From fbec15f6f2e668ef3bd7ba04ce701987ba91c9d1 Mon Sep 17 00:00:00 2001
From: Guy Harris
Date: Fri, 10 Jan 2003 05:53:00 +0000
Subject: It looks as if a value of 0xfa in the second byte of a REC_HEADER2 record might indicate an ISDN capture; treat that as an indication that a capture is an ISDN capture.
svn path=/trunk/; revision=6893
---
 wiretap/ngsniffer.c | 98 ++++++++++++++++++++++++++---------------------------
 1 file changed, 48 insertions(+), 50 deletions(-)
(limited to 'wiretap/ngsniffer.c')
diff --git a/wiretap/ngsniffer.c b/wiretap/ngsniffer.c
index 62b44ddf7d..0f9f65eec4 100644
--- a/wiretap/ngsniffer.c
+++ b/wiretap/ngsniffer.c
@@ -1,6 +1,6 @@
 /* ngsniffer.c
 *
- * $Id: ngsniffer.c,v 1.104 2003/01/10 04:04:41 guy Exp $
+ * $Id: ngsniffer.c,v 1.105 2003/01/10 05:53:00 guy Exp $
 *
 * Wiretap Library
 * Copyright (c) 1998 by Gilbert Ramirez
@@ -174,7 +174,7 @@ struct frame2_rec {
 typedef struct _ATM_AAL5Trailer {
 guint16 aal5t_u2u; /* user-to-user indicator */
 guint16 aal5t_len; /* length of the packet */
- guint32 aal5t_chksum; /* checksum for AAL5 packet */
+ guint32 aal5t_chksum; /* checksum for AAL5 packet */
 } ATM_AAL5Trailer;
 typedef struct _ATMTimeStamp {
@@ -353,12 +353,11 @@ struct frame6_rec {
 #define NUM_NGSNIFF_TIMEUNITS 7
 static double Usec[] = { 15.0, 0.838096, 15.0, 0.5, 2.0, 1.0, 0.1 };
-static int process_header_records(wtap *wth, int *err, gint16 version,
- gboolean *is_router);
+static int process_header_records(wtap *wth, int *err, gint16 version);
 static int process_rec_header2_v2(wtap *wth, unsigned char *buffer, guint16 length, int *err);
 static int process_rec_header2_v45(wtap *wth, unsigned char *buffer,
- guint16 length, gboolean *is_router, int *err);
+ guint16 length, int *err);
 static gboolean ngsniffer_read(wtap *wth, int *err, long *data_offset);
 static gboolean ngsniffer_seek_read(wtap *wth, long seek_off, union wtap_pseudo_header *pseudo_header, guchar *pd, int packet_size,
@@ -367,7 +366,7 @@ static int ngsniffer_read_rec_header(wtap *wth, gboolean is_random,
 guint16 *typep, guint16 *lengthp, int *err);
 static gboolean ngsniffer_read_frame2(wtap *wth, gboolean is_random, struct frame2_rec *frame2, int *err);
-static int set_pseudo_header_frame2(wtap *wth,
+static void set_pseudo_header_frame2(wtap *wth,
 union wtap_pseudo_header *pseudo_header, struct frame2_rec *frame2);
 static gboolean ngsniffer_read_frame4(wtap *wth, gboolean is_random, struct frame4_rec *frame4, int *err);
@@ -422,7 +421,6 @@ int ngsniffer_open(wtap *wth, int *err)
 WTAP_ENCAP_ATM_PDUS
 };
 #define NUM_NGSNIFF_ENCAPS (sizeof sniffer_encap / sizeof sniffer_encap[0])
- gboolean is_router;
 struct tm tm;
 /* Read in the string that should be at the start of a Sniffer file */
@@ -508,9 +506,16 @@ int ngsniffer_open(wtap *wth, int *err)
 * so we just skip them - except for REC_HEADER2 records, which
 * we look at, for "Internetwork analyzer" captures, to attempt to
 * determine what the link-layer encapsulation is.
+ *
+ * XXX - in some version 1.16 internetwork analyzer files
+ * generated by the Windows Sniffer when saving Windows
+ * Sniffer files as DOS Sniffer files, the first "rsvd" word
+ * is 0x0100 for PRI ISDN files, 0x0200 for BRI ISDN files,
+ * and 0x0000 for non-ISDN files; is that something the DOS
+ * Sniffer understands?
 */
 maj_vers = pletohs(&version.maj_vers);
- if (process_header_records(wth, err, maj_vers, &is_router) < 0)
+ if (process_header_records(wth, err, maj_vers) < 0)
 return -1;
 /*
@@ -556,7 +561,6 @@ int ngsniffer_open(wtap *wth, int *err)
 wth->capture.ngsniffer->timeunit = Usec[version.timeunit];
 wth->capture.ngsniffer->is_atm = (wth->file_encap == WTAP_ENCAP_ATM_PDUS);
- wth->capture.ngsniffer->is_router = is_router;
 /* Get capture start time */
 start_time = pletohs(&version.time);
@@ -593,7 +597,7 @@ int ngsniffer_open(wtap *wth, int *err)
 }
 static int
-process_header_records(wtap *wth, int *err, gint16 version, gboolean *is_router)
+process_header_records(wtap *wth, int *err, gint16 version)
 {
 int bytes_read;
 char record_type[2];
@@ -603,7 +607,6 @@ process_header_records(wtap *wth, int *err, gint16 version, gboolean *is_router)
 int bytes_to_read;
 unsigned char buffer[256];
- *is_router = FALSE;
 for (;;) {
 errno = WTAP_ERR_CANT_READ;
 bytes_read = file_read(record_type, 1, 2, wth->fh);
@@ -684,7 +687,7 @@ process_header_records(wtap *wth, int *err, gint16 version, gboolean *is_router)
 case 4:
 case 5:
 if (process_rec_header2_v45(wth, buffer,
- length, is_router, err) < 0)
+ length, err) < 0)
 return -1;
 break;
 }
@@ -745,7 +748,7 @@ process_rec_header2_v2(wtap *wth, unsigned char *buffer, guint16 length,
 static int
 process_rec_header2_v45(wtap *wth, unsigned char *buffer, guint16 length,
- gboolean *is_router, int *err)
+ int *err)
 {
 /*
 * The 5th byte of the REC_HEADER2 record appears to be a
@@ -798,8 +801,19 @@ process_rec_header2_v45(wtap *wth, unsigned char *buffer, guint16 length,
 break;
 case NET_ROUTER:
- wth->file_encap = WTAP_ENCAP_PER_PACKET;
- *is_router = TRUE;
+ /*
+ * XXX - for most of the files we've seen, 0xfa in
+ * buffer[1] means the file is an ISDN capture, but
+ * there's one PPP file with 0xfa there; does that
+ * mean that the 0xfa has nothing to do with ISDN,
+ * or is that just an ISDN file with no D channel
+ * packets? (The channel number is not 0 in any
+ * of the packets, so perhaps it is.)
+ */
+ if (buffer[1] == 0xfa)
+ wth->file_encap = WTAP_ENCAP_ISDN;
+ else
+ wth->file_encap = WTAP_ENCAP_PER_PACKET;
 break;
 case NET_PPP:
@@ -829,7 +843,6 @@ static gboolean ngsniffer_read(wtap *wth, int *err, long *data_offset)
 double t;
 guint16 time_low, time_med, time_high, true_size, size;
 guchar *pd;
- int pkt_encap = wth->file_encap;
 for (;;) {
 /*
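Review bot: The added `if (buffer[1] == 0xfa)` in the NET_ROUTER case reads a record byte with no length check visible in this hunk, so a REC_HEADER2 record shorter than two bytes in a truncated or malformed capture would make the file's encapsulation depend on whatever was left in the caller's 256-byte stack `buffer`. process_rec_header2_v45 starts above the hunk, so a guard may already exist there; if it does not, reject short records before the first index, e.g. `if (length < 5) return -1;` with `*err` set the way the function's other failure paths set it (5 because the opening comment indicates the 5th byte is examined as well). The bare `0xfa` would also read better as a named constant, and since the XXX comment itself reports a PPP file carrying 0xfa, that comment should state the consequence: the whole file is now treated as WTAP_ENCAP_ISDN.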
@@ -874,8 +887,8 @@ static gboolean ngsniffer_read(wtap *wth, int *err, long *data_offset)
 t = (double)time_low+(double)(time_med)*65536.0 + (double)time_high*4294967296.0;
- pkt_encap = set_pseudo_header_frame2(wth,
- &wth->pseudo_header, &frame2);
+ set_pseudo_header_frame2(wth, &wth->pseudo_header,
+ &frame2);
 goto found;
 case REC_FRAME4:
@@ -997,9 +1010,8 @@ found:
 return FALSE; /* Read error */
 wth->data_offset += length;
- pkt_encap = fix_pseudo_header(pkt_encap, pd, length,
+ wth->phdr.pkt_encap = fix_pseudo_header(wth->file_encap, pd, length,
 &wth->pseudo_header);
- wth->phdr.pkt_encap = pkt_encap;
 t = t/1000000.0 * wth->capture.ngsniffer->timeunit; /* t = # of secs */
 t += wth->capture.ngsniffer->start;
@@ -1018,7 +1030,6 @@ static gboolean ngsniffer_seek_read(wtap *wth, long seek_off,
 struct frame2_rec frame2;
 struct frame4_rec frame4;
 struct frame6_rec frame6;
- int pkt_encap = wth->file_encap;
 if (ng_file_seek_rand(wth, seek_off, SEEK_SET, err) == -1)
 return FALSE;
@@ -1044,8 +1055,7 @@ static gboolean ngsniffer_seek_read(wtap *wth, long seek_off,
 length -= sizeof frame2; /* we already read that much */
- pkt_encap = set_pseudo_header_frame2(wth, pseudo_header,
- &frame2);
+ set_pseudo_header_frame2(wth, pseudo_header, &frame2);
 break;
 case REC_FRAME4:
@@ -1086,7 +1096,7 @@ static gboolean ngsniffer_seek_read(wtap *wth, long seek_off,
 if (!ngsniffer_read_rec_data(wth, TRUE, pd, packet_size, err))
 return FALSE;
- fix_pseudo_header(pkt_encap, pd, packet_size, pseudo_header);
+ fix_pseudo_header(wth->file_encap, pd, packet_size, pseudo_header);
 return TRUE;
 }
@@ -1139,11 +1149,9 @@ static gboolean ngsniffer_read_frame2(wtap *wth, gboolean is_random,
 return TRUE;
 }
-static int set_pseudo_header_frame2(wtap *wth,
+static void set_pseudo_header_frame2(wtap *wth,
 union wtap_pseudo_header *pseudo_header, struct frame2_rec *frame2)
 {
- int pkt_encap;
-
 /*
 * In one PPP "Internetwork analyzer" capture:
 *
@@ -1185,21 +1193,8 @@ static int set_pseudo_header_frame2(wtap *wth,
 * "frame2.flags" was either 0 or 0x18, with no obvious
 * correlation with anything. See previous comment
 * about display filters.
- *
- * In some NET_ROUTER captures, the 0x18 bits in "frame2.fs" are
- * 0 for frames in a non-ISDN capture and non-zero for frames in
- * an ISDN capture, specifying the channel number in the fashion
- * described in the Sniffer manual, so we use that to distinguish
- * between ISDN frames and non-ISDN frames.
 */
- if (wth->file_encap == WTAP_ENCAP_PER_PACKET &&
- wth->capture.ngsniffer->is_router &&
- (frame2->fs & 0x18) != 0)
- pkt_encap = WTAP_ENCAP_ISDN;
- else
- pkt_encap = wth->file_encap;
-
- switch (pkt_encap) {
+ switch (wth->file_encap) {
 case WTAP_ENCAP_PPP_WITH_PHDR:
 pseudo_header->p2p.sent = (frame2->fs & 0x80) ? TRUE : FALSE;
@@ -1232,7 +1227,6 @@ static int set_pseudo_header_frame2(wtap *wth,
 break;
 }
 }
- return pkt_encap;
 }
 static gboolean ngsniffer_read_frame4(wtap *wth, gboolean is_random,
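Review bot: With `switch (wth->file_encap)` a NET_ROUTER file that was left as WTAP_ENCAP_PER_PACKET no longer takes any ISDN branch this switch may have (its cases beyond PPP_WITH_PHDR are outside the hunk), so frames later inferred to be ISDN would keep whatever pseudo-header fields were already there; the removed block was the only visible place that looked at `frame2->fs & 0x18` for them. If that is intended, say so above the switch, e.g. `/* PER_PACKET files get no pseudo-header here; fix_pseudo_header() decides from the packet data */`. Also, no visible line reads or writes `wth->capture.ngsniffer->is_router` after this commit and the diffstat lists only wiretap/ngsniffer.c, so the field's declaration presumably remains elsewhere as dead state and should be removed along with its uses. The function body starts above this hunk.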
@@ -1612,15 +1606,19 @@ static int infer_pkt_encap(const guint8 *pd, int len)
 * LAPD.
 * We report it as WTAP_ENCAP_ISDN.
 *
- * XXX - is there something buried in the header to tell us
- * whether the capture was taken with an ISDN pod?
+ * XXX - there appeared, at least from the captures
+ * I've seen, to be something buried in REC_HEADER2
+ * records in version 4 and 5 captures that indicates
+ * whether the capture was taken with an ISDN pod,
+ * and there appeared, from the output of a Windows
+ * Sniffer writing out ISDN and non-ISDN captures,
+ * to perhaps be information in the "rsvd" fields
+ * of the version record of version 1 captures
+ * that indicates whether the capture was taken with
+ * an ISDN pod.
 *
- * Or is this here just because some ISDN captures run
- * LAPB/X.25 over the B channel(s), so we check for
- * LAPB even in NET_ROUTER captures? If so, we should
- * perhaps move that heuristic up to the ISDN dissector,
- * so that we can infer LAPB traffic in *all* ISDN
- * captures, not just DOS Sniffer ISDN captures?
+ * We leave this heuristic in here, for now, for
+ * non-version 4 and non-version-5 captures.
 */
 return WTAP_ENCAP_ISDN;
 }
--
cgit v1.2.3
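Review bot: The new closing sentence of this comment says the heuristic stays for "non-version 4 and non-version-5 captures", but the NET_ROUTER change in process_rec_header2_v45 still assigns WTAP_ENCAP_PER_PACKET to version 4 and 5 files whose second byte is not 0xfa, and those presumably still reach infer_pkt_encap (its callers are outside the hunk). Suggested wording: `* We leave this heuristic in here, for now, for captures whose header records did not identify them as ISDN.` The enclosing function starts and ends outside the hunk.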