author | Guy Harris <guy@alum.mit.edu> | 1999-02-20 06:49:27 +0000 |
---|---|---|
committer | Guy Harris <guy@alum.mit.edu> | 1999-02-20 06:49:27 +0000 |
commit | 3200c2543713fd849e581192c8a8d0859f9c9a57 (patch) | |
tree | 7032782f060e9c41a638eb5cde3ae3038dab929d /wiretap | |
parent | 0768c4b989e713e604fb3e2a40f8c74fbeb62a28 (diff) | |
Add support for Cinco Networks NetXRay - which is, after their acquisition
by Network General (subsequently merged with McAfee Associates into
Network Associates), called "Sniffer Basic".
A similar format appears to be used by the Windows Sniffer Pro.
svn path=/trunk/; revision=194
Diffstat (limited to 'wiretap')
-rw-r--r-- | wiretap/Makefile.am | 2 | ||||
-rw-r--r-- | wiretap/Makefile.in | 8 | ||||
-rw-r--r-- | wiretap/file.c | 7 | ||||
-rw-r--r-- | wiretap/netxray.c | 175 | ||||
-rw-r--r-- | wiretap/netxray.h | 25 | ||||
-rw-r--r-- | wiretap/wtap.h | 9 |
6 files changed, 221 insertions, 5 deletions
diff --git a/wiretap/Makefile.am b/wiretap/Makefile.am
index f1cdeb1e2c..2baa634d49 100644
--- a/wiretap/Makefile.am
+++ b/wiretap/Makefile.am
@@ -18,6 +18,8 @@ libwiretap_a_SOURCES = \
 libpcap.h \
 netmon.c \
 netmon.h \
+ netxray.c \
+ netxray.h \
 ngsniffer.c \
 ngsniffer.h \
 snoop.c \
diff --git a/wiretap/Makefile.in b/wiretap/Makefile.in
index 98172ea63e..9b84a97eff 100644
--- a/wiretap/Makefile.in
+++ b/wiretap/Makefile.in
@@ -87,6 +87,8 @@ libwiretap_a_SOURCES = \
 libpcap.h \
 netmon.c \
 netmon.h \
+ netxray.c \
+ netxray.h \
 ngsniffer.c \
 ngsniffer.h \
 snoop.c \
@@ -106,7 +108,7 @@ LDFLAGS = @LDFLAGS@
 LIBS = @LIBS@
 libwiretap_a_LIBADD =
 libwiretap_a_OBJECTS = buffer.o file.o iptrace.o lanalyzer.o libpcap.o \
-netmon.o ngsniffer.o snoop.o wtap.o
+netmon.o netxray.o ngsniffer.o snoop.o wtap.o
 AR = ar
 CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(CPPFLAGS) $(CFLAGS)
@@ -121,8 +123,8 @@ DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
 TAR = tar
 GZIP = --best
 DEP_FILES = .deps/buffer.P .deps/file.P .deps/iptrace.P \
-.deps/lanalyzer.P .deps/libpcap.P .deps/netmon.P .deps/ngsniffer.P \
-.deps/snoop.P .deps/wtap.P
+.deps/lanalyzer.P .deps/libpcap.P .deps/netmon.P .deps/netxray.P \
+.deps/ngsniffer.P .deps/snoop.P .deps/wtap.P
 SOURCES = $(libwiretap_a_SOURCES)
 OBJECTS = $(libwiretap_a_OBJECTS)
diff --git a/wiretap/file.c b/wiretap/file.c
index 041a5c7a46..4003fc6868 100644
--- a/wiretap/file.c
+++ b/wiretap/file.c
@@ -1,6 +1,6 @@
 /* file.c
  *
- * $Id: file.c,v 1.7 1999/01/21 05:03:56 gram Exp $
+ * $Id: file.c,v 1.8 1999/02/20 06:49:26 guy Exp $
  *
  * Wiretap Library
  * Copyright (c) 1998 by Gilbert Ramirez <gram@verdict.uthscsa.edu>
@@ -31,6 +31,7 @@
 #include "snoop.h"
 #include "iptrace.h"
 #include "netmon.h"
+#include "netxray.h"
 
 /* The open_file_* routines should return the WTAP_FILE_* type
  * that they are checking for if the file is successfully recognized
@@ -75,6 +76,10 @@ wtap* wtap_open_offline(char *filename) if ((wth->file_type = netmon_open(wth)) != WTAP_FILE_UNKNOWN) { goto success; } + /* WTAP_FILE_NETXRAY */ + if ((wth->file_type = netxray_open(wth)) != WTAP_FILE_UNKNOWN) { + goto success; + } /* failure: */ diff --git a/wiretap/netxray.c b/wiretap/netxray.c new file mode 100644 index 0000000000..35fcacc7b0 --- /dev/null +++ b/wiretap/netxray.c 
@@ -0,0 +1,175 @@ +/* netxray.c + * + * $Id: netxray.c,v 1.1 1999/02/20 06:49:26 guy Exp $ + * + * Wiretap Library + * Copyright (c) 1998 by Gilbert Ramirez <gram@verdict.uthscsa.edu> + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + */ + +#include <stdlib.h> +#include <time.h> +#include "wtap.h" +#include "netxray.h" + +/* Capture file header, *including* magic number, is padded to 128 bytes. */ +#define CAPTUREFILE_HEADER_SIZE 128 + +/* Magic number in NetXRay files. */ +static const char netxray_magic[] = { /* magic header */ + 'X', 'C', 'P', '\0' +}; + +/* NetXRay file header (minus magic number). */ +struct netxray_hdr { + char version[8]; /* version number */ + guint32 xxx[10]; /* unknown */ + guint32 timelo; /* lower 32 bits of time stamp */ + guint32 timehi; /* upper 32 bits of time stamp */ + /* + * XXX - other stuff. + */ +}; + +/* Version number strings. */ +static const char vers_1_0[] = { + '0', '0', '1', '.', '0', '0', '0', '\0' +}; + +static const char vers_1_1[] = { + '0', '0', '1', '.', '1', '0', '0', '\0' +}; + +/* NetXRay data record format - followed by frame data. 
*/ +struct netxrayrec_hdr { + guint32 timelo; /* lower 32 bits of time stamp */ + guint32 timehi; /* upper 32 bits of time stamp */ + guint16 orig_len; /* packet length */ + guint16 incl_len; /* capture length */ + guint32 xxx[4]; /* unknown */ +}; + +/* Returns WTAP_FILE_NETXRAY on success, WTAP_FILE_UNKNOWN on failure */ +int netxray_open(wtap *wth) +{ + int bytes_read; + char magic[sizeof netxray_magic]; + struct netxray_hdr hdr; + double timeunit; + double t; + + /* Read in the string that should be at the start of a NetXRay + * file */ + fseek(wth->fh, 0, SEEK_SET); + bytes_read = fread(magic, 1, sizeof magic, wth->fh); + + if (bytes_read != sizeof magic) { + return WTAP_FILE_UNKNOWN; + } + + if (memcmp(magic, netxray_magic, sizeof netxray_magic) != 0) { + return WTAP_FILE_UNKNOWN; + } + + /* Read the rest of the header. */ + bytes_read = fread(&hdr, 1, sizeof hdr, wth->fh); + if (bytes_read != sizeof hdr) { + return WTAP_FILE_UNKNOWN; + } + + /* It appears that version 1.1 files (as produced by Windows + * Sniffer Pro) have the time stamp in microseconds, rather + * than the milliseconds version 1.0 files appear to have. */ + if (memcmp(hdr.version, vers_1_0, sizeof vers_1_0) == 0) { + timeunit = 1000.0; + } else if (memcmp(hdr.version, vers_1_1, sizeof vers_1_1) == 0) { + timeunit = 1000000.0; + } else { + return WTAP_FILE_UNKNOWN; + } + + /* This is a netxray file */ + wth->capture.netxray = g_malloc(sizeof(netxray_t)); + wth->subtype_read = netxray_read; + wth->encapsulation = WTAP_ENCAP_ETHERNET; /* XXX - where is it? */ + wth->snapshot_length = 16384; /* XXX - not available in header */ + wth->capture.netxray->timeunit = timeunit; + t = (double)pletohl(&hdr.timelo) + + (double)pletohl(&hdr.timehi)*4294967296.0; + t = t/timeunit; + wth->capture.netxray->starttime = t; + /*wth->frame_number = 0;*/ + /*wth->file_byte_offset = 0x10b;*/ + + /* Seek to the beginning of the data records. 
*/ + fseek(wth->fh, CAPTUREFILE_HEADER_SIZE, SEEK_SET); + + return WTAP_FILE_NETXRAY; +} + +/* Read the next packet */ +int netxray_read(wtap *wth) +{ + int packet_size; + int bytes_read; + struct netxrayrec_hdr hdr; + int data_offset; + double t; + + /* Read record header. */ + bytes_read = fread(&hdr, 1, sizeof hdr, wth->fh); + if (bytes_read != sizeof hdr) { + if (bytes_read != 0) { + g_error("netxray_read: not enough packet header data (%d bytes)", + bytes_read); + return -1; + } + return 0; + } + data_offset += sizeof hdr; + + packet_size = pletohs(&hdr.incl_len); + buffer_assure_space(&wth->frame_buffer, packet_size); + data_offset = ftell(wth->fh); + bytes_read = fread(buffer_start_ptr(&wth->frame_buffer), 1, + packet_size, wth->fh); + + if (bytes_read != packet_size) { + if (ferror(wth->fh)) { + g_error("netxray_read: fread for data: read error\n"); + } else { + g_error("netxray_read: fread for data: %d bytes out of %d", + bytes_read, packet_size); + } + return -1; + } + + /* XXX - this isn't the actual date/time the packet was captured, + * but at least it gives you the right relative time stamps. */ + t = (double)pletohl(&hdr.timelo) + + (double)pletohl(&hdr.timehi)*4294967296.0; + t /= wth->capture.netxray->timeunit; + t -= wth->capture.netxray->starttime; + wth->phdr.ts.tv_sec = (long)t; + wth->phdr.ts.tv_usec = (unsigned long)((t-(double)(wth->phdr.ts.tv_sec)) + *1.0e6); + wth->phdr.caplen = packet_size; + wth->phdr.len = pletohs(&hdr.orig_len); + wth->phdr.pkt_encap = wth->encapsulation; + + return data_offset; +} diff --git a/wiretap/netxray.h b/wiretap/netxray.h new file mode 100644 index 0000000000..e66e324b94 --- /dev/null +++ b/wiretap/netxray.h 
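Review bot: In netxray_read the line `data_offset += sizeof hdr;` reads `data_offset` before anything has assigned it, which is undefined behaviour, and the result is immediately overwritten by `data_offset = ftell(wth->fh);`, so the line should simply be deleted (the function returns the post-header offset as written; if the pre-header offset was intended, capture it with `ftell()` before the `fread`). The same function reacts to a short header read and to a short or failed frame read with g_error(), which is fatal in GLib, so a truncated or deliberately malformed capture aborts the whole process instead of failing the read; since a -1 failure return already exists, `g_warning(...)` followed by the existing `return -1;` is the safer choice. Two further points a fuzzed file will hit: `packet_size` is taken verbatim from the untrusted 16-bit incl_len and is never compared with orig_len or with the `snapshot_length = 16384` that netxray_open advertises, and `wth->phdr.ts.tv_sec = (long)t;` is undefined when the 64-bit tick count in a record pushes t beyond the range of long, while a record stamped before the file's start time yields a negative t and a meaningless tv_usec. netxray_open also g_malloc()s wth->capture.netxray with no matching free visible in this change; if wtap's close path does not release per-format state, that is a leak per opened file.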
@@ -0,0 +1,25 @@
+/* netxray.h
+ *
+ * $Id: netxray.h,v 1.1 1999/02/20 06:49:27 guy Exp $
+ *
+ * Wiretap Library
+ * Copyright (c) 1998 by Gilbert Ramirez <gram@verdict.uthscsa.edu>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ */
+
+int netxray_open(wtap *wth);
+int netxray_read(wtap *wth);
diff --git a/wiretap/wtap.h b/wiretap/wtap.h
index 9a0613268e..12c2c32caa 100644
--- a/wiretap/wtap.h
+++ b/wiretap/wtap.h
@@ -1,6 +1,6 @@
 /* wtap.h
  *
- * $Id: wtap.h,v 1.12 1999/01/21 05:03:56 gram Exp $
+ * $Id: wtap.h,v 1.13 1999/02/20 06:49:26 guy Exp $
  *
  * Wiretap Library
  * Copyright (c) 1998 by Gilbert Ramirez <gram@verdict.uthscsa.edu>
@@ -42,6 +42,7 @@
 #define WTAP_FILE_SNOOP 6
 #define WTAP_FILE_IPTRACE 7
 #define WTAP_FILE_NETMON 8
+#define WTAP_FILE_NETXRAY 9
 
 #include <sys/types.h>
 #include <sys/time.h>
@@ -77,6 +78,11 @@ typedef struct {
 int end_offset;
 } netmon_t;
 
+typedef struct {
+ double timeunit;
+ double starttime;
+} netxray_t;
+
 struct wtap_pkthdr {
 struct timeval ts;
 guint32 caplen;
@@ -103,6 +109,7 @@ typedef struct wtap {
 lanalyzer_t *lanalyzer;
 ngsniffer_t *ngsniffer;
 netmon_t *netmon;
+ netxray_t *netxray;
 } capture;
 
 subtype_func subtype_read; |