authorMichael Mann <mmann78@netscape.net>2017-09-04 10:16:49 -0400
committerMichael Mann <mmann78@netscape.net>2017-09-04 18:41:46 +0000
commita2b084f6c507d96fe6f0776154537268d60e9428 (patch)
tree8638abf6329ce8f297ebff9b12e49cea0b462fdf /wiretap
parent9f1c73edac06821987760e03f103c49bb9588d1f (diff)
Add support for WPFCapture "formats" from Microsoft Analyzer.
Normally a .cap file contains a network type that when masked with 0xFFF will convert to a pcap LINKTYPE_ value. However, Microsoft Analyzer used 0xE080-0xE08A for their own purposes within a .cap file. Add support for the WPFCapture formats and give a "not supported" error message to the few left unsupported. Bug: 10556 Change-Id: I321a75ce769fdec75bdc6b595936c25932950a97 Reviewed-on: https://code.wireshark.org/review/23386 Petri-Dish: Michael Mann <mmann78@netscape.net> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'wiretap')
-rw-r--r--wiretap/netmon.c36
-rw-r--r--wiretap/wtap.c18
-rw-r--r--wiretap/wtap.h7
3 files changed, 60 insertions, 1 deletions
diff --git a/wiretap/netmon.c b/wiretap/netmon.c
index f8b5394ae7..ed35ce7256 100644
--- a/wiretap/netmon.c
+++ b/wiretap/netmon.c
@@ -1016,7 +1016,41 @@ netmon_process_record(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr,
return FAILURE;
network = pletoh16(trlr.trlr_2_1.network);
- if ((network & 0xF000) == NETMON_NET_PCAP_BASE) {
+ if ((network >= 0xE080) && (network <= 0xE08A)) {
+ /* These values "violate" the LINKTYPE_ media type values
+ * in Microsoft Analyzer and are considered a MAExportedMediaType,
+ * so they need their own WTAP_ types
+ */
+ switch (network)
+ {
+ case 0xE080: // "WiFi Message"
+ case 0xE081: // "Ndis Etw WiFi Channel Message"
+ case 0xE082: // "Fiddler Netmon Message"
+ case 0xE089: // "Pef Ndis Msg";
+ case 0xE08A: // "Pef Ndis Wifi Meta Msg";
+ *err = WTAP_ERR_UNSUPPORTED;
+ *err_info = g_strdup_printf("netmon: network type %u unknown or unsupported", network);
+ return FAILURE;
+ case 0xE083:
+ pkt_encap = WTAP_ENCAP_MA_WFP_CAPTURE_V4;
+ break;
+ case 0xE084:
+ pkt_encap = WTAP_ENCAP_MA_WFP_CAPTURE_V6;
+ break;
+ case 0xE085:
+ pkt_encap = WTAP_ENCAP_MA_WFP_CAPTURE_2V4;
+ break;
+ case 0xE086:
+ pkt_encap = WTAP_ENCAP_MA_WFP_CAPTURE_2V6;
+ break;
+ case 0xE087:
+ pkt_encap = WTAP_ENCAP_MA_WFP_CAPTURE_AUTH_V4;
+ break;
+ case 0xE088:
+ pkt_encap = WTAP_ENCAP_MA_WFP_CAPTURE_AUTH_V6;
+ break;
+ }
+ } else if ((network & 0xF000) == NETMON_NET_PCAP_BASE) {
/*
* Converted pcap file - the LINKTYPE_ value
* is the network value with 0xF000 masked off.
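Review bot: The `switch (network)` in the new `0xE080`–`0xE08A` branch has no `default:`, so it is only correct while the hex literals in the range test and the case labels stay in step. `network` is read from the file trailer, so if the range is later widened without a matching case, control would leave the switch with `pkt_encap` holding whatever it had before (its initialisation is outside the hunk). Adding `default:` next to `case 0xE08A:` makes the unsupported path the fail-closed one. The error text would also be easier to match against the case comments if it printed the value in the form used here, `"netmon: network type 0x%04X unknown or unsupported"`. netmon_process_record begins and ends outside the hunk.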
diff --git a/wiretap/wtap.c b/wiretap/wtap.c
index 6e80171398..c9257e728e 100644
--- a/wiretap/wtap.c
+++ b/wiretap/wtap.c
@@ -944,6 +944,24 @@ static struct encap_type_info encap_table_base[] = {
/* WTAP_ENCAP_NETMON_NETWORK_INFO_EX */
{ "Network Monitor Network Info", "netmon_network_info" },
+
+ /* WTAP_ENCAP_MA_WFP_CAPTURE_V4 */
+ { "Message Analyzer WFP Capture v4", "message_analyzer_wfp_capture_v4" },
+
+ /* WTAP_ENCAP_MA_WFP_CAPTURE_V6 */
+ { "Message Analyzer WFP Capture v6", "message_analyzer_wfp_capture_v6" },
+
+ /* WTAP_ENCAP_MA_WFP_CAPTURE_2V4 */
+ { "Message Analyzer WFP Capture2 v4", "message_analyzer_wfp_capture2_v4" },
+
+ /* WTAP_ENCAP_MA_WFP_CAPTURE_2V6 */
+ { "Message Analyzer WFP Capture2 v6", "message_analyzer_wfp_capture2_v6" },
+
+ /* WTAP_ENCAP_MA_WFP_CAPTURE_AUTH_V4 */
+ { "Message Analyzer WFP Capture Auth v4", "message_analyzer_wfp_capture_auth_v4" },
+
+ /* WTAP_ENCAP_MA_WFP_CAPTURE_AUTH_V6 */
+ { "Message Analyzer WFP Capture Auth v6", "message_analyzer_wfp_capture_auth_v6" },
};
WS_DLL_LOCAL
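Review bot: The six new `encap_table_base` entries are tied to `WTAP_ENCAP_MA_WFP_CAPTURE_V4` through `WTAP_ENCAP_MA_WFP_CAPTURE_AUTH_V6` (191–196 in the wtap.h hunk) only by their position and the comment above each one; nothing checks that the array length matches the highest `WTAP_ENCAP_` value. If the table is indexed directly by encapsulation value, which the wtap.h comment suggests but this hunk does not show, a missed or misordered entry would mislabel captures or read past the end of the table. A compile-time check after the array, for example `G_STATIC_ASSERT(G_N_ELEMENTS(encap_table_base) == WTAP_ENCAP_MA_WFP_CAPTURE_AUTH_V6 + 1);`, would catch that as long as it is updated with each new type. The array starts outside the hunk.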
diff --git a/wiretap/wtap.h b/wiretap/wtap.h
index 77a0205aa6..ff3d5dd816 100644
--- a/wiretap/wtap.h
+++ b/wiretap/wtap.h
@@ -278,6 +278,13 @@ extern "C" {
#define WTAP_ENCAP_NETMON_HEADER 188
#define WTAP_ENCAP_NETMON_NET_FILTER 189
#define WTAP_ENCAP_NETMON_NETWORK_INFO_EX 190
+#define WTAP_ENCAP_MA_WFP_CAPTURE_V4 191
+#define WTAP_ENCAP_MA_WFP_CAPTURE_V6 192
+#define WTAP_ENCAP_MA_WFP_CAPTURE_2V4 193
+#define WTAP_ENCAP_MA_WFP_CAPTURE_2V6 194
+#define WTAP_ENCAP_MA_WFP_CAPTURE_AUTH_V4 195
+#define WTAP_ENCAP_MA_WFP_CAPTURE_AUTH_V6 196
+
/* After adding new item here, please also add new item to encap_table_base array */
#define WTAP_NUM_ENCAP_TYPES wtap_get_num_encap_types()