6 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
35 #include "file_wrappers.h"
41 # ifdef HAVE_SYS_TYPES_H
42 # include <sys/types.h>
44 #include "wtap-capture.h"
48 * The link-layer header on SunATM packets.
51 guint8 flags; /* destination and traffic type */
53 guint16 vci; /* VCI */
57 * The link-layer header on Nokia IPSO ATM packets.
60 guint8 flags; /* destination */
62 guint16 vci; /* VCI */
66 * The fake link-layer header of IrDA packets as introduced by Jean Tourrilhes
70 guint16 sll_pkttype; /* packet type */
71 guint8 unused[12]; /* usused SLL header fields */
72 guint16 sll_protocol; /* protocol, should be 0x0017 */
75 /* See source to the "libpcap" library for information on the "libpcap"
78 /* On some systems, the FDDI MAC addresses are bit-swapped. */
79 #if !defined(ultrix) && !defined(__alpha) && !defined(__bsdi__)
80 #define BIT_SWAPPED_MAC_ADDRS
83 /* Try to read the first two records of the capture file. */
85 THIS_FORMAT, /* the reads succeeded, assume it's this format */
86 BAD_READ, /* the file is probably not valid */
87 OTHER_FORMAT /* the file may be valid, but not in this format */
89 static libpcap_try_t libpcap_try(wtap *wth, int *err);
91 static gboolean libpcap_read(wtap *wth, int *err, gchar **err_info,
93 static gboolean libpcap_seek_read(wtap *wth, long seek_off,
94 union wtap_pseudo_header *pseudo_header, guchar *pd, int length,
95 int *err, gchar **err_info);
96 static int libpcap_read_header(wtap *wth, int *err, gchar **err_info,
97 struct pcaprec_ss990915_hdr *hdr);
98 static void adjust_header(wtap *wth, struct pcaprec_hdr *hdr);
99 static void libpcap_get_sunatm_pseudoheader(const struct sunatm_hdr *atm_phdr,
100 union wtap_pseudo_header *pseudo_header);
101 static gboolean libpcap_read_sunatm_pseudoheader(FILE_T fh,
102 union wtap_pseudo_header *pseudo_header, int *err);
103 static gboolean libpcap_read_nokiaatm_pseudoheader(FILE_T fh,
104 union wtap_pseudo_header *pseudo_header, int *err);
105 static gboolean libpcap_get_irda_pseudoheader(const struct irda_sll_hdr *irda_phdr,
106 union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info);
107 static gboolean libpcap_read_irda_pseudoheader(FILE_T fh,
108 union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info);
109 static gboolean libpcap_read_rec_data(FILE_T fh, guchar *pd, int length,
111 static void libpcap_close(wtap *wth);
112 static gboolean libpcap_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
113 const union wtap_pseudo_header *pseudo_header, const guchar *pd, int *err);
116 * Either LBL NRG wasn't an adequate central registry (e.g., because of
117 * the slow rate of releases from them), or nobody bothered using them
118 * as a central registry, as many different groups have patched libpcap
119 * (and BPF, on the BSDs) to add new encapsulation types, and have ended
120 * up using the same DLT_ values for different encapsulation types.
122 * For those numerical encapsulation type values that everybody uses for
123 * the same encapsulation type (which inclues those that some platforms
124 * specify different DLT_ names for but don't appear to use), we map
125 * those values to the appropriate Wiretap values.
127 * For those numerical encapsulation type values that different libpcap
128 * variants use for different encapsulation types, we check what
129 * <pcap.h> defined to determine how to interpret them, so that we
130 * interpret them the way the libpcap with which we're building
131 * Ethereal/Wiretap interprets them (which, if it doesn't support
132 * them at all, means we don't support them either - any capture files
133 * using them are foreign, and we don't hazard a guess as to which
134 * platform they came from; we could, I guess, choose the most likely
137 * Note: if you need a new encapsulation type for libpcap files, do
138 * *N*O*T* use *ANY* of the values listed here! I.e., do *NOT*
139 * add a new encapsulation type by changing an existing entry;
140 * leave the existing entries alone.
142 * Instead, send mail to tcpdump-workers@tcpdump.org, asking for a new
143 * DLT_ value, and specifying the purpose of the new value. When you
144 * get the new DLT_ value, use that numerical value in the "dlt_value"
145 * field of "pcap_to_wtap_map[]".
148 static const struct {
150 int wtap_encap_value;
151 } pcap_to_wtap_map[] = {
153 * These are the values that are almost certainly the same
154 * in all libpcaps (I've yet to find one where the values
155 * in question are used for some purpose other than the
156 * one below, but...), and that Wiretap and Ethereal
159 { 0, WTAP_ENCAP_NULL }, /* null encapsulation */
160 { 1, WTAP_ENCAP_ETHERNET },
161 { 6, WTAP_ENCAP_TOKEN_RING }, /* IEEE 802 Networks - assume token ring */
162 { 7, WTAP_ENCAP_ARCNET },
163 { 8, WTAP_ENCAP_SLIP },
164 { 9, WTAP_ENCAP_PPP },
165 #ifdef BIT_SWAPPED_MAC_ADDRS
166 { 10, WTAP_ENCAP_FDDI_BITSWAPPED },
168 { 10, WTAP_ENCAP_FDDI },
171 { 32, WTAP_ENCAP_REDBACK },
174 * 50 is DLT_PPP_SERIAL in NetBSD; it appears that DLT_PPP
175 * on BSD (at least according to standard tcpdump) has, as
176 * the first octet, an indication of whether the packet was
177 * transmitted or received (rather than having the standard
178 * PPP address value of 0xff), but that DLT_PPP_SERIAL puts
179 * a real live PPP header there, or perhaps a Cisco PPP header
180 * as per section 4.3.1 of RFC 1547 (implementations of this
181 * exist in various BSDs in "sys/net/if_spppsubr.c", and
182 * I think also exist either in standard Linux or in
183 * various Linux patches; the implementations show how to handle
184 * Cisco keepalive packets).
186 * However, I don't see any obvious place in FreeBSD "if_ppp.c"
187 * where anything other than the standard PPP header would be
188 * passed up. I see some stuff that sets the first octet
189 * to 0 for incoming and 1 for outgoing packets before applying
190 * a BPF filter to see whether to drop packets whose protocol
191 * field has the 0x8000 bit set, i.e. network control protocols -
192 * those are handed up to userland - but that code puts the
193 * address field back before passing the packet up.
195 * I also don't see anything immediately obvious that munges
196 * the address field for sync PPP, either.
198 * Ethereal currently assumes that if the first octet of a
199 * PPP frame is 0xFF, it's the address field and is followed
200 * by a control field and a 2-byte protocol, otherwise the
201 * address and control fields are absent and the frame begins
202 * with a protocol field. If we ever see a BSD/OS PPP
203 * capture, we'll have to handle it differently, and we may
204 * have to handle standard BSD captures differently if, in fact,
205 * they don't have 0xff 0x03 as the first two bytes - but, as per
206 * the two paragraphs preceding this, it's not clear that
207 * the address field *is* munged into an incoming/outgoing
208 * field when the packet is handed to the BPF device.
210 * For now, we just map DLT_PPP_SERIAL to WTAP_ENCAP_PPP, as
211 * we treat WTAP_ENCAP_PPP packets as if those beginning with
212 * 0xff have the standard RFC 1662 "PPP in HDLC-like Framing"
213 * 0xff 0x03 address/control header, and DLT_PPP_SERIAL frames
214 * appear to contain that unless they're Cisco frames (if we
215 * ever see a capture with them, we'd need to implement the
216 * RFC 1547 stuff, and the keepalive protocol stuff).
218 * We may have to distinguish between "PPP where if it doesn't
219 * begin with 0xff there's no HDLC encapsulation and the frame
220 * begins with the protocol field" (which is how we handle
221 * WTAP_ENCAP_PPP now) and "PPP where there's either HDLC
222 * encapsulation or Cisco PPP" (which is what DLT_PPP_SERIAL
225 * XXX - NetBSD has DLT_HDLC, which appears to be used for
226 * Cisco HDLC. Ideally, they should use DLT_PPP_SERIAL
227 * only for real live HDLC-encapsulated PPP, not for Cisco
230 { 50, WTAP_ENCAP_PPP },
233 * Apparently used by the Axent Raptor firewall (now Symantec
234 * Enterprise Firewall).
235 * Thanks, Axent, for not reserving that type with tcpdump.org
236 * and not telling anybody about it.
238 { 99, WTAP_ENCAP_SYMANTEC },
241 * These are the values that libpcap 0.5 and later use in
242 * capture file headers, in an attempt to work around the
243 * confusion decried above, and that Wiretap and Ethereal
246 { 100, WTAP_ENCAP_ATM_RFC1483 },
247 { 101, WTAP_ENCAP_RAW_IP },
250 * More values used by libpcap 0.5 as DLT_ values and used by the
251 * current CVS version of libpcap in capture file headers.
252 * They are not yet handled in Ethereal.
253 * If we get a capture that contains them, we'll implement them.
255 { 102, WTAP_ENCAP_SLIP_BSDOS },
256 { 103, WTAP_ENCAP_PPP_BSDOS },
260 * These ones are handled in Ethereal, though.
262 { 104, WTAP_ENCAP_CHDLC }, /* Cisco HDLC */
263 { 105, WTAP_ENCAP_IEEE_802_11 }, /* IEEE 802.11 */
264 { 106, WTAP_ENCAP_LINUX_ATM_CLIP },
265 { 107, WTAP_ENCAP_FRELAY }, /* Frame Relay */
266 { 108, WTAP_ENCAP_NULL }, /* OpenBSD loopback */
267 { 109, WTAP_ENCAP_ENC }, /* OpenBSD IPSEC enc */
269 { 110, WTAP_ENCAP_LANE_802_3 },/* ATM LANE 802.3 */
270 { 111, WTAP_ENCAP_HIPPI }, /* NetBSD HIPPI */
272 { 112, WTAP_ENCAP_CHDLC }, /* NetBSD HDLC framing */
275 * Linux "cooked mode" captures, used by the current CVS version
278 { 113, WTAP_ENCAP_SLL }, /* Linux cooked capture */
280 { 114, WTAP_ENCAP_LOCALTALK }, /* Localtalk */
283 * The tcpdump.org version of libpcap uses 117, rather than 17,
284 * for OpenBSD packet filter logging, so as to avoid conflicting
285 * with DLT_LANE8023 in SuSE 6.3 libpcap.
287 { 117, WTAP_ENCAP_PFLOG },
289 { 118, WTAP_ENCAP_CISCO_IOS },
290 { 119, WTAP_ENCAP_PRISM_HEADER }, /* Prism monitor mode hdr */
291 { 121, WTAP_ENCAP_HHDLC }, /* HiPath HDLC */
292 { 122, WTAP_ENCAP_IP_OVER_FC }, /* RFC 2625 IP-over-FC */
293 { 123, WTAP_ENCAP_ATM_PDUS }, /* SunATM */
294 { 127, WTAP_ENCAP_IEEE_802_11_WLAN_RADIOTAP }, /* 802.11 plus radiotap WLAN header */
295 { 128, WTAP_ENCAP_TZSP }, /* Tazmen Sniffer Protocol */
296 { 129, WTAP_ENCAP_ARCNET_LINUX },
299 * Values 130 through 137 not listed here are reserved for use
300 * in Juniper hardware.
302 { 135, WTAP_ENCAP_JUNIPER_ATM2 }, /* various encapsulations captured on the ATM2 PIC */
303 { 137, WTAP_ENCAP_JUNIPER_ATM1 }, /* various encapsulations captured on the ATM1 PIC */
305 { 138, WTAP_ENCAP_APPLE_IP_OVER_IEEE1394 },
306 /* Apple IP-over-IEEE 1394 */
308 /* 139 is reserved for SS7 */
310 { 140, WTAP_ENCAP_MTP2 },
311 { 141, WTAP_ENCAP_MTP3 },
312 { 143, WTAP_ENCAP_DOCSIS },
313 { 144, WTAP_ENCAP_IRDA }, /* IrDA capture */
315 /* Reserved for private use. */
316 { 147, WTAP_ENCAP_USER0 },
317 { 148, WTAP_ENCAP_USER1 },
318 { 149, WTAP_ENCAP_USER2 },
319 { 150, WTAP_ENCAP_USER3 },
320 { 151, WTAP_ENCAP_USER4 },
321 { 152, WTAP_ENCAP_USER5 },
322 { 153, WTAP_ENCAP_USER6 },
323 { 154, WTAP_ENCAP_USER7 },
324 { 155, WTAP_ENCAP_USER8 },
325 { 156, WTAP_ENCAP_USER9 },
326 { 157, WTAP_ENCAP_USER10 },
327 { 158, WTAP_ENCAP_USER11 },
328 { 159, WTAP_ENCAP_USER12 },
329 { 160, WTAP_ENCAP_USER13 },
330 { 161, WTAP_ENCAP_USER14 },
331 { 162, WTAP_ENCAP_USER15 },
333 { 163, WTAP_ENCAP_IEEE_802_11_WLAN_AVS }, /* 802.11 plus AVS WLAN header */
336 * 164 is reserved for Juniper-private chassis-internal
337 * meta-information such as QoS profiles, etc..
340 { 165, WTAP_ENCAP_BACNET_MS_TP },
343 * 166 is reserved for a PPP variant in which the first byte
344 * of the 0xff03 header, the 0xff, is replaced by a direction
345 * byte. I don't know whether any captures look like that,
346 * but it is used for some Linux IP filtering (ipfilter?).
348 * 167 and 168 are reserved for more Juniper private-chassis-
349 * internal meta-information.
352 { 169, WTAP_ENCAP_GPRS_LLC },
355 * 170 and 171 are reserved for ITU-T G.7041/Y.1303 Generic
362 * If you need a new encapsulation type for libpcap files, do
363 * *N*O*T* use *ANY* of the values listed here! I.e., do *NOT*
364 * add a new encapsulation type by changing an existing entry;
365 * leave the existing entries alone.
367 * Instead, send mail to tcpdump-workers@tcpdump.org, asking for
368 * a new DLT_ value, and specifying the purpose of the new value.
369 * When you get the new DLT_ value, use that numerical value in
370 * the "dlt_value" field of "pcap_to_wtap_map[]".
374 * The following are entries for libpcap type values that have
375 * different meanings on different OSes.
377 * We put these *after* the entries for the platform-independent
378 * libpcap type values for those Wiretap encapsulation types, so
379 * that Ethereal chooses the platform-independent libpcap type
380 * value for those encapsulatioin types, not the platform-dependent
385 * 11 is DLT_ATM_RFC1483 on most platforms; the only libpcaps I've
386 * seen that define anything other than DLT_ATM_RFC1483 as 11 are
387 * the BSD/OS one, which defines DLT_FR as 11, and libpcap 0.5,
388 * which define it as 100, mapping the kernel's value to 100, in
389 * an attempt to hide the different values used on different
392 * If this is a platform where DLT_FR is defined as 11, we
393 * don't handle 11 at all; otherwise, we handle it as
394 * DLT_ATM_RFC1483 (this means we'd misinterpret Frame Relay
395 * captures from BSD/OS if running on platforms other than BSD/OS,
398 * 1) we don't yet support DLT_FR
402 * 2) nothing short of a heuristic would let us interpret
405 #if defined(DLT_FR) && (DLT_FR == 11)
406 { 11, WTAP_ENCAP_FRELAY },
408 { 11, WTAP_ENCAP_ATM_RFC1483 },
412 * 12 is DLT_RAW on most platforms, but it's DLT_C_HDLC on
413 * BSD/OS, and DLT_LOOP on OpenBSD.
415 * We don't yet handle DLT_C_HDLC, but we can handle DLT_LOOP
416 * (it's just like DLT_NULL, only with the AF_ value in network
417 * rather than host byte order - Ethereal figures out the
418 * byte order from the data, so we don't care what byte order
419 * it's in), so if DLT_LOOP is defined as 12, interpret 12
420 * as WTAP_ENCAP_NULL, otherwise, unless DLT_C_HDLC is defined
421 * as 12, interpret it as WTAP_ENCAP_RAW_IP.
423 #if defined(DLT_LOOP) && (DLT_LOOP == 12)
424 { 12, WTAP_ENCAP_NULL },
425 #elif defined(DLT_C_HDLC) && (DLT_C_HDLC == 12)
427 * Put entry for Cisco HDLC here.
428 * XXX - is this just WTAP_ENCAP_CHDLC, i.e. does the frame
429 * start with a 4-byte Cisco HDLC header?
432 { 12, WTAP_ENCAP_RAW_IP },
436 * 13 is DLT_SLIP_BSDOS on FreeBSD and NetBSD, but those OSes
437 * don't actually generate it. I infer that BSD/OS translates
438 * DLT_SLIP from the kernel BPF code to DLT_SLIP_BSDOS in
439 * libpcap, as the BSD/OS link-layer header is different;
440 * however, in BSD/OS, DLT_SLIP_BSDOS is 15.
442 * From this, I infer that there's no point in handling 13
445 * 13 is DLT_ATM_RFC1483 on BSD/OS.
447 * 13 is DLT_ENC in OpenBSD, which is, I suspect, some kind
448 * of decrypted IPSEC traffic.
450 #if defined(DLT_ATM_RFC1483) && (DLT_ATM_RFC1483 == 13)
451 { 13, WTAP_ENCAP_ATM_RFC1483 },
452 #elif defined(DLT_ENC) && (DLT_ENC == 13)
453 { 13, WTAP_ENCAP_ENC },
457 * 14 is DLT_PPP_BSDOS on FreeBSD and NetBSD, but those OSes
458 * don't actually generate it. I infer that BSD/OS translates
459 * DLT_PPP from the kernel BPF code to DLT_PPP_BSDOS in
460 * libpcap, as the BSD/OS link-layer header is different;
461 * however, in BSD/OS, DLT_PPP_BSDOS is 16.
463 * From this, I infer that there's no point in handling 14
466 * 14 is DLT_RAW on BSD/OS and OpenBSD.
468 { 14, WTAP_ENCAP_RAW_IP },
473 * DLT_SLIP_BSDOS on BSD/OS;
475 * DLT_HIPPI on NetBSD;
477 * DLT_LANE8023 with Alexey Kuznetzov's patches for
480 * DLT_I4L_RAWIP with the ISDN4Linux patches for libpcap
483 * but we don't currently handle any of those.
489 * DLT_PPP_BSDOS on BSD/OS;
491 * DLT_HDLC on NetBSD (Cisco HDLC);
493 * DLT_CIP with Alexey Kuznetzov's patches for
494 * Linux libpcap - this is WTAP_ENCAP_LINUX_ATM_CLIP;
496 * DLT_I4L_IP with the ISDN4Linux patches for libpcap
499 #if defined(DLT_CIP) && (DLT_CIP == 16)
500 { 16, WTAP_ENCAP_LINUX_ATM_CLIP },
502 #if defined(DLT_HDLC) && (DLT_HDLC == 16)
503 { 16, WTAP_ENCAP_CHDLC },
507 * 17 is DLT_LANE8023 in SuSE 6.3 libpcap; we don't currently
509 * It is also used as the PF (Packet Filter) logging format beginning
510 * with OpenBSD 3.0; we use 17 for PF logs unless DLT_LANE8023 is
511 * defined with the value 17.
513 #if !defined(DLT_LANE8023) || (DLT_LANE8023 != 17)
514 { 17, WTAP_ENCAP_OLD_PFLOG },
518 * 18 is DLT_CIP in SuSE 6.3 libpcap; if it's the same as the
519 * DLT_CIP of 16 that the Alexey Kuznetzov patches for
520 * libpcap/tcpdump define, it's WTAP_ENCAP_LINUX_ATM_CLIP.
521 * I've not found any libpcap that uses it for any other purpose -
522 * hopefully nobody will do so in the future.
524 { 18, WTAP_ENCAP_LINUX_ATM_CLIP },
527 * 19 is DLT_ATM_CLIP in the libpcap/tcpdump patches in the
528 * recent versions I've seen of the Linux ATM distribution;
529 * I've not yet found any libpcap that uses it for any other
530 * purpose - hopefully nobody will do so in the future.
532 { 19, WTAP_ENCAP_LINUX_ATM_CLIP },
537 * If you need a new encapsulation type for libpcap files, do
538 * *N*O*T* use *ANY* of the values listed here! I.e., do *NOT*
539 * add a new encapsulation type by changing an existing entry;
540 * leave the existing entries alone.
542 * Instead, send mail to tcpdump-workers@tcpdump.org, asking for
543 * a new DLT_ value, and specifying the purpose of the new value.
544 * When you get the new DLT_ value, use that numerical value in
545 * the "dlt_value" field of "pcap_to_wtap_map[]".
549 #define NUM_PCAP_ENCAPS (sizeof pcap_to_wtap_map / sizeof pcap_to_wtap_map[0])
551 int wtap_pcap_encap_to_wtap_encap(int encap)
555 for (i = 0; i < NUM_PCAP_ENCAPS; i++) {
556 if (pcap_to_wtap_map[i].dlt_value == encap)
557 return pcap_to_wtap_map[i].wtap_encap_value;
559 return WTAP_ENCAP_UNKNOWN;
563 int libpcap_open(wtap *wth, int *err, gchar **err_info)
568 gboolean byte_swapped;
573 /* Read in the number that should be at the start of a "libpcap" file */
574 errno = WTAP_ERR_CANT_READ;
575 bytes_read = file_read(&magic, 1, sizeof magic, wth->fh);
576 if (bytes_read != sizeof magic) {
577 *err = file_error(wth->fh);
582 wth->data_offset += sizeof magic;
587 /* Host that wrote it has our byte order, and was running
588 a program using either standard or ss990417 libpcap. */
589 byte_swapped = FALSE;
593 case PCAP_MODIFIED_MAGIC:
594 /* Host that wrote it has our byte order, and was running
595 a program using either ss990915 or ss991029 libpcap. */
596 byte_swapped = FALSE;
600 case PCAP_SWAPPED_MAGIC:
601 /* Host that wrote it has a byte order opposite to ours,
602 and was running a program using either standard or
608 case PCAP_SWAPPED_MODIFIED_MAGIC:
609 /* Host that wrote it out has a byte order opposite to
610 ours, and was running a program using either ss990915
611 or ss991029 libpcap. */
617 /* Not a "libpcap" type we know about. */
621 /* Read the rest of the header. */
622 errno = WTAP_ERR_CANT_READ;
623 bytes_read = file_read(&hdr, 1, sizeof hdr, wth->fh);
624 if (bytes_read != sizeof hdr) {
625 *err = file_error(wth->fh);
630 wth->data_offset += sizeof hdr;
633 /* Byte-swap the header fields about which we care. */
634 hdr.version_major = BSWAP16(hdr.version_major);
635 hdr.version_minor = BSWAP16(hdr.version_minor);
636 hdr.snaplen = BSWAP32(hdr.snaplen);
637 hdr.network = BSWAP32(hdr.network);
639 if (hdr.version_major < 2) {
640 /* We only support version 2.0 and later. */
641 *err = WTAP_ERR_UNSUPPORTED;
642 *err_info = g_strdup_printf("pcap: major version %u unsupported",
648 * AIX's non-standard tcpdump uses a minor version number of 2.
649 * Unfortunately, older versions of libpcap might have used
652 * The AIX libpcap uses RFC 1573 ifType values rather than
653 * DLT_ values in the header; the ifType values for LAN devices
660 * which correspond to DLT_IEEE802 (used for Token Ring),
661 * DLT_PPP, and DLT_SLIP_BSDOS, respectively. The ifType value
662 * for a loopback interface is 24, which currently isn't
663 * used by any version of libpcap I know about (and, as
664 * tcpdump.org are assigning DLT_ values above 100, and
665 * NetBSD started assigning values starting at 50, and
666 * the values chosen by other libpcaps appear to stop at
667 * 19, it's probably not going to be used by any libpcap
670 * We shall assume that if the minor version number is 2, and
671 * the network type is 6, 9, 15, or 24, that it's AIX libpcap.
673 * I'm assuming those older versions of libpcap didn't
674 * use DLT_IEEE802 for Token Ring, and didn't use DLT_SLIP_BSDOS
675 * as that came later. It may have used DLT_PPP, however, in
676 * which case we're out of luck; we assume it's Token Ring
677 * in AIX libpcap rather than PPP in standard libpcap, as
678 * you're probably more likely to be handing an AIX libpcap
679 * token-ring capture than an old (pre-libpcap 0.4) PPP capture
682 aix = FALSE; /* assume it's not AIX */
683 if (hdr.version_major == 2 && hdr.version_minor == 2) {
684 switch (hdr.network) {
687 hdr.network = 1; /* DLT_EN10MB, Ethernet */
692 hdr.network = 6; /* DLT_IEEE802, Token Ring */
697 hdr.network = 10; /* DLT_FDDI, FDDI */
702 hdr.network = 0; /* DLT_NULL, loopback */
709 * We treat a DLT_ value of 13 specially - it appears that in
710 * Nokia libpcap format, it's some form of ATM with what I
711 * suspect is a pseudo-header (even though Nokia's IPSO is
712 * based on FreeBSD, which #defines DLT_SLIP_BSDOS as 13).
714 * We don't yet know whether this is a Nokia capture, so if
715 * "wtap_pcap_encap_to_wtap_encap()" returned WTAP_ENCAP_UNKNOWN
716 * but "hdr.network" is 13, we don't treat that as an error yet.
718 file_encap = wtap_pcap_encap_to_wtap_encap(hdr.network);
719 if (file_encap == WTAP_ENCAP_UNKNOWN && hdr.network != 13) {
720 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
721 *err_info = g_strdup_printf("pcap: network type %u unknown or unsupported",
726 /* This is a libpcap file */
727 wth->capture.pcap = g_malloc(sizeof(libpcap_t));
728 wth->capture.pcap->byte_swapped = byte_swapped;
729 wth->capture.pcap->version_major = hdr.version_major;
730 wth->capture.pcap->version_minor = hdr.version_minor;
731 wth->subtype_read = libpcap_read;
732 wth->subtype_seek_read = libpcap_seek_read;
733 wth->subtype_close = libpcap_close;
734 wth->file_encap = file_encap;
735 wth->snapshot_length = hdr.snaplen;
737 /* In file format version 2.3, the order of the "incl_len" and
738 "orig_len" fields in the per-packet header was reversed,
739 in order to match the BPF header layout.
741 Therefore, in files with versions prior to that, we must swap
744 Unfortunately, some files were, according to a comment in the
745 "libpcap" source, written with version 2.3 in their headers
746 but without the interchanged fields, so if "incl_len" is
747 greater than "orig_len" - which would make no sense - we
748 assume that we need to swap them in version 2.3 files
751 In addition, DG/UX's tcpdump uses version 543.0, and writes
752 the two fields in the pre-2.3 order. */
753 switch (hdr.version_major) {
756 if (hdr.version_minor < 3)
757 wth->capture.pcap->lengths_swapped = SWAPPED;
758 else if (hdr.version_minor == 3)
759 wth->capture.pcap->lengths_swapped = MAYBE_SWAPPED;
761 wth->capture.pcap->lengths_swapped = NOT_SWAPPED;
765 wth->capture.pcap->lengths_swapped = SWAPPED;
769 wth->capture.pcap->lengths_swapped = NOT_SWAPPED;
774 * Is this AIX format?
778 * Yes. Skip all the tests for other mutant formats.
780 wth->file_type = WTAP_FILE_PCAP_AIX;
785 * No. Let's look at the header for the first record,
786 * and see if, interpreting it as a standard header (if the
787 * magic number was standard) or a modified header (if the
788 * magic number was modified), the position where it says the
789 * header for the *second* record is contains a corrupted header.
793 * If this file had the standard magic number, it may be
794 * an ss990417 capture file - in that version of Alexey's
795 * patch, the packet header format was changed but the
796 * magic number wasn't, and, alas, Red Hat appear to have
797 * picked up that version of the patch for RH 6.1, meaning
798 * RH 6.1 has a tcpdump that writes out files that can't
799 * be read by any software that expects non-modified headers
800 * if the magic number isn't the modified magic number (e.g.,
801 * any normal version of tcpdump, and Ethereal if we don't
802 * do this gross heuristic).
804 * If this file had the modified magic number, it may be
805 * an ss990915 capture file - in that version of Alexey's
806 * patch, the magic number was changed, but the record
807 * header had some extra fields, and, alas, SuSE appear
808 * to have picked up that version of the patch for SuSE
809 * 6.3, meaning that programs expecting the standard per-
810 * packet header in captures with the modified magic number
811 * can't read dumps from its tcpdump.
813 * Oh, and if it has the standard magic number, it might, instead,
814 * be a Nokia libpcap file, so we may need to try that if
815 * neither normal nor ss990417 headers work.
819 * Well, we have the magic number from Alexey's
822 * Try ss991029, the last of his patches, first.
824 wth->file_type = WTAP_FILE_PCAP_SS991029;
825 switch (libpcap_try(wth, err)) {
829 * Well, we couldn't even read it.
832 g_free(wth->capture.pcap);
837 * Well, it looks as if it might be 991029.
838 * Put the seek pointer back, and return success.
840 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
841 g_free(wth->capture.pcap);
848 * Try the next format.
854 * Well, it's not completely unreadable,
855 * but it's not ss991029. Try ss990915;
856 * there are no other types to try after that,
857 * so we put the seek pointer back and treat
860 wth->file_type = WTAP_FILE_PCAP_SS990915;
861 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
862 g_free(wth->capture.pcap);
867 * Well, we have the standard magic number.
869 * Try the standard format first.
871 wth->file_type = WTAP_FILE_PCAP;
872 switch (libpcap_try(wth, err)) {
876 * Well, we couldn't even read it.
879 g_free(wth->capture.pcap);
884 * Well, it looks as if it might be a standard
886 * Put the seek pointer back, and return success.
888 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
889 g_free(wth->capture.pcap);
896 * Try the next format.
902 * Well, it's not completely unreadable, but it's not
903 * a standard file. Put the seek pointer back and try
906 wth->file_type = WTAP_FILE_PCAP_SS990417;
907 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
908 g_free(wth->capture.pcap);
911 switch (libpcap_try(wth, err)) {
915 * Well, we couldn't even read it.
918 g_free(wth->capture.pcap);
923 * Well, it looks as if it might be ss990417.
924 * Put the seek pointer back, and return success.
926 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
927 g_free(wth->capture.pcap);
934 * Try the next format.
940 * Well, it's not completely unreadable,
941 * but it's not a standard file *nor* is it ss990417.
942 * Try it as a Nokia file; there are no other types
943 * to try after that, so we put the seek pointer back
944 * and treat it as a Nokia file.
946 wth->file_type = WTAP_FILE_PCAP_NOKIA;
947 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
948 g_free(wth->capture.pcap);
953 if (hdr.network == 13) {
955 * OK, if this was a Nokia capture, make it
956 * WTAP_ENCAP_ATM_PDUS, otherwise return
959 if (wth->file_type == WTAP_FILE_PCAP_NOKIA)
960 wth->file_encap = WTAP_ENCAP_ATM_PDUS;
962 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
963 *err_info = g_strdup_printf("pcap: network type %u unknown or unsupported",
972 /* Try to read the first two records of the capture file. */
973 static libpcap_try_t libpcap_try(wtap *wth, int *err)
976 * pcaprec_ss990915_hdr is the largest header type.
978 struct pcaprec_ss990915_hdr first_rec_hdr, second_rec_hdr;
981 * Attempt to read the first record's header.
983 if (libpcap_read_header(wth, err, NULL, &first_rec_hdr) == -1) {
984 if (*err == 0 || *err == WTAP_ERR_SHORT_READ) {
986 * EOF or short read - assume the file is in this
988 * When our client tries to read the first packet
989 * they will presumably get the same EOF or short
995 if (*err == WTAP_ERR_BAD_RECORD) {
997 * The first record is bogus, so this is probably
998 * a corrupt file. Assume the file is in this
999 * format. When our client tries to read the
1000 * first packet they will presumably get the
1001 * same bogus record.
1007 * Some other error, e.g. an I/O error; just give up.
1013 * Now skip over the first record's data, under the assumption
1014 * that the header is sane.
1016 if (file_seek(wth->fh, first_rec_hdr.hdr.incl_len, SEEK_CUR, err) == -1)
1020 * Now attempt to read the second record's header.
1022 if (libpcap_read_header(wth, err, NULL, &second_rec_hdr) == -1) {
1023 if (*err == 0 || *err == WTAP_ERR_SHORT_READ) {
1025 * EOF or short read - assume the file is in this
1027 * When our client tries to read the second packet
1028 * they will presumably get the same EOF or short
1034 if (*err == WTAP_ERR_BAD_RECORD) {
1036 * The second record is bogus; maybe it's a
1037 * Capture File From Hell, and what looks like
1038 * the "header" of the next packet is actually
1039 * random junk from the middle of a packet.
1040 * Try the next format; if we run out of formats,
1041 * it probably *is* a corrupt file.
1043 return OTHER_FORMAT;
1047 * Some other error, e.g. an I/O error; just give up.
1053 * OK, the first two records look OK; assume this is the
1059 /* Read the next packet */
1060 static gboolean libpcap_read(wtap *wth, int *err, gchar **err_info,
1063 struct pcaprec_ss990915_hdr hdr;
1067 guchar fddi_padding[3];
1069 bytes_read = libpcap_read_header(wth, err, err_info, &hdr);
1070 if (bytes_read == -1) {
1072 * We failed to read the header.
1077 wth->data_offset += bytes_read;
1078 packet_size = hdr.hdr.incl_len;
1079 orig_size = hdr.hdr.orig_len;
1082 * AIX appears to put 3 bytes of padding in front of FDDI
1083 * frames; strip that crap off.
1085 if (wth->file_type == WTAP_FILE_PCAP_AIX &&
1086 (wth->file_encap == WTAP_ENCAP_FDDI ||
1087 wth->file_encap == WTAP_ENCAP_FDDI_BITSWAPPED)) {
1089 * The packet size is really a record size and includes
1094 wth->data_offset += 3;
1099 if (!libpcap_read_rec_data(wth->fh, fddi_padding, 3, err))
1100 return FALSE; /* Read error */
1103 *data_offset = wth->data_offset;
1106 * If this is an ATM packet, the first four bytes are the
1107 * direction of the packet (transmit/receive), the VPI, and
1108 * the VCI; read them and generate the pseudo-header from
1111 switch (wth->file_encap) {
1113 case WTAP_ENCAP_ATM_PDUS:
1114 if (wth->file_type == WTAP_FILE_PCAP_NOKIA) {
1118 if (packet_size < sizeof (struct nokiaatm_hdr)) {
1120 * Uh-oh, the packet isn't big enough to even
1121 * have a pseudo-header.
1123 *err = WTAP_ERR_BAD_RECORD;
1124 *err_info = g_strdup_printf("libpcap: Nokia IPSO ATM file has a %u-byte packet, too small to have even an ATM pseudo-header\n",
1128 if (!libpcap_read_nokiaatm_pseudoheader(wth->fh,
1129 &wth->pseudo_header, err))
1130 return FALSE; /* Read error */
1133 * Don't count the pseudo-header as part of the
1136 orig_size -= sizeof (struct nokiaatm_hdr);
1137 packet_size -= sizeof (struct nokiaatm_hdr);
1138 wth->data_offset += sizeof (struct nokiaatm_hdr);
1143 if (packet_size < sizeof (struct sunatm_hdr)) {
1145 * Uh-oh, the packet isn't big enough to even
1146 * have a pseudo-header.
1148 *err = WTAP_ERR_BAD_RECORD;
1149 *err_info = g_strdup_printf("libpcap: SunATM file has a %u-byte packet, too small to have even an ATM pseudo-header\n",
1153 if (!libpcap_read_sunatm_pseudoheader(wth->fh,
1154 &wth->pseudo_header, err))
1155 return FALSE; /* Read error */
1158 * Don't count the pseudo-header as part of the
1161 orig_size -= sizeof (struct sunatm_hdr);
1162 packet_size -= sizeof (struct sunatm_hdr);
1163 wth->data_offset += sizeof (struct sunatm_hdr);
1167 case WTAP_ENCAP_ETHERNET:
1169 * We don't know whether there's an FCS in this frame or not.
1171 wth->pseudo_header.eth.fcs_len = -1;
1174 case WTAP_ENCAP_IEEE_802_11:
1175 case WTAP_ENCAP_PRISM_HEADER:
1176 case WTAP_ENCAP_IEEE_802_11_WLAN_RADIOTAP:
1177 case WTAP_ENCAP_IEEE_802_11_WLAN_AVS:
1179 * We don't know whether there's an FCS in this frame or not.
1180 * XXX - are there any OSes where the capture mechanism
1183 wth->pseudo_header.ieee_802_11.fcs_len = -1;
1186 case WTAP_ENCAP_IRDA:
1187 if (packet_size < sizeof (struct irda_sll_hdr)) {
1189 * Uh-oh, the packet isn't big enough to even
1190 * have a pseudo-header.
1192 *err = WTAP_ERR_BAD_RECORD;
1193 *err_info = g_strdup_printf("libpcap: IrDA file has a %u-byte packet, too small to have even an IrDA pseudo-header\n",
1197 if (!libpcap_read_irda_pseudoheader(wth->fh, &wth->pseudo_header,
1199 return FALSE; /* Read error */
1202 * Don't count the pseudo-header as part of the packet.
1204 orig_size -= sizeof (struct irda_sll_hdr);
1205 packet_size -= sizeof (struct irda_sll_hdr);
1206 wth->data_offset += sizeof (struct irda_sll_hdr);
1210 buffer_assure_space(wth->frame_buffer, packet_size);
1211 if (!libpcap_read_rec_data(wth->fh, buffer_start_ptr(wth->frame_buffer),
1213 return FALSE; /* Read error */
1214 wth->data_offset += packet_size;
1216 wth->phdr.ts.tv_sec = hdr.hdr.ts_sec;
1217 wth->phdr.ts.tv_usec = hdr.hdr.ts_usec;
1218 wth->phdr.caplen = packet_size;
1219 wth->phdr.len = orig_size;
1221 if (wth->file_encap == WTAP_ENCAP_ATM_PDUS) {
1222 if (wth->file_type == WTAP_FILE_PCAP_NOKIA) {
1226 * Guess the traffic type based on the packet
1229 atm_guess_traffic_type(buffer_start_ptr(wth->frame_buffer),
1230 wth->phdr.caplen, &wth->pseudo_header);
1235 * If this is ATM LANE traffic, try to guess what
1236 * type of LANE traffic it is based on the packet
1239 if (wth->pseudo_header.atm.type == TRAF_LANE) {
1240 atm_guess_lane_type(buffer_start_ptr(wth->frame_buffer),
1241 wth->phdr.caplen, &wth->pseudo_header);
1250 libpcap_seek_read(wtap *wth, long seek_off,
1251 union wtap_pseudo_header *pseudo_header, guchar *pd, int length,
1252 int *err, gchar **err_info)
1254 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
1257 switch (wth->file_encap) {
1259 case WTAP_ENCAP_ATM_PDUS:
1260 if (wth->file_type == WTAP_FILE_PCAP_NOKIA) {
1264 if (!libpcap_read_nokiaatm_pseudoheader(wth->random_fh,
1265 pseudo_header, err)) {
1273 if (!libpcap_read_sunatm_pseudoheader(wth->random_fh,
1274 pseudo_header, err)) {
1281 case WTAP_ENCAP_ETHERNET:
1283 * We don't know whether there's an FCS in this frame or not.
1285 pseudo_header->eth.fcs_len = -1;
1288 case WTAP_ENCAP_IEEE_802_11:
1289 case WTAP_ENCAP_PRISM_HEADER:
1290 case WTAP_ENCAP_IEEE_802_11_WLAN_RADIOTAP:
1291 case WTAP_ENCAP_IEEE_802_11_WLAN_AVS:
1293 * We don't know whether there's an FCS in this frame or not.
1294 * XXX - are there any OSes where the capture mechanism
1297 pseudo_header->ieee_802_11.fcs_len = -1;
1300 case WTAP_ENCAP_IRDA:
1301 if (!libpcap_read_irda_pseudoheader(wth->random_fh, pseudo_header,
1310 * Read the packet data.
1312 if (!libpcap_read_rec_data(wth->random_fh, pd, length, err))
1313 return FALSE; /* failed */
1315 if (wth->file_encap == WTAP_ENCAP_ATM_PDUS) {
1316 if (wth->file_type == WTAP_FILE_PCAP_NOKIA) {
1320 * Guess the traffic type based on the packet
1323 atm_guess_traffic_type(pd, length, pseudo_header);
1328 * If this is ATM LANE traffic, try to guess what
1329 * type of LANE traffic it is based on the packet
1332 if (pseudo_header->atm.type == TRAF_LANE)
1333 atm_guess_lane_type(pd, length, pseudo_header);
1339 /* Read the header of the next packet.
1341 Return -1 on an error, or the number of bytes of header read on success. */
1342 static int libpcap_read_header(wtap *wth, int *err, gchar **err_info,
1343 struct pcaprec_ss990915_hdr *hdr)
1345 int bytes_to_read, bytes_read;
1347 /* Read record header. */
1348 errno = WTAP_ERR_CANT_READ;
1349 switch (wth->file_type) {
1351 case WTAP_FILE_PCAP:
1352 case WTAP_FILE_PCAP_AIX:
1353 bytes_to_read = sizeof (struct pcaprec_hdr);
1356 case WTAP_FILE_PCAP_SS990417:
1357 case WTAP_FILE_PCAP_SS991029:
1358 bytes_to_read = sizeof (struct pcaprec_modified_hdr);
1361 case WTAP_FILE_PCAP_SS990915:
1362 bytes_to_read = sizeof (struct pcaprec_ss990915_hdr);
1365 case WTAP_FILE_PCAP_NOKIA:
1366 bytes_to_read = sizeof (struct pcaprec_nokia_hdr);
1370 g_assert_not_reached();
1373 bytes_read = file_read(hdr, 1, bytes_to_read, wth->fh);
1374 if (bytes_read != bytes_to_read) {
1375 *err = file_error(wth->fh);
1376 if (*err == 0 && bytes_read != 0) {
1377 *err = WTAP_ERR_SHORT_READ;
1382 adjust_header(wth, &hdr->hdr);
1384 if (hdr->hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
1386 * Probably a corrupt capture file; return an error,
1387 * so that our caller doesn't blow up trying to allocate
1388 * space for an immensely-large packet, and so that
1389 * the code to try to guess what type of libpcap file
1390 * this is can tell when it's not the type we're guessing
1393 *err = WTAP_ERR_BAD_RECORD;
1394 if (err_info != NULL) {
1395 *err_info = g_strdup_printf("pcap: File has %u-byte packet, bigger than maximum of %u",
1396 hdr->hdr.incl_len, WTAP_MAX_PACKET_SIZE);
1401 if (hdr->hdr.orig_len > WTAP_MAX_PACKET_SIZE) {
1403 * Probably a corrupt capture file; return an error,
1404 * so that our caller doesn't blow up trying to
1405 * cope with a huge "real" packet length, and so that
1406 * the code to try to guess what type of libpcap file
1407 * this is can tell when it's not the type we're guessing
1410 *err = WTAP_ERR_BAD_RECORD;
1411 if (err_info != NULL) {
1412 *err_info = g_strdup_printf("pcap: File has %u-byte packet, bigger than maximum of %u",
1413 hdr->hdr.orig_len, WTAP_MAX_PACKET_SIZE);
1422 adjust_header(wtap *wth, struct pcaprec_hdr *hdr)
1426 if (wth->capture.pcap->byte_swapped) {
1427 /* Byte-swap the record header fields. */
1428 hdr->ts_sec = BSWAP32(hdr->ts_sec);
1429 hdr->ts_usec = BSWAP32(hdr->ts_usec);
1430 hdr->incl_len = BSWAP32(hdr->incl_len);
1431 hdr->orig_len = BSWAP32(hdr->orig_len);
1434 /* If this is AIX, convert the time stamp from seconds/nanoseconds
1435 to seconds/microseconds. */
1436 if (wth->file_type == WTAP_FILE_PCAP_AIX)
1437 hdr->ts_usec = hdr->ts_usec/1000;
1439 /* Swap the "incl_len" and "orig_len" fields, if necessary. */
1440 switch (wth->capture.pcap->lengths_swapped) {
1446 if (hdr->incl_len <= hdr->orig_len) {
1448 * The captured length is <= the actual length,
1449 * so presumably they weren't swapped.
1456 temp = hdr->orig_len;
1457 hdr->orig_len = hdr->incl_len;
1458 hdr->incl_len = temp;
1464 libpcap_get_sunatm_pseudoheader(const struct sunatm_hdr *atm_phdr,
1465 union wtap_pseudo_header *pseudo_header)
1470 vpi = atm_phdr->vpi;
1471 vci = pntohs(&atm_phdr->vci);
1473 switch (atm_phdr->flags & 0x0F) {
1475 case 0x01: /* LANE */
1476 pseudo_header->atm.aal = AAL_5;
1477 pseudo_header->atm.type = TRAF_LANE;
1480 case 0x02: /* RFC 1483 LLC multiplexed traffic */
1481 pseudo_header->atm.aal = AAL_5;
1482 pseudo_header->atm.type = TRAF_LLCMX;
1485 case 0x05: /* ILMI */
1486 pseudo_header->atm.aal = AAL_5;
1487 pseudo_header->atm.type = TRAF_ILMI;
1490 case 0x06: /* Q.2931 */
1491 pseudo_header->atm.aal = AAL_SIGNALLING;
1492 pseudo_header->atm.type = TRAF_UNKNOWN;
1495 case 0x03: /* MARS (RFC 2022) */
1496 pseudo_header->atm.aal = AAL_5;
1497 pseudo_header->atm.type = TRAF_UNKNOWN;
1500 case 0x04: /* IFMP (Ipsilon Flow Management Protocol; see RFC 1954) */
1501 pseudo_header->atm.aal = AAL_5;
1502 pseudo_header->atm.type = TRAF_UNKNOWN; /* XXX - TRAF_IPSILON? */
1507 * Assume it's AAL5, unless it's VPI 0 and VCI 5, in which
1508 * case assume it's AAL_SIGNALLING; we know nothing more
1511 * XXX - is this necessary? Or are we guaranteed that
1512 * all signalling traffic has a type of 0x06?
1514 * XXX - is this guaranteed to be AAL5? Or, if the type is
1515 * 0x00 ("raw"), might it be non-AAL5 traffic?
1517 if (vpi == 0 && vci == 5)
1518 pseudo_header->atm.aal = AAL_SIGNALLING;
1520 pseudo_header->atm.aal = AAL_5;
1521 pseudo_header->atm.type = TRAF_UNKNOWN;
1524 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1526 pseudo_header->atm.vpi = vpi;
1527 pseudo_header->atm.vci = vci;
1528 pseudo_header->atm.channel = (atm_phdr->flags & 0x80) ? 0 : 1;
1530 /* We don't have this information */
1531 pseudo_header->atm.flags = 0;
1532 pseudo_header->atm.cells = 0;
1533 pseudo_header->atm.aal5t_u2u = 0;
1534 pseudo_header->atm.aal5t_len = 0;
1535 pseudo_header->atm.aal5t_chksum = 0;
1539 libpcap_read_sunatm_pseudoheader(FILE_T fh,
1540 union wtap_pseudo_header *pseudo_header, int *err)
1542 struct sunatm_hdr atm_phdr;
1545 errno = WTAP_ERR_CANT_READ;
1546 bytes_read = file_read(&atm_phdr, 1, sizeof (struct sunatm_hdr), fh);
1547 if (bytes_read != sizeof (struct sunatm_hdr)) {
1548 *err = file_error(fh);
1550 *err = WTAP_ERR_SHORT_READ;
1554 libpcap_get_sunatm_pseudoheader(&atm_phdr, pseudo_header);
1560 libpcap_read_nokiaatm_pseudoheader(FILE_T fh,
1561 union wtap_pseudo_header *pseudo_header, int *err)
1563 struct nokiaatm_hdr atm_phdr;
1568 errno = WTAP_ERR_CANT_READ;
1569 bytes_read = file_read(&atm_phdr, 1, sizeof (struct nokiaatm_hdr), fh);
1570 if (bytes_read != sizeof (struct nokiaatm_hdr)) {
1571 *err = file_error(fh);
1573 *err = WTAP_ERR_SHORT_READ;
1578 vci = pntohs(&atm_phdr.vci);
1580 pseudo_header->atm.vpi = vpi;
1581 pseudo_header->atm.vci = vci;
1582 pseudo_header->atm.channel = (atm_phdr.flags & 0x80) ? 0 : 1;
1584 /* We don't have this information */
1585 pseudo_header->atm.flags = 0;
1586 pseudo_header->atm.cells = 0;
1587 pseudo_header->atm.aal5t_u2u = 0;
1588 pseudo_header->atm.aal5t_len = 0;
1589 pseudo_header->atm.aal5t_chksum = 0;
1595 libpcap_get_irda_pseudoheader(const struct irda_sll_hdr *irda_phdr,
1596 union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info)
1598 if (pntohs(&irda_phdr->sll_protocol) != 0x0017) {
1599 *err = WTAP_ERR_BAD_RECORD;
1600 if (err_info != NULL)
1601 *err_info = g_strdup("libpcap: IrDA capture has a packet with an invalid sll_protocol field\n");
1605 pseudo_header->irda.pkttype = pntohs(&irda_phdr->sll_pkttype);
1611 libpcap_read_irda_pseudoheader(FILE_T fh, union wtap_pseudo_header *pseudo_header,
1612 int *err, gchar **err_info)
1614 struct irda_sll_hdr irda_phdr;
1617 errno = WTAP_ERR_CANT_READ;
1618 bytes_read = file_read(&irda_phdr, 1, sizeof (struct irda_sll_hdr), fh);
1619 if (bytes_read != sizeof (struct irda_sll_hdr)) {
1620 *err = file_error(fh);
1622 *err = WTAP_ERR_SHORT_READ;
1626 return libpcap_get_irda_pseudoheader(&irda_phdr, pseudo_header, err,
1631 libpcap_read_rec_data(FILE_T fh, guchar *pd, int length, int *err)
1635 errno = WTAP_ERR_CANT_READ;
1636 bytes_read = file_read(pd, 1, length, fh);
1638 if (bytes_read != length) {
1639 *err = file_error(fh);
1641 *err = WTAP_ERR_SHORT_READ;
1648 libpcap_close(wtap *wth)
1650 g_free(wth->capture.pcap);
1653 static int wtap_wtap_encap_to_pcap_encap(int encap)
1659 case WTAP_ENCAP_FDDI:
1660 case WTAP_ENCAP_FDDI_BITSWAPPED:
1662 * Special-case WTAP_ENCAP_FDDI and
1663 * WTAP_ENCAP_FDDI_BITSWAPPED; both of them get mapped
1664 * to DLT_FDDI (even though that may mean that the bit
1665 * order in the FDDI MAC addresses is wrong; so it goes
1666 * - libpcap format doesn't record the byte order,
1667 * so that's not fixable).
1669 return 10; /* that's DLT_FDDI */
1671 case WTAP_ENCAP_PPP_WITH_PHDR:
1673 * Also special-case PPP with direction bits; map it to
1674 * PPP, even though that means that the direction of the
1679 case WTAP_ENCAP_FRELAY_WITH_PHDR:
1681 * Do the same with Frame Relay.
1685 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
1687 * Map this to DLT_IEEE802_11, for now, even though
1688 * that means the radio information will be lost.
1689 * Once tcpdump support for the BSD radiotap header
1690 * is sufficiently widespread, we should probably
1691 * use that, instead - although we should probably
1692 * ultimately just have WTAP_ENCAP_IEEE_802_11
1693 * as the only Wiretap encapsulation for 802.11,
1694 * and have the pseudo-header include a radiotap-style
1695 * list of attributes. If we do that, though, we
1696 * should probably bypass the regular Wiretap code
1697 * when writing out packets during a capture, and just
1698 * do the equivalent of a libpcap write (unfortunately,
1699 * libpcap doesn't have an "open dump by file descriptor"
1700 * function, so we can't just use "pcap_dump()"), so
1701 * that we don't spend cycles mapping from libpcap to
1702 * Wiretap and then back to libpcap. (There are other
1703 * reasons to do that, e.g. to handle AIX libpcap better.)
1708 for (i = 0; i < NUM_PCAP_ENCAPS; i++) {
1709 if (pcap_to_wtap_map[i].wtap_encap_value == encap)
1710 return pcap_to_wtap_map[i].dlt_value;
1717 * Given a Wiretap encapsulation type, and raw packet data and the packet
1718 * header from libpcap, process any pseudo-header in the packet,
1719 * fill in the Wiretap packet header, and return a pointer to the
1720 * beginning of the non-pseudo-header data in the packet.
1723 wtap_process_pcap_packet(gint linktype, const struct pcap_pkthdr *phdr,
1724 const guchar *pd, union wtap_pseudo_header *pseudo_header,
1725 struct wtap_pkthdr *whdr, int *err)
1727 /* "phdr->ts" may not necessarily be a "struct timeval" - it may
1728 be a "struct bpf_timeval", with member sizes wired to 32
1729 bits - and we may go that way ourselves in the future, so
1730 copy the members individually. */
1731 whdr->ts.tv_sec = phdr->ts.tv_sec;
1732 whdr->ts.tv_usec = phdr->ts.tv_usec;
1733 whdr->caplen = phdr->caplen;
1734 whdr->len = phdr->len;
1735 whdr->pkt_encap = linktype;
1738 * If this is an ATM packet, the first four bytes are the
1739 * direction of the packet (transmit/receive), the VPI, and
1740 * the VCI; read them and generate the pseudo-header from
1743 if (linktype == WTAP_ENCAP_ATM_PDUS) {
1744 if (whdr->caplen < sizeof (struct sunatm_hdr)) {
1746 * Uh-oh, the packet isn't big enough to even
1747 * have a pseudo-header.
1749 g_message("libpcap: SunATM capture has a %u-byte packet, too small to have even an ATM pseudo-header\n",
1751 *err = WTAP_ERR_BAD_RECORD;
1754 libpcap_get_sunatm_pseudoheader((const struct sunatm_hdr *)pd,
1758 * Don't count the pseudo-header as part of the packet.
1760 whdr->len -= sizeof (struct sunatm_hdr);
1761 whdr->caplen -= sizeof (struct sunatm_hdr);
1762 pd += sizeof (struct sunatm_hdr);
1765 * If this is ATM LANE traffic, try to guess what type of
1766 * LANE traffic it is based on the packet contents.
1768 if (pseudo_header->atm.type == TRAF_LANE)
1769 atm_guess_lane_type(pd, whdr->caplen, pseudo_header);
1771 else if (linktype == WTAP_ENCAP_IRDA) {
1772 if (whdr->caplen < sizeof (struct irda_sll_hdr)) {
1774 * Uh-oh, the packet isn't big enough to even
1775 * have a pseudo-header.
1777 g_message("libpcap: IrDA capture has a %u-byte packet, too small to have even an IrDA pseudo-header\n",
1779 *err = WTAP_ERR_BAD_RECORD;
1782 if (!libpcap_get_irda_pseudoheader((const struct irda_sll_hdr *)pd,
1783 pseudo_header, err, NULL))
1787 * Don't count the pseudo-header as part of the packet.
1789 whdr->len -= sizeof (struct irda_sll_hdr);
1790 whdr->caplen -= sizeof (struct irda_sll_hdr);
1791 pd += sizeof (struct irda_sll_hdr);
1797 /* Returns 0 if we could write the specified encapsulation type,
1798 an error indication otherwise. */
1799 int libpcap_dump_can_write_encap(int encap)
1801 /* Per-packet encapsulations aren't supported. */
1802 if (encap == WTAP_ENCAP_PER_PACKET)
1803 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
1805 if (wtap_wtap_encap_to_pcap_encap(encap) == -1)
1806 return WTAP_ERR_UNSUPPORTED_ENCAP;
1811 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
1813 gboolean libpcap_dump_open(wtap_dumper *wdh, gboolean cant_seek _U_, int *err)
1816 struct pcap_hdr file_hdr;
1819 /* This is a libpcap file */
1820 wdh->subtype_write = libpcap_dump;
1821 wdh->subtype_close = NULL;
1823 /* Write the file header. */
1824 switch (wdh->file_type) {
1826 case WTAP_FILE_PCAP:
1827 case WTAP_FILE_PCAP_SS990417: /* modified, but with the old magic, sigh */
1828 case WTAP_FILE_PCAP_NOKIA: /* Nokia libpcap of some sort */
1832 case WTAP_FILE_PCAP_SS990915: /* new magic, extra crap */
1833 case WTAP_FILE_PCAP_SS991029:
1834 magic = PCAP_MODIFIED_MAGIC;
1838 /* We should never get here - our open routine
1839 should only get called for the types above. */
1840 *err = WTAP_ERR_UNSUPPORTED_FILE_TYPE;
1844 nwritten = fwrite(&magic, 1, sizeof magic, wdh->fh);
1845 if (nwritten != sizeof magic) {
1846 if (nwritten == 0 && ferror(wdh->fh))
1849 *err = WTAP_ERR_SHORT_WRITE;
1852 wdh->bytes_dumped += sizeof magic;
1854 /* current "libpcap" format is 2.4 */
1855 file_hdr.version_major = 2;
1856 file_hdr.version_minor = 4;
1857 file_hdr.thiszone = 0; /* XXX - current offset? */
1858 file_hdr.sigfigs = 0; /* unknown, but also apparently unused */
1860 * Tcpdump cannot handle capture files with a snapshot length of 0,
1861 * as BPF filters return either 0 if they fail or the snapshot length
1862 * if they succeed, and a snapshot length of 0 means success is
1863 * indistinguishable from failure and the filter expression would
1864 * reject all packets.
1866 * A snapshot length of 0, inside Wiretap, means "snapshot length
1867 * unknown"; if the snapshot length supplied to us is 0, we make
1868 * the snapshot length in the header file WTAP_MAX_PACKET_SIZE.
1870 file_hdr.snaplen = (wdh->snaplen != 0) ? wdh->snaplen :
1871 WTAP_MAX_PACKET_SIZE;
1872 file_hdr.network = wtap_wtap_encap_to_pcap_encap(wdh->encap);
1873 nwritten = fwrite(&file_hdr, 1, sizeof file_hdr, wdh->fh);
1874 if (nwritten != sizeof file_hdr) {
1875 if (nwritten == 0 && ferror(wdh->fh))
1878 *err = WTAP_ERR_SHORT_WRITE;
1881 wdh->bytes_dumped += sizeof file_hdr;
1886 /* Write a record for a packet to a dump file.
1887 Returns TRUE on success, FALSE on failure. */
1888 static gboolean libpcap_dump(wtap_dumper *wdh,
1889 const struct wtap_pkthdr *phdr,
1890 const union wtap_pseudo_header *pseudo_header _U_,
1891 const guchar *pd, int *err)
1893 struct pcaprec_ss990915_hdr rec_hdr;
1896 struct sunatm_hdr atm_hdr;
1897 struct irda_sll_hdr irda_hdr;
1900 if (wdh->encap == WTAP_ENCAP_ATM_PDUS)
1901 hdrsize = sizeof (struct sunatm_hdr);
1902 else if (wdh->encap == WTAP_ENCAP_IRDA)
1903 hdrsize = sizeof (struct irda_sll_hdr);
1907 rec_hdr.hdr.ts_sec = phdr->ts.tv_sec;
1908 rec_hdr.hdr.ts_usec = phdr->ts.tv_usec;
1909 rec_hdr.hdr.incl_len = phdr->caplen + hdrsize;
1910 rec_hdr.hdr.orig_len = phdr->len + hdrsize;
1911 switch (wdh->file_type) {
1913 case WTAP_FILE_PCAP:
1914 hdr_size = sizeof (struct pcaprec_hdr);
1917 case WTAP_FILE_PCAP_SS990417: /* modified, but with the old magic, sigh */
1918 case WTAP_FILE_PCAP_SS991029:
1919 /* XXX - what should we supply here?
1921 Alexey's "libpcap" looks up the interface in the system's
1922 interface list if "ifindex" is non-zero, and prints
1923 the interface name. It ignores "protocol", and uses
1924 "pkt_type" to tag the packet as "host", "broadcast",
1925 "multicast", "other host", "outgoing", or "none of the
1926 above", but that's it.
1928 If the capture we're writing isn't a modified or
1929 RH 6.1 capture, we'd have to do some work to
1930 generate the packet type and interface index - and
1931 we can't generate the interface index unless we
1932 just did the capture ourselves in any case.
1934 I'm inclined to continue to punt; systems other than
1935 those with the older patch can read standard "libpcap"
1936 files, and systems with the older patch, e.g. RH 6.1,
1937 will just have to live with this. */
1938 rec_hdr.ifindex = 0;
1939 rec_hdr.protocol = 0;
1940 rec_hdr.pkt_type = 0;
1941 hdr_size = sizeof (struct pcaprec_modified_hdr);
1944 case WTAP_FILE_PCAP_SS990915: /* new magic, extra crap at the end */
1945 rec_hdr.ifindex = 0;
1946 rec_hdr.protocol = 0;
1947 rec_hdr.pkt_type = 0;
1950 hdr_size = sizeof (struct pcaprec_ss990915_hdr);
1953 case WTAP_FILE_PCAP_NOKIA: /* old magic, extra crap at the end */
1954 rec_hdr.ifindex = 0;
1955 rec_hdr.protocol = 0;
1956 rec_hdr.pkt_type = 0;
1959 hdr_size = sizeof (struct pcaprec_nokia_hdr);
1963 /* We should never get here - our open routine
1964 should only get called for the types above. */
1965 g_assert_not_reached();
1966 *err = WTAP_ERR_UNSUPPORTED_FILE_TYPE;
1970 nwritten = fwrite(&rec_hdr, 1, hdr_size, wdh->fh);
1971 if (nwritten != hdr_size) {
1972 if (nwritten == 0 && ferror(wdh->fh))
1975 *err = WTAP_ERR_SHORT_WRITE;
1978 wdh->bytes_dumped += hdr_size;
1980 if (wdh->encap == WTAP_ENCAP_ATM_PDUS) {
1982 * Write the ATM header.
1985 (pseudo_header->atm.channel == 0) ? 0x80 : 0x00;
1986 switch (pseudo_header->atm.aal) {
1988 case AAL_SIGNALLING:
1990 atm_hdr.flags |= 0x06;
1994 switch (pseudo_header->atm.type) {
1998 atm_hdr.flags |= 0x01;
2002 /* RFC 1483 LLC multiplexed traffic */
2003 atm_hdr.flags |= 0x02;
2008 atm_hdr.flags |= 0x05;
2013 atm_hdr.vpi = (guint8) pseudo_header->atm.vpi;
2014 atm_hdr.vci = phtons(&pseudo_header->atm.vci);
2015 nwritten = fwrite(&atm_hdr, 1, sizeof atm_hdr, wdh->fh);
2016 if (nwritten != sizeof atm_hdr) {
2017 if (nwritten == 0 && ferror(wdh->fh))
2020 *err = WTAP_ERR_SHORT_WRITE;
2023 wdh->bytes_dumped += sizeof atm_hdr;
2025 else if (wdh->encap == WTAP_ENCAP_IRDA) {
2027 * Write the IrDA header.
2029 memset(&irda_hdr, 0, sizeof(irda_hdr));
2030 irda_hdr.sll_pkttype = phtons(&pseudo_header->irda.pkttype);
2031 irda_hdr.sll_protocol = g_htons(0x0017);
2032 nwritten = fwrite(&irda_hdr, 1, sizeof(irda_hdr), wdh->fh);
2033 if (nwritten != sizeof(irda_hdr)) {
2034 if (nwritten == 0 && ferror(wdh->fh))
2037 *err = WTAP_ERR_SHORT_WRITE;
2040 wdh->bytes_dumped += sizeof(irda_hdr);
2043 nwritten = fwrite(pd, 1, phdr->caplen, wdh->fh);
2044 if (nwritten != phdr->caplen) {
2045 if (nwritten == 0 && ferror(wdh->fh))
2048 *err = WTAP_ERR_SHORT_WRITE;
2051 wdh->bytes_dumped += phdr->caplen;