/* netxray.c

 *

 * Wiretap Library

 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>

 *

 * SPDX-License-Identifier: GPL-2.0-or-later

 */

#include "config.h"

#include "netxray.h"

#include <string.h>

#include <wsutil/array.h>

#include <wsutil/pint.h>

#include "wtap_module.h"

#include "file_wrappers.h"

#include "atm.h"

/*

 * Sniffer Basic (NetXRay)/Windows Sniffer Pro

 *

 * Network Associates' Sniffer Basic (formerly NetXRay from Cinco Networks)

 * file format is now supported, at least for Ethernet and token-ring.

 * Network Associates' Windows Sniffer Pro appears to use a variant of that

 * format; it's supported to the same extent.

*/

/* Capture file header, *including* magic number, is padded to 128 bytes. */

#define CAPTUREFILE_HEADER_SIZE 128

/* Magic number size, in both 1.x and later files. */

#define MAGIC_SIZE  4

/* Magic number in NetXRay 1.x files. */

static const char old_netxray_magic[MAGIC_SIZE] = {

  'V', 'L', '\0', '\0'

};

/* Magic number in NetXRay 2.0 and later, and Windows Sniffer, files. */

static const char netxray_magic[MAGIC_SIZE] = {

  'X', 'C', 'P', '\0'

};

/* NetXRay file header (minus magic number).      */

/*                */

/* As field usages are identified, please revise as needed  */

/* Please do *not* use netxray_hdr xxx... names in the code */

/* (Placeholder names for all 'unknown' fields are    */

/*   of form xxx_x<hex_hdr_offset>        */

/*   where <hex_hdr_offset> *includes* the magic number)  */

struct netxray_hdr {

  char   version[8];  /* version number       */

  uint32_t start_time;  /* UNIX [UTC] time when capture started   */

  uint32_t nframes; /* number of packets        */

  uint32_t xxx_x14; /* unknown [some kind of file offset]   */

  uint32_t start_offset;  /* offset of first packet in capture    */

  uint32_t end_offset;  /* offset after last packet in capture    */

  uint32_t xxx_x20; /* unknown [some kind of file offset]   */

  uint32_t xxx_x24; /* unknown [unused ?]       */

  uint32_t xxx_x28; /* unknown [some kind of file offset]   */

  uint8_t  network; /* datalink type        */

  uint8_t  network_plus;  /* [See code]         */

  uint8_t  xxx_x2E[2];  /* unknown          */

  uint8_t  timeunit;  /* encodes length of a tick     */

  uint8_t  xxx_x31[3];  /* XXX - upper 3 bytes of timeunit ?    */

  uint32_t timelo;  /* lower 32 bits of capture start time stamp  */

  uint32_t timehi;  /* upper 32 bits of capture start time stamp  */

  uint32_t linespeed; /* speed of network, in bits/second   */

  uint8_t  xxx_x40[12]; /* unknown [other stuff]      */

  uint8_t  realtick[4]; /* (ticks/sec for Ethernet/Ndis/Timeunit=2 ?) */

        /* (realtick[1], realtick[2] also currently */

        /*  used as flag for 'FCS presence')    */

  uint8_t  xxx_x50[4];  /* unknown [other stuff]      */

  uint8_t  captype; /* capture type         */

  uint8_t  xxx_x55[3];  /* unknown [other stuff]      */

  uint8_t  xxx_x58[4];  /* unknown [other stuff]      */

  uint8_t  wan_hdlc_subsub_captype; /* WAN HDLC subsub_captype    */

  uint8_t  xxx_x5D[3];  /* unknown [other stuff]      */

  uint8_t  xxx_x60[16]; /* unknown [other stuff]      */

  uint8_t  xxx_x70[14]; /* unknown [other stuff]      */

  int16_t  timezone_hrs;  /* timezone hours [at least for version 2.2..]; */

        /*  positive values = west of UTC:    */

        /*  negative values = east of UTC:    */

        /*  e.g. +5 is American Eastern     */

        /* [Does not appear to be adjusted for DST ]  */

};

/*

 * Capture type, in hdr.captype.

 *

 * Values other than 0 are dependent on the network type.

 * For Ethernet captures, it indicates the type of capture pod.

 * For WAN captures (all of which are done with a pod), it indicates

 * the link-layer type.

 */

#define CAPTYPE_NDIS  0    /* Capture on network interface using NDIS      */

/*

 * Ethernet capture types.

 */

#define ETH_CAPTYPE_GIGPOD  2  /* gigabit Ethernet captured with pod       */

#define ETH_CAPTYPE_OTHERPOD  3  /* non-gigabit Ethernet captured with pod     */

#define ETH_CAPTYPE_OTHERPOD2 5  /* gigabit Ethernet via pod ??          */

          /*  Captype 5 seen in capture from Distributed Sniffer with:  */

          /*    Version 4.50.211 software         */

          /*    SysKonnect SK-9843 Gigabit Ethernet Server Adapter  */

#define ETH_CAPTYPE_GIGPOD2 6  /* gigabit Ethernet, captured with blade on S6040-model Sniffer */

/*

 * WAN capture types.

 */

#define WAN_CAPTYPE_BROUTER 1 /* Bridge/router captured with pod */

#define WAN_CAPTYPE_PPP   3  /* PPP captured with pod */

#define WAN_CAPTYPE_FRELAY  4  /* Frame Relay captured with pod */

#define WAN_CAPTYPE_BROUTER2  5 /* Bridge/router captured with pod */

#define WAN_CAPTYPE_HDLC  6  /* HDLC (X.25, ISDN) captured with pod */

#define WAN_CAPTYPE_SDLC  7  /* SDLC captured with pod */

#define WAN_CAPTYPE_HDLC2 8  /* HDLC captured with pod */

#define WAN_CAPTYPE_BROUTER3  9 /* Bridge/router captured with pod */

#define WAN_CAPTYPE_SMDS  10  /* SMDS DXI */

#define WAN_CAPTYPE_BROUTER4  11  /* Bridge/router captured with pod */

#define WAN_CAPTYPE_BROUTER5  12  /* Bridge/router captured with pod */

#define WAN_CAPTYPE_CHDLC 19  /* Cisco router (CHDLC) captured with pod */

#define CAPTYPE_ATM   15  /* ATM captured with pod */

/*

 * # of ticks that equal 1 second, in version 002.xxx files other

 * than Ethernet captures with a captype other than CAPTYPE_NDIS;

 * the index into this array is hdr.timeunit.

 *

 * DO NOT SEND IN PATCHES THAT CHANGE ANY OF THE NON-ZERO VALUES IN

 * ANY OF THE TpS TABLES.  THOSE VALUES ARE CORRECT FOR AT LEAST ONE

 * CAPTURE, SO CHANGING THEM WILL BREAK AT LEAST SOME CAPTURES.  WE

 * WILL NOT CHECK IN PATCHES THAT CHANGE THESE VALUES.

 *

 * Instead, if a value in a TpS table is wrong, check whether captype

 * has a non-zero value; if so, perhaps we need a new TpS table for the

 * corresponding network type and captype, or perhaps the 'realtick'

 * field contains the correct ticks-per-second value.

 *

 * TpS...[] entries of 0.0 mean that no capture file for the

 * corresponding captype/timeunit values has yet been seen, or that

 * we're using the 'realtick' value.

 *

 * XXX - 05/29/07: For Ethernet captype = 0 (NDIS) and timeunit = 2:

 *  Perusal of a number of Sniffer captures

 *  (including those from Wireshark bug reports

 *  and those from the Wireshark 'menagerie')

 *  suggests that 'realtick' for this case

 *  contains the correct ticks/second to be used.

 *  So: we'll use realtick for Ethernet captype=0 and timeunit=2.

 *  (It might be that realtick should be used for Ethernet captype = 0

 *  and timeunit = 1 but I've not yet enough captures to be sure).

 *   Based upon the captures reviewed to date, realtick cannot be used for

 *   any of the other Ethernet captype/timeunit combinations for which there

 *   are non-zero values in the TpS tables.

 *

 *  In at least one capture where "realtick" doesn't correspond

 *  to the value from the appropriate TpS table, the per-packet header's

 *  "xxx" field is all zero, so it's not as if a 2.x header includes

 *  a "compatibility" time stamp corresponding to the value from the

 *  TpS table and a "real" time stamp corresponding to "realtick".

 *

 * XXX - the item corresponding to timeunit = 2 is 1193180.0, presumably

 *  because somebody found it gave the right answer for some captures, but

 *  3 times that, i.e. 3579540.0, appears to give the right answer for some

 *  other captures.

 *

 *  Some captures have realtick of 1193182, some have 3579545, and some

 *  have 1193000.  Most of those, in one set of captures somebody has,

 *  are wrong.  (Did that mean "wrong for some capture files, but not

 *  for the files in which they occurred", or "wrong for the files in

 *  which they occurred?  If it's "wrong for some capture files, but

 *  not for the files in which they occurred", perhaps those were Ethernet

 *  captures with a captype of 0 and timeunit = 2, so that we now use

 *  realtick, and perhaps that fixes the problems.)

 *

 * XXX - in at least one ATM capture, hdr.realtick is 1193180.0

 *  and hdr.timeunit is 0.  Does that capture have a captype of

 *  CAPTYPE_ATM?  If so, what should the table for ATM captures with

 *  that captype be?

 */

static const double TpS[] = { 1e6, 1193000.0, 1193182.0 };

#define NUM_NETXRAY_TIMEUNITS array_length(TpS)

/*

 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_GIGPOD.

 * 0.0 means "unknown".

 *

 * It appears that, at least for Ethernet captures, if captype is

 * ETH_CAPTYPE_GIGPOD, that indicates that it's a gigabit Ethernet

 * capture, possibly from a special whizzo gigabit pod, and also

 * indicates that the time stamps have some higher resolution than

 * in other captures, possibly thanks to a high-resolution timer

 * on the pod.

 *

 * It also appears that the time units might differ for gigabit pod

 * captures between version 002.001 and 002.002.  For 002.001,

 * the values below are correct; for 002.002, it's claimed that

 * the right value for TpS_gigpod[2] is 1250000.0, but at least one

 * 002.002 gigabit pod capture has 31250000.0 as the right value.

 * XXX: Note that the TpS_otherpod[2] value is 1250000.0; It seems

 *  reasonable to suspect that the original claim might actually

 *  have been for a capture with a captype of 'otherpod'.

 * (Based upon captures reviewed realtick does not contain the

 *   correct TpS values for the 'gigpod' captype).

 */

static const double TpS_gigpod[] = { 1e9, 0.0, 31250000.0 };

#define NUM_NETXRAY_TIMEUNITS_GIGPOD array_length(TpS_gigpod)

/*

 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_OTHERPOD.

 *  (Based upon captures reviewed realtick does not contain the

 *   correct TpS values for the 'otherpod' captype).

 */

static const double TpS_otherpod[] = { 1e6, 0.0, 1250000.0 };

#define NUM_NETXRAY_TIMEUNITS_OTHERPOD array_length(TpS_otherpod)

/*

 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_OTHERPOD2.

 * (Based upon captures reviewed realtick does not contain the

 *   correct TpS values for the 'otherpod2' captype).

 */

static const double TpS_otherpod2[] = { 1e6, 0.0, 0.0 };

#define NUM_NETXRAY_TIMEUNITS_OTHERPOD2 array_length(TpS_otherpod2)

/*

 * Table of time units for Ethernet captures with captype ETH_CAPTYPE_GIGPOD2.

 * (Based upon captures reviewed realtick does not contain the

 *   correct TpS values for the 'gigpod2' captype).

 */

static const double TpS_gigpod2[] = { 1e9, 0.0, 20000000.0 };

#define NUM_NETXRAY_TIMEUNITS_GIGPOD2 array_length(TpS_gigpod2)

/* Version number strings. */

static const char vers_1_0[] = {

  '0', '0', '1', '.', '0', '0', '0', '\0'

};

static const char vers_1_1[] = {

  '0', '0', '1', '.', '1', '0', '0', '\0'

};

static const char vers_2_000[] = {

  '0', '0', '2', '.', '0', '0', '0', '\0'

};

static const char vers_2_001[] = {

  '0', '0', '2', '.', '0', '0', '1', '\0'

};

static const char vers_2_002[] = {

  '0', '0', '2', '.', '0', '0', '2', '\0'

};

static const char vers_2_003[] = {

  '0', '0', '2', '.', '0', '0', '3', '\0'

};

/* Old NetXRay data record format - followed by frame data. */

struct old_netxrayrec_hdr {

  uint32_t timelo;  /* lower 32 bits of time stamp */

  uint32_t timehi;  /* upper 32 bits of time stamp */

  uint16_t len;   /* packet length */

  uint8_t  xxx[6];  /* unknown */

};

/* NetXRay format version 1.x data record format - followed by frame data. */

struct netxrayrec_1_x_hdr {

  uint32_t timelo;  /* lower 32 bits of time stamp */

  uint32_t timehi;  /* upper 32 bits of time stamp */

  uint16_t orig_len;  /* packet length */

  uint16_t incl_len;  /* capture length */

  uint8_t  xxx[16]; /* unknown */

};

/*

 * NetXRay format version 2.x data record format - followed by frame data.

 *

 * The xxx fields appear to be:

 *

 *  xxx[0]: ATM traffic type and subtype in the low 3 bits of

 *  each nibble, and flags(?) in the upper bit of each nibble.

 *  Always 0 for 802.11?

 *

 *  xxx[1]: Always 0 for 802.11?

 *

 *  xxx[2], xxx[3]: for Ethernet, 802.11, ISDN LAPD, LAPB,

 *  Frame Relay, if both are 0xff, there are 4 bytes of stuff

 *  at the end of the packet data, which might be an FCS or

 *  which might be junk to discard.

 *

 *  xxx[4-7]: Always 0 for 802.11?

 *

 *  xxx[8], xxx[9]: 2 bytes of a flag word?  If treated as

 *  a 2-byte little-endian flag word:

 *

 *    0x0001: Error of some sort, including bad CRC, although

 *        in one ISDN capture it's set in some B2 channel

 *        packets of unknown content (as opposed to the B1

 *        traffic in the capture, which is PPP)

 *              0x0002: Seen in 802.11 - short preamble?  Bad CRC?

 *    0x0004: Some particular type of error?

 *    0x0008: For (Gigabit?) Ethernet (with special probe?),

 *        4 bytes at end are junk rather than CRC?

 *    0x0100: CRC error on ATM?  Protected and Not decrypted

 *        for 802.11?  Bad CRC?  Short preamble?

 *    0x0200: Something for ATM? Something else for 802.11?

 *    0x0400: raw ATM cell

 *    0x0800: OAM cell?

 *    0x2000: port on which the packet was captured?

 *

 *  The Sniffer Portable 4.8 User's Guide lists a set of packet status

 *  flags including:

 *

 *    packet is marked;

 *    packet was captured from Port A on the pod or adapter card;

 *    packet was captured from Port B on the pod or adapter card;

 *    packet has a symptom or diagnosis associated with it;

 *    packet is an event filter trigger;

 *    CRC error packet with normal packet size;

 *    CRC error packet with oversize error;

 *    packet size < 64 bytes (including CRC) but with valid CRC;

 *    packet size < 64 bytes (including CRC) with CRC error;

 *    packet size > 1518 bytes (including CRC) but with valid CRC;

 *    packet damaged by a collision;

 *    packet length not a multiple of 8 bits;

 *    address conflict in the ring on Token Ring;

 *    packet is not copied (received) by the destination host on

 *        Token Ring;

 *    AAL5 length error;

 *    AAL5 maximum segments error;

 *    ATM timeout error;

 *    ATM buffer error;

 *    ATM unknown error;

 *    and a ton of AAL2 errors.

 *

 *  Not all those bits necessarily correspond to flag bits in the file,

 *  but some might.

 *

 *  In one ATM capture, the 0x2000 bit was set for all frames; in another,

 *  it's unset for all frames.  This, plus the ATMbook having two ports,

 *  suggests that it *might* be a "port A vs. port B" flag.

 *

 *  The 0x0001 bit appears to be set for CRC errors on Ethernet and 802.11.

 *  It also appears to be set on ATM for AAL5 PDUs that appear to be

 *  completely reassembled and that have a CRC error and for frames that

 *  appear to be part of a full AAL5 PDU.  In at least two files with

 *  frames of the former type, the 0x0100 and 0x0200 flags are set;

 *  in at least one file with frames of the latter type, neither of

 *  those flags are set.

 *

 *  The field appears to be somewhat random in some captures,

 *  however.

 *

 *  xxx[10]: for 802.11, always 0?

 *

 *  xxx[11]: for 802.11, 0x05 if the packet is WEP-encrypted(?).

 *

 *  xxx[12]: for 802.11, channel number.

 *

 *  xxx[13]: for 802.11, data rate, in 500 Kb/s units.

 *

 *  xxx[14]: for 802.11, signal strength.

 *

 *  xxx[15]: for 802.11, noise level; 0xFF means none reported,

 *      0x7F means 100%.

 *

 *  xxx[16-19]: for 802.11, PHY header, at least for {HR/}DSSS,

 *              in at least one capture.

 *              In another capture, xxx[16] appears to be the

 *              data rate in 500 Kb/s units

 *              Chip-dependent stuff?

 *

 *  xxx[20-25]: for 802.11, MAC address of sending machine(?).

 *

 *  xxx[26]: for 802.11, one of 0x00, 0x01, 0x03, or 0x0b?

 *

 *  xxx[27]: for 802.11, one of 0x00 or 0x30?

 */

struct netxrayrec_2_x_hdr {

  uint32_t timelo;  /* lower 32 bits of time stamp */

  uint32_t timehi;  /* upper 32 bits of time stamp */

  uint16_t orig_len;  /* packet length */

  uint16_t incl_len;  /* capture length */

  uint8_t  xxx[28]; /* various data */

};

/*

 * Union of the data record headers.

 */

union netxrayrec_hdr {

  struct old_netxrayrec_hdr old_hdr;

  struct netxrayrec_1_x_hdr hdr_1_x;

  struct netxrayrec_2_x_hdr hdr_2_x;

};

typedef struct {

  time_t    start_time;

  double    ticks_per_sec;

  double    start_timestamp;

  bool    wrapped;

  uint32_t  nframes;

  int64_t   start_offset;

  int64_t   end_offset;

  int   version_major;

  bool    fcs_valid;  /* if packets have valid FCS at the end */

  unsigned  isdn_type;  /* 1 = E1 PRI, 2 = T1 PRI, 3 = BRI */

} netxray_t;

static bool netxray_read(wtap *wth, wtap_rec *rec,

    int *err, char **err_info, int64_t *data_offset);

static bool netxray_seek_read(wtap *wth, int64_t seek_off,

    wtap_rec *rec, int *err, char **err_info);

static int netxray_process_rec_header(wtap *wth, FILE_T fh,

    wtap_rec *rec, int *err, char **err_info);

static void netxray_guess_atm_type(wtap *wth, wtap_rec *rec);

static bool netxray_dump_1_1(wtap_dumper *wdh, const wtap_rec *rec,

    int *err, char **err_info);

static bool netxray_dump_finish_1_1(wtap_dumper *wdh, int *err,

    char **err_info);

static bool netxray_dump_2_0(wtap_dumper *wdh, const wtap_rec *rec,

    int *err, char **err_info);

static bool netxray_dump_finish_2_0(wtap_dumper *wdh, int *err,

    char **err_info);

static int netxray_old_file_type_subtype = -1;

static int netxray_1_0_file_type_subtype = -1;

static int netxray_1_1_file_type_subtype = -1;

static int netxray_2_00x_file_type_subtype = -1;

void register_netxray(void);

wtap_open_return_val

netxray_open(wtap *wth, int *err, char **err_info)

{

  char magic[MAGIC_SIZE];

  bool is_old;

  struct netxray_hdr hdr;

  unsigned network_type;

  double ticks_per_sec;

  int version_major, version_minor;

  int file_type;

  double start_timestamp;

  static const int netxray_encap[] = {

    WTAP_ENCAP_UNKNOWN,

    WTAP_ENCAP_ETHERNET,

    WTAP_ENCAP_TOKEN_RING,

    WTAP_ENCAP_FDDI_BITSWAPPED,

    /*

     * XXX - some PPP captures may look like Ethernet,

     * perhaps because they're using NDIS to capture on the

     * same machine and it provides simulated-Ethernet

     * packets, but captures taken with various serial

     * pods use the same network type value but aren't

     * shaped like Ethernet.  We handle that below.

     */

    WTAP_ENCAP_ETHERNET,   /* WAN(PPP), but shaped like Ethernet */

    WTAP_ENCAP_UNKNOWN,   /* LocalTalk */

    WTAP_ENCAP_UNKNOWN,   /* "DIX" - should not occur */

    WTAP_ENCAP_UNKNOWN,   /* ARCNET raw */

    WTAP_ENCAP_UNKNOWN,   /* ARCNET 878.2 */

    WTAP_ENCAP_ATM_PDUS_UNTRUNCATED,/* ATM */

    WTAP_ENCAP_IEEE_802_11_WITH_RADIO,

            /* Wireless WAN with radio information */

    WTAP_ENCAP_UNKNOWN    /* IrDA */

  };

  #define NUM_NETXRAY_ENCAPS array_length(netxray_encap)

  int file_encap;

  unsigned isdn_type = 0;

  netxray_t *netxray;

  /* Read in the string that should be at the start of a NetXRay

   * file */

  if (!wtap_read_bytes(wth->fh, magic, MAGIC_SIZE, err, err_info)) {

    if (*err != WTAP_ERR_SHORT_READ)

      return WTAP_OPEN_ERROR;

    return WTAP_OPEN_NOT_MINE;

  }

  if (memcmp(magic, netxray_magic, MAGIC_SIZE) == 0) {

    is_old = false;

  } else if (memcmp(magic, old_netxray_magic, MAGIC_SIZE) == 0) {

    is_old = true;

  } else {

    return WTAP_OPEN_NOT_MINE;

  }

  /* Read the rest of the header. */

  if (!wtap_read_bytes(wth->fh, &hdr, sizeof hdr, err, err_info))

    return WTAP_OPEN_ERROR;

  if (is_old) {

    version_major = 0;

    version_minor = 0;

    file_type = netxray_old_file_type_subtype;

  } else {

    /* It appears that version 1.1 files (as produced by Windows

     * Sniffer Pro 2.0.01) have the time stamp in microseconds,

     * rather than the milliseconds version 1.0 files appear to

     * have.

     *

     * It also appears that version 2.00x files have per-packet

     * headers with some extra fields. */

    if (memcmp(hdr.version, vers_1_0, sizeof vers_1_0) == 0) {

      version_major = 1;

      version_minor = 0;

      file_type = netxray_1_0_file_type_subtype;

    } else if (memcmp(hdr.version, vers_1_1, sizeof vers_1_1) == 0) {

      version_major = 1;

      version_minor = 1;

      file_type = netxray_1_1_file_type_subtype;

    } else if (memcmp(hdr.version, vers_2_000, sizeof vers_2_000) == 0) {

      version_major = 2;

      version_minor = 0;

      file_type = netxray_2_00x_file_type_subtype;

    } else if (memcmp(hdr.version, vers_2_001, sizeof vers_2_001) == 0) {

      version_major = 2;

      version_minor = 1;

      file_type = netxray_2_00x_file_type_subtype;

    } else if (memcmp(hdr.version, vers_2_002, sizeof vers_2_002) == 0) {

      version_major = 2;

      version_minor = 2;

      file_type = netxray_2_00x_file_type_subtype;

    } else if (memcmp(hdr.version, vers_2_003, sizeof vers_2_003) == 0) {

      version_major = 2;

      version_minor = 3;

      file_type = netxray_2_00x_file_type_subtype;

    } else {

      *err = WTAP_ERR_UNSUPPORTED;

      *err_info = ws_strdup_printf("netxray: version \"%.8s\" unsupported", hdr.version);

      return WTAP_OPEN_ERROR;

    }

  }

  switch (hdr.network_plus) {

  case 0:

    /*

     * The byte after hdr.network is usually 0, in which case

     * the hdr.network byte is an NDIS network type value - 1.

     */

    network_type = hdr.network + 1;

    break;

  case 2:

    /*

     * However, in some Ethernet captures, it's 2, and the

     * hdr.network byte is 1 rather than 0.  We assume

     * that if there's a byte after hdr.network with the value

     * 2, the hdr.network byte is an NDIS network type, rather

     * than an NDIS network type - 1.

     */

    network_type = hdr.network;

    break;

  default:

    *err = WTAP_ERR_UNSUPPORTED;

    *err_info = ws_strdup_printf("netxray: the byte after the network type has the value %u, which I don't understand",

        hdr.network_plus);

    return WTAP_OPEN_ERROR;

  }

  if (network_type >= NUM_NETXRAY_ENCAPS

      || netxray_encap[network_type] == WTAP_ENCAP_UNKNOWN) {

    *err = WTAP_ERR_UNSUPPORTED;

    *err_info = ws_strdup_printf("netxray: network type %u (%u) unknown or unsupported",

        network_type, hdr.network_plus);

    return WTAP_OPEN_ERROR;

  }

  /*

   * Figure out the time stamp units and start time stamp.

   */

  start_timestamp = (double)pletohu32(&hdr.timelo)

      + (double)pletohu32(&hdr.timehi)*4294967296.0;

  if (is_old) {

    ticks_per_sec = 1000.0;

    wth->file_tsprec = WTAP_TSPREC_MSEC;

  } else if (version_major == 1) {

    switch (version_minor) {

    case 0:

      ticks_per_sec = 1000.0;

      wth->file_tsprec = WTAP_TSPREC_MSEC;

      break;

    case 1:

      /*

       * In version 1.1 files (as produced by Windows

       * Sniffer Pro 2.0.01), the time stamp is in

       * microseconds, rather than the milliseconds

       * time stamps in NetXRay and older versions

       * of Windows Sniffer.

       */

      ticks_per_sec = 1000000.0;

      wth->file_tsprec = WTAP_TSPREC_USEC;

      break;

    default:

      /* "Can't happen" - we rejected that above */

      *err = WTAP_ERR_INTERNAL;

      *err_info = ws_strdup_printf("netxray: version %d.%d somehow didn't get rejected",

                                  version_major, version_minor);

      return WTAP_OPEN_ERROR;

    }

  } else if (version_major == 2) {

    /*

     * Get the time stamp units from the appropriate TpS

     * table or from the file header.

     */

    switch (network_type) {

    case 1:

      /*

       * Ethernet - the table to use depends on whether

       * this is an NDIS or pod capture.

       */

      switch (hdr.captype) {

      case CAPTYPE_NDIS:

        if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS) {

          *err = WTAP_ERR_UNSUPPORTED;

          *err_info = ws_strdup_printf(

              "netxray: Unknown timeunit %u for Ethernet/CAPTYPE_NDIS version %.8s capture",

              hdr.timeunit, hdr.version);

          return WTAP_OPEN_ERROR;

        }

        /*

        XXX: 05/29/07: Use 'realtick' instead of TpS table if timeunit=2;

          Using 'realtick' in this case results

          in the correct 'ticks per second' for all the captures that

          I have of this type (including captures from a number of Wireshark

          bug reports).

        */

        if (hdr.timeunit == 2) {

          ticks_per_sec = pletohu32(hdr.realtick);

        }

        else {

          ticks_per_sec = TpS[hdr.timeunit];

        }

        break;

      case ETH_CAPTYPE_GIGPOD:

        if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_GIGPOD

            || TpS_gigpod[hdr.timeunit] == 0.0) {

          *err = WTAP_ERR_UNSUPPORTED;

          *err_info = ws_strdup_printf(

              "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_GIGPOD version %.8s capture",

              hdr.timeunit, hdr.version);

          return WTAP_OPEN_ERROR;

        }

        ticks_per_sec = TpS_gigpod[hdr.timeunit];

        /*

         * At least for 002.002 and 002.003

         * captures, the start time stamp is 0,

         * not the value in the file.

         */

        if (version_minor == 2 || version_minor == 3)

          start_timestamp = 0.0;

        break;

      case ETH_CAPTYPE_OTHERPOD:

        if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_OTHERPOD

            || TpS_otherpod[hdr.timeunit] == 0.0) {

          *err = WTAP_ERR_UNSUPPORTED;

          *err_info = ws_strdup_printf(

              "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_OTHERPOD version %.8s capture",

              hdr.timeunit, hdr.version);

          return WTAP_OPEN_ERROR;

        }

        ticks_per_sec = TpS_otherpod[hdr.timeunit];

        /*

         * At least for 002.002 and 002.003

         * captures, the start time stamp is 0,

         * not the value in the file.

         */

        if (version_minor == 2 || version_minor == 3)

          start_timestamp = 0.0;

        break;

      case ETH_CAPTYPE_OTHERPOD2:

        if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_OTHERPOD2

            || TpS_otherpod2[hdr.timeunit] == 0.0) {

          *err = WTAP_ERR_UNSUPPORTED;

          *err_info = ws_strdup_printf(

              "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_OTHERPOD2 version %.8s capture",

              hdr.timeunit, hdr.version);

          return WTAP_OPEN_ERROR;

        }

        ticks_per_sec = TpS_otherpod2[hdr.timeunit];

        /*

         * XXX: start time stamp in the one capture file examined of this type was 0;

         *      We'll assume the start time handling is the same as for other pods.

         *

         * At least for 002.002 and 002.003

         * captures, the start time stamp is 0,

         * not the value in the file.

         */

        if (version_minor == 2 || version_minor == 3)

          start_timestamp = 0.0;

        break;

      case ETH_CAPTYPE_GIGPOD2:

        if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS_GIGPOD2

            || TpS_gigpod2[hdr.timeunit] == 0.0) {

          *err = WTAP_ERR_UNSUPPORTED;

          *err_info = ws_strdup_printf(

              "netxray: Unknown timeunit %u for Ethernet/ETH_CAPTYPE_GIGPOD2 version %.8s capture",

              hdr.timeunit, hdr.version);

          return WTAP_OPEN_ERROR;

        }

        ticks_per_sec = TpS_gigpod2[hdr.timeunit];

        /*

         * XXX: start time stamp in the one capture file examined of this type was 0;

         *  We'll assume the start time handling is the same as for other pods.

         *

         * At least for 002.002 and 002.003

         * captures, the start time stamp is 0,

         * not the value in the file.

         */

        if (version_minor == 2 || version_minor == 3)

          start_timestamp = 0.0;

        break;

      default:

        *err = WTAP_ERR_UNSUPPORTED;

        *err_info = ws_strdup_printf(

            "netxray: Unknown capture type %u for Ethernet version %.8s capture",

            hdr.captype, hdr.version);

        return WTAP_OPEN_ERROR;

      }

      break;

    default:

      if (hdr.timeunit >= NUM_NETXRAY_TIMEUNITS) {

        *err = WTAP_ERR_UNSUPPORTED;

        *err_info = ws_strdup_printf(

            "netxray: Unknown timeunit %u for %u/%u version %.8s capture",

            hdr.timeunit, network_type, hdr.captype,

            hdr.version);

        return WTAP_OPEN_ERROR;

      }

      ticks_per_sec = TpS[hdr.timeunit];

      break;

    }

    /*

     * If the number of ticks per second is greater than

     * 1 million, make the precision be nanoseconds rather

     * than microseconds.

     *

     * XXX - do values only slightly greater than one million

     * correspond to a resolution sufficiently better than

     * 1 microsecond to display more digits of precision?

     * XXX - Seems reasonable to use nanosecs only if TPS >= 10M

     */

    if (ticks_per_sec >= 1e7)

      wth->file_tsprec = WTAP_TSPREC_NSEC;

    else

      wth->file_tsprec = WTAP_TSPREC_USEC;

  } else {

    /* "Can't happen" - we rejected that above */

    *err = WTAP_ERR_INTERNAL;

    *err_info = ws_strdup_printf("netxray: version %d.%d somehow didn't get rejected",

                                version_major, version_minor);

    return WTAP_OPEN_ERROR;

  }

  start_timestamp = start_timestamp/ticks_per_sec;

  if (network_type == 4) {

    /*

     * In version 0 and 1, we assume, for now, that all

     * WAN captures have frames that look like Ethernet

     * frames (as a result, presumably, of having passed

     * through NDISWAN).

     *

     * In version 2, it looks as if there's stuff in the

     * file header to specify what particular type of WAN

     * capture we have.

     */

    if (version_major == 2) {

      switch (hdr.captype) {

      case WAN_CAPTYPE_PPP:

        /*

         * PPP.

         */

        file_encap = WTAP_ENCAP_PPP_WITH_PHDR;

        break;

      case WAN_CAPTYPE_FRELAY:

        /*

         * Frame Relay.

         *

         * XXX - in at least one capture, this

         * is Cisco HDLC, not Frame Relay, but

         * in another capture, it's Frame Relay.

         *

         * [Bytes in each capture:

         * Cisco HDLC:  hdr.xxx_x60[06:10]: 0x02 0x00 0x01 0x00 0x06

         * Frame Relay: hdr.xxx_x60[06:10]  0x00 0x00 0x00 0x00 0x00

         * Cisco HDLC:  hdr.xxx_x60[14:15]: 0xff 0xff

         * Frame Relay: hdr.xxx_x60[14:15]: 0x00 0x00

         * ]

         */

        file_encap = WTAP_ENCAP_FRELAY_WITH_PHDR;

        break;

      case WAN_CAPTYPE_HDLC:

      case WAN_CAPTYPE_HDLC2:

        /*

         * Various HDLC flavors?

         */

        switch (hdr.wan_hdlc_subsub_captype) {

        case 0: /* LAPB/X.25 */

          /*

           * XXX - at least one capture of

           * this type appears to be PPP.

           */

          file_encap = WTAP_ENCAP_LAPB;

          break;

        case 1: /* E1 PRI */

        case 2: /* T1 PRI */

        case 3: /* BRI */

          file_encap = WTAP_ENCAP_ISDN;

          isdn_type = hdr.wan_hdlc_subsub_captype;

          break;

        default:

          *err = WTAP_ERR_UNSUPPORTED;

          *err_info = ws_strdup_printf("netxray: WAN HDLC capture subsubtype 0x%02x unknown or unsupported",

             hdr.wan_hdlc_subsub_captype);

          return WTAP_OPEN_ERROR;

        }

        break;

      case WAN_CAPTYPE_SDLC:

        /*

         * SDLC.

         */

        file_encap = WTAP_ENCAP_SDLC;

        break;

      case WAN_CAPTYPE_CHDLC:

        /*

         *  Cisco router (CHDLC) captured with pod

         */

        file_encap = WTAP_ENCAP_CHDLC_WITH_PHDR;

        break;

      default:

        *err = WTAP_ERR_UNSUPPORTED;

        *err_info = ws_strdup_printf("netxray: WAN capture subtype 0x%02x unknown or unsupported",

           hdr.captype);

        return WTAP_OPEN_ERROR;

      }

    } else

      file_encap = WTAP_ENCAP_ETHERNET;

  } else

    file_encap = netxray_encap[network_type];

  /* This is a netxray file */

  wth->file_type_subtype = file_type;

  netxray = g_new(netxray_t, 1);

  wth->priv = (void *)netxray;

  wth->subtype_read = netxray_read;

  wth->subtype_seek_read = netxray_seek_read;

  wth->file_encap = file_encap;

  wth->snapshot_length = 0; /* not available in header */

  netxray->start_time = pletohu32(&hdr.start_time);

  netxray->ticks_per_sec = ticks_per_sec;

  netxray->start_timestamp = start_timestamp;

  netxray->version_major = version_major;

  /*

   * If frames have an extra 4 bytes of stuff at the end, is

   * it an FCS, or just junk?

   */

  netxray->fcs_valid = false;

  switch (file_encap) {

  case WTAP_ENCAP_ETHERNET:

  case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:

  case WTAP_ENCAP_ISDN:

  case WTAP_ENCAP_LAPB:

    /*

     * It appears that, in at least some version 2 Ethernet

     * captures, for frames that have 0xff in hdr_2_x.xxx[2]

     * and hdr_2_x.xxx[3] in the per-packet header:

     *

     *  if, in the file header, hdr.realtick[1] is 0x34

     *  and hdr.realtick[2] is 0x12, the frames have an

     *  FCS at the end;

     *

     *  otherwise, they have 4 bytes of junk at the end.

     *

     * Yes, it's strange that you have to check the *middle*

     * of the time stamp field; you can't check for any

     * particular value of the time stamp field.

     *

     * For now, we assume that to be true for 802.11 captures

     * as well; it appears to be the case for at least one

     * such capture - the file doesn't have 0x34 and 0x12,

     * and the 4 bytes at the end of the frames with 0xff

     * are junk, not an FCS.

     *

     * For ISDN captures, it appears, at least in some

     * captures, to be similar, although I haven't yet

     * checked whether it's a valid FCS.

     *

     * XXX - should we do this for all encapsulation types?

     *

     * XXX - is there some other field that *really* indicates

     * whether we have an FCS or not?  The check of the time

     * stamp is bizarre, as we're checking the middle.

     * Perhaps hdr.realtick[0] is 0x00, in which case time

     * stamp units in the range 1192960 through 1193215

     * correspond to captures with an FCS, but that's still

     * a bit bizarre.

     *

     * Note that there are captures with a network type of 0

     * (Ethernet) and capture type of 0 (NDIS) that do, and

     * that don't, have 0x34 0x12 in them, and at least one

     * of the NDIS captures with 0x34 0x12 in it has FCSes,

     * so it's not as if no NDIS captures have an FCS.

     *

     * There are also captures with a network type of 4 (WAN),

     * capture type of 6 (HDLC), and subtype of 2 (T1 PRI) that

     * do, and that don't, have 0x34 0x12, so there are at least

     * some captures taken with a WAN pod that might lack an FCS.

     * (We haven't yet tried dissecting the 4 bytes at the

     * end of packets with hdr_2_x.xxx[2] and hdr_2_x.xxx[3]

     * equal to 0xff as an FCS.)

     *

     * All captures I've seen that have 0x34 and 0x12 *and*

     * have at least one frame with an FCS have a value of

     * 0x01 in xxx_x40[4].  No captures I've seen with a network

     * type of 0 (Ethernet) missing 0x34 0x12 have 0x01 there,

     * however.  However, there's at least one capture

     * without 0x34 and 0x12, with a network type of 0,

     * and with 0x01 in xxx_x40[4], *without* FCSes in the

     * frames - the 4 bytes at the end are all zero - so it's

     * not as simple as "xxx_x40[4] = 0x01 means the 4 bytes at

     * the end are FCSes".  Also, there's also at least one

     * 802.11 capture with an xxx_x40[4] value of 0x01 with junk

     * rather than an FCS at the end of the frame, so xxx_x40[4]

     * isn't an obvious flag to determine whether the

     * capture has FCSes.

     *

     * There don't seem to be any other values in any of the

     * xxx_x5..., xxx_x6...., xxx_x7.... fields

     * that obviously correspond to frames having an FCS.

     *

     * 05/29/07: Examination of numerous sniffer captures suggests

     *            that the apparent correlation of certain realtick

     *            bytes to 'FCS presence' may actually be

     *            a 'false positive'.

     *           ToDo: Review analysis and update code.

     *           It might be that the ticks-per-second value

     *           is hardware-dependent, and that hardware with

     *           a particular realtick value puts an FCS there

     *       and other hardware doesn't.

     */

    if (version_major == 2) {

      if (hdr.realtick[1] == 0x34 && hdr.realtick[2] == 0x12)

        netxray->fcs_valid = true;

    }

    break;

  }

  /*

   * Remember the ISDN type, as we need it to interpret the

   * channel number in ISDN captures.

   */

  netxray->isdn_type = isdn_type;

  /* Remember the offset after the last packet in the capture (which

   * isn't necessarily the last packet in the file), as it appears

   * there's sometimes crud after it.

   * XXX: Remember 'start_offset' to help testing for 'short file' at EOF

   */

  netxray->wrapped      = false;

  netxray->nframes      = pletohu32(&hdr.nframes);

  netxray->start_offset = pletohu32(&hdr.start_offset);