Ethereal-dev: [Ethereal-dev] Sniffer decodes

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jeff Foster <jfoste@xxxxxxxxxxxx>
Date: Mon, 15 Jan 2001 15:38:58 -0600
The way that I determine if a Sniffer capture is Frame Relay is wrong. 

I have been looking at some Sniffer traces and the fifth byte of header
record type 7 appears to contain the capture type for the file.

I have determined the following values:

	00 = SDLC
	01 = HDLC
	02 = Frame Relay
	03 = Router
	04 = PPP
	05 = SMDS (Switched Multimegabit Data Service)

Please verify this information if you have Sniffer files available.


Based upon this information I recommend the following changes to 
the skip_header_records routine in ngsniffer.c

In the data definition section

	unsigned char buffer[32];

After the length is read from file and converted to integer

	/* If the encap type is unknown and this is a type 7 header record, */
	/* determine the network type from the 5th byte.                    */
	/* Currently only decodes a value of 2, Frame Relay.                */

	if ((type == REC_HEADER2)
	    && (wth->file_encap == WTAP_ENCAP_UNKNOWN)) {

		bytes_read = file_read(buffer, 1, MIN(length, 32), wth->fh);
		if (bytes_read != MIN(length, 32)) {
			*err = file_error(wth->fh);
			if (*err == 0)
				*err = WTAP_ERR_SHORT_READ;
			return -1;
		}
		/* buffer[4] is only filled in if the record has at least 5 bytes. */
		if (length >= 5 && buffer[4] == 2)
			wth->file_encap = WTAP_ENCAP_FRELAY;
		/* Skip whatever is left of the record beyond the 32 bytes read. */
		if (length > 32)
			file_seek(wth->fh, length - 32, SEEK_CUR);
		wth->data_offset += length;
	} else {
		/* OK, now skip over the data. */
		file_seek(wth->fh, length, SEEK_CUR);
		wth->data_offset += length;
	}



Jeff Foster
jfoste@xxxxxxxxxxxx
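
Added example, not part of the original post or of Ethereal's ngsniffer.c: a bounds-checked walk over Sniffer header records that returns the fifth byte of the first type 7 record and names it using the table in the post. The 6-byte record header layout (2-byte little-endian type, 2-byte little-endian length, 2 unused bytes), the function names and the sample bytes are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REC_HDR_LEN 6   /* assumed: LE16 type, LE16 length, 2 unused bytes */
#define REC_HEADER2 7   /* "header record type 7" from the post */

/* Capture-type names from the post; index = value of the 5th byte. */
static const char *const capture_names[] = {
	"SDLC", "HDLC", "Frame Relay", "Router", "PPP", "SMDS"
};

/* Returns the 5th byte of the first type 7 record, -1 if there is no such
 * record or it is shorter than 5 bytes, -2 if a record overruns the data. */
int sniffer_capture_type(const uint8_t *buf, size_t len)
{
	size_t off = 0;

	while (len - off >= REC_HDR_LEN) {
		unsigned type = buf[off] | (buf[off + 1] << 8);
		size_t rec_len = buf[off + 2] | (buf[off + 3] << 8);

		off += REC_HDR_LEN;
		if (rec_len > len - off)
			return -2;      /* length field points past the end */
		if (type == REC_HEADER2)
			return rec_len >= 5 ? buf[off + 4] : -1;
		off += rec_len;     /* skip records we are not interested in */
	}
	return -1;
}

const char *sniffer_capture_name(int value)
{
	size_t n = sizeof capture_names / sizeof capture_names[0];
	return (value >= 0 && (size_t)value < n) ? capture_names[value] : "unknown";
}

/* Constructed sample: a 4-byte type 1 record, then a type 7 record with 5th byte 02. */
static const uint8_t sample_fr[] = {
	0x01, 0x00, 0x04, 0x00, 0x00, 0x00,  0xaa, 0xbb, 0xcc, 0xdd,
	0x07, 0x00, 0x06, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x02, 0x00
};

int main(void)
{
	printf("%s\n", sniffer_capture_name(sniffer_capture_type(sample_fr, sizeof sample_fr)));
	return 0;
}
```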