6 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
8 * File format support for pcap-ng file format
9 * Copyright (c) 2007 by Ulf Lamping <ulf.lamping@web.de>
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
26 /* File format reference:
27 * http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
29 * http://wiki.wireshark.org/Development/PcapNg
40 /* Needed for addrinfo */
41 #ifdef HAVE_SYS_TYPES_H
42 # include <sys/types.h>
45 #ifdef HAVE_SYS_SOCKET_H
46 #include <sys/socket.h>
49 #ifdef HAVE_NETINET_IN_H
50 # include <netinet/in.h>
57 #ifdef HAVE_WINSOCK2_H
58 # include <winsock2.h>
61 #if defined(_WIN32) && defined(INET6)
62 # include <ws2tcpip.h>
66 #include "file_wrappers.h"
69 #include "pcap-common.h"
70 #include "pcap-encap.h"
74 #define pcapng_debug0(str) g_warning(str)
75 #define pcapng_debug1(str,p1) g_warning(str,p1)
76 #define pcapng_debug2(str,p1,p2) g_warning(str,p1,p2)
77 #define pcapng_debug3(str,p1,p2,p3) g_warning(str,p1,p2,p3)
79 #define pcapng_debug0(str)
80 #define pcapng_debug1(str,p1)
81 #define pcapng_debug2(str,p1,p2)
82 #define pcapng_debug3(str,p1,p2,p3)
86 pcapng_read(wtap *wth, int *err, gchar **err_info,
89 pcapng_seek_read(wtap *wth, gint64 seek_off,
90 union wtap_pseudo_header *pseudo_header, guchar *pd, int length,
91 int *err, gchar **err_info);
93 pcapng_close(wtap *wth);
96 /* pcapng: common block header for every block type */
97 typedef struct pcapng_block_header_s {
99 guint32 block_total_length;
100 /* x bytes block_body */
101 /* guint32 block_total_length */
102 } pcapng_block_header_t;
104 /* pcapng: section header block */
105 typedef struct pcapng_section_header_block_s {
106 /* pcapng_block_header_t */
108 guint16 version_major;
109 guint16 version_minor;
110 guint64 section_length; /* might be -1 for unknown */
111 /* ... Options ... */
112 } pcapng_section_header_block_t;
114 /* pcapng: interface description block */
115 typedef struct pcapng_interface_description_block_s {
119 /* ... Options ... */
120 } pcapng_interface_description_block_t;
122 /* pcapng: packet block (obsolete) */
123 typedef struct pcapng_packet_block_s {
124 guint16 interface_id;
126 guint32 timestamp_high;
127 guint32 timestamp_low;
128 guint32 captured_len;
130 /* ... Packet Data ... */
131 /* ... Padding ... */
132 /* ... Options ... */
133 } pcapng_packet_block_t;
135 /* pcapng: enhanced packet block */
136 typedef struct pcapng_enhanced_packet_block_s {
137 guint32 interface_id;
138 guint32 timestamp_high;
139 guint32 timestamp_low;
140 guint32 captured_len;
142 /* ... Packet Data ... */
143 /* ... Padding ... */
144 /* ... Options ... */
145 } pcapng_enhanced_packet_block_t;
147 /* pcapng: simple packet block */
148 typedef struct pcapng_simple_packet_block_s {
150 /* ... Packet Data ... */
151 /* ... Padding ... */
152 } pcapng_simple_packet_block_t;
154 /* pcapng: simple packet block */
155 typedef struct pcapng_name_resolution_block_s {
159 } pcapng_name_resolution_block_t;
161 /* pcapng: interface statistics block */
162 typedef struct pcapng_interface_statistics_block_s {
163 guint32 interface_id;
164 guint32 timestamp_high;
165 guint32 timestamp_low;
166 /* ... Options ... */
167 } pcapng_interface_statistics_block_t;
169 /* pcapng: common option header for every option type */
170 typedef struct pcapng_option_header_s {
172 guint16 option_length;
173 /* ... x bytes Option Body ... */
174 /* ... Padding ... */
175 } pcapng_option_header_t;
178 #define BLOCK_TYPE_IDB 0x00000001 /* Interface Description Block */
179 #define BLOCK_TYPE_PB 0x00000002 /* Packet Block (obsolete) */
180 #define BLOCK_TYPE_SPB 0x00000003 /* Simple Packet Block */
181 #define BLOCK_TYPE_NRB 0x00000004 /* Name Resolution Block */
182 #define BLOCK_TYPE_ISB 0x00000005 /* Interface Statistics Block */
183 #define BLOCK_TYPE_EPB 0x00000006 /* Enhanced Packet Block */
184 #define BLOCK_TYPE_SHB 0x0A0D0D0A /* Section Header Block */
188 /* Capture section */
189 typedef struct wtapng_section_s {
191 guint64 section_length;
193 gchar *opt_comment; /* NULL if not available */
194 gchar *shb_hardware; /* NULL if not available */
195 gchar *shb_os; /* NULL if not available */
196 gchar *shb_user_appl; /* NULL if not available */
199 /* Interface Description */
200 typedef struct wtapng_if_descr_s {
205 gchar *opt_comment; /* NULL if not available */
206 gchar *if_name; /* NULL if not available */
207 gchar *if_description;/* NULL if not available */
208 /* XXX: if_IPv4addr */
209 /* XXX: if_IPv6addr */
210 /* XXX: if_MACaddr */
211 /* XXX: if_EUIaddr */
212 guint64 if_speed; /* 0xFFFFFFFF if unknown */
213 guint8 if_tsresol; /* default is 6 for microsecond resolution */
214 gchar *if_filter; /* NULL if not available */
215 gchar *if_os; /* NULL if not available */
216 gint8 if_fcslen; /* -1 if unknown or changes between packets */
217 /* XXX: guint64 if_tsoffset; */
221 typedef struct wtapng_packet_s {
223 guint32 ts_high; /* seconds since 1.1.1970 */
224 guint32 ts_low; /* fraction of seconds, depends on if_tsresol */
225 guint32 cap_len; /* data length in the file */
226 guint32 packet_len; /* data length on the wire */
227 guint32 interface_id; /* identifier of the interface. */
228 guint16 drops_count; /* drops count, only valid for packet block */
229 /* 0xffff if information no available */
231 gchar *opt_comment; /* NULL if not available */
233 guint32 pack_flags; /* XXX - 0 for now (any value for "we don't have it"?) */
236 guint32 pseudo_header_len;
238 /* XXX - put the packet data / pseudo_header here as well? */
242 typedef struct wtapng_simple_packet_s {
244 guint32 cap_len; /* data length in the file */
245 guint32 packet_len; /* data length on the wire */
246 guint32 pseudo_header_len;
248 /* XXX - put the packet data / pseudo_header here as well? */
249 } wtapng_simple_packet_t;
251 /* Name Resolution */
252 typedef struct wtapng_name_res_s {
254 gchar *opt_comment; /* NULL if not available */
258 /* Interface Statistics */
259 typedef struct wtapng_if_stats_s {
261 guint64 interface_id;
265 gchar *opt_comment; /* NULL if not available */
267 /*guint32 isb_starttime_high;*/
268 /*guint32 isb_starttime_low;*/
269 /*guint32 isb_endtime_high;*/
270 /*guint32 isb_endtime_low;*/
273 /*guint64 isb_filteraccept;*/
274 /*guint64 isb_osdrop;*/
275 /*guint64 isb_usrdeliv;*/
279 typedef struct wtapng_block_s {
280 guint32 type; /* block_type as defined by pcapng */
282 wtapng_section_t section;
283 wtapng_if_descr_t if_descr;
284 wtapng_packet_t packet;
285 wtapng_simple_packet_t simple_packet;
286 wtapng_name_res_t name_res;
287 wtapng_if_stats_t if_stats;
291 * XXX - currently don't know how to handle these!
293 * For one thing, when we're reading a block, they must be
294 * writable, i.e. not const, so that we can read into them,
295 * but, when we're writing a block, they can be const, and,
296 * in fact, they sometimes point to const values.
298 const union wtap_pseudo_header *pseudo_header;
299 struct wtap_pkthdr *packet_header;
300 const guchar *frame_buffer;
304 typedef struct interface_data_s {
306 guint64 time_units_per_second;
311 gboolean byte_swapped;
312 guint16 version_major;
313 guint16 version_minor;
315 GArray *interface_data;
316 guint number_of_interfaces;
317 wtap_new_ipv4_callback_t add_new_ipv4;
318 wtap_new_ipv6_callback_t add_new_ipv6;
322 pcapng_get_encap(gint id, pcapng_t *pn)
324 interface_data_t int_data;
326 if ((id >= 0) && ((guint)id < pn->number_of_interfaces)) {
327 int_data = g_array_index(pn->interface_data, interface_data_t, id);
328 return int_data.wtap_encap;
330 return WTAP_ERR_UNSUPPORTED_ENCAP;
336 pcapng_read_option(FILE_T fh, pcapng_t *pn, pcapng_option_header_t *oh,
337 char *content, int len, int *err, gchar **err_info)
341 guint64 file_offset64;
344 /* read option header */
345 errno = WTAP_ERR_CANT_READ;
346 bytes_read = file_read(oh, sizeof (*oh), fh);
347 if (bytes_read != sizeof (*oh)) {
348 pcapng_debug0("pcapng_read_option: failed to read option");
349 *err = file_error(fh, err_info);
354 block_read = sizeof (*oh);
355 if(pn->byte_swapped) {
356 oh->option_code = BSWAP16(oh->option_code);
357 oh->option_length = BSWAP16(oh->option_length);
360 /* sanity check: option length */
361 if (oh->option_length > len) {
362 pcapng_debug2("pcapng_read_option: option_length %u larger than buffer (%u)",
363 oh->option_length, len);
367 /* read option content */
368 errno = WTAP_ERR_CANT_READ;
369 bytes_read = file_read(content, oh->option_length, fh);
370 if (bytes_read != oh->option_length) {
371 pcapng_debug1("pcapng_read_if_descr_block: failed to read content of option %u", oh->option_code);
372 *err = file_error(fh, err_info);
377 block_read += oh->option_length;
379 /* jump over potential padding bytes at end of option */
380 if( (oh->option_length % 4) != 0) {
381 file_offset64 = file_seek(fh, 4 - (oh->option_length % 4), SEEK_CUR, err);
382 if (file_offset64 <= 0) {
387 block_read += 4 - (oh->option_length % 4);
395 pcapng_read_section_header_block(FILE_T fh, gboolean first_block,
396 pcapng_block_header_t *bh, pcapng_t *pn,
397 wtapng_block_t *wblock, int *err,
403 pcapng_section_header_block_t shb;
404 pcapng_option_header_t oh;
405 char option_content[100]; /* XXX - size might need to be increased, if we see longer options */
408 /* read block content */
409 errno = WTAP_ERR_CANT_READ;
410 bytes_read = file_read(&shb, sizeof shb, fh);
411 if (bytes_read != sizeof shb) {
412 *err = file_error(fh, err_info);
416 * We're reading this as part of an open,
417 * and this block is too short to be
418 * an SHB, so the file is too short
419 * to be a pcap-ng file.
425 * Otherwise, just report this as an error.
427 *err = WTAP_ERR_SHORT_READ;
431 block_read = bytes_read;
433 /* is the magic number one we expect? */
436 /* this seems pcapng with correct byte order */
437 pn->byte_swapped = FALSE;
438 pn->version_major = shb.version_major;
439 pn->version_minor = shb.version_minor;
441 pcapng_debug3("pcapng_read_section_header_block: SHB (little endian) V%u.%u, len %u",
442 pn->version_major, pn->version_minor, bh->block_total_length);
445 /* this seems pcapng with swapped byte order */
446 pn->byte_swapped = TRUE;
447 pn->version_major = BSWAP16(shb.version_major);
448 pn->version_minor = BSWAP16(shb.version_minor);
450 /* tweak the block length to meet current swapping that we know now */
451 bh->block_total_length = BSWAP32(bh->block_total_length);
453 pcapng_debug3("pcapng_read_section_header_block: SHB (big endian) V%u.%u, len %u",
454 pn->version_major, pn->version_minor, bh->block_total_length);
457 /* Not a "pcapng" magic number we know about. */
459 /* Not a pcap-ng file. */
464 *err = WTAP_ERR_BAD_RECORD;
465 *err_info = g_strdup_printf("pcapng_read_section_header_block: unknown byte-order magic number 0x%08x", shb.magic);
469 /* OK, at this point we assume it's a pcap-ng file. */
471 /* we currently only understand SHB V1.0 */
472 if (pn->version_major != 1 || pn->version_minor > 0) {
473 *err = WTAP_ERR_UNSUPPORTED;
474 *err_info = g_strdup_printf("pcapng_read_section_header_block: unknown SHB version %u.%u",
475 pn->version_major, pn->version_minor);
479 /* 64bit section_length (currently unused) */
480 if (pn->byte_swapped) {
481 wblock->data.section.section_length = BSWAP64(shb.section_length);
483 wblock->data.section.section_length = shb.section_length;
486 /* Option defaults */
487 wblock->data.section.opt_comment = NULL;
488 wblock->data.section.shb_hardware = NULL;
489 wblock->data.section.shb_os = NULL;
490 wblock->data.section.shb_user_appl = NULL;
493 errno = WTAP_ERR_CANT_READ;
494 to_read = bh->block_total_length
495 - (int)sizeof(pcapng_block_header_t)
496 - (int)sizeof (pcapng_section_header_block_t)
497 - (int)sizeof(bh->block_total_length);
500 bytes_read = pcapng_read_option(fh, pn, &oh, option_content, sizeof(option_content), err, err_info);
501 if (bytes_read <= 0) {
502 pcapng_debug0("pcapng_read_section_header_block: failed to read option");
505 block_read += bytes_read;
506 to_read -= bytes_read;
508 /* handle option content */
509 switch(oh.option_code) {
510 case(0): /* opt_endofopt */
512 pcapng_debug1("pcapng_read_section_header_block: %u bytes after opt_endofopt", to_read);
514 /* padding should be ok here, just get out of this */
517 case(1): /* opt_comment */
518 if(oh.option_length > 0 && oh.option_length < sizeof(option_content)) {
519 wblock->data.section.opt_comment = g_strndup(option_content, sizeof(option_content));
520 pcapng_debug1("pcapng_read_section_header_block: opt_comment %s", wblock->data.section.opt_comment);
522 pcapng_debug1("pcapng_read_section_header_block: opt_comment length %u seems strange", oh.option_length);
525 case(2): /* shb_hardware */
526 if(oh.option_length > 0 && oh.option_length < sizeof(option_content)) {
527 wblock->data.section.shb_hardware = g_strndup(option_content, sizeof(option_content));
528 pcapng_debug1("pcapng_read_section_header_block: shb_hardware %s", wblock->data.section.shb_hardware);
530 pcapng_debug1("pcapng_read_section_header_block: shb_hardware length %u seems strange", oh.option_length);
533 case(3): /* shb_os */
534 if(oh.option_length > 0 && oh.option_length < sizeof(option_content)) {
535 wblock->data.section.shb_os = g_strndup(option_content, sizeof(option_content));
536 pcapng_debug1("pcapng_read_section_header_block: shb_os %s", wblock->data.section.shb_os);
538 pcapng_debug1("pcapng_read_section_header_block: shb_os length %u seems strange", oh.option_length);
541 case(4): /* shb_userappl */
542 if(oh.option_length > 0 && oh.option_length < sizeof(option_content)) {
543 wblock->data.section.shb_user_appl = g_strndup(option_content, sizeof(option_content));
544 pcapng_debug1("pcapng_read_section_header_block: shb_userappl %s", wblock->data.section.shb_user_appl);
546 pcapng_debug1("pcapng_read_section_header_block: shb_userappl length %u seems strange", oh.option_length);
550 pcapng_debug2("pcapng_read_section_header_block: unknown option %u - ignoring %u bytes",
551 oh.option_code, oh.option_length);
555 if (pn->interface_data != NULL) {
556 g_array_free(pn->interface_data, TRUE);
557 pn->interface_data = NULL;
558 *err = WTAP_ERR_BAD_RECORD;
559 *err_info = g_strdup_printf("pcapng: multiple section header blocks not supported.");
562 pn->interface_data = g_array_new(FALSE, FALSE, sizeof(interface_data_t));
563 pn->number_of_interfaces = 0;
569 /* "Interface Description Block" */
571 pcapng_read_if_descr_block(FILE_T fh, pcapng_block_header_t *bh, pcapng_t *pn,
572 wtapng_block_t *wblock, int *err, gchar **err_info)
574 guint64 time_units_per_second;
578 pcapng_interface_description_block_t idb;
579 pcapng_option_header_t oh;
580 interface_data_t int_data;
582 char option_content[100]; /* XXX - size might need to be increased, if we see longer options */
585 time_units_per_second = 1000000; /* default */
586 /* read block content */
587 errno = WTAP_ERR_CANT_READ;
588 bytes_read = file_read(&idb, sizeof idb, fh);
589 if (bytes_read != sizeof idb) {
590 pcapng_debug0("pcapng_read_if_descr_block: failed to read IDB");
591 *err = file_error(fh, err_info);
596 block_read = bytes_read;
598 /* mandatory values */
599 if (pn->byte_swapped) {
600 wblock->data.if_descr.link_type = BSWAP16(idb.linktype);
601 wblock->data.if_descr.snap_len = BSWAP32(idb.snaplen);
603 wblock->data.if_descr.link_type = idb.linktype;
604 wblock->data.if_descr.snap_len = idb.snaplen;
607 pcapng_debug3("pcapng_read_if_descr_block: IDB link_type %u (%s), snap %u",
608 wblock->data.if_descr.link_type,
609 wtap_encap_string(wtap_pcap_encap_to_wtap_encap(wblock->data.if_descr.link_type)),
610 wblock->data.if_descr.snap_len);
612 if (wblock->data.if_descr.snap_len > WTAP_MAX_PACKET_SIZE) {
613 /* This is unrealisitic, but text2pcap currently uses 102400.
614 * We do not use this value, maybe we should check the
615 * snap_len of the packets against it. For now, only warn.
617 pcapng_debug1("pcapng_read_if_descr_block: snapshot length %u unrealistic.",
618 wblock->data.if_descr.snap_len);
619 /*wblock->data.if_descr.snap_len = WTAP_MAX_PACKET_SIZE;*/
622 /* Option defaults */
623 wblock->data.if_descr.opt_comment = NULL;
624 wblock->data.if_descr.if_name = NULL;
625 wblock->data.if_descr.if_description = NULL;
626 /* XXX: if_IPv4addr */
627 /* XXX: if_IPv6addr */
628 /* XXX: if_MACaddr */
629 /* XXX: if_EUIaddr */
630 wblock->data.if_descr.if_speed = 0xFFFFFFFF; /* "unknown" */
631 wblock->data.if_descr.if_tsresol = 6; /* default is 6 for microsecond resolution */
632 wblock->data.if_descr.if_filter = NULL;
633 wblock->data.if_descr.if_os = NULL;
634 wblock->data.if_descr.if_fcslen = -1; /* unknown or changes between packets */
635 /* XXX: guint64 if_tsoffset; */
639 errno = WTAP_ERR_CANT_READ;
640 to_read = bh->block_total_length
641 - (int)sizeof(pcapng_block_header_t)
642 - (int)sizeof (pcapng_interface_description_block_t)
643 - (int)sizeof(bh->block_total_length);
644 while (to_read > 0) {
646 bytes_read = pcapng_read_option(fh, pn, &oh, option_content, sizeof(option_content), err, err_info);
647 if (bytes_read <= 0) {
648 pcapng_debug0("pcapng_read_if_descr_block: failed to read option");
651 block_read += bytes_read;
652 to_read -= bytes_read;
654 /* handle option content */
655 switch(oh.option_code) {
656 case(0): /* opt_endofopt */
658 pcapng_debug1("pcapng_read_if_descr_block: %u bytes after opt_endofopt", to_read);
660 /* padding should be ok here, just get out of this */
663 case(1): /* opt_comment */
664 if(oh.option_length > 0 && oh.option_length < sizeof(option_content)) {
665 wblock->data.section.opt_comment = g_strndup(option_content, sizeof(option_content));
666 pcapng_debug1("pcapng_read_if_descr_block: opt_comment %s", wblock->data.section.opt_comment);
668 pcapng_debug1("pcapng_read_if_descr_block: opt_comment length %u seems strange", oh.option_length);
671 case(2): /* if_name */
672 if(oh.option_length > 0 && oh.option_length < sizeof(option_content)) {
673 wblock->data.if_descr.if_name = g_strndup(option_content, sizeof(option_content));
674 pcapng_debug1("pcapng_read_if_descr_block: if_name %s", wblock->data.if_descr.if_name);
676 pcapng_debug1("pcapng_read_if_descr_block: if_name length %u seems strange", oh.option_length);
679 case(3): /* if_description */
680 if(oh.option_length > 0 && oh.option_length < sizeof(option_content)) {
681 wblock->data.if_descr.if_description = g_strndup(option_content, sizeof(option_content));
682 pcapng_debug1("pcapng_read_if_descr_block: if_description %s", wblock->data.if_descr.if_description);
684 pcapng_debug1("pcapng_read_if_descr_block: if_description length %u seems strange", oh.option_length);
687 case(8): /* if_speed */
688 if(oh.option_length == 8) {
689 /* Don't cast a char[] into a guint64--the
690 * char[] may not be aligned correctly.
692 memcpy(&wblock->data.if_descr.if_speed, option_content, sizeof(guint64));
694 wblock->data.if_descr.if_speed = BSWAP64(wblock->data.if_descr.if_speed);
695 pcapng_debug1("pcapng_read_if_descr_block: if_speed %" G_GINT64_MODIFIER "u (bps)", wblock->data.if_descr.if_speed);
697 pcapng_debug1("pcapng_read_if_descr_block: if_speed length %u not 8 as expected", oh.option_length);
700 case(9): /* if_tsresol */
701 if (oh.option_length == 1) {
706 wblock->data.if_descr.if_tsresol = option_content[0];
707 if (wblock->data.if_descr.if_tsresol & 0x80) {
712 exponent = (guint8)(wblock->data.if_descr.if_tsresol & 0x7f);
713 if (((base == 2) && (exponent < 64)) || ((base == 10) && (exponent < 20))) {
715 for (i = 0; i < exponent; i++) {
718 time_units_per_second = result;
720 time_units_per_second = G_MAXUINT64;
722 if (time_units_per_second > (((guint64)1) << 32)) {
723 pcapng_debug0("pcapng_open: time conversion might be inaccurate");
725 pcapng_debug1("pcapng_read_if_descr_block: if_tsresol %u", wblock->data.if_descr.if_tsresol);
727 pcapng_debug1("pcapng_read_if_descr_block: if_tsresol length %u not 1 as expected", oh.option_length);
730 case(11): /* if_filter */
731 if(oh.option_length > 0 && oh.option_length < sizeof(option_content)) {
732 wblock->data.if_descr.if_filter = g_strndup(option_content, sizeof(option_content));
733 pcapng_debug1("pcapng_read_if_descr_block: if_filter %s", wblock->data.if_descr.if_filter);
735 pcapng_debug1("pcapng_read_if_descr_block: if_filter length %u seems strange", oh.option_length);
738 case(13): /* if_fcslen */
739 if(oh.option_length == 1) {
740 wblock->data.if_descr.if_fcslen = option_content[0];
741 pn->if_fcslen = wblock->data.if_descr.if_fcslen;
742 pcapng_debug1("pcapng_read_if_descr_block: if_fcslen %u", wblock->data.if_descr.if_fcslen);
743 /* XXX - add sanity check */
745 pcapng_debug1("pcapng_read_if_descr_block: if_fcslen length %u not 1 as expected", oh.option_length);
749 pcapng_debug2("pcapng_read_if_descr_block: unknown option %u - ignoring %u bytes",
750 oh.option_code, oh.option_length);
754 encap = wtap_pcap_encap_to_wtap_encap(wblock->data.if_descr.link_type);
755 if (*wblock->file_encap == WTAP_ENCAP_UNKNOWN) {
756 *wblock->file_encap = encap;
758 if (*wblock->file_encap != encap) {
759 *wblock->file_encap = WTAP_ENCAP_PER_PACKET;
763 int_data.wtap_encap = encap;
764 int_data.time_units_per_second = time_units_per_second;
765 g_array_append_val(pn->interface_data, int_data);
766 pn->number_of_interfaces++;
772 pcapng_read_packet_block(FILE_T fh, pcapng_block_header_t *bh, pcapng_t *pn, wtapng_block_t *wblock, int *err, gchar **err_info, gboolean enhanced)
777 guint64 file_offset64;
778 pcapng_enhanced_packet_block_t epb;
779 pcapng_packet_block_t pb;
780 guint32 block_total_length;
781 pcapng_option_header_t oh;
783 int pseudo_header_len;
784 char option_content[100]; /* XXX - size might need to be increased, if we see longer options */
787 /* "(Enhanced) Packet Block" read fixed part */
788 errno = WTAP_ERR_CANT_READ;
790 bytes_read = file_read(&epb, sizeof epb, fh);
791 if (bytes_read != sizeof epb) {
792 pcapng_debug0("pcapng_read_packet_block: failed to read packet data");
793 *err = file_error(fh, err_info);
796 block_read = bytes_read;
798 if (pn->byte_swapped) {
799 wblock->data.packet.interface_id = BSWAP32(epb.interface_id);
800 wblock->data.packet.drops_count = -1; /* invalid */
801 wblock->data.packet.ts_high = BSWAP32(epb.timestamp_high);
802 wblock->data.packet.ts_low = BSWAP32(epb.timestamp_low);
803 wblock->data.packet.cap_len = BSWAP32(epb.captured_len);
804 wblock->data.packet.packet_len = BSWAP32(epb.packet_len);
806 wblock->data.packet.interface_id = epb.interface_id;
807 wblock->data.packet.drops_count = -1; /* invalid */
808 wblock->data.packet.ts_high = epb.timestamp_high;
809 wblock->data.packet.ts_low = epb.timestamp_low;
810 wblock->data.packet.cap_len = epb.captured_len;
811 wblock->data.packet.packet_len = epb.packet_len;
814 bytes_read = file_read(&pb, sizeof pb, fh);
815 if (bytes_read != sizeof pb) {
816 pcapng_debug0("pcapng_read_packet_block: failed to read packet data");
817 *err = file_error(fh, err_info);
820 block_read = bytes_read;
822 if (pn->byte_swapped) {
823 wblock->data.packet.interface_id = BSWAP16(pb.interface_id);
824 wblock->data.packet.drops_count = BSWAP16(pb.drops_count);
825 wblock->data.packet.ts_high = BSWAP32(pb.timestamp_high);
826 wblock->data.packet.ts_low = BSWAP32(pb.timestamp_low);
827 wblock->data.packet.cap_len = BSWAP32(pb.captured_len);
828 wblock->data.packet.packet_len = BSWAP32(pb.packet_len);
830 wblock->data.packet.interface_id = pb.interface_id;
831 wblock->data.packet.drops_count = pb.drops_count;
832 wblock->data.packet.ts_high = pb.timestamp_high;
833 wblock->data.packet.ts_low = pb.timestamp_low;
834 wblock->data.packet.cap_len = pb.captured_len;
835 wblock->data.packet.packet_len = pb.packet_len;
839 if (wblock->data.packet.cap_len > wblock->data.packet.packet_len) {
840 *err = WTAP_ERR_BAD_RECORD;
841 *err_info = g_strdup_printf("pcapng_read_packet_block: cap_len %u is larger than packet_len %u.",
842 wblock->data.packet.cap_len, wblock->data.packet.packet_len);
845 if (wblock->data.packet.cap_len > WTAP_MAX_PACKET_SIZE) {
846 *err = WTAP_ERR_BAD_RECORD;
847 *err_info = g_strdup_printf("pcapng_read_packet_block: cap_len %u is larger than WTAP_MAX_PACKET_SIZE %u.",
848 wblock->data.packet.cap_len, WTAP_MAX_PACKET_SIZE);
851 pcapng_debug3("pcapng_read_packet_block: packet data: packet_len %u captured_len %u interface_id %u",
852 wblock->data.packet.packet_len,
853 wblock->data.packet.cap_len,
854 wblock->data.packet.interface_id);
855 if (wblock->data.packet.packet_len > WTAP_MAX_PACKET_SIZE) {
856 *err = WTAP_ERR_BAD_RECORD;
857 *err_info = g_strdup_printf("pcapng_read_packet_block: packet_len %u is larger than WTAP_MAX_PACKET_SIZE %u.",
858 wblock->data.packet.packet_len, WTAP_MAX_PACKET_SIZE);
862 wtap_encap = pcapng_get_encap(wblock->data.packet.interface_id, pn);
863 pcapng_debug3("pcapng_read_packet_block: encapsulation = %d (%s), pseudo header size = %d.",
865 wtap_encap_string(wtap_encap),
866 pcap_get_phdr_size(wtap_encap, wblock->pseudo_header));
868 memset((void *)wblock->pseudo_header, 0, sizeof(union wtap_pseudo_header));
869 pseudo_header_len = pcap_process_pseudo_header(fh,
872 wblock->data.packet.cap_len,
874 wblock->packet_header,
875 (union wtap_pseudo_header *)wblock->pseudo_header,
878 if (pseudo_header_len < 0) {
881 wblock->data.packet.pseudo_header_len = (guint32)pseudo_header_len;
882 block_read += pseudo_header_len;
883 if (pseudo_header_len != pcap_get_phdr_size(wtap_encap, wblock->pseudo_header)) {
884 pcapng_debug1("pcapng_read_packet_block: Could only read %d bytes for pseudo header.",
888 /* "(Enhanced) Packet Block" read capture data */
889 errno = WTAP_ERR_CANT_READ;
890 bytes_read = file_read((guchar *) (wblock->frame_buffer), wblock->data.packet.cap_len - pseudo_header_len, fh);
891 if (bytes_read != (int) (wblock->data.packet.cap_len - pseudo_header_len)) {
892 *err = file_error(fh, err_info);
893 pcapng_debug1("pcapng_read_packet_block: couldn't read %u bytes of captured data",
894 wblock->data.packet.cap_len - pseudo_header_len);
896 *err = WTAP_ERR_SHORT_READ;
899 block_read += bytes_read;
901 /* jump over potential padding bytes at end of the packet data */
902 if( (wblock->data.packet.cap_len % 4) != 0) {
903 file_offset64 = file_seek(fh, 4 - (wblock->data.packet.cap_len % 4), SEEK_CUR, err);
904 if (file_offset64 <= 0) {
909 block_read += 4 - (wblock->data.packet.cap_len % 4);
912 /* add padding bytes to "block total length" */
913 /* (the "block total length" of some example files don't contain the packet data padding bytes!) */
914 if (bh->block_total_length % 4) {
915 block_total_length = bh->block_total_length + 4 - (bh->block_total_length % 4);
917 block_total_length = bh->block_total_length;
920 /* Option defaults */
921 wblock->data.packet.opt_comment = NULL;
922 wblock->data.packet.drop_count = -1;
923 wblock->data.packet.pack_flags = 0; /* XXX - is 0 ok to signal "not used"? */
926 errno = WTAP_ERR_CANT_READ;
927 to_read = block_total_length
928 - (int)sizeof(pcapng_block_header_t)
929 - block_read /* fixed and variable part, including padding */
930 - (int)sizeof(bh->block_total_length);
933 bytes_read = pcapng_read_option(fh, pn, &oh, option_content, sizeof(option_content), err, err_info);
934 if (bytes_read <= 0) {
935 pcapng_debug0("pcapng_read_packet_block: failed to read option");
938 block_read += bytes_read;
939 to_read -= bytes_read;
941 /* handle option content */
942 switch(oh.option_code) {
943 case(0): /* opt_endofopt */
945 pcapng_debug1("pcapng_read_packet_block: %u bytes after opt_endofopt", to_read);
947 /* padding should be ok here, just get out of this */
950 case(1): /* opt_comment */
951 if(oh.option_length > 0 && oh.option_length < sizeof(option_content)) {
952 wblock->data.section.opt_comment = g_strndup(option_content, sizeof(option_content));
953 pcapng_debug1("pcapng_read_packet_block: opt_comment %s", wblock->data.section.opt_comment);
955 pcapng_debug1("pcapng_read_packet_block: opt_comment length %u seems strange", oh.option_length);
958 case(2): /* pack_flags / epb_flags */
959 if(oh.option_length == 4) {
960 /* Don't cast a char[] into a guint32--the
961 * char[] may not be aligned correctly.
963 memcpy(&wblock->data.packet.pack_flags, option_content, sizeof(guint32));
965 wblock->data.packet.pack_flags = BSWAP32(wblock->data.packet.pack_flags);
966 pcapng_debug1("pcapng_read_if_descr_block: pack_flags %u (ignored)", wblock->data.packet.pack_flags);
968 pcapng_debug1("pcapng_read_if_descr_block: pack_flags length %u not 4 as expected", oh.option_length);
972 pcapng_debug2("pcapng_read_packet_block: unknown option %u - ignoring %u bytes",
973 oh.option_code, oh.option_length);
977 pcap_read_post_process(wtap_encap,
978 (int) (wblock->data.packet.cap_len - pseudo_header_len),
979 pn->byte_swapped, (guchar *) (wblock->frame_buffer));
985 pcapng_read_simple_packet_block(FILE_T fh, pcapng_block_header_t *bh, pcapng_t *pn, wtapng_block_t *wblock, int *err, gchar **err_info)
989 guint64 file_offset64;
991 int pseudo_header_len;
992 pcapng_simple_packet_block_t spb;
995 /* "Simple Packet Block" read fixed part */
996 errno = WTAP_ERR_CANT_READ;
997 bytes_read = file_read(&spb, sizeof spb, fh);
998 if (bytes_read != sizeof spb) {
999 pcapng_debug0("pcapng_read_simple_packet_block: failed to read packet data");
1000 *err = file_error(fh, err_info);
1003 block_read = bytes_read;
1005 if (pn->byte_swapped) {
1006 wblock->data.simple_packet.packet_len = BSWAP32(spb.packet_len);
1008 wblock->data.simple_packet.packet_len = spb.packet_len;
1011 wblock->data.simple_packet.cap_len = bh->block_total_length
1012 - (guint32)sizeof(pcapng_simple_packet_block_t)
1013 - (guint32)sizeof(bh->block_total_length);
1015 if (wblock->data.simple_packet.cap_len > WTAP_MAX_PACKET_SIZE) {
1016 *err = WTAP_ERR_BAD_RECORD;
1017 *err_info = g_strdup_printf("pcapng_read_simple_packet_block: cap_len %u is larger than WTAP_MAX_PACKET_SIZE %u.",
1018 wblock->data.simple_packet.cap_len, WTAP_MAX_PACKET_SIZE);
1021 pcapng_debug1("pcapng_read_simple_packet_block: packet data: packet_len %u",
1022 wblock->data.simple_packet.packet_len);
1023 if (wblock->data.simple_packet.packet_len > WTAP_MAX_PACKET_SIZE) {
1024 *err = WTAP_ERR_BAD_RECORD;
1025 *err_info = g_strdup_printf("pcapng_read_simple_packet_block: packet_len %u is larger than WTAP_MAX_PACKET_SIZE %u.",
1026 wblock->data.simple_packet.packet_len, WTAP_MAX_PACKET_SIZE);
1030 encap = pcapng_get_encap(0, pn);
1031 pcapng_debug1("pcapng_read_simple_packet_block: Need to read pseudo header of size %d",
1032 pcap_get_phdr_size(encap, wblock->pseudo_header));
1034 memset((void *)wblock->pseudo_header, 0, sizeof(union wtap_pseudo_header));
1035 pseudo_header_len = pcap_process_pseudo_header(fh,
1038 wblock->data.simple_packet.cap_len,
1040 wblock->packet_header,
1041 (union wtap_pseudo_header *)wblock->pseudo_header,
1044 if (pseudo_header_len < 0) {
1047 wblock->data.simple_packet.pseudo_header_len = (guint32)pseudo_header_len;
1048 block_read += pseudo_header_len;
1049 if (pseudo_header_len != pcap_get_phdr_size(encap, wblock->pseudo_header)) {
1050 pcapng_debug1("pcapng_read_simple_packet_block: Could only read %d bytes for pseudo header.",
1054 /* XXX - implement other linktypes then Ethernet */
1055 /* (or even better share the code with libpcap.c) */
1057 /* Ethernet FCS length, might be overwritten by "per packet" options */
1058 memset((void *)wblock->pseudo_header, 0, sizeof(union wtap_pseudo_header));
1059 ((union wtap_pseudo_header *) wblock->pseudo_header)->eth.fcs_len = pn->if_fcslen;
1061 /* "Simple Packet Block" read capture data */
1062 errno = WTAP_ERR_CANT_READ;
1063 bytes_read = file_read((guchar *) (wblock->frame_buffer), wblock->data.simple_packet.cap_len, fh);
1064 if (bytes_read != (int) wblock->data.simple_packet.cap_len) {
1065 *err = file_error(fh, err_info);
1066 pcapng_debug1("pcapng_read_simple_packet_block: couldn't read %u bytes of captured data",
1067 wblock->data.simple_packet.cap_len);
1069 *err = WTAP_ERR_SHORT_READ;
1072 block_read += bytes_read;
1074 /* jump over potential padding bytes at end of the packet data */
1075 if ((wblock->data.simple_packet.cap_len % 4) != 0) {
1076 file_offset64 = file_seek(fh, 4 - (wblock->data.simple_packet.cap_len % 4), SEEK_CUR, err);
1077 if (file_offset64 <= 0) {
1082 block_read += 4 - (wblock->data.simple_packet.cap_len % 4);
1085 pcap_read_post_process(encap, (int) wblock->data.simple_packet.cap_len,
1086 pn->byte_swapped, (guchar *) (wblock->frame_buffer));
1090 #define NRES_ENDOFRECORD 0
1091 #define NRES_IP4RECORD 1
1092 #define NRES_IP6RECORD 2
1093 #define PADDING4(x) ((((x + 3) >> 2) << 2) - x)
1094 /* IPv6 + MAXNAMELEN */
1095 #define MAX_NRB_REC_SIZE (16 + 64)
1097 pcapng_read_name_resolution_block(FILE_T fh, pcapng_block_header_t *bh, pcapng_t *pn, wtapng_block_t *wblock _U_,int *err, gchar **err_info)
1102 guint64 file_offset64;
1103 pcapng_name_resolution_block_t nrb;
1104 guchar nrb_rec[MAX_NRB_REC_SIZE];
1107 errno = WTAP_ERR_CANT_READ;
1108 to_read = bh->block_total_length
1109 - sizeof(pcapng_block_header_t)
1110 - sizeof(bh->block_total_length);
1112 while (block_read < to_read) {
1113 bytes_read = file_read(&nrb, sizeof nrb, fh);
1114 if (bytes_read != sizeof nrb) {
1115 pcapng_debug0("pcapng_read_name_resolution_block: failed to read record header");
1116 *err = file_error(fh, err_info);
1119 block_read += bytes_read;
1121 if (pn->byte_swapped) {
1122 nrb.record_type = BSWAP16(nrb.record_type);
1123 nrb.record_len = BSWAP16(nrb.record_len);
1126 switch(nrb.record_type) {
1127 case NRES_ENDOFRECORD:
1128 /* There shouldn't be any more data */
1131 case NRES_IP4RECORD:
1132 if (nrb.record_len < 6 || nrb.record_len > MAX_NRB_REC_SIZE || to_read < nrb.record_len) {
1133 pcapng_debug0("pcapng_read_name_resolution_block: bad length or insufficient data for IPv4 record");
1136 bytes_read = file_read(nrb_rec, nrb.record_len, fh);
1137 if (bytes_read != nrb.record_len) {
1138 pcapng_debug0("pcapng_read_name_resolution_block: failed to read IPv4 record data");
1139 *err = file_error(fh, err_info);
1142 block_read += bytes_read;
1144 if (pn->add_new_ipv4) {
1145 memcpy(&v4_addr, nrb_rec, 4);
1146 if (pn->byte_swapped)
1147 v4_addr = BSWAP32(v4_addr);
1148 pn->add_new_ipv4(v4_addr, nrb_rec + 4);
1151 file_offset64 = file_seek(fh, PADDING4(nrb.record_len), SEEK_CUR, err);
1152 if (file_offset64 <= 0) {
1157 block_read += PADDING4(nrb.record_len);
1159 case NRES_IP6RECORD:
1160 if (nrb.record_len < 18 || nrb.record_len > MAX_NRB_REC_SIZE || to_read < nrb.record_len) {
1161 pcapng_debug0("pcapng_read_name_resolution_block: bad length or insufficient data for IPv6 record");
1164 bytes_read = file_read(nrb_rec, nrb.record_len, fh);
1165 if (bytes_read != nrb.record_len) {
1166 pcapng_debug0("pcapng_read_name_resolution_block: failed to read IPv6 record data");
1167 *err = file_error(fh, err_info);
1170 block_read += bytes_read;
1172 if (pn->add_new_ipv6) {
1173 pn->add_new_ipv6(nrb_rec, nrb_rec + 16);
1176 file_offset64 = file_seek(fh, PADDING4(nrb.record_len), SEEK_CUR, err);
1177 if (file_offset64 <= 0) {
1182 block_read += PADDING4(nrb.record_len);
1185 pcapng_debug1("pcapng_read_name_resolution_block: unknown record type 0x%x", nrb.record_type);
1186 file_offset64 = file_seek(fh, nrb.record_len + PADDING4(nrb.record_len), SEEK_CUR, err);
1187 if (file_offset64 <= 0) {
1192 block_read += nrb.record_len + PADDING4(nrb.record_len);
1201 pcapng_read_interface_statistics_block(FILE_T fh, pcapng_block_header_t *bh, pcapng_t *pn, wtapng_block_t *wblock,int *err, gchar **err_info)
1206 pcapng_interface_statistics_block_t isb;
1207 pcapng_option_header_t oh;
1208 char option_content[100]; /* XXX - size might need to be increased, if we see longer options */
1211 /* "Interface Statistics Block" read fixed part */
1212 errno = WTAP_ERR_CANT_READ;
1213 bytes_read = file_read(&isb, sizeof isb, fh);
1214 if (bytes_read != sizeof isb) {
1215 pcapng_debug0("pcapng_read_interface_statistics_block: failed to read packet data");
1216 *err = file_error(fh, err_info);
1219 block_read = bytes_read;
1221 if(pn->byte_swapped) {
1222 wblock->data.if_stats.interface_id = BSWAP64(isb.interface_id);
1223 wblock->data.if_stats.ts_high = BSWAP32(isb.timestamp_high);
1224 wblock->data.if_stats.ts_low = BSWAP32(isb.timestamp_low);
1226 wblock->data.if_stats.interface_id = isb.interface_id;
1227 wblock->data.if_stats.ts_high = isb.timestamp_high;
1228 wblock->data.if_stats.ts_low = isb.timestamp_low;
1230 pcapng_debug1("pcapng_read_interface_statistics_block: interface_id %" G_GINT64_MODIFIER "u", wblock->data.if_stats.interface_id);
1232 /* Option defaults */
1233 wblock->data.if_stats.opt_comment = NULL;
1234 wblock->data.if_stats.isb_ifrecv = -1;
1235 wblock->data.if_stats.isb_ifdrop = -1;
1238 errno = WTAP_ERR_CANT_READ;
1239 to_read = bh->block_total_length
1240 - sizeof(pcapng_block_header_t)
1241 - block_read /* fixed and variable part, including padding */
1242 - sizeof(bh->block_total_length);
1243 while(to_read > 0) {
1245 bytes_read = pcapng_read_option(fh, pn, &oh, option_content, sizeof(option_content), err, err_info);
1246 if (bytes_read <= 0) {
1247 pcapng_debug0("pcapng_read_interface_statistics_block: failed to read option");
1250 block_read += bytes_read;
1251 to_read -= bytes_read;
1253 /* handle option content */
1254 switch(oh.option_code) {
1255 case(0): /* opt_endofopt */
1257 pcapng_debug1("pcapng_read_interface_statistics_block: %u bytes after opt_endofopt", to_read);
1259 /* padding should be ok here, just get out of this */
1262 case(1): /* opt_comment */
1263 if(oh.option_length > 0 && oh.option_length < sizeof(option_content)) {
1264 wblock->data.section.opt_comment = g_strndup(option_content, sizeof(option_content));
1265 pcapng_debug1("pcapng_read_interface_statistics_block: opt_comment %s", wblock->data.section.opt_comment);
1267 pcapng_debug1("pcapng_read_interface_statistics_block: opt_comment length %u seems strange", oh.option_length);
1270 case(4): /* isb_ifrecv */
1271 if(oh.option_length == 8) {
1272 /* Don't cast a char[] into a guint32--the
1273 * char[] may not be aligned correctly.
1275 memcpy(&wblock->data.if_stats.isb_ifrecv, option_content, sizeof(guint64));
1276 if(pn->byte_swapped)
1277 wblock->data.if_stats.isb_ifrecv = BSWAP64(wblock->data.if_stats.isb_ifrecv);
1278 pcapng_debug1("pcapng_read_interface_statistics_block: isb_ifrecv %" G_GINT64_MODIFIER "u", wblock->data.if_stats.isb_ifrecv);
1280 pcapng_debug1("pcapng_read_interface_statistics_block: isb_ifrecv length %u not 8 as expected", oh.option_length);
1283 case(5): /* isb_ifdrop */
1284 if(oh.option_length == 8) {
1285 /* Don't cast a char[] into a guint32--the
1286 * char[] may not be aligned correctly.
1288 memcpy(&wblock->data.if_stats.isb_ifdrop, option_content, sizeof(guint64));
1289 if(pn->byte_swapped)
1290 wblock->data.if_stats.isb_ifdrop = BSWAP64(wblock->data.if_stats.isb_ifdrop);
1291 pcapng_debug1("pcapng_read_interface_statistics_block: isb_ifdrop %" G_GINT64_MODIFIER "u", wblock->data.if_stats.isb_ifdrop);
1293 pcapng_debug1("pcapng_read_interface_statistics_block: isb_ifdrop length %u not 8 as expected", oh.option_length);
1297 pcapng_debug2("pcapng_read_interface_statistics_block: unknown option %u - ignoring %u bytes",
1298 oh.option_code, oh.option_length);
1307 pcapng_read_unknown_block(FILE_T fh, pcapng_block_header_t *bh, pcapng_t *pn _U_, wtapng_block_t *wblock _U_,int *err, gchar **err_info _U_)
1310 guint64 file_offset64;
1311 guint32 block_total_length;
1314 /* add padding bytes to "block total length" */
1315 /* (the "block total length" of some example files don't contain any padding bytes!) */
1316 if (bh->block_total_length % 4) {
1317 block_total_length = bh->block_total_length + 4 - (bh->block_total_length % 4);
1319 block_total_length = bh->block_total_length;
1322 block_read = block_total_length - (guint32)sizeof(pcapng_block_header_t) - (guint32)sizeof(bh->block_total_length);
1324 /* jump over this unknown block */
1325 file_offset64 = file_seek(fh, block_read, SEEK_CUR, err);
1326 if (file_offset64 <= 0) {
1337 pcapng_read_block(FILE_T fh, gboolean first_block, pcapng_t *pn, wtapng_block_t *wblock, int *err, gchar **err_info)
1341 pcapng_block_header_t bh;
1342 guint32 block_total_length;
1345 /* Try to read the (next) block header */
1346 errno = WTAP_ERR_CANT_READ;
1347 bytes_read = file_read(&bh, sizeof bh, fh);
1348 if (bytes_read != sizeof bh) {
1349 *err = file_error(fh, err_info);
1350 pcapng_debug3("pcapng_read_block: file_read() returned %d instead of %u, err = %d.", bytes_read, (unsigned int)sizeof bh, *err);
1356 block_read = bytes_read;
1357 if (pn->byte_swapped) {
1358 bh.block_type = BSWAP32(bh.block_type);
1359 bh.block_total_length = BSWAP32(bh.block_total_length);
1362 wblock->type = bh.block_type;
1364 pcapng_debug1("pcapng_read_block: block_type 0x%x", bh.block_type);
1368 * This is being read in by pcapng_open(), so this block
1369 * must be an SHB. If it's not, this is not a pcap-ng
1372 * XXX - check for various forms of Windows <-> UN*X
1373 * mangling, and suggest that the file might be a
1374 * pcap-ng file that was damaged in transit?
1376 if (bh.block_type != BLOCK_TYPE_SHB)
1377 return 0; /* not a pcap-ng file */
1380 switch(bh.block_type) {
1381 case(BLOCK_TYPE_SHB):
1382 bytes_read = pcapng_read_section_header_block(fh, first_block, &bh, pn, wblock, err, err_info);
1384 case(BLOCK_TYPE_IDB):
1385 bytes_read = pcapng_read_if_descr_block(fh, &bh, pn, wblock, err, err_info);
1387 case(BLOCK_TYPE_PB):
1388 bytes_read = pcapng_read_packet_block(fh, &bh, pn, wblock, err, err_info, FALSE);
1390 case(BLOCK_TYPE_SPB):
1391 bytes_read = pcapng_read_simple_packet_block(fh, &bh, pn, wblock, err, err_info);
1393 case(BLOCK_TYPE_EPB):
1394 bytes_read = pcapng_read_packet_block(fh, &bh, pn, wblock, err, err_info, TRUE);
1396 case(BLOCK_TYPE_NRB):
1397 bytes_read = pcapng_read_name_resolution_block(fh, &bh, pn, wblock, err, err_info);
1399 case(BLOCK_TYPE_ISB):
1400 bytes_read = pcapng_read_interface_statistics_block(fh, &bh, pn, wblock, err, err_info);
1403 pcapng_debug2("pcapng_read_block: Unknown block_type: 0x%x (block ignored), block total length %d", bh.block_type, bh.block_total_length);
1404 bytes_read = pcapng_read_unknown_block(fh, &bh, pn, wblock, err, err_info);
1407 if (bytes_read <= 0) {
1410 block_read += bytes_read;
1412 /* sanity check: first and second block lengths must match */
1413 errno = WTAP_ERR_CANT_READ;
1414 bytes_read = file_read(&block_total_length, sizeof block_total_length, fh);
1415 if (bytes_read != sizeof block_total_length) {
1416 pcapng_debug0("pcapng_read_block: couldn't read second block length");
1417 *err = file_error(fh, err_info);
1419 *err = WTAP_ERR_SHORT_READ;
1422 block_read += bytes_read;
1424 if (pn->byte_swapped)
1425 block_total_length = BSWAP32(block_total_length);
1427 if (!(block_total_length == bh.block_total_length)) {
1428 *err = WTAP_ERR_BAD_RECORD;
1429 *err_info = g_strdup_printf("pcapng_read_block: total block lengths (first %u and second %u) don't match",
1430 bh.block_total_length, block_total_length);
1438 /* classic wtap: open capture file */
1440 pcapng_open(wtap *wth, int *err, gchar **err_info)
1444 wtapng_block_t wblock;
1447 /* we don't know the byte swapping of the file yet */
1448 pn.byte_swapped = FALSE;
1450 pn.version_major = -1;
1451 pn.version_minor = -1;
1452 pn.interface_data = NULL;
1453 pn.number_of_interfaces = 0;
1455 /* we don't expect any packet blocks yet */
1456 wblock.frame_buffer = NULL;
1457 wblock.pseudo_header = NULL;
1458 wblock.packet_header = NULL;
1459 wblock.file_encap = &wth->file_encap;
1461 pcapng_debug0("pcapng_open: opening file");
1462 /* read first block */
1463 bytes_read = pcapng_read_block(wth->fh, TRUE, &pn, &wblock, err, err_info);
1464 if (bytes_read <= 0) {
1465 pcapng_debug0("pcapng_open: couldn't read first SHB");
1466 *err = file_error(wth->fh, err_info);
1471 wth->data_offset += bytes_read;
1473 /* first block must be a "Section Header Block" */
1474 if (wblock.type != BLOCK_TYPE_SHB) {
1476 * XXX - check for damage from transferring a file
1477 * between Windows and UN*X as text rather than
1480 pcapng_debug1("pcapng_open: first block type %u not SHB", wblock.type);
1484 wth->file_encap = WTAP_ENCAP_UNKNOWN;
1485 wth->snapshot_length = 0;
1486 wth->tsprecision = WTAP_FILE_TSPREC_NSEC;
1487 pcapng = (pcapng_t *)g_malloc(sizeof(pcapng_t));
1488 wth->priv = (void *)pcapng;
1490 wth->subtype_read = pcapng_read;
1491 wth->subtype_seek_read = pcapng_seek_read;
1492 wth->subtype_close = pcapng_close;
1493 wth->file_type = WTAP_FILE_PCAPNG;
1499 /* classic wtap: read packet */
1501 pcapng_read(wtap *wth, int *err, gchar **err_info, gint64 *data_offset)
1503 pcapng_t *pcapng = (pcapng_t *)wth->priv;
1506 wtapng_block_t wblock;
1508 pcapng_debug1("pcapng_read: wth->data_offset is initially %" G_GINT64_MODIFIER "u", wth->data_offset);
1509 *data_offset = wth->data_offset;
1510 pcapng_debug1("pcapng_read: *data_offset is initially set to %" G_GINT64_MODIFIER "u", *data_offset);
1512 /* XXX - This should be done in the packet block reading function and
1513 * should make use of the caplen of the packet.
1515 if (wth->snapshot_length > 0) {
1516 buffer_assure_space(wth->frame_buffer, wth->snapshot_length);
1518 buffer_assure_space(wth->frame_buffer, WTAP_MAX_PACKET_SIZE);
1521 wblock.frame_buffer = buffer_start_ptr(wth->frame_buffer);
1522 wblock.pseudo_header = &wth->pseudo_header;
1523 wblock.packet_header = &wth->phdr;
1524 wblock.file_encap = &wth->file_encap;
1526 pcapng->add_new_ipv4 = wth->add_new_ipv4;
1527 pcapng->add_new_ipv6 = wth->add_new_ipv6;
1529 /* read next block */
1531 bytes_read = pcapng_read_block(wth->fh, FALSE, pcapng, &wblock, err, err_info);
1532 if (bytes_read <= 0) {
1533 wth->data_offset = *data_offset;
1534 pcapng_debug1("pcapng_read: wth->data_offset is finally %" G_GINT64_MODIFIER "u", wth->data_offset);
1535 pcapng_debug0("pcapng_read: couldn't read packet block");
1539 /* block must be a "Packet Block" or an "Enhanced Packet Block" -> otherwise continue */
1540 if (wblock.type == BLOCK_TYPE_PB || wblock.type == BLOCK_TYPE_EPB) {
1544 /* XXX - improve handling of "unknown" blocks */
1545 pcapng_debug1("pcapng_read: block type 0x%x not PB/EPB", wblock.type);
1546 *data_offset += bytes_read;
1547 pcapng_debug1("pcapng_read: *data_offset is updated to %" G_GINT64_MODIFIER "u", *data_offset);
1550 /* Combine the two 32-bit pieces of the timestamp into one 64-bit value */
1551 ts = (((guint64)wblock.data.packet.ts_high) << 32) | ((guint64)wblock.data.packet.ts_low);
1553 wth->phdr.caplen = wblock.data.packet.cap_len - wblock.data.packet.pseudo_header_len;
1554 wth->phdr.len = wblock.data.packet.packet_len - wblock.data.packet.pseudo_header_len;
1555 if (wblock.data.packet.interface_id < pcapng->number_of_interfaces) {
1556 interface_data_t int_data;
1557 guint64 time_units_per_second;
1560 id = (gint)wblock.data.packet.interface_id;
1561 int_data = g_array_index(pcapng->interface_data, interface_data_t, id);
1562 time_units_per_second = int_data.time_units_per_second;
1563 wth->phdr.pkt_encap = int_data.wtap_encap;
1564 wth->phdr.ts.secs = (time_t)(ts / time_units_per_second);
1565 wth->phdr.ts.nsecs = (int)(((ts % time_units_per_second) * 1000000000) / time_units_per_second);
1567 wth->phdr.pkt_encap = WTAP_ENCAP_UNKNOWN;
1568 *err = WTAP_ERR_BAD_RECORD;
1569 *err_info = g_strdup_printf("pcapng: interface index %u is not less than interface count %u.",
1570 wblock.data.packet.interface_id, pcapng->number_of_interfaces);
1571 wth->data_offset = *data_offset + bytes_read;
1572 pcapng_debug1("pcapng_read: wth->data_offset is finally %" G_GINT64_MODIFIER "u", wth->data_offset);
1576 /*pcapng_debug2("Read length: %u Packet length: %u", bytes_read, wth->phdr.caplen);*/
1577 wth->data_offset = *data_offset + bytes_read;
1578 pcapng_debug1("pcapng_read: wth->data_offset is finally %" G_GINT64_MODIFIER "u", wth->data_offset);
1584 /* classic wtap: seek to file position and read packet */
1586 pcapng_seek_read(wtap *wth, gint64 seek_off,
1587 union wtap_pseudo_header *pseudo_header, guchar *pd, int length _U_,
1588 int *err, gchar **err_info)
1590 pcapng_t *pcapng = (pcapng_t *)wth->priv;
1591 guint64 bytes_read64;
1593 wtapng_block_t wblock;
1596 /* seek to the right file position */
1597 bytes_read64 = file_seek(wth->random_fh, seek_off, SEEK_SET, err);
1598 if (bytes_read64 <= 0) {
1599 return FALSE; /* Seek error */
1601 pcapng_debug1("pcapng_seek_read: reading at offset %" G_GINT64_MODIFIER "u", seek_off);
1603 wblock.frame_buffer = pd;
1604 wblock.pseudo_header = pseudo_header;
1605 wblock.packet_header = &wth->phdr;
1606 wblock.file_encap = &wth->file_encap;
1608 /* read the block */
1609 bytes_read = pcapng_read_block(wth->random_fh, FALSE, pcapng, &wblock, err, err_info);
1610 if (bytes_read <= 0) {
1611 *err = file_error(wth->random_fh, err_info);
1612 pcapng_debug3("pcapng_seek_read: couldn't read packet block (err=%d, errno=%d, bytes_read=%d).",
1613 *err, errno, bytes_read);
1617 /* block must be a "Packet Block" or an "Enhanced Packet Block" */
1618 if (wblock.type != BLOCK_TYPE_PB && wblock.type != BLOCK_TYPE_EPB) {
1619 pcapng_debug1("pcapng_seek_read: block type %u not PB/EPB", wblock.type);
1627 /* classic wtap: close capture file */
1629 pcapng_close(wtap *wth)
1631 pcapng_t *pcapng = (pcapng_t *)wth->priv;
1633 pcapng_debug0("pcapng_close: closing file");
1634 if (pcapng->interface_data != NULL) {
1635 g_array_free(pcapng->interface_data, TRUE);
1642 GArray *interface_data;
1643 guint number_of_interfaces;
1644 struct addrinfo *addrinfo_list_last;
1648 pcapng_write_section_header_block(wtap_dumper *wdh, wtapng_block_t *wblock, int *err)
1650 pcapng_block_header_t bh;
1651 pcapng_section_header_block_t shb;
1654 /* write block header */
1655 bh.block_type = wblock->type;
1656 bh.block_total_length = sizeof(bh) + sizeof(shb) /* + options */ + 4;
1658 if (!wtap_dump_file_write(wdh, &bh, sizeof bh, err))
1660 wdh->bytes_dumped += sizeof bh;
1662 /* write block fixed content */
1663 /* XXX - get these values from wblock? */
1664 shb.magic = 0x1A2B3C4D;
1665 shb.version_major = 1;
1666 shb.version_minor = 0;
1667 shb.section_length = -1;
1669 if (!wtap_dump_file_write(wdh, &shb, sizeof shb, err))
1671 wdh->bytes_dumped += sizeof shb;
1673 /* XXX - write (optional) block options */
1675 /* write block footer */
1676 if (!wtap_dump_file_write(wdh, &bh.block_total_length,
1677 sizeof bh.block_total_length, err))
1679 wdh->bytes_dumped += sizeof bh.block_total_length;
1687 pcapng_write_if_descr_block(wtap_dumper *wdh, wtapng_block_t *wblock, int *err)
1689 pcapng_block_header_t bh;
1690 pcapng_interface_description_block_t idb;
1693 pcapng_debug3("pcapng_write_if_descr_block: encap = %d (%s), snaplen = %d",
1694 wblock->data.if_descr.link_type,
1695 wtap_encap_string(wtap_pcap_encap_to_wtap_encap(wblock->data.if_descr.link_type)),
1696 wblock->data.if_descr.snap_len);
1698 if (wblock->data.if_descr.link_type == (guint16)-1) {
1699 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
1703 /* write block header */
1704 bh.block_type = wblock->type;
1705 bh.block_total_length = sizeof(bh) + sizeof(idb) /* + options */ + 4;
1707 if (!wtap_dump_file_write(wdh, &bh, sizeof bh, err))
1709 wdh->bytes_dumped += sizeof bh;
1711 /* write block fixed content */
1712 idb.linktype = wblock->data.if_descr.link_type;
1714 idb.snaplen = wblock->data.if_descr.snap_len;
1716 if (!wtap_dump_file_write(wdh, &idb, sizeof idb, err))
1718 wdh->bytes_dumped += sizeof idb;
1720 /* XXX - write (optional) block options */
1722 /* write block footer */
1723 if (!wtap_dump_file_write(wdh, &bh.block_total_length,
1724 sizeof bh.block_total_length, err))
1726 wdh->bytes_dumped += sizeof bh.block_total_length;
1733 pcapng_write_packet_block(wtap_dumper *wdh, wtapng_block_t *wblock, int *err)
1735 pcapng_block_header_t bh;
1736 pcapng_enhanced_packet_block_t epb;
1737 const guint32 zero_pad = 0;
1741 phdr_len = (guint32)pcap_get_phdr_size(wblock->data.packet.wtap_encap, wblock->pseudo_header);
1742 if ((phdr_len + wblock->data.packet.cap_len) % 4) {
1743 pad_len = 4 - ((phdr_len + wblock->data.packet.cap_len) % 4);
1748 /* write (enhanced) packet block header */
1749 bh.block_type = wblock->type;
1750 bh.block_total_length = (guint32)sizeof(bh) + (guint32)sizeof(epb) + phdr_len + wblock->data.packet.cap_len + pad_len /* + options */ + 4;
1752 if (!wtap_dump_file_write(wdh, &bh, sizeof bh, err))
1754 wdh->bytes_dumped += sizeof bh;
1756 /* write block fixed content */
1757 epb.interface_id = wblock->data.packet.interface_id;
1758 epb.timestamp_high = wblock->data.packet.ts_high;
1759 epb.timestamp_low = wblock->data.packet.ts_low;
1760 epb.captured_len = wblock->data.packet.cap_len + phdr_len;
1761 epb.packet_len = wblock->data.packet.packet_len + phdr_len;
1763 if (!wtap_dump_file_write(wdh, &epb, sizeof epb, err))
1765 wdh->bytes_dumped += sizeof epb;
1767 /* write pseudo header */
1768 if (!pcap_write_phdr(wdh, wblock->data.packet.wtap_encap, wblock->pseudo_header, err)) {
1771 wdh->bytes_dumped += phdr_len;
1773 /* write packet data */
1774 if (!wtap_dump_file_write(wdh, wblock->frame_buffer,
1775 wblock->data.packet.cap_len, err))
1777 wdh->bytes_dumped += wblock->data.packet.cap_len;
1779 /* write padding (if any) */
1781 if (!wtap_dump_file_write(wdh, &zero_pad, pad_len, err))
1783 wdh->bytes_dumped += pad_len;
1786 /* XXX - write (optional) block options */
1788 /* write block footer */
1789 if (!wtap_dump_file_write(wdh, &bh.block_total_length,
1790 sizeof bh.block_total_length, err))
1792 wdh->bytes_dumped += sizeof bh.block_total_length;
1798 #define NRES_REC_MAX_SIZE ((WTAP_MAX_PACKET_SIZE * 4) + 16)
1800 pcapng_write_name_resolution_block(wtap_dumper *wdh, pcapng_dump_t *pcapng, int *err)
1802 pcapng_block_header_t bh;
1803 pcapng_name_resolution_block_t nrb;
1804 struct addrinfo *ai;
1805 struct sockaddr_in *sa4;
1806 struct sockaddr_in6 *sa6;
1808 gint rec_off, namelen, tot_rec_len;
1810 if (! pcapng->addrinfo_list_last || ! pcapng->addrinfo_list_last->ai_next) {
1814 rec_off = 8; /* block type + block total length */
1815 bh.block_type = BLOCK_TYPE_NRB;
1816 bh.block_total_length = rec_off + 8; /* end-of-record + block total length */
1817 rec_data = g_malloc(NRES_REC_MAX_SIZE);
1819 for (; pcapng->addrinfo_list_last && pcapng->addrinfo_list_last->ai_next; pcapng->addrinfo_list_last = pcapng->addrinfo_list_last->ai_next ) {
1820 ai = pcapng->addrinfo_list_last->ai_next; /* Skips over the first (dummy) entry */
1821 namelen = (gint)strlen(ai->ai_canonname) + 1;
1822 if (ai->ai_family == AF_INET) {
1823 nrb.record_type = NRES_IP4RECORD;
1824 nrb.record_len = 4 + namelen;
1825 tot_rec_len = 4 + nrb.record_len + PADDING4(nrb.record_len);
1826 bh.block_total_length += tot_rec_len;
1828 if (rec_off + tot_rec_len > NRES_REC_MAX_SIZE)
1832 * The joys of BSD sockaddrs. In practice, this
1833 * cast is alignment-safe.
1835 sa4 = (struct sockaddr_in *)(void *)ai->ai_addr;
1836 memcpy(rec_data + rec_off, &nrb, sizeof(nrb));
1839 memcpy(rec_data + rec_off, &(sa4->sin_addr.s_addr), 4);
1842 memcpy(rec_data + rec_off, ai->ai_canonname, namelen);
1845 memset(rec_data + rec_off, 0, PADDING4(namelen));
1846 rec_off += PADDING4(namelen);
1847 pcapng_debug1("NRB: added IPv4 record for %s", ai->ai_canonname);
1848 } else if (ai->ai_family == AF_INET6) {
1849 nrb.record_type = NRES_IP6RECORD;
1850 nrb.record_len = 16 + namelen;
1851 tot_rec_len = 4 + nrb.record_len + PADDING4(nrb.record_len);
1852 bh.block_total_length += tot_rec_len;
1854 if (rec_off + tot_rec_len > NRES_REC_MAX_SIZE)
1858 * The joys of BSD sockaddrs. In practice, this
1859 * cast is alignment-safe.
1861 sa6 = (struct sockaddr_in6 *)(void *)ai->ai_addr;
1862 memcpy(rec_data + rec_off, &nrb, sizeof(nrb));
1865 memcpy(rec_data + rec_off, sa6->sin6_addr.s6_addr, 16);
1868 memcpy(rec_data + rec_off, ai->ai_canonname, namelen);
1871 memset(rec_data + rec_off, 0, PADDING4(namelen));
1872 rec_off += PADDING4(namelen);
1873 pcapng_debug1("NRB: added IPv6 record for %s", ai->ai_canonname);
1877 /* We know the total length now; copy the block header. */
1878 memcpy(rec_data, &bh, sizeof(bh));
1881 memset(rec_data + rec_off, 0, 4);
1884 memcpy(rec_data + rec_off, &bh.block_total_length, sizeof(bh.block_total_length));
1886 if (!wtap_dump_file_write(wdh, rec_data, bh.block_total_length, err)) {
1892 wdh->bytes_dumped += bh.block_total_length;
1898 pcapng_write_block(wtap_dumper *wdh, /*pcapng_t *pn, */wtapng_block_t *wblock, int *err)
1900 switch(wblock->type) {
1901 case(BLOCK_TYPE_SHB):
1902 return pcapng_write_section_header_block(wdh, wblock, err);
1903 case(BLOCK_TYPE_IDB):
1904 return pcapng_write_if_descr_block(wdh, wblock, err);
1905 case(BLOCK_TYPE_PB):
1906 /* Packet Block is obsolete */
1908 case(BLOCK_TYPE_EPB):
1909 return pcapng_write_packet_block(wdh, wblock, err);
1911 pcapng_debug1("Unknown block_type: 0x%x", wblock->type);
1918 pcapng_lookup_interface_id_by_encap(int wtap_encap, wtap_dumper *wdh)
1921 interface_data_t int_data;
1922 pcapng_dump_t *pcapng = (pcapng_dump_t *)wdh->priv;
1924 for(i = 0; i < (gint)pcapng->number_of_interfaces; i++) {
1925 int_data = g_array_index(pcapng->interface_data, interface_data_t, i);
1926 if (wtap_encap == int_data.wtap_encap) {
1934 static gboolean pcapng_dump(wtap_dumper *wdh,
1935 const struct wtap_pkthdr *phdr,
1936 const union wtap_pseudo_header *pseudo_header,
1937 const guchar *pd, int *err)
1939 wtapng_block_t wblock;
1940 interface_data_t int_data;
1941 guint32 interface_id;
1943 pcapng_dump_t *pcapng = (pcapng_dump_t *)wdh->priv;
1945 pcapng_debug2("pcapng_dump: encap = %d (%s)",
1947 wtap_encap_string(phdr->pkt_encap));
1949 if (!pcapng->addrinfo_list_last)
1950 pcapng->addrinfo_list_last = wdh->addrinfo_list;
1952 interface_id = pcapng_lookup_interface_id_by_encap(phdr->pkt_encap, wdh);
1953 if (interface_id == G_MAXUINT32) {
1954 /* write the interface description block */
1955 wblock.frame_buffer = NULL;
1956 wblock.pseudo_header = NULL;
1957 wblock.packet_header = NULL;
1958 wblock.file_encap = NULL;
1959 wblock.type = BLOCK_TYPE_IDB;
1960 wblock.data.if_descr.link_type = wtap_wtap_encap_to_pcap_encap(phdr->pkt_encap);
1961 wblock.data.if_descr.snap_len = wdh->snaplen; /* XXX */
1963 /* XXX - options unused */
1964 wblock.data.if_descr.if_speed = -1;
1965 wblock.data.if_descr.if_tsresol = 6; /* default: usec */
1966 wblock.data.if_descr.if_os = NULL;
1967 wblock.data.if_descr.if_fcslen = -1;
1969 if (!pcapng_write_block(wdh, &wblock, err)) {
1973 interface_id = pcapng->number_of_interfaces;
1974 int_data.wtap_encap = phdr->pkt_encap;
1975 int_data.time_units_per_second = 0;
1976 g_array_append_val(pcapng->interface_data, int_data);
1977 pcapng->number_of_interfaces++;
1979 pcapng_debug3("pcapng_dump: added interface description block with index %u for encap = %d (%s).",
1982 wtap_encap_string(phdr->pkt_encap));
1985 /* Flush any hostname resolution info we may have */
1986 while (pcapng->addrinfo_list_last && pcapng->addrinfo_list_last->ai_next) {
1987 pcapng_write_name_resolution_block(wdh, pcapng, err);
1990 wblock.frame_buffer = pd;
1991 wblock.pseudo_header = pseudo_header;
1992 wblock.packet_header = NULL;
1993 wblock.file_encap = NULL;
1995 /* write the (enhanced) packet block */
1996 wblock.type = BLOCK_TYPE_EPB;
1998 /* default is to write out in microsecond resolution */
1999 ts = (((guint64)phdr->ts.secs) * 1000000) + (phdr->ts.nsecs / 1000);
2001 /* Split the 64-bit timestamp into two 32-bit pieces */
2002 wblock.data.packet.ts_high = (guint32)(ts >> 32);
2003 wblock.data.packet.ts_low = (guint32)ts;
2005 wblock.data.packet.cap_len = phdr->caplen;
2006 wblock.data.packet.packet_len = phdr->len;
2007 wblock.data.packet.interface_id = interface_id;
2008 wblock.data.packet.wtap_encap = phdr->pkt_encap;
2010 /* currently unused */
2011 wblock.data.packet.drop_count = -1;
2012 wblock.data.packet.opt_comment = NULL;
2014 if (!pcapng_write_block(wdh, &wblock, err)) {
2022 /* Finish writing to a dump file.
2023 Returns TRUE on success, FALSE on failure. */
2024 static gboolean pcapng_dump_close(wtap_dumper *wdh, int *err _U_)
2026 pcapng_dump_t *pcapng = (pcapng_dump_t *)wdh->priv;
2028 pcapng_debug0("pcapng_dump_close");
2029 g_array_free(pcapng->interface_data, TRUE);
2030 pcapng->number_of_interfaces = 0;
2035 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
2038 pcapng_dump_open(wtap_dumper *wdh, int *err)
2040 wtapng_block_t wblock;
2041 pcapng_dump_t *pcapng;
2043 wblock.frame_buffer = NULL;
2044 wblock.pseudo_header = NULL;
2045 wblock.packet_header = NULL;
2046 wblock.file_encap = NULL;
2048 pcapng_debug0("pcapng_dump_open");
2049 /* This is a pcapng file */
2050 wdh->subtype_write = pcapng_dump;
2051 wdh->subtype_close = pcapng_dump_close;
2052 pcapng = (pcapng_dump_t *)g_malloc0(sizeof(pcapng_dump_t));
2053 wdh->priv = (void *)pcapng;
2054 pcapng->interface_data = g_array_new(FALSE, FALSE, sizeof(interface_data_t));
2056 /* write the section header block */
2057 wblock.type = BLOCK_TYPE_SHB;
2058 wblock.data.section.section_length = -1;
2060 /* XXX - options unused */
2061 wblock.data.section.opt_comment = NULL;
2062 wblock.data.section.shb_hardware = NULL;
2063 wblock.data.section.shb_os = NULL;
2064 wblock.data.section.shb_user_appl = NULL;
2066 if (!pcapng_write_block(wdh, &wblock, err)) {
2069 pcapng_debug0("pcapng_dump_open: wrote section header block.");
2075 /* Returns 0 if we could write the specified encapsulation type,
2076 an error indication otherwise. */
2077 int pcapng_dump_can_write_encap(int wtap_encap)
2079 pcapng_debug2("pcapng_dump_can_write_encap: encap = %d (%s)",
2081 wtap_encap_string(wtap_encap));
2083 /* Per-packet encapsulations is supported. */
2084 if (wtap_encap == WTAP_ENCAP_PER_PACKET)
2087 /* Make sure we can figure out this DLT type */
2088 if (wtap_wtap_encap_to_pcap_encap(wtap_encap) == -1)
2089 return WTAP_ERR_UNSUPPORTED_ENCAP;