| blob | 4e7104c6d18f492a4462665016930d2ad68069cb |
1 /* lanalyzer.c
2 *
3 * $Id$
4 *
5 * Wiretap Library
6 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
7 *
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
24 #include <stdlib.h>
25 #include <errno.h>
31 /* The LANalyzer format is documented (at least in part) in Novell document
32 TID022037, which can be found at, among other places:
34 http://www.windowsecurity.com/whitepapers/Description_of_the_LANalysers_output_file.html
35 */
37 /* Record header format */
44 #define LA_RecordHeaderSize 4
46 /* Record type codes: */
48 #define RT_HeaderRegular 0x1001
49 #define RT_HeaderCyclic 0x1007
50 #define RT_RxChannelName 0x1006
51 #define RT_TxChannelName 0x100b
52 #define RT_FilterName 0x1032
53 #define RT_RxTemplateName 0x1035
54 #define RT_TxTemplateName 0x1036
55 #define RT_DisplayOptions 0x100a
56 #define RT_Summary 0x1002
57 #define RT_SubfileSummary 0x1003
58 #define RT_CyclicInformation 0x1009
59 #define RT_Index 0x1004
60 #define RT_PacketData 0x1005
62 #define LA_ProFileLimit (1024 * 1024 * 32)
67 /*
68 * These records have only 2-byte alignment for 4-byte quantities,
69 * so the structures aren't necessarily valid; they're kept as comments
70 * for reference purposes.
71 */
73 /*
74 * typedef struct {
75 * guint8 day;
76 * guint8 mon;
77 * gint16 year;
78 * } Date;
79 */
81 /*
82 * typedef struct {
83 * guint8 second;
84 * guint8 minute;
85 * guint8 hour;
86 * guint8 day;
87 * gint16 reserved;
88 * } Time;
89 */
91 /*
92 * RT_Summary:
93 *
94 * typedef struct {
95 * Date datcre;
96 * Date datclo;
97 * Time timeopn;
98 * Time timeclo;
99 * Eadr statadr;
100 * gint16 mxseqno;
101 * gint16 slcoff;
102 * gint16 mxslc;
103 * gint32 totpktt;
104 * gint32 statrg;
105 * gint32 stptrg;
106 * gint32 mxpkta[36];
107 * gint16 board_type;
108 * gint16 board_version;
109 * gint8 reserved[18];
110 * } Summary;
111 */
113 #define SummarySize (18+22+(4*36)+6+6+6+4+4)
115 /*
116 * typedef struct {
117 * gint16 rid;
118 * gint16 rlen;
119 * Summary s;
120 * } LA_SummaryRecord;
121 */
123 #define LA_SummaryRecordSize (SummarySize + 4)
125 /* LANalyzer board types (which indicate the type of network on which
126 the capture was done). */
131 /*
132 * typedef struct {
133 * gint16 rid;
134 * gint16 rlen;
135 * gint16 seqno;
136 * gint32 totpktf;
137 * } LA_SubfileSummaryRecord;
138 */
140 #define LA_SubfileSummaryRecordSize 10
143 #define LA_IndexSize 500
145 /*
146 * typedef struct {
147 * gint16 rid;
148 * gint16 rlen;
149 * gint16 idxsp; = LA_IndexSize
150 * gint16 idxct;
151 * gint8 idxgranu;
152 * gint8 idxvd;
153 * gint32 trcidx[LA_IndexSize + 2]; +2 undocumented but used by La 2.2
154 * } LA_IndexRecord;
155 */
157 #define LA_IndexRecordSize (10 + 4 * (LA_IndexSize + 2))
160 /*
161 * typedef struct {
162 * guint16 rx_channels;
163 * guint16 rx_errors;
164 * gint16 rx_frm_len;
165 * gint16 rx_frm_sln;
166 * TimeStamp rx_time;
167 * guint32 pktno;
168 * gint16 prvlen;
169 * gint16 offset;
170 * gint16 tx_errs;
171 * gint16 rx_filters;
172 * gint8 unused[2];
173 * gint16 hwcolls;
174 * gint16 hwcollschans;
175 * Packetdata ....;
176 * } LA_PacketRecord;
177 */
179 #define LA_PacketRecordSize 32
182 gboolean init;
184 guint32 pkts;
195 };
207 };
214 };
228 };
235 };
256 };
262 };
269 };
283 {
285 LA_RecordHeader rec_header;
292 guint16 cr_year;
303 }
309 }
311 /* Read the major and minor version numbers */
313 /*
314 * Not enough room for the major and minor version numbers.
315 * Just treat that as a "not a LANalyzer file" indication.
316 */
318 }
325 }
329 /* Read the rest of the record as a comment. */
337 }
340 }
342 /* If we made it this far, then the file is a LANAlyzer file.
343 * Let's get some info from it. Note that we get wth->snapshot_length
344 * from a record later in the file. */
353 /* Read records until we find the start of packets */
362 }
367 /*g_message("Record 0x%04X Length %d", record_type, record_length);*/
369 /* Trace Summary Record */
379 }
381 /* Assume that the date of the creation of the trace file
382 * is the same date of the trace. Lanalyzer doesn't
383 * store the creation date/time of the trace, but only of
384 * the file. Unless you traced at 11:55 PM and saved at 00:05
385 * AM, the assumption that trace.date == file.date is true.
386 */
390 /*g_message("Day %d Month %d Year %d (%04X)", cr_day, cr_month,
391 cr_year, cr_year);*/
393 /* Get capture start time. I learned how to do
394 * this from Guy's code in ngsniffer.c
395 */
404 /*g_message("Day %d Month %d Year %d", tm.tm_mday,
405 tm.tm_mon, tm.tm_year);*/
420 board_type);
422 }
425 /* Trace Packet Data Record */
427 /* Go back header number of bytes so that lanalyzer_read
428 * can read this header */
431 }
437 }
439 }
440 }
441 }
443 #define DESCRIPTOR_LEN 32
447 {
457 guint64 t;
460 /* read the record type and length. */
467 }
469 }
476 }
481 /* Only Trace Packet Data Records should occur now that we're in
482 * the middle of reading packets. If any other record type exists
483 * after a Trace Packet Data Record, mark it as an error. */
487 record_type);
489 }
492 /*
493 * Uh-oh, the record isn't big enough to even have a
494 * descriptor.
495 */
497 *err_info = g_strdup_printf("lanalyzer: file has a %u-byte record, too small to have even a packet descriptor",
498 record_length);
500 }
503 /* Read the descriptor data */
511 }
516 /*
517 * OK, is the frame data size greater than than what's left of the
518 * record?
519 */
521 /*
522 * Yes - treat this as an error.
523 */
527 }
542 /*
543 * It appears that the "true size" includes the FCS;
544 * make it reflect the non-FCS size (the "packet size"
545 * appears never to include the FCS, even if no slicing
546 * is done).
547 */
549 }
556 /* We assume there's no FCS in this frame. */
559 }
561 /* Read the packet data */
563 }
565 /* Read the next packet */
568 {
571 /* Read the record */
574 }
579 {
583 /* Read the record */
589 }
591 }
593 /*---------------------------------------------------
594 * Returns TRUE on success, FALSE on error
595 * Write "cnt" bytes of zero with error control
596 *---------------------------------------------------*/
598 {
607 }
609 }
611 /*---------------------------------------------------
612 * Returns TRUE on success, FALSE on error
613 * Write an 8-bit value with error control
614 *---------------------------------------------------*/
616 {
618 }
619 /*---------------------------------------------------
620 * Returns TRUE on success, FALSE on error
621 * Write a 16-bit value with error control
622 *---------------------------------------------------*/
624 {
626 }
627 /*---------------------------------------------------
628 * Returns TRUE on success, FALSE on error
629 * Write a 32-bit value with error control
630 *---------------------------------------------------*/
632 {
634 }
635 /*---------------------------------------------------
636 *
637 * calculates C.c = A.a - B.b
638 *---------------------------------------------------*/
642 {
649 }
651 }
652 /*---------------------------------------------------
653 * Write a record for a packet to a dump file.
654 * Returns TRUE on success, FALSE on failure.
655 *---------------------------------------------------*/
659 {
670 /* printf(" LA_ProFileLimit reached\n"); */
673 }
686 /* collect some information for the
687 * finally written header
688 */
689 /* XXX - this conversion could probably improved, if the start uses ns */
695 }
716 }
733 }
735 /*---------------------------------------------------
736 * Returns 0 if we could write the specified encapsulation type,
737 * an error indication otherwise.
738 *---------------------------------------------------*/
740 {
741 /* Per-packet encapsulations aren't supported. */
748 /*
749 * printf("lanalyzer_dump_can_write_encap(%d)\n",encap);
750 */
752 }
754 /*---------------------------------------------------
755 * Returns TRUE on success, FALSE on failure; sets "*err" to an
756 * error code on failure
757 *---------------------------------------------------*/
759 {
767 }
774 /* Some of the fields in the file header aren't known yet so
775 just skip over it for now. It will be created after all
776 of the packets have been written. */
784 + LA_SummaryRecordSize
785 + LA_SubfileSummaryRecordSize
794 }
796 /*---------------------------------------------------
797 *
798 *---------------------------------------------------*/
800 {
808 /* The secs variable is needed to work around 32/64-bit time_t issues.
809 itmp->start is a timeval struct, which declares its tv_sec field
810 (itmp->start.tv_sec) as a long (typically 32 bits). time_t can be 32
811 or 64 bits, depending on the platform. Invoking as follows could
812 pass a pointer to a 32-bit long where a pointer to a 64-bit time_t
813 is expected: localtime((time_t*) &(itmp->start.tv_sec)) */
840 /*-----------------------------------------------------------------*/
887 /*
888 * statrg == 0; ? -1
889 * stptrg == 0; ? -1
890 * s.mxpkta[0]=0
891 */
902 /*-----------------------------------------------------------------*/
911 /*-----------------------------------------------------------------*/
915 /*-----------------------------------------------------------------*/
926 }
928 /*---------------------------------------------------
929 * Finish writing to a dump file.
930 * Returns TRUE on success, FALSE on failure.
931 *---------------------------------------------------*/
933 {
936 }