Ethereal-dev: Re: [Ethereal-dev] aix fddi tcpdump tracefile

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Sat, 16 Nov 2002 12:23:43 -0800

On Fri, Nov 15, 2002 at 09:39:40PM +0100, J.Smith wrote:
> I am having some troubles with displaying an AIX 4.3.3 'tcpdump' format fddi
> capture in Ethereal.

The troubles were exactly what I suspected they were.  I've checked in a
fix, which strips off the 3 padding bytes; I've attached a patch that
contains the fix.

> Although Ethereal can read the captures, the data does
> not get displayed correctly, and gets interpreted as 'void frame'. I am not
> sure if this is because the 'AIX-tcpdump' file-format is different from the
> 'standard-tcpdump' file-format, or if Ethereal is just not able to interpret
> tcpdump FDDI captures correctly yet.

It's not really either one.  The file format differences are:

	1) they don't use DLT_ values in the file header to indicate
	   link-layer types (we work around that);

	2) they store time stamps in seconds/nanoseconds rather than
	   seconds/microseconds form (we work around that);

but the problem is that

	3) in the packet payload (which I don't consider part of the
	   file format, in the strict sense) they put in padding.

Ethereal has no trouble with normal tcpdump FDDI captures.

Index: wiretap/libpcap.c
===================================================================
RCS file: /usr/local/cvsroot/ethereal/wiretap/libpcap.c,v
retrieving revision 1.83
diff -c -r1.83 wiretap/libpcap.c
*** wiretap/libpcap.c	22 Oct 2002 09:11:13 -0000	1.83
--- wiretap/libpcap.c	16 Nov 2002 20:18:59 -0000
***************
*** 843,848 ****
--- 843,849 ----
  	guint packet_size;
  	guint orig_size;
  	int bytes_read;
+ 	char fddi_padding[3];
  
  	bytes_read = libpcap_read_header(wth, err, &hdr, FALSE);
  	if (bytes_read == -1) {
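Review bot: the `char fddi_padding[3];` declaration hard-codes the pad length as a bare literal, and the size adjustments and the read later in this function have to use the same value. A named constant used as the array size and at each of those sites would keep the buffer and the read length from drifting apart. The buffer is only a discard target, so a one-line comment at the declaration saying so would help the next reader.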
***************
*** 855,860 ****
--- 856,883 ----
  	wth->data_offset += bytes_read;
  	packet_size = hdr.hdr.incl_len;
  	orig_size = hdr.hdr.orig_len;
+ 
+ 	/*
+ 	 * AIX appears to put 3 bytes of padding in front of FDDI
+ 	 * frames; strip that crap off.
+ 	 */
+ 	if (wth->file_type == WTAP_FILE_PCAP_AIX &&
+ 	    (wth->file_encap == WTAP_ENCAP_FDDI ||
+ 	     wth->file_encap == WTAP_ENCAP_FDDI_BITSWAPPED)) {
+ 		/*
+ 		 * The packet size is really a record size and includes
+ 		 * the padding.
+ 		 */
+ 		packet_size -= 3;
+ 		orig_size -= 3;
+ 		wth->data_offset += 3;
+ 
+ 		/*
+ 		 * Read the padding.
+ 		 */
+ 		if (!libpcap_read_rec_data(wth->fh, fddi_padding, 3, err))
+ 			return FALSE;	/* Read error */
+ 	}
  
  	*data_offset = wth->data_offset;
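Review bot: `packet_size -= 3;` and `orig_size -= 3;` have no lower-bound check, and both variables are `guint`, so a record whose `incl_len` or `orig_len` is below 3 wraps to a value near the top of the unsigned range instead of being rejected. Nothing in the visible lines validates the lengths between the assignment from `hdr.hdr` and the subtraction, and capture files are untrusted input, so test `packet_size < 3` (and likewise `orig_size`) first and fail the read as a malformed record with an error reported through `err`. Separately, `wth->data_offset += 3;` runs before `libpcap_read_rec_data()` is known to have succeeded; moving it after the read keeps the offset accurate when the read fails.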