Wireshark 4.7.0
The Wireshark network protocol analyzer
Loading...
Searching...
No Matches
observer.h
Go to the documentation of this file.
1
9/***************************************************************************
10 * *
11 * SPDX-License-Identifier: GPL-2.0-or-later *
12 * *
13 ***************************************************************************/
14
15#ifndef __NETWORK_INSTRUMENTS_H__
16#define __NETWORK_INSTRUMENTS_H__
17
18#include "wtap.h"
19
20wtap_open_return_val observer_open(wtap *wth, int *err, char **err_info);
21
22/*
23 * In v15 the high_byte was added to allow a larger offset This was done by
24 * reducing the size of observer_version by 1 byte. Since version strings are
25 * only 30 characters the high_byte will always be 0 in previous versions.
26 */
27typedef struct capture_file_header
28{
29 char observer_version[31];
30 uint8_t offset_to_first_packet_high_byte; /* allows to extend the offset to the first packet to 256*0x10000 = 16 MB */
31 uint16_t offset_to_first_packet;
32 char probe_instance;
33 uint8_t number_of_information_elements; /* number of TLVs in the header */
34} capture_file_header;
35
36#define CAPTURE_FILE_HEADER_FROM_LE_IN_PLACE(_capture_file_header) \
37 _capture_file_header.offset_to_first_packet = GUINT16_FROM_LE((_capture_file_header).offset_to_first_packet)
38
39#define CAPTURE_FILE_HEADER_TO_LE_IN_PLACE(_capture_file_header) \
40 _capture_file_header.offset_to_first_packet = GUINT16_TO_LE((_capture_file_header).offset_to_first_packet)
41
42typedef struct tlv_header
43{
44 uint16_t type;
45 uint16_t length; /* includes the length of the TLV header */
46} tlv_header;
47
48#define TLV_HEADER_FROM_LE_IN_PLACE(_tlv_header) \
49 (_tlv_header).type = GUINT16_FROM_LE((_tlv_header).type); \
50 (_tlv_header).length = GUINT16_FROM_LE((_tlv_header).length)
51
52#define TLV_HEADER_TO_LE_IN_PLACE(_tlv_header) \
53 (_tlv_header).type = GUINT16_TO_LE((_tlv_header).type); \
54 (_tlv_header).length = GUINT16_TO_LE((_tlv_header).length)
55
56/*
57 * TLV type values.
58 *
59 * Do TLVs without the 0x0100 bit set show up in packets, and
60 * do TLVs with that set show up in the file header, or are
61 * there two separate types of TLV?
62 *
63 * ALIAS_LIST contains an ASCII string (null-terminated, but
64 * we can't trust that, of course) that is the pathname of
65 * a file containing the alias list. Not much use to us.
66 *
67 * COMMENT contains an ASCII string (null-terminated, but
68 * we can't trust that, of course); in all the captures
69 * I've seen, it appears to be a note about the file added
70 * by Observer, not by a user. It appears to end with 0x0a
71 * 0x2e, i.e. '\n' '.'.
72 *
73 * REMOTE_PROBE contains, in all the captures I've seen, an
74 * ASCII string (null-terminated, but we cna't trust that,
75 * of course) of the form "Remote Probe [hex string]". THe
76 * hex string has 8 characters, i.e. 4 octets.
77 *
78 * The Observer document indicates that the types of expert information
79 * packets are:
80 *
81 * Network Load (markers used by Expert Time Interval and What If
82 * analysis modes)
83 *
84 * Start/Stop Packet Capture marker frames (with time stamps when
85 * captures start and stop)
86 *
87 * Wireless Channel Change (markers showing what channel was being
88 * currently listened to)
89 *
90 * That information appears to be contained in TLVs.
91 */
92#define INFORMATION_TYPE_ALIAS_LIST 0x0001
93#define INFORMATION_TYPE_COMMENT 0x0002 /* ASCII text */
94#define INFORMATION_TYPE_TIME_INFO 0x0004
95#define INFORMATION_TYPE_REMOTE_PROBE 0x0005
96#define INFORMATION_TYPE_NETWORK_LOAD 0x0100
97#define INFORMATION_TYPE_WIRELESS 0x0101
98#define INFORMATION_TYPE_CAPTURE_START_STOP 0x0104
99
100/*
101 * See in Fibre Channel captures; not seen elsewhere.
102 *
103 * It has 4 bytes of data in all captures I've seen.
104 */
105/* 0x0106 */
106
107typedef struct tlv_time_info {
108 uint32_t time_format;
109} tlv_time_info;
110
111/*
112 * TIME_INFO time_format values.
113 */
114#define TIME_INFO_LOCAL 0
115#define TIME_INFO_GMT 1
116
117#define TLV_TIME_INFO_FROM_LE_IN_PLACE(_tlv_time_info) \
118 (_tlv_time_info).time_format = GUINT32_FROM_LE((_tlv_time_info).time_format)
119
120#define TLV_TIME_INFO_TO_LE_IN_PLACE(_tlv_time_info) \
121 (_tlv_time_info).time_format = GUINT32_TO_LE((_tlv_time_info).time_format)
122
123/*
124 * Might some of these be broadcast and multicast packet counts, or
125 * error counts, or both?
126 */
127typedef struct tlv_network_load
128{
129 uint32_t utilization; /* network utilization, in .1% units */
130 uint32_t unknown1; /* zero in all captures I've seen */
131 uint32_t unknown2; /* zero in all captures I've seen */
132 uint32_t packets_per_second;
133 uint32_t unknown3; /* zero in all captures I've seen */
134 uint32_t bytes_per_second;
135 uint32_t unknown4; /* zero in all captures I've seen */
136} tlv_network_load;
137
138#define TLV_NETWORK_LOAD_FROM_LE_IN_PLACE(_tlv_network_load) \
139 (_tlv_network_load).utilization = GUINT32_FROM_LE((_tlv_network_load).utilization); \
140 (_tlv_network_load).unknown1 = GUINT32_FROM_LE((_tlv_network_load).unknown1); \
141 (_tlv_network_load).unknown2 = GUINT32_FROM_LE((_tlv_network_load).unknown2); \
142 (_tlv_network_load).packets_per_second = GUINT32_FROM_LE((_tlv_network_load).packets_per_second); \
143 (_tlv_network_load).unknown3 = GUINT32_FROM_LE((_tlv_network_load).unknown3); \
144 (_tlv_network_load).bytes_per_second = GUINT32_FROM_LE((_tlv_network_load).bytes_per_second); \
145 (_tlv_network_load).unknown4 = GUINT32_FROM_LE((_tlv_network_load).unknown4) \
146
147#define TLV_NETWORK_LOAD_TO_LE_IN_PLACE(_tlv_network_load) \
148 (_tlv_network_load).utilization = GUINT32_TO_LE((_tlv_network_load).utilization); \
149 (_tlv_network_load).unknown1 = GUINT32_TO_LE((_tlv_network_load).unknown1); \
150 (_tlv_network_load).unknown2 = GUINT32_TO_LE((_tlv_network_load).unknown2); \
151 (_tlv_network_load).packets_per_second = GUINT32_TO_LE((_tlv_network_load).packets_per_second); \
152 (_tlv_network_load).unknown3 = GUINT32_TO_LE((_tlv_network_load).unknown3); \
153 (_tlv_network_load).bytes_per_second = GUINT32_TO_LE((_tlv_network_load).bytes_per_second); \
154 (_tlv_network_load).unknown4 = GUINT32_TO_LE((_tlv_network_load).unknown4) \
155
156/*
157 * quality is presumably some measure of signal quality; in
158 * the captures I've seen, it has values of 15, 20-27, 50-54,
159 * 208, and 213.
160 *
161 * conditions has values of 0x00, 0x02, and 0x90.
162 *
163 * reserved is either 0x00 or 0x80; the 0x80 values
164 * are for TLVs where conditions is 0x90.
165 */
166typedef struct tlv_wireless_info {
167 uint8_t quality;
168 uint8_t signalStrength;
169 uint8_t rate;
170 uint8_t frequency;
171 uint8_t qualityPercent;
172 uint8_t strengthPercent;
173 uint8_t conditions;
174 uint8_t reserved;
175} tlv_wireless_info;
176
177/*
178 * Wireless conditions
179 */
180#define WIRELESS_WEP_SUCCESS 0x80
181/* 0x10 */
182/* 0x02 */
183
184typedef struct tlv_capture_start_stop
185{
186 uint32_t start_stop;
187} tlv_capture_start_stop;
188
189#define START_STOP_TYPE_STOP 0
190#define START_STOP_TYPE_START 1
191
192typedef struct packet_entry_header
193{
194 uint32_t packet_magic;
195 uint32_t network_speed;
196 uint16_t captured_size;
197 uint16_t network_size;
198 uint16_t offset_to_frame;
199 uint16_t offset_to_next_packet;
200 uint8_t network_type;
201 uint8_t flags;
202 uint8_t number_of_information_elements; /* number of TLVs in the header */
203 uint8_t packet_type;
204 uint16_t errors;
205 uint16_t reserved;
206 uint64_t packet_number;
207 uint64_t original_packet_number;
208 uint64_t nano_seconds_since_2000;
209} packet_entry_header;
210
211#define PACKET_ENTRY_HEADER_FROM_LE_IN_PLACE(_packet_entry_header) \
212 (_packet_entry_header).packet_magic = GUINT32_FROM_LE((_packet_entry_header).packet_magic); \
213 (_packet_entry_header).network_speed = GUINT32_FROM_LE((_packet_entry_header).network_speed); \
214 (_packet_entry_header).captured_size = GUINT16_FROM_LE((_packet_entry_header).captured_size); \
215 (_packet_entry_header).network_size = GUINT16_FROM_LE((_packet_entry_header).network_size); \
216 (_packet_entry_header).offset_to_frame = GUINT16_FROM_LE((_packet_entry_header).offset_to_frame); \
217 (_packet_entry_header).offset_to_next_packet = GUINT16_FROM_LE((_packet_entry_header).offset_to_next_packet); \
218 (_packet_entry_header).errors = GUINT16_FROM_LE((_packet_entry_header).errors); \
219 (_packet_entry_header).reserved = GUINT16_FROM_LE((_packet_entry_header).reserved); \
220 (_packet_entry_header).packet_number = GUINT64_FROM_LE((_packet_entry_header).packet_number); \
221 (_packet_entry_header).original_packet_number = GUINT64_FROM_LE((_packet_entry_header).original_packet_number); \
222 (_packet_entry_header).nano_seconds_since_2000 = GUINT64_FROM_LE((_packet_entry_header).nano_seconds_since_2000)
223
224#define PACKET_ENTRY_HEADER_TO_LE_IN_PLACE(_packet_entry_header) \
225 (_packet_entry_header).packet_magic = GUINT32_TO_LE((_packet_entry_header).packet_magic); \
226 (_packet_entry_header).network_speed = GUINT32_TO_LE((_packet_entry_header).network_speed); \
227 (_packet_entry_header).captured_size = GUINT16_TO_LE((_packet_entry_header).captured_size); \
228 (_packet_entry_header).network_size = GUINT16_TO_LE((_packet_entry_header).network_size); \
229 (_packet_entry_header).offset_to_frame = GUINT16_TO_LE((_packet_entry_header).offset_to_frame); \
230 (_packet_entry_header).offset_to_next_packet = GUINT16_TO_LE((_packet_entry_header).offset_to_next_packet); \
231 (_packet_entry_header).errors = GUINT16_TO_LE((_packet_entry_header).errors); \
232 (_packet_entry_header).reserved = GUINT16_TO_LE((_packet_entry_header).reserved); \
233 (_packet_entry_header).packet_number = GUINT64_TO_LE((_packet_entry_header).packet_number); \
234 (_packet_entry_header).original_packet_number = GUINT64_TO_LE((_packet_entry_header).original_packet_number); \
235 (_packet_entry_header).nano_seconds_since_2000 = GUINT64_TO_LE((_packet_entry_header).nano_seconds_since_2000)
236
237/*
238 * Network type values.
239 */
240#define OBSERVER_UNDEFINED 0xFF
241#define OBSERVER_ETHERNET 0x00
242#define OBSERVER_TOKENRING 0x01
243#define OBSERVER_FIBRE_CHANNEL 0x08
244#define OBSERVER_WIRELESS_802_11 0x09
245
246/*
247 * Packet type values.
248 */
249#define PACKET_TYPE_DATA_PACKET 0
250#define PACKET_TYPE_EXPERT_INFORMATION_PACKET 1
251
252#endif
capture_file_header
Definition observer.h:28
packet_entry_header
Definition observer.h:193
tlv_capture_start_stop
Definition observer.h:185
tlv_header
Definition observer.h:43
tlv_network_load
Definition observer.h:128
tlv_time_info
Definition observer.h:107
tlv_wireless_info
Definition observer.h:166
wtap
Definition wtap_module.h:58
wtap_open_return_val
wtap_open_return_val
For registering file types that we can open.
Definition wtap.h:1750
Generated by doxygen 1.9.8