/* snoop.c
- *
- * $Id$
*
* Wiretap Library
* Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
-#ifdef HAVE_CONFIG_H
#include "config.h"
-#endif
#include <errno.h>
#include <string.h>
#include "wtap-int.h"
#define RX_STATUS_FIFO_ERROR 0x0080 /* receive FIFO error */
#define RX_STATUS_TRIGGERED 0x0001 /* frame did trigger */
-static gboolean snoop_read(wtap *wth, int *err, gchar **err_info,
+static int snoop_read(wtap *wth, int *err, gchar **err_info,
gint64 *data_offset);
-static gboolean snoop_seek_read(wtap *wth, gint64 seek_off,
- union wtap_pseudo_header *pseudo_header, guint8 *pd, int length,
- int *err, gchar **err_info);
+static int snoop_seek_read(wtap *wth, gint64 seek_off,
+ struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
+static int snoop_read_packet(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr,
+ Buffer *buf, int *err, gchar **err_info);
static gboolean snoop_read_atm_pseudoheader(FILE_T fh,
union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info);
static gboolean snoop_read_shomiti_wireless_pseudoheader(FILE_T fh,
union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info,
int *header_size);
-static gboolean snoop_read_rec_data(FILE_T fh, guint8 *pd, int length,
- int *err, gchar **err_info);
static gboolean snoop_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
- const union wtap_pseudo_header *pseudo_header, const guint8 *pd, int *err);
+ const guint8 *pd, int *err);
/*
* See
* for the "dlpi.h" header file specified by The Open Group, which lists
* the DL_ values for various protocols; Solaris 7 uses the same values.
*
+ * See
+ *
+ * http://www.iana.org/assignments/snoop-datalink-types/snoop-datalink-types.xml
+ *
+ * for the IETF list of snoop datalink types.
+ *
* The page at
*
* http://mrpink.lerc.nasa.gov/118x/support.html
*
* Source to an "atmdump" package, which includes a modified version of
* "libpcap" to handle SunATM DLPI and an ATM driver for FreeBSD, and
- * also includes "atmdump", which is a modified "tcpdump", is available
+ * also includes "atmdump", which is a modified "tcpdump", was available
* at
*
* ftp://ftp.cs.ndsu.nodak.edu/pub/freebsd/atm/atm-bpf.tgz
*
- * and that code also indicates that DL_IPATM is used, and that an
- * ATM packet handed up from the Sun driver for the Sun SBus ATM card on
- * Solaris 2.5.1 has 1 byte of direction, 1 byte of VPI, 2 bytes of VCI,
- * and then the ATM PDU, and suggests that the direction flag is 0x80 for
- * "transmitted" (presumably meaning DTE->DCE) and presumably not 0x80 for
- * "received" (presumably meaning DCE->DTE). That code was used as the
- * basis for the SunATM support in current CVS versions of libpcap and
- * tcpdump, and it works.
+ * (the host name is no longer valid) and that code also indicated that
+ * DL_IPATM is used, and that an ATM packet handed up from the Sun driver
+ * for the Sun SBus ATM card on Solaris 2.5.1 has 1 byte of direction,
+ * 1 byte of VPI, 2 bytes of VCI, and then the ATM PDU, and suggests that
+ * the direction flag is 0x80 for "transmitted" (presumably meaning
+ * DTE->DCE) and presumably not 0x80 for "received" (presumably meaning
+ * DCE->DTE). That code was used as the basis for the SunATM support in
+ * later versions of libpcap and tcpdump, and it worked at the time the
+ * development was done with the SunATM code on the system on which the
+ * development was done.
*
* In fact, the "direction" byte appears to have some other stuff, perhaps
* a traffic type, in the lower 7 bits, with the 8th bit indicating the
* if it can't, this may be useful reference information for anybody doing
* code to use DLPI to do raw packet captures on those network types.
*
- * See
+ * Once upon a time
*
* http://web.archive.org/web/20010906213807/http://www.shomiti.com/support/TNCapFileFormat.htm
*
- * for information on Shomiti's mutant flavor of snoop. For some unknown
- * unknown reason, they decided not to just Go With The DLPI Flow, and
- * instead used the types unspecified in RFC 1461 for their own nefarious
- * purposes, such as distinguishing 10MB from 100MB from 1000MB Ethernet
- * and distinguishing 4MB from 16MB Token Ring, and distinguishing both
- * of them from the "Shomiti" versions of same.
+ * gave information on Shomiti's mutant flavor of snoop; Shomiti's Web site
+ * is no longer available on the Wayback Machine. For some unknown reason,
+ * they decided not to just Go With The DLPI Flow, and instead used the types
+ * unspecified in RFC 1461 for their own nefarious purposes, such as
+ * distinguishing 10MB from 100MB from 1000MB Ethernet and distinguishing
+ * 4MB from 16MB Token Ring, and distinguishing both of them from the
+ * "Shomiti" versions of same.
*/
int snoop_open(wtap *wth, int *err, gchar **err_info)
{
};
#define NUM_SHOMITI_ENCAPS (sizeof shomiti_encap / sizeof shomiti_encap[0])
int file_encap;
+ gint64 saved_offset;
/* Read in the string that should be at the start of a "snoop" file */
errno = WTAP_ERR_CANT_READ;
bytes_read = file_read(magic, sizeof magic, wth->fh);
if (bytes_read != sizeof magic) {
*err = file_error(wth->fh, err_info);
- if (*err != 0)
+ if (*err != 0 && *err != WTAP_ERR_SHORT_READ)
return -1;
return 0;
}
- wth->data_offset += sizeof magic;
if (memcmp(magic, snoop_magic, sizeof snoop_magic) != 0) {
return 0;
bytes_read = file_read(&hdr, sizeof hdr, wth->fh);
if (bytes_read != sizeof hdr) {
*err = file_error(wth->fh, err_info);
- if (*err != 0)
- return -1;
- return 0;
+ if (*err == 0)
+ *err = WTAP_ERR_SHORT_READ;
+ return -1;
}
- wth->data_offset += sizeof hdr;
/*
* Make sure it's a version we support.
is_shomiti = FALSE;
/* Read first record header. */
+ saved_offset = file_tell(wth->fh);
errno = WTAP_ERR_CANT_READ;
bytes_read = file_read(&rec_hdr, sizeof rec_hdr, wth->fh);
if (bytes_read != sizeof rec_hdr) {
*err = file_error(wth->fh, err_info);
- if (*err == 0 && bytes_read != 0)
+ if (*err == 0)
*err = WTAP_ERR_SHORT_READ;
- if (*err != 0) {
- /*
- * A real-live error.
- */
- return -1;
- }
+ return -1;
/*
* The file ends after the record header, which means this
/*
* Seek back to the beginning of the first record.
*/
- if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1)
+ if (file_seek(wth->fh, saved_offset, SEEK_SET, err) == -1)
return -1;
hdr.network = g_ntohl(hdr.network);
file_encap = shomiti_encap[hdr.network];
/* This is a Shomiti file */
- wth->file_type = WTAP_FILE_SHOMITI;
+ wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_SHOMITI;
} else if (hdr.network & SNOOP_PRIVATE_BIT) {
if ((hdr.network^SNOOP_PRIVATE_BIT) >= NUM_SNOOP_PRIVATE_ENCAPS
|| snoop_private_encap[hdr.network^SNOOP_PRIVATE_BIT] == WTAP_ENCAP_UNKNOWN) {
file_encap = snoop_private_encap[hdr.network^SNOOP_PRIVATE_BIT];
/* This is a snoop file */
- wth->file_type = WTAP_FILE_SNOOP;
+ wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_SNOOP;
} else {
if (hdr.network >= NUM_SNOOP_ENCAPS
|| snoop_encap[hdr.network] == WTAP_ENCAP_UNKNOWN) {
file_encap = snoop_encap[hdr.network];
/* This is a snoop file */
- wth->file_type = WTAP_FILE_SNOOP;
+ wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_SNOOP;
}
/*
/* Read the next packet */
-static gboolean snoop_read(wtap *wth, int *err, gchar **err_info,
+static int snoop_read(wtap *wth, int *err, gchar **err_info,
gint64 *data_offset)
{
- guint32 rec_size;
- guint32 packet_size;
- guint32 orig_size;
+ int padbytes;
int bytes_read;
- struct snooprec_hdr hdr;
char padbuf[4];
- guint padbytes;
int bytes_to_read;
+
+ *data_offset = file_tell(wth->fh);
+
+ padbytes = snoop_read_packet(wth, wth->fh, &wth->phdr,
+ wth->frame_buffer, err, err_info);
+ if (padbytes == -1)
+ return -1;
+
+ /*
+ * Skip over the padding (don't "fseek()", as the standard
+ * I/O library on some platforms discards buffered data if
+ * you do that, which means it does a lot more reads).
+ *
+ * XXX - is that still true?
+ *
+ * There's probably not much padding (it's probably padded only
+ * to a 4-byte boundary), so we probably need only do one read.
+ */
+ while (padbytes != 0) {
+ bytes_to_read = padbytes;
+ if ((unsigned)bytes_to_read > sizeof padbuf)
+ bytes_to_read = sizeof padbuf;
+ errno = WTAP_ERR_CANT_READ;
+ bytes_read = file_read(padbuf, bytes_to_read, wth->fh);
+ if (bytes_read != bytes_to_read) {
+ *err = file_error(wth->fh, err_info);
+ if (*err == 0)
+ *err = WTAP_ERR_SHORT_READ;
+ return -1;
+ }
+ padbytes -= bytes_read;
+ }
+
+ return REC_TYPE_PACKET;
+}
+
+static int
+snoop_seek_read(wtap *wth, gint64 seek_off,
+ struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info)
+{
+ if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
+ return -1;
+
+ if (snoop_read_packet(wth, wth->random_fh, phdr, buf, err, err_info) == -1) {
+ if (*err == 0)
+ *err = WTAP_ERR_SHORT_READ;
+ return -1;
+ }
+ return REC_TYPE_PACKET;
+}
+
+static int
+snoop_read_packet(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr,
+ Buffer *buf, int *err, gchar **err_info)
+{
+ struct snooprec_hdr hdr;
+ int bytes_read;
+ guint32 rec_size;
+ guint32 packet_size;
+ guint32 orig_size;
int header_size;
/* Read record header. */
errno = WTAP_ERR_CANT_READ;
- bytes_read = file_read(&hdr, sizeof hdr, wth->fh);
+ bytes_read = file_read(&hdr, sizeof hdr, fh);
if (bytes_read != sizeof hdr) {
- *err = file_error(wth->fh, err_info);
+ *err = file_error(fh, err_info);
if (*err == 0 && bytes_read != 0)
*err = WTAP_ERR_SHORT_READ;
- return FALSE;
+ return -1;
}
- wth->data_offset += sizeof hdr;
rec_size = g_ntohl(hdr.rec_len);
orig_size = g_ntohl(hdr.orig_len);
* Probably a corrupt capture file; don't blow up trying
* to allocate space for an immensely-large packet.
*/
- *err = WTAP_ERR_BAD_RECORD;
+ *err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup_printf("snoop: File has %u-byte original length, bigger than maximum of %u",
orig_size, WTAP_MAX_PACKET_SIZE);
- return FALSE;
+ return -1;
}
if (packet_size > WTAP_MAX_PACKET_SIZE) {
/*
* Probably a corrupt capture file; don't blow up trying
* to allocate space for an immensely-large packet.
*/
- *err = WTAP_ERR_BAD_RECORD;
+ *err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup_printf("snoop: File has %u-byte packet, bigger than maximum of %u",
packet_size, WTAP_MAX_PACKET_SIZE);
- return FALSE;
+ return -1;
}
if (packet_size > rec_size) {
/*
* Probably a corrupt capture file.
*/
- *err = WTAP_ERR_BAD_RECORD;
+ *err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup_printf("snoop: File has %u-byte packet, bigger than record size %u",
packet_size, rec_size);
- return FALSE;
+ return -1;
}
- *data_offset = wth->data_offset;
-
- /*
- * If this is an ATM packet, the first four bytes are the
- * direction of the packet (transmit/receive), the VPI, and
- * the VCI; read them and generate the pseudo-header from
- * them.
- */
switch (wth->file_encap) {
case WTAP_ENCAP_ATM_PDUS:
+ /*
+ * This is an ATM packet, so the first four bytes are
+ * the direction of the packet (transmit/receive), the
+ * VPI, and the VCI; read them and generate the
+ * pseudo-header from them.
+ */
if (packet_size < sizeof (struct snoop_atm_hdr)) {
/*
* Uh-oh, the packet isn't big enough to even
* have a pseudo-header.
*/
- *err = WTAP_ERR_BAD_RECORD;
+ *err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup_printf("snoop: atmsnoop file has a %u-byte packet, too small to have even an ATM pseudo-header",
packet_size);
- return FALSE;
+ return -1;
}
- if (!snoop_read_atm_pseudoheader(wth->fh, &wth->pseudo_header,
+ if (!snoop_read_atm_pseudoheader(fh, &phdr->pseudo_header,
err, err_info))
- return FALSE; /* Read error */
+ return -1; /* Read error */
/*
* Don't count the pseudo-header as part of the packet.
rec_size -= (guint32)sizeof (struct snoop_atm_hdr);
orig_size -= (guint32)sizeof (struct snoop_atm_hdr);
packet_size -= (guint32)sizeof (struct snoop_atm_hdr);
- wth->data_offset += sizeof (struct snoop_atm_hdr);
break;
case WTAP_ENCAP_ETHERNET:
* this frame; if this is a Shomit file, we assume there
* is. (XXX - or should we treat it a "maybe"?)
*/
- if (wth->file_type == WTAP_FILE_SHOMITI)
- wth->pseudo_header.eth.fcs_len = 4;
+ if (wth->file_type_subtype == WTAP_FILE_TYPE_SUBTYPE_SHOMITI)
+ phdr->pseudo_header.eth.fcs_len = 4;
else
- wth->pseudo_header.eth.fcs_len = 0;
+ phdr->pseudo_header.eth.fcs_len = 0;
break;
case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
* Uh-oh, the packet isn't big enough to even
* have a pseudo-header.
*/
- *err = WTAP_ERR_BAD_RECORD;
+ *err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup_printf("snoop: Shomiti wireless file has a %u-byte packet, too small to have even a wireless pseudo-header",
packet_size);
- return FALSE;
+ return -1;
}
- if (!snoop_read_shomiti_wireless_pseudoheader(wth->fh,
- &wth->pseudo_header, err, err_info, &header_size))
- return FALSE; /* Read error */
+ if (!snoop_read_shomiti_wireless_pseudoheader(fh,
+ &phdr->pseudo_header, err, err_info, &header_size))
+ return -1; /* Read error */
/*
* Don't count the pseudo-header as part of the packet.
rec_size -= header_size;
orig_size -= header_size;
packet_size -= header_size;
- wth->data_offset += header_size;
break;
}
- buffer_assure_space(wth->frame_buffer, packet_size);
- if (!snoop_read_rec_data(wth->fh, buffer_start_ptr(wth->frame_buffer),
- packet_size, err, err_info))
- return FALSE; /* Read error */
- wth->data_offset += packet_size;
-
- wth->phdr.ts.secs = g_ntohl(hdr.ts_sec);
- wth->phdr.ts.nsecs = g_ntohl(hdr.ts_usec) * 1000;
- wth->phdr.caplen = packet_size;
- wth->phdr.len = orig_size;
-
- /*
- * If this is ATM LANE traffic, try to guess what type of LANE
- * traffic it is based on the packet contents.
- */
- if (wth->file_encap == WTAP_ENCAP_ATM_PDUS &&
- wth->pseudo_header.atm.type == TRAF_LANE) {
- atm_guess_lane_type(buffer_start_ptr(wth->frame_buffer),
- wth->phdr.caplen, &wth->pseudo_header);
- }
+ phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
+ phdr->ts.secs = g_ntohl(hdr.ts_sec);
+ phdr->ts.nsecs = g_ntohl(hdr.ts_usec) * 1000;
+ phdr->caplen = packet_size;
+ phdr->len = orig_size;
- /*
- * Skip over the padding (don't "fseek()", as the standard
- * I/O library on some platforms discards buffered data if
- * you do that, which means it does a lot more reads).
- * There's probably not much padding (it's probably padded only
- * to a 4-byte boundary), so we probably need only do one read.
- */
if (rec_size < (sizeof hdr + packet_size)) {
/*
* What, *negative* padding? Bogus.
*/
- *err = WTAP_ERR_BAD_RECORD;
+ *err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup_printf("snoop: File has %u-byte record with packet size of %u",
rec_size, packet_size);
- return FALSE;
- }
- padbytes = rec_size - ((guint)sizeof hdr + packet_size);
- while (padbytes != 0) {
- bytes_to_read = padbytes;
- if ((unsigned)bytes_to_read > sizeof padbuf)
- bytes_to_read = sizeof padbuf;
- errno = WTAP_ERR_CANT_READ;
- bytes_read = file_read(padbuf, bytes_to_read, wth->fh);
- if (bytes_read != bytes_to_read) {
- *err = file_error(wth->fh, err_info);
- if (*err == 0)
- *err = WTAP_ERR_SHORT_READ;
- return FALSE;
- }
- wth->data_offset += bytes_read;
- padbytes -= bytes_read;
- }
-
- return TRUE;
-}
-
-static gboolean
-snoop_seek_read(wtap *wth, gint64 seek_off,
- union wtap_pseudo_header *pseudo_header, guint8 *pd, int length,
- int *err, gchar **err_info)
-{
- if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
- return FALSE;
-
- switch (wth->file_encap) {
-
- case WTAP_ENCAP_ATM_PDUS:
- if (!snoop_read_atm_pseudoheader(wth->random_fh, pseudo_header,
- err, err_info)) {
- /* Read error */
- return FALSE;
- }
- break;
-
- case WTAP_ENCAP_ETHERNET:
- /*
- * If this is a snoop file, we assume there's no FCS in
- * this frame; if this is a Shomit file, we assume there
- * is. (XXX - or should we treat it a "maybe"?)
- */
- if (wth->file_type == WTAP_FILE_SHOMITI)
- pseudo_header->eth.fcs_len = 4;
- else
- pseudo_header->eth.fcs_len = 0;
- break;
-
- case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
- if (!snoop_read_shomiti_wireless_pseudoheader(wth->random_fh,
- pseudo_header, err, err_info, NULL)) {
- /* Read error */
- return FALSE;
- }
- break;
+ return -1;
}
/*
* Read the packet data.
*/
- if (!snoop_read_rec_data(wth->random_fh, pd, length, err, err_info))
- return FALSE; /* failed */
+ if (!wtap_read_packet_bytes(fh, buf, packet_size, err, err_info))
+ return -1; /* failed */
/*
* If this is ATM LANE traffic, try to guess what type of LANE
* traffic it is based on the packet contents.
*/
if (wth->file_encap == WTAP_ENCAP_ATM_PDUS &&
- pseudo_header->atm.type == TRAF_LANE)
- atm_guess_lane_type(pd, length, pseudo_header);
- return TRUE;
+ phdr->pseudo_header.atm.type == TRAF_LANE) {
+ atm_guess_lane_type(phdr, buffer_start_ptr(buf));
+ }
+
+ return rec_size - ((guint)sizeof hdr + packet_size);
}
static gboolean
}
vpi = atm_phdr.vpi;
- vci = pntohs(&atm_phdr.vci);
+ vci = pntoh16(&atm_phdr.vci);
/*
* The lower 4 bits of the first byte of the header indicate
* 4 bytes of length plus 8 bytes of information?
*/
if (whdr.pad[3] < 8) {
- *err = WTAP_ERR_BAD_RECORD;
+ *err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup_printf("snoop: Header length in Surveyor record is %u, less than minimum of 8",
whdr.pad[3]);
return FALSE;
pseudo_header->ieee_802_11.signal_level = whdr.signal;
/* add back the header and don't forget the pad as well */
- if(header_size != NULL)
- *header_size = rsize + 8 + 4;
-
- return TRUE;
-}
+ *header_size = rsize + 8 + 4;
-static gboolean
-snoop_read_rec_data(FILE_T fh, guint8 *pd, int length, int *err,
- gchar **err_info)
-{
- int bytes_read;
-
- errno = WTAP_ERR_CANT_READ;
- bytes_read = file_read(pd, length, fh);
-
- if (bytes_read != length) {
- *err = file_error(fh, err_info);
- if (*err == 0)
- *err = WTAP_ERR_SHORT_READ;
- return FALSE;
- }
return TRUE;
}
0x08, /* WTAP_ENCAP_FDDI_BITSWAPPED -> DL_FDDI */
-1, /* WTAP_ENCAP_RAW_IP -> unsupported */
-1, /* WTAP_ENCAP_ARCNET -> unsupported */
+ -1, /* WTAP_ENCAP_ARCNET_LINUX -> unsupported */
-1, /* WTAP_ENCAP_ATM_RFC1483 -> unsupported */
-1, /* WTAP_ENCAP_LINUX_ATM_CLIP -> unsupported */
-1, /* WTAP_ENCAP_LAPB -> unsupported*/
0x12, /* WTAP_ENCAP_ATM_PDUS -> DL_IPATM */
- -1 /* WTAP_ENCAP_NULL -> unsupported */
};
#define NUM_WTAP_ENCAPS (sizeof wtap_encap / sizeof wtap_encap[0])
Returns TRUE on success, FALSE on failure. */
static gboolean snoop_dump(wtap_dumper *wdh,
const struct wtap_pkthdr *phdr,
- const union wtap_pseudo_header *pseudo_header _U_,
const guint8 *pd, int *err)
{
+ const union wtap_pseudo_header *pseudo_header = &phdr->pseudo_header;
struct snooprec_hdr rec_hdr;
int reclen;
guint padlen;
- static char zeroes[4];
+ static const char zeroes[4] = {0};
struct snoop_atm_hdr atm_hdr;
int atm_hdrsize;
/* Record length = header length plus data length... */
reclen = (int)sizeof rec_hdr + phdr->caplen + atm_hdrsize;
+
/* ... plus enough bytes to pad it to a 4-byte boundary. */
padlen = ((reclen + 3) & ~3) - reclen;
reclen += padlen;
+ /* Don't write anything we're not willing to read. */
+ if (phdr->caplen + atm_hdrsize > WTAP_MAX_PACKET_SIZE) {
+ *err = WTAP_ERR_PACKET_TOO_LARGE;
+ return FALSE;
+ }
+
rec_hdr.orig_len = g_htonl(phdr->len + atm_hdrsize);
rec_hdr.incl_len = g_htonl(phdr->caplen + atm_hdrsize);
rec_hdr.rec_len = g_htonl(reclen);