3 * $Id: wtap.h,v 1.40 1999/09/23 04:39:01 ashokn Exp $
6 * Copyright (c) 1998 by Gilbert Ramirez <gram@verdict.uthscsa.edu>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
27 /* Encapsulation types. Choose names that truly reflect
28 * what is contained in the packet trace file.
30 * WTAP_ENCAP_PER_PACKET is a value passed to "wtap_dump_open()" or
31 * "wtap_dump_fd_open()" to indicate that there is no single encapsulation
32 * type for all packets in the file; this may cause those routines to
33 * fail if the capture file format being written can't support that.
35 * WTAP_ENCAP_UNKNOWN is returned by "wtap_pcap_encap_to_wtap_encap()"
36 * if it's handed an unknown encapsulation.
38 * WTAP_ENCAP_FDDI_BITSWAPPED is for FDDI captures on systems where the
39 * MAC addresses you get from the hardware are bit-swapped. Ideally,
40 * the driver would tell us that, but I know of none that do, so, for
41 * now, we base it on the machine on which we're *reading* the
42 * capture, rather than on the machine on which the capture was taken
43 * (they're probably likely to be the same). We assume that they're
44 * bit-swapped on everything except for systems running Ultrix, Alpha
45 * systems, and BSD/OS systems (that's what "tcpdump" does; I guess
46 * Digital decided to bit-swap addresses in the hardware or in the
47 * driver, and I guess BSDI bit-swapped them in the driver, given that
48 * BSD/OS generally runs on Boring Old PC's). If we create a wiretap
49 * save file format, we'd use the WTAP_ENCAP values to flag the
50 * encapsulation of a packet, so there we'd at least be able to base
51 * it on the machine on which the capture was taken.
53 * WTAP_ENCAP_LINUX_ATM_CLIP is the encapsulation you get with the
54 * ATM on Linux code from <http://lrcwww.epfl.ch/linux-atm/>;
55 * that code adds a DLT_ATM_CLIP DLT_ code of 19, and that
56 * encapsulation isn't the same as the DLT_ATM_RFC1483 encapsulation
57 * presumably used on some BSD systems, which we turn into
58 * WTAP_ENCAP_ATM_RFC1483.
60 * WTAP_ENCAP_NULL corresponds to DLT_NULL from "libpcap". This
63 * 1) PPP-over-HDLC encapsulation, at least with some versions
64 * of ISDN4BSD (but not the current ones, it appears, unless
65 * I've missed something);
67 * 2) a 4-byte header containing the AF_ address family, in
68 * the byte order of the machine that saved the capture,
69 * for the packet, as used on many BSD systems for the
70 * loopback device and some other devices;
72 * 3) a 4-byte header containing 2 octets of 0 and an Ethernet
73 * type in the byte order from an Ethernet header, that being
74 * what "libpcap" on Linux turns the Ethernet header for
75 * loopback interfaces into. */
76 #define WTAP_ENCAP_PER_PACKET -1
77 #define WTAP_ENCAP_UNKNOWN 0
78 #define WTAP_ENCAP_ETHERNET 1
79 #define WTAP_ENCAP_TR 2
80 #define WTAP_ENCAP_SLIP 3
81 #define WTAP_ENCAP_PPP 4
82 #define WTAP_ENCAP_FDDI 5
83 #define WTAP_ENCAP_FDDI_BITSWAPPED 6
84 #define WTAP_ENCAP_RAW_IP 7
85 #define WTAP_ENCAP_ARCNET 8
86 #define WTAP_ENCAP_ATM_RFC1483 9
87 #define WTAP_ENCAP_LINUX_ATM_CLIP 10
88 #define WTAP_ENCAP_LAPB 11
89 #define WTAP_ENCAP_ATM_SNIFFER 12
90 #define WTAP_ENCAP_NULL 13
91 #define WTAP_ENCAP_ASCEND 14
93 /* last WTAP_ENCAP_ value + 1 */
94 #define WTAP_NUM_ENCAP_TYPES 15
96 /* File types that can be read by wiretap.
97 We may eventually support writing some or all of these file types,
98 too, so we distinguish between different versions of them. */
99 #define WTAP_FILE_UNKNOWN 0
100 #define WTAP_FILE_WTAP 1
101 #define WTAP_FILE_PCAP 2
102 #define WTAP_FILE_LANALYZER 3
103 #define WTAP_FILE_NGSNIFFER 4
104 #define WTAP_FILE_SNOOP 6
105 #define WTAP_FILE_IPTRACE 7
106 #define WTAP_FILE_NETMON_1_x 8
107 #define WTAP_FILE_NETMON_2_x 9
108 #define WTAP_FILE_NETXRAY_1_0 10
109 #define WTAP_FILE_NETXRAY_1_1 11
110 #define WTAP_FILE_NETXRAY_2_001 12
111 #define WTAP_FILE_RADCOM 13
112 #define WTAP_FILE_ASCEND 14
115 * Maximum packet size we'll support.
117 #define WTAP_MAX_PACKET_SIZE 65535
119 #include <sys/types.h>
121 #ifdef HAVE_SYS_TIME_H
122 #include <sys/time.h>
125 #ifdef HAVE_WINSOCK_H
148 guint16 version_major;
149 guint16 version_minor;
155 guint8 version_major;
162 double start_timestamp;
174 /* Packet "pseudo-header" information for X.25 capture files. */
176 guint8 flags; /* ENCAP_LAPB : 1st bit means From DCE */
179 /* Packet "pseudo-header" for ATM Sniffer capture files. */
180 struct ngsniffer_atm_phdr {
181 guint8 AppTrafType; /* traffic type */
182 guint8 AppHLType; /* protocol type */
183 guint16 Vpi; /* virtual path identifier */
184 guint16 Vci; /* virtual circuit identifier */
185 guint16 channel; /* link: 0 for DCE, 1 for DTE */
186 guint16 cells; /* number of cells */
187 guint16 aal5t_u2u; /* user-to-user indicator */
188 guint16 aal5t_len; /* length of the packet */
189 guint32 aal5t_chksum; /* checksum for AAL5 packet */
192 /* Packet "pseudo-header" for the output from "wandsession", "wannext",
193 "wandisplay", and similar commands on Lucent/Ascend access equipment. */
195 #define ASCEND_MAX_STR_LEN 64
197 #define ASCEND_PFX_WDS_X 1
198 #define ASCEND_PFX_WDS_R 2
199 #define ASCEND_PFX_WDD 3
202 guint16 type; /* ASCEND_PFX_*, as defined above */
203 char user[ASCEND_MAX_STR_LEN]; /* Username, from wandsession header */
204 guint32 sess; /* Session number, from wandsession header */
205 char call_num[ASCEND_MAX_STR_LEN]; /* Called number, from WDD header */
206 guint32 chunk; /* Chunk number, from WDD header */
207 guint32 task; /* Task number */
211 * Bits in AppTrafType.
213 * For AAL types other than AAL5, the packet data is presumably for a
214 * single cell, not a reassembled frame, as the ATM Sniffer manual says
215 * it dosn't reassemble cells other than AAL5 cells.
217 #define ATT_AALTYPE 0x0F /* AAL type: */
218 #define ATT_AAL_UNKNOWN 0x00 /* Unknown AAL */
219 #define ATT_AAL1 0x01 /* AAL1 */
220 #define ATT_AAL3_4 0x02 /* AAL3/4 */
221 #define ATT_AAL5 0x03 /* AAL5 */
222 #define ATT_AAL_USER 0x04 /* User AAL */
223 #define ATT_AAL_SIGNALLING 0x05 /* Signaling AAL */
224 #define ATT_OAMCELL 0x06 /* OAM cell */
226 #define ATT_HLTYPE 0xF0 /* Higher-layer type: */
227 #define ATT_HL_UNKNOWN 0x00 /* unknown */
228 #define ATT_HL_LLCMX 0x10 /* LLC multiplexed (probably RFC 1483) */
229 #define ATT_HL_VCMX 0x20 /* VC multiplexed (probably RFC 1483) */
230 #define ATT_HL_LANE 0x30 /* LAN Emulation */
231 #define ATT_HL_ILMI 0x40 /* ILMI */
232 #define ATT_HL_FRMR 0x50 /* Frame Relay */
233 #define ATT_HL_SPANS 0x60 /* FORE SPANS */
234 #define ATT_HL_IPSILON 0x70 /* Ipsilon */
237 * Values for AppHLType; the interpretation depends on the ATT_HLTYPE
238 * bits in AppTrafType.
240 #define AHLT_UNKNOWN 0x0
241 #define AHLT_VCMX_802_3_FCS 0x1 /* VCMX: 802.3 FCS */
242 #define AHLT_LANE_LE_CTRL 0x1 /* LANE: LE Ctrl */
243 #define AHLT_IPSILON_FT0 0x1 /* Ipsilon: Flow Type 0 */
244 #define AHLT_VCMX_802_4_FCS 0x2 /* VCMX: 802.4 FCS */
245 #define AHLT_LANE_802_3 0x2 /* LANE: 802.3 */
246 #define AHLT_IPSILON_FT1 0x2 /* Ipsilon: Flow Type 1 */
247 #define AHLT_VCMX_802_5_FCS 0x3 /* VCMX: 802.5 FCS */
248 #define AHLT_LANE_802_5 0x3 /* LANE: 802.5 */
249 #define AHLT_IPSILON_FT2 0x3 /* Ipsilon: Flow Type 2 */
250 #define AHLT_VCMX_FDDI_FCS 0x4 /* VCMX: FDDI FCS */
251 #define AHLT_LANE_802_3_MC 0x4 /* LANE: 802.3 multicast */
252 #define AHLT_VCMX_802_6_FCS 0x5 /* VCMX: 802.6 FCS */
253 #define AHLT_LANE_802_5_MC 0x5 /* LANE: 802.5 multicast */
254 #define AHLT_VCMX_802_3 0x7 /* VCMX: 802.3 */
255 #define AHLT_VCMX_802_4 0x8 /* VCMX: 802.4 */
256 #define AHLT_VCMX_802_5 0x9 /* VCMX: 802.5 */
257 #define AHLT_VCMX_FDDI 0xa /* VCMX: FDDI */
258 #define AHLT_VCMX_802_6 0xb /* VCMX: 802.6 */
259 #define AHLT_VCMX_FRAGMENTS 0xc /* VCMX: Fragments */
260 #define AHLT_VCMX_BPDU 0xe /* VCMX: BPDU */
262 union pseudo_header {
264 struct ngsniffer_atm_phdr ngsniffer_atm;
265 struct ascend_phdr ascend;
273 union pseudo_header pseudo_header;
276 typedef void (*wtap_handler)(u_char*, const struct wtap_pkthdr*,
277 int, const u_char *);
280 struct bpf_instruction;
283 typedef int (*subtype_read_func)(struct wtap*, int*);
284 typedef struct wtap {
287 int fd; /* File descriptor for cap file */
290 struct Buffer *frame_buffer;
291 struct wtap_pkthdr phdr;
297 lanalyzer_t *lanalyzer;
298 ngsniffer_t *ngsniffer;
305 subtype_read_func subtype_read;
306 int file_encap; /* per-file, for those
307 file formats that have
308 per-file encapsulation
314 typedef int (*subtype_write_func)(struct wtap_dumper*,
315 const struct wtap_pkthdr*, const u_char*, int*);
316 typedef int (*subtype_close_func)(struct wtap_dumper*, int*);
317 typedef struct wtap_dumper {
323 subtype_write_func subtype_write;
324 subtype_close_func subtype_close;
328 * On failure, "wtap_open_offline()" returns NULL, and puts into the
329 * "int" pointed to by its second argument:
331 * a positive "errno" value if the capture file can't be opened;
333 * a negative number, indicating the type of error, on other failures.
335 wtap* wtap_open_offline(const char *filename, int *err);
336 int wtap_loop(wtap *wth, int, wtap_handler, u_char*, int*);
338 FILE* wtap_file(wtap *wth);
339 int wtap_fd(wtap *wth);
340 int wtap_snapshot_length(wtap *wth); /* per file */
341 int wtap_file_type(wtap *wth);
342 const char *wtap_file_type_string(wtap *wth);
343 const char *wtap_strerror(int err);
344 void wtap_close(wtap *wth);
345 int wtap_seek_read (int encaps, FILE *fh, int seek_off, guint8 *pd, int len);
346 int wtap_def_seek_read (FILE *fh, int seek_off, guint8 *pd, int len);
348 wtap_dumper* wtap_dump_open(const char *filename, int filetype, int encap,
349 int snaplen, int *err);
350 wtap_dumper* wtap_dump_fdopen(int fd, int filetype, int encap, int snaplen,
352 int wtap_dump(wtap_dumper *, const struct wtap_pkthdr *, const u_char *,
354 FILE* wtap_dump_file(wtap_dumper *);
355 int wtap_dump_close(wtap_dumper *, int *);
357 /* XXX - needed until "wiretap" can do live packet captures */
358 int wtap_pcap_encap_to_wtap_encap(int encap);
361 * Wiretap error codes.
363 #define WTAP_ERR_NOT_REGULAR_FILE -1
364 /* The file being opened for reading isn't a plain file */
365 #define WTAP_ERR_FILE_UNKNOWN_FORMAT -2
366 /* The file being opened is not a capture file in a known format */
367 #define WTAP_ERR_UNSUPPORTED -3
368 /* Supported file type, but there's something in the file we
370 #define WTAP_ERR_CANT_OPEN -4
371 /* The file couldn't be opened, reason unknown */
372 #define WTAP_ERR_UNSUPPORTED_FILE_TYPE -5
373 /* Wiretap can't save files in the specified format */
374 #define WTAP_ERR_UNSUPPORTED_ENCAP -6
375 /* Wiretap can't save files in the specified format with the
376 specified encapsulation */
377 #define WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED -7
378 /* The specified format doesn't support per-packet encapsulations */
379 #define WTAP_ERR_CANT_CLOSE -8
380 /* The file couldn't be closed, reason unknown */
381 #define WTAP_ERR_CANT_READ -9
382 /* An attempt to read failed, reason unknown */
383 #define WTAP_ERR_SHORT_READ -10
384 /* An attempt to read read less data than it should have */
385 #define WTAP_ERR_BAD_RECORD -11
386 /* We read an invalid record */
387 #define WTAP_ERR_SHORT_WRITE -12
388 /* An attempt to write wrote less data than it should have */
390 /* Pointer versions of ntohs and ntohl. Given a pointer to a member of a
391 * byte array, returns the value of the two or four bytes at the pointer.
392 * The pletoh[sl] versions return the little-endian representation.
396 #define pntohs(p) ((guint16) \
397 ((guint16)*((guint8 *)p+0)<<8| \
398 (guint16)*((guint8 *)p+1)<<0))
402 #define pntohl(p) ((guint32)*((guint8 *)p+0)<<24| \
403 (guint32)*((guint8 *)p+1)<<16| \
404 (guint32)*((guint8 *)p+2)<<8| \
405 (guint32)*((guint8 *)p+3)<<0)
409 #define phtons(p) ((guint16) \
410 ((guint16)*((guint8 *)p+0)<<8| \
411 (guint16)*((guint8 *)p+1)<<0))
415 #define phtonl(p) ((guint32)*((guint8 *)p+0)<<24| \
416 (guint32)*((guint8 *)p+1)<<16| \
417 (guint32)*((guint8 *)p+2)<<8| \
418 (guint32)*((guint8 *)p+3)<<0)
422 #define pletohs(p) ((guint16) \
423 ((guint16)*((guint8 *)p+1)<<8| \
424 (guint16)*((guint8 *)p+0)<<0))
428 #define pletohl(p) ((guint32)*((guint8 *)p+3)<<24| \
429 (guint32)*((guint8 *)p+2)<<16| \
430 (guint32)*((guint8 *)p+1)<<8| \
431 (guint32)*((guint8 *)p+0)<<0)
434 #endif /* __WTAP_H__ */