1 /* netxray.c 2 * 3 * Wiretap Library 4 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu> 5 * 6 * SPDX-License-Identifier: GPL-2.0-or-later 7 */ 8 9 #include "config.h" 10 11 #include <errno.h> 12 #include <string.h> 13 #include "wtap-int.h" 14 #include "file_wrappers.h" 15 #include "netxray.h" 16 #include "atm.h" 17 18 /* Capture file header, *including* magic number, is padded to 128 bytes. */ 19 #define CAPTUREFILE_HEADER_SIZE 128 20 21 /* Magic number size, in both 1.x and later files. */ 22 #define MAGIC_SIZE 4 23 24 /* Magic number in NetXRay 1.x files. */ 25 static const char old_netxray_magic[MAGIC_SIZE] = { 26 'V', 'L', '\0', '\0' 27 }; 28 29 /* Magic number in NetXRay 2.0 and later, and Windows Sniffer, files. */ 30 static const char netxray_magic[MAGIC_SIZE] = { 31 'X', 'C', 'P', '\0' 32 }; 33 34 /* NetXRay file header (minus magic number). */ 35 /* */ 36 /* As field usages are identified, please revise as needed */ 37 /* Please do *not* use netxray_hdr xxx... names in the code */ 38 /* (Placeholder names for all 'unknown' fields are */ 39 /* of form xxx_x<hex_hdr_offset> */ 40 /* where <hex_hdr_offset> *includes* the magic number) */ 41 42 struct netxray_hdr { 43 char version[8]; /* version number */ 44 guint32 start_time; /* UNIX [UTC] time when capture started */ 45 46 guint32 nframes; /* number of packets */ 47 guint32 xxx_x14; /* unknown [some kind of file offset] */ 48 guint32 start_offset; /* offset of first packet in capture */ 49 guint32 end_offset; /* offset after last packet in capture */ 50 51 guint32 xxx_x20; /* unknown [some kind of file offset] */ 52 guint32 xxx_x24; /* unknown [unused ?] */ 53 guint32 xxx_x28; /* unknown [some kind of file offset] */ 54 guint8 network; /* datalink type */ 55 guint8 network_plus; /* [See code] */ 56 guint8 xxx_x2E[2]; /* unknown */ 57 58 guint8 timeunit; /* encodes length of a tick */ 59 guint8 xxx_x31[3]; /* XXX - upper 3 bytes of timeunit ? */ 60 guint32 timelo; /* lower 32 bits of capture start time stamp */ 61 guint32 timehi; /* upper 32 bits of capture start time stamp */ 62 guint32 linespeed; /* speed of network, in bits/second */ 63 64 guint8 xxx_x40[12]; /* unknown [other stuff] */ 65 guint8 realtick[4]; /* (ticks/sec for Ethernet/Ndis/Timeunit=2 ?) */ 66 /* (realtick[1], realtick[2] also currently */ 67 /* used as flag for 'FCS presence') */ 68 69 guint8 xxx_x50[4]; /* unknown [other stuff] */ 70 guint8 captype; /* capture type */ 71 guint8 xxx_x55[3]; /* unknown [other stuff] */ 72 guint8 xxx_x58[4]; /* unknown [other stuff] */ 73 guint8 wan_hdlc_subsub_captype; /* WAN HDLC subsub_captype */ 74 guint8 xxx_x5D[3]; /* unknown [other stuff] */ 75 76 guint8 xxx_x60[16]; /* unknown [other stuff] */ 77 78 guint8 xxx_x70[14]; /* unknown [other stuff] */ 79 gint16 timezone_hrs; /* timezone hours [at least for version 2.2..]; */ 80 /* positive values = west of UTC: */ 81 /* negative values = east of UTC: */ 82 /* e.g. +5 is American Eastern */ 83 /* [Does not appear to be adjusted for DST ] */ 84 }; 85 86 /* 87 * Capture type, in hdr.captype. 88 * 89 * Values other than 0 are dependent on the network type. 90 * For Ethernet captures, it indicates the type of capture pod. 91 * For WAN captures (all of which are done with a pod), it indicates 92 * the link-layer type. 93 */ 94 #define CAPTYPE_NDIS 0 /* Capture on network interface using NDIS */ 95 96 /* 97 * Ethernet capture types. 98 */ 99 #define ETH_CAPTYPE_GIGPOD 2 /* gigabit Ethernet captured with pod */ 100 #define ETH_CAPTYPE_OTHERPOD 3 /* non-gigabit Ethernet captured with pod */ 101 #define ETH_CAPTYPE_OTHERPOD2 5 /* gigabit Ethernet via pod ?? */ 102 /* Captype 5 seen in capture from Distributed Sniffer with: */ 103 /* Version 4.50.211 software */ 104 /* SysKonnect SK-9843 Gigabit Ethernet Server Adapter */ 105 #define ETH_CAPTYPE_GIGPOD2 6 /* gigabit Ethernet, captured with blade on S6040-model Sniffer */ 106 107 /* 108 * WAN capture types. 109 */ 110 #define WAN_CAPTYPE_BROUTER 1 /* Bridge/router captured with pod */ 111 #define WAN_CAPTYPE_PPP 3 /* PPP captured with pod */ 112 #define WAN_CAPTYPE_FRELAY 4 /* Frame Relay captured with pod */ 113 #define WAN_CAPTYPE_BROUTER2 5 /* Bridge/router captured with pod */ 114 #define WAN_CAPTYPE_HDLC 6 /* HDLC (X.25, ISDN) captured with pod */ 115 #define WAN_CAPTYPE_SDLC 7 /* SDLC captured with pod */ 116 #define WAN_CAPTYPE_HDLC2 8 /* HDLC captured with pod */ 117 #define WAN_CAPTYPE_BROUTER3 9 /* Bridge/router captured with pod */ 118 #define WAN_CAPTYPE_SMDS 10 /* SMDS DXI */ 119 #define WAN_CAPTYPE_BROUTER4 11 /* Bridge/router captured with pod */ 120 #define WAN_CAPTYPE_BROUTER5 12 /* Bridge/router captured with pod */ 121 #define WAN_CAPTYPE_CHDLC 19 /* Cisco router (CHDLC) captured with pod */ 122 123 #define CAPTYPE_ATM 15 /* ATM captured with pod */ 124 125 /* 126 * # of ticks that equal 1 second, in version 002.xxx files other 127 * than Ethernet captures with a captype other than CAPTYPE_NDIS; 128 * the index into this array is hdr.timeunit. 129 * 130 * DO NOT SEND IN PATCHES THAT CHANGE ANY OF THE NON-ZERO VALUES IN 131 * ANY OF THE TpS TABLES. THOSE VALUES ARE CORRECT FOR AT LEAST ONE 132 * CAPTURE, SO CHANGING THEM WILL BREAK AT LEAST SOME CAPTURES. WE 133 * WILL NOT CHECK IN PATCHES THAT CHANGE THESE VALUES. 134 * 135 * Instead, if a value in a TpS table is wrong, check whether captype 136 * has a non-zero value; if so, perhaps we need a new TpS table for the 137 * corresponding network type and captype, or perhaps the 'realtick' 138 * field contains the correct ticks-per-second value. 139 * 140 * TpS...[] entries of 0.0 mean that no capture file for the 141 * corresponding captype/timeunit values has yet been seen, or that 142 * we're using the 'realtick' value. 143 * 144 * XXX - 05/29/07: For Ethernet captype = 0 (NDIS) and timeunit = 2: 145 * Perusal of a number of Sniffer captures 146 * (including those from Wireshark bug reports 147 * and those from the Wireshark 'menagerie') 148 * suggests that 'realtick' for this case 149 * contains the correct ticks/second to be used. 150 * So: we'll use realtick for Ethernet captype=0 and timeunit=2. 151 * (It might be that realtick should be used for Ethernet captype = 0 152 * and timeunit = 1 but I've not yet enough captures to be sure). 153 * Based upon the captures reviewed to date, realtick cannot be used for 154 * any of the other Ethernet captype/timeunit combinations for which there 155 * are non-zero values in the TpS tables. 156 * 157 * In at least one capture where "realtick" doesn't correspond 158 * to the value from the appropriate TpS table, the per-packet header's 159 * "xxx" field is all zero, so it's not as if a 2.x header includes 160 * a "compatibility" time stamp corresponding to the value from the 161 * TpS table and a "real" time stamp corresponding to "realtick". 162 * 163 * XXX - the item corresponding to timeunit = 2 is 1193180.0, presumably 164 * because somebody found it gave the right answer for some captures, but 165 * 3 times that, i.e. 3579540.0, appears to give the right answer for some 166 * other captures. 167 * 168 * Some captures have realtick of 1193182, some have 3579545, and some 169 * have 1193000. Most of those, in one set of captures somebody has, 170 * are wrong. (Did that mean "wrong for some capture files, but not 171 * for the files in which they occurred", or "wrong for the files in 172 * which they occurred? If it's "wrong for some capture files, but 173 * not for the files in which they occurred", perhaps those were Ethernet 174 * captures with a captype of 0 and timeunit = 2, so that we now use 175 * realtick, and perhaps that fixes the problems.) 176 * 177 * XXX - in at least one ATM capture, hdr.realtick is 1193180.0 178 * and hdr.timeunit is 0. Does that capture have a captype of 179 * CAPTYPE_ATM? If so, what should the table for ATM captures with 180 * that captype be? 181 */ 182 static const double TpS[] = { 1e6, 1193000.0, 1193182.0 }; 183 #define NUM_NETXRAY_TIMEUNITS (sizeof TpS / sizeof TpS[0]) 184 185 /* 186 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_GIGPOD. 187 * 0.0 means "unknown". 188 * 189 * It appears that, at least for Ethernet captures, if captype is 190 * ETH_CAPTYPE_GIGPOD, that indicates that it's a gigabit Ethernet 191 * capture, possibly from a special whizzo gigabit pod, and also 192 * indicates that the time stamps have some higher resolution than 193 * in other captures, possibly thanks to a high-resolution timer 194 * on the pod. 195 * 196 * It also appears that the time units might differ for gigabit pod 197 * captures between version 002.001 and 002.002. For 002.001, 198 * the values below are correct; for 002.002, it's claimed that 199 * the right value for TpS_gigpod[2] is 1250000.0, but at least one 200 * 002.002 gigabit pod capture has 31250000.0 as the right value. 201 * XXX: Note that the TpS_otherpod[2] value is 1250000.0; It seems 202 * reasonable to suspect that the original claim might actually 203 * have been for a capture with a captype of 'otherpod'. 204 * (Based upon captures reviewed realtick does not contain the 205 * correct TpS values for the 'gigpod' captype). 206 */ 207 static const double TpS_gigpod[] = { 1e9, 0.0, 31250000.0 }; 208 #define NUM_NETXRAY_TIMEUNITS_GIGPOD (sizeof TpS_gigpod / sizeof TpS_gigpod[0]) 209 210 /* 211 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_OTHERPOD. 212 * (Based upon captures reviewed realtick does not contain the 213 * correct TpS values for the 'otherpod' captype). 214 */ 215 static const double TpS_otherpod[] = { 1e6, 0.0, 1250000.0 }; 216 #define NUM_NETXRAY_TIMEUNITS_OTHERPOD (sizeof TpS_otherpod / sizeof TpS_otherpod[0]) 217 218 /* 219 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_OTHERPOD2. 220 * (Based upon captures reviewed realtick does not contain the 221 * correct TpS values for the 'otherpod2' captype). 222 */ 223 static const double TpS_otherpod2[] = { 1e6, 0.0, 0.0 }; 224 #define NUM_NETXRAY_TIMEUNITS_OTHERPOD2 (sizeof TpS_otherpod2 / sizeof TpS_otherpod2[0]) 225 226 /* 227 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_GIGPOD2. 228 * (Based upon captures reviewed realtick does not contain the 229 * correct TpS values for the 'gigpod2' captype). 230 */ 231 static const double TpS_gigpod2[] = { 1e9, 0.0, 20000000.0 }; 232 #define NUM_NETXRAY_TIMEUNITS_GIGPOD2 (sizeof TpS_gigpod2 / sizeof TpS_gigpod2[0]) 233 234 /* Version number strings. */ 235 static const char vers_1_0[] = { 236 '0', '0', '1', '.', '0', '0', '0', '\0' 237 }; 238 239 static const char vers_1_1[] = { 240 '0', '0', '1', '.', '1', '0', '0', '\0' 241 }; 242 243 static const char vers_2_000[] = { 244 '0', '0', '2', '.', '0', '0', '0', '\0' 245 }; 246 247 static const char vers_2_001[] = { 248 '0', '0', '2', '.', '0', '0', '1', '\0' 249 }; 250 251 static const char vers_2_002[] = { 252 '0', '0', '2', '.', '0', '0', '2', '\0' 253 }; 254 255 static const char vers_2_003[] = { 256 '0', '0', '2', '.', '0', '0', '3', '\0' 257 }; 258 259 /* Old NetXRay data record format - followed by frame data. */ 260 struct old_netxrayrec_hdr { 261 guint32 timelo; /* lower 32 bits of time stamp */ 262 guint32 timehi; /* upper 32 bits of time stamp */ 263 guint16 len; /* packet length */ 264 guint8 xxx[6]; /* unknown */ 265 }; 266 267 /* NetXRay format version 1.x data record format - followed by frame data. */ 268 struct netxrayrec_1_x_hdr { 269 guint32 timelo; /* lower 32 bits of time stamp */ 270 guint32 timehi; /* upper 32 bits of time stamp */ 271 guint16 orig_len; /* packet length */ 272 guint16 incl_len; /* capture length */ 273 guint8 xxx[16]; /* unknown */ 274 }; 275 276 /* 277 * NetXRay format version 2.x data record format - followed by frame data. 278 * 279 * The xxx fields appear to be: 280 * 281 * xxx[0]: ATM traffic type and subtype in the low 3 bits of 282 * each nibble, and flags(?) in the upper bit of each nibble. 283 * Always 0 for 802.11? 284 * 285 * xxx[1]: Always 0 for 802.11? 286 * 287 * xxx[2], xxx[3]: for Ethernet, 802.11, ISDN LAPD, LAPB, 288 * Frame Relay, if both are 0xff, there are 4 bytes of stuff 289 * at the end of the packet data, which might be an FCS or 290 * which might be junk to discard. 291 * 292 * xxx[4-7]: Always 0 for 802.11? 293 * 294 * xxx[8], xxx[9]: 2 bytes of a flag word? If treated as 295 * a 2-byte little-endian flag word: 296 * 297 * 0x0001: Error of some sort, including bad CRC, although 298 * in one ISDN capture it's set in some B2 channel 299 * packets of unknown content (as opposed to the B1 300 * traffic in the capture, which is PPP) 301 * 0x0002: Seen in 802.11 - short preamble? Bad CRC? 302 * 0x0004: Some particular type of error? 303 * 0x0008: For (Gigabit?) Ethernet (with special probe?), 304 * 4 bytes at end are junk rather than CRC? 305 * 0x0100: CRC error on ATM? Protected and Not decrypted 306 * for 802.11? Bad CRC? Short preamble? 307 * 0x0200: Something for ATM? Something else for 802.11? 308 * 0x0400: raw ATM cell 309 * 0x0800: OAM cell? 310 * 0x2000: port on which the packet was captured? 311 * 312 * The Sniffer Portable 4.8 User's Guide lists a set of packet status 313 * flags including: 314 * 315 * packet is marked; 316 * packet was captured from Port A on the pod or adapter card; 317 * packet was captured from Port B on the pod or adapter card; 318 * packet has a symptom or diagnosis associated with it; 319 * packet is an event filter trigger; 320 * CRC error packet with normal packet size; 321 * CRC error packet with oversize error; 322 * packet size < 64 bytes (including CRC) but with valid CRC; 323 * packet size < 64 bytes (including CRC) with CRC error; 324 * packet size > 1518 bytes (including CRC) but with valid CRC; 325 * packet damaged by a collision; 326 * packet length not a multiple of 8 bits; 327 * address conflict in the ring on Token Ring; 328 * packet is not copied (received) by the destination host on 329 * Token Ring; 330 * AAL5 length error; 331 * AAL5 maximum segments error; 332 * ATM timeout error; 333 * ATM buffer error; 334 * ATM unknown error; 335 * and a ton of AAL2 errors. 336 * 337 * Not all those bits necessarily correspond to flag bits in the file, 338 * but some might. 339 * 340 * In one ATM capture, the 0x2000 bit was set for all frames; in another, 341 * it's unset for all frames. This, plus the ATMbook having two ports, 342 * suggests that it *might* be a "port A vs. port B" flag. 343 * 344 * The 0x0001 bit appears to be set for CRC errors on Ethernet and 802.11. 345 * It also appears to be set on ATM for AAL5 PDUs that appear to be 346 * completely reassembled and that have a CRC error and for frames that 347 * appear to be part of a full AAL5 PDU. In at least two files with 348 * frames of the former type, the 0x0100 and 0x0200 flags are set; 349 * in at least one file with frames of the latter type, neither of 350 * those flags are set. 351 * 352 * The field appears to be somewhat random in some captures, 353 * however. 354 * 355 * xxx[10]: for 802.11, always 0? 356 * 357 * xxx[11]: for 802.11, 0x05 if the packet is WEP-encrypted(?). 358 * 359 * xxx[12]: for 802.11, channel number. 360 * 361 * xxx[13]: for 802.11, data rate, in 500 Kb/s units. 362 * 363 * xxx[14]: for 802.11, signal strength. 364 * 365 * xxx[15]: for 802.11, noise level; 0xFF means none reported, 366 * 0x7F means 100%. 367 * 368 * xxx[16-19]: for 802.11, PHY header, at least for {HR/}DSSS, 369 * in at least one capture. 370 * In another capture, xxx[16] appears to be the 371 * data rate in 500 Kb/s units 372 * Chip-dependent stuff? 373 * 374 * xxx[20-25]: for 802.11, MAC address of sending machine(?). 375 * 376 * xxx[26]: for 802.11, one of 0x00, 0x01, 0x03, or 0x0b? 377 * 378 * xxx[27]: for 802.11, one of 0x00 or 0x30? 379 */ 380 struct netxrayrec_2_x_hdr { 381 guint32 timelo; /* lower 32 bits of time stamp */ 382 guint32 timehi; /* upper 32 bits of time stamp */ 383 guint16 orig_len; /* packet length */ 384 guint16 incl_len; /* capture length */ 385 guint8 xxx[28]; /* various data */ 386 }; 387 388 /* 389 * Union of the data record headers. 390 */ 391 union netxrayrec_hdr { 392 struct old_netxrayrec_hdr old_hdr; 393 struct netxrayrec_1_x_hdr hdr_1_x; 394 struct netxrayrec_2_x_hdr hdr_2_x; 395 }; 396 397 typedef struct { 398 time_t start_time; 399 double ticks_per_sec; 400 double start_timestamp; 401 gboolean wrapped; 402 guint32 nframes; 403 gint64 start_offset; 404 gint64 end_offset; 405 int version_major; 406 gboolean fcs_valid; /* if packets have valid FCS at the end */ 407 guint isdn_type; /* 1 = E1 PRI, 2 = T1 PRI, 3 = BRI */ 408 } netxray_t; 409 410 static gboolean netxray_read(wtap *wth, wtap_rec *rec, Buffer *buf, 411 int *err, gchar **err_info, gint64 *data_offset); 412 static gboolean netxray_seek_read(wtap *wth, gint64 seek_off, 413 wtap_rec *rec, Buffer *buf, int *err, gchar **err_info); 414 static int netxray_process_rec_header(wtap *wth, FILE_T fh, 415 wtap_rec *rec, int *err, gchar **err_info); 416 static void netxray_guess_atm_type(wtap *wth, wtap_rec *rec, 417 Buffer *buf); 418 static gboolean netxray_dump_1_1(wtap_dumper *wdh, 419 const wtap_rec *rec, 420 const guint8 *pd, int *err, gchar **err_info); 421 static gboolean netxray_dump_finish_1_1(wtap_dumper *wdh, int *err, 422 gchar **err_info); 423 static gboolean netxray_dump_2_0(wtap_dumper *wdh, 424 const wtap_rec *rec, 425 const guint8 *pd, int *err, gchar **err_info); 426 static gboolean netxray_dump_finish_2_0(wtap_dumper *wdh, int *err, 427 gchar **err_info); 428 429 static int netxray_old_file_type_subtype = -1; 430 static int netxray_1_0_file_type_subtype = -1; 431 static int netxray_1_1_file_type_subtype = -1; 432 static int netxray_2_00x_file_type_subtype = -1; 433 434 void register_netxray(void); 435 436 wtap_open_return_val 437 netxray_open(wtap *wth, int *err, gchar **err_info) 438 { 439 char magic[MAGIC_SIZE]; 440 gboolean is_old; 441 struct netxray_hdr hdr; 442 guint network_type; 443 double ticks_per_sec; 444 int version_major, version_minor; 445 int file_type; 446 double start_timestamp; 447 static const int netxray_encap[] = { 448 WTAP_ENCAP_UNKNOWN, 449 WTAP_ENCAP_ETHERNET, 450 WTAP_ENCAP_TOKEN_RING, 451 WTAP_ENCAP_FDDI_BITSWAPPED, 452 /* 453 * XXX - some PPP captures may look like Ethernet, 454 * perhaps because they're using NDIS to capture on the 455 * same machine and it provides simulated-Ethernet 456 * packets, but captures taken with various serial 457 * pods use the same network type value but aren't 458 * shaped like Ethernet. We handle that below. 459 */ 460 WTAP_ENCAP_ETHERNET, /* WAN(PPP), but shaped like Ethernet */ 461 WTAP_ENCAP_UNKNOWN, /* LocalTalk */ 462 WTAP_ENCAP_UNKNOWN, /* "DIX" - should not occur */ 463 WTAP_ENCAP_UNKNOWN, /* ARCNET raw */ 464 WTAP_ENCAP_UNKNOWN, /* ARCNET 878.2 */ 465 WTAP_ENCAP_ATM_PDUS_UNTRUNCATED,/* ATM */ 466 WTAP_ENCAP_IEEE_802_11_WITH_RADIO, 467 /* Wireless WAN with radio information */ 468 WTAP_ENCAP_UNKNOWN /* IrDA */ 469 }; 470 #define NUM_NETXRAY_ENCAPS (sizeof netxray_encap / sizeof netxray_encap[0]) 471 int file_encap; 472 guint isdn_type = 0; 473 netxray_t *netxray; 474 475 /* Read in the string that should be at the start of a NetXRay 476 * file */ 477 if (!wtap_read_bytes(wth->fh, magic, MAGIC_SIZE, err, err_info)) { 478 if (*err != WTAP_ERR_SHORT_READ) 479 return WTAP_OPEN_ERROR; 480 return WTAP_OPEN_NOT_MINE; 481 } 482 483 if (memcmp(magic, netxray_magic, MAGIC_SIZE) == 0) { 484 is_old = FALSE; 485 } else if (memcmp(magic, old_netxray_magic, MAGIC_SIZE) == 0) { 486 is_old = TRUE; 487 } else { 488 return WTAP_OPEN_NOT_MINE; 489 } 490 491 /* Read the rest of the header. */ 492 if (!wtap_read_bytes(wth->fh, &hdr, sizeof hdr, err, err_info)) 493 return WTAP_OPEN_ERROR; 494 495 if (is_old) { 496 version_major = 0; 497 version_minor = 0; 498 file_type = netxray_old_file_type_subtype; 499 } else { 500 /* It appears that version 1.1 files (as produced by Windows 501 * Sniffer Pro 2.0.01) have the time stamp in microseconds, 502 * rather than the milliseconds version 1.0 files appear to 503 * have. 504 * 505 * It also appears that version 2.00x files have per-packet 506 * headers with some extra fields. */ 507 if (memcmp(hdr.version, vers_1_0, sizeof vers_1_0) == 0) { 508 version_major = 1; 509 version_minor = 0; 510 file_type = netxray_1_0_file_type_subtype; 511 } else if (memcmp(hdr.version, vers_1_1, sizeof vers_1_1) == 0) { 512 version_major = 1; 513 version_minor = 1; 514 file_type = netxray_1_1_file_type_subtype; 515 } else if (memcmp(hdr.version, vers_2_000, sizeof vers_2_000) == 0) { 516 version_major = 2; 517 version_minor = 0; 518 file_type = netxray_2_00x_file_type_subtype; 519 } else if (memcmp(hdr.version, vers_2_001, sizeof vers_2_001) == 0) { 520 version_major = 2; 521 version_minor = 1; 522 file_type = netxray_2_00x_file_type_subtype; 523 } else if (memcmp(hdr.version, vers_2_002, sizeof vers_2_002) == 0) { 524 version_major = 2; 525 version_minor = 2; 526 file_type = netxray_2_00x_file_type_subtype; 527 } else if (memcmp(hdr.version, vers_2_003, sizeof vers_2_003) == 0) { 528 version_major = 2; 529 version_minor = 3; 530 file_type = netxray_2_00x_file_type_subtype; 531 } else { 532 *err = WTAP_ERR_UNSUPPORTED; 533 *err_info = g_strdup_printf("netxray: version \"%.8s\" unsupported", hdr.version); 534 return WTAP_OPEN_ERROR; 535 } 536 } 537 538 switch (hdr.network_plus) { 539 540 case 0: 541 /* 542 * The byte after hdr.network is usually 0, in which case 543 * the hdr.network byte is an NDIS network type value - 1. 544 */ 545 network_type = hdr.network + 1; 546 break; 547 548 case 2: 549 /* 550 * However, in some Ethernet captures, it's 2, and the 551 * hdr.network byte is 1 rather than 0. We assume 552 * that if there's a byte after hdr.network with the value 553 * 2, the hdr.network byte is an NDIS network type, rather 554 * than an NDIS network type - 1. 555 */ 556 network_type = hdr.network; 557 break; 558 559 default: 560 *err = WTAP_ERR_UNSUPPORTED; 561 *err_info = g_strdup_printf("netxray: the byte after the network type has the value %u, which I don't understand", 562 hdr.network_plus); 563 return WTAP_OPEN_ERROR; 564 } 565 566 if (network_type >= NUM_NETXRAY_ENCAPS 567 || netxray_encap[network_type] == WTAP_ENCAP_UNKNOWN) { 568 *err = WTAP_ERR_UNSUPPORTED; 569 *err_info = g_strdup_printf("netxray: network type %u (%u) unknown or unsupported", 570 network_type, hdr.network_plus); 571 return WTAP_OPEN_ERROR; 572 } 573 574 /* 575 * Figure out the time stamp units and start time stamp. 576 */ 577 start_timestamp = (double)pletoh32(&hdr.timelo) 578 + (double)pletoh32(&hdr.timehi)*4294967296.0; 579 if (is_old) { 580 ticks_per_sec = 1000.0; 581 wth->file_tsprec = WTAP_TSPREC_MSEC; 582 } else if (version_major == 1) { 583 switch (version_minor) { 584 585 case 0: 586 ticks_per_sec = 1000.0; 587 wth->file_tsprec = WTAP_TSPREC_MSEC; 588 break; 589 590 case 1: 591 /* 592 * In version 1.1 files (as produced by Windows 593 * Sniffer Pro 2.0.01), the time stamp is in 594 * microseconds, rather than the milliseconds 595 * time stamps in NetXRay and older versions 596 * of Windows Sniffer. 597 */ 598 ticks_per_sec = 1000000.0; 599 wth->file_tsprec = WTAP_TSPREC_USEC; 600 break; 601 602 default: 603 /* "Can't happen" - we rejected that above */ 604 *err = WTAP_ERR_INTERNAL; 605 *err_info = g_strdup_printf("netxray: version %d.%d somehow didn't get rejected", 606 version_major, version_minor); 607 return WTAP_OPEN_ERROR; 608 } 609 } else if (version_major == 2) { 610 /* 611 * Get the time stamp units from the appropriate TpS 612 * table or from the file header. 613 */ 614 switch (network_type) { 615 616 case 1: 617 /* 618 * Ethernet - the table to use depends on whether 619 * this is an NDIS or pod capture. 620 */ 621 switch (hdr.captype) { 622 623 case CAPTYPE_NDIS: 624 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS) { 625 *err = WTAP_ERR_UNSUPPORTED; 626 *err_info = g_strdup_printf( 627 "netxray: Unknown timeunit %u for Ethernet/CAPTYPE_NDIS version %.8s capture", 628 hdr.timeunit, hdr.version); 629 return WTAP_OPEN_ERROR; 630 } 631 /* 632 XXX: 05/29/07: Use 'realtick' instead of TpS table if timeunit=2; 633 Using 'realtick' in this case results 634 in the correct 'ticks per second' for all the captures that 635 I have of this type (including captures from a number of Wireshark 636 bug reports). 637 */ 638 if (hdr.timeunit == 2) { 639 ticks_per_sec = pletoh32(hdr.realtick); 640 } 641 else { 642 ticks_per_sec = TpS[hdr.timeunit]; 643 } 644 break; 645 646 case ETH_CAPTYPE_GIGPOD: 647 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_GIGPOD 648 || TpS_gigpod[hdr.timeunit] == 0.0) { 649 *err = WTAP_ERR_UNSUPPORTED; 650 *err_info = g_strdup_printf( 651 "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_GIGPOD version %.8s capture", 652 hdr.timeunit, hdr.version); 653 return WTAP_OPEN_ERROR; 654 } 655 ticks_per_sec = TpS_gigpod[hdr.timeunit]; 656 657 /* 658 * At least for 002.002 and 002.003 659 * captures, the start time stamp is 0, 660 * not the value in the file. 661 */ 662 if (version_minor == 2 || version_minor == 3) 663 start_timestamp = 0.0; 664 break; 665 666 case ETH_CAPTYPE_OTHERPOD: 667 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_OTHERPOD 668 || TpS_otherpod[hdr.timeunit] == 0.0) { 669 *err = WTAP_ERR_UNSUPPORTED; 670 *err_info = g_strdup_printf( 671 "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_OTHERPOD version %.8s capture", 672 hdr.timeunit, hdr.version); 673 return WTAP_OPEN_ERROR; 674 } 675 ticks_per_sec = TpS_otherpod[hdr.timeunit]; 676 677 /* 678 * At least for 002.002 and 002.003 679 * captures, the start time stamp is 0, 680 * not the value in the file. 681 */ 682 if (version_minor == 2 || version_minor == 3) 683 start_timestamp = 0.0; 684 break; 685 686 case ETH_CAPTYPE_OTHERPOD2: 687 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_OTHERPOD2 688 || TpS_otherpod2[hdr.timeunit] == 0.0) { 689 *err = WTAP_ERR_UNSUPPORTED; 690 *err_info = g_strdup_printf( 691 "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_OTHERPOD2 version %.8s capture", 692 hdr.timeunit, hdr.version); 693 return WTAP_OPEN_ERROR; 694 } 695 ticks_per_sec = TpS_otherpod2[hdr.timeunit]; 696 /* 697 * XXX: start time stamp in the one capture file examined of this type was 0; 698 * We'll assume the start time handling is the same as for other pods. 699 * 700 * At least for 002.002 and 002.003 701 * captures, the start time stamp is 0, 702 * not the value in the file. 703 */ 704 if (version_minor == 2 || version_minor == 3) 705 start_timestamp = 0.0; 706 break; 707 708 case ETH_CAPTYPE_GIGPOD2: 709 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_GIGPOD2 710 || TpS_gigpod2[hdr.timeunit] == 0.0) { 711 *err = WTAP_ERR_UNSUPPORTED; 712 *err_info = g_strdup_printf( 713 "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_GIGPOD2 version %.8s capture", 714 hdr.timeunit, hdr.version); 715 return WTAP_OPEN_ERROR; 716 } 717 ticks_per_sec = TpS_gigpod2[hdr.timeunit]; 718 /* 719 * XXX: start time stamp in the one capture file examined of this type was 0; 720 * We'll assume the start time handling is the same as for other pods. 721 * 722 * At least for 002.002 and 002.003 723 * captures, the start time stamp is 0, 724 * not the value in the file. 725 */ 726 if (version_minor == 2 || version_minor == 3) 727 start_timestamp = 0.0; 728 break; 729 730 default: 731 *err = WTAP_ERR_UNSUPPORTED; 732 *err_info = g_strdup_printf( 733 "netxray: Unknown capture type %u for Ethernet version %.8s capture", 734 hdr.captype, hdr.version); 735 return WTAP_OPEN_ERROR; 736 } 737 break; 738 739 default: 740 if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS) { 741 *err = WTAP_ERR_UNSUPPORTED; 742 *err_info = g_strdup_printf( 743 "netxray: Unknown timeunit %u for %u/%u version %.8s capture", 744 hdr.timeunit, network_type, hdr.captype, 745 hdr.version); 746 return WTAP_OPEN_ERROR; 747 } 748 ticks_per_sec = TpS[hdr.timeunit]; 749 break; 750 } 751 752 /* 753 * If the number of ticks per second is greater than 754 * 1 million, make the precision be nanoseconds rather 755 * than microseconds. 756 * 757 * XXX - do values only slightly greater than one million 758 * correspond to a resolution sufficiently better than 759 * 1 microsecond to display more digits of precision? 760 * XXX - Seems reasonable to use nanosecs only if TPS >= 10M 761 */ 762 if (ticks_per_sec >= 1e7) 763 wth->file_tsprec = WTAP_TSPREC_NSEC; 764 else 765 wth->file_tsprec = WTAP_TSPREC_USEC; 766 } else { 767 /* "Can't happen" - we rejected that above */ 768 *err = WTAP_ERR_INTERNAL; 769 *err_info = g_strdup_printf("netxray: version %d.%d somehow didn't get rejected", 770 version_major, version_minor); 771 return WTAP_OPEN_ERROR; 772 } 773 start_timestamp = start_timestamp/ticks_per_sec; 774 775 if (network_type == 4) { 776 /* 777 * In version 0 and 1, we assume, for now, that all 778 * WAN captures have frames that look like Ethernet 779 * frames (as a result, presumably, of having passed 780 * through NDISWAN). 781 * 782 * In version 2, it looks as if there's stuff in the 783 * file header to specify what particular type of WAN 784 * capture we have. 785 */ 786 if (version_major == 2) { 787 switch (hdr.captype) { 788 789 case WAN_CAPTYPE_PPP: 790 /* 791 * PPP. 792 */ 793 file_encap = WTAP_ENCAP_PPP_WITH_PHDR; 794 break; 795 796 case WAN_CAPTYPE_FRELAY: 797 /* 798 * Frame Relay. 799 * 800 * XXX - in at least one capture, this 801 * is Cisco HDLC, not Frame Relay, but 802 * in another capture, it's Frame Relay. 803 * 804 * [Bytes in each capture: 805 * Cisco HDLC: hdr.xxx_x60[06:10]: 0x02 0x00 0x01 0x00 0x06 806 * Frame Relay: hdr.xxx_x60[06:10] 0x00 0x00 0x00 0x00 0x00 807 808 * Cisco HDLC: hdr.xxx_x60[14:15]: 0xff 0xff 809 * Frame Relay: hdr.xxx_x60[14:15]: 0x00 0x00 810 * ] 811 */ 812 file_encap = WTAP_ENCAP_FRELAY_WITH_PHDR; 813 break; 814 815 case WAN_CAPTYPE_HDLC: 816 case WAN_CAPTYPE_HDLC2: 817 /* 818 * Various HDLC flavors? 819 */ 820 switch (hdr.wan_hdlc_subsub_captype) { 821 822 case 0: /* LAPB/X.25 */ 823 /* 824 * XXX - at least one capture of 825 * this type appears to be PPP. 826 */ 827 file_encap = WTAP_ENCAP_LAPB; 828 break; 829 830 case 1: /* E1 PRI */ 831 case 2: /* T1 PRI */ 832 case 3: /* BRI */ 833 file_encap = WTAP_ENCAP_ISDN; 834 isdn_type = hdr.wan_hdlc_subsub_captype; 835 break; 836 837 default: 838 *err = WTAP_ERR_UNSUPPORTED; 839 *err_info = g_strdup_printf("netxray: WAN HDLC capture subsubtype 0x%02x unknown or unsupported", 840 hdr.wan_hdlc_subsub_captype); 841 return WTAP_OPEN_ERROR; 842 } 843 break; 844 845 case WAN_CAPTYPE_SDLC: 846 /* 847 * SDLC. 848 */ 849 file_encap = WTAP_ENCAP_SDLC; 850 break; 851 852 case WAN_CAPTYPE_CHDLC: 853 /* 854 * Cisco router (CHDLC) captured with pod 855 */ 856 file_encap = WTAP_ENCAP_CHDLC_WITH_PHDR; 857 break; 858 859 default: 860 *err = WTAP_ERR_UNSUPPORTED; 861 *err_info = g_strdup_printf("netxray: WAN capture subtype 0x%02x unknown or unsupported", 862 hdr.captype); 863 return WTAP_OPEN_ERROR; 864 } 865 } else 866 file_encap = WTAP_ENCAP_ETHERNET; 867 } else 868 file_encap = netxray_encap[network_type]; 869 870 /* This is a netxray file */ 871 wth->file_type_subtype = file_type; 872 netxray = g_new(netxray_t, 1); 873 wth->priv = (void *)netxray; 874 wth->subtype_read = netxray_read; 875 wth->subtype_seek_read = netxray_seek_read; 876 wth->file_encap = file_encap; 877 wth->snapshot_length = 0; /* not available in header */ 878 netxray->start_time = pletoh32(&hdr.start_time); 879 netxray->ticks_per_sec = ticks_per_sec; 880 netxray->start_timestamp = start_timestamp; 881 netxray->version_major = version_major; 882 883 /* 884 * If frames have an extra 4 bytes of stuff at the end, is 885 * it an FCS, or just junk? 886 */ 887 netxray->fcs_valid = FALSE; 888 switch (file_encap) { 889 890 case WTAP_ENCAP_ETHERNET: 891 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO: 892 case WTAP_ENCAP_ISDN: 893 case WTAP_ENCAP_LAPB: 894 /* 895 * It appears that, in at least some version 2 Ethernet 896 * captures, for frames that have 0xff in hdr_2_x.xxx[2] 897 * and hdr_2_x.xxx[3] in the per-packet header: 898 * 899 * if, in the file header, hdr.realtick[1] is 0x34 900 * and hdr.realtick[2] is 0x12, the frames have an 901 * FCS at the end; 902 * 903 * otherwise, they have 4 bytes of junk at the end. 904 * 905 * Yes, it's strange that you have to check the *middle* 906 * of the time stamp field; you can't check for any 907 * particular value of the time stamp field. 908 * 909 * For now, we assume that to be true for 802.11 captures 910 * as well; it appears to be the case for at least one 911 * such capture - the file doesn't have 0x34 and 0x12, 912 * and the 4 bytes at the end of the frames with 0xff 913 * are junk, not an FCS. 914 * 915 * For ISDN captures, it appears, at least in some 916 * captures, to be similar, although I haven't yet 917 * checked whether it's a valid FCS. 918 * 919 * XXX - should we do this for all encapsulation types? 920 * 921 * XXX - is there some other field that *really* indicates 922 * whether we have an FCS or not? The check of the time 923 * stamp is bizarre, as we're checking the middle. 924 * Perhaps hdr.realtick[0] is 0x00, in which case time 925 * stamp units in the range 1192960 through 1193215 926 * correspond to captures with an FCS, but that's still 927 * a bit bizarre. 928 * 929 * Note that there are captures with a network type of 0 930 * (Ethernet) and capture type of 0 (NDIS) that do, and 931 * that don't, have 0x34 0x12 in them, and at least one 932 * of the NDIS captures with 0x34 0x12 in it has FCSes, 933 * so it's not as if no NDIS captures have an FCS. 934 * 935 * There are also captures with a network type of 4 (WAN), 936 * capture type of 6 (HDLC), and subtype of 2 (T1 PRI) that 937 * do, and that don't, have 0x34 0x12, so there are at least 938 * some captures taken with a WAN pod that might lack an FCS. 939 * (We haven't yet tried dissecting the 4 bytes at the 940 * end of packets with hdr_2_x.xxx[2] and hdr_2_x.xxx[3] 941 * equal to 0xff as an FCS.) 942 * 943 * All captures I've seen that have 0x34 and 0x12 *and* 944 * have at least one frame with an FCS have a value of 945 * 0x01 in xxx_x40[4]. No captures I've seen with a network 946 * type of 0 (Ethernet) missing 0x34 0x12 have 0x01 there, 947 * however. However, there's at least one capture 948 * without 0x34 and 0x12, with a network type of 0, 949 * and with 0x01 in xxx_x40[4], *without* FCSes in the 950 * frames - the 4 bytes at the end are all zero - so it's 951 * not as simple as "xxx_x40[4] = 0x01 means the 4 bytes at 952 * the end are FCSes". Also, there's also at least one 953 * 802.11 capture with an xxx_x40[4] value of 0x01 with junk 954 * rather than an FCS at the end of the frame, so xxx_x40[4] 955 * isn't an obvious flag to determine whether the 956 * capture has FCSes. 957 * 958 * There don't seem to be any other values in any of the 959 * xxx_x5..., xxx_x6...., xxx_x7.... fields 960 * that obviously correspond to frames having an FCS. 961 * 962 * 05/29/07: Examination of numerous sniffer captures suggests 963 * that the apparent correlation of certain realtick 964 * bytes to 'FCS presence' may actually be 965 * a 'false positive'. 966 * ToDo: Review analysis and update code. 967 * It might be that the ticks-per-second value 968 * is hardware-dependent, and that hardware with 969 * a particular realtick value puts an FCS there 970 * and other hardware doesn't. 971 */ 972 if (version_major == 2) { 973 if (hdr.realtick[1] == 0x34 && hdr.realtick[2] == 0x12) 974 netxray->fcs_valid = TRUE; 975 } 976 break; 977 } 978 979 /* 980 * Remember the ISDN type, as we need it to interpret the 981 * channel number in ISDN captures. 982 */ 983 netxray->isdn_type = isdn_type; 984 985 /* Remember the offset after the last packet in the capture (which 986 * isn't necessarily the last packet in the file), as it appears 987 * there's sometimes crud after it. 988 * XXX: Remember 'start_offset' to help testing for 'short file' at EOF 989 */ 990 netxray->wrapped = FALSE; 991 netxray->nframes = pletoh32(&hdr.nframes); 992 netxray->start_offset = pletoh32(&hdr.start_offset); 993 netxray->end_offset = pletoh32(&hdr.end_offset); 994 995 /* Seek to the beginning of the data records. */ 996 if (file_seek(wth->fh, netxray->start_offset, SEEK_SET, err) == -1) { 997 return WTAP_OPEN_ERROR; 998 } 999 1000 /* 1001 * Add an IDB; we don't know how many interfaces were 1002 * involved, so we just say one interface, about which 1003 * we only know the link-layer type, snapshot length, 1004 * and time stamp resolution. 1005 */ 1006 wtap_add_generated_idb(wth); 1007 1008 return WTAP_OPEN_MINE; 1009 } 1010 1011 /* Read the next packet */ 1012 static gboolean 1013 netxray_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err, 1014 gchar **err_info, gint64 *data_offset) 1015 { 1016 netxray_t *netxray = (netxray_t *)wth->priv; 1017 int padding; 1018 1019 reread: 1020 /* 1021 * Return the offset of the record header, so we can reread it 1022 * if we go back to this frame. 1023 */ 1024 *data_offset = file_tell(wth->fh); 1025 1026 /* Have we reached the end of the packet data? */ 1027 if (*data_offset == netxray->end_offset) { 1028 /* Yes. */ 1029 *err = 0; /* it's just an EOF, not an error */ 1030 return FALSE; 1031 } 1032 1033 /* Read and process record header. */ 1034 padding = netxray_process_rec_header(wth, wth->fh, rec, err, err_info); 1035 if (padding < 0) { 1036 /* 1037 * Error or EOF. 1038 */ 1039 if (*err != 0) { 1040 /* 1041 * Error of some sort; give up. 1042 */ 1043 return FALSE; 1044 } 1045 1046 /* We're at EOF. Wrap? 1047 * XXX: Need to handle 'short file' cases 1048 * (Distributed Sniffer seems to have a 1049 * certain small propensity to generate 'short' files 1050 * i.e. [many] bytes are missing from the end of the file) 1051 * case 1: start_offset < end_offset 1052 * wrap will read already read packets again; 1053 * so: error with "short file" 1054 * case 2: start_offset > end_offset ("circular" file) 1055 * wrap will mean there's a gap (missing packets). 1056 * However, I don't see a good way to identify this 1057 * case so we'll just have to allow the wrap. 1058 * (Maybe there can be an error message after all 1059 * packets are read since there'll be less packets than 1060 * specified in the file header). 1061 * Note that these cases occur *only* if a 'short' eof occurs exactly 1062 * at the expected beginning of a frame header record; If there is a 1063 * partial frame header (or partial frame data) record, then the 1064 * netxray_read... functions will detect the short record. 1065 */ 1066 if (netxray->start_offset < netxray->end_offset) { 1067 *err = WTAP_ERR_SHORT_READ; 1068 return FALSE; 1069 } 1070 1071 if (!netxray->wrapped) { 1072 /* Yes. Remember that we did. */ 1073 netxray->wrapped = TRUE; 1074 if (file_seek(wth->fh, CAPTUREFILE_HEADER_SIZE, 1075 SEEK_SET, err) == -1) 1076 return FALSE; 1077 goto reread; 1078 } 1079 1080 /* We've already wrapped - don't wrap again. */ 1081 return FALSE; 1082 } 1083 1084 /* 1085 * Read the packet data. 1086 */ 1087 if (!wtap_read_packet_bytes(wth->fh, buf, 1088 rec->rec_header.packet_header.caplen, err, err_info)) 1089 return FALSE; 1090 1091 /* 1092 * If there's extra stuff at the end of the record, skip it. 1093 */ 1094 if (!wtap_read_bytes(wth->fh, NULL, padding, err, err_info)) 1095 return FALSE; 1096 1097 /* 1098 * If it's an ATM packet, and we don't have enough information 1099 * from the packet header to determine its type or subtype, 1100 * attempt to guess them from the packet data. 1101 */ 1102 netxray_guess_atm_type(wth, rec, buf); 1103 return TRUE; 1104 } 1105 1106 static gboolean 1107 netxray_seek_read(wtap *wth, gint64 seek_off, 1108 wtap_rec *rec, Buffer *buf, 1109 int *err, gchar **err_info) 1110 { 1111 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1) 1112 return FALSE; 1113 1114 if (netxray_process_rec_header(wth, wth->random_fh, rec, err, 1115 err_info) == -1) { 1116 if (*err == 0) { 1117 /* 1118 * EOF - we report that as a short read, as 1119 * we've read this once and know that it 1120 * should be there. 1121 */ 1122 *err = WTAP_ERR_SHORT_READ; 1123 } 1124 return FALSE; 1125 } 1126 1127 /* 1128 * Read the packet data. 1129 */ 1130 if (!wtap_read_packet_bytes(wth->random_fh, buf, rec->rec_header.packet_header.caplen, err, 1131 err_info)) 1132 return FALSE; 1133 1134 /* 1135 * If it's an ATM packet, and we don't have enough information 1136 * from the packet header to determine its type or subtype, 1137 * attempt to guess them from the packet data. 1138 */ 1139 netxray_guess_atm_type(wth, rec, buf); 1140 return TRUE; 1141 } 1142 1143 static int 1144 netxray_process_rec_header(wtap *wth, FILE_T fh, wtap_rec *rec, 1145 int *err, gchar **err_info) 1146 { 1147 netxray_t *netxray = (netxray_t *)wth->priv; 1148 union netxrayrec_hdr hdr; 1149 int hdr_size = 0; 1150 double t; 1151 int packet_size; 1152 int padding = 0; 1153 1154 /* Read record header. */ 1155 switch (netxray->version_major) { 1156 1157 case 0: 1158 hdr_size = sizeof (struct old_netxrayrec_hdr); 1159 break; 1160 1161 case 1: 1162 hdr_size = sizeof (struct netxrayrec_1_x_hdr); 1163 break; 1164 1165 case 2: 1166 hdr_size = sizeof (struct netxrayrec_2_x_hdr); 1167 break; 1168 } 1169 if (!wtap_read_bytes_or_eof(fh, (void *)&hdr, hdr_size, err, err_info)) { 1170 /* 1171 * If *err is 0, we're at EOF. *err being 0 and a return 1172 * value of -1 tells our caller we're at EOF. 1173 * 1174 * Otherwise, we got an error, and *err *not* being 0 1175 * and a return value tells our caller we have an error. 1176 */ 1177 return -1; 1178 } 1179 1180 /* 1181 * If this is Ethernet, 802.11, ISDN, X.25, or ATM, set the 1182 * pseudo-header. 1183 */ 1184 switch (netxray->version_major) { 1185 1186 case 1: 1187 switch (wth->file_encap) { 1188 1189 case WTAP_ENCAP_ETHERNET: 1190 /* 1191 * XXX - if hdr_1_x.xxx[15] is 1 1192 * the frame appears not to have any extra 1193 * stuff at the end, but if it's 0, 1194 * there appears to be 4 bytes of stuff 1195 * at the end, but it's not an FCS. 1196 * 1197 * Or is that just the low-order bit? 1198 * 1199 * For now, we just say "no FCS". 1200 */ 1201 rec->rec_header.packet_header.pseudo_header.eth.fcs_len = 0; 1202 break; 1203 } 1204 break; 1205 1206 case 2: 1207 switch (wth->file_encap) { 1208 1209 case WTAP_ENCAP_ETHERNET: 1210 /* 1211 * It appears, at least with version 2 captures, 1212 * that we have 4 bytes of stuff (which might be 1213 * a valid FCS or might be junk) at the end of 1214 * the packet if hdr_2_x.xxx[2] and 1215 * hdr_2_x.xxx[3] are 0xff, and we don't if 1216 * they don't. 1217 * 1218 * It also appears that if the low-order bit of 1219 * hdr_2_x.xxx[8] is set, the packet has a 1220 * bad FCS. 1221 */ 1222 if (hdr.hdr_2_x.xxx[2] == 0xff && 1223 hdr.hdr_2_x.xxx[3] == 0xff) { 1224 /* 1225 * We have 4 bytes of stuff at the 1226 * end of the frame - FCS, or junk? 1227 */ 1228 if (netxray->fcs_valid) { 1229 /* 1230 * FCS. 1231 */ 1232 rec->rec_header.packet_header.pseudo_header.eth.fcs_len = 4; 1233 } else { 1234 /* 1235 * Junk. 1236 */ 1237 padding = 4; 1238 } 1239 } else 1240 rec->rec_header.packet_header.pseudo_header.eth.fcs_len = 0; 1241 break; 1242 1243 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO: 1244 /* 1245 * It appears, in one 802.11 capture, that 1246 * we have 4 bytes of junk at the ends of 1247 * frames in which hdr_2_x.xxx[2] and 1248 * hdr_2_x.xxx[3] are 0xff; I haven't 1249 * seen any frames where it's an FCS, but, 1250 * for now, we still check the fcs_valid 1251 * flag - I also haven't seen any capture 1252 * where we'd set it based on the realtick 1253 * value. 1254 * 1255 * It also appears that if the low-order bit of 1256 * hdr_2_x.xxx[8] is set, the packet has a 1257 * bad FCS. According to Ken Mann, the 0x4 bit 1258 * is sometimes also set for errors. 1259 * 1260 * Ken also says that xxx[11] is 0x5 when the 1261 * packet is WEP-encrypted. 1262 */ 1263 memset(&rec->rec_header.packet_header.pseudo_header.ieee_802_11, 0, sizeof(rec->rec_header.packet_header.pseudo_header.ieee_802_11)); 1264 if (hdr.hdr_2_x.xxx[2] == 0xff && 1265 hdr.hdr_2_x.xxx[3] == 0xff) { 1266 /* 1267 * We have 4 bytes of stuff at the 1268 * end of the frame - FCS, or junk? 1269 */ 1270 if (netxray->fcs_valid) { 1271 /* 1272 * FCS. 1273 */ 1274 rec->rec_header.packet_header.pseudo_header.ieee_802_11.fcs_len = 4; 1275 } else { 1276 /* 1277 * Junk. 1278 */ 1279 padding = 4; 1280 } 1281 } else 1282 rec->rec_header.packet_header.pseudo_header.ieee_802_11.fcs_len = 0; 1283 1284 rec->rec_header.packet_header.pseudo_header.ieee_802_11.decrypted = FALSE; 1285 rec->rec_header.packet_header.pseudo_header.ieee_802_11.datapad = FALSE; 1286 rec->rec_header.packet_header.pseudo_header.ieee_802_11.phy = PHDR_802_11_PHY_UNKNOWN; 1287 1288 /* 1289 * XXX - any other information, such as PHY 1290 * type, frequency, 11n/11ac information, 1291 * etc.? 1292 */ 1293 rec->rec_header.packet_header.pseudo_header.ieee_802_11.has_channel = TRUE; 1294 rec->rec_header.packet_header.pseudo_header.ieee_802_11.channel = 1295 hdr.hdr_2_x.xxx[12]; 1296 1297 rec->rec_header.packet_header.pseudo_header.ieee_802_11.has_data_rate = TRUE; 1298 rec->rec_header.packet_header.pseudo_header.ieee_802_11.data_rate = 1299 hdr.hdr_2_x.xxx[13]; 1300 1301 rec->rec_header.packet_header.pseudo_header.ieee_802_11.has_signal_percent = TRUE; 1302 rec->rec_header.packet_header.pseudo_header.ieee_802_11.signal_percent = 1303 hdr.hdr_2_x.xxx[14]; 1304 1305 /* 1306 * According to Ken Mann, at least in the captures 1307 * he's seen, xxx[15] is the noise level, which 1308 * is either 0xFF meaning "none reported" or a value 1309 * from 0x00 to 0x7F for 0 to 100%. 1310 */ 1311 if (hdr.hdr_2_x.xxx[15] != 0xFF) { 1312 rec->rec_header.packet_header.pseudo_header.ieee_802_11.has_noise_percent = TRUE; 1313 rec->rec_header.packet_header.pseudo_header.ieee_802_11.noise_percent = 1314 hdr.hdr_2_x.xxx[15]*100/127; 1315 } 1316 break; 1317 1318 case WTAP_ENCAP_ISDN: 1319 /* 1320 * ISDN. 1321 * 1322 * The bottommost bit of byte 12 of hdr_2_x.xxx 1323 * is the direction flag. 1324 * 1325 * The bottom 5 bits of byte 13 of hdr_2_x.xxx 1326 * are the channel number, but some mapping is 1327 * required for PRI. (Is it really just the time 1328 * slot?) 1329 */ 1330 rec->rec_header.packet_header.pseudo_header.isdn.uton = 1331 (hdr.hdr_2_x.xxx[12] & 0x01); 1332 rec->rec_header.packet_header.pseudo_header.isdn.channel = 1333 hdr.hdr_2_x.xxx[13] & 0x1F; 1334 switch (netxray->isdn_type) { 1335 1336 case 1: 1337 /* 1338 * E1 PRI. Channel numbers 0 and 16 1339 * are the D channel; channel numbers 1 1340 * through 15 are B1 through B15; channel 1341 * numbers 17 through 31 are B16 through 1342 * B31. 1343 */ 1344 if (rec->rec_header.packet_header.pseudo_header.isdn.channel == 16) 1345 rec->rec_header.packet_header.pseudo_header.isdn.channel = 0; 1346 else if (rec->rec_header.packet_header.pseudo_header.isdn.channel > 16) 1347 rec->rec_header.packet_header.pseudo_header.isdn.channel -= 1; 1348 break; 1349 1350 case 2: 1351 /* 1352 * T1 PRI. Channel numbers 0 and 24 1353 * are the D channel; channel numbers 1 1354 * through 23 are B1 through B23. 1355 */ 1356 if (rec->rec_header.packet_header.pseudo_header.isdn.channel == 24) 1357 rec->rec_header.packet_header.pseudo_header.isdn.channel = 0; 1358 else if (rec->rec_header.packet_header.pseudo_header.isdn.channel > 24) 1359 rec->rec_header.packet_header.pseudo_header.isdn.channel -= 1; 1360 break; 1361 } 1362 1363 /* 1364 * It appears, at least with version 2 captures, 1365 * that we have 4 bytes of stuff (which might be 1366 * a valid FCS or might be junk) at the end of 1367 * the packet if hdr_2_x.xxx[2] and 1368 * hdr_2_x.xxx[3] are 0xff, and we don't if 1369 * they don't. 1370 * 1371 * XXX - does the low-order bit of hdr_2_x.xxx[8] 1372 * indicate a bad FCS, as is the case with 1373 * Ethernet? 1374 */ 1375 if (hdr.hdr_2_x.xxx[2] == 0xff && 1376 hdr.hdr_2_x.xxx[3] == 0xff) { 1377 /* 1378 * FCS, or junk, at the end. 1379 * XXX - is it an FCS if "fcs_valid" is 1380 * true? 1381 */ 1382 padding = 4; 1383 } 1384 break; 1385 1386 case WTAP_ENCAP_LAPB: 1387 case WTAP_ENCAP_FRELAY_WITH_PHDR: 1388 /* 1389 * LAPB/X.25 and Frame Relay. 1390 * 1391 * The bottommost bit of byte 12 of hdr_2_x.xxx 1392 * is the direction flag. (Probably true for other 1393 * HDLC encapsulations as well.) 1394 */ 1395 rec->rec_header.packet_header.pseudo_header.dte_dce.flags = 1396 (hdr.hdr_2_x.xxx[12] & 0x01) ? 0x00 : FROM_DCE; 1397 1398 /* 1399 * It appears, at least with version 2 captures, 1400 * that we have 4 bytes of stuff (which might be 1401 * a valid FCS or might be junk) at the end of 1402 * the packet if hdr_2_x.xxx[2] and 1403 * hdr_2_x.xxx[3] are 0xff, and we don't if 1404 * they don't. 1405 * 1406 * XXX - does the low-order bit of hdr_2_x.xxx[8] 1407 * indicate a bad FCS, as is the case with 1408 * Ethernet? 1409 */ 1410 if (hdr.hdr_2_x.xxx[2] == 0xff && 1411 hdr.hdr_2_x.xxx[3] == 0xff) { 1412 /* 1413 * FCS, or junk, at the end. 1414 * XXX - is it an FCS if "fcs_valid" is 1415 * true? 1416 */ 1417 padding = 4; 1418 } 1419 break; 1420 1421 case WTAP_ENCAP_PPP_WITH_PHDR: 1422 case WTAP_ENCAP_SDLC: 1423 case WTAP_ENCAP_CHDLC_WITH_PHDR: 1424 rec->rec_header.packet_header.pseudo_header.p2p.sent = 1425 (hdr.hdr_2_x.xxx[12] & 0x01) ? TRUE : FALSE; 1426 break; 1427 1428 case WTAP_ENCAP_ATM_PDUS_UNTRUNCATED: 1429 /* 1430 * XXX - the low-order bit of hdr_2_x.xxx[8] 1431 * seems to indicate some sort of error. In 1432 * at least one capture, a number of packets 1433 * have that flag set, and they appear either 1434 * to be the beginning part of an incompletely 1435 * reassembled AAL5 PDU, with either checksum 1436 * errors at higher levels (possibly due to 1437 * the packet being reported as shorter than 1438 * it actually is, and checksumming failing 1439 * because it doesn't include all the data) 1440 * or "Malformed frame" errors from being 1441 * too short, or appear to be later parts 1442 * of an incompletely reassembled AAL5 PDU 1443 * with the last one in a sequence of errors 1444 * having what looks like an AAL5 trailer, 1445 * with a length and checksum. 1446 * 1447 * Does it just mean "reassembly failed", 1448 * as appears to be the case in those 1449 * packets, or does it mean "CRC error" 1450 * at the AAL5 layer (which would be the 1451 * case if you were treating an incompletely 1452 * reassembled PDU as a completely reassembled 1453 * PDU, although you'd also expect a length 1454 * error in that case), or does it mean 1455 * "generic error", with some other flag 1456 * or flags indicating what particular 1457 * error occurred? The documentation 1458 * for Sniffer Pro 4.7 indicates a bunch 1459 * of different error types, both in general 1460 * and for ATM in particular. 1461 * 1462 * No obvious bits in hdr_2_x.xxx appear 1463 * to be additional flags of that sort. 1464 * 1465 * XXX - in that capture, I see several 1466 * reassembly errors in a row; should those 1467 * packets be reassembled in the ATM dissector? 1468 * What happens if a reassembly fails because 1469 * a cell is bad? 1470 */ 1471 rec->rec_header.packet_header.pseudo_header.atm.flags = 0; 1472 if (hdr.hdr_2_x.xxx[8] & 0x01) 1473 rec->rec_header.packet_header.pseudo_header.atm.flags |= ATM_REASSEMBLY_ERROR; 1474 /* 1475 * XXX - is 0x08 an "OAM cell" flag? 1476 * Are the 0x01 and 0x02 bits error indications? 1477 * Some packets in one capture that have the 1478 * 0x01 bit set in hdr_2_x.xxx[8] and that 1479 * appear to have been reassembled completely 1480 * but have a bad CRC have 0x03 in hdr_2_x.xxx[9] 1481 * (and don't have the 0x20 bit set). 1482 * 1483 * In the capture with incomplete reassemblies, 1484 * all packets have the 0x20 bit set. In at 1485 * least some of the captures with complete 1486 * reassemblies with CRC errors, no packets 1487 * have the 0x20 bit set. 1488 * 1489 * Are hdr_2_x.xxx[8] and hdr_2_x.xxx[9] a 16-bit 1490 * flag field? 1491 */ 1492 if (hdr.hdr_2_x.xxx[9] & 0x04) 1493 rec->rec_header.packet_header.pseudo_header.atm.flags |= ATM_RAW_CELL; 1494 rec->rec_header.packet_header.pseudo_header.atm.vpi = hdr.hdr_2_x.xxx[11]; 1495 rec->rec_header.packet_header.pseudo_header.atm.vci = pletoh16(&hdr.hdr_2_x.xxx[12]); 1496 rec->rec_header.packet_header.pseudo_header.atm.channel = 1497 (hdr.hdr_2_x.xxx[15] & 0x10)? 1 : 0; 1498 rec->rec_header.packet_header.pseudo_header.atm.cells = 0; 1499 1500 /* 1501 * XXX - the uppermost bit of hdr_2_xxx[0] 1502 * looks as if it might be a flag of some sort. 1503 * The remaining 3 bits appear to be an AAL 1504 * type - 5 is, surprise surprise, AAL5. 1505 */ 1506 switch (hdr.hdr_2_x.xxx[0] & 0x70) { 1507 1508 case 0x00: /* Unknown */ 1509 rec->rec_header.packet_header.pseudo_header.atm.aal = AAL_UNKNOWN; 1510 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_UNKNOWN; 1511 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN; 1512 break; 1513 1514 case 0x10: /* XXX - AAL1? */ 1515 rec->rec_header.packet_header.pseudo_header.atm.aal = AAL_UNKNOWN; 1516 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_UNKNOWN; 1517 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN; 1518 break; 1519 1520 case 0x20: /* XXX - AAL2? */ 1521 rec->rec_header.packet_header.pseudo_header.atm.aal = AAL_UNKNOWN; 1522 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_UNKNOWN; 1523 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN; 1524 break; 1525 1526 case 0x40: /* XXX - AAL3/4? */ 1527 rec->rec_header.packet_header.pseudo_header.atm.aal = AAL_UNKNOWN; 1528 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_UNKNOWN; 1529 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN; 1530 break; 1531 1532 case 0x30: /* XXX - AAL5 cells seen with this */ 1533 case 0x50: /* AAL5 (including signalling) */ 1534 case 0x60: /* XXX - AAL5 cells seen with this */ 1535 case 0x70: /* XXX - AAL5 cells seen with this */ 1536 rec->rec_header.packet_header.pseudo_header.atm.aal = AAL_5; 1537 /* 1538 * XXX - is the 0x08 bit of hdr_2_x.xxx[0] 1539 * a flag? I've not yet seen a case where 1540 * it matters. 1541 */ 1542 switch (hdr.hdr_2_x.xxx[0] & 0x07) { 1543 1544 case 0x01: 1545 case 0x02: /* Signalling traffic */ 1546 rec->rec_header.packet_header.pseudo_header.atm.aal = AAL_SIGNALLING; 1547 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_UNKNOWN; 1548 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN; 1549 break; 1550 1551 case 0x03: /* ILMI */ 1552 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_ILMI; 1553 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN; 1554 break; 1555 1556 case 0x00: 1557 case 0x04: 1558 case 0x05: 1559 /* 1560 * I've seen a frame with type 1561 * 0x30 and subtype 0x08 that 1562 * was LANE 802.3, a frame 1563 * with type 0x30 and subtype 1564 * 0x04 that was LANE 802.3, 1565 * and another frame with type 1566 * 0x30 and subtype 0x08 that 1567 * was junk with a string in 1568 * it that had also appeared 1569 * in some CDP and LE Control 1570 * frames, and that was preceded 1571 * by a malformed LE Control 1572 * frame - was that a reassembly 1573 * failure? 1574 * 1575 * I've seen frames with type 1576 * 0x50 and subtype 0x0c, some 1577 * of which were LE Control 1578 * frames, and at least one 1579 * of which was neither an LE 1580 * Control frame nor a LANE 1581 * 802.3 frame, and contained 1582 * the string "ForeThought_6.2.1 1583 * Alpha" - does that imply 1584 * FORE's own encapsulation, 1585 * or was this a reassembly failure? 1586 * The latter frame was preceded 1587 * by a malformed LE Control 1588 * frame. 1589 * 1590 * I've seen a couple of frames 1591 * with type 0x60 and subtype 0x00, 1592 * one of which was LANE 802.3 and 1593 * one of which was LE Control. 1594 * I've seen one frame with type 1595 * 0x60 and subtype 0x0c, which 1596 * was LANE 802.3. 1597 * 1598 * I've seen a couple of frames 1599 * with type 0x70 and subtype 0x00, 1600 * both of which were LANE 802.3. 1601 */ 1602 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_LANE; 1603 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN; 1604 break; 1605 1606 case 0x06: /* XXX - not seen yet */ 1607 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_UNKNOWN; 1608 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN; 1609 break; 1610 1611 case 0x07: /* LLC multiplexed */ 1612 rec->rec_header.packet_header.pseudo_header.atm.type = TRAF_LLCMX; /* XXX */ 1613 rec->rec_header.packet_header.pseudo_header.atm.subtype = TRAF_ST_UNKNOWN; /* XXX */ 1614 break; 1615 } 1616 break; 1617 } 1618 break; 1619 } 1620 break; 1621 } 1622 1623 rec->rec_type = REC_TYPE_PACKET; 1624 rec->block = wtap_block_create(WTAP_BLOCK_PACKET); 1625 if (netxray->version_major == 0) { 1626 rec->presence_flags = WTAP_HAS_TS; 1627 t = (double)pletoh32(&hdr.old_hdr.timelo) 1628 + (double)pletoh32(&hdr.old_hdr.timehi)*4294967296.0; 1629 t /= netxray->ticks_per_sec; 1630 t -= netxray->start_timestamp; 1631 rec->ts.secs = netxray->start_time + (long)t; 1632 rec->ts.nsecs = (int)((t-(double)(unsigned long)(t)) 1633 *1.0e9); 1634 /* 1635 * We subtract the padding from the packet size, so our caller 1636 * doesn't see it. 1637 */ 1638 packet_size = pletoh16(&hdr.old_hdr.len); 1639 rec->rec_header.packet_header.caplen = packet_size - padding; 1640 rec->rec_header.packet_header.len = rec->rec_header.packet_header.caplen; 1641 } else { 1642 rec->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN; 1643 t = (double)pletoh32(&hdr.hdr_1_x.timelo) 1644 + (double)pletoh32(&hdr.hdr_1_x.timehi)*4294967296.0; 1645 t /= netxray->ticks_per_sec; 1646 t -= netxray->start_timestamp; 1647 rec->ts.secs = netxray->start_time + (time_t)t; 1648 rec->ts.nsecs = (int)((t-(double)(unsigned long)(t)) 1649 *1.0e9); 1650 /* 1651 * We subtract the padding from the packet size, so our caller 1652 * doesn't see it. 1653 */ 1654 packet_size = pletoh16(&hdr.hdr_1_x.incl_len); 1655 rec->rec_header.packet_header.caplen = packet_size - padding; 1656 rec->rec_header.packet_header.len = pletoh16(&hdr.hdr_1_x.orig_len) - padding; 1657 } 1658 1659 return padding; 1660 } 1661 1662 static void 1663 netxray_guess_atm_type(wtap *wth, wtap_rec *rec, Buffer *buf) 1664 { 1665 const guint8 *pd; 1666 1667 if (wth->file_encap == WTAP_ENCAP_ATM_PDUS_UNTRUNCATED && 1668 !(rec->rec_header.packet_header.pseudo_header.atm.flags & ATM_REASSEMBLY_ERROR)) { 1669 if (rec->rec_header.packet_header.pseudo_header.atm.aal == AAL_UNKNOWN) { 1670 /* 1671 * Try to guess the type and subtype based 1672 * on the VPI/VCI and packet contents. 1673 */ 1674 pd = ws_buffer_start_ptr(buf); 1675 atm_guess_traffic_type(rec, pd); 1676 } else if (rec->rec_header.packet_header.pseudo_header.atm.aal == AAL_5 && 1677 rec->rec_header.packet_header.pseudo_header.atm.type == TRAF_LANE) { 1678 /* 1679 * Try to guess the subtype based on the 1680 * packet contents. 1681 */ 1682 pd = ws_buffer_start_ptr(buf); 1683 atm_guess_lane_type(rec, pd); 1684 } 1685 } 1686 } 1687 1688 typedef struct { 1689 gboolean first_frame; 1690 nstime_t start; 1691 guint32 nframes; 1692 } netxray_dump_t; 1693 1694 static const struct { 1695 int wtap_encap_value; 1696 int ndis_value; 1697 } wtap_encap_1_1[] = { 1698 { WTAP_ENCAP_ETHERNET, 0 }, /* -> NDIS Ethernet */ 1699 { WTAP_ENCAP_TOKEN_RING, 1 }, /* -> NDIS Token Ring */ 1700 { WTAP_ENCAP_FDDI, 2 }, /* -> NDIS FDDI */ 1701 { WTAP_ENCAP_FDDI_BITSWAPPED, 2 }, /* -> NDIS FDDI */ 1702 }; 1703 #define NUM_WTAP_ENCAPS_1_1 (sizeof wtap_encap_1_1 / sizeof wtap_encap_1_1[0]) 1704 1705 static int 1706 wtap_encap_to_netxray_1_1_encap(int encap) 1707 { 1708 unsigned int i; 1709 1710 for (i = 0; i < NUM_WTAP_ENCAPS_1_1; i++) { 1711 if (encap == wtap_encap_1_1[i].wtap_encap_value) 1712 return wtap_encap_1_1[i].ndis_value; 1713 } 1714 1715 return -1; 1716 } 1717 1718 /* Returns 0 if we could write the specified encapsulation type, 1719 an error indication otherwise. */ 1720 static int 1721 netxray_dump_can_write_encap_1_1(int encap) 1722 { 1723 /* Per-packet encapsulations aren't supported. */ 1724 if (encap == WTAP_ENCAP_PER_PACKET) 1725 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED; 1726 1727 if (wtap_encap_to_netxray_1_1_encap(encap) == -1) 1728 return WTAP_ERR_UNWRITABLE_ENCAP; 1729 1730 return 0; 1731 } 1732 1733 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on 1734 failure */ 1735 static gboolean 1736 netxray_dump_open_1_1(wtap_dumper *wdh, int *err, gchar **err_info _U_) 1737 { 1738 netxray_dump_t *netxray; 1739 1740 wdh->subtype_write = netxray_dump_1_1; 1741 wdh->subtype_finish = netxray_dump_finish_1_1; 1742 1743 /* We can't fill in all the fields in the file header, as we 1744 haven't yet written any packets. As we'll have to rewrite 1745 the header when we've written out all the packets, we just 1746 skip over the header for now. */ 1747 if (wtap_dump_file_seek(wdh, CAPTUREFILE_HEADER_SIZE, SEEK_SET, err) == -1) 1748 return FALSE; 1749 wdh->bytes_dumped += CAPTUREFILE_HEADER_SIZE; 1750 1751 netxray = g_new(netxray_dump_t, 1); 1752 wdh->priv = (void *)netxray; 1753 netxray->first_frame = TRUE; 1754 netxray->start.secs = 0; 1755 netxray->start.nsecs = 0; 1756 netxray->nframes = 0; 1757 1758 return TRUE; 1759 } 1760 1761 /* Write a record for a packet to a dump file. 1762 Returns TRUE on success, FALSE on failure. */ 1763 static gboolean 1764 netxray_dump_1_1(wtap_dumper *wdh, 1765 const wtap_rec *rec, 1766 const guint8 *pd, int *err, gchar **err_info _U_) 1767 { 1768 netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv; 1769 guint64 timestamp; 1770 guint32 t32; 1771 struct netxrayrec_1_x_hdr rec_hdr; 1772 1773 /* We can only write packet records. */ 1774 if (rec->rec_type != REC_TYPE_PACKET) { 1775 *err = WTAP_ERR_UNWRITABLE_REC_TYPE; 1776 return FALSE; 1777 } 1778 1779 /* 1780 * Make sure this packet doesn't have a link-layer type that 1781 * differs from the one for the file. 1782 */ 1783 if (wdh->encap != rec->rec_header.packet_header.pkt_encap) { 1784 *err = WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED; 1785 return FALSE; 1786 } 1787 1788 /* The captured length field is 16 bits, so there's a hard 1789 limit of 65535. */ 1790 if (rec->rec_header.packet_header.caplen > 65535) { 1791 *err = WTAP_ERR_PACKET_TOO_LARGE; 1792 return FALSE; 1793 } 1794 1795 /* NetXRay/Windows Sniffer files have a capture start date/time 1796 in the header, in a UNIX-style format, with one-second resolution, 1797 and a start time stamp with microsecond resolution that's just 1798 an arbitrary time stamp relative to some unknown time (boot 1799 time?), and have times relative to the start time stamp in 1800 the packet headers; pick the seconds value of the time stamp 1801 of the first packet as the UNIX-style start date/time, and make 1802 the high-resolution start time stamp 0, with the time stamp of 1803 packets being the delta between the stamp of the packet and 1804 the stamp of the first packet with the microseconds part 0. */ 1805 if (netxray->first_frame) { 1806 netxray->first_frame = FALSE; 1807 netxray->start = rec->ts; 1808 } 1809 1810 /* build the header for each packet */ 1811 memset(&rec_hdr, '\0', sizeof(rec_hdr)); 1812 timestamp = ((guint64)rec->ts.secs - (guint64)netxray->start.secs)*1000000 1813 + ((guint64)rec->ts.nsecs)/1000; 1814 t32 = (guint32)(timestamp%G_GINT64_CONSTANT(4294967296)); 1815 rec_hdr.timelo = GUINT32_TO_LE(t32); 1816 t32 = (guint32)(timestamp/G_GINT64_CONSTANT(4294967296)); 1817 rec_hdr.timehi = GUINT32_TO_LE(t32); 1818 rec_hdr.orig_len = GUINT16_TO_LE(rec->rec_header.packet_header.len); 1819 rec_hdr.incl_len = GUINT16_TO_LE(rec->rec_header.packet_header.caplen); 1820 1821 if (!wtap_dump_file_write(wdh, &rec_hdr, sizeof(rec_hdr), err)) 1822 return FALSE; 1823 wdh->bytes_dumped += sizeof(rec_hdr); 1824 1825 /* write the packet data */ 1826 if (!wtap_dump_file_write(wdh, pd, rec->rec_header.packet_header.caplen, err)) 1827 return FALSE; 1828 wdh->bytes_dumped += rec->rec_header.packet_header.caplen; 1829 1830 netxray->nframes++; 1831 1832 return TRUE; 1833 } 1834 1835 /* Finish writing to a dump file. 1836 Returns TRUE on success, FALSE on failure. */ 1837 static gboolean 1838 netxray_dump_finish_1_1(wtap_dumper *wdh, int *err, gchar **err_info _U_) 1839 { 1840 char hdr_buf[CAPTUREFILE_HEADER_SIZE - sizeof(netxray_magic)]; 1841 netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv; 1842 gint64 filelen; 1843 struct netxray_hdr file_hdr; 1844 1845 if (-1 == (filelen = wtap_dump_file_tell(wdh, err))) 1846 return FALSE; 1847 1848 /* Go back to beginning */ 1849 if (wtap_dump_file_seek(wdh, 0, SEEK_SET, err) == -1) 1850 return FALSE; 1851 1852 /* Rewrite the file header. */ 1853 if (!wtap_dump_file_write(wdh, netxray_magic, sizeof netxray_magic, err)) 1854 return FALSE; 1855 1856 /* "sniffer" version ? */ 1857 memset(&file_hdr, '\0', sizeof file_hdr); 1858 memcpy(file_hdr.version, vers_1_1, sizeof vers_1_1); 1859 file_hdr.start_time = GUINT32_TO_LE(netxray->start.secs); 1860 file_hdr.nframes = GUINT32_TO_LE(netxray->nframes); 1861 file_hdr.start_offset = GUINT32_TO_LE(CAPTUREFILE_HEADER_SIZE); 1862 /* XXX - large files? */ 1863 file_hdr.end_offset = GUINT32_TO_LE((guint32)filelen); 1864 file_hdr.network = wtap_encap_to_netxray_1_1_encap(wdh->encap); 1865 file_hdr.timelo = GUINT32_TO_LE(0); 1866 file_hdr.timehi = GUINT32_TO_LE(0); 1867 1868 memset(hdr_buf, '\0', sizeof hdr_buf); 1869 memcpy(hdr_buf, &file_hdr, sizeof(file_hdr)); 1870 if (!wtap_dump_file_write(wdh, hdr_buf, sizeof hdr_buf, err)) 1871 return FALSE; 1872 1873 return TRUE; 1874 } 1875 1876 static const struct { 1877 int wtap_encap_value; 1878 int ndis_value; 1879 } wtap_encap_2_0[] = { 1880 { WTAP_ENCAP_ETHERNET, 0 }, /* -> NDIS Ethernet */ 1881 { WTAP_ENCAP_TOKEN_RING, 1 }, /* -> NDIS Token Ring */ 1882 { WTAP_ENCAP_FDDI, 2 }, /* -> NDIS FDDI */ 1883 { WTAP_ENCAP_FDDI_BITSWAPPED, 2 }, /* -> NDIS FDDI */ 1884 { WTAP_ENCAP_PPP_WITH_PHDR, 3 }, /* -> NDIS WAN */ 1885 { WTAP_ENCAP_FRELAY_WITH_PHDR, 3 }, /* -> NDIS WAN */ 1886 { WTAP_ENCAP_LAPB, 3 }, /* -> NDIS WAN */ 1887 { WTAP_ENCAP_SDLC, 3 }, /* -> NDIS WAN */ 1888 }; 1889 #define NUM_WTAP_ENCAPS_2_0 (sizeof wtap_encap_2_0 / sizeof wtap_encap_2_0[0]) 1890 1891 static int 1892 wtap_encap_to_netxray_2_0_encap(int encap) 1893 { 1894 unsigned int i; 1895 1896 for (i = 0; i < NUM_WTAP_ENCAPS_2_0; i++) { 1897 if (encap == wtap_encap_2_0[i].wtap_encap_value) 1898 return wtap_encap_2_0[i].ndis_value; 1899 } 1900 1901 return -1; 1902 } 1903 1904 /* Returns 0 if we could write the specified encapsulation type, 1905 an error indication otherwise. */ 1906 static int 1907 netxray_dump_can_write_encap_2_0(int encap) 1908 { 1909 /* Per-packet encapsulations aren't supported. */ 1910 if (encap == WTAP_ENCAP_PER_PACKET) 1911 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED; 1912 1913 if (wtap_encap_to_netxray_2_0_encap(encap) == -1) 1914 return WTAP_ERR_UNWRITABLE_ENCAP; 1915 1916 return 0; 1917 } 1918 1919 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on 1920 failure */ 1921 static gboolean 1922 netxray_dump_open_2_0(wtap_dumper *wdh, int *err, gchar **err_info _U_) 1923 { 1924 netxray_dump_t *netxray; 1925 1926 wdh->subtype_write = netxray_dump_2_0; 1927 wdh->subtype_finish = netxray_dump_finish_2_0; 1928 1929 /* We can't fill in all the fields in the file header, as we 1930 haven't yet written any packets. As we'll have to rewrite 1931 the header when we've written out all the packets, we just 1932 skip over the header for now. */ 1933 if (wtap_dump_file_seek(wdh, CAPTUREFILE_HEADER_SIZE, SEEK_SET, err) == -1) 1934 return FALSE; 1935 1936 wdh->bytes_dumped += CAPTUREFILE_HEADER_SIZE; 1937 1938 netxray = g_new(netxray_dump_t, 1); 1939 wdh->priv = (void *)netxray; 1940 netxray->first_frame = TRUE; 1941 netxray->start.secs = 0; 1942 netxray->start.nsecs = 0; 1943 netxray->nframes = 0; 1944 1945 return TRUE; 1946 } 1947 1948 /* Write a record for a packet to a dump file. 1949 Returns TRUE on success, FALSE on failure. */ 1950 static gboolean 1951 netxray_dump_2_0(wtap_dumper *wdh, 1952 const wtap_rec *rec, 1953 const guint8 *pd, int *err, gchar **err_info _U_) 1954 { 1955 const union wtap_pseudo_header *pseudo_header = &rec->rec_header.packet_header.pseudo_header; 1956 netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv; 1957 guint64 timestamp; 1958 guint32 t32; 1959 struct netxrayrec_2_x_hdr rec_hdr; 1960 1961 /* We can only write packet records. */ 1962 if (rec->rec_type != REC_TYPE_PACKET) { 1963 *err = WTAP_ERR_UNWRITABLE_REC_TYPE; 1964 return FALSE; 1965 } 1966 1967 /* 1968 * Make sure this packet doesn't have a link-layer type that 1969 * differs from the one for the file. 1970 */ 1971 if (wdh->encap != rec->rec_header.packet_header.pkt_encap) { 1972 *err = WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED; 1973 return FALSE; 1974 } 1975 1976 /* Don't write anything we're not willing to read. */ 1977 if (rec->rec_header.packet_header.caplen > WTAP_MAX_PACKET_SIZE_STANDARD) { 1978 *err = WTAP_ERR_PACKET_TOO_LARGE; 1979 return FALSE; 1980 } 1981 1982 /* NetXRay/Windows Sniffer files have a capture start date/time 1983 in the header, in a UNIX-style format, with one-second resolution, 1984 and a start time stamp with microsecond resolution that's just 1985 an arbitrary time stamp relative to some unknown time (boot 1986 time?), and have times relative to the start time stamp in 1987 the packet headers; pick the seconds value of the time stamp 1988 of the first packet as the UNIX-style start date/time, and make 1989 the high-resolution start time stamp 0, with the time stamp of 1990 packets being the delta between the stamp of the packet and 1991 the stamp of the first packet with the microseconds part 0. */ 1992 if (netxray->first_frame) { 1993 netxray->first_frame = FALSE; 1994 netxray->start = rec->ts; 1995 } 1996 1997 /* build the header for each packet */ 1998 memset(&rec_hdr, '\0', sizeof(rec_hdr)); 1999 timestamp = ((guint64)rec->ts.secs - (guint64)netxray->start.secs)*1000000 2000 + ((guint64)rec->ts.nsecs)/1000; 2001 t32 = (guint32)(timestamp%G_GINT64_CONSTANT(4294967296)); 2002 rec_hdr.timelo = GUINT32_TO_LE(t32); 2003 t32 = (guint32)(timestamp/G_GINT64_CONSTANT(4294967296)); 2004 rec_hdr.timehi = GUINT32_TO_LE(t32); 2005 rec_hdr.orig_len = GUINT16_TO_LE(rec->rec_header.packet_header.len); 2006 rec_hdr.incl_len = GUINT16_TO_LE(rec->rec_header.packet_header.caplen); 2007 2008 switch (rec->rec_header.packet_header.pkt_encap) { 2009 2010 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO: 2011 rec_hdr.xxx[12] = 2012 pseudo_header->ieee_802_11.has_channel ? 2013 pseudo_header->ieee_802_11.channel : 2014 0; 2015 rec_hdr.xxx[13] = 2016 pseudo_header->ieee_802_11.has_data_rate ? 2017 (guint8)pseudo_header->ieee_802_11.data_rate : 2018 0; 2019 rec_hdr.xxx[14] = 2020 pseudo_header->ieee_802_11.has_signal_percent ? 2021 pseudo_header->ieee_802_11.signal_percent : 2022 0; 2023 rec_hdr.xxx[15] = 2024 pseudo_header->ieee_802_11.has_noise_percent ? 2025 pseudo_header->ieee_802_11.noise_percent*127/100 : 2026 0xFF; 2027 break; 2028 2029 case WTAP_ENCAP_PPP_WITH_PHDR: 2030 case WTAP_ENCAP_SDLC: 2031 rec_hdr.xxx[12] |= pseudo_header->p2p.sent ? 0x01 : 0x00; 2032 break; 2033 2034 case WTAP_ENCAP_FRELAY_WITH_PHDR: 2035 rec_hdr.xxx[12] |= (pseudo_header->dte_dce.flags & FROM_DCE) ? 0x00 : 0x01; 2036 break; 2037 } 2038 2039 if (!wtap_dump_file_write(wdh, &rec_hdr, sizeof(rec_hdr), err)) 2040 return FALSE; 2041 wdh->bytes_dumped += sizeof(rec_hdr); 2042 2043 /* write the packet data */ 2044 if (!wtap_dump_file_write(wdh, pd, rec->rec_header.packet_header.caplen, err)) 2045 return FALSE; 2046 wdh->bytes_dumped += rec->rec_header.packet_header.caplen; 2047 2048 netxray->nframes++; 2049 2050 return TRUE; 2051 } 2052 2053 /* Finish writing to a dump file. 2054 Returns TRUE on success, FALSE on failure. */ 2055 static gboolean 2056 netxray_dump_finish_2_0(wtap_dumper *wdh, int *err, gchar **err_info _U_) 2057 { 2058 char hdr_buf[CAPTUREFILE_HEADER_SIZE - sizeof(netxray_magic)]; 2059 netxray_dump_t *netxray = (netxray_dump_t *)wdh->priv; 2060 gint64 filelen; 2061 struct netxray_hdr file_hdr; 2062 2063 if (-1 == (filelen = wtap_dump_file_tell(wdh, err))) 2064 return FALSE; 2065 2066 /* Go back to beginning */ 2067 if (wtap_dump_file_seek(wdh, 0, SEEK_SET, err) == -1) 2068 return FALSE; 2069 2070 /* Rewrite the file header. */ 2071 if (!wtap_dump_file_write(wdh, netxray_magic, sizeof netxray_magic, err)) 2072 return FALSE; 2073 2074 /* "sniffer" version ? */ 2075 memset(&file_hdr, '\0', sizeof file_hdr); 2076 memcpy(file_hdr.version, vers_2_001, sizeof vers_2_001); 2077 file_hdr.start_time = GUINT32_TO_LE(netxray->start.secs); 2078 file_hdr.nframes = GUINT32_TO_LE(netxray->nframes); 2079 file_hdr.start_offset = GUINT32_TO_LE(CAPTUREFILE_HEADER_SIZE); 2080 /* XXX - large files? */ 2081 file_hdr.end_offset = GUINT32_TO_LE((guint32)filelen); 2082 file_hdr.network = wtap_encap_to_netxray_2_0_encap(wdh->encap); 2083 file_hdr.timelo = GUINT32_TO_LE(0); 2084 file_hdr.timehi = GUINT32_TO_LE(0); 2085 switch (wdh->encap) { 2086 2087 case WTAP_ENCAP_PPP_WITH_PHDR: 2088 file_hdr.captype = WAN_CAPTYPE_PPP; 2089 break; 2090 2091 case WTAP_ENCAP_FRELAY_WITH_PHDR: 2092 file_hdr.captype = WAN_CAPTYPE_FRELAY; 2093 break; 2094 2095 case WTAP_ENCAP_LAPB: 2096 file_hdr.captype = WAN_CAPTYPE_HDLC; 2097 file_hdr.wan_hdlc_subsub_captype = 0; 2098 break; 2099 2100 case WTAP_ENCAP_SDLC: 2101 file_hdr.captype = WAN_CAPTYPE_SDLC; 2102 break; 2103 2104 default: 2105 file_hdr.captype = CAPTYPE_NDIS; 2106 break; 2107 } 2108 2109 memset(hdr_buf, '\0', sizeof hdr_buf); 2110 memcpy(hdr_buf, &file_hdr, sizeof(file_hdr)); 2111 if (!wtap_dump_file_write(wdh, hdr_buf, sizeof hdr_buf, err)) 2112 return FALSE; 2113 2114 return TRUE; 2115 } 2116 2117 static const struct supported_block_type netxray_old_blocks_supported[] = { 2118 /* 2119 * We support packet blocks, with no comments or other options. 2120 */ 2121 { WTAP_BLOCK_PACKET, MULTIPLE_BLOCKS_SUPPORTED, NO_OPTIONS_SUPPORTED } 2122 }; 2123 2124 static const struct file_type_subtype_info netxray_old_info = { 2125 "Cinco Networks NetXRay 1.x", "netxray1", "cap", NULL, 2126 TRUE, BLOCKS_SUPPORTED(netxray_old_blocks_supported), 2127 NULL, NULL, NULL 2128 }; 2129 2130 static const struct supported_block_type netxray_1_0_blocks_supported[] = { 2131 /* 2132 * We support packet blocks, with no comments or other options. 2133 */ 2134 { WTAP_BLOCK_PACKET, MULTIPLE_BLOCKS_SUPPORTED, NO_OPTIONS_SUPPORTED } 2135 }; 2136 2137 static const struct file_type_subtype_info netxray_1_0_info = { 2138 "Cinco Networks NetXRay 2.0 or later", "netxray2", "cap", NULL, 2139 TRUE, BLOCKS_SUPPORTED(netxray_1_0_blocks_supported), 2140 NULL, NULL, NULL 2141 }; 2142 2143 static const struct supported_block_type netxray_1_1_blocks_supported[] = { 2144 /* 2145 * We support packet blocks, with no comments or other options. 2146 */ 2147 { WTAP_BLOCK_PACKET, MULTIPLE_BLOCKS_SUPPORTED, NO_OPTIONS_SUPPORTED } 2148 }; 2149 2150 static const struct file_type_subtype_info netxray_1_1_info = { 2151 "NetXray, Sniffer (Windows) 1.1", "ngwsniffer_1_1", "cap", NULL, 2152 TRUE, BLOCKS_SUPPORTED(netxray_1_1_blocks_supported), 2153 netxray_dump_can_write_encap_1_1, netxray_dump_open_1_1, NULL 2154 }; 2155 2156 static const struct supported_block_type netxray_2_00x_blocks_supported[] = { 2157 /* 2158 * We support packet blocks, with no comments or other options. 2159 */ 2160 { WTAP_BLOCK_PACKET, MULTIPLE_BLOCKS_SUPPORTED, NO_OPTIONS_SUPPORTED } 2161 }; 2162 2163 static const struct file_type_subtype_info netxray_2_00x_info = { 2164 "Sniffer (Windows) 2.00x", "ngwsniffer_2_0", "cap", "caz", 2165 TRUE, BLOCKS_SUPPORTED(netxray_2_00x_blocks_supported), 2166 netxray_dump_can_write_encap_2_0, netxray_dump_open_2_0, NULL 2167 }; 2168 2169 void register_netxray(void) 2170 { 2171 netxray_old_file_type_subtype = wtap_register_file_type_subtype(&netxray_old_info); 2172 netxray_1_0_file_type_subtype = wtap_register_file_type_subtype(&netxray_1_0_info); 2173 netxray_1_1_file_type_subtype = wtap_register_file_type_subtype(&netxray_1_1_info); 2174 netxray_2_00x_file_type_subtype = wtap_register_file_type_subtype(&netxray_2_00x_info); 2175 2176 /* 2177 * Register names for backwards compatibility with the 2178 * wtap_filetypes table in Lua. 2179 */ 2180 wtap_register_backwards_compatibility_lua_name("NETXRAY_OLD", 2181 netxray_old_file_type_subtype); 2182 wtap_register_backwards_compatibility_lua_name("NETXRAY_1_0", 2183 netxray_1_0_file_type_subtype); 2184 wtap_register_backwards_compatibility_lua_name("NETXRAY_1_1", 2185 netxray_1_1_file_type_subtype); 2186 wtap_register_backwards_compatibility_lua_name("NETXRAY_2_00x", 2187 netxray_2_00x_file_type_subtype); 2188 } 2189 2190 /* 2191 * Editor modelines - https://www.wireshark.org/tools/modelines.html 2192 * 2193 * Local variables: 2194 * c-basic-offset: 8 2195 * tab-width: 8 2196 * indent-tabs-mode: t 2197 * End: 2198 * 2199 * vi: set shiftwidth=8 tabstop=8 noexpandtab: 2200 * :indentSize=8:tabSize=8:noTabs=false: 2201 */ 2202