4 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version 2
9 * of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
27 #include "file_wrappers.h"
28 #include "pcap-common.h"
29 #include "pcap-encap.h"
33 /* See source to the "libpcap" library for information on the "libpcap"
37 * Private per-wtap_t data needed to read a file.
46 gboolean byte_swapped;
47 swapped_type_t lengths_swapped;
48 guint16 version_major;
49 guint16 version_minor;
53 /* On some systems, the FDDI MAC addresses are bit-swapped. */
54 #if !defined(ultrix) && !defined(__alpha) && !defined(__bsdi__)
55 #define BIT_SWAPPED_MAC_ADDRS
58 /* Try to read the first two records of the capture file. */
59 static int libpcap_try(wtap *wth, int *err, gchar **err_info);
60 static int libpcap_try_header(wtap *wth, FILE_T fh, int *err, gchar **err_info,
61 struct pcaprec_ss990915_hdr *hdr);
63 static gboolean libpcap_read(wtap *wth, int *err, gchar **err_info,
65 static gboolean libpcap_seek_read(wtap *wth, gint64 seek_off,
66 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
67 static gboolean libpcap_read_packet(wtap *wth, FILE_T fh,
68 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
69 static gboolean libpcap_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
70 const guint8 *pd, int *err, gchar **err_info);
71 static int libpcap_read_header(wtap *wth, FILE_T fh, int *err, gchar **err_info,
72 struct pcaprec_ss990915_hdr *hdr);
73 static void libpcap_close(wtap *wth);
75 wtap_open_return_val libpcap_open(wtap *wth, int *err, gchar **err_info)
79 gboolean byte_swapped;
83 gint64 first_packet_offset;
85 static const int subtypes_modified[] = {
86 WTAP_FILE_TYPE_SUBTYPE_PCAP_SS991029,
87 WTAP_FILE_TYPE_SUBTYPE_PCAP_SS990915
89 #define N_SUBTYPES_MODIFIED G_N_ELEMENTS(subtypes_modified)
90 static const int subtypes_standard[] = {
91 WTAP_FILE_TYPE_SUBTYPE_PCAP,
92 WTAP_FILE_TYPE_SUBTYPE_PCAP_SS990417,
93 WTAP_FILE_TYPE_SUBTYPE_PCAP_NOKIA
95 #define N_SUBTYPES_STANDARD G_N_ELEMENTS(subtypes_standard)
96 static const int subtypes_nsec[] = {
97 WTAP_FILE_TYPE_SUBTYPE_PCAP_NSEC
99 #define N_SUBTYPES_NSEC G_N_ELEMENTS(subtypes_nsec)
100 #define MAX_FIGURES_OF_MERIT \
101 MAX(MAX(N_SUBTYPES_MODIFIED, N_SUBTYPES_STANDARD), N_SUBTYPES_NSEC)
102 int figures_of_merit[MAX_FIGURES_OF_MERIT];
108 /* Read in the number that should be at the start of a "libpcap" file */
109 if (!wtap_read_bytes(wth->fh, &magic, sizeof magic, err, err_info)) {
110 if (*err != WTAP_ERR_SHORT_READ)
111 return WTAP_OPEN_ERROR;
112 return WTAP_OPEN_NOT_MINE;
118 /* Host that wrote it has our byte order, and was running
119 a program using either standard or ss990417 libpcap. */
120 byte_swapped = FALSE;
122 wth->file_tsprec = WTAP_TSPREC_USEC;
125 case PCAP_MODIFIED_MAGIC:
126 /* Host that wrote it has our byte order, and was running
127 a program using either ss990915 or ss991029 libpcap. */
128 byte_swapped = FALSE;
130 wth->file_tsprec = WTAP_TSPREC_USEC;
133 case PCAP_SWAPPED_MAGIC:
134 /* Host that wrote it has a byte order opposite to ours,
135 and was running a program using either standard or
139 wth->file_tsprec = WTAP_TSPREC_USEC;
142 case PCAP_SWAPPED_MODIFIED_MAGIC:
143 /* Host that wrote it out has a byte order opposite to
144 ours, and was running a program using either ss990915
145 or ss991029 libpcap. */
148 wth->file_tsprec = WTAP_TSPREC_USEC;
151 case PCAP_NSEC_MAGIC:
152 /* Host that wrote it has our byte order, and was writing
153 the file in a format similar to standard libpcap
154 except that the time stamps have nanosecond resolution. */
155 byte_swapped = FALSE;
157 wth->file_tsprec = WTAP_TSPREC_NSEC;
160 case PCAP_SWAPPED_NSEC_MAGIC:
161 /* Host that wrote it out has a byte order opposite to
162 ours, and was writing the file in a format similar to
163 standard libpcap except that the time stamps have
164 nanosecond resolution. */
167 wth->file_tsprec = WTAP_TSPREC_NSEC;
171 /* Not a "libpcap" type we know about. */
172 return WTAP_OPEN_NOT_MINE;
175 /* Read the rest of the header. */
176 if (!wtap_read_bytes(wth->fh, &hdr, sizeof hdr, err, err_info))
177 return WTAP_OPEN_ERROR;
180 /* Byte-swap the header fields about which we care. */
181 hdr.version_major = GUINT16_SWAP_LE_BE(hdr.version_major);
182 hdr.version_minor = GUINT16_SWAP_LE_BE(hdr.version_minor);
183 hdr.snaplen = GUINT32_SWAP_LE_BE(hdr.snaplen);
184 hdr.network = GUINT32_SWAP_LE_BE(hdr.network);
186 if (hdr.version_major < 2) {
187 /* We only support version 2.0 and later. */
188 *err = WTAP_ERR_UNSUPPORTED;
189 *err_info = g_strdup_printf("pcap: major version %u unsupported",
191 return WTAP_OPEN_ERROR;
195 * AIX's non-standard tcpdump uses a minor version number of 2.
196 * Unfortunately, older versions of libpcap might have used
199 * The AIX libpcap uses RFC 1573 ifType values rather than
200 * DLT_ values in the header; the ifType values for LAN devices
207 * which correspond to DLT_IEEE802 (used for Token Ring),
208 * DLT_PPP, and DLT_SLIP_BSDOS, respectively. The ifType value
209 * for a loopback interface is 24, which currently isn't
210 * used by any version of libpcap I know about (and, as
211 * tcpdump.org are assigning DLT_ values above 100, and
212 * NetBSD started assigning values starting at 50, and
213 * the values chosen by other libpcaps appear to stop at
214 * 19, it's probably not going to be used by any libpcap
217 * We shall assume that if the minor version number is 2, and
218 * the network type is 6, 9, 15, or 24, that it's AIX libpcap.
220 * I'm assuming those older versions of libpcap didn't
221 * use DLT_IEEE802 for Token Ring, and didn't use DLT_SLIP_BSDOS
222 * as that came later. It may have used DLT_PPP, however, in
223 * which case we're out of luck; we assume it's Token Ring
224 * in AIX libpcap rather than PPP in standard libpcap, as
225 * you're probably more likely to be handing an AIX libpcap
226 * token-ring capture than an old (pre-libpcap 0.4) PPP capture
229 aix = FALSE; /* assume it's not AIX */
230 if (hdr.version_major == 2 && hdr.version_minor == 2) {
231 switch (hdr.network) {
234 hdr.network = 1; /* DLT_EN10MB, Ethernet */
239 hdr.network = 6; /* DLT_IEEE802, Token Ring */
244 hdr.network = 10; /* DLT_FDDI, FDDI */
249 hdr.network = 0; /* DLT_NULL, loopback */
255 file_encap = wtap_pcap_encap_to_wtap_encap(hdr.network);
256 if (file_encap == WTAP_ENCAP_UNKNOWN) {
257 *err = WTAP_ERR_UNSUPPORTED;
258 *err_info = g_strdup_printf("pcap: network type %u unknown or unsupported",
260 return WTAP_OPEN_ERROR;
263 /* This is a libpcap file */
264 libpcap = (libpcap_t *)g_malloc(sizeof(libpcap_t));
265 libpcap->byte_swapped = byte_swapped;
266 libpcap->version_major = hdr.version_major;
267 libpcap->version_minor = hdr.version_minor;
268 libpcap->encap_priv = NULL;
269 wth->priv = (void *)libpcap;
270 wth->subtype_read = libpcap_read;
271 wth->subtype_seek_read = libpcap_seek_read;
272 wth->subtype_close = libpcap_close;
273 wth->file_encap = file_encap;
274 wth->snapshot_length = hdr.snaplen;
276 /* In file format version 2.3, the order of the "incl_len" and
277 "orig_len" fields in the per-packet header was reversed,
278 in order to match the BPF header layout.
280 Therefore, in files with versions prior to that, we must swap
283 Unfortunately, some files were, according to a comment in the
284 "libpcap" source, written with version 2.3 in their headers
285 but without the interchanged fields, so if "incl_len" is
286 greater than "orig_len" - which would make no sense - we
287 assume that we need to swap them in version 2.3 files
290 In addition, DG/UX's tcpdump uses version 543.0, and writes
291 the two fields in the pre-2.3 order. */
292 switch (hdr.version_major) {
295 if (hdr.version_minor < 3)
296 libpcap->lengths_swapped = SWAPPED;
297 else if (hdr.version_minor == 3)
298 libpcap->lengths_swapped = MAYBE_SWAPPED;
300 libpcap->lengths_swapped = NOT_SWAPPED;
304 libpcap->lengths_swapped = SWAPPED;
308 libpcap->lengths_swapped = NOT_SWAPPED;
313 * Is this AIX format?
317 * Yes. Skip all the tests for other mutant formats,
318 * and for the ERF link-layer header type, and set the
319 * precision to nanosecond precision.
321 wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_PCAP_AIX;
322 wth->file_tsprec = WTAP_TSPREC_NSEC;
323 return WTAP_OPEN_MINE;
327 * No. Let's look at the header for the first record,
328 * and see if, interpreting it as a standard header (if the
329 * magic number was standard) or a modified header (if the
330 * magic number was modified), the position where it says the
331 * header for the *second* record is contains a corrupted header.
335 * If this file had the standard magic number, it may be
336 * an ss990417 capture file - in that version of Alexey's
337 * patch, the packet header format was changed but the
338 * magic number wasn't, and, alas, Red Hat appear to have
339 * picked up that version of the patch for RH 6.1, meaning
340 * RH 6.1 has a tcpdump that writes out files that can't
341 * be read by any software that expects non-modified headers
342 * if the magic number isn't the modified magic number (e.g.,
343 * any normal version of tcpdump, and Wireshark if we don't
344 * do this gross heuristic).
346 * If this file had the modified magic number, it may be
347 * an ss990915 capture file - in that version of Alexey's
348 * patch, the magic number was changed, but the record
349 * header had some extra fields, and, alas, SuSE appear
350 * to have picked up that version of the patch for SuSE
351 * 6.3, meaning that programs expecting the standard per-
352 * packet header in captures with the modified magic number
353 * can't read dumps from its tcpdump.
355 * Oh, and if it has the standard magic number, it might, instead,
356 * be a Nokia libpcap file, so we may need to try that if
357 * neither normal nor ss990417 headers work.
361 * Well, we have the magic number from Alexey's
362 * later two patches. Try the subtypes for that.
364 subtypes = subtypes_modified;
365 n_subtypes = N_SUBTYPES_MODIFIED;
367 if (wth->file_tsprec == WTAP_TSPREC_NSEC) {
369 * We have nanosecond-format libpcap's magic
370 * number. Try the subtypes for that.
372 subtypes = subtypes_nsec;
373 n_subtypes = N_SUBTYPES_NSEC;
376 * We have the regular libpcap magic number.
377 * Try the subtypes for that.
379 subtypes = subtypes_standard;
380 n_subtypes = N_SUBTYPES_STANDARD;
385 * Try all the subtypes.
387 first_packet_offset = file_tell(wth->fh);
388 for (i = 0; i < n_subtypes; i++) {
389 wth->file_type_subtype = subtypes[i];
390 figures_of_merit[i] = libpcap_try(wth, err, err_info);
391 if (figures_of_merit[i] == -1) {
393 * Well, we couldn't even read it.
396 return WTAP_OPEN_ERROR;
398 if (figures_of_merit[i] == 0) {
400 * This format doesn't have any issues.
401 * Put the seek pointer back, and finish.
403 if (file_seek(wth->fh, first_packet_offset, SEEK_SET, err) == -1) {
404 return WTAP_OPEN_ERROR;
410 * OK, we've recorded the figure of merit for this one;
411 * go back to the first packet and try the next one.
413 if (file_seek(wth->fh, first_packet_offset, SEEK_SET, err) == -1) {
414 return WTAP_OPEN_ERROR;
419 * OK, none are perfect; let's see which one is least bad.
421 best_subtype = INT_MAX;
422 for (i = 0; i < n_subtypes; i++) {
424 * Is this subtype better than the last one we saw?
426 if (figures_of_merit[i] < best_subtype) {
428 * Yes. Choose it until we find a better one.
430 wth->file_type_subtype = subtypes[i];
431 best_subtype = figures_of_merit[i];
437 * We treat a DLT_ value of 13 specially - it appears that in
438 * Nokia libpcap format, it's some form of ATM with what I
439 * suspect is a pseudo-header (even though Nokia's IPSO is
440 * based on FreeBSD, which #defines DLT_SLIP_BSDOS as 13).
442 * If this is a Nokia capture, treat 13 as WTAP_ENCAP_ATM_PDUS,
443 * rather than as what we normally treat it.
445 if (wth->file_type_subtype == WTAP_FILE_TYPE_SUBTYPE_PCAP_NOKIA &&
447 wth->file_encap = WTAP_ENCAP_ATM_PDUS;
449 if (wth->file_encap == WTAP_ENCAP_ERF) {
450 /*Reset the ERF interface lookup table*/
451 libpcap->encap_priv = erf_priv_create();
453 return WTAP_OPEN_MINE;
456 /* Try to read the first two records of the capture file. */
457 static int libpcap_try(wtap *wth, int *err, gchar **err_info)
462 * pcaprec_ss990915_hdr is the largest header type.
464 struct pcaprec_ss990915_hdr first_rec_hdr, second_rec_hdr;
468 * Attempt to read the first record's header.
470 ret = libpcap_try_header(wth, wth->fh, err, err_info, &first_rec_hdr);
472 if (*err == 0 || *err == WTAP_ERR_SHORT_READ) {
474 * EOF or short read - assume the file is in this
476 * When our client tries to read the first packet
477 * they will presumably get the same EOF or short
487 * Probably a mismatch; return the figure of merit
494 * Now skip over the first record's data, under the assumption
495 * that the header is sane.
497 if (file_seek(wth->fh, first_rec_hdr.hdr.incl_len, SEEK_CUR, err) == -1)
501 * Now attempt to read the second record's header.
503 ret = libpcap_try_header(wth, wth->fh, err, err_info, &second_rec_hdr);
505 if (*err == 0 || *err == WTAP_ERR_SHORT_READ) {
507 * EOF or short read - assume the file is in this
509 * When our client tries to read the second packet
510 * they will presumably get the same EOF or short
522 /* Read the header of the next packet.
524 Return -1 on an I/O error, 0 on success, or a positive number if the
525 header looks corrupt. The higher the positive number, the more things
526 are wrong with the header; this is used by the heuristics that try to
527 guess what type of file it is, with the type with the fewest problems
529 static int libpcap_try_header(wtap *wth, FILE_T fh, int *err, gchar **err_info,
530 struct pcaprec_ss990915_hdr *hdr)
534 if (!libpcap_read_header(wth, fh, err, err_info, hdr))
537 ret = 0; /* start out presuming everything's OK */
538 switch (wth->file_type_subtype) {
540 case WTAP_FILE_TYPE_SUBTYPE_PCAP_NSEC:
541 case WTAP_FILE_TYPE_SUBTYPE_PCAP_AIX:
543 * Nanosecond resolution; treat fractions-of-a-second
544 * values >= 1 000 000 000 as an indication that
545 * the header format might not be what we think it is.
547 if (hdr->hdr.ts_usec >= 1000000000)
553 * Microsecond resolution; treat fractions-of-a-second
554 * values >= 1 000 000 as an indication that the header
555 * format might not be what we think it is.
557 if (hdr->hdr.ts_usec >= 1000000)
561 if (hdr->hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
563 * Probably either a corrupt capture file or a file
564 * of a type different from the one we're trying.
569 if (hdr->hdr.orig_len > 64*1024*1024) {
571 * In theory I guess the on-the-wire packet size can be
572 * arbitrarily large, and it can certainly be larger than the
573 * maximum snapshot length which bounds the snapshot size,
574 * but any file claiming 64MB in a single packet is *probably*
575 * corrupt, and treating them as such makes the heuristics
576 * much more reliable. See, for example,
578 * https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9634
580 * (64MB is an arbitrary size at this point).
585 if (hdr->hdr.incl_len > wth->snapshot_length) {
587 * This is not a fatal error, and packets that have one
588 * such packet probably have thousands. For discussion,
590 * https://www.wireshark.org/lists/wireshark-dev/201307/msg00076.html
591 * and related messages.
593 * The packet contents will be copied to a Buffer, which
594 * expands as necessary to hold the contents; we don't have
595 * to worry about fixed-length buffers allocated based on
596 * the original snapshot length.
598 * We just treat this as an indication that we might be
599 * trying the wrong file type here.
604 if (hdr->hdr.incl_len > hdr->hdr.orig_len) {
606 * Another hint that this might be the wrong file type.
614 /* Read the next packet */
615 static gboolean libpcap_read(wtap *wth, int *err, gchar **err_info,
618 *data_offset = file_tell(wth->fh);
620 return libpcap_read_packet(wth, wth->fh, &wth->phdr,
621 wth->frame_buffer, err, err_info);
625 libpcap_seek_read(wtap *wth, gint64 seek_off, struct wtap_pkthdr *phdr,
626 Buffer *buf, int *err, gchar **err_info)
628 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
631 if (!libpcap_read_packet(wth, wth->random_fh, phdr, buf, err,
634 *err = WTAP_ERR_SHORT_READ;
641 libpcap_read_packet(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr,
642 Buffer *buf, int *err, gchar **err_info)
644 struct pcaprec_ss990915_hdr hdr;
650 libpcap = (libpcap_t *)wth->priv;
652 if (!libpcap_read_header(wth, fh, err, err_info, &hdr))
655 if (hdr.hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
657 * Probably a corrupt capture file; return an error,
658 * so that our caller doesn't blow up trying to allocate
659 * space for an immensely-large packet.
661 *err = WTAP_ERR_BAD_FILE;
662 if (err_info != NULL) {
663 *err_info = g_strdup_printf("pcap: File has %u-byte packet, bigger than maximum of %u",
664 hdr.hdr.incl_len, WTAP_MAX_PACKET_SIZE);
669 packet_size = hdr.hdr.incl_len;
670 orig_size = hdr.hdr.orig_len;
673 * AIX appears to put 3 bytes of padding in front of FDDI
674 * frames; strip that crap off.
676 if (wth->file_type_subtype == WTAP_FILE_TYPE_SUBTYPE_PCAP_AIX &&
677 (wth->file_encap == WTAP_ENCAP_FDDI ||
678 wth->file_encap == WTAP_ENCAP_FDDI_BITSWAPPED)) {
680 * The packet size is really a record size and includes
689 if (!file_skip(fh, 3, err))
693 phdr_len = pcap_process_pseudo_header(fh, wth->file_type_subtype,
694 wth->file_encap, packet_size, TRUE, phdr, err, err_info);
696 return FALSE; /* error */
699 * Don't count any pseudo-header as part of the packet.
701 orig_size -= phdr_len;
702 packet_size -= phdr_len;
704 phdr->rec_type = REC_TYPE_PACKET;
705 phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
707 /* Update the timestamp, if not already done */
708 if (wth->file_encap != WTAP_ENCAP_ERF) {
709 phdr->ts.secs = hdr.hdr.ts_sec;
710 if (wth->file_tsprec == WTAP_TSPREC_NSEC)
711 phdr->ts.nsecs = hdr.hdr.ts_usec;
713 phdr->ts.nsecs = hdr.hdr.ts_usec * 1000;
716 /* Set interface ID for ERF format */
717 phdr->presence_flags |= WTAP_HAS_INTERFACE_ID;
718 if ((interface_id = erf_populate_interface_from_header((erf_t*) libpcap->encap_priv, wth, &phdr->pseudo_header)) < 0)
721 phdr->interface_id = (guint) interface_id;
723 phdr->caplen = packet_size;
724 phdr->len = orig_size;
727 * Read the packet data.
729 if (!wtap_read_packet_bytes(fh, buf, packet_size, err, err_info))
730 return FALSE; /* failed */
732 pcap_read_post_process(wth->file_type_subtype, wth->file_encap,
733 phdr, ws_buffer_start_ptr(buf), libpcap->byte_swapped, -1);
737 /* Read the header of the next packet.
739 Return FALSE on an error, TRUE on success. */
740 static int libpcap_read_header(wtap *wth, FILE_T fh, int *err, gchar **err_info,
741 struct pcaprec_ss990915_hdr *hdr)
747 switch (wth->file_type_subtype) {
749 case WTAP_FILE_TYPE_SUBTYPE_PCAP:
750 case WTAP_FILE_TYPE_SUBTYPE_PCAP_AIX:
751 case WTAP_FILE_TYPE_SUBTYPE_PCAP_NSEC:
752 bytes_to_read = sizeof (struct pcaprec_hdr);
755 case WTAP_FILE_TYPE_SUBTYPE_PCAP_SS990417:
756 case WTAP_FILE_TYPE_SUBTYPE_PCAP_SS991029:
757 bytes_to_read = sizeof (struct pcaprec_modified_hdr);
760 case WTAP_FILE_TYPE_SUBTYPE_PCAP_SS990915:
761 bytes_to_read = sizeof (struct pcaprec_ss990915_hdr);
764 case WTAP_FILE_TYPE_SUBTYPE_PCAP_NOKIA:
765 bytes_to_read = sizeof (struct pcaprec_nokia_hdr);
769 g_assert_not_reached();
772 if (!wtap_read_bytes_or_eof(fh, hdr, bytes_to_read, err, err_info))
775 libpcap = (libpcap_t *)wth->priv;
776 if (libpcap->byte_swapped) {
777 /* Byte-swap the record header fields. */
778 hdr->hdr.ts_sec = GUINT32_SWAP_LE_BE(hdr->hdr.ts_sec);
779 hdr->hdr.ts_usec = GUINT32_SWAP_LE_BE(hdr->hdr.ts_usec);
780 hdr->hdr.incl_len = GUINT32_SWAP_LE_BE(hdr->hdr.incl_len);
781 hdr->hdr.orig_len = GUINT32_SWAP_LE_BE(hdr->hdr.orig_len);
784 /* Swap the "incl_len" and "orig_len" fields, if necessary. */
785 switch (libpcap->lengths_swapped) {
791 if (hdr->hdr.incl_len <= hdr->hdr.orig_len) {
793 * The captured length is <= the actual length,
794 * so presumably they weren't swapped.
801 temp = hdr->hdr.orig_len;
802 hdr->hdr.orig_len = hdr->hdr.incl_len;
803 hdr->hdr.incl_len = temp;
810 /* Returns 0 if we could write the specified encapsulation type,
811 an error indication otherwise. */
812 int libpcap_dump_can_write_encap(int encap)
814 /* Per-packet encapsulations aren't supported. */
815 if (encap == WTAP_ENCAP_PER_PACKET)
816 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
818 if (wtap_wtap_encap_to_pcap_encap(encap) == -1)
819 return WTAP_ERR_UNWRITABLE_ENCAP;
824 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
826 gboolean libpcap_dump_open(wtap_dumper *wdh, int *err)
829 struct pcap_hdr file_hdr;
831 /* This is a libpcap file */
832 wdh->subtype_write = libpcap_dump;
834 /* Write the file header. */
835 switch (wdh->file_type_subtype) {
837 case WTAP_FILE_TYPE_SUBTYPE_PCAP:
838 case WTAP_FILE_TYPE_SUBTYPE_PCAP_SS990417: /* modified, but with the old magic, sigh */
839 case WTAP_FILE_TYPE_SUBTYPE_PCAP_NOKIA: /* Nokia libpcap of some sort */
841 wdh->tsprecision = WTAP_TSPREC_USEC;
844 case WTAP_FILE_TYPE_SUBTYPE_PCAP_SS990915: /* new magic, extra crap */
845 case WTAP_FILE_TYPE_SUBTYPE_PCAP_SS991029:
846 magic = PCAP_MODIFIED_MAGIC;
847 wdh->tsprecision = WTAP_TSPREC_USEC;
850 case WTAP_FILE_TYPE_SUBTYPE_PCAP_NSEC: /* same as WTAP_FILE_TYPE_SUBTYPE_PCAP, but nsec precision */
851 magic = PCAP_NSEC_MAGIC;
852 wdh->tsprecision = WTAP_TSPREC_NSEC;
856 /* We should never get here - our open routine
857 should only get called for the types above. */
858 *err = WTAP_ERR_UNWRITABLE_FILE_TYPE;
862 if (!wtap_dump_file_write(wdh, &magic, sizeof magic, err))
864 wdh->bytes_dumped += sizeof magic;
866 /* current "libpcap" format is 2.4 */
867 file_hdr.version_major = 2;
868 file_hdr.version_minor = 4;
869 file_hdr.thiszone = 0; /* XXX - current offset? */
870 file_hdr.sigfigs = 0; /* unknown, but also apparently unused */
872 * Tcpdump cannot handle capture files with a snapshot length of 0,
873 * as BPF filters return either 0 if they fail or the snapshot length
874 * if they succeed, and a snapshot length of 0 means success is
875 * indistinguishable from failure and the filter expression would
876 * reject all packets.
878 * A snapshot length of 0, inside Wiretap, means "snapshot length
879 * unknown"; if the snapshot length supplied to us is 0, we make
880 * the snapshot length in the header file WTAP_MAX_PACKET_SIZE.
882 file_hdr.snaplen = (wdh->snaplen != 0) ? wdh->snaplen :
883 WTAP_MAX_PACKET_SIZE;
884 file_hdr.network = wtap_wtap_encap_to_pcap_encap(wdh->encap);
885 if (!wtap_dump_file_write(wdh, &file_hdr, sizeof file_hdr, err))
887 wdh->bytes_dumped += sizeof file_hdr;
892 /* Write a record for a packet to a dump file.
893 Returns TRUE on success, FALSE on failure. */
894 static gboolean libpcap_dump(wtap_dumper *wdh,
895 const struct wtap_pkthdr *phdr,
896 const guint8 *pd, int *err, gchar **err_info _U_)
898 const union wtap_pseudo_header *pseudo_header = &phdr->pseudo_header;
899 struct pcaprec_ss990915_hdr rec_hdr;
903 phdrsize = pcap_get_phdr_size(wdh->encap, pseudo_header);
905 /* We can only write packet records. */
906 if (phdr->rec_type != REC_TYPE_PACKET) {
907 *err = WTAP_ERR_UNWRITABLE_REC_TYPE;
911 /* Don't write anything we're not willing to read. */
912 if (phdr->caplen + phdrsize > WTAP_MAX_PACKET_SIZE) {
913 *err = WTAP_ERR_PACKET_TOO_LARGE;
917 rec_hdr.hdr.ts_sec = (guint32) phdr->ts.secs;
918 if(wdh->tsprecision == WTAP_TSPREC_NSEC) {
919 rec_hdr.hdr.ts_usec = phdr->ts.nsecs;
921 rec_hdr.hdr.ts_usec = phdr->ts.nsecs / 1000;
923 rec_hdr.hdr.incl_len = phdr->caplen + phdrsize;
924 rec_hdr.hdr.orig_len = phdr->len + phdrsize;
926 if (rec_hdr.hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
927 *err = WTAP_ERR_BAD_FILE;
931 switch (wdh->file_type_subtype) {
933 case WTAP_FILE_TYPE_SUBTYPE_PCAP:
934 case WTAP_FILE_TYPE_SUBTYPE_PCAP_NSEC:
935 hdr_size = sizeof (struct pcaprec_hdr);
938 case WTAP_FILE_TYPE_SUBTYPE_PCAP_SS990417: /* modified, but with the old magic, sigh */
939 case WTAP_FILE_TYPE_SUBTYPE_PCAP_SS991029:
940 /* XXX - what should we supply here?
942 Alexey's "libpcap" looks up the interface in the system's
943 interface list if "ifindex" is non-zero, and prints
944 the interface name. It ignores "protocol", and uses
945 "pkt_type" to tag the packet as "host", "broadcast",
946 "multicast", "other host", "outgoing", or "none of the
947 above", but that's it.
949 If the capture we're writing isn't a modified or
950 RH 6.1 capture, we'd have to do some work to
951 generate the packet type and interface index - and
952 we can't generate the interface index unless we
953 just did the capture ourselves in any case.
955 I'm inclined to continue to punt; systems other than
956 those with the older patch can read standard "libpcap"
957 files, and systems with the older patch, e.g. RH 6.1,
958 will just have to live with this. */
960 rec_hdr.protocol = 0;
961 rec_hdr.pkt_type = 0;
962 hdr_size = sizeof (struct pcaprec_modified_hdr);
965 case WTAP_FILE_TYPE_SUBTYPE_PCAP_SS990915: /* new magic, extra crap at the end */
967 rec_hdr.protocol = 0;
968 rec_hdr.pkt_type = 0;
971 hdr_size = sizeof (struct pcaprec_ss990915_hdr);
974 case WTAP_FILE_TYPE_SUBTYPE_PCAP_NOKIA: /* old magic, extra crap at the end */
975 /* restore the "mysterious stuff" that came with the packet */
976 memcpy(&rec_hdr.ifindex, pseudo_header->nokia.stuff, 4);
978 rec_hdr.protocol = 0;
979 rec_hdr.pkt_type = 0;
982 hdr_size = sizeof (struct pcaprec_nokia_hdr);
986 /* We should never get here - our open routine
987 should only get called for the types above. */
988 g_assert_not_reached();
989 *err = WTAP_ERR_UNWRITABLE_FILE_TYPE;
993 if (!wtap_dump_file_write(wdh, &rec_hdr, hdr_size, err))
995 wdh->bytes_dumped += hdr_size;
997 if (!pcap_write_phdr(wdh, wdh->encap, pseudo_header, err))
1000 if (!wtap_dump_file_write(wdh, pd, phdr->caplen, err))
1002 wdh->bytes_dumped += phdr->caplen;
1006 static void libpcap_close(wtap *wth)
1008 libpcap_t *libpcap = (libpcap_t *)wth->priv;
1010 if (libpcap->encap_priv) {
1011 switch (wth->file_encap) {
1013 case WTAP_ENCAP_ERF:
1014 erf_priv_free((erf_t*) libpcap->encap_priv);
1018 g_free(libpcap->encap_priv);
1025 * Editor modelines - http://www.wireshark.org/tools/modelines.html
1030 * indent-tabs-mode: t
1033 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
1034 * :indentSize=8:tabSize=8:noTabs=false: