Wireshark · Ethereal-dev: [Ethereal-dev] netxray.c patches

Ethereal-dev: [Ethereal-dev] netxray.c patches

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Bill Meier" <wmeier@xxxxxxxxxxx>

Date: Sun, 28 Aug 2005 17:00:48 -0500

Patches below are for netxray.c

1. Use the new (good work!) 'nanosec' precision only for gig pods;
2. Rework 'struct netxray_hdr' to make it (somewhat) easier
   to maintain and revise:
   a. Declare known hdr fields such as 'captype' instead
      of using offsets in 'xxx placeholder' fields.
   d. Define 'unknown' hdr fields using placeholder names
      based upon hex-offset in the netxray header record.
      (This isn't perfect, but I hope it will make things 
       more manageable).
3. Update hdr field info (based upon examination of various
   capture files):
   a. Define a hdr field which appears to be 'time-zone' 
      [offset in hours from UTC] for the machine doing
      the capture.
      (Maybe this field can eventually be used for Ethereal
       to display the (local) time as it was at the time
       of the capture).
   b. Describe certain hdr fields as being "file offsets"
      (altho the exact use is still unclear).

Comments are welcome.

Bill Meier


3c3
<  * $Id: netxray.c 15534 2005-08-25 21:29:54Z ulfl $
---
>  * $Id$
48a49
> #if 0
49a51
> /* See below for updated;                    */
68a71,120
> #endif
> 
> /* NetXRay file header (minus magic number).			*/
> /*								*/
> /* As field usages are identified, please revise as needed	*/
> /* Please do *not* use netxray_hdr xxx... names in the code	*/
> /* (Placeholder names for all 'unknown' fields are		*/
> /*   of form xxx_x<hex_hdr_offset>				*/
> /*   where <hex_hdr_offset> *includes* the magic number)	*/
> 
> struct netxray_hdr {
> 	char	version[8];	/* version number				*/
> 	guint32	start_time;	/* UNIX [UTC] time when capture started		*/
> 
> 	guint32	nframes;	/* number of packets				*/
> 	guint32	xxx_x14;	/* unknown [some kind of file offset]		*/
> 	guint32	start_offset;	/* offset of first packet in capture		*/
> 	guint32	end_offset;	/* offset after last packet in capture		*/
> 
> 	guint32 xxx_x20;	/* unknown [some kind of file offset]		*/
> 	guint32 xxx_x24;	/* unknown [unused ?]				*/
> 	guint32 xxx_x28;	/* unknown [some kind of file offset]		*/
> 	guint8	network;	/* datalink type				*/
> 	guint8	network_plus;	/* [See code]					*/
> 	guint8	xxx_x2E[2];	/* unknown					*/
> 
> 	guint8	timeunit;	/* encodes length of a tick			*/
> 	guint8	xxx_x31[3];	/* XXX - upper 3 bytes of timeunit ?		*/
> 	guint32	timelo;		/* lower 32 bits of capture start time stamp	*/
> 	guint32	timehi;		/* upper 32 bits of time capture start stamp	*/
> 	guint32 linespeed;	/* speed of network, in bits/second		*/
> 
> 	guint8	xxx_x40[12];	/* unknown [other stuff]			*/
> 	guint8	realtick[4];	/* in v2, means ???                     	*/
> 
> 	guint8	xxx_x50[4];	/* unknown [other stuff]			*/
> 	guint8	captype;	/* capture type					*/
> 	guint8  xxx_x55[3];	/* unknown [other stuff]			*/
> 	guint8  xxx_x58[4];	/* unknown [other stuff]			*/
> 	guint8  wan_hdlc_subsub_captype; /* WAN HDLC subsub_captype		*/
> 	guint8  xxx_x5D[3];	/* unknown [other stuff]			*/
> 
> 	guint8	xxx_x60[16];	/* unknown [other stuff]			*/
> 
> 	guint8  xxx_x70[14];    /* unknown [other stuff]			*/
> 	guint16 timezone_hrs;	/* timezone hours [at least for version 2...];	*/
> 				/*  positive values = west of UTC:		*/
> 				/*  e.g. +5 is American Eastern			*/
> };
> 
71c123
<  * Capture type, in xxc[4].
---
>  * Capture type, in hdr.captype.
74c126
<  * Etherneet captures, and some other Ethernet captures had a capture
---
>  * Ethernet captures, and some other Ethernet captures had a capture
274,279c326,331
< 		WTAP_ENCAP_ETHERNET,	/* WAN(PPP), but shaped like Ethernet */
< 		WTAP_ENCAP_UNKNOWN,	/* LocalTalk */
< 		WTAP_ENCAP_UNKNOWN,	/* "DIX" - should not occur */
< 		WTAP_ENCAP_UNKNOWN,	/* ARCNET raw */
< 		WTAP_ENCAP_UNKNOWN,	/* ARCNET 878.2 */
< 		WTAP_ENCAP_ATM_PDUS_UNTRUNCATED,	/* ATM */
---
> 		WTAP_ENCAP_ETHERNET,		/* WAN(PPP), but shaped like Ethernet */
> 		WTAP_ENCAP_UNKNOWN,		/* LocalTalk */
> 		WTAP_ENCAP_UNKNOWN,		/* "DIX" - should not occur */
> 		WTAP_ENCAP_UNKNOWN,		/* ARCNET raw */
> 		WTAP_ENCAP_UNKNOWN,		/* ARCNET 878.2 */
> 		WTAP_ENCAP_ATM_PDUS_UNTRUNCATED,/* ATM */
281,282c333,334
< 					/* Wireless WAN with radio information */
< 		WTAP_ENCAP_UNKNOWN	/* IrDA */
---
> 						/* Wireless WAN with radio information */
> 		WTAP_ENCAP_UNKNOWN		/* IrDA */
362c414
< 	switch (hdr.xxz[0]) {
---
> 	switch (hdr.network_plus) {
386c438
< 		    hdr.xxz[0]);
---
> 		    hdr.network_plus);
394c446
< 		    network_type, hdr.xxz[0]);
---
> 		    network_type, hdr.network_plus);
438c490
< 			switch (hdr.xxc[4]) {
---
> 			switch (hdr.captype) {
449c501
< 				wth->tsprecision = WTAP_FILE_TSPREC_NSEC;	/* XXX */
---
> 				wth->tsprecision = WTAP_FILE_TSPREC_USEC;	/* XXX */
483c535
< 				wth->tsprecision = WTAP_FILE_TSPREC_NSEC;	/* XXX */
---
> 				wth->tsprecision = WTAP_FILE_TSPREC_USEC;	/* XXX */
511c563
< 				    hdr.xxc[4], hdr.version);
---
> 				    hdr.captype, hdr.version);
521c573
< 				    hdr.timeunit, network_type, hdr.xxc[4],
---
> 				    hdr.timeunit, network_type, hdr.captype,
526c578
< 			wth->tsprecision = WTAP_FILE_TSPREC_NSEC;	/* XXX */
---
> 				wth->tsprecision = WTAP_FILE_TSPREC_USEC;	/* XXX */
544,545c596,597
< 		 * In version 2, it looks as if there's stuff in the "xxc"
< 		 * words of the file header to specify what particular
---
> 		 * In version 2, it looks as if there's stuff in the 
> 		 * file header to specify what particular
549c601
< 			switch (hdr.xxc[4]) {
---
> 			switch (hdr.captype) {
574a627
> 				 *  [XXX: xxc[46:47] appear to be Timezone]
584c637
< 				switch (hdr.xxc[12]) {
---
> 				switch (hdr.wan_hdlc_subsub_captype) {
594c647
< 					isdn_type = hdr.xxc[12];
---
> 					isdn_type = hdr.wan_hdlc_subsub_captype;
600c653
< 					   hdr.xxc[12]);
---
> 					   hdr.wan_hdlc_subsub_captype);
615c668
< 				   hdr.xxc[4]);
---
> 				   hdr.captype);
1627c1680
< 	file_hdr.xxc[4] = WAN_CAPTYPE_PPP;
---
> 	file_hdr.captype = WAN_CAPTYPE_PPP;
1631c1684
< 	file_hdr.xxc[4] = WAN_CAPTYPE_FRELAY;
---
> 	file_hdr.captype = WAN_CAPTYPE_FRELAY;
1635,1636c1688,1689
< 	file_hdr.xxc[4] = WAN_CAPTYPE_HDLC;
< 	file_hdr.xxc[12] = 0;
---
> 	file_hdr.captype = WAN_CAPTYPE_HDLC;
> 	file_hdr.wan_hdlc_subsub_captype = 0;
1640c1693
< 	file_hdr.xxc[4] = WAN_CAPTYPE_SDLC;
---
> 	file_hdr.captype = WAN_CAPTYPE_SDLC;
1644c1697
< 	file_hdr.xxc[4] = CAPTYPE_NDIS;
---
> 	file_hdr.captype = CAPTYPE_NDIS;

Follow-Ups:
- Re: [Ethereal-dev] netxray.c patches
  - From: Guy Harris
- Re: [Ethereal-dev] netxray.c patches
  - From: Kevin Johnson

Prev by Date: [Ethereal-dev] default tcp port
Next by Date: Re: [Ethereal-dev] netxray.c patches
Previous by thread: [Ethereal-dev] default tcp port
Next by thread: Re: [Ethereal-dev] netxray.c patches
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$