summaryrefslogtreecommitdiffstats
path: root/wiretap/netmon.c
diff options
context:
space:
mode:
Diffstat (limited to 'wiretap/netmon.c')
-rw-r--r--wiretap/netmon.c2038
1 files changed, 2038 insertions, 0 deletions
diff --git a/wiretap/netmon.c b/wiretap/netmon.c
new file mode 100644
index 00000000..861b1f90
--- /dev/null
+++ b/wiretap/netmon.c
@@ -0,0 +1,2038 @@
+/* netmon.c
+ *
+ * Wiretap Library
+ * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "config.h"
+#include <errno.h>
+#include <string.h>
+#include <wsutil/unicode-utils.h>
+#include "wtap-int.h"
+#include "file_wrappers.h"
+#include "atm.h"
+#include "pcap-encap.h"
+#include "netmon.h"
+
+/* The file at
+ *
+ * ftp://ftp.microsoft.com/developr/drg/cifs/cifs/Bhfile.zip
+ *
+ * contains "STRUCT.H", which declares the typedef CAPTUREFILE_HEADER
+ * for the header of a Microsoft Network Monitor 1.x capture file.
+ *
+ * The help files for Network Monitor 3.x document the 2.x file format.
+ */
+
+/* Capture file header, *including* magic number, is padded to 128 bytes. */
+#define CAPTUREFILE_HEADER_SIZE 128
+
+/* Magic number size, for both 1.x and 2.x. */
+#define MAGIC_SIZE 4
+
+/* Magic number in Network Monitor 1.x files. */
+static const char netmon_1_x_magic[MAGIC_SIZE] = {
+ 'R', 'T', 'S', 'S'
+};
+
+/* Magic number in Network Monitor 2.x files. */
+static const char netmon_2_x_magic[MAGIC_SIZE] = {
+ 'G', 'M', 'B', 'U'
+};
+
+/* Network Monitor file header (minus magic number). */
+struct netmon_hdr {
+ guint8 ver_minor; /* minor version number */
+ guint8 ver_major; /* major version number */
+ guint16 network; /* network type */
+ guint16 ts_year; /* year of capture start */
+ guint16 ts_month; /* month of capture start (January = 1) */
+ guint16 ts_dow; /* day of week of capture start (Sun = 0) */
+ guint16 ts_day; /* day of month of capture start */
+ guint16 ts_hour; /* hour of capture start */
+ guint16 ts_min; /* minute of capture start */
+ guint16 ts_sec; /* second of capture start */
+ guint16 ts_msec; /* millisecond of capture start */
+ guint32 frametableoffset; /* frame index table offset */
+ guint32 frametablelength; /* frame index table size */
+ guint32 userdataoffset; /* user data offset */
+ guint32 userdatalength; /* user data size */
+ guint32 commentdataoffset; /* comment data offset */
+ guint32 commentdatalength; /* comment data size */
+ guint32 processinfooffset; /* offset to process info structure */
+ guint32 processinfocount; /* number of process info structures */
+ guint32 networkinfooffset; /* offset to network info structure */
+ guint32 networkinfolength; /* length of network info structure */
+};
+
+/* Network Monitor 1.x record header; not defined in STRUCT.H, but deduced by
+ * looking at capture files. */
+struct netmonrec_1_x_hdr {
+ guint32 ts_delta; /* time stamp - msecs since start of capture */
+ guint16 orig_len; /* actual length of packet */
+ guint16 incl_len; /* number of octets captured in file */
+};
+
+/*
+ * Network Monitor 2.x record header, as documented in NetMon 3.x's
+ * help files.
+ */
+struct netmonrec_2_x_hdr {
+ guint64 ts_delta; /* time stamp - usecs since start of capture */
+ guint32 orig_len; /* actual length of packet */
+ guint32 incl_len; /* number of octets captured in file */
+};
+
+/*
+ * Network Monitor 2.1 and later record trailers; documented in the Network
+ * Monitor 3.x help files, for 3.3 and later, although they don't clearly
+ * state how the trailer format changes from version to version.
+ *
+ * Some fields are multi-byte integers, but they're not aligned on their
+ * natural boundaries.
+ */
+struct netmonrec_2_1_trlr {
+ guint8 network[2]; /* network type for this packet */
+};
+
+struct netmonrec_2_2_trlr {
+ guint8 network[2]; /* network type for this packet */
+ guint8 process_info_index[4]; /* index into the process info table */
+};
+
+struct netmonrec_2_3_trlr {
+ guint8 network[2]; /* network type for this packet */
+ guint8 process_info_index[4]; /* index into the process info table */
+ guint8 utc_timestamp[8]; /* packet time stamp, as .1 us units since January 1, 1601, 00:00:00 UTC */
+ guint8 timezone_index; /* index of time zone information */
+};
+
+struct netmonrec_comment {
+ guint32 numFramePerComment; /* Currently, this is always set to 1. Each comment is attached to only one frame. */
+ guint32 frameOffset; /* Offset in the capture file table that indicates the beginning of the frame. Key used to match comment with frame */
+ guint8* title; /* Comment title */
+ guint32 descLength; /* Number of bytes in the comment description. Must be at least zero. */
+ guint8* description; /* Comment description */
+};
+
+/* Just the first few fields of netmonrec_comment so it can be read sequentially from file */
+struct netmonrec_comment_header {
+ guint32 numFramePerComment;
+ guint32 frameOffset;
+ guint32 titleLength;
+};
+
+union ip_address {
+ guint32 ipv4;
+ ws_in6_addr ipv6;
+};
+
+struct netmonrec_process_info {
+ guint8* path; /* A Unicode string of length PathSize */
+ guint32 iconSize;
+ guint8* iconData;
+ guint32 pid;
+ guint16 localPort;
+ guint16 remotePort;
+ gboolean isIPv6;
+ union ip_address localAddr;
+ union ip_address remoteAddr;
+};
+
+/*
+ * The link-layer header on ATM packets.
+ */
+struct netmon_atm_hdr {
+ guint8 dest[6]; /* "Destination address" - what is it? */
+ guint8 src[6]; /* "Source address" - what is it? */
+ guint16 vpi; /* VPI */
+ guint16 vci; /* VCI */
+};
+
+typedef struct {
+ time_t start_secs;
+ guint32 start_nsecs;
+ guint8 version_major;
+ guint8 version_minor;
+ guint32 *frame_table;
+ guint32 frame_table_size;
+ GHashTable* comment_table;
+ GHashTable* process_info_table;
+ guint current_frame;
+} netmon_t;
+
+/*
+ * Maximum pathname length supported in the process table; the length
+ * is in a 32-bit field, so we impose a limit to prevent attempts to
+ * allocate too much memory.
+ *
+ * See
+ *
+ * https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file#maximum-path-length-limitation
+ *
+ * The NetMon 3.4 "Capture File Format" documentation says "PathSize must be
+ * greater than 0, and less than MAX_PATH (260 characters)", but, as per that
+ * link above, that limit has been raised in more recent systems.
+ *
+ * We pick a limit of 65536, as that should handle a path length of 32767
+ * UTF-16 octet pairs plus a trailing NUL octet pair.
+ */
+#define MATH_PROCINFO_PATH_SIZE 65536
+
+/*
+ * XXX - at least in some NetMon 3.4 VPN captures, the per-packet
+ * link-layer type is 0, but the packets have Ethernet headers.
+ * We handle this by mapping 0 to WTAP_ENCAP_ETHERNET; should we,
+ * instead, use the per-file link-layer type?
+ */
+static const int netmon_encap[] = {
+ WTAP_ENCAP_ETHERNET,
+ WTAP_ENCAP_ETHERNET,
+ WTAP_ENCAP_TOKEN_RING,
+ WTAP_ENCAP_FDDI_BITSWAPPED,
+ WTAP_ENCAP_ATM_PDUS, /* NDIS WAN - this is what's used for ATM */
+ WTAP_ENCAP_UNKNOWN, /* NDIS LocalTalk, but format 2.x uses it for IP-over-IEEE 1394 */
+ WTAP_ENCAP_IEEE_802_11_NETMON,
+ /* NDIS "DIX", but format 2.x uses it for 802.11 */
+ WTAP_ENCAP_RAW_IP, /* NDIS ARCNET raw, but format 2.x uses it for "Tunneling interfaces" */
+ WTAP_ENCAP_RAW_IP, /* NDIS ARCNET 878.2, but format 2.x uses it for "Wireless WAN" */
+ WTAP_ENCAP_RAW_IP, /* NDIS ATM (no, this is NOT used for ATM); format 2.x uses it for "Raw IP Frames" */
+ WTAP_ENCAP_UNKNOWN, /* NDIS Wireless WAN */
+ WTAP_ENCAP_UNKNOWN /* NDIS IrDA */
+};
+#define NUM_NETMON_ENCAPS (sizeof netmon_encap / sizeof netmon_encap[0])
+
+/*
+ * Special link-layer types.
+ */
+#define NETMON_NET_PCAP_BASE 0xE000
+#define NETMON_NET_NETEVENT 0xFFE0
+#define NETMON_NET_NETWORK_INFO_EX 0xFFFB
+#define NETMON_NET_PAYLOAD_HEADER 0xFFFC
+#define NETMON_NET_NETWORK_INFO 0xFFFD
+#define NETMON_NET_DNS_CACHE 0xFFFE
+#define NETMON_NET_NETMON_FILTER 0xFFFF
+
+static gboolean netmon_read(wtap *wth, wtap_rec *rec, Buffer *buf,
+ int *err, gchar **err_info, gint64 *data_offset);
+static gboolean netmon_seek_read(wtap *wth, gint64 seek_off,
+ wtap_rec *rec, Buffer *buf, int *err, gchar **err_info);
+static gboolean netmon_read_atm_pseudoheader(FILE_T fh,
+ union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info);
+static void netmon_close(wtap *wth);
+static gboolean netmon_dump(wtap_dumper *wdh, const wtap_rec *rec,
+ const guint8 *pd, int *err, gchar **err_info);
+static gboolean netmon_dump_finish(wtap_dumper *wdh, int *err,
+ gchar **err_info);
+
+static int netmon_1_x_file_type_subtype = -1;
+static int netmon_2_x_file_type_subtype = -1;
+
+void register_netmon(void);
+
+/*
+ * Convert a counted UTF-16 string, which is probably also null-terminated
+ * but is not guaranteed to be null-terminated (as it came from a file),
+ * to a null-terminated UTF-8 string.
+ */
+static guint8 *
+utf_16_to_utf_8(const guint8 *in, guint32 length)
+{
+ guint8 *result, *out;
+ gunichar2 uchar2;
+ gunichar uchar;
+ size_t n_bytes;
+ guint32 i;
+
+ /*
+ * Get the length of the resulting UTF-8 string, and validate
+ * the input string in the process.
+ */
+ n_bytes = 0;
+ for (i = 0; i + 1 < length && (uchar2 = pletoh16(in + i)) != '\0';
+ i += 2) {
+ if (IS_LEAD_SURROGATE(uchar2)) {
+ /*
+ * Lead surrogate. Must be followed by a trail
+ * surrogate.
+ */
+ gunichar2 lead_surrogate;
+
+ i += 2;
+ if (i + 1 >= length) {
+ /*
+ * Oops, string ends with a lead surrogate.
+ * Ignore this for now.
+ * XXX - insert "substitute" character?
+ * Report the error in some other fashion?
+ */
+ break;
+ }
+ lead_surrogate = uchar2;
+ uchar2 = pletoh16(in + i);
+ if (uchar2 == '\0') {
+ /*
+ * Oops, string ends with a lead surrogate.
+ * Ignore this for now.
+ * XXX - insert "substitute" character?
+ * Report the error in some other fashion?
+ */
+ break;
+ }
+ if (IS_TRAIL_SURROGATE(uchar2)) {
+ /* Trail surrogate. */
+ uchar = SURROGATE_VALUE(lead_surrogate, uchar2);
+ n_bytes += g_unichar_to_utf8(uchar, NULL);
+ } else {
+ /*
+ * Not a trail surrogate.
+ * Ignore the entire pair.
+ * XXX - insert "substitute" character?
+ * Report the error in some other fashion?
+ */
+ ;
+ }
+ } else {
+ if (IS_TRAIL_SURROGATE(uchar2)) {
+ /*
+ * Trail surrogate without a preceding
+ * lead surrogate. Ignore it.
+ * XXX - insert "substitute" character?
+ * Report the error in some other fashion?
+ */
+ ;
+ } else {
+ /*
+ * Non-surrogate; just count it.
+ */
+ n_bytes += g_unichar_to_utf8(uchar2, NULL);
+ }
+ }
+ }
+
+ /*
+ * Now allocate a buffer big enough for the UTF-8 string plus a
+ * trailing NUL, and generate the string.
+ */
+ result = (guint8 *)g_malloc(n_bytes + 1);
+
+ out = result;
+ for (i = 0; i + 1 < length && (uchar2 = pletoh16(in + i)) != '\0';
+ i += 2) {
+ if (IS_LEAD_SURROGATE(uchar2)) {
+ /*
+ * Lead surrogate. Must be followed by a trail
+ * surrogate.
+ */
+ gunichar2 lead_surrogate;
+
+ i += 2;
+ if (i + 1 >= length) {
+ /*
+ * Oops, string ends with a lead surrogate.
+ * Ignore this for now.
+ * XXX - insert "substitute" character?
+ * Report the error in some other fashion?
+ */
+ break;
+ }
+ lead_surrogate = uchar2;
+ uchar2 = pletoh16(in + i);
+ if (uchar2 == '\0') {
+ /*
+ * Oops, string ends with a lead surrogate.
+ * Ignore this for now.
+ * XXX - insert "substitute" character?
+ * Report the error in some other fashion?
+ */
+ break;
+ }
+ if (IS_TRAIL_SURROGATE(uchar2)) {
+ /* Trail surrogate. */
+ uchar = SURROGATE_VALUE(lead_surrogate, uchar2);
+ out += g_unichar_to_utf8(uchar, out);
+ } else {
+ /*
+ * Not a trail surrogate.
+ * Ignore the entire pair.
+ * XXX - insert "substitute" character?
+ * Report the error in some other fashion?
+ */
+ ;
+ }
+ } else {
+ if (IS_TRAIL_SURROGATE(uchar2)) {
+ /*
+ * Trail surrogate without a preceding
+ * lead surrogate. Ignore it.
+ * XXX - insert "substitute" character?
+ * Report the error in some other fashion?
+ */
+ ;
+ } else {
+ /*
+ * Non-surrogate; just count it.
+ */
+ out += g_unichar_to_utf8(uchar2, out);
+ }
+ }
+ }
+ *out = '\0';
+
+ /*
+ * XXX - if i < length, this means we were handed an odd
+ * number of bytes, so it was not a valid UTF-16 string.
+ */
+ return result;
+}
+
+
+static void netmonrec_comment_destroy(gpointer key) {
+ struct netmonrec_comment *comment = (struct netmonrec_comment*) key;
+
+ g_free(comment->title);
+ g_free(comment->description);
+ g_free(comment);
+}
+
+static void netmonrec_process_info_destroy(gpointer key) {
+ struct netmonrec_process_info *process_info = (struct netmonrec_process_info*) key;
+
+ g_free(process_info->path);
+ g_free(process_info->iconData);
+ g_free(process_info);
+}
+
+wtap_open_return_val netmon_open(wtap *wth, int *err, gchar **err_info)
+{
+ char magic[MAGIC_SIZE];
+ struct netmon_hdr hdr;
+ int file_type;
+ struct tm tm;
+ guint32 frame_table_offset;
+ guint32 frame_table_length;
+ guint32 frame_table_size;
+ guint32 *frame_table;
+ guint32 comment_table_offset, process_info_table_offset;
+ guint32 comment_table_size, process_info_table_count;
+ GHashTable *comment_table, *process_info_table;
+ struct netmonrec_comment* comment_rec;
+ gint64 file_size = wtap_file_size(wth, err);
+#if G_BYTE_ORDER == G_BIG_ENDIAN
+ unsigned int i;
+#endif
+ netmon_t *netmon;
+
+ /* Read in the string that should be at the start of a Network
+ * Monitor file */
+ if (!wtap_read_bytes(wth->fh, magic, MAGIC_SIZE, err, err_info)) {
+ if (*err != WTAP_ERR_SHORT_READ)
+ return WTAP_OPEN_ERROR;
+ return WTAP_OPEN_NOT_MINE;
+ }
+
+ if (memcmp(magic, netmon_1_x_magic, MAGIC_SIZE) != 0 &&
+ memcmp(magic, netmon_2_x_magic, MAGIC_SIZE) != 0) {
+ return WTAP_OPEN_NOT_MINE;
+ }
+
+ /* Read the rest of the header. */
+ if (!wtap_read_bytes(wth->fh, &hdr, sizeof hdr, err, err_info))
+ return WTAP_OPEN_ERROR;
+
+ switch (hdr.ver_major) {
+
+ case 1:
+ file_type = netmon_1_x_file_type_subtype;
+ break;
+
+ case 2:
+ file_type = netmon_2_x_file_type_subtype;
+ break;
+
+ default:
+ *err = WTAP_ERR_UNSUPPORTED;
+ *err_info = ws_strdup_printf("netmon: major version %u unsupported", hdr.ver_major);
+ return WTAP_OPEN_ERROR;
+ }
+
+ hdr.network = pletoh16(&hdr.network);
+ if (hdr.network >= NUM_NETMON_ENCAPS
+ || netmon_encap[hdr.network] == WTAP_ENCAP_UNKNOWN) {
+ *err = WTAP_ERR_UNSUPPORTED;
+ *err_info = ws_strdup_printf("netmon: network type %u unknown or unsupported",
+ hdr.network);
+ return WTAP_OPEN_ERROR;
+ }
+
+ /* This is a netmon file */
+ wth->file_type_subtype = file_type;
+ netmon = g_new0(netmon_t, 1);
+ wth->priv = (void *)netmon;
+ wth->subtype_read = netmon_read;
+ wth->subtype_seek_read = netmon_seek_read;
+ wth->subtype_close = netmon_close;
+
+ /* NetMon capture file formats v2.1+ use per-packet encapsulation types. NetMon 3 sets the value in
+ * the header to 1 (Ethernet) for backwards compatibility. */
+ if((hdr.ver_major == 2 && hdr.ver_minor >= 1) || hdr.ver_major > 2)
+ wth->file_encap = WTAP_ENCAP_PER_PACKET;
+ else
+ wth->file_encap = netmon_encap[hdr.network];
+
+ wth->snapshot_length = 0; /* not available in header */
+ /*
+ * Convert the time stamp to a "time_t" and a number of
+ * milliseconds.
+ */
+ tm.tm_year = pletoh16(&hdr.ts_year) - 1900;
+ tm.tm_mon = pletoh16(&hdr.ts_month) - 1;
+ tm.tm_mday = pletoh16(&hdr.ts_day);
+ tm.tm_hour = pletoh16(&hdr.ts_hour);
+ tm.tm_min = pletoh16(&hdr.ts_min);
+ tm.tm_sec = pletoh16(&hdr.ts_sec);
+ tm.tm_isdst = -1;
+ netmon->start_secs = mktime(&tm);
+ /*
+ * XXX - what if "secs" is -1? Unlikely, but if the capture was
+ * done in a time zone that switches between standard and summer
+ * time sometime other than when we do, and thus the time was one
+ * that doesn't exist here because a switch from standard to summer
+ * time zips over it, it could happen.
+ *
+ * On the other hand, if the capture was done in a different time
+ * zone, this won't work right anyway; unfortunately, the time
+ * zone isn't stored in the capture file (why the hell didn't
+ * they stuff a FILETIME, which is the number of 100-nanosecond
+ * intervals since 1601-01-01 00:00:00 "UTC", there, instead
+ * of stuffing a SYSTEMTIME, which is time-zone-dependent, there?).
+ *
+ * Eventually they went with per-packet FILETIMEs in a later
+ * version.
+ */
+ netmon->start_nsecs = pletoh16(&hdr.ts_msec)*1000000;
+
+ netmon->version_major = hdr.ver_major;
+ netmon->version_minor = hdr.ver_minor;
+
+ /*
+ * Get the offset of the frame index table.
+ */
+ frame_table_offset = pletoh32(&hdr.frametableoffset);
+
+ /*
+ * For NetMon 2.2 format and later, get the offset and length of
+ * the comment index table and process info table.
+ *
+ * For earlier versions, set them to zero; they appear to be
+ * uninitialized, so they're not necessarily zero.
+ */
+ if ((netmon->version_major == 2 && netmon->version_minor >= 2) ||
+ netmon->version_major > 2) {
+ comment_table_offset = pletoh32(&hdr.commentdataoffset);
+ comment_table_size = pletoh32(&hdr.commentdatalength);
+ process_info_table_offset = pletoh32(&hdr.processinfooffset);
+ process_info_table_count = pletoh32(&hdr.processinfocount);
+ } else {
+ comment_table_offset = 0;
+ comment_table_size = 0;
+ process_info_table_offset = 0;
+ process_info_table_count = 0;
+ }
+
+ /*
+ * It appears that some NetMon 2.x files don't have the
+ * first packet starting exactly 128 bytes into the file.
+ *
+ * Furthermore, it also appears that there are "holes" in
+ * the file, i.e. frame N+1 doesn't always follow immediately
+ * after frame N.
+ *
+ * Therefore, we must read the frame table, and use the offsets
+ * in it as the offsets of the frames.
+ */
+ frame_table_length = pletoh32(&hdr.frametablelength);
+ frame_table_size = frame_table_length / (guint32)sizeof (guint32);
+ if ((frame_table_size * sizeof (guint32)) != frame_table_length) {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = ws_strdup_printf("netmon: frame table length is %u, which is not a multiple of the size of an entry",
+ frame_table_length);
+ return WTAP_OPEN_ERROR;
+ }
+ if (frame_table_size == 0) {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = ws_strdup_printf("netmon: frame table length is %u, which means it's less than one entry in size",
+ frame_table_length);
+ return WTAP_OPEN_ERROR;
+ }
+ /*
+ * XXX - clamp the size of the frame table, so that we don't
+ * attempt to allocate a huge frame table and fail.
+ *
+ * Given that file offsets in the frame table are 32-bit,
+ * a NetMon file cannot be bigger than 2^32 bytes.
+ * Given that a NetMon 1.x-format packet header is 8 bytes,
+ * that means a NetMon file cannot have more than
+ * 512*2^20 packets. We'll pick that as the limit for
+ * now; it's 1/8th of a 32-bit address space, which is
+ * probably not going to exhaust the address space all by
+ * itself, and probably won't exhaust the backing store.
+ */
+ if (frame_table_size > 512*1024*1024) {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = ws_strdup_printf("netmon: frame table length is %u, which is larger than we support",
+ frame_table_length);
+ return WTAP_OPEN_ERROR;
+ }
+ if (file_seek(wth->fh, frame_table_offset, SEEK_SET, err) == -1) {
+ return WTAP_OPEN_ERROR;
+ }
+
+ /*
+ * Sanity check the comment table information before we bother to allocate
+ * large chunks of memory for the frame table
+ */
+ if (comment_table_size > 0) {
+ /*
+ * XXX - clamp the size of the comment table, so that we don't
+ * attempt to allocate a huge comment table and fail.
+ *
+ * Just use same size requires as frame table
+ */
+ if (comment_table_size > 512*1024*1024) {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = ws_strdup_printf("netmon: comment table size is %u, which is larger than we support",
+ comment_table_size);
+ return WTAP_OPEN_ERROR;
+ }
+
+ if (comment_table_size < 17) {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = ws_strdup_printf("netmon: comment table size is %u, which is too small to use",
+ comment_table_size);
+ return WTAP_OPEN_ERROR;
+ }
+
+ if (comment_table_offset > file_size) {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = ws_strdup_printf("netmon: comment table offset (%u) is larger than file",
+ comment_table_offset);
+ return WTAP_OPEN_ERROR;
+ }
+ }
+
+ /*
+ * Sanity check the process info table information before we bother to allocate
+ * large chunks of memory for the frame table
+ */
+ if ((process_info_table_offset > 0) && (process_info_table_count > 0)) {
+ /*
+ * XXX - clamp the size of the process info table, so that we don't
+ * attempt to allocate a huge process info table and fail.
+ */
+ if (process_info_table_count > 512*1024) {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = ws_strdup_printf("netmon: process info table size is %u, which is larger than we support",
+ process_info_table_count);
+ return WTAP_OPEN_ERROR;
+ }
+
+ if (process_info_table_offset > file_size) {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = ws_strdup_printf("netmon: process info table offset (%u) is larger than file",
+ process_info_table_offset);
+ return WTAP_OPEN_ERROR;
+ }
+ }
+
+ /*
+ * Return back to the frame table offset
+ */
+ if (file_seek(wth->fh, frame_table_offset, SEEK_SET, err) == -1) {
+ return WTAP_OPEN_ERROR;
+ }
+
+ /*
+ * Sanity check the process info table information before we bother to allocate
+ * large chunks of memory for the frame table
+ */
+
+ frame_table = (guint32 *)g_try_malloc(frame_table_length);
+ if (frame_table_length != 0 && frame_table == NULL) {
+ *err = ENOMEM; /* we assume we're out of memory */
+ return WTAP_OPEN_ERROR;
+ }
+ if (!wtap_read_bytes(wth->fh, frame_table, frame_table_length,
+ err, err_info)) {
+ g_free(frame_table);
+ return WTAP_OPEN_ERROR;
+ }
+ netmon->frame_table_size = frame_table_size;
+ netmon->frame_table = frame_table;
+
+ if (comment_table_size > 0) {
+ comment_table = g_hash_table_new_full(g_direct_hash, g_direct_equal, NULL, netmonrec_comment_destroy);
+ if (comment_table == NULL) {
+ *err = ENOMEM; /* we assume we're out of memory */
+ return WTAP_OPEN_ERROR;
+ }
+
+ /* Make sure the file contains the full comment section */
+ if (file_seek(wth->fh, comment_table_offset+comment_table_size, SEEK_SET, err) == -1) {
+ g_hash_table_destroy(comment_table);
+ return WTAP_OPEN_ERROR;
+ }
+
+ if (file_seek(wth->fh, comment_table_offset, SEEK_SET, err) == -1) {
+ /* Shouldn't fail... */
+ g_hash_table_destroy(comment_table);
+ return WTAP_OPEN_ERROR;
+ }
+
+ while (comment_table_size > 16) {
+ struct netmonrec_comment_header comment_header;
+ guint32 title_length;
+ guint32 desc_length;
+ guint8 *utf16_str;
+
+ /* Read the first 12 bytes of the structure */
+ if (!wtap_read_bytes(wth->fh, &comment_header, 12, err, err_info)) {
+ g_hash_table_destroy(comment_table);
+ return WTAP_OPEN_ERROR;
+ }
+ comment_table_size -= 12;
+
+ /* Make sure comment size is sane */
+ title_length = pletoh32(&comment_header.titleLength);
+ if (title_length == 0) {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = g_strdup("netmon: comment title size can't be 0");
+ g_hash_table_destroy(comment_table);
+ return WTAP_OPEN_ERROR;
+ }
+ if (title_length > comment_table_size) {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = ws_strdup_printf("netmon: comment title size is %u, which is larger than the amount remaining in the comment section (%u)",
+ title_length, comment_table_size);
+ g_hash_table_destroy(comment_table);
+ return WTAP_OPEN_ERROR;
+ }
+
+ comment_rec = g_new0(struct netmonrec_comment, 1);
+ comment_rec->numFramePerComment = pletoh32(&comment_header.numFramePerComment);
+ comment_rec->frameOffset = pletoh32(&comment_header.frameOffset);
+
+ g_hash_table_insert(comment_table, GUINT_TO_POINTER(comment_rec->frameOffset), comment_rec);
+
+ /*
+ * Read in the comment title.
+ *
+ * It is in UTF-16-encoded Unicode, and the title
+ * size is a count of octets, not octet pairs or
+ * Unicode characters.
+ */
+ utf16_str = (guint8*)g_malloc(title_length);
+ if (!wtap_read_bytes(wth->fh, utf16_str, title_length,
+ err, err_info)) {
+ g_hash_table_destroy(comment_table);
+ return WTAP_OPEN_ERROR;
+ }
+ comment_table_size -= title_length;
+
+ /*
+ * Now convert it to UTF-8 for internal use.
+ */
+ comment_rec->title = utf_16_to_utf_8(utf16_str,
+ title_length);
+ g_free(utf16_str);
+
+ if (comment_table_size < 4) {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = g_strdup("netmon: corrupt comment section");
+ g_hash_table_destroy(comment_table);
+ return WTAP_OPEN_ERROR;
+ }
+
+ if (!wtap_read_bytes(wth->fh, &desc_length, 4, err, err_info)) {
+ g_hash_table_destroy(comment_table);
+ return WTAP_OPEN_ERROR;
+ }
+ comment_table_size -= 4;
+
+ comment_rec->descLength = pletoh32(&desc_length);
+ if (comment_rec->descLength > 0) {
+ /* Make sure comment size is sane */
+ if (comment_rec->descLength > comment_table_size) {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = ws_strdup_printf("netmon: comment description size is %u, which is larger than the amount remaining in the comment section (%u)",
+ comment_rec->descLength, comment_table_size);
+ g_hash_table_destroy(comment_table);
+ return WTAP_OPEN_ERROR;
+ }
+
+ comment_rec->description = (guint8*)g_malloc(comment_rec->descLength);
+
+ /* Read the comment description */
+ if (!wtap_read_bytes(wth->fh, comment_rec->description, comment_rec->descLength, err, err_info)) {
+ g_hash_table_destroy(comment_table);
+ return WTAP_OPEN_ERROR;
+ }
+
+ comment_table_size -= comment_rec->descLength;
+ }
+ }
+ netmon->comment_table = comment_table;
+ }
+
+ if ((process_info_table_offset > 0) && (process_info_table_count > 0)) {
+ guint16 version;
+
+ /* Go to the process table offset */
+ if (file_seek(wth->fh, process_info_table_offset, SEEK_SET, err) == -1) {
+ return WTAP_OPEN_ERROR;
+ }
+
+ process_info_table = g_hash_table_new_full(g_direct_hash, g_direct_equal, NULL, netmonrec_process_info_destroy);
+ if (process_info_table == NULL) {
+ *err = ENOMEM; /* we assume we're out of memory */
+ return WTAP_OPEN_ERROR;
+ }
+
+ /* Read the version (ignored for now) */
+ if (!wtap_read_bytes(wth->fh, &version, 2, err, err_info)) {
+ g_hash_table_destroy(process_info_table);
+ return WTAP_OPEN_ERROR;
+ }
+
+ while (process_info_table_count > 0)
+ {
+ struct netmonrec_process_info* process_info;
+ guint32 tmp32;
+ guint16 tmp16;
+ guint32 path_size;
+ guint8 *utf16_str;
+
+ process_info = g_new0(struct netmonrec_process_info, 1);
+
+ /* Read path */
+ if (!wtap_read_bytes(wth->fh, &tmp32, 4, err, err_info)) {
+ g_free(process_info);
+ g_hash_table_destroy(process_info_table);
+ return WTAP_OPEN_ERROR;
+ }
+
+ path_size = pletoh32(&tmp32);
+ if (path_size > MATH_PROCINFO_PATH_SIZE) {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = ws_strdup_printf("netmon: Path size for process info record is %u, which is larger than allowed max value (%u)",
+ path_size, MATH_PROCINFO_PATH_SIZE);
+ g_free(process_info);
+ g_hash_table_destroy(process_info_table);
+ return WTAP_OPEN_ERROR;
+ }
+
+ /*
+ * Read in the path string.
+ *
+ * It is in UTF-16-encoded Unicode, and the path
+ * size is a count of octets, not octet pairs or
+ * Unicode characters.
+ */
+ utf16_str = (guint8*)g_malloc(path_size);
+ if (!wtap_read_bytes(wth->fh, utf16_str, path_size,
+ err, err_info)) {
+ g_free(process_info);
+ g_hash_table_destroy(process_info_table);
+ return WTAP_OPEN_ERROR;
+ }
+
+ /*
+ * Now convert it to UTF-8 for internal use.
+ */
+ process_info->path = utf_16_to_utf_8(utf16_str,
+ path_size);
+ g_free(utf16_str);
+
+ /* Read icon (currently not saved) */
+ if (!wtap_read_bytes(wth->fh, &tmp32, 4, err, err_info)) {
+ g_free(process_info);
+ g_hash_table_destroy(process_info_table);
+ return WTAP_OPEN_ERROR;
+ }
+
+ process_info->iconSize = pletoh32(&tmp32);
+
+ /* XXX - skip the icon for now */
+ if (file_seek(wth->fh, process_info->iconSize, SEEK_CUR, err) == -1) {
+ g_free(process_info);
+ g_hash_table_destroy(process_info_table);
+ return WTAP_OPEN_ERROR;
+ }
+ process_info->iconSize = 0;
+
+ if (!wtap_read_bytes(wth->fh, &tmp32, 4, err, err_info)) {
+ g_free(process_info);
+ g_hash_table_destroy(process_info_table);
+ return WTAP_OPEN_ERROR;
+ }
+ process_info->pid = pletoh32(&tmp32);
+
+ /* XXX - Currently index process information by PID */
+ g_hash_table_insert(process_info_table, GUINT_TO_POINTER(process_info->pid), process_info);
+
+ /* Read local port */
+ if (!wtap_read_bytes(wth->fh, &tmp16, 2, err, err_info)) {
+ g_hash_table_destroy(process_info_table);
+ return WTAP_OPEN_ERROR;
+ }
+ process_info->localPort = pletoh16(&tmp16);
+
+ /* Skip padding */
+ if (!wtap_read_bytes(wth->fh, &tmp16, 2, err, err_info)) {
+ g_hash_table_destroy(process_info_table);
+ return WTAP_OPEN_ERROR;
+ }
+
+ /* Read remote port */
+ if (!wtap_read_bytes(wth->fh, &tmp16, 2, err, err_info)) {
+ g_hash_table_destroy(process_info_table);
+ return WTAP_OPEN_ERROR;
+ }
+ process_info->remotePort = pletoh16(&tmp16);
+
+ /* Skip padding */
+ if (!wtap_read_bytes(wth->fh, &tmp16, 2, err, err_info)) {
+ g_hash_table_destroy(process_info_table);
+ return WTAP_OPEN_ERROR;
+ }
+
+ /* Determine IP version */
+ if (!wtap_read_bytes(wth->fh, &tmp32, 4, err, err_info)) {
+ g_hash_table_destroy(process_info_table);
+ return WTAP_OPEN_ERROR;
+ }
+ process_info->isIPv6 = ((pletoh32(&tmp32) == 0) ? FALSE : TRUE);
+
+ if (process_info->isIPv6) {
+ if (!wtap_read_bytes(wth->fh, &process_info->localAddr.ipv6, 16, err, err_info)) {
+ g_hash_table_destroy(process_info_table);
+ return WTAP_OPEN_ERROR;
+ }
+ if (!wtap_read_bytes(wth->fh, &process_info->remoteAddr.ipv6, 16, err, err_info)) {
+ g_hash_table_destroy(process_info_table);
+ return WTAP_OPEN_ERROR;
+ }
+ } else {
+ guint8 ipbuffer[16];
+ if (!wtap_read_bytes(wth->fh, ipbuffer, 16, err, err_info)) {
+ g_hash_table_destroy(process_info_table);
+ return WTAP_OPEN_ERROR;
+ }
+ process_info->localAddr.ipv4 = pletoh32(ipbuffer);
+
+ if (!wtap_read_bytes(wth->fh, ipbuffer, 16, err, err_info)) {
+ g_hash_table_destroy(process_info_table);
+ return WTAP_OPEN_ERROR;
+ }
+ process_info->remoteAddr.ipv4 = pletoh32(ipbuffer);
+ }
+
+ process_info_table_count--;
+ }
+
+ netmon->process_info_table = process_info_table;
+ }
+
+#if G_BYTE_ORDER == G_BIG_ENDIAN
+ /*
+ * OK, now byte-swap the frame table.
+ */
+ for (i = 0; i < frame_table_size; i++)
+ frame_table[i] = pletoh32(&frame_table[i]);
+#endif
+
+ /* Set up to start reading at the first frame. */
+ netmon->current_frame = 0;
+ switch (netmon->version_major) {
+
+ case 1:
+ /*
+ * Version 1.x of the file format supports
+ * millisecond precision.
+ */
+ wth->file_tsprec = WTAP_TSPREC_MSEC;
+ break;
+
+ case 2:
+ /*
+ * Versions 2.0 through 2.2 support microsecond
+ * precision; version 2.3 supports 100-nanosecond
+ * precision (2.3 was the last version).
+ */
+ if (netmon->version_minor >= 3)
+ wth->file_tsprec = WTAP_TSPREC_100_NSEC;
+ else
+ wth->file_tsprec = WTAP_TSPREC_USEC;
+ break;
+ }
+ return WTAP_OPEN_MINE;
+}
+
+static void
+netmon_set_pseudo_header_info(wtap_rec *rec, Buffer *buf)
+{
+ switch (rec->rec_header.packet_header.pkt_encap) {
+
+ case WTAP_ENCAP_ATM_PDUS:
+ /*
+ * Attempt to guess from the packet data, the VPI, and
+ * the VCI information about the type of traffic.
+ */
+ atm_guess_traffic_type(rec, ws_buffer_start_ptr(buf));
+ break;
+
+ case WTAP_ENCAP_ETHERNET:
+ /*
+ * We assume there's no FCS in this frame.
+ */
+ rec->rec_header.packet_header.pseudo_header.eth.fcs_len = 0;
+ break;
+
+ case WTAP_ENCAP_IEEE_802_11_NETMON:
+ /*
+ * The 802.11 metadata at the beginnning of the frame data
+ * is processed by a dissector, which fills in a pseudo-
+ * header and passes it to the 802.11 radio dissector,
+ * just as is done with other 802.11 radio metadata headers
+ * that are part of the packet data, such as radiotap.
+ */
+ break;
+ }
+}
+
+typedef enum {
+ SUCCESS,
+ FAILURE,
+ RETRY
+} process_record_retval;
+
+static process_record_retval
+netmon_process_record(wtap *wth, FILE_T fh, wtap_rec *rec,
+ Buffer *buf, int *err, gchar **err_info)
+{
+ netmon_t *netmon = (netmon_t *)wth->priv;
+ int hdr_size = 0;
+ union {
+ struct netmonrec_1_x_hdr hdr_1_x;
+ struct netmonrec_2_x_hdr hdr_2_x;
+ } hdr;
+ gint64 delta = 0; /* signed - frame times can be before the nominal start */
+ gint64 t;
+ time_t secs;
+ int nsecs;
+ guint32 packet_size = 0;
+ guint32 orig_size = 0;
+ int trlr_size;
+ union {
+ struct netmonrec_2_1_trlr trlr_2_1;
+ struct netmonrec_2_2_trlr trlr_2_2;
+ struct netmonrec_2_3_trlr trlr_2_3;
+ } trlr;
+ guint16 network;
+ int pkt_encap;
+ struct netmonrec_comment* comment_rec = NULL;
+
+ /* Read record header. */
+ switch (netmon->version_major) {
+
+ case 1:
+ hdr_size = sizeof (struct netmonrec_1_x_hdr);
+ break;
+
+ case 2:
+ hdr_size = sizeof (struct netmonrec_2_x_hdr);
+ break;
+ }
+ if (!wtap_read_bytes_or_eof(fh, &hdr, hdr_size, err, err_info))
+ return FAILURE;
+
+ switch (netmon->version_major) {
+
+ case 1:
+ orig_size = pletoh16(&hdr.hdr_1_x.orig_len);
+ packet_size = pletoh16(&hdr.hdr_1_x.incl_len);
+ break;
+
+ case 2:
+ orig_size = pletoh32(&hdr.hdr_2_x.orig_len);
+ packet_size = pletoh32(&hdr.hdr_2_x.incl_len);
+ break;
+ }
+ if (packet_size > WTAP_MAX_PACKET_SIZE_STANDARD) {
+ /*
+ * Probably a corrupt capture file; don't blow up trying
+ * to allocate space for an immensely-large packet.
+ */
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = ws_strdup_printf("netmon: File has %u-byte packet, bigger than maximum of %u",
+ packet_size, WTAP_MAX_PACKET_SIZE_STANDARD);
+ return FAILURE;
+ }
+
+ rec->rec_type = REC_TYPE_PACKET;
+ rec->block = wtap_block_create(WTAP_BLOCK_PACKET);
+
+ /*
+ * If this is an ATM packet, the first
+ * "sizeof (struct netmon_atm_hdr)" bytes have destination and
+ * source addresses (6 bytes - MAC addresses of some sort?)
+ * and the VPI and VCI; read them and generate the pseudo-header
+ * from them.
+ */
+ switch (wth->file_encap) {
+
+ case WTAP_ENCAP_ATM_PDUS:
+ if (packet_size < sizeof (struct netmon_atm_hdr)) {
+ /*
+ * Uh-oh, the packet isn't big enough to even
+ * have a pseudo-header.
+ */
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = ws_strdup_printf("netmon: ATM file has a %u-byte packet, too small to have even an ATM pseudo-header",
+ packet_size);
+ return FAILURE;
+ }
+ if (!netmon_read_atm_pseudoheader(fh, &rec->rec_header.packet_header.pseudo_header,
+ err, err_info))
+ return FAILURE; /* Read error */
+
+ /*
+ * Don't count the pseudo-header as part of the packet.
+ */
+ orig_size -= (guint)sizeof (struct netmon_atm_hdr);
+ packet_size -= (guint)sizeof (struct netmon_atm_hdr);
+ break;
+
+ default:
+ break;
+ }
+
+ switch (netmon->version_major) {
+
+ case 1:
+ /*
+ * According to Paul Long, this offset is unsigned.
+ * It's 32 bits, so the maximum value will fit in
+ * a gint64 such as delta, even after multiplying
+ * it by 1000000.
+ *
+ * pletoh32() returns a guint32; we cast it to gint64
+ * before multiplying, so that the product doesn't
+ * overflow a guint32.
+ */
+ delta = ((gint64)pletoh32(&hdr.hdr_1_x.ts_delta))*1000000;
+ break;
+
+ case 2:
+ /*
+ * OK, this is weird. Microsoft's documentation
+ * says this is in microseconds and is a 64-bit
+ * unsigned number, but it can be negative; they
+ * say what appears to amount to "treat it as an
+ * unsigned number, multiply it by 10, and then
+ * interpret the resulting 64-bit quantity as a
+ * signed number". That operation can turn a
+ * value with the uppermost bit 0 to a value with
+ * the uppermost bit 1, hence turning a large
+ * positive number-of-microseconds into a small
+ * negative number-of-100-nanosecond-increments.
+ */
+ delta = pletoh64(&hdr.hdr_2_x.ts_delta)*10;
+
+ /*
+ * OK, it's now a signed value in 100-nanosecond
+ * units. Now convert it to nanosecond units.
+ */
+ delta *= 100;
+ break;
+ }
+ secs = 0;
+ t = netmon->start_nsecs + delta;
+ while (t < 0) {
+ /*
+ * Propagate a borrow into the seconds.
+ * The seconds is a time_t, and can be < 0
+ * (unlikely, as Windows didn't exist before
+ * January 1, 1970, 00:00:00 UTC), while the
+ * nanoseconds should be positive, as in
+ * "nanoseconds since the instant of time
+ * represented by the seconds".
+ *
+ * We do not want t to be negative, as, according
+ * to the C90 standard, "if either operand [of /
+ * or %] is negative, whether the result of the
+ * / operator is the largest integer less than or
+ * equal to the algebraic quotient or the smallest
+ * greater than or equal to the algebraic quotient
+ * is implementation-defined, as is the sign of
+ * the result of the % operator", and we want
+ * the result of the division and remainder
+ * operations to be the same on all platforms.
+ */
+ t += 1000000000;
+ secs--;
+ }
+ secs += (time_t)(t/1000000000);
+ nsecs = (int)(t%1000000000);
+ rec->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
+ rec->ts.secs = netmon->start_secs + secs;
+ rec->ts.nsecs = nsecs;
+ rec->rec_header.packet_header.caplen = packet_size;
+ rec->rec_header.packet_header.len = orig_size;
+
+ /*
+ * Read the packet data.
+ */
+ if (!wtap_read_packet_bytes(fh, buf, rec->rec_header.packet_header.caplen, err, err_info))
+ return FAILURE;
+
+ /*
+ * For version 2.1 and later, there's additional information
+ * after the frame data.
+ */
+ if (netmon->version_major == 2 && netmon->version_minor >= 1) {
+ switch (netmon->version_minor) {
+
+ case 1:
+ trlr_size = (int)sizeof (struct netmonrec_2_1_trlr);
+ break;
+
+ case 2:
+ trlr_size = (int)sizeof (struct netmonrec_2_2_trlr);
+ break;
+
+ default:
+ trlr_size = (int)sizeof (struct netmonrec_2_3_trlr);
+ break;
+ }
+
+ if (!wtap_read_bytes(fh, &trlr, trlr_size, err, err_info))
+ return FAILURE;
+
+ network = pletoh16(trlr.trlr_2_1.network);
+ if ((network >= 0xE080) && (network <= 0xE08A)) {
+ /* These values "violate" the LINKTYPE_ media type values
+ * in Microsoft Analyzer and are considered a MAExportedMediaType,
+ * so they need their own WTAP_ types
+ */
+ switch (network)
+ {
+ case 0xE080: // "WiFi Message"
+ pkt_encap = WTAP_ENCAP_IEEE_802_11;
+ break;
+ case 0xE081: // "Ndis Etw WiFi Channel Message"
+ case 0xE082: // "Fiddler Netmon Message"
+ case 0xE089: // "Pef Ndis Msg";
+ case 0xE08A: // "Pef Ndis Wifi Meta Msg";
+ *err = WTAP_ERR_UNSUPPORTED;
+ *err_info = ws_strdup_printf("netmon: network type %u unknown or unsupported", network);
+ return FAILURE;
+ case 0xE083:
+ pkt_encap = WTAP_ENCAP_MA_WFP_CAPTURE_V4;
+ break;
+ case 0xE084:
+ pkt_encap = WTAP_ENCAP_MA_WFP_CAPTURE_V6;
+ break;
+ case 0xE085:
+ pkt_encap = WTAP_ENCAP_MA_WFP_CAPTURE_2V4;
+ break;
+ case 0xE086:
+ pkt_encap = WTAP_ENCAP_MA_WFP_CAPTURE_2V6;
+ break;
+ case 0xE087:
+ pkt_encap = WTAP_ENCAP_MA_WFP_CAPTURE_AUTH_V4;
+ break;
+ case 0xE088:
+ pkt_encap = WTAP_ENCAP_MA_WFP_CAPTURE_AUTH_V6;
+ break;
+ default:
+ pkt_encap = WTAP_ENCAP_UNKNOWN;
+ break;
+ }
+ } else if ((network & 0xF000) == NETMON_NET_PCAP_BASE) {
+ /*
+ * Converted pcap file - the LINKTYPE_ value
+ * is the network value with 0xF000 masked off.
+ */
+ network &= 0x0FFF;
+ pkt_encap = wtap_pcap_encap_to_wtap_encap(network);
+ if (pkt_encap == WTAP_ENCAP_UNKNOWN) {
+ *err = WTAP_ERR_UNSUPPORTED;
+ *err_info = ws_strdup_printf("netmon: converted pcap network type %u unknown or unsupported",
+ network);
+ return FAILURE;
+ }
+ } else if (network < NUM_NETMON_ENCAPS) {
+ /*
+ * Regular NetMon encapsulation.
+ */
+ pkt_encap = netmon_encap[network];
+ if (pkt_encap == WTAP_ENCAP_UNKNOWN) {
+ *err = WTAP_ERR_UNSUPPORTED;
+ *err_info = ws_strdup_printf("netmon: network type %u unknown or unsupported",
+ network);
+ return FAILURE;
+ }
+ } else {
+ /*
+ * Special packet type for metadata.
+ */
+ switch (network) {
+
+ case NETMON_NET_NETEVENT:
+ /*
+ * Event Tracing event.
+ *
+ * https://docs.microsoft.com/en-us/windows/win32/api/evntcons/ns-evntcons-event_header
+ */
+ pkt_encap = WTAP_ENCAP_NETMON_NET_NETEVENT;
+ break;
+
+ case NETMON_NET_NETWORK_INFO_EX:
+ /*
+ * List of adapters on which the capture
+ * was done.
+ * XXX - this could be translated into pcapng
+ * blocks but for now, just treat as a frame.
+ */
+ pkt_encap = WTAP_ENCAP_NETMON_NETWORK_INFO_EX;
+ break;
+
+ case NETMON_NET_PAYLOAD_HEADER:
+ /*
+ * Header for a fake frame constructed
+ * by reassembly.
+ */
+ return RETRY;
+
+ case NETMON_NET_NETWORK_INFO:
+ /*
+ * List of adapters on which the capture
+ * was done.
+ */
+ return RETRY;
+
+ case NETMON_NET_DNS_CACHE:
+ /*
+ * List of resolved IP addresses.
+ */
+ return RETRY;
+
+ case NETMON_NET_NETMON_FILTER:
+ /*
+ * NetMon capture or display filter
+ * string.
+ */
+ pkt_encap = WTAP_ENCAP_NETMON_NET_FILTER;
+ break;
+
+ default:
+ *err = WTAP_ERR_UNSUPPORTED;
+ *err_info = ws_strdup_printf("netmon: network type %u unknown or unsupported",
+ network);
+ return FAILURE;
+ }
+ }
+
+ rec->rec_header.packet_header.pkt_encap = pkt_encap;
+ if (netmon->version_minor >= 3) {
+ /*
+ * This is a 2.3 or later file. That format
+ * contains a UTC per-packet time stamp; use
+ * that instead of the start time and offset.
+ */
+ guint64 d;
+
+ d = pletoh64(trlr.trlr_2_3.utc_timestamp);
+
+ /*
+ * Get the time as seconds and nanoseconds.
+ * and overwrite the time stamp obtained
+ * from the record header.
+ */
+ if (!filetime_to_nstime(&rec->ts, d)) {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = g_strdup("netmon: time stamp outside supported range");
+ return FAILURE;
+ }
+ }
+ }
+
+ netmon_set_pseudo_header_info(rec, buf);
+
+ /* If any header specific information is present, set it as pseudo header data
+ * and set the encapsulation type, so it can be handled to the netmon_header
+ * dissector for further processing
+ */
+ if (netmon->comment_table != NULL) {
+ comment_rec = (struct netmonrec_comment*)g_hash_table_lookup(netmon->comment_table, GUINT_TO_POINTER(netmon->frame_table[netmon->current_frame-1]));
+ }
+
+ if (comment_rec != NULL) {
+ union wtap_pseudo_header temp_header;
+
+ /* These are the current encapsulation types that NetMon uses.
+ * Save them off so they can be copied to the NetMon pseudoheader
+ */
+ switch (rec->rec_header.packet_header.pkt_encap)
+ {
+ case WTAP_ENCAP_ATM_PDUS:
+ memcpy(&temp_header.atm, &rec->rec_header.packet_header.pseudo_header.atm, sizeof(temp_header.atm));
+ break;
+ case WTAP_ENCAP_ETHERNET:
+ memcpy(&temp_header.eth, &rec->rec_header.packet_header.pseudo_header.eth, sizeof(temp_header.eth));
+ break;
+ case WTAP_ENCAP_IEEE_802_11_NETMON:
+ memcpy(&temp_header.ieee_802_11, &rec->rec_header.packet_header.pseudo_header.ieee_802_11, sizeof(temp_header.ieee_802_11));
+ break;
+ }
+ memset(&rec->rec_header.packet_header.pseudo_header.netmon, 0, sizeof(rec->rec_header.packet_header.pseudo_header.netmon));
+
+ /* Save the current encapsulation type to the NetMon pseudoheader */
+ rec->rec_header.packet_header.pseudo_header.netmon.sub_encap = rec->rec_header.packet_header.pkt_encap;
+
+ /* Copy the comment data */
+ rec->rec_header.packet_header.pseudo_header.netmon.title = comment_rec->title;
+ rec->rec_header.packet_header.pseudo_header.netmon.descLength = comment_rec->descLength;
+ rec->rec_header.packet_header.pseudo_header.netmon.description = comment_rec->description;
+
+ /* Copy the saved pseudoheaders to the netmon pseudoheader structure */
+ switch (rec->rec_header.packet_header.pkt_encap)
+ {
+ case WTAP_ENCAP_ATM_PDUS:
+ memcpy(&rec->rec_header.packet_header.pseudo_header.netmon.subheader.atm, &temp_header.atm, sizeof(temp_header.atm));
+ break;
+ case WTAP_ENCAP_ETHERNET:
+ memcpy(&rec->rec_header.packet_header.pseudo_header.netmon.subheader.eth, &temp_header.eth, sizeof(temp_header.eth));
+ break;
+ case WTAP_ENCAP_IEEE_802_11_NETMON:
+ memcpy(&rec->rec_header.packet_header.pseudo_header.netmon.subheader.ieee_802_11, &temp_header.ieee_802_11, sizeof(temp_header.ieee_802_11));
+ break;
+ }
+
+ /* Encapsulation type is now something that can be passed to netmon_header dissector */
+ rec->rec_header.packet_header.pkt_encap = WTAP_ENCAP_NETMON_HEADER;
+ }
+
+ return SUCCESS;
+}
+
+/* Read the next packet */
+static gboolean netmon_read(wtap *wth, wtap_rec *rec, Buffer *buf,
+ int *err, gchar **err_info, gint64 *data_offset)
+{
+ netmon_t *netmon = (netmon_t *)wth->priv;
+ gint64 rec_offset;
+
+ for (;;) {
+ /* Have we reached the end of the packet data? */
+ if (netmon->current_frame >= netmon->frame_table_size) {
+ *err = 0; /* it's just an EOF, not an error */
+ return FALSE;
+ }
+
+ /* Seek to the beginning of the current record, if we're
+ not there already (seeking to the current position
+ may still cause a seek and a read of the underlying file,
+ so we don't want to do it unconditionally).
+
+ Yes, the current record could be before the previous
+ record. At least some captures put the trailer record
+ with statistics as the first physical record in the
+ file, but set the frame table up so it's the last
+ record in sequence. */
+ rec_offset = netmon->frame_table[netmon->current_frame];
+ if (file_tell(wth->fh) != rec_offset) {
+ if (file_seek(wth->fh, rec_offset, SEEK_SET, err) == -1)
+ return FALSE;
+ }
+ netmon->current_frame++;
+
+ *data_offset = file_tell(wth->fh);
+
+ switch (netmon_process_record(wth, wth->fh, rec, buf, err,
+ err_info)) {
+
+ case RETRY:
+ continue;
+
+ case SUCCESS:
+ return TRUE;
+
+ case FAILURE:
+ return FALSE;
+ }
+ }
+}
+
+static gboolean
+netmon_seek_read(wtap *wth, gint64 seek_off,
+ wtap_rec *rec, Buffer *buf, int *err, gchar **err_info)
+{
+ if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
+ return FALSE;
+
+ switch (netmon_process_record(wth, wth->random_fh, rec, buf, err,
+ err_info)) {
+
+ default:
+ /*
+ * This should not happen.
+ */
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = g_strdup("netmon: saw metadata in netmon_seek_read");
+ return FALSE;
+
+ case SUCCESS:
+ return TRUE;
+
+ case FAILURE:
+ return FALSE;
+ }
+}
+
+static gboolean
+netmon_read_atm_pseudoheader(FILE_T fh, union wtap_pseudo_header *pseudo_header,
+ int *err, gchar **err_info)
+{
+ struct netmon_atm_hdr atm_phdr;
+ guint16 vpi, vci;
+
+ if (!wtap_read_bytes(fh, &atm_phdr, sizeof (struct netmon_atm_hdr),
+ err, err_info))
+ return FALSE;
+
+ vpi = g_ntohs(atm_phdr.vpi);
+ vci = g_ntohs(atm_phdr.vci);
+
+ pseudo_header->atm.vpi = vpi;
+ pseudo_header->atm.vci = vci;
+
+ /* We don't have this information */
+ pseudo_header->atm.flags = 0;
+ pseudo_header->atm.channel = 0;
+ pseudo_header->atm.cells = 0;
+ pseudo_header->atm.aal5t_u2u = 0;
+ pseudo_header->atm.aal5t_len = 0;
+ pseudo_header->atm.aal5t_chksum = 0;
+
+ return TRUE;
+}
+
+/* Throw away the frame table used by the sequential I/O stream. */
+static void
+netmon_close(wtap *wth)
+{
+ netmon_t *netmon = (netmon_t *)wth->priv;
+
+ if (netmon->frame_table != NULL) {
+ g_free(netmon->frame_table);
+ netmon->frame_table = NULL;
+ }
+
+ if (netmon->comment_table != NULL) {
+ g_hash_table_destroy(netmon->comment_table);
+ netmon->comment_table = NULL;
+ }
+
+ if (netmon->process_info_table != NULL) {
+ g_hash_table_destroy(netmon->process_info_table);
+ netmon->process_info_table = NULL;
+ }
+}
+
+typedef struct {
+ gboolean is_v2;
+ gboolean got_first_record_time;
+ nstime_t first_record_time;
+ guint32 frame_table_offset;
+ guint32 *frame_table;
+ guint frame_table_index;
+ guint frame_table_size;
+ gboolean no_more_room; /* TRUE if no more records can be written */
+} netmon_dump_t;
+
+static const int wtap_encap[] = {
+ -1, /* WTAP_ENCAP_UNKNOWN -> unsupported */
+ 1, /* WTAP_ENCAP_ETHERNET -> NDIS Ethernet */
+ 2, /* WTAP_ENCAP_TOKEN_RING -> NDIS Token Ring */
+ -1, /* WTAP_ENCAP_SLIP -> unsupported */
+ -1, /* WTAP_ENCAP_PPP -> unsupported */
+ 3, /* WTAP_ENCAP_FDDI -> NDIS FDDI */
+ 3, /* WTAP_ENCAP_FDDI_BITSWAPPED -> NDIS FDDI */
+ -1, /* WTAP_ENCAP_RAW_IP -> unsupported */
+ -1, /* WTAP_ENCAP_ARCNET -> unsupported */
+ -1, /* WTAP_ENCAP_ARCNET_LINUX -> unsupported */
+ -1, /* WTAP_ENCAP_ATM_RFC1483 -> unsupported */
+ -1, /* WTAP_ENCAP_LINUX_ATM_CLIP -> unsupported */
+ -1, /* WTAP_ENCAP_LAPB -> unsupported*/
+ 4, /* WTAP_ENCAP_ATM_PDUS -> NDIS WAN (*NOT* ATM!) */
+};
+#define NUM_WTAP_ENCAPS (sizeof wtap_encap / sizeof wtap_encap[0])
+
+/* Returns 0 if we could write the specified encapsulation type,
+ an error indication otherwise. */
+static int netmon_dump_can_write_encap_1_x(int encap)
+{
+ /*
+ * Per-packet encapsulations are *not* supported in NetMon 1.x
+ * format.
+ */
+ if (encap < 0 || (unsigned) encap >= NUM_WTAP_ENCAPS || wtap_encap[encap] == -1)
+ return WTAP_ERR_UNWRITABLE_ENCAP;
+
+ return 0;
+}
+
+static int netmon_dump_can_write_encap_2_x(int encap)
+{
+ /*
+ * Per-packet encapsulations are supported in NetMon 2.1
+ * format.
+ */
+ if (encap == WTAP_ENCAP_PER_PACKET)
+ return 0;
+
+ if (encap < 0 || (unsigned) encap >= NUM_WTAP_ENCAPS || wtap_encap[encap] == -1)
+ return WTAP_ERR_UNWRITABLE_ENCAP;
+
+ return 0;
+}
+
+/* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
+ failure */
+static gboolean netmon_dump_open(wtap_dumper *wdh, gboolean is_v2,
+ int *err, gchar **err_info _U_)
+{
+ netmon_dump_t *netmon;
+
+ /* We can't fill in all the fields in the file header, as we
+ haven't yet written any packets. As we'll have to rewrite
+ the header when we've written out all the packets, we just
+ skip over the header for now. */
+ if (wtap_dump_file_seek(wdh, CAPTUREFILE_HEADER_SIZE, SEEK_SET, err) == -1)
+ return FALSE;
+
+ wdh->bytes_dumped = CAPTUREFILE_HEADER_SIZE;
+ wdh->subtype_write = netmon_dump;
+ wdh->subtype_finish = netmon_dump_finish;
+
+ netmon = g_new(netmon_dump_t, 1);
+ wdh->priv = (void *)netmon;
+ netmon->is_v2 = is_v2;
+ netmon->frame_table_offset = CAPTUREFILE_HEADER_SIZE;
+ netmon->got_first_record_time = FALSE;
+ netmon->frame_table = NULL;
+ netmon->frame_table_index = 0;
+ netmon->frame_table_size = 0;
+ netmon->no_more_room = FALSE;
+
+ return TRUE;
+}
+
+static gboolean netmon_dump_open_1_x(wtap_dumper *wdh, int *err, gchar **err_info _U_)
+{
+ return netmon_dump_open(wdh, FALSE, err, err_info);
+}
+
+static gboolean netmon_dump_open_2_x(wtap_dumper *wdh, int *err, gchar **err_info _U_)
+{
+ return netmon_dump_open(wdh, TRUE, err, err_info);
+}
+
+/* Write a record for a packet to a dump file.
+ Returns TRUE on success, FALSE on failure. */
+static gboolean netmon_dump(wtap_dumper *wdh, const wtap_rec *rec,
+ const guint8 *pd, int *err, gchar **err_info _U_)
+{
+ const union wtap_pseudo_header *pseudo_header = &rec->rec_header.packet_header.pseudo_header;
+ netmon_dump_t *netmon = (netmon_dump_t *)wdh->priv;
+ struct netmonrec_1_x_hdr rec_1_x_hdr;
+ struct netmonrec_2_x_hdr rec_2_x_hdr;
+ void *hdrp;
+ size_t rec_size;
+ struct netmonrec_2_1_trlr rec_2_x_trlr;
+ size_t hdr_size;
+ struct netmon_atm_hdr atm_hdr;
+ int atm_hdrsize;
+ gint64 secs;
+ gint32 nsecs;
+
+ /* We can only write packet records. */
+ if (rec->rec_type != REC_TYPE_PACKET) {
+ *err = WTAP_ERR_UNWRITABLE_REC_TYPE;
+ return FALSE;
+ }
+
+ if (netmon->is_v2) {
+ /* Don't write anything we're not willing to read. */
+ if (rec->rec_header.packet_header.caplen > WTAP_MAX_PACKET_SIZE_STANDARD) {
+ *err = WTAP_ERR_PACKET_TOO_LARGE;
+ return FALSE;
+ }
+ } else {
+ /*
+ * Make sure this packet doesn't have a link-layer type that
+ * differs from the one for the file.
+ */
+ if (wdh->file_encap != rec->rec_header.packet_header.pkt_encap) {
+ *err = WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
+ return FALSE;
+ }
+
+ /*
+ * The length fields are 16-bit, so there's a hard limit
+ * of 65535.
+ */
+ if (rec->rec_header.packet_header.caplen > 65535) {
+ *err = WTAP_ERR_PACKET_TOO_LARGE;
+ return FALSE;
+ }
+ }
+
+ if (wdh->file_encap == WTAP_ENCAP_PER_PACKET) {
+ /*
+ * Is this network type supported?
+ */
+ if (rec->rec_header.packet_header.pkt_encap < 0 ||
+ (unsigned) rec->rec_header.packet_header.pkt_encap >= NUM_WTAP_ENCAPS ||
+ wtap_encap[rec->rec_header.packet_header.pkt_encap] == -1) {
+ /*
+ * No. Fail.
+ */
+ *err = WTAP_ERR_UNWRITABLE_ENCAP;
+ return FALSE;
+ }
+
+ /*
+ * Fill in the trailer with the network type.
+ */
+ phtoles(rec_2_x_trlr.network, wtap_encap[rec->rec_header.packet_header.pkt_encap]);
+ }
+
+ /*
+ * Will the file offset of this frame fit in a 32-bit unsigned
+ * integer?
+ */
+ if (netmon->no_more_room) {
+ /*
+ * No, so the file is too big for NetMon format to
+ * handle.
+ */
+ *err = EFBIG;
+ return FALSE;
+ }
+
+ /*
+ * NetMon files have a capture start time in the file header,
+ * and have times relative to that in the packet headers;
+ * pick the time of the first packet as the capture start
+ * time.
+ *
+ * That time has millisecond resolution, so chop any
+ * sub-millisecond part of the time stamp off.
+ */
+ if (!netmon->got_first_record_time) {
+ netmon->first_record_time.secs = rec->ts.secs;
+ netmon->first_record_time.nsecs =
+ (rec->ts.nsecs/1000000)*1000000;
+ netmon->got_first_record_time = TRUE;
+ }
+
+ if (wdh->file_encap == WTAP_ENCAP_ATM_PDUS)
+ atm_hdrsize = sizeof (struct netmon_atm_hdr);
+ else
+ atm_hdrsize = 0;
+ secs = (gint64)(rec->ts.secs - netmon->first_record_time.secs);
+ nsecs = rec->ts.nsecs - netmon->first_record_time.nsecs;
+ while (nsecs < 0) {
+ /*
+ * Propagate a borrow into the seconds.
+ * The seconds is a time_t, and can be < 0
+ * (unlikely, as neither UN*X nor DOS
+ * nor the original Mac System existed
+ * before January 1, 1970, 00:00:00 UTC),
+ * while the nanoseconds should be positive,
+ * as in "nanoseconds since the instant of time
+ * represented by the seconds".
+ *
+ * We do not want t to be negative, as, according
+ * to the C90 standard, "if either operand [of /
+ * or %] is negative, whether the result of the
+ * / operator is the largest integer less than or
+ * equal to the algebraic quotient or the smallest
+ * greater than or equal to the algebraic quotient
+ * is implementation-defined, as is the sign of
+ * the result of the % operator", and we want
+ * the result of the division and remainder
+ * operations to be the same on all platforms.
+ */
+ nsecs += 1000000000;
+ secs--;
+ }
+ if (netmon->is_v2) {
+ rec_2_x_hdr.ts_delta = GUINT64_TO_LE(secs*1000000 + (nsecs + 500)/1000);
+ rec_2_x_hdr.orig_len = GUINT32_TO_LE(rec->rec_header.packet_header.len + atm_hdrsize);
+ rec_2_x_hdr.incl_len = GUINT32_TO_LE(rec->rec_header.packet_header.caplen + atm_hdrsize);
+ hdrp = &rec_2_x_hdr;
+ hdr_size = sizeof rec_2_x_hdr;
+ } else {
+ rec_1_x_hdr.ts_delta = GUINT32_TO_LE(secs*1000 + (nsecs + 500000)/1000000);
+ rec_1_x_hdr.orig_len = GUINT16_TO_LE(rec->rec_header.packet_header.len + atm_hdrsize);
+ rec_1_x_hdr.incl_len = GUINT16_TO_LE(rec->rec_header.packet_header.caplen + atm_hdrsize);
+ hdrp = &rec_1_x_hdr;
+ hdr_size = sizeof rec_1_x_hdr;
+ }
+
+ /*
+ * Keep track of the record size, as we need to update
+ * the current file offset.
+ */
+ rec_size = 0;
+
+ if (!wtap_dump_file_write(wdh, hdrp, hdr_size, err))
+ return FALSE;
+ rec_size += hdr_size;
+
+ if (wdh->file_encap == WTAP_ENCAP_ATM_PDUS) {
+ /*
+ * Write the ATM header.
+ * We supply all-zero destination and source addresses.
+ */
+ memset(&atm_hdr.dest, 0, sizeof atm_hdr.dest);
+ memset(&atm_hdr.src, 0, sizeof atm_hdr.src);
+ atm_hdr.vpi = g_htons(pseudo_header->atm.vpi);
+ atm_hdr.vci = g_htons(pseudo_header->atm.vci);
+ if (!wtap_dump_file_write(wdh, &atm_hdr, sizeof atm_hdr, err))
+ return FALSE;
+ rec_size += sizeof atm_hdr;
+ }
+
+ if (!wtap_dump_file_write(wdh, pd, rec->rec_header.packet_header.caplen, err))
+ return FALSE;
+ rec_size += rec->rec_header.packet_header.caplen;
+
+ if (wdh->file_encap == WTAP_ENCAP_PER_PACKET) {
+ /*
+ * Write out the trailer.
+ */
+ if (!wtap_dump_file_write(wdh, &rec_2_x_trlr,
+ sizeof rec_2_x_trlr, err))
+ return FALSE;
+ rec_size += sizeof rec_2_x_trlr;
+ }
+
+ /*
+ * Stash the file offset of this frame.
+ */
+ if (netmon->frame_table_size == 0) {
+ /*
+ * Haven't yet allocated the buffer for the frame table.
+ */
+ netmon->frame_table = (guint32 *)g_malloc(1024 * sizeof *netmon->frame_table);
+ netmon->frame_table_size = 1024;
+ } else {
+ /*
+ * We've allocated it; are we at the end?
+ */
+ if (netmon->frame_table_index >= netmon->frame_table_size) {
+ /*
+ * Yes - double the size of the frame table.
+ */
+ netmon->frame_table_size *= 2;
+ netmon->frame_table = (guint32 *)g_realloc(netmon->frame_table,
+ netmon->frame_table_size * sizeof *netmon->frame_table);
+ }
+ }
+
+ netmon->frame_table[netmon->frame_table_index] =
+ GUINT32_TO_LE(netmon->frame_table_offset);
+
+ /*
+ * Is this the last record we can write?
+ * I.e., will the frame table offset of the next record not fit
+ * in a 32-bit frame table offset entry?
+ *
+ * (We don't bother checking whether the number of frames
+ * will fit in a 32-bit value, as, even if each record were
+ * 1 byte, if there were more than 2^32-1 packets, the frame
+ * table offset of at least one of those packets will be >
+ * 2^32 - 1.)
+ *
+ * Note: this also catches the unlikely possibility that
+ * the record itself is > 2^32 - 1 bytes long.
+ */
+ if ((guint64)netmon->frame_table_offset + rec_size > G_MAXUINT32) {
+ /*
+ * Yup, too big.
+ */
+ netmon->no_more_room = TRUE;
+ }
+ netmon->frame_table_index++;
+ netmon->frame_table_offset += (guint32) rec_size;
+
+ return TRUE;
+}
+
+/* Finish writing to a dump file.
+ Returns TRUE on success, FALSE on failure. */
+static gboolean netmon_dump_finish(wtap_dumper *wdh, int *err,
+ gchar **err_info _U_)
+{
+ netmon_dump_t *netmon = (netmon_dump_t *)wdh->priv;
+ size_t n_to_write;
+ struct netmon_hdr file_hdr;
+ const char *magicp;
+ size_t magic_size;
+ struct tm *tm;
+ gint64 saved_bytes_dumped;
+
+ /* Write out the frame table. "netmon->frame_table_index" is
+ the number of entries we've put into it. */
+ n_to_write = netmon->frame_table_index * sizeof *netmon->frame_table;
+ if (!wtap_dump_file_write(wdh, netmon->frame_table, n_to_write, err))
+ return FALSE;
+
+ /* Now go fix up the file header. */
+ if (wtap_dump_file_seek(wdh, 0, SEEK_SET, err) == -1)
+ return FALSE;
+ /* Save bytes_dumped since following calls to wtap_dump_file_write()
+ * will still (mistakenly) increase it.
+ */
+ saved_bytes_dumped = wdh->bytes_dumped;
+ memset(&file_hdr, '\0', sizeof file_hdr);
+ if (netmon->is_v2) {
+ magicp = netmon_2_x_magic;
+ magic_size = sizeof netmon_2_x_magic;
+ /*
+ * NetMon file version, for 2.x, is 2.0;
+ * for 3.0, it's 2.1.
+ *
+ * If the file encapsulation is WTAP_ENCAP_PER_PACKET,
+ * we need version 2.1.
+ *
+ * XXX - version 2.3 supports UTC time stamps; when
+ * should we use it? According to the file format
+ * documentation, NetMon 3.3 "cannot properly
+ * interpret" the UTC timestamp information; does
+ * that mean it ignores it and uses the local-time
+ * start time and time deltas, or mishandles them?
+ * Also, NetMon 3.1 and earlier can't read version
+ * 2.2, much less version 2.3.
+ */
+ file_hdr.ver_major = 2;
+ file_hdr.ver_minor =
+ (wdh->file_encap == WTAP_ENCAP_PER_PACKET) ? 1 : 0;
+ } else {
+ magicp = netmon_1_x_magic;
+ magic_size = sizeof netmon_1_x_magic;
+ /* NetMon file version, for 1.x, is 1.1 */
+ file_hdr.ver_major = 1;
+ file_hdr.ver_minor = 1;
+ }
+ if (!wtap_dump_file_write(wdh, magicp, magic_size, err))
+ return FALSE;
+
+ if (wdh->file_encap == WTAP_ENCAP_PER_PACKET) {
+ /*
+ * We're writing NetMon 2.1 format, so the media
+ * type in the file header is irrelevant. Set it
+ * to 1, just as Network Monitor does.
+ */
+ file_hdr.network = GUINT16_TO_LE(1);
+ } else
+ file_hdr.network = GUINT16_TO_LE(wtap_encap[wdh->file_encap]);
+ tm = localtime(&netmon->first_record_time.secs);
+ if (tm != NULL) {
+ file_hdr.ts_year = GUINT16_TO_LE(1900 + tm->tm_year);
+ file_hdr.ts_month = GUINT16_TO_LE(tm->tm_mon + 1);
+ file_hdr.ts_dow = GUINT16_TO_LE(tm->tm_wday);
+ file_hdr.ts_day = GUINT16_TO_LE(tm->tm_mday);
+ file_hdr.ts_hour = GUINT16_TO_LE(tm->tm_hour);
+ file_hdr.ts_min = GUINT16_TO_LE(tm->tm_min);
+ file_hdr.ts_sec = GUINT16_TO_LE(tm->tm_sec);
+ } else {
+ file_hdr.ts_year = GUINT16_TO_LE(1900 + 0);
+ file_hdr.ts_month = GUINT16_TO_LE(0 + 1);
+ file_hdr.ts_dow = GUINT16_TO_LE(0);
+ file_hdr.ts_day = GUINT16_TO_LE(0);
+ file_hdr.ts_hour = GUINT16_TO_LE(0);
+ file_hdr.ts_min = GUINT16_TO_LE(0);
+ file_hdr.ts_sec = GUINT16_TO_LE(0);
+ }
+ file_hdr.ts_msec = GUINT16_TO_LE(netmon->first_record_time.nsecs/1000000);
+ file_hdr.frametableoffset = GUINT32_TO_LE(netmon->frame_table_offset);
+ file_hdr.frametablelength =
+ GUINT32_TO_LE(netmon->frame_table_index * sizeof *netmon->frame_table);
+ if (!wtap_dump_file_write(wdh, &file_hdr, sizeof file_hdr, err))
+ return FALSE;
+
+ wdh->bytes_dumped = saved_bytes_dumped;
+ return TRUE;
+}
+
+static const struct supported_block_type netmon_1_x_blocks_supported[] = {
+ /*
+ * We support packet blocks, with no comments or other options.
+ */
+ { WTAP_BLOCK_PACKET, MULTIPLE_BLOCKS_SUPPORTED, NO_OPTIONS_SUPPORTED }
+};
+
+static const struct file_type_subtype_info netmon_1_x_info = {
+ "Microsoft NetMon 1.x", "netmon1", "cap", NULL,
+ TRUE, BLOCKS_SUPPORTED(netmon_1_x_blocks_supported),
+ netmon_dump_can_write_encap_1_x, netmon_dump_open_1_x, NULL
+};
+
+static const struct supported_block_type netmon_2_x_blocks_supported[] = {
+ /*
+ * We support packet blocks, with no comments or other options.
+ */
+ { WTAP_BLOCK_PACKET, MULTIPLE_BLOCKS_SUPPORTED, NO_OPTIONS_SUPPORTED }
+};
+
+static const struct file_type_subtype_info netmon_2_x_info = {
+ "Microsoft NetMon 2.x", "netmon2", "cap", NULL,
+ TRUE, BLOCKS_SUPPORTED(netmon_2_x_blocks_supported),
+ netmon_dump_can_write_encap_2_x, netmon_dump_open_2_x, NULL
+};
+
+void register_netmon(void)
+{
+ netmon_1_x_file_type_subtype = wtap_register_file_type_subtype(&netmon_1_x_info);
+ netmon_2_x_file_type_subtype = wtap_register_file_type_subtype(&netmon_2_x_info);
+
+ /*
+ * Register names for backwards compatibility with the
+ * wtap_filetypes table in Lua.
+ */
+ wtap_register_backwards_compatibility_lua_name("NETMON_1_x",
+ netmon_1_x_file_type_subtype);
+ wtap_register_backwards_compatibility_lua_name("NETMON_2_x",
+ netmon_2_x_file_type_subtype);
+}
+
+/*
+ * Editor modelines - https://www.wireshark.org/tools/modelines.html
+ *
+ * Local variables:
+ * c-basic-offset: 8
+ * tab-width: 8
+ * indent-tabs-mode: t
+ * End:
+ *
+ * vi: set shiftwidth=8 tabstop=8 noexpandtab:
+ * :indentSize=8:tabSize=8:noTabs=false:
+ */