[File] [PATCH] Magdir/sniffer Novell LANalyzer misidentifies some Commodore BASIC programs

Jörg Jenderek joerg.jen.der.ek at gmx.net
Tue Nov 1 00:46:28 UTC 2022


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

Some weeks ago I sent a patch for 5View capture files. Such
examples are created by the Wireshark tool. It can also open and
save captures in other file formats. One format has the file
name extension TR1.

When running the file command version 5.43 on such capture examples
and some "compiled" Commodore BASIC programs (*.prg), I get
output like:

Microzodiac.prg:      Novell LANalyzer capture file
Minefield.prg:        Novell LANalyzer capture file
Vic-tac-toe.prg:      Novell LANalyzer capture file
breakvic_joy.bas:     ASCII text, with CRLF line terminators
breakvic_joy.prg:     Novell LANalyzer capture file
breakvic_key.bas:     ASCII text, with CRLF line terminators
breakvic_key.prg:     Novell LANalyzer capture file
novell-2.tr1:         Novell LANalyzer capture file
novell-lanalyzer.tr1: Novell LANalyzer capture file
novell-win10.tr1:     Novell LANalyzer capture file

Furthermore, with the -i option only the generic
application/octet-stream is shown. With the --extension option only
the 3-byte sequence ??? is shown.

For comparison I ran the file format identification utility
TrID (see https://mark0.net/soft-trid-e.html). This identifies
all such capture examples and many Commodore BASIC programs as
"Commodore Plus/4 BASIC V3.5 program" by prg-plus4.trid.xml and as
"Commodore VIC-20 BASIC V2 program" by prg-vic20.trid.xml because
these files start with the 2-byte sequence 0110h.

Luckily some information can be found in a NOVELL TECHNICAL
INFORMATION DOCUMENT. Some details can be found in the Wireshark
source lanalyzer.c. That is now expressed by lines like:
# URL:		http://www.blacksheepnetworks.com/security/info/nw/
#		lan/trace.txt
# Reference:	https://github.com/wireshark/wireshark/blob/master/
#		wiretap/lanalyzer.c

The description is done inside Magdir/sniffer by lines like:
0	leshort		0x1001		Novell LANalyzer capture file
0	leshort		0x1007		Novell LANalyzer capture file

I installed Wireshark on a Windows and a Linux system. Afterwards
the examples are called "Wireshark capture file" and "Novell
LANalyzer" on the Windows system and "Novell LANalyzer" on Linux.
There the information is based on or correlates with the
description in the shared MIME-info database. There it is called
"Packet Capture (Novell LANalyzer)". This information can for
example be found on the web site reposcope.com.

So I put the displaying part in a subroutine that starts like:
 0	name	novell-lanalyzer
 >0	leshort		x		Novell LANalyzer capture file
 !:mime	application/x-lanalyzer
 !:ext	tr1
 >4		ubyte	x		\b, version %u
 >5		ubyte	x		\b.%u
 >0	        leshort	!0x1001		\b, record type %4.4x
 >2		leshort	x		\b, record length %#4.4x

This information can for example be found on the web site
reposcope.com. So the HP captures get their own MIME type. My
examples are all uncompressed and have the file name extension
TR1. But according to the Novell document, for trace files the
extension is TRn. The n indicates the sub file within the file; n
has a range of 1 to 9 and then A to Z, for a total of 35 sub
files. So maybe there exist samples with other suffixes (like TR2
.. TR9 TRA .. TRZ).

The trace header record starts with a 2-byte type.
This can be a regular or cyclic trace file (RT_HeaderRegular =
1001h or RT_HeaderCyclic = 1007h). In my examples this was the
value 1001h. Afterwards comes the length of the data part of the
record (the length does not include the "record type" and "record
length" fields; that is 4 bytes). In my capture examples I got the
value 0x004c whereas in my PRG examples I get "high" values (above
1001 hexadecimal, like 100a 100e 1017 1024 1042 104d 123b). But I
found no information on whether the size for captures is always
"low". So I could not use it reliably as an additional test.
Afterwards comes 1 byte for the major version. This is followed by
the minor version byte. In my examples I get version 1.5. The
mentioned product names (like "LANalyzer for NetWare 1.0",
"LANalyzer for Windows 2.0", "LANalyzer for Windows 2.1") imply
that the major version number probably is 1 or 2. Whereas for many
BASIC programs (like Hangman.prg Microzodiac.prg Star Wars IRQ.prg
U-boat.f.prg) I get here "high" values (like 10 100). Unfortunately
for a few PRG samples I also get a "low" value (like 0 in
Vic-tac-toe.prg or 1 in Minefield.prg). So I could not use it
reliably as an additional test.

With the help of the first length value I can jump to the second
record and inspect this record by lines like:
 >(2.s+4)	leshort	!0x1006h	\b, 2nd record type %#4.4x
 >(2.s+6)	leshort	x		\b, 2nd record length %#x
 >(2.s+8)	string	x		\b, names %.9s
 >(2.s+17)	string	x		%.9s ...

According to the Novell document the type of the second record is
always 1006H. That is for "Trace receive channel name record". For
the misidentified BASIC programs here I get other values (like 0).
The data part contains channel names, where each channel name is a
null-terminated, eight-byte ASCII string. In my examples I get
names (starting like Channel1 Channel2). So I skip misidentified
BASIC programs with an invalid second record type by test lines
starting like:
 0	leshort		0x1001
 >(2.s+4)	leshort	=0x1006h
 >>0	use	novell-lanalyzer

After applying the above mentioned modifications by the patch file
file-5.43-sniffer-novell.diff, my Novell captures are still
described but the misidentification of Commodore BASIC programs
vanishes and more details are shown. This now looks like:

Microzodiac.prg:      data
Minefield.prg:        data
Vic-tac-toe.prg:      data
breakvic_joy.bas:     ASCII text, with CRLF line terminators
breakvic_joy.prg:     data
breakvic_key.bas:     ASCII text, with CRLF line terminators
breakvic_key.prg:     data
novell-2.tr1:         Novell LANalyzer capture file, version 1.5,
		      record length 0x4c, 2nd record length 0x80
		      , names Channel1 Channel2 ...
novell-lanalyzer.tr1: Novell LANalyzer capture file, version 1.5,
		      record length 0x4c, 2nd record length 0x80
		      , names Channel1 Channel2 ...
novell-win10.tr1:     Novell LANalyzer capture file, version 1.5,
		      record length 0x4c, 2nd record length 0x80
		      , names Channel1 Channel2 ...

I hope my diff file can be applied in a future version of the file
utility.

There is something to do: create/modify magic for Commodore BASIC
programs. I will try to do this in a future session.

With best wishes,
Jörg Jenderek
- --
Jörg Jenderek
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iF0EARECAB0WIQS5/qNWKD4ASGOJGL+v8rHJQhrU1gUCY2BsZAAKCRCv8rHJQhrU
1k6KAKCkX79ZYjI2E5Y5tqM55xTBVxlDJgCg3BEalp/ROUphiFxESk4Jyj8QJ3k=
=Jnsz
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: trid-v-prg.txt.gz
Type: application/x-gzip
Size: 553 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20221101/2c10ac41/attachment.bin>
-------------- next part --------------
--- file-5.43/magic/Magdir/sniffer.old	2022-08-16 13:15:19.000000000 +0200
+++ file-5.43/magic/Magdir/sniffer	2022-11-01 01:27:28.505690300 +0100
@@ -328,7 +328,40 @@
 #
 # Novell LANalyzer capture files.
-#
-0	leshort		0x1001		Novell LANalyzer capture file
-0	leshort		0x1007		Novell LANalyzer capture file
+# URL:		http://www.blacksheepnetworks.com/security/info/nw/lan/trace.txt
+# Reference:	https://github.com/wireshark/wireshark/blob/master/wiretap/lanalyzer.c
+# Update:	Joerg Jenderek
+# 
+# regular trace header record (RT_HeaderRegular)
+0	leshort		0x1001
+# GRR: line above is too generic because it matches Commodore Plus/4 BASIC V3.5
+# and VIC-20 BASIC V2 program
+# skip many Commodore Basic program (Microzodiac.prg Minefield.prg Vic-tac-toe.prg breakvic_joy.prg)
+# with invalid second record type 0 instead of "Trace receive channel name record"
+>(2.s+4)	leshort	=0x1006h
+>>0	use	novell-lanalyzer
+# cyclic trace header record (RT_HeaderCyclic)
+0	leshort		0x1007
+>0	use	novell-lanalyzer
+0	name	novell-lanalyzer
+>0	leshort		x		Novell LANalyzer capture file
+# https://reposcope.com/mimetype/application/x-lanalyzer
+!:mime	application/x-lanalyzer
+# maybe also TR2 .. TR9 TRA .. TRZ
+!:ext	tr1
+# version like: 1.5
+>4		ubyte	x		\b, version %u
+# minor version; one byte identifying the trace file minor version number
+>5		ubyte	x		\b.%u
+# Trace header record type like: 1001~regular or 1007~cyclic
+>0	leshort		!0x1001		\b, record type %4.4x
+# record_length[2] is the length of the data part of 1st reorcd (without "type" and "length" fields) like: 4Ch
+>2		leshort	x		\b, record length %#x
+# second record type like: 1006h~Trace receive channel name record
+>(2.s+4)	leshort	!0x1006h	\b, 2nd record type %#4.4x
+>(2.s+6)	leshort	x		\b, 2nd record length %#x
+# each channel name is a null-terminated, eight-byte ASCII string like: Channel1
+>(2.s+8)	string	x		\b, names %.9s
+# 2nd channel name like: Channel2
+>(2.s+17)	string	x		%.9s ...
 
 #
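Review bot: the cyclic branch ("0 leshort 0x1007" followed directly by ">0 use novell-lanalyzer") skips the second-record guard that the regular branch gets (">(2.s+4) leshort =0x1006h"), so a file that merely starts with the bytes 07 10 is still reported as a capture with no further check; suggest inserting the same ">(2.s+4) leshort =0x1006h" test before the "use" line in the 0x1007 branch so both header types are validated the same way. Minor points in the same hunk: the comment on record_length has a typo ("reorcd" for "record"), and the first record type is printed with "%4.4x" while the 2nd record type uses "%#4.4x"; one form for both keeps the output consistent.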
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file-5.43-sniffer-novell.diff.sig
Type: application/octet-stream
Size: 1112 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20221101/2c10ac41/attachment.obj>
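The header layout the mail walks through (2-byte record type, 2-byte length of the data part, major/minor version bytes, then the mandatory 1006h channel-name record reached via the first record's length) as a stand-alone parser that applies the same tests as the proposed magic and rejects a Commodore PRG image the way the patched magic does. This is an added example, not code from the post or from the file or Wireshark projects; the sample byte strings are constructed here, and the 9-byte name stride is taken from the magic's +8/+17 offsets, not from the Novell document.

```python
"""Parser for the Novell LANalyzer trace header that applies the same
tests as the proposed magic: first record type and length, version
bytes, and the mandatory "Trace receive channel name record" (1006h)
that the first record's length points to."""
import struct

RT_HEADER_REGULAR = 0x1001  # regular trace file header record
RT_HEADER_CYCLIC = 0x1007   # cyclic trace file header record
RT_CHANNEL_NAMES = 0x1006   # second record: trace receive channel names
NAME_SLOT = 9               # 8-byte ASCII name plus NUL (magic reads +8, +17)


def parse_lanalyzer(data):
    """Return the header fields as a dict, or None when the bytes fail a
    test, which is what happens for a Commodore PRG starting with 01 10."""
    if len(data) < 6:
        return None
    rec_type, rec_len = struct.unpack_from("<HH", data, 0)
    if rec_type not in (RT_HEADER_REGULAR, RT_HEADER_CYCLIC):
        return None
    major, minor = data[4], data[5]
    # rec_len counts only the data part, so the second record starts at
    # 4 + rec_len; this is the magic's indirect offset (2.s+4)
    second = 4 + rec_len
    if len(data) < second + 4:
        return None  # "length" points past the end: a BASIC line link, not a record
    rec2_type, rec2_len = struct.unpack_from("<HH", data, second)
    if rec2_type != RT_CHANNEL_NAMES:
        return None  # e.g. 0 in the misidentified PRG files
    blob = data[second + 4:second + 4 + rec2_len]
    names = []
    for i in range(0, len(blob) - NAME_SLOT + 1, NAME_SLOT):
        raw = blob[i:i + NAME_SLOT].split(b"\x00", 1)[0]
        if raw and raw.isascii():
            names.append(raw.decode("ascii"))
    return {
        "cyclic": rec_type == RT_HEADER_CYCLIC,
        "version": "%u.%u" % (major, minor),
        "record_length": rec_len,
        "second_record_length": rec2_len,
        "names": names,
    }


def describe(data):
    """Format the fields the way the proposed magic prints them; plain
    'data' when the tests fail, as file(1) reports the PRG files."""
    hdr = parse_lanalyzer(data)
    if hdr is None:
        return "data"
    out = "Novell LANalyzer capture file, version " + hdr["version"]
    if hdr["cyclic"]:
        out += ", record type 1007"  # magic prints the type only if not 1001
    out += ", record length %#x" % hdr["record_length"]
    out += ", 2nd record length %#x" % hdr["second_record_length"]
    if hdr["names"]:
        out += ", names " + " ".join(hdr["names"][:2]) + " ..."
    return out


def build_trace(rec_type, rec_len, major, minor, names,
                second_type=RT_CHANNEL_NAMES):
    """Constructed sample builder (not a real capture): a first record with
    rec_len data bytes holding the version, then a channel-name record."""
    first = struct.pack("<HH", rec_type, rec_len) + bytes([major, minor])
    first += b"\x00" * (rec_len - 2)
    blob = b"".join(n.encode("ascii").ljust(8, b"\x00") + b"\x00" for n in names)
    return first + struct.pack("<HH", second_type, len(blob)) + blob


# Constructed samples: regular and cyclic headers with version 1.5 and a
# 0x4c-byte first record as in the mail, plus one with a bad second record.
SAMPLE_REGULAR = build_trace(RT_HEADER_REGULAR, 0x4C, 1, 5, ["Channel1", "Channel2"])
SAMPLE_CYCLIC = build_trace(RT_HEADER_CYCLIC, 0x4C, 1, 5, ["Channel1", "Channel2"])
SAMPLE_BAD_SECOND = build_trace(RT_HEADER_REGULAR, 0x4C, 0, 0, ["Channel1"],
                                second_type=0)
# Constructed minimal Commodore BASIC program image: load address $1001
# (bytes 01 10), line link to $100b, line number 10, PRINT "HI", end marker.
# The link pointer lands where the magic expects the record length.
SAMPLE_PRG = bytes.fromhex("0110 0b10 0a00 99 22 48 49 22 00 0000")

if __name__ == "__main__":
    for label, blob in (("regular", SAMPLE_REGULAR), ("cyclic", SAMPLE_CYCLIC),
                        ("bad 2nd", SAMPLE_BAD_SECOND), ("prg", SAMPLE_PRG)):
        print("%-8s %s" % (label, describe(blob)))
```

The length check before reading the second record matters: for the PRG sample the "record length" is the BASIC line link (0x100b), so the indirect offset points far past the end of a short program, and the parser must treat that as a failed test rather than an error.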