1859 * here only to handle other versions of the capture
1860 * file, where we might just not yet have found where
1861 * the subtype is specified in the capture?
1863 * Bay Networks/Nortel Networks had a mechanism in the Optivity
1864 * software for some of their routers to save captures
1865 * in Sniffer format; they use a version number of 4.9, but
1866 * don't put out any header records before the first FRAME2
1867 * record. That means we have to use heuristics to guess
1868 * what type of packet we have.
1870 for (i = 0; i < len && (pd[i] & 0x01) == 0; i++)
1872 if (i >= len - 1) {
1874 * Either all the bytes have the low-order bit
1875 * clear, so we didn't even find the last DLCI
1876 * byte, or the very last byte had the low-order
1877 * bit set, so, if that's a DLCI, it fills the
1878 * buffer, so there is no control byte after
1879 * the last DLCI byte.
1881 return WTAP_ENCAP_LAPB;
1883 i++; /* advance to the byte after the last DLCI byte */
1884 if (pd[i] == 0x03)
1885 return WTAP_ENCAP_FRELAY_WITH_PHDR;
1889 * Assume LAPB, for now. If we support other HDLC encapsulations,
1890 * we can check whether the low-order bit of the first byte is
1891 * set (as it should be for LAPB) if no other checks pass.
1893 * Or, if it's truly impossible to distinguish ISDN from non-ISDN
1894 * captures, we could assume it's ISDN if it's not anything
1895 * else.
1897 return WTAP_ENCAP_LAPB;
1900 static int
1901 fix_pseudo_header(int encap, Buffer *buf, int len,
1902 union wtap_pseudo_header *pseudo_header)
1904 const uint8_t *pd;
1906 pd = ws_buffer_start_ptr(buf);
1907 switch (encap) {
1909 case WTAP_ENCAP_PER_PACKET:
1911 * Infer the packet type from the first two bytes.
1913 encap = infer_pkt_encap(pd, len);
1916 * Fix up the pseudo-header to match the new
1917 * encapsulation type.
1919 switch (encap) {
1921 case WTAP_ENCAP_WFLEET_HDLC:
1922 case WTAP_ENCAP_CHDLC_WITH_PHDR:
1923 case WTAP_ENCAP_PPP_WITH_PHDR:
1924 if (pseudo_header->dte_dce.flags == 0)
1925 pseudo_header->p2p.sent = true;
1926 else
1927 pseudo_header->p2p.sent = false;
1928 break;
1930 case WTAP_ENCAP_ISDN:
1931 if (pseudo_header->dte_dce.flags == 0x00)
1932 pseudo_header->isdn.uton = false;
1933 else
1934 pseudo_header->isdn.uton = true;
1937 * XXX - this is currently a per-packet
1938 * encapsulation type, and we can't determine
1939 * whether a capture is an ISDN capture before
1940 * seeing any packets, and B-channel PPP packets
1941 * look like PPP packets and are given
1942 * WTAP_ENCAP_PPP_WITH_PHDR, not WTAP_ENCAP_ISDN,
1943 * so we assume this is a D-channel packet and
1944 * thus give it a channel number of 0.
1946 pseudo_header->isdn.channel = 0;
1947 break;
1949 break;
1951 case WTAP_ENCAP_ATM_PDUS:
1953 * If the Windows Sniffer writes out one of its ATM
1954 * capture files in DOS Sniffer format, it doesn't
1955 * distinguish between LE Control and LANE encapsulated
1956 * LAN frames, it just marks them as LAN frames,
1957 * so we fix that up here.
1959 * I've also seen DOS Sniffer captures claiming that
1960 * LANE packets that *don't* start with FF 00 are
1961 * marked as LE Control frames, so we fix that up
1962 * as well.
1964 if (pseudo_header->atm.type == TRAF_LANE && len >= 2) {
1965 if (pd[0] == 0xff && pd[1] == 0x00) {
1967 * This must be LE Control.
1969 pseudo_header->atm.subtype =
1970 TRAF_ST_LANE_LE_CTRL;
1971 } else {
1973 * This can't be LE Control.
1975 if (pseudo_header->atm.subtype ==
1976 TRAF_ST_LANE_LE_CTRL) {
1978 * XXX - Ethernet or Token Ring?
1980 pseudo_header->atm.subtype =
1981 TRAF_ST_LANE_802_3;
1985 break;
1987 return encap;
1990 /* Throw away the buffers used by the sequential I/O stream, but not
1991 those used by the random I/O stream. */
1992 static void
1993 ngsniffer_sequential_close(wtap *wth)
1995 ngsniffer_t *ngsniffer;
1997 ngsniffer = (ngsniffer_t *)wth->priv;
1998 if (ngsniffer->seq.buf != NULL) {
1999 g_free(ngsniffer->seq.buf);
2000 ngsniffer->seq.buf = NULL;
2004 static void
2005 free_blob(void *data, void *user_data _U_)
2007 g_free(data);
2010 /* Close stuff used by the random I/O stream, if any, and free up any
2011 private data structures. (If there's a "sequential_close" routine
2012 for a capture file type, it'll be called before the "close" routine
2013 is called, so we don't have to free the sequential buffer here.) */
2014 static void
2015 ngsniffer_close(wtap *wth)
2017 ngsniffer_t *ngsniffer;
2019 ngsniffer = (ngsniffer_t *)wth->priv;
2020 g_free(ngsniffer->rand.buf);
2021 g_list_foreach(ngsniffer->first_blob, free_blob, NULL);
2022 g_list_free(ngsniffer->first_blob);
2025 typedef struct {
2026 bool first_frame;
2027 time_t start;
2028 } ngsniffer_dump_t;
2030 static const int wtap_encap[] = {
2031 -1, /* WTAP_ENCAP_UNKNOWN -> unsupported */
2032 1, /* WTAP_ENCAP_ETHERNET */
2033 0, /* WTAP_ENCAP_TOKEN_RING */
2034 -1, /* WTAP_ENCAP_SLIP -> unsupported */
2035 7, /* WTAP_ENCAP_PPP -> Internetwork analyzer (synchronous) FIXME ! */
2036 9, /* WTAP_ENCAP_FDDI */
2037 9, /* WTAP_ENCAP_FDDI_BITSWAPPED */
2038 -1, /* WTAP_ENCAP_RAW_IP -> unsupported */
2039 2, /* WTAP_ENCAP_ARCNET */
2040 -1, /* WTAP_ENCAP_ARCNET_LINUX -> unsupported */
2041 -1, /* WTAP_ENCAP_ATM_RFC1483 */
2042 -1, /* WTAP_ENCAP_LINUX_ATM_CLIP */
2043 7, /* WTAP_ENCAP_LAPB -> Internetwork analyzer (synchronous) */
2044 -1, /* WTAP_ENCAP_ATM_PDUS */
2045 -1, /* WTAP_ENCAP_NULL -> unsupported */
2046 -1, /* WTAP_ENCAP_ASCEND -> unsupported */
2047 -1, /* WTAP_ENCAP_ISDN -> unsupported */
2048 -1, /* WTAP_ENCAP_IP_OVER_FC -> unsupported */
2049 7, /* WTAP_ENCAP_PPP_WITH_PHDR -> Internetwork analyzer (synchronous) FIXME ! */
2051 #define NUM_WTAP_ENCAPS array_length(wtap_encap)
2053 /* Returns 0 if we could write the specified encapsulation type,
2054 an error indication otherwise. */
2055 static int
2056 ngsniffer_dump_can_write_encap(int encap)
2058 /* Per-packet encapsulations aren't supported. */
2059 if (encap == WTAP_ENCAP_PER_PACKET)
2060 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
2062 if (encap < 0 || (unsigned)encap >= NUM_WTAP_ENCAPS || wtap_encap[encap] == -1)
2063 return WTAP_ERR_UNWRITABLE_ENCAP;
2065 return 0;
2068 /* Returns true on success, false on failure; sets "*err" to an error code on
2069 failure */
2070 static bool
2071 ngsniffer_dump_open(wtap_dumper *wdh, int *err, char **err_info _U_)
2073 ngsniffer_dump_t *ngsniffer;
2074 char buf[6] = {REC_VERS, 0x00, 0x12, 0x00, 0x00, 0x00}; /* version record */
2076 /* This is a sniffer file */
2077 wdh->subtype_write = ngsniffer_dump;
2078 wdh->subtype_finish = ngsniffer_dump_finish;
2080 ngsniffer = g_new(ngsniffer_dump_t, 1);
2081 wdh->priv = (void *)ngsniffer;
2082 ngsniffer->first_frame = true;
2083 ngsniffer->start = 0;
2085 /* Write the file header. */
2086 if (!wtap_dump_file_write(wdh, ngsniffer_magic, sizeof ngsniffer_magic,
2087 err))
2088 return false;
2089 if (!wtap_dump_file_write(wdh, buf, 6, err))
2090 return false;
2092 return true;
2095 /* Write a record for a packet to a dump file.
2096 Returns true on success, false on failure. */
2097 static bool
2098 ngsniffer_dump(wtap_dumper *wdh, const wtap_rec *rec,
2099 const uint8_t *pd, int *err, char **err_info _U_)
2101 const union wtap_pseudo_header *pseudo_header = &rec->rec_header.packet_header.pseudo_header;
2102 ngsniffer_dump_t *ngsniffer = (ngsniffer_dump_t *)wdh->priv;
2103 struct frame2_rec rec_hdr;
2104 char buf[6];
2105 time_t tsecs;
2106 uint64_t t;
2107 uint16_t t_low, t_med;
2108 uint8_t t_high;
2109 struct vers_rec version;
2110 int16_t maj_vers, min_vers;
2111 uint16_t start_date;
2112 struct tm *tm;
2114 /* We can only write packet records. */
2115 if (rec->rec_type != REC_TYPE_PACKET) {
2116 *err = WTAP_ERR_UNWRITABLE_REC_TYPE;
2117 return false;
2121 * Make sure this packet doesn't have a link-layer type that
2122 * differs from the one for the file.
2124 if (wdh->file_encap != rec->rec_header.packet_header.pkt_encap) {
2125 *err = WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
2126 return false;
2129 /* The captured length field is 16 bits, so there's a hard
2130 limit of 65535. */
2131 if (rec->rec_header.packet_header.caplen > 65535) {
2132 *err = WTAP_ERR_PACKET_TOO_LARGE;
2133 return false;
2136 /* Sniffer files have a capture start date in the file header, and
2137 have times relative to the beginning of that day in the packet
2138 headers; pick the date of the first packet as the capture start
2139 date. */
2140 if (ngsniffer->first_frame) {
2141 ngsniffer->first_frame=false;
2142 tm = localtime(&rec->ts.secs);
2143 if (tm != NULL && tm->tm_year >= DOS_YEAR_OFFSET) {
2144 start_date = (tm->tm_year - DOS_YEAR_OFFSET) << DOS_YEAR_SHIFT;
2145 start_date |= (tm->tm_mon - DOS_MONTH_OFFSET) << DOS_MONTH_SHIFT;
2146 start_date |= tm->tm_mday << DOS_DAY_SHIFT;
2147 /* record the start date, not the start time */
2148 ngsniffer->start = rec->ts.secs - (3600*tm->tm_hour + 60*tm->tm_min + tm->tm_sec);
2149 } else {
2150 start_date = 0;
2151 ngsniffer->start = 0;
2154 /* "sniffer" version ? */
2155 maj_vers = 4;
2156 min_vers = 0;
2157 version.maj_vers = GUINT16_TO_LE(maj_vers);
2158 version.min_vers = GUINT16_TO_LE(min_vers);
2159 version.time_dos = 0;
2160 version.date = GUINT16_TO_LE(start_date);
2161 version.type = 4;
2162 version.network = wtap_encap[wdh->file_encap];
2163 version.format = 1;
2164 version.timeunit = 1; /* 0.838096 */
2165 version.cmprs_vers = 0;
2166 version.cmprs_level = 0;
2167 version.rsvd[0] = 0;
2168 version.rsvd[1] = 0;
2169 if (!wtap_dump_file_write(wdh, &version, sizeof version, err))
2170 return false;
2173 buf[0] = REC_FRAME2;
2174 buf[1] = 0x00;
2175 buf[2] = (char)((rec->rec_header.packet_header.caplen + sizeof(struct frame2_rec))%256);
2176 buf[3] = (char)((rec->rec_header.packet_header.caplen + sizeof(struct frame2_rec))/256);
2177 buf[4] = 0x00;
2178 buf[5] = 0x00;
2179 if (!wtap_dump_file_write(wdh, buf, 6, err))
2180 return false;
2181 /* Seconds since the start of the capture */
2182 tsecs = rec->ts.secs - ngsniffer->start;
2183 /* Extract the number of days since the start of the capture */
2184 rec_hdr.time_day = (uint8_t)(tsecs / 86400); /* # days of capture - 86400 secs/day */
2185 tsecs -= rec_hdr.time_day * 86400; /* time within day */
2186 /* Convert to picoseconds */
2187 t = tsecs*UINT64_C(1000000000000) +
2188 rec->ts.nsecs*UINT64_C(1000);
2189 /* Convert to units of timeunit = 1 */
2190 t /= Psec[1];
2191 t_low = (uint16_t)((t >> 0) & 0xFFFF);
2192 t_med = (uint16_t)((t >> 16) & 0xFFFF);
2193 t_high = (uint8_t)((t >> 32) & 0xFF);
2194 rec_hdr.time_low = GUINT16_TO_LE(t_low);
2195 rec_hdr.time_med = GUINT16_TO_LE(t_med);
2196 rec_hdr.time_high = t_high;
2197 rec_hdr.size = GUINT16_TO_LE(rec->rec_header.packet_header.caplen);
2198 switch (wdh->file_encap) {
2200 case WTAP_ENCAP_LAPB:
2201 case WTAP_ENCAP_FRELAY_WITH_PHDR:
2202 rec_hdr.fs = (pseudo_header->dte_dce.flags & FROM_DCE) ? 0x00 : FS_WAN_DTE;
2203 break;
2205 case WTAP_ENCAP_PPP_WITH_PHDR:
2206 case WTAP_ENCAP_SDLC:
2207 rec_hdr.fs = pseudo_header->p2p.sent ? 0x00 : FS_WAN_DTE;
2208 break;
2210 case WTAP_ENCAP_ISDN:
2211 rec_hdr.fs = pseudo_header->isdn.uton ? FS_WAN_DTE : 0x00;
2212 switch (pseudo_header->isdn.channel) {
2214 case 0: /* D-channel */
2215 rec_hdr.fs |= FS_ISDN_CHAN_D;
2216 break;
2218 case 1: /* B1-channel */
2219 rec_hdr.fs |= FS_ISDN_CHAN_B1;
2220 break;
2222 case 2: /* B2-channel */
2223 rec_hdr.fs |= FS_ISDN_CHAN_B2;
2224 break;
2226 break;
2228 default:
2229 rec_hdr.fs = 0;
2230 break;
2232 rec_hdr.flags = 0;
2233 rec_hdr.true_size = rec->rec_header.packet_header.len != rec->rec_header.packet_header.caplen ? GUINT16_TO_LE(rec->rec_header.packet_header.len) : 0;
2234 rec_hdr.rsvd = 0;
2235 if (!wtap_dump_file_write(wdh, &rec_hdr, sizeof rec_hdr, err))
2236 return false;
2237 if (!wtap_dump_file_write(wdh, pd, rec->rec_header.packet_header.caplen, err))
2238 return false;
2239 return true;
2242 /* Finish writing to a dump file.
2243 Returns true on success, false on failure. */
2244 static bool
2245 ngsniffer_dump_finish(wtap_dumper *wdh, int *err, char **err_info _U_)
2247 /* EOF record */
2248 char buf[6] = {REC_EOF, 0x00, 0x00, 0x00, 0x00, 0x00};
2250 if (!wtap_dump_file_write(wdh, buf, 6, err))
2251 return false;
2252 return true;
2256 SnifferDecompress() decompresses a blob of compressed data from a
2257 Sniffer(R) capture file.
2259 This function is Copyright (c) 1999-2999 Tim Farley
2261 Parameters
2262 inbuf - buffer of compressed bytes from file, not including
2263 the preceding length word
2264 inlen - length of inbuf in bytes (max 64k)
2265 outbuf - decompressed contents, could contain a partial Sniffer
2266 record at the end.
2267 outlen - length of outbuf.
2268 err - return error code here
2269 err_info - for WTAP_ERR_DECOMPRESS, return descriptive string here
2271 Return value is the number of bytes in outbuf on return.
2275 * Make sure we have at least "length" bytes remaining
2276 * in the input buffer.
2278 #define CHECK_INPUT_POINTER( length ) \
2279 if ( pin + (length - 1) >= pin_end ) \
2281 *err = WTAP_ERR_DECOMPRESS; \
2282 *err_info = g_strdup("ngsniffer: Compressed data item goes past the end of the compressed block"); \
2283 return ( -1 ); \
2287 * Make sure the byte containing the high order part of a buffer
2288 * offset is present.
2290 * If it is, then fetch it and combine it with the low-order part.
2292 #define FETCH_OFFSET_HIGH \
2293 CHECK_INPUT_POINTER( 1 ); \
2294 offset = code_low + ((unsigned int)(*pin++) << 4) + 3;
2297 * Make sure the output buffer is big enough to get "length"
2298 * bytes added to it.
2300 #define CHECK_OUTPUT_LENGTH( length ) \
2301 if ( pout + length > pout_end ) \
2303 *err = WTAP_ERR_UNC_OVERFLOW; \
2304 return ( -1 ); \
2308 * Make sure we have another byte to fetch, and then fetch it and
2309 * append it to the buffer "length" times.
2311 #define APPEND_RLE_BYTE( length ) \
2312 /* If length would put us past end of output, avoid overflow */ \
2313 CHECK_OUTPUT_LENGTH( length ); \
2314 CHECK_INPUT_POINTER( 1 ); \
2315 memset( pout, *pin++, length ); \
2316 pout += length;
2319 * Make sure the specified offset and length refer, in the output
2320 * buffer, to data that's entirely within the part of the output
2321 * buffer that we've already filled in.
2323 * Then append the string from the specified offset, with the
2324 * specified length, to the output buffer.
2326 #define APPEND_LZW_STRING( offset, length ) \
2327 /* If length would put us past end of output, avoid overflow */ \
2328 CHECK_OUTPUT_LENGTH( length ); \
2329 /* Check if offset would put us back past begin of buffer */ \
2330 if ( pout - offset < outbuf ) \
2332 *err = WTAP_ERR_DECOMPRESS; \
2333 *err_info = g_strdup("ngsniffer: LZ77 compressed data has bad offset to string"); \
2334 return ( -1 ); \
2336 /* Check if offset would cause us to copy on top of ourselves */ \
2337 if ( pout - offset + length > pout ) \
2339 *err = WTAP_ERR_DECOMPRESS; \
2340 *err_info = g_strdup("ngsniffer: LZ77 compressed data has bad offset to string"); \
2341 return ( -1 ); \
2343 /* Copy the string from previous text to output position, \
2344 advance output pointer */ \
2345 memcpy( pout, pout - offset, length ); \
2346 pout += length;
2348 static int
2349 SnifferDecompress(unsigned char *inbuf, size_t inlen, unsigned char *outbuf,
2350 size_t outlen, int *err, char **err_info)
2352 unsigned char * pin = inbuf;
2353 unsigned char * pout = outbuf;
2354 unsigned char * pin_end = pin + inlen;
2355 unsigned char * pout_end = pout + outlen;
2356 unsigned int bit_mask; /* one bit is set in this, to mask with bit_value */
2357 unsigned int bit_value = 0; /* cache the last 16 coding bits we retrieved */
2358 unsigned int code_type; /* encoding type, from high 4 bits of byte */
2359 unsigned int code_low; /* other 4 bits from encoding byte */
2360 int length; /* length of RLE sequence or repeated string */
2361 int offset; /* offset of string to repeat */
2363 if (inlen > UINT16_MAX) {
2364 return ( -1 );
2367 bit_mask = 0; /* don't have any bits yet */
2368 /* Process until we've consumed all the input */
2369 while (pin < pin_end)
2371 /* Shift down the bit mask we use to see what's encoded */
2372 bit_mask = bit_mask >> 1;
2374 /* If there are no bits left, time to get another 16 bits */
2375 if ( 0 == bit_mask )
2377 /* make sure there are at least *three* bytes
2378 available - the two bytes of the bit value,
2379 plus one byte after it */
2380 CHECK_INPUT_POINTER( 3 );
2381 bit_mask = 0x8000; /* start with the high bit */
2382 bit_value = pletoh16(pin); /* get the next 16 bits */
2383 pin += 2; /* skip over what we just grabbed */
2386 /* Use the bits in bit_value to see what's encoded and what is raw data */
2387 if ( !(bit_mask & bit_value) )
2389 /* bit not set - raw byte we just copy */
2391 /* If length would put us past end of output, avoid overflow */
2392 CHECK_OUTPUT_LENGTH( 1 );
2393 *(pout++) = *(pin++);
2395 else
2397 /* bit set - next item is encoded. Peel off high nybble
2398 of next byte to see the encoding type. Set aside low
2399 nybble while we are at it */
2400 code_type = (unsigned int) ((*pin) >> 4 ) & 0xF;
2401 code_low = (unsigned int) ((*pin) & 0xF );
2402 pin++; /* increment over the code byte we just retrieved */
2404 /* Based on the code type, decode the compressed string */
2405 switch ( code_type )
2407 case 0 : /* RLE short runs */
2409 Run length is the low nybble of the first code byte.
2410 Byte to repeat immediately follows.
2411 Total code size: 2 bytes.
2413 length = code_low + 3;
2415 /* check the length and then, if it's OK,
2416 generate the repeated series of bytes */
2417 APPEND_RLE_BYTE( length );
2418 break;
2419 case 1 : /* RLE long runs */
2421 Low 4 bits of run length is the low nybble of the
2422 first code byte, upper 8 bits of run length is in
2423 the next byte.
2424 Byte to repeat immediately follows.
2425 Total code size: 3 bytes.
2427 CHECK_INPUT_POINTER( 1 );
2428 length = code_low + ((unsigned int)(*pin++) << 4) + 19;
2430 /* check the length and then, if it's OK,
2431 generate the repeated series of bytes */
2432 APPEND_RLE_BYTE( length );
2433 break;
2434 case 2 : /* LZ77 long strings */
2436 Low 4 bits of offset to string is the low nybble of the
2437 first code byte, upper 8 bits of offset is in
2438 the next byte.
2439 Length of string immediately follows.
2440 Total code size: 3 bytes.
2442 FETCH_OFFSET_HIGH;
2444 /* get length from next byte, make sure it won't overrun buf */
2445 CHECK_INPUT_POINTER( 1 );
2446 length = (unsigned int)(*pin++) + 16;
2448 /* check the offset and length and then, if
2449 they're OK, copy the data */
2450 APPEND_LZW_STRING( offset, length );
2451 break;
2452 default : /* (3 to 15): LZ77 short strings */
2454 Low 4 bits of offset to string is the low nybble of the
2455 first code byte, upper 8 bits of offset is in
2456 the next byte.
2457 Length of string to repeat is overloaded into code_type.
2458 Total code size: 2 bytes.
2460 FETCH_OFFSET_HIGH;
2462 /* get length from code_type */
2463 length = code_type;
2465 /* check the offset and length and then, if
2466 they're OK, copy the data */
2467 APPEND_LZW_STRING( offset, length );
2468 break;
2473 return (int) ( pout - outbuf ); /* return length of expanded text */
2477 * XXX - is there any guarantee that 65535 bytes is big enough to hold the
2478 * uncompressed data from any blob?
2480 #define OUTBUF_SIZE 65536
2481 #define INBUF_SIZE 65536
2483 /* Information about a compressed blob; we save the offset in the
2484 underlying compressed file, and the offset in the uncompressed data
2485 stream, of the blob. */
2486 typedef struct {
2487 int64_t blob_comp_offset;
2488 int64_t blob_uncomp_offset;
2489 } blob_info_t;
2491 static bool
2492 ng_read_bytes_or_eof(wtap *wth, void *buffer, unsigned int nbytes, bool is_random,
2493 int *err, char **err_info)
2495 ngsniffer_t *ngsniffer;
2496 FILE_T infile;
2497 ngsniffer_comp_stream_t *comp_stream;
2498 unsigned char *outbuffer = (unsigned char *)buffer; /* where to write next decompressed data */
2499 blob_info_t *blob;
2500 unsigned int bytes_to_copy;
2501 unsigned int bytes_left;
2503 ngsniffer = (ngsniffer_t *)wth->priv;
2504 if (is_random) {
2505 infile = wth->random_fh;
2506 comp_stream = &ngsniffer->rand;
2507 } else {
2508 infile = wth->fh;
2509 comp_stream = &ngsniffer->seq;
2512 if (!ngsniffer->is_compressed) {
2513 /* Uncompressed - just read bytes */
2514 if (!wtap_read_bytes_or_eof(infile, buffer, nbytes, err, err_info))
2515 return false;
2516 comp_stream->uncomp_offset += nbytes;
2517 comp_stream->comp_offset += nbytes;
2518 return true;
2522 * Compressed.
2524 * Allocate the stream buffer if it hasn't already been allocated.
2526 if (comp_stream->buf == NULL) {
2527 comp_stream->buf = (unsigned char *)g_malloc(OUTBUF_SIZE);
2529 if (is_random) {
2530 /* This is the first read of the random file, so we're at
2531 the beginning of the sequence of blobs in the file
2532 (as we've not done any random reads yet to move the
2533 current position in the random stream); set the
2534 current blob to be the first blob. */
2535 ngsniffer->current_blob = ngsniffer->first_blob;
2536 } else {
2537 /* This is the first sequential read; if we also have a
2538 random stream open, allocate the first element for the
2539 list of blobs, and make it the last element as well. */
2540 if (wth->random_fh != NULL) {
2541 ws_assert(ngsniffer->first_blob == NULL);
2542 blob = g_new(blob_info_t,1);
2543 blob->blob_comp_offset = comp_stream->comp_offset;
2544 blob->blob_uncomp_offset = comp_stream->uncomp_offset;
2545 ngsniffer->first_blob = g_list_append(ngsniffer->first_blob,
2546 blob);
2547 ngsniffer->last_blob = ngsniffer->first_blob;
2551 /* Now read the first blob into the buffer. */
2552 if (!read_blob(infile, comp_stream, err, err_info))
2553 return false;
2555 while (nbytes > 0) {
2556 bytes_left = comp_stream->nbytes - comp_stream->nextout;
2557 if (bytes_left == 0) {
2558 /* There's no decompressed stuff left to copy from the current
2559 blob; get the next blob. */
2561 if (is_random) {
2562 /* Move to the next blob in the list. */
2563 ngsniffer->current_blob = g_list_next(ngsniffer->current_blob);
2564 if (!ngsniffer->current_blob) {
2566 * XXX - this "can't happen"; we should have a
2567 * blob for every byte in the file.
2569 *err = WTAP_ERR_CANT_SEEK;
2570 return false;
2572 } else {
2573 /* If we also have a random stream open, add a new element,
2574 for this blob, to the list of blobs; we know the list is
2575 non-empty, as we initialized it on the first sequential
2576 read, so we just add the new element at the end, and
2577 adjust the pointer to the last element to refer to it. */
2578 if (wth->random_fh != NULL) {
2579 blob = g_new(blob_info_t,1);
2580 blob->blob_comp_offset = comp_stream->comp_offset;
2581 blob->blob_uncomp_offset = comp_stream->uncomp_offset;
2582 ngsniffer->last_blob = g_list_append(ngsniffer->last_blob,
2583 blob);
2587 if (!read_blob(infile, comp_stream, err, err_info))
2588 return false;
2589 bytes_left = comp_stream->nbytes - comp_stream->nextout;
2592 bytes_to_copy = nbytes;
2593 if (bytes_to_copy > bytes_left)
2594 bytes_to_copy = bytes_left;
2595 memcpy(outbuffer, &comp_stream->buf[comp_stream->nextout],
2596 bytes_to_copy);
2597 nbytes -= bytes_to_copy;
2598 outbuffer += bytes_to_copy;
2599 comp_stream->nextout += bytes_to_copy;
2600 comp_stream->uncomp_offset += bytes_to_copy;
2602 return true;
2605 static bool
2606 ng_read_bytes(wtap *wth, void *buffer, unsigned int nbytes, bool is_random,
2607 int *err, char **err_info)
2609 if (!ng_read_bytes_or_eof(wth, buffer, nbytes, is_random, err, err_info)) {
2611 * In this case, even reading zero bytes, because we're at
2612 * the end of the file, is a short read.
2614 if (*err == 0)
2615 *err = WTAP_ERR_SHORT_READ;
2616 return false;
2618 return true;
2621 /* Read a blob from a compressed stream.
2622 Return false and set "*err" and "*err_info" on error, otherwise return true. */
2623 static bool
2624 read_blob(FILE_T infile, ngsniffer_comp_stream_t *comp_stream, int *err,
2625 char **err_info)
2627 int in_len;
2628 unsigned short blob_len;
2629 int16_t blob_len_host;
2630 bool uncompressed;
2631 unsigned char *file_inbuf;
2632 int out_len;
2634 /* Read one 16-bit word which is length of next compressed blob */
2635 if (!wtap_read_bytes_or_eof(infile, &blob_len, 2, err, err_info))
2636 return false;
2637 comp_stream->comp_offset += 2;
2638 blob_len_host = pletoh16(&blob_len);
2640 /* Compressed or uncompressed? */
2641 if (blob_len_host < 0) {
2642 /* Uncompressed blob; blob length is absolute value of the number. */
2643 in_len = -blob_len_host;
2644 uncompressed = true;
2645 } else {
2646 in_len = blob_len_host;
2647 uncompressed = false;
2650 file_inbuf = (unsigned char *)g_malloc(INBUF_SIZE);
2652 /* Read the blob */
2653 if (!wtap_read_bytes(infile, file_inbuf, in_len, err, err_info)) {
2654 g_free(file_inbuf);
2655 return false;
2657 comp_stream->comp_offset += in_len;
2659 if (uncompressed) {
2660 memcpy(comp_stream->buf, file_inbuf, in_len);
2661 out_len = in_len;
2662 } else {
2663 /* Decompress the blob */
2664 out_len = SnifferDecompress(file_inbuf, in_len,
2665 comp_stream->buf, OUTBUF_SIZE, err,
2666 err_info);
2667 if (out_len < 0) {
2668 g_free(file_inbuf);
2669 return false;
2673 g_free(file_inbuf);
2674 comp_stream->nextout = 0;
2675 comp_stream->nbytes = out_len;
2676 return true;
2679 /* Skip some number of bytes forward in the sequential stream. */
2680 static bool
2681 ng_skip_bytes_seq(wtap *wth, unsigned int count, int *err, char **err_info)
2683 ngsniffer_t *ngsniffer;
2684 char *buf;
2685 unsigned int amount_to_read;
2687 ngsniffer = (ngsniffer_t *)wth->priv;
2689 if (!ngsniffer->is_compressed) {
2690 /* Uncompressed - just read forward and discard data */
2691 ngsniffer->seq.uncomp_offset += count;
2692 return wtap_read_bytes(wth->fh, NULL, count, err, err_info);
2696 * Compressed.
2698 * Now read and discard "count" bytes.
2700 buf = (char *)g_malloc(INBUF_SIZE);
2701 while (count != 0) {
2702 if (count > INBUF_SIZE)
2703 amount_to_read = INBUF_SIZE;
2704 else
2705 amount_to_read = count;
2707 if (!ng_read_bytes(wth, buf, amount_to_read, false, err, err_info)) {
2708 g_free(buf);
2709 return false; /* error */
2712 count -= amount_to_read;
2715 g_free(buf);
2716 return true;
2719 /* Seek to a given offset in the random data stream.
2721 On compressed files, we see whether we're seeking to a position within
2722 the blob we currently have in memory and, if not, we find in the list
2723 of blobs the last blob that starts at or before the position to which
2724 we're seeking, and read that blob in. We can then move to the appropriate
2725 position within the blob we have in memory (whether it's the blob we
2726 already had in memory or, if necessary, the one we read in). */
2727 static bool
2728 ng_file_seek_rand(wtap *wth, int64_t offset, int *err, char **err_info)
2730 ngsniffer_t *ngsniffer;
2731 int64_t delta;
2732 GList *new_list, *next_list;
2733 blob_info_t *next_blob, *new_blob;
2735 ngsniffer = (ngsniffer_t *)wth->priv;
2737 if (!ngsniffer->is_compressed) {
2738 /* Uncompressed - just seek. */
2739 if (file_seek(wth->random_fh, offset, SEEK_SET, err) == -1)
2740 return false;
2741 return true;
2745 * Compressed.
2747 * How many *uncompressed* should we move forward or
2748 * backward?
2750 delta = offset - ngsniffer->rand.uncomp_offset;
2752 /* Is the place to which we're seeking within the current buffer, or
2753 will we have to read a different blob into the buffer? */
2754 new_list = NULL;
2755 if (delta > 0) {
2756 /* We're going forwards.
2757 Is the place to which we're seeking within the current buffer? */
2758 if ((size_t)(ngsniffer->rand.nextout + delta) >= ngsniffer->rand.nbytes) {
2759 /* No. Search for a blob that contains the target
2760 offset in the uncompressed byte stream. */
2761 if (ngsniffer->current_blob == NULL) {
2762 /* We haven't read anything from the random
2763 file yet, so we have no current blob;
2764 search all the blobs, starting with
2765 the first one. */
2766 new_list = ngsniffer->first_blob;
2767 } else {
2768 /* We're seeking forward, so start searching
2769 with the blob after the current one. */
2770 new_list = g_list_next(ngsniffer->current_blob);
2772 while (new_list) {
2773 next_list = g_list_next(new_list);
2774 if (next_list == NULL) {
2775 /* No more blobs; the current one is it. */
2776 break;
2779 next_blob = (blob_info_t *)next_list->data;
2780 /* Does the next blob start after the target offset?
2781 If so, the current blob is the one we want. */
2782 if (next_blob->blob_uncomp_offset > offset)
2783 break;
2785 new_list = next_list;
2787 if (new_list == NULL) {
2789 * We're seeking past the end of what
2790 * we've read so far.
2792 *err = WTAP_ERR_CANT_SEEK;
2793 return false;
2796 } else if (delta < 0) {
2797 /* We're going backwards.
2798 Is the place to which we're seeking within the current buffer? */
2799 if (ngsniffer->rand.nextout + delta < 0) {
2800 /* No. Search for a blob that contains the target
2801 offset in the uncompressed byte stream. */
2802 if (ngsniffer->current_blob == NULL) {
2803 /* We haven't read anything from the random
2804 file yet, so we have no current blob;
2805 search all the blobs, starting with
2806 the last one. */
2807 new_list = ngsniffer->last_blob;
2808 } else {
2809 /* We're seeking backward, so start searching
2810 with the blob before the current one. */
2811 new_list = g_list_previous(ngsniffer->current_blob);
2813 while (new_list) {
2814 /* Does this blob start at or before the target offset?
2815 If so, the current blob is the one we want. */
2816 new_blob = (blob_info_t *)new_list->data;
2817 if (new_blob->blob_uncomp_offset <= offset)
2818 break;
2820 /* It doesn't - skip to the previous blob. */
2821 new_list = g_list_previous(new_list);
2823 if (new_list == NULL) {
2825 * XXX - shouldn't happen.
2827 *err = WTAP_ERR_CANT_SEEK;
2828 return false;
2833 if (new_list != NULL) {
2834 /* The place to which we're seeking isn't in the current buffer;
2835 move to a new blob. */
2836 new_blob = (blob_info_t *)new_list->data;
2838 /* Seek in the compressed file to the offset in the compressed file
2839 of the beginning of that blob. */
2840 if (file_seek(wth->random_fh, new_blob->blob_comp_offset, SEEK_SET, err) == -1)
2841 return false;
2844 * Do we have a buffer for the random stream yet?
2846 if (ngsniffer->rand.buf == NULL) {
2848 * No - allocate it, as we'll be reading into it.
2850 ngsniffer->rand.buf = (unsigned char *)g_malloc(OUTBUF_SIZE);
2853 /* Make the blob we found the current one. */
2854 ngsniffer->current_blob = new_list;
2856 /* Now set the current offsets to the offsets of the beginning
2857 of the blob. */
2858 ngsniffer->rand.uncomp_offset = new_blob->blob_uncomp_offset;
2859 ngsniffer->rand.comp_offset = new_blob->blob_comp_offset;
2861 /* Now fill the buffer. */
2862 if (!read_blob(wth->random_fh, &ngsniffer->rand, err, err_info))
2863 return false;
2865 /* Set "delta" to the amount to move within this blob; it had
2866 better be >= 0, and < the amount of uncompressed data in
2867 the blob, as otherwise it'd mean we need to seek before
2868 the beginning or after the end of this blob. */
2869 delta = offset - ngsniffer->rand.uncomp_offset;
2870 ws_assert(delta >= 0 && (unsigned long)delta < ngsniffer->rand.nbytes);
2873 /* OK, the place to which we're seeking is in the buffer; adjust
2874 "ngsniffer->rand.nextout" to point to the place to which
2875 we're seeking, and adjust "ngsniffer->rand.uncomp_offset" to be
2876 the destination offset. */
2877 ngsniffer->rand.nextout += (int) delta;
2878 ngsniffer->rand.uncomp_offset += delta;
2880 return true;
2883 static const struct supported_block_type ngsniffer_uncompressed_blocks_supported[] = {
2885 * We support packet blocks, with no comments or other options.
2887 { WTAP_BLOCK_PACKET, MULTIPLE_BLOCKS_SUPPORTED, NO_OPTIONS_SUPPORTED }
2890 static const struct file_type_subtype_info ngsniffer_uncompressed_info = {
2891 "Sniffer (DOS)", "ngsniffer", "cap", "enc;trc;fdc;syc",
2892 false, BLOCKS_SUPPORTED(ngsniffer_uncompressed_blocks_supported),
2893 ngsniffer_dump_can_write_encap, ngsniffer_dump_open, NULL
2896 static const struct supported_block_type ngsniffer_compressed_blocks_supported[] = {
2898 * We support packet blocks, with no comments or other options.
2900 { WTAP_BLOCK_PACKET, MULTIPLE_BLOCKS_SUPPORTED, NO_OPTIONS_SUPPORTED }
2903 static const struct file_type_subtype_info ngsniffer_compressed_info = {
2904 "Sniffer (DOS), compressed", "ngsniffer_comp", "cap", "enc;trc;fdc;syc",
2905 false, BLOCKS_SUPPORTED(ngsniffer_compressed_blocks_supported),
2906 NULL, NULL, NULL
2909 void register_ngsniffer(void)
2911 ngsniffer_uncompressed_file_type_subtype = wtap_register_file_type_subtype(&ngsniffer_uncompressed_info);
2912 ngsniffer_compressed_file_type_subtype = wtap_register_file_type_subtype(&ngsniffer_compressed_info);
2915 * Register names for backwards compatibility with the
2916 * wtap_filetypes table in Lua.
2918 wtap_register_backwards_compatibility_lua_name("NGSNIFFER_UNCOMPRESSED",
2919 ngsniffer_uncompressed_file_type_subtype);
2920 wtap_register_backwards_compatibility_lua_name("NGSNIFFER_COMPRESSED",
2921 ngsniffer_compressed_file_type_subtype);
2925 * Editor modelines - https://www.wireshark.org/tools/modelines.html
2927 * Local variables:
2928 * c-basic-offset: 8
2929 * tab-width: 8
2930 * indent-tabs-mode: t
2931 * End:
2933 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
2934 * :indentSize=8:tabSize=8:noTabs=false: