-rw-r--r--wiretap/file_access.c4
-rw-r--r--wiretap/libpcap.c44
-rw-r--r--wiretap/libpcap.h11
-rw-r--r--wiretap/wtap-int.h3
-rw-r--r--wiretap/wtap.h69
5 files changed, 92 insertions, 39 deletions
diff --git a/wiretap/file_access.c b/wiretap/file_access.c
index 1881fc248a..84705e29fd 100644
--- a/wiretap/file_access.c
+++ b/wiretap/file_access.c
@@ -373,6 +373,10 @@ static const struct file_type_info {
{ "AIX libpcap (tcpdump)", NULL,
NULL, NULL },
+ /* WTAP_FILE_PCAP_NSEC */
+ { "Nanosecond libpcap (Ethereal)", "nseclibpcap",
+ libpcap_dump_can_write_encap, libpcap_dump_open },
+
/* WTAP_FILE_LANALYZER */
{ "Novell LANalyzer","lanalyzer",
lanalyzer_dump_can_write_encap, lanalyzer_dump_open },
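Review bot: The new entry is tied to `WTAP_FILE_PCAP_NSEC` only by its position in the table and the `/* WTAP_FILE_PCAP_NSEC */` comment, so it is correct only while the wtap.h hunk of this commit shifts every later constant by exactly one. Nothing visible here enforces that. If the table is indexed by file type, as the per-entry comments suggest, a later mismatch would select the wrong `can_write_encap`/`dump_open` pair or index past the end of the array. I would add a compile-time check next to the table that its element count equals `WTAP_NUM_FILE_TYPES`. The table definition starts and ends outside this hunk.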
diff --git a/wiretap/libpcap.c b/wiretap/libpcap.c
index b1bccc7541..f3cbbe0f73 100644
--- a/wiretap/libpcap.c
+++ b/wiretap/libpcap.c
@@ -649,6 +649,23 @@ int libpcap_open(wtap *wth, int *err, gchar **err_info)
wth->tsprecision = WTAP_FILE_TSPREC_USEC;
break;
+ case PCAP_NSEC_MAGIC:
+ /* Host that wrote it has our byte order, and was running
+ a program using either standard or ss990417 libpcap. */
+ byte_swapped = FALSE;
+ modified = FALSE;
+ wth->tsprecision = WTAP_FILE_TSPREC_NSEC;
+ break;
+
+ case PCAP_SWAPPED_NSEC_MAGIC:
+ /* Host that wrote it out has a byte order opposite to
+ ours, and was running a program using either ss990915
+ or ss991029 libpcap. */
+ byte_swapped = TRUE;
+ modified = FALSE;
+ wth->tsprecision = WTAP_FILE_TSPREC_NSEC;
+ break;
+
default:
/* Not a "libpcap" type we know about. */
return 0;
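Review bot: Both new comments were carried over from the neighbouring cases and no longer describe the code: the `PCAP_NSEC_MAGIC` case says the writer used "standard or ss990417 libpcap", and the `PCAP_SWAPPED_NSEC_MAGIC` case names "ss990915 or ss991029 libpcap" while setting `modified = FALSE`. The libpcap.h hunk describes this magic as the standard file format with nanosecond timestamps, so I would write `/* Host that wrote it has our byte order; standard record layout, nanosecond timestamps. */` and `/* Host that wrote it has the opposite byte order; standard record layout, nanosecond timestamps. */`. libpcap_open continues outside the hunk.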
@@ -904,7 +921,11 @@ int libpcap_open(wtap *wth, int *err, gchar **err_info)
*
* Try the standard format first.
*/
- wth->file_type = WTAP_FILE_PCAP;
+ if(wth->tsprecision == WTAP_FILE_TSPREC_NSEC) {
+ wth->file_type = WTAP_FILE_PCAP_NSEC;
+ } else {
+ wth->file_type = WTAP_FILE_PCAP;
+ }
switch (libpcap_try(wth, err)) {
case BAD_READ:
@@ -1273,7 +1294,11 @@ static gboolean libpcap_read(wtap *wth, int *err, gchar **err_info,
wth->data_offset += packet_size;
wth->phdr.ts.secs = hdr.hdr.ts_sec;
- wth->phdr.ts.nsecs = hdr.hdr.ts_usec * 1000;
+ if(wth->tsprecision == WTAP_FILE_TSPREC_NSEC) {
+ wth->phdr.ts.nsecs = hdr.hdr.ts_usec;
+ } else {
+ wth->phdr.ts.nsecs = hdr.hdr.ts_usec * 1000;
+ }
wth->phdr.caplen = packet_size;
wth->phdr.len = orig_size;
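Review bot: In the nanosecond branch the 32-bit `hdr.hdr.ts_usec` read from the capture file is stored in `wth->phdr.ts.nsecs` with no range check, so a malformed file can pass on a sub-second value of 1000000000 or more (and a negative one if `nsecs` is a signed int, which this page does not show). I would test `if (hdr.hdr.ts_usec >= 1000000000)` before the assignment and report the record as bad through `*err`/`*err_info`, and bound the microsecond branch at 1000000 so that `* 1000` cannot wrap. The libpcap_dump hunk further down is the mirror case: `rec_hdr.hdr.ts_usec = phdr->ts.nsecs;` writes whatever value it is handed. libpcap_read's body starts and ends outside this hunk.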
@@ -1416,6 +1441,7 @@ static int libpcap_read_header(wtap *wth, int *err, gchar **err_info,
case WTAP_FILE_PCAP:
case WTAP_FILE_PCAP_AIX:
+ case WTAP_FILE_PCAP_NSEC:
bytes_to_read = sizeof (struct pcaprec_hdr);
break;
@@ -1944,11 +1970,18 @@ gboolean libpcap_dump_open(wtap_dumper *wdh, gboolean cant_seek _U_, int *err)
case WTAP_FILE_PCAP_SS990417: /* modified, but with the old magic, sigh */
case WTAP_FILE_PCAP_NOKIA: /* Nokia libpcap of some sort */
magic = PCAP_MAGIC;
+ wdh->tsprecision = WTAP_FILE_TSPREC_USEC;
break;
case WTAP_FILE_PCAP_SS990915: /* new magic, extra crap */
case WTAP_FILE_PCAP_SS991029:
magic = PCAP_MODIFIED_MAGIC;
+ wdh->tsprecision = WTAP_FILE_TSPREC_USEC;
+ break;
+
+ case WTAP_FILE_PCAP_NSEC: /* same as WTAP_FILE_PCAP, but nsec precision */
+ magic = PCAP_NSEC_MAGIC;
+ wdh->tsprecision = WTAP_FILE_TSPREC_NSEC;
break;
default:
@@ -2023,12 +2056,17 @@ static gboolean libpcap_dump(wtap_dumper *wdh,
hdrsize = 0;
rec_hdr.hdr.ts_sec = phdr->ts.secs;
- rec_hdr.hdr.ts_usec = phdr->ts.nsecs / 1000;
+ if(wdh->tsprecision == WTAP_FILE_TSPREC_NSEC) {
+ rec_hdr.hdr.ts_usec = phdr->ts.nsecs;
+ } else {
+ rec_hdr.hdr.ts_usec = phdr->ts.nsecs / 1000;
+ }
rec_hdr.hdr.incl_len = phdr->caplen + hdrsize;
rec_hdr.hdr.orig_len = phdr->len + hdrsize;
switch (wdh->file_type) {
case WTAP_FILE_PCAP:
+ case WTAP_FILE_PCAP_NSEC:
hdr_size = sizeof (struct pcaprec_hdr);
break;
diff --git a/wiretap/libpcap.h b/wiretap/libpcap.h
index f76b09bb98..401cf343a7 100644
--- a/wiretap/libpcap.h
+++ b/wiretap/libpcap.h
@@ -37,11 +37,18 @@
http://ftp.sunet.se/pub/os/Linux/ip-routing/lbl-tools/
- applied; PCAP_SWAPPED_MODIFIED_MAGIC is the byte-swapped version. */
+ applied; PCAP_SWAPPED_MODIFIED_MAGIC is the byte-swapped version.
+
+ PCAP_NSEC_MAGIC is for Ulf Lamping's modified "libpcap" format,
+ which uses the same common file format as PCAP_MAGIC, but the
+ timestamps are saved in nanosecond resolution instead of microseconds.
+ PCAP_SWAPPED_NSEC_MAGIC is a byte-swapped version of that. */
#define PCAP_MAGIC 0xa1b2c3d4
#define PCAP_SWAPPED_MAGIC 0xd4c3b2a1
#define PCAP_MODIFIED_MAGIC 0xa1b2cd34
#define PCAP_SWAPPED_MODIFIED_MAGIC 0x34cdb2a1
+#define PCAP_NSEC_MAGIC 0xa1b23c4d
+#define PCAP_SWAPPED_NSEC_MAGIC 0x4d3cb2a1
/* "libpcap" file header (minus magic number). */
struct pcap_hdr {
@@ -56,7 +63,7 @@ struct pcap_hdr {
/* "libpcap" record header. */
struct pcaprec_hdr {
guint32 ts_sec; /* timestamp seconds */
- guint32 ts_usec; /* timestamp microseconds */
+ guint32 ts_usec; /* timestamp microseconds (nsecs for PCAP_NSEC_MAGIC) */
guint32 incl_len; /* number of octets of packet saved in file */
guint32 orig_len; /* actual length of packet */
};
diff --git a/wiretap/wtap-int.h b/wiretap/wtap-int.h
index b9559bcfa4..6dc3c694aa 100644
--- a/wiretap/wtap-int.h
+++ b/wiretap/wtap-int.h
@@ -242,6 +242,9 @@ struct wtap_dumper {
subtype_write_func subtype_write;
subtype_close_func subtype_close;
+
+ int tsprecision; /* timestamp precision of the lower 32bits
+ * e.g. WTAP_FILE_TSPREC_USEC */
};
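Review bot: `tsprecision` is added to `struct wtap_dumper`, but on this page only `libpcap_dump_open` assigns it, so for every other writer its value depends on how the structure is allocated, which is not shown here. I would give it an explicit default where the dumper is created, so that a writer which later starts reading the field does not see an indeterminate value. The comment "timestamp precision of the lower 32bits" is also hard to follow; `/* precision of the sub-second timestamp field written to the file, a WTAP_FILE_TSPREC_ value */` would say what libpcap_dump uses it for. The struct begins outside this hunk.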
diff --git a/wiretap/wtap.h b/wiretap/wtap.h
index 6a852ef16e..916a7f8b00 100644
--- a/wiretap/wtap.h
+++ b/wiretap/wtap.h
@@ -187,42 +187,43 @@
#define WTAP_FILE_PCAP_SS991029 5
#define WTAP_FILE_PCAP_NOKIA 6
#define WTAP_FILE_PCAP_AIX 7
-#define WTAP_FILE_LANALYZER 8
-#define WTAP_FILE_NGSNIFFER_UNCOMPRESSED 9
-#define WTAP_FILE_NGSNIFFER_COMPRESSED 10
-#define WTAP_FILE_SNOOP 11
-#define WTAP_FILE_SHOMITI 12
-#define WTAP_FILE_IPTRACE_1_0 13
-#define WTAP_FILE_IPTRACE_2_0 14
-#define WTAP_FILE_NETMON_1_x 15
-#define WTAP_FILE_NETMON_2_x 16
-#define WTAP_FILE_NETXRAY_OLD 17
-#define WTAP_FILE_NETXRAY_1_0 18
-#define WTAP_FILE_NETXRAY_1_1 19
-#define WTAP_FILE_NETXRAY_2_00x 20
-#define WTAP_FILE_RADCOM 21
-#define WTAP_FILE_ASCEND 22
-#define WTAP_FILE_NETTL 23
-#define WTAP_FILE_TOSHIBA 24
-#define WTAP_FILE_I4BTRACE 25
-#define WTAP_FILE_CSIDS 26
-#define WTAP_FILE_PPPDUMP 27
-#define WTAP_FILE_ETHERPEEK_V56 28
-#define WTAP_FILE_ETHERPEEK_V7 29
-#define WTAP_FILE_VMS 30
-#define WTAP_FILE_DBS_ETHERWATCH 31
-#define WTAP_FILE_VISUAL_NETWORKS 32
-#define WTAP_FILE_COSINE 33
-#define WTAP_FILE_5VIEWS 34
-#define WTAP_FILE_ERF 35
-#define WTAP_FILE_HCIDUMP 36
-#define WTAP_FILE_NETWORK_INSTRUMENTS_V9 37
-#define WTAP_FILE_AIROPEEK_V9 38
-#define WTAP_FILE_EYESDN 39
-#define WTAP_FILE_K12 40
+#define WTAP_FILE_PCAP_NSEC 8
+#define WTAP_FILE_LANALYZER 9
+#define WTAP_FILE_NGSNIFFER_UNCOMPRESSED 10
+#define WTAP_FILE_NGSNIFFER_COMPRESSED 11
+#define WTAP_FILE_SNOOP 12
+#define WTAP_FILE_SHOMITI 13
+#define WTAP_FILE_IPTRACE_1_0 14
+#define WTAP_FILE_IPTRACE_2_0 15
+#define WTAP_FILE_NETMON_1_x 16
+#define WTAP_FILE_NETMON_2_x 17
+#define WTAP_FILE_NETXRAY_OLD 18
+#define WTAP_FILE_NETXRAY_1_0 19
+#define WTAP_FILE_NETXRAY_1_1 20
+#define WTAP_FILE_NETXRAY_2_00x 21
+#define WTAP_FILE_RADCOM 22
+#define WTAP_FILE_ASCEND 23
+#define WTAP_FILE_NETTL 24
+#define WTAP_FILE_TOSHIBA 25
+#define WTAP_FILE_I4BTRACE 26
+#define WTAP_FILE_CSIDS 27
+#define WTAP_FILE_PPPDUMP 28
+#define WTAP_FILE_ETHERPEEK_V56 29
+#define WTAP_FILE_ETHERPEEK_V7 30
+#define WTAP_FILE_VMS 31
+#define WTAP_FILE_DBS_ETHERWATCH 32
+#define WTAP_FILE_VISUAL_NETWORKS 33
+#define WTAP_FILE_COSINE 34
+#define WTAP_FILE_5VIEWS 35
+#define WTAP_FILE_ERF 36
+#define WTAP_FILE_HCIDUMP 37
+#define WTAP_FILE_NETWORK_INSTRUMENTS_V9 38
+#define WTAP_FILE_AIROPEEK_V9 39
+#define WTAP_FILE_EYESDN 40
+#define WTAP_FILE_K12 41
/* last WTAP_FILE_ value + 1 */
-#define WTAP_NUM_FILE_TYPES 41
+#define WTAP_NUM_FILE_TYPES 42
/* timestamp precision (currently only these values are supported) */
#define WTAP_FILE_TSPREC_SEC 0