diff options
author | Ronnie Sahlberg <ronnie_sahlberg@ozemail.com.au> | 2002-05-17 09:53:20 +0000 |
---|---|---|
committer | Ronnie Sahlberg <ronnie_sahlberg@ozemail.com.au> | 2002-05-17 09:53:20 +0000 |
commit | bd351e37095352735732cd300c67eb17ffb98a9d (patch) | |
tree | 51e9da1e99ec58a4396780634f16122dec06bbf7 /wiretap/nettl.c | |
parent | f58590ef4c0b9999b3f1e054ab4630e8168040e5 (diff) |
Added support for HPUX11 NETTL captures for the NS_LS_DRIVER type.
It works for such captures containing 100baseT captures. It may explode on
other link types.
svn path=/trunk/; revision=5496
Diffstat (limited to 'wiretap/nettl.c')
-rw-r--r-- | wiretap/nettl.c | 109 |
1 files changed, 108 insertions, 1 deletions
diff --git a/wiretap/nettl.c b/wiretap/nettl.c index 7f6bf20b36..56e64b1d03 100644 --- a/wiretap/nettl.c +++ b/wiretap/nettl.c @@ -1,6 +1,6 @@ /* nettl.c * - * $Id: nettl.c,v 1.26 2002/04/09 08:15:04 guy Exp $ + * $Id: nettl.c,v 1.27 2002/05/17 09:53:20 sahlberg Exp $ * * Wiretap Library * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu> @@ -66,6 +66,71 @@ struct nettlrec_ns_ls_ip_hdr { /* header is followed by data and once again the total length (2 bytes) ! */ + +/* NL_LS_DRIVER : +The following shows what the header looks like for NS_LS_DRIVER +The capture was taken on HPUX11 and for a 100baseT interface. + +000080 00 44 00 0b 00 00 00 02 00 00 00 00 20 00 00 00 +000090 00 00 00 00 00 00 04 06 00 00 00 00 00 00 00 00 +0000a0 00 00 00 74 00 00 00 74 3c e3 76 19 00 06 34 63 +0000b0 ff ff ff ff 00 00 00 00 00 00 00 00 ff ff ff ff +0000c0 00 00 00 00 00 00 01 02 00 5c 00 5c ff ff ff ff +0000d0 3c e3 76 19 00 06 34 5a 00 0b 00 14 <here starts the MAC heder> + +Each entry starts with 0x0044000b + +The values 0x005c at position 0x0000c8 and 0x0000ca matches the number of bytes in +the packet up to the next entry, which starts with 0x00440b again. These probably +indicate the real and captured length of the packet (order unknown) + +The values 0x00000074 at positions 0x0000a0 and 0x0000a4 seems to indicate +the same number as positions 0x0000c8 and 0x0000ca but added with 24. +Perhaps we have here two layers of headers. +The first layer is fixed and consists of all the bytes from 0x000084 up to and +including 0x0000c3 which is a generic header for all packets captured from any +device. This header might be of fixed size 64 bytes and there might be something in +it which indicates the type of the next header which is link type specific. +Following this header there is another header for the 100baseT interface which +in this case is 24 bytes long spanning positions 0x0000c4 to 0x0000db. + +When someone reports that the loading of the captures breaks, we can compare +this header above with what he/she got to learn how to distinguish between different +types of link specific headers. + + +For now: +The first header seems to be + 0-27 unknown + 28-31 length1 + 32-35 length2 + 36-39 secs + 40-43 100 x nsecs + 44-63 unknown + +The header for 100baseT seems to be + 0-3 unknown + 4-5 length1 these are probably total/captured len. unknown which. + 6-7 length2 + 8-11 unknown + 12-15 secs + 16-19 100 x nsec + 20-23 unknown +*/ +struct nettlrec_ns_ls_drv_hdr { + guint8 xxa[64]; +}; +struct nettlrec_ns_ls_drv_eth_hdr { + guint8 xxa[4]; + guint8 length[2]; + guint8 length2[2]; + guint8 xxb[4]; + guint8 sec[4]; + guint8 cnsec[4]; /* unit of 100 nsec */ + guint8 xxc[4]; +}; + + static gboolean nettl_read(wtap *wth, int *err, long *data_offset); static gboolean nettl_seek_read(wtap *wth, long seek_off, union wtap_pseudo_header *pseudo_header, u_char *pd, @@ -195,6 +260,8 @@ nettl_read_rec_header(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr, int bytes_read; struct nettlrec_sx25l2_hdr lapb_hdr; struct nettlrec_ns_ls_ip_hdr ip_hdr; + struct nettlrec_ns_ls_drv_hdr drv_hdr; + struct nettlrec_ns_ls_drv_eth_hdr drv_eth_hdr; guint16 length; int offset = 0; guint8 encap[4]; @@ -263,6 +330,46 @@ nettl_read_rec_header(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr, phdr->ts.tv_sec = pntohl(&ip_hdr.sec); phdr->ts.tv_usec = pntohl(&ip_hdr.usec); break; + case NETTL_SUBSYS_NS_LS_DRIVER : + bytes_read = file_read(&drv_hdr, 1, sizeof drv_hdr, fh); + if (bytes_read != sizeof drv_hdr) { + *err = file_error(fh); + if (*err != 0) + return -1; + if (bytes_read != 0) { + *err = WTAP_ERR_SHORT_READ; + return -1; + } + return 0; + } + offset += sizeof drv_hdr; + + /* XXX we dont know how to identify this as ehternet frames, so + we assumes everything is. We will crash and burn for anything else */ + /* for encapsulated 100baseT we do this */ + phdr->pkt_encap = WTAP_ENCAP_ETHERNET; + bytes_read = file_read(&drv_eth_hdr, 1, sizeof drv_eth_hdr, fh); + if (bytes_read != sizeof drv_eth_hdr) { + *err = file_error(fh); + if (*err != 0) + return -1; + if (bytes_read != 0) { + *err = WTAP_ERR_SHORT_READ; + return -1; + } + return 0; + } + offset += sizeof drv_eth_hdr; + + length = pntohl(&drv_eth_hdr.length); + if (length <= 0) return 0; + phdr->len = length; + phdr->caplen = length; + + phdr->ts.tv_sec = pntohl(&drv_eth_hdr.sec); + phdr->ts.tv_usec = pntohl(&drv_eth_hdr.cnsec)/10; + + break; case NETTL_SUBSYS_SX25L2 : phdr->pkt_encap = WTAP_ENCAP_LAPB; bytes_read = file_read(&lapb_hdr, 1, sizeof lapb_hdr, fh); |