diff options
author | Guy Harris <guy@alum.mit.edu> | 2003-10-31 00:43:21 +0000 |
---|---|---|
committer | Guy Harris <guy@alum.mit.edu> | 2003-10-31 00:43:21 +0000 |
commit | 0247fbeb1554b58b434f7c8722d4b7ba3bcc5013 (patch) | |
tree | 5a53e326f6692d879d2277af6107a9906020de5c | |
parent | 6f7c4c683658a06676cd892fa103318d972a337c (diff) |
From Scott Emberley: support for reading Network Instruments version 9
capture files.
svn path=/trunk/; revision=8840
-rw-r--r-- | AUTHORS | 4 | ||||
-rw-r--r-- | doc/editcap.pod | 37 | ||||
-rw-r--r-- | doc/ethereal.pod | 38 | ||||
-rw-r--r-- | doc/mergecap.pod | 37 | ||||
-rw-r--r-- | doc/tethereal.pod | 40 | ||||
-rw-r--r-- | wiretap/AUTHORS | 2 | ||||
-rw-r--r-- | wiretap/Makefile.am | 4 | ||||
-rw-r--r-- | wiretap/Makefile.nmake | 3 | ||||
-rw-r--r-- | wiretap/file_access.c | 8 | ||||
-rw-r--r-- | wiretap/network_instruments.c | 290 | ||||
-rw-r--r-- | wiretap/network_instruments.h | 87 | ||||
-rw-r--r-- | wiretap/wtap.h | 5 |
12 files changed, 480 insertions, 75 deletions
@@ -1900,6 +1900,10 @@ Marcel Holtmann <marcel [AT] holtmann.org> { traces } +Scott Emberley <scotte [AT] netinst.com> { + Support for reading Network Instruments version 9 capture files +} + And assorted fixes and enhancements by the people listed above and by: Pavel Roskin <proski [AT] gnu.org> diff --git a/doc/editcap.pod b/doc/editcap.pod index 70a66ca25f..94093b4e7b 100644 --- a/doc/editcap.pod +++ b/doc/editcap.pod @@ -24,25 +24,28 @@ or all of the packets in that capture file to another capture file. B<Editcap> knows how to read B<libpcap> capture files, including those of B<tcpdump>, B<Ethereal>, and other tools that write captures in that format. In addition, B<Editcap> can read capture files from B<snoop> -and B<atmsnoop>, Shomiti/Finisar B<Surveyor>, Novell B<LANalyzer>, -Network General/Network Associates DOS-based B<Sniffer> (compressed or -uncompressed), Microsoft B<Network Monitor>, AIX's B<iptrace>, Cinco -Networks B<NetXRay>, Network Associates Windows-based B<Sniffer>, AG -Group/WildPackets B<EtherPeek>/B<TokenPeek>/B<AiroPeek>, B<RADCOM>'s -WAN/LAN analyzer, B<Lucent/Ascend> router debug output, HP-UX's -B<nettl>, the dump output from B<Toshiba's> ISDN routers, the output -from B<i4btrace> from the ISDN4BSD project, the output in B<IPLog> -format from the Cisco Secure Intrusion Detection System, B<pppd logs> -(pppdump format), the output from VMS's +and B<atmsnoop>, Shomiti/Finisar B<Surveyor> captures, Novell +B<LANalyzer> captures, Network General/Network Associates DOS-based +B<Sniffer> (compressed or uncompressed) captures, Microsoft B<Network +Monitor> captures, files from AIX's B<iptrace>, Cinco Networks +B<NetXRay> captures, captures from Network Associates Windows-based +B<Sniffer>, AG Group/WildPackets B<EtherPeek>/B<TokenPeek>/B<AiroPeek> +captures, captures from B<RADCOM>'s WAN/LAN analyzer, B<Lucent/Ascend> +router debug output, files from HP-UX's B<nettl>, the dump output from +B<Toshiba's> ISDN routers, the output from B<i4btrace> from the ISDN4BSD +project, the output in B<IPLog> format from the Cisco Secure Intrusion +Detection System, B<pppd logs> (pppdump format), the output from VMS's B<TCPIPtrace>/B<TCPtrace>/B<UCX$TRACE> utilities, the text output from the B<DBS Etherwatch> VMS utility, traffic capture files from Visual -Networks' Visual UpTime, the output from B<CoSine> L2 debug, and the -output from Accellent's 5Views LAN agents. There is no need to tell -B<Editcap> what type of file you are reading; it will determine the file -type by itself. B<Editcap> is also capable of reading any of these file -formats if they are compressed using gzip. B<Editcap> recognizes this -directly from the file; the '.gz' extension is not required for this -purpose. +Networks' Visual UpTime, the output from B<CoSine> L2 debug, the output +from Accellent's 5Views LAN agents, captures in Endace Measurement +Systems' ERF format, Linux Bluez Bluetooth stack "hcidump -w" traces, +and captures from Network Instruments Observer version 9. There is no +need to tell B<Editcap> what type of file you are reading; it will +determine the file type by itself. B<Editcap> is also capable of +reading any of these file formats if they are compressed using gzip. +B<Editcap> recognizes this directly from the file; the '.gz' extension +is not required for this purpose. By default, it writes the capture file in B<libpcap> format, and writes all of the packets in the capture file to the output file. The B<-F> diff --git a/doc/ethereal.pod b/doc/ethereal.pod index 860a213096..19add19543 100644 --- a/doc/ethereal.pod +++ b/doc/ethereal.pod @@ -40,25 +40,28 @@ interactively browse packet data from a live network or from a previously saved capture file. B<Ethereal>'s native capture file format is B<libpcap> format, which is also the format used by B<tcpdump> and various other tools. In addition, B<Ethereal> can read capture files -from B<snoop> and B<atmsnoop>, Shomiti/Finisar B<Surveyor>, Novell -B<LANalyzer>, Network General/Network Associates DOS-based B<Sniffer> -(compressed or uncompressed), Microsoft B<Network Monitor>, AIX's -B<iptrace>, Cinco Networks B<NetXRay>, Network Associates Windows-based -B<Sniffer>, AG Group/WildPackets B<EtherPeek>/B<TokenPeek>/B<AiroPeek>, -B<RADCOM>'s WAN/LAN analyzer, B<Lucent/Ascend> router debug output, -HP-UX's B<nettl>, the dump output from B<Toshiba's> ISDN routers, the -output from B<i4btrace> from the ISDN4BSD project, the output in -B<IPLog> format from the Cisco Secure Intrusion Detection System, B<pppd -logs> (pppdump format), the output from VMS's +from B<snoop> and B<atmsnoop>, Shomiti/Finisar B<Surveyor> captures, +Novell B<LANalyzer> captures, Network General/Network Associates +DOS-based B<Sniffer> (compressed or uncompressed) captures, Microsoft +B<Network Monitor> captures, files from AIX's B<iptrace>, Cinco Networks +B<NetXRay> captures, captures from Network Associates Windows-based +B<Sniffer>, AG Group/WildPackets B<EtherPeek>/B<TokenPeek>/B<AiroPeek> +captures, captures from B<RADCOM>'s WAN/LAN analyzer, B<Lucent/Ascend> +router debug output, files from HP-UX's B<nettl>, the dump output from +B<Toshiba's> ISDN routers, the output from B<i4btrace> from the ISDN4BSD +project, the output in B<IPLog> format from the Cisco Secure Intrusion +Detection System, B<pppd logs> (pppdump format), the output from VMS's B<TCPIPtrace>/B<TCPtrace>/B<UCX$TRACE> utilities, the text output from the B<DBS Etherwatch> VMS utility, traffic capture files from Visual -Networks' Visual UpTime, the output from B<CoSine> L2 debug, and the -output from Accellent's 5Views LAN agents. There is no need to tell -B<Ethereal> what type of file you are reading; it will determine the -file type by itself. B<Ethereal> is also capable of reading any of -these file formats if they are compressed using gzip. B<Ethereal> -recognizes this directly from the file; the '.gz' extension is not -required for this purpose. +Networks' Visual UpTime, the output from B<CoSine> L2 debug, the output +from Accellent's 5Views LAN agents, captures in Endace Measurement +Systems' ERF format, Linux Bluez Bluetooth stack "hcidump -w" traces, +and captures from Network Instruments Observer version 9. There is no +need to tell B<Ethereal> what type of file you are reading; it will +determine the file type by itself. B<Ethereal> is also capable of +reading any of these file formats if they are compressed using gzip. +B<Ethereal> recognizes this directly from the file; the '.gz' extension +is not required for this purpose. Like other protocol analyzers, B<Ethereal>'s main window shows 3 views of a packet. It shows a summary line, briefly describing what the @@ -1947,6 +1950,7 @@ B<http://www.ethereal.com>. Baktha Muralitharan <muralidb [AT] cisco.com> Loïc Minier <lool [AT] dooz.org> Marcel Holtmann <marcel [AT] holtmann.org> + Scott Emberley <scotte [AT] netinst.com> Pavel Roskin <proski [AT] gnu.org> Georgi Guninski <guninski [AT] guninski.com> Jason Copenhaver <jcopenha [AT] typedef.org> diff --git a/doc/mergecap.pod b/doc/mergecap.pod index e91b75b3c2..9b62d10bf1 100644 --- a/doc/mergecap.pod +++ b/doc/mergecap.pod @@ -21,25 +21,28 @@ a single output file specified by the B<-w> argument. B<Mergecap> knows how to read B<libpcap> capture files, including those of B<tcpdump>, B<Ethereal>, and other tools that write captures in that format. In addition, B<Mergecap> can read capture files from B<snoop> and -B<atmsnoop>, Shomiti/Finisar B<Surveyor>, Novell B<LANalyzer>, Network -General/Network Associates DOS-based B<Sniffer> (compressed or -uncompressed), Microsoft B<Network Monitor>, AIX's B<iptrace>, Cinco -Networks B<NetXRay>, Network Associates Windows-based B<Sniffer>, AG -Group/WildPackets B<EtherPeek>/B<TokenPeek>/B<AiroPeek>, B<RADCOM>'s -WAN/LAN analyzer, B<Lucent/Ascend> router debug output, HP-UX's -B<nettl>, the dump output from B<Toshiba's> ISDN routers, the output -from B<i4btrace> from the ISDN4BSD project, the output in B<IPLog> -format from the Cisco Secure Intrusion Detection System, B<pppd logs> -(pppdump format), the output from VMS's +B<atmsnoop>, Shomiti/Finisar B<Surveyor> captures, Novell B<LANalyzer> +captures, Network General/Network Associates DOS-based B<Sniffer> +(compressed or uncompressed) captures, Microsoft B<Network Monitor> +captures, files from AIX's B<iptrace>, Cinco Networks B<NetXRay> +captures, captures from Network Associates Windows-based B<Sniffer>, AG +Group/WildPackets B<EtherPeek>/B<TokenPeek>/B<AiroPeek> captures, +captures from B<RADCOM>'s WAN/LAN analyzer, B<Lucent/Ascend> router +debug output, files from HP-UX's B<nettl>, the dump output from +B<Toshiba's> ISDN routers, the output from B<i4btrace> from the ISDN4BSD +project, the output in B<IPLog> format from the Cisco Secure Intrusion +Detection System, B<pppd logs> (pppdump format), the output from VMS's B<TCPIPtrace>/B<TCPtrace>/B<UCX$TRACE> utilities, the text output from the B<DBS Etherwatch> VMS utility, traffic capture files from Visual -Networks' Visual UpTime, the output from B<CoSine> L2 debug, and the -output from Accellent's 5Views LAN agents. There is no need to tell -B<Mergecap> what type of file you are reading; it will determine the -file type by itself. B<Mergecap> is also capable of reading any of -these file formats if they are compressed using gzip. B<Mergecap> -recognizes this directly from the file; the '.gz' extension is not -required for this purpose. +Networks' Visual UpTime, the output from B<CoSine> L2 debug, the output +from Accellent's 5Views LAN agents, captures in Endace Measurement +Systems' ERF format, Linux Bluez Bluetooth stack "hcidump -w" traces, +and captures from Network Instruments Observer version 9. There is no +need to tell B<Mergecap> what type of file you are reading; it will +determine the file type by itself. B<Mergecap> is also capable of +reading any of these file formats if they are compressed using gzip. +B<Mergecap> recognizes this directly from the file; the '.gz' extension +is not required for this purpose. By default, it writes the capture file in B<libpcap> format, and writes all of the packets in both input capture files to the output file. The diff --git a/doc/tethereal.pod b/doc/tethereal.pod index 1e20fa8c8f..75fbba81d0 100644 --- a/doc/tethereal.pod +++ b/doc/tethereal.pod @@ -42,24 +42,28 @@ standard output or writing the packets to a file. B<Tethereal>'s native capture file format is B<libpcap> format, which is also the format used by B<tcpdump> and various other tools. In addition, B<Tethereal> can read capture files from B<snoop> and B<atmsnoop>, Shomiti/Finisar -B<Surveyor>, Novell B<LANalyzer>, Network General/Network Associates -DOS-based B<Sniffer> (compressed or uncompressed), Microsoft B<Network -Monitor>, AIX's B<iptrace>, Cinco Networks B<NetXRay>, Network -Associates Windows-based B<Sniffer>, AG Group/WildPackets -B<EtherPeek>/B<TokenPeek>/B<AiroPeek>, B<RADCOM>'s WAN/LAN analyzer, -B<Lucent/Ascend> router debug output, HP-UX's B<nettl>, the dump output -from B<Toshiba's> ISDN routers, the output from B<i4btrace> from the -ISDN4BSD project, the output in B<IPLog> format from the Cisco Secure -Intrusion Detection System, B<pppd logs> (pppdump format), the output -from VMS's B<TCPIPtrace>/B<TCPtrace>/B<UCX$TRACE> utilities, the text -output from the B<DBS Etherwatch> VMS utility, traffic capture files -from Visual Networks' Visual UpTime, the output from B<CoSine> L2 debug, -and the output from Accellent's 5Views LAN agents. There is no need to -tell B<Tethereal> what type of file you are reading; it will determine -the file type by itself. B<Tethereal> is also capable of reading any of -these file formats if they are compressed using gzip. B<Tethereal> -recognizes this directly from the file; the '.gz' extension is not -required for this purpose. +B<Surveyor> captures, Novell B<LANalyzer> captures, Network +General/Network Associates DOS-based B<Sniffer> (compressed or +uncompressed) captures, Microsoft B<Network Monitor> captures, files +from AIX's B<iptrace>, Cinco Networks B<NetXRay> captures, captures from +Network Associates Windows-based B<Sniffer>, AG Group/WildPackets +B<EtherPeek>/B<TokenPeek>/B<AiroPeek> captures, captures from +B<RADCOM>'s WAN/LAN analyzer, B<Lucent/Ascend> router debug output, +files from HP-UX's B<nettl>, the dump output from B<Toshiba's> ISDN +routers, the output from B<i4btrace> from the ISDN4BSD project, the +output in B<IPLog> format from the Cisco Secure Intrusion Detection +System, B<pppd logs> (pppdump format), the output from VMS's +B<TCPIPtrace>/B<TCPtrace>/B<UCX$TRACE> utilities, the text output from +the B<DBS Etherwatch> VMS utility, traffic capture files from Visual +Networks' Visual UpTime, the output from B<CoSine> L2 debug, the output +from Accellent's 5Views LAN agents, captures in Endace Measurement +Systems' ERF format, Linux Bluez Bluetooth stack "hcidump -w" traces, +and captures from Network Instruments Observer version 9. There is no +need to tell B<Tethereal> what type of file you are reading; it will +determine the file type by itself. B<Tethereal> is also capable of +reading any of these file formats if they are compressed using gzip. +B<Tethereal> recognizes this directly from the file; the '.gz' extension +is not required for this purpose. If the B<-w> flag is not specified, B<Tethereal> prints a decoded form of the packets it captures or reads; otherwise, it writes those packets diff --git a/wiretap/AUTHORS b/wiretap/AUTHORS index 8194ce4ddd..5216c86a3d 100644 --- a/wiretap/AUTHORS +++ b/wiretap/AUTHORS @@ -20,4 +20,4 @@ Martin Warnes <martin.warnes[AT]ntlworld.com> Thierry Martin <thierry.martin[AT]accellent-group.com> Jesper Peterson <jesper[AT]endace.com> Marcel Holtmann <marcel[AT]holtmann.org> - +Scott Emberley <scotte[AT]netinst.com> diff --git a/wiretap/Makefile.am b/wiretap/Makefile.am index 9780aff8e4..7b7acb9ee6 100644 --- a/wiretap/Makefile.am +++ b/wiretap/Makefile.am @@ -1,7 +1,7 @@ # Makefile.am # Automake file for Wiretap # -# $Id: Makefile.am,v 1.46 2003/10/30 03:11:02 guy Exp $ +# $Id: Makefile.am,v 1.47 2003/10/31 00:43:21 guy Exp $ # # Ethereal - Network traffic analyzer # By Gerald Combs <gerald@ethereal.com> @@ -69,6 +69,8 @@ libwiretap_a_SOURCES = \ netmon.h \ nettl.c \ nettl.h \ + network_instruments.c \ + network_instruments.h \ netxray.c \ netxray.h \ ngsniffer.c \ diff --git a/wiretap/Makefile.nmake b/wiretap/Makefile.nmake index 9e38b2f7b6..ed2d3f41b2 100644 --- a/wiretap/Makefile.nmake +++ b/wiretap/Makefile.nmake @@ -1,5 +1,5 @@ # -# $Id: Makefile.nmake,v 1.36 2003/10/30 03:11:02 guy Exp $ +# $Id: Makefile.nmake,v 1.37 2003/10/31 00:43:21 guy Exp $ # include ..\config.nmake @@ -32,6 +32,7 @@ OBJECTS=ascend-grammar.obj \ libpcap.obj \ netmon.obj \ nettl.obj \ + network_instruments.obj \ netxray.obj \ ngsniffer.obj \ radcom.obj \ diff --git a/wiretap/file_access.c b/wiretap/file_access.c index f5ef156da1..5efc3fb735 100644 --- a/wiretap/file_access.c +++ b/wiretap/file_access.c @@ -1,6 +1,6 @@ /* file_access.c * - * $Id: file_access.c,v 1.4 2003/10/30 03:11:02 guy Exp $ + * $Id: file_access.c,v 1.5 2003/10/31 00:43:21 guy Exp $ * * Wiretap Library * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu> @@ -71,6 +71,7 @@ #include "5views.h" #include "erf.h" #include "hcidump.h" +#include "network_instruments.h" /* The open_file_* routines should return: * @@ -104,6 +105,7 @@ static int (*const open_routines[])(wtap *, int *) = { nettl_open, visual_open, _5views_open, + network_instruments_open, /* Files that don't have magic bytes at a fixed location, * but that instead require a heuristic of some sort to @@ -441,6 +443,10 @@ static const struct file_type_info { /* WTAP_FILE_HCIDUMP */ { "Bluetooth HCI dump", "hcidump", NULL, NULL }, + + /* WTAP_FILE_NETWORK_INSTRUMENTS_V9 */ + { "Network Instruments Observer version 9", "niobserverv9", + NULL, NULL }, }; /* Name that should be somewhat descriptive. */ diff --git a/wiretap/network_instruments.c b/wiretap/network_instruments.c new file mode 100644 index 0000000000..bc74ea20e6 --- /dev/null +++ b/wiretap/network_instruments.c @@ -0,0 +1,290 @@ +/* + * $Id: network_instruments.c,v 1.1 2003/10/31 00:43:21 guy Exp $ + */ + +/*************************************************************************** + NetworkInstruments.c - description + ------------------- + begin : Wed Oct 29 2003 + copyright : (C) 2003 by root + email : scotte[AT}netinst.com + ***************************************************************************/ + +/*************************************************************************** + * * + * This program is free software; you can redistribute it and/or modify * + * it under the terms of the GNU General Public License as published by * + * the Free Software Foundation; either version 2 of the License, or * + * (at your option) any later version. * + * * + ***************************************************************************/ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include <stdlib.h> +#include <errno.h> +#include <string.h> +#include "wtap-int.h" +#include "file_wrappers.h" +#include "buffer.h" +#include "network_instruments.h" + +static const char network_instruments_magic[] = {"ObserverPktBufferVersion=09.00"}; +static const int true_magic_length = 17; + +static const guint32 observer_packet_magic = 0x88888888; + + static const int observer_encap[] = { + WTAP_ENCAP_ETHERNET, + WTAP_ENCAP_TOKEN_RING + }; +#define NUM_OBSERVER_ENCAPS (sizeof observer_encap / sizeof observer_encap[0]) + +static gboolean fill_time_struct(guint64 ns_since2000, observer_time* time_conversion); +static gboolean observer_read(wtap *wth, int *err, long *data_offset); +static gboolean observer_seek_read(wtap *wth, long seek_off, + union wtap_pseudo_header *pseudo_header, guchar *pd, int length, int *err); + +int network_instruments_open(wtap *wth, int *err) +{ + int bytes_read; + long seek_value; + + capture_file_header file_header; + packet_entry_header packet_header; + + errno = WTAP_ERR_CANT_READ; + + /* Read in the buffer file header */ + bytes_read = file_read(&file_header, sizeof file_header, 1, wth->fh); + if (bytes_read != sizeof file_header) { + *err = file_error(wth->fh); + if (*err != 0) + return -1; + return 0; + } + + /* check the magic number */ + if (memcmp(file_header.observer_version, network_instruments_magic, true_magic_length)!=0) { + return 0; + } + + /* check the version */ + if (strncmp(network_instruments_magic, file_header.observer_version, 30)!=0) { + g_message("Observer: unsupported file version %s", file_header.observer_version); + *err = WTAP_ERR_UNSUPPORTED_ENCAP; + return -1; + } + + /* get to the first packet */ + file_header.offset_to_first_packet = + GUINT16_FROM_LE(file_header.offset_to_first_packet); + seek_value = file_seek(wth->fh, file_header.offset_to_first_packet, SEEK_SET, err); + if (seek_value != file_header.offset_to_first_packet) { + *err = file_error(wth->fh); + if (*err != 0) + return -1; + return 0; + } + + /* pull off the packet header */ + bytes_read = file_read(&packet_header, sizeof packet_header, 1, wth->fh); + if (bytes_read != sizeof packet_header) { + *err = file_error(wth->fh); + if (*err != 0) + return -1; + return 0; + } + + /* check the packet's magic number; the magic number is all 8's, + so the byte order doesn't matter */ + if (packet_header.packet_magic != observer_packet_magic) { + g_message("Observer: unsupported packet version %ul", packet_header.packet_magic); + *err = WTAP_ERR_UNSUPPORTED_ENCAP; + return -1; + } + + /* Check the data link type. */ + if (packet_header.network_type >= NUM_OBSERVER_ENCAPS) { + g_message("observer: network type %u unknown or unsupported", packet_header.network_type); + *err = WTAP_ERR_UNSUPPORTED_ENCAP; + return -1; + } + wth->file_encap = observer_encap[packet_header.network_type]; + + wth->file_type = WTAP_FILE_NETWORK_INSTRUMENTS_V9; + + /* set up the rest of the capture parameters */ + wth->subtype_read = observer_read; + wth->subtype_seek_read = observer_seek_read; + wth->subtype_close = NULL; + wth->subtype_sequential_close = NULL; + wth->snapshot_length = 0; + + /* reset the pointer to the first packet */ + seek_value = file_seek(wth->fh, file_header.offset_to_first_packet, SEEK_SET, err); + if (seek_value != file_header.offset_to_first_packet) { + *err = file_error(wth->fh); + if (*err != 0) + return -1; + return 0; + } + wth->data_offset = file_header.offset_to_first_packet; + + return 1; +} + +/* reads the next packet */ +static gboolean observer_read(wtap *wth, int *err, long *data_offset) +{ + int bytes_read; + long seek_value, seek_increment; + long seconds, useconds; + + packet_entry_header packet_header; + + observer_time packet_time; + + *data_offset = wth->data_offset; + + /* pull off the packet header */ + bytes_read = file_read(&packet_header, sizeof packet_header, 1, wth->fh); + if (bytes_read != sizeof packet_header) { + *err = file_error(wth->fh); + if (*err != 0) + return -1; + return 0; + } + wth->data_offset += bytes_read; + + /* check the packet's magic number; the magic number is all 8's, + so the byte order doesn't matter */ + if (packet_header.packet_magic != observer_packet_magic) { + g_message("Observer: bad record"); + *err = WTAP_ERR_BAD_RECORD; + return FALSE; + } + + /* convert from observer time to wiretap time */ + packet_header.nano_seconds_since_2000 = + GUINT64_FROM_LE(packet_header.nano_seconds_since_2000); + fill_time_struct(packet_header.nano_seconds_since_2000, &packet_time); + useconds = (long)(packet_time.useconds_from_1970 - ((guint64)packet_time.seconds_from_1970)*1000000); + seconds = (long)packet_time.seconds_from_1970 - packet_time.time_stamp.tm_gmtoff; + + /* set-up the packet header */ + packet_header.network_size = + GUINT16_FROM_LE(packet_header.network_size); + packet_header.captured_size = + GUINT16_FROM_LE(packet_header.captured_size); + wth->phdr.pkt_encap = observer_encap[packet_header.network_type]; + wth->phdr.len = packet_header.network_size-4; /* neglect frame markers for wiretap */ + wth->phdr.caplen = MIN(packet_header.captured_size, wth->phdr.len); + wth->phdr.ts.tv_sec = seconds; + wth->phdr.ts.tv_usec = useconds; + + /* get to the frame data */ + packet_header.offset_to_frame = + GUINT16_FROM_LE(packet_header.offset_to_frame); + if (packet_header.offset_to_frame < sizeof(packet_header)) { + g_message("Observer: bad record (offset to frame %u < %lu)", + packet_header.offset_to_frame, + (unsigned long)sizeof(packet_header)); + *err = WTAP_ERR_BAD_RECORD; + return FALSE; + } + seek_increment = packet_header.offset_to_frame - sizeof(packet_header); + if(seek_increment>0) { + seek_value = file_seek(wth->fh, seek_increment, SEEK_CUR, err); + if (seek_value != seek_increment) { + *err = file_error(wth->fh); + g_message("Observer: bad record"); + *err = WTAP_ERR_BAD_RECORD; + return FALSE; + } + } + wth->data_offset += seek_increment; + + /* set-up the packet buffer */ + buffer_assure_space(wth->frame_buffer, packet_header.captured_size); + wtap_file_read_expected_bytes(buffer_start_ptr(wth->frame_buffer), packet_header.captured_size, wth->fh, err); + wth->data_offset += packet_header.captured_size; + + /* update the pseudo header */ + switch (wth->file_encap) { + + case WTAP_ENCAP_ETHERNET: + /* There is no FCS in the frame */ + wth->pseudo_header.eth.fcs_len = 0; + break; + } + + return TRUE; +} + +/* reads a packet at an offset */ +static gboolean observer_seek_read(wtap *wth, long seek_off, + union wtap_pseudo_header *pseudo_header, guchar *pd, int length, int *err) +{ + packet_entry_header packet_header; + + int bytes_read; + + if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1) + return FALSE; + + /* pull off the packet header */ + bytes_read = file_read(&packet_header, sizeof packet_header, 1, wth->random_fh); + if (bytes_read != sizeof packet_header) { + *err = file_error(wth->fh); + if (*err != 0) + return -1; + return 0; + } + + /* check the packets magic number */ + if (packet_header.packet_magic != observer_packet_magic) { + g_message("Observer: bad record in observer_seek_read"); + *err = WTAP_ERR_BAD_RECORD; + return FALSE; + } + + /* read in the packet */ + bytes_read = file_read(pd, 1, length, wth->random_fh); + if (bytes_read != length) { + *err = file_error(wth->fh); + g_message("Observer: read error in observer_seek_read"); + return FALSE; + } + + /* update the pseudo header */ + switch (wth->file_encap) { + + case WTAP_ENCAP_ETHERNET: + /* There is no FCS in the frame */ + pseudo_header->eth.fcs_len = 0; + break; + } + + return TRUE; +} + +static guint32 seconds1970to2000 = (((30*365)+7)*24*60*60); /* 7 leap years */ +gboolean fill_time_struct(guint64 ns_since2000, observer_time* time_conversion) +{ + time_conversion->ns_since2000 = ns_since2000; + time_conversion->us_since2000 = ns_since2000/1000; + time_conversion->sec_since2000 = ns_since2000/1000000000; + + time_conversion->seconds_from_1970 = seconds1970to2000 + time_conversion->sec_since2000; + time_conversion->useconds_from_1970 = ((guint64)seconds1970to2000*1000000)+time_conversion->us_since2000; + +#if 0 + time_conversion->time_stamp = *localtime(&time_conversion->seconds_from_1970); +#endif + + return TRUE; +} + diff --git a/wiretap/network_instruments.h b/wiretap/network_instruments.h new file mode 100644 index 0000000000..be151976c5 --- /dev/null +++ b/wiretap/network_instruments.h @@ -0,0 +1,87 @@ +/* + * $Id: network_instruments.h,v 1.1 2003/10/31 00:43:21 guy Exp $ + */ + +/*************************************************************************** + NetworkInstruments.h - description + ------------------- + begin : Wed Oct 29 2003 + copyright : (C) 2003 by root + email : scotte[AT}netinst.com + ***************************************************************************/ + +/*************************************************************************** + * * + * This program is free software; you can redistribute it and/or modify * + * it under the terms of the GNU General Public License as published by * + * the Free Software Foundation; either version 2 of the License, or * + * (at your option) any later version. * + * * + ***************************************************************************/ + +#ifndef __NETWORK_INSTRUMENTS_H__ +#define __NETWORK_INSTRUMENTS_H__ + +int network_instruments_open(wtap *wth, int *err); + +typedef struct capture_file_header +{ + char observer_version[32]; + guint16 offset_to_first_packet; + char probe_instance; + char extra_information_present; +} capture_file_header; + +typedef struct packet_entry_header +{ + guint32 packet_magic; + guint32 network_speed; + guint16 captured_size; + guint16 network_size; + guint16 offset_to_frame; + guint16 offset_to_next_packet; + guint8 network_type; + guint8 flags; + guint8 extra_information; + guint8 packet_type; + guint16 errors; + guint16 reserved; + guint64 packet_number; + guint64 original_packet_number; + guint64 nano_seconds_since_2000; +} packet_entry_header; + +typedef struct tlv_header +{ + guint16 type; + guint16 length; +} tlv_header; + +typedef struct tlv_alias_list +{ + tlv_header header; + char alias_list[1]; +} tlv_alias_list; + +typedef struct tlv_user_commnent +{ + tlv_header header; + char user_comment[1]; +} tlv_user_comment; + +typedef struct observer_time +{ + guint64 ns_since2000; /* given in packet_entry_header */ + struct tm time_stamp; + + guint64 us_since2000; /* Micro-Seconds since 1-1-2000 */ + guint64 sec_since2000; /* Seconds since 1-1-2000 */ + + time_t seconds_from_1970; + guint64 useconds_from_1970; + +} observer_time; + + +#endif + diff --git a/wiretap/wtap.h b/wiretap/wtap.h index b752515843..cdc174b7e8 100644 --- a/wiretap/wtap.h +++ b/wiretap/wtap.h @@ -1,6 +1,6 @@ /* wtap.h * - * $Id: wtap.h,v 1.143 2003/10/30 03:11:03 guy Exp $ + * $Id: wtap.h,v 1.144 2003/10/31 00:43:21 guy Exp $ * * Wiretap Library * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu> @@ -174,9 +174,10 @@ #define WTAP_FILE_5VIEWS 34 #define WTAP_FILE_ERF 35 #define WTAP_FILE_HCIDUMP 36 +#define WTAP_FILE_NETWORK_INSTRUMENTS_V9 37 /* last WTAP_FILE_ value + 1 */ -#define WTAP_NUM_FILE_TYPES 37 +#define WTAP_NUM_FILE_TYPES 38 /* * Maximum packet size we'll support. |