6 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 #include "file_wrappers.h"
34 #include "pcap-common.h"
35 #include "pcap-encap.h"
38 /* See source to the "libpcap" library for information on the "libpcap"
42 * Private per-wtap_t data needed to read a file.
51 gboolean byte_swapped;
52 swapped_type_t lengths_swapped;
53 guint16 version_major;
54 guint16 version_minor;
57 /* On some systems, the FDDI MAC addresses are bit-swapped. */
58 #if !defined(ultrix) && !defined(__alpha) && !defined(__bsdi__)
59 #define BIT_SWAPPED_MAC_ADDRS
62 /* Try to read the first two records of the capture file. */
64 THIS_FORMAT, /* the reads succeeded, assume it's this format */
65 BAD_READ, /* the file is probably not valid */
66 OTHER_FORMAT /* the file may be valid, but not in this format */
68 static libpcap_try_t libpcap_try(wtap *wth, int *err);
70 static gboolean libpcap_read(wtap *wth, int *err, gchar **err_info,
72 static gboolean libpcap_seek_read(wtap *wth, gint64 seek_off,
73 union wtap_pseudo_header *pseudo_header, guchar *pd, int length,
74 int *err, gchar **err_info);
75 static int libpcap_read_header(wtap *wth, int *err, gchar **err_info,
76 struct pcaprec_ss990915_hdr *hdr);
77 static void adjust_header(wtap *wth, struct pcaprec_hdr *hdr);
78 static gboolean libpcap_read_rec_data(FILE_T fh, guchar *pd, int length,
79 int *err, gchar **err_info);
80 static gboolean libpcap_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
81 const union wtap_pseudo_header *pseudo_header, const guchar *pd, int *err);
83 int libpcap_open(wtap *wth, int *err, gchar **err_info)
88 gboolean byte_swapped;
94 /* Read in the number that should be at the start of a "libpcap" file */
95 errno = WTAP_ERR_CANT_READ;
96 bytes_read = file_read(&magic, sizeof magic, wth->fh);
97 if (bytes_read != sizeof magic) {
98 *err = file_error(wth->fh, err_info);
103 wth->data_offset += sizeof magic;
108 /* Host that wrote it has our byte order, and was running
109 a program using either standard or ss990417 libpcap. */
110 byte_swapped = FALSE;
112 wth->tsprecision = WTAP_FILE_TSPREC_USEC;
115 case PCAP_MODIFIED_MAGIC:
116 /* Host that wrote it has our byte order, and was running
117 a program using either ss990915 or ss991029 libpcap. */
118 byte_swapped = FALSE;
120 wth->tsprecision = WTAP_FILE_TSPREC_USEC;
123 case PCAP_SWAPPED_MAGIC:
124 /* Host that wrote it has a byte order opposite to ours,
125 and was running a program using either standard or
129 wth->tsprecision = WTAP_FILE_TSPREC_USEC;
132 case PCAP_SWAPPED_MODIFIED_MAGIC:
133 /* Host that wrote it out has a byte order opposite to
134 ours, and was running a program using either ss990915
135 or ss991029 libpcap. */
138 wth->tsprecision = WTAP_FILE_TSPREC_USEC;
141 case PCAP_NSEC_MAGIC:
142 /* Host that wrote it has our byte order, and was writing
143 the file in a format similar to standard libpcap
144 except that the time stamps have nanosecond resolution. */
145 byte_swapped = FALSE;
147 wth->tsprecision = WTAP_FILE_TSPREC_NSEC;
150 case PCAP_SWAPPED_NSEC_MAGIC:
151 /* Host that wrote it out has a byte order opposite to
152 ours, and was writing the file in a format similar to
153 standard libpcap except that the time stamps have
154 nanosecond resolution. */
157 wth->tsprecision = WTAP_FILE_TSPREC_NSEC;
161 /* Not a "libpcap" type we know about. */
165 /* Read the rest of the header. */
166 errno = WTAP_ERR_CANT_READ;
167 bytes_read = file_read(&hdr, sizeof hdr, wth->fh);
168 if (bytes_read != sizeof hdr) {
169 *err = file_error(wth->fh, err_info);
174 wth->data_offset += sizeof hdr;
177 /* Byte-swap the header fields about which we care. */
178 hdr.version_major = BSWAP16(hdr.version_major);
179 hdr.version_minor = BSWAP16(hdr.version_minor);
180 hdr.snaplen = BSWAP32(hdr.snaplen);
181 hdr.network = BSWAP32(hdr.network);
183 if (hdr.version_major < 2) {
184 /* We only support version 2.0 and later. */
185 *err = WTAP_ERR_UNSUPPORTED;
186 *err_info = g_strdup_printf("pcap: major version %u unsupported",
192 * AIX's non-standard tcpdump uses a minor version number of 2.
193 * Unfortunately, older versions of libpcap might have used
196 * The AIX libpcap uses RFC 1573 ifType values rather than
197 * DLT_ values in the header; the ifType values for LAN devices
204 * which correspond to DLT_IEEE802 (used for Token Ring),
205 * DLT_PPP, and DLT_SLIP_BSDOS, respectively. The ifType value
206 * for a loopback interface is 24, which currently isn't
207 * used by any version of libpcap I know about (and, as
208 * tcpdump.org are assigning DLT_ values above 100, and
209 * NetBSD started assigning values starting at 50, and
210 * the values chosen by other libpcaps appear to stop at
211 * 19, it's probably not going to be used by any libpcap
214 * We shall assume that if the minor version number is 2, and
215 * the network type is 6, 9, 15, or 24, that it's AIX libpcap.
217 * I'm assuming those older versions of libpcap didn't
218 * use DLT_IEEE802 for Token Ring, and didn't use DLT_SLIP_BSDOS
219 * as that came later. It may have used DLT_PPP, however, in
220 * which case we're out of luck; we assume it's Token Ring
221 * in AIX libpcap rather than PPP in standard libpcap, as
222 * you're probably more likely to be handing an AIX libpcap
223 * token-ring capture than an old (pre-libpcap 0.4) PPP capture
226 aix = FALSE; /* assume it's not AIX */
227 if (hdr.version_major == 2 && hdr.version_minor == 2) {
228 switch (hdr.network) {
231 hdr.network = 1; /* DLT_EN10MB, Ethernet */
236 hdr.network = 6; /* DLT_IEEE802, Token Ring */
241 hdr.network = 10; /* DLT_FDDI, FDDI */
246 hdr.network = 0; /* DLT_NULL, loopback */
252 file_encap = wtap_pcap_encap_to_wtap_encap(hdr.network);
253 if (file_encap == WTAP_ENCAP_UNKNOWN) {
254 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
255 *err_info = g_strdup_printf("pcap: network type %u unknown or unsupported",
260 /* This is a libpcap file */
261 libpcap = (libpcap_t *)g_malloc(sizeof(libpcap_t));;
262 libpcap->byte_swapped = byte_swapped;
263 libpcap->version_major = hdr.version_major;
264 libpcap->version_minor = hdr.version_minor;
265 wth->priv = (void *)libpcap;
266 wth->subtype_read = libpcap_read;
267 wth->subtype_seek_read = libpcap_seek_read;
268 wth->file_encap = file_encap;
269 wth->snapshot_length = hdr.snaplen;
271 /* In file format version 2.3, the order of the "incl_len" and
272 "orig_len" fields in the per-packet header was reversed,
273 in order to match the BPF header layout.
275 Therefore, in files with versions prior to that, we must swap
278 Unfortunately, some files were, according to a comment in the
279 "libpcap" source, written with version 2.3 in their headers
280 but without the interchanged fields, so if "incl_len" is
281 greater than "orig_len" - which would make no sense - we
282 assume that we need to swap them in version 2.3 files
285 In addition, DG/UX's tcpdump uses version 543.0, and writes
286 the two fields in the pre-2.3 order. */
287 switch (hdr.version_major) {
290 if (hdr.version_minor < 3)
291 libpcap->lengths_swapped = SWAPPED;
292 else if (hdr.version_minor == 3)
293 libpcap->lengths_swapped = MAYBE_SWAPPED;
295 libpcap->lengths_swapped = NOT_SWAPPED;
299 libpcap->lengths_swapped = SWAPPED;
303 libpcap->lengths_swapped = NOT_SWAPPED;
308 * Is this AIX format?
312 * Yes. Skip all the tests for other mutant formats,
313 * and set the precision to nanosecond precision.
315 wth->file_type = WTAP_FILE_PCAP_AIX;
316 wth->tsprecision = WTAP_FILE_TSPREC_NSEC;
321 * No. Let's look at the header for the first record,
322 * and see if, interpreting it as a standard header (if the
323 * magic number was standard) or a modified header (if the
324 * magic number was modified), the position where it says the
325 * header for the *second* record is contains a corrupted header.
329 * If this file had the standard magic number, it may be
330 * an ss990417 capture file - in that version of Alexey's
331 * patch, the packet header format was changed but the
332 * magic number wasn't, and, alas, Red Hat appear to have
333 * picked up that version of the patch for RH 6.1, meaning
334 * RH 6.1 has a tcpdump that writes out files that can't
335 * be read by any software that expects non-modified headers
336 * if the magic number isn't the modified magic number (e.g.,
337 * any normal version of tcpdump, and Wireshark if we don't
338 * do this gross heuristic).
340 * If this file had the modified magic number, it may be
341 * an ss990915 capture file - in that version of Alexey's
342 * patch, the magic number was changed, but the record
343 * header had some extra fields, and, alas, SuSE appear
344 * to have picked up that version of the patch for SuSE
345 * 6.3, meaning that programs expecting the standard per-
346 * packet header in captures with the modified magic number
347 * can't read dumps from its tcpdump.
349 * Oh, and if it has the standard magic number, it might, instead,
350 * be a Nokia libpcap file, so we may need to try that if
351 * neither normal nor ss990417 headers work.
355 * Well, we have the magic number from Alexey's
358 * Try ss991029, the last of his patches, first.
360 wth->file_type = WTAP_FILE_PCAP_SS991029;
361 switch (libpcap_try(wth, err)) {
365 * Well, we couldn't even read it.
373 * Well, it looks as if it might be 991029.
374 * Put the seek pointer back, and return success.
376 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
384 * Try the next format.
390 * Well, it's not completely unreadable,
391 * but it's not ss991029. Try ss990915;
392 * there are no other types to try after that,
393 * so we put the seek pointer back and treat
396 wth->file_type = WTAP_FILE_PCAP_SS990915;
397 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
403 * Well, we have the standard magic number.
405 * Try the standard format first.
407 if(wth->tsprecision == WTAP_FILE_TSPREC_NSEC) {
408 wth->file_type = WTAP_FILE_PCAP_NSEC;
410 wth->file_type = WTAP_FILE_PCAP;
412 switch (libpcap_try(wth, err)) {
416 * Well, we couldn't even read it.
424 * Well, it looks as if it might be a standard
426 * Put the seek pointer back, and return success.
428 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
436 * Try the next format.
442 * Well, it's not completely unreadable, but it's not
443 * a standard file. Put the seek pointer back and try
446 wth->file_type = WTAP_FILE_PCAP_SS990417;
447 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
451 switch (libpcap_try(wth, err)) {
455 * Well, we couldn't even read it.
463 * Well, it looks as if it might be ss990417.
464 * Put the seek pointer back, and return success.
466 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
474 * Try the next format.
480 * Well, it's not completely unreadable,
481 * but it's not a standard file *nor* is it ss990417.
482 * Try it as a Nokia file; there are no other types
483 * to try after that, so we put the seek pointer back
484 * and treat it as a Nokia file.
486 wth->file_type = WTAP_FILE_PCAP_NOKIA;
487 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
494 * We treat a DLT_ value of 13 specially - it appears that in
495 * Nokia libpcap format, it's some form of ATM with what I
496 * suspect is a pseudo-header (even though Nokia's IPSO is
497 * based on FreeBSD, which #defines DLT_SLIP_BSDOS as 13).
499 * If this is a Nokia capture, treat 13 as WTAP_ENCAP_ATM_PDUS,
500 * rather than as what we normally treat it.
502 if (wth->file_type == WTAP_FILE_PCAP_NOKIA && hdr.network == 13)
503 wth->file_encap = WTAP_ENCAP_ATM_PDUS;
508 /* Try to read the first two records of the capture file. */
509 static libpcap_try_t libpcap_try(wtap *wth, int *err)
512 * pcaprec_ss990915_hdr is the largest header type.
514 struct pcaprec_ss990915_hdr first_rec_hdr, second_rec_hdr;
518 * Attempt to read the first record's header.
520 if (libpcap_read_header(wth, err, NULL, &first_rec_hdr) == -1) {
521 if (*err == 0 || *err == WTAP_ERR_SHORT_READ) {
523 * EOF or short read - assume the file is in this
525 * When our client tries to read the first packet
526 * they will presumably get the same EOF or short
532 if (*err == WTAP_ERR_BAD_RECORD) {
534 * The first record is bogus, so this is probably
535 * a corrupt file. Assume the file is in this
536 * format. When our client tries to read the
537 * first packet they will presumably get the
544 * Some other error, e.g. an I/O error; just give up.
550 * Now skip over the first record's data, under the assumption
551 * that the header is sane.
553 if (file_seek(wth->fh, first_rec_hdr.hdr.incl_len, SEEK_CUR, err) == -1)
557 * Now attempt to read the second record's header.
559 if (libpcap_read_header(wth, err, NULL, &second_rec_hdr) == -1) {
560 if (*err == 0 || *err == WTAP_ERR_SHORT_READ) {
562 * EOF or short read - assume the file is in this
564 * When our client tries to read the second packet
565 * they will presumably get the same EOF or short
571 if (*err == WTAP_ERR_BAD_RECORD) {
573 * The second record is bogus; maybe it's a
574 * Capture File From Hell, and what looks like
575 * the "header" of the next packet is actually
576 * random junk from the middle of a packet.
577 * Try the next format; if we run out of formats,
578 * it probably *is* a corrupt file.
584 * Some other error, e.g. an I/O error; just give up.
590 * OK, the first two records look OK; assume this is the
596 /* Read the next packet */
597 static gboolean libpcap_read(wtap *wth, int *err, gchar **err_info,
600 struct pcaprec_ss990915_hdr hdr;
604 guchar fddi_padding[3];
608 bytes_read = libpcap_read_header(wth, err, err_info, &hdr);
609 if (bytes_read == -1) {
611 * We failed to read the header.
616 wth->data_offset += bytes_read;
617 packet_size = hdr.hdr.incl_len;
618 orig_size = hdr.hdr.orig_len;
621 * AIX appears to put 3 bytes of padding in front of FDDI
622 * frames; strip that crap off.
624 if (wth->file_type == WTAP_FILE_PCAP_AIX &&
625 (wth->file_encap == WTAP_ENCAP_FDDI ||
626 wth->file_encap == WTAP_ENCAP_FDDI_BITSWAPPED)) {
628 * The packet size is really a record size and includes
633 wth->data_offset += 3;
638 if (!libpcap_read_rec_data(wth->fh, fddi_padding, 3, err,
640 return FALSE; /* Read error */
643 *data_offset = wth->data_offset;
645 libpcap = (libpcap_t *)wth->priv;
646 phdr_len = pcap_process_pseudo_header(wth->fh, wth->file_type,
647 wth->file_encap, packet_size, TRUE, &wth->phdr,
648 &wth->pseudo_header, err, err_info);
650 return FALSE; /* error */
653 * Don't count any pseudo-header as part of the packet.
655 orig_size -= phdr_len;
656 packet_size -= phdr_len;
657 wth->data_offset += phdr_len;
659 buffer_assure_space(wth->frame_buffer, packet_size);
660 if (!libpcap_read_rec_data(wth->fh, buffer_start_ptr(wth->frame_buffer),
661 packet_size, err, err_info))
662 return FALSE; /* Read error */
663 wth->data_offset += packet_size;
665 /* Update the Timestamp, if not already done */
666 if (wth->file_encap != WTAP_ENCAP_ERF) {
667 wth->phdr.ts.secs = hdr.hdr.ts_sec;
668 if(wth->tsprecision == WTAP_FILE_TSPREC_NSEC) {
669 wth->phdr.ts.nsecs = hdr.hdr.ts_usec;
671 wth->phdr.ts.nsecs = hdr.hdr.ts_usec * 1000;
674 wth->phdr.caplen = packet_size;
675 wth->phdr.len = orig_size;
677 if (wth->file_encap == WTAP_ENCAP_ATM_PDUS) {
678 if (wth->file_type == WTAP_FILE_PCAP_NOKIA) {
682 * Guess the traffic type based on the packet
685 atm_guess_traffic_type(buffer_start_ptr(wth->frame_buffer),
686 wth->phdr.caplen, &wth->pseudo_header);
691 * If this is ATM LANE traffic, try to guess what
692 * type of LANE traffic it is based on the packet
695 if (wth->pseudo_header.atm.type == TRAF_LANE) {
696 atm_guess_lane_type(buffer_start_ptr(wth->frame_buffer),
697 wth->phdr.caplen, &wth->pseudo_header);
702 pcap_read_post_process(wth->file_encap, wth->phdr.caplen,
703 libpcap->byte_swapped, buffer_start_ptr(wth->frame_buffer));
708 libpcap_seek_read(wtap *wth, gint64 seek_off,
709 union wtap_pseudo_header *pseudo_header, guchar *pd, int length,
710 int *err, gchar **err_info)
715 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
718 libpcap = (libpcap_t *)wth->priv;
719 phdr_len = pcap_process_pseudo_header(wth->random_fh, wth->file_type,
720 wth->file_encap, length, FALSE, NULL, pseudo_header, err, err_info);
722 return FALSE; /* error */
725 * Read the packet data.
727 if (!libpcap_read_rec_data(wth->random_fh, pd, length, err, err_info))
728 return FALSE; /* failed */
730 if (wth->file_encap == WTAP_ENCAP_ATM_PDUS) {
731 if (wth->file_type == WTAP_FILE_PCAP_NOKIA) {
735 * Guess the traffic type based on the packet
738 atm_guess_traffic_type(pd, length, pseudo_header);
743 * If this is ATM LANE traffic, try to guess what
744 * type of LANE traffic it is based on the packet
747 if (pseudo_header->atm.type == TRAF_LANE)
748 atm_guess_lane_type(pd, length, pseudo_header);
751 pcap_read_post_process(wth->file_encap, length,
752 libpcap->byte_swapped, pd);
756 /* Read the header of the next packet.
758 Return -1 on an error, or the number of bytes of header read on success. */
759 static int libpcap_read_header(wtap *wth, int *err, gchar **err_info,
760 struct pcaprec_ss990915_hdr *hdr)
762 int bytes_to_read, bytes_read;
764 /* Read record header. */
765 errno = WTAP_ERR_CANT_READ;
766 switch (wth->file_type) {
769 case WTAP_FILE_PCAP_AIX:
770 case WTAP_FILE_PCAP_NSEC:
771 bytes_to_read = sizeof (struct pcaprec_hdr);
774 case WTAP_FILE_PCAP_SS990417:
775 case WTAP_FILE_PCAP_SS991029:
776 bytes_to_read = sizeof (struct pcaprec_modified_hdr);
779 case WTAP_FILE_PCAP_SS990915:
780 bytes_to_read = sizeof (struct pcaprec_ss990915_hdr);
783 case WTAP_FILE_PCAP_NOKIA:
784 bytes_to_read = sizeof (struct pcaprec_nokia_hdr);
788 g_assert_not_reached();
791 bytes_read = file_read(hdr, bytes_to_read, wth->fh);
792 if (bytes_read != bytes_to_read) {
793 *err = file_error(wth->fh, err_info);
794 if (*err == 0 && bytes_read != 0) {
795 *err = WTAP_ERR_SHORT_READ;
800 adjust_header(wth, &hdr->hdr);
802 if (hdr->hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
804 * Probably a corrupt capture file; return an error,
805 * so that our caller doesn't blow up trying to allocate
806 * space for an immensely-large packet, and so that
807 * the code to try to guess what type of libpcap file
808 * this is can tell when it's not the type we're guessing
811 *err = WTAP_ERR_BAD_RECORD;
812 if (err_info != NULL) {
813 *err_info = g_strdup_printf("pcap: File has %u-byte packet, bigger than maximum of %u",
814 hdr->hdr.incl_len, WTAP_MAX_PACKET_SIZE);
819 if (hdr->hdr.orig_len > WTAP_MAX_PACKET_SIZE) {
821 * Probably a corrupt capture file; return an error,
822 * so that our caller doesn't blow up trying to
823 * cope with a huge "real" packet length, and so that
824 * the code to try to guess what type of libpcap file
825 * this is can tell when it's not the type we're guessing
828 *err = WTAP_ERR_BAD_RECORD;
829 if (err_info != NULL) {
830 *err_info = g_strdup_printf("pcap: File has %u-byte packet, bigger than maximum of %u",
831 hdr->hdr.orig_len, WTAP_MAX_PACKET_SIZE);
840 adjust_header(wtap *wth, struct pcaprec_hdr *hdr)
845 libpcap = (libpcap_t *)wth->priv;
846 if (libpcap->byte_swapped) {
847 /* Byte-swap the record header fields. */
848 hdr->ts_sec = BSWAP32(hdr->ts_sec);
849 hdr->ts_usec = BSWAP32(hdr->ts_usec);
850 hdr->incl_len = BSWAP32(hdr->incl_len);
851 hdr->orig_len = BSWAP32(hdr->orig_len);
854 /* Swap the "incl_len" and "orig_len" fields, if necessary. */
855 switch (libpcap->lengths_swapped) {
861 if (hdr->incl_len <= hdr->orig_len) {
863 * The captured length is <= the actual length,
864 * so presumably they weren't swapped.
871 temp = hdr->orig_len;
872 hdr->orig_len = hdr->incl_len;
873 hdr->incl_len = temp;
879 libpcap_read_rec_data(FILE_T fh, guchar *pd, int length, int *err,
884 errno = WTAP_ERR_CANT_READ;
885 bytes_read = file_read(pd, length, fh);
887 if (bytes_read != length) {
888 *err = file_error(fh, err_info);
890 *err = WTAP_ERR_SHORT_READ;
896 /* Returns 0 if we could write the specified encapsulation type,
897 an error indication otherwise. */
898 int libpcap_dump_can_write_encap(int encap)
900 /* Per-packet encapsulations aren't supported. */
901 if (encap == WTAP_ENCAP_PER_PACKET)
902 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
904 if (wtap_wtap_encap_to_pcap_encap(encap) == -1)
905 return WTAP_ERR_UNSUPPORTED_ENCAP;
910 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
912 gboolean libpcap_dump_open(wtap_dumper *wdh, int *err)
915 struct pcap_hdr file_hdr;
917 /* This is a libpcap file */
918 wdh->subtype_write = libpcap_dump;
919 wdh->subtype_close = NULL;
921 /* Write the file header. */
922 switch (wdh->file_type) {
925 case WTAP_FILE_PCAP_SS990417: /* modified, but with the old magic, sigh */
926 case WTAP_FILE_PCAP_NOKIA: /* Nokia libpcap of some sort */
928 wdh->tsprecision = WTAP_FILE_TSPREC_USEC;
931 case WTAP_FILE_PCAP_SS990915: /* new magic, extra crap */
932 case WTAP_FILE_PCAP_SS991029:
933 magic = PCAP_MODIFIED_MAGIC;
934 wdh->tsprecision = WTAP_FILE_TSPREC_USEC;
937 case WTAP_FILE_PCAP_NSEC: /* same as WTAP_FILE_PCAP, but nsec precision */
938 magic = PCAP_NSEC_MAGIC;
939 wdh->tsprecision = WTAP_FILE_TSPREC_NSEC;
943 /* We should never get here - our open routine
944 should only get called for the types above. */
945 *err = WTAP_ERR_UNSUPPORTED_FILE_TYPE;
949 if (!wtap_dump_file_write(wdh, &magic, sizeof magic, err))
951 wdh->bytes_dumped += sizeof magic;
953 /* current "libpcap" format is 2.4 */
954 file_hdr.version_major = 2;
955 file_hdr.version_minor = 4;
956 file_hdr.thiszone = 0; /* XXX - current offset? */
957 file_hdr.sigfigs = 0; /* unknown, but also apparently unused */
959 * Tcpdump cannot handle capture files with a snapshot length of 0,
960 * as BPF filters return either 0 if they fail or the snapshot length
961 * if they succeed, and a snapshot length of 0 means success is
962 * indistinguishable from failure and the filter expression would
963 * reject all packets.
965 * A snapshot length of 0, inside Wiretap, means "snapshot length
966 * unknown"; if the snapshot length supplied to us is 0, we make
967 * the snapshot length in the header file WTAP_MAX_PACKET_SIZE.
969 file_hdr.snaplen = (wdh->snaplen != 0) ? wdh->snaplen :
970 WTAP_MAX_PACKET_SIZE;
971 file_hdr.network = wtap_wtap_encap_to_pcap_encap(wdh->encap);
972 if (!wtap_dump_file_write(wdh, &file_hdr, sizeof file_hdr, err))
974 wdh->bytes_dumped += sizeof file_hdr;
979 /* Write a record for a packet to a dump file.
980 Returns TRUE on success, FALSE on failure. */
981 static gboolean libpcap_dump(wtap_dumper *wdh,
982 const struct wtap_pkthdr *phdr,
983 const union wtap_pseudo_header *pseudo_header,
984 const guchar *pd, int *err)
986 struct pcaprec_ss990915_hdr rec_hdr;
990 phdrsize = pcap_get_phdr_size(wdh->encap, pseudo_header);
992 rec_hdr.hdr.ts_sec = (guint32) phdr->ts.secs;
993 if(wdh->tsprecision == WTAP_FILE_TSPREC_NSEC) {
994 rec_hdr.hdr.ts_usec = phdr->ts.nsecs;
996 rec_hdr.hdr.ts_usec = phdr->ts.nsecs / 1000;
998 rec_hdr.hdr.incl_len = phdr->caplen + phdrsize;
999 rec_hdr.hdr.orig_len = phdr->len + phdrsize;
1000 switch (wdh->file_type) {
1002 case WTAP_FILE_PCAP:
1003 case WTAP_FILE_PCAP_NSEC:
1004 hdr_size = sizeof (struct pcaprec_hdr);
1007 case WTAP_FILE_PCAP_SS990417: /* modified, but with the old magic, sigh */
1008 case WTAP_FILE_PCAP_SS991029:
1009 /* XXX - what should we supply here?
1011 Alexey's "libpcap" looks up the interface in the system's
1012 interface list if "ifindex" is non-zero, and prints
1013 the interface name. It ignores "protocol", and uses
1014 "pkt_type" to tag the packet as "host", "broadcast",
1015 "multicast", "other host", "outgoing", or "none of the
1016 above", but that's it.
1018 If the capture we're writing isn't a modified or
1019 RH 6.1 capture, we'd have to do some work to
1020 generate the packet type and interface index - and
1021 we can't generate the interface index unless we
1022 just did the capture ourselves in any case.
1024 I'm inclined to continue to punt; systems other than
1025 those with the older patch can read standard "libpcap"
1026 files, and systems with the older patch, e.g. RH 6.1,
1027 will just have to live with this. */
1028 rec_hdr.ifindex = 0;
1029 rec_hdr.protocol = 0;
1030 rec_hdr.pkt_type = 0;
1031 hdr_size = sizeof (struct pcaprec_modified_hdr);
1034 case WTAP_FILE_PCAP_SS990915: /* new magic, extra crap at the end */
1035 rec_hdr.ifindex = 0;
1036 rec_hdr.protocol = 0;
1037 rec_hdr.pkt_type = 0;
1040 hdr_size = sizeof (struct pcaprec_ss990915_hdr);
1043 case WTAP_FILE_PCAP_NOKIA: /* old magic, extra crap at the end */
1044 rec_hdr.ifindex = 0;
1045 rec_hdr.protocol = 0;
1046 rec_hdr.pkt_type = 0;
1049 hdr_size = sizeof (struct pcaprec_nokia_hdr);
1053 /* We should never get here - our open routine
1054 should only get called for the types above. */
1055 g_assert_not_reached();
1056 *err = WTAP_ERR_UNSUPPORTED_FILE_TYPE;
1060 if (!wtap_dump_file_write(wdh, &rec_hdr, hdr_size, err))
1062 wdh->bytes_dumped += hdr_size;
1064 if (!pcap_write_phdr(wdh, wdh->encap, pseudo_header, err))
1067 if (!wtap_dump_file_write(wdh, pd, phdr->caplen, err))
1069 wdh->bytes_dumped += phdr->caplen;