Ethereal-users: Re: [Ethereal-users] (no subject)
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Guy Harris <gharris@xxxxxxxxx>
Date: Sun, 07 May 2006 15:27:26 -0700
Tom Aubrey wrote:
Do you have a protocol disector for ATM AAL5?
Yes, but Ethereal has to know that a packet is an AAL5 packet in order to call it.
I used Pcap on a Nortel router to do the capture,
I.e., the Nortel router *itself* has a processor that can run libpcap-based applications? If so, what was the DLT_ value for the packets? If it was your own program that did the capture, it should've used DLT_SUNATM, with each packet's raw data ("raw data" in the sense of the data beginning with 0xaa 0xaa 0x03) preceded by a "struct sunatm_hdr" structure (see wiretap/libpcap.c), containing: flags = 0x02 (LLC multiplexed traffic) vpi = the VPI for the connection; vci = the VCI for the connection. That would then be readable by Ethereal. If it was captured by tcpdump supplied by Nortel as part of the router software, try compiling the attached program and running on the capture, and then having Ethereal read it; that should convert it to something Ethereal can read.
and then converted it to a .atc file.The packet contents start with the LLC snap header “aaaa03…” but I can’t get Ethereal to decode the packets.
How did you convert it? If it's .atc file - i.e., a DOS Sniffer file: the network type should be 10 (for ATM); each packet should begin with a FRAME4 record (record type 8); the record header should include a "struct frame4_rec" record header (see wiretap/ngsniffer.c), and the ATMSaveInfo structure in that header should have an AppTrafType value of 0x13 (for ATT_HL_LLCMX|ATT_AAL5, indicating that the packets are AAL5 packets containing LLC-multiplexed packets). But if you can convert it with the attached program, so much the better.
/* * Some structure definitions come from libpcap: * * Copyright (c) 1993, 1994, 1995, 1996, 1997 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the Computer Systems * Engineering Group at Lawrence Berkeley Laboratory. * 4. Neither the name of the University nor of the Laboratory may be used * to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include <stdio.h> #include <string.h> #include <errno.h> #include <arpa/inet.h> typedef unsigned int uint32; typedef int int32; typedef unsigned short uint16; typedef unsigned char uint8; struct pcap_file_header { uint32 magic; uint16 version_major; uint16 version_minor; int32 thiszone; /* gmt to local correction */ uint32 sigfigs; /* accuracy of timestamps */ uint32 snaplen; /* max length saved portion of each pkt */ uint32 linktype; /* data link type (LINKTYPE_*) */ }; #define TCPDUMP_MAGIC 0xa1b2c3d4 struct pcap_timeval { int32 tv_sec; /* seconds */ int32 tv_usec; /* microseconds */ }; struct pcap_sf_pkthdr { struct pcap_timeval ts; /* time stamp */ uint32 caplen; /* length of portion present */ uint32 len; /* length this packet (off wire) */ }; struct pcap_nokia_pkthdr { struct pcap_sf_pkthdr hdr; /* regular header */ uint8 extra[4]; /* extra stuff */ }; struct atm_phdr { uint8 flags; uint8 vpi; uint16 vci; }; #define SWAPLONG(y) \ ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) #define SWAPSHORT(y) \ ( (((y)&0xff)<<8) | ((uint16)((y)&0xff00)>>8) ) #define PKTLEN_MAX 65535 int main(int argc, char **argv) { FILE *in, *out; struct pcap_file_header hdr; size_t bytes_read; int byte_swapped; uint32 linktype; struct pcap_nokia_pkthdr pkthdr; uint32 len, caplen; struct atm_phdr atm_phdr; uint16 vci; uint8 buf[PKTLEN_MAX]; if (argc != 3) { fprintf(stderr, "Usage: denokify <infile> <outfile>\n"); return 1; }; in = fopen(argv[1], "r"); if (in == NULL) { fprintf(stderr, "denokify: Can't open %s: %s\n", argv[1], strerror(errno)); return 2; } if (fread(&hdr, sizeof hdr, 1, in) != 1) { if (ferror(in)) { fprintf(stderr, "denokify: Error reading %s: %s\n", argv[1], strerror(errno)); } else { fprintf(stderr, "denokify: File %s was cut short\n", argv[1]); } return 2; } if (hdr.magic == TCPDUMP_MAGIC) byte_swapped = 0; else if (hdr.magic == SWAPLONG(TCPDUMP_MAGIC)) byte_swapped = 1; else { fprintf(stderr, "denokify: File %s is not a libpcap file\n", argv[1]); return 2; } if (byte_swapped) hdr.linktype = SWAPLONG(hdr.linktype); switch (hdr.linktype) { case 1: linktype = 1; /* Ethernet (DLT_EN10MB) */ break; case 13: linktype = 123; /* SunATM (DLT_SUNATM) */ break; case 15: linktype = 104; /* Cisco HDLC (DLT_C_HDLC) */ break; default: fprintf(stderr, "denokify: File %s is not a Nokia ATM or Cisco HDLC capture file (type %u)\n", argv[1], hdr.linktype); return 2; } if (byte_swapped) hdr.linktype = SWAPLONG(linktype); else hdr.linktype = linktype; out = fopen(argv[2], "w"); if (out == NULL) { fprintf(stderr, "denokify: Can't create %s: %s\n", argv[2], strerror(errno)); return 2; } if (fwrite(&hdr, sizeof hdr, 1, out) != 1) { if (ferror(out)) { fprintf(stderr, "denokify: Error writing %s: %s\n", argv[2], strerror(errno)); } else { fprintf(stderr, "denokify: Short write on %s\n", argv[2]); } return 2; } while (fread(&pkthdr, sizeof pkthdr, 1, in) == 1) { if (byte_swapped) { caplen = SWAPLONG(pkthdr.hdr.caplen); len = SWAPLONG(pkthdr.hdr.len); } else { caplen = pkthdr.hdr.caplen; len = pkthdr.hdr.len; } if (len > PKTLEN_MAX || caplen > PKTLEN_MAX) { fprintf(stderr, "denokify: %s isn't a valid Nokia capture file\n", argv[1]); return 2; } if (fwrite(&pkthdr.hdr, sizeof pkthdr.hdr, 1, out) != 1) { if (ferror(out)) { fprintf(stderr, "denokify: Error writing %s: %s\n", argv[2], strerror(errno)); } else { fprintf(stderr, "denokify: Short write on %s\n", argv[2]); } return 2; } if (linktype == 123) { /* * Read the Nokia ATM header. */ if (caplen < 4 || len < 4) { /* * There *isn't* a pseudo-header, or * this isn't a Nokia file. */ fprintf(stderr, "denokify: %s isn't a valid Nokia ATM file\n", argv[1]); return 2; } bytes_read = fread(&atm_phdr, 1, sizeof atm_phdr, in); if (bytes_read == 0 && !ferror(in)) break; /* end of file */ if (bytes_read != sizeof atm_phdr) { if (ferror(in)) { fprintf(stderr, "denokify: Error reading %s: %s\n", argv[1], strerror(errno)); } else { fprintf(stderr, "denokify: File %s was cut short\n", argv[1]); } return 2; } caplen -= 4; len -= 4; } bytes_read = fread(buf, 1, caplen, in); if (bytes_read != caplen) { if (ferror(in)) { fprintf(stderr, "denokify: Error reading %s: %s\n", argv[1], strerror(errno)); } else { fprintf(stderr, "denokify: File %s was cut short\n", argv[1]); } return 2; } if (linktype == 123) { /* * Tranform the Nokia ATM header into a * SunATM ATM header. * * Try to guess the traffic type. */ atm_phdr.flags &= 0x7F; /* type is initially unknown */ vci = ntohs(atm_phdr.vci); if (atm_phdr.vpi == 0) { switch (vci) { case 5: atm_phdr.flags |= 0x06; /* Q.2931 */ break; case 16: atm_phdr.flags |= 0x05; /* ILMI */ break; } } if ((atm_phdr.flags & 0x7F) == 0) { if (caplen >= 3) { if (buf[0] == 0xaa && buf[1] == 0xaa && buf[2] == 0x03) { /* * Looks like a SNAP header; * assume it's LLC-multiplexed * RFC 1483. */ atm_phdr.flags |= 0x02; } else { /* * Assume it's LANE. */ atm_phdr.flags |= 0x01; } } } if (fwrite(&atm_phdr, sizeof atm_phdr, 1, out) != 1) { if (ferror(out)) { fprintf(stderr, "denokify: Error writing %s: %s\n", argv[2], strerror(errno)); } else { fprintf(stderr, "denokify: Short write on %s\n", argv[2]); } return 2; } } if (fwrite(buf, 1, caplen, out) != caplen) { if (ferror(out)) { fprintf(stderr, "denokify: Error writing %s: %s\n", argv[2], strerror(errno)); } else { fprintf(stderr, "denokify: Short write on %s\n", argv[2]); } return 2; } } if (fclose(out) == EOF) { fprintf(stderr, "denokify: Error writing %s: %s\n", argv[2], strerror(errno)); return 2; } return 0; }
- References:
- [Ethereal-users] (no subject)
- From: Tom Aubrey
- [Ethereal-users] (no subject)
- Prev by Date: Re: [Ethereal-users] YMSG Override
- Next by Date: [Ethereal-users] Ethereal on SSH
- Previous by thread: [Ethereal-users] (no subject)
- Next by thread: [Ethereal-users] (no subject)
- Index(es):