4 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version 2
9 * of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26 #include <wsutil/buffer.h>
27 #include <wsutil/nstime.h>
28 #include "ws_symbol_export.h"
32 #endif /* __cplusplus */
34 /* Encapsulation types. Choose names that truly reflect
35 * what is contained in the packet trace file.
37 * WTAP_ENCAP_PER_PACKET is a value passed to "wtap_dump_open()" or
38 * "wtap_dump_fd_open()" to indicate that there is no single encapsulation
39 * type for all packets in the file; this may cause those routines to
40 * fail if the capture file format being written can't support that.
41 * It's also returned by "wtap_file_encap()" for capture files that
42 * don't have a single encapsulation type for all packets in the file.
44 * WTAP_ENCAP_UNKNOWN is returned by "wtap_pcap_encap_to_wtap_encap()"
45 * if it's handed an unknown encapsulation.
47 * WTAP_ENCAP_FDDI_BITSWAPPED is for FDDI captures on systems where the
48 * MAC addresses you get from the hardware are bit-swapped. Ideally,
49 * the driver would tell us that, but I know of none that do, so, for
50 * now, we base it on the machine on which we're *reading* the
51 * capture, rather than on the machine on which the capture was taken
52 * (they're probably likely to be the same). We assume that they're
53 * bit-swapped on everything except for systems running Ultrix, Alpha
54 * systems, and BSD/OS systems (that's what "tcpdump" does; I guess
55 * Digital decided to bit-swap addresses in the hardware or in the
56 * driver, and I guess BSDI bit-swapped them in the driver, given that
57 * BSD/OS generally runs on Boring Old PC's). If we create a wiretap
58 * save file format, we'd use the WTAP_ENCAP values to flag the
59 * encapsulation of a packet, so there we'd at least be able to base
60 * it on the machine on which the capture was taken.
62 * WTAP_ENCAP_LINUX_ATM_CLIP is the encapsulation you get with the
63 * ATM on Linux code from <http://linux-atm.sourceforge.net/>;
64 * that code adds a DLT_ATM_CLIP DLT_ code of 19, and that
65 * encapsulation isn't the same as the DLT_ATM_RFC1483 encapsulation
66 * presumably used on some BSD systems, which we turn into
67 * WTAP_ENCAP_ATM_RFC1483.
69 * WTAP_ENCAP_NULL corresponds to DLT_NULL from "libpcap". This
72 * 1) PPP-over-HDLC encapsulation, at least with some versions
73 * of ISDN4BSD (but not the current ones, it appears, unless
74 * I've missed something);
76 * 2) a 4-byte header containing the AF_ address family, in
77 * the byte order of the machine that saved the capture,
78 * for the packet, as used on many BSD systems for the
79 * loopback device and some other devices, or a 4-byte header
80 * containing the AF_ address family in network byte order,
81 * as used on recent OpenBSD systems for the loopback device;
83 * 3) a 4-byte header containing 2 octets of 0 and an Ethernet
84 * type in the byte order from an Ethernet header, that being
85 * what older versions of "libpcap" on Linux turn the Ethernet
86 * header for loopback interfaces into (0.6.0 and later versions
87 * leave the Ethernet header alone and make it DLT_EN10MB). */
88 #define WTAP_ENCAP_PER_PACKET -1
89 #define WTAP_ENCAP_UNKNOWN 0
90 #define WTAP_ENCAP_ETHERNET 1
91 #define WTAP_ENCAP_TOKEN_RING 2
92 #define WTAP_ENCAP_SLIP 3
93 #define WTAP_ENCAP_PPP 4
94 #define WTAP_ENCAP_FDDI 5
95 #define WTAP_ENCAP_FDDI_BITSWAPPED 6
96 #define WTAP_ENCAP_RAW_IP 7
97 #define WTAP_ENCAP_ARCNET 8
98 #define WTAP_ENCAP_ARCNET_LINUX 9
99 #define WTAP_ENCAP_ATM_RFC1483 10
100 #define WTAP_ENCAP_LINUX_ATM_CLIP 11
101 #define WTAP_ENCAP_LAPB 12
102 #define WTAP_ENCAP_ATM_PDUS 13
103 #define WTAP_ENCAP_ATM_PDUS_UNTRUNCATED 14
104 #define WTAP_ENCAP_NULL 15
105 #define WTAP_ENCAP_ASCEND 16
106 #define WTAP_ENCAP_ISDN 17
107 #define WTAP_ENCAP_IP_OVER_FC 18
108 #define WTAP_ENCAP_PPP_WITH_PHDR 19
109 #define WTAP_ENCAP_IEEE_802_11 20
110 #define WTAP_ENCAP_IEEE_802_11_PRISM 21
111 #define WTAP_ENCAP_IEEE_802_11_WITH_RADIO 22
112 #define WTAP_ENCAP_IEEE_802_11_RADIOTAP 23
113 #define WTAP_ENCAP_IEEE_802_11_AVS 24
114 #define WTAP_ENCAP_SLL 25
115 #define WTAP_ENCAP_FRELAY 26
116 #define WTAP_ENCAP_FRELAY_WITH_PHDR 27
117 #define WTAP_ENCAP_CHDLC 28
118 #define WTAP_ENCAP_CISCO_IOS 29
119 #define WTAP_ENCAP_LOCALTALK 30
120 #define WTAP_ENCAP_OLD_PFLOG 31
121 #define WTAP_ENCAP_HHDLC 32
122 #define WTAP_ENCAP_DOCSIS 33
123 #define WTAP_ENCAP_COSINE 34
124 #define WTAP_ENCAP_WFLEET_HDLC 35
125 #define WTAP_ENCAP_SDLC 36
126 #define WTAP_ENCAP_TZSP 37
127 #define WTAP_ENCAP_ENC 38
128 #define WTAP_ENCAP_PFLOG 39
129 #define WTAP_ENCAP_CHDLC_WITH_PHDR 40
130 #define WTAP_ENCAP_BLUETOOTH_H4 41
131 #define WTAP_ENCAP_MTP2 42
132 #define WTAP_ENCAP_MTP3 43
133 #define WTAP_ENCAP_IRDA 44
134 #define WTAP_ENCAP_USER0 45
135 #define WTAP_ENCAP_USER1 46
136 #define WTAP_ENCAP_USER2 47
137 #define WTAP_ENCAP_USER3 48
138 #define WTAP_ENCAP_USER4 49
139 #define WTAP_ENCAP_USER5 50
140 #define WTAP_ENCAP_USER6 51
141 #define WTAP_ENCAP_USER7 52
142 #define WTAP_ENCAP_USER8 53
143 #define WTAP_ENCAP_USER9 54
144 #define WTAP_ENCAP_USER10 55
145 #define WTAP_ENCAP_USER11 56
146 #define WTAP_ENCAP_USER12 57
147 #define WTAP_ENCAP_USER13 58
148 #define WTAP_ENCAP_USER14 59
149 #define WTAP_ENCAP_USER15 60
150 #define WTAP_ENCAP_SYMANTEC 61
151 #define WTAP_ENCAP_APPLE_IP_OVER_IEEE1394 62
152 #define WTAP_ENCAP_BACNET_MS_TP 63
153 #define WTAP_ENCAP_NETTL_RAW_ICMP 64
154 #define WTAP_ENCAP_NETTL_RAW_ICMPV6 65
155 #define WTAP_ENCAP_GPRS_LLC 66
156 #define WTAP_ENCAP_JUNIPER_ATM1 67
157 #define WTAP_ENCAP_JUNIPER_ATM2 68
158 #define WTAP_ENCAP_REDBACK 69
159 #define WTAP_ENCAP_NETTL_RAW_IP 70
160 #define WTAP_ENCAP_NETTL_ETHERNET 71
161 #define WTAP_ENCAP_NETTL_TOKEN_RING 72
162 #define WTAP_ENCAP_NETTL_FDDI 73
163 #define WTAP_ENCAP_NETTL_UNKNOWN 74
164 #define WTAP_ENCAP_MTP2_WITH_PHDR 75
165 #define WTAP_ENCAP_JUNIPER_PPPOE 76
166 #define WTAP_ENCAP_GCOM_TIE1 77
167 #define WTAP_ENCAP_GCOM_SERIAL 78
168 #define WTAP_ENCAP_NETTL_X25 79
169 #define WTAP_ENCAP_K12 80
170 #define WTAP_ENCAP_JUNIPER_MLPPP 81
171 #define WTAP_ENCAP_JUNIPER_MLFR 82
172 #define WTAP_ENCAP_JUNIPER_ETHER 83
173 #define WTAP_ENCAP_JUNIPER_PPP 84
174 #define WTAP_ENCAP_JUNIPER_FRELAY 85
175 #define WTAP_ENCAP_JUNIPER_CHDLC 86
176 #define WTAP_ENCAP_JUNIPER_GGSN 87
177 #define WTAP_ENCAP_LINUX_LAPD 88
178 #define WTAP_ENCAP_CATAPULT_DCT2000 89
179 #define WTAP_ENCAP_BER 90
180 #define WTAP_ENCAP_JUNIPER_VP 91
181 #define WTAP_ENCAP_USB 92
182 #define WTAP_ENCAP_IEEE802_16_MAC_CPS 93
183 #define WTAP_ENCAP_NETTL_RAW_TELNET 94
184 #define WTAP_ENCAP_USB_LINUX 95
185 #define WTAP_ENCAP_MPEG 96
186 #define WTAP_ENCAP_PPI 97
187 #define WTAP_ENCAP_ERF 98
188 #define WTAP_ENCAP_BLUETOOTH_H4_WITH_PHDR 99
189 #define WTAP_ENCAP_SITA 100
190 #define WTAP_ENCAP_SCCP 101
191 #define WTAP_ENCAP_BLUETOOTH_HCI 102 /*raw packets without a transport layer header e.g. H4*/
192 #define WTAP_ENCAP_IPMB 103
193 #define WTAP_ENCAP_IEEE802_15_4 104
194 #define WTAP_ENCAP_X2E_XORAYA 105
195 #define WTAP_ENCAP_FLEXRAY 106
196 #define WTAP_ENCAP_LIN 107
197 #define WTAP_ENCAP_MOST 108
198 #define WTAP_ENCAP_CAN20B 109
199 #define WTAP_ENCAP_LAYER1_EVENT 110
200 #define WTAP_ENCAP_X2E_SERIAL 111
201 #define WTAP_ENCAP_I2C 112
202 #define WTAP_ENCAP_IEEE802_15_4_NONASK_PHY 113
203 #define WTAP_ENCAP_TNEF 114
204 #define WTAP_ENCAP_USB_LINUX_MMAPPED 115
205 #define WTAP_ENCAP_GSM_UM 116
206 #define WTAP_ENCAP_DPNSS 117
207 #define WTAP_ENCAP_PACKETLOGGER 118
208 #define WTAP_ENCAP_NSTRACE_1_0 119
209 #define WTAP_ENCAP_NSTRACE_2_0 120
210 #define WTAP_ENCAP_FIBRE_CHANNEL_FC2 121
211 #define WTAP_ENCAP_FIBRE_CHANNEL_FC2_WITH_FRAME_DELIMS 122
212 #define WTAP_ENCAP_JPEG_JFIF 123 /* obsoleted by WTAP_ENCAP_MIME*/
213 #define WTAP_ENCAP_IPNET 124
214 #define WTAP_ENCAP_SOCKETCAN 125
215 #define WTAP_ENCAP_IEEE_802_11_NETMON 126
216 #define WTAP_ENCAP_IEEE802_15_4_NOFCS 127
217 #define WTAP_ENCAP_RAW_IPFIX 128
218 #define WTAP_ENCAP_RAW_IP4 129
219 #define WTAP_ENCAP_RAW_IP6 130
220 #define WTAP_ENCAP_LAPD 131
221 #define WTAP_ENCAP_DVBCI 132
222 #define WTAP_ENCAP_MUX27010 133
223 #define WTAP_ENCAP_MIME 134
224 #define WTAP_ENCAP_NETANALYZER 135
225 #define WTAP_ENCAP_NETANALYZER_TRANSPARENT 136
226 #define WTAP_ENCAP_IP_OVER_IB 137
227 #define WTAP_ENCAP_MPEG_2_TS 138
228 #define WTAP_ENCAP_PPP_ETHER 139
229 #define WTAP_ENCAP_NFC_LLCP 140
230 #define WTAP_ENCAP_NFLOG 141
231 #define WTAP_ENCAP_V5_EF 142
232 #define WTAP_ENCAP_BACNET_MS_TP_WITH_PHDR 143
233 #define WTAP_ENCAP_IXVERIWAVE 144
234 #define WTAP_ENCAP_IEEE_802_11_AIROPEEK 145
235 #define WTAP_ENCAP_SDH 146
236 #define WTAP_ENCAP_DBUS 147
237 #define WTAP_ENCAP_AX25_KISS 148
238 #define WTAP_ENCAP_AX25 149
239 #define WTAP_ENCAP_SCTP 150
240 #define WTAP_ENCAP_INFINIBAND 151
241 #define WTAP_ENCAP_JUNIPER_SVCS 152
242 #define WTAP_ENCAP_USBPCAP 153
243 #define WTAP_ENCAP_RTAC_SERIAL 154
244 #define WTAP_ENCAP_BLUETOOTH_LE_LL 155
245 #define WTAP_ENCAP_WIRESHARK_UPPER_PDU 156
246 #define WTAP_ENCAP_STANAG_4607 157
247 #define WTAP_ENCAP_STANAG_5066_D_PDU 158
248 #define WTAP_ENCAP_NETLINK 159
249 #define WTAP_ENCAP_BLUETOOTH_LINUX_MONITOR 160
250 #define WTAP_ENCAP_BLUETOOTH_BREDR_BB 161
251 #define WTAP_ENCAP_BLUETOOTH_LE_LL_WITH_PHDR 162
252 #define WTAP_ENCAP_NSTRACE_3_0 163
253 #define WTAP_ENCAP_LOGCAT 164
254 #define WTAP_ENCAP_LOGCAT_BRIEF 165
255 #define WTAP_ENCAP_LOGCAT_PROCESS 166
256 #define WTAP_ENCAP_LOGCAT_TAG 167
257 #define WTAP_ENCAP_LOGCAT_THREAD 168
258 #define WTAP_ENCAP_LOGCAT_TIME 169
259 #define WTAP_ENCAP_LOGCAT_THREADTIME 170
260 #define WTAP_ENCAP_LOGCAT_LONG 171
261 #define WTAP_ENCAP_PKTAP 172
262 #define WTAP_ENCAP_EPON 173
263 #define WTAP_ENCAP_IPMI_TRACE 174
264 #define WTAP_ENCAP_LOOP 175
265 #define WTAP_ENCAP_JSON 176
266 #define WTAP_ENCAP_NSTRACE_3_5 177
267 /* After adding new item here, please also add new item to encap_table_base array */
269 #define WTAP_NUM_ENCAP_TYPES wtap_get_num_encap_types()
271 /* File types/subtypes that can be read by wiretap.
272 We support writing many of these file types, too, so we
273 distinguish between different subtypes of them, as
274 different subtypes need to be written in a different
276 #define WTAP_FILE_TYPE_SUBTYPE_UNKNOWN 0
277 #define WTAP_FILE_TYPE_SUBTYPE_PCAP 1
278 #define WTAP_FILE_TYPE_SUBTYPE_PCAPNG 2
279 #define WTAP_FILE_TYPE_SUBTYPE_PCAP_NSEC 3
280 #define WTAP_FILE_TYPE_SUBTYPE_PCAP_AIX 4
281 #define WTAP_FILE_TYPE_SUBTYPE_PCAP_SS991029 5
282 #define WTAP_FILE_TYPE_SUBTYPE_PCAP_NOKIA 6
283 #define WTAP_FILE_TYPE_SUBTYPE_PCAP_SS990417 7
284 #define WTAP_FILE_TYPE_SUBTYPE_PCAP_SS990915 8
285 #define WTAP_FILE_TYPE_SUBTYPE_5VIEWS 9
286 #define WTAP_FILE_TYPE_SUBTYPE_IPTRACE_1_0 10
287 #define WTAP_FILE_TYPE_SUBTYPE_IPTRACE_2_0 11
288 #define WTAP_FILE_TYPE_SUBTYPE_BER 12
289 #define WTAP_FILE_TYPE_SUBTYPE_HCIDUMP 13
290 #define WTAP_FILE_TYPE_SUBTYPE_CATAPULT_DCT2000 14
291 #define WTAP_FILE_TYPE_SUBTYPE_NETXRAY_OLD 15
292 #define WTAP_FILE_TYPE_SUBTYPE_NETXRAY_1_0 16
293 #define WTAP_FILE_TYPE_SUBTYPE_COSINE 17
294 #define WTAP_FILE_TYPE_SUBTYPE_CSIDS 18
295 #define WTAP_FILE_TYPE_SUBTYPE_DBS_ETHERWATCH 19
296 #define WTAP_FILE_TYPE_SUBTYPE_ERF 20
297 #define WTAP_FILE_TYPE_SUBTYPE_EYESDN 21
298 #define WTAP_FILE_TYPE_SUBTYPE_NETTL 22
299 #define WTAP_FILE_TYPE_SUBTYPE_ISERIES 23
300 #define WTAP_FILE_TYPE_SUBTYPE_ISERIES_UNICODE 24
301 #define WTAP_FILE_TYPE_SUBTYPE_I4BTRACE 25
302 #define WTAP_FILE_TYPE_SUBTYPE_ASCEND 26
303 #define WTAP_FILE_TYPE_SUBTYPE_NETMON_1_x 27
304 #define WTAP_FILE_TYPE_SUBTYPE_NETMON_2_x 28
305 #define WTAP_FILE_TYPE_SUBTYPE_NGSNIFFER_UNCOMPRESSED 29
306 #define WTAP_FILE_TYPE_SUBTYPE_NGSNIFFER_COMPRESSED 30
307 #define WTAP_FILE_TYPE_SUBTYPE_NETXRAY_1_1 31
308 #define WTAP_FILE_TYPE_SUBTYPE_NETXRAY_2_00x 32
309 #define WTAP_FILE_TYPE_SUBTYPE_NETWORK_INSTRUMENTS 33
310 #define WTAP_FILE_TYPE_SUBTYPE_LANALYZER 34
311 #define WTAP_FILE_TYPE_SUBTYPE_PPPDUMP 35
312 #define WTAP_FILE_TYPE_SUBTYPE_RADCOM 36
313 #define WTAP_FILE_TYPE_SUBTYPE_SNOOP 37
314 #define WTAP_FILE_TYPE_SUBTYPE_SHOMITI 38
315 #define WTAP_FILE_TYPE_SUBTYPE_VMS 39
316 #define WTAP_FILE_TYPE_SUBTYPE_K12 40
317 #define WTAP_FILE_TYPE_SUBTYPE_TOSHIBA 41
318 #define WTAP_FILE_TYPE_SUBTYPE_VISUAL_NETWORKS 42
319 #define WTAP_FILE_TYPE_SUBTYPE_PEEKCLASSIC_V56 43
320 #define WTAP_FILE_TYPE_SUBTYPE_PEEKCLASSIC_V7 44
321 #define WTAP_FILE_TYPE_SUBTYPE_PEEKTAGGED 45
322 #define WTAP_FILE_TYPE_SUBTYPE_MPEG 46
323 #define WTAP_FILE_TYPE_SUBTYPE_K12TEXT 47
324 #define WTAP_FILE_TYPE_SUBTYPE_NETSCREEN 48
325 #define WTAP_FILE_TYPE_SUBTYPE_COMMVIEW 49
326 #define WTAP_FILE_TYPE_SUBTYPE_BTSNOOP 50
327 #define WTAP_FILE_TYPE_SUBTYPE_TNEF 51
328 #define WTAP_FILE_TYPE_SUBTYPE_DCT3TRACE 52
329 #define WTAP_FILE_TYPE_SUBTYPE_PACKETLOGGER 53
330 #define WTAP_FILE_TYPE_SUBTYPE_DAINTREE_SNA 54
331 #define WTAP_FILE_TYPE_SUBTYPE_NETSCALER_1_0 55
332 #define WTAP_FILE_TYPE_SUBTYPE_NETSCALER_2_0 56
333 #define WTAP_FILE_TYPE_SUBTYPE_JPEG_JFIF 57 /* obsoleted by WTAP_FILE_TYPE_SUBTYPE_MIME */
334 #define WTAP_FILE_TYPE_SUBTYPE_IPFIX 58
335 #define WTAP_FILE_TYPE_SUBTYPE_MIME 59
336 #define WTAP_FILE_TYPE_SUBTYPE_AETHRA 60
337 #define WTAP_FILE_TYPE_SUBTYPE_MPEG_2_TS 61
338 #define WTAP_FILE_TYPE_SUBTYPE_VWR_80211 62
339 #define WTAP_FILE_TYPE_SUBTYPE_VWR_ETH 63
340 #define WTAP_FILE_TYPE_SUBTYPE_CAMINS 64
341 #define WTAP_FILE_TYPE_SUBTYPE_STANAG_4607 65
342 #define WTAP_FILE_TYPE_SUBTYPE_NETSCALER_3_0 66
343 #define WTAP_FILE_TYPE_SUBTYPE_LOGCAT 67
344 #define WTAP_FILE_TYPE_SUBTYPE_LOGCAT_BRIEF 68
345 #define WTAP_FILE_TYPE_SUBTYPE_LOGCAT_PROCESS 69
346 #define WTAP_FILE_TYPE_SUBTYPE_LOGCAT_TAG 70
347 #define WTAP_FILE_TYPE_SUBTYPE_LOGCAT_THREAD 71
348 #define WTAP_FILE_TYPE_SUBTYPE_LOGCAT_TIME 72
349 #define WTAP_FILE_TYPE_SUBTYPE_LOGCAT_THREADTIME 73
350 #define WTAP_FILE_TYPE_SUBTYPE_LOGCAT_LONG 74
351 #define WTAP_FILE_TYPE_SUBTYPE_COLASOFT_CAPSA 75
352 #define WTAP_FILE_TYPE_SUBTYPE_COLASOFT_PACKET_BUILDER 76
353 #define WTAP_FILE_TYPE_SUBTYPE_JSON 77
354 #define WTAP_FILE_TYPE_SUBTYPE_NETSCALER_3_5 78
355 #define WTAP_FILE_TYPE_SUBTYPE_NETTRACE_3GPP_32_423 79
357 #define WTAP_NUM_FILE_TYPES_SUBTYPES wtap_get_num_file_types_subtypes()
359 /* timestamp precision (currently only these values are supported) */
360 #define WTAP_TSPREC_UNKNOWN -2
361 #define WTAP_TSPREC_PER_PACKET -1 /* as a per-file value, means per-packet */
362 #define WTAP_TSPREC_SEC 0
363 #define WTAP_TSPREC_DSEC 1
364 #define WTAP_TSPREC_CSEC 2
365 #define WTAP_TSPREC_MSEC 3
366 #define WTAP_TSPREC_USEC 6
367 #define WTAP_TSPREC_NSEC 9
370 * Maximum packet size we'll support.
371 * 262144 is the largest snapshot length that libpcap supports, so we
374 #define WTAP_MAX_PACKET_SIZE 262144
377 * "Pseudo-headers" are used to supply to the clients of wiretap
378 * per-packet information that's not part of the packet payload
381 * NOTE: do not use pseudo-header structures to hold information
382 * used by the code to read a particular capture file type; to
383 * keep that sort of state information, add a new structure for
384 * that private information to "wtap-int.h", add a pointer to that
385 * type of structure to the "capture" member of the "struct wtap"
386 * structure, and allocate one of those structures and set that member
387 * in the "open" routine for that capture file type if the open
388 * succeeds. See various other capture file type handlers for examples
393 /* Packet "pseudo-header" information for Ethernet capture files. */
395 gint fcs_len; /* Number of bytes of FCS - -1 means "unknown" */
398 /* Packet "pseudo-header" information for X.25 capture files. */
399 #define FROM_DCE 0x80
401 guint8 flags; /* ENCAP_LAPB, ENCAP_V120 : 1st bit means From DCE */
404 /* Packet "pseudo-header" information for ISDN capture files. */
409 guint8 channel; /* 0 = D-channel; n = B-channel n */
412 /* Packet "pseudo-header" for ATM capture files.
413 Not all of this information is supplied by all capture types.
414 These originally came from the Network General (DOS-based)
415 ATM Sniffer file format, but we've added some additional
421 #define ATM_RAW_CELL 0x01 /* TRUE if the packet is a single cell */
422 #define ATM_NO_HEC 0x02 /* TRUE if the cell has HEC stripped out */
423 #define ATM_AAL2_NOPHDR 0x04 /* TRUE if the AAL2 PDU has no pseudo-header */
424 #define ATM_REASSEMBLY_ERROR 0x08 /* TRUE if this is an incompletely-reassembled PDU */
429 #define AAL_UNKNOWN 0 /* AAL unknown */
430 #define AAL_1 1 /* AAL1 */
431 #define AAL_2 2 /* AAL2 */
432 #define AAL_3_4 3 /* AAL3/4 */
433 #define AAL_5 4 /* AAL5 */
434 #define AAL_USER 5 /* User AAL */
435 #define AAL_SIGNALLING 6 /* Signaling AAL */
436 #define AAL_OAMCELL 7 /* OAM cell */
441 #define TRAF_UNKNOWN 0 /* Unknown */
442 #define TRAF_LLCMX 1 /* LLC multiplexed (RFC 1483) */
443 #define TRAF_VCMX 2 /* VC multiplexed (RFC 1483) */
444 #define TRAF_LANE 3 /* LAN Emulation */
445 #define TRAF_ILMI 4 /* ILMI */
446 #define TRAF_FR 5 /* Frame Relay */
447 #define TRAF_SPANS 6 /* FORE SPANS */
448 #define TRAF_IPSILON 7 /* Ipsilon */
449 #define TRAF_UMTS_FP 8 /* UMTS Frame Protocol */
450 #define TRAF_GPRS_NS 9 /* GPRS Network Services */
451 #define TRAF_SSCOP 10 /* SSCOP */
456 #define TRAF_ST_UNKNOWN 0 /* Unknown */
461 #define TRAF_ST_VCMX_802_3_FCS 1 /* 802.3 with an FCS */
462 #define TRAF_ST_VCMX_802_4_FCS 2 /* 802.4 with an FCS */
463 #define TRAF_ST_VCMX_802_5_FCS 3 /* 802.5 with an FCS */
464 #define TRAF_ST_VCMX_FDDI_FCS 4 /* FDDI with an FCS */
465 #define TRAF_ST_VCMX_802_6_FCS 5 /* 802.6 with an FCS */
466 #define TRAF_ST_VCMX_802_3 7 /* 802.3 without an FCS */
467 #define TRAF_ST_VCMX_802_4 8 /* 802.4 without an FCS */
468 #define TRAF_ST_VCMX_802_5 9 /* 802.5 without an FCS */
469 #define TRAF_ST_VCMX_FDDI 10 /* FDDI without an FCS */
470 #define TRAF_ST_VCMX_802_6 11 /* 802.6 without an FCS */
471 #define TRAF_ST_VCMX_FRAGMENTS 12 /* Fragments */
472 #define TRAF_ST_VCMX_BPDU 13 /* BPDU */
477 #define TRAF_ST_LANE_LE_CTRL 1 /* LANE: LE Ctrl */
478 #define TRAF_ST_LANE_802_3 2 /* LANE: 802.3 */
479 #define TRAF_ST_LANE_802_5 3 /* LANE: 802.5 */
480 #define TRAF_ST_LANE_802_3_MC 4 /* LANE: 802.3 multicast */
481 #define TRAF_ST_LANE_802_5_MC 5 /* LANE: 802.5 multicast */
486 #define TRAF_ST_IPSILON_FT0 1 /* Ipsilon: Flow Type 0 */
487 #define TRAF_ST_IPSILON_FT1 2 /* Ipsilon: Flow Type 1 */
488 #define TRAF_ST_IPSILON_FT2 3 /* Ipsilon: Flow Type 2 */
491 guint32 flags; /* status flags */
492 guint8 aal; /* AAL of the traffic */
493 guint8 type; /* traffic type */
494 guint8 subtype; /* traffic subtype */
495 guint16 vpi; /* virtual path identifier */
496 guint16 vci; /* virtual circuit identifier */
497 guint8 aal2_cid; /* channel id */
498 guint16 channel; /* link: 0 for DTE->DCE, 1 for DCE->DTE */
499 guint16 cells; /* number of cells */
500 guint16 aal5t_u2u; /* user-to-user indicator */
501 guint16 aal5t_len; /* length of the packet */
502 guint32 aal5t_chksum; /* checksum for AAL5 packet */
505 /* Packet "pseudo-header" for the output from "wandsession", "wannext",
506 "wandisplay", and similar commands on Lucent/Ascend access equipment. */
508 #define ASCEND_MAX_STR_LEN 64
510 #define ASCEND_PFX_WDS_X 1
511 #define ASCEND_PFX_WDS_R 2
512 #define ASCEND_PFX_WDD 3
513 #define ASCEND_PFX_ISDN_X 4
514 #define ASCEND_PFX_ISDN_R 5
515 #define ASCEND_PFX_ETHER 6
518 guint16 type; /* ASCEND_PFX_*, as defined above */
519 char user[ASCEND_MAX_STR_LEN]; /* Username, from wandsession header */
520 guint32 sess; /* Session number, from wandsession header */
521 char call_num[ASCEND_MAX_STR_LEN]; /* Called number, from WDD header */
522 guint32 chunk; /* Chunk number, from WDD header */
523 guint32 task; /* Task number */
526 /* Also defined in epan/packet_info.h */
527 #define P2P_DIR_UNKNOWN -1
528 #define P2P_DIR_SENT 0
529 #define P2P_DIR_RECV 1
531 /* Packet "pseudo-header" for point-to-point links with direction flags. */
533 int sent; /* TRUE=sent, FALSE=received, -1=unknown*/
537 * Packet "pseudo-header" information for 802.11.
538 * Radio information is only present in this form for
539 * WTAP_ENCAP_IEEE_802_11_WITH_RADIO. This is used for file formats in
540 * which the radio information isn't provided as a pseudo-header in the
543 * Signal strength, etc. information:
545 * Raw signal strength can be measured in milliwatts.
546 * It can also be represented as dBm, which is 10 times the log base 10
547 * of the signal strength in mW.
549 * The Receive Signal Strength Indicator is an integer in the range 0 to 255.
550 * The actual RSSI value for a given signal strength is dependent on the
551 * vendor (and perhaps on the adapter). The maximum possible RSSI value
552 * is also dependent on the vendor and perhaps the adapter.
554 * The signal strength can be represented as a percentage, which is 100
555 * times the ratio of the RSSI and the maximum RSSI.
557 struct ieee_802_11_phdr {
558 guint32 presence_flags; /* Flags indicating presence of certain fields */
559 guint32 flags_11n; /* Various flags for 802.11n traffic */
560 gint fcs_len; /* Number of bytes of FCS - -1 means "unknown" */
561 gboolean decrypted; /* TRUE if frame is decrypted even if "protected" bit is set */
562 guint16 channel; /* Channel number */
563 guint16 data_rate; /* Data rate, in .5 Mb/s units */
564 guint16 mcs_index; /* MCS index */
565 guint bandwidth:2; /* Bandwidth = 20 MHz, 40 MHz, 20+20L, 20+20U */
566 guint short_gi:1; /* True for short guard interval */
567 guint greenfield:1; /* True for greenfield, short for mixed */
568 guint ldpc:1; /* Tue for LDPC FEC */
569 guint stbc_streams:2; /* Number of STBC streams */
570 guint ness:1; /* Number of extension spatial streams */
571 guint16 mcs_info; /* 11n flags and bandwidth */
572 guint32 frequency; /* Channel center frequency */
573 guint8 signal_percent; /* Signal level, as a percentage */
574 guint8 noise_percent; /* Noise level, as a percentage */
575 gint8 signal_dbm; /* Signal level, in dBm */
576 gint8 noise_dbm; /* Noise level, in dBm */
577 guint64 tsf_timestamp;
580 #define PHDR_802_11_HAS_CHANNEL 0x00000001 /* channel */
581 #define PHDR_802_11_HAS_DATA_RATE 0x00000002 /* data_rate */
582 #define PHDR_802_11_HAS_MCS_INDEX 0x00000004 /* mcs */
583 #define PHDR_802_11_HAS_BANDWIDTH 0x00000008 /* bandwidth */
584 #define PHDR_802_11_HAS_SHORT_GI 0x00000010 /* short_gi */
585 #define PHDR_802_11_HAS_GREENFIELD 0x00000020 /* greenfield */
586 #define PHDR_802_11_HAS_LDPC 0x00000040 /* ldpc */
587 #define PHDR_802_11_HAS_STBC_STREAMS 0x00000080 /* stbc_streams */
588 #define PHDR_802_11_HAS_NESS 0x00000100 /* ness */
589 #define PHDR_802_11_HAS_FREQUENCY 0x00000200 /* frequency */
590 #define PHDR_802_11_HAS_SIGNAL_PERCENT 0x00000400 /* signal_percent */
591 #define PHDR_802_11_HAS_NOISE_PERCENT 0x00000800 /* noise_percent */
592 #define PHDR_802_11_HAS_SIGNAL_DBM 0x00001000 /* signal_dbm */
593 #define PHDR_802_11_HAS_NOISE_DBM 0x00002000 /* noise_dbm */
594 #define PHDR_802_11_HAS_TSF_TIMESTAMP 0x00004000 /* tsf_timestamp */
596 #define PHDR_802_11_BANDWIDTH_20_MHZ 0 /* 20 MHz */
597 #define PHDR_802_11_BANDWIDTH_40_MHZ 1 /* 40 MHz */
598 #define PHDR_802_11_BANDWIDTH_20_20L 2 /* 20 + 20L */
599 #define PHDR_802_11_BANDWIDTH_20_20U 3 /* 20 + 20U */
601 /* Packet "pseudo-header" for the output from CoSine L2 debug output. */
603 #define COSINE_MAX_IF_NAME_LEN 128
605 #define COSINE_ENCAP_TEST 1
606 #define COSINE_ENCAP_PPoATM 2
607 #define COSINE_ENCAP_PPoFR 3
608 #define COSINE_ENCAP_ATM 4
609 #define COSINE_ENCAP_FR 5
610 #define COSINE_ENCAP_HDLC 6
611 #define COSINE_ENCAP_PPP 7
612 #define COSINE_ENCAP_ETH 8
613 #define COSINE_ENCAP_UNKNOWN 99
615 #define COSINE_DIR_TX 1
616 #define COSINE_DIR_RX 2
619 guint8 encap; /* COSINE_ENCAP_* as defined above */
620 guint8 direction; /* COSINE_DIR_*, as defined above */
621 char if_name[COSINE_MAX_IF_NAME_LEN]; /* Encap & Logical I/F name */
622 guint16 pro; /* Protocol */
623 guint16 off; /* Offset */
624 guint16 pri; /* Priority */
625 guint16 rm; /* Rate Marking */
626 guint16 err; /* Error Code */
629 /* Packet "pseudo-header" for IrDA capture files. */
632 * Direction of the packet
634 #define IRDA_INCOMING 0x0000
635 #define IRDA_OUTGOING 0x0004
638 * "Inline" log messages produced by IrCOMM2k on Windows
640 #define IRDA_LOG_MESSAGE 0x0100 /* log message */
641 #define IRDA_MISSED_MSG 0x0101 /* missed log entry or frame */
644 * Differentiate between frames and log messages
646 #define IRDA_CLASS_FRAME 0x0000
647 #define IRDA_CLASS_LOG 0x0100
648 #define IRDA_CLASS_MASK 0xFF00
651 guint16 pkttype; /* packet type */
654 /* Packet "pseudo-header" for nettl (HP-UX) capture files. */
664 /* Packet "pseudo-header" for MTP2 files. */
666 #define MTP2_ANNEX_A_NOT_USED 0
667 #define MTP2_ANNEX_A_USED 1
668 #define MTP2_ANNEX_A_USED_UNKNOWN 2
676 /* Packet "pseudo-header" for K12 files. */
690 const gchar *input_name;
691 const gchar *stack_file;
693 k12_input_info_t input_info;
695 guint32 extra_length;
699 #define K12_PORT_DS0S 0x00010008
700 #define K12_PORT_DS1 0x00100008
701 #define K12_PORT_ATMPVC 0x01020000
704 guint16 pkttype; /* packet type */
709 struct catapult_dct2000_phdr
713 struct isdn_phdr isdn;
716 } inner_pseudo_header;
722 * Endace Record Format pseudo header
725 guint64 ts; /* Time stamp */
738 * ERF pseudo header with optional subheader
739 * (Multichannel or Ethernet)
742 #define MAX_ERF_EHDR 8
745 struct erf_phdr phdr;
746 struct erf_ehdr ehdr_list[MAX_ERF_EHDR];
754 #define SITA_FRAME_DIR_TXED (0x00) /* values of sita_phdr.flags */
755 #define SITA_FRAME_DIR_RXED (0x01)
756 #define SITA_FRAME_DIR (0x01) /* mask */
757 #define SITA_ERROR_NO_BUFFER (0x80)
759 #define SITA_SIG_DSR (0x01) /* values of sita_phdr.signals */
760 #define SITA_SIG_DTR (0x02)
761 #define SITA_SIG_CTS (0x04)
762 #define SITA_SIG_RTS (0x08)
763 #define SITA_SIG_DCD (0x10)
764 #define SITA_SIG_UNDEF1 (0x20)
765 #define SITA_SIG_UNDEF2 (0x40)
766 #define SITA_SIG_UNDEF3 (0x80)
768 #define SITA_ERROR_TX_UNDERRUN (0x01) /* values of sita_phdr.errors2 (if SITA_FRAME_DIR_TXED) */
769 #define SITA_ERROR_TX_CTS_LOST (0x02)
770 #define SITA_ERROR_TX_UART_ERROR (0x04)
771 #define SITA_ERROR_TX_RETX_LIMIT (0x08)
772 #define SITA_ERROR_TX_UNDEF1 (0x10)
773 #define SITA_ERROR_TX_UNDEF2 (0x20)
774 #define SITA_ERROR_TX_UNDEF3 (0x40)
775 #define SITA_ERROR_TX_UNDEF4 (0x80)
777 #define SITA_ERROR_RX_FRAMING (0x01) /* values of sita_phdr.errors1 (if SITA_FRAME_DIR_RXED) */
778 #define SITA_ERROR_RX_PARITY (0x02)
779 #define SITA_ERROR_RX_COLLISION (0x04)
780 #define SITA_ERROR_RX_FRAME_LONG (0x08)
781 #define SITA_ERROR_RX_FRAME_SHORT (0x10)
782 #define SITA_ERROR_RX_UNDEF1 (0x20)
783 #define SITA_ERROR_RX_UNDEF2 (0x40)
784 #define SITA_ERROR_RX_UNDEF3 (0x80)
786 #define SITA_ERROR_RX_NONOCTET_ALIGNED (0x01) /* values of sita_phdr.errors2 (if SITA_FRAME_DIR_RXED) */
787 #define SITA_ERROR_RX_ABORT (0x02)
788 #define SITA_ERROR_RX_CD_LOST (0x04)
789 #define SITA_ERROR_RX_DPLL (0x08)
790 #define SITA_ERROR_RX_OVERRUN (0x10)
791 #define SITA_ERROR_RX_FRAME_LEN_VIOL (0x20)
792 #define SITA_ERROR_RX_CRC (0x40)
793 #define SITA_ERROR_RX_BREAK (0x80)
795 #define SITA_PROTO_UNUSED (0x00) /* values of sita_phdr.proto */
796 #define SITA_PROTO_BOP_LAPB (0x01)
797 #define SITA_PROTO_ETHERNET (0x02)
798 #define SITA_PROTO_ASYNC_INTIO (0x03)
799 #define SITA_PROTO_ASYNC_BLKIO (0x04)
800 #define SITA_PROTO_ALC (0x05)
801 #define SITA_PROTO_UTS (0x06)
802 #define SITA_PROTO_PPP_HDLC (0x07)
803 #define SITA_PROTO_SDLC (0x08)
804 #define SITA_PROTO_TOKENRING (0x09)
805 #define SITA_PROTO_I2C (0x10)
806 #define SITA_PROTO_DPM_LINK (0x11)
807 #define SITA_PROTO_BOP_FRL (0x12)
817 /*pseudo header for Bluetooth HCI*/
823 #define BTHCI_CHANNEL_COMMAND 1
824 #define BTHCI_CHANNEL_ACL 2
825 #define BTHCI_CHANNEL_SCO 3
826 #define BTHCI_CHANNEL_EVENT 4
828 /* pseudo header for WTAP_ENCAP_BLUETOOTH_LINUX_MONITOR */
834 /* pseudo header for WTAP_ENCAP_LAYER1_EVENT */
835 struct l1event_phdr {
839 /* * I2C pseudo header */
846 /* pseudo header for WTAP_ENCAP_GSM_UM */
850 /* The following are only populated for downlink */
858 #define GSM_UM_CHANNEL_UNKNOWN 0
859 #define GSM_UM_CHANNEL_BCCH 1
860 #define GSM_UM_CHANNEL_SDCCH 2
861 #define GSM_UM_CHANNEL_SACCH 3
862 #define GSM_UM_CHANNEL_FACCH 4
863 #define GSM_UM_CHANNEL_CCCH 5
864 #define GSM_UM_CHANNEL_RACH 6
865 #define GSM_UM_CHANNEL_AGCH 7
866 #define GSM_UM_CHANNEL_PCH 8
868 /* Pseudo-header for nstrace packets */
880 guint8 vlantag_offset;
881 guint8 coreid_offset;
882 guint8 srcnodeid_offset;
883 guint8 destnodeid_offset;
884 guint8 clflags_offset;
885 guint8 src_vmname_len_offset;
886 guint8 dst_vmname_len_offset;
887 guint8 ns_activity_offset;
891 /* Packet "pseudo-header" for Nokia output */
894 guint8 stuff[4]; /* mysterious stuff */
897 #define LLCP_PHDR_FLAG_SENT 0
903 /* pseudo header for WTAP_ENCAP_LOGCAT */
908 /* Pseudo-header for file-type-specific records */
909 struct ft_specific_record_phdr {
910 guint record_type; /* the type of record this is */
913 union wtap_pseudo_header {
916 struct isdn_phdr isdn;
918 struct ascend_phdr ascend;
920 struct ieee_802_11_phdr ieee_802_11;
921 struct cosine_phdr cosine;
922 struct irda_phdr irda;
923 struct nettl_phdr nettl;
924 struct mtp2_phdr mtp2;
926 struct lapd_phdr lapd;
927 struct catapult_dct2000_phdr dct2000;
928 struct erf_mc_phdr erf;
929 struct sita_phdr sita;
930 struct bthci_phdr bthci;
931 struct btmon_phdr btmon;
932 struct l1event_phdr l1event;
934 struct gsm_um_phdr gsm_um;
935 struct nstr_phdr nstr;
936 struct nokia_phdr nokia;
937 struct llcp_phdr llcp;
938 struct logcat_phdr logcat;
939 struct ft_specific_record_phdr ftsrec;
943 * Record type values.
945 * This list will expand over time, so don't assume everything will
946 * forever be one of the types listed below.
948 * For file-type-specific records, the "ftsrec" field of the pseudo-header
949 * contains a file-type-specific subtype value, such as a block type for
952 * An "event" is an indication that something happened during the capture
953 * process, such as a status transition of some sort on the network.
954 * These should, ideally, have a time stamp and, if they're relevant to
955 * a particular interface on a multi-interface capture, should also have
956 * an interface ID. The data for the event is file-type-specific and
957 * subtype-specific. These should be dissected and displayed just as
960 * A "report" supplies information not corresponding to an event;
961 * for example, a pcap-ng Interface Statistics Block would be a report,
962 * as it doesn't correspond to something happening on the network.
963 * They may have a time stamp, and should be dissected and displayed
964 * just as packets are.
966 * We distingiush between "events" and "reports" so that, for example,
967 * the packet display can show the delta between a packet and an event
968 * but not show the delta between a packet and a report, as the time
969 * stamp of a report may not correspond to anything interesting on
970 * the network but the time stamp of an event would.
972 * XXX - are there any file-type-specific records that *shouldn't* be
973 * dissected and displayed? If so, they should be parsed and the
974 * information in them stored somewhere, and used somewhere, whether
975 * it's just used when saving the file in its native format or also
976 * used to parse *other* file-type-specific records.
978 #define REC_TYPE_PACKET 0 /**< packet */
979 #define REC_TYPE_FT_SPECIFIC_EVENT 1 /**< file-type-specific event */
980 #define REC_TYPE_FT_SPECIFIC_REPORT 2 /**< file-type-specific report */
983 guint rec_type; /* what type of record is this? */
984 guint32 presence_flags; /* what stuff do we have? */
985 nstime_t ts; /* time stamp */
986 guint32 caplen; /* data length in the file */
987 guint32 len; /* data length on the wire */
988 int pkt_encap; /* WTAP_ENCAP_ value for this packet */
989 int pkt_tsprec; /* WTAP_TSPREC_ value for this packet */
990 /* pcapng variables */
991 guint32 interface_id; /* identifier of the interface. */
993 gchar *opt_comment; /* NULL if not available */
994 guint64 drop_count; /* number of packets lost (by the interface and the
995 operating system) between this packet and the preceding one. */
996 guint32 pack_flags; /* XXX - 0 for now (any value for "we don't have it"?) */
997 Buffer ft_specific_data; /* file-type specific data */
999 union wtap_pseudo_header pseudo_header;
1003 * Bits in presence_flags, indicating which of the fields we have.
1005 * For the time stamp, we may need some more flags to indicate
1006 * whether the time stamp is an absolute date-and-time stamp, an
1007 * absolute time-only stamp (which can make relative time
1008 * calculations tricky, as you could in theory have two time
1009 * stamps separated by an unknown number of days), or a time stamp
1010 * relative to some unspecified time in the past (see mpeg.c).
1012 * There is no presence flag for len - there has to be *some* length
1013 * value for the packet. (The "captured length" can be missing if
1014 * the file format doesn't report a captured length distinct from
1015 * the on-the-network length because the application(s) producing those
1016 * files don't support slicing packets.)
1018 * There could be a presence flag for the packet encapsulation - if it's
1019 * absent, use the file encapsulation - but it's not clear that's useful;
1020 * we currently do that in the module for the file format.
1022 #define WTAP_HAS_TS 0x00000001 /**< time stamp */
1023 #define WTAP_HAS_CAP_LEN 0x00000002 /**< captured length separate from on-the-network length */
1024 #define WTAP_HAS_INTERFACE_ID 0x00000004 /**< interface ID */
1025 #define WTAP_HAS_COMMENTS 0x00000008 /**< comments */
1026 #define WTAP_HAS_DROP_COUNT 0x00000010 /**< drop count */
1027 #define WTAP_HAS_PACK_FLAGS 0x00000020 /**< packet flags */
1030 * Holds the option strings from pcapng:s Section Header block(SHB).
1032 typedef struct wtapng_section_s {
1034 guint64 section_length; /**< 64-bit value specifying the length in bytes of the
1035 * following section.
1036 * Section Length equal -1 (0xFFFFFFFFFFFFFFFF) means
1037 * that the size of the section is not specified
1040 gchar *opt_comment; /**< NULL if not available */
1041 gchar *shb_hardware; /**< NULL if not available
1042 * UTF-8 string containing the description of the
1043 * hardware used to create this section.
1045 gchar *shb_os; /**< NULL if not available, UTF-8 string containing the
1046 * name of the operating system used to create this section.
1048 gchar *shb_user_appl; /**< NULL if not available, UTF-8 string containing the
1049 * name of the application used to create this section.
1054 /** struct holding the information to build IDB:s
1055 * the interface_data array holds an array of wtapng_if_descr_t
1056 * one per interface.
1058 typedef struct wtapng_iface_descriptions_s {
1059 GArray *interface_data;
1060 } wtapng_iface_descriptions_t;
1062 /* Interface Description
1066 * if_name 2 A UTF-8 string containing the name of the device used to capture data.
1067 * "eth0" / "\Device\NPF_{AD1CE675-96D0-47C5-ADD0-2504B9126B68}" / ...
1069 * if_description 3 A UTF-8 string containing the description of the device used
1070 * to capture data. "Broadcom NetXtreme" / "First Ethernet Interface" / ...
1072 * if_IPv4addr 4 Interface network address and netmask. This option can be
1073 * repeated multiple times within the same Interface Description Block
1074 * when multiple IPv4 addresses are assigned to the interface. 192 168 1 1 255 255 255 0
1076 * if_IPv6addr 5 Interface network address and prefix length (stored in the last byte).
1077 * This option can be repeated multiple times within the same Interface
1078 * Description Block when multiple IPv6 addresses are assigned to the interface.
1079 * 2001:0db8:85a3:08d3:1319:8a2e:0370:7344/64 is written (in hex) as
1080 * "20 01 0d b8 85 a3 08 d3 13 19 8a 2e 03 70 73 44 40"
1082 * if_MACaddr 6 Interface Hardware MAC address (48 bits). 00 01 02 03 04 05
1084 * if_EUIaddr 7 Interface Hardware EUI address (64 bits), if available. TODO: give a good example
1086 * if_speed 8 Interface speed (in bps). 100000000 for 100Mbps
1088 * if_tsresol 9 Resolution of timestamps. If the Most Significant Bit is equal to zero,
1089 * the remaining bits indicates the resolution of the timestamp as as a
1090 * negative power of 10 (e.g. 6 means microsecond resolution, timestamps
1091 * are the number of microseconds since 1/1/1970). If the Most Significant Bit
1092 * is equal to one, the remaining bits indicates the resolution has a
1093 * negative power of 2 (e.g. 10 means 1/1024 of second).
1094 * If this option is not present, a resolution of 10^-6 is assumed
1095 * (i.e. timestamps have the same resolution of the standard 'libpcap' timestamps). 6
1097 * if_tzone 10 Time zone for GMT support (TODO: specify better). TODO: give a good example
1099 * if_filter 11 The filter (e.g. "capture only TCP traffic") used to capture traffic.
1100 * The first byte of the Option Data keeps a code of the filter used
1101 * (e.g. if this is a libpcap string, or BPF bytecode, and more).
1102 * More details about this format will be presented in Appendix XXX (TODO).
1103 * (TODO: better use different options for different fields?
1104 * e.g. if_filter_pcap, if_filter_bpf, ...) 00 "tcp port 23 and host 10.0.0.5"
1106 * if_os 12 A UTF-8 string containing the name of the operating system of the
1107 * machine in which this interface is installed.
1108 * This can be different from the same information that can be
1109 * contained by the Section Header Block
1110 * (Section 3.1 (Section Header Block (mandatory))) because
1111 * the capture can have been done on a remote machine.
1112 * "Windows XP SP2" / "openSUSE 10.2" / ...
1114 * if_fcslen 13 An integer value that specified the length of the
1115 * Frame Check Sequence (in bits) for this interface.
1116 * For link layers whose FCS length can change during time,
1117 * the Packet Block Flags Word can be used (see Appendix A (Packet Block Flags Word)). 4
1119 * if_tsoffset 14 A 64 bits integer value that specifies an offset (in seconds)
1120 * that must be added to the timestamp of each packet to obtain
1121 * the absolute timestamp of a packet. If the option is missing,
1122 * the timestamps stored in the packet must be considered absolute
1123 * timestamps. The time zone of the offset can be specified with the
1124 * option if_tzone. TODO: won't a if_tsoffset_low for fractional
1125 * second offsets be useful for highly syncronized capture systems? 1234
1128 * Interface description data
1130 typedef struct wtapng_if_descr_s {
1131 int wtap_encap; /**< link_type translated to wtap_encap */
1132 guint64 time_units_per_second;
1133 int tsprecision; /**< WTAP_TSPREC_ value for this interface */
1140 gchar *opt_comment; /**< NULL if not available */
1141 gchar *if_name; /**< NULL if not available
1143 * A UTF-8 string containing the name of the
1144 * device used to capture data.
1146 gchar *if_description; /**< NULL if not available
1148 * A UTF-8 string containing the description
1149 * of the device used to capture data.
1152 /* XXX: if_IPv4addr opt 4 Interface network address and netmask. */
1153 /* XXX: if_IPv6addr opt 5 Interface network address and prefix length (stored in the last byte).*/
1154 /* XXX: if_MACaddr opt 6 Interface Hardware MAC address (48 bits). */
1155 /* XXX: if_EUIaddr opt 7 Interface Hardware EUI address (64 bits) */
1157 guint64 if_speed; /**< 0xFFFFFFFF if unknown
1159 * Interface speed (in bps). 100000000 for 100Mbps
1161 guint8 if_tsresol; /**< default is 6 for microsecond resolution
1163 * Resolution of timestamps.
1164 * If the Most Significant Bit is equal to zero,
1165 * the remaining bits indicates the resolution of the
1166 * timestamp as as a negative power of 10
1169 /* XXX: if_tzone 10 Time zone for GMT support (TODO: specify better). */
1171 gchar *if_filter_str; /**< NULL if not available
1172 * opt 11 libpcap string.
1174 guint16 bpf_filter_len; /** Opt 11 variant II BPF filter len 0 if not used*/
1175 gchar *if_filter_bpf_bytes; /** Opt 11 BPF filter or NULL */
1176 gchar *if_os; /**< NULL if not available
1177 * 12 A UTF-8 string containing the name of the
1178 * operating system of the machine in which this
1179 * interface is installed.
1181 gint8 if_fcslen; /**< -1 if unknown or changes between packets,
1183 * An integer value that specified the length of
1184 * the Frame Check Sequence (in bits) for this interface. */
1185 /* XXX: guint64 if_tsoffset; opt 14 A 64 bits integer value that specifies an offset (in seconds)...*/
1186 guint8 num_stat_entries;
1187 GArray *interface_statistics; /**< An array holding the interface statistics from
1188 * pcapng ISB:s or equivalent(?)*/
1189 } wtapng_if_descr_t;
1193 * Interface Statistics. pcap-ng Interface Statistics Block (ISB).
1195 typedef struct wtapng_if_stats_s {
1197 guint32 interface_id;
1201 gchar *opt_comment; /**< NULL if not available */
1202 guint64 isb_starttime;
1203 guint64 isb_endtime;
1206 guint64 isb_filteraccept;
1208 guint64 isb_usrdeliv;
1209 } wtapng_if_stats_t;
1212 /** A struct with lists of resolved addresses.
1213 * Used when writing name resoultion blocks (NRB)
1215 typedef struct addrinfo_lists {
1216 GList *ipv4_addr_list; /**< A list of resolved hashipv4_t*/
1217 GList *ipv6_addr_list; /**< A list of resolved hashipv6_t*/
1222 typedef struct wtap wtap;
1223 typedef struct wtap_dumper wtap_dumper;
1225 typedef struct wtap_reader *FILE_T;
1227 /* Similar to the wtap_open_routine_info for open routines, the following
1228 * wtap_wslua_file_info struct is used by wslua code for Lua-based file writers.
1230 * This concept is necessary because when wslua goes to invoke the
1231 * registered dump/write_open routine callback in Lua, it needs the ref number representing
1232 * the hooked function inside Lua. This will be stored in the thing pointed to
1233 * by the void* data here. This 'data' pointer will be copied into the
1234 * wtap_dumper struct's 'void* data' member when calling the dump_open function,
1235 * which is how wslua finally retrieves it. Unlike wtap_dumper's 'priv' member, its
1236 * 'data' member is not free'd in wtap_dump_close().
1238 typedef struct wtap_wslua_file_info {
1239 int (*wslua_can_write_encap)(int, void*); /* a can_write_encap func for wslua uses */
1240 void* wslua_data; /* holds the wslua data */
1241 } wtap_wslua_file_info_t;
1244 * For registering extensions used for capture file formats.
1246 * These items are used in dialogs for opening files, so that
1247 * the user can ask to see all capture files (as identified
1248 * by file extension) or particular types of capture files.
1250 * Each file type has a description and a list of extensions the file
1251 * might have. Some file types aren't real file types, they're
1252 * just generic types, such as "text file" or "XML file", that can
1253 * be used for, among other things, captures we can read, or for
1254 * extensions such as ".cap" that were unimaginatively chosen by
1255 * several different sniffers for their file formats.
1257 struct file_extension_info {
1258 /* the file type name */
1261 /* a semicolon-separated list of file extensions used for this type */
1262 const char *extensions;
1266 * For registering file types that we can open.
1268 * Each file type has an open routine and an optional list of extensions
1269 * the file might have.
1271 * The open routine should return:
1273 * WTAP_OPEN_ERROR on an I/O error;
1275 * WTAP_OPEN_MINE if the file it's reading is one of the types
1278 * WTAP_OPEN_NOT_MINE if the file it's reading isn't one of the
1281 * If the routine handles this type of file, it should set the "file_type"
1282 * field in the "struct wtap" to the type of the file.
1284 * Note that the routine does not have to free the private data pointer on
1285 * error. The caller takes care of that by calling wtap_close on error.
1286 * (See https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8518)
1288 * However, the caller does have to free the private data pointer when
1289 * returning WTAP_OPEN_NOT_MINE, since the next file type will be called
1290 * and will likely just overwrite the pointer.
1293 WTAP_OPEN_NOT_MINE = 0,
1295 WTAP_OPEN_ERROR = -1
1296 } wtap_open_return_val;
1298 typedef wtap_open_return_val (*wtap_open_routine_t)(struct wtap*, int *,
1302 * Some file formats have defined magic numbers at fixed offsets from
1303 * the beginning of the file; those routines should return 1 if and
1304 * only if the file has the magic number at that offset. (pcap-ng
1305 * is a bit of a special case, as it has both the Section Header Block
1306 * type field and its byte-order magic field; it checks for both.)
1307 * Those file formats do not require a file name extension in order
1308 * to recognize them or to avoid recognizing other file types as that
1309 * type, and have no extensions specified for them.
1311 * Other file formats don't have defined magic numbers at fixed offsets,
1312 * so a heuristic is required. If that file format has any file name
1313 * extensions used for it, a list of those extensions should be
1314 * specified, so that, if the name of the file being opened has an
1315 * extension, the file formats that use that extension are tried before
1316 * the ones that don't, to handle the case where a file of one type
1317 * might be recognized by the heuristics for a different file type.
1321 OPEN_INFO_MAGIC = 0,
1322 OPEN_INFO_HEURISTIC = 1
1325 WS_DLL_PUBLIC void init_open_routines(void);
1329 wtap_open_type type;
1330 wtap_open_routine_t open_routine;
1331 const char *extensions;
1332 gchar **extensions_set; /* populated using extensions member during initialization */
1333 void* wslua_data; /* should be NULL for C-code file readers */
1335 WS_DLL_PUBLIC struct open_info *open_routines;
1338 * Types of comments.
1340 #define WTAP_COMMENT_PER_SECTION 0x00000001 /* per-file/per-file-section */
1341 #define WTAP_COMMENT_PER_INTERFACE 0x00000002 /* per-interface */
1342 #define WTAP_COMMENT_PER_PACKET 0x00000004 /* per-packet */
1344 struct file_type_subtype_info {
1345 /* the file type name */
1346 /* should be NULL for all "pseudo" types that are only internally used and not read/writeable */
1349 /* the file type short name, used as a shortcut for the command line tools */
1350 /* should be NULL for all "pseudo" types that are only internally used and not read/writeable */
1351 const char *short_name;
1353 /* the default file extension, used to save this type */
1354 /* should be NULL if no default extension is known */
1355 const char *default_file_extension;
1357 /* a semicolon-separated list of additional file extensions */
1358 /* used for this type */
1359 /* should be NULL if no extensions, or no extensions other */
1360 /* than the default extension, are known */
1361 const char *additional_file_extensions;
1363 /* when writing this file format, is seeking required? */
1364 gboolean writing_must_seek;
1366 /* does this type support name resolution records? */
1367 /* should be FALSE is this file type doesn't support name resolution records */
1368 gboolean has_name_resolution;
1370 /* what types of comment does this file support? */
1371 guint32 supported_comment_types;
1373 /* can this type write this encapsulation format? */
1374 /* should be NULL is this file type doesn't have write support */
1375 int (*can_write_encap)(int);
1377 /* the function to open the capture file for writing */
1378 /* should be NULL is this file type don't have write support */
1379 int (*dump_open)(wtap_dumper *, int *);
1381 /* if can_write_encap returned WTAP_ERR_CHECK_WSLUA, then this is used instead */
1382 /* this should be NULL for everyone except Lua-based file writers */
1383 wtap_wslua_file_info_t *wslua_info;
1386 #define WTAP_TYPE_AUTO 0
1388 /** On failure, "wtap_open_offline()" returns NULL, and puts into the
1389 * "int" pointed to by its second argument:
1391 * @param filename Name of the file to open
1392 * @param type WTAP_TYPE_AUTO for automatic recognize file format or explicit choose format type
1393 * @param err a positive "errno" value if the capture file can't be opened;
1394 * a negative number, indicating the type of error, on other failures.
1395 * @param err_info for some errors, a string giving more details of
1397 * @param do_random TRUE if random access to the file will be done,
1401 struct wtap* wtap_open_offline(const char *filename, unsigned int type, int *err,
1402 gchar **err_info, gboolean do_random);
1405 * If we were compiled with zlib and we're at EOF, unset EOF so that
1406 * wtap_read/gzread has a chance to succeed. This is necessary if
1407 * we're tailing a file.
1410 void wtap_cleareof(wtap *wth);
1413 * Set callback functions to add new hostnames. Currently pcapng-only.
1414 * MUST match add_ipv4_name and add_ipv6_name in addr_resolv.c.
1416 typedef void (*wtap_new_ipv4_callback_t) (const guint addr, const gchar *name);
1418 void wtap_set_cb_new_ipv4(wtap *wth, wtap_new_ipv4_callback_t add_new_ipv4);
1420 typedef void (*wtap_new_ipv6_callback_t) (const void *addrp, const gchar *name);
1422 void wtap_set_cb_new_ipv6(wtap *wth, wtap_new_ipv6_callback_t add_new_ipv6);
1424 /** Returns TRUE if read was successful. FALSE if failure. data_offset is
1425 * set to the offset in the file where the data for the read packet is
1428 gboolean wtap_read(wtap *wth, int *err, gchar **err_info,
1429 gint64 *data_offset);
1432 gboolean wtap_seek_read (wtap *wth, gint64 seek_off,
1433 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
1435 /*** get various information snippets about the current packet ***/
1437 struct wtap_pkthdr *wtap_phdr(wtap *wth);
1439 guint8 *wtap_buf_ptr(wtap *wth);
1441 /*** initialize a wtap_pkthdr structure ***/
1443 void wtap_phdr_init(struct wtap_pkthdr *phdr);
1445 /*** clean up a wtap_pkthdr structure, freeing what wtap_phdr_init() allocated */
1447 void wtap_phdr_cleanup(struct wtap_pkthdr *phdr);
1449 /*** get various information snippets about the current file ***/
1451 /** Return an approximation of the amount of data we've read sequentially
1452 * from the file so far. */
1454 gint64 wtap_read_so_far(wtap *wth);
1456 gint64 wtap_file_size(wtap *wth, int *err);
1458 gboolean wtap_iscompressed(wtap *wth);
1460 guint wtap_snapshot_length(wtap *wth); /* per file */
1462 int wtap_file_type_subtype(wtap *wth);
1464 int wtap_file_encap(wtap *wth);
1466 int wtap_file_tsprec(wtap *wth);
1468 wtapng_section_t* wtap_file_get_shb_info(wtap *wth);
1470 wtapng_iface_descriptions_t *wtap_file_get_idb_info(wtap *wth);
1472 void wtap_write_shb_comment(wtap *wth, gchar *comment);
1474 /*** close the file descriptors for the current file ***/
1476 void wtap_fdclose(wtap *wth);
1478 /*** reopen the random file descriptor for the current file ***/
1480 gboolean wtap_fdreopen(wtap *wth, const char *filename, int *err);
1482 /*** close the current file ***/
1484 void wtap_sequential_close(wtap *wth);
1486 void wtap_close(wtap *wth);
1488 /*** dump packets into a capture file ***/
1490 gboolean wtap_dump_can_open(int filetype);
1493 * Given a GArray of WTAP_ENCAP_ types, return the per-file encapsulation
1494 * type that would be needed to write out a file with those types.
1497 int wtap_dump_file_encap_type(const GArray *file_encaps);
1500 * Return TRUE if we can write this capture file format out in
1501 * compressed form, FALSE if not.
1504 gboolean wtap_dump_can_compress(int filetype);
1507 * Return TRUE if this capture file format supports storing name
1508 * resolution information in it, FALSE if not.
1511 gboolean wtap_dump_has_name_resolution(int filetype);
1514 * Return TRUE if this capture file format supports all the comment
1515 * types specified, FALSE if not.
1518 gboolean wtap_dump_supports_comment_types(int filetype, guint32 comment_types);
1521 wtap_dumper* wtap_dump_open(const char *filename, int filetype, int encap,
1522 int snaplen, gboolean compressed, int *err);
1525 wtap_dumper* wtap_dump_open_ng(const char *filename, int filetype, int encap,
1526 int snaplen, gboolean compressed, wtapng_section_t *shb_hdr, wtapng_iface_descriptions_t *idb_inf, int *err);
1529 wtap_dumper* wtap_dump_fdopen(int fd, int filetype, int encap, int snaplen,
1530 gboolean compressed, int *err);
1533 wtap_dumper* wtap_dump_fdopen_ng(int fd, int filetype, int encap, int snaplen,
1534 gboolean compressed, wtapng_section_t *shb_hdr, wtapng_iface_descriptions_t *idb_inf, int *err);
1538 gboolean wtap_dump(wtap_dumper *, const struct wtap_pkthdr *, const guint8 *,
1539 int *err, gchar **err_info);
1541 void wtap_dump_flush(wtap_dumper *);
1543 gint64 wtap_get_bytes_dumped(wtap_dumper *);
1545 void wtap_set_bytes_dumped(wtap_dumper *wdh, gint64 bytes_dumped);
1548 gboolean wtap_dump_set_addrinfo_list(wtap_dumper *wdh, addrinfo_lists_t *addrinfo_lists);
1550 gboolean wtap_dump_close(wtap_dumper *, int *);
1553 * Return TRUE if we can write a file out with the given GArray of file
1554 * encapsulations and the given bitmask of comment types.
1557 gboolean wtap_dump_can_write(const GArray *file_encaps, guint32 required_comment_types);
1560 * Get a GArray of WTAP_FILE_TYPE_SUBTYPE_ values for file types/subtypes
1561 * that can be used to save a file of a given type with a given GArray of
1562 * WTAP_ENCAP_ types and the given bitmask of comment types.
1565 GArray *wtap_get_savable_file_types_subtypes(int file_type,
1566 const GArray *file_encaps, guint32 required_comment_types);
1568 /*** various string converter functions ***/
1570 const char *wtap_file_type_subtype_string(int file_type_subtype);
1572 const char *wtap_file_type_subtype_short_string(int file_type_subtype);
1574 int wtap_short_string_to_file_type_subtype(const char *short_name);
1576 /*** various file extension functions ***/
1578 GSList *wtap_get_all_file_extensions_list(void);
1580 const char *wtap_default_file_extension(int filetype);
1582 GSList *wtap_get_file_extensions_list(int filetype, gboolean include_compressed);
1584 void wtap_free_extensions_list(GSList *extensions);
1587 const char *wtap_encap_string(int encap);
1589 const char *wtap_encap_short_string(int encap);
1591 int wtap_short_string_to_encap(const char *short_name);
1594 const char *wtap_strerror(int err);
1596 /*** get available number of file types and encapsulations ***/
1598 int wtap_get_num_file_type_extensions(void);
1600 int wtap_get_num_encap_types(void);
1602 int wtap_get_num_file_types_subtypes(void);
1604 /*** get information for file type extension ***/
1606 const char *wtap_get_file_extension_type_name(int extension_type);
1608 GSList *wtap_get_file_extension_type_extensions(guint extension_type);
1610 /*** dynamically register new file types and encapsulations ***/
1612 void wtap_register_plugin_types(void);
1614 void register_all_wiretap_modules(void);
1616 void wtap_register_file_type_extension(const struct file_extension_info *ei);
1619 void wtap_register_open_info(struct open_info *oi, const gboolean first_routine);
1621 gboolean wtap_has_open_info(const gchar *name);
1623 void wtap_deregister_open_info(const gchar *name);
1626 unsigned int open_info_name_to_type(const char *name);
1628 int wtap_register_file_type_subtypes(const struct file_type_subtype_info* fi, const int subtype);
1630 void wtap_deregister_file_type_subtype(const int file_type_subtype);
1633 int wtap_register_encap_type(const char* name, const char* short_name);
1637 * Wiretap error codes.
1639 #define WTAP_ERR_NOT_REGULAR_FILE -1
1640 /** The file being opened for reading isn't a plain file (or pipe) */
1642 #define WTAP_ERR_RANDOM_OPEN_PIPE -2
1643 /** The file is being opened for random access and it's a pipe */
1645 #define WTAP_ERR_FILE_UNKNOWN_FORMAT -3
1646 /** The file being opened is not a capture file in a known format */
1648 #define WTAP_ERR_UNSUPPORTED -4
1649 /** Supported file type, but there's something in the file we
1652 #define WTAP_ERR_CANT_WRITE_TO_PIPE -5
1653 /** Wiretap can't save to a pipe in the specified format */
1655 #define WTAP_ERR_CANT_OPEN -6
1656 /** The file couldn't be opened, reason unknown */
1658 #define WTAP_ERR_UNWRITABLE_FILE_TYPE -7
1659 /** Wiretap can't save files in the specified format */
1661 #define WTAP_ERR_UNWRITABLE_ENCAP -8
1662 /** Wiretap can't read or save files in the specified format with the
1663 specified encapsulation */
1665 #define WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED -9
1666 /** The specified format doesn't support per-packet encapsulations */
1668 #define WTAP_ERR_CANT_WRITE -10
1669 /** An attempt to read failed, reason unknown */
1671 #define WTAP_ERR_CANT_CLOSE -11
1672 /** The file couldn't be closed, reason unknown */
1674 #define WTAP_ERR_SHORT_READ -12
1675 /** An attempt to read read less data than it should have */
1677 #define WTAP_ERR_BAD_FILE -13
1678 /** The file appears to be damaged or corrupted or otherwise bogus */
1680 #define WTAP_ERR_SHORT_WRITE -14
1681 /** An attempt to write wrote less data than it should have */
1683 #define WTAP_ERR_UNC_OVERFLOW -15
1684 /** Uncompressing Sniffer data would overflow buffer */
1686 #define WTAP_ERR_RANDOM_OPEN_STDIN -16
1687 /** We're trying to open the standard input for random access */
1689 #define WTAP_ERR_COMPRESSION_NOT_SUPPORTED -17
1690 /* The filetype doesn't support output compression */
1692 #define WTAP_ERR_CANT_SEEK -18
1693 /** An attempt to seek failed, reason unknown */
1695 #define WTAP_ERR_CANT_SEEK_COMPRESSED -19
1696 /** An attempt to seek on a compressed stream */
1698 #define WTAP_ERR_DECOMPRESS -20
1699 /** Error decompressing */
1701 #define WTAP_ERR_INTERNAL -21
1702 /** "Shouldn't happen" internal errors */
1704 #define WTAP_ERR_PACKET_TOO_LARGE -22
1705 /** Packet being written is larger than we support; do not use when
1706 reading, use WTAP_ERR_BAD_FILE instead */
1708 #define WTAP_ERR_CHECK_WSLUA -23
1709 /** Not really an error: the file type being checked is from a Lua
1710 plugin, so that the code will call wslua_can_write_encap() instead if it gets this */
1712 #define WTAP_ERR_UNWRITABLE_REC_TYPE -24
1713 /** Specified record type can't be written to that file type */
1715 #define WTAP_ERR_UNWRITABLE_REC_DATA -25
1716 /** Something in the record data can't be written to that file type */
1720 #endif /* __cplusplus */
1722 #endif /* __WTAP_H__ */
1725 * Editor modelines - http://www.wireshark.org/tools/modelines.html
1730 * indent-tabs-mode: nil
1733 * vi: set shiftwidth=4 tabstop=8 expandtab:
1734 * :indentSize=4:tabSize=8:noTabs=true: