static gboolean process_packet_data(wtap_rec *rec, Buffer *target, guint8 *buffer, guint record_len, k12_t *k12, int *err, gchar **err_info) { guint32 type; guint buffer_offset; guint64 ts; guint32 length; guint32 extra_len; guint32 src_id; k12_src_desc_t* src_desc; type = pntoh32(buffer + K12_RECORD_TYPE); buffer_offset = (type == K12_REC_D0020) ? K12_PACKET_FRAME_D0020 : K12_PACKET_FRAME; if (buffer_offset > record_len) { *err = WTAP_ERR_BAD_FILE; *err_info = g_strdup_printf("k12: Frame data offset %u > record length %u", buffer_offset, record_len); return FALSE; } length = pntoh32(buffer + K12_RECORD_FRAME_LEN) & 0x00001FFF; if (length > record_len - buffer_offset) { *err = WTAP_ERR_BAD_FILE; *err_info = g_strdup_printf("k12: Frame length %u > record frame data %u", length, record_len - buffer_offset); return FALSE; } rec->rec_type = REC_TYPE_PACKET; rec->presence_flags = WTAP_HAS_TS; ts = pntoh64(buffer + K12_PACKET_TIMESTAMP); rec->ts.secs = (guint32) ((ts / 2000000) + 631152000); rec->ts.nsecs = (guint32) ( (ts % 2000000) * 500 ); rec->rec_header.packet_header.len = rec->rec_header.packet_header.caplen = length; ws_buffer_assure_space(target, length); memcpy(ws_buffer_start_ptr(target), buffer + buffer_offset, length); /* extra information need by some protocols */ extra_len = record_len - buffer_offset - length; ws_buffer_assure_space(&(k12->extra_info), extra_len); memcpy(ws_buffer_start_ptr(&(k12->extra_info)), buffer + buffer_offset + length, extra_len); rec->rec_header.packet_header.pseudo_header.k12.extra_info = (guint8*)ws_buffer_start_ptr(&(k12->extra_info)); rec->rec_header.packet_header.pseudo_header.k12.extra_length = extra_len; src_id = pntoh32(buffer + K12_RECORD_SRC_ID); K12_DBG(5,("process_packet_data: src_id=%.8x",src_id)); rec->rec_header.packet_header.pseudo_header.k12.input = src_id; if ( ! (src_desc = (k12_src_desc_t*)g_hash_table_lookup(k12->src_by_id,GUINT_TO_POINTER(src_id))) ) { /* * Some records from K15 files have a port ID of an undeclared * interface which happens to be the only one with the first byte changed. * It is still unknown how to recognize when this happens. * If the lookup of the interface record fails we'll mask it * and retry. */ src_desc = (k12_src_desc_t*)g_hash_table_lookup(k12->src_by_id,GUINT_TO_POINTER(src_id&K12_RECORD_SRC_ID_MASK)); } if (src_desc) { K12_DBG(5,("process_packet_data: input_name='%s' stack_file='%s' type=%x",src_desc->input_name,src_desc->stack_file,src_desc->input_type)); rec->rec_header.packet_header.pseudo_header.k12.input_name = src_desc->input_name; rec->rec_header.packet_header.pseudo_header.k12.stack_file = src_desc->stack_file; rec->rec_header.packet_header.pseudo_header.k12.input_type = src_desc->input_type; switch(src_desc->input_type) { case K12_PORT_ATMPVC: if (buffer_offset + length + K12_PACKET_OFFSET_CID < record_len) { rec->rec_header.packet_header.pseudo_header.k12.input_info.atm.vp = pntoh16(buffer + buffer_offset + length + K12_PACKET_OFFSET_VP); rec->rec_header.packet_header.pseudo_header.k12.input_info.atm.vc = pntoh16(buffer + buffer_offset + length + K12_PACKET_OFFSET_VC); rec->rec_header.packet_header.pseudo_header.k12.input_info.atm.cid = *((unsigned char*)(buffer + buffer_offset + length + K12_PACKET_OFFSET_CID)); break; } /* Fall through */ default: memcpy(&(rec->rec_header.packet_header.pseudo_header.k12.input_info),&(src_desc->input_info),sizeof(src_desc->input_info)); break; } } else { K12_DBG(5,("process_packet_data: NO SRC_RECORD FOUND")); memset(&(rec->rec_header.packet_header.pseudo_header.k12),0,sizeof(rec->rec_header.packet_header.pseudo_header.k12)); rec->rec_header.packet_header.pseudo_header.k12.input_name = "unknown port"; rec->rec_header.packet_header.pseudo_header.k12.stack_file = "unknown stack file"; } rec->rec_header.packet_header.pseudo_header.k12.input = src_id; rec->rec_header.packet_header.pseudo_header.k12.stuff = k12; return TRUE; }
static void process_packet_data(struct wtap_pkthdr *phdr, Buffer *target, guint8 *buffer, gint len, k12_t *k12) { guint32 type; guint buffer_offset; guint64 ts; guint32 length; guint32 extra_len; guint32 src_id; k12_src_desc_t* src_desc; phdr->presence_flags = WTAP_HAS_TS; ts = pntoh64(buffer + K12_PACKET_TIMESTAMP); phdr->ts.secs = (guint32) ((ts / 2000000) + 631152000); phdr->ts.nsecs = (guint32) ( (ts % 2000000) * 500 ); length = pntoh32(buffer + K12_RECORD_FRAME_LEN) & 0x00001FFF; phdr->len = phdr->caplen = length; type = pntoh32(buffer + K12_RECORD_TYPE); buffer_offset = (type == K12_REC_D0020) ? K12_PACKET_FRAME_D0020 : K12_PACKET_FRAME; buffer_assure_space(target, length); memcpy(buffer_start_ptr(target), buffer + buffer_offset, length); /* extra information need by some protocols */ extra_len = len - buffer_offset - length; buffer_assure_space(&(k12->extra_info), extra_len); memcpy(buffer_start_ptr(&(k12->extra_info)), buffer + buffer_offset + length, extra_len); phdr->pseudo_header.k12.extra_info = (guint8*)buffer_start_ptr(&(k12->extra_info)); phdr->pseudo_header.k12.extra_length = extra_len; src_id = pntoh32(buffer + K12_RECORD_SRC_ID); K12_DBG(5,("process_packet_data: src_id=%.8x",src_id)); phdr->pseudo_header.k12.input = src_id; if ( ! (src_desc = (k12_src_desc_t*)g_hash_table_lookup(k12->src_by_id,GUINT_TO_POINTER(src_id))) ) { /* * Some records from K15 files have a port ID of an undeclared * interface which happens to be the only one with the first byte changed. * It is still unknown how to recognize when this happens. * If the lookup of the interface record fails we'll mask it * and retry. */ src_desc = (k12_src_desc_t*)g_hash_table_lookup(k12->src_by_id,GUINT_TO_POINTER(src_id&K12_RECORD_SRC_ID_MASK)); } if (src_desc) { K12_DBG(5,("process_packet_data: input_name='%s' stack_file='%s' type=%x",src_desc->input_name,src_desc->stack_file,src_desc->input_type)); phdr->pseudo_header.k12.input_name = src_desc->input_name; phdr->pseudo_header.k12.stack_file = src_desc->stack_file; phdr->pseudo_header.k12.input_type = src_desc->input_type; switch(src_desc->input_type) { case K12_PORT_ATMPVC: if ((long)(buffer_offset + length + K12_PACKET_OFFSET_CID) < len) { phdr->pseudo_header.k12.input_info.atm.vp = pntoh16(buffer + buffer_offset + length + K12_PACKET_OFFSET_VP); phdr->pseudo_header.k12.input_info.atm.vc = pntoh16(buffer + buffer_offset + length + K12_PACKET_OFFSET_VC); phdr->pseudo_header.k12.input_info.atm.cid = *((unsigned char*)(buffer + buffer_offset + length + K12_PACKET_OFFSET_CID)); break; } /* Fall through */ default: memcpy(&(phdr->pseudo_header.k12.input_info),&(src_desc->input_info),sizeof(src_desc->input_info)); break; } } else { K12_DBG(5,("process_packet_data: NO SRC_RECORD FOUND")); memset(&(phdr->pseudo_header.k12),0,sizeof(phdr->pseudo_header.k12)); phdr->pseudo_header.k12.input_name = "unknown port"; phdr->pseudo_header.k12.stack_file = "unknown stack file"; } phdr->pseudo_header.k12.input = src_id; phdr->pseudo_header.k12.stuff = k12; }
static int peekclassic_read_packet_v7(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info) { guint8 ep_pkt[PEEKCLASSIC_V7_PKT_SIZE]; #if 0 guint16 protoNum; #endif guint16 length; guint16 sliceLength; #if 0 guint8 flags; #endif guint8 status; guint64 timestamp; time_t tsecs; guint32 tusecs; if (!wtap_read_bytes_or_eof(fh, ep_pkt, sizeof(ep_pkt), err, err_info)) return -1; /* Extract the fields from the packet */ #if 0 protoNum = pntoh16(&ep_pkt[PEEKCLASSIC_V7_PROTONUM_OFFSET]); #endif length = pntoh16(&ep_pkt[PEEKCLASSIC_V7_LENGTH_OFFSET]); sliceLength = pntoh16(&ep_pkt[PEEKCLASSIC_V7_SLICE_LENGTH_OFFSET]); #if 0 flags = ep_pkt[PEEKCLASSIC_V7_FLAGS_OFFSET]; #endif status = ep_pkt[PEEKCLASSIC_V7_STATUS_OFFSET]; timestamp = pntoh64(&ep_pkt[PEEKCLASSIC_V7_TIMESTAMP_OFFSET]); /* force sliceLength to be the actual length of the packet */ if (0 == sliceLength) { sliceLength = length; } /* fill in packet header values */ phdr->rec_type = REC_TYPE_PACKET; phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN; tsecs = (time_t) (timestamp/1000000); tusecs = (guint32) (timestamp - tsecs*1000000); phdr->ts.secs = tsecs - mac2unix; phdr->ts.nsecs = tusecs * 1000; phdr->len = length; phdr->caplen = sliceLength; switch (wth->file_encap) { case WTAP_ENCAP_IEEE_802_11_AIROPEEK: phdr->pseudo_header.ieee_802_11.fcs_len = 0; /* no FCS */ phdr->pseudo_header.ieee_802_11.decrypted = FALSE; phdr->pseudo_header.ieee_802_11.datapad = FALSE; phdr->pseudo_header.ieee_802_11.phy = PHDR_802_11_PHY_UNKNOWN; phdr->pseudo_header.ieee_802_11.presence_flags = 0; /* not present */ /* * The last 4 bytes appear to be random data - the length * might include the FCS - so we reduce the length by 4. * * Or maybe this is just the same kind of random 4 bytes * of junk at the end you get in Wireless Sniffer * captures. */ if (phdr->len < 4 || phdr->caplen < 4) { *err = WTAP_ERR_BAD_FILE; *err_info = g_strdup_printf("peekclassic: 802.11 packet has length < 4"); return -1; } phdr->len -= 4; phdr->caplen -= 4; break; case WTAP_ENCAP_ETHERNET: /* XXX - it appears that if the low-order bit of "status" is 0, there's an FCS in this frame, and if it's 1, there's 4 bytes of 0. */ phdr->pseudo_header.eth.fcs_len = (status & 0x01) ? 0 : 4; break; } /* read the packet data */ if (!wtap_read_packet_bytes(fh, buf, phdr->caplen, err, err_info)) return -1; return sliceLength; }
uint64_t Tvbuff::tvb_get_ntoh64(tvbuff_t *tvb,int offset) { const uint8_t* ptr; ptr = ensure_contiguous(tvb,offset,sizeof(uint64_t)); return pntoh64(ptr); }
static int peekclassic_read_packet_v7(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info) { guint8 ep_pkt[PEEKCLASSIC_V7_PKT_SIZE]; #if 0 guint16 protoNum; #endif guint16 length; guint16 sliceLength; #if 0 guint8 flags; #endif guint8 status; guint64 timestamp; time_t tsecs; guint32 tusecs; guint8 radio_info[RADIO_INFO_SIZE]; if (!wtap_read_bytes_or_eof(fh, ep_pkt, sizeof(ep_pkt), err, err_info)) return -1; /* Extract the fields from the packet */ #if 0 protoNum = pntoh16(&ep_pkt[PEEKCLASSIC_V7_PROTONUM_OFFSET]); #endif length = pntoh16(&ep_pkt[PEEKCLASSIC_V7_LENGTH_OFFSET]); sliceLength = pntoh16(&ep_pkt[PEEKCLASSIC_V7_SLICE_LENGTH_OFFSET]); #if 0 flags = ep_pkt[PEEKCLASSIC_V7_FLAGS_OFFSET]; #endif status = ep_pkt[PEEKCLASSIC_V7_STATUS_OFFSET]; timestamp = pntoh64(&ep_pkt[PEEKCLASSIC_V7_TIMESTAMP_OFFSET]); /* force sliceLength to be the actual length of the packet */ if (0 == sliceLength) { sliceLength = length; } /* * The maximum value of sliceLength and length are 65535, which * are less than WTAP_MAX_PACKET_SIZE_STANDARD will ever be, so we don't * need to check them. */ /* fill in packet header values */ phdr->rec_type = REC_TYPE_PACKET; phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN; tsecs = (time_t) (timestamp/1000000); tusecs = (guint32) (timestamp - tsecs*1000000); phdr->ts.secs = tsecs - mac2unix; phdr->ts.nsecs = tusecs * 1000; phdr->len = length; phdr->caplen = sliceLength; switch (wth->file_encap) { case WTAP_ENCAP_IEEE_802_11_WITH_RADIO: memset(&phdr->pseudo_header.ieee_802_11, 0, sizeof(phdr->pseudo_header.ieee_802_11)); phdr->pseudo_header.ieee_802_11.fcs_len = 0; /* no FCS */ phdr->pseudo_header.ieee_802_11.decrypted = FALSE; phdr->pseudo_header.ieee_802_11.datapad = FALSE; phdr->pseudo_header.ieee_802_11.phy = PHDR_802_11_PHY_UNKNOWN; /* * Now process the radio information pseudo-header. * It's a 4-byte pseudo-header, consisting of: * * 1 byte of data rate, in units of 500 kb/s; * * 1 byte of channel number; * * 1 byte of signal strength as a percentage of * the maximum, i.e. (RXVECTOR RSSI/RXVECTOR RSSI_Max)*100, * or, at least, that's what I infer it is, given what * the WildPackets note "Converting Signal Strength * Percentage to dBm Values" says (it also says that * the conversion the percentage to a dBm value is * an adapter-dependent process, so, as we don't know * what type of adapter was used to do the capture, * we can't do the conversion); * * 1 byte of unknown content (padding?). */ if (phdr->len < RADIO_INFO_SIZE || phdr->caplen < RADIO_INFO_SIZE) { *err = WTAP_ERR_BAD_FILE; *err_info = g_strdup_printf("peekclassic: 802.11 packet has length < 4"); return -1; } phdr->len -= RADIO_INFO_SIZE; phdr->caplen -= RADIO_INFO_SIZE; sliceLength -= RADIO_INFO_SIZE; /* read the pseudo-header */ if (!wtap_read_bytes(fh, radio_info, RADIO_INFO_SIZE, err, err_info)) return -1; phdr->pseudo_header.ieee_802_11.has_data_rate = TRUE; phdr->pseudo_header.ieee_802_11.data_rate = radio_info[0]; phdr->pseudo_header.ieee_802_11.has_channel = TRUE; phdr->pseudo_header.ieee_802_11.channel = radio_info[1]; phdr->pseudo_header.ieee_802_11.has_signal_percent = TRUE; phdr->pseudo_header.ieee_802_11.signal_percent = radio_info[2]; /* * The last 4 bytes appear to be random data - the length * might include the FCS - so we reduce the length by 4. * * Or maybe this is just the same kind of random 4 bytes * of junk at the end you get in Wireless Sniffer * captures. */ if (phdr->len < 4 || phdr->caplen < 4) { *err = WTAP_ERR_BAD_FILE; *err_info = g_strdup_printf("peekclassic: 802.11 packet has length < 8"); return -1; } phdr->len -= 4; phdr->caplen -= 4; break; case WTAP_ENCAP_ETHERNET: /* XXX - it appears that if the low-order bit of "status" is 0, there's an FCS in this frame, and if it's 1, there's 4 bytes of 0. */ phdr->pseudo_header.eth.fcs_len = (status & 0x01) ? 0 : 4; break; } /* read the packet data */ if (!wtap_read_packet_bytes(fh, buf, phdr->caplen, err, err_info)) return -1; return sliceLength; }