1 /* netxray.c
2 *
3 * Wiretap Library
4 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
5 *
6 * SPDX-License-Identifier: GPL-2.0-or-later
7 */
8
9 #include "config.h"
10
11 #include <errno.h>
12 #include <string.h>
13 #include "wtap-int.h"
14 #include "file_wrappers.h"
15 #include "netxray.h"
16 #include "atm.h"
17
18 /* Capture file header, *including* magic number, is padded to 128 bytes. */
19 #define CAPTUREFILE_HEADER_SIZE 128
20
21 /* Magic number size, in both 1.x and later files. */
22 #define MAGIC_SIZE 4
23
24 /* Magic number in NetXRay 1.x files. */
25 static const char old_netxray_magic[MAGIC_SIZE] = {
26 'V', 'L', '\0', '\0'
27 };
28
29 /* Magic number in NetXRay 2.0 and later, and Windows Sniffer, files. */
30 static const char netxray_magic[MAGIC_SIZE] = {
31 'X', 'C', 'P', '\0'
callboost::fusion::extension::begin_impl::apply32 };
33
34 /* NetXRay file header (minus magic number). */
35 /* */
36 /* As field usages are identified, please revise as needed */
37 /* Please do *not* use netxray_hdr xxx... names in the code */
38 /* (Placeholder names for all 'unknown' fields are */
39 /* of form xxx_x<hex_hdr_offset> */
40 /* where <hex_hdr_offset> *includes* the magic number) */
41
42 struct netxray_hdr {
43 char version[8]; /* version number */
44 guint32 start_time; /* UNIX [UTC] time when capture started */
45
46 guint32 nframes; /* number of packets */
47 guint32 xxx_x14; /* unknown [some kind of file offset] */
48 guint32 start_offset; /* offset of first packet in capture */
49 guint32 end_offset; /* offset after last packet in capture */
50
51 guint32 xxx_x20; /* unknown [some kind of file offset] */
52 guint32 xxx_x24; /* unknown [unused ?] */
53 guint32 xxx_x28; /* unknown [some kind of file offset] */
54 guint8 network; /* datalink type */
55 guint8 network_plus; /* [See code] */
56 guint8 xxx_x2E[2]; /* unknown */
57
58 guint8 timeunit; /* encodes length of a tick */
59 guint8 xxx_x31[3]; /* XXX - upper 3 bytes of timeunit ? */
60 guint32 timelo; /* lower 32 bits of capture start time stamp */
61 guint32 timehi; /* upper 32 bits of capture start time stamp */
62 guint32 linespeed; /* speed of network, in bits/second */
63
64 guint8 xxx_x40[12]; /* unknown [other stuff] */
65 guint8 realtick[4]; /* (ticks/sec for Ethernet/Ndis/Timeunit=2 ?) */
66 /* (realtick[1], realtick[2] also currently */
67 /* used as flag for 'FCS presence') */
68
69 guint8 xxx_x50[4]; /* unknown [other stuff] */
70 guint8 captype; /* capture type */
71 guint8 xxx_x55[3]; /* unknown [other stuff] */
72 guint8 xxx_x58[4]; /* unknown [other stuff] */
73 guint8 wan_hdlc_subsub_captype; /* WAN HDLC subsub_captype */
74 guint8 xxx_x5D[3]; /* unknown [other stuff] */
75
76 guint8 xxx_x60[16]; /* unknown [other stuff] */
77
78 guint8 xxx_x70[14]; /* unknown [other stuff] */
79 gint16 timezone_hrs; /* timezone hours [at least for version 2.2..]; */
80 /* positive values = west of UTC: */
81 /* negative values = east of UTC: */
82 /* e.g. +5 is American Eastern */
83 /* [Does not appear to be adjusted for DST ] */
84 };
85
86 /*
87 * Capture type, in hdr.captype.
88 *
89 * Values other than 0 are dependent on the network type.
90 * For Ethernet captures, it indicates the type of capture pod.
91 * For WAN captures (all of which are done with a pod), it indicates
92 * the link-layer type.
93 */
94 #define CAPTYPE_NDIS 0 /* Capture on network interface using NDIS */
95
96 /*
97 * Ethernet capture types.
98 */
99 #define ETH_CAPTYPE_GIGPOD 2 /* gigabit Ethernet captured with pod */
100 #define ETH_CAPTYPE_OTHERPOD 3 /* non-gigabit Ethernet captured with pod */
101 #define ETH_CAPTYPE_OTHERPOD2 5 /* gigabit Ethernet via pod ?? */
102 /* Captype 5 seen in capture from Distributed Sniffer with: */
103 /* Version 4.50.211 software */
104 /* SysKonnect SK-9843 Gigabit Ethernet Server Adapter */
105 #define ETH_CAPTYPE_GIGPOD2 6 /* gigabit Ethernet, captured with blade on S6040-model Sniffer */
106
107 /*
108 * WAN capture types.
109 */
110 #define WAN_CAPTYPE_BROUTER 1 /* Bridge/router captured with pod */
111 #define WAN_CAPTYPE_PPP 3 /* PPP captured with pod */
112 #define WAN_CAPTYPE_FRELAY 4 /* Frame Relay captured with pod */
113 #define WAN_CAPTYPE_BROUTER2 5 /* Bridge/router captured with pod */
114 #define WAN_CAPTYPE_HDLC 6 /* HDLC (X.25, ISDN) captured with pod */
115 #define WAN_CAPTYPE_SDLC 7 /* SDLC captured with pod */
116 #define WAN_CAPTYPE_HDLC2 8 /* HDLC captured with pod */
117 #define WAN_CAPTYPE_BROUTER3 9 /* Bridge/router captured with pod */
118 #define WAN_CAPTYPE_SMDS 10 /* SMDS DXI */
119 #define WAN_CAPTYPE_BROUTER4 11 /* Bridge/router captured with pod */
120 #define WAN_CAPTYPE_BROUTER5 12 /* Bridge/router captured with pod */
121 #define WAN_CAPTYPE_CHDLC 19 /* Cisco router (CHDLC) captured with pod */
122
123 #define CAPTYPE_ATM 15 /* ATM captured with pod */
124
125 /*
126 * # of ticks that equal 1 second, in version 002.xxx files other
127 * than Ethernet captures with a captype other than CAPTYPE_NDIS;
128 * the index into this array is hdr.timeunit.
129 *
130 * DO NOT SEND IN PATCHES THAT CHANGE ANY OF THE NON-ZERO VALUES IN
131 * ANY OF THE TpS TABLES. THOSE VALUES ARE CORRECT FOR AT LEAST ONE
132 * CAPTURE, SO CHANGING THEM WILL BREAK AT LEAST SOME CAPTURES. WE
133 * WILL NOT CHECK IN PATCHES THAT CHANGE THESE VALUES.
134 *
135 * Instead, if a value in a TpS table is wrong, check whether captype
136 * has a non-zero value; if so, perhaps we need a new TpS table for the
137 * corresponding network type and captype, or perhaps the 'realtick'
138 * field contains the correct ticks-per-second value.
139 *
140 * TpS...[] entries of 0.0 mean that no capture file for the
141 * corresponding captype/timeunit values has yet been seen, or that
142 * we're using the 'realtick' value.
143 *
144 * XXX - 05/29/07: For Ethernet captype = 0 (NDIS) and timeunit = 2:
145 * Perusal of a number of Sniffer captures
146 * (including those from Wireshark bug reports
147 * and those from the Wireshark 'menagerie')
148 * suggests that 'realtick' for this case
149 * contains the correct ticks/second to be used.
150 * So: we'll use realtick for Ethernet captype=0 and timeunit=2.
151 * (It might be that realtick should be used for Ethernet captype = 0
152 * and timeunit = 1 but I've not yet enough captures to be sure).
153 * Based upon the captures reviewed to date, realtick cannot be used for
154 * any of the other Ethernet captype/timeunit combinations for which there
155 * are non-zero values in the TpS tables.
156 *
157 * In at least one capture where "realtick" doesn't correspond
158 * to the value from the appropriate TpS table, the per-packet header's
159 * "xxx" field is all zero, so it's not as if a 2.x header includes
160 * a "compatibility" time stamp corresponding to the value from the
161 * TpS table and a "real" time stamp corresponding to "realtick".
162 *
163 * XXX - the item corresponding to timeunit = 2 is 1193180.0, presumably
164 * because somebody found it gave the right answer for some captures, but
165 * 3 times that, i.e. 3579540.0, appears to give the right answer for some
166 * other captures.
167 *
168 * Some captures have realtick of 1193182, some have 3579545, and some
169 * have 1193000. Most of those, in one set of captures somebody has,
170 * are wrong. (Did that mean "wrong for some capture files, but not
171 * for the files in which they occurred", or "wrong for the files in
172 * which they occurred? If it's "wrong for some capture files, but
173 * not for the files in which they occurred", perhaps those were Ethernet
174 * captures with a captype of 0 and timeunit = 2, so that we now use
175 * realtick, and perhaps that fixes the problems.)
176 *
177 * XXX - in at least one ATM capture, hdr.realtick is 1193180.0
178 * and hdr.timeunit is 0. Does that capture have a captype of
179 * CAPTYPE_ATM? If so, what should the table for ATM captures with
180 * that captype be?
181 */
182 static const double TpS[] = { 1e6, 1193000.0, 1193182.0 };
183 #define NUM_NETXRAY_TIMEUNITS (sizeof TpS / sizeof TpS[0])
184
185 /*
186 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_GIGPOD.
187 * 0.0 means "unknown".
188 *
189 * It appears that, at least for Ethernet captures, if captype is
190 * ETH_CAPTYPE_GIGPOD, that indicates that it's a gigabit Ethernet
191 * capture, possibly from a special whizzo gigabit pod, and also
192 * indicates that the time stamps have some higher resolution than
193 * in other captures, possibly thanks to a high-resolution timer
194 * on the pod.
195 *
196 * It also appears that the time units might differ for gigabit pod
197 * captures between version 002.001 and 002.002. For 002.001,
198 * the values below are correct; for 002.002, it's claimed that
199 * the right value for TpS_gigpod[2] is 1250000.0, but at least one
200 * 002.002 gigabit pod capture has 31250000.0 as the right value.
201 * XXX: Note that the TpS_otherpod[2] value is 1250000.0; It seems
202 * reasonable to suspect that the original claim might actually
203 * have been for a capture with a captype of 'otherpod'.
204 * (Based upon captures reviewed realtick does not contain the
205 * correct TpS values for the 'gigpod' captype).
206 */
207 static const double TpS_gigpod[] = { 1e9, 0.0, 31250000.0 };
208 #define NUM_NETXRAY_TIMEUNITS_GIGPOD (sizeof TpS_gigpod / sizeof TpS_gigpod[0])
209
210 /*
211 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_OTHERPOD.
212 * (Based upon captures reviewed realtick does not contain the
213 * correct TpS values for the 'otherpod' captype).
214 */
215 static const double TpS_otherpod[] = { 1e6, 0.0, 1250000.0 };
216 #define NUM_NETXRAY_TIMEUNITS_OTHERPOD (sizeof TpS_otherpod / sizeof TpS_otherpod[0])
217
218 /*
219 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_OTHERPOD2.
220 * (Based upon captures reviewed realtick does not contain the
221 * correct TpS values for the 'otherpod2' captype).
222 */
223 static const double TpS_otherpod2[] = { 1e6, 0.0, 0.0 };
224 #define NUM_NETXRAY_TIMEUNITS_OTHERPOD2 (sizeof TpS_otherpod2 / sizeof TpS_otherpod2[0])
225
226 /*
227 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_GIGPOD2.
228 * (Based upon captures reviewed realtick does not contain the
229 * correct TpS values for the 'gigpod2' captype).
230 */
231 static const double TpS_gigpod2[] = { 1e9, 0.0, 20000000.0 };
232 #define NUM_NETXRAY_TIMEUNITS_GIGPOD2 (sizeof TpS_gigpod2 / sizeof TpS_gigpod2[0])
233
234 /* Version number strings. */
235 static const char vers_1_0[] = {
236 '0', '0', '1', '.', '0', '0', '0', '\0'
237 };
238
239 static const char vers_1_1[] = {
240 '0', '0', '1', '.', '1', '0', '0', '\0'
241 };
242
243 static const char vers_2_000[] = {
244 '0', '0', '2', '.', '0', '0', '0', '\0'
245 };
246
247 static const char vers_2_001[] = {
248 '0', '0', '2', '.', '0', '0', '1', '\0'
249 };
250
251 static const char vers_2_002[] = {
252 '0', '0', '2', '.', '0', '0', '2', '\0'
253 };
254
255 static const char vers_2_003[] = {
256 '0', '0', '2', '.', '0', '0', '3', '\0'
257 };
258
259 /* Old NetXRay data record format - followed by frame data. */
260 struct old_netxrayrec_hdr {
261 guint32 timelo; /* lower 32 bits of time stamp */
262 guint32 timehi; /* upper 32 bits of time stamp */
263 guint16 len; /* packet length */
264 guint8 xxx[6]; /* unknown */
265 };
266
267 /* NetXRay format version 1.x data record format - followed by frame data. */
268 struct netxrayrec_1_x_hdr {
269 guint32 timelo; /* lower 32 bits of time stamp */
270 guint32 timehi; /* upper 32 bits of time stamp */
271 guint16 orig_len; /* packet length */
272 guint16 incl_len; /* capture length */
273 guint8 xxx[16]; /* unknown */
274 };
275
276 /*
277 * NetXRay format version 2.x data record format - followed by frame data.
278 *
279 * The xxx fields appear to be:
280 *
281 * xxx[0]: ATM traffic type and subtype in the low 3 bits of
282 * each nibble, and flags(?) in the upper bit of each nibble.
283 * Always 0 for 802.11?
284 *
285 * xxx[1]: Always 0 for 802.11?
286 *
287 * xxx[2], xxx[3]: for Ethernet, 802.11, ISDN LAPD, LAPB,
288 * Frame Relay, if both are 0xff, there are 4 bytes of stuff
289 * at the end of the packet data, which might be an FCS or
290 * which might be junk to discard.
291 *
292 * xxx[4-7]: Always 0 for 802.11?
293 *
294 * xxx[8], xxx[9]: 2 bytes of a flag word? If treated as
295 * a 2-byte little-endian flag word:
296 *
297 * 0x0001: Error of some sort, including bad CRC, although
298 * in one ISDN capture it's set in some B2 channel
299 * packets of unknown content (as opposed to the B1
300 * traffic in the capture, which is PPP)
301 * 0x0002: Seen in 802.11 - short preamble? Bad CRC?
302 * 0x0004: Some particular type of error?
303 * 0x0008: For (Gigabit?) Ethernet (with special probe?),
304 * 4 bytes at end are junk rather than CRC?
305 * 0x0100: CRC error on ATM? Protected and Not decrypted
306 * for 802.11? Bad CRC? Short preamble?
307 * 0x0200: Something for ATM? Something else for 802.11?
308 * 0x0400: raw ATM cell
309 * 0x0800: OAM cell?
310 * 0x2000: port on which the packet was captured?
311 *
312 * The Sniffer Portable 4.8 User's Guide lists a set of packet status
313 * flags including:
314 *
315 * packet is marked;
316 * packet was captured from Port A on the pod or adapter card;
317 * packet was captured from Port B on the pod or adapter card;
318 * packet has a symptom or diagnosis associated with it;
319 * packet is an event filter trigger;
320 * CRC error packet with normal packet size;
321 * CRC error packet with oversize error;
322 * packet size < 64 bytes (including CRC) but with valid CRC;
323 * packet size < 64 bytes (including CRC) with CRC error;
324 * packet size > 1518 bytes (including CRC) but with valid CRC;
325 * packet damaged by a collision;
326 * packet length not a multiple of 8 bits;
327 * address conflict in the ring on Token Ring;
328 * packet is not copied (received) by the destination host on
329 * Token Ring;
330 * AAL5 length error;
331 * AAL5 maximum segments error;
332 * ATM timeout error;
333 * ATM buffer error;
334 * ATM unknown error;
335 * and a ton of AAL2 errors.
336 *
337 * Not all those bits necessarily correspond to flag bits in the file,
338 * but some might.
339 *
340 * In one ATM capture, the 0x2000 bit was set for all frames; in another,
341 * it's unset for all frames. This, plus the ATMbook having two ports,
342 * suggests that it *might* be a "port A vs. port B" flag.
343 *
344 * The 0x0001 bit appears to be set for CRC errors on Ethernet and 802.11.
345 * It also appears to be set on ATM for AAL5 PDUs that appear to be
346 * completely reassembled and that have a CRC error and for frames that
347 * appear to be part of a full AAL5 PDU. In at least two files with
348 * frames of the former type, the 0x0100 and 0x0200 flags are set;
349 * in at least one file with frames of the latter type, neither of
350 * those flags are set.
351 *
352 * The field appears to be somewhat random in some captures,
353 * however.
354 *
355 * xxx[10]: for 802.11, always 0?
356 *
357 * xxx[11]: for 802.11, 0x05 if the packet is WEP-encrypted(?).
358 *
359 * xxx[12]: for 802.11, channel number.
360 *
361 * xxx[13]: for 802.11, data rate, in 500 Kb/s units.
362 *
363 * xxx[14]: for 802.11, signal strength.
364 *
365 * xxx[15]: for 802.11, noise level; 0xFF means none reported,
366 * 0x7F means 100%.
367 *
368 * xxx[16-19]: for 802.11, PHY header, at least for {HR/}DSSS,
369 * in at least one capture.
370 * In another capture, xxx[16] appears to be the
371 * data rate in 500 Kb/s units
372 * Chip-dependent stuff?
373 *
374 * xxx[20-25]: for 802.11, MAC address of sending machine(?).
375 *
376 * xxx[26]: for 802.11, one of 0x00, 0x01, 0x03, or 0x0b?
377 *
378 * xxx[27]: for 802.11, one of 0x00 or 0x30?
379 */
380 struct netxrayrec_2_x_hdr {
381 guint32 timelo; /* lower 32 bits of time stamp */
382 guint32 timehi; /* upper 32 bits of time stamp */
383 guint16 orig_len; /* packet length */
384 guint16 incl_len; /* capture length */
385 guint8 xxx[28]; /* various data */
386 };
387
388 /*
389 * Union of the data record headers.
390 */
391 union netxrayrec_hdr {
392 struct old_netxrayrec_hdr old_hdr;
393 struct netxrayrec_1_x_hdr hdr_1_x;
394 struct netxrayrec_2_x_hdr hdr_2_x;
395 };
396
397 typedef struct {
398 time_t start_time;
399 double ticks_per_sec;
400 double start_timestamp;
401 gboolean wrapped;
402 guint32 nframes;
403 gint64 start_offset;
404 gint64 end_offset;
405 int version_major;
406 gboolean fcs_valid; /* if packets have valid FCS at the end */
407 guint isdn_type; /* 1 = E1 PRI, 2 = T1 PRI, 3 = BRI */
408 } netxray_t;
409
410 static gboolean netxray_read(wtap *wth, wtap_rec *rec, Buffer *buf,
411 int *err, gchar **err_info, gint64 *data_offset);
412 static gboolean netxray_seek_read(wtap *wth, gint64 seek_off,
413 wtap_rec *rec, Buffer *buf, int *err, gchar **err_info);
414 static int netxray_process_rec_header(wtap *wth, FILE_T fh,
415 wtap_rec *rec, int *err, gchar **err_info);
416 static void netxray_guess_atm_type(wtap *wth, wtap_rec *rec,
417 Buffer *buf);
418 static gboolean netxray_dump_1_1(wtap_dumper *wdh,
419 const wtap_rec *rec,
420 const guint8 *pd, int *err, gchar **err_info);
421 static gboolean netxray_dump_finish_1_1(wtap_dumper *wdh, int *err,
422 gchar **err_info);
423 static gboolean netxray_dump_2_0(wtap_dumper *wdh,
424 const wtap_rec *rec,
425 const guint8 *pd, int *err, gchar **err_info);
426 static gboolean netxray_dump_finish_2_0(wtap_dumper *wdh, int *err,
427 gchar **err_info);
428
429 static int netxray_old_file_type_subtype = -1;
430 static int netxray_1_0_file_type_subtype = -1;
431 static int netxray_1_1_file_type_subtype = -1;
432 static int netxray_2_00x_file_type_subtype = -1;
433
434 void register_netxray(void);
435
436 wtap_open_return_val
437 netxray_open(wtap *wth, int *err, gchar **err_info)
438 {
439 char magic[MAGIC_SIZE];
440 gboolean is_old;
441 struct netxray_hdr hdr;
442 guint network_type;
443 double ticks_per_sec;
444 int version_major, version_minor;
445 int file_type;
446 double start_timestamp;
447 static const int netxray_encap[] = {
448 WTAP_ENCAP_UNKNOWN,
449 WTAP_ENCAP_ETHERNET,
450 WTAP_ENCAP_TOKEN_RING,
451 WTAP_ENCAP_FDDI_BITSWAPPED,
452 /*
453 * XXX - some PPP captures may look like Ethernet,
454 * perhaps because they're using NDIS to capture on the
455 * same machine and it provides simulated-Ethernet
456 * packets, but captures taken with various serial
457 * pods use the same network type value but aren't
458 * shaped like Ethernet. We handle that below.
459 */
460 WTAP_ENCAP_ETHERNET, /* WAN(PPP), but shaped like Ethernet */
461 WTAP_ENCAP_UNKNOWN, /* LocalTalk */
462 WTAP_ENCAP_UNKNOWN, /* "DIX" - should not occur */
463 WTAP_ENCAP_UNKNOWN, /* ARCNET raw */
464 WTAP_ENCAP_UNKNOWN, /* ARCNET 878.2 */
465 WTAP_ENCAP_ATM_PDUS_UNTRUNCATED,/* ATM */
466 WTAP_ENCAP_IEEE_802_11_WITH_RADIO,
467 /* Wireless WAN with radio information */
468 WTAP_ENCAP_UNKNOWN /* IrDA */
469 };
470 #define NUM_NETXRAY_ENCAPS (sizeof netxray_encap / sizeof netxray_encap[0])
471 int file_encap;
472 guint isdn_type = 0;
473 netxray_t *netxray;
474
475 /* Read in the string that should be at the start of a NetXRay
476 * file */
477 if (!wtap_read_bytes(wth->fh, magic, MAGIC_SIZE, err, err_info)) {
478 if (*err != WTAP_ERR_SHORT_READ)
479 return WTAP_OPEN_ERROR;
480 return WTAP_OPEN_NOT_MINE;
481 }
482
483 if (memcmp(magic, netxray_magic, MAGIC_SIZE) == 0) {
484 is_old = FALSE;
485 } else if (memcmp(magic, old_netxray_magic, MAGIC_SIZE) == 0) {
486 is_old = TRUE;
487 } else {
488 return WTAP_OPEN_NOT_MINE;
489 }
490
491 /* Read the rest of the header. */
492 if (!wtap_read_bytes(wth->fh, &hdr, sizeof hdr, err, err_info))
493 return WTAP_OPEN_ERROR;
494
495 if (is_old) {
496 version_major = 0;
497 version_minor = 0;
498 file_type = netxray_old_file_type_subtype;
499 } else {
500 /* It appears that version 1.1 files (as produced by Windows
501 * Sniffer Pro 2.0.01) have the time stamp in microseconds,
502 * rather than the milliseconds version 1.0 files appear to
503 * have.
504 *
505 * It also appears that version 2.00x files have per-packet
506 * headers with some extra fields. */
507 if (memcmp(hdr.version, vers_1_0, sizeof vers_1_0) == 0) {
508 version_major = 1;
509 version_minor = 0;
510 file_type = netxray_1_0_file_type_subtype;
511 } else if (memcmp(hdr.version, vers_1_1, sizeof vers_1_1) == 0) {
512 version_major = 1;
513 version_minor = 1;
514 file_type = netxray_1_1_file_type_subtype;
515 } else if (memcmp(hdr.version, vers_2_000, sizeof vers_2_000) == 0) {
516 version_major = 2;
517 version_minor = 0;
518 file_type = netxray_2_00x_file_type_subtype;
519 } else if (memcmp(hdr.version, vers_2_001, sizeof vers_2_001) == 0) {
520 version_major = 2;
521 version_minor = 1;
522 file_type = netxray_2_00x_file_type_subtype;
523 } else if (memcmp(hdr.version, vers_2_002, sizeof vers_2_002) == 0) {
524 version_major = 2;
525 version_minor = 2;
526 file_type = netxray_2_00x_file_type_subtype;
527 } else if (memcmp(hdr.version, vers_2_003, sizeof vers_2_003) == 0) {
528 version_major = 2;
529 version_minor = 3;
530 file_type = netxray_2_00x_file_type_subtype;
531 } else {
532 *err = WTAP_ERR_UNSUPPORTED;
533 *err_info = g_strdup_printf("netxray: version \"%.8s\" unsupported", hdr.version);
534 return WTAP_OPEN_ERROR;
535 }
536 }
537
538 switch (hdr.network_plus) {
539
540 case 0:
541 /*
542 * The byte after hdr.network is usually 0, in which case
543 * the hdr.network byte is an NDIS network type value - 1.
544 */
545 network_type = hdr.network + 1;
546 break;
547
548 case 2:
549 /*
550 * However, in some Ethernet captures, it's 2, and the
551 * hdr.network byte is 1 rather than 0. We assume
552 * that if there's a byte after hdr.network with the value
553 * 2, the hdr.network byte is an NDIS network type, rather
554 * than an NDIS network type - 1.
555 */
556 network_type = hdr.network;
557 break;
558
559 default:
560 *err = WTAP_ERR_UNSUPPORTED;
561 *err_info = g_strdup_printf("netxray: the byte after the network type has the value %u, which I don't understand",
562 hdr.network_plus);
563 return WTAP_OPEN_ERROR;
564 }
565
566 if (network_type >= NUM_NETXRAY_ENCAPS
567 || netxray_encap[network_type] == WTAP_ENCAP_UNKNOWN) {
568 *err = WTAP_ERR_UNSUPPORTED;
569 *err_info = g_strdup_printf("netxray: network type %u (%u) unknown or unsupported",
570 network_type, hdr.network_plus);
571 return WTAP_OPEN_ERROR;
572 }
573
574 /*
575 * Figure out the time stamp units and start time stamp.
576 */
577 start_timestamp = (double)pletoh32(&hdr.timelo)
578 + (double)pletoh32(&hdr.timehi)*4294967296.0;
579 if (is_old) {
580 ticks_per_sec = 1000.0;
581 wth->file_tsprec = WTAP_TSPREC_MSEC;
582 } else if (version_major == 1) {
583 switch (version_minor) {
584
585 case 0:
586 ticks_per_sec = 1000.0;
587 wth->file_tsprec = WTAP_TSPREC_MSEC;
588 break;
589
590 case 1:
591 /*
592 * In version 1.1 files (as produced by Windows
593 * Sniffer Pro 2.0.01), the time stamp is in
594 * microseconds, rather than the milliseconds
595 * time stamps in NetXRay and older versions
596 * of Windows Sniffer.
597 */
598 ticks_per_sec = 1000000.0;
599 wth->file_tsprec = WTAP_TSPREC_USEC;
600 break;
601
602 default:
603 /* "Can't happen" - we rejected that above */
604 *err = WTAP_ERR_INTERNAL;
605 *err_info = g_strdup_printf("netxray: version %d.%d somehow didn't get rejected",
606 version_major, version_minor);
607 return WTAP_OPEN_ERROR;
608 }
609 } else if (version_major == 2) {
610 /*
611 * Get the time stamp units from the appropriate TpS
612 * table or from the file header.
613 */
614 switch (network_type) {
615
616 case 1:
617 /*
618 * Ethernet - the table to use depends on whether
619 * this is an NDIS or pod capture.
620 */
621 switch (hdr.captype) {
622
623 case CAPTYPE_NDIS:
624 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS) {
625 *err = WTAP_ERR_UNSUPPORTED;
626 *err_info = g_strdup_printf(
627 "netxray: Unknown timeunit %u for Ethernet/CAPTYPE_NDIS version %.8s capture",
628 hdr.timeunit, hdr.version);
629 return WTAP_OPEN_ERROR;
630 }
631 /*
632 XXX: 05/29/07: Use 'realtick' instead of TpS table if timeunit=2;
633 Using 'realtick' in this case results
634 in the correct 'ticks per second' for all the captures that
635 I have of this type (including captures from a number of Wireshark
636 bug reports).
637 */
638 if (hdr.timeunit == 2) {
639 ticks_per_sec = pletoh32(hdr.realtick);
640 }
641 else {
642 ticks_per_sec = TpS[hdr.timeunit];
643 }
644 break;
645
646 case ETH_CAPTYPE_GIGPOD:
647 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_GIGPOD
648 || TpS_gigpod[hdr.timeunit] == 0.0) {
649 *err = WTAP_ERR_UNSUPPORTED;
650 *err_info = g_strdup_printf(
651 "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_GIGPOD version %.8s capture",
652 hdr.timeunit, hdr.version);
653 return WTAP_OPEN_ERROR;
654 }
655 ticks_per_sec = TpS_gigpod[hdr.timeunit];
656
657 /*
658 * At least for 002.002 and 002.003
659 * captures, the start time stamp is 0,
660 * not the value in the file.
661 */
662 if (version_minor == 2 || version_minor == 3)
663 start_timestamp = 0.0;
664 break;
665
666 case ETH_CAPTYPE_OTHERPOD:
667 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_OTHERPOD
668 || TpS_otherpod[hdr.timeunit] == 0.0) {
669 *err = WTAP_ERR_UNSUPPORTED;
670 *err_info = g_strdup_printf(
671 "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_OTHERPOD version %.8s capture",
672 hdr.timeunit, hdr.version);
673 return WTAP_OPEN_ERROR;
674 }
675 ticks_per_sec = TpS_otherpod[hdr.timeunit];
676
677 /*
678 * At least for 002.002 and 002.003
679 * captures, the start time stamp is 0,
680 * not the value in the file.
681 */
682 if (version_minor == 2 || version_minor == 3)
683 start_timestamp = 0.0;
684 break;
685
686 case ETH_CAPTYPE_OTHERPOD2:
687 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_OTHERPOD2
688 || TpS_otherpod2[hdr.timeunit] == 0.0) {
689 *err = WTAP_ERR_UNSUPPORTED;
690 *err_info = g_strdup_printf(
691 "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_OTHERPOD2 version %.8s capture",
692 hdr.timeunit, hdr.version);
693 return WTAP_OPEN_ERROR;
694 }
695 ticks_per_sec = TpS_otherpod2[hdr.timeunit];
696 /*
697 * XXX: start time stamp in the one capture file examined of this type was 0;
698 * We'll assume the start time handling is the same as for other pods.
699 *
700 * At least for 002.002 and 002.003
701 * captures, the start time stamp is 0,
702 * not the value in the file.
703 */
704 if (version_minor == 2 || version_minor == 3)
705 start_timestamp = 0.0;
706 break;
707
708 case ETH_CAPTYPE_GIGPOD2:
709 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_GIGPOD2
710 || TpS_gigpod2[hdr.timeunit] == 0.0) {
711 *err = WTAP_ERR_UNSUPPORTED;
712 *err_info = g_strdup_printf(
713 "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_GIGPOD2 version %.8s capture",
714 hdr.timeunit, hdr.version);
715 return WTAP_OPEN_ERROR;
716 }
717 ticks_per_sec = TpS_gigpod2[hdr.timeunit];
718 /*
719 * XXX: start time stamp in the one capture file examined of this type was 0;
720 * We'll assume the start time handling is the same as for other pods.
721 *
722 * At least for 002.002 and 002.003
723 * captures, the start time stamp is 0,
724 * not the value in the file.
725 */
726 if (version_minor == 2 || version_minor == 3)
727 start_timestamp = 0.0;
728 break;
729
730 default:
731 *err = WTAP_ERR_UNSUPPORTED;
732 *err_info = g_strdup_printf(
733 "netxray: Unknown capture type %u for Ethernet version %.8s capture",
734 hdr.captype, hdr.version);
735 return WTAP_OPEN_ERROR;
736 }
737 break;
738
739 default:
740 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS) {
741 *err = WTAP_ERR_UNSUPPORTED;
742 *err_info = g_strdup_printf(
743 "netxray: Unknown timeunit %u for %u/%u version %.8s capture",
744 hdr.timeunit, network_type, hdr.captype,
745 hdr.version);
746 return WTAP_OPEN_ERROR;
747 }
748 ticks_per_sec = TpS[hdr.timeunit];
749 break;
750 }
751
752 /*
753 * If the number of ticks per second is greater than
754 * 1 million, make the precision be nanoseconds rather
755 * than microseconds.
756 *
757 * XXX - do values only slightly greater than one million
758 * correspond to a resolution sufficiently better than
759 * 1 microsecond to display more digits of precision?
760 * XXX - Seems reasonable to use nanosecs only if TPS >= 10M
761 */
762 if (ticks_per_sec >= 1e7)
763 wth->file_tsprec = WTAP_TSPREC_NSEC;
764 else
765 wth->file_tsprec = WTAP_TSPREC_USEC;
766 } else {
767 /* "Can't happen" - we rejected that above */
768 *err = WTAP_ERR_INTERNAL;
769 *err_info = g_strdup_printf("netxray: version %d.%d somehow didn't get rejected",
770 version_major, version_minor);
771 return WTAP_OPEN_ERROR;
772 }
773 start_timestamp = start_timestamp/ticks_per_sec;
774
775 if (network_type == 4) {
776 /*
777 * In version 0 and 1, we assume, for now, that all
778 * WAN captures have frames that look like Ethernet
779 * frames (as a result, presumably, of having passed
780 * through NDISWAN).
781 *
782 * In version 2, it looks as if there's stuff in the
783 * file header to specify what particular type of WAN
784 * capture we have.
785 */
786 if (version_major == 2) {
787 switch (hdr.captype) {
788
789 case WAN_CAPTYPE_PPP:
790 /*
791 * PPP.
792 */
793 file_encap = WTAP_ENCAP_PPP_WITH_PHDR;
794 break;
795
796 case WAN_CAPTYPE_FRELAY:
797 /*
798 * Frame Relay.
799 *
800 * XXX - in at least one capture, this
801 * is Cisco HDLC, not Frame Relay, but
802 * in another capture, it's Frame Relay.
803 *
804 * [Bytes in each capture:
805 * Cisco HDLC: hdr.xxx_x60[06:10]: 0x02 0x00 0x01 0x00 0x06
806 * Frame Relay: hdr.xxx_x60[06:10] 0x00 0x00 0x00 0x00 0x00
807
808 * Cisco HDLC: hdr.xxx_x60[14:15]: 0xff 0xff
809 * Frame Relay: hdr.xxx_x60[14:15]: 0x00 0x00
810 * ]
811 */
812 file_encap = WTAP_ENCAP_FRELAY_WITH_PHDR;
813 break;
814
815 case WAN_CAPTYPE_HDLC:
816 case WAN_CAPTYPE_HDLC2:
817 /*
818 * Various HDLC flavors?
819 */
820 switch (hdr.wan_hdlc_subsub_captype) {
821
822 case 0: /* LAPB/X.25 */
823 /*
824 * XXX - at least one capture of
825 * this type appears to be PPP.
826 */
827 file_encap = WTAP_ENCAP_LAPB;
828 break;
829
830 case 1: /* E1 PRI */
831 case 2: /* T1 PRI */
832 case 3: /* BRI */
833 file_encap = WTAP_ENCAP_ISDN;
834 isdn_type = hdr.wan_hdlc_subsub_captype;
835 break;
836
837 default:
838 *err = WTAP_ERR_UNSUPPORTED;
839 *err_info = g_strdup_printf("netxray: WAN HDLC capture subsubtype 0x%02x unknown or unsupported",
840 hdr.wan_hdlc_subsub_captype);
841 return WTAP_OPEN_ERROR;
842 }
843 break;
844
845 case WAN_CAPTYPE_SDLC:
846 /*
847 * SDLC.
848 */
849 file_encap = WTAP_ENCAP_SDLC;
850 break;
851
852 case WAN_CAPTYPE_CHDLC:
853 /*
854 * Cisco router (CHDLC) captured with pod
855 */
856 file_encap = WTAP_ENCAP_CHDLC_WITH_PHDR;
857 break;
858
859 default:
860 *err = WTAP_ERR_UNSUPPORTED;
861 *err_info = g_strdup_printf("netxray: WAN capture subtype 0x%02x unknown or unsupported",
862 hdr.captype);
863 return WTAP_OPEN_ERROR;
864 }
865 } else
866 file_encap = WTAP_ENCAP_ETHERNET;
867 } else
868 file_encap = netxray_encap[network_type];
869
870 /* This is a netxray file */
871 wth->file_type_subtype = file_type;
872 netxray = g_new(netxray_t, 1);
873 wth->priv = (void *)netxray;
874 wth->subtype_read = netxray_read;
875 wth->subtype_seek_read = netxray_seek_read;
876 wth->file_encap = file_encap;
877 wth->snapshot_length = 0; /* not available in header */
878 netxray->start_time = pletoh32(&hdr.start_time);
879 netxray->ticks_per_sec = ticks_per_sec;
880 netxray->start_timestamp = start_timestamp;
881 netxray->version_major = version_major;
882
883 /*
884 * If frames have an extra 4 bytes of stuff at the end, is
885 * it an FCS, or just junk?
886 */
887 netxray->fcs_valid = FALSE;
888 switch (file_encap) {
889
890 case WTAP_ENCAP_ETHERNET:
891 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
892 case WTAP_ENCAP_ISDN:
893 case WTAP_ENCAP_LAPB:
894 /*
895 * It appears that, in at least some version 2 Ethernet
896 * captures, for frames that have 0xff in hdr_2_x.xxx[2]
897 * and hdr_2_x.xxx[3] in the per-packet header:
898 *
899 * if, in the file header, hdr.realtick[1] is 0x34
900 * and hdr.realtick[2] is 0x12, the frames have an
901 * FCS at the end;
902 *
903 * otherwise, they have 4 bytes of junk at the end.
904 *
905 * Yes, it's strange that you have to check the *middle*
906 * of the time stamp field; you can't check for any
907 * particular value of the time stamp field.
908 *
909 * For now, we assume that to be true for 802.11 captures
910 * as well; it appears to be the case for at least one
911 * such capture - the file doesn't have 0x34 and 0x12,
912 * and the 4 bytes at the end of the frames with 0xff
913 * are junk, not an FCS.
914 *
915 * For ISDN captures, it appears, at least in some
916 * captures, to be similar, although I haven't yet
917 * checked whether it's a valid FCS.
918 *
919 * XXX - should we do this for all encapsulation types?
920 *
921 * XXX - is there some other field that *really* indicates
922 * whether we have an FCS or not? The check of the time
923 * stamp is bizarre, as we're checking the middle.
924 * Perhaps hdr.realtick[0] is 0x00, in which case time
925 * stamp units in the range 1192960 through 1193215
926 * correspond to captures with an FCS, but that's still
927 * a bit bizarre.
928 *
929 * Note that there are captures with a network type of 0
930 * (Ethernet) and capture type of 0 (NDIS) that do, and
931 * that don't, have 0x34 0x12 in them, and at least one
932 * of the NDIS captures with 0x34 0x12 in it has FCSes,
933 * so it's not as if no NDIS captures have an FCS.
934 *
935 * There are also captures with a network type of 4 (WAN),
936 * capture type of 6 (HDLC), and subtype of 2 (T1 PRI) that
937 * do, and that don't, have 0x34 0x12, so there are at least
938 * some captures taken with a WAN pod that might lack an FCS.
939 * (We haven't yet tried dissecting the 4 bytes at the
940 * end of packets with hdr_2_x.xxx[2] and hdr_2_x.xxx[3]
941 * equal to 0xff as an FCS.)
942 *
943 * All captures I've seen that have 0x34 and 0x12 *and*
944 * have at least one frame with an FCS have a value of
945 * 0x01 in xxx_x40[4]. No captures I've seen with a network
946 * type of 0 (Ethernet) missing 0x34 0x12 have 0x01 there,
947 * however. However, there's at least one capture
948 * without 0x34 and 0x12, with a network type of 0,
949 * and with 0x01 in xxx_x40[4], *without* FCSes in the
950 * frames - the 4 bytes at the end are all zero - so it's
951 * not as simple as "xxx_x40[4] = 0x01 means the 4 bytes at
952 * the end are FCSes". Also, there's also at least one
953 * 802.11 capture with an xxx_x40[4] value of 0x01 with junk
954 * rather than an FCS at the end of the frame, so xxx_x40[4]
955 * isn't an obvious flag to determine whether the
956 * capture has FCSes.
957 *
958 * There don't seem to be any other values in any of the
959 * xxx_x5..., xxx_x6...., xxx_x7.... fields
960 * that obviously correspond to frames having an FCS.
961 *
962 * 05/29/07: Examination of numerous sniffer captures suggests
963 * that the apparent correlation of certain realtick
964 * bytes to 'FCS presence' may actually be
965 * a 'false positive'.
966 * ToDo: Review analysis and update code.
967 * It might be that the ticks-per-second value
968 * is hardware-dependent, and that hardware with
969 * a particular realtick value puts an FCS there
970 * and other hardware doesn't.
971 */
972 if (version_major == 2) {
973 if (hdr.realtick[1] == 0x34 && hdr.realtick[2] == 0x12)
974 netxray->fcs_valid = TRUE;
975 }
976 break;
977 }
978
979 /*
980 * Remember the ISDN type, as we need it to interpret the
981 * channel number in ISDN captures.
982 */
983 netxray->isdn_type = isdn_type;
984
985 /* Remember the offset after the last packet in the capture (which
986 * isn't necessarily the last packet in the file), as it appears
987 * there's sometimes crud after it.
988 * XXX: Remember 'start_offset' to help testing for 'short file' at EOF
989 */
990 netxray->wrapped = FALSE;
991 netxray->nframes = pletoh32(&hdr.nframes);
992 netxray->start_offset = pletoh32(&hdr.start_offset);
993 netxray->end_offset = pletoh32(&hdr.end_offset);
994
995 /* Seek to the beginning of the data records. */
996 if (file_seek(wth->fh, netxray->start_offset, SEEK_SET, err) == -1) {
997 return WTAP_OPEN_ERROR;
998 }
999
1000 /*
1001 * Add an IDB; we don't know how many interfaces were
1002 * involved, so we just say one interface, about which
1003 * we only know the link-layer type, snapshot length,
1004 * and time stamp resolution.
1005 */
1006 wtap_add_generated_idb(wth);
1007
1008 return WTAP_OPEN_MINE;
1009 }
1010
1011 /* Read the next packet */
1012 static gboolean
1013 netxray_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err,
1014 gchar **err_info, gint64 *data_offset)
1015 {
1016 netxray_t *netxray = (netxray_t *)wth->priv;
1017 int padding;
1018
1019 reread:
1020 /*
1021 * Return the offset of the record header, so we can reread it
1022 * if we go back to this frame.
1023 */
1024 *data_offset = file_tell(wth->fh);
1025
1026 /* Have we reached the end of the packet data? */
1027 if (*data_offset == netxray->end_offset) {
1028 /* Yes. */
1029 *err = 0; /* it's just an EOF, not an error */
1030 return FALSE;
1031 }
1032
1033 /* Read and process record header. */
1034 padding = netxray_process_rec_header(wth, wth->fh, rec, err, err_info);
1035 if (padding < 0) {
1036 /*
1037 * Error or EOF.
1038 */
1039 if (*err != 0) {
1040 /*
1041 * Error of some sort; give up.
1042 */
1043 return FALSE;
1044 }
1045
1046 /* We're at EOF. Wrap?
1047 * XXX: Need to handle 'short file' cases
1048 * (Distributed Sniffer seems to have a
1049 * certain small propensity to generate 'short' files
1050 * i.e. [many] bytes are missing from the end of the file)
1051 * case 1: start_offset < end_offset
1052 * wrap will read already read packets again;
1053 * so: error with "short file"
1054 * case 2: start_offset > end_offset ("circular" file)
1055 * wrap will mean there's a gap (missing packets).
1056 * However, I don't see a good way to identify this
1057 * case so we'll just have to allow the wrap.
1058 * (Maybe there can be an error message after all
1059 * packets are read since there'll be less packets than
1060 * specified in the file header).
1061 * Note that these cases occur *only* if a 'short' eof occurs exactly
1062 * at the expected beginning of a frame header record; If there is a
1063 * partial frame header (or partial frame data) record, then the
1064 * netxray_read... functions will detect the short record.
1065 */
1066 if (netxray->start_offset < netxray->end_offset) {
1067 *err = WTAP_ERR_SHORT_READ;
1068 return FALSE;
1069 }
1070
1071 if (!netxray->wrapped) {
1072 /* Yes. Remember that we did. */
1073 netxray->wrapped = TRUE;
1074 if (file_seek(wth->fh, CAPTUREFILE_HEADER_SIZE,
1075 SEEK_SET, err) == -1)
1076 return FALSE;
1077 goto reread;
1078 }
1079
1080 /* We've already wrapped - don't wrap again. */
1081 return FALSE;
1082 }
1083
1084 /*
1085 * Read the packet data.
1086 */
1087 if (!wtap_read_packet_bytes(wth->fh, buf,
1088 rec->rec_header.packet_header.caplen, err, err_info))
1089 return FALSE;
1090
1091 /*
1092 * If there's extra stuff at the end of the record, skip it.
1093 */
1094 if (!wtap_read_bytes(wth->fh, NULL, padding, err, err_info))
1095 return FALSE;
1096
1097 /*
1098 * If it's an ATM packet, and we don't have enough information
1099 * from the packet header to determine its type or subtype,
1100 * attempt to guess them from the packet data.
1101 */
1102 netxray_guess_atm_type(wth, rec, buf);
1103 return TRUE;
1104 }
1105
1106 static gboolean
1107 netxray_seek_read(wtap *wth, gint64 seek_off,
1108 wtap_rec *rec, Buffer *buf,
1109 int *err, gchar **err_info)
1110 {
1111 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
1112 return FALSE;
1113
1114 if (netxray_process_rec_header(wth, wth->random_fh, rec, err,
1115 err_info) == -1) {
1116 if (*err == 0) {
1117 /*
1118 * EOF - we report that as a short read, as
1119 * we've read this once and know that it
1120 * should be there.
1121 */
1122 *err = WTAP_ERR_SHORT_READ;
1123 }
1124 return FALSE;
1125 }
1126
1127 /*
1128 * Read the packet data.
1129 */
1130 if (!wtap_read_packet_bytes(wth->random_fh, buf, rec->rec_header.packet_header.caplen, err,
1131 err_info))
1132 return FALSE;
1133
1134 /*
1135 * If it's an ATM packet, and we don't have enough information
1136 * from the packet header to determine its type or subtype,
1137 * attempt to guess them from the packet data.
1138 */
1139 netxray_guess_atm_type(wth, rec, buf);
1140 return TRUE;
1141 }
1142
1143 static int
1144 netxray_process_rec_header(wtap *wth, FILE_T fh, wtap_rec *rec,
1145 int *err, gchar **err_info)
1146 {
1147 netxray_t *netxray = (netxray_t *)wth->priv;
1148 union netxrayrec_hdr hdr;
1149 int hdr_size = 0;
1150 double t;
1151 int packet_size;
1152 int padding = 0;
1153
1154 /* Read record header. */
1155 switch (netxray->version_major) {
1156
1157 case 0:
1158 hdr_size = sizeof (struct old_netxrayrec_hdr);
1159 break;
1160
1161 case 1:
1162 hdr_size = sizeof (struct netxrayrec_1_x_hdr);
1163 break;
1164
1165 case 2:
1166 hdr_size = sizeof (struct netxrayrec_2_x_hdr);
1167 break;
1168 }
1169 if (!wtap_read_bytes_or_eof(fh, (void *)&hdr, hdr_size, err, err_info)) {
1170 /*
1171 * If *err is 0, we're at EOF. *err being 0 and a return
1172 * value of -1 tells our caller we're at EOF.
1173 *
1174 * Otherwise, we got an error, and *err *not* being 0
1175 * and a return value tells our caller we have an error.
1176 */
1177 return -1;
1178 }
1179
1180 /*
1181 * If this is Ethernet, 802.11, ISDN, X.25, or ATM, set the
1182 * pseudo-header.
1183 */
1184 switch (netxray->version_major) {
1185
1186 case 1:
1187 switch (wth->file_encap) {
1188
1189 case WTAP_ENCAP_ETHERNET:
1190 /*
1191 * XXX - if hdr_1_x.xxx[15] is 1
1192 * the frame appears not to have any extra
1193 * stuff at the end, but if it's 0,
1194 * there appears to be 4 bytes of stuff
1195 * at the end, but it's not an FCS.
1196 *
1197 * Or is that just the low-order bit?
1198 *
1199 * For now, we just say "no FCS".
1200 */
1201 rec->rec_header.packet_header.pseudo_header.eth.fcs_len = 0;
1202 break;
1203 }
1204 break;
1205
1206 case 2:
1207 switch (wth->file_encap) {
1208
1209 case WTAP_ENCAP_ETHERNET:
1210 /*
1211 * It appears, at least with version 2 captures,
1212 * that we have 4 bytes of stuff (which might be
1213 * a valid FCS or might be junk) at the end of
1214 * the packet if hdr_2_x.xxx[2] and
1215 * hdr_2_x.xxx[3] are 0xff, and we don't if
1216 * they don't.
1217 *
1218 * It also appears that if the low-order bit of
1219 * hdr_2_x.xxx[8] is set, the packet has a
1220 * bad FCS.
1221 */
1222 if (hdr.hdr_2_x.xxx[2] == 0xff &&
1223 hdr.hdr_2_x.xxx[3] == 0xff) {
1224 /*
1225 * We have 4 bytes of stuff at the
1226 * end of the frame - FCS, or junk?
1227 */
1228 if (netxray->fcs_valid) {
1229 /*
1230 * FCS.
1231 */
1232 rec->rec_header.packet_header.pseudo_header.eth.fcs_len = 4;
1233 } else {
1234 /*
1235 * Junk.
1236 */
1237 padding = 4;
1238 }
1239 } else
1240 rec->rec_header.packet_header.pseudo_header.eth.fcs_len = 0;
1241 break;
1242
1243 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
1244 /*
1245 * It appears, in one 802.11 capture, that
1246 * we have 4 bytes of junk at the ends of
1247 * frames in which hdr_2_x.xxx[2] and
1248 * hdr_2_x.xxx[3] are 0xff; I haven't
1249 * seen any frames where it's an FCS, but,
1250 * for now, we still check the fcs_valid
1251 * flag - I also haven't seen any capture
1252 * where we'd set it based on the realtick
1253 * value.
1254 *
1255 * It also appears that if the low-order bit of
1256 * hdr_2_x.xxx[8] is set, the packet has a
1257 * bad FCS. According to Ken Mann, the 0x4 bit
1258 * is sometimes also set for errors.
1259 *
1260 * Ken also says that xxx[11] is 0x5 when the
1261 * packet is WEP-encrypted.
1262 */
1263 memset(&rec->rec_header.packet_header.pseudo_header.ieee_802_11, 0, sizeof(rec->rec_header.packet_header.pseudo_header.ieee_802_11));
1264 if (hdr.hdr_2_x.xxx[2] == 0xff &&
1265 hdr.hdr_2_x.xxx[3] == 0xff) {
1266 /*
1267 * We have 4 bytes of stuff at the
1268 * end of the frame - FCS, or junk?
1269 */
1270 if (netxray->fcs_valid) {
1271 /*
1272 * FCS.
1273 */
1274 rec->rec_header.packet_header.pseudo_header.ieee_802_11.fcs_len = 4;
1275 } else {
1276 /*
1277 * Junk.
1278 */
1279 padding = 4;
1280 }
1281 } else
1282 rec->rec_header.packet_header.pseudo_header.ieee_802_11.fcs_len = 0;
1283
1284 rec->rec_header.packet_header.pseudo_header.ieee_802_11.decrypted = FALSE;
1285 rec->rec_header.packet_header.pseudo_header.ieee_802_11.datapad = FALSE;
1286 rec->rec_header.packet_header.pseudo_header.ieee_802_11.phy = PHDR_802_11_PHY_UNKNOWN;
1287
1288 /*
1289 * XXX - any other information, such as PHY
1290 * type, frequency, 11n/11ac information,
1291 * etc.?
1292 */
1293 rec->rec_header.packet_header.pseudo_header.ieee_802_11.has_channel = TRUE;
1294 rec->rec_header.packet_header.pseudo_header.ieee_802_11.channel =
1295 hdr.hdr_2_x.xxx[12];
1296
1297 rec->rec_header.packet_header.pseudo_header.ieee_802_11.has_data_rate = TRUE;
1298 rec->rec_header.packet_header.pseudo_header.ieee_802_11.data_rate =
1299 hdr.hdr_2_x.xxx[13];
1300
1301 rec->rec_header.packet_header.pseudo_header.ieee_802_11.has_signal_percent = TRUE;
1302 rec->rec_header.packet_header.pseudo_header.ieee_802_11.signal_percent =
1303 hdr.hdr_2_x.xxx[14];
1304
1305 /*
1306 * According to Ken Mann, at least in the captures
1307 * he's seen, xxx[15] is the noise level, which
1308 * is either 0xFF meaning "none reported" or a value
1309 * from 0x00 to 0x7F for 0 to 100%.
1310 */
1311 if (hdr.hdr_2_x.xxx[15] != 0xFF) {
1312 rec->rec_header.packet_header.pseudo_header.ieee_802_11.has_noise_percent = TRUE;
1313 rec->rec_header.packet_header.pseudo_header.ieee_802_11.noise_percent =
1314 hdr.hdr_2_x.xxx[15]*100/127;
1315 }
1316 break;
1317
1318 case WTAP_ENCAP_ISDN:
1319 /*
1320 * ISDN.
1321 *
1322 * The bottommost bit of byte 12 of hdr_2_x.xxx
1323 * is the direction flag.
1324 *
1325 * The bottom 5 bits of byte 13 of hdr_2_x.xxx
1326 * are the channel number, but some mapping is
1327 * required for PRI. (Is it really just the time
1328 * slot?)
1329 */
1330 rec->rec_header.packet_header.pseudo_header.isdn.uton =
1331 (hdr.hdr_2_x.xxx[12] & 0x01);
1332 rec->rec_header.packet_header.pseudo_header.isdn.channel =
1333 hdr.hdr_2_x.xxx[13] & 0x1F;
1334 switch (netxray->isdn_type) {
1335
1336 case 1:
1337 /*
1338 * E1 PRI. Channel numbers 0 and 16
1339 * are the D channel; channel numbers 1
1340 * through 15 are B1 through B15; channel
1341 * numbers 17 through 31 are B16 through
1342 * B31.
1343 */
1344 if (rec->rec_header.packet_header.pseudo_header.isdn.channel == 16)
1345 rec->rec_header.packet_header.pseudo_header.isdn.channel = 0;
1346 else if (rec->rec_header.packet_header.pseudo_header.isdn.channel > 16)
1347 rec->rec_header.packet_header.pseudo_header.isdn.channel -= 1;
1348 break;
1349
1350 case 2:
1351 /*
1352 * T1 PRI. Channel numbers 0 and 24
1353 * are the D channel; channel numbers 1
1354 * through 23 are B1 through B23.
1355 */
1356 if (rec->rec_header.packet_header.pseudo_header.isdn.channel == 24)
1357 rec->rec_header.packet_header.pseudo_header.isdn.channel = 0;
1358 else if (rec->rec_header.packet_header.pseudo_header.isdn.channel > 24)
1359 rec->rec_header.packet_header.pseudo_header.isdn.channel -= 1;
1360 break;
1361 }
1362
1363 /*
1364 * It appears, at least with version 2 captures,
1365 * that we have 4 bytes of stuff (which might be
1366 * a valid FCS or might be junk) at the end of
1367 * the packet if hdr_2_x.xxx[2] and
1368 * hdr_2_x.xxx[3] are 0xff, and we don't if
1369 * they don't.
1370 *
1371 * XXX - does the low-order bit of hdr_2_x.xxx[8]
1372 * indicate a bad FCS, as is the case with
1373 * Ethernet?
1374 */
1375 if (hdr.hdr_2_x.xxx[2] == 0xff &&
1376 hdr.hdr_2_x.xxx[3] == 0xff) {
1377 /*
1378 * FCS, or junk, at the end.
1379 * XXX - is it an FCS if "fcs_valid" is
1380 * true?
1381 */
1382 padding = 4;
1383 }
1384 break;
1385
1386 case WTAP_ENCAP_LAPB:
1387 case WTAP_ENCAP_FRELAY_WITH_PHDR:
1388 /*
1389 * LAPB/X.25 and Frame Relay.
1390 *
1391 * The bottommost bit of byte 12 of hdr_2_x.xxx
1392 * is the direction flag. (Probably true for other
1393 * HDLC encapsulations as well.)
1394 */
1395 rec->rec_header.packet_header.pseudo_header.dte_dce.flags =
1396 (hdr.hdr_2_x.xxx[12] & 0x01) ? 0x00 : FROM_DCE;
1397
1398 /*
1399 * It appears, at least with version 2 captures,
1400 * that we have 4 bytes of stuff (which might be
1401 * a valid FCS or might be junk) at the end of
1402 * the packet if hdr_2_x.xxx[2] and
1403 * hdr_2_x.xxx[3] are 0xff, and we don't if
1404 * they don't.
1405 *
1406 * XXX - does the low-order bit of hdr_2_x.xxx[8]
1407 * indicate a bad FCS, as is the case with
1408 * Ethernet?
1409 */
1410 if (hdr.hdr_2_x.xxx[2] == 0xff &&
1411 hdr.hdr_2_x.xxx[3] == 0xff) {
1412 /*
1413 * FCS, or junk, at the end.
1414 * XXX - is it an FCS if "fcs_valid" is
1415 * true?
1416 */
1417 padding = 4;
1418 }
1419 break;
1420
1421 case WTAP_ENCAP_PPP_WITH_PHDR:
1422 case WTAP_ENCAP_SDLC:
1423 case WTAP_ENCAP_CHDLC_WITH_PHDR:
1424 rec->rec_header.packet_header.pseudo_header.p2p.sent =
1425 (hdr.hdr_2_x.xxx[12] & 0x01) ? TRUE : FALSE;
1426 break;
1427
1428 case WTAP_ENCAP_ATM_PDUS_UNTRUNCATED:
1429 /*
1430 * XXX - the low-order bit of hdr_2_x.xxx[8]
1431 * seems to indicate some sort of error. In
1432 * at least one capture, a number of packets
1433 * have that flag set, and they appear either
1434 * to be the beginning part of an incompletely
1435 * reassembled AAL5 PDU, with either checksum
1436 * errors at higher levels (possibly due to
1437 * the packet being reported as shorter than
1438 * it actually is, and checksumming failing
1439 * because it doesn't include all the data)
1440 * or "Malformed frame" errors from being
1441 * too short, or appear to be later parts
1442 * of an incompletely reassembled AAL5 PDU
1443 * with the last one in a sequence of errors
1444 * having what looks like an AAL5 trailer,
1445 * with a length and checksum.
1446 *
1447 * Does it just mean "reassembly failed",
1448 * as appears to be the case in those
1449 * packets, or does it mean "CRC error"
1450 * at the AAL5 layer (which would be the
1451 * case if you were treating an incompletely
1452 * reassembled PDU as a completely reassembled
1453 * PDU, although you'd also expect a length
1454 * error in that case), or does it mean
1455 * "generic error", with some other flag
1456 * or flags indicating what particular
1457 * error occurred? The documentation
1458 * for Sniffer Pro 4.7 indicates a bunch
1459 * of different error types, both in general
1460 * and for ATM in particular.
1461 *
1462 * No obvious bits in hdr_2_x.xxx appear
1463 * to be additional flags of that sort.
1464 *
1465 * XXX - in that capture, I see several
1466 * reassembly errors in a row; should those
1467 * packets be reassembled in the ATM dissector?
1468 * What happens if a reassembly fails because
1469 * a cell is bad?
1470 */
1471 rec->rec_header.packet_header.pseudo_header.atm.flags = 0;
1472 if (hdr.hdr_2_x.xxx[8] & 0x01)
1473 rec->rec_header.packet_header.pseudo_header.atm.flags |= ATM_REASSEMBLY_ERROR;
1474 /*
1475 * XXX - is 0x08 an "OAM cell" flag?
1476 * Are the 0x01 and 0x02 bits error indications?
1477 * Some packets in one capture that have the
1478 * 0x01 bit set in hdr_2_x.xxx[8] and that
1479 * appear to have been reassembled completely
1480 * but have a bad CRC have 0x03 in hdr_2_x.xxx[9]
1481 * (and don't have the 0x20 bit set).
1482 *
1483 * In the capture with incomplete reassemblies,
1484 * all packets have the 0x20 bit set. In at
1485 * least some of the captures with complete
1486 * reassemblies with CRC errors, no packets
1487 * have the 0x20 bit set.
1488 *
1489 * Are hdr_2_x.xxx[8] and hdr_2_x.xxx[9] a 16-bit
1490 * flag field?
1491 */
1492 if (hdr.hdr_2_x.xxx[9] & 0x04)
1493 rec->rec_header.packet_header.pseudo_header.atm.flags |= ATM_RAW_CELL;
1494 rec->rec_header.packet_header.pseudo_header.atm.vpi = hdr.hdr_2_x.xxx[11];
1495 rec->rec_header.packet_header.pseudo_header.atm.vci = pletoh16(&hdr.hdr_2_x.xxx[12]);
1496 rec->rec_header.packet_header.pseudo_header.atm.channel =
1497 (hdr.hdr_2_x.xxx[15] & 0x10)? 1 : 0;
1498 rec->rec_header.packet_header.pseudo_header.atm.cells = 0;
1499
1500 /*
1501 * XXX - the uppermost bit of hdr_2_xxx[0]
1502 * looks as if it might be a flag of some sort.
1503 * The remaining 3 bits appear to be an AAL
1504 * type - 5 is, surprise surprise, AAL5.
1505 */
1506 switch (hdr.hdr_2_x.xxx[0] & 0x70) {
1507
1508 case 0x00: /* Unknown */
1509 rec->rec_header.packet_header.pseudo_header.atm.aal = AAL_UNKNOWN;
1510 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_UNKNOWN;
1511 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1512 break;
1513
1514 case 0x10: /* XXX - AAL1? */
1515 rec->rec_header.packet_header.pseudo_header.atm.aal = AAL_UNKNOWN;
1516 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_UNKNOWN;
1517 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1518 break;
1519
1520 case 0x20: /* XXX - AAL2? */
1521 rec->rec_header.packet_header.pseudo_header.atm.aal = AAL_UNKNOWN;
1522 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_UNKNOWN;
1523 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1524 break;
1525
1526 case 0x40: /* XXX - AAL3/4? */
1527 rec->rec_header.packet_header.pseudo_header.atm.aal = AAL_UNKNOWN;
1528 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_UNKNOWN;
1529 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1530 break;
1531
1532 case 0x30: /* XXX - AAL5 cells seen with this */
1533 case 0x50: /* AAL5 (including signalling) */
1534 case 0x60: /* XXX - AAL5 cells seen with this */
1535 case 0x70: /* XXX - AAL5 cells seen with this */
1536 rec->rec_header.packet_header.pseudo_header.atm.aal = AAL_5;
1537 /*
1538 * XXX - is the 0x08 bit of hdr_2_x.xxx[0]
1539 * a flag? I've not yet seen a case where
1540 * it matters.
1541 */
1542 switch (hdr.hdr_2_x.xxx[0] & 0x07) {
1543
1544 case 0x01:
1545 case 0x02: /* Signalling traffic */
1546 rec->rec_header.packet_header.pseudo_header.atm.aal = AAL_SIGNALLING;
1547 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_UNKNOWN;
1548 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1549 break;
1550
1551 case 0x03: /* ILMI */
1552 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_ILMI;
1553 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1554 break;
1555
1556 case 0x00:
1557 case 0x04:
1558 case 0x05:
1559 /*
1560 * I've seen a frame with type
1561 * 0x30 and subtype 0x08 that
1562 * was LANE 802.3, a frame
1563 * with type 0x30 and subtype
1564 * 0x04 that was LANE 802.3,
1565 * and another frame with type
1566 * 0x30 and subtype 0x08 that
1567 * was junk with a string in
1568 * it that had also appeared
1569 * in some CDP and LE Control
1570 * frames, and that was preceded
1571 * by a malformed LE Control
1572 * frame - was that a reassembly
1573 * failure?
1574 *
1575 * I've seen frames with type
1576 * 0x50 and subtype 0x0c, some
1577 * of which were LE Control
1578 * frames, and at least one
1579 * of which was neither an LE
1580 * Control frame nor a LANE
1581 * 802.3 frame, and contained
1582 * the string "ForeThought_6.2.1
1583 * Alpha" - does that imply
1584 * FORE's own encapsulation,
1585 * or was this a reassembly failure?
1586 * The latter frame was preceded
1587 * by a malformed LE Control
1588 * frame.
1589 *
1590 * I've seen a couple of frames
1591 * with type 0x60 and subtype 0x00,
1592 * one of which was LANE 802.3 and
1593 * one of which was LE Control.
1594 * I've seen one frame with type
1595 * 0x60 and subtype 0x0c, which
1596 * was LANE 802.3.
1597 *
1598 * I've seen a couple of frames
1599 * with type 0x70 and subtype 0x00,
1600 * both of which were LANE 802.3.
1601 */
1602 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_LANE;
1603 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1604 break;
1605
1606 case 0x06: /* XXX - not seen yet */
1607 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_UNKNOWN;
1608 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN;
1609 break;
1610
1611 case 0x07: /* LLC multiplexed */
1612 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_LLCMX; /* XXX */
1613 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN; /* XXX */
1614 break;
1615 }
1616 break;
1617 }
1618 break;
1619 }
1620 break;
1621 }
1622
1623 rec->rec_type = REC_TYPE_PACKET;
1624 rec->block = wtap_block_create(WTAP_BLOCK_PACKET);
1625 if (netxray->version_major == 0) {
1626 rec->presence_flags = WTAP_HAS_TS;
1627 t = (double)pletoh32(&hdr.old_hdr.timelo)
1628 + (double)pletoh32(&hdr.old_hdr.timehi)*4294967296.0;
1629 t /= netxray->ticks_per_sec;
1630 t -= netxray->start_timestamp;
1631 rec->ts.secs = netxray->start_time + (long)t;
1632 rec->ts.nsecs = (int)((t-(double)(unsigned long)(t))
1633 *1.0e9);
1634 /*
1635 * We subtract the padding from the packet size, so our caller
1636 * doesn't see it.
1637 */
1638 packet_size = pletoh16(&hdr.old_hdr.len);
1639 rec->rec_header.packet_header.caplen = packet_size - padding;
1640 rec->rec_header.packet_header.len = rec->rec_header.packet_header.caplen;
1641 } else {
1642 rec->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
1643 t = (double)pletoh32(&hdr.hdr_1_x.timelo)
1644 + (double)pletoh32(&hdr.hdr_1_x.timehi)*4294967296.0;
1645 t /= netxray->ticks_per_sec;
1646 t -= netxray->start_timestamp;
1647 rec->ts.secs = netxray->start_time + (time_t)t;
1648 rec->ts.nsecs = (int)((t-(double)(unsigned long)(t))
1649 *1.0e9);
1650 /*
1651 * We subtract the padding from the packet size, so our caller
1652 * doesn't see it.
1653 */
1654 packet_size = pletoh16(&hdr.hdr_1_x.incl_len);
1655 rec->rec_header.packet_header.caplen = packet_size - padding;
1656 rec->rec_header.packet_header.len = pletoh16(&hdr.hdr_1_x.orig_len) - padding;
1657 }
1658
1659 return padding;
1660 }
1661
1662 static void
1663 netxray_guess_atm_type(wtap *wth, wtap_rec *rec, Buffer *buf)
1664 {
1665 const guint8 *pd;
1666
1667 if (wth->file_encap == WTAP_ENCAP_ATM_PDUS_UNTRUNCATED &&
1668 !(rec->rec_header.packet_header.pseudo_header.atm.flags & ATM_REASSEMBLY_ERROR)) {
1669 if (rec->rec_header.packet_header.pseudo_header.atm.aal == AAL_UNKNOWN) {
1670 /*
1671 * Try to guess the type and subtype based
1672 * on the VPI/VCI and packet contents.
1673 */
1674 pd = ws_buffer_start_ptr(buf);
1675 atm_guess_traffic_type(rec, pd);
1676 } else if (rec->rec_header.packet_header.pseudo_header.atm.aal == AAL_5 &&
1677 rec->rec_header.packet_header.pseudo_header.atm.type == TRAF_LANE) {
1678 /*
1679 * Try to guess the subtype based on the
1680 * packet contents.
1681 */
1682 pd = ws_buffer_start_ptr(buf);
1683 atm_guess_lane_type(rec, pd);
1684 }
1685 }
1686 }
1687
1688 typedef struct {
1689 gboolean first_frame;
1690 nstime_t start;
1691 guint32 nframes;
1692 } netxray_dump_t;
1693
1694 static const struct {
1695 int wtap_encap_value;
1696 int ndis_value;
1697 } wtap_encap_1_1[] = {
1698 { WTAP_ENCAP_ETHERNET, 0 }, /* -> NDIS Ethernet */
1699 { WTAP_ENCAP_TOKEN_RING, 1 }, /* -> NDIS Token Ring */
1700 { WTAP_ENCAP_FDDI, 2 }, /* -> NDIS FDDI */
1701 { WTAP_ENCAP_FDDI_BITSWAPPED, 2 }, /* -> NDIS FDDI */
1702 };
1703 #define NUM_WTAP_ENCAPS_1_1 (sizeof wtap_encap_1_1 / sizeof wtap_encap_1_1[0])
1704
1705 static int
1706 wtap_encap_to_netxray_1_1_encap(int encap)
1707 {
1708 unsigned int i;
1709
1710 for (i = 0; i < NUM_WTAP_ENCAPS_1_1; i++) {
1711 if (encap == wtap_encap_1_1[i].wtap_encap_value)
1712 return wtap_encap_1_1[i].ndis_value;
1713 }
1714
1715 return -1;
1716 }
1717
1718 /* Returns 0 if we could write the specified encapsulation type,
1719 an error indication otherwise. */
1720 static int
1721 netxray_dump_can_write_encap_1_1(int encap)
1722 {
1723 /* Per-packet encapsulations aren't supported. */
1724 if (encap == WTAP_ENCAP_PER_PACKET)
1725 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
1726
1727 if (wtap_encap_to_netxray_1_1_encap(encap) == -1)
1728 return WTAP_ERR_UNWRITABLE_ENCAP;
1729
1730 return 0;
1731 }
1732
1733 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
1734 failure */
1735 static gboolean
1736 netxray_dump_open_1_1(wtap_dumper *wdh, int *err, gchar **err_info _U_)
1737 {
1738 netxray_dump_t *netxray;
1739
1740 wdh->subtype_write = netxray_dump_1_1;
1741 wdh->subtype_finish = netxray_dump_finish_1_1;
1742
1743 /* We can't fill in all the fields in the file header, as we
1744 haven't yet written any packets. As we'll have to rewrite
1745 the header when we've written out all the packets, we just
1746 skip over the header for now. */
1747 if (wtap_dump_file_seek(wdh, CAPTUREFILE_HEADER_SIZE, SEEK_SET, err) == -1)
1748 return FALSE;
1749 wdh->bytes_dumped += CAPTUREFILE_HEADER_SIZE;
1750
1751 netxray = g_new(netxray_dump_t, 1);
1752 wdh->priv = (void *)netxray;
1753 netxray->first_frame = TRUE;
1754 netxray->start.secs = 0;
1755 netxray->start.nsecs = 0;
1756 netxray->nframes = 0;
1757
1758 return TRUE;
1759 }
1760
1761 /* Write a record for a packet to a dump file.
1762 Returns TRUE on success, FALSE on failure. */
1763 static gboolean
1764 netxray_dump_1_1(wtap_dumper *wdh,
1765 const wtap_rec *rec,
1766 const guint8 *pd, int *err, gchar **err_info _U_)
1767 {
1768 netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv;
1769 guint64 timestamp;
1770 guint32 t32;
1771 struct netxrayrec_1_x_hdr rec_hdr;
1772
1773 /* We can only write packet records. */
1774 if (rec->rec_type != REC_TYPE_PACKET) {
1775 *err = WTAP_ERR_UNWRITABLE_REC_TYPE;
1776 return FALSE;
1777 }
1778
1779 /*
1780 * Make sure this packet doesn't have a link-layer type that
1781 * differs from the one for the file.
1782 */
1783 if (wdh->encap != rec->rec_header.packet_header.pkt_encap) {
1784 *err = WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
1785 return FALSE;
1786 }
1787
1788 /* The captured length field is 16 bits, so there's a hard
1789 limit of 65535. */
1790 if (rec->rec_header.packet_header.caplen > 65535) {
1791 *err = WTAP_ERR_PACKET_TOO_LARGE;
1792 return FALSE;
1793 }
1794
1795 /* NetXRay/Windows Sniffer files have a capture start date/time
1796 in the header, in a UNIX-style format, with one-second resolution,
1797 and a start time stamp with microsecond resolution that's just
1798 an arbitrary time stamp relative to some unknown time (boot
1799 time?), and have times relative to the start time stamp in
1800 the packet headers; pick the seconds value of the time stamp
1801 of the first packet as the UNIX-style start date/time, and make
1802 the high-resolution start time stamp 0, with the time stamp of
1803 packets being the delta between the stamp of the packet and
1804 the stamp of the first packet with the microseconds part 0. */
1805 if (netxray->first_frame) {
1806 netxray->first_frame = FALSE;
1807 netxray->start = rec->ts;
1808 }
1809
1810 /* build the header for each packet */
1811 memset(&rec_hdr, '\0', sizeof(rec_hdr));
1812 timestamp = ((guint64)rec->ts.secs - (guint64)netxray->start.secs)*1000000
1813 + ((guint64)rec->ts.nsecs)/1000;
1814 t32 = (guint32)(timestamp%G_GINT64_CONSTANT(4294967296));
1815 rec_hdr.timelo = GUINT32_TO_LE(t32);
1816 t32 = (guint32)(timestamp/G_GINT64_CONSTANT(4294967296));
1817 rec_hdr.timehi = GUINT32_TO_LE(t32);
1818 rec_hdr.orig_len = GUINT16_TO_LE(rec->rec_header.packet_header.len);
1819 rec_hdr.incl_len = GUINT16_TO_LE(rec->rec_header.packet_header.caplen);
1820
1821 if (!wtap_dump_file_write(wdh, &rec_hdr, sizeof(rec_hdr), err))
1822 return FALSE;
1823 wdh->bytes_dumped += sizeof(rec_hdr);
1824
1825 /* write the packet data */
1826 if (!wtap_dump_file_write(wdh, pd, rec->rec_header.packet_header.caplen, err))
1827 return FALSE;
1828 wdh->bytes_dumped += rec->rec_header.packet_header.caplen;
1829
1830 netxray->nframes++;
1831
1832 return TRUE;
1833 }
1834
1835 /* Finish writing to a dump file.
1836 Returns TRUE on success, FALSE on failure. */
1837 static gboolean
1838 netxray_dump_finish_1_1(wtap_dumper *wdh, int *err, gchar **err_info _U_)
1839 {
1840 char hdr_buf[CAPTUREFILE_HEADER_SIZE - sizeof(netxray_magic)];
1841 netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv;
1842 gint64 filelen;
1843 struct netxray_hdr file_hdr;
1844
1845 if (-1 == (filelen = wtap_dump_file_tell(wdh, err)))
1846 return FALSE;
1847
1848 /* Go back to beginning */
1849 if (wtap_dump_file_seek(wdh, 0, SEEK_SET, err) == -1)
1850 return FALSE;
1851
1852 /* Rewrite the file header. */
1853 if (!wtap_dump_file_write(wdh, netxray_magic, sizeof netxray_magic, err))
1854 return FALSE;
1855
1856 /* "sniffer" version ? */
1857 memset(&file_hdr, '\0', sizeof file_hdr);
1858 memcpy(file_hdr.version, vers_1_1, sizeof vers_1_1);
1859 file_hdr.start_time = GUINT32_TO_LE(netxray->start.secs);
1860 file_hdr.nframes = GUINT32_TO_LE(netxray->nframes);
1861 file_hdr.start_offset = GUINT32_TO_LE(CAPTUREFILE_HEADER_SIZE);
1862 /* XXX - large files? */
1863 file_hdr.end_offset = GUINT32_TO_LE((guint32)filelen);
1864 file_hdr.network = wtap_encap_to_netxray_1_1_encap(wdh->encap);
1865 file_hdr.timelo = GUINT32_TO_LE(0);
1866 file_hdr.timehi = GUINT32_TO_LE(0);
1867
1868 memset(hdr_buf, '\0', sizeof hdr_buf);
1869 memcpy(hdr_buf, &file_hdr, sizeof(file_hdr));
1870 if (!wtap_dump_file_write(wdh, hdr_buf, sizeof hdr_buf, err))
1871 return FALSE;
1872
1873 return TRUE;
1874 }
1875
1876 static const struct {
1877 int wtap_encap_value;
1878 int ndis_value;
1879 } wtap_encap_2_0[] = {
1880 { WTAP_ENCAP_ETHERNET, 0 }, /* -> NDIS Ethernet */
1881 { WTAP_ENCAP_TOKEN_RING, 1 }, /* -> NDIS Token Ring */
1882 { WTAP_ENCAP_FDDI, 2 }, /* -> NDIS FDDI */
1883 { WTAP_ENCAP_FDDI_BITSWAPPED, 2 }, /* -> NDIS FDDI */
1884 { WTAP_ENCAP_PPP_WITH_PHDR, 3 }, /* -> NDIS WAN */
1885 { WTAP_ENCAP_FRELAY_WITH_PHDR, 3 }, /* -> NDIS WAN */
1886 { WTAP_ENCAP_LAPB, 3 }, /* -> NDIS WAN */
1887 { WTAP_ENCAP_SDLC, 3 }, /* -> NDIS WAN */
1888 };
1889 #define NUM_WTAP_ENCAPS_2_0 (sizeof wtap_encap_2_0 / sizeof wtap_encap_2_0[0])
1890
1891 static int
1892 wtap_encap_to_netxray_2_0_encap(int encap)
1893 {
1894 unsigned int i;
1895
1896 for (i = 0; i < NUM_WTAP_ENCAPS_2_0; i++) {
1897 if (encap == wtap_encap_2_0[i].wtap_encap_value)
1898 return wtap_encap_2_0[i].ndis_value;
1899 }
1900
1901 return -1;
1902 }
1903
1904 /* Returns 0 if we could write the specified encapsulation type,
1905 an error indication otherwise. */
1906 static int
1907 netxray_dump_can_write_encap_2_0(int encap)
1908 {
1909 /* Per-packet encapsulations aren't supported. */
1910 if (encap == WTAP_ENCAP_PER_PACKET)
1911 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
1912
1913 if (wtap_encap_to_netxray_2_0_encap(encap) == -1)
1914 return WTAP_ERR_UNWRITABLE_ENCAP;
1915
1916 return 0;
1917 }
1918
1919 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
1920 failure */
1921 static gboolean
1922 netxray_dump_open_2_0(wtap_dumper *wdh, int *err, gchar **err_info _U_)
1923 {
1924 netxray_dump_t *netxray;
1925
1926 wdh->subtype_write = netxray_dump_2_0;
1927 wdh->subtype_finish = netxray_dump_finish_2_0;
1928
1929 /* We can't fill in all the fields in the file header, as we
1930 haven't yet written any packets. As we'll have to rewrite
1931 the header when we've written out all the packets, we just
1932 skip over the header for now. */
1933 if (wtap_dump_file_seek(wdh, CAPTUREFILE_HEADER_SIZE, SEEK_SET, err) == -1)
1934 return FALSE;
1935
1936 wdh->bytes_dumped += CAPTUREFILE_HEADER_SIZE;
1937
1938 netxray = g_new(netxray_dump_t, 1);
1939 wdh->priv = (void *)netxray;
1940 netxray->first_frame = TRUE;
1941 netxray->start.secs = 0;
1942 netxray->start.nsecs = 0;
1943 netxray->nframes = 0;
1944
1945 return TRUE;
1946 }
1947
1948 /* Write a record for a packet to a dump file.
1949 Returns TRUE on success, FALSE on failure. */
1950 static gboolean
1951 netxray_dump_2_0(wtap_dumper *wdh,
1952 const wtap_rec *rec,
1953 const guint8 *pd, int *err, gchar **err_info _U_)
1954 {
1955 const union wtap_pseudo_header *pseudo_header = &rec->rec_header.packet_header.pseudo_header;
1956 netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv;
1957 guint64 timestamp;
1958 guint32 t32;
1959 struct netxrayrec_2_x_hdr rec_hdr;
1960
1961 /* We can only write packet records. */
1962 if (rec->rec_type != REC_TYPE_PACKET) {
1963 *err = WTAP_ERR_UNWRITABLE_REC_TYPE;
1964 return FALSE;
1965 }
1966
1967 /*
1968 * Make sure this packet doesn't have a link-layer type that
1969 * differs from the one for the file.
1970 */
1971 if (wdh->encap != rec->rec_header.packet_header.pkt_encap) {
1972 *err = WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
1973 return FALSE;
1974 }
1975
1976 /* Don't write anything we're not willing to read. */
1977 if (rec->rec_header.packet_header.caplen > WTAP_MAX_PACKET_SIZE_STANDARD) {
1978 *err = WTAP_ERR_PACKET_TOO_LARGE;
1979 return FALSE;
1980 }
1981
1982 /* NetXRay/Windows Sniffer files have a capture start date/time
1983 in the header, in a UNIX-style format, with one-second resolution,
1984 and a start time stamp with microsecond resolution that's just
1985 an arbitrary time stamp relative to some unknown time (boot
1986 time?), and have times relative to the start time stamp in
1987 the packet headers; pick the seconds value of the time stamp
1988 of the first packet as the UNIX-style start date/time, and make
1989 the high-resolution start time stamp 0, with the time stamp of
1990 packets being the delta between the stamp of the packet and
1991 the stamp of the first packet with the microseconds part 0. */
1992 if (netxray->first_frame) {
1993 netxray->first_frame = FALSE;
1994 netxray->start = rec->ts;
1995 }
1996
1997 /* build the header for each packet */
1998 memset(&rec_hdr, '\0', sizeof(rec_hdr));
1999 timestamp = ((guint64)rec->ts.secs - (guint64)netxray->start.secs)*1000000
2000 + ((guint64)rec->ts.nsecs)/1000;
2001 t32 = (guint32)(timestamp%G_GINT64_CONSTANT(4294967296));
2002 rec_hdr.timelo = GUINT32_TO_LE(t32);
2003 t32 = (guint32)(timestamp/G_GINT64_CONSTANT(4294967296));
2004 rec_hdr.timehi = GUINT32_TO_LE(t32);
2005 rec_hdr.orig_len = GUINT16_TO_LE(rec->rec_header.packet_header.len);
2006 rec_hdr.incl_len = GUINT16_TO_LE(rec->rec_header.packet_header.caplen);
2007
2008 switch (rec->rec_header.packet_header.pkt_encap) {
2009
2010 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
2011 rec_hdr.xxx[12] =
2012 pseudo_header->ieee_802_11.has_channel ?
2013 pseudo_header->ieee_802_11.channel :
2014 0;
2015 rec_hdr.xxx[13] =
2016 pseudo_header->ieee_802_11.has_data_rate ?
2017 (guint8)pseudo_header->ieee_802_11.data_rate :
2018 0;
2019 rec_hdr.xxx[14] =
2020 pseudo_header->ieee_802_11.has_signal_percent ?
2021 pseudo_header->ieee_802_11.signal_percent :
2022 0;
2023 rec_hdr.xxx[15] =
2024 pseudo_header->ieee_802_11.has_noise_percent ?
2025 pseudo_header->ieee_802_11.noise_percent*127/100 :
2026 0xFF;
2027 break;
2028
2029 case WTAP_ENCAP_PPP_WITH_PHDR:
2030 case WTAP_ENCAP_SDLC:
2031 rec_hdr.xxx[12] |= pseudo_header->p2p.sent ? 0x01 : 0x00;
2032 break;
2033
2034 case WTAP_ENCAP_FRELAY_WITH_PHDR:
2035 rec_hdr.xxx[12] |= (pseudo_header->dte_dce.flags & FROM_DCE) ? 0x00 : 0x01;
2036 break;
2037 }
2038
2039 if (!wtap_dump_file_write(wdh, &rec_hdr, sizeof(rec_hdr), err))
2040 return FALSE;
2041 wdh->bytes_dumped += sizeof(rec_hdr);
2042
2043 /* write the packet data */
2044 if (!wtap_dump_file_write(wdh, pd, rec->rec_header.packet_header.caplen, err))
2045 return FALSE;
2046 wdh->bytes_dumped += rec->rec_header.packet_header.caplen;
2047
2048 netxray->nframes++;
2049
2050 return TRUE;
2051 }
2052
2053 /* Finish writing to a dump file.
2054 Returns TRUE on success, FALSE on failure. */
2055 static gboolean
2056 netxray_dump_finish_2_0(wtap_dumper *wdh, int *err, gchar **err_info _U_)
2057 {
2058 char hdr_buf[CAPTUREFILE_HEADER_SIZE - sizeof(netxray_magic)];
2059 netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv;
2060 gint64 filelen;
2061 struct netxray_hdr file_hdr;
2062
2063 if (-1 == (filelen = wtap_dump_file_tell(wdh, err)))
2064 return FALSE;
2065
2066 /* Go back to beginning */
2067 if (wtap_dump_file_seek(wdh, 0, SEEK_SET, err) == -1)
2068 return FALSE;
2069
2070 /* Rewrite the file header. */
2071 if (!wtap_dump_file_write(wdh, netxray_magic, sizeof netxray_magic, err))
2072 return FALSE;
2073
2074 /* "sniffer" version ? */
2075 memset(&file_hdr, '\0', sizeof file_hdr);
2076 memcpy(file_hdr.version, vers_2_001, sizeof vers_2_001);
2077 file_hdr.start_time = GUINT32_TO_LE(netxray->start.secs);
2078 file_hdr.nframes = GUINT32_TO_LE(netxray->nframes);
2079 file_hdr.start_offset = GUINT32_TO_LE(CAPTUREFILE_HEADER_SIZE);
2080 /* XXX - large files? */
2081 file_hdr.end_offset = GUINT32_TO_LE((guint32)filelen);
2082 file_hdr.network = wtap_encap_to_netxray_2_0_encap(wdh->encap);
2083 file_hdr.timelo = GUINT32_TO_LE(0);
2084 file_hdr.timehi = GUINT32_TO_LE(0);
2085 switch (wdh->encap) {
2086
2087 case WTAP_ENCAP_PPP_WITH_PHDR:
2088 file_hdr.captype = WAN_CAPTYPE_PPP;
2089 break;
2090
2091 case WTAP_ENCAP_FRELAY_WITH_PHDR:
2092 file_hdr.captype = WAN_CAPTYPE_FRELAY;
2093 break;
2094
2095 case WTAP_ENCAP_LAPB:
2096 file_hdr.captype = WAN_CAPTYPE_HDLC;
2097 file_hdr.wan_hdlc_subsub_captype = 0;
2098 break;
2099
2100 case WTAP_ENCAP_SDLC:
2101 file_hdr.captype = WAN_CAPTYPE_SDLC;
2102 break;
2103
2104 default:
2105 file_hdr.captype = CAPTYPE_NDIS;
2106 break;
2107 }
2108
2109 memset(hdr_buf, '\0', sizeof hdr_buf);
2110 memcpy(hdr_buf, &file_hdr, sizeof(file_hdr));
2111 if (!wtap_dump_file_write(wdh, hdr_buf, sizeof hdr_buf, err))
2112 return FALSE;
2113
2114 return TRUE;
2115 }
2116
2117 static const struct supported_block_type netxray_old_blocks_supported[] = {
2118 /*
2119 * We support packet blocks, with no comments or other options.
2120 */
2121 { WTAP_BLOCK_PACKET, MULTIPLE_BLOCKS_SUPPORTED, NO_OPTIONS_SUPPORTED }
2122 };
2123
2124 static const struct file_type_subtype_info netxray_old_info = {
2125 "Cinco Networks NetXRay 1.x", "netxray1", "cap", NULL,
2126 TRUE, BLOCKS_SUPPORTED(netxray_old_blocks_supported),
2127 NULL, NULL, NULL
2128 };
2129
2130 static const struct supported_block_type netxray_1_0_blocks_supported[] = {
2131 /*
2132 * We support packet blocks, with no comments or other options.
2133 */
2134 { WTAP_BLOCK_PACKET, MULTIPLE_BLOCKS_SUPPORTED, NO_OPTIONS_SUPPORTED }
2135 };
2136
2137 static const struct file_type_subtype_info netxray_1_0_info = {
2138 "Cinco Networks NetXRay 2.0 or later", "netxray2", "cap", NULL,
2139 TRUE, BLOCKS_SUPPORTED(netxray_1_0_blocks_supported),
2140 NULL, NULL, NULL
2141 };
2142
2143 static const struct supported_block_type netxray_1_1_blocks_supported[] = {
2144 /*
2145 * We support packet blocks, with no comments or other options.
2146 */
2147 { WTAP_BLOCK_PACKET, MULTIPLE_BLOCKS_SUPPORTED, NO_OPTIONS_SUPPORTED }
2148 };
2149
2150 static const struct file_type_subtype_info netxray_1_1_info = {
2151 "NetXray, Sniffer (Windows) 1.1", "ngwsniffer_1_1", "cap", NULL,
2152 TRUE, BLOCKS_SUPPORTED(netxray_1_1_blocks_supported),
2153 netxray_dump_can_write_encap_1_1, netxray_dump_open_1_1, NULL
2154 };
2155
2156 static const struct supported_block_type netxray_2_00x_blocks_supported[] = {
2157 /*
2158 * We support packet blocks, with no comments or other options.
2159 */
2160 { WTAP_BLOCK_PACKET, MULTIPLE_BLOCKS_SUPPORTED, NO_OPTIONS_SUPPORTED }
2161 };
2162
2163 static const struct file_type_subtype_info netxray_2_00x_info = {
2164 "Sniffer (Windows) 2.00x", "ngwsniffer_2_0", "cap", "caz",
2165 TRUE, BLOCKS_SUPPORTED(netxray_2_00x_blocks_supported),
2166 netxray_dump_can_write_encap_2_0, netxray_dump_open_2_0, NULL
2167 };
2168
2169 void register_netxray(void)
2170 {
2171 netxray_old_file_type_subtype = wtap_register_file_type_subtype(&netxray_old_info);
2172 netxray_1_0_file_type_subtype = wtap_register_file_type_subtype(&netxray_1_0_info);
2173 netxray_1_1_file_type_subtype = wtap_register_file_type_subtype(&netxray_1_1_info);
2174 netxray_2_00x_file_type_subtype = wtap_register_file_type_subtype(&netxray_2_00x_info);
2175
2176 /*
2177 * Register names for backwards compatibility with the
2178 * wtap_filetypes table in Lua.
2179 */
2180 wtap_register_backwards_compatibility_lua_name("NETXRAY_OLD",
2181 netxray_old_file_type_subtype);
2182 wtap_register_backwards_compatibility_lua_name("NETXRAY_1_0",
2183 netxray_1_0_file_type_subtype);
2184 wtap_register_backwards_compatibility_lua_name("NETXRAY_1_1",
2185 netxray_1_1_file_type_subtype);
2186 wtap_register_backwards_compatibility_lua_name("NETXRAY_2_00x",
2187 netxray_2_00x_file_type_subtype);
2188 }
2189
2190 /*
2191 * Editor modelines - https://www.wireshark.org/tools/modelines.html
2192 *
2193 * Local variables:
2194 * c-basic-offset: 8
2195 * tab-width: 8
2196 * indent-tabs-mode: t
2197 * End:
2198 *
2199 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
2200 * :indentSize=8:tabSize=8:noTabs=false:
2201 */
2202