static int peekclassic_read_packet_v7(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info) { guint8 ep_pkt[PEEKCLASSIC_V7_PKT_SIZE]; int bytes_read; #if 0 guint16 protoNum; #endif guint16 length; guint16 sliceLength; #if 0 guint8 flags; #endif guint8 status; guint64 timestamp; time_t tsecs; guint32 tusecs; bytes_read = file_read(ep_pkt, sizeof(ep_pkt), fh); if (bytes_read != (int) sizeof(ep_pkt)) { *err = file_error(fh, err_info); if (*err == 0 && bytes_read > 0) *err = WTAP_ERR_SHORT_READ; return -1; } /* Extract the fields from the packet */ #if 0 protoNum = pntohs(&ep_pkt[PEEKCLASSIC_V7_PROTONUM_OFFSET]); #endif length = pntohs(&ep_pkt[PEEKCLASSIC_V7_LENGTH_OFFSET]); sliceLength = pntohs(&ep_pkt[PEEKCLASSIC_V7_SLICE_LENGTH_OFFSET]); #if 0 flags = ep_pkt[PEEKCLASSIC_V7_FLAGS_OFFSET]; #endif status = ep_pkt[PEEKCLASSIC_V7_STATUS_OFFSET]; timestamp = pntohll(&ep_pkt[PEEKCLASSIC_V7_TIMESTAMP_OFFSET]); /* force sliceLength to be the actual length of the packet */ if (0 == sliceLength) { sliceLength = length; } /* fill in packet header values */ phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN; tsecs = (time_t) (timestamp/1000000); tusecs = (guint32) (timestamp - tsecs*1000000); phdr->ts.secs = tsecs - mac2unix; phdr->ts.nsecs = tusecs * 1000; phdr->len = length; phdr->caplen = sliceLength; switch (wth->file_encap) { case WTAP_ENCAP_IEEE_802_11_AIROPEEK: phdr->pseudo_header.ieee_802_11.fcs_len = 0; /* no FCS */ phdr->pseudo_header.ieee_802_11.decrypted = FALSE; /* * The last 4 bytes appear to be random data - the length * might include the FCS - so we reduce the length by 4. * * Or maybe this is just the same kind of random 4 bytes * of junk at the end you get in Wireless Sniffer * captures. */ if (phdr->len < 4 || phdr->caplen < 4) { *err = WTAP_ERR_BAD_FILE; *err_info = g_strdup_printf("peekclassic: 802.11 packet has length < 4"); return -1; } phdr->len -= 4; phdr->caplen -= 4; break; case WTAP_ENCAP_ETHERNET: /* XXX - it appears that if the low-order bit of "status" is 0, there's an FCS in this frame, and if it's 1, there's 4 bytes of 0. */ phdr->pseudo_header.eth.fcs_len = (status & 0x01) ? 0 : 4; break; } /* read the packet data */ if (!wtap_read_packet_bytes(fh, buf, phdr->caplen, err, err_info)) return -1; return sliceLength; }
static gboolean k12_read(wtap *wth, int *err, gchar **err_info, gint64 *data_offset) { k12_t *k12 = (k12_t *)wth->priv; k12_src_desc_t* src_desc; guint8* buffer = NULL; gint64 offset; gint len; guint32 type; guint32 src_id; guint64 ts; guint32 extra_len; offset = wth->data_offset; /* ignore the record if it isn't a packet */ do { K12_DBG(5,("k12_read: offset=%i",offset)); *data_offset = offset; len = get_record(&buffer, wth->fh, offset, err, err_info); if (len < 0) { return FALSE; } else if (len == 0) { *err = 0; return FALSE; } type = pntohl(buffer + K12_RECORD_TYPE); src_id = pntohl(buffer + K12_RECORD_SRC_ID); if ( ! (src_desc = g_hash_table_lookup(k12->src_by_id,GUINT_TO_POINTER(src_id))) ) { /* * Some records from K15 files have a port ID of an undeclared * interface which happens to be the only one with the first byte changed. * It is still unknown how to recognize when this happens. * If the lookup of the interface record fails we'll mask it * and retry. */ src_desc = g_hash_table_lookup(k12->src_by_id,GUINT_TO_POINTER(src_id&K12_RECORD_SRC_ID_MASK)); } K12_DBG(5,("k12_read: record type=%x src_id=%x",type,src_id)); offset += len; } while ( ((type & K12_MASK_PACKET) != K12_REC_PACKET) || !src_id || !src_desc ); wth->data_offset = offset; wth->phdr.presence_flags = WTAP_HAS_TS; ts = pntohll(buffer + K12_PACKET_TIMESTAMP); wth->phdr.ts.secs = (guint32) ((ts / 2000000) + 631152000); wth->phdr.ts.nsecs = (guint32) ( (ts % 2000000) * 500 ); K12_DBG(3,("k12_read: PACKET RECORD type=%x src_id=%x secs=%u nsecs=%u",type,src_id, wth->phdr.ts.secs,wth->phdr.ts.nsecs)); wth->phdr.len = wth->phdr.caplen = pntohl(buffer + K12_RECORD_FRAME_LEN) & 0x00001FFF; extra_len = len - K12_PACKET_FRAME - wth->phdr.caplen; /* the frame */ buffer_assure_space(wth->frame_buffer, wth->phdr.caplen); memcpy(buffer_start_ptr(wth->frame_buffer), buffer + K12_PACKET_FRAME, wth->phdr.caplen); /* extra information need by some protocols */ buffer_assure_space(&(k12->extra_info), extra_len); memcpy(buffer_start_ptr(&(k12->extra_info)), buffer + K12_PACKET_FRAME + wth->phdr.caplen, extra_len); wth->pseudo_header.k12.extra_info = (void*)buffer_start_ptr(&(k12->extra_info)); wth->pseudo_header.k12.extra_length = extra_len; wth->pseudo_header.k12.input = src_id; K12_DBG(5,("k12_read: wth->pseudo_header.k12.input=%x wth->phdr.len=%i input_name='%s' stack_file='%s' type=%x", wth->pseudo_header.k12.input,wth->phdr.len,src_desc->input_name,src_desc->stack_file,src_desc->input_type));\ wth->pseudo_header.k12.input_name = src_desc->input_name; wth->pseudo_header.k12.stack_file = src_desc->stack_file; wth->pseudo_header.k12.input_type = src_desc->input_type; switch(src_desc->input_type) { case K12_PORT_ATMPVC: if ((long)(K12_PACKET_FRAME + wth->phdr.len + K12_PACKET_OFFSET_CID) < len) { wth->pseudo_header.k12.input_info.atm.vp = pntohs(buffer + (K12_PACKET_FRAME + wth->phdr.caplen + K12_PACKET_OFFSET_VP)); wth->pseudo_header.k12.input_info.atm.vc = pntohs(buffer + (K12_PACKET_FRAME + wth->phdr.caplen + K12_PACKET_OFFSET_VC)); wth->pseudo_header.k12.input_info.atm.cid = *((unsigned char*)(buffer + K12_PACKET_FRAME + wth->phdr.len + K12_PACKET_OFFSET_CID)); break; } /* Fall through */ default: memcpy(&(wth->pseudo_header.k12.input_info),&(src_desc->input_info),sizeof(src_desc->input_info)); break; } wth->pseudo_header.k12.stuff = k12; return TRUE; }
static gboolean peekclassic_read_v7(wtap *wth, int *err, gchar **err_info, gint64 *data_offset) { guint8 ep_pkt[PEEKCLASSIC_V7_PKT_SIZE]; #if 0 guint16 protoNum; #endif guint16 length; guint16 sliceLength; #if 0 guint8 flags; #endif guint8 status; guint64 timestamp; time_t tsecs; guint32 tusecs; *data_offset = file_tell(wth->fh); wtap_file_read_expected_bytes(ep_pkt, sizeof(ep_pkt), wth->fh, err, err_info); /* Extract the fields from the packet */ #if 0 protoNum = pntohs(&ep_pkt[PEEKCLASSIC_V7_PROTONUM_OFFSET]); #endif length = pntohs(&ep_pkt[PEEKCLASSIC_V7_LENGTH_OFFSET]); sliceLength = pntohs(&ep_pkt[PEEKCLASSIC_V7_SLICE_LENGTH_OFFSET]); #if 0 flags = ep_pkt[PEEKCLASSIC_V7_FLAGS_OFFSET]; #endif status = ep_pkt[PEEKCLASSIC_V7_STATUS_OFFSET]; timestamp = pntohll(&ep_pkt[PEEKCLASSIC_V7_TIMESTAMP_OFFSET]); /* force sliceLength to be the actual length of the packet */ if (0 == sliceLength) { sliceLength = length; } wth->phdr.presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN; /* fill in packet header length values before slicelength may be adjusted */ wth->phdr.len = length; wth->phdr.caplen = sliceLength; if (sliceLength % 2) /* packets are padded to an even length */ sliceLength++; switch (wth->file_encap) { case WTAP_ENCAP_IEEE_802_11_AIROPEEK: wth->phdr.pseudo_header.ieee_802_11.fcs_len = 0; /* no FCS */ wth->phdr.pseudo_header.ieee_802_11.decrypted = FALSE; break; case WTAP_ENCAP_ETHERNET: /* XXX - it appears that if the low-order bit of "status" is 0, there's an FCS in this frame, and if it's 1, there's 4 bytes of 0. */ wth->phdr.pseudo_header.eth.fcs_len = (status & 0x01) ? 0 : 4; break; } /* read the frame data */ buffer_assure_space(wth->frame_buffer, sliceLength); wtap_file_read_expected_bytes(buffer_start_ptr(wth->frame_buffer), sliceLength, wth->fh, err, err_info); /* fill in packet header values */ tsecs = (time_t) (timestamp/1000000); tusecs = (guint32) (timestamp - tsecs*1000000); wth->phdr.ts.secs = tsecs - mac2unix; wth->phdr.ts.nsecs = tusecs * 1000; if (wth->file_encap == WTAP_ENCAP_IEEE_802_11_AIROPEEK) { /* * The last 4 bytes appear to be random data - the length * might include the FCS - so we reduce the length by 4. * * Or maybe this is just the same kind of random 4 bytes * of junk at the end you get in Wireless Sniffer * captures. */ wth->phdr.len -= 4; wth->phdr.caplen -= 4; } return TRUE; }