wiretap/observer.h

   1 /** @file
   2                           observer.h  -  description
   3                              -------------------
   4     begin                : Wed Oct 29 2003
   5     copyright            : (C) 2003 by root
   6     email                : scotte[AT}netinst.com
   7  ***************************************************************************/
   8
   9 /***************************************************************************
  10  *                                                                         *
  11  *  SPDX-License-Identifier: GPL-2.0-or-later                              *
  12  *                                                                         *
  13  ***************************************************************************/
  14
  15 #ifndef __NETWORK_INSTRUMENTS_H__
  16 #define __NETWORK_INSTRUMENTS_H__
  17
  18 #include <glib.h>
  19 #include "wtap.h"
  20
  21 wtap_open_return_val observer_open(wtap *wth, int *err, char **err_info);
  22
  23 /*
  24  * In v15 the high_byte was added to allow a larger offset This was done by
  25  * reducing the size of observer_version by 1 byte.  Since version strings are
  26  * only 30 characters the high_byte will always be 0 in previous versions.
  27  */
  28 typedef struct capture_file_header
  29 {
  30     char    observer_version[31];
  31     uint8_t offset_to_first_packet_high_byte; /* allows to extend the offset to the first packet to 256*0x10000 = 16 MB */
  32     uint16_t offset_to_first_packet;
  33     char    probe_instance;
  34     uint8_t number_of_information_elements;   /* number of TLVs in the header */
  35 } capture_file_header;
  36
  37 #define CAPTURE_FILE_HEADER_FROM_LE_IN_PLACE(_capture_file_header) \
  38     _capture_file_header.offset_to_first_packet = GUINT16_FROM_LE((_capture_file_header).offset_to_first_packet)
  39
  40 #define CAPTURE_FILE_HEADER_TO_LE_IN_PLACE(_capture_file_header) \
  41     _capture_file_header.offset_to_first_packet = GUINT16_TO_LE((_capture_file_header).offset_to_first_packet)
  42
  43 typedef struct tlv_header
  44 {
  45     uint16_t type;
  46     uint16_t length;        /* includes the length of the TLV header */
  47 } tlv_header;
  48
  49 #define TLV_HEADER_FROM_LE_IN_PLACE(_tlv_header) \
  50     (_tlv_header).type   = GUINT16_FROM_LE((_tlv_header).type); \
  51     (_tlv_header).length = GUINT16_FROM_LE((_tlv_header).length)
  52
  53 #define TLV_HEADER_TO_LE_IN_PLACE(_tlv_header) \
  54     (_tlv_header).type   = GUINT16_TO_LE((_tlv_header).type); \
  55     (_tlv_header).length = GUINT16_TO_LE((_tlv_header).length)
  56
  57 /*
  58  * TLV type values.
  59  *
  60  * Do TLVs without the 0x0100 bit set show up in packets, and
  61  * do TLVs with that set show up in the file header, or are
  62  * there two separate types of TLV?
  63  *
  64  * ALIAS_LIST contains an ASCII string (null-terminated, but
  65  * we can't trust that, of course) that is the pathname of
  66  * a file containing the alias list.  Not much use to us.
  67  *
  68  * COMMENT contains an ASCII string (null-terminated, but
  69  * we can't trust that, of course); in all the captures
  70  * I've seen, it appears to be a note about the file added
  71  * by Observer, not by a user.  It appears to end with 0x0a
  72  * 0x2e, i.e. '\n' '.'.
  73  *
  74  * REMOTE_PROBE contains, in all the captures I've seen, an
  75  * ASCII string (null-terminated, but we cna't trust that,
  76  * of course) of the form "Remote Probe [hex string]".  THe
  77  * hex string has 8 characters, i.e. 4 octets.
  78  *
  79  * The Observer document indicates that the types of expert information
  80  * packets are:
  81  *
  82  *    Network Load (markers used by Expert Time Interval and What If
  83  *    analysis modes)
  84  *
  85  *    Start/Stop Packet Capture marker frames (with time stamps when
  86  *    captures start and stop)
  87  *
  88  *    Wireless Channel Change (markers showing what channel was being
  89  *    currently listened to)
  90  *
  91  * That information appears to be contained in TLVs.
  92  */
  93 #define INFORMATION_TYPE_ALIAS_LIST         0x0001
  94 #define INFORMATION_TYPE_COMMENT            0x0002 /* ASCII text */
  95 #define INFORMATION_TYPE_TIME_INFO          0x0004
  96 #define INFORMATION_TYPE_REMOTE_PROBE       0x0005
  97 #define INFORMATION_TYPE_NETWORK_LOAD       0x0100
  98 #define INFORMATION_TYPE_WIRELESS           0x0101
  99 #define INFORMATION_TYPE_CAPTURE_START_STOP 0x0104
 100
 101 /*
 102  * See in Fibre Channel captures; not seen elsewhere.
 103  *
 104  * It has 4 bytes of data in all captures I've seen.
 105  */
 106 /*                                          0x0106 */
 107
 108 typedef struct tlv_time_info {
 109     uint16_t type;
 110     uint16_t length;
 111     uint32_t time_format;
 112 } tlv_time_info;
 113
 114 /*
 115  * TIME_INFO time_format values.
 116  */
 117 #define TIME_INFO_LOCAL 0
 118 #define TIME_INFO_GMT   1
 119
 120 #define TLV_TIME_INFO_FROM_LE_IN_PLACE(_tlv_time_info) \
 121     (_tlv_time_info).time_format = GUINT32_FROM_LE((_tlv_time_info).time_format)
 122
 123 #define TLV_TIME_INFO_TO_LE_IN_PLACE(_tlv_time_info) \
 124     (_tlv_time_info).time_format = GUINT32_TO_LE((_tlv_time_info).time_format)
 125
 126 /*
 127  * Might some of these be broadecast and multicast packet counts, or
 128  * error counts, or both?
 129  */
 130 typedef struct tlv_network_load
 131 {
 132     uint32_t utilization;        /* network utilization, in .1% units */
 133     uint32_t unknown1;           /* zero in all captures I've seen */
 134     uint32_t unknown2;           /* zero in all captures I've seen */
 135     uint32_t packets_per_second;
 136     uint32_t unknown3;           /* zero in all captures I've seen */
 137     uint32_t bytes_per_second;
 138     uint32_t unknown4;           /* zero in all captures I've seen */
 139 } tlv_network_load;
 140
 141 #define TLV_NETWORK_LOAD_FROM_LE_IN_PLACE(_tlv_network_load) \
 142     (_tlv_network_load).utilization = GUINT32_FROM_LE((_tlv_network_load).utilization); \
 143     (_tlv_network_load).unknown1 = GUINT32_FROM_LE((_tlv_network_load).unknown1); \
 144     (_tlv_network_load).unknown2 = GUINT32_FROM_LE((_tlv_network_load).unknown2); \
 145     (_tlv_network_load).packets_per_second = GUINT32_FROM_LE((_tlv_network_load).packets_per_second); \
 146     (_tlv_network_load).unknown3 = GUINT32_FROM_LE((_tlv_network_load).unknown3); \
 147     (_tlv_network_load).bytes_per_second = GUINT32_FROM_LE((_tlv_network_load).bytes_per_second); \
 148     (_tlv_network_load).unknown4 = GUINT32_FROM_LE((_tlv_network_load).unknown4) \
 149
 150 #define TLV_NETWORK_LOAD_TO_LE_IN_PLACE(_tlv_network_load) \
 151     (_tlv_network_load).utilization = GUINT32_TO_LE((_tlv_network_load).utilization); \
 152     (_tlv_network_load).unknown1 = GUINT32_TO_LE((_tlv_network_load).unknown1); \
 153     (_tlv_network_load).unknown2 = GUINT32_TO_LE((_tlv_network_load).unknown2); \
 154     (_tlv_network_load).packets_per_second = GUINT32_TO_LE((_tlv_network_load).packets_per_second); \
 155     (_tlv_network_load).unknown3 = GUINT32_TO_LE((_tlv_network_load).unknown3); \
 156     (_tlv_network_load).bytes_per_second = GUINT32_TO_LE((_tlv_network_load).bytes_per_second); \
 157     (_tlv_network_load).unknown4 = GUINT32_TO_LE((_tlv_network_load).unknown4) \
 158
 159 /*
 160  * quality is presumably some measure of signal quality; in
 161  * the captures I've seen, it has values of 15, 20-27, 50-54,
 162  * 208, and 213.
 163  *
 164  * conditions has values of 0x00, 0x02, and 0x90.
 165  *
 166  * reserved is either 0x00 or 0x80; the 0x80 values
 167  * are for TLVs where conditions is 0x90.
 168  */
 169 typedef struct tlv_wireless_info {
 170     uint8_t quality;
 171     uint8_t signalStrength;
 172     uint8_t rate;
 173     uint8_t frequency;
 174     uint8_t qualityPercent;
 175     uint8_t strengthPercent;
 176     uint8_t conditions;
 177     uint8_t reserved;
 178 } tlv_wireless_info;
 179
 180 /*
 181  * Wireless conditions
 182  */
 183 #define WIRELESS_WEP_SUCCESS            0x80
 184 /*                                      0x10 */
 185 /*                                      0x02 */
 186
 187 typedef struct tlv_capture_start_stop
 188 {
 189     uint32_t start_stop;
 190 } tlv_capture_start_stop;
 191
 192 #define START_STOP_TYPE_STOP   0
 193 #define START_STOP_TYPE_START  1
 194
 195 typedef struct packet_entry_header
 196 {
 197     uint32_t packet_magic;
 198     uint32_t network_speed;
 199     uint16_t captured_size;
 200     uint16_t network_size;
 201     uint16_t offset_to_frame;
 202     uint16_t offset_to_next_packet;
 203     uint8_t network_type;
 204     uint8_t flags;
 205     uint8_t number_of_information_elements;    /* number of TLVs in the header */
 206     uint8_t packet_type;
 207     uint16_t errors;
 208     uint16_t reserved;
 209     uint64_t packet_number;
 210     uint64_t original_packet_number;
 211     uint64_t nano_seconds_since_2000;
 212 } packet_entry_header;
 213
 214 #define PACKET_ENTRY_HEADER_FROM_LE_IN_PLACE(_packet_entry_header) \
 215     (_packet_entry_header).packet_magic            = GUINT32_FROM_LE((_packet_entry_header).packet_magic); \
 216     (_packet_entry_header).network_speed           = GUINT32_FROM_LE((_packet_entry_header).network_speed); \
 217     (_packet_entry_header).captured_size           = GUINT16_FROM_LE((_packet_entry_header).captured_size); \
 218     (_packet_entry_header).network_size            = GUINT16_FROM_LE((_packet_entry_header).network_size); \
 219     (_packet_entry_header).offset_to_frame         = GUINT16_FROM_LE((_packet_entry_header).offset_to_frame); \
 220     (_packet_entry_header).offset_to_next_packet   = GUINT16_FROM_LE((_packet_entry_header).offset_to_next_packet); \
 221     (_packet_entry_header).errors                  = GUINT16_FROM_LE((_packet_entry_header).errors); \
 222     (_packet_entry_header).reserved                = GUINT16_FROM_LE((_packet_entry_header).reserved); \
 223     (_packet_entry_header).packet_number           = GUINT64_FROM_LE((_packet_entry_header).packet_number); \
 224     (_packet_entry_header).original_packet_number  = GUINT64_FROM_LE((_packet_entry_header).original_packet_number); \
 225     (_packet_entry_header).nano_seconds_since_2000 = GUINT64_FROM_LE((_packet_entry_header).nano_seconds_since_2000)
 226
 227 #define PACKET_ENTRY_HEADER_TO_LE_IN_PLACE(_packet_entry_header) \
 228     (_packet_entry_header).packet_magic            = GUINT32_TO_LE((_packet_entry_header).packet_magic); \
 229     (_packet_entry_header).network_speed           = GUINT32_TO_LE((_packet_entry_header).network_speed); \
 230     (_packet_entry_header).captured_size           = GUINT16_TO_LE((_packet_entry_header).captured_size); \
 231     (_packet_entry_header).network_size            = GUINT16_TO_LE((_packet_entry_header).network_size); \
 232     (_packet_entry_header).offset_to_frame         = GUINT16_TO_LE((_packet_entry_header).offset_to_frame); \
 233     (_packet_entry_header).offset_to_next_packet   = GUINT16_TO_LE((_packet_entry_header).offset_to_next_packet); \
 234     (_packet_entry_header).errors                  = GUINT16_TO_LE((_packet_entry_header).errors); \
 235     (_packet_entry_header).reserved                = GUINT16_TO_LE((_packet_entry_header).reserved); \
 236     (_packet_entry_header).packet_number           = GUINT64_TO_LE((_packet_entry_header).packet_number); \
 237     (_packet_entry_header).original_packet_number  = GUINT64_TO_LE((_packet_entry_header).original_packet_number); \
 238     (_packet_entry_header).nano_seconds_since_2000 = GUINT64_TO_LE((_packet_entry_header).nano_seconds_since_2000)
 239
 240 /*
 241  * Network type values.
 242  */
 243 #define OBSERVER_UNDEFINED       0xFF
 244 #define OBSERVER_ETHERNET        0x00
 245 #define OBSERVER_TOKENRING       0x01
 246 #define OBSERVER_FIBRE_CHANNEL   0x08
 247 #define OBSERVER_WIRELESS_802_11 0x09
 248
 249 /*
 250  * Packet type values.
 251  */
 252 #define PACKET_TYPE_DATA_PACKET               0
 253 #define PACKET_TYPE_EXPERT_INFORMATION_PACKET 1
 254
 255 #endif