authorGuy Harris <guy@alum.mit.edu>2003-01-10 05:53:00 +0000
committerGuy Harris <guy@alum.mit.edu>2003-01-10 05:53:00 +0000
commitfbec15f6f2e668ef3bd7ba04ce701987ba91c9d1 (patch)
treea63fc239697310138a15c96e4e4c0843c84ce868 /wiretap/ngsniffer.c
parent08d2e5e8b78baa7ed2a29d3b806b86c94a7501d5 (diff)
It looks as if a value of 0xfa in the second byte of a REC_HEADER2
record might indicate an ISDN capture; treat that as an indication that a capture is an ISDN capture. svn path=/trunk/; revision=6893
Diffstat (limited to 'wiretap/ngsniffer.c')
-rw-r--r--wiretap/ngsniffer.c98
1 files changed, 48 insertions, 50 deletions
diff --git a/wiretap/ngsniffer.c b/wiretap/ngsniffer.c
index 62b44ddf7d..0f9f65eec4 100644
--- a/wiretap/ngsniffer.c
+++ b/wiretap/ngsniffer.c
@@ -1,6 +1,6 @@
/* ngsniffer.c
*
- * $Id: ngsniffer.c,v 1.104 2003/01/10 04:04:41 guy Exp $
+ * $Id: ngsniffer.c,v 1.105 2003/01/10 05:53:00 guy Exp $
*
* Wiretap Library
* Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
@@ -174,7 +174,7 @@ struct frame2_rec {
typedef struct _ATM_AAL5Trailer {
guint16 aal5t_u2u; /* user-to-user indicator */
guint16 aal5t_len; /* length of the packet */
- guint32 aal5t_chksum; /* checksum for AAL5 packet */
+ guint32 aal5t_chksum; /* checksum for AAL5 packet */
} ATM_AAL5Trailer;
typedef struct _ATMTimeStamp {
@@ -353,12 +353,11 @@ struct frame6_rec {
#define NUM_NGSNIFF_TIMEUNITS 7
static double Usec[] = { 15.0, 0.838096, 15.0, 0.5, 2.0, 1.0, 0.1 };
-static int process_header_records(wtap *wth, int *err, gint16 version,
- gboolean *is_router);
+static int process_header_records(wtap *wth, int *err, gint16 version);
static int process_rec_header2_v2(wtap *wth, unsigned char *buffer,
guint16 length, int *err);
static int process_rec_header2_v45(wtap *wth, unsigned char *buffer,
- guint16 length, gboolean *is_router, int *err);
+ guint16 length, int *err);
static gboolean ngsniffer_read(wtap *wth, int *err, long *data_offset);
static gboolean ngsniffer_seek_read(wtap *wth, long seek_off,
union wtap_pseudo_header *pseudo_header, guchar *pd, int packet_size,
@@ -367,7 +366,7 @@ static int ngsniffer_read_rec_header(wtap *wth, gboolean is_random,
guint16 *typep, guint16 *lengthp, int *err);
static gboolean ngsniffer_read_frame2(wtap *wth, gboolean is_random,
struct frame2_rec *frame2, int *err);
-static int set_pseudo_header_frame2(wtap *wth,
+static void set_pseudo_header_frame2(wtap *wth,
union wtap_pseudo_header *pseudo_header, struct frame2_rec *frame2);
static gboolean ngsniffer_read_frame4(wtap *wth, gboolean is_random,
struct frame4_rec *frame4, int *err);
@@ -422,7 +421,6 @@ int ngsniffer_open(wtap *wth, int *err)
WTAP_ENCAP_ATM_PDUS
};
#define NUM_NGSNIFF_ENCAPS (sizeof sniffer_encap / sizeof sniffer_encap[0])
- gboolean is_router;
struct tm tm;
/* Read in the string that should be at the start of a Sniffer file */
@@ -508,9 +506,16 @@ int ngsniffer_open(wtap *wth, int *err)
* so we just skip them - except for REC_HEADER2 records, which
* we look at, for "Internetwork analyzer" captures, to attempt to
* determine what the link-layer encapsulation is.
+ *
+ * XXX - in some version 1.16 internetwork analyzer files
+ * generated by the Windows Sniffer when saving Windows
+ * Sniffer files as DOS Sniffer files, the first "rsvd" word
+ * is 0x0100 for PRI ISDN files, 0x0200 for BRI ISDN files,
+ * and 0x0000 for non-ISDN files; is that something the DOS
+ * Sniffer understands?
*/
maj_vers = pletohs(&version.maj_vers);
- if (process_header_records(wth, err, maj_vers, &is_router) < 0)
+ if (process_header_records(wth, err, maj_vers) < 0)
return -1;
/*
@@ -556,7 +561,6 @@ int ngsniffer_open(wtap *wth, int *err)
wth->capture.ngsniffer->timeunit = Usec[version.timeunit];
wth->capture.ngsniffer->is_atm =
(wth->file_encap == WTAP_ENCAP_ATM_PDUS);
- wth->capture.ngsniffer->is_router = is_router;
/* Get capture start time */
start_time = pletohs(&version.time);
@@ -593,7 +597,7 @@ int ngsniffer_open(wtap *wth, int *err)
}
static int
-process_header_records(wtap *wth, int *err, gint16 version, gboolean *is_router)
+process_header_records(wtap *wth, int *err, gint16 version)
{
int bytes_read;
char record_type[2];
@@ -603,7 +607,6 @@ process_header_records(wtap *wth, int *err, gint16 version, gboolean *is_router)
int bytes_to_read;
unsigned char buffer[256];
- *is_router = FALSE;
for (;;) {
errno = WTAP_ERR_CANT_READ;
bytes_read = file_read(record_type, 1, 2, wth->fh);
@@ -684,7 +687,7 @@ process_header_records(wtap *wth, int *err, gint16 version, gboolean *is_router)
case 4:
case 5:
if (process_rec_header2_v45(wth, buffer,
- length, is_router, err) < 0)
+ length, err) < 0)
return -1;
break;
}
@@ -745,7 +748,7 @@ process_rec_header2_v2(wtap *wth, unsigned char *buffer, guint16 length,
static int
process_rec_header2_v45(wtap *wth, unsigned char *buffer, guint16 length,
- gboolean *is_router, int *err)
+ int *err)
{
/*
* The 5th byte of the REC_HEADER2 record appears to be a
@@ -798,8 +801,19 @@ process_rec_header2_v45(wtap *wth, unsigned char *buffer, guint16 length,
break;
case NET_ROUTER:
- wth->file_encap = WTAP_ENCAP_PER_PACKET;
- *is_router = TRUE;
+ /*
+ * XXX - for most of the files we've seen, 0xfa in
+ * buffer[1] means the file is an ISDN capture, but
+ * there's one PPP file with 0xfa there; does that
+ * mean that the 0xfa has nothing to do with ISDN,
+ * or is that just an ISDN file with no D channel
+ * packets? (The channel number is not 0 in any
+ * of the packets, so perhaps it is.)
+ */
+ if (buffer[1] == 0xfa)
+ wth->file_encap = WTAP_ENCAP_ISDN;
+ else
+ wth->file_encap = WTAP_ENCAP_PER_PACKET;
break;
case NET_PPP:
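Review bot: The new `buffer[1] == 0xfa` test in the NET_ROUTER case reads a second file-supplied byte, and nothing visible in this hunk shows that `length` covers index 1. process_rec_header2_v45 starts above the hunk, so a length check made there for the network-type byte would cover this read too; without one, a short REC_HEADER2 record would be classified from whatever `buffer` held before the read. The value also deserves a name rather than a bare literal, e.g. `#define REC_HEADER2_ISDN_MARKER 0xfa` (constructed name). The XXX comment already records one PPP capture with 0xfa in that byte, and that capture will now be reported as WTAP_ENCAP_ISDN.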
@@ -829,7 +843,6 @@ static gboolean ngsniffer_read(wtap *wth, int *err, long *data_offset)
double t;
guint16 time_low, time_med, time_high, true_size, size;
guchar *pd;
- int pkt_encap = wth->file_encap;
for (;;) {
/*
@@ -874,8 +887,8 @@ static gboolean ngsniffer_read(wtap *wth, int *err, long *data_offset)
t = (double)time_low+(double)(time_med)*65536.0 +
(double)time_high*4294967296.0;
- pkt_encap = set_pseudo_header_frame2(wth,
- &wth->pseudo_header, &frame2);
+ set_pseudo_header_frame2(wth, &wth->pseudo_header,
+ &frame2);
goto found;
case REC_FRAME4:
@@ -997,9 +1010,8 @@ found:
return FALSE; /* Read error */
wth->data_offset += length;
- pkt_encap = fix_pseudo_header(pkt_encap, pd, length,
+ wth->phdr.pkt_encap = fix_pseudo_header(wth->file_encap, pd, length,
&wth->pseudo_header);
- wth->phdr.pkt_encap = pkt_encap;
t = t/1000000.0 * wth->capture.ngsniffer->timeunit; /* t = # of secs */
t += wth->capture.ngsniffer->start;
@@ -1018,7 +1030,6 @@ static gboolean ngsniffer_seek_read(wtap *wth, long seek_off,
struct frame2_rec frame2;
struct frame4_rec frame4;
struct frame6_rec frame6;
- int pkt_encap = wth->file_encap;
if (ng_file_seek_rand(wth, seek_off, SEEK_SET, err) == -1)
return FALSE;
@@ -1044,8 +1055,7 @@ static gboolean ngsniffer_seek_read(wtap *wth, long seek_off,
length -= sizeof frame2; /* we already read that much */
- pkt_encap = set_pseudo_header_frame2(wth, pseudo_header,
- &frame2);
+ set_pseudo_header_frame2(wth, pseudo_header, &frame2);
break;
case REC_FRAME4:
@@ -1086,7 +1096,7 @@ static gboolean ngsniffer_seek_read(wtap *wth, long seek_off,
if (!ngsniffer_read_rec_data(wth, TRUE, pd, packet_size, err))
return FALSE;
- fix_pseudo_header(pkt_encap, pd, packet_size, pseudo_header);
+ fix_pseudo_header(wth->file_encap, pd, packet_size, pseudo_header);
return TRUE;
}
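Review bot: The result of `fix_pseudo_header(wth->file_encap, pd, packet_size, pseudo_header);` is dropped here, while ngsniffer_read assigns the result of the same call to `wth->phdr.pkt_encap`. If the random-access path only needs the pseudo-header side effect, mark that with an explicit `(void)` cast or a short comment saying the returned encapsulation is deliberately unused, so it is not mistaken for a missed assignment. ngsniffer_seek_read begins outside this hunk, so whether the caller gets the encapsulation some other way is not visible here.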
@@ -1139,11 +1149,9 @@ static gboolean ngsniffer_read_frame2(wtap *wth, gboolean is_random,
return TRUE;
}
-static int set_pseudo_header_frame2(wtap *wth,
+static void set_pseudo_header_frame2(wtap *wth,
union wtap_pseudo_header *pseudo_header, struct frame2_rec *frame2)
{
- int pkt_encap;
-
/*
* In one PPP "Internetwork analyzer" capture:
*
@@ -1185,21 +1193,8 @@ static int set_pseudo_header_frame2(wtap *wth,
* "frame2.flags" was either 0 or 0x18, with no obvious
* correlation with anything. See previous comment
* about display filters.
- *
- * In some NET_ROUTER captures, the 0x18 bits in "frame2.fs" are
- * 0 for frames in a non-ISDN capture and non-zero for frames in
- * an ISDN capture, specifying the channel number in the fashion
- * described in the Sniffer manual, so we use that to distinguish
- * between ISDN frames and non-ISDN frames.
*/
- if (wth->file_encap == WTAP_ENCAP_PER_PACKET &&
- wth->capture.ngsniffer->is_router &&
- (frame2->fs & 0x18) != 0)
- pkt_encap = WTAP_ENCAP_ISDN;
- else
- pkt_encap = wth->file_encap;
-
- switch (pkt_encap) {
+ switch (wth->file_encap) {
case WTAP_ENCAP_PPP_WITH_PHDR:
pseudo_header->p2p.sent = (frame2->fs & 0x80) ? TRUE : FALSE;
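Review bot: Deleting the comment about the 0x18 bits of `frame2.fs` also drops this function's only explanation of what those bits carry (the ISDN channel number, per the removed text). If the WTAP_ENCAP_ISDN case further down, outside this hunk, still decodes the channel from `frame2->fs`, keep one sentence of that description next to it. `switch (wth->file_encap)` also no longer reaches the ISDN case for NET_ROUTER captures whose REC_HEADER2 lacks the 0xfa byte, so those captures depend entirely on the later per-packet inference; the comment should say so. The `is_router` member this code used to read is presumably declared in a header outside this diff and looks unused now.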
@@ -1232,7 +1227,6 @@ static int set_pseudo_header_frame2(wtap *wth,
break;
}
}
- return pkt_encap;
}
static gboolean ngsniffer_read_frame4(wtap *wth, gboolean is_random,
@@ -1612,15 +1606,19 @@ static int infer_pkt_encap(const guint8 *pd, int len)
* LAPD.
* We report it as WTAP_ENCAP_ISDN.
*
- * XXX - is there something buried in the header to tell us
- * whether the capture was taken with an ISDN pod?
+ * XXX - there appeared, at least from the captures
+ * I've seen, to be something buried in REC_HEADER2
+ * records in version 4 and 5 captures that indicates
+ * whether the capture was taken with an ISDN pod,
+ * and there appeared, from the output of a Windows
+ * Sniffer writing out ISDN and non-ISDN captures,
+ * to perhaps be information in the "rsvd" fields
+ * of the version record of version 1 captures
+ * that indicates whether the capture was taken with
+ * an ISDN pod.
*
- * Or is this here just because some ISDN captures run
- * LAPB/X.25 over the B channel(s), so we check for
- * LAPB even in NET_ROUTER captures? If so, we should
- * perhaps move that heuristic up to the ISDN dissector,
- * so that we can infer LAPB traffic in *all* ISDN
- * captures, not just DOS Sniffer ISDN captures?
+ * We leave this heuristic in here, for now, for
+ * non-version 4 and non-version-5 captures.
*/
return WTAP_ENCAP_ISDN;
}
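Review bot: The closing sentence of the new comment, `We leave this heuristic in here, for now, for non-version 4 and non-version-5 captures`, appears narrower than the code. In process_rec_header2_v45 a version 4 or 5 NET_ROUTER capture without 0xfa in `buffer[1]` still gets WTAP_ENCAP_PER_PACKET, and so presumably still reaches this heuristic. Consider wording it as `for captures whose header records do not identify them as ISDN`. infer_pkt_encap begins outside this hunk, so the path from WTAP_ENCAP_PER_PACKET to this return is inferred rather than visible.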