Ethereal-dev: RE: [ethereal-dev] wiretap request - if it's not too much trouble

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Eichert, Diana" <deicher@xxxxxxxxxx>
Date: Thu, 9 Dec 1999 15:03:29 -0700
I applied this patch (changed major/minor to 2/.00), saved the capture as
sniffer file, moved over to my EnTee box, opened in SnifferPro.

it works

there was x, rtp, snmp, dns, arp, sap, bpdu, icmp, pmap
in the few seconds that I captured

there was alot of ip traffic using at tcp port 6004, which i knew was a VNC
server, anyone familiar with VNC?

one request, is there anyway to get the absolute time stamps correct in the
sniffer file, all dates were set to:
12/03/1979  07:07:05 PM

thanks

diana



-----Original Message-----
From: Olivier Abad [mailto:abad@xxxxxxxxxxxxx]
Sent: December 09, 1999 3:40 AM
To: Eichert, Diana; ethereal-dev@xxxxxxxx
Cc: 'Guy Harris'
Subject: Re: [ethereal-dev] wiretap request - if it's not too much
trouble


On Wed, Dec 08, 1999 at 04:46:57PM -0700, Eichert, Diana wrote:
> I've got SnifferPro here, so i'd be interested in looking at it.
> 
> BTW, I am one of the people that requested this ability, thanks for the
> work.
> 
> diana eichert

Here is the patch. It doesn't include ATM support, and was tested only
with X.25 captures.
I used 4.40 as the version in the REC_VERS record. It is the version of
my DOS based sniffer, but it doesn't seem to work.
I noticed two records between the REC_VERS and the first REC_FRAME2 in
the files written by my sniffer. However, these record types (07 and 06)
are not documented.

Olivier

diff -Nru ethereal/wiretap/file.c ethereal.sniff/wiretap/file.c
--- ethereal/wiretap/file.c	Mon Dec  6 10:05:16 1999
+++ ethereal.sniff/wiretap/file.c	Thu Dec  9 11:03:25 1999
@@ -199,8 +199,8 @@
 	  NULL, NULL },
 
 	/* WTAP_FILE_NGSNIFFER */
-	{ "Network Associates Sniffer (DOS-based)", NULL,
-	  NULL, NULL },
+	{ "Network Associates Sniffer (DOS-based)", "ngsniffer",
+	  ngsniffer_dump_can_write_encap, ngsniffer_dump_open },
 
 	/* WTAP_FILE_SNOOP */
 	{ "Sun snoop", "snoop",
diff -Nru ethereal/wiretap/ngsniffer.c ethereal.sniff/wiretap/ngsniffer.c
--- ethereal/wiretap/ngsniffer.c	Mon Nov 29 09:00:58 1999
+++ ethereal.sniff/wiretap/ngsniffer.c	Thu Dec  9 11:03:18 1999
@@ -62,6 +62,7 @@
 #include <stdlib.h>
 #include <errno.h>
 #include <time.h>
+#include <string.h>
 #include "wtap.h"
 #include "file.h"
 #include "buffer.h"
@@ -240,6 +241,9 @@
 static double Usec[] = { 15.0, 0.838096, 15.0, 0.5, 2.0, 1.0, 0.1 };
 
 static int ngsniffer_read(wtap *wth, int *err);
+static gboolean ngsniffer_dump(wtap_dumper *wdh, const struct wtap_pkthdr
*phdr,
+	const u_char *pd, int *err);
+static gboolean ngsniffer_dump_close(wtap_dumper *wdh, int *err);
 
 int ngsniffer_open(wtap *wth, int *err)
 {
@@ -627,4 +631,173 @@
 			*1.0e6);
 	wth->phdr.pkt_encap = wth->file_encap;
 	return data_offset;
+}
+
+static const int wtap_encap[] = {
+    -1,		/* WTAP_ENCAP_UNKNOWN -> unsupported */
+    1,		/* WTAP_ENCAP_ETHERNET */
+    0,		/* WTAP_ENCAP_TR */
+    -1,		/* WTAP_ENCAP_SLIP -> unsupported */
+    7,		/* WTAP_ENCAP_PPP -> Internetwork analyzer (synchronous)
FIXME ! */
+    -1,		/* WTAP_ENCAP_FDDI -> unsupported */
+    9,		/* WTAP_ENCAP_FDDI_BITSWAPPED */
+    -1,		/* WTAP_ENCAP_RAW_IP -> unsupported */
+    2,		/* WTAP_ENCAP_ARCNET */
+    -1,		/* WTAP_ENCAP_ATM_RFC1483 */
+    -1,		/* WTAP_ENCAP_LINUX_ATM_CLIP */
+    7,		/* WTAP_ENCAP_LAPB -> Internetwork analyzer (synchronous) */
+    -1,		/* WTAP_ENCAP_ATM_SNIFFER */
+    -1		/* WTAP_ENCAP_NULL -> unsupported */
+};
+#define NUM_WTAP_ENCAPS (sizeof wtap_encap / sizeof wtap_encap[0])
+
+/* Returns 0 if we could write the specified encapsulation type,
+   an error indication otherwise. */
+int ngsniffer_dump_can_write_encap(int filetype, int encap)
+{
+    /* Per-packet encapsulations aren't supported. */
+    if (encap == WTAP_ENCAP_PER_PACKET)
+	return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
+
+    if (encap < 0 || encap >= NUM_WTAP_ENCAPS || wtap_encap[encap] == -1)
+	return WTAP_ERR_UNSUPPORTED_ENCAP;
+
+    return 0;
+}
+
+/* Returns TRUE on success, FALSE on failure; sets "*err" to an error code
on
+   failure */
+gboolean ngsniffer_dump_open(wtap_dumper *wdh, int *err)
+{
+    struct vers_rec version;
+    int nwritten;
+    char buf[6] = {0x01, 0x00, 0x12, 0x00, 0x00, 0x00}; /* version record
*/
+    gint16 maj_vers, min_vers;
+
+    /* This is a sniffer file */
+    wdh->subtype_write = ngsniffer_dump;
+    wdh->subtype_close = ngsniffer_dump_close;
+
+    /* Write the file header. */
+    nwritten = fwrite("TRSNIFF data    \x1a", 1, 17, wdh->fh);
+    if (nwritten != 17) {
+	if (nwritten < 0)
+	    *err = errno;
+	else
+	    *err = WTAP_ERR_SHORT_WRITE;
+	return FALSE;
+    }
+    nwritten = fwrite(buf, 1, 6, wdh->fh);
+    if (nwritten != 6) {
+	if (nwritten < 0)
+	    *err = errno;
+	else
+	    *err = WTAP_ERR_SHORT_WRITE;
+	return FALSE;
+    }
+
+    /* "sniffer" version ? */
+    maj_vers = 4;
+    min_vers = 40;
+    version.maj_vers = pletohs(&maj_vers);
+    version.min_vers = pletohs(&min_vers);
+    version.time = 0;
+    version.date = 0;
+    version.type = 4;
+    version.network = wtap_encap[wdh->encap];
+    version.format = 1;
+    version.timeunit = 1; /* 0.838096 */
+    version.cmprs_vers = 0;
+    version.cmprs_level = 0;
+    version.rsvd[0] = 0;
+    version.rsvd[1] = 0;
+    nwritten = fwrite(&version, 1, sizeof version, wdh->fh);
+    if (nwritten != sizeof version) {
+	if (nwritten < 0)
+	    *err = errno;
+	else
+	    *err = WTAP_ERR_SHORT_WRITE;
+	return FALSE;
+    }
+
+    return TRUE;
+}
+
+/* Write a record for a packet to a dump file.
+   Returns TRUE on success, FALSE on failure. */
+static gboolean ngsniffer_dump(wtap_dumper *wdh, const struct wtap_pkthdr
*phdr,
+    const u_char *pd, int *err)
+{
+    struct frame2_rec rec_hdr;
+    int nwritten;
+    char buf[6];
+    double t;
+    guint16 t_low, t_med, t_high;
+
+    buf[0] = 0x04;
+    buf[1] = 0x00;
+    buf[2] = (char)((phdr->caplen + sizeof(struct frame2_rec))%256);
+    buf[3] = (char)((phdr->caplen + sizeof(struct frame2_rec))/256);
+    buf[4] = 0x00;
+    buf[5] = 0x00;
+    nwritten = fwrite(buf, 1, 6, wdh->fh);
+    if (nwritten != 6) {
+	if (nwritten < 0)
+	    *err = errno;
+	else
+	    *err = WTAP_ERR_SHORT_WRITE;
+	return FALSE;
+    }
+    t = (double)phdr->ts.tv_sec + (double)phdr->ts.tv_usec/1.0e6;
+    t = t * (1.0e6 / Usec[1]); /* timeunit = 1 */
+    t_low = (guint16)(t-(double)((guint32)(t/65536.0))*65536.0);
+    t_med = (guint16)((guint32)(t/65536.0) % 65536);
+    t_high = (guint16)((guint32)(t/4294967296.0));
+    rec_hdr.time_low = pletohs(&t_low);
+    rec_hdr.time_med = pletohs(&t_med);
+    rec_hdr.time_high = pletohs(&t_high);
+    rec_hdr.size = pletohs(&phdr->caplen);
+    if (wdh->encap == WTAP_ENCAP_LAPB || wdh->encap == WTAP_ENCAP_PPP)
+	rec_hdr.fs = phdr->pseudo_header.x25.flags & 0x80;
+    else
+	rec_hdr.fs = 0;
+    rec_hdr.flags = 0;
+    rec_hdr.true_size = phdr->len != phdr->caplen ? pletohs(&phdr->len) :
0;
+    rec_hdr.rsvd = 0;
+    nwritten = fwrite(&rec_hdr, 1, sizeof rec_hdr, wdh->fh);
+    if (nwritten != sizeof rec_hdr) {
+	if (nwritten < 0)
+	    *err = errno;
+	else
+	    *err = WTAP_ERR_SHORT_WRITE;
+	return FALSE;
+    }
+    nwritten = fwrite(pd, 1, phdr->caplen, wdh->fh);
+    if (nwritten != phdr->caplen) {
+	if (nwritten < 0)
+	    *err = errno;
+	else
+	    *err = WTAP_ERR_SHORT_WRITE;
+	return FALSE;
+    }
+    return TRUE;
+}
+
+/* Finish writing to a dump file.
+   Returns TRUE on success, FALSE on failure. */
+static gboolean ngsniffer_dump_close(wtap_dumper *wdh, int *err)
+{
+    /* EOF record */
+    char buf[6] = {0x03, 0x00, 0x00, 0x00, 0x00, 0x00};
+    int nwritten;
+
+    nwritten = fwrite(buf, 1, 6, wdh->fh);
+    if (nwritten != 6) {
+	if (nwritten < 0)
+	    *err = errno;
+	else
+	    *err = WTAP_ERR_SHORT_WRITE;
+	return FALSE;
+    }
+    return TRUE;
 }
diff -Nru ethereal/wiretap/ngsniffer.h ethereal.sniff/wiretap/ngsniffer.h
--- ethereal/wiretap/ngsniffer.h	Thu Aug 19 07:52:55 1999
+++ ethereal.sniff/wiretap/ngsniffer.h	Thu Dec  9 11:03:18 1999
@@ -22,3 +22,5 @@
  */
 
 int ngsniffer_open(wtap *wth, int *err);
+gboolean ngsniffer_dump_open(wtap_dumper *wdh, int *err);
+int ngsniffer_dump_can_write_encap(int filetype, int encap);


-- 
There are two kinds of egotists: 1) Those who admit it  2) The rest of us