2 * Our own private code for writing libpcap files when capturing.
4 * We have these because we want a way to open a stream for output given
5 * only a file descriptor. libpcap 0.9[.x] has "pcap_dump_fopen()", which
8 * 1) earlier versions of libpcap doesn't have it
12 * 2) WinPcap doesn't have it, because a file descriptor opened
13 * by code built for one version of the MSVC++ C library
14 * can't be used by library routines built for another version
15 * (e.g., threaded vs. unthreaded).
17 * Libpcap's pcap_dump() also doesn't return any error indications.
21 * Wireshark - Network traffic analyzer
22 * By Gerald Combs <gerald@wireshark.org>
23 * Copyright 1998 Gerald Combs
25 * Derived from code in the Wiretap Library
26 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
28 * This program is free software; you can redistribute it and/or
29 * modify it under the terms of the GNU General Public License
30 * as published by the Free Software Foundation; either version 2
31 * of the License, or (at your option) any later version.
33 * This program is distributed in the hope that it will be useful,
34 * but WITHOUT ANY WARRANTY; without even the implied warranty of
35 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
36 * GNU General Public License for more details.
38 * You should have received a copy of the GNU General Public License
39 * along with this program; if not, write to the Free Software
40 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
60 /* Magic numbers in "libpcap" files.
62 "libpcap" file records are written in the byte order of the host that
63 writes them, and the reader is expected to fix this up.
65 PCAP_MAGIC is the magic number, in host byte order; PCAP_SWAPPED_MAGIC
66 is a byte-swapped version of that.
68 PCAP_NSEC_MAGIC is for Ulf Lamping's modified "libpcap" format,
69 which uses the same common file format as PCAP_MAGIC, but the
70 timestamps are saved in nanosecond resolution instead of microseconds.
71 PCAP_SWAPPED_NSEC_MAGIC is a byte-swapped version of that. */
72 #define PCAP_MAGIC 0xa1b2c3d4
73 #define PCAP_SWAPPED_MAGIC 0xd4c3b2a1
74 #define PCAP_NSEC_MAGIC 0xa1b23c4d
75 #define PCAP_SWAPPED_NSEC_MAGIC 0x4d3cb2a1
77 /* "libpcap" file header. */
79 guint32 magic; /* magic number */
80 guint16 version_major; /* major version number */
81 guint16 version_minor; /* minor version number */
82 gint32 thiszone; /* GMT to local correction */
83 guint32 sigfigs; /* accuracy of timestamps */
84 guint32 snaplen; /* max length of captured packets, in octets */
85 guint32 network; /* data link type */
88 /* "libpcap" record header. */
90 guint32 ts_sec; /* timestamp seconds */
91 guint32 ts_usec; /* timestamp microseconds (nsecs for PCAP_NSEC_MAGIC) */
92 guint32 incl_len; /* number of octets of packet saved in file */
93 guint32 orig_len; /* actual length of packet */
96 /* Magic numbers in ".pcapng" files.
98 * .pcapng file records are written in the byte order of the host that
99 * writes them, and the reader is expected to fix this up.
100 * PCAPNG_MAGIC is the magic number, in host byte order;
101 * PCAPNG_SWAPPED_MAGIC is a byte-swapped version of that.
103 #define PCAPNG_MAGIC 0x1A2B3C4D
104 #define PCAPNG_SWAPPED_MAGIC 0xD4C3B2A1
106 /* Currently we are only supporting the initial version of
108 #define PCAPNG_MAJOR_VERSION 1
109 #define PCAPNG_MINOR_VERSION 0
111 /* Section Header Block without options and trailing Block Total Length */
114 guint32 block_total_length;
115 guint32 byte_order_magic;
116 guint16 major_version;
117 guint16 minor_version;
118 guint64 section_length;
120 #define SECTION_HEADER_BLOCK_TYPE 0x0A0D0D0A
122 /* Interface Decription Block without options and trailing Block Total Length */
125 guint32 block_total_length;
130 #define INTERFACE_DESCRIPTION_BLOCK_TYPE 0x00000001
132 /* Interface Statistics Block without actual packet, options, and trailing
133 Block Total Length */
136 guint32 block_total_length;
137 guint32 interface_id;
138 guint32 timestamp_high;
139 guint32 timestamp_low;
141 #define INTERFACE_STATISTICS_BLOCK_TYPE 0x00000005
143 /* Enhanced Packet Block without actual packet, options, and trailing
144 Block Total Length */
147 guint32 block_total_length;
148 guint32 interface_id;
149 guint32 timestamp_high;
150 guint32 timestamp_low;
151 guint32 captured_len;
154 #define ENHANCED_PACKET_BLOCK_TYPE 0x00000006
158 guint16 value_length;
160 #define OPT_ENDOFOPT 0
161 #define OPT_COMMENT 1 /* currently not used */
162 #define SHB_HARDWARE 2 /* currently not used */
163 #define SHB_OS 3 /* currently not used */
164 #define SHB_USERAPPL 4
166 #define IDB_FILTER 11
169 #define ISB_FILTERACCEPT 6
171 #define ADD_PADDING(x) ((((x) + 3) >> 2) << 2)
173 #define WRITE_DATA(file_pointer, data_pointer, data_length, written_length, error_pointer) \
178 nwritten = fwrite(data_pointer, 1, data_length, file_pointer); \
179 if (nwritten != data_length) { \
180 if (nwritten == 0 && ferror(file_pointer)) { \
181 *error_pointer = errno; \
183 *error_pointer = 0; \
187 written_length += (long)nwritten; \
191 /* Returns a FILE * to write to on success, NULL on failure */
193 libpcap_fdopen(int fd, int *err)
197 fp = fdopen(fd, "wb");
204 /* Write the file header to a dump file.
205 Returns TRUE on success, FALSE on failure.
206 Sets "*err" to an error code, or 0 for a short write, on failure*/
208 libpcap_write_file_header(FILE *fp, int linktype, int snaplen, long *bytes_written, int *err)
210 struct pcap_hdr file_hdr;
213 file_hdr.magic = PCAP_MAGIC;
214 /* current "libpcap" format is 2.4 */
215 file_hdr.version_major = 2;
216 file_hdr.version_minor = 4;
217 file_hdr.thiszone = 0; /* XXX - current offset? */
218 file_hdr.sigfigs = 0; /* unknown, but also apparently unused */
219 file_hdr.snaplen = snaplen;
220 file_hdr.network = linktype;
221 nwritten = fwrite(&file_hdr, 1, sizeof(file_hdr), fp);
222 if (nwritten != sizeof(file_hdr)) {
223 if (nwritten == 0 && ferror(fp))
226 *err = 0; /* short write */
229 *bytes_written += sizeof(file_hdr);
234 /* Write a record for a packet to a dump file.
235 Returns TRUE on success, FALSE on failure. */
237 libpcap_write_packet(FILE *fp, const struct pcap_pkthdr *phdr, const u_char *pd,
238 long *bytes_written, int *err)
240 struct pcaprec_hdr rec_hdr;
243 rec_hdr.ts_sec = phdr->ts.tv_sec;
244 rec_hdr.ts_usec = phdr->ts.tv_usec;
245 rec_hdr.incl_len = phdr->caplen;
246 rec_hdr.orig_len = phdr->len;
247 nwritten = fwrite(&rec_hdr, 1, sizeof rec_hdr, fp);
248 if (nwritten != sizeof rec_hdr) {
249 if (nwritten == 0 && ferror(fp))
252 *err = 0; /* short write */
255 *bytes_written += sizeof rec_hdr;
257 nwritten = fwrite(pd, 1, phdr->caplen, fp);
258 if (nwritten != phdr->caplen) {
259 if (nwritten == 0 && ferror(fp))
262 *err = 0; /* short write */
265 *bytes_written += phdr->caplen;
270 libpcap_write_session_header_block(FILE *fp,
276 struct option option;
277 guint32 block_total_length;
278 const guint32 padding = 0;
280 block_total_length = sizeof(struct shb) +
282 if ((strlen(appname) > 0) && (strlen(appname) < G_MAXUINT16)) {
283 block_total_length += 2 * sizeof(struct option) +
284 (guint16)(ADD_PADDING(strlen(appname) + 1));
286 /* write shb header */
287 shb.block_type = SECTION_HEADER_BLOCK_TYPE;
288 shb.block_total_length = block_total_length;
289 shb.byte_order_magic = PCAPNG_MAGIC;
290 shb.major_version = PCAPNG_MAJOR_VERSION;
291 shb.minor_version = PCAPNG_MINOR_VERSION;
292 shb.section_length = -1;
293 WRITE_DATA(fp, &shb, sizeof(struct shb), *bytes_written, err);
295 if ((strlen(appname) > 0) && (strlen(appname) < G_MAXUINT16)) {
296 /* write shb_userappl options */
297 option.type = SHB_USERAPPL;
298 option.value_length = (guint16)(strlen(appname) + 1);
299 WRITE_DATA(fp, &option, sizeof(struct option), *bytes_written, err);
300 WRITE_DATA(fp, appname, strlen(appname) + 1, *bytes_written, err);
301 if ((strlen(appname) + 1) % 4) {
302 WRITE_DATA(fp, &padding, 4 - (strlen(appname) + 1) % 4, *bytes_written, err);
304 /* write last option */
305 option.type = OPT_ENDOFOPT;
306 option.value_length = 0;
307 WRITE_DATA(fp, &option, sizeof(struct option), *bytes_written, err);
309 /* write the trailing block total length */
310 WRITE_DATA(fp, &block_total_length, sizeof(guint32), *bytes_written, err);
315 libpcap_write_interface_description_block(FILE *fp,
324 struct option option;
325 guint32 block_total_length;
326 const guint32 padding = 0;
328 block_total_length = sizeof(struct idb) + sizeof(guint32);
329 if ((strlen(name) > 0) && (strlen(name) < G_MAXUINT16)) {
330 block_total_length += sizeof(struct option) +
331 (guint16)(ADD_PADDING(strlen(name) + 1));
333 if ((strlen(filter) > 0) && (strlen(name) < G_MAXUINT16)) {
334 block_total_length += sizeof(struct option) +
335 (guint16)(ADD_PADDING(strlen(filter) + 1));
337 if (((strlen(name) > 0) && (strlen(name) < G_MAXUINT16)) ||
338 ((strlen(filter) > 0) && (strlen(name) < G_MAXUINT16))) {
339 block_total_length += sizeof(struct option);
341 /* write block header */
342 idb.block_type = INTERFACE_DESCRIPTION_BLOCK_TYPE;
343 idb.block_total_length = block_total_length;
344 idb.link_type = link_type;
346 idb.snap_len = snap_len;
347 WRITE_DATA(fp, &idb, sizeof(struct idb), *bytes_written, err);
348 /* write interface name string if applicable */
349 if ((strlen(name) > 0) && (strlen(name) < G_MAXUINT16)) {
350 option.type = IDB_NAME;
351 option.value_length = (guint16)(strlen(name) + 1);
352 WRITE_DATA(fp, &option, sizeof(struct option), *bytes_written, err);
353 WRITE_DATA(fp, name, strlen(name) + 1, *bytes_written, err);
354 if ((strlen(name) + 1) % 4) {
355 WRITE_DATA(fp, &padding, 4 - (strlen(name) + 1) % 4 , *bytes_written, err);
358 /* write filter string if applicable */
359 if ((strlen(filter) > 0) && (strlen(filter) < G_MAXUINT16)) {
360 option.type = IDB_FILTER;
361 option.value_length = (guint16)(strlen(filter) + 1);
362 WRITE_DATA(fp, &option, sizeof(struct option), *bytes_written, err);
363 WRITE_DATA(fp, filter, strlen(filter) + 1, *bytes_written, err);
364 if ((strlen(filter) + 1) % 4) {
365 WRITE_DATA(fp, &padding, 4 - (strlen(filter) + 1) % 4 , *bytes_written, err);
368 /* write endofopt option if there were any options */
369 if (((strlen(name) > 0) && (strlen(name) < G_MAXUINT16)) ||
370 ((strlen(filter) > 0) && (strlen(filter) < G_MAXUINT16))) {
371 option.type = OPT_ENDOFOPT;
372 option.value_length = 0;
373 WRITE_DATA(fp, &option, sizeof(struct option), *bytes_written, err);
375 /* write the trailing Block Total Length */
376 WRITE_DATA(fp, &block_total_length, sizeof(guint32), *bytes_written, err);
380 /* Write a record for a packet to a dump file.
381 Returns TRUE on success, FALSE on failure. */
383 libpcap_write_enhanced_packet_block(FILE *fp,
384 const struct pcap_pkthdr *phdr,
385 guint32 interface_id,
391 guint32 block_total_length;
393 const guint32 padding = 0;
395 block_total_length = sizeof(struct epb) +
396 ADD_PADDING(phdr->caplen) +
398 timestamp = (guint64)(phdr->ts.tv_sec) * 1000000 +
399 (guint64)(phdr->ts.tv_usec);
400 epb.block_type = ENHANCED_PACKET_BLOCK_TYPE;
401 epb.block_total_length = block_total_length;
402 epb.interface_id = interface_id;
403 epb.timestamp_high = (guint32)((timestamp>>32) & 0xffffffff);
404 epb.timestamp_low = (guint32)(timestamp & 0xffffffff);
405 epb.captured_len = phdr->caplen;
406 epb.packet_len = phdr->len;
407 WRITE_DATA(fp, &epb, sizeof(struct epb), *bytes_written, err);
408 WRITE_DATA(fp, pd, phdr->caplen, *bytes_written, err);
409 if (phdr->caplen % 4) {
410 WRITE_DATA(fp, &padding, 4 - phdr->caplen % 4, *bytes_written, err);
412 WRITE_DATA(fp, &block_total_length, sizeof(guint32), *bytes_written, err);
417 libpcap_write_interface_statistics_block(FILE *fp,
418 guint32 interface_id,
429 struct option option;
430 struct pcap_stat stats;
431 guint32 block_total_length;
434 gboolean stats_retrieved;
438 * Current time, represented as 100-nanosecond intervals since
439 * January 1, 1601, 00:00:00 UTC.
441 * I think DWORD might be signed, so cast both parts of "now"
442 * to guint32 so that the sign bit doesn't get treated specially.
444 GetSystemTimeAsFileTime(&now);
445 timestamp = (((guint64)(guint32)now.dwHighDateTime) << 32) +
446 (guint32)now.dwLowDateTime;
449 * Convert to same thing but as 1-microsecond, i.e. 1000-nanosecond,
455 * Subtract difference, in microseconds, between January 1, 1601
456 * 00:00:00 UTC and January 1, 1970, 00:00:00 UTC.
458 timestamp -= G_GINT64_CONSTANT(11644473600000000U);
461 * Current time, represented as seconds and microseconds since
462 * January 1, 1970, 00:00:00 UTC.
464 gettimeofday(&now, NULL);
467 * Convert to delta in microseconds.
469 timestamp = (guint64)(now.tv_sec) * 1000000 +
470 (guint64)(now.tv_usec);
472 if (pcap_stats(pd, &stats) < 0) {
473 stats_retrieved = FALSE;
474 g_warning("pcap_stats() failed.");
476 stats_retrieved = TRUE;
478 block_total_length = sizeof(struct isb) +
480 if (stats_retrieved) {
481 block_total_length += 3 * sizeof(struct option) + 2 * sizeof(guint64);
483 isb.block_type = INTERFACE_STATISTICS_BLOCK_TYPE;
484 isb.block_total_length = block_total_length;
485 isb.interface_id = interface_id;
486 isb.timestamp_high = (guint32)((timestamp>>32) & 0xffffffff);
487 isb.timestamp_low = (guint32)(timestamp & 0xffffffff);
488 WRITE_DATA(fp, &isb, sizeof(struct isb), *bytes_written, err);
489 if (stats_retrieved) {
491 option.type = ISB_IFRECV;
492 option.value_length = sizeof(guint64);
493 counter = stats.ps_recv;
494 WRITE_DATA(fp, &option, sizeof(struct option), *bytes_written, err);
495 WRITE_DATA(fp, &counter, sizeof(guint64), *bytes_written, err);
497 option.type = ISB_IFDROP;
498 option.value_length = sizeof(guint64);
499 counter = stats.ps_drop;
500 WRITE_DATA(fp, &option, sizeof(struct option), *bytes_written, err);
501 WRITE_DATA(fp, &counter, sizeof(guint64), *bytes_written, err);
503 option.type = OPT_ENDOFOPT;
504 option.value_length = 0;
505 WRITE_DATA(fp, &option, sizeof(struct option), *bytes_written, err);
507 WRITE_DATA(fp, &block_total_length, sizeof(guint32), *bytes_written, err);
513 libpcap_dump_flush(FILE *pd, int *err)
515 if (fflush(pd) == EOF) {
524 libpcap_dump_close(FILE *pd, int *err)
526 if (fclose(pd) == EOF) {
534 #endif /* HAVE_LIBPCAP */
git.samba.org / obnox / wireshark / wip.git / blob