6 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 #include "file_wrappers.h"
38 * Various pseudo-headers that appear at the beginning of packet data.
40 * We represent them as sets of offsets, as they might not be aligned on
41 * an appropriate structure boundary in the buffer, and as that makes them
42 * independent of the way the compiler might align fields.
46 * The link-layer header on SunATM packets.
48 #define SUNATM_FLAGS 0 /* destination and traffic type - 1 byte */
49 #define SUNATM_VPI 1 /* VPI - 1 byte */
50 #define SUNATM_VCI 2 /* VCI - 2 bytes */
51 #define SUNATM_LEN 4 /* length of the header */
54 * The link-layer header on Nokia IPSO ATM packets.
56 #define NOKIAATM_FLAGS 0 /* destination - 1 byte */
57 #define NOKIAATM_VPI 1 /* VPI - 1 byte */
58 #define NOKIAATM_VCI 2 /* VCI - 2 bytes */
59 #define NOKIAATM_LEN 4 /* length of the header */
62 * The fake link-layer header of IrDA packets as introduced by Jean Tourrilhes
65 #define IRDA_SLL_PKTTYPE_OFFSET 0 /* packet type - 2 bytes */
67 #define IRDA_SLL_PROTOCOL_OFFSET 14 /* protocol, should be ETH_P_LAPD - 2 bytes */
68 #define IRDA_SLL_LEN 16 /* length of the header */
71 * A header containing additional MTP information.
73 #define MTP2_SENT_OFFSET 0 /* 1 byte */
74 #define MTP2_ANNEX_A_USED_OFFSET 1 /* 1 byte */
75 #define MTP2_LINK_NUMBER_OFFSET 2 /* 2 bytes */
76 #define MTP2_HDR_LEN 4 /* length of the header */
79 * A header containing additional SITA WAN information.
81 #define SITA_FLAGS_OFFSET 0 /* 1 byte */
82 #define SITA_SIGNALS_OFFSET 1 /* 1 byte */
83 #define SITA_ERRORS1_OFFSET 2 /* 1 byte */
84 #define SITA_ERRORS2_OFFSET 3 /* 1 byte */
85 #define SITA_PROTO_OFFSET 4 /* 1 byte */
86 #define SITA_HDR_LEN 5 /* length of the header */
89 * The fake link-layer header of LAPD packets.
92 #define ETH_P_LAPD 0x0030
95 #define LAPD_SLL_PKTTYPE_OFFSET 0 /* packet type - 2 bytes */
96 #define LAPD_SLL_HATYPE_OFFSET 2 /* hardware address type - 2 bytes */
97 #define LAPD_SLL_HALEN_OFFSET 4 /* hardware address length - 2 bytes */
98 #define LAPD_SLL_ADDR_OFFSET 6 /* address - 8 bytes */
99 #define LAPD_SLL_PROTOCOL_OFFSET 14 /* protocol, should be ETH_P_LAPD - 2 bytes */
100 #define LAPD_SLL_LEN 16 /* length of the header */
102 /* See source to the "libpcap" library for information on the "libpcap"
105 /* On some systems, the FDDI MAC addresses are bit-swapped. */
106 #if !defined(ultrix) && !defined(__alpha) && !defined(__bsdi__)
107 #define BIT_SWAPPED_MAC_ADDRS
110 /* Try to read the first two records of the capture file. */
112 THIS_FORMAT, /* the reads succeeded, assume it's this format */
113 BAD_READ, /* the file is probably not valid */
114 OTHER_FORMAT /* the file may be valid, but not in this format */
116 static libpcap_try_t libpcap_try(wtap *wth, int *err);
118 static gboolean libpcap_read(wtap *wth, int *err, gchar **err_info,
119 gint64 *data_offset);
120 static gboolean libpcap_seek_read(wtap *wth, gint64 seek_off,
121 union wtap_pseudo_header *pseudo_header, guchar *pd, int length,
122 int *err, gchar **err_info);
123 static int libpcap_read_header(wtap *wth, int *err, gchar **err_info,
124 struct pcaprec_ss990915_hdr *hdr);
125 static void adjust_header(wtap *wth, struct pcaprec_hdr *hdr);
126 static void libpcap_get_sunatm_pseudoheader(const guint8 *atm_phdr,
127 union wtap_pseudo_header *pseudo_header);
128 static gboolean libpcap_read_sunatm_pseudoheader(FILE_T fh,
129 union wtap_pseudo_header *pseudo_header, int *err);
130 static gboolean libpcap_read_nokiaatm_pseudoheader(FILE_T fh,
131 union wtap_pseudo_header *pseudo_header, int *err);
132 static gboolean libpcap_get_irda_pseudoheader(const guint8 *irda_phdr,
133 union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info);
134 static gboolean libpcap_read_irda_pseudoheader(FILE_T fh,
135 union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info);
136 static gboolean libpcap_get_mtp2_pseudoheader(const guint8 *mtp2_hdr,
137 union wtap_pseudo_header *pseudo_header);
138 static gboolean libpcap_read_mtp2_pseudoheader(FILE_T fh,
139 union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info);
140 static gboolean libpcap_get_sita_pseudoheader(const guint8 *sita_phdr,
141 union wtap_pseudo_header *pseudo_header);
142 static gboolean libpcap_read_sita_pseudoheader(FILE_T fh,
143 union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info);
144 static gboolean libpcap_get_lapd_pseudoheader(const guint8 *lapd_phdr,
145 union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info);
146 static gboolean libpcap_read_lapd_pseudoheader(FILE_T fh,
147 union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info);
148 static gboolean libpcap_read_linux_usb_pseudoheader(wtap *wth, FILE_T fh,
149 union wtap_pseudo_header *pseudo_header, int *err);
150 static gboolean libpcap_read_bt_pseudoheader(FILE_T fh,
151 union wtap_pseudo_header *pseudo_header, int *err);
152 static gboolean libpcap_get_erf_pseudoheader(const guint8 *erf_hdr, struct wtap_pkthdr *whdr,
153 union wtap_pseudo_header *pseudo_header);
154 static gboolean libpcap_read_erf_pseudoheader(FILE_T fh, struct wtap_pkthdr *whdr,
155 union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info);
156 static gboolean libpcap_get_erf_subheader(const guint8 *erf_subhdr,
157 union wtap_pseudo_header *pseudo_header, guint * size);
158 static gboolean libpcap_read_erf_subheader(FILE_T fh,
159 union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info _U_, guint * size);
160 static gboolean libpcap_read_rec_data(FILE_T fh, guchar *pd, int length,
162 static void libpcap_close(wtap *wth);
163 static gboolean libpcap_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
164 const union wtap_pseudo_header *pseudo_header, const guchar *pd, int *err);
167 * Either LBL NRG wasn't an adequate central registry (e.g., because of
168 * the slow rate of releases from them), or nobody bothered using them
169 * as a central registry, as many different groups have patched libpcap
170 * (and BPF, on the BSDs) to add new encapsulation types, and have ended
171 * up using the same DLT_ values for different encapsulation types.
173 * For those numerical encapsulation type values that everybody uses for
174 * the same encapsulation type (which inclues those that some platforms
175 * specify different DLT_ names for but don't appear to use), we map
176 * those values to the appropriate Wiretap values.
178 * For those numerical encapsulation type values that different libpcap
179 * variants use for different encapsulation types, we check what
180 * <pcap.h> defined to determine how to interpret them, so that we
181 * interpret them the way the libpcap with which we're building
182 * Wireshark/Wiretap interprets them (which, if it doesn't support
183 * them at all, means we don't support them either - any capture files
184 * using them are foreign, and we don't hazard a guess as to which
185 * platform they came from; we could, I guess, choose the most likely
188 * Note: if you need a new encapsulation type for libpcap files, do
189 * *N*O*T* use *ANY* of the values listed here! I.e., do *NOT*
190 * add a new encapsulation type by changing an existing entry;
191 * leave the existing entries alone.
193 * Instead, send mail to tcpdump-workers@tcpdump.org, asking for a new
194 * DLT_ value, and specifying the purpose of the new value. When you
195 * get the new DLT_ value, use that numerical value in the "dlt_value"
196 * field of "pcap_to_wtap_map[]".
199 static const struct {
201 int wtap_encap_value;
202 } pcap_to_wtap_map[] = {
204 * These are the values that are almost certainly the same
205 * in all libpcaps (I've yet to find one where the values
206 * in question are used for some purpose other than the
207 * one below, but...), and that Wiretap and Wireshark
210 { 0, WTAP_ENCAP_NULL }, /* null encapsulation */
211 { 1, WTAP_ENCAP_ETHERNET },
212 { 6, WTAP_ENCAP_TOKEN_RING }, /* IEEE 802 Networks - assume token ring */
213 { 7, WTAP_ENCAP_ARCNET },
214 { 8, WTAP_ENCAP_SLIP },
215 { 9, WTAP_ENCAP_PPP },
216 #ifdef BIT_SWAPPED_MAC_ADDRS
217 { 10, WTAP_ENCAP_FDDI_BITSWAPPED },
219 { 10, WTAP_ENCAP_FDDI },
222 { 32, WTAP_ENCAP_REDBACK },
225 * 50 is DLT_PPP_SERIAL in NetBSD; it appears that DLT_PPP
226 * on BSD (at least according to standard tcpdump) has, as
227 * the first octet, an indication of whether the packet was
228 * transmitted or received (rather than having the standard
229 * PPP address value of 0xff), but that DLT_PPP_SERIAL puts
230 * a real live PPP header there, or perhaps a Cisco PPP header
231 * as per section 4.3.1 of RFC 1547 (implementations of this
232 * exist in various BSDs in "sys/net/if_spppsubr.c", and
233 * I think also exist either in standard Linux or in
234 * various Linux patches; the implementations show how to handle
235 * Cisco keepalive packets).
237 * However, I don't see any obvious place in FreeBSD "if_ppp.c"
238 * where anything other than the standard PPP header would be
239 * passed up. I see some stuff that sets the first octet
240 * to 0 for incoming and 1 for outgoing packets before applying
241 * a BPF filter to see whether to drop packets whose protocol
242 * field has the 0x8000 bit set, i.e. network control protocols -
243 * those are handed up to userland - but that code puts the
244 * address field back before passing the packet up.
246 * I also don't see anything immediately obvious that munges
247 * the address field for sync PPP, either.
249 * Wireshark currently assumes that if the first octet of a
250 * PPP frame is 0xFF, it's the address field and is followed
251 * by a control field and a 2-byte protocol, otherwise the
252 * address and control fields are absent and the frame begins
253 * with a protocol field. If we ever see a BSD/OS PPP
254 * capture, we'll have to handle it differently, and we may
255 * have to handle standard BSD captures differently if, in fact,
256 * they don't have 0xff 0x03 as the first two bytes - but, as per
257 * the two paragraphs preceding this, it's not clear that
258 * the address field *is* munged into an incoming/outgoing
259 * field when the packet is handed to the BPF device.
261 * For now, we just map DLT_PPP_SERIAL to WTAP_ENCAP_PPP, as
262 * we treat WTAP_ENCAP_PPP packets as if those beginning with
263 * 0xff have the standard RFC 1662 "PPP in HDLC-like Framing"
264 * 0xff 0x03 address/control header, and DLT_PPP_SERIAL frames
265 * appear to contain that unless they're Cisco frames (if we
266 * ever see a capture with them, we'd need to implement the
267 * RFC 1547 stuff, and the keepalive protocol stuff).
269 * We may have to distinguish between "PPP where if it doesn't
270 * begin with 0xff there's no HDLC encapsulation and the frame
271 * begins with the protocol field" (which is how we handle
272 * WTAP_ENCAP_PPP now) and "PPP where there's either HDLC
273 * encapsulation or Cisco PPP" (which is what DLT_PPP_SERIAL
276 * XXX - NetBSD has DLT_HDLC, which appears to be used for
277 * Cisco HDLC. Ideally, they should use DLT_PPP_SERIAL
278 * only for real live HDLC-encapsulated PPP, not for Cisco
281 { 50, WTAP_ENCAP_PPP },
284 * Apparently used by the Axent Raptor firewall (now Symantec
285 * Enterprise Firewall).
286 * Thanks, Axent, for not reserving that type with tcpdump.org
287 * and not telling anybody about it.
289 { 99, WTAP_ENCAP_SYMANTEC },
292 * These are the values that libpcap 0.5 and later use in
293 * capture file headers, in an attempt to work around the
294 * confusion decried above, and that Wiretap and Wireshark
297 { 100, WTAP_ENCAP_ATM_RFC1483 },
298 { 101, WTAP_ENCAP_RAW_IP },
301 * More values used by libpcap 0.5 as DLT_ values and used by the
302 * current CVS version of libpcap in capture file headers.
303 * They are not yet handled in Wireshark.
304 * If we get a capture that contains them, we'll implement them.
306 { 102, WTAP_ENCAP_SLIP_BSDOS },
307 { 103, WTAP_ENCAP_PPP_BSDOS },
311 * These ones are handled in Wireshark, though.
313 { 104, WTAP_ENCAP_CHDLC }, /* Cisco HDLC */
314 { 105, WTAP_ENCAP_IEEE_802_11 }, /* IEEE 802.11 */
315 { 106, WTAP_ENCAP_LINUX_ATM_CLIP },
316 { 107, WTAP_ENCAP_FRELAY }, /* Frame Relay */
317 { 108, WTAP_ENCAP_NULL }, /* OpenBSD loopback */
318 { 109, WTAP_ENCAP_ENC }, /* OpenBSD IPSEC enc */
320 { 110, WTAP_ENCAP_LANE_802_3 },/* ATM LANE 802.3 */
321 { 111, WTAP_ENCAP_HIPPI }, /* NetBSD HIPPI */
323 { 112, WTAP_ENCAP_CHDLC }, /* NetBSD HDLC framing */
326 * Linux "cooked mode" captures, used by the current CVS version
329 * it could be a packet in Cisco's ERSPAN encapsulation which uses
330 * this number as well (why can't people stick to protocols when it
331 * comes to allocating/using DLT types).
333 { 113, WTAP_ENCAP_SLL }, /* Linux cooked capture */
335 { 114, WTAP_ENCAP_LOCALTALK }, /* Localtalk */
338 * The tcpdump.org version of libpcap uses 117, rather than 17,
339 * for OpenBSD packet filter logging, so as to avoid conflicting
340 * with DLT_LANE8023 in SuSE 6.3 libpcap.
342 { 117, WTAP_ENCAP_PFLOG },
344 { 118, WTAP_ENCAP_CISCO_IOS },
345 { 119, WTAP_ENCAP_PRISM_HEADER }, /* Prism monitor mode hdr */
346 { 121, WTAP_ENCAP_HHDLC }, /* HiPath HDLC */
347 { 122, WTAP_ENCAP_IP_OVER_FC }, /* RFC 2625 IP-over-FC */
348 { 123, WTAP_ENCAP_ATM_PDUS }, /* SunATM */
349 { 127, WTAP_ENCAP_IEEE_802_11_WLAN_RADIOTAP }, /* 802.11 plus radiotap WLAN header */
350 { 128, WTAP_ENCAP_TZSP }, /* Tazmen Sniffer Protocol */
351 { 129, WTAP_ENCAP_ARCNET_LINUX },
352 { 130, WTAP_ENCAP_JUNIPER_MLPPP }, /* Juniper MLPPP on ML-, LS-, AS- PICs */
353 { 131, WTAP_ENCAP_JUNIPER_MLFR }, /* Juniper MLFR (FRF.15) on ML-, LS-, AS- PICs */
354 { 133, WTAP_ENCAP_JUNIPER_GGSN},
356 * Values 132-134, 136 not listed here are reserved for use
357 * in Juniper hardware.
359 { 135, WTAP_ENCAP_JUNIPER_ATM2 }, /* various encapsulations captured on the ATM2 PIC */
360 { 137, WTAP_ENCAP_JUNIPER_ATM1 }, /* various encapsulations captured on the ATM1 PIC */
362 { 138, WTAP_ENCAP_APPLE_IP_OVER_IEEE1394 },
363 /* Apple IP-over-IEEE 1394 */
365 { 139, WTAP_ENCAP_MTP2_WITH_PHDR },
366 { 140, WTAP_ENCAP_MTP2 },
367 { 141, WTAP_ENCAP_MTP3 },
368 { 142, WTAP_ENCAP_SCCP },
369 { 143, WTAP_ENCAP_DOCSIS },
370 { 144, WTAP_ENCAP_IRDA }, /* IrDA capture */
372 /* Reserved for private use. */
373 { 147, WTAP_ENCAP_USER0 },
374 { 148, WTAP_ENCAP_USER1 },
375 { 149, WTAP_ENCAP_USER2 },
376 { 150, WTAP_ENCAP_USER3 },
377 { 151, WTAP_ENCAP_USER4 },
378 { 152, WTAP_ENCAP_USER5 },
379 { 153, WTAP_ENCAP_USER6 },
380 { 154, WTAP_ENCAP_USER7 },
381 { 155, WTAP_ENCAP_USER8 },
382 { 156, WTAP_ENCAP_USER9 },
383 { 157, WTAP_ENCAP_USER10 },
384 { 158, WTAP_ENCAP_USER11 },
385 { 159, WTAP_ENCAP_USER12 },
386 { 160, WTAP_ENCAP_USER13 },
387 { 161, WTAP_ENCAP_USER14 },
388 { 162, WTAP_ENCAP_USER15 },
390 { 163, WTAP_ENCAP_IEEE_802_11_WLAN_AVS }, /* 802.11 plus AVS WLAN header */
393 * 164 is reserved for Juniper-private chassis-internal
394 * meta-information such as QoS profiles, etc..
397 { 165, WTAP_ENCAP_BACNET_MS_TP },
400 * 166 is reserved for a PPP variant in which the first byte
401 * of the 0xff03 header, the 0xff, is replaced by a direction
402 * byte. I don't know whether any captures look like that,
403 * but it is used for some Linux IP filtering (ipfilter?).
406 /* Ethernet PPPoE frames captured on a service PIC */
407 { 167, WTAP_ENCAP_JUNIPER_PPPOE },
410 * 168 is reserved for more Juniper private-chassis-
411 * internal meta-information.
414 { 169, WTAP_ENCAP_GPRS_LLC },
417 * 170 and 171 are reserved for ITU-T G.7041/Y.1303 Generic
421 /* Registered by Gcom, Inc. */
422 { 172, WTAP_GCOM_TIE1 },
423 { 173, WTAP_GCOM_SERIAL },
425 { 177, WTAP_ENCAP_LINUX_LAPD },
427 /* Ethernet frames prepended with meta-information */
428 { 178, WTAP_ENCAP_JUNIPER_ETHER },
429 /* PPP frames prepended with meta-information */
430 { 179, WTAP_ENCAP_JUNIPER_PPP },
431 /* Frame-Relay frames prepended with meta-information */
432 { 180, WTAP_ENCAP_JUNIPER_FRELAY },
433 /* C-HDLC frames prepended with meta-information */
434 { 181, WTAP_ENCAP_JUNIPER_CHDLC },
435 /* VOIP Frames prepended with meta-information */
436 { 183, WTAP_ENCAP_JUNIPER_VP },
437 /* raw USB packets */
438 { 186, WTAP_ENCAP_USB },
439 /* Bluetooth HCI UART transport (part H:4) frames, like hcidump */
440 { 187, WTAP_ENCAP_BLUETOOTH_H4 },
441 /* IEEE 802.16 MAC Common Part Sublayer */
442 { 188, WTAP_ENCAP_IEEE802_16_MAC_CPS },
443 /* USB packets with Linux-specified header */
444 { 189, WTAP_ENCAP_USB_LINUX },
446 { 190, WTAP_ENCAP_CAN20B },
447 /* Per-Packet Information header */
448 { 192, WTAP_ENCAP_PPI },
449 /* IEEE 802.15.4 Wireless PAN */
450 { 195, WTAP_ENCAP_IEEE802_15_4 },
451 /* SITA File Encapsulation */
452 { 196, WTAP_ENCAP_SITA },
453 /* Endace Record File Encapsulation */
454 { 197, WTAP_ENCAP_ERF },
455 { 199, WTAP_ENCAP_IPMB },
456 /* Bluetooth HCI UART transport (part H:4) frames, like hcidump */
457 { 201, WTAP_ENCAP_BLUETOOTH_H4_WITH_PHDR },
459 { 210, WTAP_ENCAP_FLEXRAY },
461 { 211, WTAP_ENCAP_MOST },
463 { 212, WTAP_ENCAP_LIN },
464 /* X2E Xoraya serial frame */
465 { 213, WTAP_ENCAP_X2E_SERIAL },
466 /* X2E Xoraya frame */
467 { 214, WTAP_ENCAP_X2E_XORAYA },
472 * If you need a new encapsulation type for libpcap files, do
473 * *N*O*T* use *ANY* of the values listed here! I.e., do *NOT*
474 * add a new encapsulation type by changing an existing entry;
475 * leave the existing entries alone.
477 * Instead, send mail to tcpdump-workers@tcpdump.org, asking for
478 * a new DLT_ value, and specifying the purpose of the new value.
479 * When you get the new DLT_ value, use that numerical value in
480 * the "dlt_value" field of "pcap_to_wtap_map[]".
484 * The following are entries for libpcap type values that have
485 * different meanings on different OSes.
487 * We put these *after* the entries for the platform-independent
488 * libpcap type values for those Wiretap encapsulation types, so
489 * that Wireshark chooses the platform-independent libpcap type
490 * value for those encapsulatioin types, not the platform-dependent
495 * 11 is DLT_ATM_RFC1483 on most platforms; the only libpcaps I've
496 * seen that define anything other than DLT_ATM_RFC1483 as 11 are
497 * the BSD/OS one, which defines DLT_FR as 11, and libpcap 0.5,
498 * which define it as 100, mapping the kernel's value to 100, in
499 * an attempt to hide the different values used on different
502 * If this is a platform where DLT_FR is defined as 11, we
503 * don't handle 11 at all; otherwise, we handle it as
504 * DLT_ATM_RFC1483 (this means we'd misinterpret Frame Relay
505 * captures from BSD/OS if running on platforms other than BSD/OS,
508 * 1) we don't yet support DLT_FR
512 * 2) nothing short of a heuristic would let us interpret
515 #if defined(DLT_FR) && (DLT_FR == 11)
516 { 11, WTAP_ENCAP_FRELAY },
518 { 11, WTAP_ENCAP_ATM_RFC1483 },
522 * 12 is DLT_RAW on most platforms, but it's DLT_C_HDLC on
523 * BSD/OS, and DLT_LOOP on OpenBSD.
525 * We don't yet handle DLT_C_HDLC, but we can handle DLT_LOOP
526 * (it's just like DLT_NULL, only with the AF_ value in network
527 * rather than host byte order - Wireshark figures out the
528 * byte order from the data, so we don't care what byte order
529 * it's in), so if DLT_LOOP is defined as 12, interpret 12
530 * as WTAP_ENCAP_NULL, otherwise, unless DLT_C_HDLC is defined
531 * as 12, interpret it as WTAP_ENCAP_RAW_IP.
533 #if defined(DLT_LOOP) && (DLT_LOOP == 12)
534 { 12, WTAP_ENCAP_NULL },
535 #elif defined(DLT_C_HDLC) && (DLT_C_HDLC == 12)
537 * Put entry for Cisco HDLC here.
538 * XXX - is this just WTAP_ENCAP_CHDLC, i.e. does the frame
539 * start with a 4-byte Cisco HDLC header?
542 { 12, WTAP_ENCAP_RAW_IP },
546 * 13 is DLT_SLIP_BSDOS on FreeBSD and NetBSD, but those OSes
547 * don't actually generate it. I infer that BSD/OS translates
548 * DLT_SLIP from the kernel BPF code to DLT_SLIP_BSDOS in
549 * libpcap, as the BSD/OS link-layer header is different;
550 * however, in BSD/OS, DLT_SLIP_BSDOS is 15.
552 * From this, I infer that there's no point in handling 13
555 * 13 is DLT_ATM_RFC1483 on BSD/OS.
557 * 13 is DLT_ENC in OpenBSD, which is, I suspect, some kind
558 * of decrypted IPSEC traffic.
560 #if defined(DLT_ATM_RFC1483) && (DLT_ATM_RFC1483 == 13)
561 { 13, WTAP_ENCAP_ATM_RFC1483 },
562 #elif defined(DLT_ENC) && (DLT_ENC == 13)
563 { 13, WTAP_ENCAP_ENC },
567 * 14 is DLT_PPP_BSDOS on FreeBSD and NetBSD, but those OSes
568 * don't actually generate it. I infer that BSD/OS translates
569 * DLT_PPP from the kernel BPF code to DLT_PPP_BSDOS in
570 * libpcap, as the BSD/OS link-layer header is different;
571 * however, in BSD/OS, DLT_PPP_BSDOS is 16.
573 * From this, I infer that there's no point in handling 14
576 * 14 is DLT_RAW on BSD/OS and OpenBSD.
578 { 14, WTAP_ENCAP_RAW_IP },
583 * DLT_SLIP_BSDOS on BSD/OS;
585 * DLT_HIPPI on NetBSD;
587 * DLT_LANE8023 with Alexey Kuznetzov's patches for
590 * DLT_I4L_RAWIP with the ISDN4Linux patches for libpcap
593 * but we don't currently handle any of those.
599 * DLT_PPP_BSDOS on BSD/OS;
601 * DLT_HDLC on NetBSD (Cisco HDLC);
603 * DLT_CIP with Alexey Kuznetzov's patches for
604 * Linux libpcap - this is WTAP_ENCAP_LINUX_ATM_CLIP;
606 * DLT_I4L_IP with the ISDN4Linux patches for libpcap
609 #if defined(DLT_CIP) && (DLT_CIP == 16)
610 { 16, WTAP_ENCAP_LINUX_ATM_CLIP },
612 #if defined(DLT_HDLC) && (DLT_HDLC == 16)
613 { 16, WTAP_ENCAP_CHDLC },
617 * 17 is DLT_LANE8023 in SuSE 6.3 libpcap; we don't currently
619 * It is also used as the PF (Packet Filter) logging format beginning
620 * with OpenBSD 3.0; we use 17 for PF logs unless DLT_LANE8023 is
621 * defined with the value 17.
623 #if !defined(DLT_LANE8023) || (DLT_LANE8023 != 17)
624 { 17, WTAP_ENCAP_OLD_PFLOG },
628 * 18 is DLT_CIP in SuSE 6.3 libpcap; if it's the same as the
629 * DLT_CIP of 16 that the Alexey Kuznetzov patches for
630 * libpcap/tcpdump define, it's WTAP_ENCAP_LINUX_ATM_CLIP.
631 * I've not found any libpcap that uses it for any other purpose -
632 * hopefully nobody will do so in the future.
634 { 18, WTAP_ENCAP_LINUX_ATM_CLIP },
637 * 19 is DLT_ATM_CLIP in the libpcap/tcpdump patches in the
638 * recent versions I've seen of the Linux ATM distribution;
639 * I've not yet found any libpcap that uses it for any other
640 * purpose - hopefully nobody will do so in the future.
642 { 19, WTAP_ENCAP_LINUX_ATM_CLIP },
645 * nettl (HP-UX) mappings to standard DLT values
648 { 1, WTAP_ENCAP_NETTL_ETHERNET },
649 { 6, WTAP_ENCAP_NETTL_TOKEN_RING },
650 { 10, WTAP_ENCAP_NETTL_FDDI },
651 { 70, WTAP_ENCAP_RAW_IP },
652 { 101, WTAP_ENCAP_NETTL_RAW_IP },
657 * If you need a new encapsulation type for libpcap files, do
658 * *N*O*T* use *ANY* of the values listed here! I.e., do *NOT*
659 * add a new encapsulation type by changing an existing entry;
660 * leave the existing entries alone.
662 * Instead, send mail to tcpdump-workers@tcpdump.org, asking for
663 * a new DLT_ value, and specifying the purpose of the new value.
664 * When you get the new DLT_ value, use that numerical value in
665 * the "dlt_value" field of "pcap_to_wtap_map[]".
669 #define NUM_PCAP_ENCAPS (sizeof pcap_to_wtap_map / sizeof pcap_to_wtap_map[0])
671 int wtap_pcap_encap_to_wtap_encap(int encap)
675 for (i = 0; i < NUM_PCAP_ENCAPS; i++) {
676 if (pcap_to_wtap_map[i].dlt_value == encap)
677 return pcap_to_wtap_map[i].wtap_encap_value;
679 return WTAP_ENCAP_UNKNOWN;
683 int libpcap_open(wtap *wth, int *err, gchar **err_info)
688 gboolean byte_swapped;
693 /* Read in the number that should be at the start of a "libpcap" file */
694 errno = WTAP_ERR_CANT_READ;
695 bytes_read = file_read(&magic, 1, sizeof magic, wth->fh);
696 if (bytes_read != sizeof magic) {
697 *err = file_error(wth->fh);
702 wth->data_offset += sizeof magic;
707 /* Host that wrote it has our byte order, and was running
708 a program using either standard or ss990417 libpcap. */
709 byte_swapped = FALSE;
711 wth->tsprecision = WTAP_FILE_TSPREC_USEC;
714 case PCAP_MODIFIED_MAGIC:
715 /* Host that wrote it has our byte order, and was running
716 a program using either ss990915 or ss991029 libpcap. */
717 byte_swapped = FALSE;
719 wth->tsprecision = WTAP_FILE_TSPREC_USEC;
722 case PCAP_SWAPPED_MAGIC:
723 /* Host that wrote it has a byte order opposite to ours,
724 and was running a program using either standard or
728 wth->tsprecision = WTAP_FILE_TSPREC_USEC;
731 case PCAP_SWAPPED_MODIFIED_MAGIC:
732 /* Host that wrote it out has a byte order opposite to
733 ours, and was running a program using either ss990915
734 or ss991029 libpcap. */
737 wth->tsprecision = WTAP_FILE_TSPREC_USEC;
740 case PCAP_NSEC_MAGIC:
741 /* Host that wrote it has our byte order, and was running
742 a program using either standard or ss990417 libpcap. */
743 byte_swapped = FALSE;
745 wth->tsprecision = WTAP_FILE_TSPREC_NSEC;
748 case PCAP_SWAPPED_NSEC_MAGIC:
749 /* Host that wrote it out has a byte order opposite to
750 ours, and was running a program using either ss990915
751 or ss991029 libpcap. */
754 wth->tsprecision = WTAP_FILE_TSPREC_NSEC;
758 /* Not a "libpcap" type we know about. */
762 /* Read the rest of the header. */
763 errno = WTAP_ERR_CANT_READ;
764 bytes_read = file_read(&hdr, 1, sizeof hdr, wth->fh);
765 if (bytes_read != sizeof hdr) {
766 *err = file_error(wth->fh);
771 wth->data_offset += sizeof hdr;
774 /* Byte-swap the header fields about which we care. */
775 hdr.version_major = BSWAP16(hdr.version_major);
776 hdr.version_minor = BSWAP16(hdr.version_minor);
777 hdr.snaplen = BSWAP32(hdr.snaplen);
778 hdr.network = BSWAP32(hdr.network);
780 if (hdr.version_major < 2) {
781 /* We only support version 2.0 and later. */
782 *err = WTAP_ERR_UNSUPPORTED;
783 *err_info = g_strdup_printf("pcap: major version %u unsupported",
789 * AIX's non-standard tcpdump uses a minor version number of 2.
790 * Unfortunately, older versions of libpcap might have used
793 * The AIX libpcap uses RFC 1573 ifType values rather than
794 * DLT_ values in the header; the ifType values for LAN devices
801 * which correspond to DLT_IEEE802 (used for Token Ring),
802 * DLT_PPP, and DLT_SLIP_BSDOS, respectively. The ifType value
803 * for a loopback interface is 24, which currently isn't
804 * used by any version of libpcap I know about (and, as
805 * tcpdump.org are assigning DLT_ values above 100, and
806 * NetBSD started assigning values starting at 50, and
807 * the values chosen by other libpcaps appear to stop at
808 * 19, it's probably not going to be used by any libpcap
811 * We shall assume that if the minor version number is 2, and
812 * the network type is 6, 9, 15, or 24, that it's AIX libpcap.
814 * I'm assuming those older versions of libpcap didn't
815 * use DLT_IEEE802 for Token Ring, and didn't use DLT_SLIP_BSDOS
816 * as that came later. It may have used DLT_PPP, however, in
817 * which case we're out of luck; we assume it's Token Ring
818 * in AIX libpcap rather than PPP in standard libpcap, as
819 * you're probably more likely to be handing an AIX libpcap
820 * token-ring capture than an old (pre-libpcap 0.4) PPP capture
823 aix = FALSE; /* assume it's not AIX */
824 if (hdr.version_major == 2 && hdr.version_minor == 2) {
825 switch (hdr.network) {
828 hdr.network = 1; /* DLT_EN10MB, Ethernet */
833 hdr.network = 6; /* DLT_IEEE802, Token Ring */
838 hdr.network = 10; /* DLT_FDDI, FDDI */
843 hdr.network = 0; /* DLT_NULL, loopback */
850 * We treat a DLT_ value of 13 specially - it appears that in
851 * Nokia libpcap format, it's some form of ATM with what I
852 * suspect is a pseudo-header (even though Nokia's IPSO is
853 * based on FreeBSD, which #defines DLT_SLIP_BSDOS as 13).
855 * We don't yet know whether this is a Nokia capture, so if
856 * "wtap_pcap_encap_to_wtap_encap()" returned WTAP_ENCAP_UNKNOWN
857 * but "hdr.network" is 13, we don't treat that as an error yet.
859 file_encap = wtap_pcap_encap_to_wtap_encap(hdr.network);
860 if (file_encap == WTAP_ENCAP_UNKNOWN && hdr.network != 13) {
861 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
862 *err_info = g_strdup_printf("pcap: network type %u unknown or unsupported",
867 /* This is a libpcap file */
868 wth->capture.pcap = g_malloc(sizeof(libpcap_t));
869 wth->capture.pcap->byte_swapped = byte_swapped;
870 wth->capture.pcap->version_major = hdr.version_major;
871 wth->capture.pcap->version_minor = hdr.version_minor;
872 wth->subtype_read = libpcap_read;
873 wth->subtype_seek_read = libpcap_seek_read;
874 wth->subtype_close = libpcap_close;
875 wth->file_encap = file_encap;
876 wth->snapshot_length = hdr.snaplen;
878 /* In file format version 2.3, the order of the "incl_len" and
879 "orig_len" fields in the per-packet header was reversed,
880 in order to match the BPF header layout.
882 Therefore, in files with versions prior to that, we must swap
885 Unfortunately, some files were, according to a comment in the
886 "libpcap" source, written with version 2.3 in their headers
887 but without the interchanged fields, so if "incl_len" is
888 greater than "orig_len" - which would make no sense - we
889 assume that we need to swap them in version 2.3 files
892 In addition, DG/UX's tcpdump uses version 543.0, and writes
893 the two fields in the pre-2.3 order. */
894 switch (hdr.version_major) {
897 if (hdr.version_minor < 3)
898 wth->capture.pcap->lengths_swapped = SWAPPED;
899 else if (hdr.version_minor == 3)
900 wth->capture.pcap->lengths_swapped = MAYBE_SWAPPED;
902 wth->capture.pcap->lengths_swapped = NOT_SWAPPED;
906 wth->capture.pcap->lengths_swapped = SWAPPED;
910 wth->capture.pcap->lengths_swapped = NOT_SWAPPED;
915 * Is this AIX format?
919 * Yes. Skip all the tests for other mutant formats,
920 * and set the precision to nanosecond precision.
922 wth->file_type = WTAP_FILE_PCAP_AIX;
923 wth->tsprecision = WTAP_FILE_TSPREC_NSEC;
928 * No. Let's look at the header for the first record,
929 * and see if, interpreting it as a standard header (if the
930 * magic number was standard) or a modified header (if the
931 * magic number was modified), the position where it says the
932 * header for the *second* record is contains a corrupted header.
936 * If this file had the standard magic number, it may be
937 * an ss990417 capture file - in that version of Alexey's
938 * patch, the packet header format was changed but the
939 * magic number wasn't, and, alas, Red Hat appear to have
940 * picked up that version of the patch for RH 6.1, meaning
941 * RH 6.1 has a tcpdump that writes out files that can't
942 * be read by any software that expects non-modified headers
943 * if the magic number isn't the modified magic number (e.g.,
944 * any normal version of tcpdump, and Wireshark if we don't
945 * do this gross heuristic).
947 * If this file had the modified magic number, it may be
948 * an ss990915 capture file - in that version of Alexey's
949 * patch, the magic number was changed, but the record
950 * header had some extra fields, and, alas, SuSE appear
951 * to have picked up that version of the patch for SuSE
952 * 6.3, meaning that programs expecting the standard per-
953 * packet header in captures with the modified magic number
954 * can't read dumps from its tcpdump.
956 * Oh, and if it has the standard magic number, it might, instead,
957 * be a Nokia libpcap file, so we may need to try that if
958 * neither normal nor ss990417 headers work.
962 * Well, we have the magic number from Alexey's
965 * Try ss991029, the last of his patches, first.
967 wth->file_type = WTAP_FILE_PCAP_SS991029;
968 switch (libpcap_try(wth, err)) {
972 * Well, we couldn't even read it.
975 g_free(wth->capture.pcap);
980 * Well, it looks as if it might be 991029.
981 * Put the seek pointer back, and return success.
983 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
984 g_free(wth->capture.pcap);
991 * Try the next format.
997 * Well, it's not completely unreadable,
998 * but it's not ss991029. Try ss990915;
999 * there are no other types to try after that,
1000 * so we put the seek pointer back and treat
1003 wth->file_type = WTAP_FILE_PCAP_SS990915;
1004 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
1005 g_free(wth->capture.pcap);
1010 * Well, we have the standard magic number.
1012 * Try the standard format first.
1014 if(wth->tsprecision == WTAP_FILE_TSPREC_NSEC) {
1015 wth->file_type = WTAP_FILE_PCAP_NSEC;
1017 wth->file_type = WTAP_FILE_PCAP;
1019 switch (libpcap_try(wth, err)) {
1023 * Well, we couldn't even read it.
1026 g_free(wth->capture.pcap);
1031 * Well, it looks as if it might be a standard
1033 * Put the seek pointer back, and return success.
1035 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
1036 g_free(wth->capture.pcap);
1043 * Try the next format.
1049 * Well, it's not completely unreadable, but it's not
1050 * a standard file. Put the seek pointer back and try
1053 wth->file_type = WTAP_FILE_PCAP_SS990417;
1054 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
1055 g_free(wth->capture.pcap);
1058 switch (libpcap_try(wth, err)) {
1062 * Well, we couldn't even read it.
1065 g_free(wth->capture.pcap);
1070 * Well, it looks as if it might be ss990417.
1071 * Put the seek pointer back, and return success.
1073 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
1074 g_free(wth->capture.pcap);
1081 * Try the next format.
1087 * Well, it's not completely unreadable,
1088 * but it's not a standard file *nor* is it ss990417.
1089 * Try it as a Nokia file; there are no other types
1090 * to try after that, so we put the seek pointer back
1091 * and treat it as a Nokia file.
1093 wth->file_type = WTAP_FILE_PCAP_NOKIA;
1094 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
1095 g_free(wth->capture.pcap);
1100 if (hdr.network == 13) {
1102 * OK, if this was a Nokia capture, make it
1103 * WTAP_ENCAP_ATM_PDUS, otherwise return
1106 if (wth->file_type == WTAP_FILE_PCAP_NOKIA)
1107 wth->file_encap = WTAP_ENCAP_ATM_PDUS;
1109 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
1110 *err_info = g_strdup_printf("pcap: network type %u unknown or unsupported",
1112 g_free(wth->capture.pcap);
1120 /* Try to read the first two records of the capture file. */
1121 static libpcap_try_t libpcap_try(wtap *wth, int *err)
1124 * pcaprec_ss990915_hdr is the largest header type.
1126 struct pcaprec_ss990915_hdr first_rec_hdr, second_rec_hdr;
1129 * Attempt to read the first record's header.
1131 if (libpcap_read_header(wth, err, NULL, &first_rec_hdr) == -1) {
1132 if (*err == 0 || *err == WTAP_ERR_SHORT_READ) {
1134 * EOF or short read - assume the file is in this
1136 * When our client tries to read the first packet
1137 * they will presumably get the same EOF or short
1143 if (*err == WTAP_ERR_BAD_RECORD) {
1145 * The first record is bogus, so this is probably
1146 * a corrupt file. Assume the file is in this
1147 * format. When our client tries to read the
1148 * first packet they will presumably get the
1149 * same bogus record.
1155 * Some other error, e.g. an I/O error; just give up.
1161 * Now skip over the first record's data, under the assumption
1162 * that the header is sane.
1164 if (file_seek(wth->fh, first_rec_hdr.hdr.incl_len, SEEK_CUR, err) == -1)
1168 * Now attempt to read the second record's header.
1170 if (libpcap_read_header(wth, err, NULL, &second_rec_hdr) == -1) {
1171 if (*err == 0 || *err == WTAP_ERR_SHORT_READ) {
1173 * EOF or short read - assume the file is in this
1175 * When our client tries to read the second packet
1176 * they will presumably get the same EOF or short
1182 if (*err == WTAP_ERR_BAD_RECORD) {
1184 * The second record is bogus; maybe it's a
1185 * Capture File From Hell, and what looks like
1186 * the "header" of the next packet is actually
1187 * random junk from the middle of a packet.
1188 * Try the next format; if we run out of formats,
1189 * it probably *is* a corrupt file.
1191 return OTHER_FORMAT;
1195 * Some other error, e.g. an I/O error; just give up.
1201 * OK, the first two records look OK; assume this is the
1207 /* Read the next packet */
1208 static gboolean libpcap_read(wtap *wth, int *err, gchar **err_info,
1209 gint64 *data_offset)
1211 struct pcaprec_ss990915_hdr hdr;
1213 guint orig_size, size;
1215 guchar fddi_padding[3];
1217 bytes_read = libpcap_read_header(wth, err, err_info, &hdr);
1218 if (bytes_read == -1) {
1220 * We failed to read the header.
1225 wth->data_offset += bytes_read;
1226 packet_size = hdr.hdr.incl_len;
1227 orig_size = hdr.hdr.orig_len;
1230 * AIX appears to put 3 bytes of padding in front of FDDI
1231 * frames; strip that crap off.
1233 if (wth->file_type == WTAP_FILE_PCAP_AIX &&
1234 (wth->file_encap == WTAP_ENCAP_FDDI ||
1235 wth->file_encap == WTAP_ENCAP_FDDI_BITSWAPPED)) {
1237 * The packet size is really a record size and includes
1242 wth->data_offset += 3;
1247 if (!libpcap_read_rec_data(wth->fh, fddi_padding, 3, err))
1248 return FALSE; /* Read error */
1251 *data_offset = wth->data_offset;
1254 * If this is an ATM packet, the first four bytes are the
1255 * direction of the packet (transmit/receive), the VPI, and
1256 * the VCI; read them and generate the pseudo-header from
1259 switch (wth->file_encap) {
1261 case WTAP_ENCAP_ATM_PDUS:
1262 if (wth->file_type == WTAP_FILE_PCAP_NOKIA) {
1266 if (packet_size < NOKIAATM_LEN) {
1268 * Uh-oh, the packet isn't big enough to even
1269 * have a pseudo-header.
1271 *err = WTAP_ERR_BAD_RECORD;
1272 *err_info = g_strdup_printf("libpcap: Nokia IPSO ATM file has a %u-byte packet, too small to have even an ATM pseudo-header\n",
1276 if (!libpcap_read_nokiaatm_pseudoheader(wth->fh,
1277 &wth->pseudo_header, err))
1278 return FALSE; /* Read error */
1281 * Don't count the pseudo-header as part of the
1284 orig_size -= NOKIAATM_LEN;
1285 packet_size -= NOKIAATM_LEN;
1286 wth->data_offset += NOKIAATM_LEN;
1291 if (packet_size < SUNATM_LEN) {
1293 * Uh-oh, the packet isn't big enough to even
1294 * have a pseudo-header.
1296 *err = WTAP_ERR_BAD_RECORD;
1297 *err_info = g_strdup_printf("libpcap: SunATM file has a %u-byte packet, too small to have even an ATM pseudo-header\n",
1301 if (!libpcap_read_sunatm_pseudoheader(wth->fh,
1302 &wth->pseudo_header, err))
1303 return FALSE; /* Read error */
1306 * Don't count the pseudo-header as part of the
1309 orig_size -= SUNATM_LEN;
1310 packet_size -= SUNATM_LEN;
1311 wth->data_offset += SUNATM_LEN;
1315 case WTAP_ENCAP_ETHERNET:
1317 * We don't know whether there's an FCS in this frame or not.
1319 wth->pseudo_header.eth.fcs_len = -1;
1322 case WTAP_ENCAP_IEEE_802_11:
1323 case WTAP_ENCAP_PRISM_HEADER:
1324 case WTAP_ENCAP_IEEE_802_11_WLAN_RADIOTAP:
1325 case WTAP_ENCAP_IEEE_802_11_WLAN_AVS:
1327 * We don't know whether there's an FCS in this frame or not.
1328 * XXX - are there any OSes where the capture mechanism
1331 wth->pseudo_header.ieee_802_11.fcs_len = -1;
1332 wth->pseudo_header.ieee_802_11.channel = 0;
1333 wth->pseudo_header.ieee_802_11.data_rate = 0;
1334 wth->pseudo_header.ieee_802_11.signal_level = 0;
1337 case WTAP_ENCAP_IRDA:
1338 if (packet_size < IRDA_SLL_LEN) {
1340 * Uh-oh, the packet isn't big enough to even
1341 * have a pseudo-header.
1343 *err = WTAP_ERR_BAD_RECORD;
1344 *err_info = g_strdup_printf("libpcap: IrDA file has a %u-byte packet, too small to have even an IrDA pseudo-header\n",
1348 if (!libpcap_read_irda_pseudoheader(wth->fh, &wth->pseudo_header,
1350 return FALSE; /* Read error */
1353 * Don't count the pseudo-header as part of the packet.
1355 orig_size -= IRDA_SLL_LEN;
1356 packet_size -= IRDA_SLL_LEN;
1357 wth->data_offset += IRDA_SLL_LEN;
1360 case WTAP_ENCAP_MTP2_WITH_PHDR:
1361 if (packet_size < MTP2_HDR_LEN) {
1363 * Uh-oh, the packet isn't big enough to even
1364 * have a pseudo-header.
1366 *err = WTAP_ERR_BAD_RECORD;
1367 *err_info = g_strdup_printf("libpcap: MTP2 file has a %u-byte packet, too small to have even an MTP2 pseudo-header\n",
1371 if (!libpcap_read_mtp2_pseudoheader(wth->fh, &wth->pseudo_header,
1373 return FALSE; /* Read error */
1376 * Don't count the pseudo-header as part of the packet.
1378 orig_size -= MTP2_HDR_LEN;
1379 packet_size -= MTP2_HDR_LEN;
1380 wth->data_offset += MTP2_HDR_LEN;
1383 case WTAP_ENCAP_LINUX_LAPD:
1384 if (packet_size < LAPD_SLL_LEN) {
1386 * Uh-oh, the packet isn't big enough to even
1387 * have a pseudo-header.
1389 *err = WTAP_ERR_BAD_RECORD;
1390 *err_info = g_strdup_printf("libpcap: LAPD file has a %u-byte packet, too small to have even a LAPD pseudo-header\n",
1394 if (!libpcap_read_lapd_pseudoheader(wth->fh, &wth->pseudo_header,
1396 return FALSE; /* Read error */
1399 * Don't count the pseudo-header as part of the packet.
1401 orig_size -= LAPD_SLL_LEN;
1402 packet_size -= LAPD_SLL_LEN;
1403 wth->data_offset += LAPD_SLL_LEN;
1406 case WTAP_ENCAP_SITA:
1407 if (packet_size < SITA_HDR_LEN) {
1409 * Uh-oh, the packet isn't big enough to even
1410 * have a pseudo-header.
1412 *err = WTAP_ERR_BAD_RECORD;
1413 *err_info = g_strdup_printf("libpcap: SITA file has a %u-byte packet, too small to have even a SITA pseudo-header\n",
1417 if (!libpcap_read_sita_pseudoheader(wth->fh, &wth->pseudo_header,
1419 return FALSE; /* Read error */
1422 * Don't count the pseudo-header as part of the packet.
1424 orig_size -= SITA_HDR_LEN;
1425 packet_size -= SITA_HDR_LEN;
1426 wth->data_offset += SITA_HDR_LEN;
1429 case WTAP_ENCAP_USB_LINUX:
1430 if (packet_size < sizeof (struct linux_usb_phdr)) {
1432 * Uh-oh, the packet isn't big enough to even
1433 * have a pseudo-header.
1435 *err = WTAP_ERR_BAD_RECORD;
1436 *err_info = g_strdup_printf("libpcap: Linux USB file has a %u-byte packet, too small to have even a Linux USB pseudo-header\n",
1440 if (!libpcap_read_linux_usb_pseudoheader(wth, wth->fh,
1441 &wth->pseudo_header, err))
1442 return FALSE; /* Read error */
1445 * Don't count the pseudo-header as part of the packet.
1447 orig_size -= sizeof (struct linux_usb_phdr);
1448 packet_size -= sizeof (struct linux_usb_phdr);
1449 wth->data_offset += sizeof (struct linux_usb_phdr);
1452 case WTAP_ENCAP_BLUETOOTH_H4_WITH_PHDR:
1453 if (packet_size < sizeof (struct libpcap_bt_phdr)) {
1455 * Uh-oh, the packet isn't big enough to even
1456 * have a pseudo-header.
1458 *err = WTAP_ERR_BAD_RECORD;
1459 *err_info = g_strdup_printf("libpcap: lipcap bluetooth file has a %u-byte packet, too small to have even a pseudo-header\n",
1463 if (!libpcap_read_bt_pseudoheader(wth->fh,
1464 &wth->pseudo_header, err))
1465 return FALSE; /* Read error */
1468 * Don't count the pseudo-header as part of the packet.
1470 orig_size -= sizeof (struct libpcap_bt_phdr);
1471 packet_size -= sizeof (struct libpcap_bt_phdr);
1472 wth->data_offset += sizeof (struct libpcap_bt_phdr);
1475 case WTAP_ENCAP_ERF:
1476 if (packet_size < sizeof(struct erf_phdr) ) {
1478 * Uh-oh, the packet isn't big enough to even
1479 * have a pseudo-header.
1481 *err = WTAP_ERR_BAD_RECORD;
1482 *err_info = g_strdup_printf("libpcap: ERF file has a %u-byte packet, too small to have even an ERF pseudo-header\n",
1486 if (!libpcap_read_erf_pseudoheader(wth->fh, &wth->phdr, &wth->pseudo_header,
1488 return FALSE; /* Read error */
1491 * Don't count the pseudo-header as part of the packet.
1493 orig_size -= sizeof(struct erf_phdr);
1494 packet_size -= sizeof(struct erf_phdr);
1495 wth->data_offset += sizeof(struct erf_phdr);
1497 if (!libpcap_read_erf_subheader(wth->fh, &wth->pseudo_header,
1498 err, err_info, &size))
1499 return FALSE; /* Read error */
1502 * Don't count the optional mc-header as part of the packet.
1505 packet_size -= size;
1506 wth->data_offset += size;
1511 buffer_assure_space(wth->frame_buffer, packet_size);
1512 if (!libpcap_read_rec_data(wth->fh, buffer_start_ptr(wth->frame_buffer),
1514 return FALSE; /* Read error */
1515 wth->data_offset += packet_size;
1517 /* Update the Timestamp, if not already done */
1518 if (wth->file_encap != WTAP_ENCAP_ERF) {
1519 wth->phdr.ts.secs = hdr.hdr.ts_sec;
1520 if(wth->tsprecision == WTAP_FILE_TSPREC_NSEC) {
1521 wth->phdr.ts.nsecs = hdr.hdr.ts_usec;
1523 wth->phdr.ts.nsecs = hdr.hdr.ts_usec * 1000;
1526 wth->phdr.caplen = packet_size;
1527 wth->phdr.len = orig_size;
1529 if (wth->file_encap == WTAP_ENCAP_ATM_PDUS) {
1530 if (wth->file_type == WTAP_FILE_PCAP_NOKIA) {
1534 * Guess the traffic type based on the packet
1537 atm_guess_traffic_type(buffer_start_ptr(wth->frame_buffer),
1538 wth->phdr.caplen, &wth->pseudo_header);
1543 * If this is ATM LANE traffic, try to guess what
1544 * type of LANE traffic it is based on the packet
1547 if (wth->pseudo_header.atm.type == TRAF_LANE) {
1548 atm_guess_lane_type(buffer_start_ptr(wth->frame_buffer),
1549 wth->phdr.caplen, &wth->pseudo_header);
1558 libpcap_seek_read(wtap *wth, gint64 seek_off,
1559 union wtap_pseudo_header *pseudo_header, guchar *pd, int length,
1560 int *err, gchar **err_info)
1564 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
1567 switch (wth->file_encap) {
1569 case WTAP_ENCAP_ATM_PDUS:
1570 if (wth->file_type == WTAP_FILE_PCAP_NOKIA) {
1574 if (!libpcap_read_nokiaatm_pseudoheader(wth->random_fh,
1575 pseudo_header, err)) {
1583 if (!libpcap_read_sunatm_pseudoheader(wth->random_fh,
1584 pseudo_header, err)) {
1591 case WTAP_ENCAP_ETHERNET:
1593 * We don't know whether there's an FCS in this frame or not.
1595 pseudo_header->eth.fcs_len = -1;
1598 case WTAP_ENCAP_IEEE_802_11:
1599 case WTAP_ENCAP_PRISM_HEADER:
1600 case WTAP_ENCAP_IEEE_802_11_WLAN_RADIOTAP:
1601 case WTAP_ENCAP_IEEE_802_11_WLAN_AVS:
1603 * We don't know whether there's an FCS in this frame or not.
1604 * XXX - are there any OSes where the capture mechanism
1607 pseudo_header->ieee_802_11.fcs_len = -1;
1610 case WTAP_ENCAP_IRDA:
1611 if (!libpcap_read_irda_pseudoheader(wth->random_fh, pseudo_header,
1618 case WTAP_ENCAP_MTP2_WITH_PHDR:
1619 if (!libpcap_read_mtp2_pseudoheader(wth->random_fh, pseudo_header,
1626 case WTAP_ENCAP_LINUX_LAPD:
1627 if (!libpcap_read_lapd_pseudoheader(wth->random_fh, pseudo_header,
1634 case WTAP_ENCAP_SITA:
1635 if (!libpcap_read_sita_pseudoheader(wth->random_fh, pseudo_header,
1642 case WTAP_ENCAP_USB_LINUX:
1643 if (!libpcap_read_linux_usb_pseudoheader(wth, wth->random_fh,
1644 pseudo_header, err))
1645 return FALSE; /* Read error */
1648 case WTAP_ENCAP_BLUETOOTH_H4_WITH_PHDR:
1649 if (!libpcap_read_bt_pseudoheader(wth->random_fh,
1650 pseudo_header, err))
1651 return FALSE; /* Read error */
1654 case WTAP_ENCAP_ERF:
1655 if (!libpcap_read_erf_pseudoheader(wth->random_fh, NULL, pseudo_header,
1660 /* check the optional Multi Channel header */
1661 if (!libpcap_read_erf_subheader(wth->random_fh, pseudo_header,
1662 err, err_info, &size)) {
1670 * Read the packet data.
1672 if (!libpcap_read_rec_data(wth->random_fh, pd, length, err))
1673 return FALSE; /* failed */
1675 if (wth->file_encap == WTAP_ENCAP_ATM_PDUS) {
1676 if (wth->file_type == WTAP_FILE_PCAP_NOKIA) {
1680 * Guess the traffic type based on the packet
1683 atm_guess_traffic_type(pd, length, pseudo_header);
1688 * If this is ATM LANE traffic, try to guess what
1689 * type of LANE traffic it is based on the packet
1692 if (pseudo_header->atm.type == TRAF_LANE)
1693 atm_guess_lane_type(pd, length, pseudo_header);
1699 /* Read the header of the next packet.
1701 Return -1 on an error, or the number of bytes of header read on success. */
1702 static int libpcap_read_header(wtap *wth, int *err, gchar **err_info,
1703 struct pcaprec_ss990915_hdr *hdr)
1705 int bytes_to_read, bytes_read;
1707 /* Read record header. */
1708 errno = WTAP_ERR_CANT_READ;
1709 switch (wth->file_type) {
1711 case WTAP_FILE_PCAP:
1712 case WTAP_FILE_PCAP_AIX:
1713 case WTAP_FILE_PCAP_NSEC:
1714 bytes_to_read = sizeof (struct pcaprec_hdr);
1717 case WTAP_FILE_PCAP_SS990417:
1718 case WTAP_FILE_PCAP_SS991029:
1719 bytes_to_read = sizeof (struct pcaprec_modified_hdr);
1722 case WTAP_FILE_PCAP_SS990915:
1723 bytes_to_read = sizeof (struct pcaprec_ss990915_hdr);
1726 case WTAP_FILE_PCAP_NOKIA:
1727 bytes_to_read = sizeof (struct pcaprec_nokia_hdr);
1731 g_assert_not_reached();
1734 bytes_read = file_read(hdr, 1, bytes_to_read, wth->fh);
1735 if (bytes_read != bytes_to_read) {
1736 *err = file_error(wth->fh);
1737 if (*err == 0 && bytes_read != 0) {
1738 *err = WTAP_ERR_SHORT_READ;
1743 adjust_header(wth, &hdr->hdr);
1745 if (hdr->hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
1747 * Probably a corrupt capture file; return an error,
1748 * so that our caller doesn't blow up trying to allocate
1749 * space for an immensely-large packet, and so that
1750 * the code to try to guess what type of libpcap file
1751 * this is can tell when it's not the type we're guessing
1754 *err = WTAP_ERR_BAD_RECORD;
1755 if (err_info != NULL) {
1756 *err_info = g_strdup_printf("pcap: File has %u-byte packet, bigger than maximum of %u",
1757 hdr->hdr.incl_len, WTAP_MAX_PACKET_SIZE);
1762 if (hdr->hdr.orig_len > WTAP_MAX_PACKET_SIZE) {
1764 * Probably a corrupt capture file; return an error,
1765 * so that our caller doesn't blow up trying to
1766 * cope with a huge "real" packet length, and so that
1767 * the code to try to guess what type of libpcap file
1768 * this is can tell when it's not the type we're guessing
1771 *err = WTAP_ERR_BAD_RECORD;
1772 if (err_info != NULL) {
1773 *err_info = g_strdup_printf("pcap: File has %u-byte packet, bigger than maximum of %u",
1774 hdr->hdr.orig_len, WTAP_MAX_PACKET_SIZE);
1783 adjust_header(wtap *wth, struct pcaprec_hdr *hdr)
1787 if (wth->capture.pcap->byte_swapped) {
1788 /* Byte-swap the record header fields. */
1789 hdr->ts_sec = BSWAP32(hdr->ts_sec);
1790 hdr->ts_usec = BSWAP32(hdr->ts_usec);
1791 hdr->incl_len = BSWAP32(hdr->incl_len);
1792 hdr->orig_len = BSWAP32(hdr->orig_len);
1795 /* Swap the "incl_len" and "orig_len" fields, if necessary. */
1796 switch (wth->capture.pcap->lengths_swapped) {
1802 if (hdr->incl_len <= hdr->orig_len) {
1804 * The captured length is <= the actual length,
1805 * so presumably they weren't swapped.
1812 temp = hdr->orig_len;
1813 hdr->orig_len = hdr->incl_len;
1814 hdr->incl_len = temp;
1820 libpcap_get_sunatm_pseudoheader(const guint8 *atm_phdr,
1821 union wtap_pseudo_header *pseudo_header)
1826 vpi = atm_phdr[SUNATM_VPI];
1827 vci = pntohs(&atm_phdr[SUNATM_VCI]);
1829 switch (atm_phdr[SUNATM_FLAGS] & 0x0F) {
1831 case 0x01: /* LANE */
1832 pseudo_header->atm.aal = AAL_5;
1833 pseudo_header->atm.type = TRAF_LANE;
1836 case 0x02: /* RFC 1483 LLC multiplexed traffic */
1837 pseudo_header->atm.aal = AAL_5;
1838 pseudo_header->atm.type = TRAF_LLCMX;
1841 case 0x05: /* ILMI */
1842 pseudo_header->atm.aal = AAL_5;
1843 pseudo_header->atm.type = TRAF_ILMI;
1846 case 0x06: /* Q.2931 */
1847 pseudo_header->atm.aal = AAL_SIGNALLING;
1848 pseudo_header->atm.type = TRAF_UNKNOWN;
1851 case 0x03: /* MARS (RFC 2022) */
1852 pseudo_header->atm.aal = AAL_5;
1853 pseudo_header->atm.type = TRAF_UNKNOWN;
1856 case 0x04: /* IFMP (Ipsilon Flow Management Protocol; see RFC 1954) */
1857 pseudo_header->atm.aal = AAL_5;
1858 pseudo_header->atm.type = TRAF_UNKNOWN; /* XXX - TRAF_IPSILON? */
1863 * Assume it's AAL5, unless it's VPI 0 and VCI 5, in which
1864 * case assume it's AAL_SIGNALLING; we know nothing more
1867 * XXX - is this necessary? Or are we guaranteed that
1868 * all signalling traffic has a type of 0x06?
1870 * XXX - is this guaranteed to be AAL5? Or, if the type is
1871 * 0x00 ("raw"), might it be non-AAL5 traffic?
1873 if (vpi == 0 && vci == 5)
1874 pseudo_header->atm.aal = AAL_SIGNALLING;
1876 pseudo_header->atm.aal = AAL_5;
1877 pseudo_header->atm.type = TRAF_UNKNOWN;
1880 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1882 pseudo_header->atm.vpi = vpi;
1883 pseudo_header->atm.vci = vci;
1884 pseudo_header->atm.channel = (atm_phdr[SUNATM_FLAGS] & 0x80) ? 0 : 1;
1886 /* We don't have this information */
1887 pseudo_header->atm.flags = 0;
1888 pseudo_header->atm.cells = 0;
1889 pseudo_header->atm.aal5t_u2u = 0;
1890 pseudo_header->atm.aal5t_len = 0;
1891 pseudo_header->atm.aal5t_chksum = 0;
1895 libpcap_read_sunatm_pseudoheader(FILE_T fh,
1896 union wtap_pseudo_header *pseudo_header, int *err)
1898 guint8 atm_phdr[SUNATM_LEN];
1901 errno = WTAP_ERR_CANT_READ;
1902 bytes_read = file_read(atm_phdr, 1, SUNATM_LEN, fh);
1903 if (bytes_read != SUNATM_LEN) {
1904 *err = file_error(fh);
1906 *err = WTAP_ERR_SHORT_READ;
1910 libpcap_get_sunatm_pseudoheader(atm_phdr, pseudo_header);
1916 libpcap_read_nokiaatm_pseudoheader(FILE_T fh,
1917 union wtap_pseudo_header *pseudo_header, int *err)
1919 guint8 atm_phdr[NOKIAATM_LEN];
1924 errno = WTAP_ERR_CANT_READ;
1925 bytes_read = file_read(atm_phdr, 1, NOKIAATM_LEN, fh);
1926 if (bytes_read != NOKIAATM_LEN) {
1927 *err = file_error(fh);
1929 *err = WTAP_ERR_SHORT_READ;
1933 vpi = atm_phdr[NOKIAATM_VPI];
1934 vci = pntohs(&atm_phdr[NOKIAATM_VCI]);
1936 pseudo_header->atm.vpi = vpi;
1937 pseudo_header->atm.vci = vci;
1938 pseudo_header->atm.channel = (atm_phdr[NOKIAATM_FLAGS] & 0x80) ? 0 : 1;
1940 /* We don't have this information */
1941 pseudo_header->atm.flags = 0;
1942 pseudo_header->atm.cells = 0;
1943 pseudo_header->atm.aal5t_u2u = 0;
1944 pseudo_header->atm.aal5t_len = 0;
1945 pseudo_header->atm.aal5t_chksum = 0;
1951 libpcap_get_irda_pseudoheader(const guint8 *irda_phdr,
1952 union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info)
1954 if (pntohs(&irda_phdr[IRDA_SLL_PROTOCOL_OFFSET]) != 0x0017) {
1955 *err = WTAP_ERR_BAD_RECORD;
1956 if (err_info != NULL)
1957 *err_info = g_strdup("libpcap: IrDA capture has a packet with an invalid sll_protocol field\n");
1961 pseudo_header->irda.pkttype = pntohs(&irda_phdr[IRDA_SLL_PKTTYPE_OFFSET]);
1967 libpcap_read_irda_pseudoheader(FILE_T fh, union wtap_pseudo_header *pseudo_header,
1968 int *err, gchar **err_info)
1970 guint8 irda_phdr[IRDA_SLL_LEN];
1973 errno = WTAP_ERR_CANT_READ;
1974 bytes_read = file_read(irda_phdr, 1, IRDA_SLL_LEN, fh);
1975 if (bytes_read != IRDA_SLL_LEN) {
1976 *err = file_error(fh);
1978 *err = WTAP_ERR_SHORT_READ;
1982 return libpcap_get_irda_pseudoheader(irda_phdr, pseudo_header, err,
1987 libpcap_get_mtp2_pseudoheader(const guint8 *mtp2_hdr, union wtap_pseudo_header *pseudo_header)
1989 pseudo_header->mtp2.sent = mtp2_hdr[MTP2_SENT_OFFSET];
1990 pseudo_header->mtp2.annex_a_used = mtp2_hdr[MTP2_ANNEX_A_USED_OFFSET];
1991 pseudo_header->mtp2.link_number = pntohs(&mtp2_hdr[MTP2_LINK_NUMBER_OFFSET]);
1997 libpcap_read_mtp2_pseudoheader(FILE_T fh, union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info _U_)
1999 guint8 mtp2_hdr[MTP2_HDR_LEN];
2002 errno = WTAP_ERR_CANT_READ;
2003 bytes_read = file_read(mtp2_hdr, 1, MTP2_HDR_LEN, fh);
2004 if (bytes_read != MTP2_HDR_LEN) {
2005 *err = file_error(fh);
2007 *err = WTAP_ERR_SHORT_READ;
2011 return libpcap_get_mtp2_pseudoheader(mtp2_hdr, pseudo_header);
2016 libpcap_get_lapd_pseudoheader(const guint8 *lapd_phdr,
2017 union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info)
2019 if (pntohs(&lapd_phdr[LAPD_SLL_PROTOCOL_OFFSET]) != ETH_P_LAPD) {
2020 *err = WTAP_ERR_BAD_RECORD;
2021 if (err_info != NULL)
2022 *err_info = g_strdup("libpcap: LAPD capture has a packet with an invalid sll_protocol field\n");
2026 pseudo_header->lapd.pkttype = pntohs(&lapd_phdr[LAPD_SLL_PKTTYPE_OFFSET]);
2027 pseudo_header->lapd.we_network = !!lapd_phdr[LAPD_SLL_ADDR_OFFSET+0];
2033 libpcap_read_lapd_pseudoheader(FILE_T fh, union wtap_pseudo_header *pseudo_header,
2034 int *err, gchar **err_info)
2036 guint8 lapd_phdr[LAPD_SLL_LEN];
2039 errno = WTAP_ERR_CANT_READ;
2040 bytes_read = file_read(lapd_phdr, 1, LAPD_SLL_LEN, fh);
2041 if (bytes_read != LAPD_SLL_LEN) {
2042 *err = file_error(fh);
2044 *err = WTAP_ERR_SHORT_READ;
2048 return libpcap_get_lapd_pseudoheader(lapd_phdr, pseudo_header, err,
2053 libpcap_get_sita_pseudoheader(const guint8 *sita_phdr,
2054 union wtap_pseudo_header *pseudo_header)
2056 pseudo_header->sita.flags = sita_phdr[SITA_FLAGS_OFFSET];
2057 pseudo_header->sita.signals = sita_phdr[SITA_SIGNALS_OFFSET];
2058 pseudo_header->sita.errors1 = sita_phdr[SITA_ERRORS1_OFFSET];
2059 pseudo_header->sita.errors2 = sita_phdr[SITA_ERRORS2_OFFSET];
2060 pseudo_header->sita.proto = sita_phdr[SITA_PROTO_OFFSET];
2065 libpcap_read_sita_pseudoheader(FILE_T fh, union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info _U_)
2067 guint8 sita_phdr[SITA_HDR_LEN];
2070 errno = WTAP_ERR_CANT_READ;
2071 bytes_read = file_read(sita_phdr, 1, SITA_HDR_LEN, fh);
2072 if (bytes_read != SITA_HDR_LEN) {
2073 *err = file_error(fh);
2075 *err = WTAP_ERR_SHORT_READ;
2079 return libpcap_get_sita_pseudoheader(sita_phdr, pseudo_header);
2083 libpcap_swap_linux_usb_pseudoheader(struct linux_usb_phdr *phdr)
2085 phdr->id = GUINT64_SWAP_LE_BE(phdr->id);
2086 phdr->bus_id = GUINT16_SWAP_LE_BE(phdr->bus_id);
2087 phdr->ts_sec = GUINT64_SWAP_LE_BE(phdr->ts_sec);
2088 phdr->ts_usec = GUINT32_SWAP_LE_BE(phdr->ts_usec);
2089 phdr->status = GUINT32_SWAP_LE_BE(phdr->status);
2090 phdr->urb_len = GUINT32_SWAP_LE_BE(phdr->urb_len);
2091 phdr->data_len = GUINT32_SWAP_LE_BE(phdr->data_len);
2095 libpcap_read_linux_usb_pseudoheader(wtap *wth, FILE_T fh,
2096 union wtap_pseudo_header *pseudo_header, int *err)
2100 errno = WTAP_ERR_CANT_READ;
2101 bytes_read = file_read(&pseudo_header->linux_usb, 1,
2102 sizeof (struct linux_usb_phdr), fh);
2103 if (bytes_read != sizeof (struct linux_usb_phdr)) {
2104 *err = file_error(fh);
2106 *err = WTAP_ERR_SHORT_READ;
2109 if (wth->capture.pcap->byte_swapped)
2110 libpcap_swap_linux_usb_pseudoheader(&pseudo_header->linux_usb);
2115 libpcap_read_bt_pseudoheader(FILE_T fh,
2116 union wtap_pseudo_header *pseudo_header, int *err)
2119 struct libpcap_bt_phdr phdr;
2121 errno = WTAP_ERR_CANT_READ;
2122 bytes_read = file_read(&phdr, 1,
2123 sizeof (struct libpcap_bt_phdr), fh);
2124 if (bytes_read != sizeof (struct libpcap_bt_phdr)) {
2125 *err = file_error(fh);
2127 *err = WTAP_ERR_SHORT_READ;
2130 pseudo_header->p2p.sent = ((g_ntohl(phdr.direction) & 0x1) == 0)? TRUE: FALSE;
2136 libpcap_get_erf_pseudoheader(const guint8 *erf_hdr, struct wtap_pkthdr *whdr,
2137 union wtap_pseudo_header *pseudo_header)
2139 pseudo_header->erf.phdr.ts = pletohll(&erf_hdr[0]); /* timestamp */
2140 pseudo_header->erf.phdr.type = erf_hdr[8];
2141 pseudo_header->erf.phdr.flags = erf_hdr[9];
2142 pseudo_header->erf.phdr.rlen = pntohs(&erf_hdr[10]);
2143 pseudo_header->erf.phdr.lctr = pntohs(&erf_hdr[12]);
2144 pseudo_header->erf.phdr.wlen = pntohs(&erf_hdr[14]);
2146 /* The high 32 bits of the timestamp contain the integer number of seconds
2147 * while the lower 32 bits contain the binary fraction of the second.
2148 * This allows an ultimate resolution of 1/(2^32) seconds, or approximately 233 picoseconds */
2150 guint64 ts = pseudo_header->erf.phdr.ts;
2151 whdr->ts.secs = (guint32) (ts >> 32);
2152 ts = ((ts & 0xffffffff) * 1000 * 1000 * 1000);
2153 ts += (ts & 0x80000000) << 1; /* rounding */
2154 whdr->ts.nsecs = ((guint32) (ts >> 32));
2155 if ( whdr->ts.nsecs >= 1000000000) {
2156 whdr->ts.nsecs -= 1000000000;
2164 libpcap_read_erf_pseudoheader(FILE_T fh, struct wtap_pkthdr *whdr,
2165 union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info _U_)
2167 guint8 erf_hdr[sizeof(struct erf_phdr)];
2170 errno = WTAP_ERR_CANT_READ;
2171 bytes_read = file_read(erf_hdr, 1, sizeof(struct erf_phdr), fh);
2172 if (bytes_read != sizeof(struct erf_phdr)) {
2173 *err = file_error(fh);
2175 *err = WTAP_ERR_SHORT_READ;
2178 return libpcap_get_erf_pseudoheader(erf_hdr, whdr, pseudo_header);
2182 libpcap_get_erf_subheader(const guint8 *erf_subhdr,
2183 union wtap_pseudo_header *pseudo_header, guint * psize)
2186 switch(pseudo_header->erf.phdr.type) {
2187 case ERF_TYPE_MC_HDLC:
2188 case ERF_TYPE_MC_RAW:
2189 case ERF_TYPE_MC_ATM:
2190 case ERF_TYPE_MC_RAW_CHANNEL:
2191 case ERF_TYPE_MC_AAL5:
2192 case ERF_TYPE_MC_AAL2:
2193 case ERF_TYPE_COLOR_MC_HDLC_POS:
2194 /* Extract the Multi Channel header to include it in the pseudo header part */
2195 pseudo_header->erf.subhdr.mc_hdr = pntohl(&erf_subhdr[0]);
2196 *psize = sizeof(erf_mc_header_t);
2199 case ERF_TYPE_COLOR_ETH:
2200 case ERF_TYPE_DSM_COLOR_ETH:
2201 /* Extract the Ethernet additional header to include it in the pseudo header part */
2202 pseudo_header->erf.subhdr.eth_hdr = pntohs(&erf_subhdr[0]);
2203 *psize = sizeof(erf_eth_header_t);
2206 /* No optional pseudo header for this ERF type */
2213 * If the type of record given in the pseudo header indicate the precense of a subheader
2214 * then, read this optional subheader
2217 libpcap_read_erf_subheader(FILE_T fh, union wtap_pseudo_header *pseudo_header,
2218 int *err, gchar **err_info _U_, guint * psize)
2220 guint8 erf_subhdr[sizeof(union erf_subhdr)];
2224 switch(pseudo_header->erf.phdr.type) {
2225 case ERF_TYPE_MC_HDLC:
2226 case ERF_TYPE_MC_RAW:
2227 case ERF_TYPE_MC_ATM:
2228 case ERF_TYPE_MC_RAW_CHANNEL:
2229 case ERF_TYPE_MC_AAL5:
2230 case ERF_TYPE_MC_AAL2:
2231 case ERF_TYPE_COLOR_MC_HDLC_POS:
2232 /* Extract the Multi Channel header to include it in the pseudo header part */
2233 errno = WTAP_ERR_CANT_READ;
2234 bytes_read = file_read(erf_subhdr, 1, sizeof(erf_mc_header_t), fh);
2235 if (bytes_read != sizeof(erf_mc_header_t) ) {
2236 *err = file_error(fh);
2238 *err = WTAP_ERR_SHORT_READ;
2241 *psize = sizeof(erf_mc_header_t);
2244 case ERF_TYPE_COLOR_ETH:
2245 case ERF_TYPE_DSM_COLOR_ETH:
2246 /* Extract the Ethernet additional header to include it in the pseudo header part */
2247 errno = WTAP_ERR_CANT_READ;
2248 bytes_read = file_read(erf_subhdr, 1, sizeof(erf_eth_header_t), fh);
2249 if (bytes_read != sizeof(erf_eth_header_t) ) {
2250 *err = file_error(fh);
2252 *err = WTAP_ERR_SHORT_READ;
2255 *psize = sizeof(erf_eth_header_t);
2258 /* No optional pseudo header for this ERF type */
2261 return libpcap_get_erf_subheader(erf_subhdr, pseudo_header, psize);
2265 libpcap_read_rec_data(FILE_T fh, guchar *pd, int length, int *err)
2269 errno = WTAP_ERR_CANT_READ;
2270 bytes_read = file_read(pd, 1, length, fh);
2272 if (bytes_read != length) {
2273 *err = file_error(fh);
2275 *err = WTAP_ERR_SHORT_READ;
2282 libpcap_close(wtap *wth)
2284 g_free(wth->capture.pcap);
2287 static int wtap_wtap_encap_to_pcap_encap(int encap)
2293 case WTAP_ENCAP_FDDI:
2294 case WTAP_ENCAP_FDDI_BITSWAPPED:
2295 case WTAP_ENCAP_NETTL_FDDI:
2297 * Special-case WTAP_ENCAP_FDDI and
2298 * WTAP_ENCAP_FDDI_BITSWAPPED; both of them get mapped
2299 * to DLT_FDDI (even though that may mean that the bit
2300 * order in the FDDI MAC addresses is wrong; so it goes
2301 * - libpcap format doesn't record the byte order,
2302 * so that's not fixable).
2304 return 10; /* that's DLT_FDDI */
2306 case WTAP_ENCAP_PPP_WITH_PHDR:
2308 * Also special-case PPP with direction bits; map it to
2309 * PPP, even though that means that the direction of the
2314 case WTAP_ENCAP_FRELAY_WITH_PHDR:
2316 * Do the same with Frame Relay.
2320 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
2322 * Map this to DLT_IEEE802_11, for now, even though
2323 * that means the radio information will be lost.
2324 * Once tcpdump support for the BSD radiotap header
2325 * is sufficiently widespread, we should probably
2326 * use that, instead - although we should probably
2327 * ultimately just have WTAP_ENCAP_IEEE_802_11
2328 * as the only Wiretap encapsulation for 802.11,
2329 * and have the pseudo-header include a radiotap-style
2330 * list of attributes. If we do that, though, we
2331 * should probably bypass the regular Wiretap code
2332 * when writing out packets during a capture, and just
2333 * do the equivalent of a libpcap write (unfortunately,
2334 * libpcap doesn't have an "open dump by file descriptor"
2335 * function, so we can't just use "pcap_dump()"), so
2336 * that we don't spend cycles mapping from libpcap to
2337 * Wiretap and then back to libpcap. (There are other
2338 * reasons to do that, e.g. to handle AIX libpcap better.)
2343 for (i = 0; i < NUM_PCAP_ENCAPS; i++) {
2344 if (pcap_to_wtap_map[i].wtap_encap_value == encap)
2345 return pcap_to_wtap_map[i].dlt_value;
2350 /* Returns 0 if we could write the specified encapsulation type,
2351 an error indication otherwise. */
2352 int libpcap_dump_can_write_encap(int encap)
2354 /* Per-packet encapsulations aren't supported. */
2355 if (encap == WTAP_ENCAP_PER_PACKET)
2356 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
2358 if (wtap_wtap_encap_to_pcap_encap(encap) == -1)
2359 return WTAP_ERR_UNSUPPORTED_ENCAP;
2364 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
2366 gboolean libpcap_dump_open(wtap_dumper *wdh, gboolean cant_seek _U_, int *err)
2369 struct pcap_hdr file_hdr;
2372 /* This is a libpcap file */
2373 wdh->subtype_write = libpcap_dump;
2374 wdh->subtype_close = NULL;
2376 /* Write the file header. */
2377 switch (wdh->file_type) {
2379 case WTAP_FILE_PCAP:
2380 case WTAP_FILE_PCAP_SS990417: /* modified, but with the old magic, sigh */
2381 case WTAP_FILE_PCAP_NOKIA: /* Nokia libpcap of some sort */
2383 wdh->tsprecision = WTAP_FILE_TSPREC_USEC;
2386 case WTAP_FILE_PCAP_SS990915: /* new magic, extra crap */
2387 case WTAP_FILE_PCAP_SS991029:
2388 magic = PCAP_MODIFIED_MAGIC;
2389 wdh->tsprecision = WTAP_FILE_TSPREC_USEC;
2392 case WTAP_FILE_PCAP_NSEC: /* same as WTAP_FILE_PCAP, but nsec precision */
2393 magic = PCAP_NSEC_MAGIC;
2394 wdh->tsprecision = WTAP_FILE_TSPREC_NSEC;
2398 /* We should never get here - our open routine
2399 should only get called for the types above. */
2400 *err = WTAP_ERR_UNSUPPORTED_FILE_TYPE;
2404 nwritten = wtap_dump_file_write(wdh, &magic, sizeof magic);
2405 if (nwritten != sizeof magic) {
2406 if (nwritten == 0 && wtap_dump_file_ferror(wdh))
2407 *err = wtap_dump_file_ferror(wdh);
2409 *err = WTAP_ERR_SHORT_WRITE;
2412 wdh->bytes_dumped += sizeof magic;
2414 /* current "libpcap" format is 2.4 */
2415 file_hdr.version_major = 2;
2416 file_hdr.version_minor = 4;
2417 file_hdr.thiszone = 0; /* XXX - current offset? */
2418 file_hdr.sigfigs = 0; /* unknown, but also apparently unused */
2420 * Tcpdump cannot handle capture files with a snapshot length of 0,
2421 * as BPF filters return either 0 if they fail or the snapshot length
2422 * if they succeed, and a snapshot length of 0 means success is
2423 * indistinguishable from failure and the filter expression would
2424 * reject all packets.
2426 * A snapshot length of 0, inside Wiretap, means "snapshot length
2427 * unknown"; if the snapshot length supplied to us is 0, we make
2428 * the snapshot length in the header file WTAP_MAX_PACKET_SIZE.
2430 file_hdr.snaplen = (wdh->snaplen != 0) ? wdh->snaplen :
2431 WTAP_MAX_PACKET_SIZE;
2432 file_hdr.network = wtap_wtap_encap_to_pcap_encap(wdh->encap);
2433 nwritten = wtap_dump_file_write(wdh, &file_hdr, sizeof file_hdr);
2434 if (nwritten != sizeof file_hdr) {
2435 if (nwritten == 0 && wtap_dump_file_ferror(wdh))
2436 *err = wtap_dump_file_ferror(wdh);
2438 *err = WTAP_ERR_SHORT_WRITE;
2441 wdh->bytes_dumped += sizeof file_hdr;
2446 /* Write a record for a packet to a dump file.
2447 Returns TRUE on success, FALSE on failure. */
2448 static gboolean libpcap_dump(wtap_dumper *wdh,
2449 const struct wtap_pkthdr *phdr,
2450 const union wtap_pseudo_header *pseudo_header _U_,
2451 const guchar *pd, int *err)
2453 struct pcaprec_ss990915_hdr rec_hdr;
2456 guint8 atm_hdr[SUNATM_LEN];
2457 guint8 irda_hdr[IRDA_SLL_LEN];
2458 guint8 lapd_hdr[LAPD_SLL_LEN];
2459 guint8 mtp2_hdr[MTP2_HDR_LEN];
2460 guint8 sita_hdr[SITA_HDR_LEN];
2461 guint8 erf_hdr[ sizeof(struct erf_mc_phdr)];
2464 switch (wdh->encap) {
2466 case WTAP_ENCAP_ATM_PDUS:
2467 hdrsize = SUNATM_LEN;
2470 case WTAP_ENCAP_IRDA:
2471 hdrsize = IRDA_SLL_LEN;
2474 case WTAP_ENCAP_MTP2_WITH_PHDR:
2475 hdrsize = MTP2_HDR_LEN;
2478 case WTAP_ENCAP_LINUX_LAPD:
2479 hdrsize = LAPD_SLL_LEN;
2482 case WTAP_ENCAP_SITA:
2483 hdrsize = SITA_HDR_LEN;
2486 case WTAP_ENCAP_USB_LINUX:
2487 hdrsize = sizeof (struct linux_usb_phdr);
2490 case WTAP_ENCAP_ERF:
2491 hdrsize = sizeof (struct erf_phdr);
2492 switch(pseudo_header->erf.phdr.type) {
2493 case ERF_TYPE_MC_HDLC:
2494 case ERF_TYPE_MC_RAW:
2495 case ERF_TYPE_MC_ATM:
2496 case ERF_TYPE_MC_RAW_CHANNEL:
2497 case ERF_TYPE_MC_AAL5:
2498 case ERF_TYPE_MC_AAL2:
2499 case ERF_TYPE_COLOR_MC_HDLC_POS:
2500 hdrsize += sizeof(struct erf_mc_hdr);
2503 case ERF_TYPE_COLOR_ETH:
2504 case ERF_TYPE_DSM_COLOR_ETH:
2505 hdrsize += sizeof(struct erf_eth_hdr);
2517 rec_hdr.hdr.ts_sec = (guint32) phdr->ts.secs;
2518 if(wdh->tsprecision == WTAP_FILE_TSPREC_NSEC) {
2519 rec_hdr.hdr.ts_usec = phdr->ts.nsecs;
2521 rec_hdr.hdr.ts_usec = phdr->ts.nsecs / 1000;
2523 rec_hdr.hdr.incl_len = phdr->caplen + hdrsize;
2524 rec_hdr.hdr.orig_len = phdr->len + hdrsize;
2525 switch (wdh->file_type) {
2527 case WTAP_FILE_PCAP:
2528 case WTAP_FILE_PCAP_NSEC:
2529 hdr_size = sizeof (struct pcaprec_hdr);
2532 case WTAP_FILE_PCAP_SS990417: /* modified, but with the old magic, sigh */
2533 case WTAP_FILE_PCAP_SS991029:
2534 /* XXX - what should we supply here?
2536 Alexey's "libpcap" looks up the interface in the system's
2537 interface list if "ifindex" is non-zero, and prints
2538 the interface name. It ignores "protocol", and uses
2539 "pkt_type" to tag the packet as "host", "broadcast",
2540 "multicast", "other host", "outgoing", or "none of the
2541 above", but that's it.
2543 If the capture we're writing isn't a modified or
2544 RH 6.1 capture, we'd have to do some work to
2545 generate the packet type and interface index - and
2546 we can't generate the interface index unless we
2547 just did the capture ourselves in any case.
2549 I'm inclined to continue to punt; systems other than
2550 those with the older patch can read standard "libpcap"
2551 files, and systems with the older patch, e.g. RH 6.1,
2552 will just have to live with this. */
2553 rec_hdr.ifindex = 0;
2554 rec_hdr.protocol = 0;
2555 rec_hdr.pkt_type = 0;
2556 hdr_size = sizeof (struct pcaprec_modified_hdr);
2559 case WTAP_FILE_PCAP_SS990915: /* new magic, extra crap at the end */
2560 rec_hdr.ifindex = 0;
2561 rec_hdr.protocol = 0;
2562 rec_hdr.pkt_type = 0;
2565 hdr_size = sizeof (struct pcaprec_ss990915_hdr);
2568 case WTAP_FILE_PCAP_NOKIA: /* old magic, extra crap at the end */
2569 rec_hdr.ifindex = 0;
2570 rec_hdr.protocol = 0;
2571 rec_hdr.pkt_type = 0;
2574 hdr_size = sizeof (struct pcaprec_nokia_hdr);
2578 /* We should never get here - our open routine
2579 should only get called for the types above. */
2580 g_assert_not_reached();
2581 *err = WTAP_ERR_UNSUPPORTED_FILE_TYPE;
2585 nwritten = wtap_dump_file_write(wdh, &rec_hdr, hdr_size);
2586 if (nwritten != hdr_size) {
2587 if (nwritten == 0 && wtap_dump_file_ferror(wdh))
2588 *err = wtap_dump_file_ferror(wdh);
2590 *err = WTAP_ERR_SHORT_WRITE;
2593 wdh->bytes_dumped += hdr_size;
2595 switch (wdh->encap) {
2597 case WTAP_ENCAP_ATM_PDUS:
2599 * Write the ATM header.
2601 atm_hdr[SUNATM_FLAGS] =
2602 (pseudo_header->atm.channel == 0) ? 0x80 : 0x00;
2603 switch (pseudo_header->atm.aal) {
2605 case AAL_SIGNALLING:
2607 atm_hdr[SUNATM_FLAGS] |= 0x06;
2611 switch (pseudo_header->atm.type) {
2615 atm_hdr[SUNATM_FLAGS] |= 0x01;
2619 /* RFC 1483 LLC multiplexed traffic */
2620 atm_hdr[SUNATM_FLAGS] |= 0x02;
2625 atm_hdr[SUNATM_FLAGS] |= 0x05;
2630 atm_hdr[SUNATM_VPI] = (guint8)pseudo_header->atm.vpi;
2631 phtons(&atm_hdr[SUNATM_VCI], pseudo_header->atm.vci);
2632 nwritten = wtap_dump_file_write(wdh, atm_hdr, sizeof atm_hdr);
2633 if (nwritten != sizeof atm_hdr) {
2634 if (nwritten == 0 && wtap_dump_file_ferror(wdh))
2635 *err = wtap_dump_file_ferror(wdh);
2637 *err = WTAP_ERR_SHORT_WRITE;
2640 wdh->bytes_dumped += sizeof atm_hdr;
2643 case WTAP_ENCAP_IRDA:
2645 * Write the IrDA header.
2647 memset(irda_hdr, 0, sizeof(irda_hdr));
2648 phtons(&irda_hdr[IRDA_SLL_PKTTYPE_OFFSET],
2649 pseudo_header->irda.pkttype);
2650 phtons(&irda_hdr[IRDA_SLL_PROTOCOL_OFFSET], 0x0017);
2651 nwritten = wtap_dump_file_write(wdh, irda_hdr, sizeof(irda_hdr));
2652 if (nwritten != sizeof(irda_hdr)) {
2653 if (nwritten == 0 && wtap_dump_file_ferror(wdh))
2654 *err = wtap_dump_file_ferror(wdh);
2656 *err = WTAP_ERR_SHORT_WRITE;
2659 wdh->bytes_dumped += sizeof(irda_hdr);
2662 case WTAP_ENCAP_MTP2_WITH_PHDR:
2664 * Write the MTP2 header.
2666 memset(&mtp2_hdr, 0, sizeof(mtp2_hdr));
2667 mtp2_hdr[MTP2_SENT_OFFSET] = pseudo_header->mtp2.sent;
2668 mtp2_hdr[MTP2_ANNEX_A_USED_OFFSET] = pseudo_header->mtp2.annex_a_used;
2669 phtons(&mtp2_hdr[MTP2_LINK_NUMBER_OFFSET],
2670 pseudo_header->mtp2.link_number);
2671 nwritten = wtap_dump_file_write(wdh, mtp2_hdr, sizeof(mtp2_hdr));
2672 if (nwritten != sizeof(mtp2_hdr)) {
2673 if (nwritten == 0 && wtap_dump_file_ferror(wdh))
2674 *err = wtap_dump_file_ferror(wdh);
2676 *err = WTAP_ERR_SHORT_WRITE;
2679 wdh->bytes_dumped += sizeof(mtp2_hdr);
2682 case WTAP_ENCAP_LINUX_LAPD:
2684 * Write the LAPD header.
2686 memset(&lapd_hdr, 0, sizeof(lapd_hdr));
2687 phtons(&lapd_hdr[LAPD_SLL_PKTTYPE_OFFSET],
2688 pseudo_header->lapd.pkttype);
2689 phtons(&lapd_hdr[LAPD_SLL_PROTOCOL_OFFSET], ETH_P_LAPD);
2690 lapd_hdr[LAPD_SLL_ADDR_OFFSET + 0] =
2691 pseudo_header->lapd.we_network?0x01:0x00;
2692 nwritten = fwrite(&lapd_hdr, 1, sizeof(lapd_hdr), wdh->fh);
2693 if (nwritten != sizeof(lapd_hdr)) {
2694 if (nwritten == 0 && ferror(wdh->fh))
2697 *err = WTAP_ERR_SHORT_WRITE;
2700 wdh->bytes_dumped += sizeof(lapd_hdr);
2703 case WTAP_ENCAP_SITA:
2705 * Write the SITA header.
2707 memset(&sita_hdr, 0, sizeof(sita_hdr));
2708 sita_hdr[SITA_FLAGS_OFFSET] = pseudo_header->sita.flags;
2709 sita_hdr[SITA_SIGNALS_OFFSET] = pseudo_header->sita.signals;
2710 sita_hdr[SITA_ERRORS1_OFFSET] = pseudo_header->sita.errors1;
2711 sita_hdr[SITA_ERRORS2_OFFSET] = pseudo_header->sita.errors2;
2712 sita_hdr[SITA_PROTO_OFFSET] = pseudo_header->sita.proto;
2713 nwritten = fwrite(&sita_hdr, 1, sizeof(sita_hdr), wdh->fh);
2714 if (nwritten != sizeof(sita_hdr)) {
2715 if (nwritten == 0 && ferror(wdh->fh))
2718 *err = WTAP_ERR_SHORT_WRITE;
2721 wdh->bytes_dumped += sizeof(sita_hdr);
2724 case WTAP_ENCAP_USB_LINUX:
2726 * Write out the pseudo-header; it has the same format
2727 * as the Linux USB header, and that header is supposed
2728 * to be written in the host byte order of the machine
2731 nwritten = fwrite(&pseudo_header->linux_usb, 1,
2732 sizeof(pseudo_header->linux_usb), wdh->fh);
2733 if (nwritten != sizeof(pseudo_header->linux_usb)) {
2734 if (nwritten == 0 && ferror(wdh->fh))
2737 *err = WTAP_ERR_SHORT_WRITE;
2740 wdh->bytes_dumped += sizeof(lapd_hdr);
2743 case WTAP_ENCAP_ERF:
2745 * Write the ERF header.
2747 memset(&erf_hdr, 0, sizeof(erf_hdr));
2748 pletonll(&erf_hdr[0], pseudo_header->erf.phdr.ts);
2749 erf_hdr[8] = pseudo_header->erf.phdr.type;
2750 erf_hdr[9] = pseudo_header->erf.phdr.flags;
2751 phtons(&erf_hdr[10], pseudo_header->erf.phdr.rlen);
2752 phtons(&erf_hdr[12], pseudo_header->erf.phdr.lctr);
2753 phtons(&erf_hdr[14], pseudo_header->erf.phdr.wlen);
2754 size = sizeof(struct erf_phdr);
2756 switch(pseudo_header->erf.phdr.type) {
2757 case ERF_TYPE_MC_HDLC:
2758 case ERF_TYPE_MC_RAW:
2759 case ERF_TYPE_MC_ATM:
2760 case ERF_TYPE_MC_RAW_CHANNEL:
2761 case ERF_TYPE_MC_AAL5:
2762 case ERF_TYPE_MC_AAL2:
2763 case ERF_TYPE_COLOR_MC_HDLC_POS:
2764 phtonl(&erf_hdr[16], pseudo_header->erf.subhdr.mc_hdr);
2765 size += sizeof(struct erf_mc_hdr);
2768 case ERF_TYPE_COLOR_ETH:
2769 case ERF_TYPE_DSM_COLOR_ETH:
2770 phtons(&erf_hdr[16], pseudo_header->erf.subhdr.eth_hdr);
2771 size += sizeof(struct erf_eth_hdr);
2776 nwritten = wtap_dump_file_write(wdh, erf_hdr, size);
2777 if (nwritten != (guint) size) {
2778 if (nwritten == 0 && wtap_dump_file_ferror(wdh))
2779 *err = wtap_dump_file_ferror(wdh);
2781 *err = WTAP_ERR_SHORT_WRITE;
2784 wdh->bytes_dumped += size;
2788 nwritten = wtap_dump_file_write(wdh, pd, phdr->caplen);
2789 if (nwritten != phdr->caplen) {
2790 if (nwritten == 0 && wtap_dump_file_ferror(wdh))
2791 *err = wtap_dump_file_ferror(wdh);
2793 *err = WTAP_ERR_SHORT_WRITE;
2796 wdh->bytes_dumped += phdr->caplen;