Ethereal-dev: [ethereal-dev] Minor patches
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Joerg Mayer <jmayer@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 14 Jun 2000 21:24:58 +0200 (MET DST)
Hello,

I've made some minor patches:

- When trying to decode a sample trace from the NG offline sniffer installation, one trace resulted in a "corrupted" error. The reason was that the file was a version 2 file format. That format used type 8 for header purposes while version 4 uses it for FRAME4.
- Differentiate between LAPB and LAPD sync sniffer traces. Personally I think there must be a better way to find out which protocol is in the trace but I currently lack the time to look at the remaining frame info.
- Make "tethereal -h" look as similar to "ethereal -h" as possible. The ethereal help was the "better" of the two.

Ciao
Jörg

--
Joerg Mayer eMail: <jmayer@xxxxxxxxxxxxx>
Give an engineer a problem and a curious form of time dilation occurs /AC
Changelog: <jmayer@xxxxxxxxxxxxxxxxxxxxxx> Skipping header frames didn't work with v2 capture files. --- wiretap/ngsniffer.c.distrib Wed Jun 14 19:17:05 2000 +++ wiretap/ngsniffer.c Wed Jun 14 20:29:38 2000 @@ -81,6 +81,14 @@ #define REC_FRAME2 4 /* Frame data (f_frame2) */ #define REC_FRAME4 8 /* Frame data (f_frame4) */ #define REC_EOF 3 /* End-of-file record (no data follows) */ +/* + * and now for some unknown header types + */ +#define REC_HEADER1 6 /* Header containing serial numbers? */ +#define REC_HEADER2 7 /* Header containing ??? */ +#define REC_V2DESC 8 /* In version 2 sniffer traces contains + * infos about this capturing session. + * Collides with REC_FRAME4 */ /* * Sniffer version record format. @@ -242,7 +250,7 @@ #define NUM_NGSNIFF_TIMEUNITS 7 static double Usec[] = { 15.0, 0.838096, 15.0, 0.5, 2.0, 1.0, 0.1 }; -static int skip_uncompressed_records(wtap *wth, int *err); +static int skip_header_records(wtap *wth, int *err, gint16 version); static int ngsniffer_read(wtap *wth, int *err); static int ngsniffer_seek_read(wtap *wth, int seek_off, union wtap_pseudo_header *pseudo_header, u_char *pd, int packet_size); 
@@ -383,32 +391,18 @@ if (version.format != 1) { wth->file_type = WTAP_FILE_NGSNIFFER_COMPRESSED; - /* - * Compressed Sniffer files may have some uncompressed - * records at the beginning, containing various bits of - * header information. - * - * We skip over them, so we're positioned at the beginning - * of the compressed data; records for packet data are in - * the compressed part of the file, and the code to - * read sequentially through the packet data, and - * the code to seek to the beginning of a packet record - * and read it, work, in a compressed file, only in - * the compressed region of the file. - * - * We read and ignore all records with record types - * in the range 0-16; if we see a "record" with a - * type outside that range, we assume it's a compressed - * blob, with the the 2-byte field at the beginning - * being the blob size rather than being a record type. - */ - if (skip_uncompressed_records(wth, err) < 0) - return -1; } else { wth->file_type = WTAP_FILE_NGSNIFFER_UNCOMPRESSED; } /* + * We don't know how to handle the remaining header record types, + * so we just skip them + */ + if (skip_header_records(wth, err, version.maj_vers) < 0) + return -1; + + /* * Now position the random stream to the same location, which * should be the beginning of the real data, and should * be the beginning of the compressed data. @@ -476,7 +470,7 @@ } static int -skip_uncompressed_records(wtap *wth, int *err) +skip_header_records(wtap *wth, int *err, gint16 version) { int bytes_read; char record_type[2]; 
@@ -499,10 +493,13 @@ } type = pletohs(record_type); - if (type > 16) { + if ((type != REC_HEADER1) && (type != REC_HEADER2) + && ((type != REC_V2DESC) || (version > 2)) ) { /* - * Well, this is probably the length of a - * compressed blob. Seek backwards over the + * Well, this is either some unknown header type + * (we ignore this case), an uncompressed data + * frame or the length of a compressed blob + * which implies data. Seek backwards over the * two bytes we read, and return. */ file_seek(wth->fh, -2, SEEK_CUR);
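Review bot: In the @@ -81,6 +81,14 @@ hunk of wiretap/ngsniffer.c, REC_V2DESC and REC_FRAME4 are both defined as 8, and the only place this patch tells them apart is the version test in skip_header_records. Any other code that compares a record type against REC_FRAME4 will match a version 2 descriptor record as well, so the comment on REC_V2DESC should state that the constant is only meaningful together with the file's major version. The two "unknown" header defines would also be easier to maintain with a note on which sample traces they were observed in.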
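Review bot: In the @@ -383,32 +391,18 @@ hunk, moving the call out of the "version.format != 1" branch makes skip_header_records run for uncompressed files as well, a behaviour change the Changelog line (which speaks only of v2 capture files) does not mention. The replacement comment also drops the explanation that sequential reads and seeks work only inside the compressed region, which is the reason the stream has to be positioned past the header records before the random stream is aligned to it. Keep that paragraph of the old comment, and add a sentence saying that for uncompressed files the skip exists because of the version 2 type-8 record.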
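Review bot: In the @@ -499,10 +493,13 @@ hunk, the new condition ends the loop on every type other than 6, 7 and (for version <= 2) 8, whereas the old "type > 16" test skipped all record types from 0 to 16. A compressed file that carries any other small-numbered header record ahead of the compressed data now makes the loop return at that record, and the caller then treats that offset as the start of the data; the new comment acknowledges this with "we ignore this case". Consider keeping the old range check for compressed files and applying the explicit REC_HEADER1 / REC_HEADER2 / REC_V2DESC list only to uncompressed ones, which means passing the format in alongside the version. Separately, "version > 2" treats type 8 as a header for every major version below 2 as well as for 2; the comment should say whether that is intended.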
Changelog: <jmayer@xxxxxxxxxxxxxxxxxxxxxx> (im-?)properly detect LAPD frames. --- wiretap/ngsniffer.c.2 Wed Jun 14 20:55:29 2000 +++ wiretap/ngsniffer.c Wed Jun 14 20:48:19 2000 @@ -359,11 +359,11 @@ /* Check the data link type. If "version.network" is 7, that's "Internetwork analyzer"; - Sniffers appear to write out both LAPB and PPP captures + Sniffers appear to write out LAPB, LAPD and PPP captures (and perhaps other types of captures) in that fashion, and, so far, the only way we know of distinguishing them is to look at the first byte of the packet - if it's 0xFF, - it's PPP, otherwise it's LAPB. + it's PPP, otherwise if it's odd, it's LAPB else it's LAPD. Therefore, we treat it as WTAP_ENCAP_UNKNOWN for now, but don't treat that as an error. @@ -655,18 +655,23 @@ /* * OK, this is from an "Internetwork analyzer"; let's * look at the first byte of the packet, and figure - * out whether it's LAPB or PPP. + * out whether it's LAPB, LAPD or PPP. */ if (pd[0] == 0xFF) { /* * PPP. */ wth->file_encap = WTAP_ENCAP_PPP; - } else { + } else if (pd[0] & 1) { /* * LAPB. */ wth->file_encap = WTAP_ENCAP_LAPB; + } else { + /* + * LAPD. + */ + wth->file_encap = WTAP_ENCAP_LAPD; } }
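Review bot: In the @@ -655,18 +655,23 @@ hunk, the "pd[0] & 1" test sets wth->file_encap for the whole file from the low bit of the first byte of one packet, and neither comment says why an odd byte means LAPB. The reasoning (LAPB address octets are 0x01 or 0x03, while the first LAPD address octet has its address-extension bit clear and is therefore even) belongs in the comment so that a later reader can judge when the guess fails. The visible lines also show no check that the packet holds at least one byte before pd[0] is read; if none precedes this block, add one and leave the encapsulation as WTAP_ENCAP_UNKNOWN for an empty record.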
--- tethereal.c.distrib Wed Jun 14 21:09:08 2000 +++ tethereal.c Wed Jun 14 21:11:26 2000 @@ -130,9 +130,9 @@ fprintf(stderr, "This is GNU t%s %s, compiled with %s\n", PACKAGE, VERSION, comp_info_str); #ifdef HAVE_LIBPCAP - fprintf(stderr, "t%s [ -vVh ] [ -c count ] [ -D ] [ -f <filter expression> ]\n", PACKAGE); - fprintf(stderr, "\t[ -F <capture file type> ] [ -i iface ] [ -n ] [ -r infile ]\n"); - fprintf(stderr, "\t[ -R <filter expression> ] [ -s snaplen ] [ -t <time stamp format> ]\n"); + fprintf(stderr, "t%s [ -vVh ] [ -c count ] [ -D ] [ -f <capture filter> ]\n", PACKAGE); + fprintf(stderr, "\t[ -F <capture file type> ] [ -i interface ] [ -n ] [ -r infile ]\n"); + fprintf(stderr, "\t[ -R <read filter> ] [ -s snaplen ] [ -t <time stamp format> ]\n"); fprintf(stderr, "\t[ -w savefile ] [ -x ]\n"); #else fprintf(stderr, "t%s [ -vVh ] [ -D ] [ -F <capture file type> ] [ -n ] [ -r infile ]\n", PACKAGE);
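Review bot: In the tethereal.c hunk, only the HAVE_LIBPCAP usage text is reworded; the #else branch starts in the trailing context and continues past the visible lines. If that branch also lists -R or -t, give it the same "<read filter>" wording in this patch so that both builds print consistent help.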