/* Read the next packet */
static gboolean snoop_read(wtap *wth, int *err, gchar **err_info,
gint64 *data_offset)
{
guint32 rec_size;
guint32 packet_size;
guint32 orig_size;
int bytes_read;
struct snooprec_hdr hdr;
char padbuf[4];
guint padbytes;
int bytes_to_read;
int header_size;
/* Read record header. */
errno = WTAP_ERR_CANT_READ;
bytes_read = file_read(&hdr, sizeof hdr, wth->fh);
if (bytes_read != sizeof hdr) {
*err = file_error(wth->fh, err_info);
if (*err == 0 && bytes_read != 0)
*err = WTAP_ERR_SHORT_READ;
return FALSE;
}
rec_size = g_ntohl(hdr.rec_len);
orig_size = g_ntohl(hdr.orig_len);
packet_size = g_ntohl(hdr.incl_len);
if (orig_size > WTAP_MAX_PACKET_SIZE) {
/*
* Probably a corrupt capture file; don't blow up trying
* to allocate space for an immensely-large packet.
*/
*err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup_printf("snoop: File has %u-byte original length, bigger than maximum of %u",
orig_size, WTAP_MAX_PACKET_SIZE);
return FALSE;
}
if (packet_size > WTAP_MAX_PACKET_SIZE) {
/*
* Probably a corrupt capture file; don't blow up trying
* to allocate space for an immensely-large packet.
*/
*err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup_printf("snoop: File has %u-byte packet, bigger than maximum of %u",
packet_size, WTAP_MAX_PACKET_SIZE);
return FALSE;
}
if (packet_size > rec_size) {
/*
* Probably a corrupt capture file.
*/
*err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup_printf("snoop: File has %u-byte packet, bigger than record size %u",
packet_size, rec_size);
return FALSE;
}
*data_offset = file_tell(wth->fh);
/*
* If this is an ATM packet, the first four bytes are the
* direction of the packet (transmit/receive), the VPI, and
* the VCI; read them and generate the pseudo-header from
* them.
*/
switch (wth->file_encap) {
case WTAP_ENCAP_ATM_PDUS:
if (packet_size < sizeof (struct snoop_atm_hdr)) {
/*
* Uh-oh, the packet isn't big enough to even
* have a pseudo-header.
*/
*err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup_printf("snoop: atmsnoop file has a %u-byte packet, too small to have even an ATM pseudo-header",
packet_size);
return FALSE;
}
if (!snoop_read_atm_pseudoheader(wth->fh, &wth->pseudo_header,
err, err_info))
return FALSE; /* Read error */
/*
* Don't count the pseudo-header as part of the packet.
*/
rec_size -= (guint32)sizeof (struct snoop_atm_hdr);
orig_size -= (guint32)sizeof (struct snoop_atm_hdr);
packet_size -= (guint32)sizeof (struct snoop_atm_hdr);
break;
case WTAP_ENCAP_ETHERNET:
/*
* If this is a snoop file, we assume there's no FCS in
* this frame; if this is a Shomit file, we assume there
* is. (XXX - or should we treat it a "maybe"?)
*/
if (wth->file_type == WTAP_FILE_SHOMITI)
wth->pseudo_header.eth.fcs_len = 4;
else
wth->pseudo_header.eth.fcs_len = 0;
break;
case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
if (packet_size < sizeof (shomiti_wireless_header)) {
/*
* Uh-oh, the packet isn't big enough to even
* have a pseudo-header.
*/
*err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup_printf("snoop: Shomiti wireless file has a %u-byte packet, too small to have even a wireless pseudo-header",
packet_size);
return FALSE;
}
if (!snoop_read_shomiti_wireless_pseudoheader(wth->fh,
&wth->pseudo_header, err, err_info, &header_size))
return FALSE; /* Read error */
/*
* Don't count the pseudo-header as part of the packet.
*/
rec_size -= header_size;
orig_size -= header_size;
packet_size -= header_size;
break;
}
buffer_assure_space(wth->frame_buffer, packet_size);
if (!snoop_read_rec_data(wth->fh, buffer_start_ptr(wth->frame_buffer),
packet_size, err, err_info))
return FALSE; /* Read error */
wth->phdr.presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
wth->phdr.ts.secs = g_ntohl(hdr.ts_sec);
wth->phdr.ts.nsecs = g_ntohl(hdr.ts_usec) * 1000;
wth->phdr.caplen = packet_size;
wth->phdr.len = orig_size;
/*
* If this is ATM LANE traffic, try to guess what type of LANE
* traffic it is based on the packet contents.
*/
if (wth->file_encap == WTAP_ENCAP_ATM_PDUS &&
wth->pseudo_header.atm.type == TRAF_LANE) {
atm_guess_lane_type(buffer_start_ptr(wth->frame_buffer),
wth->phdr.caplen, &wth->pseudo_header);
}
/*
* Skip over the padding (don't "fseek()", as the standard
* I/O library on some platforms discards buffered data if
* you do that, which means it does a lot more reads).
* There's probably not much padding (it's probably padded only
* to a 4-byte boundary), so we probably need only do one read.
*/
if (rec_size < (sizeof hdr + packet_size)) {
/*
* What, *negative* padding? Bogus.
*/
*err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup_printf("snoop: File has %u-byte record with packet size of %u",
rec_size, packet_size);
return FALSE;
}
padbytes = rec_size - ((guint)sizeof hdr + packet_size);
while (padbytes != 0) {
bytes_to_read = padbytes;
if ((unsigned)bytes_to_read > sizeof padbuf)
bytes_to_read = sizeof padbuf;
errno = WTAP_ERR_CANT_READ;
bytes_read = file_read(padbuf, bytes_to_read, wth->fh);
if (bytes_read != bytes_to_read) {
*err = file_error(wth->fh, err_info);
if (*err == 0)
*err = WTAP_ERR_SHORT_READ;
return FALSE;
}
padbytes -= bytes_read;
}
return TRUE;
}
/* Read the next packet */
static gboolean lanalyzer_read(wtap *wth, int *err, gchar **err_info,
gint64 *data_offset)
{
int packet_size = 0;
int bytes_read;
char LE_record_type[2];
char LE_record_length[2];
guint16 record_type, record_length;
gchar descriptor[DESCRIPTOR_LEN];
guint16 time_low, time_med, time_high, true_size;
guint64 t;
time_t tsecs;
lanalyzer_t *lanalyzer;
/* read the record type and length. */
errno = WTAP_ERR_CANT_READ;
bytes_read = file_read(LE_record_type, 2, wth->fh);
if (bytes_read != 2) {
*err = file_error(wth->fh, err_info);
if (*err == 0 && bytes_read != 0) {
*err = WTAP_ERR_SHORT_READ;
}
return FALSE;
}
bytes_read = file_read(LE_record_length, 2, wth->fh);
if (bytes_read != 2) {
*err = file_error(wth->fh, err_info);
if (*err == 0)
*err = WTAP_ERR_SHORT_READ;
return FALSE;
}
record_type = pletohs(LE_record_type);
record_length = pletohs(LE_record_length);
/* Only Trace Packet Data Records should occur now that we're in
* the middle of reading packets. If any other record type exists
* after a Trace Packet Data Record, mark it as an error. */
if (record_type != RT_PacketData) {
*err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup_printf("lanalyzer: record type %u seen after trace summary record",
record_type);
return FALSE;
}
else {
if (record_length < DESCRIPTOR_LEN) {
/*
* Uh-oh, the record isn't big enough to even have a
* descriptor.
*/
*err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup_printf("lanalyzer: file has a %u-byte record, too small to have even a packet descriptor",
record_length);
return FALSE;
}
packet_size = record_length - DESCRIPTOR_LEN;
}
/* Read the descriptor data */
errno = WTAP_ERR_CANT_READ;
bytes_read = file_read(descriptor, DESCRIPTOR_LEN, wth->fh);
if (bytes_read != DESCRIPTOR_LEN) {
*err = file_error(wth->fh, err_info);
if (*err == 0)
*err = WTAP_ERR_SHORT_READ;
return FALSE;
}
/* Read the packet data */
buffer_assure_space(wth->frame_buffer, packet_size);
*data_offset = file_tell(wth->fh);
errno = WTAP_ERR_CANT_READ;
bytes_read = file_read(buffer_start_ptr(wth->frame_buffer),
packet_size, wth->fh);
if (bytes_read != packet_size) {
*err = file_error(wth->fh, err_info);
if (*err == 0)
*err = WTAP_ERR_SHORT_READ;
return FALSE;
}
true_size = pletohs(&descriptor[4]);
packet_size = pletohs(&descriptor[6]);
/*
* OK, is the frame data size greater than than what's left of the
* record?
*/
if (packet_size > record_length - DESCRIPTOR_LEN) {
/*
* Yes - treat this as an error.
*/
*err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup("lanalyzer: Record length is less than packet size");
return FALSE;
}
wth->phdr.presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
time_low = pletohs(&descriptor[8]);
time_med = pletohs(&descriptor[10]);
time_high = pletohs(&descriptor[12]);
t = (((guint64)time_low) << 0) + (((guint64)time_med) << 16) +
(((guint64)time_high) << 32);
tsecs = (time_t) (t/2000000);
lanalyzer = (lanalyzer_t *)wth->priv;
wth->phdr.ts.secs = tsecs + lanalyzer->start;
wth->phdr.ts.nsecs = ((guint32) (t - tsecs*2000000)) * 500;
if (true_size - 4 >= packet_size) {
/*
* It appears that the "true size" includes the FCS;
* make it reflect the non-FCS size (the "packet size"
* appears never to include the FCS, even if no slicing
* is done).
*/
true_size -= 4;
}
wth->phdr.len = true_size;
wth->phdr.caplen = packet_size;
switch (wth->file_encap) {
case WTAP_ENCAP_ETHERNET:
/* We assume there's no FCS in this frame. */
wth->phdr.pseudo_header.eth.fcs_len = 0;
break;
}
return TRUE;
}
/*
* See
*
* http://www.opengroup.org/onlinepubs/9638599/apdxf.htm
*
* for the "dlpi.h" header file specified by The Open Group, which lists
* the DL_ values for various protocols; Solaris 7 uses the same values.
*
* See
*
* http://www.iana.org/assignments/snoop-datalink-types/snoop-datalink-types.xml
*
* for the IETF list of snoop datalink types.
*
* The page at
*
* http://mrpink.lerc.nasa.gov/118x/support.html
*
* had links to modified versions of "tcpdump" and "libpcap" for SUNatm
* DLPI support; they suggested that the 3.0 verson of SUNatm uses those
* values. The Wayback Machine archived that page, but not the stuff
* to which it linked, unfortunately.
*
* It also has a link to "convert.c", which is a program to convert files
* from the format written by the "atmsnoop" program that comes with the
* SunATM package to regular "snoop" format, claims that "SunATM 2.1 claimed
* to be DL_FDDI (don't ask why). SunATM 3.0 claims to be DL_IPATM, which
* is 0x12".
*
* It also says that "ATM Mac header is 12 bytes long.", and seems to imply
* that in an "atmsnoop" file, the header contains 2 bytes (direction and
* VPI?), 2 bytes of VCI, 6 bytes of something, and 2 bytes of Ethernet
* type; if those 6 bytes are 2 bytes of DSAP, 2 bytes of LSAP, 1 byte
* of LLC control, and 3 bytes of SNAP OUI, that'd mean that an ATM
* pseudo-header in an "atmsnoop" file is probably 1 byte of direction,
* 1 byte of VPI, and 2 bytes of VCI.
*
* The aforementioned page also has a link to some capture files from
* "atmsnoop"; this version of "snoop.c" appears to be able to read them.
*
* Source to an "atmdump" package, which includes a modified version of
* "libpcap" to handle SunATM DLPI and an ATM driver for FreeBSD, and
* also includes "atmdump", which is a modified "tcpdump", was available
* at
*
* ftp://ftp.cs.ndsu.nodak.edu/pub/freebsd/atm/atm-bpf.tgz
*
* (the host name is no longer valid) and that code also indicated that
* DL_IPATM is used, and that an ATM packet handed up from the Sun driver
* for the Sun SBus ATM card on Solaris 2.5.1 has 1 byte of direction,
* 1 byte of VPI, 2 bytes of VCI, and then the ATM PDU, and suggests that
* the direction flag is 0x80 for "transmitted" (presumably meaning
* DTE->DCE) and presumably not 0x80 for "received" (presumably meaning
* DCE->DTE). That code was used as the basis for the SunATM support in
* later versions of libpcap and tcpdump, and it worked at the time the
* development was done with the SunATM code on the system on which the
* development was done.
*
* In fact, the "direction" byte appears to have some other stuff, perhaps
* a traffic type, in the lower 7 bits, with the 8th bit indicating the
* direction. That appears to be the case.
*
* I don't know what the encapsulation of any of the other types is, so I
* leave them all as WTAP_ENCAP_UNKNOWN, except for those for which Brian
* Ginsbach has supplied information about the way UNICOS/mp uses them.
* I also don't know whether "snoop" can handle any of them (it presumably
* can't handle ATM, otherwise Sun wouldn't have supplied "atmsnoop"; even
* if it can't, this may be useful reference information for anybody doing
* code to use DLPI to do raw packet captures on those network types.
*
* Once upon a time
*
* http://web.archive.org/web/20010906213807/http://www.shomiti.com/support/TNCapFileFormat.htm
*
* gave information on Shomiti's mutant flavor of snoop; Shomiti's Web site
* is no longer available on the Wayback Machine. For some unknown reason,
* they decided not to just Go With The DLPI Flow, and instead used the types
* unspecified in RFC 1461 for their own nefarious purposes, such as
* distinguishing 10MB from 100MB from 1000MB Ethernet and distinguishing
* 4MB from 16MB Token Ring, and distinguishing both of them from the
* "Shomiti" versions of same.
*/
int snoop_open(wtap *wth, int *err, gchar **err_info)
{
int bytes_read;
char magic[sizeof snoop_magic];
struct snoop_hdr hdr;
struct snooprec_hdr rec_hdr;
guint padbytes;
gboolean is_shomiti;
static const int snoop_encap[] = {
WTAP_ENCAP_ETHERNET, /* IEEE 802.3 */
WTAP_ENCAP_UNKNOWN, /* IEEE 802.4 Token Bus */
WTAP_ENCAP_TOKEN_RING,
WTAP_ENCAP_UNKNOWN, /* IEEE 802.6 Metro Net */
WTAP_ENCAP_ETHERNET,
WTAP_ENCAP_UNKNOWN, /* HDLC */
WTAP_ENCAP_UNKNOWN, /* Character Synchronous, e.g. bisync */
WTAP_ENCAP_UNKNOWN, /* IBM Channel-to-Channel */
WTAP_ENCAP_FDDI_BITSWAPPED,
WTAP_ENCAP_NULL, /* Other */
WTAP_ENCAP_UNKNOWN, /* Frame Relay LAPF */
WTAP_ENCAP_UNKNOWN, /* Multi-protocol over Frame Relay */
WTAP_ENCAP_UNKNOWN, /* Character Async (e.g., SLIP and PPP?) */
WTAP_ENCAP_UNKNOWN, /* X.25 Classical IP */
WTAP_ENCAP_NULL, /* software loopback */
WTAP_ENCAP_UNKNOWN, /* not defined in "dlpi.h" */
WTAP_ENCAP_IP_OVER_FC, /* Fibre Channel */
WTAP_ENCAP_UNKNOWN, /* ATM */
WTAP_ENCAP_ATM_PDUS, /* ATM Classical IP */
WTAP_ENCAP_UNKNOWN, /* X.25 LAPB */
WTAP_ENCAP_UNKNOWN, /* ISDN */
WTAP_ENCAP_UNKNOWN, /* HIPPI */
WTAP_ENCAP_UNKNOWN, /* 100VG-AnyLAN Ethernet */
WTAP_ENCAP_UNKNOWN, /* 100VG-AnyLAN Token Ring */
WTAP_ENCAP_UNKNOWN, /* "ISO 8802/3 and Ethernet" */
WTAP_ENCAP_UNKNOWN, /* 100BaseT (but that's just Ethernet) */
WTAP_ENCAP_IP_OVER_IB, /* Infiniband */
};
#define NUM_SNOOP_ENCAPS (sizeof snoop_encap / sizeof snoop_encap[0])
#define SNOOP_PRIVATE_BIT 0x80000000
static const int snoop_private_encap[] = {
WTAP_ENCAP_UNKNOWN, /* Not Used */
WTAP_ENCAP_UNKNOWN, /* IPv4 Tunnel Link */
WTAP_ENCAP_UNKNOWN, /* IPv6 Tunnel Link */
WTAP_ENCAP_UNKNOWN, /* Virtual network interface */
WTAP_ENCAP_UNKNOWN, /* IEEE 802.11 */
WTAP_ENCAP_IPNET, /* ipnet(7D) link */
WTAP_ENCAP_UNKNOWN, /* IPMP stub interface */
WTAP_ENCAP_UNKNOWN, /* 6to4 Tunnel Link */
};
#define NUM_SNOOP_PRIVATE_ENCAPS (sizeof snoop_private_encap / sizeof snoop_private_encap[0])
static const int shomiti_encap[] = {
WTAP_ENCAP_ETHERNET, /* IEEE 802.3 */
WTAP_ENCAP_UNKNOWN, /* IEEE 802.4 Token Bus */
WTAP_ENCAP_TOKEN_RING,
WTAP_ENCAP_UNKNOWN, /* IEEE 802.6 Metro Net */
WTAP_ENCAP_ETHERNET,
WTAP_ENCAP_UNKNOWN, /* HDLC */
WTAP_ENCAP_UNKNOWN, /* Character Synchronous, e.g. bisync */
WTAP_ENCAP_UNKNOWN, /* IBM Channel-to-Channel */
WTAP_ENCAP_FDDI_BITSWAPPED,
WTAP_ENCAP_UNKNOWN, /* Other */
WTAP_ENCAP_ETHERNET, /* Fast Ethernet */
WTAP_ENCAP_TOKEN_RING, /* 4MB 802.5 token ring */
WTAP_ENCAP_ETHERNET, /* Gigabit Ethernet */
WTAP_ENCAP_TOKEN_RING, /* "IEEE 802.5 Shomiti" */
WTAP_ENCAP_TOKEN_RING, /* "4MB IEEE 802.5 Shomiti" */
WTAP_ENCAP_UNKNOWN, /* Other */
WTAP_ENCAP_UNKNOWN, /* Other */
WTAP_ENCAP_UNKNOWN, /* Other */
WTAP_ENCAP_IEEE_802_11_WITH_RADIO, /* IEEE 802.11 with Radio Header */
WTAP_ENCAP_ETHERNET, /* 10 Gigabit Ethernet */
};
#define NUM_SHOMITI_ENCAPS (sizeof shomiti_encap / sizeof shomiti_encap[0])
int file_encap;
gint64 saved_offset;
/* Read in the string that should be at the start of a "snoop" file */
errno = WTAP_ERR_CANT_READ;
bytes_read = file_read(magic, sizeof magic, wth->fh);
if (bytes_read != sizeof magic) {
*err = file_error(wth->fh, err_info);
if (*err != 0)
return -1;
return 0;
}
if (memcmp(magic, snoop_magic, sizeof snoop_magic) != 0) {
return 0;
}
/* Read the rest of the header. */
errno = WTAP_ERR_CANT_READ;
bytes_read = file_read(&hdr, sizeof hdr, wth->fh);
if (bytes_read != sizeof hdr) {
*err = file_error(wth->fh, err_info);
if (*err != 0)
return -1;
return 0;
}
/*
* Make sure it's a version we support.
*/
hdr.version = g_ntohl(hdr.version);
switch (hdr.version) {
case 2: /* Solaris 2.x and later snoop, and Shomiti
Surveyor prior to 3.0, or 3.0 and later
with NDIS card */
case 3: /* Surveyor 3.0 and later, with Shomiti CMM2 hardware */
case 4: /* Surveyor 3.0 and later, with Shomiti GAM hardware */
case 5: /* Surveyor 3.0 and later, with Shomiti THG hardware */
break;
default:
*err = WTAP_ERR_UNSUPPORTED;
*err_info = g_strdup_printf("snoop: version %u unsupported", hdr.version);
return -1;
}
/*
* Oh, this is lovely.
*
* I suppose Shomiti could give a bunch of lawyerly noise about
* how "well, RFC 1761 said they were unassigned, and that's
* the standard, not the DLPI header file, so it's perfectly OK
* for us to use them, blah blah blah", but it's still irritating
* as hell that they used the unassigned-in-RFC-1761 values for
* their own purposes - especially given that Sun also used
* one of them in atmsnoop.
*
* We can't determine whether it's a Shomiti capture based on
* the version number, as, according to their documentation on
* their capture file format, Shomiti uses a version number of 2
* if the data "was captured using an NDIS card", which presumably
* means "captured with an ordinary boring network card via NDIS"
* as opposed to "captured with our whizzo special capture
* hardware".
*
* The only way I can see to determine that is to check how much
* padding there is in the first packet - if there's enough
* padding for a Shomiti trailer, it's probably a Shomiti
* capture, and otherwise, it's probably from Snoop.
*/
/*
* Start out assuming it's not a Shomiti capture.
*/
is_shomiti = FALSE;
/* Read first record header. */
saved_offset = file_tell(wth->fh);
errno = WTAP_ERR_CANT_READ;
bytes_read = file_read(&rec_hdr, sizeof rec_hdr, wth->fh);
if (bytes_read != sizeof rec_hdr) {
*err = file_error(wth->fh, err_info);
if (*err == 0 && bytes_read != 0)
*err = WTAP_ERR_SHORT_READ;
if (*err != 0) {
/*
* A real-live error.
*/
return -1;
}
/*
* The file ends after the record header, which means this
* is a capture with no packets.
*
* We assume it's a snoop file; the actual type of file is
* irrelevant, as there are no records in it, and thus no
* extra information if it's a Shomiti capture, and no
* link-layer headers whose type we have to know, and no
* Ethernet frames that might have an FCS.
*/
} else {
/*
* Compute the number of bytes of padding in the
* record. If it's at least the size of a Shomiti
* trailer record, we assume this is a Shomiti
* capture. (Some atmsnoop captures appear
* to have 4 bytes of padding, and at least one
* snoop capture appears to have 6 bytes of padding;
* the Shomiti header is larger than either of those.)
*/
if (g_ntohl(rec_hdr.rec_len) >
(sizeof rec_hdr + g_ntohl(rec_hdr.incl_len))) {
/*
* Well, we have padding; how much?
*/
padbytes = g_ntohl(rec_hdr.rec_len) -
((guint)sizeof rec_hdr + g_ntohl(rec_hdr.incl_len));
/*
* Is it at least the size of a Shomiti trailer?
*/
is_shomiti =
(padbytes >= sizeof (struct shomiti_trailer));
}
}
/*
* Seek back to the beginning of the first record.
*/
if (file_seek(wth->fh, saved_offset, SEEK_SET, err) == -1)
return -1;
hdr.network = g_ntohl(hdr.network);
if (is_shomiti) {
if (hdr.network >= NUM_SHOMITI_ENCAPS
|| shomiti_encap[hdr.network] == WTAP_ENCAP_UNKNOWN) {
*err = WTAP_ERR_UNSUPPORTED_ENCAP;
*err_info = g_strdup_printf("snoop: Shomiti network type %u unknown or unsupported",
hdr.network);
return -1;
}
file_encap = shomiti_encap[hdr.network];
/* This is a Shomiti file */
wth->file_type = WTAP_FILE_SHOMITI;
} else if (hdr.network & SNOOP_PRIVATE_BIT) {
if ((hdr.network^SNOOP_PRIVATE_BIT) >= NUM_SNOOP_PRIVATE_ENCAPS
|| snoop_private_encap[hdr.network^SNOOP_PRIVATE_BIT] == WTAP_ENCAP_UNKNOWN) {
*err = WTAP_ERR_UNSUPPORTED_ENCAP;
*err_info = g_strdup_printf("snoop: private network type %u unknown or unsupported",
hdr.network);
return -1;
}
file_encap = snoop_private_encap[hdr.network^SNOOP_PRIVATE_BIT];
/* This is a snoop file */
wth->file_type = WTAP_FILE_SNOOP;
} else {
if (hdr.network >= NUM_SNOOP_ENCAPS
|| snoop_encap[hdr.network] == WTAP_ENCAP_UNKNOWN) {
*err = WTAP_ERR_UNSUPPORTED_ENCAP;
*err_info = g_strdup_printf("snoop: network type %u unknown or unsupported",
hdr.network);
return -1;
}
file_encap = snoop_encap[hdr.network];
/* This is a snoop file */
wth->file_type = WTAP_FILE_SNOOP;
}
/*
* We don't currently use the extra information in Shomiti
* records, so we use the same routines to read snoop and
* Shomiti files.
*/
wth->subtype_read = snoop_read;
wth->subtype_seek_read = snoop_seek_read;
wth->file_encap = file_encap;
wth->snapshot_length = 0; /* not available in header */
wth->tsprecision = WTAP_FILE_TSPREC_USEC;
return 1;
}
int libpcap_open(wtap *wth, int *err, gchar **err_info)
{
int bytes_read;
guint32 magic;
struct pcap_hdr hdr;
gboolean byte_swapped;
gboolean modified;
gboolean aix;
int file_encap;
gint64 first_packet_offset;
libpcap_t *libpcap;
/* Read in the number that should be at the start of a "libpcap" file */
errno = WTAP_ERR_CANT_READ;
bytes_read = file_read(&magic, sizeof magic, wth->fh);
if (bytes_read != sizeof magic) {
*err = file_error(wth->fh, err_info);
if (*err != 0 && *err != WTAP_ERR_SHORT_READ)
return -1;
return 0;
}
switch (magic) {
case PCAP_MAGIC:
/* Host that wrote it has our byte order, and was running
a program using either standard or ss990417 libpcap. */
byte_swapped = FALSE;
modified = FALSE;
wth->tsprecision = WTAP_FILE_TSPREC_USEC;
break;
case PCAP_MODIFIED_MAGIC:
/* Host that wrote it has our byte order, and was running
a program using either ss990915 or ss991029 libpcap. */
byte_swapped = FALSE;
modified = TRUE;
wth->tsprecision = WTAP_FILE_TSPREC_USEC;
break;
case PCAP_SWAPPED_MAGIC:
/* Host that wrote it has a byte order opposite to ours,
and was running a program using either standard or
ss990417 libpcap. */
byte_swapped = TRUE;
modified = FALSE;
wth->tsprecision = WTAP_FILE_TSPREC_USEC;
break;
case PCAP_SWAPPED_MODIFIED_MAGIC:
/* Host that wrote it out has a byte order opposite to
ours, and was running a program using either ss990915
or ss991029 libpcap. */
byte_swapped = TRUE;
modified = TRUE;
wth->tsprecision = WTAP_FILE_TSPREC_USEC;
break;
case PCAP_NSEC_MAGIC:
/* Host that wrote it has our byte order, and was writing
the file in a format similar to standard libpcap
except that the time stamps have nanosecond resolution. */
byte_swapped = FALSE;
modified = FALSE;
wth->tsprecision = WTAP_FILE_TSPREC_NSEC;
break;
case PCAP_SWAPPED_NSEC_MAGIC:
/* Host that wrote it out has a byte order opposite to
ours, and was writing the file in a format similar to
standard libpcap except that the time stamps have
nanosecond resolution. */
byte_swapped = TRUE;
modified = FALSE;
wth->tsprecision = WTAP_FILE_TSPREC_NSEC;
break;
default:
/* Not a "libpcap" type we know about. */
return 0;
}
/* Read the rest of the header. */
errno = WTAP_ERR_CANT_READ;
bytes_read = file_read(&hdr, sizeof hdr, wth->fh);
if (bytes_read != sizeof hdr) {
*err = file_error(wth->fh, err_info);
if (*err == 0)
*err = WTAP_ERR_SHORT_READ;
return -1;
}
if (byte_swapped) {
/* Byte-swap the header fields about which we care. */
hdr.version_major = BSWAP16(hdr.version_major);
hdr.version_minor = BSWAP16(hdr.version_minor);
hdr.snaplen = BSWAP32(hdr.snaplen);
hdr.network = BSWAP32(hdr.network);
}
if (hdr.version_major < 2) {
/* We only support version 2.0 and later. */
*err = WTAP_ERR_UNSUPPORTED;
*err_info = g_strdup_printf("pcap: major version %u unsupported",
hdr.version_major);
return -1;
}
/*
* AIX's non-standard tcpdump uses a minor version number of 2.
* Unfortunately, older versions of libpcap might have used
* that as well.
*
* The AIX libpcap uses RFC 1573 ifType values rather than
* DLT_ values in the header; the ifType values for LAN devices
* are:
*
* Ethernet 6
* Token Ring 9
* FDDI 15
*
* which correspond to DLT_IEEE802 (used for Token Ring),
* DLT_PPP, and DLT_SLIP_BSDOS, respectively. The ifType value
* for a loopback interface is 24, which currently isn't
* used by any version of libpcap I know about (and, as
* tcpdump.org are assigning DLT_ values above 100, and
* NetBSD started assigning values starting at 50, and
* the values chosen by other libpcaps appear to stop at
* 19, it's probably not going to be used by any libpcap
* in the future).
*
* We shall assume that if the minor version number is 2, and
* the network type is 6, 9, 15, or 24, that it's AIX libpcap.
*
* I'm assuming those older versions of libpcap didn't
* use DLT_IEEE802 for Token Ring, and didn't use DLT_SLIP_BSDOS
* as that came later. It may have used DLT_PPP, however, in
* which case we're out of luck; we assume it's Token Ring
* in AIX libpcap rather than PPP in standard libpcap, as
* you're probably more likely to be handing an AIX libpcap
* token-ring capture than an old (pre-libpcap 0.4) PPP capture
* to Wireshark.
*/
aix = FALSE; /* assume it's not AIX */
if (hdr.version_major == 2 && hdr.version_minor == 2) {
switch (hdr.network) {
case 6:
hdr.network = 1; /* DLT_EN10MB, Ethernet */
aix = TRUE;
break;
case 9:
hdr.network = 6; /* DLT_IEEE802, Token Ring */
aix = TRUE;
break;
case 15:
hdr.network = 10; /* DLT_FDDI, FDDI */
aix = TRUE;
break;
case 24:
hdr.network = 0; /* DLT_NULL, loopback */
aix = TRUE;
break;
}
}
file_encap = wtap_pcap_encap_to_wtap_encap(hdr.network);
if (file_encap == WTAP_ENCAP_UNKNOWN) {
*err = WTAP_ERR_UNSUPPORTED_ENCAP;
*err_info = g_strdup_printf("pcap: network type %u unknown or unsupported",
hdr.network);
return -1;
}
/* This is a libpcap file */
libpcap = (libpcap_t *)g_malloc(sizeof(libpcap_t));
libpcap->byte_swapped = byte_swapped;
libpcap->version_major = hdr.version_major;
libpcap->version_minor = hdr.version_minor;
wth->priv = (void *)libpcap;
wth->subtype_read = libpcap_read;
wth->subtype_seek_read = libpcap_seek_read;
wth->file_encap = file_encap;
wth->snapshot_length = hdr.snaplen;
/* In file format version 2.3, the order of the "incl_len" and
"orig_len" fields in the per-packet header was reversed,
in order to match the BPF header layout.
Therefore, in files with versions prior to that, we must swap
those two fields.
Unfortunately, some files were, according to a comment in the
"libpcap" source, written with version 2.3 in their headers
but without the interchanged fields, so if "incl_len" is
greater than "orig_len" - which would make no sense - we
assume that we need to swap them in version 2.3 files
as well.
In addition, DG/UX's tcpdump uses version 543.0, and writes
the two fields in the pre-2.3 order. */
switch (hdr.version_major) {
case 2:
if (hdr.version_minor < 3)
libpcap->lengths_swapped = SWAPPED;
else if (hdr.version_minor == 3)
libpcap->lengths_swapped = MAYBE_SWAPPED;
else
libpcap->lengths_swapped = NOT_SWAPPED;
break;
case 543:
libpcap->lengths_swapped = SWAPPED;
break;
default:
libpcap->lengths_swapped = NOT_SWAPPED;
break;
}
/*
* Is this AIX format?
*/
if (aix) {
/*
* Yes. Skip all the tests for other mutant formats,
* and for the ERF link-layer header type, and set the
* precision to nanosecond precision.
*/
wth->file_type = WTAP_FILE_PCAP_AIX;
wth->tsprecision = WTAP_FILE_TSPREC_NSEC;
return 1;
}
/*
* No. Let's look at the header for the first record,
* and see if, interpreting it as a standard header (if the
* magic number was standard) or a modified header (if the
* magic number was modified), the position where it says the
* header for the *second* record is contains a corrupted header.
*
* If so, then:
*
* If this file had the standard magic number, it may be
* an ss990417 capture file - in that version of Alexey's
* patch, the packet header format was changed but the
* magic number wasn't, and, alas, Red Hat appear to have
* picked up that version of the patch for RH 6.1, meaning
* RH 6.1 has a tcpdump that writes out files that can't
* be read by any software that expects non-modified headers
* if the magic number isn't the modified magic number (e.g.,
* any normal version of tcpdump, and Wireshark if we don't
* do this gross heuristic).
*
* If this file had the modified magic number, it may be
* an ss990915 capture file - in that version of Alexey's
* patch, the magic number was changed, but the record
* header had some extra fields, and, alas, SuSE appear
* to have picked up that version of the patch for SuSE
* 6.3, meaning that programs expecting the standard per-
* packet header in captures with the modified magic number
* can't read dumps from its tcpdump.
*
* Oh, and if it has the standard magic number, it might, instead,
* be a Nokia libpcap file, so we may need to try that if
* neither normal nor ss990417 headers work.
*/
if (modified) {
/*
* Well, we have the magic number from Alexey's
* later two patches.
*
* Try ss991029, the last of his patches, first.
*/
wth->file_type = WTAP_FILE_PCAP_SS991029;
first_packet_offset = file_tell(wth->fh);
switch (libpcap_try(wth, err)) {
case BAD_READ:
/*
* Well, we couldn't even read it.
* Give up.
*/
return -1;
case THIS_FORMAT:
/*
* Well, it looks as if it might be 991029.
* Put the seek pointer back, and finish.
*/
if (file_seek(wth->fh, first_packet_offset, SEEK_SET, err) == -1) {
return -1;
}
goto done;
case OTHER_FORMAT:
/*
* Try the next format.
*/
break;
}
/*
* Well, it's not completely unreadable,
* but it's not ss991029. Try ss990915;
* there are no other types to try after that,
* so we put the seek pointer back and treat
* it as 990915.
*/
wth->file_type = WTAP_FILE_PCAP_SS990915;
if (file_seek(wth->fh, first_packet_offset, SEEK_SET, err) == -1) {
return -1;
}
} else {
/*
* Well, we have the standard magic number.
*
* Try the standard format first.
*/
if(wth->tsprecision == WTAP_FILE_TSPREC_NSEC) {
wth->file_type = WTAP_FILE_PCAP_NSEC;
} else {
wth->file_type = WTAP_FILE_PCAP;
}
first_packet_offset = file_tell(wth->fh);
switch (libpcap_try(wth, err)) {
case BAD_READ:
/*
* Well, we couldn't even read it.
* Give up.
*/
return -1;
case THIS_FORMAT:
/*
* Well, it looks as if it might be a standard
* libpcap file.
* Put the seek pointer back, and finish.
*/
if (file_seek(wth->fh, first_packet_offset, SEEK_SET, err) == -1) {
return -1;
}
goto done;
case OTHER_FORMAT:
/*
* Try the next format.
*/
break;
}
/*
* Well, it's not completely unreadable, but it's not
* a standard file. Put the seek pointer back and try
* ss990417.
*/
wth->file_type = WTAP_FILE_PCAP_SS990417;
if (file_seek(wth->fh, first_packet_offset, SEEK_SET, err) == -1) {
return -1;
}
switch (libpcap_try(wth, err)) {
case BAD_READ:
/*
* Well, we couldn't even read it.
* Give up.
*/
return -1;
case THIS_FORMAT:
/*
* Well, it looks as if it might be ss990417.
* Put the seek pointer back, and finish.
*/
if (file_seek(wth->fh, first_packet_offset, SEEK_SET, err) == -1) {
return -1;
}
goto done;
case OTHER_FORMAT:
/*
* Try the next format.
*/
break;
}
/*
* Well, it's not completely unreadable,
* but it's not a standard file *nor* is it ss990417.
* Try it as a Nokia file; there are no other types
* to try after that, so we put the seek pointer back
* and treat it as a Nokia file.
*/
wth->file_type = WTAP_FILE_PCAP_NOKIA;
if (file_seek(wth->fh, first_packet_offset, SEEK_SET, err) == -1) {
return -1;
}
}
done:
/*
* We treat a DLT_ value of 13 specially - it appears that in
* Nokia libpcap format, it's some form of ATM with what I
* suspect is a pseudo-header (even though Nokia's IPSO is
* based on FreeBSD, which #defines DLT_SLIP_BSDOS as 13).
*
* If this is a Nokia capture, treat 13 as WTAP_ENCAP_ATM_PDUS,
* rather than as what we normally treat it.
*/
if (wth->file_type == WTAP_FILE_PCAP_NOKIA && hdr.network == 13)
wth->file_encap = WTAP_ENCAP_ATM_PDUS;
if (wth->file_encap == WTAP_ENCAP_ERF) {
/*
* Populate set of interface IDs for ERF format.
* Currently, this *has* to be done at open time.
*/
erf_populate_interfaces(wth);
}
return 1;
}
/* Seeks to the beginning of the next packet, and returns the
byte offset at which the header for that packet begins.
Returns -1 on failure. */
static gint64 ascend_seek(wtap *wth, int *err, gchar **err_info)
{
int byte;
gint64 date_off = -1, cur_off, packet_off;
size_t string_level[ASCEND_MAGIC_STRINGS];
guint string_i = 0, type = 0;
static const gchar ascend_date[] = ASCEND_DATE;
size_t ascend_date_len = sizeof ascend_date - 1; /* strlen of a constant string */
size_t ascend_date_string_level;
guint excessive_read_count = 262144;
memset(&string_level, 0, sizeof(string_level));
ascend_date_string_level = 0;
while (((byte = file_getc(wth->fh)) != EOF)) {
excessive_read_count--;
if (!excessive_read_count) {
*err = 0;
return -1;
}
/*
* See whether this is the string_level[string_i]th character of
* Ascend magic string string_i.
*/
for (string_i = 0; string_i < ASCEND_MAGIC_STRINGS; string_i++) {
const gchar *strptr = ascend_magic[string_i].strptr;
size_t len = ascend_magic[string_i].strlength;
if (byte == *(strptr + string_level[string_i])) {
/*
* Yes, it is, so we need to check for the next character of
* that string.
*/
string_level[string_i]++;
/*
* Have we matched the entire string?
*/
if (string_level[string_i] >= len) {
/*
* Yes.
*/
cur_off = file_tell(wth->fh);
if (cur_off == -1) {
/* Error. */
*err = file_error(wth->fh, err_info);
return -1;
}
/* We matched some other type of header. */
if (date_off == -1) {
/* We haven't yet seen a date header, so this packet
doesn't have one.
Back up over the header we just read; that's where a read
of this packet should start. */
packet_off = cur_off - len;
} else {
/* This packet has a date/time header; a read of it should
start at the beginning of *that* header. */
packet_off = date_off;
}
type = ascend_magic[string_i].type;
goto found;
}
} else {
/*
* Not a match for this string, so reset the match process.
*/
string_level[string_i] = 0;
}
}
/*
* See whether this is the date_string_level'th character of
* ASCEND_DATE.
*/
if (byte == *(ascend_date + ascend_date_string_level)) {
/*
* Yes, it is, so we need to check for the next character of
* that string.
*/
ascend_date_string_level++;
/*
* Have we matched the entire string?
*/
if (ascend_date_string_level >= ascend_date_len) {
/* We matched a Date: header. It's a special case;
remember the offset, but keep looking for other
headers.
Reset the amount of Date: header that we've matched,
so that we start the process of matching a Date:
header all over again.
XXX - what if we match multiple Date: headers before
matching some other header? */
cur_off = file_tell(wth->fh);
if (cur_off == -1) {
/* Error. */
*err = file_error(wth->fh, err_info);
return -1;
}
date_off = cur_off - ascend_date_len;
ascend_date_string_level = 0;
}
} else {
/*
* Not a match for the Date: string, so reset the match process.
*/
ascend_date_string_level = 0;
}
}
*err = file_error(wth->fh, err_info);
return -1;
found:
/*
* Move to where the read for this packet should start, and return
* that seek offset.
*/
if (file_seek(wth->fh, packet_off, SEEK_SET, err) == -1)
return -1;
wth->phdr.pseudo_header.ascend.type = type;
return packet_off;
}
static gboolean etherpeek_read_v56(wtap *wth, int *err, gchar **err_info,
gint64 *data_offset)
{
etherpeek_t *etherpeek = (etherpeek_t *)wth->priv;
guint8 ep_pkt[ETHERPEEK_V56_PKT_SIZE];
guint16 length;
guint16 sliceLength;
#if 0
guint8 flags;
guint8 status;
#endif
guint32 timestamp;
#if 0
guint16 destNum;
guint16 srcNum;
#endif
guint16 protoNum;
char protoStr[8];
unsigned int i;
/*
* XXX - in order to figure out whether this packet is an
* Ethernet packet or not, we have to look at the packet
* header, so we have to remember the address of the header,
* not the address of the data, for random access.
*
* If we can determine that from the file header, rather than
* the packet header, we can remember the offset of the data,
* and not have the seek_read routine read the header.
*/
*data_offset = file_tell(wth->fh);
wtap_file_read_expected_bytes(ep_pkt, sizeof(ep_pkt), wth->fh, err,
err_info);
/* Extract the fields from the packet */
length = pntohs(&ep_pkt[ETHERPEEK_V56_LENGTH_OFFSET]);
sliceLength = pntohs(&ep_pkt[ETHERPEEK_V56_SLICE_LENGTH_OFFSET]);
#if 0
flags = ep_pkt[ETHERPEEK_V56_FLAGS_OFFSET];
status = ep_pkt[ETHERPEEK_V56_STATUS_OFFSET];
#endif
timestamp = pntohl(&ep_pkt[ETHERPEEK_V56_TIMESTAMP_OFFSET]);
#if 0
destNum = pntohs(&ep_pkt[ETHERPEEK_V56_DESTNUM_OFFSET]);
srcNum = pntohs(&ep_pkt[ETHERPEEK_V56_SRCNUM_OFFSET]);
#endif
protoNum = pntohs(&ep_pkt[ETHERPEEK_V56_PROTONUM_OFFSET]);
memcpy(protoStr, &ep_pkt[ETHERPEEK_V56_PROTOSTR_OFFSET],
sizeof protoStr);
/*
* XXX - is the captured packet data padded to a multiple
* of 2 bytes?
*/
/* force sliceLength to be the actual length of the packet */
if (0 == sliceLength) {
sliceLength = length;
}
/* read the frame data */
buffer_assure_space(wth->frame_buffer, sliceLength);
wtap_file_read_expected_bytes(buffer_start_ptr(wth->frame_buffer),
sliceLength, wth->fh, err, err_info);
/* fill in packet header values */
wth->phdr.len = length;
wth->phdr.caplen = sliceLength;
/* timestamp is in milliseconds since reference_time */
wth->phdr.ts.secs = etherpeek->reference_time.tv_sec
+ (timestamp / 1000);
wth->phdr.ts.nsecs = 1000 * (timestamp % 1000) * 1000;
wth->phdr.pkt_encap = WTAP_ENCAP_UNKNOWN;
for (i=0; i<NUM_ETHERPEEK_ENCAPS; i++) {
if (etherpeek_encap[i].protoNum == protoNum) {
wth->phdr.pkt_encap = etherpeek_encap[i].encap;
}
}
switch (wth->phdr.pkt_encap) {
case WTAP_ENCAP_ETHERNET:
/* We assume there's no FCS in this frame. */
wth->pseudo_header.eth.fcs_len = 0;
break;
}
return TRUE;
}
static gint detect_version(wtap *wth, int *err, gchar **err_info)
{
gint bytes_read;
guint16 payload_length;
guint16 try_header_size;
guint8 *buffer;
gint64 file_offset;
guint32 log_length;
guint32 tag_length;
guint16 tmp;
file_offset = file_tell(wth->fh);
bytes_read = file_read(&tmp, 2, wth->fh);
if (bytes_read != 2) {
*err = file_error(wth->fh, err_info);
if (*err == 0 && bytes_read != 0)
*err = WTAP_ERR_SHORT_READ;
return -1;
}
payload_length = pletoh16(&tmp);
bytes_read = file_read(&tmp, 2, wth->fh);
if (bytes_read != 2) {
*err = file_error(wth->fh, err_info);
if (*err == 0 && bytes_read != 0)
*err = WTAP_ERR_SHORT_READ;
return -1;
}
try_header_size = pletoh16(&tmp);
buffer = (guint8 *) g_malloc(5 * 4 + payload_length);
bytes_read = file_read(buffer, 5 * 4 + payload_length, wth->fh);
if (bytes_read != 5 * 4 + payload_length) {
if (bytes_read != 4 * 4 + payload_length) {
*err = file_error(wth->fh, err_info);
if (*err == 0 && bytes_read != 0)
*err = WTAP_ERR_SHORT_READ;
g_free(buffer);
return -1;
}
}
if (try_header_size == 24) {
tag_length = (guint32)strlen(buffer + 5 * 4 + 1) + 1;
log_length = (guint32)strlen(buffer + 5 * 4 + 1 + tag_length) + 1;
if (payload_length == 1 + tag_length + log_length) {
g_free(buffer);
return 2;
}
}
tag_length = (guint32)strlen(buffer + 4 * 4 + 1) + 1;
log_length = (guint32)strlen(buffer + 4 * 4 + 1 + tag_length) + 1;
if (payload_length == 1 + tag_length + log_length) {
if (file_seek(wth->fh, file_offset + 4 * 4 + 1 + tag_length + log_length, SEEK_SET, err) == -1) {
g_free(buffer);
return -1;
}
g_free(buffer);
return 1;
}
g_free(buffer);
return 0;
}
#include <stdlib.h>
#include <string.h>
#include <time.h>
#define PES_PREFIX 1
#define PES_VALID(n) (((n) >> 8 & 0xffffff) == PES_PREFIX)
typedef struct {
struct wtap_nstime now;
time_t t0;
} mpeg_t;
static int
mpeg_resync(wtap *wth, int *err, gchar **err_info _U_)
{
gint64 offset = file_tell(wth->fh);
int count = 0;
int byte = file_getc(wth->fh);
while (byte != EOF) {
if (byte == 0xff && count > 0) {
byte = file_getc(wth->fh);
if (byte != EOF && (byte & 0xe0) == 0xe0)
break;
} else
byte = file_getc(wth->fh);
count++;
}
if (file_seek(wth->fh, offset, SEEK_SET, err) == -1)
return 0;
return count;
/* Read the next packet */
static gboolean netmon_read(wtap *wth, int *err, gchar **err_info,
gint64 *data_offset)
{
netmon_t *netmon = (netmon_t *)wth->priv;
guint32 packet_size = 0;
guint32 orig_size = 0;
int bytes_read;
union {
struct netmonrec_1_x_hdr hdr_1_x;
struct netmonrec_2_x_hdr hdr_2_x;
} hdr;
int hdr_size = 0;
int trlr_size;
gint64 rec_offset;
guint8 *data_ptr;
gint64 delta = 0; /* signed - frame times can be before the nominal start */
gint64 t;
time_t secs;
guint32 nsecs;
again:
/* Have we reached the end of the packet data? */
if (netmon->current_frame >= netmon->frame_table_size) {
/* Yes. We won't need the frame table any more;
free it. */
g_free(netmon->frame_table);
netmon->frame_table = NULL;
*err = 0; /* it's just an EOF, not an error */
return FALSE;
}
/* Seek to the beginning of the current record, if we're
not there already (seeking to the current position
may still cause a seek and a read of the underlying file,
so we don't want to do it unconditionally).
Yes, the current record could be before the previous
record. At least some captures put the trailer record
with statistics as the first physical record in the
file, but set the frame table up so it's the last
record in sequence. */
rec_offset = netmon->frame_table[netmon->current_frame];
if (file_tell(wth->fh) != rec_offset) {
if (file_seek(wth->fh, rec_offset, SEEK_SET, err) == -1)
return FALSE;
}
netmon->current_frame++;
/* Read record header. */
switch (netmon->version_major) {
case 1:
hdr_size = sizeof (struct netmonrec_1_x_hdr);
break;
case 2:
hdr_size = sizeof (struct netmonrec_2_x_hdr);
break;
}
errno = WTAP_ERR_CANT_READ;
bytes_read = file_read(&hdr, hdr_size, wth->fh);
if (bytes_read != hdr_size) {
*err = file_error(wth->fh, err_info);
if (*err == 0 && bytes_read != 0) {
*err = WTAP_ERR_SHORT_READ;
}
return FALSE;
}
switch (netmon->version_major) {
case 1:
orig_size = pletohs(&hdr.hdr_1_x.orig_len);
packet_size = pletohs(&hdr.hdr_1_x.incl_len);
break;
case 2:
orig_size = pletohl(&hdr.hdr_2_x.orig_len);
packet_size = pletohl(&hdr.hdr_2_x.incl_len);
break;
}
if (packet_size > WTAP_MAX_PACKET_SIZE) {
/*
* Probably a corrupt capture file; don't blow up trying
* to allocate space for an immensely-large packet.
*/
*err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup_printf("netmon: File has %u-byte packet, bigger than maximum of %u",
packet_size, WTAP_MAX_PACKET_SIZE);
return FALSE;
}
*data_offset = file_tell(wth->fh);
/*
* If this is an ATM packet, the first
* "sizeof (struct netmon_atm_hdr)" bytes have destination and
* source addresses (6 bytes - MAC addresses of some sort?)
* and the VPI and VCI; read them and generate the pseudo-header
* from them.
*/
switch (wth->file_encap) {
case WTAP_ENCAP_ATM_PDUS:
if (packet_size < sizeof (struct netmon_atm_hdr)) {
/*
* Uh-oh, the packet isn't big enough to even
* have a pseudo-header.
*/
*err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup_printf("netmon: ATM file has a %u-byte packet, too small to have even an ATM pseudo-header",
packet_size);
return FALSE;
}
if (!netmon_read_atm_pseudoheader(wth->fh, &wth->phdr.pseudo_header,
err, err_info))
return FALSE; /* Read error */
/*
* Don't count the pseudo-header as part of the packet.
*/
orig_size -= (guint)sizeof (struct netmon_atm_hdr);
packet_size -= (guint)sizeof (struct netmon_atm_hdr);
break;
default:
break;
}
buffer_assure_space(wth->frame_buffer, packet_size);
data_ptr = buffer_start_ptr(wth->frame_buffer);
if (!netmon_read_rec_data(wth->fh, data_ptr, packet_size, err,
err_info))
return FALSE; /* Read error */
switch (netmon->version_major) {
case 1:
/*
* According to Paul Long, this offset is unsigned.
* It's 32 bits, so the maximum value will fit in
* a gint64 such as delta, even after multiplying
* it by 1000000.
*
* pletohl() returns a guint32; we cast it to gint64
* before multiplying, so that the product doesn't
* overflow a guint32.
*/
delta = ((gint64)pletohl(&hdr.hdr_1_x.ts_delta))*1000000;
break;
case 2:
/*
* OK, this is weird. Microsoft's documentation
* says this is in microseconds and is a 64-bit
* unsigned number, but it can be negative; they
* say what appears to amount to "treat it as an
* unsigned number, multiply it by 10, and then
* interpret the resulting 64-bit quantity as a
* signed number". That operation can turn a
* value with the uppermost bit 0 to a value with
* the uppermost bit 1, hence turning a large
* positive number-of-microseconds into a small
* negative number-of-100-nanosecond-increments.
*/
delta = pletohll(&hdr.hdr_2_x.ts_delta)*10;
/*
* OK, it's now a signed value in 100-nanosecond
* units. Now convert it to nanosecond units.
*/
delta *= 100;
break;
}
secs = 0;
t = netmon->start_nsecs + delta;
while (t < 0) {
/*
* Propagate a borrow into the seconds.
* The seconds is a time_t, and can be < 0
* (unlikely, as Windows didn't exist before
* January 1, 1970, 00:00:00 UTC), while the
* nanoseconds should be positive, as in
* "nanoseconds since the instant of time
* represented by the seconds".
*
* We do not want t to be negative, as, according
* to the C90 standard, "if either operand [of /
* or %] is negative, whether the result of the
* / operator is the largest integer less than or
* equal to the algebraic quotient or the smallest
* greater than or equal to the algebraic quotient
* is implementation-defined, as is the sign of
* the result of the % operator", and we want
* the result of the division and remainder
* operations to be the same on all platforms.
*/
t += 1000000000;
secs--;
}
secs += (time_t)(t/1000000000);
nsecs = (guint32)(t%1000000000);
wth->phdr.presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
wth->phdr.ts.secs = netmon->start_secs + secs;
wth->phdr.ts.nsecs = nsecs;
wth->phdr.caplen = packet_size;
wth->phdr.len = orig_size;
/*
* For version 2.1 and later, there's additional information
* after the frame data.
*/
trlr_size = (int)netmon_trailer_size(netmon);
if (trlr_size != 0) {
/*
* I haz a trailer.
*/
wth->phdr.pkt_encap = netmon_read_rec_trailer(wth->fh,
trlr_size, err, err_info);
if (wth->phdr.pkt_encap == -1)
return FALSE; /* error */
if (wth->phdr.pkt_encap == 0)
goto again;
netmon_set_pseudo_header_info(wth->phdr.pkt_encap,
&wth->phdr.pseudo_header, data_ptr, packet_size);
} else {
netmon_set_pseudo_header_info(wth->file_encap,
&wth->phdr.pseudo_header, data_ptr, packet_size);
}
return TRUE;
}
/* Read the next packet */
static gboolean libpcap_read(wtap *wth, int *err, gchar **err_info,
gint64 *data_offset)
{
struct pcaprec_ss990915_hdr hdr;
guint packet_size;
guint orig_size;
int bytes_read;
guint8 fddi_padding[3];
int phdr_len;
libpcap_t *libpcap;
bytes_read = libpcap_read_header(wth, err, err_info, &hdr);
if (bytes_read == -1) {
/*
* We failed to read the header.
*/
return FALSE;
}
packet_size = hdr.hdr.incl_len;
orig_size = hdr.hdr.orig_len;
/*
* AIX appears to put 3 bytes of padding in front of FDDI
* frames; strip that crap off.
*/
if (wth->file_type == WTAP_FILE_PCAP_AIX &&
(wth->file_encap == WTAP_ENCAP_FDDI ||
wth->file_encap == WTAP_ENCAP_FDDI_BITSWAPPED)) {
/*
* The packet size is really a record size and includes
* the padding.
*/
packet_size -= 3;
orig_size -= 3;
/*
* Read the padding.
*/
if (!libpcap_read_rec_data(wth->fh, fddi_padding, 3, err,
err_info))
return FALSE; /* Read error */
}
*data_offset = file_tell(wth->fh);
libpcap = (libpcap_t *)wth->priv;
phdr_len = pcap_process_pseudo_header(wth->fh, wth->file_type,
wth->file_encap, packet_size, TRUE, &wth->phdr,
&wth->phdr.pseudo_header, err, err_info);
if (phdr_len < 0)
return FALSE; /* error */
/*
* Don't count any pseudo-header as part of the packet.
*/
orig_size -= phdr_len;
packet_size -= phdr_len;
buffer_assure_space(wth->frame_buffer, packet_size);
if (!libpcap_read_rec_data(wth->fh, buffer_start_ptr(wth->frame_buffer),
packet_size, err, err_info))
return FALSE; /* Read error */
wth->phdr.presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
/* Update the Timestamp, if not already done */
if (wth->file_encap != WTAP_ENCAP_ERF) {
wth->phdr.ts.secs = hdr.hdr.ts_sec;
if(wth->tsprecision == WTAP_FILE_TSPREC_NSEC) {
wth->phdr.ts.nsecs = hdr.hdr.ts_usec;
} else {
wth->phdr.ts.nsecs = hdr.hdr.ts_usec * 1000;
}
} else {
/* Set interface ID for ERF format */
wth->phdr.presence_flags |= WTAP_HAS_INTERFACE_ID;
wth->phdr.interface_id = wth->phdr.pseudo_header.erf.phdr.flags & 0x03;
}
wth->phdr.caplen = packet_size;
wth->phdr.len = orig_size;
pcap_read_post_process(wth->file_type, wth->file_encap,
&wth->phdr.pseudo_header, buffer_start_ptr(wth->frame_buffer),
wth->phdr.caplen, libpcap->byte_swapped, -1);
return TRUE;
}
/* Parses a record. */
static gboolean
read_eyesdn_rec(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err,
gchar **err_info)
{
union wtap_pseudo_header *pseudo_header = &rec->rec_header.packet_header.pseudo_header;
guint8 hdr[EYESDN_HDR_LENGTH];
time_t secs;
int usecs;
int pkt_len;
guint8 channel, direction;
guint8 *pd;
/* Our file pointer should be at the summary information header
* for a packet. Read in that header and extract the useful
* information.
*/
if (!esc_read(fh, hdr, EYESDN_HDR_LENGTH, err, err_info))
return FALSE;
/* extract information from header */
usecs = pntoh24(&hdr[0]);
#ifdef TV64BITS
secs = hdr[3];
#else
secs = 0;
#endif
secs = (secs << 8) | hdr[4];
secs = (secs << 8) | hdr[5];
secs = (secs << 8) | hdr[6];
secs = (secs << 8) | hdr[7];
channel = hdr[8];
direction = hdr[9];
pkt_len = pntoh16(&hdr[10]);
switch(direction >> 1) {
default:
case EYESDN_ENCAP_ISDN: /* ISDN */
pseudo_header->isdn.uton = direction & 1;
pseudo_header->isdn.channel = channel;
if(channel) { /* bearer channels */
rec->rec_header.packet_header.pkt_encap = WTAP_ENCAP_ISDN; /* recognises PPP */
pseudo_header->isdn.uton=!pseudo_header->isdn.uton; /* bug */
} else { /* D channel */
rec->rec_header.packet_header.pkt_encap = WTAP_ENCAP_ISDN;
}
break;
case EYESDN_ENCAP_MSG: /* Layer 1 message */
rec->rec_header.packet_header.pkt_encap = WTAP_ENCAP_LAYER1_EVENT;
pseudo_header->l1event.uton = (direction & 1);
break;
case EYESDN_ENCAP_LAPB: /* X.25 via LAPB */
rec->rec_header.packet_header.pkt_encap = WTAP_ENCAP_LAPB;
pseudo_header->dte_dce.flags = (direction & 1) ? 0 : 0x80;
break;
case EYESDN_ENCAP_ATM: { /* ATM cells */
#define CELL_LEN 53
unsigned char cell[CELL_LEN];
gint64 cur_off;
if(pkt_len != CELL_LEN) {
*err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup_printf(
"eyesdn: ATM cell has a length != 53 (%u)",
pkt_len);
return FALSE;
}
cur_off = file_tell(fh);
if (!esc_read(fh, cell, CELL_LEN, err, err_info))
return FALSE;
if (file_seek(fh, cur_off, SEEK_SET, err) == -1)
return FALSE;
rec->rec_header.packet_header.pkt_encap = WTAP_ENCAP_ATM_PDUS_UNTRUNCATED;
pseudo_header->atm.flags=ATM_RAW_CELL;
pseudo_header->atm.aal=AAL_UNKNOWN;
pseudo_header->atm.type=TRAF_UMTS_FP;
pseudo_header->atm.subtype=TRAF_ST_UNKNOWN;
pseudo_header->atm.vpi=((cell[0]&0xf)<<4) + (cell[0]&0xf);
pseudo_header->atm.vci=((cell[0]&0xf)<<4) + cell[0]; /* from cell */
pseudo_header->atm.channel=direction & 1;
}
break;
case EYESDN_ENCAP_MTP2: /* SS7 frames */
pseudo_header->mtp2.sent = direction & 1;
pseudo_header->mtp2.annex_a_used = MTP2_ANNEX_A_USED_UNKNOWN;
pseudo_header->mtp2.link_number = channel;
rec->rec_header.packet_header.pkt_encap = WTAP_ENCAP_MTP2_WITH_PHDR;
break;
case EYESDN_ENCAP_DPNSS: /* DPNSS */
pseudo_header->isdn.uton = direction & 1;
pseudo_header->isdn.channel = channel;
rec->rec_header.packet_header.pkt_encap = WTAP_ENCAP_DPNSS;
break;
case EYESDN_ENCAP_DASS2: /* DASS2 frames */
pseudo_header->isdn.uton = direction & 1;
pseudo_header->isdn.channel = channel;
rec->rec_header.packet_header.pkt_encap = WTAP_ENCAP_DPNSS;
break;
case EYESDN_ENCAP_BACNET: /* BACNET async over HDLC frames */
pseudo_header->isdn.uton = direction & 1;
pseudo_header->isdn.channel = channel;
rec->rec_header.packet_header.pkt_encap = WTAP_ENCAP_BACNET_MS_TP_WITH_PHDR;
break;
case EYESDN_ENCAP_V5_EF: /* V5EF */
pseudo_header->isdn.uton = direction & 1;
pseudo_header->isdn.channel = channel;
rec->rec_header.packet_header.pkt_encap = WTAP_ENCAP_V5_EF;
break;
}
if(pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) {
*err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup_printf("eyesdn: File has %u-byte packet, bigger than maximum of %u",
pkt_len, WTAP_MAX_PACKET_SIZE_STANDARD);
return FALSE;
}
rec->rec_type = REC_TYPE_PACKET;
rec->presence_flags = WTAP_HAS_TS;
rec->ts.secs = secs;
rec->ts.nsecs = usecs * 1000;
rec->rec_header.packet_header.caplen = pkt_len;
rec->rec_header.packet_header.len = pkt_len;
/* Make sure we have enough room for the packet */
ws_buffer_assure_space(buf, pkt_len);
pd = ws_buffer_start_ptr(buf);
if (!esc_read(fh, pd, pkt_len, err, err_info))
return FALSE;
return TRUE;
}
/* Read the next packet */
static gboolean netmon_read(wtap *wth, int *err, gchar **err_info,
gint64 *data_offset)
{
netmon_t *netmon = (netmon_t *)wth->priv;
gint64 rec_offset;
again:
/* Have we reached the end of the packet data? */
if (netmon->current_frame >= netmon->frame_table_size) {
/* Yes. We won't need the frame table any more;
free it. */
g_free(netmon->frame_table);
netmon->frame_table = NULL;
*err = 0; /* it's just an EOF, not an error */
return FALSE;
}
/* Seek to the beginning of the current record, if we're
not there already (seeking to the current position
may still cause a seek and a read of the underlying file,
so we don't want to do it unconditionally).
Yes, the current record could be before the previous
record. At least some captures put the trailer record
with statistics as the first physical record in the
file, but set the frame table up so it's the last
record in sequence. */
rec_offset = netmon->frame_table[netmon->current_frame];
if (file_tell(wth->fh) != rec_offset) {
if (file_seek(wth->fh, rec_offset, SEEK_SET, err) == -1)
return FALSE;
}
netmon->current_frame++;
*data_offset = file_tell(wth->fh);
if (!netmon_process_rec_header(wth, wth->fh, &wth->phdr,
err, err_info))
return FALSE;
if (!wtap_read_packet_bytes(wth->fh, wth->frame_buffer,
wth->phdr.caplen, err, err_info))
return FALSE; /* Read error */
/*
* For version 2.1 and later, there's additional information
* after the frame data.
*/
switch (netmon_process_rec_trailer(netmon, wth->fh, &wth->phdr,
err, err_info)) {
case RETRY:
goto again;
case SUCCESS:
break;
case FAILURE:
return FALSE;
}
netmon_set_pseudo_header_info(wth->phdr.pkt_encap, &wth->phdr,
wth->frame_buffer);
return TRUE;
}
/* Read the next packet */
static gboolean capsa_read(wtap *wth, int *err, gchar **err_info,
gint64 *data_offset)
{
capsa_t *capsa = (capsa_t *)wth->priv;
guint32 frame_within_block;
int padbytes;
if (capsa->frame_count == capsa->number_of_frames) {
/*
* No more frames left. Return an EOF.
*/
*err = 0;
return FALSE;
}
frame_within_block = capsa->frame_count % N_RECORDS_PER_GROUP;
if (frame_within_block == 0) {
/*
* Here's a record offset block.
* Get the offset of the block, and then skip the
* first byte.
*/
capsa->base_offset = file_tell(wth->fh);
if (!file_skip(wth->fh, 1, err))
return FALSE;
/*
* Now read the record offsets.
*/
if (!wtap_read_bytes(wth->fh, &capsa->record_offsets,
sizeof capsa->record_offsets, err, err_info))
return FALSE;
/*
* And finish processing all 805 bytes by skipping
* the last 4 bytes.
*/
if (!file_skip(wth->fh, 4, err))
return FALSE;
}
*data_offset = capsa->base_offset +
GUINT32_FROM_LE(capsa->record_offsets[frame_within_block]);
if (!file_seek(wth->fh, *data_offset, SEEK_SET, err))
return FALSE;
padbytes = capsa_read_packet(wth, wth->fh, &wth->phdr,
wth->frame_buffer, err, err_info);
if (padbytes == -1)
return FALSE;
/*
* Skip over the padding, if any.
*/
if (padbytes != 0) {
if (!file_skip(wth->fh, padbytes, err))
return FALSE;
}
capsa->frame_count++;
return TRUE;
}
int main(l4_threadid_t tasksvr, int taskobj)
{
CORBA_Environment env = idl4_default_environment;
l4_threadid_t rootsvr, memsvr;
int rootobj, memobj;
int x,y,z;
unsigned int dummyint;
l4_threadid_t mypagerid, dummyid, t;
char *buf;
myid = l4_myself();
printf("Test client started (%X), ",myid.raw);
dummyid = mypagerid = L4_INVALID_ID;dummyint=0xFFFFFFFF;
l4_thread_ex_regs(myid, 0xffffffff, 0xffffffff, &dummyid, &mypagerid,
&dummyint, &dummyint, &dummyint);
printf("pager is %X\n\n",mypagerid.raw);
dummyid = mypagerid = L4_INVALID_ID;
l4_thread_ex_regs(myid, 0xffffffff, 0xffffffff, &dummyid, &mypagerid,
&dummyint, &dummyint, &dummyint);
printf("========================== chacmOS tester V1.00 ==========================\n");
printf(" T01 task object is <%Xh,%d>\n",tasksvr.raw,taskobj);
if (generic_implements(tasksvr,taskobj,sizeof(api_task)/sizeof(int),(sdword*)&api_task,&env)!=ESUCCESS)
fail("task server does not implement generic or task api");
if (task_get_root(tasksvr,taskobj,&rootsvr,&rootobj,&env)!=ESUCCESS)
fail("cannot get root from task server");
printf(" T02 root is <%Xh,%d>\n",rootsvr.raw,rootobj);
if (generic_implements(rootsvr,rootobj,sizeof(api_directory)/sizeof(int),(sdword*)&api_directory,&env)!=ESUCCESS)
fail("root does not implement generic or file or directory api");
if (task_get_memory(tasksvr,taskobj,&memsvr,&memobj,&env)!=ESUCCESS)
fail("cannot get memory object from task server");
printf(" T03 this task's memory object is <%Xh,%d>\n",memsvr.raw,memobj);
if (generic_implements(memsvr,memobj,sizeof(api_memory)/sizeof(int),(sdword*)&api_memory,&env)!=ESUCCESS)
fail("memory server does not implement generic or memory api");
if (memory_get_pagerid(memsvr,memobj,&x,&env)!=ESUCCESS)
fail("memory server won't tell me my pager id");
if (x!=(int)mypagerid.raw)
fail("my pager id does not match the memory server");
if (task_get_cmdline(tasksvr,taskobj,&x,&buf,&env)!=ESUCCESS)
fail("cannot read my command line");
printf(" T04 my command line is '%s'\n",buf);
CORBA_free(buf);
if (task_get_threadid(tasksvr,taskobj,&t,&env)!=ESUCCESS)
fail("task server won't tell me my thread id");
if (t != myid)
fail("task server lied about my thread id");
if (file_open(rootsvr,rootobj,0,&env)!=ESUCCESS)
fail("cannot open root directory");
if (file_tell(rootsvr,rootobj,&x,&env)!=ESUCCESS)
fail("cannot get file pointer position");
if (x!=0)
fail("file pointer is not reset upon open");
if (file_seek(rootsvr,rootobj,-1,&env)!=ESUCCESS)
fail("cannot set file pointer to end of file");
if (file_tell(rootsvr,rootobj,&x,&env)!=ESUCCESS)
fail("cannot get file pointer position (second time)");
if (file_seek(rootsvr,rootobj,0,&env)!=ESUCCESS)
fail("cannot set file pointer to beginning of file");
printf(" N01 root directory has %d bytes\n",x);
if (x>79) x=79;
y=file_read(rootsvr,rootobj,x,&z,&buf,&env);
if (y<=0)
{
printf("err code %d\n",y);
fail("cannot read root directory");
}
if (z!=y)
fail("return value of open() and data length don't match");
if (z!=x)
fail("cannot read all of root directory");
buf[z]=0;
printf(" N02 files contained: (");
x=0;
while (z>0)
{
printf("'%s'",&buf[x]);
while (buf[x++]) z--;
}
printf(")\n");
if (file_close(rootsvr,rootobj,&env)!=ESUCCESS)
fail("cannot close root directory\n");
CORBA_free(buf);
printf("\n");
#ifdef TEST_FILESVR
handle_t fatfs, dev, hda;
if (directory_resolve(rootsvr,rootobj,3,"dev",&dev.svr,&dev.obj,&env)!=ESUCCESS)
fail("cannot find /dev");
if (generic_implements(dev.svr,dev.obj,sizeof(api_directory)/sizeof(int),(sdword*)&api_directory,&env)!=ESUCCESS)
fail("/dev does not implement directory or file or generic api");
if (directory_resolve(dev.svr,dev.obj,3,"hda",&hda.svr,&hda.obj,&env)!=ESUCCESS)
fail("cannot find /dev/hda");
if (generic_implements(hda.svr,hda.obj,sizeof(api_block)/sizeof(int),(sdword*)&api_block,&env)!=ESUCCESS)
fail("/dev/hda does not implement block or generic api");
printf(" F01 found /dev/hda at <%X,%d>\n",hda.svr.raw,hda.obj);
if (directory_resolve(dev.svr,dev.obj,5,"fatfs",&fatfs.svr,&fatfs.obj,&env)!=ESUCCESS)
fail("cannot find /dev/fatfs");
if (generic_implements(fatfs.svr,fatfs.obj,sizeof(api_filesys)/sizeof(int),(sdword*)&api_filesys,&env)!=ESUCCESS)
fail("/dev/fatfs does not implement filesystem or generic api");
printf(" F02 located /dev/fatfs at <%X,%d>\n",hda.svr.raw,hda.obj);
if (filesystem_mount(fatfs.svr,fatfs.obj,&hda.svr,hda.obj,&env)!=ESUCCESS)
fail("cannot mount /dev/hda into /dev/fatfs");
printf(" F03 mounted filesystem\n");
x=79;
y=file_read(fatfs.svr,fatfs.obj,x,&z,&buf,&env);
if (y<=0)
fail("cannot read root directory of /dev/fatfs");
if (z>79) z=79;
buf[z]=0;
printf(" N02 files contained: (");
x=0;
while (z>0)
{
printf("'%s'",&buf[x]);
while (buf[x++]) z--;
}
printf(")\n");
if (file_close(fatfs.svr,fatfs.obj,&env)!=ESUCCESS)
fail("cannot close root directory of /dev/fatfs\n");
CORBA_free(buf);
printf("\n");
#endif /*TEST_FILESVR*/
#ifdef TEST_BLOCKDEVICE
int capacity, blksize, size;
if (directory_resolve(rootsvr,rootobj,3,"dev",&dev.svr,&dev.obj,&env)!=ESUCCESS)
fail("cannot find /dev");
if (generic_implements(dev.svr,dev.obj,sizeof(api_directory)/sizeof(int),(sdword*)&api_directory,&env)!=ESUCCESS)
fail("/dev does not implement directory or file or generic api");
if (directory_resolve(dev.svr,dev.obj,3,"hda",&hda.svr,&hda.obj,&env)!=ESUCCESS)
fail("cannot find /dev/hda");
if (generic_implements(hda.svr,hda.obj,sizeof(api_block)/sizeof(int),(sdword*)&api_block,&env)!=ESUCCESS)
fail("/dev/hda does not implement block or generic api");
printf(" B01 found /dev/hda at <%X,%d>\n",hda.svr.raw,hda.obj);
if (block_get_capacity(hda.svr,hda.obj,&capacity,&env)!=ESUCCESS)
fail("/dev/hda won't tell me its capacity");
if (block_get_blocksize(hda.svr,hda.obj,&blksize,&env)!=ESUCCESS)
fail("/dev/hda won't tell me its block size");
printf(" B02 device reports %d blocks of %d bytes each (%dk)\n",capacity,blksize,(capacity*blksize)/1024);
if (block_read(hda.svr,hda.obj,1,1,&size,&buf,&env)!=ESUCCESS)
fail("cannot read block 1 of /dev/hda");
buf[10]=0;
printf(" B03 block 1 reads '%s'\n",buf);
strcpy((char*)&buf[3],"Variatio delectat");
if (block_write(hda.svr,hda.obj,1,1,21,buf,&env)!=ESUCCESS)
fail("cannot write block 1 of /dev/hda");
CORBA_free(buf);
if (block_read(hda.svr,hda.obj,1,1,&size,&buf,&env)!=ESUCCESS)
fail("cannot reread block 1 of /dev/hda");
buf[10]=0;
printf(" B04 after write, it is '%s'\n",buf);
CORBA_free(buf);
#endif /*TEST_BLOCKDEVICE*/
printf(" X01 test completed successfully\n");
while (42);
}
/* Reads the next packet. */
static gboolean observer_read(wtap *wth, int *err, gchar **err_info,
gint64 *data_offset)
{
int header_bytes_consumed;
int data_bytes_consumed;
packet_entry_header packet_header;
/* skip records other than data records */
for (;;) {
*data_offset = file_tell(wth->fh);
/* process the packet header, including TLVs */
header_bytes_consumed = read_packet_header(wth->fh, &wth->phdr.pseudo_header, &packet_header, err,
err_info);
if (header_bytes_consumed <= 0)
return FALSE; /* EOF or error */
if (packet_header.packet_type == PACKET_TYPE_DATA_PACKET)
break;
/* skip to next packet */
if (!skip_to_next_packet(wth, packet_header.offset_to_next_packet,
header_bytes_consumed, err, err_info)) {
return FALSE; /* EOF or error */
}
}
/* neglect frame markers for wiretap */
if (packet_header.network_size < 4) {
*err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup_printf("Observer: bad record: Packet length %u < 4",
packet_header.network_size);
return FALSE;
}
/* set the wiretap packet header fields */
wth->phdr.presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
wth->phdr.pkt_encap = observer_to_wtap_encap(packet_header.network_type);
if(wth->file_encap == WTAP_ENCAP_FIBRE_CHANNEL_FC2_WITH_FRAME_DELIMS) {
wth->phdr.len = packet_header.network_size;
wth->phdr.caplen = packet_header.captured_size;
} else {
wth->phdr.len = packet_header.network_size - 4;
wth->phdr.caplen = MIN(packet_header.captured_size, wth->phdr.len);
}
/* set the wiretap timestamp, assuming for the moment that Observer encoded it in GMT */
wth->phdr.ts.secs = (time_t) ((packet_header.nano_seconds_since_2000 / 1000000000) + ansi_to_observer_epoch_offset);
wth->phdr.ts.nsecs = (int) (packet_header.nano_seconds_since_2000 % 1000000000);
/* adjust to local time, if necessary, also accounting for DST if the frame
was captured while it was in effect */
if (((observer_dump_private_state*)wth->priv)->time_format == TIME_INFO_LOCAL)
{
struct tm daylight_tm;
struct tm standard_tm;
time_t dst_offset;
/* the Observer timestamp was encoded as local time, so add a
correction from local time to GMT */
wth->phdr.ts.secs += gmt_to_localtime_offset;
/* perform a DST adjustment if necessary */
standard_tm = *localtime(&wth->phdr.ts.secs);
if (standard_tm.tm_isdst > 0) {
daylight_tm = standard_tm;
standard_tm.tm_isdst = 0;
dst_offset = mktime(&standard_tm) - mktime(&daylight_tm);
wth->phdr.ts.secs -= dst_offset;
}
}
/* update the pseudo header */
switch (wth->file_encap) {
case WTAP_ENCAP_ETHERNET:
/* There is no FCS in the frame */
wth->phdr.pseudo_header.eth.fcs_len = 0;
break;
case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
/* Updated in read_packet_header */
break;
}
/* set-up the packet buffer */
buffer_assure_space(wth->frame_buffer, packet_header.captured_size);
/* read the frame data */
data_bytes_consumed = read_packet_data(wth->fh, packet_header.offset_to_frame,
header_bytes_consumed, buffer_start_ptr(wth->frame_buffer),
packet_header.captured_size, err, err_info);
if (data_bytes_consumed < 0) {
return FALSE;
}
/* skip over any extra bytes following the frame data */
if (!skip_to_next_packet(wth, packet_header.offset_to_next_packet,
header_bytes_consumed + data_bytes_consumed, err, err_info)) {
return FALSE;
}
return TRUE;
}
/* Read the next packet */
static gboolean aethra_read(wtap *wth, int *err, gchar **err_info,
gint64 *data_offset)
{
struct aethrarec_hdr hdr;
/*
* Keep reading until we see an AETHRA_ISDN_LINK with a subtype
* of AETHRA_ISDN_LINK_LAPD record or get an end-of-file.
*/
for (;;) {
*data_offset = file_tell(wth->fh);
/* Read record header. */
if (!aethra_read_rec_header(wth, wth->fh, &hdr, &wth->phdr, err, err_info))
return FALSE;
/*
* XXX - if this is big, we might waste memory by
* growing the buffer to handle it.
*/
if (wth->phdr.caplen != 0) {
if (!wtap_read_packet_bytes(wth->fh, wth->frame_buffer,
wth->phdr.caplen, err, err_info))
return FALSE; /* Read error */
}
#if 0
packet++;
#endif
switch (hdr.rec_type) {
case AETHRA_ISDN_LINK:
#if 0
fprintf(stderr, "Packet %u: type 0x%02x (AETHRA_ISDN_LINK)\n",
packet, hdr.rec_type);
#endif
switch (hdr.flags & AETHRA_ISDN_LINK_SUBTYPE) {
case AETHRA_ISDN_LINK_LAPD:
/*
* The data is a LAPD frame.
*/
#if 0
fprintf(stderr, " subtype 0x%02x (AETHRA_ISDN_LINK_LAPD)\n", hdr.flags & AETHRA_ISDN_LINK_SUBTYPE);
#endif
goto found;
case AETHRA_ISDN_LINK_SA_BITS:
/*
* These records have one data byte, which
* has the Sa bits in the lower 5 bits.
*
* XXX - what about stuff other than 2048K
* PRI lines?
*/
#if 0
fprintf(stderr, " subtype 0x%02x (AETHRA_ISDN_LINK_SA_BITS)\n", hdr.flags & AETHRA_ISDN_LINK_SUBTYPE);
#endif
break;
case AETHRA_ISDN_LINK_ALL_ALARMS_CLEARED:
/*
* No data, just an "all alarms cleared"
* indication.
*/
#if 0
fprintf(stderr, " subtype 0x%02x (AETHRA_ISDN_LINK_ALL_ALARMS_CLEARED)\n", hdr.flags & AETHRA_ISDN_LINK_SUBTYPE);
#endif
break;
default:
#if 0
fprintf(stderr, " subtype 0x%02x, packet_size %u, direction 0x%02x\n",
hdr.flags & AETHRA_ISDN_LINK_SUBTYPE, wth->phdr.caplen, hdr.flags & AETHRA_U_TO_N);
#endif
break;
}
break;
default:
#if 0
fprintf(stderr, "Packet %u: type 0x%02x, packet_size %u, flags 0x%02x\n",
packet, hdr.rec_type, wth->phdr.caplen, hdr.flags);
#endif
break;
}
}
found:
return TRUE;
}
static gboolean etherpeek_read_v7(wtap *wth, int *err, gchar **err_info,
gint64 *data_offset)
{
guint8 ep_pkt[ETHERPEEK_V7_PKT_SIZE];
#if 0
guint16 protoNum;
#endif
guint16 length;
guint16 sliceLength;
#if 0
guint8 flags;
#endif
guint8 status;
guint64 timestamp;
time_t tsecs;
guint32 tusecs;
*data_offset = file_tell(wth->fh);
wtap_file_read_expected_bytes(ep_pkt, sizeof(ep_pkt), wth->fh, err,
err_info);
/* Extract the fields from the packet */
#if 0
protoNum = pntohs(&ep_pkt[ETHERPEEK_V7_PROTONUM_OFFSET]);
#endif
length = pntohs(&ep_pkt[ETHERPEEK_V7_LENGTH_OFFSET]);
sliceLength = pntohs(&ep_pkt[ETHERPEEK_V7_SLICE_LENGTH_OFFSET]);
#if 0
flags = ep_pkt[ETHERPEEK_V7_FLAGS_OFFSET];
#endif
status = ep_pkt[ETHERPEEK_V7_STATUS_OFFSET];
timestamp = pntohll(&ep_pkt[ETHERPEEK_V7_TIMESTAMP_OFFSET]);
/* force sliceLength to be the actual length of the packet */
if (0 == sliceLength) {
sliceLength = length;
}
wth->phdr.presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
/* fill in packet header length values before slicelength may be
adjusted */
wth->phdr.len = length;
wth->phdr.caplen = sliceLength;
if (sliceLength % 2) /* packets are padded to an even length */
sliceLength++;
switch (wth->file_encap) {
case WTAP_ENCAP_IEEE_802_11_AIROPEEK:
wth->pseudo_header.ieee_802_11.fcs_len = 0; /* no FCS */
break;
case WTAP_ENCAP_ETHERNET:
/* XXX - it appears that if the low-order bit of
"status" is 0, there's an FCS in this frame,
and if it's 1, there's 4 bytes of 0. */
wth->pseudo_header.eth.fcs_len = (status & 0x01) ? 0 : 4;
break;
}
/* read the frame data */
buffer_assure_space(wth->frame_buffer, sliceLength);
wtap_file_read_expected_bytes(buffer_start_ptr(wth->frame_buffer),
sliceLength, wth->fh, err, err_info);
/* fill in packet header values */
tsecs = (time_t) (timestamp/1000000);
tusecs = (guint32) (timestamp - tsecs*1000000);
wth->phdr.ts.secs = tsecs - mac2unix;
wth->phdr.ts.nsecs = tusecs * 1000;
if (wth->file_encap == WTAP_ENCAP_IEEE_802_11_AIROPEEK) {
/*
* The last 4 bytes appear to be random data - the length
* might include the FCS - so we reduce the length by 4.
*
* Or maybe this is just the same kind of random 4 bytes
* of junk at the end you get in Wireless Sniffer
* captures.
*/
wth->phdr.len -= 4;
wth->phdr.caplen -= 4;
}
return TRUE;
}
int airopeek9_open(wtap *wth, int *err, gchar **err_info)
{
airopeek_section_header_t ap_hdr;
int ret;
guint32 fileVersion;
guint32 mediaType;
guint32 mediaSubType = 0;
int file_encap;
static const int airopeek9_encap[] = {
WTAP_ENCAP_ETHERNET,
WTAP_ENCAP_IEEE_802_11_WITH_RADIO,
WTAP_ENCAP_IEEE_802_11_WITH_RADIO,
WTAP_ENCAP_IEEE_802_11_WITH_RADIO
};
#define NUM_AIROPEEK9_ENCAPS (sizeof airopeek9_encap / sizeof airopeek9_encap[0])
airopeek9_t *airopeek9;
wtap_file_read_unknown_bytes(&ap_hdr, sizeof(ap_hdr), wth->fh, err);
if (memcmp (ap_hdr.section_id, "\177ver", sizeof(ap_hdr.section_id)) != 0)
return 0; /* doesn't begin with a "\177ver" section */
/*
* XXX - we should get the length of the "\177ver" section, check
* that it's followed by a little-endian 0x00000200, and then,
* when reading the XML, make sure we don't go past the end of
* that section, and skip to the end of that section when
* we have the file version (and possibly check to make sure all
* tags are properly opened and closed).
*/
ret = wtap_file_read_pattern (wth, "<FileVersion>", err);
if (ret != 1) {
/* 0 means EOF, which means "not a valid AiroPeek V9 file";
-1 means error, and "err" has been set. */
return ret;
}
ret = wtap_file_read_number (wth, &fileVersion, err);
if (ret != 1) {
/* 0 means EOF, which means "not a valid AiroPeek V9 file";
-1 means error, and "err" has been set. */
return ret;
}
/* If we got this far, we assume it's an AiroPeek V9 file. */
if (fileVersion != 9) {
/* We only support version 9. */
*err = WTAP_ERR_UNSUPPORTED;
*err_info = g_strdup_printf("airopeekv9: version %u unsupported",
fileVersion);
return -1;
}
/*
* XXX - once we've skipped the "\177ver" section, we should
* check for a "sess" section and fail if we don't see it.
* Then we should get the length of the "sess" section, check
* that it's followed by a little-endian 0x00000200, and then,
* when reading the XML, make sure we don't go past the end of
* that section, and skip to the end of the section when
* we have the file version (and possibly check to make sure all
* tags are properly opened and closed).
*/
ret = wtap_file_read_pattern (wth, "<MediaType>", err);
if (ret == -1)
return -1;
if (ret == 0) {
*err = WTAP_ERR_UNSUPPORTED;
*err_info = g_strdup("airopeekv9: <MediaType> tag not found");
return -1;
}
/* XXX - this appears to be 0 in both the EtherPeek and AiroPeek
files we've seen; should we require it to be 0? */
ret = wtap_file_read_number (wth, &mediaType, err);
if (ret == -1)
return -1;
if (ret == 0) {
*err = WTAP_ERR_UNSUPPORTED;
*err_info = g_strdup("airopeekv9: <MediaType> value not found");
return -1;
}
ret = wtap_file_read_pattern (wth, "<MediaSubType>", err);
if (ret == -1)
return -1;
if (ret == 0) {
*err = WTAP_ERR_UNSUPPORTED;
*err_info = g_strdup("airopeekv9: <MediaSubType> tag not found");
return -1;
}
ret = wtap_file_read_number (wth, &mediaSubType, err);
if (ret == -1)
return -1;
if (ret == 0) {
*err = WTAP_ERR_UNSUPPORTED;
*err_info = g_strdup("airopeekv9: <MediaSubType> value not found");
return -1;
}
if (mediaSubType >= NUM_AIROPEEK9_ENCAPS
|| airopeek9_encap[mediaSubType] == WTAP_ENCAP_UNKNOWN) {
*err = WTAP_ERR_UNSUPPORTED_ENCAP;
*err_info = g_strdup_printf("airopeekv9: network type %u unknown or unsupported",
mediaSubType);
return -1;
}
ret = wtap_file_read_pattern (wth, "pkts", err);
if (ret == -1)
return -1;
if (ret == 0) {
*err = WTAP_ERR_SHORT_READ;
return -1;
}
/* skip 8 zero bytes */
if (file_seek (wth->fh, 8L, SEEK_CUR, err) == -1)
return 0;
/*
* This is an EtherPeek or AiroPeek V9 file.
*/
wth->data_offset = file_tell (wth->fh);
file_encap = airopeek9_encap[mediaSubType];
wth->file_type = WTAP_FILE_AIROPEEK_V9;
wth->file_encap = file_encap;
wth->subtype_read = airopeekv9_read;
wth->subtype_seek_read = airopeekv9_seek_read;
wth->tsprecision = WTAP_FILE_TSPREC_NSEC;
airopeek9 = (airopeek9_t *)g_malloc(sizeof(airopeek9_t));
wth->priv = (void *)airopeek9;
switch (mediaSubType) {
case AIROPEEK_V9_NST_ETHERNET:
case AIROPEEK_V9_NST_802_11:
case AIROPEEK_V9_NST_802_11_2:
airopeek9->has_fcs = FALSE;
break;
case AIROPEEK_V9_NST_802_11_WITH_FCS:
airopeek9->has_fcs = TRUE;
break;
}
wth->snapshot_length = 0; /* not available in header */
return 1;
}
/* Tell system call. */
static int
sys_tell (int handle)
{
return file_tell (lookup_file_fd (handle)->file);
}
/* Seeks to the beginning of the next packet, and returns the
byte offset at which the header for that packet begins.
Returns -1 on failure. */
static gint64 ascend_seek(wtap *wth, int *err, gchar **err_info)
{
int byte;
gint64 date_off = -1, cur_off, packet_off;
size_t string_level[ASCEND_MAGIC_STRINGS];
guint string_i = 0, type = 0;
guint excessive_read_count = 262144;
memset(&string_level, 0, sizeof(string_level));
while (((byte = file_getc(wth->fh)) != EOF)) {
excessive_read_count--;
if (!excessive_read_count) {
*err = 0;
return -1;
}
for (string_i = 0; string_i < ASCEND_MAGIC_STRINGS; string_i++) {
const gchar *strptr = ascend_magic[string_i].strptr;
size_t len = strlen(strptr);
if (byte == *(strptr + string_level[string_i])) {
string_level[string_i]++;
if (string_level[string_i] >= len) {
cur_off = file_tell(wth->fh);
if (cur_off == -1) {
/* Error. */
*err = file_error(wth->fh, err_info);
return -1;
}
/* Date: header is a special case. Remember the offset,
but keep looking for other headers. */
if (strcmp(strptr, ASCEND_DATE) == 0) {
date_off = cur_off - len;
} else {
if (date_off == -1) {
/* Back up over the header we just read; that's where a read
of this packet should start. */
packet_off = cur_off - len;
} else {
/* This packet has a date/time header; a read of it should
start at the beginning of *that* header. */
packet_off = date_off;
}
type = ascend_magic[string_i].type;
goto found;
}
}
} else {
string_level[string_i] = 0;
}
}
}
if (byte != EOF || file_eof(wth->fh)) {
/* Either we didn't find the offset, or we got an EOF. */
*err = 0;
} else {
/* We (presumably) got an error (there's no equivalent to "ferror()"
in zlib, alas, so we don't have a wrapper to check for an error). */
*err = file_error(wth->fh, err_info);
}
return -1;
found:
/*
* Move to where the read for this packet should start, and return
* that seek offset.
*/
if (file_seek(wth->fh, packet_off, SEEK_SET, err) == -1)
return -1;
wth->phdr.pseudo_header.ascend.type = type;
return packet_off;
}
/* Read the next packet */
static gboolean radcom_read(wtap *wth, int *err, gchar **err_info,
gint64 *data_offset)
{
int ret;
struct radcomrec_hdr hdr;
guint16 data_length, real_length, length;
guint32 sec;
int bytes_read;
struct tm tm;
guint8 phdr[8];
char fcs[2];
/* Read record header. */
*data_offset = file_tell(wth->fh);
ret = radcom_read_rec_header(wth->fh, &hdr, err, err_info);
if (ret <= 0) {
/* Read error or EOF */
return FALSE;
}
data_length = pletohs(&hdr.data_length);
if (data_length == 0) {
/*
* The last record appears to have 0 in its "data_length"
* field, but non-zero values in other fields, so we
* check for that and treat it as an EOF indication.
*/
*err = 0;
return FALSE;
}
length = pletohs(&hdr.length);
real_length = pletohs(&hdr.real_length);
if (wth->file_encap == WTAP_ENCAP_LAPB) {
length -= 2; /* FCS */
real_length -= 2;
}
wth->phdr.presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
wth->phdr.len = real_length;
wth->phdr.caplen = length;
tm.tm_year = pletohs(&hdr.date.year)-1900;
tm.tm_mon = (hdr.date.month&0x0f)-1;
tm.tm_mday = hdr.date.day;
sec = pletohl(&hdr.date.sec);
tm.tm_hour = sec/3600;
tm.tm_min = (sec%3600)/60;
tm.tm_sec = sec%60;
tm.tm_isdst = -1;
wth->phdr.ts.secs = mktime(&tm);
wth->phdr.ts.nsecs = pletohl(&hdr.date.usec) * 1000;
switch (wth->file_encap) {
case WTAP_ENCAP_ETHERNET:
/* XXX - is there an FCS? */
wth->phdr.pseudo_header.eth.fcs_len = -1;
break;
case WTAP_ENCAP_LAPB:
wth->phdr.pseudo_header.x25.flags = (hdr.dce & 0x1) ?
0x00 : FROM_DCE;
break;
case WTAP_ENCAP_ATM_RFC1483:
/*
* XXX - is this stuff a pseudo-header?
* The direction appears to be in the "hdr.dce" field.
*/
if (!radcom_read_rec_data(wth->fh, phdr, sizeof phdr, err,
err_info))
return FALSE; /* Read error */
length -= 8;
wth->phdr.len -= 8;
wth->phdr.caplen -= 8;
break;
}
/*
* Read the packet data.
*/
buffer_assure_space(wth->frame_buffer, length);
if (!radcom_read_rec_data(wth->fh,
buffer_start_ptr(wth->frame_buffer), length, err, err_info))
return FALSE; /* Read error */
if (wth->file_encap == WTAP_ENCAP_LAPB) {
/* Read the FCS.
XXX - should we have some way of indicating the
presence and size of an FCS to our caller?
That'd let us handle other file types as well. */
errno = WTAP_ERR_CANT_READ;
bytes_read = file_read(&fcs, sizeof fcs, wth->fh);
if (bytes_read != sizeof fcs) {
*err = file_error(wth->fh, err_info);
if (*err == 0)
*err = WTAP_ERR_SHORT_READ;
return FALSE;
}
}
return TRUE;
}
/* Read the next packet */
static gboolean aethra_read(wtap *wth, int *err, gchar **err_info,
gint64 *data_offset)
{
aethra_t *aethra = (aethra_t *)wth->priv;
struct aethrarec_hdr hdr;
guint32 rec_size;
guint32 packet_size;
guint32 msecs;
/*
* Keep reading until we see an AETHRA_ISDN_LINK with a subtype
* of AETHRA_ISDN_LINK_LAPD record or get an end-of-file.
*/
for (;;) {
*data_offset = file_tell(wth->fh);
/* Read record header. */
if (!aethra_read_rec_header(wth->fh, &hdr, &wth->pseudo_header,
err, err_info))
return FALSE;
rec_size = pletohs(hdr.rec_size);
if (rec_size < (sizeof hdr - sizeof hdr.rec_size)) {
/* The record is shorter than a record header. */
*err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup_printf("aethra: File has %u-byte record, less than minimum of %u",
rec_size, (unsigned int)(sizeof hdr - sizeof hdr.rec_size));
return FALSE;
}
/*
* XXX - if this is big, we might waste memory by
* growing the buffer to handle it.
*/
packet_size = rec_size - (sizeof hdr - sizeof hdr.rec_size);
if (packet_size != 0) {
buffer_assure_space(wth->frame_buffer, packet_size);
if (!aethra_read_rec_data(wth->fh, buffer_start_ptr(wth->frame_buffer),
packet_size, err, err_info))
return FALSE; /* Read error */
}
#if 0
packet++;
#endif
switch (hdr.rec_type) {
case AETHRA_ISDN_LINK:
#if 0
fprintf(stderr, "Packet %u: type 0x%02x (AETHRA_ISDN_LINK)\n",
packet, hdr.rec_type);
#endif
switch (hdr.flags & AETHRA_ISDN_LINK_SUBTYPE) {
case AETHRA_ISDN_LINK_LAPD:
/*
* The data is a LAPD frame.
*/
#if 0
fprintf(stderr, " subtype 0x%02x (AETHRA_ISDN_LINK_LAPD)\n", hdr.flags & AETHRA_ISDN_LINK_SUBTYPE);
#endif
goto found;
case AETHRA_ISDN_LINK_SA_BITS:
/*
* These records have one data byte, which
* has the Sa bits in the lower 5 bits.
*
* XXX - what about stuff other than 2048K
* PRI lines?
*/
#if 0
fprintf(stderr, " subtype 0x%02x (AETHRA_ISDN_LINK_SA_BITS)\n", hdr.flags & AETHRA_ISDN_LINK_SUBTYPE);
#endif
break;
case AETHRA_ISDN_LINK_ALL_ALARMS_CLEARED:
/*
* No data, just an "all alarms cleared"
* indication.
*/
#if 0
fprintf(stderr, " subtype 0x%02x (AETHRA_ISDN_LINK_ALL_ALARMS_CLEARED)\n", hdr.flags & AETHRA_ISDN_LINK_SUBTYPE);
#endif
break;
default:
#if 0
fprintf(stderr, " subtype 0x%02x, packet_size %u, direction 0x%02x\n",
hdr.flags & AETHRA_ISDN_LINK_SUBTYPE, packet_size, hdr.flags & AETHRA_U_TO_N);
#endif
break;
}
break;
default:
#if 0
fprintf(stderr, "Packet %u: type 0x%02x, packet_size %u, flags 0x%02x\n",
packet, hdr.rec_type, packet_size, hdr.flags);
#endif
break;
}
}
found:
msecs = pletohl(hdr.timestamp);
wth->phdr.presence_flags = WTAP_HAS_TS;
wth->phdr.ts.secs = aethra->start + (msecs / 1000);
wth->phdr.ts.nsecs = (msecs % 1000) * 1000000;
wth->phdr.caplen = packet_size;
wth->phdr.len = packet_size;
return TRUE;
}
/* Parses a packet. */
static gboolean
iseries_parse_packet (wtap * wth, FILE_T fh, struct wtap_pkthdr *phdr,
Buffer *buf, int *err, gchar **err_info)
{
iseries_t *iseries = (iseries_t *)wth->priv;
gint64 cur_off;
gboolean isValid, isCurrentPacket;
int num_items_scanned, line, pktline, buflen;
int pkt_len, pktnum, hr, min, sec;
char direction[2], destmac[13], srcmac[13], type[5], csec[9+1];
char data[ISERIES_LINE_LENGTH * 2];
int offset;
char *ascii_buf;
int ascii_offset;
struct tm tm;
/*
* Check for packet headers in first 3 lines this should handle page breaks
* situations and the header lines output at each page throw and ensure we
* read both the captured and packet lengths.
*/
isValid = FALSE;
for (line = 1; line < ISERIES_PKT_LINES_TO_CHECK; line++)
{
if (file_gets (data, ISERIES_LINE_LENGTH, fh) == NULL)
{
*err = file_error (fh, err_info);
return FALSE;
}
/* Convert UNICODE data to ASCII */
if (iseries->format == ISERIES_FORMAT_UNICODE)
{
iseries_UNICODE_to_ASCII ((guint8 *)data, ISERIES_LINE_LENGTH);
}
ascii_strup_inplace (data);
num_items_scanned =
sscanf (data,
"%*[ \n\t]%6d%*[ *\n\t]%1s%*[ \n\t]%6d%*[ \n\t]%2d:%2d:%2d.%9[0-9]%*[ \n\t]"
"%12s%*[ \n\t]%12s%*[ \n\t]ETHV2%*[ \n\t]TYPE:%*[ \n\t]%4s",
&pktnum, direction, &pkt_len, &hr, &min, &sec, csec, destmac,
srcmac, type);
if (num_items_scanned == 10)
{
/* OK! We found the packet header line */
isValid = TRUE;
/*
* XXX - The Capture length returned by the iSeries trace doesn't
* seem to include the Ethernet header, so we add its length here.
*/
pkt_len += 14;
break;
}
}
/*
* If no packet header found we exit at this point and inform the user.
*/
if (!isValid)
{
*err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup ("iseries: packet header isn't valid");
return FALSE;
}
phdr->presence_flags = WTAP_HAS_CAP_LEN;
/*
* If we have Wiretap Header then populate it here
*
* Timer resolution on the iSeries is hardware dependent. We determine
* the resolution based on how many digits we see.
*/
if (iseries->have_date)
{
phdr->presence_flags |= WTAP_HAS_TS;
tm.tm_year = 100 + iseries->year;
tm.tm_mon = iseries->month - 1;
tm.tm_mday = iseries->day;
tm.tm_hour = hr;
tm.tm_min = min;
tm.tm_sec = sec;
tm.tm_isdst = -1;
phdr->ts.secs = mktime (&tm);
switch (strlen(csec))
{
case 0:
phdr->ts.nsecs = 0;
break;
case 1:
phdr->ts.nsecs = atoi(csec) * 100000000;
break;
case 2:
phdr->ts.nsecs = atoi(csec) * 10000000;
break;
case 3:
phdr->ts.nsecs = atoi(csec) * 1000000;
break;
case 4:
phdr->ts.nsecs = atoi(csec) * 100000;
break;
case 5:
phdr->ts.nsecs = atoi(csec) * 10000;
break;
case 6:
phdr->ts.nsecs = atoi(csec) * 1000;
break;
case 7:
phdr->ts.nsecs = atoi(csec) * 100;
break;
case 8:
phdr->ts.nsecs = atoi(csec) * 10;
break;
case 9:
phdr->ts.nsecs = atoi(csec);
break;
}
}
phdr->len = pkt_len;
phdr->pkt_encap = WTAP_ENCAP_ETHERNET;
phdr->pseudo_header.eth.fcs_len = -1;
ascii_buf = (char *)g_malloc (ISERIES_PKT_ALLOC_SIZE);
g_snprintf(ascii_buf, ISERIES_PKT_ALLOC_SIZE, "%s%s%s", destmac, srcmac, type);
ascii_offset = 14*2; /* 14-byte Ethernet header, 2 characters per byte */
/*
* Start reading packet contents
*/
isCurrentPacket = TRUE;
/* loop through packet lines and breakout when the next packet header is read */
pktline = 0;
while (isCurrentPacket)
{
pktline++;
/* Read the next line */
if (file_gets (data, ISERIES_LINE_LENGTH, fh) == NULL)
{
*err = file_error (fh, err_info);
if (*err == 0)
{
/* Hit the EOF without an error */
break;
}
goto errxit;
}
/* Convert UNICODE data to ASCII and determine line length */
if (iseries->format == ISERIES_FORMAT_UNICODE)
{
buflen = iseries_UNICODE_to_ASCII ((guint8 *)data, ISERIES_LINE_LENGTH);
}
else
{
/* Else bytes to rewind is just length of ASCII string */
buflen = (int) strlen (data);
}
/*
* Skip leading white space.
*/
for (offset = 0; isspace(data[offset]); offset++)
;
/*
* The higher-level header information starts at an offset of
* 22 characters. The header tags are 14 characters long.
*
* XXX - for IPv6, if the next header isn't the last header,
* the intermediate headers do *NOT* appear to be shown in
* the dump file *at all*, so the packet *cannot* be
* reconstructed!
*/
if (offset == 22)
{
if (strncmp(data + 22, "IP Header : ", 14) == 0 ||
strncmp(data + 22, "IPv6 Header: ", 14) == 0 ||
strncmp(data + 22, "ARP Header : ", 14) == 0 ||
strncmp(data + 22, "TCP Header : ", 14) == 0 ||
strncmp(data + 22, "UDP Header : ", 14) == 0 ||
strncmp(data + 22, "ICMP Header: ", 14) == 0 ||
strncmp(data + 22, "ICMPv6 Hdr: ", 14) == 0 ||
strncmp(data + 22, "Option Hdr: ", 14) == 0)
{
ascii_offset = append_hex_digits(ascii_buf, ascii_offset,
ISERIES_PKT_ALLOC_SIZE - 1,
data + 22 + 14, err,
err_info);
if (ascii_offset == -1)
{
/* Bad line. */
return FALSE;
}
continue;
}
}
/*
* Is this a data line?
*
* The "Data" starts at an offset of 8.
*/
if (offset == 9)
{
if (strncmp(data + 9, "Data . . . . . : ", 18) == 0)
{
ascii_offset = append_hex_digits(ascii_buf, ascii_offset,
ISERIES_PKT_ALLOC_SIZE - 1,
data + 9 + 18, err,
err_info);
if (ascii_offset == -1)
{
/* Bad line. */
return FALSE;
}
continue;
}
}
/*
* Is this a continuation of a previous header or data line?
* That's blanks followed by hex digits; first try the
* "no column separators" form.
*
* Continuations of header lines begin at an offset of 36;
* continuations of data lines begin at an offset of 27.
*/
if (offset == 36 || offset == 27)
{
ascii_offset = append_hex_digits(ascii_buf, ascii_offset,
ISERIES_PKT_ALLOC_SIZE - 1,
data + offset, err,
err_info);
if (ascii_offset == -1)
{
/* Bad line. */
return FALSE;
}
continue;
}
/*
* If we see the identifier for the next packet then rewind and set
* isCurrentPacket FALSE
*/
ascii_strup_inplace (data);
/* If packet header found return the offset */
num_items_scanned =
sscanf (data+78,
"%*[ \n\t]ETHV2%*[ .:\n\t]TYPE%*[ .:\n\t]%4s",type);
if ((num_items_scanned == 1) && pktline > 1)
{
isCurrentPacket = FALSE;
cur_off = file_tell( fh);
if (cur_off == -1)
{
/* Error. */
*err = file_error (fh, err_info);
goto errxit;
}
if (file_seek (fh, cur_off - buflen, SEEK_SET, err) == -1)
{
/* XXX: need to set err_info ?? */
goto errxit;
}
}
}
ascii_buf[ascii_offset] = '\0';
/*
* Make the captured length be the amount of bytes we've read (which
* is half the number of characters of hex dump we have).
*
* XXX - this can happen for IPv6 packets if the next header isn't the
* last header.
*/
phdr->caplen = ((guint32) strlen (ascii_buf))/2;
/* Make sure we have enough room for the packet. */
buffer_assure_space (buf, ISERIES_MAX_PACKET_LEN);
/* Convert ascii data to binary and return in the frame buffer */
iseries_parse_hex_string (ascii_buf, buffer_start_ptr (buf), strlen (ascii_buf));
/* free buffer allocs and return */
*err = 0;
g_free (ascii_buf);
return TRUE;
errxit:
g_free (ascii_buf);
return FALSE;
}
/* Parse the capture file.
Returns TRUE if we got a packet, FALSE otherwise. */
static gboolean
parse_ascend(ascend_t *ascend, FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf,
guint length, int *err, gchar **err_info)
{
ascend_state_t parser_state;
int retval;
ws_buffer_assure_space(buf, length);
retval = run_ascend_parser(fh, phdr, ws_buffer_start_ptr(buf), &parser_state,
err, err_info);
/* did we see any data (hex bytes)? if so, tip off ascend_seek()
as to where to look for the next packet, if any. If we didn't,
maybe this record was broken. Advance so we don't get into
an infinite loop reading a broken trace. */
if (parser_state.first_hexbyte) {
ascend->next_packet_seek_start = parser_state.first_hexbyte;
} else {
/* Sometimes, a header will be printed but the data will be omitted, or
worse -- two headers will be printed, followed by the data for each.
Because of this, we need to be fairly tolerant of what we accept
here. If we didn't find any hex bytes, skip over what we've read so
far so we can try reading a new packet. */
ascend->next_packet_seek_start = file_tell(fh);
retval = 0;
}
/* if we got at least some data, return success even if the parser
reported an error. This is because the debug header gives the number
of bytes on the wire, not actually how many bytes are in the trace.
We won't know where the data ends until we run into the next packet. */
if (parser_state.caplen) {
if (! ascend->adjusted) {
ascend->adjusted = TRUE;
if (parser_state.saw_timestamp) {
/*
* Capture file contained a date and time.
* We do this only if this is the very first packet we've seen -
* i.e., if "ascend->adjusted" is false - because
* if we get a date and time after the first packet, we can't
* go back and adjust the time stamps of the packets we've already
* processed, and basing the time stamps of this and following
* packets on the time stamp from the file text rather than the
* ctime of the capture file means times before this and after
* this can't be compared.
*/
ascend->inittime = parser_state.timestamp;
}
if (ascend->inittime > parser_state.secs)
ascend->inittime -= parser_state.secs;
}
phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
phdr->ts.secs = parser_state.secs + ascend->inittime;
phdr->ts.nsecs = parser_state.usecs * 1000;
phdr->caplen = parser_state.caplen;
phdr->len = parser_state.wirelen;
/*
* For these types, the encapsulation we use is not WTAP_ENCAP_ASCEND,
* so set the pseudo-headers appropriately for the type (WTAP_ENCAP_ISDN
* or WTAP_ENCAP_ETHERNET).
*/
switch(phdr->pseudo_header.ascend.type) {
case ASCEND_PFX_ISDN_X:
phdr->pseudo_header.isdn.uton = TRUE;
phdr->pseudo_header.isdn.channel = 0;
break;
case ASCEND_PFX_ISDN_R:
phdr->pseudo_header.isdn.uton = FALSE;
phdr->pseudo_header.isdn.channel = 0;
break;
case ASCEND_PFX_ETHER:
phdr->pseudo_header.eth.fcs_len = 0;
break;
}
return TRUE;
}
/* Didn't see any data. Still, perhaps the parser was happy. */
if (retval) {
if (*err == 0) {
/* Parser failed, but didn't report an I/O error, so a parse error.
Return WTAP_ERR_BAD_FILE, with the parse error as the error string. */
*err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup((parser_state.ascend_parse_error != NULL) ? parser_state.ascend_parse_error : "parse error");
}
} else {
if (*err == 0) {
/* Parser succeeded, but got no data, and didn't report an I/O error.
Return WTAP_ERR_BAD_FILE, with a "got no data" error string. */
*err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup("no data returned by parse");
}
}
return FALSE;
}
