Added the iptrace (AIX's packet-capture tool) file format to wiretap.

This necessitated a change in ethereal because iptrace supports multi-NIC
packet capturing, including multi-datalink-type capturing.

svn path=/trunk/; revision=145

file.c

@@ -1,7 +1,7 @@
 /* file.c
  * File I/O routines
  *
- * $Id: file.c,v 1.15 1998/12/29 04:05:35 gerald Exp $
+ * $Id: file.c,v 1.16 1999/01/02 06:10:52 gram Exp $
  *
  * Ethereal - Network traffic analyzer
  * By Gerald Combs <gerald@zing.org>
@@ -330,6 +330,7 @@ pcap_dispatch_cb(u_char *user, const struct pcap_pkthdr *phdr,
 #endif
   fdata->abs_secs  = phdr->ts.tv_sec;
   fdata->abs_usecs = phdr->ts.tv_usec;
+  fdata->lnk_t = phdr->pkt_encap;
 
   /* If we don't have the time stamp of the first packet, it's because this
      is the first packet.  Save the time stamp of this packet as the time

file.h

@@ -1,7 +1,7 @@
 /* file.h
  * Definitions for file structures and routines
  *
- * $Id: file.h,v 1.7 1998/11/17 04:28:47 gerald Exp $
+ * $Id: file.h,v 1.8 1999/01/02 06:10:53 gram Exp $
  *
  * Ethereal - Network traffic analyzer
  * By Gerald Combs <gerald@zing.org>
@@ -88,6 +88,7 @@ typedef struct _capture_file {
 
 /* Taken from RFC 1761 */
 
+#ifndef WITH_WIRETAP
 typedef struct _snoop_file_hdr {
   guint32 magic1;
   guint32 magic2;
@@ -103,6 +104,7 @@ typedef struct _snoop_frame_hdr {
   guint32 secs;
   guint32 usecs;
 } snoop_frame_hdr;
+#endif
 
 int  open_cap_file(char *, capture_file *);
 void close_cap_file(capture_file *, GtkWidget *, guint);

packet.c

@@ -1,7 +1,7 @@
 /* packet.c
  * Routines for packet disassembly
  *
- * $Id: packet.c,v 1.15 1998/12/29 04:05:36 gerald Exp $
+ * $Id: packet.c,v 1.16 1999/01/02 06:10:53 gram Exp $
  *
  * Ethereal - Network traffic analyzer
  * By Gerald Combs <gerald@zing.org>
@@ -310,6 +310,9 @@ dissect_packet(const u_char *pd, frame_data *fd, GtkTree *tree)
 	GtkWidget *fh_tree, *ti;
 	struct tm *tmp;
 	time_t then;
+#ifdef WITH_WIRETAP
+	guint32 lnk_t;
+#endif
 
 	/* Put in frame header information. */
 	if (check_col(fd, COL_ABS_TIME)) {
@@ -354,7 +357,14 @@ dissect_packet(const u_char *pd, frame_data *fd, GtkTree *tree)
 	}
 
 #ifdef WITH_WIRETAP
-	switch (cf.lnk_t) {
+	if (cf.lnk_t == WTAP_ENCAP_PER_PACKET) {
+		lnk_t = fd->lnk_t;
+	}
+	else {
+		lnk_t = cf.lnk_t;
+	}
+
+	switch (lnk_t) {
 		case WTAP_ENCAP_ETHERNET :
 			dissect_eth(pd, fd, tree);
 			break;

packet.h

@@ -1,7 +1,7 @@
 /* packet.h
  * Definitions for packet disassembly structures and routines
  *
- * $Id: packet.h,v 1.29 1998/12/29 04:05:36 gerald Exp $
+ * $Id: packet.h,v 1.30 1999/01/02 06:10:54 gram Exp $
  *
  * Ethereal - Network traffic analyzer
  * By Gerald Combs <gerald@zing.org>
@@ -79,6 +79,9 @@ typedef struct _frame_data {
   guint32      del_usecs; /* Delta microseconds */
   long         file_off;  /* File offset */
   column_info *cinfo;     /* Column formatting information */
+#ifdef WITH_WIRETAP
+  int		lnk_t;     /* Per-packet encapsulation/data-link type */
+#endif
 } frame_data;
 
 typedef struct _packet_info {

wiretap/ChangeLog

@@ -1,3 +1,5 @@
+January 1, 1999
+	Added iptrace file format.
 
 December 10, 1998
 	Proper timestamp calculations added to ngsniffer.c and lanalyzer.c

wiretap/Makefile.am

@@ -6,6 +6,7 @@ libwiretap_a_SOURCES = \
 	config.h		\
 	debug.h			\
 	file.c			\
+	iptrace.c		\
 	lanalyzer.c		\
 	lanalyzer.h		\
 	libpcap.c		\

wiretap/Makefile.in

@@ -74,6 +74,7 @@ libwiretap_a_SOURCES = \
 	config.h		\
 	debug.h			\
 	file.c			\
+	iptrace.c		\
 	lanalyzer.c		\
 	lanalyzer.h		\
 	libpcap.c		\
@@ -96,7 +97,7 @@ CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
 LIBS = @LIBS@
 libwiretap_a_LIBADD = 
-libwiretap_a_OBJECTS =  buffer.o file.o lanalyzer.o libpcap.o \
+libwiretap_a_OBJECTS =  buffer.o file.o iptrace.o lanalyzer.o libpcap.o \
 ngsniffer.o snoop.o wtap.o
 AR = ar
 CFLAGS = @CFLAGS@
@@ -111,8 +112,9 @@ DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
 
 TAR = tar
 GZIP = --best
-DEP_FILES =  .deps/buffer.P .deps/file.P .deps/lanalyzer.P \
-.deps/libpcap.P .deps/ngsniffer.P .deps/snoop.P .deps/wtap.P
+DEP_FILES =  .deps/buffer.P .deps/file.P .deps/iptrace.P \
+.deps/lanalyzer.P .deps/libpcap.P .deps/ngsniffer.P .deps/snoop.P \
+.deps/wtap.P
 SOURCES = $(libwiretap_a_SOURCES)
 OBJECTS = $(libwiretap_a_OBJECTS)
 

wiretap/README

@@ -1,4 +1,4 @@
-$Id: README,v 1.4 1998/11/21 05:08:39 gram Exp $
+$Id: README,v 1.5 1999/01/02 06:10:55 gram Exp $
 
 Wiretap is a library that is being developed as a future replacement for
 libpcap, the current standard Unix library for packet capturing. Libpcap is
@@ -27,6 +27,10 @@ LAN's firewall.
 5. I want to look into the possibility of compressing packet data when saved
 to a file, like Sniffer.
 
+6. The packet-filter can be optimized for the host OS. Not all OSes have BPF;
+SunOS has NIT and Solaris has DLPI, which both use the CMU/Stanford
+packet-filter psuedomachine. RMON has another type of packet-filter syntax
+which we could support.
 
 Currently, only #2 is available. Wiretap doesn't even do any filtering yet. It
 can only be used to read packet capture files.
@@ -42,23 +46,33 @@ using the "libpcap" library's code to read it.
 
 Sniffer (uncompressed)
 -------
-The Sniffer format, at least for Token-Ring, is documented in the
-Sniffer manual.  Unfortunately, Sniffer manuals tend to document only
-the format for the Sniffer model they document. Ethernet seems to work well,
-though. If you have an ATM Sniffer file, both Guy and I would be *very*
+The Sniffer format is documented in the Sniffer manual.  Unfortunately,
+Sniffer manuals tend to document only the format for the Sniffer model
+they document. Token-Ring and ethernet seems to work well, though.
+If you have an ATM Sniffer file, both Guy and I would be *very*
 interested in receiving a sample. (see 'AUTHORS' file for our e-mail
-addresses)
+addresses). When using LANE, the ATM Sniffer appears to record the emulated
+LAN information; that is, only the ethernet or token-ring information is
+stored in the trace file, not any information about ATM cells.
 
 LANalyzer
 ---------
 The LANalyzer format is available from http://www.novell.com. Search their
-knowledge base for "Trace File Format". The code in wiretap so far only dumps
-the packet data; I have yet to decode the timestamp for each packet. At least
-I have the format for this, so it will be supported soon.
+knowledge base for "Trace File Format". 
 
 "snoop"
 -------
 The Solaris 2.x "snoop" program's format is documented in RFC 1761.
 
+"iptrace"
+---------
+This is the capture program that comes with AIX 3.x and 4.x. It has an
+undocumented, yet very simple, file format. The interesting thing about
+iptrace is that it will record packets coming in from all network interfaces;
+a single iptrace file can contain multiple datalink types. I have tested
+iptrace on ethernet and token-ring; if you can provide an iptrace file with
+any other datalink type, I would appreciate a copy. (with the output from
+'ipreport' too, if possible).
+
 Gilbert Ramirez
 <gram@verdict.uthscsa.edu>

wiretap/file.c

@@ -1,6 +1,6 @@
 /* file.c
  *
- * $Id: file.c,v 1.4 1998/11/15 05:29:09 guy Exp $
+ * $Id: file.c,v 1.5 1999/01/02 06:10:55 gram Exp $
  *
  * Wiretap Library
  * Copyright (c) 1998 by Gilbert Ramirez <gram@verdict.uthscsa.edu>
@@ -29,6 +29,7 @@
 #include "ngsniffer.h"
 #include "libpcap.h"
 #include "snoop.h"
+#include "iptrace.h"
 
 /* The open_file_* routines should return the WTAP_FILE_* type
  * that they are checking for if the file is successfully recognized
@@ -65,6 +66,10 @@ wtap* wtap_open_offline(char *filename, int filetype)
 		if ((wth->file_type = snoop_open(wth)) != WTAP_FILE_UNKNOWN) {
 			goto success;
 		}
+		/* WTAP_FILE_IPTRACE */
+		if ((wth->file_type = iptrace_open(wth)) != WTAP_FILE_UNKNOWN) {
+			goto success;
+		}
 
 		printf("failed\n");
 		/* WTAP_FILE_UNKNOWN */
@@ -93,6 +98,11 @@ wtap* wtap_open_offline(char *filename, int filetype)
 				goto success;
 			}
 			break;
+		case WTAP_FILE_IPTRACE:
+			if ((wth->file_type = iptrace_open(wth)) != WTAP_FILE_UNKNOWN) {
+				goto success;
+			}
+			break;
 		default:
 			goto failure;
 	}

wiretap/wtap.h

@@ -1,6 +1,6 @@
 /* wtap.h
  *
- * $Id: wtap.h,v 1.8 1998/12/17 06:39:13 gram Exp $
+ * $Id: wtap.h,v 1.9 1999/01/02 06:10:55 gram Exp $
  *
  * Wiretap Library
  * Copyright (c) 1998 by Gilbert Ramirez <gram@verdict.uthscsa.edu>
@@ -32,6 +32,7 @@
 #define WTAP_ENCAP_RAW_IP			6
 #define WTAP_ENCAP_ARCNET			7
 #define WTAP_ENCAP_ATM_RFC1483			8
+#define WTAP_ENCAP_PER_PACKET			9
 
 /* File types that can be read by wiretap */
 #define WTAP_FILE_UNKNOWN			0
@@ -74,6 +75,7 @@ struct wtap_pkthdr {
 	struct timeval ts;
 	guint32	caplen;
 	guint32 len;
+	int pkt_encap;
 };
 
 typedef void (*wtap_handler)(u_char*, const struct wtap_pkthdr*,