static void
netmon_set_pseudo_header_info(int pkt_encap,
union wtap_pseudo_header *pseudo_header, guint8 *pd, int length)
{
switch (pkt_encap) {
case WTAP_ENCAP_ATM_PDUS:
/*
* Attempt to guess from the packet data, the VPI, and
* the VCIinformation about the type of traffic.
*/
atm_guess_traffic_type(pd, length, pseudo_header);
break;
case WTAP_ENCAP_ETHERNET:
/*
* We assume there's no FCS in this frame.
*/
pseudo_header->eth.fcs_len = 0;
break;
case WTAP_ENCAP_IEEE802_11_NETMON_RADIO:
/*
* It appears to be the case that management
* frames have an FCS and data frames don't;
* I'm not sure about control frames. An
* "FCS length" of -2 means "NetMon weirdness".
*/
pseudo_header->ieee_802_11.fcs_len = -2;
break;
}
}
static void
netmon_set_pseudo_header_info(int pkt_encap, struct wtap_pkthdr *phdr,
Buffer *buf)
{
guint8 *pd = buffer_start_ptr(buf);
switch (pkt_encap) {
case WTAP_ENCAP_ATM_PDUS:
/*
* Attempt to guess from the packet data, the VPI, and
* the VCI information about the type of traffic.
*/
atm_guess_traffic_type(phdr, pd);
break;
case WTAP_ENCAP_ETHERNET:
/*
* We assume there's no FCS in this frame.
*/
phdr->pseudo_header.eth.fcs_len = 0;
break;
case WTAP_ENCAP_IEEE_802_11_NETMON:
/*
* It appears to be the case that management
* frames have an FCS and data frames don't;
* I'm not sure about control frames. An
* "FCS length" of -2 means "NetMon weirdness".
*/
phdr->pseudo_header.ieee_802_11.fcs_len = -2;
phdr->pseudo_header.ieee_802_11.decrypted = FALSE;
break;
}
}
/*
* Fill in the pseudo-header information we can.
*
* For ATM traffic, "iptrace", alas, doesn't tell us what type of traffic
* is in the packet - it was presumably run on a machine that was one of
* the endpoints of the connection, so in theory it could presumably have
* told us, but, for whatever reason, it failed to do so - perhaps the
* low-level mechanism that feeds the presumably-AAL5 frames to us doesn't
* have access to that information (e.g., because it's in the ATM driver,
* and the ATM driver merely knows that stuff on VPI/VCI X.Y should be
* handed up to some particular client, it doesn't know what that client is).
*
* We let our caller try to figure out what kind of traffic it is, either
* by guessing based on the VPI/VCI, guessing based on the header of the
* packet, seeing earlier traffic that set up the circuit and specified
* in some fashion what sort of traffic it is, or being told by the user.
*/
static void
fill_in_pseudo_header(int encap, const guint8 *pd, guint32 len,
union wtap_pseudo_header *pseudo_header, guint8 *header)
{
char if_text[9];
char *decimal;
int Vpi = 0;
int Vci = 0;
switch (encap) {
case WTAP_ENCAP_ATM_PDUS:
/* Rip apart the "x.y" text into Vpi/Vci numbers */
memcpy(if_text, &header[20], 8);
if_text[8] = '\0';
decimal = strchr(if_text, '.');
if (decimal) {
*decimal = '\0';
Vpi = (int)strtoul(if_text, NULL, 10);
decimal++;
Vci = (int)strtoul(decimal, NULL, 10);
}
/*
* OK, which value means "DTE->DCE" and which value means
* "DCE->DTE"?
*/
pseudo_header->atm.channel = header[29];
pseudo_header->atm.vpi = Vpi;
pseudo_header->atm.vci = Vci;
/*
* Attempt to guess from the packet data, the VPI,
* and the VCI information about the type of traffic.
*/
atm_guess_traffic_type(pd, len, pseudo_header);
/* We don't have this information */
pseudo_header->atm.flags = 0;
pseudo_header->atm.cells = 0;
pseudo_header->atm.aal5t_u2u = 0;
pseudo_header->atm.aal5t_len = 0;
pseudo_header->atm.aal5t_chksum = 0;
break;
case WTAP_ENCAP_ETHERNET:
/* We assume there's no FCS in this frame. */
pseudo_header->eth.fcs_len = 0;
break;
}
}
static gboolean
libpcap_seek_read(wtap *wth, gint64 seek_off,
union wtap_pseudo_header *pseudo_header, guchar *pd, int length,
int *err, gchar **err_info)
{
int phdr_len;
libpcap_t *libpcap;
if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
return FALSE;
libpcap = (libpcap_t *)wth->priv;
phdr_len = pcap_process_pseudo_header(wth->random_fh, wth->file_type,
wth->file_encap, libpcap->byte_swapped, length,
FALSE, NULL, pseudo_header, err, err_info);
if (phdr_len < 0)
return FALSE; /* error */
/*
* Read the packet data.
*/
if (!libpcap_read_rec_data(wth->random_fh, pd, length, err))
return FALSE; /* failed */
if (wth->file_encap == WTAP_ENCAP_ATM_PDUS) {
if (wth->file_type == WTAP_FILE_PCAP_NOKIA) {
/*
* Nokia IPSO ATM.
*
* Guess the traffic type based on the packet
* contents.
*/
atm_guess_traffic_type(pd, length, pseudo_header);
} else {
/*
* SunATM.
*
* If this is ATM LANE traffic, try to guess what
* type of LANE traffic it is based on the packet
* contents.
*/
if (pseudo_header->atm.type == TRAF_LANE)
atm_guess_lane_type(pd, length, pseudo_header);
}
}
return TRUE;
}
static gboolean
iptrace_read_rec_data(FILE_T fh, Buffer *buf, struct wtap_pkthdr *phdr,
int *err, gchar **err_info)
{
if (!wtap_read_packet_bytes(fh, buf, phdr->caplen, err, err_info))
return FALSE;
if (phdr->pkt_encap == WTAP_ENCAP_ATM_PDUS) {
/*
* Attempt to guess from the packet data, the VPI,
* and the VCI information about the type of traffic.
*/
atm_guess_traffic_type(phdr, buffer_start_ptr(buf));
}
return TRUE;
}
/* Read the next packet */
static gboolean netmon_read(wtap *wth, int *err, gchar **err_info,
gint64 *data_offset)
{
netmon_t *netmon = (netmon_t *)wth->priv;
guint32 packet_size = 0;
guint32 orig_size = 0;
int bytes_read;
union {
struct netmonrec_1_x_hdr hdr_1_x;
struct netmonrec_2_x_hdr hdr_2_x;
} hdr;
union {
struct netmonrec_2_1_trlr trlr_2_1;
struct netmonrec_2_2_trlr trlr_2_2;
struct netmonrec_2_3_trlr trlr_2_3;
} trlr;
int hdr_size = 0;
int trlr_size = 0;
int rec_offset;
guint8 *data_ptr;
gint64 delta = 0; /* signed - frame times can be before the nominal start */
time_t secs;
guint32 usecs;
double t;
guint16 network;
again:
/* Have we reached the end of the packet data? */
if (netmon->current_frame >= netmon->frame_table_size) {
/* Yes. We won't need the frame table any more;
free it. */
g_free(netmon->frame_table);
netmon->frame_table = NULL;
*err = 0; /* it's just an EOF, not an error */
return FALSE;
}
/* Seek to the beginning of the current record, if we're
not there already (seeking to the current position
may still cause a seek and a read of the underlying file,
so we don't want to do it unconditionally).
Yes, the current record could be before the previous
record. At least some captures put the trailer record
with statistics as the first physical record in the
file, but set the frame table up so it's the last
record in sequence. */
rec_offset = netmon->frame_table[netmon->current_frame];
if (wth->data_offset != rec_offset) {
wth->data_offset = rec_offset;
if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1)
return FALSE;
}
netmon->current_frame++;
/* Read record header. */
switch (netmon->version_major) {
case 1:
hdr_size = sizeof (struct netmonrec_1_x_hdr);
break;
case 2:
hdr_size = sizeof (struct netmonrec_2_x_hdr);
break;
}
errno = WTAP_ERR_CANT_READ;
bytes_read = file_read(&hdr, hdr_size, wth->fh);
if (bytes_read != hdr_size) {
*err = file_error(wth->fh);
if (*err == 0 && bytes_read != 0) {
*err = WTAP_ERR_SHORT_READ;
}
return FALSE;
}
wth->data_offset += hdr_size;
switch (netmon->version_major) {
case 1:
orig_size = pletohs(&hdr.hdr_1_x.orig_len);
packet_size = pletohs(&hdr.hdr_1_x.incl_len);
break;
case 2:
orig_size = pletohl(&hdr.hdr_2_x.orig_len);
packet_size = pletohl(&hdr.hdr_2_x.incl_len);
break;
}
if (packet_size > WTAP_MAX_PACKET_SIZE) {
/*
* Probably a corrupt capture file; don't blow up trying
* to allocate space for an immensely-large packet.
*/
*err = WTAP_ERR_BAD_RECORD;
*err_info = g_strdup_printf("netmon: File has %u-byte packet, bigger than maximum of %u",
packet_size, WTAP_MAX_PACKET_SIZE);
return FALSE;
}
*data_offset = wth->data_offset;
/*
* If this is an ATM packet, the first
* "sizeof (struct netmon_atm_hdr)" bytes have destination and
* source addresses (6 bytes - MAC addresses of some sort?)
* and the VPI and VCI; read them and generate the pseudo-header
* from them.
*/
switch (wth->file_encap) {
case WTAP_ENCAP_ATM_PDUS:
if (packet_size < sizeof (struct netmon_atm_hdr)) {
/*
* Uh-oh, the packet isn't big enough to even
* have a pseudo-header.
*/
*err = WTAP_ERR_BAD_RECORD;
*err_info = g_strdup_printf("netmon: ATM file has a %u-byte packet, too small to have even an ATM pseudo-header",
packet_size);
return FALSE;
}
if (!netmon_read_atm_pseudoheader(wth->fh, &wth->pseudo_header,
err))
return FALSE; /* Read error */
/*
* Don't count the pseudo-header as part of the packet.
*/
orig_size -= (guint)sizeof (struct netmon_atm_hdr);
packet_size -= (guint)sizeof (struct netmon_atm_hdr);
wth->data_offset += sizeof (struct netmon_atm_hdr);
break;
case WTAP_ENCAP_ETHERNET:
/*
* We assume there's no FCS in this frame.
*/
wth->pseudo_header.eth.fcs_len = 0;
break;
}
buffer_assure_space(wth->frame_buffer, packet_size);
data_ptr = buffer_start_ptr(wth->frame_buffer);
if (!netmon_read_rec_data(wth->fh, data_ptr, packet_size, err))
return FALSE; /* Read error */
wth->data_offset += packet_size;
t = (double)netmon->start_usecs;
switch (netmon->version_major) {
case 1:
/*
* According to Paul Long, this offset is unsigned.
* It's 32 bits, so the maximum value will fit in
* a gint64 such as delta, even after multiplying
* it by 1000.
*
* pletohl() returns a guint32; we cast it to gint64
* before multiplying, so that the product doesn't
* overflow a guint32.
*/
delta = ((gint64)pletohl(&hdr.hdr_1_x.ts_delta))*1000;
break;
case 2:
delta = pletohl(&hdr.hdr_2_x.ts_delta_lo)
| (((guint64)pletohl(&hdr.hdr_2_x.ts_delta_hi)) << 32);
break;
}
t += (double)delta;
secs = (time_t)(t/1000000);
usecs = (guint32)(t - (double)secs*1000000);
wth->phdr.ts.secs = netmon->start_secs + secs;
wth->phdr.ts.nsecs = usecs * 1000;
wth->phdr.caplen = packet_size;
wth->phdr.len = orig_size;
/*
* Attempt to guess from the packet data, the VPI, and the VCI
* information about the type of traffic.
*/
if (wth->file_encap == WTAP_ENCAP_ATM_PDUS) {
atm_guess_traffic_type(data_ptr, packet_size,
&wth->pseudo_header);
}
/*
* For version 2.1 and later, there's additional information
* after the frame data.
*/
if ((netmon->version_major == 2 && netmon->version_minor >= 1) ||
netmon->version_major > 2) {
if (netmon->version_major > 2) {
/*
* Asssume 2.3 format, for now.
*/
trlr_size = sizeof (struct netmonrec_2_3_trlr);
} else {
switch (netmon->version_minor) {
case 1:
trlr_size = sizeof (struct netmonrec_2_1_trlr);
break;
case 2:
trlr_size = sizeof (struct netmonrec_2_2_trlr);
break;
default:
trlr_size = sizeof (struct netmonrec_2_3_trlr);
break;
}
}
errno = WTAP_ERR_CANT_READ;
bytes_read = file_read(&trlr, trlr_size, wth->fh);
if (bytes_read != trlr_size) {
*err = file_error(wth->fh);
if (*err == 0 && bytes_read != 0) {
*err = WTAP_ERR_SHORT_READ;
}
return FALSE;
}
wth->data_offset += trlr_size;
network = pletohs(trlr.trlr_2_1.network);
if ((network & 0xF000) == NETMON_NET_PCAP_BASE) {
/*
* Converted pcap file - the LINKTYPE_ value
* is the network value with 0xF000 masked off.
*/
network &= 0x0FFF;
wth->phdr.pkt_encap =
wtap_pcap_encap_to_wtap_encap(network);
if (wth->phdr.pkt_encap == WTAP_ENCAP_UNKNOWN) {
*err = WTAP_ERR_UNSUPPORTED_ENCAP;
*err_info = g_strdup_printf("netmon: converted pcap network type %u unknown or unsupported",
network);
return FALSE;
}
} else if (network < NUM_NETMON_ENCAPS) {
/*
* Regular NetMon encapsulation.
*/
wth->phdr.pkt_encap = netmon_encap[network];
if (wth->phdr.pkt_encap == WTAP_ENCAP_UNKNOWN) {
*err = WTAP_ERR_UNSUPPORTED_ENCAP;
*err_info = g_strdup_printf("netmon: network type %u unknown or unsupported",
network);
return FALSE;
}
} else {
/*
* Special packet type for metadata.
*/
switch (network) {
case NETMON_NET_NETEVENT:
case NETMON_NET_NETWORK_INFO_EX:
case NETMON_NET_PAYLOAD_HEADER:
case NETMON_NET_NETWORK_INFO:
case NETMON_NET_DNS_CACHE:
case NETMON_NET_NETMON_FILTER:
/*
* Just ignore those record types, for
* now. Read the next record.
*/
goto again;
default:
*err = WTAP_ERR_UNSUPPORTED_ENCAP;
*err_info = g_strdup_printf("netmon: network type %u unknown or unsupported",
network);
return FALSE;
}
}
}
return TRUE;
}
/* Read the next packet */
static gboolean libpcap_read(wtap *wth, int *err, gchar **err_info,
gint64 *data_offset)
{
struct pcaprec_ss990915_hdr hdr;
guint packet_size;
guint orig_size;
int bytes_read;
guchar fddi_padding[3];
int phdr_len;
libpcap_t *libpcap;
bytes_read = libpcap_read_header(wth, err, err_info, &hdr);
if (bytes_read == -1) {
/*
* We failed to read the header.
*/
return FALSE;
}
wth->data_offset += bytes_read;
packet_size = hdr.hdr.incl_len;
orig_size = hdr.hdr.orig_len;
/*
* AIX appears to put 3 bytes of padding in front of FDDI
* frames; strip that crap off.
*/
if (wth->file_type == WTAP_FILE_PCAP_AIX &&
(wth->file_encap == WTAP_ENCAP_FDDI ||
wth->file_encap == WTAP_ENCAP_FDDI_BITSWAPPED)) {
/*
* The packet size is really a record size and includes
* the padding.
*/
packet_size -= 3;
orig_size -= 3;
wth->data_offset += 3;
/*
* Read the padding.
*/
if (!libpcap_read_rec_data(wth->fh, fddi_padding, 3, err))
return FALSE; /* Read error */
}
*data_offset = wth->data_offset;
libpcap = (libpcap_t *)wth->priv;
phdr_len = pcap_process_pseudo_header(wth->fh, wth->file_type,
wth->file_encap, libpcap->byte_swapped, packet_size,
TRUE, &wth->phdr, &wth->pseudo_header, err, err_info);
if (phdr_len < 0)
return FALSE; /* error */
/*
* Don't count any pseudo-header as part of the packet.
*/
orig_size -= phdr_len;
packet_size -= phdr_len;
wth->data_offset += phdr_len;
buffer_assure_space(wth->frame_buffer, packet_size);
if (!libpcap_read_rec_data(wth->fh, buffer_start_ptr(wth->frame_buffer),
packet_size, err))
return FALSE; /* Read error */
wth->data_offset += packet_size;
/* Update the Timestamp, if not already done */
if (wth->file_encap != WTAP_ENCAP_ERF) {
wth->phdr.ts.secs = hdr.hdr.ts_sec;
if(wth->tsprecision == WTAP_FILE_TSPREC_NSEC) {
wth->phdr.ts.nsecs = hdr.hdr.ts_usec;
} else {
wth->phdr.ts.nsecs = hdr.hdr.ts_usec * 1000;
}
}
wth->phdr.caplen = packet_size;
wth->phdr.len = orig_size;
if (wth->file_encap == WTAP_ENCAP_ATM_PDUS) {
if (wth->file_type == WTAP_FILE_PCAP_NOKIA) {
/*
* Nokia IPSO ATM.
*
* Guess the traffic type based on the packet
* contents.
*/
atm_guess_traffic_type(buffer_start_ptr(wth->frame_buffer),
wth->phdr.caplen, &wth->pseudo_header);
} else {
/*
* SunATM.
*
* If this is ATM LANE traffic, try to guess what
* type of LANE traffic it is based on the packet
* contents.
*/
if (wth->pseudo_header.atm.type == TRAF_LANE) {
atm_guess_lane_type(buffer_start_ptr(wth->frame_buffer),
wth->phdr.caplen, &wth->pseudo_header);
}
}
}
return TRUE;
}
/* Read the next packet */
static gboolean netmon_read(wtap *wth, int *err, gchar **err_info,
gint64 *data_offset)
{
netmon_t *netmon = (netmon_t *)wth->priv;
guint32 packet_size = 0;
guint32 orig_size = 0;
int bytes_read;
union {
struct netmonrec_1_x_hdr hdr_1_x;
struct netmonrec_2_x_hdr hdr_2_x;
} hdr;
int hdr_size = 0;
int rec_offset;
guint8 *data_ptr;
time_t secs;
guint32 usecs;
double t;
/* Have we reached the end of the packet data? */
if (netmon->current_frame >= netmon->frame_table_size) {
/* Yes. We won't need the frame table any more;
free it. */
g_free(netmon->frame_table);
netmon->frame_table = NULL;
*err = 0; /* it's just an EOF, not an error */
return FALSE;
}
/* Seek to the beginning of the current record, if we're
not there already (seeking to the current position
may still cause a seek and a read of the underlying file,
so we don't want to do it unconditionally). */
rec_offset = netmon->frame_table[netmon->current_frame];
if (wth->data_offset != rec_offset) {
wth->data_offset = rec_offset;
if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1)
return FALSE;
}
netmon->current_frame++;
/* Read record header. */
switch (netmon->version_major) {
case 1:
hdr_size = sizeof (struct netmonrec_1_x_hdr);
break;
case 2:
hdr_size = sizeof (struct netmonrec_2_x_hdr);
break;
}
errno = WTAP_ERR_CANT_READ;
bytes_read = file_read(&hdr, 1, hdr_size, wth->fh);
if (bytes_read != hdr_size) {
*err = file_error(wth->fh);
if (*err == 0 && bytes_read != 0) {
*err = WTAP_ERR_SHORT_READ;
}
return FALSE;
}
wth->data_offset += hdr_size;
switch (netmon->version_major) {
case 1:
orig_size = pletohs(&hdr.hdr_1_x.orig_len);
packet_size = pletohs(&hdr.hdr_1_x.incl_len);
break;
case 2:
orig_size = pletohl(&hdr.hdr_2_x.orig_len);
packet_size = pletohl(&hdr.hdr_2_x.incl_len);
break;
}
if (packet_size > WTAP_MAX_PACKET_SIZE) {
/*
* Probably a corrupt capture file; don't blow up trying
* to allocate space for an immensely-large packet.
*/
*err = WTAP_ERR_BAD_RECORD;
*err_info = g_strdup_printf("netmon: File has %u-byte packet, bigger than maximum of %u",
packet_size, WTAP_MAX_PACKET_SIZE);
return FALSE;
}
*data_offset = wth->data_offset;
/*
* If this is an ATM packet, the first
* "sizeof (struct netmon_atm_hdr)" bytes have destination and
* source addresses (6 bytes - MAC addresses of some sort?)
* and the VPI and VCI; read them and generate the pseudo-header
* from them.
*/
switch (wth->file_encap) {
case WTAP_ENCAP_ATM_PDUS:
if (packet_size < sizeof (struct netmon_atm_hdr)) {
/*
* Uh-oh, the packet isn't big enough to even
* have a pseudo-header.
*/
*err = WTAP_ERR_BAD_RECORD;
*err_info = g_strdup_printf("netmon: ATM file has a %u-byte packet, too small to have even an ATM pseudo-header",
packet_size);
return FALSE;
}
if (!netmon_read_atm_pseudoheader(wth->fh, &wth->pseudo_header,
err))
return FALSE; /* Read error */
/*
* Don't count the pseudo-header as part of the packet.
*/
orig_size -= (guint)sizeof (struct netmon_atm_hdr);
packet_size -= (guint)sizeof (struct netmon_atm_hdr);
wth->data_offset += sizeof (struct netmon_atm_hdr);
break;
case WTAP_ENCAP_ETHERNET:
/*
* We assume there's no FCS in this frame.
*/
wth->pseudo_header.eth.fcs_len = 0;
break;
}
buffer_assure_space(wth->frame_buffer, packet_size);
data_ptr = buffer_start_ptr(wth->frame_buffer);
if (!netmon_read_rec_data(wth->fh, data_ptr, packet_size, err))
return FALSE; /* Read error */
wth->data_offset += packet_size;
t = (double)netmon->start_usecs;
switch (netmon->version_major) {
case 1:
t += ((double)pletohl(&hdr.hdr_1_x.ts_delta))*1000;
break;
case 2:
t += (double)pletohl(&hdr.hdr_2_x.ts_delta_lo)
+ (double)pletohl(&hdr.hdr_2_x.ts_delta_hi)*4294967296.0;
break;
}
secs = (time_t)(t/1000000);
usecs = (guint32)(t - (double)secs*1000000);
wth->phdr.ts.secs = netmon->start_secs + secs;
wth->phdr.ts.nsecs = usecs * 1000;
wth->phdr.caplen = packet_size;
wth->phdr.len = orig_size;
/*
* Attempt to guess from the packet data, the VPI, and the VCI
* information about the type of traffic.
*/
if (wth->file_encap == WTAP_ENCAP_ATM_PDUS) {
atm_guess_traffic_type(data_ptr, packet_size,
&wth->pseudo_header);
}
return TRUE;
}
