Re: [Ethereal-dev] aix fddi tcpdump tracefile

Wed, 03 Dec 2003 18:01:50 -0800 

On Fri, Nov 15, 2002 at 09:39:40PM +0100, J.Smith wrote:
> I am having some troubles with displaying an AIX 4.3.3 'tcpdump' format fddi
> capture in Ethereal.

The troubles were exactly what I suspected they were.  I've checked in a
fix, which strips off the 3 padding bytes; I've attached a patch that
contains the fix.

> Although Ethereal can read the captures, the data does
> not get displayed correctly, and gets interpreted as 'void frame'. I am not
> sure if this is because the 'AIX-tcpdump' file-format is different from the
> 'standard-tcpdump' file-format, or if Ethereal is just not able to interpret
> tcpdump FDDI captures correctly yet.

It's not really either one.  The file format differences are:

        1) they don't use DLT_ values in the file header to indicate
           link-layer types (we work around that);

        2) they store time stamps in seconds/nanoseconds rather than
           seconds/microseconds form (we work around that);

but the problem is that

        3) in the packet payload (which I don't consider part of the
           file format, in the strict sense) they put in padding.

Ethereal has no trouble with normal tcpdump FDDI captures.

Index: wiretap/libpcap.c
===================================================================
RCS file: /usr/local/cvsroot/ethereal/wiretap/libpcap.c,v
retrieving revision 1.83
diff -c -r1.83 wiretap/libpcap.c
*** wiretap/libpcap.c   22 Oct 2002 09:11:13 -0000      1.83
--- wiretap/libpcap.c   16 Nov 2002 20:18:59 -0000
***************
*** 843,848 ****
--- 843,849 ----
        guint packet_size;
        guint orig_size;
        int bytes_read;
+       char fddi_padding[3];
  
        bytes_read = libpcap_read_header(wth, err, &hdr, FALSE);
        if (bytes_read == -1) {
***************
*** 855,860 ****
--- 856,883 ----
        wth->data_offset += bytes_read;
        packet_size = hdr.hdr.incl_len;
        orig_size = hdr.hdr.orig_len;
+ 
+       /*
+        * AIX appears to put 3 bytes of padding in front of FDDI
+        * frames; strip that crap off.
+        */
+       if (wth->file_type == WTAP_FILE_PCAP_AIX &&
+           (wth->file_encap == WTAP_ENCAP_FDDI ||
+            wth->file_encap == WTAP_ENCAP_FDDI_BITSWAPPED)) {
+               /*
+                * The packet size is really a record size and includes
+                * the padding.
+                */
+               packet_size -= 3;
+               orig_size -= 3;
+               wth->data_offset += 3;
+ 
+               /*
+                * Read the padding.
+                */
+               if (!libpcap_read_rec_data(wth->fh, fddi_padding, 3, err))
+                       return FALSE;   /* Read error */
+       }
  
        *data_offset = wth->data_offset;

Reply via email to