| blob | 4b198c801eb0e21cf90043f31e972ff22a04432b |
1 /* ngsniffer.c
2 *
3 * Wiretap Library
4 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
5 *
6 * SPDX-License-Identifier: GPL-2.0-or-later
7 */
9 /* The code in ngsniffer.c that decodes the time fields for each packet in the
10 * Sniffer trace originally came from code from TCPVIEW:
11 *
12 * TCPVIEW
13 *
14 * Author: Martin Hunt
15 * Networks and Distributed Computing
16 * Computing & Communications
17 * University of Washington
18 * Administration Building, AG-44
19 * Seattle, WA 98195
20 * Internet: martinh@cac.washington.edu
21 *
22 *
23 * Copyright 1992 by the University of Washington
24 *
25 * Permission to use, copy, modify, and distribute this software and its
26 * documentation for any purpose and without fee is hereby granted, provided
27 * that the above copyright notice appears in all copies and that both the
28 * above copyright notice and this permission notice appear in supporting
29 * documentation, and that the name of the University of Washington not be
30 * used in advertising or publicity pertaining to distribution of the software
31 * without specific, written prior permission. This software is made
32 * available "as is", and
33 * THE UNIVERSITY OF WASHINGTON DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
34 * WITH REGARD TO THIS SOFTWARE, INCLUDING WITHOUT LIMITATION ALL IMPLIED
35 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND IN
36 * NO EVENT SHALL THE UNIVERSITY OF WASHINGTON BE LIABLE FOR ANY SPECIAL,
37 * INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
38 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, TORT
39 * (INCLUDING NEGLIGENCE) OR STRICT LIABILITY, ARISING OUT OF OR IN CONNECTION
40 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
41 *
42 */
46 #include <string.h>
49 #include <wsutil/ws_assert.h>
51 /* Magic number in Sniffer files. */
55 };
57 /*
58 * Sniffer record types.
59 */
65 /*
66 * and now for some unknown header types
67 */
69 * not yet reverse engineered - some binary,
70 * some strings (Serial numbers? Names
71 * under which the software is registered?
72 * Software version numbers? Mysterious
73 * strings such as "PA-55X" and "PA-30X"
74 * and "PA-57X" and "PA-11X"?), some strings
75 * that are partially overwritten
76 * ("UNSERIALIZED", "Network General
77 * Corporation"), differing from major
78 * version to major version */
81 * info about this capturing session,
82 * in the form of a multi-line string
83 * with NL as the line separator.
84 * Collides with REC_FRAME4 */
91 /*
92 * Sniffer record header structure.
93 */
97 };
99 /*
100 * Sniffer version record format.
101 */
114 };
116 /*
117 * Network types.
118 */
130 /*
131 * Sniffer type 2 data record format - followed by frame data.
132 *
133 * The Expert Sniffer Network Analyzer Operations manual, Release 5.50,
134 * documents some of the values used in "fs" and "flags". "flags" don't
135 * look as if they'd be of much interest to us, as those are internal
136 * flags for state used by the Sniffer, but "fs" gives various status
137 * bits including error indications *and*:
138 *
139 * ISDN channel information for ISDN;
140 *
141 * PPP vs. SLIP information for Async.
142 *
143 * In that section it also refers to "FDDI analyzers using the NPI PCI
144 * FDDI adapter" and "FDDI analyzers using the NPI ISA FDDI adapter",
145 * referring to the first as "F1SNIFF" and the second as "FDSNIFF";
146 * those sound as if they *could* be replacements for "TRSNIFF" in
147 * the file header, but that manual says, earlier, that the header
148 * starts with "TRSNIFF data, no matter where the frames were
149 * collected".
150 *
151 * It also says that a type 2 record has an 8-bit "time_high"
152 * and an 8-bit "time_day" field; the code here used to have a
153 * 16-bit "time_high" value, but that gave wrong time stamps on at
154 * least some captures. Did some older manual have it as a 16-bit
155 * "tstamp_high", so that perhaps it depends on the version number
156 * in the file, or is it "tstamp_high" plus "tstamp_day" in all
157 * versions? (I forget whether this came purely from tcpview, or if
158 * I saw any of it in an NAI document.)
159 *
160 * We interpret them as unsigned, as interpreting them as signed
161 * would appear to allow time stamps that precede the start of the
162 * capture. The description of the record format shows them as
163 * "char", but the section "How the Analyzer Stores Time" shows a
164 * time stamp structure with those fields being "unsigned char".
165 *
166 * In addition, the description of the record format has the comment
167 * for the "time_day" field saying it's the time in days since the
168 * start of the capture, but the "How the Analyzer Stores Time"
169 * section says it's increased by 1 if the capture continues past
170 * midnight - and also says that the time stamp structure has a time
171 * relative to midnight when the capture started, not since the
172 * actual capture start, so that might be a difference between
173 * the internal time stamp in the Sniffer software and the time
174 * stamp in capture files (i.e., the latter might be relative to
175 * the time when the capture starts).
176 */
187 };
189 /*
190 * Bits in "fs".
191 *
192 * The bits differ for different link-layer types.
193 */
195 /*
196 * Ethernet.
197 */
205 /*
206 * FDDI.
207 */
214 /*
215 * Internetwork analyzer (synchronous and asynchronous).
216 */
219 /*
220 * Internetwork analyzer (synchronous).
221 */
230 /*
231 * Internetwork analyzer (asynchronous).
232 * XXX - are some of these synchronous flags? They're listed with the
233 * asynchronous flags in the Sniffer 5.50 Network Analyzer Operations
234 * manual. Is one of the "overrun" errors a synchronous overrun error?
235 */
244 /*
245 * Sniffer type 4 data record format - followed by frame data.
246 *
247 * The ATM Sniffer manual says that the "flags" field holds "buffer flags;
248 * BF_xxxx", but doesn't say what the BF_xxxx flags are. They may
249 * be the same as they are in a type 2 record, in which case they're
250 * probably not of much interest to us.
251 *
252 * XXX - the manual also says there's an 8-byte "ATMTimeStamp" driver
253 * time stamp at the end of "ATMSaveInfo", but, from an ATM Sniffer capture
254 * file I've looked at, that appears not to be the case.
255 */
257 /*
258 * Fields from the AAL5 trailer for the frame, if it's an AAL5 frame
259 * rather than a cell.
260 */
286 /*
287 * Bits in StatusWord.
288 */
305 /*
306 * Bits in AppTrafType.
307 *
308 * For AAL types other than AAL5, the packet data is presumably for a
309 * single cell, not a reassembled frame, as the ATM Sniffer manual says
310 * it doesn't reassemble cells other than AAL5 cells.
311 */
331 /*
332 * Values for AppHLType; the interpretation depends on the ATT_HLTYPE
333 * bits in AppTrafType.
334 */
335 #define AHLT_UNKNOWN 0x0
369 };
371 /*
372 * XXX - I have a version 5.50 file with a bunch of token ring
373 * records listed as type "12". The record format below was
374 * derived from frame4_rec and a bit of experimentation.
375 * - Gerald
376 */
387 };
389 /*
390 * Network type values in some type 7 records.
391 *
392 * Captures with a major version number of 2 appear to have type 7
393 * records with text in them (at least one I have does).
394 *
395 * Captures with a major version of 4, and at least some captures with
396 * a major version of 5, have type 7 records with those values in the
397 * 5th byte.
398 *
399 * However, some captures with a major version number of 5 appear not to
400 * have type 7 records at all (at least one I have doesn't), but do appear
401 * to put non-zero values in the "rsvd" field of the version header (at
402 * least one I have does) - at least some other captures with smaller version
403 * numbers appear to put 0 there, so *maybe* that's where the network
404 * (sub)type is hidden in those captures. The version 5 captures I've seen
405 * that *do* have type 7 records put 0 there, so it's not as if *all* V5
406 * captures have something in the "rsvd" field, however.
407 *
408 * The semantics of these network types is inferred from the Sniffer
409 * documentation, as they correspond to types described in the UI;
410 * in particular, see
411 *
412 * http://www.mcafee.com/common/media/sniffer/support/sdos/operation.pdf
413 *
414 * starting at page 3-10 (56 of 496).
415 *
416 * XXX - I've seen X.25 captures with NET_ROUTER, and I've seen bridge/
417 * router captures with NET_HDLC. Sigh.... Are those just captures for
418 * which the user set the wrong network type when capturing?
419 */
422 things as well, or is it "HDLC then
423 X.25", as referred to by the document
424 cited above, and only used for X.25? */
425 #define NET_FRAME_RELAY 2
427 point-to-point protocols for use between
428 bridges and routers, including PPP as well
429 as various proprietary protocols; also
430 used for ISDN, for reasons not obvious
431 to me, given that a Sniffer knows
432 whether it's using a WAN or an ISDN pod */
435 that's a document for version 5.50 of
436 the Sniffer, and that version might use
437 version 5 in the file format and thus
438 might not be using type 7 records */
440 /*
441 * Values for V.timeunit, in picoseconds, so that they can be represented
442 * as integers. These values must be < 2^(64-40); see below.
443 *
444 * XXX - at least some captures with a V.timeunit value of 2 show
445 * packets with time stamps in 2011 if the time stamp is interpreted
446 * to be in units of 15 microseconds. The capture predates 2008,
447 * so that interpretation is probably wrong. Perhaps the interpretation
448 * of V.timeunit depends on the version number of the file?
449 */
457 /* XXX - Sniffer doc says 0.08 usecs = 80000 psecs */
459 };
460 #define NUM_NGSNIFF_TIMEUNITS array_length(Psec)
462 /* Information for a compressed Sniffer data stream. */
485 /*
486 * DOS date to "struct tm" conversion values.
487 */
488 /* DOS year = upper 7 bits */
490 #define DOS_YEAR_SHIFT 9
491 #define DOS_YEAR_MASK (0x7F<<DOS_YEAR_SHIFT)
492 /* DOS month = next 4 bits */
494 #define DOS_MONTH_SHIFT 5
495 #define DOS_MONTH_MASK (0x0F<<DOS_MONTH_SHIFT)
496 /* DOS day = next 5 bits */
497 #define DOS_DAY_SHIFT 0
498 #define DOS_DAY_MASK (0x1F<<DOS_DAY_SHIFT)
548 wtap_open_return_val
550 {
554 the last 2 are "reserved" and are thrown away */
559 #if 0
561 #endif
563 WTAP_ENCAP_TOKEN_RING,
564 WTAP_ENCAP_ETHERNET,
565 WTAP_ENCAP_ARCNET,
572 WTAP_ENCAP_FDDI_BITSWAPPED,
573 WTAP_ENCAP_ATM_PDUS
574 };
575 #define NUM_NGSNIFF_ENCAPS array_length(sniffer_encap)
580 /* Read in the string that should be at the start of a Sniffer file */
585 }
589 }
591 /*
592 * Read the first record, which the manual says is a version
593 * record.
594 */
606 }
611 /* Check the data link type. */
618 }
620 /* Check the time unit */
625 }
627 /* Set encap type before reading header records because the
628 * header record may change encap type.
629 */
632 /*
633 * We don't know how to handle the remaining header record types,
634 * so we just skip them - except for REC_HEADER2 records, which
635 * we look at, for "Internetwork analyzer" captures, to attempt to
636 * determine what the link-layer encapsulation is.
637 *
638 * XXX - in some version 1.16 internetwork analyzer files
639 * generated by the Windows Sniffer when saving Windows
640 * Sniffer files as DOS Sniffer files, there's no REC_HEADER2
641 * record, but the first "rsvd" word is 1 for PRI ISDN files, 2
642 * for BRI ISDN files, and 0 for non-ISDN files; is that something
643 * the DOS Sniffer understands?
644 */
652 /*
653 * Well, we haven't determined the internetwork analyzer
654 * subtype yet...
655 */
659 /*
660 * ... and this is a version 1 capture; look
661 * at the first "rsvd" word.
662 */
669 }
673 /*
674 * ...and this is a version 3 capture; we've
675 * seen nothing in those that obviously
676 * indicates the capture type, but the only
677 * one we've seen is a Frame Relay capture,
678 * so mark it as Frame Relay for now.
679 */
682 }
683 }
687 /*
688 * Now, if we have a random stream open, position it to the same
689 * location, which should be the beginning of the real data, and
690 * should be the beginning of the compressed data.
691 *
692 * XXX - will we see any records other than REC_FRAME2, REC_FRAME4,
693 * or REC_EOF after this? If not, we can get rid of the loop in
694 * "ngsniffer_read()".
695 */
699 }
701 /* This is a ngsniffer file */
705 /* compressed or uncompressed Sniffer file? */
712 }
717 /* We haven't allocated any uncompression buffers yet. */
725 /* Set the current file offset; the offset in the compressed file
726 and in the uncompressed data stream currently the same. */
732 /* We don't yet have any list of compressed blobs. */
745 /* Get capture start time */
750 /*
751 * The time does not appear to act as an offset; only the date.
752 * XXX - sometimes it does appear to act as an offset; is this
753 * version-dependent?
754 */
755 #if 0
760 #else
764 #endif
767 /*
768 * XXX - what if "secs" is -1? Unlikely,
769 * but if the capture was done in a time
770 * zone that switches between standard and
771 * summer time sometime other than when we
772 * do, and thus the time was one that doesn't
773 * exist here because a switch from standard
774 * to summer time zips over it, it could
775 * happen.
776 *
777 * On the other hand, if the capture was done
778 * in a different time zone, this won't work
779 * right anyway; unfortunately, the time zone
780 * isn't stored in the capture file.
781 */
786 }
788 static int
791 {
794 the last 2 are "reserved" and are thrown away */
804 }
812 /*
813 * Well, this is either some unknown header type
814 * (we ignore this case), an uncompressed data
815 * frame or the length of a compressed blob
816 * which implies data. Seek backwards over the
817 * two bytes we read, and return.
818 */
822 }
830 /*
831 * Is this is an "Internetwork analyzer" capture, and
832 * is this a REC_HEADER2 record?
833 *
834 * If so, it appears to specify the particular type
835 * of network we're on.
836 *
837 * XXX - handle sync and async differently? (E.g.,
838 * does this apply only to sync?)
839 */
842 /*
843 * Yes, get the first up-to-256 bytes of the
844 * record data.
845 */
866 }
868 /*
869 * Skip the rest of the record.
870 */
875 }
877 /* Nope, just skip over the data. */
880 }
881 }
882 }
884 static int
887 {
890 /*
891 * There appears to be a string in a REC_HEADER2 record, with
892 * a list of protocols. In one X.25 capture I've seen, the
893 * string was "HDLC\nX.25\nCLNP\nISO_TP\nSESS\nPRES\nVTP\nACSE".
894 * Presumably CLNP and everything else is per-packet, but
895 * we assume "HDLC\nX.25\n" indicates that it's an X.25 capture.
896 */
898 /*
899 * There's not enough data to compare.
900 */
904 }
907 /*
908 * X.25.
909 */
916 }
918 }
920 static int
923 {
924 /*
925 * The 5th byte of the REC_HEADER2 record appears to be a
926 * network type.
927 */
929 /*
930 * There is no 5th byte; give up.
931 */
935 }
937 /*
938 * The X.25 captures I've seen have a type of NET_HDLC, and the
939 * Sniffer documentation seems to imply that it's used for
940 * X.25, although it could be used for other purposes as well.
941 *
942 * NET_ROUTER is used for all sorts of point-to-point protocols,
943 * including ISDN. It appears, from the documentation, that the
944 * Sniffer attempts to infer the particular protocol by looking
945 * at the traffic; it's not clear whether it stores in the file
946 * an indication of the protocol it inferred was being used.
947 *
948 * Unfortunately, it also appears that NET_HDLC is used for
949 * stuff other than X.25 as well, so we can't just interpret
950 * it unconditionally as X.25.
951 *
952 * For now, we interpret both NET_HDLC and NET_ROUTER as "per-packet
953 * encapsulation". We remember that we saw NET_ROUTER, though,
954 * as it appears that we can infer whether a packet is PPP or
955 * ISDN based on the channel number subfield of the frame error
956 * status bits - if it's 0, it's PPP, otherwise it's ISDN and
957 * the channel number indicates which channel it is. We assume
958 * NET_HDLC isn't used for ISDN.
959 */
975 /*
976 * For most of the version 4 capture files I've seen,
977 * 0xfa in buffer[1] means the file is an ISDN capture,
978 * but there's one PPP file with 0xfa there; does that
979 * mean that the 0xfa has nothing to do with ISDN,
980 * or is that just an ISDN file with no D channel
981 * packets? (The channel number is not 0 in any
982 * of the packets, so perhaps it is.)
983 *
984 * For one version 5 ISDN capture I've seen, there's
985 * a 0x01 in buffer[6]; none of the non-ISDN version
986 * 5 captures have it.
987 */
998 /*
999 * There is no 5th byte; give up.
1000 */
1004 }
1008 }
1016 /*
1017 * Reject these until we can figure them out.
1018 */
1023 }
1025 }
1027 /* Read the next packet */
1028 static bool
1031 {
1038 /*
1039 * We use the uncompressed offset, as that's what
1040 * we need to use for compressed files.
1041 */
1044 /*
1045 * Read the record header.
1046 */
1048 /* Read error or short read */
1050 }
1052 /*
1053 * Process the record.
1054 */
1060 /* Frame record */
1063 /* Read error, short read, or other error */
1065 }
1067 /*
1068 * Skip any extra data in the record.
1069 */
1072 err_info))
1074 }
1078 /*
1079 * End of file. Skip past any data (if any),
1080 * the length of which is in hdr.length, and
1081 * return an EOF indication.
1082 */
1085 err_info))
1087 }
1092 /*
1093 * Well, we don't know what it is, or we know what
1094 * it is but can't handle it. Skip past the data
1095 * portion (if any), the length of which is in
1096 * hdr.length, and keep looping.
1097 */
1100 err_info))
1102 }
1104 }
1105 }
1106 }
1108 static bool
1111 {
1118 /* Read error or short read */
1120 }
1122 /*
1123 * hdr.type is the record type.
1124 */
1130 /* Frame record */
1133 /* Read error, short read, or other error */
1135 }
1139 /*
1140 * Other record type, or EOF.
1141 * This "can't happen".
1142 */
1145 }
1148 }
1150 /*
1151 * Read the record header.
1152 *
1153 * Returns true on success, false on error.
1154 */
1155 static bool
1158 {
1162 /*
1163 * Read the record type.
1164 */
1168 /*
1169 * End-of-file; construct a fake EOF record.
1170 * (A file might have an EOF record at the end, or
1171 * it might just come to an end.)
1172 * (XXX - is that true of all Sniffer files?)
1173 */
1177 }
1179 /*
1180 * Read the record length.
1181 */
1188 }
1190 /*
1191 * Returns true on success, false on error.
1192 * If padding is non-null, sets *padding to the amount of padding at
1193 * the end of the record.
1194 */
1195 static bool
1199 {
1211 /* Initialize - we'll be setting some presence flags below. */
1221 /*
1222 * We shouldn't get a frame2 record in
1223 * an ATM capture.
1224 */
1228 }
1230 /* Do we have an f_frame2_struct worth of data? */
1235 }
1237 /* Read the f_frame2_struct */
1255 /*
1256 * We shouldn't get a frame2 record in
1257 * a non-ATM capture.
1258 */
1262 }
1264 /*
1265 * XXX - it looks as if some version 4 captures have
1266 * a bogus record length, based on the assumption
1267 * that the record is a frame2 record, i.e. the length
1268 * was calculated based on the record being a frame2
1269 * record, so it's too short by (sizeof frame4 - sizeof frame2).
1270 */
1274 /* Do we have an f_frame4_struct worth of data? */
1279 }
1281 /* Read the f_frame4_struct */
1298 /* Do we have an f_frame6_struct worth of data? */
1303 }
1305 /* Read the f_frame6_struct */
1322 /*
1323 * This should never happen.
1324 */
1327 }
1329 /*
1330 * Is the frame data size greater than what's left of the
1331 * record?
1332 */
1334 /*
1335 * Yes - treat this as an error.
1336 */
1340 }
1342 /*
1343 * The maximum value of length is 65535, which is less than
1344 * WTAP_MAX_PACKET_SIZE_STANDARD will ever be, so we don't need to check
1345 * it.
1346 */
1348 /*
1349 * Padding, if the frame data size is less than what's
1350 * left of the record.
1351 */
1353 }
1359 /*
1360 * Read the packet data.
1361 */
1370 /*
1371 * 40-bit time stamp, in units of timeunit picoseconds.
1372 */
1375 /*
1376 * timeunit is always < 2^(64-40), so t * timeunit fits in 64
1377 * bits. That gives a 64-bit time stamp, in units of
1378 * picoseconds.
1379 */
1382 /*
1383 * Convert to seconds and picoseconds.
1384 */
1388 /*
1389 * Add in the time_day value (86400 seconds/day).
1390 */
1393 /*
1394 * Add in the capture start time.
1395 */
1402 }
1404 static void
1406 {
1413 /*
1414 * In one PPP "Internetwork analyzer" capture:
1415 *
1416 * The only bit seen in "frame2.fs" is the 0x80 bit, which
1417 * probably indicates the packet's direction; all other
1418 * bits were zero. The Expert Sniffer Network Analyzer
1419 * 5.50 Operations manual says that bit is the FS_DTE bit
1420 * for async/PPP data. The other bits are error bits
1421 * plus bits indicating whether the frame is PPP or SLIP,
1422 * but the PPP bit isn't set.
1423 *
1424 * All bits in "frame2.flags" were zero.
1425 *
1426 * In one X.25 "Internetwork analyzer" capture:
1427 *
1428 * The only bit seen in "frame2.fs" is the 0x80 bit, which
1429 * probably indicates the packet's direction; all other
1430 * bits were zero.
1431 *
1432 * "frame2.flags" was always 0x18; however, the Sniffer
1433 * manual says that just means that a display filter was
1434 * calculated for the frame, and it should be displayed,
1435 * so perhaps that's just a quirk of that particular capture.
1436 *
1437 * In one Ethernet capture:
1438 *
1439 * "frame2.fs" was always 0; the Sniffer manual says they're
1440 * error bits of various sorts.
1441 *
1442 * "frame2.flags" was either 0 or 0x18, with no obvious
1443 * correlation with anything. See previous comment
1444 * about display filters.
1445 *
1446 * In one Token Ring capture:
1447 *
1448 * "frame2.fs" was either 0 or 0xcc; the Sniffer manual says
1449 * nothing about those bits for Token Ring captures.
1450 *
1451 * "frame2.flags" was either 0 or 0x18, with no obvious
1452 * correlation with anything. See previous comment
1453 * about display filters.
1454 */
1482 }
1488 /*
1489 * XXX - do we ever have an FCS? If not, why do we often
1490 * have 4 extra bytes of stuff at the end? Do some
1491 * PC Ethernet interfaces report the length including the
1492 * FCS but not store the FCS in the packet, or do some
1493 * Ethernet drivers work that way?
1494 */
1528 }
1529 }
1530 }
1532 static void
1535 {
1540 /*
1541 * Map flags from frame4.atm_info.StatusWord.
1542 */
1556 /*
1557 * Map ATT_AAL_UNKNOWN on VPI 0, VCI 5 to ATT_AAL_SIGNALLING,
1558 * as that's the VPCI used for signalling.
1559 *
1560 * XXX - is this necessary, or will frames to 0/5 always
1561 * have ATT_AAL_SIGNALLING?
1562 */
1565 else
1607 TRAF_ST_VCMX_802_3_FCS;
1612 TRAF_ST_VCMX_802_4_FCS;
1617 TRAF_ST_VCMX_802_5_FCS;
1622 TRAF_ST_VCMX_FDDI_FCS;
1627 TRAF_ST_VCMX_802_6_FCS;
1652 TRAF_ST_VCMX_FRAGMENTS;
1662 }
1675 TRAF_ST_LANE_LE_CTRL;
1688 TRAF_ST_LANE_802_3_MC;
1693 TRAF_ST_LANE_802_5_MC;
1699 }
1727 TRAF_ST_IPSILON_FT0;
1732 TRAF_ST_IPSILON_FT1;
1737 TRAF_ST_IPSILON_FT2;
1743 }
1750 }
1776 }
1784 }
1786 static void
1789 {
1790 /* XXX - Once the frame format is divined, something will most likely go here */
1795 /* XXX - is there an FCS? */
1798 }
1799 }
1801 /*
1802 * OK, this capture is from an "Internetwork analyzer", and we either
1803 * didn't see a type 7 record or it had a network type such as NET_HDLC
1804 * that doesn't tell us which *particular* HDLC derivative this is;
1805 * let's look at the first few bytes of the packet, a pointer to which
1806 * was passed to us as an argument, and see whether it looks like PPP,
1807 * Frame Relay, Wellfleet HDLC, Cisco HDLC, or LAPB - or, if it's none
1808 * of those, assume it's LAPD.
1809 *
1810 * (XXX - are there any "Internetwork analyzer" captures that don't
1811 * have type 7 records? If so, is there some other field that will
1812 * tell us what type of capture it is?)
1813 */
1814 static int
1816 {
1820 /*
1821 * Nothing to infer, but it doesn't matter how you
1822 * dissect an empty packet. Let's just say PPP.
1823 */
1825 }
1828 /*
1829 * PPP. (XXX - check for 0xFF 0x03?)
1830 */
1832 }
1836 /*
1837 * Wellfleet HDLC.
1838 */
1842 /*
1843 * Cisco HDLC.
1844 */
1846 }
1848 /*
1849 * Check for Frame Relay. Look for packets with at least
1850 * 3 bytes of header - 2 bytes of DLCI followed by 1 byte
1851 * of control, which, for now, we require to be 0x03 (UI),
1852 * although there might be other frame types as well.
1853 * Scan forward until we see the last DLCI byte, with
1854 * the low-order bit being 1, and then check the next
1855 * byte, if it exists, to see if it's a control byte.
1856 *
1857 * XXX - in version 4 and 5 captures, wouldn't this just
1858 * have a capture subtype of NET_FRAME_RELAY? Or is this
1859 * here only to handle other versions of the capture
1860 * file, where we might just not yet have found where
1861 * the subtype is specified in the capture?
1862 *
1863 * Bay Networks/Nortel Networks had a mechanism in the Optivity
1864 * software for some of their routers to save captures
1865 * in Sniffer format; they use a version number of 4.9, but
1866 * don't put out any header records before the first FRAME2
1867 * record. That means we have to use heuristics to guess
1868 * what type of packet we have.
1869 */
1871 ;
1873 /*
1874 * Either all the bytes have the low-order bit
1875 * clear, so we didn't even find the last DLCI
1876 * byte, or the very last byte had the low-order
1877 * bit set, so, if that's a DLCI, it fills the
1878 * buffer, so there is no control byte after
1879 * the last DLCI byte.
1880 */
1882 }
1886 }
1888 /*
1889 * Assume LAPB, for now. If we support other HDLC encapsulations,
1890 * we can check whether the low-order bit of the first byte is
1891 * set (as it should be for LAPB) if no other checks pass.
1892 *
1893 * Or, if it's truly impossible to distinguish ISDN from non-ISDN
1894 * captures, we could assume it's ISDN if it's not anything
1895 * else.
1896 */
1898 }
1900 static int
1903 {
1910 /*
1911 * Infer the packet type from the first two bytes.
1912 */
1915 /*
1916 * Fix up the pseudo-header to match the new
1917 * encapsulation type.
1918 */
1926 else
1933 else
1936 /*
1937 * XXX - this is currently a per-packet
1938 * encapsulation type, and we can't determine
1939 * whether a capture is an ISDN capture before
1940 * seeing any packets, and B-channel PPP packets
1941 * look like PPP packets and are given
1942 * WTAP_ENCAP_PPP_WITH_PHDR, not WTAP_ENCAP_ISDN,
1943 * so we assume this is a D-channel packet and
1944 * thus give it a channel number of 0.
1945 */
1948 }
1952 /*
1953 * If the Windows Sniffer writes out one of its ATM
1954 * capture files in DOS Sniffer format, it doesn't
1955 * distinguish between LE Control and LANE encapsulated
1956 * LAN frames, it just marks them as LAN frames,
1957 * so we fix that up here.
1958 *
1959 * I've also seen DOS Sniffer captures claiming that
1960 * LANE packets that *don't* start with FF 00 are
1961 * marked as LE Control frames, so we fix that up
1962 * as well.
1963 */
1966 /*
1967 * This must be LE Control.
1968 */
1970 TRAF_ST_LANE_LE_CTRL;
1972 /*
1973 * This can't be LE Control.
1974 */
1976 TRAF_ST_LANE_LE_CTRL) {
1977 /*
1978 * XXX - Ethernet or Token Ring?
1979 */
1981 TRAF_ST_LANE_802_3;
1982 }
1983 }
1984 }
1986 }
1988 }
1990 /* Throw away the buffers used by the sequential I/O stream, but not
1991 those used by the random I/O stream. */
1992 static void
1994 {
2001 }
2002 }
2004 static void
2006 {
2008 }
2010 /* Close stuff used by the random I/O stream, if any, and free up any
2011 private data structures. (If there's a "sequential_close" routine
2012 for a capture file type, it'll be called before the "close" routine
2013 is called, so we don't have to free the sequential buffer here.) */
2014 static void
2016 {
2023 }
2050 };
2051 #define NUM_WTAP_ENCAPS array_length(wtap_encap)
2053 /* Returns 0 if we could write the specified encapsulation type,
2054 an error indication otherwise. */
2055 static int
2057 {
2058 /* Per-packet encapsulations aren't supported. */
2066 }
2068 /* Returns true on success, false on failure; sets "*err" to an error code on
2069 failure */
2070 static bool
2072 {
2076 /* This is a sniffer file */
2085 /* Write the file header. */
2087 err))
2093 }
2095 /* Write a record for a packet to a dump file.
2096 Returns true on success, false on failure. */
2097 static bool
2100 {
2114 /* We can only write packet records. */
2118 }
2120 /*
2121 * Make sure this packet doesn't have a link-layer type that
2122 * differs from the one for the file.
2123 */
2127 }
2129 /* The captured length field is 16 bits, so there's a hard
2130 limit of 65535. */
2134 }
2136 /* Sniffer files have a capture start date in the file header, and
2137 have times relative to the beginning of that day in the packet
2138 headers; pick the date of the first packet as the capture start
2139 date. */
2147 /* record the start date, not the start time */
2152 }
2154 /* "sniffer" version ? */
2171 }
2181 /* Seconds since the start of the capture */
2183 /* Extract the number of days since the start of the capture */
2186 /* Convert to picoseconds */
2189 /* Convert to units of timeunit = 1 */
2225 }
2231 }
2233 rec_hdr.true_size = rec->rec_header.packet_header.len != rec->rec_header.packet_header.caplen ? GUINT16_TO_LE(rec->rec_header.packet_header.len) : 0;
2240 }
2242 /* Finish writing to a dump file.
2243 Returns true on success, false on failure. */
2244 static bool
2246 {
2247 /* EOF record */
2253 }
2255 /*
2256 SnifferDecompress() decompresses a blob of compressed data from a
2257 Sniffer(R) capture file.
2259 This function is Copyright (c) 1999-2999 Tim Farley
2261 Parameters
2262 inbuf - buffer of compressed bytes from file, not including
2263 the preceding length word
2264 inlen - length of inbuf in bytes (max 64k)
2265 outbuf - decompressed contents, could contain a partial Sniffer
2266 record at the end.
2267 outlen - length of outbuf.
2268 err - return error code here
2269 err_info - for WTAP_ERR_DECOMPRESS, return descriptive string here
2271 Return value is the number of bytes in outbuf on return.
2272 */
2274 /*
2275 * Make sure we have at least "length" bytes remaining
2276 * in the input buffer.
2277 */
2278 #define CHECK_INPUT_POINTER( length ) \
2279 if ( pin + (length - 1) >= pin_end ) \
2280 { \
2281 *err = WTAP_ERR_DECOMPRESS; \
2282 *err_info = g_strdup("ngsniffer: Compressed data item goes past the end of the compressed block"); \
2283 return ( -1 ); \
2284 }
2286 /*
2287 * Make sure the byte containing the high order part of a buffer
2288 * offset is present.
2289 *
2290 * If it is, then fetch it and combine it with the low-order part.
2291 */
2292 #define FETCH_OFFSET_HIGH \
2293 CHECK_INPUT_POINTER( 1 ); \
2294 offset = code_low + ((unsigned int)(*pin++) << 4) + 3;
2296 /*
2297 * Make sure the output buffer is big enough to get "length"
2298 * bytes added to it.
2299 */
2300 #define CHECK_OUTPUT_LENGTH( length ) \
2301 if ( pout + length > pout_end ) \
2302 { \
2303 *err = WTAP_ERR_UNC_OVERFLOW; \
2304 return ( -1 ); \
2305 }
2307 /*
2308 * Make sure we have another byte to fetch, and then fetch it and
2309 * append it to the buffer "length" times.
2310 */
2311 #define APPEND_RLE_BYTE( length ) \
2313 CHECK_OUTPUT_LENGTH( length ); \
2314 CHECK_INPUT_POINTER( 1 ); \
2315 memset( pout, *pin++, length ); \
2316 pout += length;
2318 /*
2319 * Make sure the specified offset and length refer, in the output
2320 * buffer, to data that's entirely within the part of the output
2321 * buffer that we've already filled in.
2322 *
2323 * Then append the string from the specified offset, with the
2324 * specified length, to the output buffer.
2325 */
2326 #define APPEND_LZW_STRING( offset, length ) \
2328 CHECK_OUTPUT_LENGTH( length ); \
2330 if ( pout - offset < outbuf ) \
2331 { \
2332 *err = WTAP_ERR_DECOMPRESS; \
2334 return ( -1 ); \
2335 } \
2337 if ( pout - offset + length > pout ) \
2338 { \
2339 *err = WTAP_ERR_DECOMPRESS; \
2341 return ( -1 ); \
2342 } \
2343 /* Copy the string from previous text to output position, \
2345 memcpy( pout, pout - offset, length ); \
2346 pout += length;
2348 static int
2351 {
2365 }
2368 /* Process until we've consumed all the input */
2370 {
2371 /* Shift down the bit mask we use to see what's encoded */
2374 /* If there are no bits left, time to get another 16 bits */
2376 {
2377 /* make sure there are at least *three* bytes
2378 available - the two bytes of the bit value,
2379 plus one byte after it */
2384 }
2386 /* Use the bits in bit_value to see what's encoded and what is raw data */
2388 {
2389 /* bit not set - raw byte we just copy */
2391 /* If length would put us past end of output, avoid overflow */
2394 }
2395 else
2396 {
2397 /* bit set - next item is encoded. Peel off high nybble
2398 of next byte to see the encoding type. Set aside low
2399 nybble while we are at it */
2404 /* Based on the code type, decode the compressed string */
2406 {
2408 /*
2409 Run length is the low nybble of the first code byte.
2410 Byte to repeat immediately follows.
2411 Total code size: 2 bytes.
2412 */
2415 /* check the length and then, if it's OK,
2416 generate the repeated series of bytes */
2420 /*
2421 Low 4 bits of run length is the low nybble of the
2422 first code byte, upper 8 bits of run length is in
2423 the next byte.
2424 Byte to repeat immediately follows.
2425 Total code size: 3 bytes.
2426 */
2430 /* check the length and then, if it's OK,
2431 generate the repeated series of bytes */
2435 /*
2436 Low 4 bits of offset to string is the low nybble of the
2437 first code byte, upper 8 bits of offset is in
2438 the next byte.
2439 Length of string immediately follows.
2440 Total code size: 3 bytes.
2441 */
2442 FETCH_OFFSET_HIGH;
2444 /* get length from next byte, make sure it won't overrun buf */
2448 /* check the offset and length and then, if
2449 they're OK, copy the data */
2453 /*
2454 Low 4 bits of offset to string is the low nybble of the
2455 first code byte, upper 8 bits of offset is in
2456 the next byte.
2457 Length of string to repeat is overloaded into code_type.
2458 Total code size: 2 bytes.
2459 */
2460 FETCH_OFFSET_HIGH;
2462 /* get length from code_type */
2465 /* check the offset and length and then, if
2466 they're OK, copy the data */
2469 }
2470 }
2471 }
2474 }
2476 /*
2477 * XXX - is there any guarantee that 65535 bytes is big enough to hold the
2478 * uncompressed data from any blob?
2479 */
2480 #define OUTBUF_SIZE 65536
2481 #define INBUF_SIZE 65536
2483 /* Information about a compressed blob; we save the offset in the
2484 underlying compressed file, and the offset in the uncompressed data
2485 stream, of the blob. */
2491 static bool
2494 {
2496 FILE_T infile;
2498 unsigned char *outbuffer = (unsigned char *)buffer; /* where to write next decompressed data */
2510 }
2513 /* Uncompressed - just read bytes */
2519 }
2521 /*
2522 * Compressed.
2523 *
2524 * Allocate the stream buffer if it hasn't already been allocated.
2525 */
2530 /* This is the first read of the random file, so we're at
2531 the beginning of the sequence of blobs in the file
2532 (as we've not done any random reads yet to move the
2533 current position in the random stream); set the
2534 current blob to be the first blob. */
2537 /* This is the first sequential read; if we also have a
2538 random stream open, allocate the first element for the
2539 list of blobs, and make it the last element as well. */
2546 blob);
2548 }
2549 }
2551 /* Now read the first blob into the buffer. */
2554 }
2558 /* There's no decompressed stuff left to copy from the current
2559 blob; get the next blob. */
2562 /* Move to the next blob in the list. */
2565 /*
2566 * XXX - this "can't happen"; we should have a
2567 * blob for every byte in the file.
2568 */
2571 }
2573 /* If we also have a random stream open, add a new element,
2574 for this blob, to the list of blobs; we know the list is
2575 non-empty, as we initialized it on the first sequential
2576 read, so we just add the new element at the end, and
2577 adjust the pointer to the last element to refer to it. */
2583 blob);
2584 }
2585 }
2590 }
2596 bytes_to_copy);
2601 }
2603 }
2605 static bool
2608 {
2610 /*
2611 * In this case, even reading zero bytes, because we're at
2612 * the end of the file, is a short read.
2613 */
2617 }
2619 }
2621 /* Read a blob from a compressed stream.
2622 Return false and set "*err" and "*err_info" on error, otherwise return true. */
2623 static bool
2626 {
2634 /* Read one 16-bit word which is length of next compressed blob */
2640 /* Compressed or uncompressed? */
2642 /* Uncompressed blob; blob length is absolute value of the number. */
2648 }
2652 /* Read the blob */
2656 }
2663 /* Decompress the blob */
2666 err_info);
2670 }
2671 }
2677 }
2679 /* Skip some number of bytes forward in the sequential stream. */
2680 static bool
2682 {
2690 /* Uncompressed - just read forward and discard data */
2693 }
2695 /*
2696 * Compressed.
2697 *
2698 * Now read and discard "count" bytes.
2699 */
2704 else
2710 }
2713 }
2717 }
2719 /* Seek to a given offset in the random data stream.
2721 On compressed files, we see whether we're seeking to a position within
2722 the blob we currently have in memory and, if not, we find in the list
2723 of blobs the last blob that starts at or before the position to which
2724 we're seeking, and read that blob in. We can then move to the appropriate
2725 position within the blob we have in memory (whether it's the blob we
2726 already had in memory or, if necessary, the one we read in). */
2727 static bool
2729 {
2738 /* Uncompressed - just seek. */
2742 }
2744 /*
2745 * Compressed.
2746 *
2747 * How many *uncompressed* should we move forward or
2748 * backward?
2749 */
2752 /* Is the place to which we're seeking within the current buffer, or
2753 will we have to read a different blob into the buffer? */
2756 /* We're going forwards.
2757 Is the place to which we're seeking within the current buffer? */
2759 /* No. Search for a blob that contains the target
2760 offset in the uncompressed byte stream. */
2762 /* We haven't read anything from the random
2763 file yet, so we have no current blob;
2764 search all the blobs, starting with
2765 the first one. */
2768 /* We're seeking forward, so start searching
2769 with the blob after the current one. */
2771 }
2775 /* No more blobs; the current one is it. */
2777 }
2780 /* Does the next blob start after the target offset?
2781 If so, the current blob is the one we want. */
2786 }
2788 /*
2789 * We're seeking past the end of what
2790 * we've read so far.
2791 */
2794 }
2795 }
2797 /* We're going backwards.
2798 Is the place to which we're seeking within the current buffer? */
2800 /* No. Search for a blob that contains the target
2801 offset in the uncompressed byte stream. */
2803 /* We haven't read anything from the random
2804 file yet, so we have no current blob;
2805 search all the blobs, starting with
2806 the last one. */
2809 /* We're seeking backward, so start searching
2810 with the blob before the current one. */
2812 }
2814 /* Does this blob start at or before the target offset?
2815 If so, the current blob is the one we want. */
2820 /* It doesn't - skip to the previous blob. */
2822 }
2824 /*
2825 * XXX - shouldn't happen.
2826 */
2829 }
2830 }
2831 }
2834 /* The place to which we're seeking isn't in the current buffer;
2835 move to a new blob. */
2838 /* Seek in the compressed file to the offset in the compressed file
2839 of the beginning of that blob. */
2843 /*
2844 * Do we have a buffer for the random stream yet?
2845 */
2847 /*
2848 * No - allocate it, as we'll be reading into it.
2849 */
2851 }
2853 /* Make the blob we found the current one. */
2856 /* Now set the current offsets to the offsets of the beginning
2857 of the blob. */
2861 /* Now fill the buffer. */
2865 /* Set "delta" to the amount to move within this blob; it had
2866 better be >= 0, and < the amount of uncompressed data in
2867 the blob, as otherwise it'd mean we need to seek before
2868 the beginning or after the end of this blob. */
2871 }
2873 /* OK, the place to which we're seeking is in the buffer; adjust
2874 "ngsniffer->rand.nextout" to point to the place to which
2875 we're seeking, and adjust "ngsniffer->rand.uncomp_offset" to be
2876 the destination offset. */
2881 }
2884 /*
2885 * We support packet blocks, with no comments or other options.
2886 */
2888 };
2894 };
2897 /*
2898 * We support packet blocks, with no comments or other options.
2899 */
2901 };
2907 };
2910 {
2911 ngsniffer_uncompressed_file_type_subtype = wtap_register_file_type_subtype(&ngsniffer_uncompressed_info);
2912 ngsniffer_compressed_file_type_subtype = wtap_register_file_type_subtype(&ngsniffer_compressed_info);
2914 /*
2915 * Register names for backwards compatibility with the
2916 * wtap_filetypes table in Lua.
2917 */
2919 ngsniffer_uncompressed_file_type_subtype);
2921 ngsniffer_compressed_file_type_subtype);
2922 }
2924 /*
2925 * Editor modelines - https://www.wireshark.org/tools/modelines.html
2926 *
2927 * Local variables:
2928 * c-basic-offset: 8
2929 * tab-width: 8
2930 * indent-tabs-mode: t
2931 * End:
2932 *
2933 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
2934 * :indentSize=8:tabSize=8:noTabs=false:
2935 */