3 * $Id: wtap.h,v 1.64 2000/02/19 08:00:08 guy Exp $
6 * Copyright (c) 1998 by Gilbert Ramirez <gram@xiexie.org>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
27 /* Encapsulation types. Choose names that truly reflect
28 * what is contained in the packet trace file.
30 * WTAP_ENCAP_PER_PACKET is a value passed to "wtap_dump_open()" or
31 * "wtap_dump_fd_open()" to indicate that there is no single encapsulation
32 * type for all packets in the file; this may cause those routines to
33 * fail if the capture file format being written can't support that.
34 * It's also returned by "wtap_file_encap()" for capture files that
35 * don't have a single encapsulation type for all packets in the file.
37 * WTAP_ENCAP_UNKNOWN is returned by "wtap_pcap_encap_to_wtap_encap()"
38 * if it's handed an unknown encapsulation.
40 * WTAP_ENCAP_FDDI_BITSWAPPED is for FDDI captures on systems where the
41 * MAC addresses you get from the hardware are bit-swapped. Ideally,
42 * the driver would tell us that, but I know of none that do, so, for
43 * now, we base it on the machine on which we're *reading* the
44 * capture, rather than on the machine on which the capture was taken
45 * (they're probably likely to be the same). We assume that they're
46 * bit-swapped on everything except for systems running Ultrix, Alpha
47 * systems, and BSD/OS systems (that's what "tcpdump" does; I guess
48 * Digital decided to bit-swap addresses in the hardware or in the
49 * driver, and I guess BSDI bit-swapped them in the driver, given that
50 * BSD/OS generally runs on Boring Old PC's). If we create a wiretap
51 * save file format, we'd use the WTAP_ENCAP values to flag the
52 * encapsulation of a packet, so there we'd at least be able to base
53 * it on the machine on which the capture was taken.
55 * WTAP_ENCAP_LINUX_ATM_CLIP is the encapsulation you get with the
56 * ATM on Linux code from <http://lrcwww.epfl.ch/linux-atm/>;
57 * that code adds a DLT_ATM_CLIP DLT_ code of 19, and that
58 * encapsulation isn't the same as the DLT_ATM_RFC1483 encapsulation
59 * presumably used on some BSD systems, which we turn into
60 * WTAP_ENCAP_ATM_RFC1483.
62 * WTAP_ENCAP_NULL corresponds to DLT_NULL from "libpcap". This
65 * 1) PPP-over-HDLC encapsulation, at least with some versions
66 * of ISDN4BSD (but not the current ones, it appears, unless
67 * I've missed something);
69 * 2) a 4-byte header containing the AF_ address family, in
70 * the byte order of the machine that saved the capture,
71 * for the packet, as used on many BSD systems for the
72 * loopback device and some other devices;
74 * 3) a 4-byte header containing 2 octets of 0 and an Ethernet
75 * type in the byte order from an Ethernet header, that being
76 * what "libpcap" on Linux turns the Ethernet header for
77 * loopback interfaces into. */
78 #define WTAP_ENCAP_PER_PACKET -1
79 #define WTAP_ENCAP_UNKNOWN 0
80 #define WTAP_ENCAP_ETHERNET 1
81 #define WTAP_ENCAP_TR 2
82 #define WTAP_ENCAP_SLIP 3
83 #define WTAP_ENCAP_PPP 4
84 #define WTAP_ENCAP_FDDI 5
85 #define WTAP_ENCAP_FDDI_BITSWAPPED 6
86 #define WTAP_ENCAP_RAW_IP 7
87 #define WTAP_ENCAP_ARCNET 8
88 #define WTAP_ENCAP_ATM_RFC1483 9
89 #define WTAP_ENCAP_LINUX_ATM_CLIP 10
90 #define WTAP_ENCAP_LAPB 11
91 #define WTAP_ENCAP_ATM_SNIFFER 12
92 #define WTAP_ENCAP_NULL 13
93 #define WTAP_ENCAP_ASCEND 14
94 #define WTAP_ENCAP_LAPD 15
95 #define WTAP_ENCAP_V120 16
97 /* last WTAP_ENCAP_ value + 1 */
98 #define WTAP_NUM_ENCAP_TYPES 17
100 /* File types that can be read by wiretap.
101 We may eventually support writing some or all of these file types,
102 too, so we distinguish between different versions of them. */
103 #define WTAP_FILE_UNKNOWN 0
104 #define WTAP_FILE_WTAP 1
105 #define WTAP_FILE_PCAP 2
106 #define WTAP_FILE_PCAP_MODIFIED 3
107 #define WTAP_FILE_PCAP_RH_6_1 4
108 #define WTAP_FILE_LANALYZER 5
109 #define WTAP_FILE_NGSNIFFER 6
110 #define WTAP_FILE_SNOOP 7
111 #define WTAP_FILE_IPTRACE_1_0 8
112 #define WTAP_FILE_IPTRACE_2_0 9
113 #define WTAP_FILE_NETMON_1_x 10
114 #define WTAP_FILE_NETMON_2_x 11
115 #define WTAP_FILE_NETXRAY_1_0 12
116 #define WTAP_FILE_NETXRAY_1_1 13
117 #define WTAP_FILE_NETXRAY_2_001 14
118 #define WTAP_FILE_RADCOM 15
119 #define WTAP_FILE_ASCEND 16
120 #define WTAP_FILE_NETTL 17
121 #define WTAP_FILE_TOSHIBA 18
122 #define WTAP_FILE_I4BTRACE 19
124 /* last WTAP_FILE_ value + 1 */
125 #define WTAP_NUM_FILE_TYPES 20
128 * Maximum packet size we'll support.
130 #define WTAP_MAX_PACKET_SIZE 65535
132 #include <sys/types.h>
134 #ifdef HAVE_SYS_TIME_H
135 #include <sys/time.h>
138 #ifdef HAVE_WINSOCK_H
147 #define FILE_T gzFile
149 #define FILE_T FILE *
150 #endif /* HAVE_LIBZ */
163 gboolean byte_swapped;
165 int bchannel_prot[2]; /* For the V.120 heuristic */
177 gboolean byte_swapped;
179 guint16 version_major;
180 guint16 version_minor;
186 guint8 version_major;
187 guint32 *frame_table;
195 double start_timestamp;
207 /* Packet "pseudo-header" information for X.25 capture files. */
209 guint8 flags; /* ENCAP_LAPB : 1st bit means From DCE */
212 /* Packet "pseudo-header" for ATM Sniffer capture files. */
213 struct ngsniffer_atm_phdr {
214 guint8 AppTrafType; /* traffic type */
215 guint8 AppHLType; /* protocol type */
216 guint16 Vpi; /* virtual path identifier */
217 guint16 Vci; /* virtual circuit identifier */
218 guint16 channel; /* link: 0 for DCE, 1 for DTE */
219 guint16 cells; /* number of cells */
220 guint16 aal5t_u2u; /* user-to-user indicator */
221 guint16 aal5t_len; /* length of the packet */
222 guint32 aal5t_chksum; /* checksum for AAL5 packet */
225 /* Packet "pseudo-header" for the output from "wandsession", "wannext",
226 "wandisplay", and similar commands on Lucent/Ascend access equipment. */
228 #define ASCEND_MAX_STR_LEN 64
230 #define ASCEND_PFX_WDS_X 1
231 #define ASCEND_PFX_WDS_R 2
232 #define ASCEND_PFX_WDD 3
235 guint16 type; /* ASCEND_PFX_*, as defined above */
236 char user[ASCEND_MAX_STR_LEN]; /* Username, from wandsession header */
237 guint32 sess; /* Session number, from wandsession header */
238 char call_num[ASCEND_MAX_STR_LEN]; /* Called number, from WDD header */
239 guint32 chunk; /* Chunk number, from WDD header */
240 guint32 task; /* Task number */
243 /* Packet "pseudo-header" information for LAPD capture files. */
245 gboolean from_network_to_user;
249 * Bits in AppTrafType.
251 * For AAL types other than AAL5, the packet data is presumably for a
252 * single cell, not a reassembled frame, as the ATM Sniffer manual says
253 * it dosn't reassemble cells other than AAL5 cells.
255 #define ATT_AALTYPE 0x0F /* AAL type: */
256 #define ATT_AAL_UNKNOWN 0x00 /* Unknown AAL */
257 #define ATT_AAL1 0x01 /* AAL1 */
258 #define ATT_AAL3_4 0x02 /* AAL3/4 */
259 #define ATT_AAL5 0x03 /* AAL5 */
260 #define ATT_AAL_USER 0x04 /* User AAL */
261 #define ATT_AAL_SIGNALLING 0x05 /* Signaling AAL */
262 #define ATT_OAMCELL 0x06 /* OAM cell */
264 #define ATT_HLTYPE 0xF0 /* Higher-layer type: */
265 #define ATT_HL_UNKNOWN 0x00 /* unknown */
266 #define ATT_HL_LLCMX 0x10 /* LLC multiplexed (probably RFC 1483) */
267 #define ATT_HL_VCMX 0x20 /* VC multiplexed (probably RFC 1483) */
268 #define ATT_HL_LANE 0x30 /* LAN Emulation */
269 #define ATT_HL_ILMI 0x40 /* ILMI */
270 #define ATT_HL_FRMR 0x50 /* Frame Relay */
271 #define ATT_HL_SPANS 0x60 /* FORE SPANS */
272 #define ATT_HL_IPSILON 0x70 /* Ipsilon */
275 * Values for AppHLType; the interpretation depends on the ATT_HLTYPE
276 * bits in AppTrafType.
278 #define AHLT_UNKNOWN 0x0
279 #define AHLT_VCMX_802_3_FCS 0x1 /* VCMX: 802.3 FCS */
280 #define AHLT_LANE_LE_CTRL 0x1 /* LANE: LE Ctrl */
281 #define AHLT_IPSILON_FT0 0x1 /* Ipsilon: Flow Type 0 */
282 #define AHLT_VCMX_802_4_FCS 0x2 /* VCMX: 802.4 FCS */
283 #define AHLT_LANE_802_3 0x2 /* LANE: 802.3 */
284 #define AHLT_IPSILON_FT1 0x2 /* Ipsilon: Flow Type 1 */
285 #define AHLT_VCMX_802_5_FCS 0x3 /* VCMX: 802.5 FCS */
286 #define AHLT_LANE_802_5 0x3 /* LANE: 802.5 */
287 #define AHLT_IPSILON_FT2 0x3 /* Ipsilon: Flow Type 2 */
288 #define AHLT_VCMX_FDDI_FCS 0x4 /* VCMX: FDDI FCS */
289 #define AHLT_LANE_802_3_MC 0x4 /* LANE: 802.3 multicast */
290 #define AHLT_VCMX_802_6_FCS 0x5 /* VCMX: 802.6 FCS */
291 #define AHLT_LANE_802_5_MC 0x5 /* LANE: 802.5 multicast */
292 #define AHLT_VCMX_802_3 0x7 /* VCMX: 802.3 */
293 #define AHLT_VCMX_802_4 0x8 /* VCMX: 802.4 */
294 #define AHLT_VCMX_802_5 0x9 /* VCMX: 802.5 */
295 #define AHLT_VCMX_FDDI 0xa /* VCMX: FDDI */
296 #define AHLT_VCMX_802_6 0xb /* VCMX: 802.6 */
297 #define AHLT_VCMX_FRAGMENTS 0xc /* VCMX: Fragments */
298 #define AHLT_VCMX_BPDU 0xe /* VCMX: BPDU */
300 union pseudo_header {
302 struct ngsniffer_atm_phdr ngsniffer_atm;
303 struct ascend_phdr ascend;
304 struct lapd_phdr lapd;
312 union pseudo_header pseudo_header;
315 typedef void (*wtap_handler)(u_char*, const struct wtap_pkthdr*,
316 int, const u_char *);
321 typedef int (*subtype_read_func)(struct wtap*, int*);
322 typedef struct wtap {
324 int fd; /* File descriptor for cap file */
327 struct Buffer *frame_buffer;
328 struct wtap_pkthdr phdr;
334 lanalyzer_t *lanalyzer;
335 ngsniffer_t *ngsniffer;
337 i4btrace_t *i4btrace;
344 subtype_read_func subtype_read;
345 int file_encap; /* per-file, for those
346 file formats that have
347 per-file encapsulation
353 typedef gboolean (*subtype_write_func)(struct wtap_dumper*,
354 const struct wtap_pkthdr*, const u_char*, int*);
355 typedef gboolean (*subtype_close_func)(struct wtap_dumper*, int*);
358 gboolean first_frame;
363 gboolean first_frame;
364 struct timeval start;
369 gboolean got_first_record_time;
370 struct timeval first_record_time;
371 guint32 frame_table_offset;
372 guint32 *frame_table;
373 int frame_table_index;
374 int frame_table_size;
377 typedef struct wtap_dumper {
385 ngsniffer_dump_t *ngsniffer;
386 netmon_dump_t *netmon;
387 netxray_dump_t *netxray;
390 subtype_write_func subtype_write;
391 subtype_close_func subtype_close;
395 * On failure, "wtap_open_offline()" returns NULL, and puts into the
396 * "int" pointed to by its second argument:
398 * a positive "errno" value if the capture file can't be opened;
400 * a negative number, indicating the type of error, on other failures.
402 wtap* wtap_open_offline(const char *filename, int *err);
403 int wtap_loop(wtap *wth, int, wtap_handler, u_char*, int*);
405 FILE* wtap_file(wtap *wth);
406 int wtap_fd(wtap *wth);
407 int wtap_snapshot_length(wtap *wth); /* per file */
408 int wtap_file_type(wtap *wth);
409 int wtap_file_encap(wtap *wth);
411 const char *wtap_file_type_string(int filetype);
412 const char *wtap_file_type_short_string(int filetype);
413 int wtap_short_string_to_file_type(const char *short_name);
415 const char *wtap_encap_string(int encap);
416 const char *wtap_encap_short_string(int encap);
417 int wtap_short_string_to_encap(const char *short_name);
419 const char *wtap_strerror(int err);
420 void wtap_close(wtap *wth);
421 int wtap_seek_read (int file_type, FILE *fh, int seek_off, guint8 *pd, int len);
422 int wtap_def_seek_read (FILE *fh, int seek_off, guint8 *pd, int len);
424 gboolean wtap_dump_can_open(int filetype);
425 gboolean wtap_dump_can_write_encap(int filetype, int encap);
426 wtap_dumper* wtap_dump_open(const char *filename, int filetype, int encap,
427 int snaplen, int *err);
428 wtap_dumper* wtap_dump_fdopen(int fd, int filetype, int encap, int snaplen,
430 gboolean wtap_dump(wtap_dumper *, const struct wtap_pkthdr *, const u_char *,
432 FILE* wtap_dump_file(wtap_dumper *);
433 gboolean wtap_dump_close(wtap_dumper *, int *);
435 /* XXX - needed until "wiretap" can do live packet captures */
436 int wtap_pcap_encap_to_wtap_encap(int encap);
439 * Wiretap error codes.
441 #define WTAP_ERR_NOT_REGULAR_FILE -1
442 /* The file being opened for reading isn't a plain file */
443 #define WTAP_ERR_FILE_UNKNOWN_FORMAT -2
444 /* The file being opened is not a capture file in a known format */
445 #define WTAP_ERR_UNSUPPORTED -3
446 /* Supported file type, but there's something in the file we
448 #define WTAP_ERR_CANT_OPEN -4
449 /* The file couldn't be opened, reason unknown */
450 #define WTAP_ERR_UNSUPPORTED_FILE_TYPE -5
451 /* Wiretap can't save files in the specified format */
452 #define WTAP_ERR_UNSUPPORTED_ENCAP -6
453 /* Wiretap can't read or save files in the specified format with the
454 specified encapsulation */
455 #define WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED -7
456 /* The specified format doesn't support per-packet encapsulations */
457 #define WTAP_ERR_CANT_CLOSE -8
458 /* The file couldn't be closed, reason unknown */
459 #define WTAP_ERR_CANT_READ -9
460 /* An attempt to read failed, reason unknown */
461 #define WTAP_ERR_SHORT_READ -10
462 /* An attempt to read read less data than it should have */
463 #define WTAP_ERR_BAD_RECORD -11
464 /* We read an invalid record */
465 #define WTAP_ERR_SHORT_WRITE -12
466 /* An attempt to write wrote less data than it should have */
468 /* Errors from zlib; zlib error Z_xxx turns into Wiretap error
469 WTAP_ERR_ZLIB + Z_xxx.
471 WTAP_ERR_ZLIB_MIN and WTAP_ERR_ZLIB_MAX bound the range of zlib
472 errors; we leave room for 100 positive and 100 negative error
475 #define WTAP_ERR_ZLIB -200
476 #define WTAP_ERR_ZLIB_MAX -100
477 #define WTAP_ERR_ZLIB_MIN -300
479 /* Macros to byte-swap 32-bit and 16-bit quantities. */
481 ((((x)&0xFF000000)>>24) | \
482 (((x)&0x00FF0000)>>8) | \
483 (((x)&0x0000FF00)<<8) | \
484 (((x)&0x000000FF)<<24))
486 ((((x)&0xFF00)>>8) | \
489 /* Turn host-byte-order values into little-endian values. */
490 #ifdef WORDS_BIGENDIAN
491 #define htoles(s) ((guint16) \
492 ((guint16)((s) & 0x00FF)<<8| \
493 (guint16)((s) & 0xFF00)>>8))
495 #define htolel(l) ((guint32)((l) & 0x000000FF)<<24| \
496 (guint32)((l) & 0x0000FF00)<<8| \
497 (guint32)((l) & 0x00FF0000)>>8| \
498 (guint32)((l) & 0xFF000000)>>24)
500 #define htoles(s) (s)
501 #define htolel(l) (l)
504 /* Pointer versions of ntohs and ntohl. Given a pointer to a member of a
505 * byte array, returns the value of the two or four bytes at the pointer.
506 * The pletoh[sl] versions return the little-endian representation.
510 #define pntohs(p) ((guint16) \
511 ((guint16)*((guint8 *)p+0)<<8| \
512 (guint16)*((guint8 *)p+1)<<0))
516 #define pntohl(p) ((guint32)*((guint8 *)p+0)<<24| \
517 (guint32)*((guint8 *)p+1)<<16| \
518 (guint32)*((guint8 *)p+2)<<8| \
519 (guint32)*((guint8 *)p+3)<<0)
523 #define phtons(p) ((guint16) \
524 ((guint16)*((guint8 *)p+0)<<8| \
525 (guint16)*((guint8 *)p+1)<<0))
529 #define phtonl(p) ((guint32)*((guint8 *)p+0)<<24| \
530 (guint32)*((guint8 *)p+1)<<16| \
531 (guint32)*((guint8 *)p+2)<<8| \
532 (guint32)*((guint8 *)p+3)<<0)
536 #define pletohs(p) ((guint16) \
537 ((guint16)*((guint8 *)p+1)<<8| \
538 (guint16)*((guint8 *)p+0)<<0))
542 #define pletohl(p) ((guint32)*((guint8 *)p+3)<<24| \
543 (guint32)*((guint8 *)p+2)<<16| \
544 (guint32)*((guint8 *)p+1)<<8| \
545 (guint32)*((guint8 *)p+0)<<0)
548 #endif /* __WTAP_H__ */