| blob | 58494cc66b32c8396b8a81603036f255124e17af |
1 /*
2 * $Id$
3 */
5 /***************************************************************************
6 network_instruments.c - description
7 -------------------
8 begin : Wed Oct 29 2003
9 copyright : (C) 2003 by root
10 email : scotte[AT}netinst.com
11 ***************************************************************************/
13 /***************************************************************************
14 * *
15 * This program is free software; you can redistribute it and/or modify *
16 * it under the terms of the GNU General Public License as published by *
17 * the Free Software Foundation; either version 2 of the License, or *
18 * (at your option) any later version. *
19 * *
20 ***************************************************************************/
24 #include <stdlib.h>
25 #include <errno.h>
26 #include <string.h>
37 /*
38 * This structure is used to keep state when writing files. An instance is
39 * allocated for each file, and its address is stored in the wtap_dumper.priv
40 * pointer field.
41 */
43 guint64 packet_count;
44 guint8 network_type;
45 guint32 time_format;
48 /*
49 * Some time offsets are calculated in advance here, when the first Observer
50 * file is opened for reading or writing, and are then used to adjust frame
51 * timestamps as they are read or written.
52 *
53 * The Wiretap API expects timestamps in nanoseconds relative to
54 * January 1, 1970, 00:00:00 GMT (the Wiretap epoch).
55 *
56 * Observer versions before 13.10 encode frame timestamps in nanoseconds
57 * relative to January 1, 2000, 00:00:00 local time (the Observer epoch).
58 * Versions 13.10 and later switch over to GMT encoding. Which encoding was used
59 * when saving the file is identified via the time format TLV following
60 * the file header.
61 *
62 * Unfortunately, even though Observer versions before 13.10 saved in local
63 * time, they didn't include the timezone from which the frames were captured,
64 * so converting to GMT correctly from all timezones is impossible. So an
65 * assumption is made that the file is being read from within the same timezone
66 * that it was written.
67 *
68 * All code herein is normalized to versions 13.10 and later, special casing for
69 * versions earlier. In other words, timestamps are worked with as if
70 * they are GMT-encoded, and adjustments from local time are made only if
71 * the source file warrants it.
72 *
73 * All destination files are saved in GMT format.
74 */
79 {
85 /*
86 * Compute the local time zone offset as the number of seconds west
87 * of GMT. There's no obvious cross-platform API for querying this
88 * directly. As a workaround, GMT and local tm structures are populated
89 * relative to the ANSI time_t epoch (plus one day to ensure that
90 * local time stays after 1970/1/1 00:00:00). They are then converted
91 * back to time_t as if they were both local times, resulting in the
92 * time zone offset being the difference between them.
93 */
98 }
99 }
111 static int read_packet_data(FILE_T fh, int offset_to_frame, int current_offset_from_packet_header,
121 {
124 capture_file_header file_header;
125 guint i;
126 tlv_header tlvh;
129 packet_entry_header packet_header;
135 /* read in the buffer file header */
142 }
146 /* check if version info is present */
149 }
151 /* initialize the private state */
156 /* get the location of the first packet */
157 /* v15 and newer uses high byte offset, in previous versions it will be 0 */
158 header_offset = file_header.offset_to_first_packet + ((int)(file_header.offset_to_first_packet_high_byte)<<16);
160 /* process extra information */
162 /* for safety break if we've reached the first packet */
166 /* read the TLV header */
173 }
182 }
184 /* process (or skip over) the current TLV */
187 bytes_read = file_read(&private_state->time_format, sizeof private_state->time_format, wth->fh);
193 }
202 }
204 }
205 }
207 /* get to the first packet */
213 }
218 }
220 /* pull off the packet header */
227 }
230 /* check the packet's magic number */
233 *err_info = g_strdup_printf("Observer: unsupported packet version %ul", packet_header.packet_magic);
235 }
237 /* check the data link type */
240 *err_info = g_strdup_printf("Observer: network type %u unknown or unsupported", packet_header.network_type);
242 }
245 /* set up the rest of the capture parameters */
256 /* reset the pointer to the first packet */
263 }
265 /* Reads the next packet. */
268 {
271 packet_entry_header packet_header;
273 /* skip records other than data records */
277 /* process the packet header, including TLVs */
278 header_bytes_consumed = read_packet_header(wth->fh, &wth->phdr.pseudo_header, &packet_header, err,
279 err_info);
286 /* skip to next packet */
290 }
291 }
296 /* read the frame data */
302 }
304 /* skip over any extra bytes following the frame data */
308 }
311 }
313 /* Reads a packet at an offset. */
317 {
319 packet_entry_header packet_header;
326 /* process the packet header, including TLVs */
328 err_info);
335 /* read the frame data */
340 }
343 }
345 static int
348 {
351 guint i;
352 tlv_header tlvh;
354 tlv_wireless_info wireless_header;
358 /* pull off the packet header */
365 }
369 /* check the packet's magic number */
372 /*
373 * Some files are zero-padded at the end. There is no warning of this
374 * in the previous packet header information, such as setting
375 * offset_to_next_packet to zero. So detect this situation by treating
376 * an all-zero header as a sentinel. Return EOF when it is encountered,
377 * rather than treat it as a bad record.
378 */
382 }
386 }
392 }
394 /* process extra information */
396 /* read the TLV header */
403 }
412 }
414 /* process (or skip over) the current TLV */
423 }
424 /* update the pseudo header */
426 /* set decryption status */
427 pseudo_header->ieee_802_11.decrypted = (wireless_header.conditions & WIRELESS_WEP_SUCCESS) != 0;
434 /* skip the TLV data */
439 }
441 }
442 }
445 }
447 static gboolean
450 {
451 /* set the wiretap packet header fields */
458 /*
459 * XXX - what are those 4 bytes?
460 *
461 * The comment in the code said "neglect frame markers for wiretap",
462 * but in the captures I've seen, there's no actual data corresponding
463 * to them that might be a "frame marker".
464 *
465 * Instead, the packets had a network_size 4 bytes larger than the
466 * captured_size; does the network_size include the CRC, even
467 * though it's not included in a capture? If so, most other
468 * network analyzers that have a "network size" and a "captured
469 * size" don't include the CRC in the "network size" if they
470 * don't include the CRC in a full-length captured packet; the
471 * "captured size" is less than the "network size" only if a
472 * user-specified "snapshot length" caused the packet to be
473 * sliced at a particular point.
474 *
475 * That's the model that wiretap and Wireshark/TShark use, so
476 * we implement that model here.
477 */
483 }
487 }
489 /* set the wiretap timestamp, assuming for the moment that Observer encoded it in GMT */
490 phdr->ts.secs = (time_t) ((packet_header->nano_seconds_since_2000 / 1000000000) + ansi_to_observer_epoch_offset);
493 /* adjust to local time, if necessary, also accounting for DST if the frame
494 was captured while it was in effect */
496 {
501 /* the Observer timestamp was encoded as local time, so add a
502 correction from local time to GMT */
505 /* perform a DST adjustment if necessary */
512 }
513 }
515 /* update the pseudo header */
518 /* There is no FCS in the frame */
522 /* Updated in read_packet_header */
524 }
527 }
529 static int
530 read_packet_data(FILE_T fh, int offset_to_frame, int current_offset_from_packet_header, Buffer *buf,
532 {
536 /* validate offsets */
542 }
544 /* skip to the packet data */
549 }
551 }
553 /* set-up the packet buffer */
556 /* read in the packet data */
562 }
564 static gboolean
565 skip_to_next_packet(wtap *wth, int offset_to_next_packet, int current_offset_from_packet_header, int *err,
567 {
570 /* validate offsets */
576 }
578 /* skip to the next packet header */
583 }
586 }
588 /* Returns 0 if we could write the specified encapsulation type,
589 an error indication otherwise. */
591 {
592 /* per-packet encapsulations aren't supported */
600 }
602 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
603 failure. */
605 {
607 capture_file_header file_header;
609 tlv_header comment_header;
610 tlv_time_info time_header;
616 /* initialize the private state */
622 /* populate the fields of wdh */
626 /* initialize the file header */
632 /* create the file comment TLV */
633 {
643 /* update the file header to account for the comment TLV */
646 }
648 /* create the timestamp encoding TLV */
649 {
654 /* update the file header to account for the timestamp encoding TLV */
657 }
659 /* write the file header, swapping any multibyte fields first */
663 }
666 /* write the comment TLV */
667 {
671 }
676 }
678 }
680 /* write the time info TLV */
681 {
685 }
687 }
692 }
694 /* Write a record for a packet to a dump file.
695 Returns TRUE on success, FALSE on failure. */
699 {
701 packet_entry_header packet_header;
702 guint64 seconds_since_2000;
704 /* convert the number of seconds since epoch from ANSI-relative to
705 Observer-relative */
711 }
714 }
716 /* populate the fields of the packet header */
725 /* XXX - what if this doesn't fit in 16 bits? It's not guaranteed to... */
737 /* write the packet header */
741 }
744 /* write the packet data */
747 }
751 }
754 {
766 }
768 }
771 {
781 }
783 }