On Fri, Jun 28, 2002 at 05:18:27PM +0200, Alfred Koebler wrote:
> > > Well, that has a record length of 0x0000010c, or 268, and a packet data
> > > length of 0x000000f3, or 243, in the first packet; snoop just puts
> > > padding there, but I wouldn't be surprised if FW1 puts some extra
> > > information there, just as Shomiti Surveyor does.
> > >
> > > So, while it might be possible to guess which type of file it is based
> > > on the size of the extra stuff hidden in the padding, I don't have the
> > > Shomiti documentation to know for sure whether Shomiti, in any Surveyor
> > > release, stuck exactly 24 bytes of extra information in the padding.
> >
> > OK - I have to look for a deterministic way to detect
> > a FW1 monitor file.
>
> So far as I can determine there is no deterministic way to tell that
> the file is a FW1 monitor file.
> The format is exactly a snoop format.
> There is no info in the padding area.
Well, it might be possible to infer that the file is an FW1 monitor file
from the *length* of the padding area - or, rather, from
length of padding area - (length of padding area % 4)
which is the amount of "padding" that's presumably additional data
rather than padding.
If that value is 0, it's presumably a snoop file. In at least one
capture from Shomiti Surveyor, the value appears to be 16. (I really wish
http://www.shomiti.com/support/TNCapFileFormat.htm
still existed, or that I'd saved a copy of it, as it documented what was
in the additional data. It looks as if Finisar wants you to contact
them to get information such as that; I don't see anything about
Surveyor file formats in any obvious place on their Web site.)
So perhaps if it's 24, the file can be treated as a FW1 monitor file.
(It may also be that there's interesting information in those 24 bytes
of additional information.)
At least on
http://www.checkpoint.com/products/protect/firewall-1_sysreq.html
they mention network interface types other than Ethernet (ATM, FDDI,
Token Ring); I don't know whether this means that they have monitor
files for those other network types or not or, if they do, where they
put the relevant information.
Unfortunately, you can't determine whether the file is an FW1 monitor
file by looking at the file header; you could only do it by looking at
the packet itself.
I'd be inclined, for now, to add a new WTAP_ENCAP_ETHERNET_FW1
encapsulation type to "wiretap/wtap.h", have "wiretap/snoop.c" set
"wth->phdr.pkt_encap" to WTAP_ENCAP_ETHERNET_FW1 if the link-layer type
of the file is WTAP_ENCAP_ETHERNET and the additional data in the
padding area is 24 bytes, and have the FW1 dissector register itself
with a "dissector_add()" call with a first argument of "wtap_encap" and
a second argument of WTAP_ENCAP_ETHERNET_FW1.
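The padding heuristic described in this thread, as an added worked example that is not code from the thread or from wiretap: it parses the RFC 1761 snoop file and record headers, computes "length of padding area - (length of padding area % 4)" for the first record, and maps 0 / 16 / 24 to the snoop / Surveyor / FW1 guesses made above. The sample records are constructed here; the 16 and 24 values are the tentative ones from the message, not a documented format.

```python
import struct

# snoop file header (RFC 1761): 8-byte magic, version, datalink type
SNOOP_FILE_HDR = struct.Struct(">8sII")
SNOOP_MAGIC = b"snoop\0\0\0"
SNOOP_DL_ETHERNET = 4  # datalink type value for Ethernet in snoop files

# snoop record header: orig_len, incl_len, rec_len, drops, sec, usec (big-endian)
SNOOP_REC_HDR = struct.Struct(">IIIIII")
SNOOP_REC_HDR_LEN = SNOOP_REC_HDR.size  # 24 bytes

def extra_bytes(record_length, included_length):
    """Padding beyond what 4-byte alignment of the record requires."""
    padding = record_length - SNOOP_REC_HDR_LEN - included_length
    if padding < 0:
        raise ValueError("record length shorter than header plus packet data")
    return padding - (padding % 4)

def guess_variant(extra):
    """Heuristic from the thread: 0 = plain snoop, 16 = Shomiti Surveyor, 24 = FW1."""
    return {0: "snoop", 16: "shomiti", 24: "fw1"}.get(extra, "unknown")

def build_record(data, extra=0):
    """Constructed snoop record: packet data, `extra` trailing bytes, 4-byte alignment."""
    body = data + bytes(extra)
    rec_len = SNOOP_REC_HDR_LEN + len(body)
    rec_len += (-rec_len) % 4  # pad record length to a 4-byte boundary
    hdr = SNOOP_REC_HDR.pack(len(data), len(data), rec_len, 0, 0, 0)
    return hdr + body + bytes(rec_len - SNOOP_REC_HDR_LEN - len(body))

def build_file(data, extra=0, datalink=SNOOP_DL_ETHERNET):
    """Constructed one-record snoop file (version 2)."""
    return SNOOP_FILE_HDR.pack(SNOOP_MAGIC, 2, datalink) + build_record(data, extra)

def classify_file(buf):
    """Look at the first record, as the file header alone cannot reveal FW1."""
    magic, version, datalink = SNOOP_FILE_HDR.unpack_from(buf, 0)
    if magic != SNOOP_MAGIC:
        raise ValueError("not a snoop file")
    if datalink != SNOOP_DL_ETHERNET:
        return "snoop"  # the heuristic is only proposed for Ethernet captures
    _orig, incl, rec_len, _drops, _sec, _usec = SNOOP_REC_HDR.unpack_from(
        buf, SNOOP_FILE_HDR.size)
    return guess_variant(extra_bytes(rec_len, incl))

if __name__ == "__main__":
    # The first-packet values quoted in the thread: 0x10c record, 0xf3 data.
    print(extra_bytes(0x10c, 0xf3), guess_variant(extra_bytes(0x10c, 0xf3)))
    for extra in (0, 16, 24):
        print(extra, classify_file(build_file(bytes(243), extra)))
```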