1 files changed, 255 insertions, 0 deletions
diff --git a/wiretap/observer.h b/wiretap/observer.h
new file mode 100644
index 00000000..d203841d
--- /dev/null
+++ b/wiretap/observer.h
@@ -0,0 +1,255 @@
+/** @file
+                          observer.h  -  description
+                             -------------------
+    begin                : Wed Oct 29 2003
+    copyright            : (C) 2003 by root
+    email                : scotte[AT}netinst.com
+ ***************************************************************************/
+
+/***************************************************************************
+ *                                                                         *
+ *  SPDX-License-Identifier: GPL-2.0-or-later                              *
+ *                                                                         *
+ ***************************************************************************/
+
+#ifndef __NETWORK_INSTRUMENTS_H__
+#define __NETWORK_INSTRUMENTS_H__
+
+#include <glib.h>
+#include "wtap.h"
+
+wtap_open_return_val observer_open(wtap *wth, int *err, gchar **err_info);
+
+/*
+ * In v15 the high_byte was added to allow a larger offset This was done by
+ * reducing the size of observer_version by 1 byte.  Since version strings are
+ * only 30 characters the high_byte will always be 0 in previous versions.
+ */
+typedef struct capture_file_header
+{
+    char    observer_version[31];
+    guint8  offset_to_first_packet_high_byte; /* allows to extend the offset to the first packet to 256*0x10000 = 16 MB */
+    guint16 offset_to_first_packet;
+    char    probe_instance;
+    guint8  number_of_information_elements;   /* number of TLVs in the header */
+} capture_file_header;
+
+#define CAPTURE_FILE_HEADER_FROM_LE_IN_PLACE(_capture_file_header) \
+    _capture_file_header.offset_to_first_packet = GUINT16_FROM_LE((_capture_file_header).offset_to_first_packet)
+
+#define CAPTURE_FILE_HEADER_TO_LE_IN_PLACE(_capture_file_header) \
+    _capture_file_header.offset_to_first_packet = GUINT16_TO_LE((_capture_file_header).offset_to_first_packet)
+
+typedef struct tlv_header
+{
+    guint16 type;
+    guint16 length;        /* includes the length of the TLV header */
+} tlv_header;
+
+#define TLV_HEADER_FROM_LE_IN_PLACE(_tlv_header) \
+    (_tlv_header).type   = GUINT16_FROM_LE((_tlv_header).type); \
+    (_tlv_header).length = GUINT16_FROM_LE((_tlv_header).length)
+
+#define TLV_HEADER_TO_LE_IN_PLACE(_tlv_header) \
+    (_tlv_header).type   = GUINT16_TO_LE((_tlv_header).type); \
+    (_tlv_header).length = GUINT16_TO_LE((_tlv_header).length)
+
+/*
+ * TLV type values.
+ *
+ * Do TLVs without the 0x0100 bit set show up in packets, and
+ * do TLVs with that set show up in the file header, or are
+ * there two separate types of TLV?
+ *
+ * ALIAS_LIST contains an ASCII string (null-terminated, but
+ * we can't trust that, of course) that is the pathname of
+ * a file containing the alias list.  Not much use to us.
+ *
+ * COMMENT contains an ASCII string (null-terminated, but
+ * we can't trust that, of course); in all the captures
+ * I've seen, it appears to be a note about the file added
+ * by Observer, not by a user.  It appears to end with 0x0a
+ * 0x2e, i.e. '\n' '.'.
+ *
+ * REMOTE_PROBE contains, in all the captures I've seen, an
+ * ASCII string (null-terminated, but we cna't trust that,
+ * of course) of the form "Remote Probe [hex string]".  THe
+ * hex string has 8 characters, i.e. 4 octets.
+ *
+ * The Observer document indicates that the types of expert information
+ * packets are:
+ *
+ *    Network Load (markers used by Expert Time Interval and What If
+ *    analysis modes)
+ *
+ *    Start/Stop Packet Capture marker frames (with time stamps when
+ *    captures start and stop)
+ *
+ *    Wireless Channel Change (markers showing what channel was being
+ *    currently listened to)
+ *
+ * That information appears to be contained in TLVs.
+ */
+#define INFORMATION_TYPE_ALIAS_LIST         0x0001
+#define INFORMATION_TYPE_COMMENT            0x0002 /* ASCII text */
+#define INFORMATION_TYPE_TIME_INFO          0x0004
+#define INFORMATION_TYPE_REMOTE_PROBE       0x0005
+#define INFORMATION_TYPE_NETWORK_LOAD       0x0100
+#define INFORMATION_TYPE_WIRELESS           0x0101
+#define INFORMATION_TYPE_CAPTURE_START_STOP 0x0104
+
+/*
+ * See in Fibre Channel captures; not seen elsewhere.
+ *
+ * It has 4 bytes of data in all captures I've seen.
+ */
+/*                                          0x0106 */
+
+typedef struct tlv_time_info {
+    guint16 type;
+    guint16 length;
+    guint32 time_format;
+} tlv_time_info;
+
+/*
+ * TIME_INFO time_format values.
+ */
+#define TIME_INFO_LOCAL 0
+#define TIME_INFO_GMT   1
+
+#define TLV_TIME_INFO_FROM_LE_IN_PLACE(_tlv_time_info) \
+    (_tlv_time_info).time_format = GUINT32_FROM_LE((_tlv_time_info).time_format)
+
+#define TLV_TIME_INFO_TO_LE_IN_PLACE(_tlv_time_info) \
+    (_tlv_time_info).time_format = GUINT32_TO_LE((_tlv_time_info).time_format)
+
+/*
+ * Might some of these be broadecast and multicast packet counts, or
+ * error counts, or both?
+ */
+typedef struct tlv_network_load
+{
+    guint32 utilization;        /* network utilization, in .1% units */
+    guint32 unknown1;           /* zero in all captures I've seen */
+    guint32 unknown2;           /* zero in all captures I've seen */
+    guint32 packets_per_second;
+    guint32 unknown3;           /* zero in all captures I've seen */
+    guint32 bytes_per_second;
+    guint32 unknown4;           /* zero in all captures I've seen */
+} tlv_network_load;
+
+#define TLV_NETWORK_LOAD_FROM_LE_IN_PLACE(_tlv_network_load) \
+    (_tlv_network_load).utilization = GUINT32_FROM_LE((_tlv_network_load).utilization); \
+    (_tlv_network_load).unknown1 = GUINT32_FROM_LE((_tlv_network_load).unknown1); \
+    (_tlv_network_load).unknown2 = GUINT32_FROM_LE((_tlv_network_load).unknown2); \
+    (_tlv_network_load).packets_per_second = GUINT32_FROM_LE((_tlv_network_load).packets_per_second); \
+    (_tlv_network_load).unknown3 = GUINT32_FROM_LE((_tlv_network_load).unknown3); \
+    (_tlv_network_load).bytes_per_second = GUINT32_FROM_LE((_tlv_network_load).bytes_per_second); \
+    (_tlv_network_load).unknown4 = GUINT32_FROM_LE((_tlv_network_load).unknown4) \
+
+#define TLV_NETWORK_LOAD_TO_LE_IN_PLACE(_tlv_network_load) \
+    (_tlv_network_load).utilization = GUINT32_TO_LE((_tlv_network_load).utilization); \
+    (_tlv_network_load).unknown1 = GUINT32_TO_LE((_tlv_network_load).unknown1); \
+    (_tlv_network_load).unknown2 = GUINT32_TO_LE((_tlv_network_load).unknown2); \
+    (_tlv_network_load).packets_per_second = GUINT32_TO_LE((_tlv_network_load).packets_per_second); \
+    (_tlv_network_load).unknown3 = GUINT32_TO_LE((_tlv_network_load).unknown3); \
+    (_tlv_network_load).bytes_per_second = GUINT32_TO_LE((_tlv_network_load).bytes_per_second); \
+    (_tlv_network_load).unknown4 = GUINT32_TO_LE((_tlv_network_load).unknown4) \
+
+/*
+ * quality is presumably some measure of signal quality; in
+ * the captures I've seen, it has values of 15, 20-27, 50-54,
+ * 208, and 213.
+ *
+ * conditions has values of 0x00, 0x02, and 0x90.
+ *
+ * reserved is either 0x00 or 0x80; the 0x80 values
+ * are for TLVs where conditions is 0x90.
+ */
+typedef struct tlv_wireless_info {
+    guint8 quality;
+    guint8 signalStrength;
+    guint8 rate;
+    guint8 frequency;
+    guint8 qualityPercent;
+    guint8 strengthPercent;
+    guint8 conditions;
+    guint8 reserved;
+} tlv_wireless_info;
+
+/*
+ * Wireless conditions
+ */
+#define WIRELESS_WEP_SUCCESS		0x80
+/*                                      0x10 */
+/*                                      0x02 */
+
+typedef struct tlv_capture_start_stop
+{
+    guint32 start_stop;
+} tlv_capture_start_stop;
+
+#define START_STOP_TYPE_STOP   0
+#define START_STOP_TYPE_START  1
+
+typedef struct packet_entry_header
+{
+    guint32 packet_magic;
+    guint32 network_speed;
+    guint16 captured_size;
+    guint16 network_size;
+    guint16 offset_to_frame;
+    guint16 offset_to_next_packet;
+    guint8 network_type;
+    guint8 flags;
+    guint8 number_of_information_elements;    /* number of TLVs in the header */
+    guint8 packet_type;
+    guint16 errors;
+    guint16 reserved;
+    guint64 packet_number;
+    guint64 original_packet_number;
+    guint64 nano_seconds_since_2000;
+} packet_entry_header;
+
+#define PACKET_ENTRY_HEADER_FROM_LE_IN_PLACE(_packet_entry_header) \
+    (_packet_entry_header).packet_magic            = GUINT32_FROM_LE((_packet_entry_header).packet_magic); \
+    (_packet_entry_header).network_speed           = GUINT32_FROM_LE((_packet_entry_header).network_speed); \
+    (_packet_entry_header).captured_size           = GUINT16_FROM_LE((_packet_entry_header).captured_size); \
+    (_packet_entry_header).network_size            = GUINT16_FROM_LE((_packet_entry_header).network_size); \
+    (_packet_entry_header).offset_to_frame         = GUINT16_FROM_LE((_packet_entry_header).offset_to_frame); \
+    (_packet_entry_header).offset_to_next_packet   = GUINT16_FROM_LE((_packet_entry_header).offset_to_next_packet); \
+    (_packet_entry_header).errors                  = GUINT16_FROM_LE((_packet_entry_header).errors); \
+    (_packet_entry_header).reserved                = GUINT16_FROM_LE((_packet_entry_header).reserved); \
+    (_packet_entry_header).packet_number           = GUINT64_FROM_LE((_packet_entry_header).packet_number); \
+    (_packet_entry_header).original_packet_number  = GUINT64_FROM_LE((_packet_entry_header).original_packet_number); \
+    (_packet_entry_header).nano_seconds_since_2000 = GUINT64_FROM_LE((_packet_entry_header).nano_seconds_since_2000)
+
+#define PACKET_ENTRY_HEADER_TO_LE_IN_PLACE(_packet_entry_header) \
+    (_packet_entry_header).packet_magic            = GUINT32_TO_LE((_packet_entry_header).packet_magic); \
+    (_packet_entry_header).network_speed           = GUINT32_TO_LE((_packet_entry_header).network_speed); \
+    (_packet_entry_header).captured_size           = GUINT16_TO_LE((_packet_entry_header).captured_size); \
+    (_packet_entry_header).network_size            = GUINT16_TO_LE((_packet_entry_header).network_size); \
+    (_packet_entry_header).offset_to_frame         = GUINT16_TO_LE((_packet_entry_header).offset_to_frame); \
+    (_packet_entry_header).offset_to_next_packet   = GUINT16_TO_LE((_packet_entry_header).offset_to_next_packet); \
+    (_packet_entry_header).errors                  = GUINT16_TO_LE((_packet_entry_header).errors); \
+    (_packet_entry_header).reserved                = GUINT16_TO_LE((_packet_entry_header).reserved); \
+    (_packet_entry_header).packet_number           = GUINT64_TO_LE((_packet_entry_header).packet_number); \
+    (_packet_entry_header).original_packet_number  = GUINT64_TO_LE((_packet_entry_header).original_packet_number); \
+    (_packet_entry_header).nano_seconds_since_2000 = GUINT64_TO_LE((_packet_entry_header).nano_seconds_since_2000)
+
+/*
+ * Network type values.
+ */
+#define OBSERVER_UNDEFINED       0xFF
+#define OBSERVER_ETHERNET        0x00
+#define OBSERVER_TOKENRING       0x01
+#define OBSERVER_FIBRE_CHANNEL   0x08
+#define OBSERVER_WIRELESS_802_11 0x09
+
+/*
+ * Packet type values.
+ */
+#define PACKET_TYPE_DATA_PACKET               0
+#define PACKET_TYPE_EXPERT_INFORMATION_PACKET 1
+
+#endif