6 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
8 * File format support for pcap-ng file format
9 * Copyright (c) 2007 by Ulf Lamping <ulf.lamping@web.de>
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
26 /* File format reference:
27 * http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
29 * http://wiki.wireshark.org/Development/PcapNg
40 /* Needed for addrinfo */
41 #ifdef HAVE_SYS_TYPES_H
42 # include <sys/types.h>
45 #ifdef HAVE_SYS_SOCKET_H
46 #include <sys/socket.h>
49 #ifdef HAVE_NETINET_IN_H
50 # include <netinet/in.h>
57 #ifdef HAVE_WINSOCK2_H
58 # include <winsock2.h>
61 #if defined(_WIN32) && defined(INET6)
62 # include <ws2tcpip.h>
66 #include "file_wrappers.h"
69 #include "pcap-common.h"
70 #include "pcap-encap.h"
74 #define pcapng_debug0(str) g_warning(str)
75 #define pcapng_debug1(str,p1) g_warning(str,p1)
76 #define pcapng_debug2(str,p1,p2) g_warning(str,p1,p2)
77 #define pcapng_debug3(str,p1,p2,p3) g_warning(str,p1,p2,p3)
79 #define pcapng_debug0(str)
80 #define pcapng_debug1(str,p1)
81 #define pcapng_debug2(str,p1,p2)
82 #define pcapng_debug3(str,p1,p2,p3)
86 pcapng_read(wtap *wth, int *err, gchar **err_info,
89 pcapng_seek_read(wtap *wth, gint64 seek_off,
90 union wtap_pseudo_header *pseudo_header, guint8 *pd, int length,
91 int *err, gchar **err_info);
93 pcapng_close(wtap *wth);
96 /* pcapng: common block header for every block type */
97 typedef struct pcapng_block_header_s {
99 guint32 block_total_length;
100 /* x bytes block_body */
101 /* guint32 block_total_length */
102 } pcapng_block_header_t;
104 /* pcapng: section header block */
105 typedef struct pcapng_section_header_block_s {
106 /* pcapng_block_header_t */
108 guint16 version_major;
109 guint16 version_minor;
110 guint64 section_length; /* might be -1 for unknown */
111 /* ... Options ... */
112 } pcapng_section_header_block_t;
114 /* pcapng: interface description block */
115 typedef struct pcapng_interface_description_block_s {
119 /* ... Options ... */
120 } pcapng_interface_description_block_t;
122 /* pcapng: packet block (obsolete) */
123 typedef struct pcapng_packet_block_s {
124 guint16 interface_id;
126 guint32 timestamp_high;
127 guint32 timestamp_low;
128 guint32 captured_len;
130 /* ... Packet Data ... */
131 /* ... Padding ... */
132 /* ... Options ... */
133 } pcapng_packet_block_t;
135 /* pcapng: enhanced packet block */
136 typedef struct pcapng_enhanced_packet_block_s {
137 guint32 interface_id;
138 guint32 timestamp_high;
139 guint32 timestamp_low;
140 guint32 captured_len;
142 /* ... Packet Data ... */
143 /* ... Padding ... */
144 /* ... Options ... */
145 } pcapng_enhanced_packet_block_t;
147 /* pcapng: simple packet block */
148 typedef struct pcapng_simple_packet_block_s {
150 /* ... Packet Data ... */
151 /* ... Padding ... */
152 } pcapng_simple_packet_block_t;
154 /* pcapng: simple packet block */
155 typedef struct pcapng_name_resolution_block_s {
159 } pcapng_name_resolution_block_t;
161 /* pcapng: interface statistics block */
162 typedef struct pcapng_interface_statistics_block_s {
163 guint32 interface_id;
164 guint32 timestamp_high;
165 guint32 timestamp_low;
166 /* ... Options ... */
167 } pcapng_interface_statistics_block_t;
169 /* pcapng: common option header for every option type */
170 typedef struct pcapng_option_header_s {
172 guint16 option_length;
173 /* ... x bytes Option Body ... */
174 /* ... Padding ... */
175 } pcapng_option_header_t;
178 #define BLOCK_TYPE_IDB 0x00000001 /* Interface Description Block */
179 #define BLOCK_TYPE_PB 0x00000002 /* Packet Block (obsolete) */
180 #define BLOCK_TYPE_SPB 0x00000003 /* Simple Packet Block */
181 #define BLOCK_TYPE_NRB 0x00000004 /* Name Resolution Block */
182 #define BLOCK_TYPE_ISB 0x00000005 /* Interface Statistics Block */
183 #define BLOCK_TYPE_EPB 0x00000006 /* Enhanced Packet Block */
184 #define BLOCK_TYPE_SHB 0x0A0D0D0A /* Section Header Block */
188 /* Capture section */
189 typedef struct wtapng_section_s {
191 guint64 section_length;
193 gchar *opt_comment; /* NULL if not available */
194 gchar *shb_hardware; /* NULL if not available */
195 gchar *shb_os; /* NULL if not available */
196 gchar *shb_user_appl; /* NULL if not available */
199 /* Interface Description */
200 typedef struct wtapng_if_descr_s {
205 gchar *opt_comment; /* NULL if not available */
206 gchar *if_name; /* NULL if not available */
207 gchar *if_description;/* NULL if not available */
208 /* XXX: if_IPv4addr */
209 /* XXX: if_IPv6addr */
210 /* XXX: if_MACaddr */
211 /* XXX: if_EUIaddr */
212 guint64 if_speed; /* 0xFFFFFFFF if unknown */
213 guint8 if_tsresol; /* default is 6 for microsecond resolution */
214 gchar *if_filter; /* NULL if not available */
215 gchar *if_os; /* NULL if not available */
216 gint8 if_fcslen; /* -1 if unknown or changes between packets */
217 /* XXX: guint64 if_tsoffset; */
221 typedef struct wtapng_packet_s {
223 guint32 ts_high; /* seconds since 1.1.1970 */
224 guint32 ts_low; /* fraction of seconds, depends on if_tsresol */
225 guint32 cap_len; /* data length in the file */
226 guint32 packet_len; /* data length on the wire */
227 guint32 interface_id; /* identifier of the interface. */
228 guint16 drops_count; /* drops count, only valid for packet block */
229 /* 0xffff if information no available */
231 gchar *opt_comment; /* NULL if not available */
233 guint32 pack_flags; /* XXX - 0 for now (any value for "we don't have it"?) */
236 guint32 pseudo_header_len;
238 /* XXX - put the packet data / pseudo_header here as well? */
242 typedef struct wtapng_simple_packet_s {
244 guint32 cap_len; /* data length in the file */
245 guint32 packet_len; /* data length on the wire */
246 guint32 pseudo_header_len;
248 /* XXX - put the packet data / pseudo_header here as well? */
249 } wtapng_simple_packet_t;
251 /* Name Resolution */
252 typedef struct wtapng_name_res_s {
254 gchar *opt_comment; /* NULL if not available */
258 /* Interface Statistics */
259 typedef struct wtapng_if_stats_s {
261 guint64 interface_id;
265 gchar *opt_comment; /* NULL if not available */
267 /*guint32 isb_starttime_high;*/
268 /*guint32 isb_starttime_low;*/
269 /*guint32 isb_endtime_high;*/
270 /*guint32 isb_endtime_low;*/
273 /*guint64 isb_filteraccept;*/
274 /*guint64 isb_osdrop;*/
275 /*guint64 isb_usrdeliv;*/
279 typedef struct wtapng_block_s {
280 guint32 type; /* block_type as defined by pcapng */
282 wtapng_section_t section;
283 wtapng_if_descr_t if_descr;
284 wtapng_packet_t packet;
285 wtapng_simple_packet_t simple_packet;
286 wtapng_name_res_t name_res;
287 wtapng_if_stats_t if_stats;
291 * XXX - currently don't know how to handle these!
293 * For one thing, when we're reading a block, they must be
294 * writable, i.e. not const, so that we can read into them,
295 * but, when we're writing a block, they can be const, and,
296 * in fact, they sometimes point to const values.
298 const union wtap_pseudo_header *pseudo_header;
299 struct wtap_pkthdr *packet_header;
300 const guint8 *frame_buffer;
304 typedef struct interface_data_s {
306 guint64 time_units_per_second;
311 gboolean byte_swapped;
312 guint16 version_major;
313 guint16 version_minor;
315 GArray *interface_data;
316 guint number_of_interfaces;
317 wtap_new_ipv4_callback_t add_new_ipv4;
318 wtap_new_ipv6_callback_t add_new_ipv6;
322 pcapng_get_encap(gint id, pcapng_t *pn)
324 interface_data_t int_data;
326 if ((id >= 0) && ((guint)id < pn->number_of_interfaces)) {
327 int_data = g_array_index(pn->interface_data, interface_data_t, id);
328 return int_data.wtap_encap;
330 return WTAP_ERR_UNSUPPORTED_ENCAP;
336 pcapng_read_option(FILE_T fh, pcapng_t *pn, pcapng_option_header_t *oh,
337 char *content, int len, int *err, gchar **err_info)
341 guint64 file_offset64;
344 /* read option header */
345 errno = WTAP_ERR_CANT_READ;
346 bytes_read = file_read(oh, sizeof (*oh), fh);
347 if (bytes_read != sizeof (*oh)) {
348 pcapng_debug0("pcapng_read_option: failed to read option");
349 *err = file_error(fh, err_info);
354 block_read = sizeof (*oh);
355 if(pn->byte_swapped) {
356 oh->option_code = BSWAP16(oh->option_code);
357 oh->option_length = BSWAP16(oh->option_length);
360 /* sanity check: option length */
361 if (oh->option_length > len) {
362 pcapng_debug2("pcapng_read_option: option_length %u larger than buffer (%u)",
363 oh->option_length, len);
367 /* read option content */
368 errno = WTAP_ERR_CANT_READ;
369 bytes_read = file_read(content, oh->option_length, fh);
370 if (bytes_read != oh->option_length) {
371 pcapng_debug1("pcapng_read_option: failed to read content of option %u", oh->option_code);
372 *err = file_error(fh, err_info);
377 block_read += oh->option_length;
379 /* jump over potential padding bytes at end of option */
380 if( (oh->option_length % 4) != 0) {
381 file_offset64 = file_seek(fh, 4 - (oh->option_length % 4), SEEK_CUR, err);
382 if (file_offset64 <= 0) {
387 block_read += 4 - (oh->option_length % 4);
395 pcapng_read_section_header_block(FILE_T fh, gboolean first_block,
396 pcapng_block_header_t *bh, pcapng_t *pn,
397 wtapng_block_t *wblock, int *err,
403 pcapng_section_header_block_t shb;
404 pcapng_option_header_t oh;
405 char option_content[100]; /* XXX - size might need to be increased, if we see longer options */
408 /* read block content */
409 errno = WTAP_ERR_CANT_READ;
410 bytes_read = file_read(&shb, sizeof shb, fh);
411 if (bytes_read != sizeof shb) {
412 *err = file_error(fh, err_info);
416 * We're reading this as part of an open,
417 * and this block is too short to be
418 * an SHB, so the file is too short
419 * to be a pcap-ng file.
425 * Otherwise, just report this as an error.
427 *err = WTAP_ERR_SHORT_READ;
431 block_read = bytes_read;
433 /* is the magic number one we expect? */
436 /* this seems pcapng with correct byte order */
437 pn->byte_swapped = FALSE;
438 pn->version_major = shb.version_major;
439 pn->version_minor = shb.version_minor;
441 pcapng_debug3("pcapng_read_section_header_block: SHB (little endian) V%u.%u, len %u",
442 pn->version_major, pn->version_minor, bh->block_total_length);
445 /* this seems pcapng with swapped byte order */
446 pn->byte_swapped = TRUE;
447 pn->version_major = BSWAP16(shb.version_major);
448 pn->version_minor = BSWAP16(shb.version_minor);
450 /* tweak the block length to meet current swapping that we know now */
451 bh->block_total_length = BSWAP32(bh->block_total_length);
453 pcapng_debug3("pcapng_read_section_header_block: SHB (big endian) V%u.%u, len %u",
454 pn->version_major, pn->version_minor, bh->block_total_length);
457 /* Not a "pcapng" magic number we know about. */
459 /* Not a pcap-ng file. */
464 *err = WTAP_ERR_BAD_FILE;
465 *err_info = g_strdup_printf("pcapng_read_section_header_block: unknown byte-order magic number 0x%08x", shb.magic);
469 /* OK, at this point we assume it's a pcap-ng file. */
471 /* we currently only understand SHB V1.0 */
472 if (pn->version_major != 1 || pn->version_minor > 0) {
473 *err = WTAP_ERR_UNSUPPORTED;
474 *err_info = g_strdup_printf("pcapng_read_section_header_block: unknown SHB version %u.%u",
475 pn->version_major, pn->version_minor);
479 /* 64bit section_length (currently unused) */
480 if (pn->byte_swapped) {
481 wblock->data.section.section_length = BSWAP64(shb.section_length);
483 wblock->data.section.section_length = shb.section_length;
486 /* Option defaults */
487 wblock->data.section.opt_comment = NULL;
488 wblock->data.section.shb_hardware = NULL;
489 wblock->data.section.shb_os = NULL;
490 wblock->data.section.shb_user_appl = NULL;
493 errno = WTAP_ERR_CANT_READ;
494 to_read = bh->block_total_length
495 - (int)sizeof(pcapng_block_header_t)
496 - (int)sizeof (pcapng_section_header_block_t)
497 - (int)sizeof(bh->block_total_length);
500 bytes_read = pcapng_read_option(fh, pn, &oh, option_content, sizeof(option_content), err, err_info);
501 if (bytes_read <= 0) {
502 pcapng_debug0("pcapng_read_section_header_block: failed to read option");
505 block_read += bytes_read;
506 to_read -= bytes_read;
508 /* handle option content */
509 switch(oh.option_code) {
510 case(0): /* opt_endofopt */
512 pcapng_debug1("pcapng_read_section_header_block: %u bytes after opt_endofopt", to_read);
514 /* padding should be ok here, just get out of this */
517 case(1): /* opt_comment */
518 if(oh.option_length > 0 && oh.option_length < sizeof(option_content)) {
519 wblock->data.section.opt_comment = g_strndup(option_content, sizeof(option_content));
520 pcapng_debug1("pcapng_read_section_header_block: opt_comment %s", wblock->data.section.opt_comment);
522 pcapng_debug1("pcapng_read_section_header_block: opt_comment length %u seems strange", oh.option_length);
525 case(2): /* shb_hardware */
526 if(oh.option_length > 0 && oh.option_length < sizeof(option_content)) {
527 wblock->data.section.shb_hardware = g_strndup(option_content, sizeof(option_content));
528 pcapng_debug1("pcapng_read_section_header_block: shb_hardware %s", wblock->data.section.shb_hardware);
530 pcapng_debug1("pcapng_read_section_header_block: shb_hardware length %u seems strange", oh.option_length);
533 case(3): /* shb_os */
534 if(oh.option_length > 0 && oh.option_length < sizeof(option_content)) {
535 wblock->data.section.shb_os = g_strndup(option_content, sizeof(option_content));
536 pcapng_debug1("pcapng_read_section_header_block: shb_os %s", wblock->data.section.shb_os);
538 pcapng_debug1("pcapng_read_section_header_block: shb_os length %u seems strange", oh.option_length);
541 case(4): /* shb_userappl */
542 if(oh.option_length > 0 && oh.option_length < sizeof(option_content)) {
543 wblock->data.section.shb_user_appl = g_strndup(option_content, sizeof(option_content));
544 pcapng_debug1("pcapng_read_section_header_block: shb_userappl %s", wblock->data.section.shb_user_appl);
546 pcapng_debug1("pcapng_read_section_header_block: shb_userappl length %u seems strange", oh.option_length);
550 pcapng_debug2("pcapng_read_section_header_block: unknown option %u - ignoring %u bytes",
551 oh.option_code, oh.option_length);
555 if (pn->interface_data != NULL) {
556 g_array_free(pn->interface_data, TRUE);
557 pn->interface_data = NULL;
558 *err = WTAP_ERR_BAD_FILE;
559 *err_info = g_strdup_printf("pcapng: multiple section header blocks not supported.");
562 pn->interface_data = g_array_new(FALSE, FALSE, sizeof(interface_data_t));
563 pn->number_of_interfaces = 0;
569 /* "Interface Description Block" */
571 pcapng_read_if_descr_block(FILE_T fh, pcapng_block_header_t *bh, pcapng_t *pn,
572 wtapng_block_t *wblock, int *err, gchar **err_info)
574 guint64 time_units_per_second;
578 pcapng_interface_description_block_t idb;
579 pcapng_option_header_t oh;
580 interface_data_t int_data;
582 char option_content[100]; /* XXX - size might need to be increased, if we see longer options */
585 time_units_per_second = 1000000; /* default */
586 /* read block content */
587 errno = WTAP_ERR_CANT_READ;
588 bytes_read = file_read(&idb, sizeof idb, fh);
589 if (bytes_read != sizeof idb) {
590 pcapng_debug0("pcapng_read_if_descr_block: failed to read IDB");
591 *err = file_error(fh, err_info);
596 block_read = bytes_read;
598 /* mandatory values */
599 if (pn->byte_swapped) {
600 wblock->data.if_descr.link_type = BSWAP16(idb.linktype);
601 wblock->data.if_descr.snap_len = BSWAP32(idb.snaplen);
603 wblock->data.if_descr.link_type = idb.linktype;
604 wblock->data.if_descr.snap_len = idb.snaplen;
607 pcapng_debug3("pcapng_read_if_descr_block: IDB link_type %u (%s), snap %u",
608 wblock->data.if_descr.link_type,
609 wtap_encap_string(wtap_pcap_encap_to_wtap_encap(wblock->data.if_descr.link_type)),
610 wblock->data.if_descr.snap_len);
612 if (wblock->data.if_descr.snap_len > WTAP_MAX_PACKET_SIZE) {
613 /* This is unrealisitic, but text2pcap currently uses 102400.
614 * We do not use this value, maybe we should check the
615 * snap_len of the packets against it. For now, only warn.
617 pcapng_debug1("pcapng_read_if_descr_block: snapshot length %u unrealistic.",
618 wblock->data.if_descr.snap_len);
619 /*wblock->data.if_descr.snap_len = WTAP_MAX_PACKET_SIZE;*/
622 /* Option defaults */
623 wblock->data.if_descr.opt_comment = NULL;
624 wblock->data.if_descr.if_name = NULL;
625 wblock->data.if_descr.if_description = NULL;
626 /* XXX: if_IPv4addr */
627 /* XXX: if_IPv6addr */
628 /* XXX: if_MACaddr */
629 /* XXX: if_EUIaddr */
630 wblock->data.if_descr.if_speed = 0xFFFFFFFF; /* "unknown" */
631 wblock->data.if_descr.if_tsresol = 6; /* default is 6 for microsecond resolution */
632 wblock->data.if_descr.if_filter = NULL;
633 wblock->data.if_descr.if_os = NULL;
634 wblock->data.if_descr.if_fcslen = -1; /* unknown or changes between packets */
635 /* XXX: guint64 if_tsoffset; */
639 errno = WTAP_ERR_CANT_READ;
640 to_read = bh->block_total_length
641 - (int)sizeof(pcapng_block_header_t)
642 - (int)sizeof (pcapng_interface_description_block_t)
643 - (int)sizeof(bh->block_total_length);
644 while (to_read > 0) {
646 bytes_read = pcapng_read_option(fh, pn, &oh, option_content, sizeof(option_content), err, err_info);
647 if (bytes_read <= 0) {
648 pcapng_debug0("pcapng_read_if_descr_block: failed to read option");
651 block_read += bytes_read;
652 to_read -= bytes_read;
654 /* handle option content */
655 switch(oh.option_code) {
656 case(0): /* opt_endofopt */
658 pcapng_debug1("pcapng_read_if_descr_block: %u bytes after opt_endofopt", to_read);
660 /* padding should be ok here, just get out of this */
663 case(1): /* opt_comment */
664 if(oh.option_length > 0 && oh.option_length < sizeof(option_content)) {
665 wblock->data.if_descr.opt_comment = g_strndup(option_content, sizeof(option_content));
666 pcapng_debug1("pcapng_read_if_descr_block: opt_comment %s", wblock->data.if_descr.opt_comment);
668 pcapng_debug1("pcapng_read_if_descr_block: opt_comment length %u seems strange", oh.option_length);
671 case(2): /* if_name */
672 if(oh.option_length > 0 && oh.option_length < sizeof(option_content)) {
673 wblock->data.if_descr.if_name = g_strndup(option_content, sizeof(option_content));
674 pcapng_debug1("pcapng_read_if_descr_block: if_name %s", wblock->data.if_descr.if_name);
676 pcapng_debug1("pcapng_read_if_descr_block: if_name length %u seems strange", oh.option_length);
679 case(3): /* if_description */
680 if(oh.option_length > 0 && oh.option_length < sizeof(option_content)) {
681 wblock->data.if_descr.if_description = g_strndup(option_content, sizeof(option_content));
682 pcapng_debug1("pcapng_read_if_descr_block: if_description %s", wblock->data.if_descr.if_description);
684 pcapng_debug1("pcapng_read_if_descr_block: if_description length %u seems strange", oh.option_length);
687 case(8): /* if_speed */
688 if(oh.option_length == 8) {
689 /* Don't cast a char[] into a guint64--the
690 * char[] may not be aligned correctly.
692 memcpy(&wblock->data.if_descr.if_speed, option_content, sizeof(guint64));
694 wblock->data.if_descr.if_speed = BSWAP64(wblock->data.if_descr.if_speed);
695 pcapng_debug1("pcapng_read_if_descr_block: if_speed %" G_GINT64_MODIFIER "u (bps)", wblock->data.if_descr.if_speed);
697 pcapng_debug1("pcapng_read_if_descr_block: if_speed length %u not 8 as expected", oh.option_length);
700 case(9): /* if_tsresol */
701 if (oh.option_length == 1) {
706 wblock->data.if_descr.if_tsresol = option_content[0];
707 if (wblock->data.if_descr.if_tsresol & 0x80) {
712 exponent = (guint8)(wblock->data.if_descr.if_tsresol & 0x7f);
713 if (((base == 2) && (exponent < 64)) || ((base == 10) && (exponent < 20))) {
715 for (i = 0; i < exponent; i++) {
718 time_units_per_second = result;
720 time_units_per_second = G_MAXUINT64;
722 if (time_units_per_second > (((guint64)1) << 32)) {
723 pcapng_debug0("pcapng_open: time conversion might be inaccurate");
725 pcapng_debug1("pcapng_read_if_descr_block: if_tsresol %u", wblock->data.if_descr.if_tsresol);
727 pcapng_debug1("pcapng_read_if_descr_block: if_tsresol length %u not 1 as expected", oh.option_length);
730 case(11): /* if_filter */
731 if(oh.option_length > 0 && oh.option_length < sizeof(option_content)) {
732 wblock->data.if_descr.if_filter = g_strndup(option_content, sizeof(option_content));
733 pcapng_debug1("pcapng_read_if_descr_block: if_filter %s", wblock->data.if_descr.if_filter);
735 pcapng_debug1("pcapng_read_if_descr_block: if_filter length %u seems strange", oh.option_length);
738 case(13): /* if_fcslen */
739 if(oh.option_length == 1) {
740 wblock->data.if_descr.if_fcslen = option_content[0];
741 pn->if_fcslen = wblock->data.if_descr.if_fcslen;
742 pcapng_debug1("pcapng_read_if_descr_block: if_fcslen %u", wblock->data.if_descr.if_fcslen);
743 /* XXX - add sanity check */
745 pcapng_debug1("pcapng_read_if_descr_block: if_fcslen length %u not 1 as expected", oh.option_length);
749 pcapng_debug2("pcapng_read_if_descr_block: unknown option %u - ignoring %u bytes",
750 oh.option_code, oh.option_length);
754 encap = wtap_pcap_encap_to_wtap_encap(wblock->data.if_descr.link_type);
755 if (*wblock->file_encap == WTAP_ENCAP_UNKNOWN) {
756 *wblock->file_encap = encap;
758 if (*wblock->file_encap != encap) {
759 *wblock->file_encap = WTAP_ENCAP_PER_PACKET;
763 int_data.wtap_encap = encap;
764 int_data.time_units_per_second = time_units_per_second;
765 g_array_append_val(pn->interface_data, int_data);
766 pn->number_of_interfaces++;
772 pcapng_read_packet_block(FILE_T fh, pcapng_block_header_t *bh, pcapng_t *pn, wtapng_block_t *wblock, int *err, gchar **err_info, gboolean enhanced)
777 guint64 file_offset64;
778 pcapng_enhanced_packet_block_t epb;
779 pcapng_packet_block_t pb;
780 guint32 block_total_length;
781 pcapng_option_header_t oh;
783 int pseudo_header_len;
784 char option_content[100]; /* XXX - size might need to be increased, if we see longer options */
787 /* "(Enhanced) Packet Block" read fixed part */
788 errno = WTAP_ERR_CANT_READ;
790 bytes_read = file_read(&epb, sizeof epb, fh);
791 if (bytes_read != sizeof epb) {
792 pcapng_debug0("pcapng_read_packet_block: failed to read packet data");
793 *err = file_error(fh, err_info);
796 block_read = bytes_read;
798 if (pn->byte_swapped) {
799 wblock->data.packet.interface_id = BSWAP32(epb.interface_id);
800 wblock->data.packet.drops_count = -1; /* invalid */
801 wblock->data.packet.ts_high = BSWAP32(epb.timestamp_high);
802 wblock->data.packet.ts_low = BSWAP32(epb.timestamp_low);
803 wblock->data.packet.cap_len = BSWAP32(epb.captured_len);
804 wblock->data.packet.packet_len = BSWAP32(epb.packet_len);
806 wblock->data.packet.interface_id = epb.interface_id;
807 wblock->data.packet.drops_count = -1; /* invalid */
808 wblock->data.packet.ts_high = epb.timestamp_high;
809 wblock->data.packet.ts_low = epb.timestamp_low;
810 wblock->data.packet.cap_len = epb.captured_len;
811 wblock->data.packet.packet_len = epb.packet_len;
814 bytes_read = file_read(&pb, sizeof pb, fh);
815 if (bytes_read != sizeof pb) {
816 pcapng_debug0("pcapng_read_packet_block: failed to read packet data");
817 *err = file_error(fh, err_info);
820 block_read = bytes_read;
822 if (pn->byte_swapped) {
823 wblock->data.packet.interface_id = BSWAP16(pb.interface_id);
824 wblock->data.packet.drops_count = BSWAP16(pb.drops_count);
825 wblock->data.packet.ts_high = BSWAP32(pb.timestamp_high);
826 wblock->data.packet.ts_low = BSWAP32(pb.timestamp_low);
827 wblock->data.packet.cap_len = BSWAP32(pb.captured_len);
828 wblock->data.packet.packet_len = BSWAP32(pb.packet_len);
830 wblock->data.packet.interface_id = pb.interface_id;
831 wblock->data.packet.drops_count = pb.drops_count;
832 wblock->data.packet.ts_high = pb.timestamp_high;
833 wblock->data.packet.ts_low = pb.timestamp_low;
834 wblock->data.packet.cap_len = pb.captured_len;
835 wblock->data.packet.packet_len = pb.packet_len;
839 if (wblock->data.packet.cap_len > wblock->data.packet.packet_len) {
840 *err = WTAP_ERR_BAD_FILE;
841 *err_info = g_strdup_printf("pcapng_read_packet_block: cap_len %u is larger than packet_len %u.",
842 wblock->data.packet.cap_len, wblock->data.packet.packet_len);
845 if (wblock->data.packet.cap_len > WTAP_MAX_PACKET_SIZE) {
846 *err = WTAP_ERR_BAD_FILE;
847 *err_info = g_strdup_printf("pcapng_read_packet_block: cap_len %u is larger than WTAP_MAX_PACKET_SIZE %u.",
848 wblock->data.packet.cap_len, WTAP_MAX_PACKET_SIZE);
851 pcapng_debug3("pcapng_read_packet_block: packet data: packet_len %u captured_len %u interface_id %u",
852 wblock->data.packet.packet_len,
853 wblock->data.packet.cap_len,
854 wblock->data.packet.interface_id);
856 wtap_encap = pcapng_get_encap(wblock->data.packet.interface_id, pn);
857 pcapng_debug3("pcapng_read_packet_block: encapsulation = %d (%s), pseudo header size = %d.",
859 wtap_encap_string(wtap_encap),
860 pcap_get_phdr_size(wtap_encap, wblock->pseudo_header));
862 memset((void *)wblock->pseudo_header, 0, sizeof(union wtap_pseudo_header));
863 pseudo_header_len = pcap_process_pseudo_header(fh,
866 wblock->data.packet.cap_len,
868 wblock->packet_header,
869 (union wtap_pseudo_header *)wblock->pseudo_header,
872 if (pseudo_header_len < 0) {
875 wblock->data.packet.pseudo_header_len = (guint32)pseudo_header_len;
876 block_read += pseudo_header_len;
877 if (pseudo_header_len != pcap_get_phdr_size(wtap_encap, wblock->pseudo_header)) {
878 pcapng_debug1("pcapng_read_packet_block: Could only read %d bytes for pseudo header.",
882 /* "(Enhanced) Packet Block" read capture data */
883 errno = WTAP_ERR_CANT_READ;
884 bytes_read = file_read((guint8 *) (wblock->frame_buffer), wblock->data.packet.cap_len - pseudo_header_len, fh);
885 if (bytes_read != (int) (wblock->data.packet.cap_len - pseudo_header_len)) {
886 *err = file_error(fh, err_info);
887 pcapng_debug1("pcapng_read_packet_block: couldn't read %u bytes of captured data",
888 wblock->data.packet.cap_len - pseudo_header_len);
890 *err = WTAP_ERR_SHORT_READ;
893 block_read += bytes_read;
895 /* jump over potential padding bytes at end of the packet data */
896 if( (wblock->data.packet.cap_len % 4) != 0) {
897 file_offset64 = file_seek(fh, 4 - (wblock->data.packet.cap_len % 4), SEEK_CUR, err);
898 if (file_offset64 <= 0) {
903 block_read += 4 - (wblock->data.packet.cap_len % 4);
906 /* add padding bytes to "block total length" */
907 /* (the "block total length" of some example files don't contain the packet data padding bytes!) */
908 if (bh->block_total_length % 4) {
909 block_total_length = bh->block_total_length + 4 - (bh->block_total_length % 4);
911 block_total_length = bh->block_total_length;
914 /* Option defaults */
915 wblock->data.packet.opt_comment = NULL;
916 wblock->data.packet.drop_count = -1;
917 wblock->data.packet.pack_flags = 0; /* XXX - is 0 ok to signal "not used"? */
919 /* FCS length default */
920 fcslen = pn->if_fcslen;
923 errno = WTAP_ERR_CANT_READ;
924 to_read = block_total_length
925 - (int)sizeof(pcapng_block_header_t)
926 - block_read /* fixed and variable part, including padding */
927 - (int)sizeof(bh->block_total_length);
930 bytes_read = pcapng_read_option(fh, pn, &oh, option_content, sizeof(option_content), err, err_info);
931 if (bytes_read <= 0) {
932 pcapng_debug0("pcapng_read_packet_block: failed to read option");
935 block_read += bytes_read;
936 to_read -= bytes_read;
938 /* handle option content */
939 switch(oh.option_code) {
940 case(0): /* opt_endofopt */
942 pcapng_debug1("pcapng_read_packet_block: %u bytes after opt_endofopt", to_read);
944 /* padding should be ok here, just get out of this */
947 case(1): /* opt_comment */
948 if(oh.option_length > 0 && oh.option_length < sizeof(option_content)) {
949 wblock->data.packet.opt_comment = g_strndup(option_content, sizeof(option_content));
950 pcapng_debug1("pcapng_read_packet_block: opt_comment %s", wblock->data.packet.opt_comment);
952 pcapng_debug1("pcapng_read_packet_block: opt_comment length %u seems strange", oh.option_length);
955 case(2): /* pack_flags / epb_flags */
956 if(oh.option_length == 4) {
957 /* Don't cast a char[] into a guint32--the
958 * char[] may not be aligned correctly.
960 memcpy(&wblock->data.packet.pack_flags, option_content, sizeof(guint32));
962 wblock->data.packet.pack_flags = BSWAP32(wblock->data.packet.pack_flags);
963 if (wblock->data.packet.pack_flags & 0x000001E0) {
964 /* The FCS length is present */
965 fcslen = (wblock->data.packet.pack_flags & 0x000001E0) >> 5;
967 pcapng_debug1("pcapng_read_if_descr_block: pack_flags %u (ignored)", wblock->data.packet.pack_flags);
969 pcapng_debug1("pcapng_read_if_descr_block: pack_flags length %u not 4 as expected", oh.option_length);
973 pcapng_debug2("pcapng_read_packet_block: unknown option %u - ignoring %u bytes",
974 oh.option_code, oh.option_length);
978 pcap_read_post_process(WTAP_FILE_PCAPNG, wtap_encap,
979 (union wtap_pseudo_header *)wblock->pseudo_header,
980 (guint8 *) (wblock->frame_buffer),
981 (int) (wblock->data.packet.cap_len - pseudo_header_len),
982 pn->byte_swapped, fcslen);
988 pcapng_read_simple_packet_block(FILE_T fh, pcapng_block_header_t *bh, pcapng_t *pn, wtapng_block_t *wblock, int *err, gchar **err_info)
992 guint64 file_offset64;
994 int pseudo_header_len;
995 pcapng_simple_packet_block_t spb;
998 /* "Simple Packet Block" read fixed part */
999 errno = WTAP_ERR_CANT_READ;
1000 bytes_read = file_read(&spb, sizeof spb, fh);
1001 if (bytes_read != sizeof spb) {
1002 pcapng_debug0("pcapng_read_simple_packet_block: failed to read packet data");
1003 *err = file_error(fh, err_info);
1006 block_read = bytes_read;
1008 if (pn->byte_swapped) {
1009 wblock->data.simple_packet.packet_len = BSWAP32(spb.packet_len);
1011 wblock->data.simple_packet.packet_len = spb.packet_len;
1014 wblock->data.simple_packet.cap_len = bh->block_total_length
1015 - (guint32)sizeof(pcapng_simple_packet_block_t)
1016 - (guint32)sizeof(bh->block_total_length);
1018 if (wblock->data.simple_packet.cap_len > WTAP_MAX_PACKET_SIZE) {
1019 *err = WTAP_ERR_BAD_FILE;
1020 *err_info = g_strdup_printf("pcapng_read_simple_packet_block: cap_len %u is larger than WTAP_MAX_PACKET_SIZE %u.",
1021 wblock->data.simple_packet.cap_len, WTAP_MAX_PACKET_SIZE);
1024 pcapng_debug1("pcapng_read_simple_packet_block: packet data: packet_len %u",
1025 wblock->data.simple_packet.packet_len);
1027 encap = pcapng_get_encap(0, pn);
1028 pcapng_debug1("pcapng_read_simple_packet_block: Need to read pseudo header of size %d",
1029 pcap_get_phdr_size(encap, wblock->pseudo_header));
1031 memset((void *)wblock->pseudo_header, 0, sizeof(union wtap_pseudo_header));
1032 pseudo_header_len = pcap_process_pseudo_header(fh,
1035 wblock->data.simple_packet.cap_len,
1037 wblock->packet_header,
1038 (union wtap_pseudo_header *)wblock->pseudo_header,
1041 if (pseudo_header_len < 0) {
1044 wblock->data.simple_packet.pseudo_header_len = (guint32)pseudo_header_len;
1045 block_read += pseudo_header_len;
1046 if (pseudo_header_len != pcap_get_phdr_size(encap, wblock->pseudo_header)) {
1047 pcapng_debug1("pcapng_read_simple_packet_block: Could only read %d bytes for pseudo header.",
1051 memset((void *)wblock->pseudo_header, 0, sizeof(union wtap_pseudo_header));
1053 /* "Simple Packet Block" read capture data */
1054 errno = WTAP_ERR_CANT_READ;
1055 bytes_read = file_read((guint8 *) (wblock->frame_buffer), wblock->data.simple_packet.cap_len, fh);
1056 if (bytes_read != (int) wblock->data.simple_packet.cap_len) {
1057 *err = file_error(fh, err_info);
1058 pcapng_debug1("pcapng_read_simple_packet_block: couldn't read %u bytes of captured data",
1059 wblock->data.simple_packet.cap_len);
1061 *err = WTAP_ERR_SHORT_READ;
1064 block_read += bytes_read;
1066 /* jump over potential padding bytes at end of the packet data */
1067 if ((wblock->data.simple_packet.cap_len % 4) != 0) {
1068 file_offset64 = file_seek(fh, 4 - (wblock->data.simple_packet.cap_len % 4), SEEK_CUR, err);
1069 if (file_offset64 <= 0) {
1074 block_read += 4 - (wblock->data.simple_packet.cap_len % 4);
1077 pcap_read_post_process(WTAP_FILE_PCAPNG, encap,
1078 (union wtap_pseudo_header *)wblock->pseudo_header,
1079 (guint8 *) (wblock->frame_buffer),
1080 (int) wblock->data.simple_packet.cap_len,
1081 pn->byte_swapped, pn->if_fcslen);
1085 #define NRES_ENDOFRECORD 0
1086 #define NRES_IP4RECORD 1
1087 #define NRES_IP6RECORD 2
1088 #define PADDING4(x) ((((x + 3) >> 2) << 2) - x)
1089 /* IPv6 + MAXNAMELEN */
1090 #define MAX_NRB_REC_SIZE (16 + 64)
1092 pcapng_read_name_resolution_block(FILE_T fh, pcapng_block_header_t *bh, pcapng_t *pn, wtapng_block_t *wblock _U_,int *err, gchar **err_info)
1097 guint64 file_offset64;
1098 pcapng_name_resolution_block_t nrb;
1099 guint8 nrb_rec[MAX_NRB_REC_SIZE];
1102 errno = WTAP_ERR_CANT_READ;
1103 to_read = bh->block_total_length
1104 - sizeof(pcapng_block_header_t)
1105 - sizeof(bh->block_total_length);
1107 while (block_read < to_read) {
1108 bytes_read = file_read(&nrb, sizeof nrb, fh);
1109 if (bytes_read != sizeof nrb) {
1110 pcapng_debug0("pcapng_read_name_resolution_block: failed to read record header");
1111 *err = file_error(fh, err_info);
1114 block_read += bytes_read;
1116 if (pn->byte_swapped) {
1117 nrb.record_type = BSWAP16(nrb.record_type);
1118 nrb.record_len = BSWAP16(nrb.record_len);
1121 switch(nrb.record_type) {
1122 case NRES_ENDOFRECORD:
1123 /* There shouldn't be any more data */
1126 case NRES_IP4RECORD:
1127 if (nrb.record_len < 6 || nrb.record_len > MAX_NRB_REC_SIZE || to_read < nrb.record_len) {
1128 pcapng_debug0("pcapng_read_name_resolution_block: bad length or insufficient data for IPv4 record");
1131 bytes_read = file_read(nrb_rec, nrb.record_len, fh);
1132 if (bytes_read != nrb.record_len) {
1133 pcapng_debug0("pcapng_read_name_resolution_block: failed to read IPv4 record data");
1134 *err = file_error(fh, err_info);
1137 block_read += bytes_read;
1139 if (pn->add_new_ipv4) {
1140 memcpy(&v4_addr, nrb_rec, 4);
1141 if (pn->byte_swapped)
1142 v4_addr = BSWAP32(v4_addr);
1143 pn->add_new_ipv4(v4_addr, nrb_rec + 4);
1146 file_offset64 = file_seek(fh, PADDING4(nrb.record_len), SEEK_CUR, err);
1147 if (file_offset64 <= 0) {
1152 block_read += PADDING4(nrb.record_len);
1154 case NRES_IP6RECORD:
1155 if (nrb.record_len < 18 || nrb.record_len > MAX_NRB_REC_SIZE || to_read < nrb.record_len) {
1156 pcapng_debug0("pcapng_read_name_resolution_block: bad length or insufficient data for IPv6 record");
1159 bytes_read = file_read(nrb_rec, nrb.record_len, fh);
1160 if (bytes_read != nrb.record_len) {
1161 pcapng_debug0("pcapng_read_name_resolution_block: failed to read IPv6 record data");
1162 *err = file_error(fh, err_info);
1165 block_read += bytes_read;
1167 if (pn->add_new_ipv6) {
1168 pn->add_new_ipv6(nrb_rec, nrb_rec + 16);
1171 file_offset64 = file_seek(fh, PADDING4(nrb.record_len), SEEK_CUR, err);
1172 if (file_offset64 <= 0) {
1177 block_read += PADDING4(nrb.record_len);
1180 pcapng_debug1("pcapng_read_name_resolution_block: unknown record type 0x%x", nrb.record_type);
1181 file_offset64 = file_seek(fh, nrb.record_len + PADDING4(nrb.record_len), SEEK_CUR, err);
1182 if (file_offset64 <= 0) {
1187 block_read += nrb.record_len + PADDING4(nrb.record_len);
1196 pcapng_read_interface_statistics_block(FILE_T fh, pcapng_block_header_t *bh, pcapng_t *pn, wtapng_block_t *wblock,int *err, gchar **err_info)
1201 pcapng_interface_statistics_block_t isb;
1202 pcapng_option_header_t oh;
1203 char option_content[100]; /* XXX - size might need to be increased, if we see longer options */
1206 /* "Interface Statistics Block" read fixed part */
1207 errno = WTAP_ERR_CANT_READ;
1208 bytes_read = file_read(&isb, sizeof isb, fh);
1209 if (bytes_read != sizeof isb) {
1210 pcapng_debug0("pcapng_read_interface_statistics_block: failed to read packet data");
1211 *err = file_error(fh, err_info);
1214 block_read = bytes_read;
1216 if(pn->byte_swapped) {
1217 wblock->data.if_stats.interface_id = BSWAP64(isb.interface_id);
1218 wblock->data.if_stats.ts_high = BSWAP32(isb.timestamp_high);
1219 wblock->data.if_stats.ts_low = BSWAP32(isb.timestamp_low);
1221 wblock->data.if_stats.interface_id = isb.interface_id;
1222 wblock->data.if_stats.ts_high = isb.timestamp_high;
1223 wblock->data.if_stats.ts_low = isb.timestamp_low;
1225 pcapng_debug1("pcapng_read_interface_statistics_block: interface_id %" G_GINT64_MODIFIER "u", wblock->data.if_stats.interface_id);
1227 /* Option defaults */
1228 wblock->data.if_stats.opt_comment = NULL;
1229 wblock->data.if_stats.isb_ifrecv = -1;
1230 wblock->data.if_stats.isb_ifdrop = -1;
1233 errno = WTAP_ERR_CANT_READ;
1234 to_read = bh->block_total_length
1235 - sizeof(pcapng_block_header_t)
1236 - block_read /* fixed and variable part, including padding */
1237 - sizeof(bh->block_total_length);
1238 while(to_read > 0) {
1240 bytes_read = pcapng_read_option(fh, pn, &oh, option_content, sizeof(option_content), err, err_info);
1241 if (bytes_read <= 0) {
1242 pcapng_debug0("pcapng_read_interface_statistics_block: failed to read option");
1245 block_read += bytes_read;
1246 to_read -= bytes_read;
1248 /* handle option content */
1249 switch(oh.option_code) {
1250 case(0): /* opt_endofopt */
1252 pcapng_debug1("pcapng_read_interface_statistics_block: %u bytes after opt_endofopt", to_read);
1254 /* padding should be ok here, just get out of this */
1257 case(1): /* opt_comment */
1258 if(oh.option_length > 0 && oh.option_length < sizeof(option_content)) {
1259 wblock->data.if_stats.opt_comment = g_strndup(option_content, sizeof(option_content));
1260 pcapng_debug1("pcapng_read_interface_statistics_block: opt_comment %s", wblock->data.if_stats.opt_comment);
1262 pcapng_debug1("pcapng_read_interface_statistics_block: opt_comment length %u seems strange", oh.option_length);
1265 case(4): /* isb_ifrecv */
1266 if(oh.option_length == 8) {
1267 /* Don't cast a char[] into a guint32--the
1268 * char[] may not be aligned correctly.
1270 memcpy(&wblock->data.if_stats.isb_ifrecv, option_content, sizeof(guint64));
1271 if(pn->byte_swapped)
1272 wblock->data.if_stats.isb_ifrecv = BSWAP64(wblock->data.if_stats.isb_ifrecv);
1273 pcapng_debug1("pcapng_read_interface_statistics_block: isb_ifrecv %" G_GINT64_MODIFIER "u", wblock->data.if_stats.isb_ifrecv);
1275 pcapng_debug1("pcapng_read_interface_statistics_block: isb_ifrecv length %u not 8 as expected", oh.option_length);
1278 case(5): /* isb_ifdrop */
1279 if(oh.option_length == 8) {
1280 /* Don't cast a char[] into a guint32--the
1281 * char[] may not be aligned correctly.
1283 memcpy(&wblock->data.if_stats.isb_ifdrop, option_content, sizeof(guint64));
1284 if(pn->byte_swapped)
1285 wblock->data.if_stats.isb_ifdrop = BSWAP64(wblock->data.if_stats.isb_ifdrop);
1286 pcapng_debug1("pcapng_read_interface_statistics_block: isb_ifdrop %" G_GINT64_MODIFIER "u", wblock->data.if_stats.isb_ifdrop);
1288 pcapng_debug1("pcapng_read_interface_statistics_block: isb_ifdrop length %u not 8 as expected", oh.option_length);
1292 pcapng_debug2("pcapng_read_interface_statistics_block: unknown option %u - ignoring %u bytes",
1293 oh.option_code, oh.option_length);
1302 pcapng_read_unknown_block(FILE_T fh, pcapng_block_header_t *bh, pcapng_t *pn _U_, wtapng_block_t *wblock _U_,int *err, gchar **err_info _U_)
1305 guint64 file_offset64;
1306 guint32 block_total_length;
1309 /* add padding bytes to "block total length" */
1310 /* (the "block total length" of some example files don't contain any padding bytes!) */
1311 if (bh->block_total_length % 4) {
1312 block_total_length = bh->block_total_length + 4 - (bh->block_total_length % 4);
1314 block_total_length = bh->block_total_length;
1317 block_read = block_total_length - (guint32)sizeof(pcapng_block_header_t) - (guint32)sizeof(bh->block_total_length);
1319 /* jump over this unknown block */
1320 file_offset64 = file_seek(fh, block_read, SEEK_CUR, err);
1321 if (file_offset64 <= 0) {
1332 pcapng_read_block(FILE_T fh, gboolean first_block, pcapng_t *pn, wtapng_block_t *wblock, int *err, gchar **err_info)
1336 pcapng_block_header_t bh;
1337 guint32 block_total_length;
1340 /* Try to read the (next) block header */
1341 errno = WTAP_ERR_CANT_READ;
1342 bytes_read = file_read(&bh, sizeof bh, fh);
1343 if (bytes_read != sizeof bh) {
1344 *err = file_error(fh, err_info);
1345 pcapng_debug3("pcapng_read_block: file_read() returned %d instead of %u, err = %d.", bytes_read, (unsigned int)sizeof bh, *err);
1351 block_read = bytes_read;
1352 if (pn->byte_swapped) {
1353 bh.block_type = BSWAP32(bh.block_type);
1354 bh.block_total_length = BSWAP32(bh.block_total_length);
1357 wblock->type = bh.block_type;
1359 pcapng_debug1("pcapng_read_block: block_type 0x%x", bh.block_type);
1363 * This is being read in by pcapng_open(), so this block
1364 * must be an SHB. If it's not, this is not a pcap-ng
1367 * XXX - check for various forms of Windows <-> UN*X
1368 * mangling, and suggest that the file might be a
1369 * pcap-ng file that was damaged in transit?
1371 if (bh.block_type != BLOCK_TYPE_SHB)
1372 return 0; /* not a pcap-ng file */
1375 switch(bh.block_type) {
1376 case(BLOCK_TYPE_SHB):
1377 bytes_read = pcapng_read_section_header_block(fh, first_block, &bh, pn, wblock, err, err_info);
1379 case(BLOCK_TYPE_IDB):
1380 bytes_read = pcapng_read_if_descr_block(fh, &bh, pn, wblock, err, err_info);
1382 case(BLOCK_TYPE_PB):
1383 bytes_read = pcapng_read_packet_block(fh, &bh, pn, wblock, err, err_info, FALSE);
1385 case(BLOCK_TYPE_SPB):
1386 bytes_read = pcapng_read_simple_packet_block(fh, &bh, pn, wblock, err, err_info);
1388 case(BLOCK_TYPE_EPB):
1389 bytes_read = pcapng_read_packet_block(fh, &bh, pn, wblock, err, err_info, TRUE);
1391 case(BLOCK_TYPE_NRB):
1392 bytes_read = pcapng_read_name_resolution_block(fh, &bh, pn, wblock, err, err_info);
1394 case(BLOCK_TYPE_ISB):
1395 bytes_read = pcapng_read_interface_statistics_block(fh, &bh, pn, wblock, err, err_info);
1398 pcapng_debug2("pcapng_read_block: Unknown block_type: 0x%x (block ignored), block total length %d", bh.block_type, bh.block_total_length);
1399 bytes_read = pcapng_read_unknown_block(fh, &bh, pn, wblock, err, err_info);
1402 if (bytes_read <= 0) {
1405 block_read += bytes_read;
1407 /* sanity check: first and second block lengths must match */
1408 errno = WTAP_ERR_CANT_READ;
1409 bytes_read = file_read(&block_total_length, sizeof block_total_length, fh);
1410 if (bytes_read != sizeof block_total_length) {
1411 pcapng_debug0("pcapng_read_block: couldn't read second block length");
1412 *err = file_error(fh, err_info);
1414 *err = WTAP_ERR_SHORT_READ;
1417 block_read += bytes_read;
1419 if (pn->byte_swapped)
1420 block_total_length = BSWAP32(block_total_length);
1422 if (!(block_total_length == bh.block_total_length)) {
1423 *err = WTAP_ERR_BAD_FILE;
1424 *err_info = g_strdup_printf("pcapng_read_block: total block lengths (first %u and second %u) don't match",
1425 bh.block_total_length, block_total_length);
1433 /* classic wtap: open capture file */
1435 pcapng_open(wtap *wth, int *err, gchar **err_info)
1439 wtapng_block_t wblock;
1442 /* we don't know the byte swapping of the file yet */
1443 pn.byte_swapped = FALSE;
1445 pn.version_major = -1;
1446 pn.version_minor = -1;
1447 pn.interface_data = NULL;
1448 pn.number_of_interfaces = 0;
1450 /* we don't expect any packet blocks yet */
1451 wblock.frame_buffer = NULL;
1452 wblock.pseudo_header = NULL;
1453 wblock.packet_header = NULL;
1454 wblock.file_encap = &wth->file_encap;
1456 pcapng_debug0("pcapng_open: opening file");
1457 /* read first block */
1458 bytes_read = pcapng_read_block(wth->fh, TRUE, &pn, &wblock, err, err_info);
1459 if (bytes_read <= 0) {
1460 pcapng_debug0("pcapng_open: couldn't read first SHB");
1461 *err = file_error(wth->fh, err_info);
1466 wth->data_offset += bytes_read;
1468 /* first block must be a "Section Header Block" */
1469 if (wblock.type != BLOCK_TYPE_SHB) {
1471 * XXX - check for damage from transferring a file
1472 * between Windows and UN*X as text rather than
1475 pcapng_debug1("pcapng_open: first block type %u not SHB", wblock.type);
1479 wth->file_encap = WTAP_ENCAP_UNKNOWN;
1480 wth->snapshot_length = 0;
1481 wth->tsprecision = WTAP_FILE_TSPREC_NSEC;
1482 pcapng = (pcapng_t *)g_malloc(sizeof(pcapng_t));
1483 wth->priv = (void *)pcapng;
1485 wth->subtype_read = pcapng_read;
1486 wth->subtype_seek_read = pcapng_seek_read;
1487 wth->subtype_close = pcapng_close;
1488 wth->file_type = WTAP_FILE_PCAPNG;
1494 /* classic wtap: read packet */
1496 pcapng_read(wtap *wth, int *err, gchar **err_info, gint64 *data_offset)
1498 pcapng_t *pcapng = (pcapng_t *)wth->priv;
1501 wtapng_block_t wblock;
1503 pcapng_debug1("pcapng_read: wth->data_offset is initially %" G_GINT64_MODIFIER "u", wth->data_offset);
1504 *data_offset = wth->data_offset;
1505 pcapng_debug1("pcapng_read: *data_offset is initially set to %" G_GINT64_MODIFIER "u", *data_offset);
1507 /* XXX - This should be done in the packet block reading function and
1508 * should make use of the caplen of the packet.
1510 if (wth->snapshot_length > 0) {
1511 buffer_assure_space(wth->frame_buffer, wth->snapshot_length);
1513 buffer_assure_space(wth->frame_buffer, WTAP_MAX_PACKET_SIZE);
1516 wblock.frame_buffer = buffer_start_ptr(wth->frame_buffer);
1517 wblock.pseudo_header = &wth->pseudo_header;
1518 wblock.packet_header = &wth->phdr;
1519 wblock.file_encap = &wth->file_encap;
1521 pcapng->add_new_ipv4 = wth->add_new_ipv4;
1522 pcapng->add_new_ipv6 = wth->add_new_ipv6;
1524 /* read next block */
1526 bytes_read = pcapng_read_block(wth->fh, FALSE, pcapng, &wblock, err, err_info);
1527 if (bytes_read <= 0) {
1528 wth->data_offset = *data_offset;
1529 pcapng_debug1("pcapng_read: wth->data_offset is finally %" G_GINT64_MODIFIER "u", wth->data_offset);
1530 pcapng_debug0("pcapng_read: couldn't read packet block");
1534 /* block must be a "Packet Block" or an "Enhanced Packet Block" -> otherwise continue */
1535 if (wblock.type == BLOCK_TYPE_PB || wblock.type == BLOCK_TYPE_EPB) {
1539 /* XXX - improve handling of "unknown" blocks */
1540 pcapng_debug1("pcapng_read: block type 0x%x not PB/EPB", wblock.type);
1541 *data_offset += bytes_read;
1542 pcapng_debug1("pcapng_read: *data_offset is updated to %" G_GINT64_MODIFIER "u", *data_offset);
1545 /* Combine the two 32-bit pieces of the timestamp into one 64-bit value */
1546 ts = (((guint64)wblock.data.packet.ts_high) << 32) | ((guint64)wblock.data.packet.ts_low);
1548 wth->phdr.caplen = wblock.data.packet.cap_len - wblock.data.packet.pseudo_header_len;
1549 wth->phdr.len = wblock.data.packet.packet_len - wblock.data.packet.pseudo_header_len;
1550 if (wblock.data.packet.interface_id < pcapng->number_of_interfaces) {
1551 interface_data_t int_data;
1552 guint64 time_units_per_second;
1555 id = (gint)wblock.data.packet.interface_id;
1556 int_data = g_array_index(pcapng->interface_data, interface_data_t, id);
1557 time_units_per_second = int_data.time_units_per_second;
1558 wth->phdr.pkt_encap = int_data.wtap_encap;
1559 wth->phdr.ts.secs = (time_t)(ts / time_units_per_second);
1560 wth->phdr.ts.nsecs = (int)(((ts % time_units_per_second) * 1000000000) / time_units_per_second);
1562 wth->phdr.pkt_encap = WTAP_ENCAP_UNKNOWN;
1563 *err = WTAP_ERR_BAD_FILE;
1564 *err_info = g_strdup_printf("pcapng: interface index %u is not less than interface count %u.",
1565 wblock.data.packet.interface_id, pcapng->number_of_interfaces);
1566 wth->data_offset = *data_offset + bytes_read;
1567 pcapng_debug1("pcapng_read: wth->data_offset is finally %" G_GINT64_MODIFIER "u", wth->data_offset);
1571 /*pcapng_debug2("Read length: %u Packet length: %u", bytes_read, wth->phdr.caplen);*/
1572 wth->data_offset = *data_offset + bytes_read;
1573 pcapng_debug1("pcapng_read: wth->data_offset is finally %" G_GINT64_MODIFIER "u", wth->data_offset);
1579 /* classic wtap: seek to file position and read packet */
1581 pcapng_seek_read(wtap *wth, gint64 seek_off,
1582 union wtap_pseudo_header *pseudo_header, guint8 *pd, int length _U_,
1583 int *err, gchar **err_info)
1585 pcapng_t *pcapng = (pcapng_t *)wth->priv;
1586 guint64 bytes_read64;
1588 wtapng_block_t wblock;
1591 /* seek to the right file position */
1592 bytes_read64 = file_seek(wth->random_fh, seek_off, SEEK_SET, err);
1593 if (bytes_read64 <= 0) {
1594 return FALSE; /* Seek error */
1596 pcapng_debug1("pcapng_seek_read: reading at offset %" G_GINT64_MODIFIER "u", seek_off);
1598 wblock.frame_buffer = pd;
1599 wblock.pseudo_header = pseudo_header;
1600 wblock.packet_header = &wth->phdr;
1601 wblock.file_encap = &wth->file_encap;
1603 /* read the block */
1604 bytes_read = pcapng_read_block(wth->random_fh, FALSE, pcapng, &wblock, err, err_info);
1605 if (bytes_read <= 0) {
1606 *err = file_error(wth->random_fh, err_info);
1607 pcapng_debug3("pcapng_seek_read: couldn't read packet block (err=%d, errno=%d, bytes_read=%d).",
1608 *err, errno, bytes_read);
1612 /* block must be a "Packet Block" or an "Enhanced Packet Block" */
1613 if (wblock.type != BLOCK_TYPE_PB && wblock.type != BLOCK_TYPE_EPB) {
1614 pcapng_debug1("pcapng_seek_read: block type %u not PB/EPB", wblock.type);
1622 /* classic wtap: close capture file */
1624 pcapng_close(wtap *wth)
1626 pcapng_t *pcapng = (pcapng_t *)wth->priv;
1628 pcapng_debug0("pcapng_close: closing file");
1629 if (pcapng->interface_data != NULL) {
1630 g_array_free(pcapng->interface_data, TRUE);
1637 GArray *interface_data;
1638 guint number_of_interfaces;
1639 struct addrinfo *addrinfo_list_last;
1643 pcapng_write_section_header_block(wtap_dumper *wdh, wtapng_block_t *wblock, int *err)
1645 pcapng_block_header_t bh;
1646 pcapng_section_header_block_t shb;
1649 /* write block header */
1650 bh.block_type = wblock->type;
1651 bh.block_total_length = sizeof(bh) + sizeof(shb) /* + options */ + 4;
1653 if (!wtap_dump_file_write(wdh, &bh, sizeof bh, err))
1655 wdh->bytes_dumped += sizeof bh;
1657 /* write block fixed content */
1658 /* XXX - get these values from wblock? */
1659 shb.magic = 0x1A2B3C4D;
1660 shb.version_major = 1;
1661 shb.version_minor = 0;
1662 shb.section_length = -1;
1664 if (!wtap_dump_file_write(wdh, &shb, sizeof shb, err))
1666 wdh->bytes_dumped += sizeof shb;
1668 /* XXX - write (optional) block options */
1670 /* write block footer */
1671 if (!wtap_dump_file_write(wdh, &bh.block_total_length,
1672 sizeof bh.block_total_length, err))
1674 wdh->bytes_dumped += sizeof bh.block_total_length;
1682 pcapng_write_if_descr_block(wtap_dumper *wdh, wtapng_block_t *wblock, int *err)
1684 pcapng_block_header_t bh;
1685 pcapng_interface_description_block_t idb;
1688 pcapng_debug3("pcapng_write_if_descr_block: encap = %d (%s), snaplen = %d",
1689 wblock->data.if_descr.link_type,
1690 wtap_encap_string(wtap_pcap_encap_to_wtap_encap(wblock->data.if_descr.link_type)),
1691 wblock->data.if_descr.snap_len);
1693 if (wblock->data.if_descr.link_type == (guint16)-1) {
1694 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
1698 /* write block header */
1699 bh.block_type = wblock->type;
1700 bh.block_total_length = sizeof(bh) + sizeof(idb) /* + options */ + 4;
1702 if (!wtap_dump_file_write(wdh, &bh, sizeof bh, err))
1704 wdh->bytes_dumped += sizeof bh;
1706 /* write block fixed content */
1707 idb.linktype = wblock->data.if_descr.link_type;
1709 idb.snaplen = wblock->data.if_descr.snap_len;
1711 if (!wtap_dump_file_write(wdh, &idb, sizeof idb, err))
1713 wdh->bytes_dumped += sizeof idb;
1715 /* XXX - write (optional) block options */
1717 /* write block footer */
1718 if (!wtap_dump_file_write(wdh, &bh.block_total_length,
1719 sizeof bh.block_total_length, err))
1721 wdh->bytes_dumped += sizeof bh.block_total_length;
1728 pcapng_write_packet_block(wtap_dumper *wdh, wtapng_block_t *wblock, int *err)
1730 pcapng_block_header_t bh;
1731 pcapng_enhanced_packet_block_t epb;
1732 const guint32 zero_pad = 0;
1736 phdr_len = (guint32)pcap_get_phdr_size(wblock->data.packet.wtap_encap, wblock->pseudo_header);
1737 if ((phdr_len + wblock->data.packet.cap_len) % 4) {
1738 pad_len = 4 - ((phdr_len + wblock->data.packet.cap_len) % 4);
1743 /* write (enhanced) packet block header */
1744 bh.block_type = wblock->type;
1745 bh.block_total_length = (guint32)sizeof(bh) + (guint32)sizeof(epb) + phdr_len + wblock->data.packet.cap_len + pad_len /* + options */ + 4;
1747 if (!wtap_dump_file_write(wdh, &bh, sizeof bh, err))
1749 wdh->bytes_dumped += sizeof bh;
1751 /* write block fixed content */
1752 epb.interface_id = wblock->data.packet.interface_id;
1753 epb.timestamp_high = wblock->data.packet.ts_high;
1754 epb.timestamp_low = wblock->data.packet.ts_low;
1755 epb.captured_len = wblock->data.packet.cap_len + phdr_len;
1756 epb.packet_len = wblock->data.packet.packet_len + phdr_len;
1758 if (!wtap_dump_file_write(wdh, &epb, sizeof epb, err))
1760 wdh->bytes_dumped += sizeof epb;
1762 /* write pseudo header */
1763 if (!pcap_write_phdr(wdh, wblock->data.packet.wtap_encap, wblock->pseudo_header, err)) {
1766 wdh->bytes_dumped += phdr_len;
1768 /* write packet data */
1769 if (!wtap_dump_file_write(wdh, wblock->frame_buffer,
1770 wblock->data.packet.cap_len, err))
1772 wdh->bytes_dumped += wblock->data.packet.cap_len;
1774 /* write padding (if any) */
1776 if (!wtap_dump_file_write(wdh, &zero_pad, pad_len, err))
1778 wdh->bytes_dumped += pad_len;
1781 /* XXX - write (optional) block options */
1783 /* write block footer */
1784 if (!wtap_dump_file_write(wdh, &bh.block_total_length,
1785 sizeof bh.block_total_length, err))
1787 wdh->bytes_dumped += sizeof bh.block_total_length;
1793 #define NRES_REC_MAX_SIZE ((WTAP_MAX_PACKET_SIZE * 4) + 16)
1795 pcapng_write_name_resolution_block(wtap_dumper *wdh, pcapng_dump_t *pcapng, int *err)
1797 pcapng_block_header_t bh;
1798 pcapng_name_resolution_block_t nrb;
1799 struct addrinfo *ai;
1800 struct sockaddr_in *sa4;
1801 struct sockaddr_in6 *sa6;
1803 gint rec_off, namelen, tot_rec_len;
1805 if (! pcapng->addrinfo_list_last || ! pcapng->addrinfo_list_last->ai_next) {
1809 rec_off = 8; /* block type + block total length */
1810 bh.block_type = BLOCK_TYPE_NRB;
1811 bh.block_total_length = rec_off + 8; /* end-of-record + block total length */
1812 rec_data = g_malloc(NRES_REC_MAX_SIZE);
1814 for (; pcapng->addrinfo_list_last && pcapng->addrinfo_list_last->ai_next; pcapng->addrinfo_list_last = pcapng->addrinfo_list_last->ai_next ) {
1815 ai = pcapng->addrinfo_list_last->ai_next; /* Skips over the first (dummy) entry */
1816 namelen = (gint)strlen(ai->ai_canonname) + 1;
1817 if (ai->ai_family == AF_INET) {
1818 nrb.record_type = NRES_IP4RECORD;
1819 nrb.record_len = 4 + namelen;
1820 tot_rec_len = 4 + nrb.record_len + PADDING4(nrb.record_len);
1821 bh.block_total_length += tot_rec_len;
1823 if (rec_off + tot_rec_len > NRES_REC_MAX_SIZE)
1827 * The joys of BSD sockaddrs. In practice, this
1828 * cast is alignment-safe.
1830 sa4 = (struct sockaddr_in *)(void *)ai->ai_addr;
1831 memcpy(rec_data + rec_off, &nrb, sizeof(nrb));
1834 memcpy(rec_data + rec_off, &(sa4->sin_addr.s_addr), 4);
1837 memcpy(rec_data + rec_off, ai->ai_canonname, namelen);
1840 memset(rec_data + rec_off, 0, PADDING4(namelen));
1841 rec_off += PADDING4(namelen);
1842 pcapng_debug1("NRB: added IPv4 record for %s", ai->ai_canonname);
1843 } else if (ai->ai_family == AF_INET6) {
1844 nrb.record_type = NRES_IP6RECORD;
1845 nrb.record_len = 16 + namelen;
1846 tot_rec_len = 4 + nrb.record_len + PADDING4(nrb.record_len);
1847 bh.block_total_length += tot_rec_len;
1849 if (rec_off + tot_rec_len > NRES_REC_MAX_SIZE)
1853 * The joys of BSD sockaddrs. In practice, this
1854 * cast is alignment-safe.
1856 sa6 = (struct sockaddr_in6 *)(void *)ai->ai_addr;
1857 memcpy(rec_data + rec_off, &nrb, sizeof(nrb));
1860 memcpy(rec_data + rec_off, sa6->sin6_addr.s6_addr, 16);
1863 memcpy(rec_data + rec_off, ai->ai_canonname, namelen);
1866 memset(rec_data + rec_off, 0, PADDING4(namelen));
1867 rec_off += PADDING4(namelen);
1868 pcapng_debug1("NRB: added IPv6 record for %s", ai->ai_canonname);
1872 /* We know the total length now; copy the block header. */
1873 memcpy(rec_data, &bh, sizeof(bh));
1876 memset(rec_data + rec_off, 0, 4);
1879 memcpy(rec_data + rec_off, &bh.block_total_length, sizeof(bh.block_total_length));
1881 if (!wtap_dump_file_write(wdh, rec_data, bh.block_total_length, err)) {
1887 wdh->bytes_dumped += bh.block_total_length;
1893 pcapng_write_block(wtap_dumper *wdh, /*pcapng_t *pn, */wtapng_block_t *wblock, int *err)
1895 switch(wblock->type) {
1896 case(BLOCK_TYPE_SHB):
1897 return pcapng_write_section_header_block(wdh, wblock, err);
1898 case(BLOCK_TYPE_IDB):
1899 return pcapng_write_if_descr_block(wdh, wblock, err);
1900 case(BLOCK_TYPE_PB):
1901 /* Packet Block is obsolete */
1903 case(BLOCK_TYPE_EPB):
1904 return pcapng_write_packet_block(wdh, wblock, err);
1906 pcapng_debug1("Unknown block_type: 0x%x", wblock->type);
1913 pcapng_lookup_interface_id_by_encap(int wtap_encap, wtap_dumper *wdh)
1916 interface_data_t int_data;
1917 pcapng_dump_t *pcapng = (pcapng_dump_t *)wdh->priv;
1919 for(i = 0; i < (gint)pcapng->number_of_interfaces; i++) {
1920 int_data = g_array_index(pcapng->interface_data, interface_data_t, i);
1921 if (wtap_encap == int_data.wtap_encap) {
1929 static gboolean pcapng_dump(wtap_dumper *wdh,
1930 const struct wtap_pkthdr *phdr,
1931 const union wtap_pseudo_header *pseudo_header,
1932 const guint8 *pd, int *err)
1934 wtapng_block_t wblock;
1935 interface_data_t int_data;
1936 guint32 interface_id;
1938 pcapng_dump_t *pcapng = (pcapng_dump_t *)wdh->priv;
1941 pcapng_debug2("pcapng_dump: encap = %d (%s)",
1943 wtap_encap_string(phdr->pkt_encap));
1945 if (!pcapng->addrinfo_list_last)
1946 pcapng->addrinfo_list_last = wdh->addrinfo_list;
1948 interface_id = pcapng_lookup_interface_id_by_encap(phdr->pkt_encap, wdh);
1949 if (interface_id == G_MAXUINT32) {
1951 * We haven't yet written out an interface description
1952 * block for an interface with this encapsulation.
1954 * Is this encapsulation even supported in pcap-ng?
1956 pcap_encap = wtap_wtap_encap_to_pcap_encap(phdr->pkt_encap);
1957 if (pcap_encap == -1) {
1961 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
1965 /* write the interface description block */
1966 wblock.frame_buffer = NULL;
1967 wblock.pseudo_header = NULL;
1968 wblock.packet_header = NULL;
1969 wblock.file_encap = NULL;
1970 wblock.type = BLOCK_TYPE_IDB;
1971 wblock.data.if_descr.link_type = pcap_encap;
1972 wblock.data.if_descr.snap_len = (wdh->snaplen != 0) ? wdh->snaplen :
1973 WTAP_MAX_PACKET_SIZE; /* XXX */
1975 /* XXX - options unused */
1976 wblock.data.if_descr.if_speed = -1;
1977 wblock.data.if_descr.if_tsresol = 6; /* default: usec */
1978 wblock.data.if_descr.if_os = NULL;
1979 wblock.data.if_descr.if_fcslen = -1;
1981 if (!pcapng_write_block(wdh, &wblock, err)) {
1985 interface_id = pcapng->number_of_interfaces;
1986 int_data.wtap_encap = phdr->pkt_encap;
1987 int_data.time_units_per_second = 0;
1988 g_array_append_val(pcapng->interface_data, int_data);
1989 pcapng->number_of_interfaces++;
1991 pcapng_debug3("pcapng_dump: added interface description block with index %u for encap = %d (%s).",
1994 wtap_encap_string(phdr->pkt_encap));
1997 /* Flush any hostname resolution info we may have */
1998 while (pcapng->addrinfo_list_last && pcapng->addrinfo_list_last->ai_next) {
1999 pcapng_write_name_resolution_block(wdh, pcapng, err);
2002 wblock.frame_buffer = pd;
2003 wblock.pseudo_header = pseudo_header;
2004 wblock.packet_header = NULL;
2005 wblock.file_encap = NULL;
2007 /* write the (enhanced) packet block */
2008 wblock.type = BLOCK_TYPE_EPB;
2010 /* default is to write out in microsecond resolution */
2011 ts = (((guint64)phdr->ts.secs) * 1000000) + (phdr->ts.nsecs / 1000);
2013 /* Split the 64-bit timestamp into two 32-bit pieces */
2014 wblock.data.packet.ts_high = (guint32)(ts >> 32);
2015 wblock.data.packet.ts_low = (guint32)ts;
2017 wblock.data.packet.cap_len = phdr->caplen;
2018 wblock.data.packet.packet_len = phdr->len;
2019 wblock.data.packet.interface_id = interface_id;
2020 wblock.data.packet.wtap_encap = phdr->pkt_encap;
2022 /* currently unused */
2023 wblock.data.packet.drop_count = -1;
2024 wblock.data.packet.opt_comment = NULL;
2026 if (!pcapng_write_block(wdh, &wblock, err)) {
2034 /* Finish writing to a dump file.
2035 Returns TRUE on success, FALSE on failure. */
2036 static gboolean pcapng_dump_close(wtap_dumper *wdh, int *err _U_)
2038 pcapng_dump_t *pcapng = (pcapng_dump_t *)wdh->priv;
2040 pcapng_debug0("pcapng_dump_close");
2041 g_array_free(pcapng->interface_data, TRUE);
2042 pcapng->number_of_interfaces = 0;
2047 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
2050 pcapng_dump_open(wtap_dumper *wdh, int *err)
2052 wtapng_block_t wblock;
2053 pcapng_dump_t *pcapng;
2055 wblock.frame_buffer = NULL;
2056 wblock.pseudo_header = NULL;
2057 wblock.packet_header = NULL;
2058 wblock.file_encap = NULL;
2060 pcapng_debug0("pcapng_dump_open");
2061 /* This is a pcapng file */
2062 wdh->subtype_write = pcapng_dump;
2063 wdh->subtype_close = pcapng_dump_close;
2064 pcapng = (pcapng_dump_t *)g_malloc0(sizeof(pcapng_dump_t));
2065 wdh->priv = (void *)pcapng;
2066 pcapng->interface_data = g_array_new(FALSE, FALSE, sizeof(interface_data_t));
2068 /* write the section header block */
2069 wblock.type = BLOCK_TYPE_SHB;
2070 wblock.data.section.section_length = -1;
2072 /* XXX - options unused */
2073 wblock.data.section.opt_comment = NULL;
2074 wblock.data.section.shb_hardware = NULL;
2075 wblock.data.section.shb_os = NULL;
2076 wblock.data.section.shb_user_appl = NULL;
2078 if (!pcapng_write_block(wdh, &wblock, err)) {
2081 pcapng_debug0("pcapng_dump_open: wrote section header block.");
2087 /* Returns 0 if we could write the specified encapsulation type,
2088 an error indication otherwise. */
2089 int pcapng_dump_can_write_encap(int wtap_encap)
2091 pcapng_debug2("pcapng_dump_can_write_encap: encap = %d (%s)",
2093 wtap_encap_string(wtap_encap));
2095 /* Per-packet encapsulations is supported. */
2096 if (wtap_encap == WTAP_ENCAP_PER_PACKET)
2099 /* Make sure we can figure out this DLT type */
2100 if (wtap_wtap_encap_to_pcap_encap(wtap_encap) == -1)
2101 return WTAP_ERR_UNSUPPORTED_ENCAP;