REC_HEADER2 encapsulation type.
Modified skip_header_records to accept REC_HEADER3-REC_HEADER7.
These header records would cause file read error if the capture file was
compressed.
svn path=/trunk/; revision=2910
"Internetwork analyzer" capture, from Jeff Foster. (It's not a
replacement for the heuristics, as
1) at least one PPP capture doesn't have a type 7 record
and
2) LAPB/X.25 and LAPD/ISDN might both be "HDLC" captures and
we'd need to figure out how to tell them apart.)
svn path=/trunk/; revision=2902
version of libpcap; that's used on Linux for captures on the "any"
device (which captures from all interfaces simultaneously) and for
captures on devices whose link-layer type libpcap doesn't (yet) support
natively.
The spanning tree code, when checking for GV{M,R,...}P packets, must
first check whether the link-layer destination address is, in fact, an
Ethernet-style address; on Linux cooked captures, there *is* no
destination address, so it's of type AT_NONE, not AT_ETHER.
svn path=/trunk/; revision=2772
packet is too small to contain all the data that the frame header claims
was captured for the packet; treat that as a bad record, and return an
error.
svn path=/trunk/; revision=2711
in order to check whether to use ANSI C features such as "const".
GCC defines it as 1 even if extensions that render the implementation
non-conformant are enabled; Sun's C compiler (and, I think, other
AT&T-derived C compilers) define it as 0 if extensions that render
the implementation non-conformant are enabled; Microsoft Visual C++
6.0 doesn't define it at all if extensions that render the implementation
non-conformant are enabled.
We define it as 0 in "config.h.win32", so that those generated files will use
those features (and thus not get type warnings when compiled with
MSVC++).
svn path=/trunk/; revision=2698
just an EOF, it should set "*err" to 0. Fix up a bunch of read routines
for various capture file types to set "*err" appropriately.
svn path=/trunk/; revision=2667
Add in stuff for a bunch of libpcap formats either in libpcap 0.5.2 or
in the current CVS version; we don't implement all of them in
Ethereal/Wiretap (those are "#if 0"ed out), but we do implement the IEEE
802.11 stuff (which isn't yet in libpcap or tcpdump, but the CVS version
of libpcap *does* reserve 105 as the encapsulation type number for
802.11).
svn path=/trunk/; revision=2646
don't need to work around that.
The offset, for a given packet, at which "ascend_seek()" should start
searching for that packet's header must be computed separately from the
offset, for that packet, at which "ascend_seek()" should start searching
for the *next* packet - if the file is a "wdd" capture, and the packet
has a "Date:" header and a WD_DIALOUT_DISP header, the search for that
packet should start at the beginning of the "Date:" header, but the
search for the next packet should start after the WD_DIALOUT_DISP
header, as if we start it after the "Date:" header, the search will stop
at the packet's own WD_DIALOUT_DISP header, as a packet could have a
WD_DIALOUT_DISP header but no "Date:" header.
svn path=/trunk/; revision=2620
place call to" header (I presume this can happen if there was a call in
progress when the packet was sent or received); don't require the
Date: 01/12/1990. Time: 12:22:33
Cause an attempt to place call to 14082750382
to be present in every packet.
(Only the date on the first packet is used, and only if it's present in
the first packet; if the first packet doesn't have a date, we can't
easily go back and fix up the previous packets, *especially* in programs
such as Tethereal and editcap which make only one pass through the
capture.
We set the called number to a null string if that's the case; we could
assume, in the sequential pass, that it's the phone number from the last
call, and remember that for use when doing random access.)
svn path=/trunk/; revision=2617
is WTAP_ENCAP_LAPB *or* WTAP_ENCAP_V120, and we have to set "p2p.sent"
in the capture file for *all* WTAP_ENCAP_LAPD captures; fix the
i4btrace and Sniffer capture file readers to do so.
(XXX - should we eliminate "x25.flags", and use "p2p.sent" instead? The
directions for X.25 are DTE->DCE and DCE->DTE, not "sent" and
"received", but I suspect that "sent" and "received" should be thought
of from the point of view of the DTE, so DTE->DCE is "sent" and DCE->DTE
is "received"; the directions for ISDN are user->network and
network->user, but I suspect that "sent" and "received" should be
thought of from the standpoint of the user equipment, so user->network
is "sent" and network->user is "received".)
svn path=/trunk/; revision=2606
fix the interpretation of the date and time reported in capture
files;
use that date and time only to set the start date and time of
the capture, not to generate the time stamp for every packet.
Make the "struct tm" used for that local to the code to handle that
production in the grammar, rather than global.
For all captures, we *can* now fstat a compressed file (and have been
able to do so for a while, in fact), so revert to doing so and using the
ctime of the capture file if we can't get a date and time from the
file's contents.
svn path=/trunk/; revision=2605
Remove what appear to be a pair of dangling "else"s.
Before calling "mktime()" on a "struct tm", you have to set "tm_isdst",
so it knows what to do about daylight savings time; set it to -1, so it
picks the appropriate time (except, presumably, for those times that
don't exist, when the clock is moved forward, where there is no
appropriate time, and those times that exist twice, when the clock is
moved backward, where there are *two* times and you can't tell which is
appropriate).
svn path=/trunk/; revision=2604
these other than a trace file a client sent me. The header appears to
be similar to frame2 and frame4 records, but with extra bytes at the end.
The trace file also contains record types 13 - 17 which appear to contain
metainformation such as retransmit counts.
svn path=/trunk/; revision=2508
bundled with GTK+ 1.0[.x]), it works only with 1.2[.x] and later, so we
no longer need to check for 1.0[.x] and define HAVE_GLIB10.
svn path=/trunk/; revision=2500
8, which is NDIS's ATM type. At least one capture appears to have
LLC-encapsulated frames in it; for now, we'll map it to
WTAP_ENCAP_ATM_RFC1483 - and make Ethereal dissect
WTAP_ENCAP_ATM_RFC1483 by handing the frames to "dissect_llc()".
While we're at it, we'll have Ethereal panic if handed a Wiretap packet
type it doesn't dissect, rather than giving you a rather blank
dissection.
svn path=/trunk/; revision=2457
pseudo_header.
Use generic "p2p_phdr" instead of "lapd_phdr". Modify toshiba.c and
packet-lapd.c to take that into account.
Add frame.p2p_dir, a filterable field, 0=sent, 1=recvd
Make p2p_dir available in packe_info, as I think it will be needed
in VJ COMP and UNCOMP dissection.
Rename WTAP_ENCAP_TR to WTAP_ENCAP_TOKEN_RING.
Mention pppd-log support in man page.
Mention atmsnoop in README.
svn path=/trunk/; revision=2455
file header to 4; fortunately, as they appear to put their extensions to
snoop into the padding at the end of the record, all their capture files
look alike to programs such as snoop and Ethereal that ignore the
padding, so we can just treat version 4 just like version 2 (unless and
until Brent decides a new snoop format is called for, changes the record
header, and picks a version number that's the same as one used by
Shomiti).
svn path=/trunk/; revision=2447
objects are reference-counted so that won't make it disappear if
Ethereal is also linked with it as a shared SNMP library.
svn path=/trunk/; revision=2444
is, for now, handled as WTAP_ENCAP_PPP (although we may have to split
WTAP_ENCAP_PPP into more than one type at some point).
svn path=/trunk/; revision=2423
a "keep reading" boolean value is returned from the function.
This avoids having to hack around the fact that some file formats truly
do have records that start at offset 0. (i4btrace and csids have no
file header. Neither does the pppdump-style file that I'm looking at right now).
svn path=/trunk/; revision=2392
that these calls work on Win32. I still don't have a good reason as to
why this is necessary, but it fixes the problem. I'll continue looking
for a reason.
svn path=/trunk/; revision=2386
encapsulation type codes - for those libpcap type codes whose numerical
value is interpreted differently by different versions of libpcap,
include <pcap.h> if you can and, if you can, use what it defines to
control which Wiretap code we map those type codes to.
Also, map the new libpcap type codes introduced by libpcap 0.5.
svn path=/trunk/; revision=2369
Set "current_blob" when the first read is done from the random file, as
"current_blob" is the current blob in the random file.
svn path=/trunk/; revision=2262
- add <stdarg.h> or <varargs.h> in snprintf.h
and remove those inclusions in the other #ifdef NEED_SNPRINTF_H codes
- remove the check of multiple inclusions in source (.c) code
(there is a bit loss of _cpp_ performance, but I prefer the gain of
code reading and maintenance; and nowadays, disk caches and VM are
correctly optimized ;-).
- protect all (well almost) header files against multiple inclusions
- add header (i.e. GPL license) in some include files
- reorganize a bit the way header files are included:
First:
#include <system_include_files>
#include <external_package_include_files (e.g. gtk, glib etc.)>
Then
#include "ethereal_include_files"
with the correct HAVE_XXX or NEED_XXX protections.
- add some HAVE_XXX checks before including some system header files
- add the same HAVE_XXX in wiretap as in ethereal
Please forgive me, if I break something (I've only compiled and regression
tested on Linux).
svn path=/trunk/; revision=2254
sequential pass through the file build a list of information about the
compressed blobs, with the starting offset in the compressed file and in
the uncompressed byte stream for each blob.
When seeking on the random stream, check whether the target location is
within the uncompressed buffer we currently have; if not, use that list
to figure out which blob contains the target location, and read that
blob into the buffer. Then, as we now know that the target location is
within the uncompressed buffer we currently have, just move the current
pointer into that buffer to the target location.
This means we don't have to read forwards through any uninteresting
blobs in order to seek forwards, and don't have to go all the way back
to the beginning and seek forwards in order to seek backwards.
svn path=/trunk/; revision=2251
the C run-time library sets "statb.st_mode" appropriately, at least for
plain files and directories; it just doesn't offer the POSIX "S_ISxxx()"
macros to test the file type.
If those macros aren't defined (which might also be the case on really
ancient UNIX systems), define them appropriately, and use them even on
Win32 systems, so that we can properly report attempts by a user to read
from a directory on Win32, just as we do on UNIX.
svn path=/trunk/; revision=2188
defined on Win32 systems - it's not defined in <sys/types.h> on those
systems.
In "buffer.c", include "config.h", to cause HAVE_WINSOCK_H to be
defined, on systems that have it, so that we include it in <buffer.h>.
svn path=/trunk/; revision=2187
capture.c :
- modified capture() to try to open an interface as a pipe if pcap_open_live()
failed, and then read data in libpcap format from this pipe ;
- add new functions used by capture() : pipe_open_live() and pipe_dispatch()
which are equivalents to the pcap_ functions.
libpcap.[ch] :
- moved the MAGIC and headers definitions from libpcap.c to libpcap.h
because capture() now needs it.
svn path=/trunk/; revision=2181
1) aclocal expects autoconf/automake macros to be hidden;
2) GTK+ hid its autoconf/automake macros;
and, if both places exist but aren't the same directory, returns a "-I"
flag to tell aclocal to look in GTK+'s directory.
Then have "autogen.sh", and Makefiles in directories with "acinclude.m4"
files, use that script and pass what flag it supplies, if any, to
aclocal.
This should, I hope, avoid problems such as those FreeBSD systems where
GTK+ was installed from a port or package (and thus stuck its macros in
"/usr/X11R6/share/aclocal") but aclocal doesn't look there.
(It doesn't solve the problem of somebody downloading and installing,
say, libtool from source - which means it probably shows up under
"/usr/local", with its macros in "/usr/local/share/aclocal" - on a
system that comes with aclocal (meaning it probably just looks in
"/usr/share/aclocal", but that may be best fixed by, whenever you
download a source tarball for something that's part of your OS,
configuring it to install in the standard system directories and
*overwriting* your OS's version.)
svn path=/trunk/; revision=2165
is finally dead, and you're walking away, it springs up again and
attacks.
It appears that the ss990915 version of Alexey Kuznetzov's libpcap patch
has some extra stuff in the per-packet header for some sort of SMP
debugging, and that SuSE Linux 6.3 picked it up.
Thus, even if a libpcap file has the modified magic number, we *still*
have to go through the usual heuristic hell to figure out what type of
file it is.
svn path=/trunk/; revision=2164
When capturing, report errors trying to create the output file
with "file_open_error_message()".
Make the "for_writing" argument to "file_open_error_message()" a
"gboolean", as it's either TRUE (if the file is being opened for
writing) or FALSE (if it's being opened for reading).
Report EISDIR as "XXX is a directory (folder), not a file.".
When checking whether an "open()" of a capture file succeeded, check
whether "open()" returns a negative number, not whether it returns 0.
In "wtap_open_offline()", if the file to be opened is a directory,
return EISDIR, not WTAP_ERR_NOT_REGULAR_FILE, so that the error message
can say "that's a directory, not a file".
If "wtap_open_offline()" returns WTAP_ERR_NOT_REGULAR_FILE, don't just
say the file is "invalid", say it's a "special file" or socket or some
other weird type of file.
svn path=/trunk/; revision=2144
a pointer to the "wtap_pkthdr" structure for an open capture
file;
a pointer to the "wtap_pseudo_header" union for an open capture
file;
a pointer to the packet buffer for an open capture file;
so that a program using "wtap_read()" in a loop can get at those items.
Keep, in a "capture_file" structure, an indicator of whether:
no file is open;
a file is open, and being read;
a file is open, and is being read, but the user tried to quit
out of reading the file (e.g., by doing "File/Quit");
a file is open, and has been completely read.
Abort if we try to close a capture that's being read if the user hasn't
tried to quit out of the read.
Have "File/Quit" check if a file is being read; if so, just set the
state indicator to "user tried to quit out of it", so that the code
reading the file can do what's appropriate to clean up, rather than
closing the file out from under that code and causing crashes.
Have "read_cap_file()" read the capture file with a loop using
"wtap_read()", rather than by using "wtap_loop()"; have it check after
reading each packet whether the user tried to abort the read and, if so,
close the capture and return an indication that the read was aborted by
the user. Otherwise, return an indication of whether the read
completely succeeded or failed in the middle (and, if it failed, return
the error code through a pointer).
Have "continue_tail_cap_file()" read the capture file with a loop using
"wtap_read()", rather than by using "wtap_loop()"; have it check after
reading each packet whether the user tried to abort the read and, if so,
quit the loop, and after the loop finishes (even if it read no packets),
return an indication that the read was aborted by the user if that
happened. Otherwise, return an indication of whether the read
completely succeeded or failed in the middle (and, if it failed, return
the error code through a pointer).
Have "finish_tail_cap_file()" read the capture file with a loop using
"wtap_read()", rather than by using "wtap_loop()"; have it check after
reading each packet whether the user tried to abort the read and, if so,
quit the loop, and after the loop finishes (even if it read no packets),
close the capture and return an indication that the read was aborted by
the user if that happened. Otherwise, return an indication of whether
the read completely succeeded or failed in the middle (and, if it
failed, return the error code through a pointer).
Have their callers check whether the read was aborted or not and, if it
was, bail out in the appropriate fashion (exit if it's reading a file
specified by "-r" on the command line; exit the main loop if it's
reading a file specified with File->Open; kill the capture child if it's
"continue_tail_cap_file()"; exit the main loop if it's
"finish_tail_cap_file()".
svn path=/trunk/; revision=2095
2.002, as used by release 3.50 of the Network Associates Sniffer for
Windows; currently, we treat it just like the 2.001 version, so we
rename the version #define WTAP_FILE_NETXRAY_2_001 to
WTAP_FILE_NETXRAY_2_00x and use that for both 2.001 and 2.002.
svn path=/trunk/; revision=2087
Differentiate between LAPB and LAPD sync sniffer traces.
Personally I think there must be a better way to find out which
protocol is in the trace but I currently lack the time to look
at the remaining frame info.
svn path=/trunk/; revision=2072
When trying to decode a sample trace from the NG offline sniffer
installation, one trace resulted in a "corrupted" error. The
reason was, that the file was a version 2 file format. That
format used type 8 for header purposes while version 4 uses it
for FRAME4.
svn path=/trunk/; revision=2071
to that file, leave public definitions in wtap.h.
Rename "union pseudo_header" to "union wtap_pseudo_header".
Make the wtap_pseudo_header pointer available in packet_info struct.
svn path=/trunk/; revision=1989
"FILE_T" is either a "gzFile" or a "FILE *", depending on whether zlib
support is enabled or not). Fix various function declarations and
definitions.
svn path=/trunk/; revision=1984
there's no need to keep it around in memory - when the frame data is
read in when handing a frame, read in the information, if any, necessary
to reconstruct the frame header, and reconstruct it. This saves some
memory.
This requires that the seek-and-read function be implemented inside
Wiretap, and that the Wiretap handle remain open even after we've
finished reading the file sequentially.
This also points out that we can't really do X.25-over-Ethernet
correctly, as we don't know where the direction (DTE->DCE or DCE->DTE)
flag is stored; it's not clear how the Ethernet type 0x0805 for X.25
Layer 3 is supposed to be handled in any case. We eliminate
X.25-over-Ethernet support (until we find out what we're supposed to
do).
svn path=/trunk/; revision=1975
to little-endian shorts - and to convert host-byte-order longs to
little-endian shorts (if the host-byte-order long will fit into a short,
"htoles()" does the right thing; if it doesn't, there is no right thing
to do - perhaps we should return a wiretap error, although, at least at
present, it's unlikely that we'll have packets bigger than 65535 bytes,
so it's unlikely that the values won't fit into a short).
svn path=/trunk/; revision=1953
Tethereal was dying on me because err was initialized to some random value.
It was this section of code that would exit even if wtap_loop was successful
(returned TRUE) because err was never initialized or set to anything.
err = load_cap_file(&cf, out_file_type);
if (err != 0) {
dissect_cleanup();
exit(2);
}
<BIGGER sheepish grin>
Fixed even more errors in LLC dissector. I had inadvertantly used the
wrong tvbuff_t* when calling dissect_data_tvb(). There is no way we are going
to be successful in this tvbuff conversion w/o regression testing. I'm
working on setting up a simple Makefile for regression testing tonight.
That's why I'm finding so many bugs in my LLC conversion.
</BIGGER sheepish grin>
svn path=/trunk/; revision=1946
build "register.c" in the top-level Makefile;
set path in "config.nmake" to include the Cygwin directory for
tools - those tools are needed to build "register.c";
remove constructed source files, and some additional object
files, when doing "nmake clean".
svn path=/trunk/; revision=1896
and nettl captures - a "start" field is used for capture files where the
time stamps on packets are relative to some initial time stamp, e.g. the
time the capture started, but those file formats use absolute time
stamps, so no "start" field is needed.
Make the "this is an HP-UX 11.x nettl capture" flag a member of the
private data structure for a nettl capture, rather than a global - it's
per-capture-file state.
Once the "start" field is removed from the RADCOM private data
structure, there's nothing left, so eliminate the private data
structure.
svn path=/trunk/; revision=1863
standard output, in the rules to get Flex to produce scanner code; that
way, if Flex fails to run for some reason, we don't leave around a
zero-length or otherwise incorrect "XXX-scanner.c" file that might
keep a subsequent make from thinking it has to generate that file.
svn path=/trunk/; revision=1808
be built as multi-threaded programs; add "/MT" to the list of compiler
flags.
Add "clean" rules in subdirectories, and run subdirectory "nmake -f
Makefile.nmake clean" when "nmake -f Makefile.nmake clean" is done in
the top-level directory, so that "nmake -f Makefile.nmake clean" cleans
everything up.
svn path=/trunk/; revision=1791
standard output, in the rules to get Flex to produce scanner code; that
way, if Flex fails to run for some reason, we don't leave around a
zero-length or otherwise incorrect "XXX-scanner.c" file that might
keep a subsequent make from thinking it has to generate that file.
svn path=/trunk/; revision=1763
Free it as soon as we're at the end of the sequential pass through the
file; that way, if we keep the capture file open with Wiretap even after
that's done (as I may do as part of some stuff I'm working on), we
at least aren't hanging on to the frame table memory after that point.
svn path=/trunk/; revision=1741
from the frame table - Network Monitor 2.x, at least, doesn't always
write frame N+1 right after frame N.
To do that, we need to mallocate a big array to hold the frame table,
and free it when we close the capture file; this requires that we have
capture-file-type-specific close routines as well as
capture-file-type-specific read routines - we let it the pointer to that
routine be null if it's not needed. Given that, we might as well get
rid of the switch statement in "wtap_close()", in favor of using
capture-file-type-specific close routines, as per the comment before
that switch statement.
svn path=/trunk/; revision=1740
unlike FreeBSD and older versions of NetBSD, which give "gzseek()" and
"gztell()" signatures with "long" file-offset arguments, and thus, on
some versions, requires that "HAVE_UNISTD_H" *not* be defined before
including "zlib.h" if you want the functions declared with a signature
that matches what's actually in the library, it requires that it *be*
defined before including "zlib.h" if you want the functions declared
with a signature that matches what's actually in the library.
svn path=/trunk/; revision=1719
"save session" feature in many Windows-based telnet apps. CRT, by VanDyke,
in particular, will put in newlines at 80 columns.
svn path=/trunk/; revision=1692
capture file for an unsupported link-layer encapsulation type (as the
nettl reader does), and report it correctly if it occurs on an open or
read attempt rather than a save attempt.
svn path=/trunk/; revision=1647
This change allows you to add a new packet-*.c file and not cause a
recompilation of everything that #include's packet.h
Add the plugin_api.[ch] files ot the plugins/Makefile.am packaging list.
Add #define YY_NO_UNPUT 1 to the lex source so that the yyunput symbol
is not defined, squelching a compiler complaint when compiling the generated
C file.
svn path=/trunk/; revision=1637
eliminated the check in the top-level "configure.in", and leaving it in
the Wiretap one means that, on NetBSD, Ethereal gets built with zlib
support if zlib is present, but Wiretap doesn't - now they both get
built with zlib support. Thanks to Itojun for catching this one.
Put into the Wiretap "configure.in" code to note that, if the test for
"gzgets()" in zlib fails, we're disabling compressed capture file
support, as is done in the top-level "configure.in".
svn path=/trunk/; revision=1625
have top-level Makefile.nmake call Makefile.nmake's in subdirectories.
Build plugins, and build generated source (lex, yacc). The only thing we
can't build is register.c; I need to re-work the top-level Makefile.nmake
because it lists object files, not C files, which make-reg-dotc needs.
svn path=/trunk/; revision=1608
traces. The trace we got from Tom Poe (tomp@intrex.net) contains PPP
data which NetXRay has transformed into looking like Ethernet frames.
The hardware addresses are the bytes for the ASCII reprsentation of
"SRC" and "DEST", with null pad bytes at the end. Interesting.
svn path=/trunk/; revision=1576
supposed to look like "ftell()".
If you don't have zlib, just define "file_seek" as an alias for "fseek",
rather than defining it as a routine.
svn path=/trunk/; revision=1571
is bigger than a "long"; this is itojun's fix for that, turning
"file_tell()" into a wrapper function in "file_wrappers.c", just like
"file_seek()".
svn path=/trunk/; revision=1554
with MSVC 6.0 and 'nmake', the make tool that comes with MSVC.
It compiles, links, and runs. It doesn't run correctly. There's a problem
when reading files. I'm getting short reads. I'm not linking in zlib or
libsnmp because it first needs to be debugged.
I changed the plugin code to use gmodule instead of libltdl, but the
Unix build still links ethereal against libltdl. I'll fix that tonight; sorry
about leaving it in such a sad state, but I wanted to check in this code
before I left work on a Friday night. Ethereal still works, but the
building is less than optimal.
svn path=/trunk/; revision=1479
hideous problem on FreeBSD 3.[23] (and perhaps other BSDs) if
HAVE_UNISTD_H is defined before "zlib.h" is included, turn "file_seek()"
into a subroutine defined in a file that *undefines* HAVE_UNISTD_H
before including "zlib.h", so that the *only* call to "gzseek()" is made
from a file that does not have HAVE_UNISTD_H defined when it includes
"zlib.h".
Move "file_error()" to that file while you're at it, so it holds all the
wrappers that hide the presence or absence of zlib from routines to read
capture files.
Turn "file.h", which declared those wrapper functions as well as wrapper
macros, into "file_wrapper.h" - it belongs with the "file_wrapper.c"
file that defines the wrapper functions, not with "file.c" which handles
higher-layer file access functions.
Remove the comment in "configure.in" that explained why defining
HAVE_UNISTD_H was a bad idea, as we're not obliged to define it and work
around the problem. (The comment in "file_wrapper.c" explains the
workaround.)
svn path=/trunk/; revision=1463
Added lots of #ifdef HAVE_*_H wrappers.
Added some #defines in config.h.win32
Check for more headers in configure.in
Added prototype for inet_aton() in inet_v6defs.h.
Changed "BYTE" token (i.e., #define) in ascend-gramamr.y because it
conflicts with a windows definition. Use HEXBYTE instead.
svn path=/trunk/; revision=1448
Linux systems with the isdn4linux patches; they help make DLT types even
less useful than they were after the various flavors of BSD proceeded to
add their own types past 14, with no coordination whatosever, so that
they overlapped, rendering it impossible to read a libpcap capture file
without knowing what particular OS generated it.
svn path=/trunk/; revision=1442
as the Ascend routers; those little buggers don't remember time very well.
The only timestamp available in the trace is relative to the beginning
of the trace.
So, right now I'm just using this relative timestamp as the absoulte time.
All my times are in 1969 (my timezone is GMT - 6), but all I care about
for now is the relative time, which is preserved even if the absolute time
is in the wrong decade.
svn path=/trunk/; revision=1404
the capture; set it to that when writing the capture.
Support Token Ring and FDDI captures (as per the network type in the
file header appearing to be either the NDIS network type, or the NDIS
network type minus 1 - I forget whether Ethernet has an NDIS type of 0
or 1).
Don't write the file header twice, keeping a static copy of it around,
as Wiretap code isn't supposed to keep any static data around; instead,
write it only when we're done writing out all the records (as we do on
Network Monitor captures).
Compute the time stamps when writing the file.
Give Windows Sniffer 1.1-format a short name, so "editcap" doesn't dump
core or print "(null)" in its usage message.
WTAP_ENCAP_NULL isn't supported by NetMon; don't write it.
svn path=/trunk/; revision=1336
instead of from DCE).
I can now open a RADCOM X.25 capture in ethereal, save it as sniffer, and
read it with a sniffer. The frame directions are correct. (BTW, the
snifconv.exe tool provided by RADCOM doesn't work with X.25 captures).
svn path=/trunk/; revision=1331
It's very basic, and doesn't write out the timestamps currently. It also
only handles WTAP_ENCAP_ETHERNET, although it can probably do the others,
but I don't have a good way to test them. This code has not yet been tested
against a Sniffer Pro, although wiretap can read the files just fine.
svn path=/trunk/; revision=1318
the "this is the first frame" flag, and the time stamp of the first
frame, used when writing Sniffer files, so that more than one could be
open at a time (Wiretap doesn't forbid that) and so that they're
initialized when you start writing a capture.
svn path=/trunk/; revision=1292
files (the former have a different per-packet header, and a different
magic number, from the standard "libpcap"; the latter have the same
per-packet header as "modified" "libpcap" files, but the same magic
number as standard "libpcap" files, sigh).
Support writing "libpcap" captures in all three formats (so that, for
example, people running Ethereal on RH 6.1 can write out captures that
the "tcpdump" that comes with RH 6.1 can read, although that's not the
default format we save in - there's no way to tell whether you're
running on RH 6.1, as far as I know; "uname()" just tells you, on Linux
systems, that the kernel is Linux 2.x, and what "x" is, it doesn't say
what the *rest* of the system is).
Fix the table in "file.c" to use Olivier's code for writing Sniffer
files.
svn path=/trunk/; revision=1288
I'm using 4.0 as the version in the REC_VERS record. It seems to work
with sniffer versions 4.40 and 5.0
No ATM support yet.
svn path=/trunk/; revision=1270
encapsulation types, and routines to translate encapsulation types to
names and short names to encapsulation types, for the benefit of
"editcap".
svn path=/trunk/; revision=1212
to, for example, specify on a command line the format that a program
should write; provide a routine to translate a file type to its short
name, and to translate a short name to the corresponding file type.
svn path=/trunk/; revision=1207
"wtap_file_type_string()" take, as its argument, a file type, rather
than a "wtap *".
Fix some range checks of file types to check against WTAP_NUM_FILE_TYPES
rather than WTAP_NUM_ENCAP_TYPES.
svn path=/trunk/; revision=1201
of all the file types in which a file can be saved.
Giving each dumpable file type a routine that checks whether a file of a
given file type and encapsulation can be written lets us hoist some
checks into common code from out of the open routines.
If the "dump close" routine for a dump stream is NULL, have that mean
that there's no action that needs to be taken on a close by the code to
handle that file type; some file types don't need that, as they can be
written purely sequentially.
svn path=/trunk/; revision=1200
structure before calling the "dump_open" routine for the file type; it
either has to be null or point to something that can be freed, as the
dump close routine frees what it points to if it's not null.
svn path=/trunk/; revision=1196
files.
Make the return type of a number of routines that return 1 (for "true")
on success and 0 (for "false") on failure to "gboolean", and make the 1's
and 0's TRUEs and FALSEs.
svn path=/trunk/; revision=1195
files.
Make the return type of a number of routines that return 1 (for "true")
on success and 0 (for "false") on failure to "gboolean", and make the 1's
and 0's TRUEs and FALSEs.
svn path=/trunk/; revision=1194
by pre-2.13 "autoconf", and there may be other problems with pre-2.12
"autoconf" as well; require "autoconf" 2.13 or later.
svn path=/trunk/; revision=1187
"gzgets()" is the one most recently added; it was added in 1.0.9.
Check for it, rather than for a list of functions, when checking for
"zlib" support - if you check for N functions, and they're all there,
you get N "-lz"s added to the list of libraries with which to link.
Indicate in the README that "zlib" versions prior to 1.0.9 definitely
won't work.
svn path=/trunk/; revision=1144
"gzseek()" *and* "gztell()" *and* "gzgets()" *and* "zError()" are all in
Zlib - we use all of them, and it appears that some older versions of
Zlib that some users had on their systems don't have some of them.
svn path=/trunk/; revision=1134
both LAPB and PPP captures get written out with that network type.
Flag it as WTAP_ENCAP_UNKNOWN when the file is opened, and, when we see
the first packet, check whether the address field is 0xFF, in which case
we flag it as PPP, or anything else, in which case we flag it as LAPB.
svn path=/trunk/; revision=1129
