3 * $Id: libpcap.c,v 1.102 2003/12/18 19:07:13 guy Exp $
6 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 #include "file_wrappers.h"
37 # ifdef HAVE_SYS_TYPES_H
38 # include <sys/types.h>
41 #include "wtap-capture.h"
45 * The link-layer header on ATM packets.
48 guint8 flags; /* destination and traffic type */
50 guint16 vci; /* VCI */
54 * The fake link-layer header of IrDA packets as introduced by Jean Tourrilhes
58 guint16 sll_pkttype; /* packet type */
59 guint8 unused[12]; /* usused SLL header fields */
60 guint16 sll_protocol; /* protocol, should be 0x0017 */
63 /* See source to the "libpcap" library for information on the "libpcap"
66 /* On some systems, the FDDI MAC addresses are bit-swapped. */
67 #if !defined(ultrix) && !defined(__alpha) && !defined(__bsdi__)
68 #define BIT_SWAPPED_MAC_ADDRS
71 /* Try to read the first two records of the capture file. */
73 THIS_FORMAT, /* the reads succeeded, assume it's this format */
74 BAD_READ, /* the file is probably not valid */
75 OTHER_FORMAT /* the file may be valid, but not in this format */
77 static libpcap_try_t libpcap_try(wtap *wth, int *err);
79 static gboolean libpcap_read(wtap *wth, int *err, long *data_offset);
80 static gboolean libpcap_seek_read(wtap *wth, long seek_off,
81 union wtap_pseudo_header *pseudo_header, guchar *pd, int length, int *err);
82 static int libpcap_read_header(wtap *wth, int *err,
83 struct pcaprec_ss990915_hdr *hdr, gboolean silent);
84 static void adjust_header(wtap *wth, struct pcaprec_hdr *hdr);
85 static void libpcap_get_atm_pseudoheader(const struct sunatm_hdr *atm_phdr,
86 union wtap_pseudo_header *pseudo_header);
87 static gboolean libpcap_read_atm_pseudoheader(FILE_T fh,
88 union wtap_pseudo_header *pseudo_header, int *err);
89 static gboolean libpcap_get_irda_pseudoheader(const struct irda_sll_hdr *irda_phdr,
90 union wtap_pseudo_header *pseudo_header, int *err);
91 static gboolean libpcap_read_irda_pseudoheader(FILE_T fh,
92 union wtap_pseudo_header *pseudo_header, int *err);
93 static gboolean libpcap_read_rec_data(FILE_T fh, guchar *pd, int length,
95 static void libpcap_close(wtap *wth);
96 static gboolean libpcap_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
97 const union wtap_pseudo_header *pseudo_header, const guchar *pd, int *err);
100 * Either LBL NRG wasn't an adequate central registry (e.g., because of
101 * the slow rate of releases from them), or nobody bothered using them
102 * as a central registry, as many different groups have patched libpcap
103 * (and BPF, on the BSDs) to add new encapsulation types, and have ended
104 * up using the same DLT_ values for different encapsulation types.
106 * For those numerical encapsulation type values that everybody uses for
107 * the same encapsulation type (which inclues those that some platforms
108 * specify different DLT_ names for but don't appear to use), we map
109 * those values to the appropriate Wiretap values.
111 * For those numerical encapsulation type values that different libpcap
112 * variants use for different encapsulation types, we check what
113 * <pcap.h> defined to determine how to interpret them, so that we
114 * interpret them the way the libpcap with which we're building
115 * Ethereal/Wiretap interprets them (which, if it doesn't support
116 * them at all, means we don't support them either - any capture files
117 * using them are foreign, and we don't hazard a guess as to which
118 * platform they came from; we could, I guess, choose the most likely
121 * Note: if you need a new encapsulation type for libpcap files, do
122 * *N*O*T* use *ANY* of the values listed here! I.e., do *NOT*
123 * add a new encapsulation type by changing an existing entry;
124 * leave the existing entries alone.
126 * Instead, send mail to tcpdump-workers@tcpdump.org, asking for a new
127 * DLT_ value, and specifying the purpose of the new value. When you
128 * get the new DLT_ value, use that numerical value in the "dlt_value"
129 * field of "pcap_to_wtap_map[]".
132 static const struct {
134 int wtap_encap_value;
135 } pcap_to_wtap_map[] = {
137 * These are the values that are almost certainly the same
138 * in all libpcaps (I've yet to find one where the values
139 * in question are used for some purpose other than the
140 * one below, but...), and that Wiretap and Ethereal
143 { 0, WTAP_ENCAP_NULL }, /* null encapsulation */
144 { 1, WTAP_ENCAP_ETHERNET },
145 { 6, WTAP_ENCAP_TOKEN_RING }, /* IEEE 802 Networks - assume token ring */
146 { 7, WTAP_ENCAP_ARCNET },
147 { 8, WTAP_ENCAP_SLIP },
148 { 9, WTAP_ENCAP_PPP },
149 #ifdef BIT_SWAPPED_MAC_ADDRS
150 { 10, WTAP_ENCAP_FDDI_BITSWAPPED },
152 { 10, WTAP_ENCAP_FDDI },
156 * 50 is DLT_PPP_SERIAL in NetBSD; it appears that DLT_PPP
157 * on BSD (at least according to standard tcpdump) has, as
158 * the first octet, an indication of whether the packet was
159 * transmitted or received (rather than having the standard
160 * PPP address value of 0xff), but that DLT_PPP_SERIAL puts
161 * a real live PPP header there, or perhaps a Cisco PPP header
162 * as per section 4.3.1 of RFC 1547 (implementations of this
163 * exist in various BSDs in "sys/net/if_spppsubr.c", and
164 * I think also exist either in standard Linux or in
165 * various Linux patches; the implementations show how to handle
166 * Cisco keepalive packets).
168 * However, I don't see any obvious place in FreeBSD "if_ppp.c"
169 * where anything other than the standard PPP header would be
170 * passed up. I see some stuff that sets the first octet
171 * to 0 for incoming and 1 for outgoing packets before applying
172 * a BPF filter to see whether to drop packets whose protocol
173 * field has the 0x8000 bit set, i.e. network control protocols -
174 * those are handed up to userland - but that code puts the
175 * address field back before passing the packet up.
177 * I also don't see anything immediately obvious that munges
178 * the address field for sync PPP, either.
180 * Ethereal currently assumes that if the first octet of a
181 * PPP frame is 0xFF, it's the address field and is followed
182 * by a control field and a 2-byte protocol, otherwise the
183 * address and control fields are absent and the frame begins
184 * with a protocol field. If we ever see a BSD/OS PPP
185 * capture, we'll have to handle it differently, and we may
186 * have to handle standard BSD captures differently if, in fact,
187 * they don't have 0xff 0x03 as the first two bytes - but, as per
188 * the two paragraphs preceding this, it's not clear that
189 * the address field *is* munged into an incoming/outgoing
190 * field when the packet is handed to the BPF device.
192 * For now, we just map DLT_PPP_SERIAL to WTAP_ENCAP_PPP, as
193 * we treat WTAP_ENCAP_PPP packets as if those beginning with
194 * 0xff have the standard RFC 1662 "PPP in HDLC-like Framing"
195 * 0xff 0x03 address/control header, and DLT_PPP_SERIAL frames
196 * appear to contain that unless they're Cisco frames (if we
197 * ever see a capture with them, we'd need to implement the
198 * RFC 1547 stuff, and the keepalive protocol stuff).
200 * We may have to distinguish between "PPP where if it doesn't
201 * begin with 0xff there's no HDLC encapsulation and the frame
202 * begins with the protocol field" (which is how we handle
203 * WTAP_ENCAP_PPP now) and "PPP where there's either HDLC
204 * encapsulation or Cisco PPP" (which is what DLT_PPP_SERIAL
207 * XXX - NetBSD has DLT_HDLC, which appears to be used for
208 * Cisco HDLC. Ideally, they should use DLT_PPP_SERIAL
209 * only for real live HDLC-encapsulated PPP, not for Cisco
212 { 50, WTAP_ENCAP_PPP },
215 * These are the values that libpcap 0.5 and later use in
216 * capture file headers, in an attempt to work around the
217 * confusion decried above, and that Wiretap and Ethereal
220 { 100, WTAP_ENCAP_ATM_RFC1483 },
221 { 101, WTAP_ENCAP_RAW_IP },
224 * More values used by libpcap 0.5 as DLT_ values and used by the
225 * current CVS version of libpcap in capture file headers.
226 * They are not yet handled in Ethereal.
227 * If we get a capture that contains them, we'll implement them.
229 { 102, WTAP_ENCAP_SLIP_BSDOS },
230 { 103, WTAP_ENCAP_PPP_BSDOS },
234 * These ones are handled in Ethereal, though.
236 { 104, WTAP_ENCAP_CHDLC }, /* Cisco HDLC */
237 { 105, WTAP_ENCAP_IEEE_802_11 }, /* IEEE 802.11 */
238 { 106, WTAP_ENCAP_LINUX_ATM_CLIP },
239 { 107, WTAP_ENCAP_FRELAY }, /* Frame Relay */
240 { 108, WTAP_ENCAP_NULL }, /* OpenBSD loopback */
241 { 109, WTAP_ENCAP_ENC }, /* OpenBSD IPSEC enc */
243 { 110, WTAP_ENCAP_LANE_802_3 },/* ATM LANE 802.3 */
244 { 111, WTAP_ENCAP_HIPPI }, /* NetBSD HIPPI */
246 { 112, WTAP_ENCAP_CHDLC }, /* NetBSD HDLC framing */
249 * Linux "cooked mode" captures, used by the current CVS version
252 { 113, WTAP_ENCAP_SLL }, /* Linux cooked capture */
254 { 114, WTAP_ENCAP_LOCALTALK }, /* Localtalk */
257 * The tcpdump.org version of libpcap uses 117, rather than 17,
258 * for OpenBSD packet filter logging, so as to avoid conflicting
259 * with DLT_LANE8023 in SuSE 6.3 libpcap.
261 { 117, WTAP_ENCAP_PFLOG },
263 { 118, WTAP_ENCAP_CISCO_IOS },
264 { 119, WTAP_ENCAP_PRISM_HEADER }, /* Prism monitor mode hdr */
265 { 121, WTAP_ENCAP_HHDLC }, /* HiPath HDLC */
266 { 122, WTAP_ENCAP_IP_OVER_FC }, /* RFC 2625 IP-over-FC */
267 { 123, WTAP_ENCAP_ATM_PDUS }, /* SunATM */
268 { 127, WTAP_ENCAP_WLAN_HEADER }, /* 802.11 plus WLAN header */
269 { 128, WTAP_ENCAP_TZSP }, /* Tazmen Sniffer Protocol */
270 { 129, WTAP_ENCAP_ARCNET_LINUX },
273 * Values 130 thorugh 137 are reserved for use in Juniper
276 * 138 is reserved for Apple IP-over-IEEE 1394.
279 { 144, WTAP_ENCAP_IRDA }, /* IrDA capture */
281 { 140, WTAP_ENCAP_MTP2 },
282 { 141, WTAP_ENCAP_MTP3 },
287 * If you need a new encapsulation type for libpcap files, do
288 * *N*O*T* use *ANY* of the values listed here! I.e., do *NOT*
289 * add a new encapsulation type by changing an existing entry;
290 * leave the existing entries alone.
292 * Instead, send mail to tcpdump-workers@tcpdump.org, asking for
293 * a new DLT_ value, and specifying the purpose of the new value.
294 * When you get the new DLT_ value, use that numerical value in
295 * the "dlt_value" field of "pcap_to_wtap_map[]".
299 * The following are entries for libpcap type values that have
300 * different meanings on different OSes.
302 * We put these *after* the entries for the platform-independent
303 * libpcap type values for those Wiretap encapsulation types, so
304 * that Ethereal chooses the platform-independent libpcap type
305 * value for those encapsulatioin types, not the platform-dependent
310 * 11 is DLT_ATM_RFC1483 on most platforms; the only libpcaps I've
311 * seen that define anything other than DLT_ATM_RFC1483 as 11 are
312 * the BSD/OS one, which defines DLT_FR as 11, and libpcap 0.5,
313 * which define it as 100, mapping the kernel's value to 100, in
314 * an attempt to hide the different values used on different
317 * If this is a platform where DLT_FR is defined as 11, we
318 * don't handle 11 at all; otherwise, we handle it as
319 * DLT_ATM_RFC1483 (this means we'd misinterpret Frame Relay
320 * captures from BSD/OS if running on platforms other than BSD/OS,
323 * 1) we don't yet support DLT_FR
327 * 2) nothing short of a heuristic would let us interpret
330 #if defined(DLT_FR) && (DLT_FR == 11)
331 { 11, WTAP_ENCAP_FRELAY },
333 { 11, WTAP_ENCAP_ATM_RFC1483 },
337 * 12 is DLT_RAW on most platforms, but it's DLT_C_HDLC on
338 * BSD/OS, and DLT_LOOP on OpenBSD.
340 * We don't yet handle DLT_C_HDLC, but we can handle DLT_LOOP
341 * (it's just like DLT_NULL, only with the AF_ value in network
342 * rather than host byte order - Ethereal figures out the
343 * byte order from the data, so we don't care what byte order
344 * it's in), so if DLT_LOOP is defined as 12, interpret 12
345 * as WTAP_ENCAP_NULL, otherwise, unless DLT_C_HDLC is defined
346 * as 12, interpret it as WTAP_ENCAP_RAW_IP.
348 #if defined(DLT_LOOP) && (DLT_LOOP == 12)
349 { 12, WTAP_ENCAP_NULL },
350 #elif defined(DLT_C_HDLC) && (DLT_C_HDLC == 12)
352 * Put entry for Cisco HDLC here.
353 * XXX - is this just WTAP_ENCAP_CHDLC, i.e. does the frame
354 * start with a 4-byte Cisco HDLC header?
357 { 12, WTAP_ENCAP_RAW_IP },
361 * 13 is DLT_SLIP_BSDOS on FreeBSD and NetBSD, but those OSes
362 * don't actually generate it. I infer that BSD/OS translates
363 * DLT_SLIP from the kernel BPF code to DLT_SLIP_BSDOS in
364 * libpcap, as the BSD/OS link-layer header is different;
365 * however, in BSD/OS, DLT_SLIP_BSDOS is 15.
367 * From this, I infer that there's no point in handling 13
370 * 13 is DLT_ATM_RFC1483 on BSD/OS.
372 * 13 is DLT_ENC in OpenBSD, which is, I suspect, some kind
373 * of decrypted IPSEC traffic.
375 #if defined(DLT_ATM_RFC1483) && (DLT_ATM_RFC1483 == 13)
376 { 13, WTAP_ENCAP_ATM_RFC1483 },
377 #elif defined(DLT_ENC) && (DLT_ENC == 13)
378 { 13, WTAP_ENCAP_ENC },
382 * 14 is DLT_PPP_BSDOS on FreeBSD and NetBSD, but those OSes
383 * don't actually generate it. I infer that BSD/OS translates
384 * DLT_PPP from the kernel BPF code to DLT_PPP_BSDOS in
385 * libpcap, as the BSD/OS link-layer header is different;
386 * however, in BSD/OS, DLT_PPP_BSDOS is 16.
388 * From this, I infer that there's no point in handling 14
391 * 14 is DLT_RAW on BSD/OS and OpenBSD.
393 { 14, WTAP_ENCAP_RAW_IP },
398 * DLT_SLIP_BSDOS on BSD/OS;
400 * DLT_HIPPI on NetBSD;
402 * DLT_LANE8023 with Alexey Kuznetzov's patches for
405 * DLT_I4L_RAWIP with the ISDN4Linux patches for libpcap
408 * but we don't currently handle any of those.
414 * DLT_PPP_BSDOS on BSD/OS;
416 * DLT_HDLC on NetBSD (Cisco HDLC);
418 * DLT_CIP with Alexey Kuznetzov's patches for
419 * Linux libpcap - this is WTAP_ENCAP_LINUX_ATM_CLIP;
421 * DLT_I4L_IP with the ISDN4Linux patches for libpcap
424 #if defined(DLT_CIP) && (DLT_CIP == 16)
425 { 16, WTAP_ENCAP_LINUX_ATM_CLIP },
427 #if defined(DLT_HDLC) && (DLT_HDLC == 16)
428 { 16, WTAP_ENCAP_CHDLC },
432 * 17 is DLT_LANE8023 in SuSE 6.3 libpcap; we don't currently
434 * It is also used as the PF (Packet Filter) logging format beginning
435 * with OpenBSD 3.0; we use 17 for PF logs unless DLT_LANE8023 is
436 * defined with the value 17.
438 #if !defined(DLT_LANE8023) || (DLT_LANE8023 != 17)
439 { 17, WTAP_ENCAP_OLD_PFLOG },
443 * 18 is DLT_CIP in SuSE 6.3 libpcap; if it's the same as the
444 * DLT_CIP of 16 that the Alexey Kuznetzov patches for
445 * libpcap/tcpdump define, it's WTAP_ENCAP_LINUX_ATM_CLIP.
446 * I've not found any libpcap that uses it for any other purpose -
447 * hopefully nobody will do so in the future.
449 { 18, WTAP_ENCAP_LINUX_ATM_CLIP },
452 * 19 is DLT_ATM_CLIP in the libpcap/tcpdump patches in the
453 * recent versions I've seen of the Linux ATM distribution;
454 * I've not yet found any libpcap that uses it for any other
455 * purpose - hopefully nobody will do so in the future.
457 { 19, WTAP_ENCAP_LINUX_ATM_CLIP },
462 * If you need a new encapsulation type for libpcap files, do
463 * *N*O*T* use *ANY* of the values listed here! I.e., do *NOT*
464 * add a new encapsulation type by changing an existing entry;
465 * leave the existing entries alone.
467 * Instead, send mail to tcpdump-workers@tcpdump.org, asking for
468 * a new DLT_ value, and specifying the purpose of the new value.
469 * When you get the new DLT_ value, use that numerical value in
470 * the "dlt_value" field of "pcap_to_wtap_map[]".
474 #define NUM_PCAP_ENCAPS (sizeof pcap_to_wtap_map / sizeof pcap_to_wtap_map[0])
476 int wtap_pcap_encap_to_wtap_encap(int encap)
480 for (i = 0; i < NUM_PCAP_ENCAPS; i++) {
481 if (pcap_to_wtap_map[i].dlt_value == encap)
482 return pcap_to_wtap_map[i].wtap_encap_value;
484 return WTAP_ENCAP_UNKNOWN;
488 int libpcap_open(wtap *wth, int *err)
493 gboolean byte_swapped;
498 /* Read in the number that should be at the start of a "libpcap" file */
499 errno = WTAP_ERR_CANT_READ;
500 bytes_read = file_read(&magic, 1, sizeof magic, wth->fh);
501 if (bytes_read != sizeof magic) {
502 *err = file_error(wth->fh);
507 wth->data_offset += sizeof magic;
512 /* Host that wrote it has our byte order, and was running
513 a program using either standard or ss990417 libpcap. */
514 byte_swapped = FALSE;
518 case PCAP_MODIFIED_MAGIC:
519 /* Host that wrote it has our byte order, and was running
520 a program using either ss990915 or ss991029 libpcap. */
521 byte_swapped = FALSE;
525 case PCAP_SWAPPED_MAGIC:
526 /* Host that wrote it has a byte order opposite to ours,
527 and was running a program using either standard or
533 case PCAP_SWAPPED_MODIFIED_MAGIC:
534 /* Host that wrote it out has a byte order opposite to
535 ours, and was running a program using either ss990915
536 or ss991029 libpcap. */
542 /* Not a "libpcap" type we know about. */
546 /* Read the rest of the header. */
547 errno = WTAP_ERR_CANT_READ;
548 bytes_read = file_read(&hdr, 1, sizeof hdr, wth->fh);
549 if (bytes_read != sizeof hdr) {
550 *err = file_error(wth->fh);
555 wth->data_offset += sizeof hdr;
558 /* Byte-swap the header fields about which we care. */
559 hdr.version_major = BSWAP16(hdr.version_major);
560 hdr.version_minor = BSWAP16(hdr.version_minor);
561 hdr.snaplen = BSWAP32(hdr.snaplen);
562 hdr.network = BSWAP32(hdr.network);
564 if (hdr.version_major < 2) {
565 /* We only support version 2.0 and later. */
566 g_message("pcap: major version %u unsupported",
568 *err = WTAP_ERR_UNSUPPORTED;
573 * AIX's non-standard tcpdump uses a minor version number of 2.
574 * Unfortunately, older versions of libpcap might have used
577 * The AIX libpcap uses RFC 1573 ifType values rather than
578 * DLT_ values in the header; the ifType values for LAN devices
585 * which correspond to DLT_IEEE802 (used for Token Ring),
586 * DLT_PPP, and DLT_SLIP_BSDOS, respectively. The ifType value
587 * for a loopback interface is 24, which currently isn't
588 * used by any version of libpcap I know about (and, as
589 * tcpdump.org are assigning DLT_ values above 100, and
590 * NetBSD started assigning values starting at 50, and
591 * the values chosen by other libpcaps appear to stop at
592 * 19, it's probably not going to be used by any libpcap
595 * We shall assume that if the minor version number is 2, and
596 * the network type is 6, 9, 15, or 24, that it's AIX libpcap.
598 * I'm assuming those older versions of libpcap didn't
599 * use DLT_IEEE802 for Token Ring, and didn't use DLT_SLIP_BSDOS
600 * as that came later. It may have used DLT_PPP, however, in
601 * which case we're out of luck; we assume it's Token Ring
602 * in AIX libpcap rather than PPP in standard libpcap, as
603 * you're probably more likely to be handing an AIX libpcap
604 * token-ring capture than an old (pre-libpcap 0.4) PPP capture
607 aix = FALSE; /* assume it's not AIX */
608 if (hdr.version_major == 2 && hdr.version_minor == 2) {
609 switch (hdr.network) {
612 hdr.network = 1; /* DLT_EN10MB, Ethernet */
617 hdr.network = 6; /* DLT_IEEE802, Token Ring */
622 hdr.network = 10; /* DLT_FDDI, FDDI */
627 hdr.network = 0; /* DLT_NULL, loopback */
632 file_encap = wtap_pcap_encap_to_wtap_encap(hdr.network);
633 if (file_encap == WTAP_ENCAP_UNKNOWN) {
634 g_message("pcap: network type %u unknown or unsupported",
636 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
640 /* This is a libpcap file */
641 wth->capture.pcap = g_malloc(sizeof(libpcap_t));
642 wth->capture.pcap->byte_swapped = byte_swapped;
643 wth->capture.pcap->version_major = hdr.version_major;
644 wth->capture.pcap->version_minor = hdr.version_minor;
645 wth->subtype_read = libpcap_read;
646 wth->subtype_seek_read = libpcap_seek_read;
647 wth->subtype_close = libpcap_close;
648 wth->file_encap = file_encap;
649 wth->snapshot_length = hdr.snaplen;
651 /* In file format version 2.3, the order of the "incl_len" and
652 "orig_len" fields in the per-packet header was reversed,
653 in order to match the BPF header layout.
655 Therefore, in files with versions prior to that, we must swap
658 Unfortunately, some files were, according to a comment in the
659 "libpcap" source, written with version 2.3 in their headers
660 but without the interchanged fields, so if "incl_len" is
661 greater than "orig_len" - which would make no sense - we
662 assume that we need to swap them in version 2.3 files
665 In addition, DG/UX's tcpdump uses version 543.0, and writes
666 the two fields in the pre-2.3 order. */
667 switch (hdr.version_major) {
670 if (hdr.version_minor < 3)
671 wth->capture.pcap->lengths_swapped = SWAPPED;
672 else if (hdr.version_minor == 3)
673 wth->capture.pcap->lengths_swapped = MAYBE_SWAPPED;
675 wth->capture.pcap->lengths_swapped = NOT_SWAPPED;
679 wth->capture.pcap->lengths_swapped = SWAPPED;
683 wth->capture.pcap->lengths_swapped = NOT_SWAPPED;
688 * Is this AIX format?
692 * Yes. Skip all the tests for other mutant formats.
694 wth->file_type = WTAP_FILE_PCAP_AIX;
699 * No. Let's look at the header for the first record,
700 * and see if, interpreting it as a standard header (if the
701 * magic number was standard) or a modified header (if the
702 * magic number was modified), the position where it says the
703 * header for the *second* record is contains a corrupted header.
707 * If this file had the standard magic number, it may be
708 * an ss990417 capture file - in that version of Alexey's
709 * patch, the packet header format was changed but the
710 * magic number wasn't, and, alas, Red Hat appear to have
711 * picked up that version of the patch for RH 6.1, meaning
712 * RH 6.1 has a tcpdump that writes out files that can't
713 * be read by any software that expects non-modified headers
714 * if the magic number isn't the modified magic number (e.g.,
715 * any normal version of tcpdump, and Ethereal if we don't
716 * do this gross heuristic).
718 * If this file had the modified magic number, it may be
719 * an ss990915 capture file - in that version of Alexey's
720 * patch, the magic number was changed, but the record
721 * header had some extra fields, and, alas, SuSE appear
722 * to have picked up that version of the patch for SuSE
723 * 6.3, meaning that programs expecting the standard per-
724 * packet header in captures with the modified magic number
725 * can't read dumps from its tcpdump.
727 * Oh, and if it has the standard magic number, it might, instead,
728 * be a Nokia libpcap file, so we may need to try that if
729 * neither normal nor ss990417 headers work.
733 * Well, we have the magic number from Alexey's
736 * Try ss991029, the last of his patches, first.
738 wth->file_type = WTAP_FILE_PCAP_SS991029;
739 switch (libpcap_try(wth, err)) {
743 * Well, we couldn't even read it.
746 g_free(wth->capture.pcap);
751 * Well, it looks as if it might be 991029.
752 * Put the seek pointer back, and return success.
754 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
755 g_free(wth->capture.pcap);
762 * Try the next format.
768 * Well, it's not completely unreadable,
769 * but it's not ss991029. Try ss990915;
770 * there are no other types to try after that,
771 * so we put the seek pointer back and treat
774 wth->file_type = WTAP_FILE_PCAP_SS990915;
775 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
776 g_free(wth->capture.pcap);
781 * Well, we have the standard magic number.
783 * Try the standard format first.
785 wth->file_type = WTAP_FILE_PCAP;
786 switch (libpcap_try(wth, err)) {
790 * Well, we couldn't even read it.
793 g_free(wth->capture.pcap);
798 * Well, it looks as if it might be a standard
800 * Put the seek pointer back, and return success.
802 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
803 g_free(wth->capture.pcap);
810 * Try the next format.
816 * Well, it's not completely unreadable, but it's not
817 * a standard file. Put the seek pointer back and try
820 wth->file_type = WTAP_FILE_PCAP_SS990417;
821 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
822 g_free(wth->capture.pcap);
825 switch (libpcap_try(wth, err)) {
829 * Well, we couldn't even read it.
832 g_free(wth->capture.pcap);
837 * Well, it looks as if it might be ss990417.
838 * Put the seek pointer back, and return success.
840 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
841 g_free(wth->capture.pcap);
848 * Try the next format.
854 * Well, it's not completely unreadable,
855 * but it's not a standard file *nor* is it ss990417.
856 * Try it as a Nokia file; there are no other types
857 * to try after that, so we put the seek pointer back
858 * and treat it as a Nokia file.
860 wth->file_type = WTAP_FILE_PCAP_NOKIA;
861 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
862 g_free(wth->capture.pcap);
870 /* Try to read the first two records of the capture file. */
871 static libpcap_try_t libpcap_try(wtap *wth, int *err)
874 * pcaprec_ss990915_hdr is the largest header type.
876 struct pcaprec_ss990915_hdr first_rec_hdr, second_rec_hdr;
879 * Attempt to read the first record's header.
881 if (libpcap_read_header(wth, err, &first_rec_hdr, TRUE) == -1) {
882 if (*err == 0 || *err == WTAP_ERR_SHORT_READ) {
884 * EOF or short read - assume the file is in this
886 * When our client tries to read the first packet
887 * they will presumably get the same EOF or short
893 if (*err == WTAP_ERR_BAD_RECORD) {
895 * The first record is bogus, so this is probably
896 * a corrupt file. Assume the file is in this
897 * format. When our client tries to read the
898 * first packet they will presumably get the
905 * Some other error, e.g. an I/O error; just give up.
911 * Now skip over the first record's data, under the assumption
912 * that the header is sane.
914 if (file_seek(wth->fh, first_rec_hdr.hdr.incl_len, SEEK_CUR, err) == -1)
918 * Now attempt to read the second record's header.
920 if (libpcap_read_header(wth, err, &second_rec_hdr, TRUE) == -1) {
921 if (*err == 0 || *err == WTAP_ERR_SHORT_READ) {
923 * EOF or short read - assume the file is in this
925 * When our client tries to read the second packet
926 * they will presumably get the same EOF or short
932 if (*err == WTAP_ERR_BAD_RECORD) {
934 * The second record is bogus; maybe it's a
935 * Capture File From Hell, and what looks like
936 * the "header" of the next packet is actually
937 * random junk from the middle of a packet.
938 * Try the next format; if we run out of formats,
939 * it probably *is* a corrupt file.
945 * Some other error, e.g. an I/O error; just give up.
951 * OK, the first two records look OK; assume this is the
957 /* Read the next packet */
958 static gboolean libpcap_read(wtap *wth, int *err, long *data_offset)
960 struct pcaprec_ss990915_hdr hdr;
964 char fddi_padding[3];
966 bytes_read = libpcap_read_header(wth, err, &hdr, FALSE);
967 if (bytes_read == -1) {
969 * We failed to read the header.
974 wth->data_offset += bytes_read;
975 packet_size = hdr.hdr.incl_len;
976 orig_size = hdr.hdr.orig_len;
979 * AIX appears to put 3 bytes of padding in front of FDDI
980 * frames; strip that crap off.
982 if (wth->file_type == WTAP_FILE_PCAP_AIX &&
983 (wth->file_encap == WTAP_ENCAP_FDDI ||
984 wth->file_encap == WTAP_ENCAP_FDDI_BITSWAPPED)) {
986 * The packet size is really a record size and includes
991 wth->data_offset += 3;
996 if (!libpcap_read_rec_data(wth->fh, fddi_padding, 3, err))
997 return FALSE; /* Read error */
1000 *data_offset = wth->data_offset;
1003 * If this is an ATM packet, the first four bytes are the
1004 * direction of the packet (transmit/receive), the VPI, and
1005 * the VCI; read them and generate the pseudo-header from
1008 switch (wth->file_encap) {
1010 case WTAP_ENCAP_ATM_PDUS:
1011 if (packet_size < sizeof (struct sunatm_hdr)) {
1013 * Uh-oh, the packet isn't big enough to even
1014 * have a pseudo-header.
1016 g_message("libpcap: SunATM file has a %u-byte packet, too small to have even an ATM pseudo-header\n",
1018 *err = WTAP_ERR_BAD_RECORD;
1021 if (!libpcap_read_atm_pseudoheader(wth->fh, &wth->pseudo_header,
1023 return FALSE; /* Read error */
1026 * Don't count the pseudo-header as part of the packet.
1028 orig_size -= sizeof (struct sunatm_hdr);
1029 packet_size -= sizeof (struct sunatm_hdr);
1030 wth->data_offset += sizeof (struct sunatm_hdr);
1033 case WTAP_ENCAP_ETHERNET:
1035 * We don't know whether there's an FCS in this frame or not.
1037 wth->pseudo_header.eth.fcs_len = -1;
1040 case WTAP_ENCAP_IRDA:
1041 if (packet_size < sizeof (struct irda_sll_hdr)) {
1043 * Uh-oh, the packet isn't big enough to even
1044 * have a pseudo-header.
1046 g_message("libpcap: IrDA file has a %u-byte packet, too small to have even an IrDA pseudo-header\n",
1048 *err = WTAP_ERR_BAD_RECORD;
1051 if (!libpcap_read_irda_pseudoheader(wth->fh, &wth->pseudo_header,
1053 return FALSE; /* Read error */
1056 * Don't count the pseudo-header as part of the packet.
1058 orig_size -= sizeof (struct irda_sll_hdr);
1059 packet_size -= sizeof (struct irda_sll_hdr);
1060 wth->data_offset += sizeof (struct irda_sll_hdr);
1064 buffer_assure_space(wth->frame_buffer, packet_size);
1065 if (!libpcap_read_rec_data(wth->fh, buffer_start_ptr(wth->frame_buffer),
1067 return FALSE; /* Read error */
1068 wth->data_offset += packet_size;
1070 wth->phdr.ts.tv_sec = hdr.hdr.ts_sec;
1071 wth->phdr.ts.tv_usec = hdr.hdr.ts_usec;
1072 wth->phdr.caplen = packet_size;
1073 wth->phdr.len = orig_size;
1074 wth->phdr.pkt_encap = wth->file_encap;
1077 * If this is ATM LANE traffic, try to guess what type of LANE
1078 * traffic it is based on the packet contents.
1080 if (wth->file_encap == WTAP_ENCAP_ATM_PDUS &&
1081 wth->pseudo_header.atm.type == TRAF_LANE) {
1082 atm_guess_lane_type(buffer_start_ptr(wth->frame_buffer),
1083 wth->phdr.caplen, &wth->pseudo_header);
1090 libpcap_seek_read(wtap *wth, long seek_off,
1091 union wtap_pseudo_header *pseudo_header, guchar *pd, int length, int *err)
1093 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
1096 switch (wth->file_encap) {
1098 case WTAP_ENCAP_ATM_PDUS:
1099 if (!libpcap_read_atm_pseudoheader(wth->random_fh, pseudo_header,
1106 case WTAP_ENCAP_ETHERNET:
1108 * We don't know whether there's an FCS in this frame or not.
1110 pseudo_header->eth.fcs_len = -1;
1113 case WTAP_ENCAP_IRDA:
1114 if (!libpcap_read_irda_pseudoheader(wth->random_fh, pseudo_header,
1123 * Read the packet data.
1125 if (!libpcap_read_rec_data(wth->random_fh, pd, length, err))
1126 return FALSE; /* failed */
1129 * If this is ATM LANE traffic, try to guess what type of LANE
1130 * traffic it is based on the packet contents.
1132 if (wth->file_encap == WTAP_ENCAP_ATM_PDUS &&
1133 pseudo_header->atm.type == TRAF_LANE)
1134 atm_guess_lane_type(pd, length, pseudo_header);
1138 /* Read the header of the next packet; if "silent" is TRUE, don't complain
1139 to the console, as we're testing to see if the file appears to be of a
1142 Return -1 on an error, or the number of bytes of header read on success. */
1143 static int libpcap_read_header(wtap *wth, int *err,
1144 struct pcaprec_ss990915_hdr *hdr, gboolean silent)
1146 int bytes_to_read, bytes_read;
1148 /* Read record header. */
1149 errno = WTAP_ERR_CANT_READ;
1150 switch (wth->file_type) {
1152 case WTAP_FILE_PCAP:
1153 case WTAP_FILE_PCAP_AIX:
1154 bytes_to_read = sizeof (struct pcaprec_hdr);
1157 case WTAP_FILE_PCAP_SS990417:
1158 case WTAP_FILE_PCAP_SS991029:
1159 bytes_to_read = sizeof (struct pcaprec_modified_hdr);
1162 case WTAP_FILE_PCAP_SS990915:
1163 bytes_to_read = sizeof (struct pcaprec_ss990915_hdr);
1166 case WTAP_FILE_PCAP_NOKIA:
1167 bytes_to_read = sizeof (struct pcaprec_nokia_hdr);
1171 g_assert_not_reached();
1174 bytes_read = file_read(hdr, 1, bytes_to_read, wth->fh);
1175 if (bytes_read != bytes_to_read) {
1176 *err = file_error(wth->fh);
1177 if (*err == 0 && bytes_read != 0) {
1178 *err = WTAP_ERR_SHORT_READ;
1183 adjust_header(wth, &hdr->hdr);
1185 if (hdr->hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
1187 * Probably a corrupt capture file; return an error,
1188 * so that our caller doesn't blow up trying to allocate
1189 * space for an immensely-large packet, and so that
1190 * the code to try to guess what type of libpcap file
1191 * this is can tell when it's not the type we're guessing
1195 g_message("pcap: File has %u-byte packet, bigger than maximum of %u",
1196 hdr->hdr.incl_len, WTAP_MAX_PACKET_SIZE);
1198 *err = WTAP_ERR_BAD_RECORD;
1202 if (hdr->hdr.orig_len > WTAP_MAX_PACKET_SIZE) {
1204 * Probably a corrupt capture file; return an error,
1205 * so that our caller doesn't blow up trying to
1206 * cope with a huge "real" packet length, and so that
1207 * the code to try to guess what type of libpcap file
1208 * this is can tell when it's not the type we're guessing
1212 g_message("pcap: File has %u-byte packet, bigger than maximum of %u",
1213 hdr->hdr.orig_len, WTAP_MAX_PACKET_SIZE);
1215 *err = WTAP_ERR_BAD_RECORD;
1223 adjust_header(wtap *wth, struct pcaprec_hdr *hdr)
1227 if (wth->capture.pcap->byte_swapped) {
1228 /* Byte-swap the record header fields. */
1229 hdr->ts_sec = BSWAP32(hdr->ts_sec);
1230 hdr->ts_usec = BSWAP32(hdr->ts_usec);
1231 hdr->incl_len = BSWAP32(hdr->incl_len);
1232 hdr->orig_len = BSWAP32(hdr->orig_len);
1235 /* If this is AIX, convert the time stamp from seconds/nanoseconds
1236 to seconds/microseconds. */
1237 if (wth->file_type == WTAP_FILE_PCAP_AIX)
1238 hdr->ts_usec = hdr->ts_usec/1000;
1240 /* Swap the "incl_len" and "orig_len" fields, if necessary. */
1241 switch (wth->capture.pcap->lengths_swapped) {
1247 if (hdr->incl_len <= hdr->orig_len) {
1249 * The captured length is <= the actual length,
1250 * so presumably they weren't swapped.
1257 temp = hdr->orig_len;
1258 hdr->orig_len = hdr->incl_len;
1259 hdr->incl_len = temp;
1265 libpcap_get_atm_pseudoheader(const struct sunatm_hdr *atm_phdr,
1266 union wtap_pseudo_header *pseudo_header)
1271 vpi = atm_phdr->vpi;
1272 vci = pntohs(&atm_phdr->vci);
1275 * The lower 4 bits of the first byte of the header indicate
1276 * the type of traffic, as per the "atmioctl.h" header in
1279 switch (atm_phdr->flags & 0x0F) {
1281 case 0x01: /* LANE */
1282 pseudo_header->atm.aal = AAL_5;
1283 pseudo_header->atm.type = TRAF_LANE;
1286 case 0x02: /* RFC 1483 LLC multiplexed traffic */
1287 pseudo_header->atm.aal = AAL_5;
1288 pseudo_header->atm.type = TRAF_LLCMX;
1291 case 0x05: /* ILMI */
1292 pseudo_header->atm.aal = AAL_5;
1293 pseudo_header->atm.type = TRAF_ILMI;
1296 case 0x06: /* Q.2931 */
1297 pseudo_header->atm.aal = AAL_SIGNALLING;
1298 pseudo_header->atm.type = TRAF_UNKNOWN;
1301 case 0x03: /* MARS (RFC 2022) */
1302 pseudo_header->atm.aal = AAL_5;
1303 pseudo_header->atm.type = TRAF_UNKNOWN;
1306 case 0x04: /* IFMP (Ipsilon Flow Management Protocol; see RFC 1954) */
1307 pseudo_header->atm.aal = AAL_5;
1308 pseudo_header->atm.type = TRAF_UNKNOWN; /* XXX - TRAF_IPSILON? */
1313 * Assume it's AAL5, unless it's VPI 0 and VCI 5, in which
1314 * case assume it's AAL_SIGNALLING; we know nothing more
1317 * XXX - is this necessary? Or are we guaranteed that
1318 * all signalling traffic has a type of 0x06?
1320 * XXX - is this guaranteed to be AAL5? Or, if the type is
1321 * 0x00 ("raw"), might it be non-AAL5 traffic?
1323 if (vpi == 0 && vci == 5)
1324 pseudo_header->atm.aal = AAL_SIGNALLING;
1326 pseudo_header->atm.aal = AAL_5;
1327 pseudo_header->atm.type = TRAF_UNKNOWN;
1330 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1332 pseudo_header->atm.vpi = vpi;
1333 pseudo_header->atm.vci = vci;
1334 pseudo_header->atm.channel = (atm_phdr->flags & 0x80) ? 0 : 1;
1336 /* We don't have this information */
1337 pseudo_header->atm.flags = 0;
1338 pseudo_header->atm.cells = 0;
1339 pseudo_header->atm.aal5t_u2u = 0;
1340 pseudo_header->atm.aal5t_len = 0;
1341 pseudo_header->atm.aal5t_chksum = 0;
1345 libpcap_read_atm_pseudoheader(FILE_T fh, union wtap_pseudo_header *pseudo_header,
1348 struct sunatm_hdr atm_phdr;
1351 errno = WTAP_ERR_CANT_READ;
1352 bytes_read = file_read(&atm_phdr, 1, sizeof (struct sunatm_hdr), fh);
1353 if (bytes_read != sizeof (struct sunatm_hdr)) {
1354 *err = file_error(fh);
1356 *err = WTAP_ERR_SHORT_READ;
1360 libpcap_get_atm_pseudoheader(&atm_phdr, pseudo_header);
1366 libpcap_get_irda_pseudoheader(const struct irda_sll_hdr *irda_phdr,
1367 union wtap_pseudo_header *pseudo_header, int *err)
1369 if (pntohs(&irda_phdr->sll_protocol) != 0x0017) {
1370 g_message("libpcap: IrDA capture has a packet with an invalid sll_protocol field\n");
1371 *err = WTAP_ERR_BAD_RECORD;
1375 pseudo_header->irda.pkttype = pntohs(&irda_phdr->sll_pkttype);
1381 libpcap_read_irda_pseudoheader(FILE_T fh, union wtap_pseudo_header *pseudo_header,
1384 struct irda_sll_hdr irda_phdr;
1387 errno = WTAP_ERR_CANT_READ;
1388 bytes_read = file_read(&irda_phdr, 1, sizeof (struct irda_sll_hdr), fh);
1389 if (bytes_read != sizeof (struct irda_sll_hdr)) {
1390 *err = file_error(fh);
1392 *err = WTAP_ERR_SHORT_READ;
1396 return libpcap_get_irda_pseudoheader(&irda_phdr, pseudo_header, err);
1400 libpcap_read_rec_data(FILE_T fh, guchar *pd, int length, int *err)
1404 errno = WTAP_ERR_CANT_READ;
1405 bytes_read = file_read(pd, 1, length, fh);
1407 if (bytes_read != length) {
1408 *err = file_error(fh);
1410 *err = WTAP_ERR_SHORT_READ;
1417 libpcap_close(wtap *wth)
1419 g_free(wth->capture.pcap);
1422 static int wtap_wtap_encap_to_pcap_encap(int encap)
1428 case WTAP_ENCAP_FDDI:
1429 case WTAP_ENCAP_FDDI_BITSWAPPED:
1431 * Special-case WTAP_ENCAP_FDDI and
1432 * WTAP_ENCAP_FDDI_BITSWAPPED; both of them get mapped
1433 * to DLT_FDDI (even though that may mean that the bit
1434 * order in the FDDI MAC addresses is wrong; so it goes
1435 * - libpcap format doesn't record the byte order,
1436 * so that's not fixable).
1438 return 10; /* that's DLT_FDDI */
1440 case WTAP_ENCAP_PPP_WITH_PHDR:
1442 * Also special-case PPP and Frame Relay with direction
1443 * bits; map them to PPP and Frame Relay, even though
1444 * that means that the direction of the packet is lost.
1448 case WTAP_ENCAP_FRELAY_WITH_PHDR:
1452 for (i = 0; i < NUM_PCAP_ENCAPS; i++) {
1453 if (pcap_to_wtap_map[i].wtap_encap_value == encap)
1454 return pcap_to_wtap_map[i].dlt_value;
1461 * Given a Wiretap encapsulation type, and raw packet data and the packet
1462 * header from libpcap, process any pseudo-header in the packet,
1463 * fill in the Wiretap packet header, and return a pointer to the
1464 * beginning of the non-pseudo-header data in the packet.
1467 wtap_process_pcap_packet(gint linktype, const struct pcap_pkthdr *phdr,
1468 const guchar *pd, union wtap_pseudo_header *pseudo_header,
1469 struct wtap_pkthdr *whdr, int *err)
1471 /* "phdr->ts" may not necessarily be a "struct timeval" - it may
1472 be a "struct bpf_timeval", with member sizes wired to 32
1473 bits - and we may go that way ourselves in the future, so
1474 copy the members individually. */
1475 whdr->ts.tv_sec = phdr->ts.tv_sec;
1476 whdr->ts.tv_usec = phdr->ts.tv_usec;
1477 whdr->caplen = phdr->caplen;
1478 whdr->len = phdr->len;
1479 whdr->pkt_encap = linktype;
1482 * If this is an ATM packet, the first four bytes are the
1483 * direction of the packet (transmit/receive), the VPI, and
1484 * the VCI; read them and generate the pseudo-header from
1487 if (linktype == WTAP_ENCAP_ATM_PDUS) {
1488 if (whdr->caplen < sizeof (struct sunatm_hdr)) {
1490 * Uh-oh, the packet isn't big enough to even
1491 * have a pseudo-header.
1493 g_message("libpcap: SunATM capture has a %u-byte packet, too small to have even an ATM pseudo-header\n",
1495 *err = WTAP_ERR_BAD_RECORD;
1498 libpcap_get_atm_pseudoheader((const struct sunatm_hdr *)pd,
1502 * Don't count the pseudo-header as part of the packet.
1504 whdr->len -= sizeof (struct sunatm_hdr);
1505 whdr->caplen -= sizeof (struct sunatm_hdr);
1506 pd += sizeof (struct sunatm_hdr);
1509 * If this is ATM LANE traffic, try to guess what type of
1510 * LANE traffic it is based on the packet contents.
1512 if (pseudo_header->atm.type == TRAF_LANE)
1513 atm_guess_lane_type(pd, whdr->caplen, pseudo_header);
1515 else if (linktype == WTAP_ENCAP_IRDA) {
1516 if (whdr->caplen < sizeof (struct irda_sll_hdr)) {
1518 * Uh-oh, the packet isn't big enough to even
1519 * have a pseudo-header.
1521 g_message("libpcap: IrDA capture has a %u-byte packet, too small to have even an IrDA pseudo-header\n",
1523 *err = WTAP_ERR_BAD_RECORD;
1526 if (!libpcap_get_irda_pseudoheader((const struct irda_sll_hdr *)pd,
1527 pseudo_header, err))
1531 * Don't count the pseudo-header as part of the packet.
1533 whdr->len -= sizeof (struct irda_sll_hdr);
1534 whdr->caplen -= sizeof (struct irda_sll_hdr);
1535 pd += sizeof (struct irda_sll_hdr);
1541 /* Returns 0 if we could write the specified encapsulation type,
1542 an error indication otherwise. */
1543 int libpcap_dump_can_write_encap(int encap)
1545 /* Per-packet encapsulations aren't supported. */
1546 if (encap == WTAP_ENCAP_PER_PACKET)
1547 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
1549 if (wtap_wtap_encap_to_pcap_encap(encap) == -1)
1550 return WTAP_ERR_UNSUPPORTED_ENCAP;
1555 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
1557 gboolean libpcap_dump_open(wtap_dumper *wdh, gboolean cant_seek _U_, int *err)
1560 struct pcap_hdr file_hdr;
1563 /* This is a libpcap file */
1564 wdh->subtype_write = libpcap_dump;
1565 wdh->subtype_close = NULL;
1567 /* Write the file header. */
1568 switch (wdh->file_type) {
1570 case WTAP_FILE_PCAP:
1571 case WTAP_FILE_PCAP_SS990417: /* modified, but with the old magic, sigh */
1572 case WTAP_FILE_PCAP_NOKIA: /* Nokia libpcap of some sort */
1576 case WTAP_FILE_PCAP_SS990915: /* new magic, extra crap */
1577 case WTAP_FILE_PCAP_SS991029:
1578 magic = PCAP_MODIFIED_MAGIC;
1582 /* We should never get here - our open routine
1583 should only get called for the types above. */
1584 *err = WTAP_ERR_UNSUPPORTED_FILE_TYPE;
1588 nwritten = fwrite(&magic, 1, sizeof magic, wdh->fh);
1589 if (nwritten != sizeof magic) {
1590 if (nwritten == 0 && ferror(wdh->fh))
1593 *err = WTAP_ERR_SHORT_WRITE;
1596 wdh->bytes_dumped += sizeof magic;
1598 /* current "libpcap" format is 2.4 */
1599 file_hdr.version_major = 2;
1600 file_hdr.version_minor = 4;
1601 file_hdr.thiszone = 0; /* XXX - current offset? */
1602 file_hdr.sigfigs = 0; /* unknown, but also apparently unused */
1604 * Tcpdump cannot handle capture files with a snapshot length of 0,
1605 * as BPF filters return either 0 if they fail or the snapshot length
1606 * if they succeed, and a snapshot length of 0 means success is
1607 * indistinguishable from failure and the filter expression would
1608 * reject all packets.
1610 * A snapshot length of 0, inside Wiretap, means "snapshot length
1611 * unknown"; if the snapshot length supplied to us is 0, we make
1612 * the snapshot length in the header file WTAP_MAX_PACKET_SIZE.
1614 file_hdr.snaplen = (wdh->snaplen != 0) ? wdh->snaplen :
1615 WTAP_MAX_PACKET_SIZE;
1616 file_hdr.network = wtap_wtap_encap_to_pcap_encap(wdh->encap);
1617 nwritten = fwrite(&file_hdr, 1, sizeof file_hdr, wdh->fh);
1618 if (nwritten != sizeof file_hdr) {
1619 if (nwritten == 0 && ferror(wdh->fh))
1622 *err = WTAP_ERR_SHORT_WRITE;
1625 wdh->bytes_dumped += sizeof file_hdr;
1630 /* Write a record for a packet to a dump file.
1631 Returns TRUE on success, FALSE on failure. */
1632 static gboolean libpcap_dump(wtap_dumper *wdh,
1633 const struct wtap_pkthdr *phdr,
1634 const union wtap_pseudo_header *pseudo_header _U_,
1635 const guchar *pd, int *err)
1637 struct pcaprec_ss990915_hdr rec_hdr;
1640 struct sunatm_hdr atm_hdr;
1641 struct irda_sll_hdr irda_hdr;
1644 if (wdh->encap == WTAP_ENCAP_ATM_PDUS)
1645 hdrsize = sizeof (struct sunatm_hdr);
1646 else if (wdh->encap == WTAP_ENCAP_IRDA)
1647 hdrsize = sizeof (struct irda_sll_hdr);
1651 rec_hdr.hdr.ts_sec = phdr->ts.tv_sec;
1652 rec_hdr.hdr.ts_usec = phdr->ts.tv_usec;
1653 rec_hdr.hdr.incl_len = phdr->caplen + hdrsize;
1654 rec_hdr.hdr.orig_len = phdr->len + hdrsize;
1655 switch (wdh->file_type) {
1657 case WTAP_FILE_PCAP:
1658 hdr_size = sizeof (struct pcaprec_hdr);
1661 case WTAP_FILE_PCAP_SS990417: /* modified, but with the old magic, sigh */
1662 case WTAP_FILE_PCAP_SS991029:
1663 /* XXX - what should we supply here?
1665 Alexey's "libpcap" looks up the interface in the system's
1666 interface list if "ifindex" is non-zero, and prints
1667 the interface name. It ignores "protocol", and uses
1668 "pkt_type" to tag the packet as "host", "broadcast",
1669 "multicast", "other host", "outgoing", or "none of the
1670 above", but that's it.
1672 If the capture we're writing isn't a modified or
1673 RH 6.1 capture, we'd have to do some work to
1674 generate the packet type and interface index - and
1675 we can't generate the interface index unless we
1676 just did the capture ourselves in any case.
1678 I'm inclined to continue to punt; systems other than
1679 those with the older patch can read standard "libpcap"
1680 files, and systems with the older patch, e.g. RH 6.1,
1681 will just have to live with this. */
1682 rec_hdr.ifindex = 0;
1683 rec_hdr.protocol = 0;
1684 rec_hdr.pkt_type = 0;
1685 hdr_size = sizeof (struct pcaprec_modified_hdr);
1688 case WTAP_FILE_PCAP_SS990915: /* new magic, extra crap at the end */
1689 rec_hdr.ifindex = 0;
1690 rec_hdr.protocol = 0;
1691 rec_hdr.pkt_type = 0;
1694 hdr_size = sizeof (struct pcaprec_ss990915_hdr);
1697 case WTAP_FILE_PCAP_NOKIA: /* old magic, extra crap at the end */
1698 rec_hdr.ifindex = 0;
1699 rec_hdr.protocol = 0;
1700 rec_hdr.pkt_type = 0;
1703 hdr_size = sizeof (struct pcaprec_nokia_hdr);
1707 /* We should never get here - our open routine
1708 should only get called for the types above. */
1709 g_assert_not_reached();
1710 *err = WTAP_ERR_UNSUPPORTED_FILE_TYPE;
1714 nwritten = fwrite(&rec_hdr, 1, hdr_size, wdh->fh);
1715 if (nwritten != hdr_size) {
1716 if (nwritten == 0 && ferror(wdh->fh))
1719 *err = WTAP_ERR_SHORT_WRITE;
1722 wdh->bytes_dumped += hdr_size;
1724 if (wdh->encap == WTAP_ENCAP_ATM_PDUS) {
1726 * Write the ATM header.
1729 (pseudo_header->atm.channel == 0) ? 0x80 : 0x00;
1730 switch (pseudo_header->atm.aal) {
1732 case AAL_SIGNALLING:
1734 atm_hdr.flags |= 0x06;
1738 switch (pseudo_header->atm.type) {
1742 atm_hdr.flags |= 0x01;
1746 /* RFC 1483 LLC multiplexed traffic */
1747 atm_hdr.flags |= 0x02;
1752 atm_hdr.flags |= 0x05;
1757 atm_hdr.vpi = pseudo_header->atm.vpi;
1758 atm_hdr.vci = phtons(&pseudo_header->atm.vci);
1759 nwritten = fwrite(&atm_hdr, 1, sizeof atm_hdr, wdh->fh);
1760 if (nwritten != sizeof atm_hdr) {
1761 if (nwritten == 0 && ferror(wdh->fh))
1764 *err = WTAP_ERR_SHORT_WRITE;
1767 wdh->bytes_dumped += sizeof atm_hdr;
1769 else if (wdh->encap == WTAP_ENCAP_IRDA) {
1771 * Write the IrDA header.
1773 memset(&irda_hdr, 0, sizeof(irda_hdr));
1774 irda_hdr.sll_pkttype = phtons(&pseudo_header->irda.pkttype);
1775 irda_hdr.sll_protocol = htons(0x0017);
1776 nwritten = fwrite(&irda_hdr, 1, sizeof(irda_hdr), wdh->fh);
1777 if (nwritten != sizeof(irda_hdr)) {
1778 if (nwritten == 0 && ferror(wdh->fh))
1781 *err = WTAP_ERR_SHORT_WRITE;
1784 wdh->bytes_dumped += sizeof(irda_hdr);
1787 nwritten = fwrite(pd, 1, phdr->caplen, wdh->fh);
1788 if (nwritten != phdr->caplen) {
1789 if (nwritten == 0 && ferror(wdh->fh))
1792 *err = WTAP_ERR_SHORT_WRITE;
1795 wdh->bytes_dumped += phdr->caplen;