From 6910b84deb396cd81f6f7ca4e68dce3da67121f3 Mon Sep 17 00:00:00 2001
From: Guy Harris
Date: Tue, 6 Nov 2001 01:55:14 +0000
Subject: [PATCH] Add in some heuristics to try to detect AIX libpcap format.

(This works with one capture I've seen, but perhaps that was done with an old version of AIX, and newer versions use a minor version number, in the file, of 4. However, libpcap hasn't used a minor version of 2 for ages, so perhaps AIX hasn't updated their libpcap in ages, and aren't about to do so soon. If they do, let's hope they change the magic number. The capture file in question *does* have the capture length and real length in the old, pre-2.3, order, so it really looks as if it's an old version, rather than IBM trying to be "helpful" by using a different minor version number so that you can distinguish between normal libpcap and AIX libpcap formats.)

svn path=/trunk/; revision=4164
---
 wiretap/file.c | 6 ++++-
 wiretap/libpcap.c | 65 +++++++++++++++++++++++++++++++++++++++++++++--
 wiretap/wtap.h | 49 ++++++++++++++++++-----------------
 3 files changed, 93 insertions(+), 27 deletions(-)

diff --git a/wiretap/file.c b/wiretap/file.c
index ca0ee5b19a..6ba90083a2 100644
--- a/wiretap/file.c
+++ b/wiretap/file.c
@@ -1,6 +1,6 @@
 /* file.c
  *
- * $Id: file.c,v 1.72 2001/10/28 01:51:46 guy Exp $
+ * $Id: file.c,v 1.73 2001/11/06 01:55:14 guy Exp $
  *
  * Wiretap Library
  * Copyright (c) 1998 by Gilbert Ramirez
@@ -294,6 +294,10 @@ static const struct file_type_info {
 { "Nokia libpcap (tcpdump)", "nokialibpcap",
 libpcap_dump_can_write_encap, libpcap_dump_open },
 
+ /* WTAP_FILE_PCAP_AIX */
+ { "AIX libpcap (tcpdump)", NULL,
+ NULL, NULL },
+
 /* WTAP_FILE_LANALYZER */
 { "Novell LANalyzer", NULL,
 NULL, NULL },
diff --git a/wiretap/libpcap.c b/wiretap/libpcap.c
index a92787a9a9..a692ebe145 100644
--- a/wiretap/libpcap.c
+++ b/wiretap/libpcap.c
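Review bot: The new `{ "AIX libpcap (tcpdump)", NULL, NULL, NULL }` entry is tied to WTAP_FILE_PCAP_AIX only by its position in the table, and the same commit renumbers every later WTAP_FILE_* constant in wtap.h to keep the two in step; nothing in either file checks that they agree, so a future insertion made in one place but not the other would silently mislabel every later file type. Appending the new type after WTAP_FILE_DBS_ETHERWATCH (29) would have left the 23 existing values in wtap.h untouched and reduced that hunk to two lines. A comment on this table such as `/* Entries are indexed by WTAP_FILE_* value; keep this table and the #defines in wtap.h in the same order. */` would at least make the coupling visible. If any code persists or exchanges the numeric WTAP_FILE_* values it must be rebuilt, though whether any does is not visible from these hunks.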
@@ -1,6 +1,6 @@
 /* libpcap.c
  *
- * $Id: libpcap.c,v 1.53 2001/11/02 13:00:30 gram Exp $
+ * $Id: libpcap.c,v 1.54 2001/11/06 01:55:14 guy Exp $
  *
  * Wiretap Library
  * Copyright (c) 1998 by Gilbert Ramirez
@@ -375,6 +375,7 @@ int libpcap_open(wtap *wth, int *err)
 struct pcap_hdr hdr;
 gboolean byte_swapped;
 gboolean modified;
+ gboolean aix;
 int file_encap;
 
 /* Read in the number that should be at the start of a "libpcap" file */
@@ -450,6 +451,45 @@ int libpcap_open(wtap *wth, int *err)
 *err = WTAP_ERR_UNSUPPORTED;
 return -1;
 }
+
+ /*
+ * AIX's non-standard tcpdump uses a minor version number of 2.
+ * Unfortunately, older versions of libpcap might have used
+ * that as well.
+ *
+ * The AIX libpcap uses RFC 1573 ifType values rather than
+ * DLT_ values in the header; the ifType values for LAN devices
+ * are:
+ *
+ * Ethernet 6
+ * Token Ring 8
+ * FDDI 15
+ *
+ * which correspond to DLT_IEEE802 (used for Token Ring),
+ * DLT_SLIP, and DLT_SLIP_BSDOS, respectively. We shall
+ * assume that if the minor version number is 2, and
+ * the network type is 6, 8, or 15, that it's AIX libpcap.
+ */
+ aix = FALSE; /* assume it's not AIX */
+ if (hdr.version_major == 2 && hdr.version_minor == 2) {
+ switch (hdr.network) {
+
+ case 6:
+ hdr.network = 1; /* DLT_EN10MB, Ethernet */
+ aix = TRUE;
+ break;
+
+ case 8:
+ hdr.network = 6; /* DLT_IEEE802, Token Ring */
+ aix = TRUE;
+ break;
+
+ case 15:
+ hdr.network = 10; /* DLT_FDDI, FDDI */
+ aix = TRUE;
+ break;
+ }
+ }
 file_encap = wtap_pcap_encap_to_wtap_encap(hdr.network);
 if (file_encap == WTAP_ENCAP_UNKNOWN) {
 g_message("pcap: network type %u unknown or unsupported",
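Review bot: The `switch (hdr.network)` added in this hunk has no `default:` case, and the heuristic it implements knowingly accepts three values that are also legitimate DLT_ codes (DLT_IEEE802, DLT_SLIP, DLT_SLIP_BSDOS) in a genuine libpcap 2.2 file, so such a file is silently reinterpreted as Ethernet, Token Ring or FDDI and, per the adjust_header hunk below, has every timestamp divided by 1000. A `default: break; /* not an AIX ifType; leave hdr.network as a DLT_ value */` would satisfy the usual every-switch-has-a-default rule and document that falling through to the normal DLT_ mapping is intended. It is also worth noting at the `aix = TRUE;` sites that the decision rests on a single observed capture, as the commit message says, and that ambiguous files are resolved in favour of AIX, because the `file_encap` mapping that follows cannot undo a wrong remap of `hdr.network`. libpcap_open starts and ends outside this hunk.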
@@ -470,7 +510,18 @@ int libpcap_open(wtap *wth, int *err)
 wth->snapshot_length = hdr.snaplen;
 
 /*
- * Yes. Let's look at the header for the first record,
+ * Is this AIX format?
+ */
+ if (aix) {
+ /*
+ * Yes. Skip all the tests for other mutant formats.
+ */
+ wth->file_type = WTAP_FILE_PCAP_AIX;
+ return 1;
+ }
+
+ /*
+ * No. Let's look at the header for the first record,
  * and see if, interpreting it as a standard header (if the
  * magic number was standard) or a modified header (if the
  * magic number was modified), the position where it says the
@@ -501,6 +552,10 @@ int libpcap_open(wtap *wth, int *err)
  * Oh, and if it has the standard magic number, it might, instead,
  * be a Nokia libpcap file, so we may need to try that if
  * neither normal nor ss990417 headers work.
+ *
+ * XXX - have Nokia been kind enough to change the major or
+ * minor version number? If so, hopefully they didn't go
+ * with 2.2....
  */
 if (modified) {
 /*
@@ -762,6 +817,7 @@ static int libpcap_read_header(wtap *wth, int *err,
 switch (wth->file_type) {
 
 case WTAP_FILE_PCAP:
+ case WTAP_FILE_PCAP_AIX:
 bytes_to_read = sizeof (struct pcaprec_hdr);
 break;
 
@@ -841,6 +897,11 @@ adjust_header(wtap *wth, struct pcaprec_hdr *hdr)
 hdr->orig_len = BSWAP32(hdr->orig_len);
 }
 
+ /* If this is AIX, convert the time stamp from seconds/nanoseconds
+ to seconds/microseconds. */
+ if (wth->file_type == WTAP_FILE_PCAP_AIX)
+ hdr->ts_usec = hdr->ts_usec/1000;
+
 /* In file format version 2.3, the "incl_len" and "orig_len" fields were swapped, in order to match the BPF header layout.
diff --git a/wiretap/wtap.h b/wiretap/wtap.h
index 45b7b6532c..994c1389e4 100644
--- a/wiretap/wtap.h
+++ b/wiretap/wtap.h
@@ -1,6 +1,6 @@
 /* wtap.h
  *
- * $Id: wtap.h,v 1.92 2001/11/02 13:00:30 gram Exp $
+ * $Id: wtap.h,v 1.93 2001/11/06 01:55:14 guy Exp $
  *
  * Wiretap Library
  * Copyright (c) 1998 by Gilbert Ramirez
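Review bot: The early `return 1;` for the AIX case skips the first-record sanity check that every other libpcap variant goes through just below it, so a file that the version-2.2/ifType heuristic misclassifies is accepted without any look at its records; the check the surrounding comment describes (whether the first record's length field lands the next header where it claims) looks cheap enough to run for AIX too before committing to WTAP_FILE_PCAP_AIX, though I can only see part of that check here. If it genuinely cannot be applied because the AIX record layout differs, that reason belongs in the comment, e.g. `Yes. Skip the record-layout probes below; they assume the post-2.3 field order, which AIX files do not use.` libpcap_open starts and ends outside this hunk.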
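Review bot: `hdr->ts_usec = hdr->ts_usec/1000;` assumes the field holds nanoseconds but never checks it; a quotient of 1000000 or more is impossible for a well-formed AIX record and is the one cheap signal that the 2.2/ifType heuristic in libpcap_open misfired on an ordinary 2.2 file. adjust_header has no error path, so the check belongs in libpcap_read_header, which takes `int *err` and gains a `case WTAP_FILE_PCAP_AIX:` in the hunk above; it could reject the record there instead of passing a corrupted timestamp downstream. The expected range is also worth stating in the comment, e.g. `/* AIX stores seconds/nanoseconds; ts_usec < 1000000000 in a well-formed record. */`. adjust_header's body continues outside the hunk.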
@@ -113,31 +113,32 @@
 #define WTAP_FILE_PCAP_SS990915 4
 #define WTAP_FILE_PCAP_SS991029 5
 #define WTAP_FILE_PCAP_NOKIA 6
-#define WTAP_FILE_LANALYZER 7
-#define WTAP_FILE_NGSNIFFER_UNCOMPRESSED 8
-#define WTAP_FILE_NGSNIFFER_COMPRESSED 9
-#define WTAP_FILE_SNOOP 10
-#define WTAP_FILE_IPTRACE_1_0 11
-#define WTAP_FILE_IPTRACE_2_0 12
-#define WTAP_FILE_NETMON_1_x 13
-#define WTAP_FILE_NETMON_2_x 14
-#define WTAP_FILE_NETXRAY_1_0 15
-#define WTAP_FILE_NETXRAY_1_1 16
-#define WTAP_FILE_NETXRAY_2_00x 17
-#define WTAP_FILE_RADCOM 18
-#define WTAP_FILE_ASCEND 19
-#define WTAP_FILE_NETTL 20
-#define WTAP_FILE_TOSHIBA 21
-#define WTAP_FILE_I4BTRACE 22
-#define WTAP_FILE_CSIDS 23
-#define WTAP_FILE_PPPDUMP 24
-#define WTAP_FILE_ETHERPEEK_MAC_V56 25
-#define WTAP_FILE_ETHERPEEK_MAC_V7 26
-#define WTAP_FILE_VMS 27
-#define WTAP_FILE_DBS_ETHERWATCH 28
+#define WTAP_FILE_PCAP_AIX 7
+#define WTAP_FILE_LANALYZER 8
+#define WTAP_FILE_NGSNIFFER_UNCOMPRESSED 9
+#define WTAP_FILE_NGSNIFFER_COMPRESSED 10
+#define WTAP_FILE_SNOOP 11
+#define WTAP_FILE_IPTRACE_1_0 12
+#define WTAP_FILE_IPTRACE_2_0 13
+#define WTAP_FILE_NETMON_1_x 14
+#define WTAP_FILE_NETMON_2_x 15
+#define WTAP_FILE_NETXRAY_1_0 16
+#define WTAP_FILE_NETXRAY_1_1 17
+#define WTAP_FILE_NETXRAY_2_00x 18
+#define WTAP_FILE_RADCOM 19
+#define WTAP_FILE_ASCEND 20
+#define WTAP_FILE_NETTL 21
+#define WTAP_FILE_TOSHIBA 22
+#define WTAP_FILE_I4BTRACE 23
+#define WTAP_FILE_CSIDS 24
+#define WTAP_FILE_PPPDUMP 25
+#define WTAP_FILE_ETHERPEEK_MAC_V56 26
+#define WTAP_FILE_ETHERPEEK_MAC_V7 27
+#define WTAP_FILE_VMS 28
+#define WTAP_FILE_DBS_ETHERWATCH 29
 
 /* last WTAP_FILE_ value + 1 */
-#define WTAP_NUM_FILE_TYPES 29
+#define WTAP_NUM_FILE_TYPES 30
 
 /*
  * Maximum packet size we'll support.