3 * $Id: libpcap.c,v 1.99 2003/10/24 10:52:04 sahlberg Exp $
6 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
30 #include "file_wrappers.h"
36 # ifdef HAVE_SYS_TYPES_H
37 # include <sys/types.h>
40 #include "wtap-capture.h"
44 * The link-layer header on ATM packets.
47 guint8 flags; /* destination and traffic type */
49 guint16 vci; /* VCI */
52 /* See source to the "libpcap" library for information on the "libpcap"
55 /* On some systems, the FDDI MAC addresses are bit-swapped. */
56 #if !defined(ultrix) && !defined(__alpha) && !defined(__bsdi__)
57 #define BIT_SWAPPED_MAC_ADDRS
60 /* Try to read the first two records of the capture file. */
62 THIS_FORMAT, /* the reads succeeded, assume it's this format */
63 BAD_READ, /* the file is probably not valid */
64 OTHER_FORMAT /* the file may be valid, but not in this format */
66 static libpcap_try_t libpcap_try(wtap *wth, int *err);
68 static gboolean libpcap_read(wtap *wth, int *err, long *data_offset);
69 static gboolean libpcap_seek_read(wtap *wth, long seek_off,
70 union wtap_pseudo_header *pseudo_header, guchar *pd, int length, int *err);
71 static int libpcap_read_header(wtap *wth, int *err,
72 struct pcaprec_ss990915_hdr *hdr, gboolean silent);
73 static void adjust_header(wtap *wth, struct pcaprec_hdr *hdr);
74 static void libpcap_get_atm_pseudoheader(const struct sunatm_hdr *atm_phdr,
75 union wtap_pseudo_header *pseudo_header);
76 static gboolean libpcap_read_atm_pseudoheader(FILE_T fh,
77 union wtap_pseudo_header *pseudo_header, int *err);
78 static gboolean libpcap_read_rec_data(FILE_T fh, guchar *pd, int length,
80 static void libpcap_close(wtap *wth);
81 static gboolean libpcap_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
82 const union wtap_pseudo_header *pseudo_header, const guchar *pd, int *err);
85 * Either LBL NRG wasn't an adequate central registry (e.g., because of
86 * the slow rate of releases from them), or nobody bothered using them
87 * as a central registry, as many different groups have patched libpcap
88 * (and BPF, on the BSDs) to add new encapsulation types, and have ended
89 * up using the same DLT_ values for different encapsulation types.
91 * For those numerical encapsulation type values that everybody uses for
92 * the same encapsulation type (which inclues those that some platforms
93 * specify different DLT_ names for but don't appear to use), we map
94 * those values to the appropriate Wiretap values.
96 * For those numerical encapsulation type values that different libpcap
97 * variants use for different encapsulation types, we check what
98 * <pcap.h> defined to determine how to interpret them, so that we
99 * interpret them the way the libpcap with which we're building
100 * Ethereal/Wiretap interprets them (which, if it doesn't support
101 * them at all, means we don't support them either - any capture files
102 * using them are foreign, and we don't hazard a guess as to which
103 * platform they came from; we could, I guess, choose the most likely
106 * Note: if you need a new encapsulation type for libpcap files, do
107 * *N*O*T* use *ANY* of the values listed here! I.e., do *NOT*
108 * add a new encapsulation type by changing an existing entry;
109 * leave the existing entries alone.
111 * Instead, send mail to tcpdump-workers@tcpdump.org, asking for a new
112 * DLT_ value, and specifying the purpose of the new value. When you
113 * get the new DLT_ value, use that numerical value in the "dlt_value"
114 * field of "pcap_to_wtap_map[]".
117 static const struct {
119 int wtap_encap_value;
120 } pcap_to_wtap_map[] = {
122 * These are the values that are almost certainly the same
123 * in all libpcaps (I've yet to find one where the values
124 * in question are used for some purpose other than the
125 * one below, but...), and that Wiretap and Ethereal
128 { 0, WTAP_ENCAP_NULL }, /* null encapsulation */
129 { 1, WTAP_ENCAP_ETHERNET },
130 { 6, WTAP_ENCAP_TOKEN_RING }, /* IEEE 802 Networks - assume token ring */
131 { 7, WTAP_ENCAP_ARCNET },
132 { 8, WTAP_ENCAP_SLIP },
133 { 9, WTAP_ENCAP_PPP },
134 #ifdef BIT_SWAPPED_MAC_ADDRS
135 { 10, WTAP_ENCAP_FDDI_BITSWAPPED },
137 { 10, WTAP_ENCAP_FDDI },
141 * 50 is DLT_PPP_SERIAL in NetBSD; it appears that DLT_PPP
142 * on BSD (at least according to standard tcpdump) has, as
143 * the first octet, an indication of whether the packet was
144 * transmitted or received (rather than having the standard
145 * PPP address value of 0xff), but that DLT_PPP_SERIAL puts
146 * a real live PPP header there, or perhaps a Cisco PPP header
147 * as per section 4.3.1 of RFC 1547 (implementations of this
148 * exist in various BSDs in "sys/net/if_spppsubr.c", and
149 * I think also exist either in standard Linux or in
150 * various Linux patches; the implementations show how to handle
151 * Cisco keepalive packets).
153 * However, I don't see any obvious place in FreeBSD "if_ppp.c"
154 * where anything other than the standard PPP header would be
155 * passed up. I see some stuff that sets the first octet
156 * to 0 for incoming and 1 for outgoing packets before applying
157 * a BPF filter to see whether to drop packets whose protocol
158 * field has the 0x8000 bit set, i.e. network control protocols -
159 * those are handed up to userland - but that code puts the
160 * address field back before passing the packet up.
162 * I also don't see anything immediately obvious that munges
163 * the address field for sync PPP, either.
165 * Ethereal currently assumes that if the first octet of a
166 * PPP frame is 0xFF, it's the address field and is followed
167 * by a control field and a 2-byte protocol, otherwise the
168 * address and control fields are absent and the frame begins
169 * with a protocol field. If we ever see a BSD/OS PPP
170 * capture, we'll have to handle it differently, and we may
171 * have to handle standard BSD captures differently if, in fact,
172 * they don't have 0xff 0x03 as the first two bytes - but, as per
173 * the two paragraphs preceding this, it's not clear that
174 * the address field *is* munged into an incoming/outgoing
175 * field when the packet is handed to the BPF device.
177 * For now, we just map DLT_PPP_SERIAL to WTAP_ENCAP_PPP, as
178 * we treat WTAP_ENCAP_PPP packets as if those beginning with
179 * 0xff have the standard RFC 1662 "PPP in HDLC-like Framing"
180 * 0xff 0x03 address/control header, and DLT_PPP_SERIAL frames
181 * appear to contain that unless they're Cisco frames (if we
182 * ever see a capture with them, we'd need to implement the
183 * RFC 1547 stuff, and the keepalive protocol stuff).
185 * We may have to distinguish between "PPP where if it doesn't
186 * begin with 0xff there's no HDLC encapsulation and the frame
187 * begins with the protocol field" (which is how we handle
188 * WTAP_ENCAP_PPP now) and "PPP where there's either HDLC
189 * encapsulation or Cisco PPP" (which is what DLT_PPP_SERIAL
192 * XXX - NetBSD has DLT_HDLC, which appears to be used for
193 * Cisco HDLC. Ideally, they should use DLT_PPP_SERIAL
194 * only for real live HDLC-encapsulated PPP, not for Cisco
197 { 50, WTAP_ENCAP_PPP },
200 * These are the values that libpcap 0.5 and later use in
201 * capture file headers, in an attempt to work around the
202 * confusion decried above, and that Wiretap and Ethereal
205 { 100, WTAP_ENCAP_ATM_RFC1483 },
206 { 101, WTAP_ENCAP_RAW_IP },
209 * More values used by libpcap 0.5 as DLT_ values and used by the
210 * current CVS version of libpcap in capture file headers.
211 * They are not yet handled in Ethereal.
212 * If we get a capture that contains them, we'll implement them.
214 { 102, WTAP_ENCAP_SLIP_BSDOS },
215 { 103, WTAP_ENCAP_PPP_BSDOS },
219 * These ones are handled in Ethereal, though.
221 { 104, WTAP_ENCAP_CHDLC }, /* Cisco HDLC */
222 { 105, WTAP_ENCAP_IEEE_802_11 }, /* IEEE 802.11 */
223 { 106, WTAP_ENCAP_LINUX_ATM_CLIP },
224 { 107, WTAP_ENCAP_FRELAY }, /* Frame Relay */
225 { 108, WTAP_ENCAP_NULL }, /* OpenBSD loopback */
226 { 109, WTAP_ENCAP_ENC }, /* OpenBSD IPSEC enc */
228 { 110, WTAP_ENCAP_LANE_802_3 },/* ATM LANE 802.3 */
229 { 111, WTAP_ENCAP_HIPPI }, /* NetBSD HIPPI */
231 { 112, WTAP_ENCAP_CHDLC }, /* NetBSD HDLC framing */
234 * Linux "cooked mode" captures, used by the current CVS version
237 { 113, WTAP_ENCAP_SLL }, /* Linux cooked capture */
239 { 114, WTAP_ENCAP_LOCALTALK }, /* Localtalk */
242 * The tcpdump.org version of libpcap uses 117, rather than 17,
243 * for OpenBSD packet filter logging, so as to avoid conflicting
244 * with DLT_LANE8023 in SuSE 6.3 libpcap.
246 { 117, WTAP_ENCAP_PFLOG },
248 { 118, WTAP_ENCAP_CISCO_IOS },
249 { 119, WTAP_ENCAP_PRISM_HEADER }, /* Prism monitor mode hdr */
250 { 121, WTAP_ENCAP_HHDLC }, /* HiPath HDLC */
251 { 122, WTAP_ENCAP_IP_OVER_FC }, /* RFC 2625 IP-over-FC */
252 { 123, WTAP_ENCAP_ATM_PDUS }, /* SunATM */
253 { 127, WTAP_ENCAP_WLAN_HEADER }, /* 802.11 plus WLAN header */
254 { 128, WTAP_ENCAP_TZSP }, /* Tazmen Sniffer Protocol */
255 { 129, WTAP_ENCAP_ARCNET_LINUX },
258 * Values 130 thorugh 137 are reserved for use in Juniper
261 * 138 is reserved for Apple IP-over-IEEE 1394.
267 * If you need a new encapsulation type for libpcap files, do
268 * *N*O*T* use *ANY* of the values listed here! I.e., do *NOT*
269 * add a new encapsulation type by changing an existing entry;
270 * leave the existing entries alone.
272 * Instead, send mail to tcpdump-workers@tcpdump.org, asking for
273 * a new DLT_ value, and specifying the purpose of the new value.
274 * When you get the new DLT_ value, use that numerical value in
275 * the "dlt_value" field of "pcap_to_wtap_map[]".
279 * The following are entries for libpcap type values that have
280 * different meanings on different OSes.
282 * We put these *after* the entries for the platform-independent
283 * libpcap type values for those Wiretap encapsulation types, so
284 * that Ethereal chooses the platform-independent libpcap type
285 * value for those encapsulatioin types, not the platform-dependent
290 * 11 is DLT_ATM_RFC1483 on most platforms; the only libpcaps I've
291 * seen that define anything other than DLT_ATM_RFC1483 as 11 are
292 * the BSD/OS one, which defines DLT_FR as 11, and libpcap 0.5,
293 * which define it as 100, mapping the kernel's value to 100, in
294 * an attempt to hide the different values used on different
297 * If this is a platform where DLT_FR is defined as 11, we
298 * don't handle 11 at all; otherwise, we handle it as
299 * DLT_ATM_RFC1483 (this means we'd misinterpret Frame Relay
300 * captures from BSD/OS if running on platforms other than BSD/OS,
303 * 1) we don't yet support DLT_FR
307 * 2) nothing short of a heuristic would let us interpret
310 #if defined(DLT_FR) && (DLT_FR == 11)
311 { 11, WTAP_ENCAP_FRELAY },
313 { 11, WTAP_ENCAP_ATM_RFC1483 },
317 * 12 is DLT_RAW on most platforms, but it's DLT_C_HDLC on
318 * BSD/OS, and DLT_LOOP on OpenBSD.
320 * We don't yet handle DLT_C_HDLC, but we can handle DLT_LOOP
321 * (it's just like DLT_NULL, only with the AF_ value in network
322 * rather than host byte order - Ethereal figures out the
323 * byte order from the data, so we don't care what byte order
324 * it's in), so if DLT_LOOP is defined as 12, interpret 12
325 * as WTAP_ENCAP_NULL, otherwise, unless DLT_C_HDLC is defined
326 * as 12, interpret it as WTAP_ENCAP_RAW_IP.
328 #if defined(DLT_LOOP) && (DLT_LOOP == 12)
329 { 12, WTAP_ENCAP_NULL },
330 #elif defined(DLT_C_HDLC) && (DLT_C_HDLC == 12)
332 * Put entry for Cisco HDLC here.
333 * XXX - is this just WTAP_ENCAP_CHDLC, i.e. does the frame
334 * start with a 4-byte Cisco HDLC header?
337 { 12, WTAP_ENCAP_RAW_IP },
341 * 13 is DLT_SLIP_BSDOS on FreeBSD and NetBSD, but those OSes
342 * don't actually generate it. I infer that BSD/OS translates
343 * DLT_SLIP from the kernel BPF code to DLT_SLIP_BSDOS in
344 * libpcap, as the BSD/OS link-layer header is different;
345 * however, in BSD/OS, DLT_SLIP_BSDOS is 15.
347 * From this, I infer that there's no point in handling 13
350 * 13 is DLT_ATM_RFC1483 on BSD/OS.
352 * 13 is DLT_ENC in OpenBSD, which is, I suspect, some kind
353 * of decrypted IPSEC traffic.
355 #if defined(DLT_ATM_RFC1483) && (DLT_ATM_RFC1483 == 13)
356 { 13, WTAP_ENCAP_ATM_RFC1483 },
357 #elif defined(DLT_ENC) && (DLT_ENC == 13)
358 { 13, WTAP_ENCAP_ENC },
362 * 14 is DLT_PPP_BSDOS on FreeBSD and NetBSD, but those OSes
363 * don't actually generate it. I infer that BSD/OS translates
364 * DLT_PPP from the kernel BPF code to DLT_PPP_BSDOS in
365 * libpcap, as the BSD/OS link-layer header is different;
366 * however, in BSD/OS, DLT_PPP_BSDOS is 16.
368 * From this, I infer that there's no point in handling 14
371 * 14 is DLT_RAW on BSD/OS and OpenBSD.
373 { 14, WTAP_ENCAP_RAW_IP },
378 * DLT_SLIP_BSDOS on BSD/OS;
380 * DLT_HIPPI on NetBSD;
382 * DLT_LANE8023 with Alexey Kuznetzov's patches for
385 * DLT_I4L_RAWIP with the ISDN4Linux patches for libpcap
388 * but we don't currently handle any of those.
394 * DLT_PPP_BSDOS on BSD/OS;
396 * DLT_HDLC on NetBSD (Cisco HDLC);
398 * DLT_CIP with Alexey Kuznetzov's patches for
399 * Linux libpcap - this is WTAP_ENCAP_LINUX_ATM_CLIP;
401 * DLT_I4L_IP with the ISDN4Linux patches for libpcap
404 #if defined(DLT_CIP) && (DLT_CIP == 16)
405 { 16, WTAP_ENCAP_LINUX_ATM_CLIP },
407 #if defined(DLT_HDLC) && (DLT_HDLC == 16)
408 { 16, WTAP_ENCAP_CHDLC },
412 * 17 is DLT_LANE8023 in SuSE 6.3 libpcap; we don't currently
414 * It is also used as the PF (Packet Filter) logging format beginning
415 * with OpenBSD 3.0; we use 17 for PF logs unless DLT_LANE8023 is
416 * defined with the value 17.
418 #if !defined(DLT_LANE8023) || (DLT_LANE8023 != 17)
419 { 17, WTAP_ENCAP_OLD_PFLOG },
423 * 18 is DLT_CIP in SuSE 6.3 libpcap; if it's the same as the
424 * DLT_CIP of 16 that the Alexey Kuznetzov patches for
425 * libpcap/tcpdump define, it's WTAP_ENCAP_LINUX_ATM_CLIP.
426 * I've not found any libpcap that uses it for any other purpose -
427 * hopefully nobody will do so in the future.
429 { 18, WTAP_ENCAP_LINUX_ATM_CLIP },
432 * 19 is DLT_ATM_CLIP in the libpcap/tcpdump patches in the
433 * recent versions I've seen of the Linux ATM distribution;
434 * I've not yet found any libpcap that uses it for any other
435 * purpose - hopefully nobody will do so in the future.
437 { 19, WTAP_ENCAP_LINUX_ATM_CLIP },
442 * If you need a new encapsulation type for libpcap files, do
443 * *N*O*T* use *ANY* of the values listed here! I.e., do *NOT*
444 * add a new encapsulation type by changing an existing entry;
445 * leave the existing entries alone.
447 * Instead, send mail to tcpdump-workers@tcpdump.org, asking for
448 * a new DLT_ value, and specifying the purpose of the new value.
449 * When you get the new DLT_ value, use that numerical value in
450 * the "dlt_value" field of "pcap_to_wtap_map[]".
454 #define NUM_PCAP_ENCAPS (sizeof pcap_to_wtap_map / sizeof pcap_to_wtap_map[0])
456 int wtap_pcap_encap_to_wtap_encap(int encap)
460 for (i = 0; i < NUM_PCAP_ENCAPS; i++) {
461 if (pcap_to_wtap_map[i].dlt_value == encap)
462 return pcap_to_wtap_map[i].wtap_encap_value;
464 return WTAP_ENCAP_UNKNOWN;
468 int libpcap_open(wtap *wth, int *err)
473 gboolean byte_swapped;
478 /* Read in the number that should be at the start of a "libpcap" file */
479 errno = WTAP_ERR_CANT_READ;
480 bytes_read = file_read(&magic, 1, sizeof magic, wth->fh);
481 if (bytes_read != sizeof magic) {
482 *err = file_error(wth->fh);
487 wth->data_offset += sizeof magic;
492 /* Host that wrote it has our byte order, and was running
493 a program using either standard or ss990417 libpcap. */
494 byte_swapped = FALSE;
498 case PCAP_MODIFIED_MAGIC:
499 /* Host that wrote it has our byte order, and was running
500 a program using either ss990915 or ss991029 libpcap. */
501 byte_swapped = FALSE;
505 case PCAP_SWAPPED_MAGIC:
506 /* Host that wrote it has a byte order opposite to ours,
507 and was running a program using either standard or
513 case PCAP_SWAPPED_MODIFIED_MAGIC:
514 /* Host that wrote it out has a byte order opposite to
515 ours, and was running a program using either ss990915
516 or ss991029 libpcap. */
522 /* Not a "libpcap" type we know about. */
526 /* Read the rest of the header. */
527 errno = WTAP_ERR_CANT_READ;
528 bytes_read = file_read(&hdr, 1, sizeof hdr, wth->fh);
529 if (bytes_read != sizeof hdr) {
530 *err = file_error(wth->fh);
535 wth->data_offset += sizeof hdr;
538 /* Byte-swap the header fields about which we care. */
539 hdr.version_major = BSWAP16(hdr.version_major);
540 hdr.version_minor = BSWAP16(hdr.version_minor);
541 hdr.snaplen = BSWAP32(hdr.snaplen);
542 hdr.network = BSWAP32(hdr.network);
544 if (hdr.version_major < 2) {
545 /* We only support version 2.0 and later. */
546 g_message("pcap: major version %u unsupported",
548 *err = WTAP_ERR_UNSUPPORTED;
553 * AIX's non-standard tcpdump uses a minor version number of 2.
554 * Unfortunately, older versions of libpcap might have used
557 * The AIX libpcap uses RFC 1573 ifType values rather than
558 * DLT_ values in the header; the ifType values for LAN devices
565 * which correspond to DLT_IEEE802 (used for Token Ring),
566 * DLT_PPP, and DLT_SLIP_BSDOS, respectively. The ifType value
567 * for a loopback interface is 24, which currently isn't
568 * used by any version of libpcap I know about (and, as
569 * tcpdump.org are assigning DLT_ values above 100, and
570 * NetBSD started assigning values starting at 50, and
571 * the values chosen by other libpcaps appear to stop at
572 * 19, it's probably not going to be used by any libpcap
575 * We shall assume that if the minor version number is 2, and
576 * the network type is 6, 9, 15, or 24, that it's AIX libpcap.
578 * I'm assuming those older versions of libpcap didn't
579 * use DLT_IEEE802 for Token Ring, and didn't use DLT_SLIP_BSDOS
580 * as that came later. It may have used DLT_PPP, however, in
581 * which case we're out of luck; we assume it's Token Ring
582 * in AIX libpcap rather than PPP in standard libpcap, as
583 * you're probably more likely to be handing an AIX libpcap
584 * token-ring capture than an old (pre-libpcap 0.4) PPP capture
587 aix = FALSE; /* assume it's not AIX */
588 if (hdr.version_major == 2 && hdr.version_minor == 2) {
589 switch (hdr.network) {
592 hdr.network = 1; /* DLT_EN10MB, Ethernet */
597 hdr.network = 6; /* DLT_IEEE802, Token Ring */
602 hdr.network = 10; /* DLT_FDDI, FDDI */
607 hdr.network = 0; /* DLT_NULL, loopback */
612 file_encap = wtap_pcap_encap_to_wtap_encap(hdr.network);
613 if (file_encap == WTAP_ENCAP_UNKNOWN) {
614 g_message("pcap: network type %u unknown or unsupported",
616 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
620 /* This is a libpcap file */
621 wth->capture.pcap = g_malloc(sizeof(libpcap_t));
622 wth->capture.pcap->byte_swapped = byte_swapped;
623 wth->capture.pcap->version_major = hdr.version_major;
624 wth->capture.pcap->version_minor = hdr.version_minor;
625 wth->subtype_read = libpcap_read;
626 wth->subtype_seek_read = libpcap_seek_read;
627 wth->subtype_close = libpcap_close;
628 wth->file_encap = file_encap;
629 wth->snapshot_length = hdr.snaplen;
632 * Is this AIX format?
636 * Yes. Skip all the tests for other mutant formats.
638 wth->file_type = WTAP_FILE_PCAP_AIX;
643 * No. Let's look at the header for the first record,
644 * and see if, interpreting it as a standard header (if the
645 * magic number was standard) or a modified header (if the
646 * magic number was modified), the position where it says the
647 * header for the *second* record is contains a corrupted header.
651 * If this file had the standard magic number, it may be
652 * an ss990417 capture file - in that version of Alexey's
653 * patch, the packet header format was changed but the
654 * magic number wasn't, and, alas, Red Hat appear to have
655 * picked up that version of the patch for RH 6.1, meaning
656 * RH 6.1 has a tcpdump that writes out files that can't
657 * be read by any software that expects non-modified headers
658 * if the magic number isn't the modified magic number (e.g.,
659 * any normal version of tcpdump, and Ethereal if we don't
660 * do this gross heuristic).
662 * If this file had the modified magic number, it may be
663 * an ss990915 capture file - in that version of Alexey's
664 * patch, the magic number was changed, but the record
665 * header had some extra fields, and, alas, SuSE appear
666 * to have picked up that version of the patch for SuSE
667 * 6.3, meaning that programs expecting the standard per-
668 * packet header in captures with the modified magic number
669 * can't read dumps from its tcpdump.
671 * Oh, and if it has the standard magic number, it might, instead,
672 * be a Nokia libpcap file, so we may need to try that if
673 * neither normal nor ss990417 headers work.
677 * Well, we have the magic number from Alexey's
680 * Try ss991029, the last of his patches, first.
682 wth->file_type = WTAP_FILE_PCAP_SS991029;
683 switch (libpcap_try(wth, err)) {
687 * Well, we couldn't even read it.
690 g_free(wth->capture.pcap);
695 * Well, it looks as if it might be 991029.
696 * Put the seek pointer back, and return success.
698 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
699 g_free(wth->capture.pcap);
706 * Try the next format.
712 * Well, it's not completely unreadable,
713 * but it's not ss991029. Try ss990915;
714 * there are no other types to try after that,
715 * so we put the seek pointer back and treat
718 wth->file_type = WTAP_FILE_PCAP_SS990915;
719 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
720 g_free(wth->capture.pcap);
725 * Well, we have the standard magic number.
727 * Try the standard format first.
729 wth->file_type = WTAP_FILE_PCAP;
730 switch (libpcap_try(wth, err)) {
734 * Well, we couldn't even read it.
737 g_free(wth->capture.pcap);
742 * Well, it looks as if it might be a standard
744 * Put the seek pointer back, and return success.
746 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
747 g_free(wth->capture.pcap);
754 * Try the next format.
760 * Well, it's not completely unreadable, but it's not
761 * a standard file. Put the seek pointer back and try
764 wth->file_type = WTAP_FILE_PCAP_SS990417;
765 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
766 g_free(wth->capture.pcap);
769 switch (libpcap_try(wth, err)) {
773 * Well, we couldn't even read it.
776 g_free(wth->capture.pcap);
781 * Well, it looks as if it might be ss990417.
782 * Put the seek pointer back, and return success.
784 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
785 g_free(wth->capture.pcap);
792 * Try the next format.
798 * Well, it's not completely unreadable,
799 * but it's not a standard file *nor* is it ss990417.
800 * Try it as a Nokia file; there are no other types
801 * to try after that, so we put the seek pointer back
802 * and treat it as a Nokia file.
804 wth->file_type = WTAP_FILE_PCAP_NOKIA;
805 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
806 g_free(wth->capture.pcap);
814 /* Try to read the first two records of the capture file. */
815 static libpcap_try_t libpcap_try(wtap *wth, int *err)
818 * pcaprec_ss990915_hdr is the largest header type.
820 struct pcaprec_ss990915_hdr first_rec_hdr, second_rec_hdr;
823 * Attempt to read the first record's header.
825 if (libpcap_read_header(wth, err, &first_rec_hdr, TRUE) == -1) {
826 if (*err == 0 || *err == WTAP_ERR_SHORT_READ) {
828 * EOF or short read - assume the file is in this
830 * When our client tries to read the first packet
831 * they will presumably get the same EOF or short
837 if (*err == WTAP_ERR_BAD_RECORD) {
839 * The first record is bogus, so this is probably
840 * a corrupt file. Assume the file is in this
841 * format. When our client tries to read the
842 * first packet they will presumably get the
849 * Some other error, e.g. an I/O error; just give up.
855 * Now skip over the first record's data, under the assumption
856 * that the header is sane.
858 if (file_seek(wth->fh, first_rec_hdr.hdr.incl_len, SEEK_CUR, err) == -1)
862 * Now attempt to read the second record's header.
864 if (libpcap_read_header(wth, err, &second_rec_hdr, TRUE) == -1) {
865 if (*err == 0 || *err == WTAP_ERR_SHORT_READ) {
867 * EOF or short read - assume the file is in this
869 * When our client tries to read the second packet
870 * they will presumably get the same EOF or short
876 if (*err == WTAP_ERR_BAD_RECORD) {
878 * The second record is bogus; maybe it's a
879 * Capture File From Hell, and what looks like
880 * the "header" of the next packet is actually
881 * random junk from the middle of a packet.
882 * Try the next format; if we run out of formats,
883 * it probably *is* a corrupt file.
889 * Some other error, e.g. an I/O error; just give up.
895 * OK, the first two records look OK; assume this is the
901 /* Read the next packet */
902 static gboolean libpcap_read(wtap *wth, int *err, long *data_offset)
904 struct pcaprec_ss990915_hdr hdr;
908 char fddi_padding[3];
910 bytes_read = libpcap_read_header(wth, err, &hdr, FALSE);
911 if (bytes_read == -1) {
913 * We failed to read the header.
918 wth->data_offset += bytes_read;
919 packet_size = hdr.hdr.incl_len;
920 orig_size = hdr.hdr.orig_len;
923 * AIX appears to put 3 bytes of padding in front of FDDI
924 * frames; strip that crap off.
926 if (wth->file_type == WTAP_FILE_PCAP_AIX &&
927 (wth->file_encap == WTAP_ENCAP_FDDI ||
928 wth->file_encap == WTAP_ENCAP_FDDI_BITSWAPPED)) {
930 * The packet size is really a record size and includes
935 wth->data_offset += 3;
940 if (!libpcap_read_rec_data(wth->fh, fddi_padding, 3, err))
941 return FALSE; /* Read error */
944 *data_offset = wth->data_offset;
947 * If this is an ATM packet, the first four bytes are the
948 * direction of the packet (transmit/receive), the VPI, and
949 * the VCI; read them and generate the pseudo-header from
952 switch (wth->file_encap) {
954 case WTAP_ENCAP_ATM_PDUS:
955 if (packet_size < sizeof (struct sunatm_hdr)) {
957 * Uh-oh, the packet isn't big enough to even
958 * have a pseudo-header.
960 g_message("libpcap: SunATM file has a %u-byte packet, too small to have even an ATM pseudo-header\n",
962 *err = WTAP_ERR_BAD_RECORD;
965 if (!libpcap_read_atm_pseudoheader(wth->fh, &wth->pseudo_header,
967 return FALSE; /* Read error */
970 * Don't count the pseudo-header as part of the packet.
972 orig_size -= sizeof (struct sunatm_hdr);
973 packet_size -= sizeof (struct sunatm_hdr);
974 wth->data_offset += sizeof (struct sunatm_hdr);
977 case WTAP_ENCAP_ETHERNET:
979 * We don't know whether there's an FCS in this frame or not.
981 wth->pseudo_header.eth.fcs_len = -1;
985 buffer_assure_space(wth->frame_buffer, packet_size);
986 if (!libpcap_read_rec_data(wth->fh, buffer_start_ptr(wth->frame_buffer),
988 return FALSE; /* Read error */
989 wth->data_offset += packet_size;
991 wth->phdr.ts.tv_sec = hdr.hdr.ts_sec;
992 wth->phdr.ts.tv_usec = hdr.hdr.ts_usec;
993 wth->phdr.caplen = packet_size;
994 wth->phdr.len = orig_size;
995 wth->phdr.pkt_encap = wth->file_encap;
998 * If this is ATM LANE traffic, try to guess what type of LANE
999 * traffic it is based on the packet contents.
1001 if (wth->file_encap == WTAP_ENCAP_ATM_PDUS &&
1002 wth->pseudo_header.atm.type == TRAF_LANE) {
1003 atm_guess_lane_type(buffer_start_ptr(wth->frame_buffer),
1004 wth->phdr.caplen, &wth->pseudo_header);
1011 libpcap_seek_read(wtap *wth, long seek_off,
1012 union wtap_pseudo_header *pseudo_header, guchar *pd, int length, int *err)
1014 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
1017 switch (wth->file_encap) {
1019 case WTAP_ENCAP_ATM_PDUS:
1020 if (!libpcap_read_atm_pseudoheader(wth->random_fh, pseudo_header,
1027 case WTAP_ENCAP_ETHERNET:
1029 * We don't know whether there's an FCS in this frame or not.
1031 pseudo_header->eth.fcs_len = -1;
1036 * Read the packet data.
1038 if (!libpcap_read_rec_data(wth->random_fh, pd, length, err))
1039 return FALSE; /* failed */
1042 * If this is ATM LANE traffic, try to guess what type of LANE
1043 * traffic it is based on the packet contents.
1045 if (wth->file_encap == WTAP_ENCAP_ATM_PDUS &&
1046 pseudo_header->atm.type == TRAF_LANE)
1047 atm_guess_lane_type(pd, length, pseudo_header);
1051 /* Read the header of the next packet; if "silent" is TRUE, don't complain
1052 to the console, as we're testing to see if the file appears to be of a
1055 Return -1 on an error, or the number of bytes of header read on success. */
1056 static int libpcap_read_header(wtap *wth, int *err,
1057 struct pcaprec_ss990915_hdr *hdr, gboolean silent)
1059 int bytes_to_read, bytes_read;
1061 /* Read record header. */
1062 errno = WTAP_ERR_CANT_READ;
1063 switch (wth->file_type) {
1065 case WTAP_FILE_PCAP:
1066 case WTAP_FILE_PCAP_AIX:
1067 bytes_to_read = sizeof (struct pcaprec_hdr);
1070 case WTAP_FILE_PCAP_SS990417:
1071 case WTAP_FILE_PCAP_SS991029:
1072 bytes_to_read = sizeof (struct pcaprec_modified_hdr);
1075 case WTAP_FILE_PCAP_SS990915:
1076 bytes_to_read = sizeof (struct pcaprec_ss990915_hdr);
1079 case WTAP_FILE_PCAP_NOKIA:
1080 bytes_to_read = sizeof (struct pcaprec_nokia_hdr);
1084 g_assert_not_reached();
1087 bytes_read = file_read(hdr, 1, bytes_to_read, wth->fh);
1088 if (bytes_read != bytes_to_read) {
1089 *err = file_error(wth->fh);
1090 if (*err == 0 && bytes_read != 0) {
1091 *err = WTAP_ERR_SHORT_READ;
1096 adjust_header(wth, &hdr->hdr);
1098 if (hdr->hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
1100 * Probably a corrupt capture file; return an error,
1101 * so that our caller doesn't blow up trying to allocate
1102 * space for an immensely-large packet, and so that
1103 * the code to try to guess what type of libpcap file
1104 * this is can tell when it's not the type we're guessing
1108 g_message("pcap: File has %u-byte packet, bigger than maximum of %u",
1109 hdr->hdr.incl_len, WTAP_MAX_PACKET_SIZE);
1111 *err = WTAP_ERR_BAD_RECORD;
1115 if (hdr->hdr.orig_len > WTAP_MAX_PACKET_SIZE) {
1117 * Probably a corrupt capture file; return an error,
1118 * so that our caller doesn't blow up trying to
1119 * cope with a huge "real" packet length, and so that
1120 * the code to try to guess what type of libpcap file
1121 * this is can tell when it's not the type we're guessing
1125 g_message("pcap: File has %u-byte packet, bigger than maximum of %u",
1126 hdr->hdr.orig_len, WTAP_MAX_PACKET_SIZE);
1128 *err = WTAP_ERR_BAD_RECORD;
1136 adjust_header(wtap *wth, struct pcaprec_hdr *hdr)
1138 if (wth->capture.pcap->byte_swapped) {
1139 /* Byte-swap the record header fields. */
1140 hdr->ts_sec = BSWAP32(hdr->ts_sec);
1141 hdr->ts_usec = BSWAP32(hdr->ts_usec);
1142 hdr->incl_len = BSWAP32(hdr->incl_len);
1143 hdr->orig_len = BSWAP32(hdr->orig_len);
1146 /* If this is AIX, convert the time stamp from seconds/nanoseconds
1147 to seconds/microseconds. */
1148 if (wth->file_type == WTAP_FILE_PCAP_AIX)
1149 hdr->ts_usec = hdr->ts_usec/1000;
1151 /* In file format version 2.3, the "incl_len" and "orig_len" fields
1152 were swapped, in order to match the BPF header layout.
1154 Unfortunately, some files were, according to a comment in the
1155 "libpcap" source, written with version 2.3 in their headers
1156 but without the interchanged fields, so if "incl_len" is
1157 greater than "orig_len" - which would make no sense - we
1158 assume that we need to swap them. */
1159 if (wth->capture.pcap->version_major == 2 &&
1160 (wth->capture.pcap->version_minor < 3 ||
1161 (wth->capture.pcap->version_minor == 3 &&
1162 hdr->incl_len > hdr->orig_len))) {
1165 temp = hdr->orig_len;
1166 hdr->orig_len = hdr->incl_len;
1167 hdr->incl_len = temp;
1169 /* DG/UX use v 543.0 and also swap these fields */
1170 if(wth->capture.pcap->version_major == 543 &&
1171 wth->capture.pcap->version_minor == 0){
1174 temp = hdr->orig_len;
1175 hdr->orig_len = hdr->incl_len;
1176 hdr->incl_len = temp;
1181 libpcap_get_atm_pseudoheader(const struct sunatm_hdr *atm_phdr,
1182 union wtap_pseudo_header *pseudo_header)
1187 vpi = atm_phdr->vpi;
1188 vci = pntohs(&atm_phdr->vci);
1191 * The lower 4 bits of the first byte of the header indicate
1192 * the type of traffic, as per the "atmioctl.h" header in
1195 switch (atm_phdr->flags & 0x0F) {
1197 case 0x01: /* LANE */
1198 pseudo_header->atm.aal = AAL_5;
1199 pseudo_header->atm.type = TRAF_LANE;
1202 case 0x02: /* RFC 1483 LLC multiplexed traffic */
1203 pseudo_header->atm.aal = AAL_5;
1204 pseudo_header->atm.type = TRAF_LLCMX;
1207 case 0x05: /* ILMI */
1208 pseudo_header->atm.aal = AAL_5;
1209 pseudo_header->atm.type = TRAF_ILMI;
1212 case 0x06: /* Q.2931 */
1213 pseudo_header->atm.aal = AAL_SIGNALLING;
1214 pseudo_header->atm.type = TRAF_UNKNOWN;
1217 case 0x03: /* MARS (RFC 2022) */
1218 pseudo_header->atm.aal = AAL_5;
1219 pseudo_header->atm.type = TRAF_UNKNOWN;
1222 case 0x04: /* IFMP (Ipsilon Flow Management Protocol; see RFC 1954) */
1223 pseudo_header->atm.aal = AAL_5;
1224 pseudo_header->atm.type = TRAF_UNKNOWN; /* XXX - TRAF_IPSILON? */
1229 * Assume it's AAL5, unless it's VPI 0 and VCI 5, in which
1230 * case assume it's AAL_SIGNALLING; we know nothing more
1233 * XXX - is this necessary? Or are we guaranteed that
1234 * all signalling traffic has a type of 0x06?
1236 * XXX - is this guaranteed to be AAL5? Or, if the type is
1237 * 0x00 ("raw"), might it be non-AAL5 traffic?
1239 if (vpi == 0 && vci == 5)
1240 pseudo_header->atm.aal = AAL_SIGNALLING;
1242 pseudo_header->atm.aal = AAL_5;
1243 pseudo_header->atm.type = TRAF_UNKNOWN;
1246 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1248 pseudo_header->atm.vpi = vpi;
1249 pseudo_header->atm.vci = vci;
1250 pseudo_header->atm.channel = (atm_phdr->flags & 0x80) ? 0 : 1;
1252 /* We don't have this information */
1253 pseudo_header->atm.flags = 0;
1254 pseudo_header->atm.cells = 0;
1255 pseudo_header->atm.aal5t_u2u = 0;
1256 pseudo_header->atm.aal5t_len = 0;
1257 pseudo_header->atm.aal5t_chksum = 0;
1261 libpcap_read_atm_pseudoheader(FILE_T fh, union wtap_pseudo_header *pseudo_header,
1264 struct sunatm_hdr atm_phdr;
1267 errno = WTAP_ERR_CANT_READ;
1268 bytes_read = file_read(&atm_phdr, 1, sizeof (struct sunatm_hdr), fh);
1269 if (bytes_read != sizeof (struct sunatm_hdr)) {
1270 *err = file_error(fh);
1272 *err = WTAP_ERR_SHORT_READ;
1276 libpcap_get_atm_pseudoheader(&atm_phdr, pseudo_header);
1282 libpcap_read_rec_data(FILE_T fh, guchar *pd, int length, int *err)
1286 errno = WTAP_ERR_CANT_READ;
1287 bytes_read = file_read(pd, 1, length, fh);
1289 if (bytes_read != length) {
1290 *err = file_error(fh);
1292 *err = WTAP_ERR_SHORT_READ;
1299 libpcap_close(wtap *wth)
1301 g_free(wth->capture.pcap);
1304 static int wtap_wtap_encap_to_pcap_encap(int encap)
1310 case WTAP_ENCAP_FDDI:
1311 case WTAP_ENCAP_FDDI_BITSWAPPED:
1313 * Special-case WTAP_ENCAP_FDDI and
1314 * WTAP_ENCAP_FDDI_BITSWAPPED; both of them get mapped
1315 * to DLT_FDDI (even though that may mean that the bit
1316 * order in the FDDI MAC addresses is wrong; so it goes
1317 * - libpcap format doesn't record the byte order,
1318 * so that's not fixable).
1320 return 10; /* that's DLT_FDDI */
1322 case WTAP_ENCAP_PPP_WITH_PHDR:
1324 * Also special-case PPP and Frame Relay with direction
1325 * bits; map them to PPP and Frame Relay, even though
1326 * that means that the direction of the packet is lost.
1330 case WTAP_ENCAP_FRELAY_WITH_PHDR:
1334 for (i = 0; i < NUM_PCAP_ENCAPS; i++) {
1335 if (pcap_to_wtap_map[i].wtap_encap_value == encap)
1336 return pcap_to_wtap_map[i].dlt_value;
1343 * Given a Wiretap encapsulation type, and raw packet data and the packet
1344 * header from libpcap, process any pseudo-header in the packet,
1345 * fill in the Wiretap packet header, and return a pointer to the
1346 * beginning of the non-pseudo-header data in the packet.
1349 wtap_process_pcap_packet(gint linktype, const struct pcap_pkthdr *phdr,
1350 const guchar *pd, union wtap_pseudo_header *pseudo_header,
1351 struct wtap_pkthdr *whdr, int *err)
1353 /* "phdr->ts" may not necessarily be a "struct timeval" - it may
1354 be a "struct bpf_timeval", with member sizes wired to 32
1355 bits - and we may go that way ourselves in the future, so
1356 copy the members individually. */
1357 whdr->ts.tv_sec = phdr->ts.tv_sec;
1358 whdr->ts.tv_usec = phdr->ts.tv_usec;
1359 whdr->caplen = phdr->caplen;
1360 whdr->len = phdr->len;
1361 whdr->pkt_encap = linktype;
1364 * If this is an ATM packet, the first four bytes are the
1365 * direction of the packet (transmit/receive), the VPI, and
1366 * the VCI; read them and generate the pseudo-header from
1369 if (linktype == WTAP_ENCAP_ATM_PDUS) {
1370 if (whdr->caplen < sizeof (struct sunatm_hdr)) {
1372 * Uh-oh, the packet isn't big enough to even
1373 * have a pseudo-header.
1375 g_message("libpcap: SunATM capture has a %u-byte packet, too small to have even an ATM pseudo-header\n",
1377 *err = WTAP_ERR_BAD_RECORD;
1380 libpcap_get_atm_pseudoheader((const struct sunatm_hdr *)pd,
1384 * Don't count the pseudo-header as part of the packet.
1386 whdr->len -= sizeof (struct sunatm_hdr);
1387 whdr->caplen -= sizeof (struct sunatm_hdr);
1388 pd += sizeof (struct sunatm_hdr);
1391 * If this is ATM LANE traffic, try to guess what type of
1392 * LANE traffic it is based on the packet contents.
1394 if (pseudo_header->atm.type == TRAF_LANE)
1395 atm_guess_lane_type(pd, whdr->caplen, pseudo_header);
1401 /* Returns 0 if we could write the specified encapsulation type,
1402 an error indication otherwise. */
1403 int libpcap_dump_can_write_encap(int encap)
1405 /* Per-packet encapsulations aren't supported. */
1406 if (encap == WTAP_ENCAP_PER_PACKET)
1407 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
1409 if (wtap_wtap_encap_to_pcap_encap(encap) == -1)
1410 return WTAP_ERR_UNSUPPORTED_ENCAP;
1415 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
1417 gboolean libpcap_dump_open(wtap_dumper *wdh, gboolean cant_seek _U_, int *err)
1420 struct pcap_hdr file_hdr;
1423 /* This is a libpcap file */
1424 wdh->subtype_write = libpcap_dump;
1425 wdh->subtype_close = NULL;
1427 /* Write the file header. */
1428 switch (wdh->file_type) {
1430 case WTAP_FILE_PCAP:
1431 case WTAP_FILE_PCAP_SS990417: /* modified, but with the old magic, sigh */
1432 case WTAP_FILE_PCAP_NOKIA: /* Nokia libpcap of some sort */
1436 case WTAP_FILE_PCAP_SS990915: /* new magic, extra crap */
1437 case WTAP_FILE_PCAP_SS991029:
1438 magic = PCAP_MODIFIED_MAGIC;
1442 /* We should never get here - our open routine
1443 should only get called for the types above. */
1444 *err = WTAP_ERR_UNSUPPORTED_FILE_TYPE;
1448 nwritten = fwrite(&magic, 1, sizeof magic, wdh->fh);
1449 if (nwritten != sizeof magic) {
1450 if (nwritten == 0 && ferror(wdh->fh))
1453 *err = WTAP_ERR_SHORT_WRITE;
1456 wdh->bytes_dumped += sizeof magic;
1458 /* current "libpcap" format is 2.4 */
1459 file_hdr.version_major = 2;
1460 file_hdr.version_minor = 4;
1461 file_hdr.thiszone = 0; /* XXX - current offset? */
1462 file_hdr.sigfigs = 0; /* unknown, but also apparently unused */
1464 * Tcpdump cannot handle capture files with a snapshot length of 0,
1465 * as BPF filters return either 0 if they fail or the snapshot length
1466 * if they succeed, and a snapshot length of 0 means success is
1467 * indistinguishable from failure and the filter expression would
1468 * reject all packets.
1470 * A snapshot length of 0, inside Wiretap, means "snapshot length
1471 * unknown"; if the snapshot length supplied to us is 0, we make
1472 * the snapshot length in the header file WTAP_MAX_PACKET_SIZE.
1474 file_hdr.snaplen = (wdh->snaplen != 0) ? wdh->snaplen :
1475 WTAP_MAX_PACKET_SIZE;
1476 file_hdr.network = wtap_wtap_encap_to_pcap_encap(wdh->encap);
1477 nwritten = fwrite(&file_hdr, 1, sizeof file_hdr, wdh->fh);
1478 if (nwritten != sizeof file_hdr) {
1479 if (nwritten == 0 && ferror(wdh->fh))
1482 *err = WTAP_ERR_SHORT_WRITE;
1485 wdh->bytes_dumped += sizeof file_hdr;
1490 /* Write a record for a packet to a dump file.
1491 Returns TRUE on success, FALSE on failure. */
1492 static gboolean libpcap_dump(wtap_dumper *wdh,
1493 const struct wtap_pkthdr *phdr,
1494 const union wtap_pseudo_header *pseudo_header _U_,
1495 const guchar *pd, int *err)
1497 struct pcaprec_ss990915_hdr rec_hdr;
1500 struct sunatm_hdr atm_hdr;
1503 if (wdh->encap == WTAP_ENCAP_ATM_PDUS)
1504 atm_hdrsize = sizeof (struct sunatm_hdr);
1508 rec_hdr.hdr.ts_sec = phdr->ts.tv_sec;
1509 rec_hdr.hdr.ts_usec = phdr->ts.tv_usec;
1510 rec_hdr.hdr.incl_len = phdr->caplen + atm_hdrsize;
1511 rec_hdr.hdr.orig_len = phdr->len + atm_hdrsize;
1512 switch (wdh->file_type) {
1514 case WTAP_FILE_PCAP:
1515 hdr_size = sizeof (struct pcaprec_hdr);
1518 case WTAP_FILE_PCAP_SS990417: /* modified, but with the old magic, sigh */
1519 case WTAP_FILE_PCAP_SS991029:
1520 /* XXX - what should we supply here?
1522 Alexey's "libpcap" looks up the interface in the system's
1523 interface list if "ifindex" is non-zero, and prints
1524 the interface name. It ignores "protocol", and uses
1525 "pkt_type" to tag the packet as "host", "broadcast",
1526 "multicast", "other host", "outgoing", or "none of the
1527 above", but that's it.
1529 If the capture we're writing isn't a modified or
1530 RH 6.1 capture, we'd have to do some work to
1531 generate the packet type and interface index - and
1532 we can't generate the interface index unless we
1533 just did the capture ourselves in any case.
1535 I'm inclined to continue to punt; systems other than
1536 those with the older patch can read standard "libpcap"
1537 files, and systems with the older patch, e.g. RH 6.1,
1538 will just have to live with this. */
1539 rec_hdr.ifindex = 0;
1540 rec_hdr.protocol = 0;
1541 rec_hdr.pkt_type = 0;
1542 hdr_size = sizeof (struct pcaprec_modified_hdr);
1545 case WTAP_FILE_PCAP_SS990915: /* new magic, extra crap at the end */
1546 rec_hdr.ifindex = 0;
1547 rec_hdr.protocol = 0;
1548 rec_hdr.pkt_type = 0;
1551 hdr_size = sizeof (struct pcaprec_ss990915_hdr);
1554 case WTAP_FILE_PCAP_NOKIA: /* old magic, extra crap at the end */
1555 rec_hdr.ifindex = 0;
1556 rec_hdr.protocol = 0;
1557 rec_hdr.pkt_type = 0;
1560 hdr_size = sizeof (struct pcaprec_nokia_hdr);
1564 /* We should never get here - our open routine
1565 should only get called for the types above. */
1566 g_assert_not_reached();
1567 *err = WTAP_ERR_UNSUPPORTED_FILE_TYPE;
1571 nwritten = fwrite(&rec_hdr, 1, hdr_size, wdh->fh);
1572 if (nwritten != hdr_size) {
1573 if (nwritten == 0 && ferror(wdh->fh))
1576 *err = WTAP_ERR_SHORT_WRITE;
1579 wdh->bytes_dumped += hdr_size;
1581 if (wdh->encap == WTAP_ENCAP_ATM_PDUS) {
1583 * Write the ATM header.
1586 (pseudo_header->atm.channel == 0) ? 0x80 : 0x00;
1587 switch (pseudo_header->atm.aal) {
1589 case AAL_SIGNALLING:
1591 atm_hdr.flags |= 0x06;
1595 switch (pseudo_header->atm.type) {
1599 atm_hdr.flags |= 0x01;
1603 /* RFC 1483 LLC multiplexed traffic */
1604 atm_hdr.flags |= 0x02;
1609 atm_hdr.flags |= 0x05;
1614 atm_hdr.vpi = pseudo_header->atm.vpi;
1615 atm_hdr.vci = phtons(&pseudo_header->atm.vci);
1616 nwritten = fwrite(&atm_hdr, 1, sizeof atm_hdr, wdh->fh);
1617 if (nwritten != sizeof atm_hdr) {
1618 if (nwritten == 0 && ferror(wdh->fh))
1621 *err = WTAP_ERR_SHORT_WRITE;
1624 wdh->bytes_dumped += sizeof atm_hdr;
1627 nwritten = fwrite(pd, 1, phdr->caplen, wdh->fh);
1628 if (nwritten != phdr->caplen) {
1629 if (nwritten == 0 && ferror(wdh->fh))
1632 *err = WTAP_ERR_SHORT_WRITE;
1635 wdh->bytes_dumped += phdr->caplen;