Wireshark 4.7.0
The Wireshark network protocol analyzer
Loading...
Searching...
No Matches
observer.h
Go to the documentation of this file.
1
9/***************************************************************************
10 * *
11 * SPDX-License-Identifier: GPL-2.0-or-later *
12 * *
13 ***************************************************************************/
14
15#ifndef __NETWORK_INSTRUMENTS_H__
16#define __NETWORK_INSTRUMENTS_H__
17
18#include "wtap.h"
19
30wtap_open_return_val observer_open(wtap *wth, int *err, char **err_info);
31
32/*
33 * In v15 the high_byte was added to allow a larger offset This was done by
34 * reducing the size of observer_version by 1 byte. Since version strings are
35 * only 30 characters the high_byte will always be 0 in previous versions.
36 */
37typedef struct capture_file_header
38{
39 char observer_version[31];
40 uint8_t offset_to_first_packet_high_byte; /* allows to extend the offset to the first packet to 256*0x10000 = 16 MB */
41 uint16_t offset_to_first_packet;
42 char probe_instance;
43 uint8_t number_of_information_elements; /* number of TLVs in the header */
44} capture_file_header;
45
46#define CAPTURE_FILE_HEADER_FROM_LE_IN_PLACE(_capture_file_header) \
47 _capture_file_header.offset_to_first_packet = GUINT16_FROM_LE((_capture_file_header).offset_to_first_packet)
48
49#define CAPTURE_FILE_HEADER_TO_LE_IN_PLACE(_capture_file_header) \
50 _capture_file_header.offset_to_first_packet = GUINT16_TO_LE((_capture_file_header).offset_to_first_packet)
51
52typedef struct tlv_header
53{
54 uint16_t type;
55 uint16_t length; /* includes the length of the TLV header */
56} tlv_header;
57
58#define TLV_HEADER_FROM_LE_IN_PLACE(_tlv_header) \
59 (_tlv_header).type = GUINT16_FROM_LE((_tlv_header).type); \
60 (_tlv_header).length = GUINT16_FROM_LE((_tlv_header).length)
61
62#define TLV_HEADER_TO_LE_IN_PLACE(_tlv_header) \
63 (_tlv_header).type = GUINT16_TO_LE((_tlv_header).type); \
64 (_tlv_header).length = GUINT16_TO_LE((_tlv_header).length)
65
66/*
67 * TLV type values.
68 *
69 * Do TLVs without the 0x0100 bit set show up in packets, and
70 * do TLVs with that set show up in the file header, or are
71 * there two separate types of TLV?
72 *
73 * ALIAS_LIST contains an ASCII string (null-terminated, but
74 * we can't trust that, of course) that is the pathname of
75 * a file containing the alias list. Not much use to us.
76 *
77 * COMMENT contains an ASCII string (null-terminated, but
78 * we can't trust that, of course); in all the captures
79 * I've seen, it appears to be a note about the file added
80 * by Observer, not by a user. It appears to end with 0x0a
81 * 0x2e, i.e. '\n' '.'.
82 *
83 * REMOTE_PROBE contains, in all the captures I've seen, an
84 * ASCII string (null-terminated, but we cna't trust that,
85 * of course) of the form "Remote Probe [hex string]". THe
86 * hex string has 8 characters, i.e. 4 octets.
87 *
88 * The Observer document indicates that the types of expert information
89 * packets are:
90 *
91 * Network Load (markers used by Expert Time Interval and What If
92 * analysis modes)
93 *
94 * Start/Stop Packet Capture marker frames (with time stamps when
95 * captures start and stop)
96 *
97 * Wireless Channel Change (markers showing what channel was being
98 * currently listened to)
99 *
100 * That information appears to be contained in TLVs.
101 */
102#define INFORMATION_TYPE_ALIAS_LIST 0x0001
103#define INFORMATION_TYPE_COMMENT 0x0002 /* ASCII text */
104#define INFORMATION_TYPE_TIME_INFO 0x0004
105#define INFORMATION_TYPE_REMOTE_PROBE 0x0005
106#define INFORMATION_TYPE_NETWORK_LOAD 0x0100
107#define INFORMATION_TYPE_WIRELESS 0x0101
108#define INFORMATION_TYPE_CAPTURE_START_STOP 0x0104
109
110/*
111 * See in Fibre Channel captures; not seen elsewhere.
112 *
113 * It has 4 bytes of data in all captures I've seen.
114 */
115/* 0x0106 */
116
117typedef struct tlv_time_info {
118 uint32_t time_format;
119} tlv_time_info;
120
121/*
122 * TIME_INFO time_format values.
123 */
124#define TIME_INFO_LOCAL 0
125#define TIME_INFO_GMT 1
126
127#define TLV_TIME_INFO_FROM_LE_IN_PLACE(_tlv_time_info) \
128 (_tlv_time_info).time_format = GUINT32_FROM_LE((_tlv_time_info).time_format)
129
130#define TLV_TIME_INFO_TO_LE_IN_PLACE(_tlv_time_info) \
131 (_tlv_time_info).time_format = GUINT32_TO_LE((_tlv_time_info).time_format)
132
133/*
134 * Might some of these be broadcast and multicast packet counts, or
135 * error counts, or both?
136 */
137typedef struct tlv_network_load
138{
139 uint32_t utilization; /* network utilization, in .1% units */
140 uint32_t unknown1; /* zero in all captures I've seen */
141 uint32_t unknown2; /* zero in all captures I've seen */
142 uint32_t packets_per_second;
143 uint32_t unknown3; /* zero in all captures I've seen */
144 uint32_t bytes_per_second;
145 uint32_t unknown4; /* zero in all captures I've seen */
146} tlv_network_load;
147
148#define TLV_NETWORK_LOAD_FROM_LE_IN_PLACE(_tlv_network_load) \
149 (_tlv_network_load).utilization = GUINT32_FROM_LE((_tlv_network_load).utilization); \
150 (_tlv_network_load).unknown1 = GUINT32_FROM_LE((_tlv_network_load).unknown1); \
151 (_tlv_network_load).unknown2 = GUINT32_FROM_LE((_tlv_network_load).unknown2); \
152 (_tlv_network_load).packets_per_second = GUINT32_FROM_LE((_tlv_network_load).packets_per_second); \
153 (_tlv_network_load).unknown3 = GUINT32_FROM_LE((_tlv_network_load).unknown3); \
154 (_tlv_network_load).bytes_per_second = GUINT32_FROM_LE((_tlv_network_load).bytes_per_second); \
155 (_tlv_network_load).unknown4 = GUINT32_FROM_LE((_tlv_network_load).unknown4) \
156
157#define TLV_NETWORK_LOAD_TO_LE_IN_PLACE(_tlv_network_load) \
158 (_tlv_network_load).utilization = GUINT32_TO_LE((_tlv_network_load).utilization); \
159 (_tlv_network_load).unknown1 = GUINT32_TO_LE((_tlv_network_load).unknown1); \
160 (_tlv_network_load).unknown2 = GUINT32_TO_LE((_tlv_network_load).unknown2); \
161 (_tlv_network_load).packets_per_second = GUINT32_TO_LE((_tlv_network_load).packets_per_second); \
162 (_tlv_network_load).unknown3 = GUINT32_TO_LE((_tlv_network_load).unknown3); \
163 (_tlv_network_load).bytes_per_second = GUINT32_TO_LE((_tlv_network_load).bytes_per_second); \
164 (_tlv_network_load).unknown4 = GUINT32_TO_LE((_tlv_network_load).unknown4) \
165
166/*
167 * quality is presumably some measure of signal quality; in
168 * the captures I've seen, it has values of 15, 20-27, 50-54,
169 * 208, and 213.
170 *
171 * conditions has values of 0x00, 0x02, and 0x90.
172 *
173 * reserved is either 0x00 or 0x80; the 0x80 values
174 * are for TLVs where conditions is 0x90.
175 */
176typedef struct tlv_wireless_info {
177 uint8_t quality;
178 uint8_t signalStrength;
179 uint8_t rate;
180 uint8_t frequency;
181 uint8_t qualityPercent;
182 uint8_t strengthPercent;
183 uint8_t conditions;
184 uint8_t reserved;
185} tlv_wireless_info;
186
187/*
188 * Wireless conditions
189 */
190#define WIRELESS_WEP_SUCCESS 0x80
191/* 0x10 */
192/* 0x02 */
193
194typedef struct tlv_capture_start_stop
195{
196 uint32_t start_stop;
197} tlv_capture_start_stop;
198
199#define START_STOP_TYPE_STOP 0
200#define START_STOP_TYPE_START 1
201
202typedef struct packet_entry_header
203{
204 uint32_t packet_magic;
205 uint32_t network_speed;
206 uint16_t captured_size;
207 uint16_t network_size;
208 uint16_t offset_to_frame;
209 uint16_t offset_to_next_packet;
210 uint8_t network_type;
211 uint8_t flags;
212 uint8_t number_of_information_elements; /* number of TLVs in the header */
213 uint8_t packet_type;
214 uint16_t errors;
215 uint16_t reserved;
216 uint64_t packet_number;
217 uint64_t original_packet_number;
218 uint64_t nano_seconds_since_2000;
219} packet_entry_header;
220
221#define PACKET_ENTRY_HEADER_FROM_LE_IN_PLACE(_packet_entry_header) \
222 (_packet_entry_header).packet_magic = GUINT32_FROM_LE((_packet_entry_header).packet_magic); \
223 (_packet_entry_header).network_speed = GUINT32_FROM_LE((_packet_entry_header).network_speed); \
224 (_packet_entry_header).captured_size = GUINT16_FROM_LE((_packet_entry_header).captured_size); \
225 (_packet_entry_header).network_size = GUINT16_FROM_LE((_packet_entry_header).network_size); \
226 (_packet_entry_header).offset_to_frame = GUINT16_FROM_LE((_packet_entry_header).offset_to_frame); \
227 (_packet_entry_header).offset_to_next_packet = GUINT16_FROM_LE((_packet_entry_header).offset_to_next_packet); \
228 (_packet_entry_header).errors = GUINT16_FROM_LE((_packet_entry_header).errors); \
229 (_packet_entry_header).reserved = GUINT16_FROM_LE((_packet_entry_header).reserved); \
230 (_packet_entry_header).packet_number = GUINT64_FROM_LE((_packet_entry_header).packet_number); \
231 (_packet_entry_header).original_packet_number = GUINT64_FROM_LE((_packet_entry_header).original_packet_number); \
232 (_packet_entry_header).nano_seconds_since_2000 = GUINT64_FROM_LE((_packet_entry_header).nano_seconds_since_2000)
233
234#define PACKET_ENTRY_HEADER_TO_LE_IN_PLACE(_packet_entry_header) \
235 (_packet_entry_header).packet_magic = GUINT32_TO_LE((_packet_entry_header).packet_magic); \
236 (_packet_entry_header).network_speed = GUINT32_TO_LE((_packet_entry_header).network_speed); \
237 (_packet_entry_header).captured_size = GUINT16_TO_LE((_packet_entry_header).captured_size); \
238 (_packet_entry_header).network_size = GUINT16_TO_LE((_packet_entry_header).network_size); \
239 (_packet_entry_header).offset_to_frame = GUINT16_TO_LE((_packet_entry_header).offset_to_frame); \
240 (_packet_entry_header).offset_to_next_packet = GUINT16_TO_LE((_packet_entry_header).offset_to_next_packet); \
241 (_packet_entry_header).errors = GUINT16_TO_LE((_packet_entry_header).errors); \
242 (_packet_entry_header).reserved = GUINT16_TO_LE((_packet_entry_header).reserved); \
243 (_packet_entry_header).packet_number = GUINT64_TO_LE((_packet_entry_header).packet_number); \
244 (_packet_entry_header).original_packet_number = GUINT64_TO_LE((_packet_entry_header).original_packet_number); \
245 (_packet_entry_header).nano_seconds_since_2000 = GUINT64_TO_LE((_packet_entry_header).nano_seconds_since_2000)
246
247/*
248 * Network type values.
249 */
250#define OBSERVER_UNDEFINED 0xFF
251#define OBSERVER_ETHERNET 0x00
252#define OBSERVER_TOKENRING 0x01
253#define OBSERVER_FIBRE_CHANNEL 0x08
254#define OBSERVER_WIRELESS_802_11 0x09
255
256/*
257 * Packet type values.
258 */
259#define PACKET_TYPE_DATA_PACKET 0
260#define PACKET_TYPE_EXPERT_INFORMATION_PACKET 1
261
262#endif
observer_open
wtap_open_return_val observer_open(wtap *wth, int *err, char **err_info)
Opens a capture file using the observer format.
Definition observer.c:123
capture_file_header
Definition observer.h:38
packet_entry_header
Definition observer.h:203
tlv_capture_start_stop
Definition observer.h:195
tlv_header
Definition observer.h:53
tlv_network_load
Definition observer.h:138
tlv_time_info
Definition observer.h:117
tlv_wireless_info
Definition observer.h:176
wtap
Definition wtap_module.h:58
wtap_open_return_val
wtap_open_return_val
For registering file types that we can open.
Definition wtap.h:1751
Generated by doxygen 1.9.8