aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--AUTHORS1
-rw-r--r--wiretap/AUTHORS1
-rw-r--r--wiretap/netxray.c125
3 files changed, 93 insertions, 34 deletions
diff --git a/AUTHORS b/AUTHORS
index b89569682c..b70d68e8b0 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -2261,6 +2261,7 @@ Francesco Fondelli <fondelli.francesco [AT] tiscali.it> {
Bill Meier <wmeier [AT] newsguy.com> {
TDS4/TDS5 enhancements
+ NetXRay/Windows Sniffer file enhancements
}
Susanne Edlund <Susanne.Edlund [AT] ericsson.com> {
diff --git a/wiretap/AUTHORS b/wiretap/AUTHORS
index 16ba863713..3e0aec509d 100644
--- a/wiretap/AUTHORS
+++ b/wiretap/AUTHORS
@@ -10,6 +10,7 @@ Bert Driehuis <driehuis[AT]playbeing.org>
Mike Hall <mlh[AT]io.com>
Daniel Thompson <daniel.thompson[AT]st.com>
Chris Jepeway <thai-dragon[AT]eleven29.com>
+Bill Meier <wmeier[AT]newsguy.com>
Marc Milgram <ethereal[AT]mmilgram.NOSPAMmail.net>
Tom Nisbet <Tnisbet[AT]VisualNetworks.com>
Ronnie Sahlberg <sahlberg[AT]optushome.com.au>
diff --git a/wiretap/netxray.c b/wiretap/netxray.c
index f477ef70fc..ea20ef83e2 100644
--- a/wiretap/netxray.c
+++ b/wiretap/netxray.c
@@ -46,7 +46,9 @@ static const char netxray_magic[] = { /* magic header */
'X', 'C', 'P', '\0'
};
+#if 0
/* NetXRay file header (minus magic number). */
+/* See below for updated; */
struct netxray_hdr {
char version[8]; /* version number */
guint32 start_time; /* UNIX time when capture started */
@@ -66,12 +68,61 @@ struct netxray_hdr {
guint8 realtick[4]; /* in version 2, units of the timestamps */
guint8 xxc[48]; /* other unknown stuff */
};
+#endif
+
+/* NetXRay file header (minus magic number). */
+/* */
+/* As field usages are identified, please revise as needed */
+/* Please do *not* use netxray_hdr xxx... names in the code */
+/* (Placeholder names for all 'unknown' fields are */
+/* of form xxx_x<hex_hdr_offset> */
+/* where <hex_hdr_offset> *includes* the magic number) */
+
+struct netxray_hdr {
+ char version[8]; /* version number */
+ guint32 start_time; /* UNIX [UTC] time when capture started */
+
+ guint32 nframes; /* number of packets */
+ guint32 xxx_x14; /* unknown [some kind of file offset] */
+ guint32 start_offset; /* offset of first packet in capture */
+ guint32 end_offset; /* offset after last packet in capture */
+
+ guint32 xxx_x20; /* unknown [some kind of file offset] */
+ guint32 xxx_x24; /* unknown [unused ?] */
+ guint32 xxx_x28; /* unknown [some kind of file offset] */
+ guint8 network; /* datalink type */
+ guint8 network_plus; /* [See code] */
+ guint8 xxx_x2E[2]; /* unknown */
+
+ guint8 timeunit; /* encodes length of a tick */
+ guint8 xxx_x31[3]; /* XXX - upper 3 bytes of timeunit ? */
+ guint32 timelo; /* lower 32 bits of capture start time stamp */
+ guint32 timehi; /* upper 32 bits of capture start time stamp */
+ guint32 linespeed; /* speed of network, in bits/second */
+
+ guint8 xxx_x40[12]; /* unknown [other stuff] */
+ guint8 realtick[4]; /* in v2, means ??? */
+
+ guint8 xxx_x50[4]; /* unknown [other stuff] */
+ guint8 captype; /* capture type */
+ guint8 xxx_x55[3]; /* unknown [other stuff] */
+ guint8 xxx_x58[4]; /* unknown [other stuff] */
+ guint8 wan_hdlc_subsub_captype; /* WAN HDLC subsub_captype */
+ guint8 xxx_x5D[3]; /* unknown [other stuff] */
+
+ guint8 xxx_x60[16]; /* unknown [other stuff] */
+
+ guint8 xxx_x70[14]; /* unknown [other stuff] */
+ guint16 timezone_hrs; /* timezone hours [at least for version 2...]; */
+ /* positive values = west of UTC: */
+ /* e.g. +5 is American Eastern */
+};
/*
- * Capture type, in xxc[4].
+ * Capture type, in hdr.captype.
*
* XXX - S6040-model Sniffers with gigabit blades store 6 here for
- * Etherneet captures, and some other Ethernet captures had a capture
+ * Ethernet captures, and some other Ethernet captures had a capture
* type of 3, so presumably the interpretation of the capture type
* depends on the network type. We prefix all the capture types
* for WAN captures with WAN_.
@@ -112,12 +163,17 @@ struct netxray_hdr {
* CAPTURE, SO CHANGING THEM WILL BREAK AT LEAST SOME CAPTURES. WE
* WILL NOT CHECK IN PATCHES THAT CHANGE THESE VALUES.
*
- * Instead, if a value in TpS is wrong, check whether captype has a
- * non-zero value; if so, perhaps we need a new TpS table for the
+ * Instead, if a value in a TpS table is wrong, check whether captype
+ * has a non-zero value; if so, perhaps we need a new TpS table for the
* corresponding network type and captype.
*
* Note that the "realtick" value is wrong in many captures, so
* we no longer use it. We don't know what significance it has.
+ * In at least one capture where "realtick" doesn't correspond
+ * to the value from the appropriate TpS table, the per-packet header's
+ * "xxx" field is all zero, so it's not as if a 2.x header includes
+ * a "compatibility" time stamp corresponding to the value from the
+ * TpS table and a "real" time stamp corresponding to "realtick".
*
* XXX - the third item is 1193180.0, presumably because somebody found
* it gave the right answer for some captures, but 3 times that, i.e.
@@ -271,15 +327,15 @@ int netxray_open(wtap *wth, int *err, gchar **err_info)
* pods use the same network type value but aren't
* shaped like Ethernet. We handle that below.
*/
- WTAP_ENCAP_ETHERNET, /* WAN(PPP), but shaped like Ethernet */
- WTAP_ENCAP_UNKNOWN, /* LocalTalk */
- WTAP_ENCAP_UNKNOWN, /* "DIX" - should not occur */
- WTAP_ENCAP_UNKNOWN, /* ARCNET raw */
- WTAP_ENCAP_UNKNOWN, /* ARCNET 878.2 */
- WTAP_ENCAP_ATM_PDUS_UNTRUNCATED, /* ATM */
+ WTAP_ENCAP_ETHERNET, /* WAN(PPP), but shaped like Ethernet */
+ WTAP_ENCAP_UNKNOWN, /* LocalTalk */
+ WTAP_ENCAP_UNKNOWN, /* "DIX" - should not occur */
+ WTAP_ENCAP_UNKNOWN, /* ARCNET raw */
+ WTAP_ENCAP_UNKNOWN, /* ARCNET 878.2 */
+ WTAP_ENCAP_ATM_PDUS_UNTRUNCATED,/* ATM */
WTAP_ENCAP_IEEE_802_11_WITH_RADIO,
- /* Wireless WAN with radio information */
- WTAP_ENCAP_UNKNOWN /* IrDA */
+ /* Wireless WAN with radio information */
+ WTAP_ENCAP_UNKNOWN /* IrDA */
};
#define NUM_NETXRAY_ENCAPS (sizeof netxray_encap / sizeof netxray_encap[0])
int file_encap;
@@ -359,7 +415,7 @@ int netxray_open(wtap *wth, int *err, gchar **err_info)
}
}
- switch (hdr.xxz[0]) {
+ switch (hdr.network_plus) {
case 0:
/*
@@ -383,7 +439,7 @@ int netxray_open(wtap *wth, int *err, gchar **err_info)
default:
*err = WTAP_ERR_UNSUPPORTED;
*err_info = g_strdup_printf("netxray: the byte after the network type has the value %u, which I don't understand",
- hdr.xxz[0]);
+ hdr.network_plus);
return -1;
}
@@ -391,7 +447,7 @@ int netxray_open(wtap *wth, int *err, gchar **err_info)
|| netxray_encap[network_type] == WTAP_ENCAP_UNKNOWN) {
*err = WTAP_ERR_UNSUPPORTED_ENCAP;
*err_info = g_strdup_printf("netxray: network type %u (%u) unknown or unsupported",
- network_type, hdr.xxz[0]);
+ network_type, hdr.network_plus);
return -1;
}
@@ -435,7 +491,7 @@ int netxray_open(wtap *wth, int *err, gchar **err_info)
* Ethernet - the table to use depends on whether
* this is an NDIS or pod capture.
*/
- switch (hdr.xxc[4]) {
+ switch (hdr.captype) {
case CAPTYPE_NDIS:
if (hdr.timeunit > NUM_NETXRAY_TIMEUNITS) {
@@ -446,7 +502,7 @@ int netxray_open(wtap *wth, int *err, gchar **err_info)
return -1;
}
timeunit = TpS[hdr.timeunit];
- wth->tsprecision = WTAP_FILE_TSPREC_NSEC; /* XXX */
+ wth->tsprecision = WTAP_FILE_TSPREC_USEC; /* XXX */
break;
case ETH_CAPTYPE_GIGPOD:
@@ -480,7 +536,7 @@ int netxray_open(wtap *wth, int *err, gchar **err_info)
return -1;
}
timeunit = TpS_otherpod[hdr.timeunit];
- wth->tsprecision = WTAP_FILE_TSPREC_NSEC; /* XXX */
+ wth->tsprecision = WTAP_FILE_TSPREC_USEC; /* XXX */
/*
* At least for 002.002 and 002.003
@@ -508,7 +564,7 @@ int netxray_open(wtap *wth, int *err, gchar **err_info)
*err = WTAP_ERR_UNSUPPORTED;
*err_info = g_strdup_printf(
"netxray: Unknown capture type %u for Ethernet version %.8s capture",
- hdr.xxc[4], hdr.version);
+ hdr.captype, hdr.version);
return -1;
}
break;
@@ -518,12 +574,12 @@ int netxray_open(wtap *wth, int *err, gchar **err_info)
*err = WTAP_ERR_UNSUPPORTED;
*err_info = g_strdup_printf(
"netxray: Unknown timeunit %u for %u/%u version %.8s capture",
- hdr.timeunit, network_type, hdr.xxc[4],
+ hdr.timeunit, network_type, hdr.captype,
hdr.version);
return -1;
}
timeunit = TpS[hdr.timeunit];
- wth->tsprecision = WTAP_FILE_TSPREC_NSEC; /* XXX */
+ wth->tsprecision = WTAP_FILE_TSPREC_USEC; /* XXX */
break;
}
break;
@@ -541,12 +597,12 @@ int netxray_open(wtap *wth, int *err, gchar **err_info)
* frames (as a result, presumably, of having passed
* through NDISWAN).
*
- * In version 2, it looks as if there's stuff in the "xxc"
- * words of the file header to specify what particular
+ * In version 2, it looks as if there's stuff in the
+ * file header to specify what particular
* type of WAN capture we have.
*/
if (version_major == 2) {
- switch (hdr.xxc[4]) {
+ switch (hdr.captype) {
case WAN_CAPTYPE_PPP:
/*
@@ -572,6 +628,7 @@ int netxray_open(wtap *wth, int *err, gchar **err_info)
* and hdr.xxc[46:47] is 0xff 0xff in the
* Cisco HDLC capture and 0x05 0x00 in the
* Frame Relay capture.
+ * [XXX: xxc[46:47] appear to be Timezone]
*/
file_encap = WTAP_ENCAP_FRELAY_WITH_PHDR;
break;
@@ -581,7 +638,7 @@ int netxray_open(wtap *wth, int *err, gchar **err_info)
/*
* Various HDLC flavors?
*/
- switch (hdr.xxc[12]) {
+ switch (hdr.wan_hdlc_subsub_captype) {
case 0: /* LAPB/X.25 */
file_encap = WTAP_ENCAP_LAPB;
@@ -591,13 +648,13 @@ int netxray_open(wtap *wth, int *err, gchar **err_info)
case 2: /* T1 PRI */
case 3: /* BRI */
file_encap = WTAP_ENCAP_ISDN;
- isdn_type = hdr.xxc[12];
+ isdn_type = hdr.wan_hdlc_subsub_captype;
break;
default:
*err = WTAP_ERR_UNSUPPORTED_ENCAP;
*err_info = g_strdup_printf("netxray: WAN HDLC capture subsubtype 0x%02x unknown or unsupported",
- hdr.xxc[12]);
+ hdr.wan_hdlc_subsub_captype);
return -1;
}
break;
@@ -612,7 +669,7 @@ int netxray_open(wtap *wth, int *err, gchar **err_info)
default:
*err = WTAP_ERR_UNSUPPORTED_ENCAP;
*err_info = g_strdup_printf("netxray: WAN capture subtype 0x%02x unknown or unsupported",
- hdr.xxc[4]);
+ hdr.captype);
return -1;
}
} else
@@ -1624,24 +1681,24 @@ static gboolean netxray_dump_close_2_0(wtap_dumper *wdh, int *err)
switch (wdh->encap) {
case WTAP_ENCAP_PPP_WITH_PHDR:
- file_hdr.xxc[4] = WAN_CAPTYPE_PPP;
+ file_hdr.captype = WAN_CAPTYPE_PPP;
break;
case WTAP_ENCAP_FRELAY_WITH_PHDR:
- file_hdr.xxc[4] = WAN_CAPTYPE_FRELAY;
+ file_hdr.captype = WAN_CAPTYPE_FRELAY;
break;
case WTAP_ENCAP_LAPB:
- file_hdr.xxc[4] = WAN_CAPTYPE_HDLC;
- file_hdr.xxc[12] = 0;
+ file_hdr.captype = WAN_CAPTYPE_HDLC;
+ file_hdr.wan_hdlc_subsub_captype = 0;
break;
case WTAP_ENCAP_SDLC:
- file_hdr.xxc[4] = WAN_CAPTYPE_SDLC;
+ file_hdr.captype = WAN_CAPTYPE_SDLC;
break;
default:
- file_hdr.xxc[4] = CAPTYPE_NDIS;
+ file_hdr.captype = CAPTYPE_NDIS;
break;
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-15 18:24:42 +0000