Ethereal-dev: Re: [Ethereal-dev] AIX 'iptrace' format and FDDI
From: Guy Harris <guy@xxxxxxxxxx>
Date: Fri, 1 Nov 2002 12:44:56 -0800
On Fri, Nov 01, 2002 at 08:24:31PM +0100, Martin Regner wrote: > Guy is correct. > There seems to be 3 bytes of padding in front of the raw FDDI data (50 > 10 00 5a ...) I've checked in a change that skips those 3 bytes in FDDI captures, so it'll be in the next release. I've attached the patch to "wiretap/iptrace.c", in case the person who sent the capture built Ethereal from source.
Index: wiretap/iptrace.c =================================================================== RCS file: /usr/local/cvsroot/ethereal/wiretap/iptrace.c,v retrieving revision 1.44 diff -c -r1.44 wiretap/iptrace.c *** wiretap/iptrace.c 28 Aug 2002 20:30:44 -0000 1.44 --- wiretap/iptrace.c 1 Nov 2002 20:38:39 -0000 *************** *** 87,93 **** * iptrace 1.0 * ***********************************************************/ ! /* iptrace 1.0, discovered through inspection */ typedef struct { /* 0-3 */ guint32 pkt_length; /* packet length + 0x16 */ /* 4-7 */ guint32 tv_sec; /* time stamp, seconds since the Epoch */ --- 87,110 ---- * iptrace 1.0 * ***********************************************************/ ! /* ! * iptrace 1.0, discovered through inspection ! * ! * Packet record contains: ! * ! * an initial header, with a length field and a time stamp, in ! * seconds since the Epoch; ! * ! * data, with the specified length. ! * ! * The data contains: ! * ! * a bunch of information about the packet; ! * ! * padding, at least for FDDI; ! * ! * the raw packet data. ! */ typedef struct { /* 0-3 */ guint32 pkt_length; /* packet length + 0x16 */ /* 4-7 */ guint32 tv_sec; /* time stamp, seconds since the Epoch */ *************** *** 98,123 **** /* 29 */ guint8 tx_flag; /* 0=receive, 1=transmit */ } iptrace_1_0_phdr; /* Read the next packet */ static gboolean iptrace_read_1_0(wtap *wth, int *err, long *data_offset) { int ret; guint32 packet_size; ! guint8 header[30]; guint8 *data_ptr; iptrace_1_0_phdr pkt_hdr; /* Read the descriptor data */ *data_offset = wth->data_offset; ! ret = iptrace_read_rec_header(wth->fh, header, 30, err); if (ret <= 0) { /* Read error or EOF */ return FALSE; } ! wth->data_offset += 30; /* Read the packet data */ ! 
packet_size = pntohl(&header[0]) - 0x16; buffer_assure_space( wth->frame_buffer, packet_size ); data_ptr = buffer_start_ptr( wth->frame_buffer ); if (!iptrace_read_rec_data(wth->fh, data_ptr, packet_size, err)) --- 115,173 ---- /* 29 */ guint8 tx_flag; /* 0=receive, 1=transmit */ } iptrace_1_0_phdr; + #define IPTRACE_1_0_PHDR_SIZE 30 /* initial header plus packet data */ + #define IPTRACE_1_0_PDATA_SIZE 22 /* packet data */ + /* Read the next packet */ static gboolean iptrace_read_1_0(wtap *wth, int *err, long *data_offset) { int ret; guint32 packet_size; ! guint8 header[IPTRACE_1_0_PHDR_SIZE]; guint8 *data_ptr; iptrace_1_0_phdr pkt_hdr; + char fddi_padding[3]; /* Read the descriptor data */ *data_offset = wth->data_offset; ! ret = iptrace_read_rec_header(wth->fh, header, IPTRACE_1_0_PHDR_SIZE, ! err); if (ret <= 0) { /* Read error or EOF */ return FALSE; } ! wth->data_offset += IPTRACE_1_0_PHDR_SIZE; ! ! /* ! * Byte 28 of the frame header appears to be a BSD-style IFT_xxx ! * value giving the type of the interface. Check out the ! * <net/if_types.h> header file. ! */ ! pkt_hdr.if_type = header[28]; ! wth->phdr.pkt_encap = wtap_encap_ift(pkt_hdr.if_type); /* Read the packet data */ ! packet_size = pntohl(&header[0]) - IPTRACE_1_0_PDATA_SIZE; ! ! /* ! * AIX appears to put 3 bytes of padding in front of FDDI ! * frames; strip that crap off. ! */ ! if (wth->phdr.pkt_encap == WTAP_ENCAP_FDDI_BITSWAPPED) { ! /* ! * The packet size is really a record size and includes ! * the padding. ! */ ! packet_size -= 3; ! wth->data_offset += 3; ! ! /* ! * Read the padding. ! */ ! if (!iptrace_read_rec_data(wth->fh, fddi_padding, 3, err)) ! return FALSE; /* Read error */ ! } ! 
buffer_assure_space( wth->frame_buffer, packet_size ); data_ptr = buffer_start_ptr( wth->frame_buffer ); if (!iptrace_read_rec_data(wth->fh, data_ptr, packet_size, err)) *************** *** 129,142 **** wth->phdr.ts.tv_sec = pntohl(&header[4]); wth->phdr.ts.tv_usec = 0; - /* - * Byte 28 of the frame header appears to be a BSD-style IFT_xxx - * value giving the type of the interface. Check out the - * <net/if_types.h> header file. - */ - pkt_hdr.if_type = header[28]; - wth->phdr.pkt_encap = wtap_encap_ift(pkt_hdr.if_type); - if (wth->phdr.pkt_encap == WTAP_ENCAP_UNKNOWN) { g_message("iptrace: interface type IFT=0x%02x unknown or unsupported", pkt_hdr.if_type); --- 179,184 ---- *************** *** 170,182 **** int *err) { int ret; ! guint8 header[30]; if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1) return FALSE; /* Read the descriptor data */ ! ret = iptrace_read_rec_header(wth->random_fh, header, 30, err); if (ret <= 0) { /* Read error or EOF */ if (ret == 0) { --- 212,227 ---- int *err) { int ret; ! guint8 header[IPTRACE_1_0_PHDR_SIZE]; ! int pkt_encap; ! char fddi_padding[3]; if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1) return FALSE; /* Read the descriptor data */ ! ret = iptrace_read_rec_header(wth->random_fh, header, ! IPTRACE_1_0_PHDR_SIZE, err); if (ret <= 0) { /* Read error or EOF */ if (ret == 0) { *************** *** 186,197 **** return FALSE; } /* Get the packet data */ if (!iptrace_read_rec_data(wth->random_fh, pd, packet_size, err)) return FALSE; /* Get the ATM pseudo-header, if this is ATM traffic. */ ! if (wtap_encap_ift(header[28]) == WTAP_ENCAP_ATM_SNIFFER) get_atm_pseudo_header(pd, packet_size, pseudo_header, header); return TRUE; --- 231,259 ---- return FALSE; } + /* + * Get the interface type. + */ + pkt_encap = wtap_encap_ift(header[28]); + + /* + * AIX appears to put 3 bytes of padding in front of FDDI + * frames; strip that crap off. + */ + if (pkt_encap == WTAP_ENCAP_FDDI_BITSWAPPED) { + /* + * Read the padding. 
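Review bot: In iptrace_read_1_0 the new `packet_size -= 3;` on the FDDI path has no lower bound. `packet_size` is a `guint32` derived from the length field read out of the capture file, so a record length below `IPTRACE_1_0_PDATA_SIZE + 3` wraps to a value near 4 GB that is then handed to `buffer_assure_space()` and `iptrace_read_rec_data()`. The `- IPTRACE_1_0_PDATA_SIZE` subtraction just above has the same gap for every interface type; it predates this commit, but the line is being rewritten here. A guard before each subtraction, for example `if (packet_size < 3) { *err = WTAP_ERR_BAD_RECORD; return FALSE; }`, would make a truncated or malformed capture fail as a clean read error. The iptrace_read_2_0 hunk has the same two subtractions, and the function body continues past the end of this hunk.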
+ */ + if (!iptrace_read_rec_data(wth->random_fh, fddi_padding, 3, err)) + return FALSE; /* Read error */ + } + /* Get the packet data */ if (!iptrace_read_rec_data(wth->random_fh, pd, packet_size, err)) return FALSE; /* Get the ATM pseudo-header, if this is ATM traffic. */ ! if (pkt_encap == WTAP_ENCAP_ATM_SNIFFER) get_atm_pseudo_header(pd, packet_size, pseudo_header, header); return TRUE; *************** *** 201,207 **** * iptrace 2.0 * ***********************************************************/ ! /* iptrace 2.0, discovered through inspection */ typedef struct { /* 0-3 */ guint32 pkt_length; /* packet length + 32 */ /* 4-7 */ guint32 tv_sec0; /* time stamp, seconds since the Epoch */ --- 263,286 ---- * iptrace 2.0 * ***********************************************************/ ! /* ! * iptrace 2.0, discovered through inspection ! * ! * Packet record contains: ! * ! * an initial header, with a length field and a time stamp, in ! * seconds since the Epoch; ! * ! * data, with the specified length. ! * ! * The data contains: ! * ! * a bunch of information about the packet; ! * ! * padding, at least for FDDI; ! * ! * the raw packet data. ! */ typedef struct { /* 0-3 */ guint32 pkt_length; /* packet length + 32 */ /* 4-7 */ guint32 tv_sec0; /* time stamp, seconds since the Epoch */ *************** *** 215,240 **** /* 36-39 */ guint32 tv_nsec; /* nanoseconds since that second */ } iptrace_2_0_phdr; /* Read the next packet */ static gboolean iptrace_read_2_0(wtap *wth, int *err, long *data_offset) { int ret; guint32 packet_size; ! guint8 header[40]; guint8 *data_ptr; iptrace_2_0_phdr pkt_hdr; /* Read the descriptor data */ *data_offset = wth->data_offset; ! ret = iptrace_read_rec_header(wth->fh, header, 40, err); if (ret <= 0) { /* Read error or EOF */ return FALSE; } ! wth->data_offset += 40; /* Read the packet data */ ! 
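Review bot: The FDDI padding length is a bare `3` repeated in all four functions: in `char fddi_padding[3]`, in the count passed to `iptrace_read_rec_data()`, and in the sequential readers' `packet_size -= 3` and `wth->data_offset += 3`. A single constant next to the size macros, `#define IPTRACE_FDDI_PADDING 3 /* bytes AIX puts in front of FDDI frames */`, used with `sizeof fddi_padding` for the read count, would keep the buffer size and the read length from drifting apart. In this seek-read function the `packet_size` bytes read after the padding use a value declared outside the hunk, so it presumably relies on the sequential reader having recorded the already-reduced length. A comment such as `/* packet_size excludes the 3 padding bytes; see iptrace_read_1_0 */` would make that dependency explicit. The same applies to the iptrace 2.0 seek-read hunk.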
packet_size = pntohl(&header[0]) - 32; buffer_assure_space( wth->frame_buffer, packet_size ); data_ptr = buffer_start_ptr( wth->frame_buffer ); if (!iptrace_read_rec_data(wth->fh, data_ptr, packet_size, err)) --- 294,352 ---- /* 36-39 */ guint32 tv_nsec; /* nanoseconds since that second */ } iptrace_2_0_phdr; + #define IPTRACE_2_0_PHDR_SIZE 40 /* initial header plus packet data */ + #define IPTRACE_2_0_PDATA_SIZE 32 /* packet data */ + /* Read the next packet */ static gboolean iptrace_read_2_0(wtap *wth, int *err, long *data_offset) { int ret; guint32 packet_size; ! guint8 header[IPTRACE_2_0_PHDR_SIZE]; guint8 *data_ptr; iptrace_2_0_phdr pkt_hdr; + char fddi_padding[3]; /* Read the descriptor data */ *data_offset = wth->data_offset; ! ret = iptrace_read_rec_header(wth->fh, header, IPTRACE_2_0_PHDR_SIZE, ! err); if (ret <= 0) { /* Read error or EOF */ return FALSE; } ! wth->data_offset += IPTRACE_2_0_PHDR_SIZE; ! ! /* ! * Byte 28 of the frame header appears to be a BSD-style IFT_xxx ! * value giving the type of the interface. Check out the ! * <net/if_types.h> header file. ! */ ! pkt_hdr.if_type = header[28]; ! wth->phdr.pkt_encap = wtap_encap_ift(pkt_hdr.if_type); /* Read the packet data */ ! packet_size = pntohl(&header[0]) - IPTRACE_2_0_PDATA_SIZE; ! ! /* ! * AIX appears to put 3 bytes of padding in front of FDDI ! * frames; strip that crap off. ! */ ! if (wth->phdr.pkt_encap == WTAP_ENCAP_FDDI_BITSWAPPED) { ! /* ! * The packet size is really a record size and includes ! * the padding. ! */ ! packet_size -= 3; ! wth->data_offset += 3; ! ! /* ! * Read the padding. ! */ ! if (!iptrace_read_rec_data(wth->fh, fddi_padding, 3, err)) ! return FALSE; /* Read error */ ! } ! 
buffer_assure_space( wth->frame_buffer, packet_size ); data_ptr = buffer_start_ptr( wth->frame_buffer ); if (!iptrace_read_rec_data(wth->fh, data_ptr, packet_size, err)) *************** *** 250,263 **** wth->phdr.ts.tv_sec = pntohl(&header[32]); wth->phdr.ts.tv_usec = pntohl(&header[36]) / 1000; - /* - * Byte 28 of the frame header appears to be a BSD-style IFT_xxx - * value giving the type of the interface. Check out the - * <net/if_types.h> header file. - */ - pkt_hdr.if_type = header[28]; - wth->phdr.pkt_encap = wtap_encap_ift(pkt_hdr.if_type); - if (wth->phdr.pkt_encap == WTAP_ENCAP_UNKNOWN) { g_message("iptrace: interface type IFT=0x%02x unknown or unsupported", pkt_hdr.if_type); --- 362,367 ---- *************** *** 291,303 **** int *err) { int ret; ! guint8 header[40]; if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1) return FALSE; /* Read the descriptor data */ ! ret = iptrace_read_rec_header(wth->random_fh, header, 40, err); if (ret <= 0) { /* Read error or EOF */ if (ret == 0) { --- 395,410 ---- int *err) { int ret; ! guint8 header[IPTRACE_2_0_PHDR_SIZE]; ! int pkt_encap; ! char fddi_padding[3]; if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1) return FALSE; /* Read the descriptor data */ ! ret = iptrace_read_rec_header(wth->random_fh, header, ! IPTRACE_2_0_PHDR_SIZE, err); if (ret <= 0) { /* Read error or EOF */ if (ret == 0) { *************** *** 307,318 **** return FALSE; } /* Get the packet data */ if (!iptrace_read_rec_data(wth->random_fh, pd, packet_size, err)) return FALSE; /* Get the ATM pseudo-header, if this is ATM traffic. */ ! if (wtap_encap_ift(header[28]) == WTAP_ENCAP_ATM_SNIFFER) get_atm_pseudo_header(pd, packet_size, pseudo_header, header); return TRUE; --- 414,442 ---- return FALSE; } + /* + * Get the interface type. + */ + pkt_encap = wtap_encap_ift(header[28]); + + /* + * AIX appears to put 3 bytes of padding in front of FDDI + * frames; strip that crap off. 
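Review bot: The comments on the new size macros use "packet data" for the per-packet information block, whereas the block comment added above the struct uses "the raw packet data" for the captured frame, so `IPTRACE_2_0_PDATA_SIZE 32 /* packet data */` reads as if it were the frame size. I would word them `/* initial header plus per-packet information */` and `/* per-packet information, counted in pkt_length */`, which matches the struct field comment `packet length + 32`. The same wording applies to `IPTRACE_1_0_PHDR_SIZE` and `IPTRACE_1_0_PDATA_SIZE` in the iptrace 1.0 hunk.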
+ */ + if (pkt_encap == WTAP_ENCAP_FDDI_BITSWAPPED) { + /* + * Read the padding. + */ + if (!iptrace_read_rec_data(wth->random_fh, fddi_padding, 3, err)) + return FALSE; /* Read error */ + } + /* Get the packet data */ if (!iptrace_read_rec_data(wth->random_fh, pd, packet_size, err)) return FALSE; /* Get the ATM pseudo-header, if this is ATM traffic. */ ! if (pkt_encap == WTAP_ENCAP_ATM_SNIFFER) get_atm_pseudo_header(pd, packet_size, pseudo_header, header); return TRUE;