3 * $Id: libpcap.c,v 1.95 2003/03/25 06:04:54 guy Exp $
6 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
30 #include "file_wrappers.h"
36 # ifdef HAVE_SYS_TYPES_H
37 # include <sys/types.h>
40 #include "wtap-capture.h"
44 * The link-layer header on ATM packets.
47 guint8 flags; /* destination and traffic type */
49 guint16 vci; /* VCI */
52 /* See source to the "libpcap" library for information on the "libpcap"
55 /* On some systems, the FDDI MAC addresses are bit-swapped. */
56 #if !defined(ultrix) && !defined(__alpha) && !defined(__bsdi__)
57 #define BIT_SWAPPED_MAC_ADDRS
60 /* Try to read the first two records of the capture file. */
62 THIS_FORMAT, /* the reads succeeded, assume it's this format */
63 BAD_READ, /* the file is probably not valid */
64 OTHER_FORMAT /* the file may be valid, but not in this format */
66 static libpcap_try_t libpcap_try(wtap *wth, int *err);
68 static gboolean libpcap_read(wtap *wth, int *err, long *data_offset);
69 static gboolean libpcap_seek_read(wtap *wth, long seek_off,
70 union wtap_pseudo_header *pseudo_header, guchar *pd, int length, int *err);
71 static int libpcap_read_header(wtap *wth, int *err,
72 struct pcaprec_ss990915_hdr *hdr, gboolean silent);
73 static void adjust_header(wtap *wth, struct pcaprec_hdr *hdr);
74 static void libpcap_get_atm_pseudoheader(const struct sunatm_hdr *atm_phdr,
75 union wtap_pseudo_header *pseudo_header);
76 static gboolean libpcap_read_atm_pseudoheader(FILE_T fh,
77 union wtap_pseudo_header *pseudo_header, int *err);
78 static gboolean libpcap_read_rec_data(FILE_T fh, guchar *pd, int length,
80 static void libpcap_close(wtap *wth);
81 static gboolean libpcap_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
82 const union wtap_pseudo_header *pseudo_header, const guchar *pd, int *err);
85 * Either LBL NRG wasn't an adequate central registry (e.g., because of
86 * the slow rate of releases from them), or nobody bothered using them
87 * as a central registry, as many different groups have patched libpcap
88 * (and BPF, on the BSDs) to add new encapsulation types, and have ended
89 * up using the same DLT_ values for different encapsulation types.
91 * For those numerical encapsulation type values that everybody uses for
92 * the same encapsulation type (which inclues those that some platforms
93 * specify different DLT_ names for but don't appear to use), we map
94 * those values to the appropriate Wiretap values.
96 * For those numerical encapsulation type values that different libpcap
97 * variants use for different encapsulation types, we check what
98 * <pcap.h> defined to determine how to interpret them, so that we
99 * interpret them the way the libpcap with which we're building
100 * Ethereal/Wiretap interprets them (which, if it doesn't support
101 * them at all, means we don't support them either - any capture files
102 * using them are foreign, and we don't hazard a guess as to which
103 * platform they came from; we could, I guess, choose the most likely
107 static const struct {
109 int wtap_encap_value;
110 } pcap_to_wtap_map[] = {
112 * These are the values that are almost certainly the same
113 * in all libpcaps (I've yet to find one where the values
114 * in question are used for some purpose other than the
115 * one below, but...), and that Wiretap and Ethereal
118 { 0, WTAP_ENCAP_NULL }, /* null encapsulation */
119 { 1, WTAP_ENCAP_ETHERNET },
120 { 6, WTAP_ENCAP_TOKEN_RING }, /* IEEE 802 Networks - assume token ring */
121 { 7, WTAP_ENCAP_ARCNET },
122 { 8, WTAP_ENCAP_SLIP },
123 { 9, WTAP_ENCAP_PPP },
124 #ifdef BIT_SWAPPED_MAC_ADDRS
125 { 10, WTAP_ENCAP_FDDI_BITSWAPPED },
127 { 10, WTAP_ENCAP_FDDI },
131 * 50 is DLT_PPP_SERIAL in NetBSD; it appears that DLT_PPP
132 * on BSD (at least according to standard tcpdump) has, as
133 * the first octet, an indication of whether the packet was
134 * transmitted or received (rather than having the standard
135 * PPP address value of 0xff), but that DLT_PPP_SERIAL puts
136 * a real live PPP header there, or perhaps a Cisco PPP header
137 * as per section 4.3.1 of RFC 1547 (implementations of this
138 * exist in various BSDs in "sys/net/if_spppsubr.c", and
139 * I think also exist either in standard Linux or in
140 * various Linux patches; the implementations show how to handle
141 * Cisco keepalive packets).
143 * However, I don't see any obvious place in FreeBSD "if_ppp.c"
144 * where anything other than the standard PPP header would be
145 * passed up. I see some stuff that sets the first octet
146 * to 0 for incoming and 1 for outgoing packets before applying
147 * a BPF filter to see whether to drop packets whose protocol
148 * field has the 0x8000 bit set, i.e. network control protocols -
149 * those are handed up to userland - but that code puts the
150 * address field back before passing the packet up.
152 * I also don't see anything immediately obvious that munges
153 * the address field for sync PPP, either.
155 * Ethereal currently assumes that if the first octet of a
156 * PPP frame is 0xFF, it's the address field and is followed
157 * by a control field and a 2-byte protocol, otherwise the
158 * address and control fields are absent and the frame begins
159 * with a protocol field. If we ever see a BSD/OS PPP
160 * capture, we'll have to handle it differently, and we may
161 * have to handle standard BSD captures differently if, in fact,
162 * they don't have 0xff 0x03 as the first two bytes - but, as per
163 * the two paragraphs preceding this, it's not clear that
164 * the address field *is* munged into an incoming/outgoing
165 * field when the packet is handed to the BPF device.
167 * For now, we just map DLT_PPP_SERIAL to WTAP_ENCAP_PPP, as
168 * we treat WTAP_ENCAP_PPP packets as if those beginning with
169 * 0xff have the standard RFC 1662 "PPP in HDLC-like Framing"
170 * 0xff 0x03 address/control header, and DLT_PPP_SERIAL frames
171 * appear to contain that unless they're Cisco frames (if we
172 * ever see a capture with them, we'd need to implement the
173 * RFC 1547 stuff, and the keepalive protocol stuff).
175 * We may have to distinguish between "PPP where if it doesn't
176 * begin with 0xff there's no HDLC encapsulation and the frame
177 * begins with the protocol field" (which is how we handle
178 * WTAP_ENCAP_PPP now) and "PPP where there's either HDLC
179 * encapsulation or Cisco PPP" (which is what DLT_PPP_SERIAL
182 * XXX - NetBSD has DLT_HDLC, which appears to be used for
183 * Cisco HDLC. Ideally, they should use DLT_PPP_SERIAL
184 * only for real live HDLC-encapsulated PPP, not for Cisco
187 { 50, WTAP_ENCAP_PPP },
190 * These are the values that libpcap 0.5 and later use in
191 * capture file headers, in an attempt to work around the
192 * confusion decried above, and that Wiretap and Ethereal
195 { 100, WTAP_ENCAP_ATM_RFC1483 },
196 { 101, WTAP_ENCAP_RAW_IP },
199 * More values used by libpcap 0.5 as DLT_ values and used by the
200 * current CVS version of libpcap in capture file headers.
201 * They are not yet handled in Ethereal.
202 * If we get a capture that contains them, we'll implement them.
204 { 102, WTAP_ENCAP_SLIP_BSDOS },
205 { 103, WTAP_ENCAP_PPP_BSDOS },
209 * These ones are handled in Ethereal, though.
211 { 104, WTAP_ENCAP_CHDLC }, /* Cisco HDLC */
212 { 105, WTAP_ENCAP_IEEE_802_11 }, /* IEEE 802.11 */
213 { 106, WTAP_ENCAP_LINUX_ATM_CLIP },
214 { 107, WTAP_ENCAP_FRELAY }, /* Frame Relay */
215 { 108, WTAP_ENCAP_NULL }, /* OpenBSD loopback */
216 { 109, WTAP_ENCAP_ENC }, /* OpenBSD IPSEC enc */
218 { 110, WTAP_ENCAP_LANE_802_3 },/* ATM LANE 802.3 */
219 { 111, WTAP_ENCAP_HIPPI }, /* NetBSD HIPPI */
221 { 112, WTAP_ENCAP_CHDLC }, /* NetBSD HDLC framing */
224 * Linux "cooked mode" captures, used by the current CVS version
227 { 113, WTAP_ENCAP_SLL }, /* Linux cooked capture */
229 { 114, WTAP_ENCAP_LOCALTALK }, /* Localtalk */
232 * The tcpdump.org version of libpcap uses 117, rather than 17,
233 * for OpenBSD packet filter logging, so as to avoid conflicting
234 * with DLT_LANE8023 in SuSE 6.3 libpcap.
236 { 117, WTAP_ENCAP_PFLOG },
238 { 118, WTAP_ENCAP_CISCO_IOS },
239 { 119, WTAP_ENCAP_PRISM_HEADER }, /* Prism monitor mode hdr */
240 { 121, WTAP_ENCAP_HHDLC }, /* HiPath HDLC */
241 { 122, WTAP_ENCAP_IP_OVER_FC }, /* RFC 2625 IP-over-FC */
242 { 123, WTAP_ENCAP_ATM_PDUS }, /* SunATM */
243 { 127, WTAP_ENCAP_WLAN_HEADER }, /* 802.11 plus WLAN header */
244 { 128, WTAP_ENCAP_TZSP }, /* Tazmen Sniffer Protocol */
245 { 129, WTAP_ENCAP_ARCNET_LINUX },
248 * The following are entries for libpcap type values that have
249 * different meanings on different OSes.
251 * We put these *after* the entries for the platform-independent
252 * libpcap type values for those Wiretap encapsulation types, so
253 * that Ethereal chooses the platform-independent libpcap type
254 * value for those encapsulatioin types, not the platform-dependent
259 * 11 is DLT_ATM_RFC1483 on most platforms; the only libpcaps I've
260 * seen that define anything other than DLT_ATM_RFC1483 as 11 are
261 * the BSD/OS one, which defines DLT_FR as 11, and libpcap 0.5,
262 * which define it as 100, mapping the kernel's value to 100, in
263 * an attempt to hide the different values used on different
266 * If this is a platform where DLT_FR is defined as 11, we
267 * don't handle 11 at all; otherwise, we handle it as
268 * DLT_ATM_RFC1483 (this means we'd misinterpret Frame Relay
269 * captures from BSD/OS if running on platforms other than BSD/OS,
272 * 1) we don't yet support DLT_FR
276 * 2) nothing short of a heuristic would let us interpret
279 #if defined(DLT_FR) && (DLT_FR == 11)
280 { 11, WTAP_ENCAP_FRELAY },
282 { 11, WTAP_ENCAP_ATM_RFC1483 },
286 * 12 is DLT_RAW on most platforms, but it's DLT_C_HDLC on
287 * BSD/OS, and DLT_LOOP on OpenBSD.
289 * We don't yet handle DLT_C_HDLC, but we can handle DLT_LOOP
290 * (it's just like DLT_NULL, only with the AF_ value in network
291 * rather than host byte order - Ethereal figures out the
292 * byte order from the data, so we don't care what byte order
293 * it's in), so if DLT_LOOP is defined as 12, interpret 12
294 * as WTAP_ENCAP_NULL, otherwise, unless DLT_C_HDLC is defined
295 * as 12, interpret it as WTAP_ENCAP_RAW_IP.
297 #if defined(DLT_LOOP) && (DLT_LOOP == 12)
298 { 12, WTAP_ENCAP_NULL },
299 #elif defined(DLT_C_HDLC) && (DLT_C_HDLC == 12)
301 * Put entry for Cisco HDLC here.
302 * XXX - is this just WTAP_ENCAP_CHDLC, i.e. does the frame
303 * start with a 4-byte Cisco HDLC header?
306 { 12, WTAP_ENCAP_RAW_IP },
310 * 13 is DLT_SLIP_BSDOS on FreeBSD and NetBSD, but those OSes
311 * don't actually generate it. I infer that BSD/OS translates
312 * DLT_SLIP from the kernel BPF code to DLT_SLIP_BSDOS in
313 * libpcap, as the BSD/OS link-layer header is different;
314 * however, in BSD/OS, DLT_SLIP_BSDOS is 15.
316 * From this, I infer that there's no point in handling 13
319 * 13 is DLT_ATM_RFC1483 on BSD/OS.
321 * 13 is DLT_ENC in OpenBSD, which is, I suspect, some kind
322 * of decrypted IPSEC traffic.
324 #if defined(DLT_ATM_RFC1483) && (DLT_ATM_RFC1483 == 13)
325 { 13, WTAP_ENCAP_ATM_RFC1483 },
326 #elif defined(DLT_ENC) && (DLT_ENC == 13)
327 { 13, WTAP_ENCAP_ENC },
331 * 14 is DLT_PPP_BSDOS on FreeBSD and NetBSD, but those OSes
332 * don't actually generate it. I infer that BSD/OS translates
333 * DLT_PPP from the kernel BPF code to DLT_PPP_BSDOS in
334 * libpcap, as the BSD/OS link-layer header is different;
335 * however, in BSD/OS, DLT_PPP_BSDOS is 16.
337 * From this, I infer that there's no point in handling 14
340 * 14 is DLT_RAW on BSD/OS and OpenBSD.
342 { 14, WTAP_ENCAP_RAW_IP },
347 * DLT_SLIP_BSDOS on BSD/OS;
349 * DLT_HIPPI on NetBSD;
351 * DLT_LANE8023 with Alexey Kuznetzov's patches for
354 * DLT_I4L_RAWIP with the ISDN4Linux patches for libpcap
357 * but we don't currently handle any of those.
363 * DLT_PPP_BSDOS on BSD/OS;
365 * DLT_HDLC on NetBSD (Cisco HDLC);
367 * DLT_CIP with Alexey Kuznetzov's patches for
368 * Linux libpcap - this is WTAP_ENCAP_LINUX_ATM_CLIP;
370 * DLT_I4L_IP with the ISDN4Linux patches for libpcap
373 #if defined(DLT_CIP) && (DLT_CIP == 16)
374 { 16, WTAP_ENCAP_LINUX_ATM_CLIP },
376 #if defined(DLT_HDLC) && (DLT_HDLC == 16)
377 { 16, WTAP_ENCAP_CHDLC },
381 * 17 is DLT_LANE8023 in SuSE 6.3 libpcap; we don't currently
383 * It is also used as the PF (Packet Filter) logging format beginning
384 * with OpenBSD 3.0; we use 17 for PF logs unless DLT_LANE8023 is
385 * defined with the value 17.
387 #if !defined(DLT_LANE8023) || (DLT_LANE8023 != 17)
388 { 17, WTAP_ENCAP_PFLOG },
392 * 18 is DLT_CIP in SuSE 6.3 libpcap; if it's the same as the
393 * DLT_CIP of 16 that the Alexey Kuznetzov patches for
394 * libpcap/tcpdump define, it's WTAP_ENCAP_LINUX_ATM_CLIP.
395 * I've not found any libpcap that uses it for any other purpose -
396 * hopefully nobody will do so in the future.
398 { 18, WTAP_ENCAP_LINUX_ATM_CLIP },
401 * 19 is DLT_ATM_CLIP in the libpcap/tcpdump patches in the
402 * recent versions I've seen of the Linux ATM distribution;
403 * I've not yet found any libpcap that uses it for any other
404 * purpose - hopefully nobody will do so in the future.
406 { 19, WTAP_ENCAP_LINUX_ATM_CLIP },
408 #define NUM_PCAP_ENCAPS (sizeof pcap_to_wtap_map / sizeof pcap_to_wtap_map[0])
410 int wtap_pcap_encap_to_wtap_encap(int encap)
414 for (i = 0; i < NUM_PCAP_ENCAPS; i++) {
415 if (pcap_to_wtap_map[i].dlt_value == encap)
416 return pcap_to_wtap_map[i].wtap_encap_value;
418 return WTAP_ENCAP_UNKNOWN;
422 int libpcap_open(wtap *wth, int *err)
427 gboolean byte_swapped;
432 /* Read in the number that should be at the start of a "libpcap" file */
433 errno = WTAP_ERR_CANT_READ;
434 bytes_read = file_read(&magic, 1, sizeof magic, wth->fh);
435 if (bytes_read != sizeof magic) {
436 *err = file_error(wth->fh);
441 wth->data_offset += sizeof magic;
446 /* Host that wrote it has our byte order, and was running
447 a program using either standard or ss990417 libpcap. */
448 byte_swapped = FALSE;
452 case PCAP_MODIFIED_MAGIC:
453 /* Host that wrote it has our byte order, and was running
454 a program using either ss990915 or ss991029 libpcap. */
455 byte_swapped = FALSE;
459 case PCAP_SWAPPED_MAGIC:
460 /* Host that wrote it has a byte order opposite to ours,
461 and was running a program using either standard or
467 case PCAP_SWAPPED_MODIFIED_MAGIC:
468 /* Host that wrote it out has a byte order opposite to
469 ours, and was running a program using either ss990915
470 or ss991029 libpcap. */
476 /* Not a "libpcap" type we know about. */
480 /* Read the rest of the header. */
481 errno = WTAP_ERR_CANT_READ;
482 bytes_read = file_read(&hdr, 1, sizeof hdr, wth->fh);
483 if (bytes_read != sizeof hdr) {
484 *err = file_error(wth->fh);
489 wth->data_offset += sizeof hdr;
492 /* Byte-swap the header fields about which we care. */
493 hdr.version_major = BSWAP16(hdr.version_major);
494 hdr.version_minor = BSWAP16(hdr.version_minor);
495 hdr.snaplen = BSWAP32(hdr.snaplen);
496 hdr.network = BSWAP32(hdr.network);
498 if (hdr.version_major < 2) {
499 /* We only support version 2.0 and later. */
500 g_message("pcap: major version %u unsupported",
502 *err = WTAP_ERR_UNSUPPORTED;
507 * AIX's non-standard tcpdump uses a minor version number of 2.
508 * Unfortunately, older versions of libpcap might have used
511 * The AIX libpcap uses RFC 1573 ifType values rather than
512 * DLT_ values in the header; the ifType values for LAN devices
519 * which correspond to DLT_IEEE802 (used for Token Ring),
520 * DLT_PPP, and DLT_SLIP_BSDOS, respectively. The ifType value
521 * for a loopback interface is 24, which currently isn't
522 * used by any version of libpcap I know about (and, as
523 * tcpdump.org are assigning DLT_ values above 100, and
524 * NetBSD started assigning values starting at 50, and
525 * the values chosen by other libpcaps appear to stop at
526 * 19, it's probably not going to be used by any libpcap
529 * We shall assume that if the minor version number is 2, and
530 * the network type is 6, 9, 15, or 24, that it's AIX libpcap.
532 * I'm assuming those older versions of libpcap didn't
533 * use DLT_IEEE802 for Token Ring, and didn't use DLT_SLIP_BSDOS
534 * as that came later. It may have used DLT_PPP, however, in
535 * which case we're out of luck; we assume it's Token Ring
536 * in AIX libpcap rather than PPP in standard libpcap, as
537 * you're probably more likely to be handing an AIX libpcap
538 * token-ring capture than an old (pre-libpcap 0.4) PPP capture
541 aix = FALSE; /* assume it's not AIX */
542 if (hdr.version_major == 2 && hdr.version_minor == 2) {
543 switch (hdr.network) {
546 hdr.network = 1; /* DLT_EN10MB, Ethernet */
551 hdr.network = 6; /* DLT_IEEE802, Token Ring */
556 hdr.network = 10; /* DLT_FDDI, FDDI */
561 hdr.network = 0; /* DLT_NULL, loopback */
566 file_encap = wtap_pcap_encap_to_wtap_encap(hdr.network);
567 if (file_encap == WTAP_ENCAP_UNKNOWN) {
568 g_message("pcap: network type %u unknown or unsupported",
570 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
574 /* This is a libpcap file */
575 wth->capture.pcap = g_malloc(sizeof(libpcap_t));
576 wth->capture.pcap->byte_swapped = byte_swapped;
577 wth->capture.pcap->version_major = hdr.version_major;
578 wth->capture.pcap->version_minor = hdr.version_minor;
579 wth->subtype_read = libpcap_read;
580 wth->subtype_seek_read = libpcap_seek_read;
581 wth->subtype_close = libpcap_close;
582 wth->file_encap = file_encap;
583 wth->snapshot_length = hdr.snaplen;
586 * Is this AIX format?
590 * Yes. Skip all the tests for other mutant formats.
592 wth->file_type = WTAP_FILE_PCAP_AIX;
597 * No. Let's look at the header for the first record,
598 * and see if, interpreting it as a standard header (if the
599 * magic number was standard) or a modified header (if the
600 * magic number was modified), the position where it says the
601 * header for the *second* record is contains a corrupted header.
605 * If this file had the standard magic number, it may be
606 * an ss990417 capture file - in that version of Alexey's
607 * patch, the packet header format was changed but the
608 * magic number wasn't, and, alas, Red Hat appear to have
609 * picked up that version of the patch for RH 6.1, meaning
610 * RH 6.1 has a tcpdump that writes out files that can't
611 * be read by any software that expects non-modified headers
612 * if the magic number isn't the modified magic number (e.g.,
613 * any normal version of tcpdump, and Ethereal if we don't
614 * do this gross heuristic).
616 * If this file had the modified magic number, it may be
617 * an ss990915 capture file - in that version of Alexey's
618 * patch, the magic number was changed, but the record
619 * header had some extra fields, and, alas, SuSE appear
620 * to have picked up that version of the patch for SuSE
621 * 6.3, meaning that programs expecting the standard per-
622 * packet header in captures with the modified magic number
623 * can't read dumps from its tcpdump.
625 * Oh, and if it has the standard magic number, it might, instead,
626 * be a Nokia libpcap file, so we may need to try that if
627 * neither normal nor ss990417 headers work.
631 * Well, we have the magic number from Alexey's
634 * Try ss991029, the last of his patches, first.
636 wth->file_type = WTAP_FILE_PCAP_SS991029;
637 switch (libpcap_try(wth, err)) {
641 * Well, we couldn't even read it.
644 g_free(wth->capture.pcap);
649 * Well, it looks as if it might be 991029.
650 * Put the seek pointer back, and return success.
652 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
653 g_free(wth->capture.pcap);
660 * Try the next format.
666 * Well, it's not completely unreadable,
667 * but it's not ss991029. Try ss990915;
668 * there are no other types to try after that,
669 * so we put the seek pointer back and treat
672 wth->file_type = WTAP_FILE_PCAP_SS990915;
673 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
674 g_free(wth->capture.pcap);
679 * Well, we have the standard magic number.
681 * Try the standard format first.
683 wth->file_type = WTAP_FILE_PCAP;
684 switch (libpcap_try(wth, err)) {
688 * Well, we couldn't even read it.
691 g_free(wth->capture.pcap);
696 * Well, it looks as if it might be a standard
698 * Put the seek pointer back, and return success.
700 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
701 g_free(wth->capture.pcap);
708 * Try the next format.
714 * Well, it's not completely unreadable, but it's not
715 * a standard file. Put the seek pointer back and try
718 wth->file_type = WTAP_FILE_PCAP_SS990417;
719 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
720 g_free(wth->capture.pcap);
723 switch (libpcap_try(wth, err)) {
727 * Well, we couldn't even read it.
730 g_free(wth->capture.pcap);
735 * Well, it looks as if it might be ss990417.
736 * Put the seek pointer back, and return success.
738 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
739 g_free(wth->capture.pcap);
746 * Try the next format.
752 * Well, it's not completely unreadable,
753 * but it's not a standard file *nor* is it ss990417.
754 * Try it as a Nokia file; there are no other types
755 * to try after that, so we put the seek pointer back
756 * and treat it as a Nokia file.
758 wth->file_type = WTAP_FILE_PCAP_NOKIA;
759 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
760 g_free(wth->capture.pcap);
768 /* Try to read the first two records of the capture file. */
769 static libpcap_try_t libpcap_try(wtap *wth, int *err)
772 * pcaprec_ss990915_hdr is the largest header type.
774 struct pcaprec_ss990915_hdr first_rec_hdr, second_rec_hdr;
777 * Attempt to read the first record's header.
779 if (libpcap_read_header(wth, err, &first_rec_hdr, TRUE) == -1) {
780 if (*err == 0 || *err == WTAP_ERR_SHORT_READ) {
782 * EOF or short read - assume the file is in this
784 * When our client tries to read the first packet
785 * they will presumably get the same EOF or short
791 if (*err == WTAP_ERR_BAD_RECORD) {
793 * The first record is bogus, so this is probably
794 * a corrupt file. Assume the file is in this
795 * format. When our client tries to read the
796 * first packet they will presumably get the
803 * Some other error, e.g. an I/O error; just give up.
809 * Now skip over the first record's data, under the assumption
810 * that the header is sane.
812 if (file_seek(wth->fh, first_rec_hdr.hdr.incl_len, SEEK_CUR, err) == -1)
816 * Now attempt to read the second record's header.
818 if (libpcap_read_header(wth, err, &second_rec_hdr, TRUE) == -1) {
819 if (*err == 0 || *err == WTAP_ERR_SHORT_READ) {
821 * EOF or short read - assume the file is in this
823 * When our client tries to read the second packet
824 * they will presumably get the same EOF or short
830 if (*err == WTAP_ERR_BAD_RECORD) {
832 * The second record is bogus; maybe it's a
833 * Capture File From Hell, and what looks like
834 * the "header" of the next packet is actually
835 * random junk from the middle of a packet.
836 * Try the next format; if we run out of formats,
837 * it probably *is* a corrupt file.
843 * Some other error, e.g. an I/O error; just give up.
849 * OK, the first two records look OK; assume this is the
855 /* Read the next packet */
856 static gboolean libpcap_read(wtap *wth, int *err, long *data_offset)
858 struct pcaprec_ss990915_hdr hdr;
862 char fddi_padding[3];
864 bytes_read = libpcap_read_header(wth, err, &hdr, FALSE);
865 if (bytes_read == -1) {
867 * We failed to read the header.
872 wth->data_offset += bytes_read;
873 packet_size = hdr.hdr.incl_len;
874 orig_size = hdr.hdr.orig_len;
877 * AIX appears to put 3 bytes of padding in front of FDDI
878 * frames; strip that crap off.
880 if (wth->file_type == WTAP_FILE_PCAP_AIX &&
881 (wth->file_encap == WTAP_ENCAP_FDDI ||
882 wth->file_encap == WTAP_ENCAP_FDDI_BITSWAPPED)) {
884 * The packet size is really a record size and includes
889 wth->data_offset += 3;
894 if (!libpcap_read_rec_data(wth->fh, fddi_padding, 3, err))
895 return FALSE; /* Read error */
898 *data_offset = wth->data_offset;
901 * If this is an ATM packet, the first four bytes are the
902 * direction of the packet (transmit/receive), the VPI, and
903 * the VCI; read them and generate the pseudo-header from
906 if (wth->file_encap == WTAP_ENCAP_ATM_PDUS) {
907 if (packet_size < sizeof (struct sunatm_hdr)) {
909 * Uh-oh, the packet isn't big enough to even
910 * have a pseudo-header.
912 g_message("libpcap: SunATM file has a %u-byte packet, too small to have even an ATM pseudo-header\n",
914 *err = WTAP_ERR_BAD_RECORD;
917 if (!libpcap_read_atm_pseudoheader(wth->fh, &wth->pseudo_header,
919 return FALSE; /* Read error */
922 * Don't count the pseudo-header as part of the packet.
924 orig_size -= sizeof (struct sunatm_hdr);
925 packet_size -= sizeof (struct sunatm_hdr);
926 wth->data_offset += sizeof (struct sunatm_hdr);
929 buffer_assure_space(wth->frame_buffer, packet_size);
930 if (!libpcap_read_rec_data(wth->fh, buffer_start_ptr(wth->frame_buffer),
932 return FALSE; /* Read error */
933 wth->data_offset += packet_size;
935 wth->phdr.ts.tv_sec = hdr.hdr.ts_sec;
936 wth->phdr.ts.tv_usec = hdr.hdr.ts_usec;
937 wth->phdr.caplen = packet_size;
938 wth->phdr.len = orig_size;
939 wth->phdr.pkt_encap = wth->file_encap;
942 * If this is ATM LANE traffic, try to guess what type of LANE
943 * traffic it is based on the packet contents.
945 if (wth->file_encap == WTAP_ENCAP_ATM_PDUS &&
946 wth->pseudo_header.atm.type == TRAF_LANE) {
947 atm_guess_lane_type(buffer_start_ptr(wth->frame_buffer),
948 wth->phdr.caplen, &wth->pseudo_header);
955 libpcap_seek_read(wtap *wth, long seek_off,
956 union wtap_pseudo_header *pseudo_header, guchar *pd, int length, int *err)
958 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
961 if (wth->file_encap == WTAP_ENCAP_ATM_PDUS) {
962 if (!libpcap_read_atm_pseudoheader(wth->random_fh, pseudo_header,
970 * Read the packet data.
972 if (!libpcap_read_rec_data(wth->random_fh, pd, length, err))
973 return FALSE; /* failed */
976 * If this is ATM LANE traffic, try to guess what type of LANE
977 * traffic it is based on the packet contents.
979 if (wth->file_encap == WTAP_ENCAP_ATM_PDUS &&
980 pseudo_header->atm.type == TRAF_LANE)
981 atm_guess_lane_type(pd, length, pseudo_header);
985 /* Read the header of the next packet; if "silent" is TRUE, don't complain
986 to the console, as we're testing to see if the file appears to be of a
989 Return -1 on an error, or the number of bytes of header read on success. */
990 static int libpcap_read_header(wtap *wth, int *err,
991 struct pcaprec_ss990915_hdr *hdr, gboolean silent)
993 int bytes_to_read, bytes_read;
995 /* Read record header. */
996 errno = WTAP_ERR_CANT_READ;
997 switch (wth->file_type) {
1000 case WTAP_FILE_PCAP_AIX:
1001 bytes_to_read = sizeof (struct pcaprec_hdr);
1004 case WTAP_FILE_PCAP_SS990417:
1005 case WTAP_FILE_PCAP_SS991029:
1006 bytes_to_read = sizeof (struct pcaprec_modified_hdr);
1009 case WTAP_FILE_PCAP_SS990915:
1010 bytes_to_read = sizeof (struct pcaprec_ss990915_hdr);
1013 case WTAP_FILE_PCAP_NOKIA:
1014 bytes_to_read = sizeof (struct pcaprec_nokia_hdr);
1018 g_assert_not_reached();
1021 bytes_read = file_read(hdr, 1, bytes_to_read, wth->fh);
1022 if (bytes_read != bytes_to_read) {
1023 *err = file_error(wth->fh);
1024 if (*err == 0 && bytes_read != 0) {
1025 *err = WTAP_ERR_SHORT_READ;
1030 adjust_header(wth, &hdr->hdr);
1032 if (hdr->hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
1034 * Probably a corrupt capture file; return an error,
1035 * so that our caller doesn't blow up trying to allocate
1036 * space for an immensely-large packet, and so that
1037 * the code to try to guess what type of libpcap file
1038 * this is can tell when it's not the type we're guessing
1042 g_message("pcap: File has %u-byte packet, bigger than maximum of %u",
1043 hdr->hdr.incl_len, WTAP_MAX_PACKET_SIZE);
1045 *err = WTAP_ERR_BAD_RECORD;
1049 if (hdr->hdr.orig_len > WTAP_MAX_PACKET_SIZE) {
1051 * Probably a corrupt capture file; return an error,
1052 * so that our caller doesn't blow up trying to
1053 * cope with a huge "real" packet length, and so that
1054 * the code to try to guess what type of libpcap file
1055 * this is can tell when it's not the type we're guessing
1059 g_message("pcap: File has %u-byte packet, bigger than maximum of %u",
1060 hdr->hdr.orig_len, WTAP_MAX_PACKET_SIZE);
1062 *err = WTAP_ERR_BAD_RECORD;
1070 adjust_header(wtap *wth, struct pcaprec_hdr *hdr)
1072 if (wth->capture.pcap->byte_swapped) {
1073 /* Byte-swap the record header fields. */
1074 hdr->ts_sec = BSWAP32(hdr->ts_sec);
1075 hdr->ts_usec = BSWAP32(hdr->ts_usec);
1076 hdr->incl_len = BSWAP32(hdr->incl_len);
1077 hdr->orig_len = BSWAP32(hdr->orig_len);
1080 /* If this is AIX, convert the time stamp from seconds/nanoseconds
1081 to seconds/microseconds. */
1082 if (wth->file_type == WTAP_FILE_PCAP_AIX)
1083 hdr->ts_usec = hdr->ts_usec/1000;
1085 /* In file format version 2.3, the "incl_len" and "orig_len" fields
1086 were swapped, in order to match the BPF header layout.
1088 Unfortunately, some files were, according to a comment in the
1089 "libpcap" source, written with version 2.3 in their headers
1090 but without the interchanged fields, so if "incl_len" is
1091 greater than "orig_len" - which would make no sense - we
1092 assume that we need to swap them. */
1093 if (wth->capture.pcap->version_major == 2 &&
1094 (wth->capture.pcap->version_minor < 3 ||
1095 (wth->capture.pcap->version_minor == 3 &&
1096 hdr->incl_len > hdr->orig_len))) {
1099 temp = hdr->orig_len;
1100 hdr->orig_len = hdr->incl_len;
1101 hdr->incl_len = temp;
1106 libpcap_get_atm_pseudoheader(const struct sunatm_hdr *atm_phdr,
1107 union wtap_pseudo_header *pseudo_header)
1112 vpi = atm_phdr->vpi;
1113 vci = pntohs(&atm_phdr->vci);
1116 * The lower 4 bits of the first byte of the header indicate
1117 * the type of traffic, as per the "atmioctl.h" header in
1120 switch (atm_phdr->flags & 0x0F) {
1122 case 0x01: /* LANE */
1123 pseudo_header->atm.aal = AAL_5;
1124 pseudo_header->atm.type = TRAF_LANE;
1127 case 0x02: /* RFC 1483 LLC multiplexed traffic */
1128 pseudo_header->atm.aal = AAL_5;
1129 pseudo_header->atm.type = TRAF_LLCMX;
1132 case 0x05: /* ILMI */
1133 pseudo_header->atm.aal = AAL_5;
1134 pseudo_header->atm.type = TRAF_ILMI;
1137 case 0x06: /* Q.2931 */
1138 pseudo_header->atm.aal = AAL_SIGNALLING;
1139 pseudo_header->atm.type = TRAF_UNKNOWN;
1142 case 0x03: /* MARS (RFC 2022) */
1143 pseudo_header->atm.aal = AAL_5;
1144 pseudo_header->atm.type = TRAF_UNKNOWN;
1147 case 0x04: /* IFMP (Ipsilon Flow Management Protocol; see RFC 1954) */
1148 pseudo_header->atm.aal = AAL_5;
1149 pseudo_header->atm.type = TRAF_UNKNOWN; /* XXX - TRAF_IPSILON? */
1154 * Assume it's AAL5, unless it's VPI 0 and VCI 5, in which
1155 * case assume it's AAL_SIGNALLING; we know nothing more
1158 * XXX - is this necessary? Or are we guaranteed that
1159 * all signalling traffic has a type of 0x06?
1161 * XXX - is this guaranteed to be AAL5? Or, if the type is
1162 * 0x00 ("raw"), might it be non-AAL5 traffic?
1164 if (vpi == 0 && vci == 5)
1165 pseudo_header->atm.aal = AAL_SIGNALLING;
1167 pseudo_header->atm.aal = AAL_5;
1168 pseudo_header->atm.type = TRAF_UNKNOWN;
1171 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1173 pseudo_header->atm.vpi = vpi;
1174 pseudo_header->atm.vci = vci;
1175 pseudo_header->atm.channel = (atm_phdr->flags & 0x80) ? 0 : 1;
1177 /* We don't have this information */
1178 pseudo_header->atm.flags = 0;
1179 pseudo_header->atm.cells = 0;
1180 pseudo_header->atm.aal5t_u2u = 0;
1181 pseudo_header->atm.aal5t_len = 0;
1182 pseudo_header->atm.aal5t_chksum = 0;
1186 libpcap_read_atm_pseudoheader(FILE_T fh, union wtap_pseudo_header *pseudo_header,
1189 struct sunatm_hdr atm_phdr;
1192 errno = WTAP_ERR_CANT_READ;
1193 bytes_read = file_read(&atm_phdr, 1, sizeof (struct sunatm_hdr), fh);
1194 if (bytes_read != sizeof (struct sunatm_hdr)) {
1195 *err = file_error(fh);
1197 *err = WTAP_ERR_SHORT_READ;
1201 libpcap_get_atm_pseudoheader(&atm_phdr, pseudo_header);
1207 libpcap_read_rec_data(FILE_T fh, guchar *pd, int length, int *err)
1211 errno = WTAP_ERR_CANT_READ;
1212 bytes_read = file_read(pd, 1, length, fh);
1214 if (bytes_read != length) {
1215 *err = file_error(fh);
1217 *err = WTAP_ERR_SHORT_READ;
1224 libpcap_close(wtap *wth)
1226 g_free(wth->capture.pcap);
1229 static int wtap_wtap_encap_to_pcap_encap(int encap)
1235 case WTAP_ENCAP_FDDI:
1236 case WTAP_ENCAP_FDDI_BITSWAPPED:
1238 * Special-case WTAP_ENCAP_FDDI and
1239 * WTAP_ENCAP_FDDI_BITSWAPPED; both of them get mapped
1240 * to DLT_FDDI (even though that may mean that the bit
1241 * order in the FDDI MAC addresses is wrong; so it goes
1242 * - libpcap format doesn't record the byte order,
1243 * so that's not fixable).
1245 return 10; /* that's DLT_FDDI */
1247 case WTAP_ENCAP_PPP_WITH_PHDR:
1249 * Also special-case PPP and Frame Relay with direction
1250 * bits; map them to PPP and Frame Relay, even though
1251 * that means that the direction of the packet is lost.
1255 case WTAP_ENCAP_FRELAY_WITH_PHDR:
1259 for (i = 0; i < NUM_PCAP_ENCAPS; i++) {
1260 if (pcap_to_wtap_map[i].wtap_encap_value == encap)
1261 return pcap_to_wtap_map[i].dlt_value;
1268 * Given a Wiretap encapsulation type, and raw packet data and the packet
1269 * header from libpcap, process any pseudo-header in the packet,
1270 * fill in the Wiretap packet header, and return a pointer to the
1271 * beginning of the non-pseudo-header data in the packet.
1274 wtap_process_pcap_packet(gint linktype, const struct pcap_pkthdr *phdr,
1275 const guchar *pd, union wtap_pseudo_header *pseudo_header,
1276 struct wtap_pkthdr *whdr, int *err)
1278 /* "phdr->ts" may not necessarily be a "struct timeval" - it may
1279 be a "struct bpf_timeval", with member sizes wired to 32
1280 bits - and we may go that way ourselves in the future, so
1281 copy the members individually. */
1282 whdr->ts.tv_sec = phdr->ts.tv_sec;
1283 whdr->ts.tv_usec = phdr->ts.tv_usec;
1284 whdr->caplen = phdr->caplen;
1285 whdr->len = phdr->len;
1286 whdr->pkt_encap = linktype;
1289 * If this is an ATM packet, the first four bytes are the
1290 * direction of the packet (transmit/receive), the VPI, and
1291 * the VCI; read them and generate the pseudo-header from
1294 if (linktype == WTAP_ENCAP_ATM_PDUS) {
1295 if (whdr->caplen < sizeof (struct sunatm_hdr)) {
1297 * Uh-oh, the packet isn't big enough to even
1298 * have a pseudo-header.
1300 g_message("libpcap: SunATM capture has a %u-byte packet, too small to have even an ATM pseudo-header\n",
1302 *err = WTAP_ERR_BAD_RECORD;
1305 libpcap_get_atm_pseudoheader((const struct sunatm_hdr *)pd,
1309 * Don't count the pseudo-header as part of the packet.
1311 whdr->len -= sizeof (struct sunatm_hdr);
1312 whdr->caplen -= sizeof (struct sunatm_hdr);
1313 pd += sizeof (struct sunatm_hdr);
1316 * If this is ATM LANE traffic, try to guess what type of
1317 * LANE traffic it is based on the packet contents.
1319 if (pseudo_header->atm.type == TRAF_LANE)
1320 atm_guess_lane_type(pd, whdr->caplen, pseudo_header);
1326 /* Returns 0 if we could write the specified encapsulation type,
1327 an error indication otherwise. */
1328 int libpcap_dump_can_write_encap(int encap)
1330 /* Per-packet encapsulations aren't supported. */
1331 if (encap == WTAP_ENCAP_PER_PACKET)
1332 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
1334 if (wtap_wtap_encap_to_pcap_encap(encap) == -1)
1335 return WTAP_ERR_UNSUPPORTED_ENCAP;
1340 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
1342 gboolean libpcap_dump_open(wtap_dumper *wdh, gboolean cant_seek _U_, int *err)
1345 struct pcap_hdr file_hdr;
1348 /* This is a libpcap file */
1349 wdh->subtype_write = libpcap_dump;
1350 wdh->subtype_close = NULL;
1352 /* Write the file header. */
1353 switch (wdh->file_type) {
1355 case WTAP_FILE_PCAP:
1356 case WTAP_FILE_PCAP_SS990417: /* modified, but with the old magic, sigh */
1357 case WTAP_FILE_PCAP_NOKIA: /* Nokia libpcap of some sort */
1361 case WTAP_FILE_PCAP_SS990915: /* new magic, extra crap */
1362 case WTAP_FILE_PCAP_SS991029:
1363 magic = PCAP_MODIFIED_MAGIC;
1367 /* We should never get here - our open routine
1368 should only get called for the types above. */
1369 *err = WTAP_ERR_UNSUPPORTED_FILE_TYPE;
1373 nwritten = fwrite(&magic, 1, sizeof magic, wdh->fh);
1374 if (nwritten != sizeof magic) {
1375 if (nwritten == 0 && ferror(wdh->fh))
1378 *err = WTAP_ERR_SHORT_WRITE;
1381 wdh->bytes_dumped += sizeof magic;
1383 /* current "libpcap" format is 2.4 */
1384 file_hdr.version_major = 2;
1385 file_hdr.version_minor = 4;
1386 file_hdr.thiszone = 0; /* XXX - current offset? */
1387 file_hdr.sigfigs = 0; /* unknown, but also apparently unused */
1389 * Tcpdump cannot handle capture files with a snapshot length of 0,
1390 * as BPF filters return either 0 if they fail or the snapshot length
1391 * if they succeed, and a snapshot length of 0 means success is
1392 * indistinguishable from failure and the filter expression would
1393 * reject all packets.
1395 * A snapshot length of 0, inside Wiretap, means "snapshot length
1396 * unknown"; if the snapshot length supplied to us is 0, we make
1397 * the snapshot length in the header file WTAP_MAX_PACKET_SIZE.
1399 file_hdr.snaplen = (wdh->snaplen != 0) ? wdh->snaplen :
1400 WTAP_MAX_PACKET_SIZE;
1401 file_hdr.network = wtap_wtap_encap_to_pcap_encap(wdh->encap);
1402 nwritten = fwrite(&file_hdr, 1, sizeof file_hdr, wdh->fh);
1403 if (nwritten != sizeof file_hdr) {
1404 if (nwritten == 0 && ferror(wdh->fh))
1407 *err = WTAP_ERR_SHORT_WRITE;
1410 wdh->bytes_dumped += sizeof file_hdr;
1415 /* Write a record for a packet to a dump file.
1416 Returns TRUE on success, FALSE on failure. */
1417 static gboolean libpcap_dump(wtap_dumper *wdh,
1418 const struct wtap_pkthdr *phdr,
1419 const union wtap_pseudo_header *pseudo_header _U_,
1420 const guchar *pd, int *err)
1422 struct pcaprec_ss990915_hdr rec_hdr;
1425 struct sunatm_hdr atm_hdr;
1428 if (wdh->encap == WTAP_ENCAP_ATM_PDUS)
1429 atm_hdrsize = sizeof (struct sunatm_hdr);
1433 rec_hdr.hdr.ts_sec = phdr->ts.tv_sec;
1434 rec_hdr.hdr.ts_usec = phdr->ts.tv_usec;
1435 rec_hdr.hdr.incl_len = phdr->caplen + atm_hdrsize;
1436 rec_hdr.hdr.orig_len = phdr->len + atm_hdrsize;
1437 switch (wdh->file_type) {
1439 case WTAP_FILE_PCAP:
1440 hdr_size = sizeof (struct pcaprec_hdr);
1443 case WTAP_FILE_PCAP_SS990417: /* modified, but with the old magic, sigh */
1444 case WTAP_FILE_PCAP_SS991029:
1445 /* XXX - what should we supply here?
1447 Alexey's "libpcap" looks up the interface in the system's
1448 interface list if "ifindex" is non-zero, and prints
1449 the interface name. It ignores "protocol", and uses
1450 "pkt_type" to tag the packet as "host", "broadcast",
1451 "multicast", "other host", "outgoing", or "none of the
1452 above", but that's it.
1454 If the capture we're writing isn't a modified or
1455 RH 6.1 capture, we'd have to do some work to
1456 generate the packet type and interface index - and
1457 we can't generate the interface index unless we
1458 just did the capture ourselves in any case.
1460 I'm inclined to continue to punt; systems other than
1461 those with the older patch can read standard "libpcap"
1462 files, and systems with the older patch, e.g. RH 6.1,
1463 will just have to live with this. */
1464 rec_hdr.ifindex = 0;
1465 rec_hdr.protocol = 0;
1466 rec_hdr.pkt_type = 0;
1467 hdr_size = sizeof (struct pcaprec_modified_hdr);
1470 case WTAP_FILE_PCAP_SS990915: /* new magic, extra crap at the end */
1471 rec_hdr.ifindex = 0;
1472 rec_hdr.protocol = 0;
1473 rec_hdr.pkt_type = 0;
1476 hdr_size = sizeof (struct pcaprec_ss990915_hdr);
1479 case WTAP_FILE_PCAP_NOKIA: /* old magic, extra crap at the end */
1480 rec_hdr.ifindex = 0;
1481 rec_hdr.protocol = 0;
1482 rec_hdr.pkt_type = 0;
1485 hdr_size = sizeof (struct pcaprec_nokia_hdr);
1489 /* We should never get here - our open routine
1490 should only get called for the types above. */
1491 g_assert_not_reached();
1492 *err = WTAP_ERR_UNSUPPORTED_FILE_TYPE;
1496 nwritten = fwrite(&rec_hdr, 1, hdr_size, wdh->fh);
1497 if (nwritten != hdr_size) {
1498 if (nwritten == 0 && ferror(wdh->fh))
1501 *err = WTAP_ERR_SHORT_WRITE;
1504 wdh->bytes_dumped += hdr_size;
1506 if (wdh->encap == WTAP_ENCAP_ATM_PDUS) {
1508 * Write the ATM header.
1511 (pseudo_header->atm.channel == 0) ? 0x80 : 0x00;
1512 switch (pseudo_header->atm.aal) {
1514 case AAL_SIGNALLING:
1516 atm_hdr.flags |= 0x06;
1520 switch (pseudo_header->atm.type) {
1524 atm_hdr.flags |= 0x01;
1528 /* RFC 1483 LLC multiplexed traffic */
1529 atm_hdr.flags |= 0x02;
1534 atm_hdr.flags |= 0x05;
1539 atm_hdr.vpi = pseudo_header->atm.vpi;
1540 atm_hdr.vci = phtons(&pseudo_header->atm.vci);
1541 nwritten = fwrite(&atm_hdr, 1, sizeof atm_hdr, wdh->fh);
1542 if (nwritten != sizeof atm_hdr) {
1543 if (nwritten == 0 && ferror(wdh->fh))
1546 *err = WTAP_ERR_SHORT_WRITE;
1549 wdh->bytes_dumped += sizeof atm_hdr;
1552 nwritten = fwrite(pd, 1, phdr->caplen, wdh->fh);
1553 if (nwritten != phdr->caplen) {
1554 if (nwritten == 0 && ferror(wdh->fh))
1557 *err = WTAP_ERR_SHORT_WRITE;
1560 wdh->bytes_dumped += phdr->caplen;
git.samba.org / obnox / wireshark / wip.git / blob