From Network Instruments by Tom Brezinski When a Network Instruments wireless capture is decrypted a flag is set on the packet in the BFR file indicating that the packet is decrypted instead of modifying the protected flag in the frame control flags of the packet header. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7478

svn path=/trunk/; revision=43727

wiretap/network_instruments.c

@@ -106,7 +106,7 @@ static gboolean observer_seek_read(wtap *wth, gint64 seek_off,
     union wtap_pseudo_header *pseudo_header, guint8 *pd, int length,
     int *err, gchar **err_info);
 static int read_packet_header(FILE_T fh, union wtap_pseudo_header *pseudo_header, 
-    packet_entry_header *packet_header, int *err, gchar **err_info);
+    packet_entry_header *packet_header, gboolean *decrypted_wireless, int *err, gchar **err_info);
 static int read_packet_data(FILE_T fh, int offset_to_frame, int current_offset_from_packet_header,
     guint8 *pd, int length, int *err, char **err_info);
 static gboolean skip_to_next_packet(wtap *wth, int offset_to_next_packet,
@@ -265,6 +265,7 @@ int network_instruments_open(wtap *wth, int *err, gchar **err_info)
 static gboolean observer_read(wtap *wth, int *err, gchar **err_info,
     gint64 *data_offset)
 {
+	gboolean decrypted_wireless;
     int header_bytes_consumed;
     int data_bytes_consumed;
     packet_entry_header packet_header;
@@ -274,8 +275,8 @@ static gboolean observer_read(wtap *wth, int *err, gchar **err_info,
         *data_offset = file_tell(wth->fh);
 
         /* process the packet header, including TLVs */
-        header_bytes_consumed = read_packet_header(wth->fh, &wth->pseudo_header, &packet_header, err,
-            err_info);
+        header_bytes_consumed = read_packet_header(wth->fh, &wth->pseudo_header, &packet_header, &decrypted_wireless, 
+            err, err_info);
         if (header_bytes_consumed <= 0)
             return FALSE;    /* EOF or error */
 
@@ -356,6 +357,11 @@ static gboolean observer_read(wtap *wth, int *err, gchar **err_info,
         return FALSE;
     }
 
+	/* clear the protected flag in the wireless header if needed */
+	if (decrypted_wireless && data_bytes_consumed > 1) {
+		*(buffer_start_ptr(wth->frame_buffer)+1) = (*(buffer_start_ptr(wth->frame_buffer)+1) & 0xbf);
+	}
+
     /* skip over any extra bytes following the frame data */
     if (!skip_to_next_packet(wth, packet_header.offset_to_next_packet,
             header_bytes_consumed + data_bytes_consumed, err, err_info)) {
@@ -370,15 +376,17 @@ static gboolean observer_seek_read(wtap *wth, gint64 seek_off,
     union wtap_pseudo_header *pseudo_header, guint8 *pd, int length,
     int *err, gchar **err_info)
 {
+	gboolean decrypted_wireless;
     packet_entry_header packet_header;
     int offset;
+	int data_bytes_consumed;
 
     if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
         return FALSE;
 
     /* process the packet header, including TLVs */
-    offset = read_packet_header(wth->random_fh, pseudo_header, &packet_header, err,
-        err_info);
+    offset = read_packet_header(wth->random_fh, pseudo_header, &packet_header, &decrypted_wireless,
+		err, err_info);
     if (offset <= 0)
         return FALSE;    /* EOF or error */
 
@@ -395,16 +403,23 @@ static gboolean observer_seek_read(wtap *wth, gint64 seek_off,
     }
 
     /* read the frame data */
-    if (!read_packet_data(wth->random_fh, packet_header.offset_to_frame,
-        offset, pd, length, err, err_info))
+	data_bytes_consumed = read_packet_data(wth->random_fh, packet_header.offset_to_frame,
+        offset, pd, length, err, err_info);
+    if (data_bytes_consumed < 0) {
         return FALSE;
+    }
+
+	/* clear the protected flag in the wireless header if needed */
+	if (decrypted_wireless && data_bytes_consumed > 1) {
+		*(pd+1) = (*(pd+1) & 0xbf);
+	}
 
     return TRUE;
 }
 
 static int
 read_packet_header(FILE_T fh, union wtap_pseudo_header *pseudo_header, 
-    packet_entry_header *packet_header, int *err, gchar **err_info)
+    packet_entry_header *packet_header, gboolean *decrypted_wireless, int *err, gchar **err_info)
 {
     int offset;
     int bytes_read;
@@ -486,6 +501,8 @@ read_packet_header(FILE_T fh, union wtap_pseudo_header *pseudo_header,
             pseudo_header->ieee_802_11.channel = wireless_header.frequency;
             pseudo_header->ieee_802_11.data_rate = wireless_header.rate;
             pseudo_header->ieee_802_11.signal_level = wireless_header.strengthPercent;
+			/* set decryption status */
+			*decrypted_wireless = (wireless_header.conditions & WIRELESS_WEP_SUCCESS) > 0;
             offset += bytes_read;
             break;
         default:

wiretap/network_instruments.h

@@ -90,6 +90,11 @@ typedef struct tlv_wireless_info {
     guint8 reserved;
 } tlv_wireless_info;
 
+/*
+ * Wireless conditions
+ */
+#define WIRELESS_WEP_SUCCESS		0x80
+
 /*
  * TLV type values.
  */