6 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
35 #include "file_wrappers.h"
41 # ifdef HAVE_SYS_TYPES_H
42 # include <sys/types.h>
44 #include "wtap-capture.h"
48 * The link-layer header on SunATM packets.
51 guint8 flags; /* destination and traffic type */
53 guint16 vci; /* VCI */
57 * The link-layer header on Nokia IPSO ATM packets.
60 guint8 flags; /* destination */
62 guint16 vci; /* VCI */
66 * The fake link-layer header of IrDA packets as introduced by Jean Tourrilhes
70 guint16 sll_pkttype; /* packet type */
71 guint8 unused[12]; /* usused SLL header fields */
72 guint16 sll_protocol; /* protocol, should be 0x0017 */
76 * A header containing additional MTP information.
84 /* See source to the "libpcap" library for information on the "libpcap"
87 /* On some systems, the FDDI MAC addresses are bit-swapped. */
88 #if !defined(ultrix) && !defined(__alpha) && !defined(__bsdi__)
89 #define BIT_SWAPPED_MAC_ADDRS
92 /* Try to read the first two records of the capture file. */
94 THIS_FORMAT, /* the reads succeeded, assume it's this format */
95 BAD_READ, /* the file is probably not valid */
96 OTHER_FORMAT /* the file may be valid, but not in this format */
98 static libpcap_try_t libpcap_try(wtap *wth, int *err);
100 static gboolean libpcap_read(wtap *wth, int *err, gchar **err_info,
102 static gboolean libpcap_seek_read(wtap *wth, long seek_off,
103 union wtap_pseudo_header *pseudo_header, guchar *pd, int length,
104 int *err, gchar **err_info);
105 static int libpcap_read_header(wtap *wth, int *err, gchar **err_info,
106 struct pcaprec_ss990915_hdr *hdr);
107 static void adjust_header(wtap *wth, struct pcaprec_hdr *hdr);
108 static void libpcap_get_sunatm_pseudoheader(const struct sunatm_hdr *atm_phdr,
109 union wtap_pseudo_header *pseudo_header);
110 static gboolean libpcap_read_sunatm_pseudoheader(FILE_T fh,
111 union wtap_pseudo_header *pseudo_header, int *err);
112 static gboolean libpcap_read_nokiaatm_pseudoheader(FILE_T fh,
113 union wtap_pseudo_header *pseudo_header, int *err);
114 static gboolean libpcap_get_irda_pseudoheader(const struct irda_sll_hdr *irda_phdr,
115 union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info);
116 static gboolean libpcap_read_irda_pseudoheader(FILE_T fh,
117 union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info);
118 static gboolean libpcap_get_mtp2_pseudoheader(const struct mtp2_hdr *mtp2_hdr,
119 union wtap_pseudo_header *pseudo_header);
120 static gboolean libpcap_read_mtp2_pseudoheader(FILE_T fh,
121 union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info);
122 static gboolean libpcap_read_rec_data(FILE_T fh, guchar *pd, int length,
124 static void libpcap_close(wtap *wth);
125 static gboolean libpcap_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
126 const union wtap_pseudo_header *pseudo_header, const guchar *pd, int *err);
129 * Either LBL NRG wasn't an adequate central registry (e.g., because of
130 * the slow rate of releases from them), or nobody bothered using them
131 * as a central registry, as many different groups have patched libpcap
132 * (and BPF, on the BSDs) to add new encapsulation types, and have ended
133 * up using the same DLT_ values for different encapsulation types.
135 * For those numerical encapsulation type values that everybody uses for
136 * the same encapsulation type (which inclues those that some platforms
137 * specify different DLT_ names for but don't appear to use), we map
138 * those values to the appropriate Wiretap values.
140 * For those numerical encapsulation type values that different libpcap
141 * variants use for different encapsulation types, we check what
142 * <pcap.h> defined to determine how to interpret them, so that we
143 * interpret them the way the libpcap with which we're building
144 * Ethereal/Wiretap interprets them (which, if it doesn't support
145 * them at all, means we don't support them either - any capture files
146 * using them are foreign, and we don't hazard a guess as to which
147 * platform they came from; we could, I guess, choose the most likely
150 * Note: if you need a new encapsulation type for libpcap files, do
151 * *N*O*T* use *ANY* of the values listed here! I.e., do *NOT*
152 * add a new encapsulation type by changing an existing entry;
153 * leave the existing entries alone.
155 * Instead, send mail to tcpdump-workers@tcpdump.org, asking for a new
156 * DLT_ value, and specifying the purpose of the new value. When you
157 * get the new DLT_ value, use that numerical value in the "dlt_value"
158 * field of "pcap_to_wtap_map[]".
161 static const struct {
163 int wtap_encap_value;
164 } pcap_to_wtap_map[] = {
166 * These are the values that are almost certainly the same
167 * in all libpcaps (I've yet to find one where the values
168 * in question are used for some purpose other than the
169 * one below, but...), and that Wiretap and Ethereal
172 { 0, WTAP_ENCAP_NULL }, /* null encapsulation */
173 { 1, WTAP_ENCAP_ETHERNET },
174 { 6, WTAP_ENCAP_TOKEN_RING }, /* IEEE 802 Networks - assume token ring */
175 { 7, WTAP_ENCAP_ARCNET },
176 { 8, WTAP_ENCAP_SLIP },
177 { 9, WTAP_ENCAP_PPP },
178 #ifdef BIT_SWAPPED_MAC_ADDRS
179 { 10, WTAP_ENCAP_FDDI_BITSWAPPED },
181 { 10, WTAP_ENCAP_FDDI },
184 { 32, WTAP_ENCAP_REDBACK },
187 * 50 is DLT_PPP_SERIAL in NetBSD; it appears that DLT_PPP
188 * on BSD (at least according to standard tcpdump) has, as
189 * the first octet, an indication of whether the packet was
190 * transmitted or received (rather than having the standard
191 * PPP address value of 0xff), but that DLT_PPP_SERIAL puts
192 * a real live PPP header there, or perhaps a Cisco PPP header
193 * as per section 4.3.1 of RFC 1547 (implementations of this
194 * exist in various BSDs in "sys/net/if_spppsubr.c", and
195 * I think also exist either in standard Linux or in
196 * various Linux patches; the implementations show how to handle
197 * Cisco keepalive packets).
199 * However, I don't see any obvious place in FreeBSD "if_ppp.c"
200 * where anything other than the standard PPP header would be
201 * passed up. I see some stuff that sets the first octet
202 * to 0 for incoming and 1 for outgoing packets before applying
203 * a BPF filter to see whether to drop packets whose protocol
204 * field has the 0x8000 bit set, i.e. network control protocols -
205 * those are handed up to userland - but that code puts the
206 * address field back before passing the packet up.
208 * I also don't see anything immediately obvious that munges
209 * the address field for sync PPP, either.
211 * Ethereal currently assumes that if the first octet of a
212 * PPP frame is 0xFF, it's the address field and is followed
213 * by a control field and a 2-byte protocol, otherwise the
214 * address and control fields are absent and the frame begins
215 * with a protocol field. If we ever see a BSD/OS PPP
216 * capture, we'll have to handle it differently, and we may
217 * have to handle standard BSD captures differently if, in fact,
218 * they don't have 0xff 0x03 as the first two bytes - but, as per
219 * the two paragraphs preceding this, it's not clear that
220 * the address field *is* munged into an incoming/outgoing
221 * field when the packet is handed to the BPF device.
223 * For now, we just map DLT_PPP_SERIAL to WTAP_ENCAP_PPP, as
224 * we treat WTAP_ENCAP_PPP packets as if those beginning with
225 * 0xff have the standard RFC 1662 "PPP in HDLC-like Framing"
226 * 0xff 0x03 address/control header, and DLT_PPP_SERIAL frames
227 * appear to contain that unless they're Cisco frames (if we
228 * ever see a capture with them, we'd need to implement the
229 * RFC 1547 stuff, and the keepalive protocol stuff).
231 * We may have to distinguish between "PPP where if it doesn't
232 * begin with 0xff there's no HDLC encapsulation and the frame
233 * begins with the protocol field" (which is how we handle
234 * WTAP_ENCAP_PPP now) and "PPP where there's either HDLC
235 * encapsulation or Cisco PPP" (which is what DLT_PPP_SERIAL
238 * XXX - NetBSD has DLT_HDLC, which appears to be used for
239 * Cisco HDLC. Ideally, they should use DLT_PPP_SERIAL
240 * only for real live HDLC-encapsulated PPP, not for Cisco
243 { 50, WTAP_ENCAP_PPP },
246 * Apparently used by the Axent Raptor firewall (now Symantec
247 * Enterprise Firewall).
248 * Thanks, Axent, for not reserving that type with tcpdump.org
249 * and not telling anybody about it.
251 { 99, WTAP_ENCAP_SYMANTEC },
254 * These are the values that libpcap 0.5 and later use in
255 * capture file headers, in an attempt to work around the
256 * confusion decried above, and that Wiretap and Ethereal
259 { 100, WTAP_ENCAP_ATM_RFC1483 },
260 { 101, WTAP_ENCAP_RAW_IP },
263 * More values used by libpcap 0.5 as DLT_ values and used by the
264 * current CVS version of libpcap in capture file headers.
265 * They are not yet handled in Ethereal.
266 * If we get a capture that contains them, we'll implement them.
268 { 102, WTAP_ENCAP_SLIP_BSDOS },
269 { 103, WTAP_ENCAP_PPP_BSDOS },
273 * These ones are handled in Ethereal, though.
275 { 104, WTAP_ENCAP_CHDLC }, /* Cisco HDLC */
276 { 105, WTAP_ENCAP_IEEE_802_11 }, /* IEEE 802.11 */
277 { 106, WTAP_ENCAP_LINUX_ATM_CLIP },
278 { 107, WTAP_ENCAP_FRELAY }, /* Frame Relay */
279 { 108, WTAP_ENCAP_NULL }, /* OpenBSD loopback */
280 { 109, WTAP_ENCAP_ENC }, /* OpenBSD IPSEC enc */
282 { 110, WTAP_ENCAP_LANE_802_3 },/* ATM LANE 802.3 */
283 { 111, WTAP_ENCAP_HIPPI }, /* NetBSD HIPPI */
285 { 112, WTAP_ENCAP_CHDLC }, /* NetBSD HDLC framing */
288 * Linux "cooked mode" captures, used by the current CVS version
291 { 113, WTAP_ENCAP_SLL }, /* Linux cooked capture */
293 { 114, WTAP_ENCAP_LOCALTALK }, /* Localtalk */
296 * The tcpdump.org version of libpcap uses 117, rather than 17,
297 * for OpenBSD packet filter logging, so as to avoid conflicting
298 * with DLT_LANE8023 in SuSE 6.3 libpcap.
300 { 117, WTAP_ENCAP_PFLOG },
302 { 118, WTAP_ENCAP_CISCO_IOS },
303 { 119, WTAP_ENCAP_PRISM_HEADER }, /* Prism monitor mode hdr */
304 { 121, WTAP_ENCAP_HHDLC }, /* HiPath HDLC */
305 { 122, WTAP_ENCAP_IP_OVER_FC }, /* RFC 2625 IP-over-FC */
306 { 123, WTAP_ENCAP_ATM_PDUS }, /* SunATM */
307 { 127, WTAP_ENCAP_IEEE_802_11_WLAN_RADIOTAP }, /* 802.11 plus radiotap WLAN header */
308 { 128, WTAP_ENCAP_TZSP }, /* Tazmen Sniffer Protocol */
309 { 129, WTAP_ENCAP_ARCNET_LINUX },
310 { 130, WTAP_ENCAP_JUNIPER_MLPPP }, /* Juniper MLPPP on ML-, LS-, AS- PICs */
311 { 131, WTAP_ENCAP_JUNIPER_MLFR }, /* Juniper MLFR (FRF.15) on ML-, LS-, AS- PICs */
313 * Values 132-134, 136 not listed here are reserved for use
314 * in Juniper hardware.
316 { 135, WTAP_ENCAP_JUNIPER_ATM2 }, /* various encapsulations captured on the ATM2 PIC */
317 { 137, WTAP_ENCAP_JUNIPER_ATM1 }, /* various encapsulations captured on the ATM1 PIC */
319 { 138, WTAP_ENCAP_APPLE_IP_OVER_IEEE1394 },
320 /* Apple IP-over-IEEE 1394 */
322 { 139, WTAP_ENCAP_MTP2_WITH_PHDR },
323 { 140, WTAP_ENCAP_MTP2 },
324 { 141, WTAP_ENCAP_MTP3 },
325 { 143, WTAP_ENCAP_DOCSIS },
326 { 144, WTAP_ENCAP_IRDA }, /* IrDA capture */
328 /* Reserved for private use. */
329 { 147, WTAP_ENCAP_USER0 },
330 { 148, WTAP_ENCAP_USER1 },
331 { 149, WTAP_ENCAP_USER2 },
332 { 150, WTAP_ENCAP_USER3 },
333 { 151, WTAP_ENCAP_USER4 },
334 { 152, WTAP_ENCAP_USER5 },
335 { 153, WTAP_ENCAP_USER6 },
336 { 154, WTAP_ENCAP_USER7 },
337 { 155, WTAP_ENCAP_USER8 },
338 { 156, WTAP_ENCAP_USER9 },
339 { 157, WTAP_ENCAP_USER10 },
340 { 158, WTAP_ENCAP_USER11 },
341 { 159, WTAP_ENCAP_USER12 },
342 { 160, WTAP_ENCAP_USER13 },
343 { 161, WTAP_ENCAP_USER14 },
344 { 162, WTAP_ENCAP_USER15 },
346 { 163, WTAP_ENCAP_IEEE_802_11_WLAN_AVS }, /* 802.11 plus AVS WLAN header */
349 * 164 is reserved for Juniper-private chassis-internal
350 * meta-information such as QoS profiles, etc..
353 { 165, WTAP_ENCAP_BACNET_MS_TP },
356 * 166 is reserved for a PPP variant in which the first byte
357 * of the 0xff03 header, the 0xff, is replaced by a direction
358 * byte. I don't know whether any captures look like that,
359 * but it is used for some Linux IP filtering (ipfilter?).
362 /* Ethernet PPPoE frames captured on a service PIC */
363 { 167, WTAP_ENCAP_JUNIPER_PPPOE },
366 * 168 is reserved for more Juniper private-chassis-
367 * internal meta-information.
370 { 169, WTAP_ENCAP_GPRS_LLC },
373 * 170 and 171 are reserved for ITU-T G.7041/Y.1303 Generic
377 /* Registered by Gcom, Inc. */
378 { 172, WTAP_GCOM_TIE1 },
379 { 173, WTAP_GCOM_SERIAL },
384 * If you need a new encapsulation type for libpcap files, do
385 * *N*O*T* use *ANY* of the values listed here! I.e., do *NOT*
386 * add a new encapsulation type by changing an existing entry;
387 * leave the existing entries alone.
389 * Instead, send mail to tcpdump-workers@tcpdump.org, asking for
390 * a new DLT_ value, and specifying the purpose of the new value.
391 * When you get the new DLT_ value, use that numerical value in
392 * the "dlt_value" field of "pcap_to_wtap_map[]".
396 * The following are entries for libpcap type values that have
397 * different meanings on different OSes.
399 * We put these *after* the entries for the platform-independent
400 * libpcap type values for those Wiretap encapsulation types, so
401 * that Ethereal chooses the platform-independent libpcap type
402 * value for those encapsulatioin types, not the platform-dependent
407 * 11 is DLT_ATM_RFC1483 on most platforms; the only libpcaps I've
408 * seen that define anything other than DLT_ATM_RFC1483 as 11 are
409 * the BSD/OS one, which defines DLT_FR as 11, and libpcap 0.5,
410 * which define it as 100, mapping the kernel's value to 100, in
411 * an attempt to hide the different values used on different
414 * If this is a platform where DLT_FR is defined as 11, we
415 * don't handle 11 at all; otherwise, we handle it as
416 * DLT_ATM_RFC1483 (this means we'd misinterpret Frame Relay
417 * captures from BSD/OS if running on platforms other than BSD/OS,
420 * 1) we don't yet support DLT_FR
424 * 2) nothing short of a heuristic would let us interpret
427 #if defined(DLT_FR) && (DLT_FR == 11)
428 { 11, WTAP_ENCAP_FRELAY },
430 { 11, WTAP_ENCAP_ATM_RFC1483 },
434 * 12 is DLT_RAW on most platforms, but it's DLT_C_HDLC on
435 * BSD/OS, and DLT_LOOP on OpenBSD.
437 * We don't yet handle DLT_C_HDLC, but we can handle DLT_LOOP
438 * (it's just like DLT_NULL, only with the AF_ value in network
439 * rather than host byte order - Ethereal figures out the
440 * byte order from the data, so we don't care what byte order
441 * it's in), so if DLT_LOOP is defined as 12, interpret 12
442 * as WTAP_ENCAP_NULL, otherwise, unless DLT_C_HDLC is defined
443 * as 12, interpret it as WTAP_ENCAP_RAW_IP.
445 #if defined(DLT_LOOP) && (DLT_LOOP == 12)
446 { 12, WTAP_ENCAP_NULL },
447 #elif defined(DLT_C_HDLC) && (DLT_C_HDLC == 12)
449 * Put entry for Cisco HDLC here.
450 * XXX - is this just WTAP_ENCAP_CHDLC, i.e. does the frame
451 * start with a 4-byte Cisco HDLC header?
454 { 12, WTAP_ENCAP_RAW_IP },
458 * 13 is DLT_SLIP_BSDOS on FreeBSD and NetBSD, but those OSes
459 * don't actually generate it. I infer that BSD/OS translates
460 * DLT_SLIP from the kernel BPF code to DLT_SLIP_BSDOS in
461 * libpcap, as the BSD/OS link-layer header is different;
462 * however, in BSD/OS, DLT_SLIP_BSDOS is 15.
464 * From this, I infer that there's no point in handling 13
467 * 13 is DLT_ATM_RFC1483 on BSD/OS.
469 * 13 is DLT_ENC in OpenBSD, which is, I suspect, some kind
470 * of decrypted IPSEC traffic.
472 #if defined(DLT_ATM_RFC1483) && (DLT_ATM_RFC1483 == 13)
473 { 13, WTAP_ENCAP_ATM_RFC1483 },
474 #elif defined(DLT_ENC) && (DLT_ENC == 13)
475 { 13, WTAP_ENCAP_ENC },
479 * 14 is DLT_PPP_BSDOS on FreeBSD and NetBSD, but those OSes
480 * don't actually generate it. I infer that BSD/OS translates
481 * DLT_PPP from the kernel BPF code to DLT_PPP_BSDOS in
482 * libpcap, as the BSD/OS link-layer header is different;
483 * however, in BSD/OS, DLT_PPP_BSDOS is 16.
485 * From this, I infer that there's no point in handling 14
488 * 14 is DLT_RAW on BSD/OS and OpenBSD.
490 { 14, WTAP_ENCAP_RAW_IP },
495 * DLT_SLIP_BSDOS on BSD/OS;
497 * DLT_HIPPI on NetBSD;
499 * DLT_LANE8023 with Alexey Kuznetzov's patches for
502 * DLT_I4L_RAWIP with the ISDN4Linux patches for libpcap
505 * but we don't currently handle any of those.
511 * DLT_PPP_BSDOS on BSD/OS;
513 * DLT_HDLC on NetBSD (Cisco HDLC);
515 * DLT_CIP with Alexey Kuznetzov's patches for
516 * Linux libpcap - this is WTAP_ENCAP_LINUX_ATM_CLIP;
518 * DLT_I4L_IP with the ISDN4Linux patches for libpcap
521 #if defined(DLT_CIP) && (DLT_CIP == 16)
522 { 16, WTAP_ENCAP_LINUX_ATM_CLIP },
524 #if defined(DLT_HDLC) && (DLT_HDLC == 16)
525 { 16, WTAP_ENCAP_CHDLC },
529 * 17 is DLT_LANE8023 in SuSE 6.3 libpcap; we don't currently
531 * It is also used as the PF (Packet Filter) logging format beginning
532 * with OpenBSD 3.0; we use 17 for PF logs unless DLT_LANE8023 is
533 * defined with the value 17.
535 #if !defined(DLT_LANE8023) || (DLT_LANE8023 != 17)
536 { 17, WTAP_ENCAP_OLD_PFLOG },
540 * 18 is DLT_CIP in SuSE 6.3 libpcap; if it's the same as the
541 * DLT_CIP of 16 that the Alexey Kuznetzov patches for
542 * libpcap/tcpdump define, it's WTAP_ENCAP_LINUX_ATM_CLIP.
543 * I've not found any libpcap that uses it for any other purpose -
544 * hopefully nobody will do so in the future.
546 { 18, WTAP_ENCAP_LINUX_ATM_CLIP },
549 * 19 is DLT_ATM_CLIP in the libpcap/tcpdump patches in the
550 * recent versions I've seen of the Linux ATM distribution;
551 * I've not yet found any libpcap that uses it for any other
552 * purpose - hopefully nobody will do so in the future.
554 { 19, WTAP_ENCAP_LINUX_ATM_CLIP },
557 * nettl (HP-UX) mappings to standard DLT values
560 { 1, WTAP_ENCAP_NETTL_ETHERNET },
561 { 6, WTAP_ENCAP_NETTL_TOKEN_RING },
562 { 10, WTAP_ENCAP_NETTL_FDDI },
563 { 101, WTAP_ENCAP_NETTL_RAW_IP },
568 * If you need a new encapsulation type for libpcap files, do
569 * *N*O*T* use *ANY* of the values listed here! I.e., do *NOT*
570 * add a new encapsulation type by changing an existing entry;
571 * leave the existing entries alone.
573 * Instead, send mail to tcpdump-workers@tcpdump.org, asking for
574 * a new DLT_ value, and specifying the purpose of the new value.
575 * When you get the new DLT_ value, use that numerical value in
576 * the "dlt_value" field of "pcap_to_wtap_map[]".
580 #define NUM_PCAP_ENCAPS (sizeof pcap_to_wtap_map / sizeof pcap_to_wtap_map[0])
582 int wtap_pcap_encap_to_wtap_encap(int encap)
586 for (i = 0; i < NUM_PCAP_ENCAPS; i++) {
587 if (pcap_to_wtap_map[i].dlt_value == encap)
588 return pcap_to_wtap_map[i].wtap_encap_value;
590 return WTAP_ENCAP_UNKNOWN;
594 int libpcap_open(wtap *wth, int *err, gchar **err_info)
599 gboolean byte_swapped;
605 /* XXX - this must be done depending on the magic number */
606 /*wth->tsrecision = WTAP_FILE_TSPREC_NSEC;*/
608 /* Read in the number that should be at the start of a "libpcap" file */
609 errno = WTAP_ERR_CANT_READ;
610 bytes_read = file_read(&magic, 1, sizeof magic, wth->fh);
611 if (bytes_read != sizeof magic) {
612 *err = file_error(wth->fh);
617 wth->data_offset += sizeof magic;
622 /* Host that wrote it has our byte order, and was running
623 a program using either standard or ss990417 libpcap. */
624 byte_swapped = FALSE;
628 case PCAP_MODIFIED_MAGIC:
629 /* Host that wrote it has our byte order, and was running
630 a program using either ss990915 or ss991029 libpcap. */
631 byte_swapped = FALSE;
635 case PCAP_SWAPPED_MAGIC:
636 /* Host that wrote it has a byte order opposite to ours,
637 and was running a program using either standard or
643 case PCAP_SWAPPED_MODIFIED_MAGIC:
644 /* Host that wrote it out has a byte order opposite to
645 ours, and was running a program using either ss990915
646 or ss991029 libpcap. */
652 /* Not a "libpcap" type we know about. */
656 /* Read the rest of the header. */
657 errno = WTAP_ERR_CANT_READ;
658 bytes_read = file_read(&hdr, 1, sizeof hdr, wth->fh);
659 if (bytes_read != sizeof hdr) {
660 *err = file_error(wth->fh);
665 wth->data_offset += sizeof hdr;
668 /* Byte-swap the header fields about which we care. */
669 hdr.version_major = BSWAP16(hdr.version_major);
670 hdr.version_minor = BSWAP16(hdr.version_minor);
671 hdr.snaplen = BSWAP32(hdr.snaplen);
672 hdr.network = BSWAP32(hdr.network);
674 if (hdr.version_major < 2) {
675 /* We only support version 2.0 and later. */
676 *err = WTAP_ERR_UNSUPPORTED;
677 *err_info = g_strdup_printf("pcap: major version %u unsupported",
683 * AIX's non-standard tcpdump uses a minor version number of 2.
684 * Unfortunately, older versions of libpcap might have used
687 * The AIX libpcap uses RFC 1573 ifType values rather than
688 * DLT_ values in the header; the ifType values for LAN devices
695 * which correspond to DLT_IEEE802 (used for Token Ring),
696 * DLT_PPP, and DLT_SLIP_BSDOS, respectively. The ifType value
697 * for a loopback interface is 24, which currently isn't
698 * used by any version of libpcap I know about (and, as
699 * tcpdump.org are assigning DLT_ values above 100, and
700 * NetBSD started assigning values starting at 50, and
701 * the values chosen by other libpcaps appear to stop at
702 * 19, it's probably not going to be used by any libpcap
705 * We shall assume that if the minor version number is 2, and
706 * the network type is 6, 9, 15, or 24, that it's AIX libpcap.
708 * I'm assuming those older versions of libpcap didn't
709 * use DLT_IEEE802 for Token Ring, and didn't use DLT_SLIP_BSDOS
710 * as that came later. It may have used DLT_PPP, however, in
711 * which case we're out of luck; we assume it's Token Ring
712 * in AIX libpcap rather than PPP in standard libpcap, as
713 * you're probably more likely to be handing an AIX libpcap
714 * token-ring capture than an old (pre-libpcap 0.4) PPP capture
717 aix = FALSE; /* assume it's not AIX */
718 if (hdr.version_major == 2 && hdr.version_minor == 2) {
719 switch (hdr.network) {
722 hdr.network = 1; /* DLT_EN10MB, Ethernet */
727 hdr.network = 6; /* DLT_IEEE802, Token Ring */
732 hdr.network = 10; /* DLT_FDDI, FDDI */
737 hdr.network = 0; /* DLT_NULL, loopback */
744 * We treat a DLT_ value of 13 specially - it appears that in
745 * Nokia libpcap format, it's some form of ATM with what I
746 * suspect is a pseudo-header (even though Nokia's IPSO is
747 * based on FreeBSD, which #defines DLT_SLIP_BSDOS as 13).
749 * We don't yet know whether this is a Nokia capture, so if
750 * "wtap_pcap_encap_to_wtap_encap()" returned WTAP_ENCAP_UNKNOWN
751 * but "hdr.network" is 13, we don't treat that as an error yet.
753 file_encap = wtap_pcap_encap_to_wtap_encap(hdr.network);
754 if (file_encap == WTAP_ENCAP_UNKNOWN && hdr.network != 13) {
755 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
756 *err_info = g_strdup_printf("pcap: network type %u unknown or unsupported",
761 /* This is a libpcap file */
762 wth->capture.pcap = g_malloc(sizeof(libpcap_t));
763 wth->capture.pcap->byte_swapped = byte_swapped;
764 wth->capture.pcap->version_major = hdr.version_major;
765 wth->capture.pcap->version_minor = hdr.version_minor;
766 wth->subtype_read = libpcap_read;
767 wth->subtype_seek_read = libpcap_seek_read;
768 wth->subtype_close = libpcap_close;
769 wth->file_encap = file_encap;
770 wth->snapshot_length = hdr.snaplen;
772 /* In file format version 2.3, the order of the "incl_len" and
773 "orig_len" fields in the per-packet header was reversed,
774 in order to match the BPF header layout.
776 Therefore, in files with versions prior to that, we must swap
779 Unfortunately, some files were, according to a comment in the
780 "libpcap" source, written with version 2.3 in their headers
781 but without the interchanged fields, so if "incl_len" is
782 greater than "orig_len" - which would make no sense - we
783 assume that we need to swap them in version 2.3 files
786 In addition, DG/UX's tcpdump uses version 543.0, and writes
787 the two fields in the pre-2.3 order. */
788 switch (hdr.version_major) {
791 if (hdr.version_minor < 3)
792 wth->capture.pcap->lengths_swapped = SWAPPED;
793 else if (hdr.version_minor == 3)
794 wth->capture.pcap->lengths_swapped = MAYBE_SWAPPED;
796 wth->capture.pcap->lengths_swapped = NOT_SWAPPED;
800 wth->capture.pcap->lengths_swapped = SWAPPED;
804 wth->capture.pcap->lengths_swapped = NOT_SWAPPED;
809 * Is this AIX format?
813 * Yes. Skip all the tests for other mutant formats.
815 wth->file_type = WTAP_FILE_PCAP_AIX;
820 * No. Let's look at the header for the first record,
821 * and see if, interpreting it as a standard header (if the
822 * magic number was standard) or a modified header (if the
823 * magic number was modified), the position where it says the
824 * header for the *second* record is contains a corrupted header.
828 * If this file had the standard magic number, it may be
829 * an ss990417 capture file - in that version of Alexey's
830 * patch, the packet header format was changed but the
831 * magic number wasn't, and, alas, Red Hat appear to have
832 * picked up that version of the patch for RH 6.1, meaning
833 * RH 6.1 has a tcpdump that writes out files that can't
834 * be read by any software that expects non-modified headers
835 * if the magic number isn't the modified magic number (e.g.,
836 * any normal version of tcpdump, and Ethereal if we don't
837 * do this gross heuristic).
839 * If this file had the modified magic number, it may be
840 * an ss990915 capture file - in that version of Alexey's
841 * patch, the magic number was changed, but the record
842 * header had some extra fields, and, alas, SuSE appear
843 * to have picked up that version of the patch for SuSE
844 * 6.3, meaning that programs expecting the standard per-
845 * packet header in captures with the modified magic number
846 * can't read dumps from its tcpdump.
848 * Oh, and if it has the standard magic number, it might, instead,
849 * be a Nokia libpcap file, so we may need to try that if
850 * neither normal nor ss990417 headers work.
854 * Well, we have the magic number from Alexey's
857 * Try ss991029, the last of his patches, first.
859 wth->file_type = WTAP_FILE_PCAP_SS991029;
860 switch (libpcap_try(wth, err)) {
864 * Well, we couldn't even read it.
867 g_free(wth->capture.pcap);
872 * Well, it looks as if it might be 991029.
873 * Put the seek pointer back, and return success.
875 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
876 g_free(wth->capture.pcap);
883 * Try the next format.
889 * Well, it's not completely unreadable,
890 * but it's not ss991029. Try ss990915;
891 * there are no other types to try after that,
892 * so we put the seek pointer back and treat
895 wth->file_type = WTAP_FILE_PCAP_SS990915;
896 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
897 g_free(wth->capture.pcap);
902 * Well, we have the standard magic number.
904 * Try the standard format first.
906 wth->file_type = WTAP_FILE_PCAP;
907 switch (libpcap_try(wth, err)) {
911 * Well, we couldn't even read it.
914 g_free(wth->capture.pcap);
919 * Well, it looks as if it might be a standard
921 * Put the seek pointer back, and return success.
923 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
924 g_free(wth->capture.pcap);
931 * Try the next format.
937 * Well, it's not completely unreadable, but it's not
938 * a standard file. Put the seek pointer back and try
941 wth->file_type = WTAP_FILE_PCAP_SS990417;
942 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
943 g_free(wth->capture.pcap);
946 switch (libpcap_try(wth, err)) {
950 * Well, we couldn't even read it.
953 g_free(wth->capture.pcap);
958 * Well, it looks as if it might be ss990417.
959 * Put the seek pointer back, and return success.
961 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
962 g_free(wth->capture.pcap);
969 * Try the next format.
975 * Well, it's not completely unreadable,
976 * but it's not a standard file *nor* is it ss990417.
977 * Try it as a Nokia file; there are no other types
978 * to try after that, so we put the seek pointer back
979 * and treat it as a Nokia file.
981 wth->file_type = WTAP_FILE_PCAP_NOKIA;
982 if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
983 g_free(wth->capture.pcap);
988 if (hdr.network == 13) {
990 * OK, if this was a Nokia capture, make it
991 * WTAP_ENCAP_ATM_PDUS, otherwise return
994 if (wth->file_type == WTAP_FILE_PCAP_NOKIA)
995 wth->file_encap = WTAP_ENCAP_ATM_PDUS;
997 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
998 *err_info = g_strdup_printf("pcap: network type %u unknown or unsupported",
1000 g_free(wth->capture.pcap);
1008 /* Try to read the first two records of the capture file. */
1009 static libpcap_try_t libpcap_try(wtap *wth, int *err)
1012 * pcaprec_ss990915_hdr is the largest header type.
1014 struct pcaprec_ss990915_hdr first_rec_hdr, second_rec_hdr;
1017 * Attempt to read the first record's header.
1019 if (libpcap_read_header(wth, err, NULL, &first_rec_hdr) == -1) {
1020 if (*err == 0 || *err == WTAP_ERR_SHORT_READ) {
1022 * EOF or short read - assume the file is in this
1024 * When our client tries to read the first packet
1025 * they will presumably get the same EOF or short
1031 if (*err == WTAP_ERR_BAD_RECORD) {
1033 * The first record is bogus, so this is probably
1034 * a corrupt file. Assume the file is in this
1035 * format. When our client tries to read the
1036 * first packet they will presumably get the
1037 * same bogus record.
1043 * Some other error, e.g. an I/O error; just give up.
1049 * Now skip over the first record's data, under the assumption
1050 * that the header is sane.
1052 if (file_seek(wth->fh, first_rec_hdr.hdr.incl_len, SEEK_CUR, err) == -1)
1056 * Now attempt to read the second record's header.
1058 if (libpcap_read_header(wth, err, NULL, &second_rec_hdr) == -1) {
1059 if (*err == 0 || *err == WTAP_ERR_SHORT_READ) {
1061 * EOF or short read - assume the file is in this
1063 * When our client tries to read the second packet
1064 * they will presumably get the same EOF or short
1070 if (*err == WTAP_ERR_BAD_RECORD) {
1072 * The second record is bogus; maybe it's a
1073 * Capture File From Hell, and what looks like
1074 * the "header" of the next packet is actually
1075 * random junk from the middle of a packet.
1076 * Try the next format; if we run out of formats,
1077 * it probably *is* a corrupt file.
1079 return OTHER_FORMAT;
1083 * Some other error, e.g. an I/O error; just give up.
1089 * OK, the first two records look OK; assume this is the
1095 /* Read the next packet */
1096 static gboolean libpcap_read(wtap *wth, int *err, gchar **err_info,
1099 struct pcaprec_ss990915_hdr hdr;
1103 guchar fddi_padding[3];
1105 bytes_read = libpcap_read_header(wth, err, err_info, &hdr);
1106 if (bytes_read == -1) {
1108 * We failed to read the header.
1113 wth->data_offset += bytes_read;
1114 packet_size = hdr.hdr.incl_len;
1115 orig_size = hdr.hdr.orig_len;
1118 * AIX appears to put 3 bytes of padding in front of FDDI
1119 * frames; strip that crap off.
1121 if (wth->file_type == WTAP_FILE_PCAP_AIX &&
1122 (wth->file_encap == WTAP_ENCAP_FDDI ||
1123 wth->file_encap == WTAP_ENCAP_FDDI_BITSWAPPED)) {
1125 * The packet size is really a record size and includes
1130 wth->data_offset += 3;
1135 if (!libpcap_read_rec_data(wth->fh, fddi_padding, 3, err))
1136 return FALSE; /* Read error */
1139 *data_offset = wth->data_offset;
1142 * If this is an ATM packet, the first four bytes are the
1143 * direction of the packet (transmit/receive), the VPI, and
1144 * the VCI; read them and generate the pseudo-header from
1147 switch (wth->file_encap) {
1149 case WTAP_ENCAP_ATM_PDUS:
1150 if (wth->file_type == WTAP_FILE_PCAP_NOKIA) {
1154 if (packet_size < sizeof (struct nokiaatm_hdr)) {
1156 * Uh-oh, the packet isn't big enough to even
1157 * have a pseudo-header.
1159 *err = WTAP_ERR_BAD_RECORD;
1160 *err_info = g_strdup_printf("libpcap: Nokia IPSO ATM file has a %u-byte packet, too small to have even an ATM pseudo-header\n",
1164 if (!libpcap_read_nokiaatm_pseudoheader(wth->fh,
1165 &wth->pseudo_header, err))
1166 return FALSE; /* Read error */
1169 * Don't count the pseudo-header as part of the
1172 orig_size -= sizeof (struct nokiaatm_hdr);
1173 packet_size -= sizeof (struct nokiaatm_hdr);
1174 wth->data_offset += sizeof (struct nokiaatm_hdr);
1179 if (packet_size < sizeof (struct sunatm_hdr)) {
1181 * Uh-oh, the packet isn't big enough to even
1182 * have a pseudo-header.
1184 *err = WTAP_ERR_BAD_RECORD;
1185 *err_info = g_strdup_printf("libpcap: SunATM file has a %u-byte packet, too small to have even an ATM pseudo-header\n",
1189 if (!libpcap_read_sunatm_pseudoheader(wth->fh,
1190 &wth->pseudo_header, err))
1191 return FALSE; /* Read error */
1194 * Don't count the pseudo-header as part of the
1197 orig_size -= sizeof (struct sunatm_hdr);
1198 packet_size -= sizeof (struct sunatm_hdr);
1199 wth->data_offset += sizeof (struct sunatm_hdr);
1203 case WTAP_ENCAP_ETHERNET:
1205 * We don't know whether there's an FCS in this frame or not.
1207 wth->pseudo_header.eth.fcs_len = -1;
1210 case WTAP_ENCAP_IEEE_802_11:
1211 case WTAP_ENCAP_PRISM_HEADER:
1212 case WTAP_ENCAP_IEEE_802_11_WLAN_RADIOTAP:
1213 case WTAP_ENCAP_IEEE_802_11_WLAN_AVS:
1215 * We don't know whether there's an FCS in this frame or not.
1216 * XXX - are there any OSes where the capture mechanism
1219 wth->pseudo_header.ieee_802_11.fcs_len = -1;
1222 case WTAP_ENCAP_IRDA:
1223 if (packet_size < sizeof (struct irda_sll_hdr)) {
1225 * Uh-oh, the packet isn't big enough to even
1226 * have a pseudo-header.
1228 *err = WTAP_ERR_BAD_RECORD;
1229 *err_info = g_strdup_printf("libpcap: IrDA file has a %u-byte packet, too small to have even an IrDA pseudo-header\n",
1233 if (!libpcap_read_irda_pseudoheader(wth->fh, &wth->pseudo_header,
1235 return FALSE; /* Read error */
1238 * Don't count the pseudo-header as part of the packet.
1240 orig_size -= sizeof (struct irda_sll_hdr);
1241 packet_size -= sizeof (struct irda_sll_hdr);
1242 wth->data_offset += sizeof (struct irda_sll_hdr);
1244 case WTAP_ENCAP_MTP2_WITH_PHDR:
1245 if (packet_size < sizeof (struct mtp2_hdr)) {
1247 * Uh-oh, the packet isn't big enough to even
1248 * have a pseudo-header.
1250 *err = WTAP_ERR_BAD_RECORD;
1251 *err_info = g_strdup_printf("libpcap: MTP2 file has a %u-byte packet, too small to have even an MTP2 pseudo-header\n",
1255 if (!libpcap_read_mtp2_pseudoheader(wth->fh, &wth->pseudo_header,
1257 return FALSE; /* Read error */
1260 * Don't count the pseudo-header as part of the packet.
1262 orig_size -= sizeof (struct mtp2_hdr);
1263 packet_size -= sizeof (struct mtp2_hdr);
1264 wth->data_offset += sizeof (struct mtp2_hdr);
1268 buffer_assure_space(wth->frame_buffer, packet_size);
1269 if (!libpcap_read_rec_data(wth->fh, buffer_start_ptr(wth->frame_buffer),
1271 return FALSE; /* Read error */
1272 wth->data_offset += packet_size;
1274 wth->phdr.ts.secs = hdr.hdr.ts_sec;
1275 wth->phdr.ts.nsecs = hdr.hdr.ts_usec * 1000;
1276 wth->phdr.caplen = packet_size;
1277 wth->phdr.len = orig_size;
1279 if (wth->file_encap == WTAP_ENCAP_ATM_PDUS) {
1280 if (wth->file_type == WTAP_FILE_PCAP_NOKIA) {
1284 * Guess the traffic type based on the packet
1287 atm_guess_traffic_type(buffer_start_ptr(wth->frame_buffer),
1288 wth->phdr.caplen, &wth->pseudo_header);
1293 * If this is ATM LANE traffic, try to guess what
1294 * type of LANE traffic it is based on the packet
1297 if (wth->pseudo_header.atm.type == TRAF_LANE) {
1298 atm_guess_lane_type(buffer_start_ptr(wth->frame_buffer),
1299 wth->phdr.caplen, &wth->pseudo_header);
1308 libpcap_seek_read(wtap *wth, long seek_off,
1309 union wtap_pseudo_header *pseudo_header, guchar *pd, int length,
1310 int *err, gchar **err_info)
1312 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
1315 switch (wth->file_encap) {
1317 case WTAP_ENCAP_ATM_PDUS:
1318 if (wth->file_type == WTAP_FILE_PCAP_NOKIA) {
1322 if (!libpcap_read_nokiaatm_pseudoheader(wth->random_fh,
1323 pseudo_header, err)) {
1331 if (!libpcap_read_sunatm_pseudoheader(wth->random_fh,
1332 pseudo_header, err)) {
1339 case WTAP_ENCAP_ETHERNET:
1341 * We don't know whether there's an FCS in this frame or not.
1343 pseudo_header->eth.fcs_len = -1;
1346 case WTAP_ENCAP_IEEE_802_11:
1347 case WTAP_ENCAP_PRISM_HEADER:
1348 case WTAP_ENCAP_IEEE_802_11_WLAN_RADIOTAP:
1349 case WTAP_ENCAP_IEEE_802_11_WLAN_AVS:
1351 * We don't know whether there's an FCS in this frame or not.
1352 * XXX - are there any OSes where the capture mechanism
1355 pseudo_header->ieee_802_11.fcs_len = -1;
1358 case WTAP_ENCAP_IRDA:
1359 if (!libpcap_read_irda_pseudoheader(wth->random_fh, pseudo_header,
1365 case WTAP_ENCAP_MTP2_WITH_PHDR:
1366 if (!libpcap_read_mtp2_pseudoheader(wth->random_fh, pseudo_header,
1375 * Read the packet data.
1377 if (!libpcap_read_rec_data(wth->random_fh, pd, length, err))
1378 return FALSE; /* failed */
1380 if (wth->file_encap == WTAP_ENCAP_ATM_PDUS) {
1381 if (wth->file_type == WTAP_FILE_PCAP_NOKIA) {
1385 * Guess the traffic type based on the packet
1388 atm_guess_traffic_type(pd, length, pseudo_header);
1393 * If this is ATM LANE traffic, try to guess what
1394 * type of LANE traffic it is based on the packet
1397 if (pseudo_header->atm.type == TRAF_LANE)
1398 atm_guess_lane_type(pd, length, pseudo_header);
1404 /* Read the header of the next packet.
1406 Return -1 on an error, or the number of bytes of header read on success. */
1407 static int libpcap_read_header(wtap *wth, int *err, gchar **err_info,
1408 struct pcaprec_ss990915_hdr *hdr)
1410 int bytes_to_read, bytes_read;
1412 /* Read record header. */
1413 errno = WTAP_ERR_CANT_READ;
1414 switch (wth->file_type) {
1416 case WTAP_FILE_PCAP:
1417 case WTAP_FILE_PCAP_AIX:
1418 bytes_to_read = sizeof (struct pcaprec_hdr);
1421 case WTAP_FILE_PCAP_SS990417:
1422 case WTAP_FILE_PCAP_SS991029:
1423 bytes_to_read = sizeof (struct pcaprec_modified_hdr);
1426 case WTAP_FILE_PCAP_SS990915:
1427 bytes_to_read = sizeof (struct pcaprec_ss990915_hdr);
1430 case WTAP_FILE_PCAP_NOKIA:
1431 bytes_to_read = sizeof (struct pcaprec_nokia_hdr);
1435 g_assert_not_reached();
1438 bytes_read = file_read(hdr, 1, bytes_to_read, wth->fh);
1439 if (bytes_read != bytes_to_read) {
1440 *err = file_error(wth->fh);
1441 if (*err == 0 && bytes_read != 0) {
1442 *err = WTAP_ERR_SHORT_READ;
1447 adjust_header(wth, &hdr->hdr);
1449 if (hdr->hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
1451 * Probably a corrupt capture file; return an error,
1452 * so that our caller doesn't blow up trying to allocate
1453 * space for an immensely-large packet, and so that
1454 * the code to try to guess what type of libpcap file
1455 * this is can tell when it's not the type we're guessing
1458 *err = WTAP_ERR_BAD_RECORD;
1459 if (err_info != NULL) {
1460 *err_info = g_strdup_printf("pcap: File has %u-byte packet, bigger than maximum of %u",
1461 hdr->hdr.incl_len, WTAP_MAX_PACKET_SIZE);
1466 if (hdr->hdr.orig_len > WTAP_MAX_PACKET_SIZE) {
1468 * Probably a corrupt capture file; return an error,
1469 * so that our caller doesn't blow up trying to
1470 * cope with a huge "real" packet length, and so that
1471 * the code to try to guess what type of libpcap file
1472 * this is can tell when it's not the type we're guessing
1475 *err = WTAP_ERR_BAD_RECORD;
1476 if (err_info != NULL) {
1477 *err_info = g_strdup_printf("pcap: File has %u-byte packet, bigger than maximum of %u",
1478 hdr->hdr.orig_len, WTAP_MAX_PACKET_SIZE);
1487 adjust_header(wtap *wth, struct pcaprec_hdr *hdr)
1491 if (wth->capture.pcap->byte_swapped) {
1492 /* Byte-swap the record header fields. */
1493 hdr->ts_sec = BSWAP32(hdr->ts_sec);
1494 hdr->ts_usec = BSWAP32(hdr->ts_usec);
1495 hdr->incl_len = BSWAP32(hdr->incl_len);
1496 hdr->orig_len = BSWAP32(hdr->orig_len);
1499 /* If this is AIX, convert the time stamp from seconds/nanoseconds
1500 to seconds/microseconds. */
1501 if (wth->file_type == WTAP_FILE_PCAP_AIX)
1502 hdr->ts_usec = hdr->ts_usec/1000;
1504 /* Swap the "incl_len" and "orig_len" fields, if necessary. */
1505 switch (wth->capture.pcap->lengths_swapped) {
1511 if (hdr->incl_len <= hdr->orig_len) {
1513 * The captured length is <= the actual length,
1514 * so presumably they weren't swapped.
1521 temp = hdr->orig_len;
1522 hdr->orig_len = hdr->incl_len;
1523 hdr->incl_len = temp;
1529 libpcap_get_sunatm_pseudoheader(const struct sunatm_hdr *atm_phdr,
1530 union wtap_pseudo_header *pseudo_header)
1535 vpi = atm_phdr->vpi;
1536 vci = pntohs(&atm_phdr->vci);
1538 switch (atm_phdr->flags & 0x0F) {
1540 case 0x01: /* LANE */
1541 pseudo_header->atm.aal = AAL_5;
1542 pseudo_header->atm.type = TRAF_LANE;
1545 case 0x02: /* RFC 1483 LLC multiplexed traffic */
1546 pseudo_header->atm.aal = AAL_5;
1547 pseudo_header->atm.type = TRAF_LLCMX;
1550 case 0x05: /* ILMI */
1551 pseudo_header->atm.aal = AAL_5;
1552 pseudo_header->atm.type = TRAF_ILMI;
1555 case 0x06: /* Q.2931 */
1556 pseudo_header->atm.aal = AAL_SIGNALLING;
1557 pseudo_header->atm.type = TRAF_UNKNOWN;
1560 case 0x03: /* MARS (RFC 2022) */
1561 pseudo_header->atm.aal = AAL_5;
1562 pseudo_header->atm.type = TRAF_UNKNOWN;
1565 case 0x04: /* IFMP (Ipsilon Flow Management Protocol; see RFC 1954) */
1566 pseudo_header->atm.aal = AAL_5;
1567 pseudo_header->atm.type = TRAF_UNKNOWN; /* XXX - TRAF_IPSILON? */
1572 * Assume it's AAL5, unless it's VPI 0 and VCI 5, in which
1573 * case assume it's AAL_SIGNALLING; we know nothing more
1576 * XXX - is this necessary? Or are we guaranteed that
1577 * all signalling traffic has a type of 0x06?
1579 * XXX - is this guaranteed to be AAL5? Or, if the type is
1580 * 0x00 ("raw"), might it be non-AAL5 traffic?
1582 if (vpi == 0 && vci == 5)
1583 pseudo_header->atm.aal = AAL_SIGNALLING;
1585 pseudo_header->atm.aal = AAL_5;
1586 pseudo_header->atm.type = TRAF_UNKNOWN;
1589 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
1591 pseudo_header->atm.vpi = vpi;
1592 pseudo_header->atm.vci = vci;
1593 pseudo_header->atm.channel = (atm_phdr->flags & 0x80) ? 0 : 1;
1595 /* We don't have this information */
1596 pseudo_header->atm.flags = 0;
1597 pseudo_header->atm.cells = 0;
1598 pseudo_header->atm.aal5t_u2u = 0;
1599 pseudo_header->atm.aal5t_len = 0;
1600 pseudo_header->atm.aal5t_chksum = 0;
1604 libpcap_read_sunatm_pseudoheader(FILE_T fh,
1605 union wtap_pseudo_header *pseudo_header, int *err)
1607 struct sunatm_hdr atm_phdr;
1610 errno = WTAP_ERR_CANT_READ;
1611 bytes_read = file_read(&atm_phdr, 1, sizeof (struct sunatm_hdr), fh);
1612 if (bytes_read != sizeof (struct sunatm_hdr)) {
1613 *err = file_error(fh);
1615 *err = WTAP_ERR_SHORT_READ;
1619 libpcap_get_sunatm_pseudoheader(&atm_phdr, pseudo_header);
1625 libpcap_read_nokiaatm_pseudoheader(FILE_T fh,
1626 union wtap_pseudo_header *pseudo_header, int *err)
1628 struct nokiaatm_hdr atm_phdr;
1633 errno = WTAP_ERR_CANT_READ;
1634 bytes_read = file_read(&atm_phdr, 1, sizeof (struct nokiaatm_hdr), fh);
1635 if (bytes_read != sizeof (struct nokiaatm_hdr)) {
1636 *err = file_error(fh);
1638 *err = WTAP_ERR_SHORT_READ;
1643 vci = pntohs(&atm_phdr.vci);
1645 pseudo_header->atm.vpi = vpi;
1646 pseudo_header->atm.vci = vci;
1647 pseudo_header->atm.channel = (atm_phdr.flags & 0x80) ? 0 : 1;
1649 /* We don't have this information */
1650 pseudo_header->atm.flags = 0;
1651 pseudo_header->atm.cells = 0;
1652 pseudo_header->atm.aal5t_u2u = 0;
1653 pseudo_header->atm.aal5t_len = 0;
1654 pseudo_header->atm.aal5t_chksum = 0;
1660 libpcap_get_irda_pseudoheader(const struct irda_sll_hdr *irda_phdr,
1661 union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info)
1663 if (pntohs(&irda_phdr->sll_protocol) != 0x0017) {
1664 *err = WTAP_ERR_BAD_RECORD;
1665 if (err_info != NULL)
1666 *err_info = g_strdup("libpcap: IrDA capture has a packet with an invalid sll_protocol field\n");
1670 pseudo_header->irda.pkttype = pntohs(&irda_phdr->sll_pkttype);
1676 libpcap_read_irda_pseudoheader(FILE_T fh, union wtap_pseudo_header *pseudo_header,
1677 int *err, gchar **err_info)
1679 struct irda_sll_hdr irda_phdr;
1682 errno = WTAP_ERR_CANT_READ;
1683 bytes_read = file_read(&irda_phdr, 1, sizeof (struct irda_sll_hdr), fh);
1684 if (bytes_read != sizeof (struct irda_sll_hdr)) {
1685 *err = file_error(fh);
1687 *err = WTAP_ERR_SHORT_READ;
1691 return libpcap_get_irda_pseudoheader(&irda_phdr, pseudo_header, err,
1696 libpcap_get_mtp2_pseudoheader(const struct mtp2_hdr *mtp2_hdr, union wtap_pseudo_header *pseudo_header)
1698 pseudo_header->mtp2.sent = mtp2_hdr->sent;
1699 pseudo_header->mtp2.annex_a_used = mtp2_hdr->annex_a_used;
1700 pseudo_header->mtp2.link_number = pntohs(&mtp2_hdr->link_number);
1706 libpcap_read_mtp2_pseudoheader(FILE_T fh, union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info _U_)
1708 struct mtp2_hdr mtp2_hdr;
1711 errno = WTAP_ERR_CANT_READ;
1712 bytes_read = file_read(&mtp2_hdr, 1, sizeof (struct mtp2_hdr), fh);
1713 if (bytes_read != sizeof (struct mtp2_hdr)) {
1714 *err = file_error(fh);
1716 *err = WTAP_ERR_SHORT_READ;
1720 return libpcap_get_mtp2_pseudoheader(&mtp2_hdr, pseudo_header);
1725 libpcap_read_rec_data(FILE_T fh, guchar *pd, int length, int *err)
1729 errno = WTAP_ERR_CANT_READ;
1730 bytes_read = file_read(pd, 1, length, fh);
1732 if (bytes_read != length) {
1733 *err = file_error(fh);
1735 *err = WTAP_ERR_SHORT_READ;
1742 libpcap_close(wtap *wth)
1744 g_free(wth->capture.pcap);
1747 static int wtap_wtap_encap_to_pcap_encap(int encap)
1753 case WTAP_ENCAP_FDDI:
1754 case WTAP_ENCAP_FDDI_BITSWAPPED:
1755 case WTAP_ENCAP_NETTL_FDDI:
1757 * Special-case WTAP_ENCAP_FDDI and
1758 * WTAP_ENCAP_FDDI_BITSWAPPED; both of them get mapped
1759 * to DLT_FDDI (even though that may mean that the bit
1760 * order in the FDDI MAC addresses is wrong; so it goes
1761 * - libpcap format doesn't record the byte order,
1762 * so that's not fixable).
1764 return 10; /* that's DLT_FDDI */
1766 case WTAP_ENCAP_PPP_WITH_PHDR:
1768 * Also special-case PPP with direction bits; map it to
1769 * PPP, even though that means that the direction of the
1774 case WTAP_ENCAP_FRELAY_WITH_PHDR:
1776 * Do the same with Frame Relay.
1780 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
1782 * Map this to DLT_IEEE802_11, for now, even though
1783 * that means the radio information will be lost.
1784 * Once tcpdump support for the BSD radiotap header
1785 * is sufficiently widespread, we should probably
1786 * use that, instead - although we should probably
1787 * ultimately just have WTAP_ENCAP_IEEE_802_11
1788 * as the only Wiretap encapsulation for 802.11,
1789 * and have the pseudo-header include a radiotap-style
1790 * list of attributes. If we do that, though, we
1791 * should probably bypass the regular Wiretap code
1792 * when writing out packets during a capture, and just
1793 * do the equivalent of a libpcap write (unfortunately,
1794 * libpcap doesn't have an "open dump by file descriptor"
1795 * function, so we can't just use "pcap_dump()"), so
1796 * that we don't spend cycles mapping from libpcap to
1797 * Wiretap and then back to libpcap. (There are other
1798 * reasons to do that, e.g. to handle AIX libpcap better.)
1803 for (i = 0; i < NUM_PCAP_ENCAPS; i++) {
1804 if (pcap_to_wtap_map[i].wtap_encap_value == encap)
1805 return pcap_to_wtap_map[i].dlt_value;
1812 * Given a Wiretap encapsulation type, and raw packet data and the packet
1813 * header from libpcap, process any pseudo-header in the packet,
1814 * fill in the Wiretap packet header, and return a pointer to the
1815 * beginning of the non-pseudo-header data in the packet.
1818 wtap_process_pcap_packet(gint linktype, const struct pcap_pkthdr *phdr,
1819 const guchar *pd, union wtap_pseudo_header *pseudo_header,
1820 struct wtap_pkthdr *whdr, int *err)
1822 /* "phdr->ts" may not necessarily be a "struct timeval" - it may
1823 be a "struct bpf_timeval", with member sizes wired to 32
1824 bits - and we may go that way ourselves in the future, so
1825 copy the members individually. */
1826 whdr->ts.secs = phdr->ts.tv_sec;
1827 whdr->ts.nsecs = phdr->ts.tv_usec * 1000;
1828 whdr->caplen = phdr->caplen;
1829 whdr->len = phdr->len;
1830 whdr->pkt_encap = linktype;
1833 * If this is an ATM packet, the first four bytes are the
1834 * direction of the packet (transmit/receive), the VPI, and
1835 * the VCI; read them and generate the pseudo-header from
1838 if (linktype == WTAP_ENCAP_ATM_PDUS) {
1839 if (whdr->caplen < sizeof (struct sunatm_hdr)) {
1841 * Uh-oh, the packet isn't big enough to even
1842 * have a pseudo-header.
1844 g_message("libpcap: SunATM capture has a %u-byte packet, too small to have even an ATM pseudo-header\n",
1846 *err = WTAP_ERR_BAD_RECORD;
1849 libpcap_get_sunatm_pseudoheader((const struct sunatm_hdr *)pd,
1853 * Don't count the pseudo-header as part of the packet.
1855 whdr->len -= sizeof (struct sunatm_hdr);
1856 whdr->caplen -= sizeof (struct sunatm_hdr);
1857 pd += sizeof (struct sunatm_hdr);
1860 * If this is ATM LANE traffic, try to guess what type of
1861 * LANE traffic it is based on the packet contents.
1863 if (pseudo_header->atm.type == TRAF_LANE)
1864 atm_guess_lane_type(pd, whdr->caplen, pseudo_header);
1866 else if (linktype == WTAP_ENCAP_IRDA) {
1867 if (whdr->caplen < sizeof (struct irda_sll_hdr)) {
1869 * Uh-oh, the packet isn't big enough to even
1870 * have a pseudo-header.
1872 g_message("libpcap: IrDA capture has a %u-byte packet, too small to have even an IrDA pseudo-header\n",
1874 *err = WTAP_ERR_BAD_RECORD;
1877 if (!libpcap_get_irda_pseudoheader((const struct irda_sll_hdr *)pd,
1878 pseudo_header, err, NULL))
1882 * Don't count the pseudo-header as part of the packet.
1884 whdr->len -= sizeof (struct irda_sll_hdr);
1885 whdr->caplen -= sizeof (struct irda_sll_hdr);
1886 pd += sizeof (struct irda_sll_hdr);
1888 else if (linktype == WTAP_ENCAP_MTP2_WITH_PHDR) {
1889 if (whdr->caplen < sizeof (struct mtp2_hdr)) {
1891 * Uh-oh, the packet isn't big enough to even
1892 * have a pseudo-header.
1894 g_message("libpcap: MTP2 capture has a %u-byte packet, too small to have even an MTP2 pseudo-header\n",
1896 *err = WTAP_ERR_BAD_RECORD;
1899 if (!libpcap_get_mtp2_pseudoheader((const struct mtp2_hdr *)pd, pseudo_header))
1903 * Don't count the pseudo-header as part of the packet.
1905 whdr->len -= sizeof (struct mtp2_hdr);
1906 whdr->caplen -= sizeof (struct mtp2_hdr);
1907 pd += sizeof (struct mtp2_hdr);
1913 /* Returns 0 if we could write the specified encapsulation type,
1914 an error indication otherwise. */
1915 int libpcap_dump_can_write_encap(int encap)
1917 /* Per-packet encapsulations aren't supported. */
1918 if (encap == WTAP_ENCAP_PER_PACKET)
1919 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
1921 if (wtap_wtap_encap_to_pcap_encap(encap) == -1)
1922 return WTAP_ERR_UNSUPPORTED_ENCAP;
1927 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
1929 gboolean libpcap_dump_open(wtap_dumper *wdh, gboolean cant_seek _U_, int *err)
1932 struct pcap_hdr file_hdr;
1935 /* This is a libpcap file */
1936 wdh->subtype_write = libpcap_dump;
1937 wdh->subtype_close = NULL;
1939 /* Write the file header. */
1940 switch (wdh->file_type) {
1942 case WTAP_FILE_PCAP:
1943 case WTAP_FILE_PCAP_SS990417: /* modified, but with the old magic, sigh */
1944 case WTAP_FILE_PCAP_NOKIA: /* Nokia libpcap of some sort */
1948 case WTAP_FILE_PCAP_SS990915: /* new magic, extra crap */
1949 case WTAP_FILE_PCAP_SS991029:
1950 magic = PCAP_MODIFIED_MAGIC;
1954 /* We should never get here - our open routine
1955 should only get called for the types above. */
1956 *err = WTAP_ERR_UNSUPPORTED_FILE_TYPE;
1960 nwritten = fwrite(&magic, 1, sizeof magic, wdh->fh);
1961 if (nwritten != sizeof magic) {
1962 if (nwritten == 0 && ferror(wdh->fh))
1965 *err = WTAP_ERR_SHORT_WRITE;
1968 wdh->bytes_dumped += sizeof magic;
1970 /* current "libpcap" format is 2.4 */
1971 file_hdr.version_major = 2;
1972 file_hdr.version_minor = 4;
1973 file_hdr.thiszone = 0; /* XXX - current offset? */
1974 file_hdr.sigfigs = 0; /* unknown, but also apparently unused */
1976 * Tcpdump cannot handle capture files with a snapshot length of 0,
1977 * as BPF filters return either 0 if they fail or the snapshot length
1978 * if they succeed, and a snapshot length of 0 means success is
1979 * indistinguishable from failure and the filter expression would
1980 * reject all packets.
1982 * A snapshot length of 0, inside Wiretap, means "snapshot length
1983 * unknown"; if the snapshot length supplied to us is 0, we make
1984 * the snapshot length in the header file WTAP_MAX_PACKET_SIZE.
1986 file_hdr.snaplen = (wdh->snaplen != 0) ? wdh->snaplen :
1987 WTAP_MAX_PACKET_SIZE;
1988 file_hdr.network = wtap_wtap_encap_to_pcap_encap(wdh->encap);
1989 nwritten = fwrite(&file_hdr, 1, sizeof file_hdr, wdh->fh);
1990 if (nwritten != sizeof file_hdr) {
1991 if (nwritten == 0 && ferror(wdh->fh))
1994 *err = WTAP_ERR_SHORT_WRITE;
1997 wdh->bytes_dumped += sizeof file_hdr;
2002 /* Write a record for a packet to a dump file.
2003 Returns TRUE on success, FALSE on failure. */
2004 static gboolean libpcap_dump(wtap_dumper *wdh,
2005 const struct wtap_pkthdr *phdr,
2006 const union wtap_pseudo_header *pseudo_header _U_,
2007 const guchar *pd, int *err)
2009 struct pcaprec_ss990915_hdr rec_hdr;
2012 struct sunatm_hdr atm_hdr;
2013 struct irda_sll_hdr irda_hdr;
2014 struct mtp2_hdr mtp2_hdr;
2017 if (wdh->encap == WTAP_ENCAP_ATM_PDUS)
2018 hdrsize = sizeof (struct sunatm_hdr);
2019 else if (wdh->encap == WTAP_ENCAP_IRDA)
2020 hdrsize = sizeof (struct irda_sll_hdr);
2024 rec_hdr.hdr.ts_sec = phdr->ts.secs;
2025 rec_hdr.hdr.ts_usec = phdr->ts.nsecs / 1000;
2026 rec_hdr.hdr.incl_len = phdr->caplen + hdrsize;
2027 rec_hdr.hdr.orig_len = phdr->len + hdrsize;
2028 switch (wdh->file_type) {
2030 case WTAP_FILE_PCAP:
2031 hdr_size = sizeof (struct pcaprec_hdr);
2034 case WTAP_FILE_PCAP_SS990417: /* modified, but with the old magic, sigh */
2035 case WTAP_FILE_PCAP_SS991029:
2036 /* XXX - what should we supply here?
2038 Alexey's "libpcap" looks up the interface in the system's
2039 interface list if "ifindex" is non-zero, and prints
2040 the interface name. It ignores "protocol", and uses
2041 "pkt_type" to tag the packet as "host", "broadcast",
2042 "multicast", "other host", "outgoing", or "none of the
2043 above", but that's it.
2045 If the capture we're writing isn't a modified or
2046 RH 6.1 capture, we'd have to do some work to
2047 generate the packet type and interface index - and
2048 we can't generate the interface index unless we
2049 just did the capture ourselves in any case.
2051 I'm inclined to continue to punt; systems other than
2052 those with the older patch can read standard "libpcap"
2053 files, and systems with the older patch, e.g. RH 6.1,
2054 will just have to live with this. */
2055 rec_hdr.ifindex = 0;
2056 rec_hdr.protocol = 0;
2057 rec_hdr.pkt_type = 0;
2058 hdr_size = sizeof (struct pcaprec_modified_hdr);
2061 case WTAP_FILE_PCAP_SS990915: /* new magic, extra crap at the end */
2062 rec_hdr.ifindex = 0;
2063 rec_hdr.protocol = 0;
2064 rec_hdr.pkt_type = 0;
2067 hdr_size = sizeof (struct pcaprec_ss990915_hdr);
2070 case WTAP_FILE_PCAP_NOKIA: /* old magic, extra crap at the end */
2071 rec_hdr.ifindex = 0;
2072 rec_hdr.protocol = 0;
2073 rec_hdr.pkt_type = 0;
2076 hdr_size = sizeof (struct pcaprec_nokia_hdr);
2080 /* We should never get here - our open routine
2081 should only get called for the types above. */
2082 g_assert_not_reached();
2083 *err = WTAP_ERR_UNSUPPORTED_FILE_TYPE;
2087 nwritten = fwrite(&rec_hdr, 1, hdr_size, wdh->fh);
2088 if (nwritten != hdr_size) {
2089 if (nwritten == 0 && ferror(wdh->fh))
2092 *err = WTAP_ERR_SHORT_WRITE;
2095 wdh->bytes_dumped += hdr_size;
2097 if (wdh->encap == WTAP_ENCAP_ATM_PDUS) {
2099 * Write the ATM header.
2102 (pseudo_header->atm.channel == 0) ? 0x80 : 0x00;
2103 switch (pseudo_header->atm.aal) {
2105 case AAL_SIGNALLING:
2107 atm_hdr.flags |= 0x06;
2111 switch (pseudo_header->atm.type) {
2115 atm_hdr.flags |= 0x01;
2119 /* RFC 1483 LLC multiplexed traffic */
2120 atm_hdr.flags |= 0x02;
2125 atm_hdr.flags |= 0x05;
2130 atm_hdr.vpi = (guint8) pseudo_header->atm.vpi;
2131 atm_hdr.vci = phtons(&pseudo_header->atm.vci);
2132 nwritten = fwrite(&atm_hdr, 1, sizeof atm_hdr, wdh->fh);
2133 if (nwritten != sizeof atm_hdr) {
2134 if (nwritten == 0 && ferror(wdh->fh))
2137 *err = WTAP_ERR_SHORT_WRITE;
2140 wdh->bytes_dumped += sizeof atm_hdr;
2142 else if (wdh->encap == WTAP_ENCAP_IRDA) {
2144 * Write the IrDA header.
2146 memset(&irda_hdr, 0, sizeof(irda_hdr));
2147 irda_hdr.sll_pkttype = phtons(&pseudo_header->irda.pkttype);
2148 irda_hdr.sll_protocol = g_htons(0x0017);
2149 nwritten = fwrite(&irda_hdr, 1, sizeof(irda_hdr), wdh->fh);
2150 if (nwritten != sizeof(irda_hdr)) {
2151 if (nwritten == 0 && ferror(wdh->fh))
2154 *err = WTAP_ERR_SHORT_WRITE;
2157 wdh->bytes_dumped += sizeof(irda_hdr);
2159 else if (wdh->encap == WTAP_ENCAP_MTP2_WITH_PHDR) {
2161 * Write the MTP2 header.
2163 memset(&mtp2_hdr, 0, sizeof(mtp2_hdr));
2164 mtp2_hdr.sent = pseudo_header->mtp2.sent;
2165 mtp2_hdr.annex_a_used = pseudo_header->mtp2.annex_a_used;
2166 mtp2_hdr.link_number = phtons(&pseudo_header->mtp2.link_number);
2167 nwritten = fwrite(&mtp2_hdr, 1, sizeof(mtp2_hdr), wdh->fh);
2168 if (nwritten != sizeof(mtp2_hdr)) {
2169 if (nwritten == 0 && ferror(wdh->fh))
2172 *err = WTAP_ERR_SHORT_WRITE;
2175 wdh->bytes_dumped += sizeof(mtp2_hdr);
2178 nwritten = fwrite(pd, 1, phdr->caplen, wdh->fh);
2179 if (nwritten != phdr->caplen) {
2180 if (nwritten == 0 && ferror(wdh->fh))
2183 *err = WTAP_ERR_SHORT_WRITE;
2186 wdh->bytes_dumped += phdr->caplen;