3 * $Id: wtap.h,v 1.117 2002/07/16 07:15:09 guy Exp $
6 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
26 /* Encapsulation types. Choose names that truly reflect
27 * what is contained in the packet trace file.
29 * WTAP_ENCAP_PER_PACKET is a value passed to "wtap_dump_open()" or
30 * "wtap_dump_fd_open()" to indicate that there is no single encapsulation
31 * type for all packets in the file; this may cause those routines to
32 * fail if the capture file format being written can't support that.
33 * It's also returned by "wtap_file_encap()" for capture files that
34 * don't have a single encapsulation type for all packets in the file.
36 * WTAP_ENCAP_UNKNOWN is returned by "wtap_pcap_encap_to_wtap_encap()"
37 * if it's handed an unknown encapsulation.
39 * WTAP_ENCAP_FDDI_BITSWAPPED is for FDDI captures on systems where the
40 * MAC addresses you get from the hardware are bit-swapped. Ideally,
41 * the driver would tell us that, but I know of none that do, so, for
42 * now, we base it on the machine on which we're *reading* the
43 * capture, rather than on the machine on which the capture was taken
44 * (they're probably likely to be the same). We assume that they're
45 * bit-swapped on everything except for systems running Ultrix, Alpha
46 * systems, and BSD/OS systems (that's what "tcpdump" does; I guess
47 * Digital decided to bit-swap addresses in the hardware or in the
48 * driver, and I guess BSDI bit-swapped them in the driver, given that
49 * BSD/OS generally runs on Boring Old PC's). If we create a wiretap
50 * save file format, we'd use the WTAP_ENCAP values to flag the
51 * encapsulation of a packet, so there we'd at least be able to base
52 * it on the machine on which the capture was taken.
54 * WTAP_ENCAP_LINUX_ATM_CLIP is the encapsulation you get with the
55 * ATM on Linux code from <http://linux-atm.sourceforge.net/>;
56 * that code adds a DLT_ATM_CLIP DLT_ code of 19, and that
57 * encapsulation isn't the same as the DLT_ATM_RFC1483 encapsulation
58 * presumably used on some BSD systems, which we turn into
59 * WTAP_ENCAP_ATM_RFC1483.
61 * WTAP_ENCAP_NULL corresponds to DLT_NULL from "libpcap". This
64 * 1) PPP-over-HDLC encapsulation, at least with some versions
65 * of ISDN4BSD (but not the current ones, it appears, unless
66 * I've missed something);
68 * 2) a 4-byte header containing the AF_ address family, in
69 * the byte order of the machine that saved the capture,
70 * for the packet, as used on many BSD systems for the
71 * loopback device and some other devices, or a 4-byte header
72 * containing the AF_ address family in network byte order,
73 * as used on recent OpenBSD systems for the loopback device;
75 * 3) a 4-byte header containing 2 octets of 0 and an Ethernet
76 * type in the byte order from an Ethernet header, that being
77 * what older versions of "libpcap" on Linux turn the Ethernet
78 * header for loopback interfaces into (0.6.0 and later versions
79 * leave the Ethernet header alone and make it DLT_EN10MB). */
80 #define WTAP_ENCAP_PER_PACKET -1
81 #define WTAP_ENCAP_UNKNOWN 0
82 #define WTAP_ENCAP_ETHERNET 1
83 #define WTAP_ENCAP_TOKEN_RING 2
84 #define WTAP_ENCAP_SLIP 3
85 #define WTAP_ENCAP_PPP 4
86 #define WTAP_ENCAP_FDDI 5
87 #define WTAP_ENCAP_FDDI_BITSWAPPED 6
88 #define WTAP_ENCAP_RAW_IP 7
89 #define WTAP_ENCAP_ARCNET 8
90 #define WTAP_ENCAP_ATM_RFC1483 9
91 #define WTAP_ENCAP_LINUX_ATM_CLIP 10
92 #define WTAP_ENCAP_LAPB 11
93 #define WTAP_ENCAP_ATM_SNIFFER 12
94 #define WTAP_ENCAP_NULL 13
95 #define WTAP_ENCAP_ASCEND 14
96 #define WTAP_ENCAP_LAPD 15
97 #define WTAP_ENCAP_V120 16
98 #define WTAP_ENCAP_PPP_WITH_PHDR 17
99 #define WTAP_ENCAP_IEEE_802_11 18
100 #define WTAP_ENCAP_IEEE_802_11_WITH_RADIO 19
101 #define WTAP_ENCAP_SLL 20
102 #define WTAP_ENCAP_FRELAY 21
103 #define WTAP_ENCAP_CHDLC 22
104 #define WTAP_ENCAP_CISCO_IOS 23
105 #define WTAP_ENCAP_LOCALTALK 24
106 #define WTAP_ENCAP_PRISM_HEADER 25
107 #define WTAP_ENCAP_PFLOG 26
108 #define WTAP_ENCAP_HHDLC 27
109 #define WTAP_ENCAP_DOCSIS 28
111 /* last WTAP_ENCAP_ value + 1 */
112 #define WTAP_NUM_ENCAP_TYPES 29
114 /* File types that can be read by wiretap.
115 We support writing some many of these file types, too, so we
116 distinguish between different versions of them. */
117 #define WTAP_FILE_UNKNOWN 0
118 #define WTAP_FILE_WTAP 1
119 #define WTAP_FILE_PCAP 2
120 #define WTAP_FILE_PCAP_SS990417 3
121 #define WTAP_FILE_PCAP_SS990915 4
122 #define WTAP_FILE_PCAP_SS991029 5
123 #define WTAP_FILE_PCAP_NOKIA 6
124 #define WTAP_FILE_PCAP_AIX 7
125 #define WTAP_FILE_LANALYZER 8
126 #define WTAP_FILE_NGSNIFFER_UNCOMPRESSED 9
127 #define WTAP_FILE_NGSNIFFER_COMPRESSED 10
128 #define WTAP_FILE_SNOOP 11
129 #define WTAP_FILE_IPTRACE_1_0 12
130 #define WTAP_FILE_IPTRACE_2_0 13
131 #define WTAP_FILE_NETMON_1_x 14
132 #define WTAP_FILE_NETMON_2_x 15
133 #define WTAP_FILE_NETXRAY_OLD 16
134 #define WTAP_FILE_NETXRAY_1_0 17
135 #define WTAP_FILE_NETXRAY_1_1 18
136 #define WTAP_FILE_NETXRAY_2_00x 19
137 #define WTAP_FILE_RADCOM 20
138 #define WTAP_FILE_ASCEND 21
139 #define WTAP_FILE_NETTL 22
140 #define WTAP_FILE_TOSHIBA 23
141 #define WTAP_FILE_I4BTRACE 24
142 #define WTAP_FILE_CSIDS 25
143 #define WTAP_FILE_PPPDUMP 26
144 #define WTAP_FILE_ETHERPEEK_V56 27
145 #define WTAP_FILE_ETHERPEEK_V7 28
146 #define WTAP_FILE_VMS 29
147 #define WTAP_FILE_DBS_ETHERWATCH 30
148 #define WTAP_FILE_VISUAL_NETWORKS 31
150 /* last WTAP_FILE_ value + 1 */
151 #define WTAP_NUM_FILE_TYPES 32
154 * Maximum packet size we'll support.
156 #define WTAP_MAX_PACKET_SIZE 65535
158 #ifdef HAVE_SYS_TYPES_H
159 #include <sys/types.h>
162 #ifdef HAVE_SYS_TIME_H
163 #include <sys/time.h>
166 #ifdef HAVE_WINSOCK2_H
167 #include <winsock2.h>
174 * "Pseudo-headers" are used to supply to the clients of wiretap
175 * per-packet information that's not part of the packet payload
178 * NOTE: do not use pseudo-header structures to hold information
179 * used by the code to read a particular capture file type; to
180 * keep that sort of state information, add a new structure for
181 * that private information to "wtap-int.h", add a pointer to that
182 * type of structure to the "capture" member of the "struct wtap"
183 * structure, and allocate one of those structures and set that member
184 * in the "open" routine for that capture file type if the open
185 * succeeds. See various other capture file type handlers for examples
189 /* Packet "pseudo-header" information for X.25 capture files. */
190 #define FROM_DCE 0x80
192 guint8 flags; /* ENCAP_LAPB, ENCAP_V120 : 1st bit means From DCE */
195 /* Packet "pseudo-header" for ATM capture files.
196 Not all of this information is supplied by all capture types. */
201 #define AAL_UNKNOWN 0 /* AAL unknown */
202 #define AAL_1 1 /* AAL1 */
203 #define AAL_2 2 /* AAL2 */
204 #define AAL_3_4 3 /* AAL3/4 */
205 #define AAL_5 4 /* AAL5 */
206 #define AAL_USER 5 /* User AAL */
207 #define AAL_SIGNALLING 6 /* Signaling AAL */
208 #define AAL_OAMCELL 7 /* OAM cell */
213 #define TRAF_UNKNOWN 0 /* Unknown */
214 #define TRAF_LLCMX 1 /* LLC multiplexed (RFC 1483) */
215 #define TRAF_VCMX 2 /* VC multiplexed (RFC 1483) */
216 #define TRAF_LANE 3 /* LAN Emulation */
217 #define TRAF_ILMI 4 /* ILMI */
218 #define TRAF_FR 5 /* Frame Relay */
219 #define TRAF_SPANS 6 /* FORE SPANS */
220 #define TRAF_IPSILON 7 /* Ipsilon */
225 #define TRAF_ST_UNKNOWN 0 /* Unknown */
230 #define TRAF_ST_VCMX_802_3_FCS 1 /* 802.3 with an FCS */
231 #define TRAF_ST_VCMX_802_4_FCS 2 /* 802.4 with an FCS */
232 #define TRAF_ST_VCMX_802_5_FCS 3 /* 802.5 with an FCS */
233 #define TRAF_ST_VCMX_FDDI_FCS 4 /* FDDI with an FCS */
234 #define TRAF_ST_VCMX_802_6_FCS 5 /* 802.6 with an FCS */
235 #define TRAF_ST_VCMX_802_3 7 /* 802.3 without an FCS */
236 #define TRAF_ST_VCMX_802_4 8 /* 802.4 without an FCS */
237 #define TRAF_ST_VCMX_802_5 9 /* 802.5 without an FCS */
238 #define TRAF_ST_VCMX_FDDI 10 /* FDDI without an FCS */
239 #define TRAF_ST_VCMX_802_6 11 /* 802.6 without an FCS */
240 #define TRAF_ST_VCMX_FRAGMENTS 12 /* Fragments */
241 #define TRAF_ST_VCMX_BPDU 13 /* BPDU */
246 #define TRAF_ST_LANE_LE_CTRL 1 /* LANE: LE Ctrl */
247 #define TRAF_ST_LANE_802_3 2 /* LANE: 802.3 */
248 #define TRAF_ST_LANE_802_5 3 /* LANE: 802.5 */
249 #define TRAF_ST_LANE_802_3_MC 4 /* LANE: 802.3 multicast */
250 #define TRAF_ST_LANE_802_5_MC 5 /* LANE: 802.5 multicast */
255 #define TRAF_ST_IPSILON_FT0 1 /* Ipsilon: Flow Type 0 */
256 #define TRAF_ST_IPSILON_FT1 2 /* Ipsilon: Flow Type 1 */
257 #define TRAF_ST_IPSILON_FT2 3 /* Ipsilon: Flow Type 2 */
260 guint8 aal; /* AAL of the traffic */
261 guint8 type; /* traffic type */
262 guint8 subtype; /* traffic subtype */
263 guint16 vpi; /* virtual path identifier */
264 guint16 vci; /* virtual circuit identifier */
265 guint16 channel; /* link: 0 for DCE, 1 for DTE */
266 guint16 cells; /* number of cells */
267 guint16 aal5t_u2u; /* user-to-user indicator */
268 guint16 aal5t_len; /* length of the packet */
269 guint32 aal5t_chksum; /* checksum for AAL5 packet */
272 /* Packet "pseudo-header" for the output from "wandsession", "wannext",
273 "wandisplay", and similar commands on Lucent/Ascend access equipment. */
275 #define ASCEND_MAX_STR_LEN 64
277 #define ASCEND_PFX_WDS_X 1
278 #define ASCEND_PFX_WDS_R 2
279 #define ASCEND_PFX_WDD 3
282 guint16 type; /* ASCEND_PFX_*, as defined above */
283 char user[ASCEND_MAX_STR_LEN]; /* Username, from wandsession header */
284 guint32 sess; /* Session number, from wandsession header */
285 char call_num[ASCEND_MAX_STR_LEN]; /* Called number, from WDD header */
286 guint32 chunk; /* Chunk number, from WDD header */
287 guint32 task; /* Task number */
290 /* Packet "pseudo-header" for point-to-point links with direction flags. */
292 gboolean sent; /* TRUE=sent, FALSE=received */
295 /* Packet "pseudo-header" information for 802.11 with radio information. */
296 struct ieee_802_11_phdr {
297 guint8 channel; /* Channel number */
298 guint8 data_rate; /* in .5 Mb/s units */
299 guint8 signal_level; /* percentage */
302 union wtap_pseudo_header {
305 struct ascend_phdr ascend;
307 struct ieee_802_11_phdr ieee_802_11;
317 typedef void (*wtap_handler)(u_char*, const struct wtap_pkthdr*,
318 long, union wtap_pseudo_header *pseudo_header, const u_char *);
324 typedef struct wtap wtap;
325 typedef struct wtap_dumper wtap_dumper;
328 * On failure, "wtap_open_offline()" returns NULL, and puts into the
329 * "int" pointed to by its second argument:
331 * a positive "errno" value if the capture file can't be opened;
333 * a negative number, indicating the type of error, on other failures.
335 struct wtap* wtap_open_offline(const char *filename, int *err, gboolean do_random);
337 /* Returns TRUE if entire loop-reading was successful. If read failure
338 * happened, FALSE is returned and err is set. */
339 gboolean wtap_loop(wtap *wth, int, wtap_handler, u_char*, int *err);
341 /* Returns TRUE if read was successful. FALSE if failure. data_offset is
342 * set the the offset in the file where the data for the read packet is
344 gboolean wtap_read(wtap *wth, int *err, long *data_offset);
346 struct wtap_pkthdr *wtap_phdr(wtap *wth);
347 union wtap_pseudo_header *wtap_pseudoheader(wtap *wth);
348 guint8 *wtap_buf_ptr(wtap *wth);
350 int wtap_fd(wtap *wth);
351 int wtap_snapshot_length(wtap *wth); /* per file */
352 int wtap_file_type(wtap *wth);
353 int wtap_file_encap(wtap *wth);
355 const char *wtap_file_type_string(int filetype);
356 const char *wtap_file_type_short_string(int filetype);
357 int wtap_short_string_to_file_type(const char *short_name);
359 const char *wtap_encap_string(int encap);
360 const char *wtap_encap_short_string(int encap);
361 int wtap_short_string_to_encap(const char *short_name);
363 const char *wtap_strerror(int err);
364 void wtap_sequential_close(wtap *wth);
365 void wtap_close(wtap *wth);
366 gboolean wtap_seek_read (wtap *wth, long seek_off,
367 union wtap_pseudo_header *pseudo_header, guint8 *pd, int len, int *err);
368 gboolean wtap_def_seek_read (wtap *wth, long seek_off,
369 union wtap_pseudo_header *pseudo_header, guint8 *pd, int len, int *err);
371 gboolean wtap_dump_can_open(int filetype);
372 gboolean wtap_dump_can_write_encap(int filetype, int encap);
373 wtap_dumper* wtap_dump_open(const char *filename, int filetype, int encap,
374 int snaplen, int *err);
375 wtap_dumper* wtap_dump_fdopen(int fd, int filetype, int encap, int snaplen,
377 gboolean wtap_dump(wtap_dumper *, const struct wtap_pkthdr *,
378 const union wtap_pseudo_header *pseudo_header, const u_char *, int *err);
379 FILE* wtap_dump_file(wtap_dumper *);
380 gboolean wtap_dump_close(wtap_dumper *, int *);
381 long wtap_get_bytes_dumped(wtap_dumper *);
382 void wtap_set_bytes_dumped(wtap_dumper *wdh, long bytes_dumped);
385 * Wiretap error codes.
387 #define WTAP_ERR_NOT_REGULAR_FILE -1
388 /* The file being opened for reading isn't a plain file (or pipe) */
389 #define WTAP_ERR_RANDOM_OPEN_PIPE -2
390 /* The file is being opened for random access and it's a pipe */
391 #define WTAP_ERR_FILE_UNKNOWN_FORMAT -3
392 /* The file being opened is not a capture file in a known format */
393 #define WTAP_ERR_UNSUPPORTED -4
394 /* Supported file type, but there's something in the file we
396 #define WTAP_ERR_CANT_WRITE_TO_PIPE -5
397 /* Wiretap can't save to a pipe in the specified format */
398 #define WTAP_ERR_CANT_OPEN -6
399 /* The file couldn't be opened, reason unknown */
400 #define WTAP_ERR_UNSUPPORTED_FILE_TYPE -7
401 /* Wiretap can't save files in the specified format */
402 #define WTAP_ERR_UNSUPPORTED_ENCAP -8
403 /* Wiretap can't read or save files in the specified format with the
404 specified encapsulation */
405 #define WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED -9
406 /* The specified format doesn't support per-packet encapsulations */
407 #define WTAP_ERR_CANT_CLOSE -10
408 /* The file couldn't be closed, reason unknown */
409 #define WTAP_ERR_CANT_READ -11
410 /* An attempt to read failed, reason unknown */
411 #define WTAP_ERR_SHORT_READ -12
412 /* An attempt to read read less data than it should have */
413 #define WTAP_ERR_BAD_RECORD -13
414 /* We read an invalid record */
415 #define WTAP_ERR_SHORT_WRITE -14
416 /* An attempt to write wrote less data than it should have */
417 #define WTAP_ERR_UNC_TRUNCATED -15
418 /* Sniffer compressed data was oddly truncated */
419 #define WTAP_ERR_UNC_OVERFLOW -16
420 /* Uncompressing Sniffer data would overflow buffer */
421 #define WTAP_ERR_UNC_BAD_OFFSET -17
422 /* LZ77 compressed data has bad offset to string */
424 /* Errors from zlib; zlib error Z_xxx turns into Wiretap error
425 WTAP_ERR_ZLIB + Z_xxx.
427 WTAP_ERR_ZLIB_MIN and WTAP_ERR_ZLIB_MAX bound the range of zlib
428 errors; we leave room for 100 positive and 100 negative error
431 #define WTAP_ERR_ZLIB -200
432 #define WTAP_ERR_ZLIB_MAX -100
433 #define WTAP_ERR_ZLIB_MIN -300
436 #endif /* __WTAP_H__ */