| blob | d61925191fbac4554519b1372ea986922702a4ac |
1 /* peektagged.c
2 * Routines for opening files in what WildPackets calls the tagged file
3 * format in the description of their "PeekRdr Sample Application" (C++
4 * source code to read their capture files, downloading of which requires
5 * a maintenance contract, so it's not free as in beer and probably not
6 * as in speech, either).
7 *
8 * As that description says, it's used by AiroPeek and AiroPeek NX 2.0
9 * and later, EtherPeek 6.0 and later, EtherPeek NX 3.0 and later,
10 * EtherPeek VX 1.0 and later, GigaPeek NX 1.0 and later, Omni3 1.0
11 * and later (both OmniPeek and the Remote Engine), and WANPeek NX
12 * 1.0 and later. They also say it'll be used by future WildPackets
13 * products.
14 *
15 * $Id$
16 *
17 * Wiretap Library
18 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
19 *
20 * This program is free software; you can redistribute it and/or
21 * modify it under the terms of the GNU General Public License
22 * as published by the Free Software Foundation; either version 2
23 * of the License, or (at your option) any later version.
24 *
25 * This program is distributed in the hope that it will be useful,
26 * but WITHOUT ANY WARRANTY; without even the implied warranty of
27 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
28 * GNU General Public License for more details.
29 *
30 * You should have received a copy of the GNU General Public License
31 * along with this program; if not, write to the Free Software
32 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
33 */
36 #include <errno.h>
37 #include <string.h>
38 #include <stdlib.h>
44 /* CREDITS
45 *
46 * This file decoder could not have been writen without examining
47 * http://www.varsanofiev.com/inside/airopeekv9.htm, the help from
48 * Martin Regner and Guy Harris, and the etherpeek.c file (as it
49 * was called before renaming it to peekclassic.c).
50 */
52 /*
53 * Section header.
54 *
55 * A Peek tagged file consists of multiple sections, each of which begins
56 * with a header in the following format.
57 *
58 * The section ID is a 4-character string saying what type of section
59 * it is. The section length is a little-endian field giving the
60 * length of the section, in bytes, including the section header
61 * itself. The other field of the section header is a little-endian
62 * constant that always appears to be 0x00000200.
63 *
64 * Files we've seen have the following sections, in order:
65 *
66 * "\177vers" - version information. The contents are XML, giving
67 * the file format version and application version information.
68 *
69 * "sess" - capture session information. The contents are XML, giving
70 * various information about the capture session.
71 *
72 * "pkts" - captured packets. The contents are binary records, one for
73 * each packet, with the record being a list of tagged values followed
74 * by the raw packet data.
75 */
82 /*
83 * Network subtype values.
84 *
85 * XXX - do different network subtype values for 802.11 indicate different
86 * network adapter types, with some adapters supplying the FCS and others
87 * not supplying the FCS?
88 */
89 #define PEEKTAGGED_NST_ETHERNET 0
94 /* tags for fields in packet header */
95 #define TAG_PEEKTAGGED_LENGTH 0x0000
96 #define TAG_PEEKTAGGED_TIMESTAMP_LOWER 0x0001
97 #define TAG_PEEKTAGGED_TIMESTAMP_UPPER 0x0002
98 #define TAG_PEEKTAGGED_FLAGS_AND_STATUS 0x0003
99 #define TAG_PEEKTAGGED_CHANNEL 0x0004
100 #define TAG_PEEKTAGGED_RATE 0x0005
101 #define TAG_PEEKTAGGED_SIGNAL_PERC 0x0006
102 #define TAG_PEEKTAGGED_SIGNAL_DBM 0x0007
103 #define TAG_PEEKTAGGED_NOISE_PERC 0x0008
104 #define TAG_PEEKTAGGED_NOISE_DBM 0x0009
105 #define TAG_PEEKTAGGED_UNKNOWN_0x000D 0x000D
106 #define TAG_PEEKTAGGED_SLICE_LENGTH 0xffff
108 /* 64-bit time in nanoseconds from the (Windows FILETIME) epoch */
110 guint32 upper;
111 guint32 lower;
115 gboolean has_fcs;
126 {
132 {
135 {
140 }
142 cp++;
143 else
144 {
147 else
149 }
150 }
152 }
158 {
164 {
167 {
172 }
174 {
177 }
178 else
180 }
182 }
187 {
196 /* 0 means EOF, which means "not a valid Peek tagged file";
197 -1 means error, and "err" has been set. */
199 }
205 }
209 {
210 peektagged_section_header_t ap_hdr;
213 guint32 fileVersion;
214 guint32 mediaType;
218 WTAP_ENCAP_ETHERNET,
219 WTAP_ENCAP_IEEE_802_11_WITH_RADIO,
220 WTAP_ENCAP_IEEE_802_11_WITH_RADIO,
221 WTAP_ENCAP_IEEE_802_11_WITH_RADIO
222 };
223 #define NUM_PEEKTAGGED_ENCAPS (sizeof peektagged_encap / sizeof peektagged_encap[0])
232 }
237 /*
238 * XXX - we should get the length of the "\177ver" section, check
239 * that it's followed by a little-endian 0x00000200, and then,
240 * when reading the XML, make sure we don't go past the end of
241 * that section, and skip to the end of that section when
242 * we have the file version (and possibly check to make sure all
243 * tags are properly opened and closed).
244 */
247 /* 0 means EOF, which means "not a valid Peek tagged file";
248 -1 means error, and "err" has been set. */
250 }
253 /* 0 means EOF, which means "not a valid Peek tagged file";
254 -1 means error, and "err" has been set. */
256 }
258 /* If we got this far, we assume it's a Peek tagged file. */
260 /* We only support version 9. */
263 fileVersion);
265 }
267 /*
268 * XXX - once we've skipped the "\177ver" section, we should
269 * check for a "sess" section and fail if we don't see it.
270 * Then we should get the length of the "sess" section, check
271 * that it's followed by a little-endian 0x00000200, and then,
272 * when reading the XML, make sure we don't go past the end of
273 * that section, and skip to the end of the section when
274 * we have the file version (and possibly check to make sure all
275 * tags are properly opened and closed).
276 */
284 }
285 /* XXX - this appears to be 0 in both the EtherPeek and AiroPeek
286 files we've seen; should we require it to be 0? */
294 }
303 }
311 }
316 mediaSubType);
318 }
326 }
328 /* skip 8 zero bytes */
332 /*
333 * This is an Peek tagged file.
334 */
356 }
361 }
364 guint32 length;
365 guint32 sliceLength;
366 peektagged_utime timestamp;
370 /*
371 * Time stamps appear to be in nanoseconds since the Windows epoch
372 * as used in FILETIMEs, i.e. midnight, January 1, 1601.
373 *
374 * This magic number came from "nt_time_to_nstime()" in "packet-smb.c".
375 * 1970-1601 is 369; I'm not sure what the extra 3 days and 6 hours are
376 * that are being subtracted.
377 */
378 #define TIME_FIXUP_CONSTANT (369.0*365.25*24*60*60-(3.0*24*60*60+6.0*60*60))
380 /*
381 * Read the packet.
382 *
383 * XXX - we should supply the additional radio information;
384 * the pseudo-header should probably be supplied in a fashion
385 * similar to the radiotap radio header, so that the 802.11
386 * dissector can determine which, if any, information items
387 * are present.
388 */
389 static int
392 {
394 hdr_info_t hdr_info;
398 guint16 tag;
407 /* Extract the fields from the packet header */
409 /* Get the tag and value.
410 XXX - this assumes all values are 4 bytes long. */
418 /*
419 * Short read if we've read something already;
420 * just an EOF if we haven't.
421 */
424 }
425 }
427 }
437 }
447 }
457 }
463 /* XXX - not used yet */
479 /* XXX - not used yet */
483 /* XXX - not used yet */
487 /* XXX - not used yet */
491 /* XXX - seen in an EtherPeek capture; value unknown */
500 }
507 }
512 }
517 }
519 /*
520 * If sliceLength is 0, force it to be the actual length of the packet.
521 */
526 /*
527 * Probably a corrupt capture file; don't blow up trying
528 * to allocate space for an immensely-large packet.
529 */
534 }
540 /* calculate and fill in packet time stamp */
559 }
564 }
569 /*
570 * The last 4 bytes appear to be 0 in the captures I've seen;
571 * are there any captures where it's an FCS?
572 */
577 }
583 }
585 /* Read the packet data. */
590 }
594 {
599 /* Read the packet. */
606 /* Skip extra junk at the end of the packet data. */
609 }
612 }
614 static gboolean
618 {
622 /* Read the packet. */
627 }
629 }