| blob | a1d34cd6b057485fcd4d76fb9826f73d866897f4 |
1 /* ngsniffer.c
2 *
3 * $Id$
4 *
5 * Wiretap Library
6 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
7 *
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
23 /* The code in ngsniffer.c that decodes the time fields for each packet in the
24 * Sniffer trace originally came from code from TCPVIEW:
25 *
26 * TCPVIEW
27 *
28 * Author: Martin Hunt
29 * Networks and Distributed Computing
30 * Computing & Communications
31 * University of Washington
32 * Administration Building, AG-44
33 * Seattle, WA 98195
34 * Internet: martinh@cac.washington.edu
35 *
36 *
37 * Copyright 1992 by the University of Washington
38 *
39 * Permission to use, copy, modify, and distribute this software and its
40 * documentation for any purpose and without fee is hereby granted, provided
41 * that the above copyright notice appears in all copies and that both the
42 * above copyright notice and this permission notice appear in supporting
43 * documentation, and that the name of the University of Washington not be
44 * used in advertising or publicity pertaining to distribution of the software
45 * without specific, written prior permission. This software is made
46 * available "as is", and
47 * THE UNIVERSITY OF WASHINGTON DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
48 * WITH REGARD TO THIS SOFTWARE, INCLUDING WITHOUT LIMITATION ALL IMPLIED
49 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND IN
50 * NO EVENT SHALL THE UNIVERSITY OF WASHINGTON BE LIABLE FOR ANY SPECIAL,
51 * INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
52 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, TORT
53 * (INCLUDING NEGLIGENCE) OR STRICT LIABILITY, ARISING OUT OF OR IN CONNECTION
54 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
55 *
56 */
59 #include <errno.h>
60 #include <string.h>
67 /* Magic number in Sniffer files. */
71 };
73 /*
74 * Sniffer record types.
75 */
81 /*
82 * and now for some unknown header types
83 */
85 * not yet reverse engineered - some binary,
86 * some strings (Serial numbers? Names
87 * under which the software is registered?
88 * Software version numbers? Mysterious
89 * strings such as "PA-55X" and "PA-30X"
90 * and "PA-57X" and "PA-11X"?), some strings
91 * that are partially overwritten
92 * ("UNSERIALIZED", "Network General
93 * Corporation"), differing from major
94 * version to major version */
97 * info about this capturing session,
98 * in the form of a multi-line string
99 * with NL as the line separator.
100 * Collides with REC_FRAME4 */
108 /*
109 * Sniffer version record format.
110 */
123 };
125 /*
126 * Network types.
127 */
139 /*
140 * Sniffer type 2 data record format - followed by frame data.
141 *
142 * The Expert Sniffer Network Analyzer Operations manual, Release 5.50,
143 * documents some of the values used in "fs" and "flags". "flags" don't
144 * look as if they'd be of much interest to us, as those are internal
145 * flags for state used by the Sniffer, but "fs" gives various status
146 * bits including error indications *and*:
147 *
148 * ISDN channel information for ISDN;
149 *
150 * PPP vs. SLIP information for Async.
151 *
152 * In that section it also refers to "FDDI analyzers using the NPI PCI
153 * FDDI adapter" and "FDDI analyzers using the NPI ISA FDDI adapter",
154 * referring to the first as "F1SNIFF" and the second as "FDSNIFF";
155 * those sound as if they *could* be replacements for "TRSNIFF" in
156 * the file header, but that manual says, earlier, that the header
157 * starts with "TRSNIFF data, no matter where the frames were
158 * collected".
159 *
160 * It also says that a type 2 record has an 8-bit "time_high"
161 * and an 8-bit "time_day" field; the code here used to have a
162 * 16-bit "time_high" value, but that gave wrong time stamps on at
163 * least some captures. Did some older manual have it as a 16-bit
164 * "tstamp_high", so that perhaps it depends on the version number
165 * in the file, or is it "tstamp_high" plus "tstamp_day" in all
166 * versions? (I forget whether this came purely from tcpview, or if
167 * I saw any of it in an NAI document.)
168 *
169 * We interpret them as unsigned, as interpreting them as signed
170 * would appear to allow time stamps that precede the start of the
171 * capture. The description of the record format shows them as
172 * "char", but the section "How the Analyzer Stores Time" shows a
173 * time stamp structure with those fields being "unsigned char".
174 *
175 * In addition, the description of the record format has the comment
176 * for the "time_day" field saying it's the time in days since the
177 * start of the capture, but the "How the Analyzer Stores Time"
178 * section says it's increased by 1 if the capture continues past
179 * midnight - and also says that the time stamp structure has a time
180 * relative to midnight when the capture started, not since the
181 * actual capture start, so that might be a difference between
182 * the internal time stamp in the Sniffer software and the time
183 * stamp in capture files (i.e., the latter might be relative to
184 * the time when the capture starts).
185 */
196 };
198 /*
199 * Bits in "fs".
200 *
201 * The bits differ for different link-layer types.
202 */
204 /*
205 * Ethernet.
206 */
214 /*
215 * FDDI.
216 */
223 /*
224 * Internetwork analyzer (synchronous and asynchronous).
225 */
228 /*
229 * Internetwork analyzer (synchronous).
230 */
239 /*
240 * Internetwork analyzer (asynchronous).
241 * XXX - are some of these synchronous flags? They're listed with the
242 * asynchronous flags in the Sniffer 5.50 Network Analyzer Operations
243 * manual. Is one of the "overrun" errors a synchronous overrun error?
244 */
253 /*
254 * Sniffer type 4 data record format - followed by frame data.
255 *
256 * The ATM Sniffer manual says that the "flags" field holds "buffer flags;
257 * BF_xxxx", but doesn't say what the BF_xxxx flags are. They may
258 * be the same as they are in a type 2 record, in which case they're
259 * probably not of much interest to us.
260 *
261 * XXX - the manual also says there's an 8-byte "ATMTimeStamp" driver
262 * time stamp at the end of "ATMSaveInfo", but, from an ATM Sniffer capture
263 * file I've looked at, that appears not to be the case.
264 */
266 /*
267 * Fields from the AAL5 trailer for the frame, if it's an AAL5 frame
268 * rather than a cell.
269 */
295 /*
296 * Bits in StatusWord.
297 */
314 /*
315 * Bits in AppTrafType.
316 *
317 * For AAL types other than AAL5, the packet data is presumably for a
318 * single cell, not a reassembled frame, as the ATM Sniffer manual says
319 * it dosn't reassemble cells other than AAL5 cells.
320 */
340 /*
341 * Values for AppHLType; the interpretation depends on the ATT_HLTYPE
342 * bits in AppTrafType.
343 */
344 #define AHLT_UNKNOWN 0x0
378 };
380 /*
381 * XXX - I have a version 5.50 file with a bunch of token ring
382 * records listed as type "12". The record format below was
383 * derived from frame4_rec and a bit of experimentation.
384 * - Gerald
385 */
396 };
398 /*
399 * Network type values in some type 7 records.
400 *
401 * Captures with a major version number of 2 appear to have type 7
402 * records with text in them (at least one I have does).
403 *
404 * Captures with a major version of 4, and at least some captures with
405 * a major version of 5, have type 7 records with those values in the
406 * 5th byte.
407 *
408 * However, some captures with a major version number of 5 appear not to
409 * have type 7 records at all (at least one I have doesn't), but do appear
410 * to put non-zero values in the "rsvd" field of the version header (at
411 * least one I have does) - at least some other captures with smaller version
412 * numbers appear to put 0 there, so *maybe* that's where the network
413 * (sub)type is hidden in those captures. The version 5 captures I've seen
414 * that *do* have type 7 records put 0 there, so it's not as if *all* V5
415 * captures have something in the "rsvd" field, however.
416 *
417 * The semantics of these network types is inferred from the Sniffer
418 * documentation, as they correspond to types described in the UI;
419 * in particular, see
420 *
421 * http://www.mcafee.com/common/media/sniffer/support/sdos/operation.pdf
422 *
423 * starting at page 3-10 (56 of 496).
424 *
425 * XXX - I've seen X.25 captures with NET_ROUTER, and I've seen bridge/
426 * router captures with NET_HDLC. Sigh.... Are those just captures for
427 * which the user set the wrong network type when capturing?
428 */
431 things as well, or is it "HDLC then
432 X.25", as referred to by the document
433 cited above, and only used for X.25? */
434 #define NET_FRAME_RELAY 2
436 point-to-point protocols for use between
437 bridges and routers, including PPP as well
438 as various proprietary protocols; also
439 used for ISDN, for reasons not obvious
440 to me, given that a Sniffer knows
441 whether it's using a WAN or an ISDN pod */
444 that's a document for version 5.50 of
445 the Sniffer, and that version might use
446 version 5 in the file format and thus
447 might not be using type 7 records */
449 /*
450 * Values for V.timeunit, in picoseconds, so that they can be represented
451 * as integers. These values must be < 2^(64-40); see below.
452 *
453 * XXX - at least some captures with a V.timeunit value of 2 show
454 * packets with time stamps in 2011 if the time stamp is interpreted
455 * to be in units of 15 microseconds. The capture predates 2008,
456 * so that interpretation is probably wrong. Perhaps the interpretation
457 * of V.timeunit depends on the version number of the file?
458 */
466 /* XXX - Sniffer doc says 0.08 usecs = 80000 psecs */
468 };
469 #define NUM_NGSNIFF_TIMEUNITS (sizeof Psec / sizeof Psec[0])
471 /* Information for a compressed Sniffer data stream. */
481 guint maj_vers;
482 guint min_vers;
483 guint32 timeunit;
493 /*
494 * DOS date to "struct tm" conversion values.
495 */
496 /* DOS year = upper 7 bits */
498 #define DOS_YEAR_SHIFT 9
499 #define DOS_YEAR_MASK (0x7F<<DOS_YEAR_SHIFT)
500 /* DOS month = next 4 bits */
502 #define DOS_MONTH_SHIFT 5
503 #define DOS_MONTH_MASK (0x0F<<DOS_MONTH_SHIFT)
504 /* DOS day = next 5 bits */
505 #define DOS_DAY_SHIFT 0
506 #define DOS_DAY_MASK (0x1F<<DOS_DAY_SHIFT)
554 int
556 {
561 the last 2 are "reserved" and are thrown away */
562 guint16 type;
564 guint16 maj_vers;
565 guint16 start_date;
566 #if 0
567 guint16 start_time;
568 #endif
570 WTAP_ENCAP_TOKEN_RING,
571 WTAP_ENCAP_ETHERNET,
572 WTAP_ENCAP_ARCNET,
579 WTAP_ENCAP_FDDI_BITSWAPPED,
580 WTAP_ENCAP_ATM_PDUS
581 };
582 #define NUM_NGSNIFF_ENCAPS (sizeof sniffer_encap / sizeof sniffer_encap[0])
584 gint64 current_offset;
587 /* Read in the string that should be at the start of a Sniffer file */
595 }
599 }
601 /*
602 * Read the first record, which the manual says is a version
603 * record.
604 */
612 }
619 }
627 }
636 }
638 /* Check the data link type. */
645 }
647 /* Check the time unit */
652 }
654 /* compressed or uncompressed Sniffer file? */
659 }
661 /* Set encap type before reading header records because the
662 * header record may change encap type.
663 */
666 /*
667 * We don't know how to handle the remaining header record types,
668 * so we just skip them - except for REC_HEADER2 records, which
669 * we look at, for "Internetwork analyzer" captures, to attempt to
670 * determine what the link-layer encapsulation is.
671 *
672 * XXX - in some version 1.16 internetwork analyzer files
673 * generated by the Windows Sniffer when saving Windows
674 * Sniffer files as DOS Sniffer files, there's no REC_HEADER2
675 * record, but the first "rsvd" word is 1 for PRI ISDN files, 2
676 * for BRI ISDN files, and 0 for non-ISDN files; is that something
677 * the DOS Sniffer understands?
678 */
686 /*
687 * Well, we haven't determined the internetwork analyzer
688 * subtype yet...
689 */
693 /*
694 * ... and this is a version 1 capture; look
695 * at the first "rsvd" word.
696 */
703 }
707 /*
708 * ...and this is a version 3 capture; we've
709 * seen nothing in those that obviously
710 * indicates the capture type, but the only
711 * one we've seen is a Frame Relay capture,
712 * so mark it as Frame Relay for now.
713 */
716 }
717 }
721 /*
722 * Now, if we have a random stream open, position it to the same
723 * location, which should be the beginning of the real data, and
724 * should be the beginning of the compressed data.
725 *
726 * XXX - will we see any records other than REC_FRAME2, REC_FRAME4,
727 * or REC_EOF after this? If not, we can get rid of the loop in
728 * "ngsniffer_read()".
729 */
733 }
735 /* This is a ngsniffer file */
741 /* We haven't allocated any uncompression buffers yet. */
745 /* Set the current file offset; the offset in the compressed file
746 and in the uncompressed data stream currently the same. */
752 /* We don't yet have any list of compressed blobs. */
765 /* Get capture start time */
770 #if 0
771 /* The time does not appear to act as an offset; only the date */
776 #endif
782 /*
783 * XXX - what if "secs" is -1? Unlikely,
784 * but if the capture was done in a time
785 * zone that switches between standard and
786 * summer time sometime other than when we
787 * do, and thus the time was one that doesn't
788 * exist here because a switch from standard
789 * to summer time zips over it, it could
790 * happen.
791 *
792 * On the other hand, if the capture was done
793 * in a different time zone, this won't work
794 * right anyway; unfortunately, the time zone
795 * isn't stored in the capture file.
796 */
801 }
803 static int
805 guint8 network)
806 {
810 the last 2 are "reserved" and are thrown away */
825 }
827 }
835 /*
836 * Well, this is either some unknown header type
837 * (we ignore this case), an uncompressed data
838 * frame or the length of a compressed blob
839 * which implies data. Seek backwards over the
840 * two bytes we read, and return.
841 */
845 }
854 }
858 /*
859 * Is this is an "Internetwork analyzer" capture, and
860 * is this a REC_HEADER2 record?
861 *
862 * If so, it appears to specify the particular type
863 * of network we're on.
864 *
865 * XXX - handle sync and async differently? (E.g.,
866 * does this apply only to sync?)
867 */
870 /*
871 * Yes, get the first up-to-256 bytes of the
872 * record data.
873 */
882 }
883 }
900 }
902 /*
903 * Skip the rest of the record.
904 */
909 }
911 /* Nope, just skip over the data. */
914 }
915 }
916 }
918 static int
921 {
924 /*
925 * There appears to be a string in a REC_HEADER2 record, with
926 * a list of protocols. In one X.25 capture I've seen, the
927 * string was "HDLC\nX.25\nCLNP\nISO_TP\nSESS\nPRES\nVTP\nACSE".
928 * Presumably CLNP and everything else is per-packet, but
929 * we assume "HDLC\nX.25\n" indicates that it's an X.25 capture.
930 */
932 /*
933 * There's not enough data to compare.
934 */
938 }
941 /*
942 * X.25.
943 */
950 }
952 }
954 static int
957 {
958 /*
959 * The 5th byte of the REC_HEADER2 record appears to be a
960 * network type.
961 */
963 /*
964 * There is no 5th byte; give up.
965 */
969 }
971 /*
972 * The X.25 captures I've seen have a type of NET_HDLC, and the
973 * Sniffer documentation seems to imply that it's used for
974 * X.25, although it could be used for other purposes as well.
975 *
976 * NET_ROUTER is used for all sorts of point-to-point protocols,
977 * including ISDN. It appears, from the documentation, that the
978 * Sniffer attempts to infer the particular protocol by looking
979 * at the traffic; it's not clear whether it stores in the file
980 * an indication of the protocol it inferred was being used.
981 *
982 * Unfortunately, it also appears that NET_HDLC is used for
983 * stuff other than X.25 as well, so we can't just interpret
984 * it unconditionally as X.25.
985 *
986 * For now, we interpret both NET_HDLC and NET_ROUTER as "per-packet
987 * encapsulation". We remember that we saw NET_ROUTER, though,
988 * as it appears that we can infer whether a packet is PPP or
989 * ISDN based on the channel number subfield of the frame error
990 * status bits - if it's 0, it's PPP, otherwise it's ISDN and
991 * the channel number indicates which channel it is. We assume
992 * NET_HDLC isn't used for ISDN.
993 */
1009 /*
1010 * For most of the version 4 capture files I've seen,
1011 * 0xfa in buffer[1] means the file is an ISDN capture,
1012 * but there's one PPP file with 0xfa there; does that
1013 * mean that the 0xfa has nothing to do with ISDN,
1014 * or is that just an ISDN file with no D channel
1015 * packets? (The channel number is not 0 in any
1016 * of the packets, so perhaps it is.)
1017 *
1018 * For one version 5 ISDN capture I've seen, there's
1019 * a 0x01 in buffer[6]; none of the non-ISDN version
1020 * 5 captures have it.
1021 */
1032 /*
1033 * There is no 5th byte; give up.
1034 */
1038 }
1042 }
1050 /*
1051 * Reject these until we can figure them out.
1052 */
1057 }
1059 }
1061 /* Read the next packet */
1062 static gboolean
1064 {
1077 /*
1078 * We use the uncompressed offset, as that's what
1079 * we need to use for compressed files.
1080 */
1083 /*
1084 * Read the record header.
1085 */
1089 /* Read error or EOF */
1091 }
1097 /*
1098 * We shouldn't get a frame2 record in
1099 * an ATM capture.
1100 */
1104 }
1106 /* Read the f_frame2_struct */
1108 err_info)) {
1109 /* Read error */
1111 }
1127 /*
1128 * We shouldn't get a frame2 record in
1129 * a non-ATM capture.
1130 */
1134 }
1136 /* Read the f_frame4_struct */
1138 err_info)) {
1139 /* Read error */
1141 }
1149 /*
1150 * XXX - it looks as if some version 4 captures have
1151 * a bogus record length, based on the assumption
1152 * that the record is a frame2 record.
1153 */
1159 else
1161 }
1167 /* Read the f_frame6_struct */
1169 err_info)) {
1170 /* Read error */
1172 }
1187 /*
1188 * End of file. Return an EOF indication.
1189 */
1195 }
1197 /*
1198 * Well, we don't know what it is, or we know what
1199 * it is but can't handle it. Skip past the data
1200 * portion, and keep looping.
1201 */
1204 }
1206 found:
1207 /*
1208 * OK, is the frame data size greater than than what's left of the
1209 * record?
1210 */
1212 /*
1213 * Yes - treat this as an error.
1214 */
1218 }
1224 /*
1225 * Read the packet data.
1226 */
1234 /*
1235 * 40-bit time stamp, in units of timeunit picoseconds.
1236 */
1239 /*
1240 * timeunit is always < 2^(64-40), so t * timeunit fits in 64
1241 * bits. That gives a 64-bit time stamp, in units of
1242 * picoseconds.
1243 */
1246 /*
1247 * Convert to seconds and picoseconds.
1248 */
1252 /*
1253 * Add in the time_day value (86400 seconds/day).
1254 */
1257 /*
1258 * Add in the capture start time.
1259 */
1265 }
1267 static gboolean
1271 {
1283 err_info);
1285 /* Read error or EOF */
1287 /* EOF means "short read" in random-access mode */
1289 }
1291 }
1296 /* Read the f_frame2_struct */
1298 /* Read error */
1300 }
1308 /* Read the f_frame4_struct */
1310 /* Read error */
1312 }
1320 /* Read the f_frame6_struct */
1322 /* Read error */
1324 }
1332 /*
1333 * "Can't happen".
1334 */
1337 }
1339 /*
1340 * Got the pseudo-header (if any), now get the data.
1341 */
1348 }
1350 static int
1353 {
1354 gint64 bytes_read;
1358 /*
1359 * Read the record header.
1360 */
1362 err_info);
1369 }
1371 }
1373 err_info);
1378 }
1383 }
1385 static gboolean
1388 {
1389 gint64 bytes_read;
1391 /* Read the f_frame2_struct */
1398 }
1400 }
1402 static void
1405 {
1406 /*
1407 * In one PPP "Internetwork analyzer" capture:
1408 *
1409 * The only bit seen in "frame2.fs" is the 0x80 bit, which
1410 * probably indicates the packet's direction; all other
1411 * bits were zero. The Expert Sniffer Network Analyzer
1412 * 5.50 Operations manual says that bit is the FS_DTE bit
1413 * for async/PPP data. The other bits are error bits
1414 * plus bits indicating whether the frame is PPP or SLIP,
1415 * but the PPP bit isn't set.
1416 *
1417 * All bits in "frame2.flags" were zero.
1418 *
1419 * In one X.25 "Internetwork analyzer" capture:
1420 *
1421 * The only bit seen in "frame2.fs" is the 0x80 bit, which
1422 * probably indicates the packet's direction; all other
1423 * bits were zero.
1424 *
1425 * "frame2.flags" was always 0x18; however, the Sniffer
1426 * manual says that just means that a display filter was
1427 * calculated for the frame, and it should be displayed,
1428 * so perhaps that's just a quirk of that particular capture.
1429 *
1430 * In one Ethernet capture:
1431 *
1432 * "frame2.fs" was always 0; the Sniffer manual says they're
1433 * error bits of various sorts.
1434 *
1435 * "frame2.flags" was either 0 or 0x18, with no obvious
1436 * correlation with anything. See previous comment
1437 * about display filters.
1438 *
1439 * In one Token Ring capture:
1440 *
1441 * "frame2.fs" was either 0 or 0xcc; the Sniffer manual says
1442 * nothing about those bits for Token Ring captures.
1443 *
1444 * "frame2.flags" was either 0 or 0x18, with no obvious
1445 * correlation with anything. See previous comment
1446 * about display filters.
1447 */
1451 /*
1452 * XXX - do we ever have an FCS? If not, why do we often
1453 * have 4 extra bytes of stuff at the end? Do some
1454 * PC Ethernet interfaces report the length including the
1455 * FCS but not store the FCS in the packet, or do some
1456 * Ethernet drivers work that way?
1457 */
1491 }
1492 }
1493 }
1495 static gboolean
1498 {
1499 gint64 bytes_read;
1501 /* Read the f_frame4_struct */
1508 }
1510 }
1512 static void
1515 {
1516 guint32 StatusWord;
1520 /*
1521 * Map flags from frame4.atm_info.StatusWord.
1522 */
1536 /*
1537 * Map ATT_AAL_UNKNOWN on VPI 0, VCI 5 to ATT_AAL_SIGNALLING,
1538 * as that's the VPCI used for signalling.
1539 *
1540 * XXX - is this necessary, or will frames to 0/5 always
1541 * have ATT_AAL_SIGNALLING?
1542 */
1545 else
1587 TRAF_ST_VCMX_802_3_FCS;
1592 TRAF_ST_VCMX_802_4_FCS;
1597 TRAF_ST_VCMX_802_5_FCS;
1602 TRAF_ST_VCMX_FDDI_FCS;
1607 TRAF_ST_VCMX_802_6_FCS;
1632 TRAF_ST_VCMX_FRAGMENTS;
1642 }
1655 TRAF_ST_LANE_LE_CTRL;
1668 TRAF_ST_LANE_802_3_MC;
1673 TRAF_ST_LANE_802_5_MC;
1679 }
1707 TRAF_ST_IPSILON_FT0;
1712 TRAF_ST_IPSILON_FT1;
1717 TRAF_ST_IPSILON_FT2;
1723 }
1730 }
1756 }
1764 }
1766 static gboolean
1769 {
1770 gint64 bytes_read;
1772 /* Read the f_frame6_struct */
1779 }
1781 }
1783 static void
1786 {
1787 /* XXX - Once the frame format is divined, something will most likely go here */
1792 /* XXX - is there an FCS? */
1795 }
1796 }
1798 static gboolean
1801 {
1802 gint64 bytes_read;
1812 }
1814 }
1816 /*
1817 * OK, this capture is from an "Internetwork analyzer", and we either
1818 * didn't see a type 7 record or it had a network type such as NET_HDLC
1819 * that doesn't tell us which *particular* HDLC derivative this is;
1820 * let's look at the first few bytes of the packet, a pointer to which
1821 * was passed to us as an argument, and see whether it looks like PPP,
1822 * Frame Relay, Wellfleet HDLC, Cisco HDLC, or LAPB - or, if it's none
1823 * of those, assume it's LAPD.
1824 *
1825 * (XXX - are there any "Internetwork analyzer" captures that don't
1826 * have type 7 records? If so, is there some other field that will
1827 * tell us what type of capture it is?)
1828 */
1829 static int
1831 {
1835 /*
1836 * Nothing to infer, but it doesn't matter how you
1837 * dissect an empty packet. Let's just say PPP.
1838 */
1840 }
1843 /*
1844 * PPP. (XXX - check for 0xFF 0x03?)
1845 */
1847 }
1851 /*
1852 * Wellfleet HDLC.
1853 */
1857 /*
1858 * Cisco HDLC.
1859 */
1861 }
1863 /*
1864 * Check for Frame Relay. Look for packets with at least
1865 * 3 bytes of header - 2 bytes of DLCI followed by 1 byte
1866 * of control, which, for now, we require to be 0x03 (UI),
1867 * although there might be other frame types as well.
1868 * Scan forward until we see the last DLCI byte, with
1869 * the low-order bit being 1, and then check the next
1870 * byte to see if it's a control byte.
1871 *
1872 * XXX - in version 4 and 5 captures, wouldn't this just
1873 * have a capture subtype of NET_FRAME_RELAY? Or is this
1874 * here only to handle other versions of the capture
1875 * file, where we might just not yet have found where
1876 * the subtype is specified in the capture?
1877 *
1878 * Bay^H^H^HNortel Networks has a mechanism in the Optivity
1879 * software for some of their routers to save captures
1880 * in Sniffer format; they use a version number of 4.9, but
1881 * don't put out any header records before the first FRAME2
1882 * record. That means we have to use heuristics to guess
1883 * what type of packet we have.
1884 */
1886 ;
1889 /*
1890 * No control byte.
1891 */
1893 }
1896 }
1898 /*
1899 * Assume LAPB, for now. If we support other HDLC encapsulations,
1900 * we can check whether the low-order bit of the first byte is
1901 * set (as it should be for LAPB) if no other checks pass.
1902 *
1903 * Or, if it's truly impossible to distinguish ISDN from non-ISDN
1904 * captures, we could assume it's ISDN if it's not anything
1905 * else.
1906 */
1908 }
1910 static int
1913 {
1920 /*
1921 * Infer the packet type from the first two bytes.
1922 */
1925 /*
1926 * Fix up the pseudo-header to match the new
1927 * encapsulation type.
1928 */
1936 else
1943 else
1946 /*
1947 * XXX - this is currently a per-packet
1948 * encapsulation type, and we can't determine
1949 * whether a capture is an ISDN capture before
1950 * seeing any packets, and B-channel PPP packets
1951 * look like PPP packets and are given
1952 * WTAP_ENCAP_PPP_WITH_PHDR, not WTAP_ENCAP_ISDN,
1953 * so we assume this is a D-channel packet and
1954 * thus give it a channel number of 0.
1955 */
1958 }
1962 /*
1963 * If the Windows Sniffer writes out one of its ATM
1964 * capture files in DOS Sniffer format, it doesn't
1965 * distinguish between LE Control and LANE encapsulated
1966 * LAN frames, it just marks them as LAN frames,
1967 * so we fix that up here.
1968 *
1969 * I've also seen DOS Sniffer captures claiming that
1970 * LANE packets that *don't* start with FF 00 are
1971 * marked as LE Control frames, so we fix that up
1972 * as well.
1973 */
1976 /*
1977 * This must be LE Control.
1978 */
1980 TRAF_ST_LANE_LE_CTRL;
1982 /*
1983 * This can't be LE Control.
1984 */
1986 TRAF_ST_LANE_LE_CTRL) {
1987 /*
1988 * XXX - Ethernet or Token Ring?
1989 */
1991 TRAF_ST_LANE_802_3;
1992 }
1993 }
1994 }
1996 }
1998 }
2000 /* Throw away the buffers used by the sequential I/O stream, but not
2001 those used by the random I/O stream. */
2002 static void
2004 {
2011 }
2012 }
2014 static void
2016 {
2018 }
2020 /* Close stuff used by the random I/O stream, if any, and free up any
2021 private data structures. (If there's a "sequential_close" routine
2022 for a capture file type, it'll be called before the "close" routine
2023 is called, so we don't have to free the sequential buffer here.) */
2024 static void
2026 {
2035 }
2036 }
2039 gboolean first_frame;
2063 };
2064 #define NUM_WTAP_ENCAPS (sizeof wtap_encap / sizeof wtap_encap[0])
2066 /* Returns 0 if we could write the specified encapsulation type,
2067 an error indication otherwise. */
2068 int
2070 {
2071 /* Per-packet encapsulations aren't supported. */
2079 }
2081 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
2082 failure */
2083 gboolean
2085 {
2089 /* This is a sniffer file */
2098 /* Write the file header. */
2100 err))
2106 }
2108 /* Write a record for a packet to a dump file.
2109 Returns TRUE on success, FALSE on failure. */
2110 static gboolean
2113 {
2119 guint64 t;
2121 guint8 t_high;
2124 guint16 start_date;
2127 /* Sniffer files have a capture start date in the file header, and
2128 have times relative to the beginning of that day in the packet
2129 headers; pick the date of the first packet as the capture start
2130 date. */
2133 #if (defined _WIN32) && (_MSC_VER < 1500)
2134 /* calling localtime() on MSVC 2005 with huge values causes it to crash */
2135 /* XXX - find the exact value that still does work */
2136 /* XXX - using _USE_32BIT_TIME_T might be another way to circumvent this problem */
2139 else
2140 #endif
2146 /* record the start date, not the start time */
2151 }
2153 /* "sniffer" version ? */
2170 }
2180 /* Seconds since the start of the capture */
2182 /* Extract the number of days since the start of the capture */
2185 /* Convert to picoseconds */
2188 /* Convert to units of timeunit = 1 */
2224 }
2230 }
2239 }
2241 /* Finish writing to a dump file.
2242 Returns TRUE on success, FALSE on failure. */
2243 static gboolean
2245 {
2246 /* EOF record */
2252 }
2254 /*
2255 SnifferDecompress() decompresses a blob of compressed data from a
2256 Sniffer(R) capture file.
2258 This function is Copyright (c) 1999-2999 Tim Farley
2260 Parameters
2261 inbuf - buffer of compressed bytes from file, not including
2262 the preceding length word
2263 inlen - length of inbuf in bytes (max 64k)
2264 outbuf - decompressed contents, could contain a partial Sniffer
2265 record at the end.
2266 outlen - length of outbuf.
2268 Return value is the number of bytes in outbuf on return.
2269 */
2270 static int
2273 {
2287 }
2291 {
2292 /* Shift down the bit mask we use to see whats encoded */
2295 /* If there are no bits left, time to get another 16 bits */
2297 {
2302 {
2305 }
2306 }
2308 /* Use the bits in bit_value to see what's encoded and what is raw data */
2310 {
2311 /* bit not set - raw byte we just copy */
2313 }
2314 else
2315 {
2316 /* bit set - next item is encoded. Peel off high nybble
2317 of next byte to see the encoding type. Set aside low
2318 nybble while we are at it */
2323 {
2326 }
2328 /* Based on the code type, decode the compressed string */
2330 {
2332 /*
2333 Run length is the low nybble of the first code byte.
2334 Byte to repeat immediately follows.
2335 Total code size: 2 bytes.
2336 */
2338 /* If length would put us past end of output, avoid overflow */
2340 {
2343 }
2345 /* generate the repeated series of bytes */
2350 /*
2351 Low 4 bits of run length is the low nybble of the
2352 first code byte, upper 8 bits of run length is in
2353 the next byte.
2354 Byte to repeat immediately follows.
2355 Total code size: 3 bytes.
2356 */
2358 /* If we are already at end of input, there is no byte
2359 to repeat */
2361 {
2364 }
2365 /* If length would put us past end of output, avoid overflow */
2367 {
2370 }
2372 /* generate the repeated series of bytes */
2377 /*
2378 Low 4 bits of offset to string is the low nybble of the
2379 first code byte, upper 8 bits of offset is in
2380 the next byte.
2381 Length of string immediately follows.
2382 Total code size: 3 bytes.
2383 */
2385 /* If we are already at end of input, there is no byte
2386 to repeat */
2388 {
2391 }
2392 /* Check if offset would put us back past begin of buffer */
2394 {
2397 }
2399 /* get length from next byte, make sure it won't overrun buf */
2402 {
2405 }
2407 /* Copy the string from previous text to output position,
2408 advance output pointer */
2413 /*
2414 Low 4 bits of offset to string is the low nybble of the
2415 first code byte, upper 8 bits of offset is in
2416 the next byte.
2417 Length of string to repeat is overloaded into code_type.
2418 Total code size: 2 bytes.
2419 */
2421 /* Check if offset would put us back past begin of buffer */
2423 {
2426 }
2428 /* get length from code_type, make sure it won't overrun buf */
2431 {
2434 }
2436 /* Copy the string from previous text to output position,
2437 advance output pointer */
2441 }
2442 }
2444 /* If we've consumed all the input, we are done */
2447 }
2450 }
2452 /*
2453 * XXX - is there any guarantee that this is big enough to hold the
2454 * uncompressed data from any blob?
2455 */
2456 #define OUTBUF_SIZE 65536
2457 #define INBUF_SIZE 65536
2459 /* Information about a compressed blob; we save the offset in the
2460 underlying compressed file, and the offset in the uncompressed data
2461 stream, of the blob. */
2463 gint64 blob_comp_offset;
2464 gint64 blob_uncomp_offset;
2467 static gint64
2470 {
2472 FILE_T infile;
2476 unsigned char *outbuffer = (unsigned char *)buffer; /* where to write next decompressed data */
2488 }
2498 }
2500 }
2502 /* Allocate the stream buffer if it hasn't already been allocated. */
2507 /* This is the first read of the random file, so we're at
2508 the beginning of the sequence of blobs in the file
2509 (as we've not done any random reads yet to move the
2510 current position in the random stream); set the
2511 current blob to be the first blob. */
2514 /* This is the first sequential read; if we also have a
2515 random stream open, allocate the first element for the
2516 list of blobs, and make it the last element as well. */
2523 blob);
2525 }
2526 }
2528 /* Now read the first blob into the buffer. */
2531 }
2535 /* There's no decompressed stuff left to copy from the current
2536 blob; get the next blob. */
2539 /* Move to the next blob in the list. */
2542 /*
2543 * XXX - this "can't happen"; we should have a
2544 * blob for every byte in the file.
2545 */
2548 }
2550 /* If we also have a random stream open, add a new element,
2551 for this blob, to the list of blobs; we know the list is
2552 non-empty, as we initialized it on the first sequential
2553 read, so we just add the new element at the end, and
2554 adjust the pointer to the last element to refer to it. */
2560 blob);
2561 }
2562 }
2567 }
2573 bytes_to_copy);
2579 }
2581 }
2583 /* Read a blob from a compressed stream.
2584 Return -1 and set "*err" and "*err_info" on error, otherwise return 0. */
2585 static int
2588 {
2592 gint16 blob_len_host;
2593 gboolean uncompressed;
2597 /* Read one 16-bit word which is length of next compressed blob */
2603 }
2607 /* Compressed or uncompressed? */
2609 /* Uncompressed blob; blob length is absolute value of the number. */
2615 }
2619 /* Read the blob */
2626 }
2633 /* Decompress the blob */
2639 }
2640 }
2646 }
2648 /* Skip some number of bytes forward in the sequential stream. */
2649 static gboolean
2651 {
2661 }
2665 /* Ok, now read and discard "delta" bytes. */
2670 else
2676 }
2679 }
2683 }
2685 /* Seek to a given offset in the random data stream.
2687 On compressed files, we see whether we're seeking to a position within
2688 the blob we currently have in memory and, if not, we find in the list
2689 of blobs the last blob that starts at or before the position to which
2690 we're seeking, and read that blob in. We can then move to the appropriate
2691 position within the blob we have in memory (whether it's the blob we
2692 already had in memory or, if necessary, the one we read in). */
2693 static gboolean
2695 {
2697 gint64 delta;
2707 }
2711 /* Is the place to which we're seeking within the current buffer, or
2712 will we have to read a different blob into the buffer? */
2715 /* We're going forwards.
2716 Is the place to which we're seeking within the current buffer? */
2718 /* No. Search for a blob that contains the target
2719 offset in the uncompressed byte stream. */
2721 /* We haven't read anything from the random
2722 file yet, so we have no current blob;
2723 search all the blobs, starting with
2724 the first one. */
2727 /* We're seeking forward, so start searching
2728 with the blob after the current one. */
2730 }
2734 /* No more blobs; the current one is it. */
2736 }
2739 /* Does the next blob start after the target offset?
2740 If so, the current blob is the one we want. */
2745 }
2747 /*
2748 * We're seeking past the end of what
2749 * we've read so far.
2750 */
2753 }
2754 }
2756 /* We're going backwards.
2757 Is the place to which we're seeking within the current buffer? */
2759 /* No. Search for a blob that contains the target
2760 offset in the uncompressed byte stream. */
2762 /* We haven't read anything from the random
2763 file yet, so we have no current blob;
2764 search all the blobs, starting with
2765 the last one. */
2768 /* We're seeking backward, so start searching
2769 with the blob before the current one. */
2771 }
2773 /* Does this blob start at or before the target offset?
2774 If so, the current blob is the one we want. */
2779 /* It doesn't - skip to the previous blob. */
2781 }
2783 /*
2784 * XXX - shouldn't happen.
2785 */
2788 }
2789 }
2790 }
2793 /* The place to which we're seeking isn't in the current buffer;
2794 move to a new blob. */
2797 /* Seek in the compressed file to the offset in the compressed file
2798 of the beginning of that blob. */
2802 /*
2803 * Do we have a buffer for the random stream yet?
2804 */
2806 /*
2807 * No - allocate it, as we'll be reading into it.
2808 */
2810 }
2812 /* Make the blob we found the current one. */
2815 /* Now set the current offsets to the offsets of the beginning
2816 of the blob. */
2820 /* Now fill the buffer. */
2824 /* Set "delta" to the amount to move within this blob; it had
2825 better be >= 0, and < the amount of uncompressed data in
2826 the blob, as otherwise it'd mean we need to seek before
2827 the beginning or after the end of this blob. */
2830 }
2832 /* OK, the place to which we're seeking is in the buffer; adjust
2833 "ngsniffer->rand.nextout" to point to the place to which
2834 we're seeking, and adjust "ngsniffer->rand.uncomp_offset" to be
2835 the destination offset. */
2840 }