9/***************************************************************************
10 * *
11 * SPDX-License-Identifier: GPL-2.0-or-later *
12 * *
13 ***************************************************************************/
14
15#ifndef __NETWORK_INSTRUMENTS_H__
16#define __NETWORK_INSTRUMENTS_H__
17
18#include "wtap.h"
19
/*
 * Open routine for Observer capture files: the hook wiretap calls to ask
 * whether the file behind wth is in this format and, if so, to set up the
 * per-file read state.
 *
 * NOTE(review): the meaning of the wtap_open_return_val values and the
 * ownership of *err / *err_info follow the generic wiretap open-routine
 * contract declared in wtap.h; none of that is visible in this header,
 * so confirm there rather than here.
 */
wtap_open_return_val observer_open(wtap *wth, int *err, char **err_info);
21
22/*
 * In v15 the high_byte was added to allow a larger offset. This was done by
24 * reducing the size of observer_version by 1 byte. Since version strings are
25 * only 30 characters the high_byte will always be 0 in previous versions.
26 */
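/*
 * On-disk file header.  Field order and widths are the wire format; do not
 * reorder or retype them.
 *
 * NOTE(review): every field is read straight from the (untrusted) file.
 * The first-packet offset is (high_byte << 16) | offset_to_first_packet and
 * has to be checked against sizeof(capture_file_header) and the file size
 * before it is used as a seek distance; that check belongs in the reader,
 * nothing here enforces it.
 */
typedef struct capture_file_header
{
    char     observer_version[31];              /* version string, at most 30 chars; the file may omit the NUL, so never strlen() it unchecked */
    uint8_t  offset_to_first_packet_high_byte;  /* bits 16..23 of the offset to the first packet: extends the reach to 256*0x10000 = 16 MB; always 0 before v15 */
    uint16_t offset_to_first_packet;            /* bits 0..15 of that offset; stored little-endian, converted by the macros below */
    char     probe_instance;
    uint8_t  number_of_information_elements;    /* number of TLVs (tlv_header + payload) that follow this header */
} capture_file_header;

/*
 * Convert the one multi-byte field stored little-endian in the file to/from
 * host order, in place.  The high byte of the offset is a single octet and
 * needs no conversion.  The argument is a struct lvalue (not a pointer) and
 * is evaluated twice, so pass a plain variable, never an expression with
 * side effects.
 */
#define CAPTURE_FILE_HEADER_FROM_LE_IN_PLACE(_capture_file_header) \
    (_capture_file_header).offset_to_first_packet = GUINT16_FROM_LE((_capture_file_header).offset_to_first_packet)

#define CAPTURE_FILE_HEADER_TO_LE_IN_PLACE(_capture_file_header) \
    (_capture_file_header).offset_to_first_packet = GUINT16_TO_LE((_capture_file_header).offset_to_first_packet)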
41
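/*
 * Header of every information element (TLV) in the file header and in
 * packet entries.  Both fields are little-endian in the file.
 *
 * NOTE(review): length counts this 4-byte header as well as the payload and
 * comes from the file.  A reader must reject length < sizeof(tlv_header)
 * before computing the payload size (the subtraction would otherwise wrap)
 * and must also check length against the bytes remaining in the enclosing
 * header or packet entry.  Nothing here enforces either check.
 */
typedef struct tlv_header
{
    uint16_t type;      /* INFORMATION_TYPE_* value */
    uint16_t length;    /* total size of the TLV in bytes, INCLUDING this header */
} tlv_header;

/*
 * Byte-swap both fields in place.  Expands to a single statement so it is
 * safe as the body of an un-braced if/else; the argument is a struct lvalue
 * that is evaluated once per field.
 */
#define TLV_HEADER_FROM_LE_IN_PLACE(_tlv_header) \
    do { \
        (_tlv_header).type   = GUINT16_FROM_LE((_tlv_header).type); \
        (_tlv_header).length = GUINT16_FROM_LE((_tlv_header).length); \
    } while (0)

#define TLV_HEADER_TO_LE_IN_PLACE(_tlv_header) \
    do { \
        (_tlv_header).type   = GUINT16_TO_LE((_tlv_header).type); \
        (_tlv_header).length = GUINT16_TO_LE((_tlv_header).length); \
    } while (0)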
55
56/*
57 * TLV type values.
58 *
59 * Do TLVs without the 0x0100 bit set show up in packets, and
60 * do TLVs with that set show up in the file header, or are
61 * there two separate types of TLV?
62 *
63 * ALIAS_LIST contains an ASCII string (null-terminated, but
64 * we can't trust that, of course) that is the pathname of
65 * a file containing the alias list. Not much use to us.
66 *
67 * COMMENT contains an ASCII string (null-terminated, but
68 * we can't trust that, of course); in all the captures
69 * I've seen, it appears to be a note about the file added
70 * by Observer, not by a user. It appears to end with 0x0a
71 * 0x2e, i.e. '\n' '.'.
72 *
73 * REMOTE_PROBE contains, in all the captures I've seen, an
 * ASCII string (null-terminated, but we can't trust that,
 * of course) of the form "Remote Probe [hex string]". The
76 * hex string has 8 characters, i.e. 4 octets.
77 *
78 * The Observer document indicates that the types of expert information
79 * packets are:
80 *
81 * Network Load (markers used by Expert Time Interval and What If
82 * analysis modes)
83 *
84 * Start/Stop Packet Capture marker frames (with time stamps when
85 * captures start and stop)
86 *
87 * Wireless Channel Change (markers showing what channel was being
88 * currently listened to)
89 *
90 * That information appears to be contained in TLVs.
91 */
/* Values of tlv_header.type.  See the comment above for what has been
 * observed in each; the payload formats described there are empirical. */
#define INFORMATION_TYPE_ALIAS_LIST 0x0001          /* ASCII pathname of an alias-list file; NUL termination not guaranteed */
#define INFORMATION_TYPE_COMMENT 0x0002 /* ASCII text */ /* NUL termination not guaranteed */
#define INFORMATION_TYPE_TIME_INFO 0x0004           /* presumably carried as a tlv_time_info */
#define INFORMATION_TYPE_REMOTE_PROBE 0x0005        /* ASCII "Remote Probe [8 hex chars]"; NUL termination not guaranteed */
#define INFORMATION_TYPE_NETWORK_LOAD 0x0100        /* presumably a tlv_network_load payload */
#define INFORMATION_TYPE_WIRELESS 0x0101            /* presumably a tlv_wireless_info payload */
#define INFORMATION_TYPE_CAPTURE_START_STOP 0x0104  /* capture start/stop marker */

/*
 * Seen in Fibre Channel captures; not seen elsewhere.
 *
 * It has 4 bytes of data in all captures I've seen.  No symbolic name has
 * been given to it, so the value is recorded here as a comment only.
 */
/* 0x0106 */
106
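/*
 * TIME_INFO element, header and payload together: the first two fields are
 * the tlv_header, the third is the payload.  sizeof(tlv_time_info) is 8, so
 * a TIME_INFO TLV whose length is less than 8 cannot hold time_format and
 * must be treated as malformed by the reader.
 */
typedef struct tlv_time_info {
    uint16_t type;          /* tlv_header.type; presumably INFORMATION_TYPE_TIME_INFO */
    uint16_t length;        /* tlv_header.length: whole TLV, including these 4 header bytes */
    uint32_t time_format;   /* TIME_INFO_LOCAL or TIME_INFO_GMT; little-endian in the file */
} tlv_time_info;

/*
 * TIME_INFO time_format values.
 */
#define TIME_INFO_LOCAL 0   /* timestamps are in local time */
#define TIME_INFO_GMT 1     /* timestamps are in GMT/UTC */

/*
 * Byte-swap time_format in place.  Only the payload field is converted;
 * type and length are not touched here (the tlv_header macros handle them).
 * The argument is a struct lvalue evaluated twice.
 */
#define TLV_TIME_INFO_FROM_LE_IN_PLACE(_tlv_time_info) \
    (_tlv_time_info).time_format = GUINT32_FROM_LE((_tlv_time_info).time_format)

#define TLV_TIME_INFO_TO_LE_IN_PLACE(_tlv_time_info) \
    (_tlv_time_info).time_format = GUINT32_TO_LE((_tlv_time_info).time_format)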
124
125/*
 * Might some of these be broadcast and multicast packet counts, or
127 * error counts, or both?
128 */
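/*
 * Payload of a NETWORK_LOAD element.  Unlike tlv_time_info this struct does
 * NOT embed the tlv_header; it is the 28 bytes that follow one.  All fields
 * are little-endian in the file.  The reader must confirm the TLV length
 * covers sizeof(tlv_network_load) before reading it.
 */
typedef struct tlv_network_load
{
    uint32_t utilization;           /* network utilization, in .1% units */
    uint32_t unknown1;              /* zero in all captures I've seen */
    uint32_t unknown2;              /* zero in all captures I've seen */
    uint32_t packets_per_second;
    uint32_t unknown3;              /* zero in all captures I've seen */
    uint32_t bytes_per_second;
    uint32_t unknown4;              /* zero in all captures I've seen */
} tlv_network_load;

/*
 * Byte-swap every field in place.  Expands to a single statement (so it is
 * safe as the body of an un-braced if/else); the argument is a struct
 * lvalue evaluated once per field.  Note: no trailing backslash after the
 * last line, so the following blank line is not part of the macro.
 */
#define TLV_NETWORK_LOAD_FROM_LE_IN_PLACE(_tlv_network_load) \
    do { \
        (_tlv_network_load).utilization        = GUINT32_FROM_LE((_tlv_network_load).utilization); \
        (_tlv_network_load).unknown1           = GUINT32_FROM_LE((_tlv_network_load).unknown1); \
        (_tlv_network_load).unknown2           = GUINT32_FROM_LE((_tlv_network_load).unknown2); \
        (_tlv_network_load).packets_per_second = GUINT32_FROM_LE((_tlv_network_load).packets_per_second); \
        (_tlv_network_load).unknown3           = GUINT32_FROM_LE((_tlv_network_load).unknown3); \
        (_tlv_network_load).bytes_per_second   = GUINT32_FROM_LE((_tlv_network_load).bytes_per_second); \
        (_tlv_network_load).unknown4           = GUINT32_FROM_LE((_tlv_network_load).unknown4); \
    } while (0)

#define TLV_NETWORK_LOAD_TO_LE_IN_PLACE(_tlv_network_load) \
    do { \
        (_tlv_network_load).utilization        = GUINT32_TO_LE((_tlv_network_load).utilization); \
        (_tlv_network_load).unknown1           = GUINT32_TO_LE((_tlv_network_load).unknown1); \
        (_tlv_network_load).unknown2           = GUINT32_TO_LE((_tlv_network_load).unknown2); \
        (_tlv_network_load).packets_per_second = GUINT32_TO_LE((_tlv_network_load).packets_per_second); \
        (_tlv_network_load).unknown3           = GUINT32_TO_LE((_tlv_network_load).unknown3); \
        (_tlv_network_load).bytes_per_second   = GUINT32_TO_LE((_tlv_network_load).bytes_per_second); \
        (_tlv_network_load).unknown4           = GUINT32_TO_LE((_tlv_network_load).unknown4); \
    } while (0)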
157
158/*
159 * quality is presumably some measure of signal quality; in
160 * the captures I've seen, it has values of 15, 20-27, 50-54,
161 * 208, and 213.
162 *
163 * conditions has values of 0x00, 0x02, and 0x90.
164 *
165 * reserved is either 0x00 or 0x80; the 0x80 values
166 * are for TLVs where conditions is 0x90.
167 */
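/*
 * Payload of a WIRELESS element (the tlv_header precedes it; it is not part
 * of this struct).  Every field is one byte, so no byte-order conversion
 * macro exists for it.  The reader must still confirm the TLV length covers
 * sizeof(tlv_wireless_info) (8 bytes) before reading the payload.
 */
typedef struct tlv_wireless_info {
    uint8_t quality;            /* observed values: 15, 20-27, 50-54, 208, 213 (see above) */
    uint8_t signalStrength;
    uint8_t rate;
    uint8_t frequency;
    uint8_t qualityPercent;
    uint8_t strengthPercent;
    uint8_t conditions;         /* bit mask; 0x00, 0x02 and 0x90 observed; WIRELESS_WEP_SUCCESS is the only named bit */
    uint8_t reserved;           /* 0x00 or 0x80; 0x80 goes with conditions == 0x90 */
} tlv_wireless_info;

/*
 * Wireless conditions (bits of tlv_wireless_info.conditions).
 */
#define WIRELESS_WEP_SUCCESS 0x80
/* 0x10 */   /* seen set, meaning unknown */
/* 0x02 */   /* seen set, meaning unknown */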
185
187{
188 uint32_t start_stop;
190
191#define START_STOP_TYPE_STOP 0
192#define START_STOP_TYPE_START 1
193
195{
196 uint32_t packet_magic;
197 uint32_t network_speed;
198 uint16_t captured_size;
199 uint16_t network_size;
200 uint16_t offset_to_frame;
201 uint16_t offset_to_next_packet;
202 uint8_t network_type;
203 uint8_t flags;
204 uint8_t number_of_information_elements; /* number of TLVs in the header */
205 uint8_t packet_type;
206 uint16_t errors;
207 uint16_t reserved;
208 uint64_t packet_number;
209 uint64_t original_packet_number;
210 uint64_t nano_seconds_since_2000;
212
213#define PACKET_ENTRY_HEADER_FROM_LE_IN_PLACE(_packet_entry_header) \
214 (_packet_entry_header).packet_magic = GUINT32_FROM_LE((_packet_entry_header).packet_magic); \
215 (_packet_entry_header).network_speed = GUINT32_FROM_LE((_packet_entry_header).network_speed); \
216 (_packet_entry_header).captured_size = GUINT16_FROM_LE((_packet_entry_header).captured_size); \
217 (_packet_entry_header).network_size = GUINT16_FROM_LE((_packet_entry_header).network_size); \
218 (_packet_entry_header).offset_to_frame = GUINT16_FROM_LE((_packet_entry_header).offset_to_frame); \
219 (_packet_entry_header).offset_to_next_packet = GUINT16_FROM_LE((_packet_entry_header).offset_to_next_packet); \
220 (_packet_entry_header).errors = GUINT16_FROM_LE((_packet_entry_header).errors); \
221 (_packet_entry_header).reserved = GUINT16_FROM_LE((_packet_entry_header).reserved); \
222 (_packet_entry_header).packet_number = GUINT64_FROM_LE((_packet_entry_header).packet_number); \
223 (_packet_entry_header).original_packet_number = GUINT64_FROM_LE((_packet_entry_header).original_packet_number); \
224 (_packet_entry_header).nano_seconds_since_2000 = GUINT64_FROM_LE((_packet_entry_header).nano_seconds_since_2000)
225
226#define PACKET_ENTRY_HEADER_TO_LE_IN_PLACE(_packet_entry_header) \
227 (_packet_entry_header).packet_magic = GUINT32_TO_LE((_packet_entry_header).packet_magic); \
228 (_packet_entry_header).network_speed = GUINT32_TO_LE((_packet_entry_header).network_speed); \
229 (_packet_entry_header).captured_size = GUINT16_TO_LE((_packet_entry_header).captured_size); \
230 (_packet_entry_header).network_size = GUINT16_TO_LE((_packet_entry_header).network_size); \
231 (_packet_entry_header).offset_to_frame = GUINT16_TO_LE((_packet_entry_header).offset_to_frame); \
232 (_packet_entry_header).offset_to_next_packet = GUINT16_TO_LE((_packet_entry_header).offset_to_next_packet); \
233 (_packet_entry_header).errors = GUINT16_TO_LE((_packet_entry_header).errors); \
234 (_packet_entry_header).reserved = GUINT16_TO_LE((_packet_entry_header).reserved); \
235 (_packet_entry_header).packet_number = GUINT64_TO_LE((_packet_entry_header).packet_number); \
236 (_packet_entry_header).original_packet_number = GUINT64_TO_LE((_packet_entry_header).original_packet_number); \
237 (_packet_entry_header).nano_seconds_since_2000 = GUINT64_TO_LE((_packet_entry_header).nano_seconds_since_2000)
238
239/*
240 * Network type values.
241 */
/* Values of packet_entry_header.network_type.  Anything else should be
 * treated by the reader as an unsupported link type, not mapped by default. */
#define OBSERVER_UNDEFINED 0xFF
#define OBSERVER_ETHERNET 0x00
#define OBSERVER_TOKENRING 0x01
#define OBSERVER_FIBRE_CHANNEL 0x08
#define OBSERVER_WIRELESS_802_11 0x09

/*
 * Packet type values.
 */
/* Values of packet_entry_header.packet_type.  Expert-information entries are
 * presumably the TLV-carrying marker frames described near the TLV type
 * values above, rather than captured frames — confirm in the reader. */
#define PACKET_TYPE_DATA_PACKET 0
#define PACKET_TYPE_EXPERT_INFORMATION_PACKET 1
253
254#endif