Add support for slightly modified libpcap file format with nanosecond resolution (currently supported by Ethereal only). Support for both read and write was added.

The file format stays the same as the common libpcap format, only the lower part of the timestamp field uses nanoseconds instead of microseconds.

This file format uses the libpcap magic number 0xa1b23c4d.

svn path=/trunk/; revision=15623

wiretap/file_access.c

@@ -373,6 +373,10 @@ static const struct file_type_info {
 	{ "AIX libpcap (tcpdump)", NULL,
 	  NULL, NULL },
 
+	/* WTAP_FILE_PCAP_NSEC */
+	{ "Nanosecond libpcap (Ethereal)", "nseclibpcap",
+	  libpcap_dump_can_write_encap, libpcap_dump_open },
+
 	/* WTAP_FILE_LANALYZER */
 	{ "Novell LANalyzer","lanalyzer",
 	  lanalyzer_dump_can_write_encap, lanalyzer_dump_open },

wiretap/libpcap.c

@@ -649,6 +649,23 @@ int libpcap_open(wtap *wth, int *err, gchar **err_info)
 		wth->tsprecision = WTAP_FILE_TSPREC_USEC;
 		break;
 
+	case PCAP_NSEC_MAGIC:
+		/* Host that wrote it has our byte order, and was running
+		   a program using either standard or ss990417 libpcap. */
+		byte_swapped = FALSE;
+		modified = FALSE;
+		wth->tsprecision = WTAP_FILE_TSPREC_NSEC;
+		break;
+
+	case PCAP_SWAPPED_NSEC_MAGIC:
+		/* Host that wrote it out has a byte order opposite to
+		   ours, and was running a program using either ss990915 
+		   or ss991029 libpcap. */
+		byte_swapped = TRUE;
+		modified = FALSE;
+		wth->tsprecision = WTAP_FILE_TSPREC_NSEC;
+		break;
+
 	default:
 		/* Not a "libpcap" type we know about. */
 		return 0;
@@ -904,7 +921,11 @@ int libpcap_open(wtap *wth, int *err, gchar **err_info)
 		 *
 		 * Try the standard format first.
 		 */
-		wth->file_type = WTAP_FILE_PCAP;
+		if(wth->tsprecision == WTAP_FILE_TSPREC_NSEC) {
+			wth->file_type = WTAP_FILE_PCAP_NSEC;
+		} else {
+			wth->file_type = WTAP_FILE_PCAP;
+		}
 		switch (libpcap_try(wth, err)) {
 
 		case BAD_READ:
@@ -1273,7 +1294,11 @@ static gboolean libpcap_read(wtap *wth, int *err, gchar **err_info,
 	wth->data_offset += packet_size;
 
 	wth->phdr.ts.secs = hdr.hdr.ts_sec;
-	wth->phdr.ts.nsecs = hdr.hdr.ts_usec * 1000;
+	if(wth->tsprecision == WTAP_FILE_TSPREC_NSEC) {
+		wth->phdr.ts.nsecs = hdr.hdr.ts_usec;
+	} else {
+		wth->phdr.ts.nsecs = hdr.hdr.ts_usec * 1000;
+	}
 	wth->phdr.caplen = packet_size;
 	wth->phdr.len = orig_size;
 
@@ -1416,6 +1441,7 @@ static int libpcap_read_header(wtap *wth, int *err, gchar **err_info,
 
 	case WTAP_FILE_PCAP:
 	case WTAP_FILE_PCAP_AIX:
+	case WTAP_FILE_PCAP_NSEC:
 		bytes_to_read = sizeof (struct pcaprec_hdr);
 		break;
 
@@ -1944,11 +1970,18 @@ gboolean libpcap_dump_open(wtap_dumper *wdh, gboolean cant_seek _U_, int *err)
 	case WTAP_FILE_PCAP_SS990417:	/* modified, but with the old magic, sigh */
 	case WTAP_FILE_PCAP_NOKIA:	/* Nokia libpcap of some sort */
 		magic = PCAP_MAGIC;
+		wdh->tsprecision = WTAP_FILE_TSPREC_USEC;
 		break;
 
 	case WTAP_FILE_PCAP_SS990915:	/* new magic, extra crap */
 	case WTAP_FILE_PCAP_SS991029:
 		magic = PCAP_MODIFIED_MAGIC;
+		wdh->tsprecision = WTAP_FILE_TSPREC_USEC;
+		break;
+
+	case WTAP_FILE_PCAP_NSEC:		/* same as WTAP_FILE_PCAP, but nsec precision */
+		magic = PCAP_NSEC_MAGIC;
+		wdh->tsprecision = WTAP_FILE_TSPREC_NSEC;
 		break;
 
 	default:
@@ -2023,12 +2056,17 @@ static gboolean libpcap_dump(wtap_dumper *wdh,
 		hdrsize = 0;
 
 	rec_hdr.hdr.ts_sec = phdr->ts.secs;
-	rec_hdr.hdr.ts_usec = phdr->ts.nsecs / 1000;
+	if(wdh->tsprecision == WTAP_FILE_TSPREC_NSEC) {
+		rec_hdr.hdr.ts_usec = phdr->ts.nsecs;
+	} else {
+		rec_hdr.hdr.ts_usec = phdr->ts.nsecs / 1000;
+	}
 	rec_hdr.hdr.incl_len = phdr->caplen + hdrsize;
 	rec_hdr.hdr.orig_len = phdr->len + hdrsize;
 	switch (wdh->file_type) {
 
 	case WTAP_FILE_PCAP:
+	case WTAP_FILE_PCAP_NSEC:
 		hdr_size = sizeof (struct pcaprec_hdr);
 		break;
 

wiretap/libpcap.h

@@ -37,11 +37,18 @@
 
 	http://ftp.sunet.se/pub/os/Linux/ip-routing/lbl-tools/
 
-   applied; PCAP_SWAPPED_MODIFIED_MAGIC is the byte-swapped version. */
+   applied; PCAP_SWAPPED_MODIFIED_MAGIC is the byte-swapped version. 
+
+   PCAP_NSEC_MAGIC is for Ulf Lamping's modified "libpcap" format,
+   which uses the same common file format as PCAP_MAGIC, but the 
+   timestamps are saved in nanosecond resolution instead of microseconds.
+   PCAP_SWAPPED_NSEC_MAGIC is a byte-swapped version of that. */
 #define	PCAP_MAGIC			0xa1b2c3d4
 #define	PCAP_SWAPPED_MAGIC		0xd4c3b2a1
 #define	PCAP_MODIFIED_MAGIC		0xa1b2cd34
 #define	PCAP_SWAPPED_MODIFIED_MAGIC	0x34cdb2a1
+#define	PCAP_NSEC_MAGIC			0xa1b23c4d
+#define	PCAP_SWAPPED_NSEC_MAGIC		0x4d3cb2a1
 
 /* "libpcap" file header (minus magic number). */
 struct pcap_hdr {
@@ -56,7 +63,7 @@ struct pcap_hdr {
 /* "libpcap" record header. */
 struct pcaprec_hdr {
 	guint32	ts_sec;		/* timestamp seconds */
-	guint32	ts_usec;	/* timestamp microseconds */
+	guint32	ts_usec;	/* timestamp microseconds (nsecs for PCAP_NSEC_MAGIC) */
 	guint32	incl_len;	/* number of octets of packet saved in file */
 	guint32	orig_len;	/* actual length of packet */
 };

wiretap/wtap-int.h

@@ -242,6 +242,9 @@ struct wtap_dumper {
 
 	subtype_write_func	subtype_write;
 	subtype_close_func	subtype_close;
+
+	int			tsprecision;	/* timestamp precision of the lower 32bits
+							 * e.g. WTAP_FILE_TSPREC_USEC */
 };
 
 

wiretap/wtap.h

@@ -187,42 +187,43 @@
 #define WTAP_FILE_PCAP_SS991029			5
 #define WTAP_FILE_PCAP_NOKIA			6
 #define WTAP_FILE_PCAP_AIX			7
-#define WTAP_FILE_LANALYZER			8
-#define WTAP_FILE_NGSNIFFER_UNCOMPRESSED	9
-#define WTAP_FILE_NGSNIFFER_COMPRESSED		10
-#define WTAP_FILE_SNOOP				11
-#define WTAP_FILE_SHOMITI			12
-#define WTAP_FILE_IPTRACE_1_0			13
-#define WTAP_FILE_IPTRACE_2_0			14
-#define WTAP_FILE_NETMON_1_x			15
-#define WTAP_FILE_NETMON_2_x			16
-#define WTAP_FILE_NETXRAY_OLD			17
-#define WTAP_FILE_NETXRAY_1_0			18
-#define WTAP_FILE_NETXRAY_1_1			19
-#define WTAP_FILE_NETXRAY_2_00x			20
-#define WTAP_FILE_RADCOM			21
-#define WTAP_FILE_ASCEND			22
-#define WTAP_FILE_NETTL				23
-#define WTAP_FILE_TOSHIBA			24
-#define WTAP_FILE_I4BTRACE			25
-#define WTAP_FILE_CSIDS				26
-#define WTAP_FILE_PPPDUMP			27
-#define WTAP_FILE_ETHERPEEK_V56			28
-#define WTAP_FILE_ETHERPEEK_V7			29
-#define WTAP_FILE_VMS				30
-#define WTAP_FILE_DBS_ETHERWATCH		31
-#define WTAP_FILE_VISUAL_NETWORKS		32
-#define WTAP_FILE_COSINE			33
-#define WTAP_FILE_5VIEWS			34
-#define WTAP_FILE_ERF				35
-#define WTAP_FILE_HCIDUMP			36
-#define WTAP_FILE_NETWORK_INSTRUMENTS_V9	37
-#define WTAP_FILE_AIROPEEK_V9			38
-#define WTAP_FILE_EYESDN			39
-#define WTAP_FILE_K12				40
+#define WTAP_FILE_PCAP_NSEC			8
+#define WTAP_FILE_LANALYZER			9
+#define WTAP_FILE_NGSNIFFER_UNCOMPRESSED	10
+#define WTAP_FILE_NGSNIFFER_COMPRESSED		11
+#define WTAP_FILE_SNOOP				12
+#define WTAP_FILE_SHOMITI			13
+#define WTAP_FILE_IPTRACE_1_0			14
+#define WTAP_FILE_IPTRACE_2_0			15
+#define WTAP_FILE_NETMON_1_x			16
+#define WTAP_FILE_NETMON_2_x			17
+#define WTAP_FILE_NETXRAY_OLD			18
+#define WTAP_FILE_NETXRAY_1_0			19
+#define WTAP_FILE_NETXRAY_1_1			20
+#define WTAP_FILE_NETXRAY_2_00x			21
+#define WTAP_FILE_RADCOM			22
+#define WTAP_FILE_ASCEND			23
+#define WTAP_FILE_NETTL				24
+#define WTAP_FILE_TOSHIBA			25
+#define WTAP_FILE_I4BTRACE			26
+#define WTAP_FILE_CSIDS				27
+#define WTAP_FILE_PPPDUMP			28
+#define WTAP_FILE_ETHERPEEK_V56			29
+#define WTAP_FILE_ETHERPEEK_V7			30
+#define WTAP_FILE_VMS				31
+#define WTAP_FILE_DBS_ETHERWATCH		32
+#define WTAP_FILE_VISUAL_NETWORKS		33
+#define WTAP_FILE_COSINE			34
+#define WTAP_FILE_5VIEWS			35
+#define WTAP_FILE_ERF				36
+#define WTAP_FILE_HCIDUMP			37
+#define WTAP_FILE_NETWORK_INSTRUMENTS_V9	38
+#define WTAP_FILE_AIROPEEK_V9			39
+#define WTAP_FILE_EYESDN			40
+#define WTAP_FILE_K12				41
 
 /* last WTAP_FILE_ value + 1 */
-#define WTAP_NUM_FILE_TYPES			41
+#define WTAP_NUM_FILE_TYPES			42
 
 /* timestamp precision (currently only these values are supported) */
 #define WTAP_FILE_TSPREC_SEC		0