
Wireshark-dev: [Wireshark-dev] header alignment fix for wiretap/nettl.c

From: Kenichi Okuyama <kenichi.okuyama@xxxxxxxxx>
Date: Thu, 22 Sep 2011 01:57:21 +0900
Dear list,

I was wondering around with the reason why my customer's TRC0 file
captured by HPUX 10.20 can not be analyzed using Wireshark 1.6.2.

I think I found a way to make it work, but I really don't know if this
works for other versions of HPUX.
So, I'd like to disclose it here asking for someone to test if this
works for TRC0 files captured by other than HPUX 10.20.
# diff files are attached. This patch work for both 1.6.2 and trunc.


In short, with the old magic number (HPUX up to 9) the header is aligned
to 2 bytes. With the new magic number, on the other hand, the header is
aligned to 4 bytes.
That is (probably) why the extra 2 bytes of padding are needed. The old
code did not work because it assumed that the extra 2 bytes were
necessary only for HPUX 11, when they are really needed for all the
TRC0 files with the new header.

I really don't know if my guess is correct, but at least, it's working
on my data so far...
Hope this will be a hint for someone who concur this problem.

best regards,
-- 
Kenichi Okuyama
URL: http://www.dd.iij4u.or.jp/~okuyamak/
Index: wiretap/nettl.c
===================================================================
--- wiretap/nettl.c	(revision 39072)
+++ wiretap/nettl.c	(working copy)
@@ -176,7 +176,7 @@
 /* header is followed by data and once again the total length (2 bytes) ! */
 
 typedef struct {
-	gboolean is_hpux_11;
+	int	 align;
 } nettl_t;
 
 static gboolean nettl_read(wtap *wth, int *err, gchar **err_info,
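Review bot: The new `align` field has no comment, although the rest of the patch relies on an invariant about it: it is the divisor of a `%` in the record-header hunk, so it must never be 0. A comment on the declaration would make that explicit, for example `int align; /* record header alignment in bytes: 2 (old magic), 4 (new magic), 1 = none; never 0 */`. Since nettl files are untrusted input, it helps the next maintainer to see that the value is picked from fixed constants and never taken from the file.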
@@ -231,10 +231,16 @@
     wth->file_type = WTAP_FILE_NETTL;
     nettl = g_malloc(sizeof(nettl_t));
     wth->priv = (void *)nettl;
-    if (file_hdr.os_vers[2] == '1' && file_hdr.os_vers[3] == '1')
-	nettl->is_hpux_11 = TRUE;
-    else
-	nettl->is_hpux_11 = FALSE;
+
+    if ( memcmp(file_hdr.magic, nettl_magic_hpux9, MAGIC_SIZE) == 0 ) {
+      nettl->align	= 2;
+    } else if ( memcmp(file_hdr.magic, nettl_magic_hpux10, MAGIC_SIZE) == 0 ) {
+      nettl->align	= 4;
+    } else {
+      // You shouldn't be coming here.
+      nettl->align	= 1;
+    }
+
     wth->subtype_read = nettl_read;
     wth->subtype_seek_read = nettl_seek_read;
     wth->snapshot_length = 0;	/* not available */
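Review bot: The fallback `else` branch uses a `//` comment and does not explain the value it picks; a C-style comment such as `/* not expected: the magic should already have been validated; 1 means no padding is skipped */` would match the `/* ... */` comments on the surrounding lines. Whether the magic has in fact been checked before this point cannot be seen from the hunk, since the enclosing function starts and ends outside it; if it has not, an unknown magic is silently accepted here with no alignment. The added lines are also indented by two spaces per level, while the context lines sit at four.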
@@ -575,11 +581,22 @@
 	     * nettl files from HP-UX 11?
 	     *
 	     * And what are the extra two bytes?
+	     *
+	     * OKKY: seems like this extra two bytes are to align header size
+	     *       to 4 bytes in case of HPUX 10 and 11.
 	     */
-            if (nettl->is_hpux_11) {
-                if (file_seek(fh, 2, SEEK_CUR, err) == -1) return -1;
-	        offset += 2;
-            }
+	    {
+	      int alignment_offset;
+
+	      alignment_offset	= ( nettl->align - (( offset ) % nettl->align )) % nettl->align;
+	      if ( alignment_offset != 0 ) {
+		if ( file_seek( fh, alignment_offset, SEEK_CUR, err ) == -1 )
+		  return -1;
+	      }
+
+	      offset	+= alignment_offset;
+	    }
+
 	    padlen = 0;
 	    break;
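Review bot: The padding skip now runs for every file with the new magic rather than only when `os_vers` indicated HP-UX 11, and it depends on `offset % nettl->align` being non-zero at this point, so captures that parsed correctly before could be read differently. `offset` is defined outside the hunk; if it counts bytes consumed from the start of the record rather than the file position, the alignment is relative to the record start, and that assumption deserves a sentence in the comment. The added `OKKY:` lines answer the question the existing comment still asks, so the comment would read better as one statement, e.g. `/* Files with the new magic pad the record header to a 4-byte boundary; skip the padding. */`. The skip is bounded by `align - 1` and the `file_seek` result is checked, which is what a parser of untrusted capture files needs. The enclosing function starts and ends outside the hunk.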