authorGilbert Ramirez <gram@alumni.rice.edu>1998-11-13 05:57:39 +0000
committerGilbert Ramirez <gram@alumni.rice.edu>1998-11-13 05:57:39 +0000
commitd744ff6a91857950287a61d7758546b8f06d17fd (patch)
treea29978089e7880cbef4eb885047517f563cb6d86 /wiretap/ngsniffer.c
parent7b91cc82151285a0312c501318b8e4dc883406fc (diff)
Now that I know where to find the file format of Sniffer trace files, wiretap
now *properly* reads Sniffer files. I now know the field in the file header which denotes link type. svn path=/trunk/; revision=88
Diffstat (limited to 'wiretap/ngsniffer.c')
-rw-r--r--wiretap/ngsniffer.c157
1 files changed, 114 insertions, 43 deletions
diff --git a/wiretap/ngsniffer.c b/wiretap/ngsniffer.c
index 9c292cb5ea..26fd0508e5 100644
--- a/wiretap/ngsniffer.c
+++ b/wiretap/ngsniffer.c
@@ -1,6 +1,6 @@
/* ngsniffer.c
*
- * $Id: ngsniffer.c,v 1.2 1998/11/12 06:01:24 gram Exp $
+ * $Id: ngsniffer.c,v 1.3 1998/11/13 05:57:38 gram Exp $
*
* Wiretap Library
* Copyright (c) 1998 by Gilbert Ramirez <gram@verdict.uthscsa.edu>
@@ -27,75 +27,146 @@
int ngsniffer_open(wtap *wth)
{
int bytes_read;
- char magic[33];
-
+ char magic[18];
+ char record_type[2];
+ char record_length[4]; /* only the first 2 bytes are length,
+ the last 2 are "reserved" and are thrown away */
+ guint16 type, length = 0;
+ char network;
+ char version[18]; /* to hold the entire version record */
+
+ #define NUM_NGSNIFF_ENCAPS 10
+ int sniffer_encap[] = {
+ WTAP_ENCAP_TR,
+ WTAP_ENCAP_ETHERNET,
+ WTAP_ENCAP_ARCNET,
+ WTAP_ENCAP_NONE, /* StarLAN */
+ WTAP_ENCAP_NONE, /* PC Network broadband */
+ WTAP_ENCAP_NONE, /* LocalTalk */
+ WTAP_ENCAP_NONE, /* type 6 not defined in Sniffer */
+ WTAP_ENCAP_NONE, /* Internetwork analyzer */
+ WTAP_ENCAP_NONE, /* type 8 not defined in Sniffer */
+ WTAP_ENCAP_FDDI
+ };
+
+ /* Read in the string that should be at the start of a Sniffer file */
fseek(wth->fh, 0, SEEK_SET);
- bytes_read = fread(magic, 1, 32, wth->fh);
+ bytes_read = fread(magic, 1, 17, wth->fh);
- if (bytes_read != 32) {
+ if (bytes_read != 17) {
return WTAP_FILE_UNKNOWN;
}
- magic[16] = 0;
+ magic[17] = 0;
- if (strcmp(magic, "TRSNIFF data ")) {
+ if (strcmp(magic, "TRSNIFF data \x1a")) {
return WTAP_FILE_UNKNOWN;
}
/* This is a ngsniffer file */
- wth->frame_number = 0;
- wth->file_byte_offset = 0x10b;
+ wth->capture.ngsniffer = g_malloc(sizeof(ngsniffer_t));
wth->subtype_read = ngsniffer_read;
+ /*wth->frame_number = 0;*/
+ /*wth->file_byte_offset = 0x10b;*/
+
+ /* Read records until we find the start of packets */
+ while (1) {
+ fseek(wth->fh, length, SEEK_CUR);
+ bytes_read = fread(record_type, 1, 2, wth->fh);
+ bytes_read += fread(record_length, 1, 4, wth->fh);
+ if (bytes_read != 6) {
+ return WTAP_FILE_UNKNOWN;
+ }
- /* I think this is link type */
- if (magic[30] == 0x25) {
- wth->encapsulation = WTAP_ENCAP_ETHERNET;
- }
- else if (magic[30] == 0x24) {
- wth->encapsulation = WTAP_ENCAP_TR;
- }
- else {
- g_error("The magic byte that I think tells DLT is 0x%02X\n", magic[30]);
- exit(-1);
+ type = pletohs(record_type);
+ length = pletohs(record_length);
+
+ switch (type) {
+ /* Version Record */
+ case REC_VERS:
+ fread(version, 1, 18, wth->fh);
+ length = 0; /* to fake the next iteration of while() */
+ network = version[9];
+ if (network >= NUM_NGSNIFF_ENCAPS) {
+ g_error("ngsniffer: network type %d unknown", network);
+ return WTAP_FILE_UNKNOWN;
+ }
+ else {
+ wth->encapsulation = sniffer_encap[network];
+ }
+ break;
+
+ case REC_FRAME2:
+ wth->capture.ngsniffer->pkt_len = length - 14;
+ return WTAP_FILE_NGSNIFFER;
+
+ default:
+ /* Continue with while() loop */
+ }
}
- if (fseek(wth->fh, 0x10b, SEEK_SET) < 0) {
- return WTAP_FILE_UNKNOWN; /* I should exit(-1) here */
- }
+ /* never gets here */
return WTAP_FILE_NGSNIFFER;
}
/* Read the next packet */
int ngsniffer_read(wtap *wth)
{
- struct ngsniffer_hdr frame_hdr;
- int bytes_read, packet_size;
-
- bytes_read = fread(&frame_hdr, 1, sizeof(struct ngsniffer_hdr), wth->fh);
-
- if (bytes_read == sizeof(struct ngsniffer_hdr)) {
- wth->frame_number++;
- packet_size = frame_hdr.bytes;
- buffer_assure_space(&wth->frame_buffer, packet_size);
+ int packet_size = wth->capture.ngsniffer->pkt_len;
+ int bytes_read;
+ char record_type[2];
+ char record_length[4]; /* only 1st 2 bytes are length */
+ guint16 type, length;
+ char frame2[14];
+
+ /* if this is the very first packet, then the fh cursor will be at the
+ * start of a f_frame2_struct instead of at the start of the record.
+ * Check for this */
+ if (!packet_size) {
+
+ /* Read record info */
+ bytes_read = fread(record_type, 1, 2, wth->fh);
+ bytes_read += fread(record_length, 1, 4, wth->fh);
+ if (bytes_read != 6) {
+ return 0;
+ }
- bytes_read = fread(buffer_start_ptr(&wth->frame_buffer), 1,
- frame_hdr.bytes, wth->fh);
+ type = pletohs(record_type);
+ length = pletohs(record_length);
- if (bytes_read != packet_size) {
- g_error("ngsniffer_read: fread for data: %d bytes out of %d read\n",
- bytes_read, packet_size);
+ if (type != REC_FRAME2) {
return 0;
}
+ else {
+ packet_size = length - 14;
+ }
+ }
+ else {
+ wth->capture.ngsniffer->pkt_len = 0;
+ }
- wth->file_byte_offset += sizeof(struct ngsniffer_hdr) + packet_size;
+ /* Read the f_frame2_struct */
+ bytes_read = fread(frame2, 1, 14, wth->fh);
+ if (bytes_read != 14) {
+ g_error("ngsniffer_read: not enough frame2 data (%d bytes)",
+ bytes_read);
+ return 0;
+ }
- wth->phdr.ts.tv_sec = 0;
- wth->phdr.ts.tv_usec = 0;
- wth->phdr.caplen = packet_size;
- wth->phdr.len = packet_size;
+ buffer_assure_space(&wth->frame_buffer, packet_size);
+ bytes_read = fread(buffer_start_ptr(&wth->frame_buffer), 1,
+ packet_size, wth->fh);
- return 1;
+ if (bytes_read != packet_size) {
+ g_error("ngsniffer_read: fread for data: %d bytes out of %d",
+ bytes_read, packet_size);
+ return 0;
}
- return 0;
+ wth->phdr.ts.tv_sec = 0;
+ wth->phdr.ts.tv_usec = 0;
+ wth->phdr.caplen = packet_size;
+ wth->phdr.len = packet_size;
+
+ return 1;
}
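Review bot: In the REC_VERS case of ngsniffer_open, `network` is a plain `char` copied straight from the file, so where `char` is signed a byte of 0x80 or above is negative, passes the `network >= NUM_NGSNIFF_ENCAPS` test, and indexes `sniffer_encap[]` before its start; declaring it `guint8 network;` closes that out-of-bounds read. The same case ignores the result of `fread(version, 1, 18, wth->fh)`, so a truncated file leaves `version[9]` uninitialised; `if (fread(version, 1, 18, wth->fh) != 18) return WTAP_FILE_UNKNOWN;` would cover it. Both `length - 14` computations (REC_FRAME2 in ngsniffer_open and the first-packet branch of ngsniffer_read) go negative when the record length from the file is below 14, and that `int` is then handed to `buffer_assure_space()` and to `fread()` as the byte count. Rejecting the record first, `if (length < 14) return WTAP_FILE_UNKNOWN;` in ngsniffer_open and `if (length < 14) return 0;` in ngsniffer_read, keeps a malformed capture from driving the read size.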