Ethereal-dev: RE: [Ethereal-dev] Ethereal 0.9.16 doesn't read AiroPeek 2.0 files

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Martijn Schipper" <mschipper@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 2 Dec 2003 16:54:08 +0100
Thanks Martin!

Ok, so I started to make a file decoder for AiroPeek version 9 files.
Find attached the diff file (against 0.9.16) and the new decoder.
It seems that only AiroPeek moved to this new file format, so that is
why I called it airopeek9. (I downloaded the latest demo version of
Etherpeek and the samples that came with this version are still version
7 files). Does anyone know if EtherPeek also uses V9 files?

There is still one problem with this version: the time stamp is NOT
correct. It is still about 31 years in the future. The time difference
between packets is OK. Does anybody have a suggestion as to what the magic
with the time stamps in these files could be?

Best regards,

Martijn Schipper.



-----Original Message-----
From: Martin Regner [mailto:martin.regner@xxxxxxxxx]
Sent: Tuesday 25 November 2003 0:02
To: Martijn Schipper; Guy Harris
Cc: ethereal-dev@xxxxxxxxxxxx
Subject: Re: [Ethereal-dev] Ethereal 0.9.16 doesn't read AiroPeek 2.0 files

Martin Regner wrote:
>
> I found the following page with some observations about the new format.
>
> http://www.varsanofiev.com/inside/airopeekv9.htm
>

I made some investigations of my own based on his observations and I think
that the frame data means something like below.
However, this is just very preliminary information based on a few sample
captures, some experiments and some guessing.

0x00 0x00  (Tag: Packet length)
   0x47 0x00 0x00 0x00   (64 octets)

0x01 0x00  (Tag: Timestamp LSB)
   0x68 0x3b 0x2e 0xec

0x02 0x00  (Tag: Timestamp MSB)
   0x11 0x46 0x5d 0xaf

0x03 0x00  (Tag: Flags and Status - not sure exactly what the bit mask means)
   2 bytes for Flags and 2 bytes for Status
   0x02 0x00   (FLAGS: 0x02=>CRC Error, 0x04=>Frame Error, 0x40=>Trigger,
                0x06=0x04 OR 0x02=>CRC Error+Frame Error, ...)
   0x02 0x00   (STATUS: 0x02=>Truncated, 0x04=>Encrypted, 0x08=>Decryption error,
                0x40=>Short preamble)
   Note: the values shown for FLAGS and STATUS in AiroPeek don't always
   correspond to the values stored in the file.

0x04 0x00  (Tag: Channel number)
   0x0b 0x00 0x00 0x00   (Channel 11)

0x05 0x00  (Tag: Rate)
   0x02 0x00 0x00 0x00

0x06 0x00  (Tag: Signal level %)
   0x4a 0x00 0x00 0x00

0x07 0x00  (Tag: Signal level dBm)
   0x01 0x80 0xff 0xff

0x08 0x00  (Tag: Noise level %)
   0x00 0x00 0x00 0x00   (Set the octets to 0x3d 0x00 0x00 0x00 and you
   will get "Noise level: 61 %")

0x09 0x00  (Tag: Noise level dBm)
   0x01 0x80 0xff 0xff   (The value is not shown if it has this value, but if
   the value is 0xdd 0xff 0xff 0xff then you will see "Noise Level: -35 dBm")

0xff 0xff  (Tag: Slice length)
   0x47 0x00 0x00 0x00   (This value is shown as "slice length" if less than
   "packet length"; the Status byte will then be ORed with 0x20 and you will
   see "Sliced" for Status.)

then followed by the packet slice data
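
A parser for the tag/value record layout Martin describes above, added here as an illustration; it is not part of Martijn's attached airopeek9.c or of wiretap. The tag constant names, the function names, the sample buffer (the bytes quoted above followed by an all-zero 0x47-byte slice) and the treatment of unknown tags as further 6-byte pairs are my assumptions; the point is that every read is bounds-checked against the buffer first, since a capture file is untrusted input, and that the 0x01 0x80 0xff 0xff "not shown" value is kept distinct from a real dBm reading.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Tag numbers as quoted in the message above; the names are mine. */
enum { TAG_LEN, TAG_TS_LSB, TAG_TS_MSB, TAG_FLAGS_STATUS, TAG_CHANNEL, TAG_RATE,
       TAG_SIG_PCT, TAG_SIG_DBM, TAG_NOISE_PCT, TAG_NOISE_DBM, TAG_COUNT, TAG_SLICE_LEN = 0xffff };
#define DBM_NOT_SHOWN 0xffff8001u   /* bytes 0x01 0x80 0xff 0xff: AiroPeek shows no value */

typedef struct {
    uint32_t v[TAG_COUNT];   /* value of each known tag, indexed by tag number */
    uint32_t slice_len;
    size_t   data_off;       /* offset of the slice data within the buffer */
} airopeek9_rec;

static uint32_t le32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Walk the 2-byte-tag / 4-byte-value list up to the slice-length tag, after which the slice
 * data follows. Every read is checked against len, so a truncated or inconsistent record
 * returns -1 instead of reading past the buffer (assumption: unknown tags are also 6 bytes). */
int airopeek9_parse(const uint8_t *buf, size_t len, airopeek9_rec *r)
{
    size_t off = 0;
    memset(r, 0, sizeof *r);
    while (len - off >= 6) {                      /* one tag/value pair is 6 bytes */
        uint16_t tag = (uint16_t)(buf[off] | buf[off + 1] << 8);
        uint32_t val = le32(buf + off + 2);
        off += 6;
        if (tag < TAG_COUNT) { r->v[tag] = val; continue; }
        if (tag != TAG_SLICE_LEN) continue;       /* unknown tag: fixed 4-byte value, skip */
        if (val > r->v[TAG_LEN] || val > len - off)
            return -1;                            /* slice longer than the packet or the buffer */
        r->slice_len = val; r->data_off = off;
        return 0;
    }
    return -1;                                    /* buffer ended before the slice-length tag */
}

uint64_t airopeek9_timestamp(const airopeek9_rec *r)
{ return (uint64_t)r->v[TAG_TS_MSB] << 32 | r->v[TAG_TS_LSB]; }  /* raw units, epoch unknown */
uint16_t airopeek9_flags(const airopeek9_rec *r)  { return r->v[TAG_FLAGS_STATUS] & 0xffff; }
uint16_t airopeek9_status(const airopeek9_rec *r) { return r->v[TAG_FLAGS_STATUS] >> 16; }
/* Returns 1 and stores the signed dBm value, or 0 when the field holds the "not shown" value. */
int airopeek9_dbm(const airopeek9_rec *r, int tag, int32_t *dbm)
{ if (r->v[tag] == DBM_NOT_SHOWN) return 0; *dbm = (int32_t)r->v[tag]; return 1; }

/* Constructed sample: the tag bytes quoted above, then a 0x47-byte (all-zero) slice. */
const uint8_t sample_rec[66 + 0x47] = {
    0x00,0x00, 0x47,0x00,0x00,0x00,  0x01,0x00, 0x68,0x3b,0x2e,0xec,  0x02,0x00, 0x11,0x46,0x5d,0xaf,
    0x03,0x00, 0x02,0x00,0x02,0x00,  0x04,0x00, 0x0b,0x00,0x00,0x00,  0x05,0x00, 0x02,0x00,0x00,0x00,
    0x06,0x00, 0x4a,0x00,0x00,0x00,  0x07,0x00, 0x01,0x80,0xff,0xff,  0x08,0x00, 0x00,0x00,0x00,0x00,
    0x09,0x00, 0x01,0x80,0xff,0xff,  0xff,0xff, 0x47,0x00,0x00,0x00 };
```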


diff -c ../ethereal-0.9.16-org/wiretap/Makefile.nmake wiretap/Makefile.nmake
*** ../ethereal-0.9.16-org/wiretap/Makefile.nmake	Tue Dec  2 16:35:55 2003
--- wiretap/Makefile.nmake	Tue Dec  2 09:24:37 2003
***************
*** 13,19 ****
  .c.obj::
     $(CC) $(cvarsdll) $(CFLAGS) -Fd.\ -c $<
  
! OBJECTS=ascend-grammar.obj \
  	ascend-scanner.obj \
  	ascend.obj \
  	atm.obj \
--- 13,20 ----
  .c.obj::
     $(CC) $(cvarsdll) $(CFLAGS) -Fd.\ -c $<
  
! OBJECTS=airopeek9.obj \
! 	ascend-grammar.obj \
  	ascend-scanner.obj \
  	ascend.obj \
  	atm.obj \
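Review bot: only the Windows nmake makefile gains airopeek9.obj; wiretap's automake makefile (Makefile.am, alongside Makefile.nmake) needs airopeek9.c and airopeek9.h added as well, otherwise the decoder is not compiled into Unix builds and the airopeek9_open reference in file_access.c will fail to link there. The two "Only in wiretap/" lines that follow also show the new source files are absent from the patch itself; running diff with -N (and -r) would include them so the patch applies without the separate attachments.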
Only in wiretap/: airopeek9.c
Only in wiretap/: airopeek9.h
diff -c ../ethereal-0.9.16-org/wiretap/file_access.c wiretap/file_access.c
*** ../ethereal-0.9.16-org/wiretap/file_access.c	Sun Nov  2 18:15:28 2003
--- wiretap/file_access.c	Mon Dec  1 21:39:42 2003
***************
*** 50,55 ****
--- 50,56 ----
  #include "file_wrappers.h"
  #include "buffer.h"
  #include "lanalyzer.h"
+ #include "airopeek9.h"
  #include "ngsniffer.h"
  #include "radcom.h"
  #include "ascend.h"
***************
*** 106,111 ****
--- 107,113 ----
  	visual_open,
  	_5views_open,
  	network_instruments_open,
+ 	airopeek9_open,
  
  	/* Files that don't have magic bytes at a fixed location,
  	 * but that instead require a heuristic of some sort to
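Review bot: airopeek9_open is appended to the group of open routines that, per the comment just below it, rely on magic bytes at a fixed location, so it must check such a fixed-offset magic and return the "not this file type" result whenever it does not match; anything looser would claim files that belong to the heuristic openers listed after it. Worth confirming in the attached airopeek9.c that a non-matching file is rejected before any further reads or allocations.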
***************
*** 447,452 ****
--- 449,458 ----
  	/* WTAP_FILE_NETWORK_INSTRUMENTS_V9 */
  	{ "Network Instruments Observer version 9", "niobserverv9",
  	  NULL, NULL },
+ 
+ 	/* WTAP_FILE_AIROPEEK_V9 */
+ 	{ "AiroPeek trace (V9 file format)", NULL,
+ 	  NULL, NULL },
  };
  
  /* Name that should be somewhat descriptive. */
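Review bot: the new dump_open_table entry has a NULL short name, while the neighbouring entry pairs its long name with "niobserverv9"; give this one a short name too (for instance "airopeek9", matching the new file names) so the type can be referred to by name like the others. The entry is appended directly after WTAP_FILE_NETWORK_INSTRUMENTS_V9, so its index is 38, which agrees with the WTAP_FILE_AIROPEEK_V9 value in wtap.h; with both writer pointers NULL the type is read-only, which matches a decoder-only change.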
diff -c ../ethereal-0.9.16-org/wiretap/wtap.h wiretap/wtap.h
*** ../ethereal-0.9.16-org/wiretap/wtap.h	Sun Nov  2 18:15:28 2003
--- wiretap/wtap.h	Mon Dec  1 21:34:10 2003
***************
*** 175,183 ****
  #define WTAP_FILE_ERF				35
  #define WTAP_FILE_HCIDUMP			36
  #define WTAP_FILE_NETWORK_INSTRUMENTS_V9	37
  
  /* last WTAP_FILE_ value + 1 */
! #define WTAP_NUM_FILE_TYPES			38
  
  /*
   * Maximum packet size we'll support.
--- 175,184 ----
  #define WTAP_FILE_ERF				35
  #define WTAP_FILE_HCIDUMP			36
  #define WTAP_FILE_NETWORK_INSTRUMENTS_V9	37
+ #define WTAP_FILE_AIROPEEK_V9			38
  
  /* last WTAP_FILE_ value + 1 */
! #define WTAP_NUM_FILE_TYPES			39
  
  /*
   * Maximum packet size we'll support.
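Review bot: the new constant and the WTAP_NUM_FILE_TYPES bump from 38 to 39 are consistent with the single entry appended to dump_open_table in file_access.c. Since the table index and the #define are kept in step by hand, a short comment on the new define pointing at its table entry would help the next person who appends a file type avoid an off-by-one between the two.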

Attachment: airopeek9.h
Description: airopeek9.h

Attachment: airopeek9.c
Description: airopeek9.c