6 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
35 #include "file_wrappers.h"
41 # ifdef HAVE_SYS_TYPES_H
42 # include <sys/types.h>
44 #include "wtap-capture.h"
48 * The link-layer header on SunATM packets.
51 guint8 flags; /* destination and traffic type */
53 guint16 vci; /* VCI */
57 * The link-layer header on Nokia IPSO ATM packets.
60 guint8 flags; /* destination */
62 guint16 vci; /* VCI */
66 * The fake link-layer header of IrDA packets as introduced by Jean Tourrilhes
70 guint16 sll_pkttype; /* packet type */
71 guint8 unused[12]; /* usused SLL header fields */
72 guint16 sll_protocol; /* protocol, should be 0x0017 */
76 * A header containing additional MTP information.
84 /* See source to the "libpcap" library for information on the "libpcap"
87 /* On some systems, the FDDI MAC addresses are bit-swapped. */
88 #if !defined(ultrix) && !defined(__alpha) && !defined(__bsdi__)
89 #define BIT_SWAPPED_MAC_ADDRS
92 /* Try to read the first two records of the capture file. */
94 THIS_FORMAT, /* the reads succeeded, assume it's this format */
95 BAD_READ, /* the file is probably not valid */
96 OTHER_FORMAT /* the file may be valid, but not in this format */
98 static libpcap_try_t libpcap_try(wtap *wth, int *err);
100 static gboolean libpcap_read(wtap *wth, int *err, gchar **err_info,
102 static gboolean libpcap_seek_read(wtap *wth, long seek_off,
103 union wtap_pseudo_header *pseudo_header, guchar *pd, int length,
104 int *err, gchar **err_info);
105 static int libpcap_read_header(wtap *wth, int *err, gchar **err_info,
106 struct pcaprec_ss990915_hdr *hdr);
107 static void adjust_header(wtap *wth, struct pcaprec_hdr *hdr);
108 static void libpcap_get_sunatm_pseudoheader(const struct sunatm_hdr *atm_phdr,
109 union wtap_pseudo_header *pseudo_header);
110 static gboolean libpcap_read_sunatm_pseudoheader(FILE_T fh,
111 union wtap_pseudo_header *pseudo_header, int *err);
112 static gboolean libpcap_read_nokiaatm_pseudoheader(FILE_T fh,
113 union wtap_pseudo_header *pseudo_header, int *err);
114 static gboolean libpcap_get_irda_pseudoheader(const struct irda_sll_hdr *irda_phdr,
115 union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info);
116 static gboolean libpcap_read_irda_pseudoheader(FILE_T fh,
117 union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info);
118 static gboolean libpcap_get_mtp2_pseudoheader(const struct mtp2_hdr *mtp2_hdr,
119 union wtap_pseudo_header *pseudo_header);
120 static gboolean libpcap_read_mtp2_pseudoheader(FILE_T fh,
121 union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info);
122 static gboolean libpcap_read_rec_data(FILE_T fh, guchar *pd, int length,
124 static void libpcap_close(wtap *wth);
125 static gboolean libpcap_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
126 const union wtap_pseudo_header *pseudo_header, const guchar *pd, int *err);
129 * Either LBL NRG wasn't an adequate central registry (e.g., because of
130 * the slow rate of releases from them), or nobody bothered using them
131 * as a central registry, as many different groups have patched libpcap
132 * (and BPF, on the BSDs) to add new encapsulation types, and have ended
133 * up using the same DLT_ values for different encapsulation types.
135 * For those numerical encapsulation type values that everybody uses for
136 * the same encapsulation type (which inclues those that some platforms
137 * specify different DLT_ names for but don't appear to use), we map
138 * those values to the appropriate Wiretap values.
140 * For those numerical encapsulation type values that different libpcap
141 * variants use for different encapsulation types, we check what
142 * <pcap.h> defined to determine how to interpret them, so that we
143 * interpret them the way the libpcap with which we're building
144 * Ethereal/Wiretap interprets them (which, if it doesn't support
145 * them at all, means we don't support them either - any capture files
146 * using them are foreign, and we don't hazard a guess as to which
147 * platform they came from; we could, I guess, choose the most likely
150 * Note: if you need a new encapsulation type for libpcap files, do
151 * *N*O*T* use *ANY* of the values listed here! I.e., do *NOT*
152 * add a new encapsulation type by changing an existing entry;
153 * leave the existing entries alone.
155 * Instead, send mail to tcpdump-workers@tcpdump.org, asking for a new
156 * DLT_ value, and specifying the purpose of the new value. When you
157 * get the new DLT_ value, use that numerical value in the "dlt_value"
158 * field of "pcap_to_wtap_map[]".
161 static const struct {
163 int wtap_encap_value;
164 } pcap_to_wtap_map[] = {
166 * These are the values that are almost certainly the same
167 * in all libpcaps (I've yet to find one where the values
168 * in question are used for some purpose other than the
169 * one below, but...), and that Wiretap and Ethereal
172 { 0, WTAP_ENCAP_NULL }, /* null encapsulation */
173 { 1, WTAP_ENCAP_ETHERNET },
174 { 6, WTAP_ENCAP_TOKEN_RING }, /* IEEE 802 Networks - assume token ring */
175 { 7, WTAP_ENCAP_ARCNET },
176 { 8, WTAP_ENCAP_SLIP },
177 { 9, WTAP_ENCAP_PPP },
178 #ifdef BIT_SWAPPED_MAC_ADDRS
179 { 10, WTAP_ENCAP_FDDI_BITSWAPPED },
181 { 10, WTAP_ENCAP_FDDI },
184 { 32, WTAP_ENCAP_REDBACK },
187 * 50 is DLT_PPP_SERIAL in NetBSD; it appears that DLT_PPP
188 * on BSD (at least according to standard tcpdump) has, as
189 * the first octet, an indication of whether the packet was
190 * transmitted or received (rather than having the standard
191 * PPP address value of 0xff), but that DLT_PPP_SERIAL puts
192 * a real live PPP header there, or perhaps a Cisco PPP header
193 * as per section 4.3.1 of RFC 1547 (implementations of this
194 * exist in various BSDs in "sys/net/if_spppsubr.c", and
195 * I think also exist either in standard Linux or in
196 * various Linux patches; the implementations show how to handle
197 * Cisco keepalive packets).
199 * However, I don't see any obvious place in FreeBSD "if_ppp.c"
200 * where anything other than the standard PPP header would be
201 * passed up. I see some stuff that sets the first octet
202 * to 0 for incoming and 1 for outgoing packets before applying
203 * a BPF filter to see whether to drop packets whose protocol
204 * field has the 0x8000 bit set, i.e. network control protocols -
205 * those are handed up to userland - but that code puts the
206 * address field back before passing the packet up.
208 * I also don't see anything immediately obvious that munges
209 * the address field for sync PPP, either.
211 * Ethereal currently assumes that if the first octet of a
212 * PPP frame is 0xFF, it's the address field and is followed
213 * by a control field and a 2-byte protocol, otherwise the
214 * address and control fields are absent and the frame begins
215 * with a protocol field. If we ever see a BSD/OS PPP
216 * capture, we'll have to handle it differently, and we may
217 * have to handle standard BSD captures differently if, in fact,
218 * they don't have 0xff 0x03 as the first two bytes - but, as per
219 * the two paragraphs preceding this, it's not clear that
220 * the address field *is* munged into an incoming/outgoing
221 * field when the packet is handed to the BPF device.
223 * For now, we just map DLT_PPP_SERIAL to WTAP_ENCAP_PPP, as
224 * we treat WTAP_ENCAP_PPP packets as if those beginning with
225 * 0xff have the standard RFC 1662 "PPP in HDLC-like Framing"
226 * 0xff 0x03 address/control header, and DLT_PPP_SERIAL frames
227 * appear to contain that unless they're Cisco frames (if we
228 * ever see a capture with them, we'd need to implement the
229 * RFC 1547 stuff, and the keepalive protocol stuff).
231 * We may have to distinguish between "PPP where if it doesn't
232 * begin with 0xff there's no HDLC encapsulation and the frame
233 * begins with the protocol field" (which is how we handle
234 * WTAP_ENCAP_PPP now) and "PPP where there's either HDLC
235 * encapsulation or Cisco PPP" (which is what DLT_PPP_SERIAL
238 * XXX - NetBSD has DLT_HDLC, which appears to be used for
239 * Cisco HDLC. Ideally, they should use DLT_PPP_SERIAL
240 * only for real live HDLC-encapsulated PPP, not for Cisco
243 { 50, WTAP_ENCAP_PPP },
246 * Apparently used by the Axent Raptor firewall (now Symantec
247 * Enterprise Firewall).
248 * Thanks, Axent, for not reserving that type with tcpdump.org
249 * and not telling anybody about it.
251 { 99, WTAP_ENCAP_SYMANTEC },
254 * These are the values that libpcap 0.5 and later use in
255 * capture file headers, in an attempt to work around the
256 * confusion decried above, and that Wiretap and Ethereal
259 { 100, WTAP_ENCAP_ATM_RFC1483 },
260 { 101, WTAP_ENCAP_RAW_IP },
263 * More values used by libpcap 0.5 as DLT_ values and used by the
264 * current CVS version of libpcap in capture file headers.
265 * They are not yet handled in Ethereal.
266 * If we get a capture that contains them, we'll implement them.
268 { 102, WTAP_ENCAP_SLIP_BSDOS },
269 { 103, WTAP_ENCAP_PPP_BSDOS },
273 * These ones are handled in Ethereal, though.
275 { 104, WTAP_ENCAP_CHDLC }, /* Cisco HDLC */
276 { 105, WTAP_ENCAP_IEEE_802_11 }, /* IEEE 802.11 */
277 { 106, WTAP_ENCAP_LINUX_ATM_CLIP },
278 { 107, WTAP_ENCAP_FRELAY }, /* Frame Relay */
279 { 108, WTAP_ENCAP_NULL }, /* OpenBSD loopback */
280 { 109, WTAP_ENCAP_ENC }, /* OpenBSD IPSEC enc */
282 { 110, WTAP_ENCAP_LANE_802_3 },/* ATM LANE 802.3 */
283 { 111, WTAP_ENCAP_HIPPI }, /* NetBSD HIPPI */
285 { 112, WTAP_ENCAP_CHDLC }, /* NetBSD HDLC framing */
288 * Linux "cooked mode" captures, used by the current CVS version
291 { 113, WTAP_ENCAP_SLL }, /* Linux cooked capture */
293 { 114, WTAP_ENCAP_LOCALTALK }, /* Localtalk */
296 * The tcpdump.org version of libpcap uses 117, rather than 17,
297 * for OpenBSD packet filter logging, so as to avoid conflicting
298 * with DLT_LANE8023 in SuSE 6.3 libpcap.
300 { 117, WTAP_ENCAP_PFLOG },
302 { 118, WTAP_ENCAP_CISCO_IOS },
303 { 119, WTAP_ENCAP_PRISM_HEADER }, /* Prism monitor mode hdr */
304 { 121, WTAP_ENCAP_HHDLC }, /* HiPath HDLC */
305 { 122, WTAP_ENCAP_IP_OVER_FC }, /* RFC 2625 IP-over-FC */
306 { 123, WTAP_ENCAP_ATM_PDUS }, /* SunATM */
307 { 127, WTAP_ENCAP_IEEE_802_11_WLAN_RADIOTAP }, /* 802.11 plus radiotap WLAN header */
308 { 128, WTAP_ENCAP_TZSP }, /* Tazmen Sniffer Protocol */
309 { 129, WTAP_ENCAP_ARCNET_LINUX },
310 { 130, WTAP_ENCAP_JUNIPER_MLPPP }, /* Juniper MLPPP on ML-, LS-, AS- PICs */
312 * Values 131-134, 136 not listed here are reserved for use
313 * in Juniper hardware.
315 { 135, WTAP_ENCAP_JUNIPER_ATM2 }, /* various encapsulations captured on the ATM2 PIC */
316 { 137, WTAP_ENCAP_JUNIPER_ATM1 }, /* various encapsulations captured on the ATM1 PIC */
318 { 138, WTAP_ENCAP_APPLE_IP_OVER_IEEE1394 },
319 /* Apple IP-over-IEEE 1394 */
321 { 139, WTAP_ENCAP_MTP2_WITH_PHDR },
322 { 140, WTAP_ENCAP_MTP2 },
323 { 141, WTAP_ENCAP_MTP3 },
324 { 143, WTAP_ENCAP_DOCSIS },
325 { 144, WTAP_ENCAP_IRDA }, /* IrDA capture */
327 /* Reserved for private use. */
328 { 147, WTAP_ENCAP_USER0 },
329 { 148, WTAP_ENCAP_USER1 },
330 { 149, WTAP_ENCAP_USER2 },
331 { 150, WTAP_ENCAP_USER3 },
332 { 151, WTAP_ENCAP_USER4 },
333 { 152, WTAP_ENCAP_USER5 },
334 { 153, WTAP_ENCAP_USER6 },
335 { 154, WTAP_ENCAP_USER7 },
336 { 155, WTAP_ENCAP_USER8 },
337 { 156, WTAP_ENCAP_USER9 },
338 { 157, WTAP_ENCAP_USER10 },
339 { 158, WTAP_ENCAP_USER11 },
340 { 159, WTAP_ENCAP_USER12 },
341 { 160, WTAP_ENCAP_USER13 },
342 { 161, WTAP_ENCAP_USER14 },
343 { 162, WTAP_ENCAP_USER15 },
345 { 163, WTAP_ENCAP_IEEE_802_11_WLAN_AVS }, /* 802.11 plus AVS WLAN header */
348 * 164 is reserved for Juniper-private chassis-internal
349 * meta-information such as QoS profiles, etc..
352 { 165, WTAP_ENCAP_BACNET_MS_TP },
355 * 166 is reserved for a PPP variant in which the first byte
356 * of the 0xff03 header, the 0xff, is replaced by a direction
357 * byte. I don't know whether any captures look like that,
358 * but it is used for some Linux IP filtering (ipfilter?).
361 /* Ethernet PPPoE frames captured on a service PIC */
362 { 167, WTAP_ENCAP_JUNIPER_PPPOE },
365 * 168 is reserved for more Juniper private-chassis-
366 * internal meta-information.
369 { 169, WTAP_ENCAP_GPRS_LLC },
372 * 170 and 171 are reserved for ITU-T G.7041/Y.1303 Generic
376 /* Registered by Gcom, Inc. */
377 { 172, WTAP_GCOM_TIE1 },
378 { 173, WTAP_GCOM_SERIAL },
383 * If you need a new encapsulation type for libpcap files, do
384 * *N*O*T* use *ANY* of the values listed here! I.e., do *NOT*
385 * add a new encapsulation type by changing an existing entry;
386 * leave the existing entries alone.
388 * Instead, send mail to tcpdump-workers@tcpdump.org, asking for
389 * a new DLT_ value, and specifying the purpose of the new value.
390 * When you get the new DLT_ value, use that numerical value in
391 * the "dlt_value" field of "pcap_to_wtap_map[]".
395 * The following are entries for libpcap type values that have
396 * different meanings on different OSes.
398 * We put these *after* the entries for the platform-independent
399 * libpcap type values for those Wiretap encapsulation types, so
400 * that Ethereal chooses the platform-independent libpcap type
401 * value for those encapsulatioin types, not the platform-dependent
406 * 11 is DLT_ATM_RFC1483 on most platforms; the only libpcaps I've
407 * seen that define anything other than DLT_ATM_RFC1483 as 11 are
408 * the BSD/OS one, which defines DLT_FR as 11, and libpcap 0.5,
409 * which define it as 100, mapping the kernel's value to 100, in
410 * an attempt to hide the different values used on different
413 * If this is a platform where DLT_FR is defined as 11, we
414 * don't handle 11 at all; otherwise, we handle it as
415 * DLT_ATM_RFC1483 (this means we'd misinterpret Frame Relay
416 * captures from BSD/OS if running on platforms other than BSD/OS,
419 * 1) we don't yet support DLT_FR
423 * 2) nothing short of a heuristic would let us interpret
426 #if defined(DLT_FR) && (DLT_FR == 11)
427 { 11, WTAP_ENCAP_FRELAY },
429 { 11, WTAP_ENCAP_ATM_RFC1483 },
433 * 12 is DLT_RAW on most platforms, but it's DLT_C_HDLC on
434 * BSD/OS, and DLT_LOOP on OpenBSD.
436 * We don't yet handle DLT_C_HDLC, but we can handle DLT_LOOP
437 * (it's just like DLT_NULL, only with the AF_ value in network
438 * rather than host byte order - Ethereal figures out the
439 * byte order from the data, so we don't care what byte order
440 * it's in), so if DLT_LOOP is defined as 12, interpret 12
441 * as WTAP_ENCAP_NULL, otherwise, unless DLT_C_HDLC is defined
442 * as 12, interpret it as WTAP_ENCAP_RAW_IP.
444 #if defined(DLT_LOOP) && (DLT_LOOP == 12)
445 { 12, WTAP_ENCAP_NULL },
446 #elif defined(DLT_C_HDLC) && (DLT_C_HDLC == 12)
448 * Put entry for Cisco HDLC here.
449 * XXX - is this just WTAP_ENCAP_CHDLC, i.e. does the frame
450 * start with a 4-byte Cisco HDLC header?
453 { 12, WTAP_ENCAP_RAW_IP },
457 * 13 is DLT_SLIP_BSDOS on FreeBSD and NetBSD, but those OSes
458 * don't actually generate it. I infer that BSD/OS translates
459 * DLT_SLIP from the kernel BPF code to DLT_SLIP_BSDOS in
460 * libpcap, as the BSD/OS link-layer header is different;
461 * however, in BSD/OS, DLT_SLIP_BSDOS is 15.
463 * From this, I infer that there's no point in handling 13
466 * 13 is DLT_ATM_RFC1483 on BSD/OS.
468 * 13 is DLT_ENC in OpenBSD, which is, I suspect, some kind
469 * of decrypted IPSEC traffic.
471 #if defined(DLT_ATM_RFC1483) && (DLT_ATM_RFC1483 == 13)
472 { 13, WTAP_ENCAP_ATM_RFC1483 },
473 #elif defined(DLT_ENC) && (DLT_ENC == 13)
474 { 13, WTAP_ENCAP_ENC },
478 * 14 is DLT_PPP_BSDOS on FreeBSD and NetBSD, but those OSes
479 * don't actually generate it. I infer that BSD/OS translates
480 * DLT_PPP from the kernel BPF code to DLT_PPP_BSDOS in
481 * libpcap, as the BSD/OS link-layer header is different;
482 * however, in BSD/OS, DLT_PPP_BSDOS is 16.
484 * From this, I infer that there's no point in handling 14
487 * 14 is DLT_RAW on BSD/OS and OpenBSD.
489 { 14, WTAP_ENCAP_RAW_IP },
494 * DLT_SLIP_BSDOS on BSD/OS;
496 * DLT_HIPPI on NetBSD;
498 * DLT_LANE8023 with Alexey Kuznetzov's patches for
501 * DLT_I4L_RAWIP with the ISDN4Linux patches for libpcap
504 * but we don't currently handle any of those.
510 * DLT_PPP_BSDOS on BSD/OS;
512 * DLT_HDLC on NetBSD (Cisco HDLC);
514 * DLT_CIP with Alexey Kuznetzov's patches for
515 * Linux libpcap - this is WTAP_ENCAP_LINUX_ATM_CLIP;
517 * DLT_I4L_IP with the ISDN4Linux patches for libpcap
520 #if defined(DLT_CIP) && (DLT_CIP == 16)
521 { 16, WTAP_ENCAP_LINUX_ATM_CLIP },
523 #if defined(DLT_HDLC) && (DLT_HDLC == 16)
524 { 16, WTAP_ENCAP_CHDLC },
528 * 17 is DLT_LANE8023 in SuSE 6.3 libpcap; we don't currently
530 * It is also used as the PF (Packet Filter) logging format beginning
531 * with OpenBSD 3.0; we use 17 for PF logs unless DLT_LANE8023 is
532 * defined with the value 17.
534 #if !defined(DLT_LANE8023) || (DLT_LANE8023 != 17)
535 { 17, WTAP_ENCAP_OLD_PFLOG },
539 * 18 is DLT_CIP in SuSE 6.3 libpcap; if it's the same as the
540 * DLT_CIP of 16 that the Alexey Kuznetzov patches for
541 * libpcap/tcpdump define, it's WTAP_ENCAP_LINUX_ATM_CLIP.
542 * I've not found any libpcap that uses it for any other purpose -
543 * hopefully nobody will do so in the future.
545 { 18, WTAP_ENCAP_LINUX_ATM_CLIP },
548 * 19 is DLT_ATM_CLIP in the libpcap/tcpdump patches in the
549 * recent versions I've seen of the Linux ATM distribution;
550 * I've not yet found any libpcap that uses it for any other
551 * purpose - hopefully nobody will do so in the future.
553 { 19, WTAP_ENCAP_LINUX_ATM_CLIP },
556 * nettl (HP-UX) mappings to standard DLT values
559 { 1, WTAP_ENCAP_NETTL_ETHERNET },
560 { 6, WTAP_ENCAP_NETTL_TOKEN_RING },
561 { 10, WTAP_ENCAP_NETTL_FDDI },
562 { 101, WTAP_ENCAP_NETTL_RAW_IP },
567 * If you need a new encapsulation type for libpcap files, do
568 * *N*O*T* use *ANY* of the values listed here! I.e., do *NOT*
569 * add a new encapsulation type by changing an existing entry;
570 * leave the existing entries alone.
572 * Instead, send mail to tcpdump-workers@tcpdump.org, asking for
573 * a new DLT_ value, and specifying the purpose of the new value.
574 * When you get the new DLT_ value, use that numerical value in
575 * the "dlt_value" field of "pcap_to_wtap_map[]".
579 #define NUM_PCAP_ENCAPS (sizeof pcap_to_wtap_map / sizeof pcap_to_wtap_map[0])
581 int wtap_pcap_encap_to_wtap_encap(int encap)
585 for (i = 0; i < NUM_PCAP_ENCAPS; i++) {
586 if (pcap_to_wtap_map[i].dlt_value == encap)
587 return pcap_to_wtap_map[i].wtap_encap_value;
589 return WTAP_ENCAP_UNKNOWN;
593 int libpcap_open(wtap *wth, int *err, gchar **err_info)
598 gboolean byte_swapped;
603 /* Read in the number that should be at the start of a "libpcap" file */
604 errno = WTAP_ERR_CANT_READ;
605 bytes_read = file_read(&magic, 1, sizeof magic, wth->fh);
606 if (bytes_read != sizeof magic) {
607 *err = file_error(wth->fh);
612 wth->data_offset += sizeof magic;
617 /* Host that wrote it has our byte order, and was running
618 a program using either standard or ss990417 libpcap. */
619 byte_swapped = FALSE;
623 case PCAP_MODIFIED_MAGIC:
624 /* Host that wrote it has our byte order, and was running
625 a program using either ss990915 or ss991029 libpcap. */
626 byte_swapped = FALSE;
630 case PCAP_SWAPPED_MAGIC:
631 /* Host that wrote it has a byte order opposite to ours,
632 and was running a program using either standard or
638 case PCAP_SWAPPED_MODIFIED_MAGIC:
639 /* Host that wrote it out has a byte order opposite to
640 ours, and was running a program using either ss990915
641 or ss991029 libpcap. */
647 /* Not a "libpcap" type we know about. */
651 /* Read the rest of the header. */
652 errno = WTAP_ERR_CANT_READ;
653 bytes_read = file_read(&hdr, 1, sizeof hdr, wth->fh);
654 if (bytes_read != sizeof hdr) {
655 *err = file_error(wth->fh);
660 wth->data_offset += sizeof hdr;
663 /* Byte-swap the header fields about which we care. */
664 hdr.version_major = BSWAP16(hdr.version_major);
665 hdr.version_minor = BSWAP16(hdr.version_minor);
666 hdr.snaplen = BSWAP32(hdr.snaplen);
667 hdr.network = BSWAP32(hdr.network);
669 if (hdr.version_major < 2) {
670 /* We only support version 2.0 and later. */
671 *err = WTAP_ERR_UNSUPPORTED;
672 *err_info = g_strdup_printf("pcap: major version %u unsupported",
678 * AIX's non-standard tcpdump uses a minor version number of 2.
679 * Unfortunately, older versions of libpcap might have used
682 * The AIX libpcap uses RFC 1573 ifType values rather than
683 * DLT_ values in the header; the ifType values for LAN devices
690 * which correspond to DLT_IEEE802 (used for Token Ring),
691 * DLT_PPP, and DLT_SLIP_BSDOS, respectively. The ifType value
692 * for a loopback interface is 24, which currently isn't
693 * used by any version of libpcap I know about (and, as
694 * tcpdump.org are assigning DLT_ values above 100, and
695 * NetBSD started assigning values starting at 50, and
696 * the values chosen by other libpcaps appear to stop at
697 * 19, it's probably not going to be used by any libpcap
700 * We shall assume that if the minor version number is 2, and
701 * the network type is 6, 9, 15, or 24, that it's AIX libpcap.
703 * I'm assuming those older versions of libpcap didn't
704 * use DLT_IEEE802 for Token Ring, and didn't use DLT_SLIP_BSDOS
705 * as that came later. It may have used DLT_PPP, however, in
706 * which case we're out of luck; we assume it's Token Ring
707 * in AIX libpcap rather than PPP in standard libpcap, as
708 * you're probably more likely to be handing an AIX libpcap
709 * token-ring capture than an old (pre-libpcap 0.4) PPP capture
712 aix = FALSE; /* assume it's not AIX */
713 if (hdr.version_major == 2 && hdr.version_minor == 2) {
714 switch (hdr.network) {
717 hdr.network = 1; /* DLT_EN10MB, Ethernet */
722 hdr.network = 6; /* DLT_IEEE802, Token Ring */
727 hdr.network = 10; /* DLT_FDDI, FDDI */
732 hdr.network = 0; /* DLT_NULL, loopback */
739 * We treat a DLT_ value of 13 specially - it appears that in
740 * Nokia libpcap format, it's some form of ATM with what I
741 * suspect is a pseudo-header (even though Nokia's IPSO is
742 * based on FreeBSD, which #defines DLT_SLIP_BSDOS as 13).
744 * We don't yet know whether this is a Nokia capture, so if
745 * "wtap_pcap_encap_to_wtap_encap()" returned WTAP_ENCAP_UNKNOWN
746 * but "hdr.network" is 13, we don't treat that as an error yet.
748 file_encap = wtap_pcap_encap_to_wtap_encap(hdr.network);
749 if (file_encap == WTAP_ENCAP_UNKNOWN && hdr.network != 13) {
750 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
751 *err_info = g_strdup_printf("pcap: network type %u unknown or unsupported",
756 /* This is a libpcap file */
757 wth->capture.pcap = g_malloc(sizeof(libpcap_t));
758 wth->capture.pcap->byte_swapped = byte_swapped;
759 wth->capture.pcap->version_major = hdr.version_major;
760 wth->capture.pcap->version_minor = hdr.version_minor;
761 wth->subtype_read = libpcap_read;
762 wth->subtype_seek_read = libpcap_seek_read;
763 wth->subtype_close = libpcap_close;
764 wth->file_encap = file_encap;
765 wth->snapshot_length = hdr.snaplen;
767 /* In file format version 2.3, the order of the "incl_len" and
768 "orig_len" fields in the per-packet header was reversed,
769 in order to match the BPF header layout.
771 Therefore, in files with versions prior to that, we must swap
774 Unfortunately, some files were, according to a comment in the
775 "libpcap" source, written with version 2.3 in their headers
776 but without the interchanged fields, so if "incl_len" is
777 greater than "orig_len" - which would make no sense - we
778 assume that we need to swap them in version 2.3 files
781 In addition, DG/UX's tcpdump uses version 543.0, and writes
782 the two fields in the pre-2.3 order. */
783 switch (hdr.version_major) {
786 if (hdr.version_minor < 3)
787 wth->capture.pcap->lengths_swapped = SWAPPED;
788 else if (hdr.version_minor == 3)
789 wth->capture.pcap->lengths_swapped = MAYBE_SWAPPED;
791 wth->capture.pcap->lengths_swapped = NOT_SWAPPED;
795 wth->capture.pcap->lengths_swapped = SWAPPED;
799 wth->capture.pcap->lengths_swapped = NOT_SWAPPED;
804 * Is this AIX format?
808 * Yes. Skip all the tests for other mutant formats.
810 wth->file_type = WTAP_FILE_PCAP_AIX;
815 * No. Let's look at the header for the first record,
816 * and see if, interpreting it as a standard header (if the
817 * magic number was standard) or a modified header (if the
818 * magic number was modified), the position where it says the
819 * header for the *second* record is contains a corrupted header.
823 * If this file had the standard magic number, it may be
824 * an ss990417 capture file - in that version of Alexey's
825 * patch, the packet header format was changed but the
826 * magic number wasn't, and, alas, Red Hat appear to have
827 * picked up that version of the patch for RH 6.1, meaning
828 * RH 6.1 has a tcpdump that writes out files that can't
829 * be read by any software that expects non-modified headers
830 * if the magic number isn't the modified magic number (e.g.,
831 * any normal version of tcpdump, and Ethereal if we don't
832 * do this gross heuristic).
834 * If this file had the modified magic number, it may be
835 * an ss990915 capture file - in that version of Alexey's
836 * patch, the magic number was changed, but the record
837 * header had some extra fields, and, alas, SuSE appear
838 * to have picked up that version of the patch for SuSE
839 * 6.3, meaning that programs expecting the standard per-
840 * packet header in captures with the modified magic number
841 * can't read dumps from its tcpdump.
843 * Oh, and if it has the standard magic number, it might, instead,
844 * be a Nokia libpcap file, so we may need to try that if
845 * neither normal nor ss990417 headers work.
849 * Well, we have the magic number from Alexey's
852 * Try ss991029, the last of his patches, first.
854 wth->file_type = WTAP_FILE_PCAP_SS991029;
855 switch (libpcap_try(wth, err)) {
859 * Well, we couldn't even read it.
862 g_free(wth->capture.pcap);
867 * Well, it looks as if it might be 991029.
868 * Put the seek pointer back, and return success.
870 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
871 g_free(wth->capture.pcap);
878 * Try the next format.
884 * Well, it's not completely unreadable,
885 * but it's not ss991029. Try ss990915;
886 * there are no other types to try after that,
887 * so we put the seek pointer back and treat
890 wth->file_type = WTAP_FILE_PCAP_SS990915;
891 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
892 g_free(wth->capture.pcap);
897 * Well, we have the standard magic number.
899 * Try the standard format first.
901 wth->file_type = WTAP_FILE_PCAP;
902 switch (libpcap_try(wth, err)) {
906 * Well, we couldn't even read it.
909 g_free(wth->capture.pcap);
914 * Well, it looks as if it might be a standard
916 * Put the seek pointer back, and return success.
918 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
919 g_free(wth->capture.pcap);
926 * Try the next format.
932 * Well, it's not completely unreadable, but it's not
933 * a standard file. Put the seek pointer back and try
936 wth->file_type = WTAP_FILE_PCAP_SS990417;
937 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
938 g_free(wth->capture.pcap);
941 switch (libpcap_try(wth, err)) {
945 * Well, we couldn't even read it.
948 g_free(wth->capture.pcap);
953 * Well, it looks as if it might be ss990417.
954 * Put the seek pointer back, and return success.
956 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
957 g_free(wth->capture.pcap);
964 * Try the next format.
970 * Well, it's not completely unreadable,
971 * but it's not a standard file *nor* is it ss990417.
972 * Try it as a Nokia file; there are no other types
973 * to try after that, so we put the seek pointer back
974 * and treat it as a Nokia file.
976 wth->file_type = WTAP_FILE_PCAP_NOKIA;
977 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
978 g_free(wth->capture.pcap);
983 if (hdr.network == 13) {
985 * OK, if this was a Nokia capture, make it
986 * WTAP_ENCAP_ATM_PDUS, otherwise return
989 if (wth->file_type == WTAP_FILE_PCAP_NOKIA)
990 wth->file_encap = WTAP_ENCAP_ATM_PDUS;
992 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
993 *err_info = g_strdup_printf("pcap: network type %u unknown or unsupported",
995 g_free(wth->capture.pcap);
1003 /* Try to read the first two records of the capture file. */
1004 static libpcap_try_t libpcap_try(wtap *wth, int *err)
1007 * pcaprec_ss990915_hdr is the largest header type.
1009 struct pcaprec_ss990915_hdr first_rec_hdr, second_rec_hdr;
1012 * Attempt to read the first record's header.
1014 if (libpcap_read_header(wth, err, NULL, &first_rec_hdr) == -1) {
1015 if (*err == 0 || *err == WTAP_ERR_SHORT_READ) {
1017 * EOF or short read - assume the file is in this
1019 * When our client tries to read the first packet
1020 * they will presumably get the same EOF or short
1026 if (*err == WTAP_ERR_BAD_RECORD) {
1028 * The first record is bogus, so this is probably
1029 * a corrupt file. Assume the file is in this
1030 * format. When our client tries to read the
1031 * first packet they will presumably get the
1032 * same bogus record.
1038 * Some other error, e.g. an I/O error; just give up.
1044 * Now skip over the first record's data, under the assumption
1045 * that the header is sane.
1047 if (file_seek(wth->fh, first_rec_hdr.hdr.incl_len, SEEK_CUR, err) == -1)
1051 * Now attempt to read the second record's header.
1053 if (libpcap_read_header(wth, err, NULL, &second_rec_hdr) == -1) {
1054 if (*err == 0 || *err == WTAP_ERR_SHORT_READ) {
1056 * EOF or short read - assume the file is in this
1058 * When our client tries to read the second packet
1059 * they will presumably get the same EOF or short
1065 if (*err == WTAP_ERR_BAD_RECORD) {
1067 * The second record is bogus; maybe it's a
1068 * Capture File From Hell, and what looks like
1069 * the "header" of the next packet is actually
1070 * random junk from the middle of a packet.
1071 * Try the next format; if we run out of formats,
1072 * it probably *is* a corrupt file.
1074 return OTHER_FORMAT;
1078 * Some other error, e.g. an I/O error; just give up.
1084 * OK, the first two records look OK; assume this is the
1090 /* Read the next packet */
1091 static gboolean libpcap_read(wtap *wth, int *err, gchar **err_info,
1094 struct pcaprec_ss990915_hdr hdr;
1098 guchar fddi_padding[3];
1100 bytes_read = libpcap_read_header(wth, err, err_info, &hdr);
1101 if (bytes_read == -1) {
1103 * We failed to read the header.
1108 wth->data_offset += bytes_read;
1109 packet_size = hdr.hdr.incl_len;
1110 orig_size = hdr.hdr.orig_len;
1113 * AIX appears to put 3 bytes of padding in front of FDDI
1114 * frames; strip that crap off.
1116 if (wth->file_type == WTAP_FILE_PCAP_AIX &&
1117 (wth->file_encap == WTAP_ENCAP_FDDI ||
1118 wth->file_encap == WTAP_ENCAP_FDDI_BITSWAPPED)) {
1120 * The packet size is really a record size and includes
1125 wth->data_offset += 3;
1130 if (!libpcap_read_rec_data(wth->fh, fddi_padding, 3, err))
1131 return FALSE; /* Read error */
1134 *data_offset = wth->data_offset;
1137 * If this is an ATM packet, the first four bytes are the
1138 * direction of the packet (transmit/receive), the VPI, and
1139 * the VCI; read them and generate the pseudo-header from
1142 switch (wth->file_encap) {
1144 case WTAP_ENCAP_ATM_PDUS:
1145 if (wth->file_type == WTAP_FILE_PCAP_NOKIA) {
1149 if (packet_size < sizeof (struct nokiaatm_hdr)) {
1151 * Uh-oh, the packet isn't big enough to even
1152 * have a pseudo-header.
1154 *err = WTAP_ERR_BAD_RECORD;
1155 *err_info = g_strdup_printf("libpcap: Nokia IPSO ATM file has a %u-byte packet, too small to have even an ATM pseudo-header\n",
1159 if (!libpcap_read_nokiaatm_pseudoheader(wth->fh,
1160 &wth->pseudo_header, err))
1161 return FALSE; /* Read error */
1164 * Don't count the pseudo-header as part of the
1167 orig_size -= sizeof (struct nokiaatm_hdr);
1168 packet_size -= sizeof (struct nokiaatm_hdr);
1169 wth->data_offset += sizeof (struct nokiaatm_hdr);
1174 if (packet_size < sizeof (struct sunatm_hdr)) {
1176 * Uh-oh, the packet isn't big enough to even
1177 * have a pseudo-header.
1179 *err = WTAP_ERR_BAD_RECORD;
1180 *err_info = g_strdup_printf("libpcap: SunATM file has a %u-byte packet, too small to have even an ATM pseudo-header\n",
1184 if (!libpcap_read_sunatm_pseudoheader(wth->fh,
1185 &wth->pseudo_header, err))
1186 return FALSE; /* Read error */
1189 * Don't count the pseudo-header as part of the
1192 orig_size -= sizeof (struct sunatm_hdr);
1193 packet_size -= sizeof (struct sunatm_hdr);
1194 wth->data_offset += sizeof (struct sunatm_hdr);
1198 case WTAP_ENCAP_ETHERNET:
1200 * We don't know whether there's an FCS in this frame or not.
1202 wth->pseudo_header.eth.fcs_len = -1;
1205 case WTAP_ENCAP_IEEE_802_11:
1206 case WTAP_ENCAP_PRISM_HEADER:
1207 case WTAP_ENCAP_IEEE_802_11_WLAN_RADIOTAP:
1208 case WTAP_ENCAP_IEEE_802_11_WLAN_AVS:
1210 * We don't know whether there's an FCS in this frame or not.
1211 * XXX - are there any OSes where the capture mechanism
1214 wth->pseudo_header.ieee_802_11.fcs_len = -1;
1217 case WTAP_ENCAP_IRDA:
1218 if (packet_size < sizeof (struct irda_sll_hdr)) {
1220 * Uh-oh, the packet isn't big enough to even
1221 * have a pseudo-header.
1223 *err = WTAP_ERR_BAD_RECORD;
1224 *err_info = g_strdup_printf("libpcap: IrDA file has a %u-byte packet, too small to have even an IrDA pseudo-header\n",
1228 if (!libpcap_read_irda_pseudoheader(wth->fh, &wth->pseudo_header,
1230 return FALSE; /* Read error */
1233 * Don't count the pseudo-header as part of the packet.
1235 orig_size -= sizeof (struct irda_sll_hdr);
1236 packet_size -= sizeof (struct irda_sll_hdr);
1237 wth->data_offset += sizeof (struct irda_sll_hdr);
1239 case WTAP_ENCAP_MTP2_WITH_PHDR:
1240 if (packet_size < sizeof (struct mtp2_hdr)) {
1242 * Uh-oh, the packet isn't big enough to even
1243 * have a pseudo-header.
1245 *err = WTAP_ERR_BAD_RECORD;
1246 *err_info = g_strdup_printf("libpcap: MTP2 file has a %u-byte packet, too small to have even an MTP2 pseudo-header\n",
1250 if (!libpcap_read_mtp2_pseudoheader(wth->fh, &wth->pseudo_header,
1252 return FALSE; /* Read error */
1255 * Don't count the pseudo-header as part of the packet.
1257 orig_size -= sizeof (struct mtp2_hdr);
1258 packet_size -= sizeof (struct mtp2_hdr);
1259 wth->data_offset += sizeof (struct mtp2_hdr);
1263 buffer_assure_space(wth->frame_buffer, packet_size);
1264 if (!libpcap_read_rec_data(wth->fh, buffer_start_ptr(wth->frame_buffer),
1266 return FALSE; /* Read error */
1267 wth->data_offset += packet_size;
1269 wth->phdr.ts.tv_sec = hdr.hdr.ts_sec;
1270 wth->phdr.ts.tv_usec = hdr.hdr.ts_usec;
1271 wth->phdr.caplen = packet_size;
1272 wth->phdr.len = orig_size;
1274 if (wth->file_encap == WTAP_ENCAP_ATM_PDUS) {
1275 if (wth->file_type == WTAP_FILE_PCAP_NOKIA) {
1279 * Guess the traffic type based on the packet
1282 atm_guess_traffic_type(buffer_start_ptr(wth->frame_buffer),
1283 wth->phdr.caplen, &wth->pseudo_header);
1288 * If this is ATM LANE traffic, try to guess what
1289 * type of LANE traffic it is based on the packet
1292 if (wth->pseudo_header.atm.type == TRAF_LANE) {
1293 atm_guess_lane_type(buffer_start_ptr(wth->frame_buffer),
1294 wth->phdr.caplen, &wth->pseudo_header);
1303 libpcap_seek_read(wtap *wth, long seek_off,
1304 union wtap_pseudo_header *pseudo_header, guchar *pd, int length,
1305 int *err, gchar **err_info)
1307 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
1310 switch (wth->file_encap) {
1312 case WTAP_ENCAP_ATM_PDUS:
1313 if (wth->file_type == WTAP_FILE_PCAP_NOKIA) {
1317 if (!libpcap_read_nokiaatm_pseudoheader(wth->random_fh,
1318 pseudo_header, err)) {
1326 if (!libpcap_read_sunatm_pseudoheader(wth->random_fh,
1327 pseudo_header, err)) {
1334 case WTAP_ENCAP_ETHERNET:
1336 * We don't know whether there's an FCS in this frame or not.
1338 pseudo_header->eth.fcs_len = -1;
1341 case WTAP_ENCAP_IEEE_802_11:
1342 case WTAP_ENCAP_PRISM_HEADER:
1343 case WTAP_ENCAP_IEEE_802_11_WLAN_RADIOTAP:
1344 case WTAP_ENCAP_IEEE_802_11_WLAN_AVS:
1346 * We don't know whether there's an FCS in this frame or not.
1347 * XXX - are there any OSes where the capture mechanism
1350 pseudo_header->ieee_802_11.fcs_len = -1;
1353 case WTAP_ENCAP_IRDA:
1354 if (!libpcap_read_irda_pseudoheader(wth->random_fh, pseudo_header,
1360 case WTAP_ENCAP_MTP2_WITH_PHDR:
1361 if (!libpcap_read_mtp2_pseudoheader(wth->random_fh, pseudo_header,
1370 * Read the packet data.
1372 if (!libpcap_read_rec_data(wth->random_fh, pd, length, err))
1373 return FALSE; /* failed */
1375 if (wth->file_encap == WTAP_ENCAP_ATM_PDUS) {
1376 if (wth->file_type == WTAP_FILE_PCAP_NOKIA) {
1380 * Guess the traffic type based on the packet
1383 atm_guess_traffic_type(pd, length, pseudo_header);
1388 * If this is ATM LANE traffic, try to guess what
1389 * type of LANE traffic it is based on the packet
1392 if (pseudo_header->atm.type == TRAF_LANE)
1393 atm_guess_lane_type(pd, length, pseudo_header);
1399 /* Read the header of the next packet.
1401 Return -1 on an error, or the number of bytes of header read on success. */
1402 static int libpcap_read_header(wtap *wth, int *err, gchar **err_info,
1403 struct pcaprec_ss990915_hdr *hdr)
1405 int bytes_to_read, bytes_read;
1407 /* Read record header. */
1408 errno = WTAP_ERR_CANT_READ;
1409 switch (wth->file_type) {
1411 case WTAP_FILE_PCAP:
1412 case WTAP_FILE_PCAP_AIX:
1413 bytes_to_read = sizeof (struct pcaprec_hdr);
1416 case WTAP_FILE_PCAP_SS990417:
1417 case WTAP_FILE_PCAP_SS991029:
1418 bytes_to_read = sizeof (struct pcaprec_modified_hdr);
1421 case WTAP_FILE_PCAP_SS990915:
1422 bytes_to_read = sizeof (struct pcaprec_ss990915_hdr);
1425 case WTAP_FILE_PCAP_NOKIA:
1426 bytes_to_read = sizeof (struct pcaprec_nokia_hdr);
1430 g_assert_not_reached();
1433 bytes_read = file_read(hdr, 1, bytes_to_read, wth->fh);
1434 if (bytes_read != bytes_to_read) {
1435 *err = file_error(wth->fh);
1436 if (*err == 0 && bytes_read != 0) {
1437 *err = WTAP_ERR_SHORT_READ;
1442 adjust_header(wth, &hdr->hdr);
1444 if (hdr->hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
1446 * Probably a corrupt capture file; return an error,
1447 * so that our caller doesn't blow up trying to allocate
1448 * space for an immensely-large packet, and so that
1449 * the code to try to guess what type of libpcap file
1450 * this is can tell when it's not the type we're guessing
1453 *err = WTAP_ERR_BAD_RECORD;
1454 if (err_info != NULL) {
1455 *err_info = g_strdup_printf("pcap: File has %u-byte packet, bigger than maximum of %u",
1456 hdr->hdr.incl_len, WTAP_MAX_PACKET_SIZE);
1461 if (hdr->hdr.orig_len > WTAP_MAX_PACKET_SIZE) {
1463 * Probably a corrupt capture file; return an error,
1464 * so that our caller doesn't blow up trying to
1465 * cope with a huge "real" packet length, and so that
1466 * the code to try to guess what type of libpcap file
1467 * this is can tell when it's not the type we're guessing
1470 *err = WTAP_ERR_BAD_RECORD;
1471 if (err_info != NULL) {
1472 *err_info = g_strdup_printf("pcap: File has %u-byte packet, bigger than maximum of %u",
1473 hdr->hdr.orig_len, WTAP_MAX_PACKET_SIZE);
1482 adjust_header(wtap *wth, struct pcaprec_hdr *hdr)
1486 if (wth->capture.pcap->byte_swapped) {
1487 /* Byte-swap the record header fields. */
1488 hdr->ts_sec = BSWAP32(hdr->ts_sec);
1489 hdr->ts_usec = BSWAP32(hdr->ts_usec);
1490 hdr->incl_len = BSWAP32(hdr->incl_len);
1491 hdr->orig_len = BSWAP32(hdr->orig_len);
1494 /* If this is AIX, convert the time stamp from seconds/nanoseconds
1495 to seconds/microseconds. */
1496 if (wth->file_type == WTAP_FILE_PCAP_AIX)
1497 hdr->ts_usec = hdr->ts_usec/1000;
1499 /* Swap the "incl_len" and "orig_len" fields, if necessary. */
1500 switch (wth->capture.pcap->lengths_swapped) {
1506 if (hdr->incl_len <= hdr->orig_len) {
1508 * The captured length is <= the actual length,
1509 * so presumably they weren't swapped.
1516 temp = hdr->orig_len;
1517 hdr->orig_len = hdr->incl_len;
1518 hdr->incl_len = temp;
1524 libpcap_get_sunatm_pseudoheader(const struct sunatm_hdr *atm_phdr,
1525 union wtap_pseudo_header *pseudo_header)
1530 vpi = atm_phdr->vpi;
1531 vci = pntohs(&atm_phdr->vci);
1533 switch (atm_phdr->flags & 0x0F) {
1535 case 0x01: /* LANE */
1536 pseudo_header->atm.aal = AAL_5;
1537 pseudo_header->atm.type = TRAF_LANE;
1540 case 0x02: /* RFC 1483 LLC multiplexed traffic */
1541 pseudo_header->atm.aal = AAL_5;
1542 pseudo_header->atm.type = TRAF_LLCMX;
1545 case 0x05: /* ILMI */
1546 pseudo_header->atm.aal = AAL_5;
1547 pseudo_header->atm.type = TRAF_ILMI;
1550 case 0x06: /* Q.2931 */
1551 pseudo_header->atm.aal = AAL_SIGNALLING;
1552 pseudo_header->atm.type = TRAF_UNKNOWN;
1555 case 0x03: /* MARS (RFC 2022) */
1556 pseudo_header->atm.aal = AAL_5;
1557 pseudo_header->atm.type = TRAF_UNKNOWN;
1560 case 0x04: /* IFMP (Ipsilon Flow Management Protocol; see RFC 1954) */
1561 pseudo_header->atm.aal = AAL_5;
1562 pseudo_header->atm.type = TRAF_UNKNOWN; /* XXX - TRAF_IPSILON? */
1567 * Assume it's AAL5, unless it's VPI 0 and VCI 5, in which
1568 * case assume it's AAL_SIGNALLING; we know nothing more
1571 * XXX - is this necessary? Or are we guaranteed that
1572 * all signalling traffic has a type of 0x06?
1574 * XXX - is this guaranteed to be AAL5? Or, if the type is
1575 * 0x00 ("raw"), might it be non-AAL5 traffic?
1577 if (vpi == 0 && vci == 5)
1578 pseudo_header->atm.aal = AAL_SIGNALLING;
1580 pseudo_header->atm.aal = AAL_5;
1581 pseudo_header->atm.type = TRAF_UNKNOWN;
1584 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1586 pseudo_header->atm.vpi = vpi;
1587 pseudo_header->atm.vci = vci;
1588 pseudo_header->atm.channel = (atm_phdr->flags & 0x80) ? 0 : 1;
1590 /* We don't have this information */
1591 pseudo_header->atm.flags = 0;
1592 pseudo_header->atm.cells = 0;
1593 pseudo_header->atm.aal5t_u2u = 0;
1594 pseudo_header->atm.aal5t_len = 0;
1595 pseudo_header->atm.aal5t_chksum = 0;
1599 libpcap_read_sunatm_pseudoheader(FILE_T fh,
1600 union wtap_pseudo_header *pseudo_header, int *err)
1602 struct sunatm_hdr atm_phdr;
1605 errno = WTAP_ERR_CANT_READ;
1606 bytes_read = file_read(&atm_phdr, 1, sizeof (struct sunatm_hdr), fh);
1607 if (bytes_read != sizeof (struct sunatm_hdr)) {
1608 *err = file_error(fh);
1610 *err = WTAP_ERR_SHORT_READ;
1614 libpcap_get_sunatm_pseudoheader(&atm_phdr, pseudo_header);
1620 libpcap_read_nokiaatm_pseudoheader(FILE_T fh,
1621 union wtap_pseudo_header *pseudo_header, int *err)
1623 struct nokiaatm_hdr atm_phdr;
1628 errno = WTAP_ERR_CANT_READ;
1629 bytes_read = file_read(&atm_phdr, 1, sizeof (struct nokiaatm_hdr), fh);
1630 if (bytes_read != sizeof (struct nokiaatm_hdr)) {
1631 *err = file_error(fh);
1633 *err = WTAP_ERR_SHORT_READ;
1638 vci = pntohs(&atm_phdr.vci);
1640 pseudo_header->atm.vpi = vpi;
1641 pseudo_header->atm.vci = vci;
1642 pseudo_header->atm.channel = (atm_phdr.flags & 0x80) ? 0 : 1;
1644 /* We don't have this information */
1645 pseudo_header->atm.flags = 0;
1646 pseudo_header->atm.cells = 0;
1647 pseudo_header->atm.aal5t_u2u = 0;
1648 pseudo_header->atm.aal5t_len = 0;
1649 pseudo_header->atm.aal5t_chksum = 0;
1655 libpcap_get_irda_pseudoheader(const struct irda_sll_hdr *irda_phdr,
1656 union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info)
1658 if (pntohs(&irda_phdr->sll_protocol) != 0x0017) {
1659 *err = WTAP_ERR_BAD_RECORD;
1660 if (err_info != NULL)
1661 *err_info = g_strdup("libpcap: IrDA capture has a packet with an invalid sll_protocol field\n");
1665 pseudo_header->irda.pkttype = pntohs(&irda_phdr->sll_pkttype);
1671 libpcap_read_irda_pseudoheader(FILE_T fh, union wtap_pseudo_header *pseudo_header,
1672 int *err, gchar **err_info)
1674 struct irda_sll_hdr irda_phdr;
1677 errno = WTAP_ERR_CANT_READ;
1678 bytes_read = file_read(&irda_phdr, 1, sizeof (struct irda_sll_hdr), fh);
1679 if (bytes_read != sizeof (struct irda_sll_hdr)) {
1680 *err = file_error(fh);
1682 *err = WTAP_ERR_SHORT_READ;
1686 return libpcap_get_irda_pseudoheader(&irda_phdr, pseudo_header, err,
1691 libpcap_get_mtp2_pseudoheader(const struct mtp2_hdr *mtp2_hdr, union wtap_pseudo_header *pseudo_header)
1693 pseudo_header->mtp2.sent = mtp2_hdr->sent;
1694 pseudo_header->mtp2.annex_a_used = mtp2_hdr->annex_a_used;
1695 pseudo_header->mtp2.link_number = pntohs(&mtp2_hdr->link_number);
1701 libpcap_read_mtp2_pseudoheader(FILE_T fh, union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info _U_)
1703 struct mtp2_hdr mtp2_hdr;
1706 errno = WTAP_ERR_CANT_READ;
1707 bytes_read = file_read(&mtp2_hdr, 1, sizeof (struct mtp2_hdr), fh);
1708 if (bytes_read != sizeof (struct mtp2_hdr)) {
1709 *err = file_error(fh);
1711 *err = WTAP_ERR_SHORT_READ;
1715 return libpcap_get_mtp2_pseudoheader(&mtp2_hdr, pseudo_header);
1720 libpcap_read_rec_data(FILE_T fh, guchar *pd, int length, int *err)
1724 errno = WTAP_ERR_CANT_READ;
1725 bytes_read = file_read(pd, 1, length, fh);
1727 if (bytes_read != length) {
1728 *err = file_error(fh);
1730 *err = WTAP_ERR_SHORT_READ;
1737 libpcap_close(wtap *wth)
1739 g_free(wth->capture.pcap);
1742 static int wtap_wtap_encap_to_pcap_encap(int encap)
1748 case WTAP_ENCAP_FDDI:
1749 case WTAP_ENCAP_FDDI_BITSWAPPED:
1750 case WTAP_ENCAP_NETTL_FDDI:
1752 * Special-case WTAP_ENCAP_FDDI and
1753 * WTAP_ENCAP_FDDI_BITSWAPPED; both of them get mapped
1754 * to DLT_FDDI (even though that may mean that the bit
1755 * order in the FDDI MAC addresses is wrong; so it goes
1756 * - libpcap format doesn't record the byte order,
1757 * so that's not fixable).
1759 return 10; /* that's DLT_FDDI */
1761 case WTAP_ENCAP_PPP_WITH_PHDR:
1763 * Also special-case PPP with direction bits; map it to
1764 * PPP, even though that means that the direction of the
1769 case WTAP_ENCAP_FRELAY_WITH_PHDR:
1771 * Do the same with Frame Relay.
1775 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
1777 * Map this to DLT_IEEE802_11, for now, even though
1778 * that means the radio information will be lost.
1779 * Once tcpdump support for the BSD radiotap header
1780 * is sufficiently widespread, we should probably
1781 * use that, instead - although we should probably
1782 * ultimately just have WTAP_ENCAP_IEEE_802_11
1783 * as the only Wiretap encapsulation for 802.11,
1784 * and have the pseudo-header include a radiotap-style
1785 * list of attributes. If we do that, though, we
1786 * should probably bypass the regular Wiretap code
1787 * when writing out packets during a capture, and just
1788 * do the equivalent of a libpcap write (unfortunately,
1789 * libpcap doesn't have an "open dump by file descriptor"
1790 * function, so we can't just use "pcap_dump()"), so
1791 * that we don't spend cycles mapping from libpcap to
1792 * Wiretap and then back to libpcap. (There are other
1793 * reasons to do that, e.g. to handle AIX libpcap better.)
1798 for (i = 0; i < NUM_PCAP_ENCAPS; i++) {
1799 if (pcap_to_wtap_map[i].wtap_encap_value == encap)
1800 return pcap_to_wtap_map[i].dlt_value;
1807 * Given a Wiretap encapsulation type, and raw packet data and the packet
1808 * header from libpcap, process any pseudo-header in the packet,
1809 * fill in the Wiretap packet header, and return a pointer to the
1810 * beginning of the non-pseudo-header data in the packet.
1813 wtap_process_pcap_packet(gint linktype, const struct pcap_pkthdr *phdr,
1814 const guchar *pd, union wtap_pseudo_header *pseudo_header,
1815 struct wtap_pkthdr *whdr, int *err)
1817 /* "phdr->ts" may not necessarily be a "struct timeval" - it may
1818 be a "struct bpf_timeval", with member sizes wired to 32
1819 bits - and we may go that way ourselves in the future, so
1820 copy the members individually. */
1821 whdr->ts.tv_sec = phdr->ts.tv_sec;
1822 whdr->ts.tv_usec = phdr->ts.tv_usec;
1823 whdr->caplen = phdr->caplen;
1824 whdr->len = phdr->len;
1825 whdr->pkt_encap = linktype;
1828 * If this is an ATM packet, the first four bytes are the
1829 * direction of the packet (transmit/receive), the VPI, and
1830 * the VCI; read them and generate the pseudo-header from
1833 if (linktype == WTAP_ENCAP_ATM_PDUS) {
1834 if (whdr->caplen < sizeof (struct sunatm_hdr)) {
1836 * Uh-oh, the packet isn't big enough to even
1837 * have a pseudo-header.
1839 g_message("libpcap: SunATM capture has a %u-byte packet, too small to have even an ATM pseudo-header\n",
1841 *err = WTAP_ERR_BAD_RECORD;
1844 libpcap_get_sunatm_pseudoheader((const struct sunatm_hdr *)pd,
1848 * Don't count the pseudo-header as part of the packet.
1850 whdr->len -= sizeof (struct sunatm_hdr);
1851 whdr->caplen -= sizeof (struct sunatm_hdr);
1852 pd += sizeof (struct sunatm_hdr);
1855 * If this is ATM LANE traffic, try to guess what type of
1856 * LANE traffic it is based on the packet contents.
1858 if (pseudo_header->atm.type == TRAF_LANE)
1859 atm_guess_lane_type(pd, whdr->caplen, pseudo_header);
1861 else if (linktype == WTAP_ENCAP_IRDA) {
1862 if (whdr->caplen < sizeof (struct irda_sll_hdr)) {
1864 * Uh-oh, the packet isn't big enough to even
1865 * have a pseudo-header.
1867 g_message("libpcap: IrDA capture has a %u-byte packet, too small to have even an IrDA pseudo-header\n",
1869 *err = WTAP_ERR_BAD_RECORD;
1872 if (!libpcap_get_irda_pseudoheader((const struct irda_sll_hdr *)pd,
1873 pseudo_header, err, NULL))
1877 * Don't count the pseudo-header as part of the packet.
1879 whdr->len -= sizeof (struct irda_sll_hdr);
1880 whdr->caplen -= sizeof (struct irda_sll_hdr);
1881 pd += sizeof (struct irda_sll_hdr);
1883 else if (linktype == WTAP_ENCAP_MTP2_WITH_PHDR) {
1884 if (whdr->caplen < sizeof (struct mtp2_hdr)) {
1886 * Uh-oh, the packet isn't big enough to even
1887 * have a pseudo-header.
1889 g_message("libpcap: MTP2 capture has a %u-byte packet, too small to have even an MTP2 pseudo-header\n",
1891 *err = WTAP_ERR_BAD_RECORD;
1894 if (!libpcap_get_mtp2_pseudoheader((const struct mtp2_hdr *)pd, pseudo_header))
1898 * Don't count the pseudo-header as part of the packet.
1900 whdr->len -= sizeof (struct mtp2_hdr);
1901 whdr->caplen -= sizeof (struct mtp2_hdr);
1902 pd += sizeof (struct mtp2_hdr);
1908 /* Returns 0 if we could write the specified encapsulation type,
1909 an error indication otherwise. */
1910 int libpcap_dump_can_write_encap(int encap)
1912 /* Per-packet encapsulations aren't supported. */
1913 if (encap == WTAP_ENCAP_PER_PACKET)
1914 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
1916 if (wtap_wtap_encap_to_pcap_encap(encap) == -1)
1917 return WTAP_ERR_UNSUPPORTED_ENCAP;
1922 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
1924 gboolean libpcap_dump_open(wtap_dumper *wdh, gboolean cant_seek _U_, int *err)
1927 struct pcap_hdr file_hdr;
1930 /* This is a libpcap file */
1931 wdh->subtype_write = libpcap_dump;
1932 wdh->subtype_close = NULL;
1934 /* Write the file header. */
1935 switch (wdh->file_type) {
1937 case WTAP_FILE_PCAP:
1938 case WTAP_FILE_PCAP_SS990417: /* modified, but with the old magic, sigh */
1939 case WTAP_FILE_PCAP_NOKIA: /* Nokia libpcap of some sort */
1943 case WTAP_FILE_PCAP_SS990915: /* new magic, extra crap */
1944 case WTAP_FILE_PCAP_SS991029:
1945 magic = PCAP_MODIFIED_MAGIC;
1949 /* We should never get here - our open routine
1950 should only get called for the types above. */
1951 *err = WTAP_ERR_UNSUPPORTED_FILE_TYPE;
1955 nwritten = fwrite(&magic, 1, sizeof magic, wdh->fh);
1956 if (nwritten != sizeof magic) {
1957 if (nwritten == 0 && ferror(wdh->fh))
1960 *err = WTAP_ERR_SHORT_WRITE;
1963 wdh->bytes_dumped += sizeof magic;
1965 /* current "libpcap" format is 2.4 */
1966 file_hdr.version_major = 2;
1967 file_hdr.version_minor = 4;
1968 file_hdr.thiszone = 0; /* XXX - current offset? */
1969 file_hdr.sigfigs = 0; /* unknown, but also apparently unused */
1971 * Tcpdump cannot handle capture files with a snapshot length of 0,
1972 * as BPF filters return either 0 if they fail or the snapshot length
1973 * if they succeed, and a snapshot length of 0 means success is
1974 * indistinguishable from failure and the filter expression would
1975 * reject all packets.
1977 * A snapshot length of 0, inside Wiretap, means "snapshot length
1978 * unknown"; if the snapshot length supplied to us is 0, we make
1979 * the snapshot length in the header file WTAP_MAX_PACKET_SIZE.
1981 file_hdr.snaplen = (wdh->snaplen != 0) ? wdh->snaplen :
1982 WTAP_MAX_PACKET_SIZE;
1983 file_hdr.network = wtap_wtap_encap_to_pcap_encap(wdh->encap);
1984 nwritten = fwrite(&file_hdr, 1, sizeof file_hdr, wdh->fh);
1985 if (nwritten != sizeof file_hdr) {
1986 if (nwritten == 0 && ferror(wdh->fh))
1989 *err = WTAP_ERR_SHORT_WRITE;
1992 wdh->bytes_dumped += sizeof file_hdr;
1997 /* Write a record for a packet to a dump file.
1998 Returns TRUE on success, FALSE on failure. */
1999 static gboolean libpcap_dump(wtap_dumper *wdh,
2000 const struct wtap_pkthdr *phdr,
2001 const union wtap_pseudo_header *pseudo_header _U_,
2002 const guchar *pd, int *err)
2004 struct pcaprec_ss990915_hdr rec_hdr;
2007 struct sunatm_hdr atm_hdr;
2008 struct irda_sll_hdr irda_hdr;
2009 struct mtp2_hdr mtp2_hdr;
2012 if (wdh->encap == WTAP_ENCAP_ATM_PDUS)
2013 hdrsize = sizeof (struct sunatm_hdr);
2014 else if (wdh->encap == WTAP_ENCAP_IRDA)
2015 hdrsize = sizeof (struct irda_sll_hdr);
2019 rec_hdr.hdr.ts_sec = phdr->ts.tv_sec;
2020 rec_hdr.hdr.ts_usec = phdr->ts.tv_usec;
2021 rec_hdr.hdr.incl_len = phdr->caplen + hdrsize;
2022 rec_hdr.hdr.orig_len = phdr->len + hdrsize;
2023 switch (wdh->file_type) {
2025 case WTAP_FILE_PCAP:
2026 hdr_size = sizeof (struct pcaprec_hdr);
2029 case WTAP_FILE_PCAP_SS990417: /* modified, but with the old magic, sigh */
2030 case WTAP_FILE_PCAP_SS991029:
2031 /* XXX - what should we supply here?
2033 Alexey's "libpcap" looks up the interface in the system's
2034 interface list if "ifindex" is non-zero, and prints
2035 the interface name. It ignores "protocol", and uses
2036 "pkt_type" to tag the packet as "host", "broadcast",
2037 "multicast", "other host", "outgoing", or "none of the
2038 above", but that's it.
2040 If the capture we're writing isn't a modified or
2041 RH 6.1 capture, we'd have to do some work to
2042 generate the packet type and interface index - and
2043 we can't generate the interface index unless we
2044 just did the capture ourselves in any case.
2046 I'm inclined to continue to punt; systems other than
2047 those with the older patch can read standard "libpcap"
2048 files, and systems with the older patch, e.g. RH 6.1,
2049 will just have to live with this. */
2050 rec_hdr.ifindex = 0;
2051 rec_hdr.protocol = 0;
2052 rec_hdr.pkt_type = 0;
2053 hdr_size = sizeof (struct pcaprec_modified_hdr);
2056 case WTAP_FILE_PCAP_SS990915: /* new magic, extra crap at the end */
2057 rec_hdr.ifindex = 0;
2058 rec_hdr.protocol = 0;
2059 rec_hdr.pkt_type = 0;
2062 hdr_size = sizeof (struct pcaprec_ss990915_hdr);
2065 case WTAP_FILE_PCAP_NOKIA: /* old magic, extra crap at the end */
2066 rec_hdr.ifindex = 0;
2067 rec_hdr.protocol = 0;
2068 rec_hdr.pkt_type = 0;
2071 hdr_size = sizeof (struct pcaprec_nokia_hdr);
2075 /* We should never get here - our open routine
2076 should only get called for the types above. */
2077 g_assert_not_reached();
2078 *err = WTAP_ERR_UNSUPPORTED_FILE_TYPE;
2082 nwritten = fwrite(&rec_hdr, 1, hdr_size, wdh->fh);
2083 if (nwritten != hdr_size) {
2084 if (nwritten == 0 && ferror(wdh->fh))
2087 *err = WTAP_ERR_SHORT_WRITE;
2090 wdh->bytes_dumped += hdr_size;
2092 if (wdh->encap == WTAP_ENCAP_ATM_PDUS) {
2094 * Write the ATM header.
2097 (pseudo_header->atm.channel == 0) ? 0x80 : 0x00;
2098 switch (pseudo_header->atm.aal) {
2100 case AAL_SIGNALLING:
2102 atm_hdr.flags |= 0x06;
2106 switch (pseudo_header->atm.type) {
2110 atm_hdr.flags |= 0x01;
2114 /* RFC 1483 LLC multiplexed traffic */
2115 atm_hdr.flags |= 0x02;
2120 atm_hdr.flags |= 0x05;
2125 atm_hdr.vpi = (guint8) pseudo_header->atm.vpi;
2126 atm_hdr.vci = phtons(&pseudo_header->atm.vci);
2127 nwritten = fwrite(&atm_hdr, 1, sizeof atm_hdr, wdh->fh);
2128 if (nwritten != sizeof atm_hdr) {
2129 if (nwritten == 0 && ferror(wdh->fh))
2132 *err = WTAP_ERR_SHORT_WRITE;
2135 wdh->bytes_dumped += sizeof atm_hdr;
2137 else if (wdh->encap == WTAP_ENCAP_IRDA) {
2139 * Write the IrDA header.
2141 memset(&irda_hdr, 0, sizeof(irda_hdr));
2142 irda_hdr.sll_pkttype = phtons(&pseudo_header->irda.pkttype);
2143 irda_hdr.sll_protocol = g_htons(0x0017);
2144 nwritten = fwrite(&irda_hdr, 1, sizeof(irda_hdr), wdh->fh);
2145 if (nwritten != sizeof(irda_hdr)) {
2146 if (nwritten == 0 && ferror(wdh->fh))
2149 *err = WTAP_ERR_SHORT_WRITE;
2152 wdh->bytes_dumped += sizeof(irda_hdr);
2154 else if (wdh->encap == WTAP_ENCAP_MTP2_WITH_PHDR) {
2156 * Write the MTP2 header.
2158 memset(&mtp2_hdr, 0, sizeof(mtp2_hdr));
2159 mtp2_hdr.sent = pseudo_header->mtp2.sent;
2160 mtp2_hdr.annex_a_used = pseudo_header->mtp2.annex_a_used;
2161 mtp2_hdr.link_number = phtons(&pseudo_header->mtp2.link_number);
2162 nwritten = fwrite(&mtp2_hdr, 1, sizeof(mtp2_hdr), wdh->fh);
2163 if (nwritten != sizeof(mtp2_hdr)) {
2164 if (nwritten == 0 && ferror(wdh->fh))
2167 *err = WTAP_ERR_SHORT_WRITE;
2170 wdh->bytes_dumped += sizeof(mtp2_hdr);
2173 nwritten = fwrite(pd, 1, phdr->caplen, wdh->fh);
2174 if (nwritten != phdr->caplen) {
2175 if (nwritten == 0 && ferror(wdh->fh))
2178 *err = WTAP_ERR_SHORT_WRITE;
2181 wdh->bytes_dumped += phdr->caplen;