diff options
| author | guy <guy@f5534014-38df-0310-8fa8-9805f1628bb7> | 1999-11-26 22:50:51 +0000 |
|---|---|---|
| committer | guy <guy@f5534014-38df-0310-8fa8-9805f1628bb7> | 1999-11-26 22:50:51 +0000 |
| commit | 7bb5c9d4ff8d5cb7e41adc46943a0e5815ccf7ea (patch) | |
| tree | fde897bbe10c38972e8a8ebf44fcebcdd6af9e4d /wiretap/netmon.c | |
| parent | 46b8b84262fe6a8ecdd24852d6b56035ccc8a25d (diff) | |
It appears that the first frame in a NetMon 2.0 capture file doesn't
necessarily start at an offset of 128 into the file; we have to read the
first entry in the frame table to find the offset in the file of the
first frame. (That also works on NetMon 1.0.)
Keep the header size around, though, as we'll need it if we add code to
*write* NetMon files.
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@1119 f5534014-38df-0310-8fa8-9805f1628bb7
Diffstat (limited to 'wiretap/netmon.c')
| -rw-r--r-- | wiretap/netmon.c | 45 |
1 files changed, 41 insertions, 4 deletions
diff --git a/wiretap/netmon.c b/wiretap/netmon.c index 614660433f..56a9c27f34 100644 --- a/wiretap/netmon.c +++ b/wiretap/netmon.c @@ -1,6 +1,6 @@ /* netmon.c * - * $Id: netmon.c,v 1.16 1999/10/05 07:06:06 guy Exp $ + * $Id: netmon.c,v 1.17 1999/11/26 22:50:51 guy Exp $ * * Wiretap Library * Copyright (c) 1998 by Gilbert Ramirez <gram@verdict.uthscsa.edu> @@ -76,7 +76,7 @@ struct netmon_hdr { guint32 networkinfolength; /* length of network info structure */ }; -/* Network Monitor record header; not defined in STRUCT.H, but deduced by +/* Network Monitor 1.x record header; not defined in STRUCT.H, but deduced by * looking at capture files. */ struct netmonrec_1_x_hdr { guint32 ts_delta; /* time stamp - msecs since start of capture */ @@ -84,6 +84,8 @@ struct netmonrec_1_x_hdr { guint16 incl_len; /* number of octets captured in file */ }; +/* Network Monitor 2.x record header; not defined in STRUCT.H, but deduced by + * looking at capture files. */ struct netmonrec_2_x_hdr { guint32 ts_delta_lo; /* time stamp - usecs since start of capture */ guint32 ts_delta_hi; /* time stamp - usecs since start of capture */ @@ -115,6 +117,8 @@ int netmon_open(wtap *wth, int *err) }; #define NUM_NETMON_ENCAPS (sizeof netmon_encap / sizeof netmon_encap[0]) struct tm tm; + guint32 frame_table_length; + guint32 first_frame_table_entry; /* Read in the string that should be at the start of a Network * Monitor file */ @@ -211,9 +215,42 @@ int netmon_open(wtap *wth, int *err) */ wth->capture.netmon->end_offset = pletohl(&hdr.frametableoffset); + /* + * It appears that some NetMon 2.x files don't have the + * first packet starting exactly 128 bytes into the file. + * So we read the first entry from the frame table, and + * use that as the offset of the first packet. + * + * First, make sure the frame table has at least one entry + * in it.... + */ + frame_table_length = pletohl(&hdr.frametablelength); + if (frame_table_length < sizeof first_frame_table_entry) { + g_message("netmon: frame table length is %u, which means it's less than one entry in size", + frame_table_length); + *err = WTAP_ERR_UNSUPPORTED; + return -1; + } + + /* + * Now read that entry. (It appears that the N+1st frame immediately + * follows the Nth frame, so we don't need any entries after the + * first entry.) + */ + errno = WTAP_ERR_CANT_READ; + file_seek(wth->fh, wth->capture.netmon->end_offset, SEEK_SET); + bytes_read = file_read(&first_frame_table_entry, 1, + sizeof first_frame_table_entry, wth->fh); + if (bytes_read != sizeof first_frame_table_entry) { + *err = file_error(wth->fh); + if (*err != 0) + return -1; + return 0; + } + /* Seek to the beginning of the data records. */ - file_seek(wth->fh, CAPTUREFILE_HEADER_SIZE, SEEK_SET); - wth->data_offset = CAPTUREFILE_HEADER_SIZE; + wth->data_offset = pletohl(&first_frame_table_entry); + file_seek(wth->fh, wth->data_offset, SEEK_SET); return 1; } |