authorGuy Harris <guy@alum.mit.edu>2006-04-16 00:52:36 +0000
committerGuy Harris <guy@alum.mit.edu>2006-04-16 00:52:36 +0000
commit749faec6a375f8d60e9b3f8859e0e98f90391809 (patch)
tree096dcbf6b638963a953097ecdf7ef538d0fb97cc /wiretap/network_instruments.h
parentb33cccd47f8a856a0db9bd8eeaac684abe563ae5 (diff)
Move file format definitions to the header file.
Put the code to read the packet header and the packet data into routines (which also fixes some places where observer_seek_read() was using the sequential file handle rather than the random file handle), make the packet header reader skip over the TLVs. Do some additional sanity checking. Wiretap supports nanosecond resolution; provide nanosecond resolution time stamps. Rename some structure members to match their purpose (they're TLV counts, not flags). Remove the TLV header from the TLV structures (and eliminate TLV structures if we don't have the contents or they're just a string); if we process them, we'll probably end up reading the header and data separately. Add some information about some of the TLVs in expert information packets. svn path=/trunk/; revision=17870
Diffstat (limited to 'wiretap/network_instruments.h')
-rw-r--r--wiretap/network_instruments.h102
1 files changed, 62 insertions, 40 deletions
diff --git a/wiretap/network_instruments.h b/wiretap/network_instruments.h
index 3d847d6d38..93d5948f2d 100644
--- a/wiretap/network_instruments.h
+++ b/wiretap/network_instruments.h
@@ -31,25 +31,20 @@ typedef struct capture_file_header
char observer_version[32];
guint16 offset_to_first_packet;
char probe_instance;
- char extra_information_present;
+ guint8 number_of_information_elements; /* number of TLVs in the header */
} capture_file_header;
-#define TYPE_DATA_PACKET 0
-#define TYPE_EXPERT_INFORMATION_PACKET 1
+typedef struct tlv_header
+{
+ guint16 type;
+ guint16 length; /* includes the length of the TLV header */
+} tlv_header;
/*
- * The Observer document indicates that the types of expert information
- * packets are:
- *
- * Network Load (markers used by Expert Time Interval and What If
- * analysis modes)
- *
- * Start/Stop Packet Capture marker frames (with time stamps when
- * captures start and stop)
- *
- * Wireless Channel Change (markers showing what channel was being
- * currently listened to)
+ * TLV type values.
*/
+#define INFORMATION_TYPE_ALIAS_LIST 0x01
+#define INFORMATION_TYPE_COMMENT 0x02 /* ASCII text */
typedef struct packet_entry_header
{
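Review bot: The comment on `length` in the new `tlv_header` says the value includes the TLV header, but it does not record that any value below `sizeof(tlv_header)` is therefore malformed. A reader that advances by `length`, or computes `length - sizeof(tlv_header)`, on a value taken from a capture file would stall or wrap on such input. The reader code is not part of this diff, so whether it already rejects this cannot be confirmed from here. I would state the invariant at the declaration, e.g. `guint16 length; /* includes the TLV header, so values < sizeof(tlv_header) are invalid */`. The same applies to the file-supplied `number_of_information_elements` in `capture_file_header` (which starts above this hunk) and in `packet_entry_header` (second hunk): its comment could note that the counted TLVs must end at or before `offset_to_first_packet` / `offset_to_next_packet`.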
@@ -61,7 +56,7 @@ typedef struct packet_entry_header
guint16 offset_to_next_packet;
guint8 network_type;
guint8 flags;
- guint8 extra_information;
+ guint8 number_of_information_elements; /* number of TLVs in the header */
guint8 packet_type;
guint16 errors;
guint16 reserved;
@@ -70,36 +65,63 @@ typedef struct packet_entry_header
guint64 nano_seconds_since_2000;
} packet_entry_header;
-typedef struct tlv_header
-{
- guint16 type;
- guint16 length;
-} tlv_header;
-
-typedef struct tlv_alias_list
-{
- tlv_header header;
- char alias_list[1];
-} tlv_alias_list;
-
-typedef struct tlv_user_commnent
-{
- tlv_header header;
- char user_comment[1];
-} tlv_user_comment;
+/*
+ * Network type values.
+ */
+#define OBSERVER_UNDEFINED 0xFF
+#define OBSERVER_ETHERNET 0x00
+#define OBSERVER_TOKENRING 0x01
+#define OBSERVER_FDDI 0x02
-typedef struct observer_time
-{
- guint64 ns_since2000; /* given in packet_entry_header */
+/*
+ * Packet type values.
+ */
+#define PACKET_TYPE_DATA_PACKET 0
+#define PACKET_TYPE_EXPERT_INFORMATION_PACKET 1
- guint64 us_since2000; /* Micro-Seconds since 1-1-2000 */
- guint64 sec_since2000; /* Seconds since 1-1-2000 */
+/*
+ * The Observer document indicates that the types of expert information
+ * packets are:
+ *
+ * Network Load (markers used by Expert Time Interval and What If
+ * analysis modes)
+ *
+ * Start/Stop Packet Capture marker frames (with time stamps when
+ * captures start and stop)
+ *
+ * Wireless Channel Change (markers showing what channel was being
+ * currently listened to)
+ *
+ * That information appears to be contained in TLVs.
+ */
- time_t seconds_from_1970;
- guint64 useconds_from_1970;
+/*
+ * TLV type values.
+ */
+#define INFORMATION_TYPE_NETWORK_LOAD 0x0100
+#define INFORMATION_TYPE_CAPTURE_START_STOP 0x0104
-} observer_time;
+/*
+ * Might some of these be broadcast and multicast packet counts?
+ */
+typedef struct tlv_network_load
+{
+ guint32 unknown1;
+ guint32 unknown2;
+ guint32 unknown3;
+ guint32 packets_per_second;
+ guint32 unknown4;
+ guint32 bytes_per_second;
+ guint32 unknown5;
+} tlv_network_load;
+
+typedef struct tlv_capture_start_stop
+{
+ guint32 start_stop;
+} tlv_capture_start_stop;
+#define START_STOP_TYPE_STOP 0
+#define START_STOP_TYPE_START 1
#endif
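Review bot: With the embedded `tlv_header` removed, `tlv_network_load` and `tlv_capture_start_stop` now describe only the payload, and nothing in this hunk ties them to the length a TLV must carry before it is read as one of them. A TLV of type `INFORMATION_TYPE_NETWORK_LOAD` whose `length` is shorter than header plus payload should not be interpreted through this struct, so I would document that on each struct, e.g. `/* payload of INFORMATION_TYPE_NETWORK_LOAD; TLV length must be >= sizeof(tlv_header) + sizeof(tlv_network_load) */`. The byte order of the `guint32` fields as stored in the file is also not stated anywhere in the visible lines; a one-line comment on that would prevent them being used without conversion.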