3 * $Id: wtap.h,v 1.59 1999/12/14 01:12:59 nneul Exp $
6 * Copyright (c) 1998 by Gilbert Ramirez <gram@verdict.uthscsa.edu>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
27 /* Encapsulation types. Choose names that truly reflect
28 * what is contained in the packet trace file.
30 * WTAP_ENCAP_PER_PACKET is a value passed to "wtap_dump_open()" or
31 * "wtap_dump_fd_open()" to indicate that there is no single encapsulation
32 * type for all packets in the file; this may cause those routines to
33 * fail if the capture file format being written can't support that.
34 * It's also returned by "wtap_file_encap()" for capture files that
35 * don't have a single encapsulation type for all packets in the file.
37 * WTAP_ENCAP_UNKNOWN is returned by "wtap_pcap_encap_to_wtap_encap()"
38 * if it's handed an unknown encapsulation.
40 * WTAP_ENCAP_FDDI_BITSWAPPED is for FDDI captures on systems where the
41 * MAC addresses you get from the hardware are bit-swapped. Ideally,
42 * the driver would tell us that, but I know of none that do, so, for
43 * now, we base it on the machine on which we're *reading* the
44 * capture, rather than on the machine on which the capture was taken
45 * (they're probably likely to be the same). We assume that they're
46 * bit-swapped on everything except for systems running Ultrix, Alpha
47 * systems, and BSD/OS systems (that's what "tcpdump" does; I guess
48 * Digital decided to bit-swap addresses in the hardware or in the
49 * driver, and I guess BSDI bit-swapped them in the driver, given that
50 * BSD/OS generally runs on Boring Old PC's). If we create a wiretap
51 * save file format, we'd use the WTAP_ENCAP values to flag the
52 * encapsulation of a packet, so there we'd at least be able to base
53 * it on the machine on which the capture was taken.
55 * WTAP_ENCAP_LINUX_ATM_CLIP is the encapsulation you get with the
56 * ATM on Linux code from <http://lrcwww.epfl.ch/linux-atm/>;
57 * that code adds a DLT_ATM_CLIP DLT_ code of 19, and that
58 * encapsulation isn't the same as the DLT_ATM_RFC1483 encapsulation
59 * presumably used on some BSD systems, which we turn into
60 * WTAP_ENCAP_ATM_RFC1483.
62 * WTAP_ENCAP_NULL corresponds to DLT_NULL from "libpcap". This
65 * 1) PPP-over-HDLC encapsulation, at least with some versions
66 * of ISDN4BSD (but not the current ones, it appears, unless
67 * I've missed something);
69 * 2) a 4-byte header containing the AF_ address family, in
70 * the byte order of the machine that saved the capture,
71 * for the packet, as used on many BSD systems for the
72 * loopback device and some other devices;
74 * 3) a 4-byte header containing 2 octets of 0 and an Ethernet
75 * type in the byte order from an Ethernet header, that being
76 * what "libpcap" on Linux turns the Ethernet header for
77 * loopback interfaces into. */
78 #define WTAP_ENCAP_PER_PACKET -1
79 #define WTAP_ENCAP_UNKNOWN 0
80 #define WTAP_ENCAP_ETHERNET 1
81 #define WTAP_ENCAP_TR 2
82 #define WTAP_ENCAP_SLIP 3
83 #define WTAP_ENCAP_PPP 4
84 #define WTAP_ENCAP_FDDI 5
85 #define WTAP_ENCAP_FDDI_BITSWAPPED 6
86 #define WTAP_ENCAP_RAW_IP 7
87 #define WTAP_ENCAP_ARCNET 8
88 #define WTAP_ENCAP_ATM_RFC1483 9
89 #define WTAP_ENCAP_LINUX_ATM_CLIP 10
90 #define WTAP_ENCAP_LAPB 11
91 #define WTAP_ENCAP_ATM_SNIFFER 12
92 #define WTAP_ENCAP_NULL 13
93 #define WTAP_ENCAP_ASCEND 14
94 #define WTAP_ENCAP_LAPD 15
95 #define WTAP_ENCAP_V120 16
97 /* last WTAP_ENCAP_ value + 1 */
98 #define WTAP_NUM_ENCAP_TYPES 17
100 /* File types that can be read by wiretap.
101 We may eventually support writing some or all of these file types,
102 too, so we distinguish between different versions of them. */
103 #define WTAP_FILE_UNKNOWN 0
104 #define WTAP_FILE_WTAP 1
105 #define WTAP_FILE_PCAP 2
106 #define WTAP_FILE_PCAP_MODIFIED 3
107 #define WTAP_FILE_PCAP_RH_6_1 4
108 #define WTAP_FILE_LANALYZER 5
109 #define WTAP_FILE_NGSNIFFER 6
110 #define WTAP_FILE_SNOOP 7
111 #define WTAP_FILE_IPTRACE_1_0 8
112 #define WTAP_FILE_IPTRACE_2_0 9
113 #define WTAP_FILE_NETMON_1_x 10
114 #define WTAP_FILE_NETMON_2_x 11
115 #define WTAP_FILE_NETXRAY_1_0 12
116 #define WTAP_FILE_NETXRAY_1_1 13
117 #define WTAP_FILE_NETXRAY_2_001 14
118 #define WTAP_FILE_RADCOM 15
119 #define WTAP_FILE_ASCEND 16
120 #define WTAP_FILE_NETTL 17
121 #define WTAP_FILE_TOSHIBA 18
122 #define WTAP_FILE_I4BTRACE 19
124 /* last WTAP_FILE_ value + 1 */
125 #define WTAP_NUM_FILE_TYPES 20
128 * Maximum packet size we'll support.
130 #define WTAP_MAX_PACKET_SIZE 65535
132 #include <sys/types.h>
134 #ifdef HAVE_SYS_TIME_H
135 #include <sys/time.h>
138 #ifdef HAVE_WINSOCK_H
147 #define FILE_T gzFile
149 #define FILE_T FILE *
150 #endif /* HAVE_LIBZ */
164 int bchannel_prot[2]; /* For the V.120 heuristic */
176 gboolean byte_swapped;
178 guint16 version_major;
179 guint16 version_minor;
185 guint8 version_major;
186 guint32 *frame_table;
194 double start_timestamp;
206 /* Packet "pseudo-header" information for X.25 capture files. */
208 guint8 flags; /* ENCAP_LAPB : 1st bit means From DCE */
211 /* Packet "pseudo-header" for ATM Sniffer capture files. */
212 struct ngsniffer_atm_phdr {
213 guint8 AppTrafType; /* traffic type */
214 guint8 AppHLType; /* protocol type */
215 guint16 Vpi; /* virtual path identifier */
216 guint16 Vci; /* virtual circuit identifier */
217 guint16 channel; /* link: 0 for DCE, 1 for DTE */
218 guint16 cells; /* number of cells */
219 guint16 aal5t_u2u; /* user-to-user indicator */
220 guint16 aal5t_len; /* length of the packet */
221 guint32 aal5t_chksum; /* checksum for AAL5 packet */
224 /* Packet "pseudo-header" for the output from "wandsession", "wannext",
225 "wandisplay", and similar commands on Lucent/Ascend access equipment. */
227 #define ASCEND_MAX_STR_LEN 64
229 #define ASCEND_PFX_WDS_X 1
230 #define ASCEND_PFX_WDS_R 2
231 #define ASCEND_PFX_WDD 3
234 guint16 type; /* ASCEND_PFX_*, as defined above */
235 char user[ASCEND_MAX_STR_LEN]; /* Username, from wandsession header */
236 guint32 sess; /* Session number, from wandsession header */
237 char call_num[ASCEND_MAX_STR_LEN]; /* Called number, from WDD header */
238 guint32 chunk; /* Chunk number, from WDD header */
239 guint32 task; /* Task number */
242 /* Packet "pseudo-header" information for LAPD capture files. */
244 gboolean from_network_to_user;
248 * Bits in AppTrafType.
250 * For AAL types other than AAL5, the packet data is presumably for a
251 * single cell, not a reassembled frame, as the ATM Sniffer manual says
252 * it dosn't reassemble cells other than AAL5 cells.
254 #define ATT_AALTYPE 0x0F /* AAL type: */
255 #define ATT_AAL_UNKNOWN 0x00 /* Unknown AAL */
256 #define ATT_AAL1 0x01 /* AAL1 */
257 #define ATT_AAL3_4 0x02 /* AAL3/4 */
258 #define ATT_AAL5 0x03 /* AAL5 */
259 #define ATT_AAL_USER 0x04 /* User AAL */
260 #define ATT_AAL_SIGNALLING 0x05 /* Signaling AAL */
261 #define ATT_OAMCELL 0x06 /* OAM cell */
263 #define ATT_HLTYPE 0xF0 /* Higher-layer type: */
264 #define ATT_HL_UNKNOWN 0x00 /* unknown */
265 #define ATT_HL_LLCMX 0x10 /* LLC multiplexed (probably RFC 1483) */
266 #define ATT_HL_VCMX 0x20 /* VC multiplexed (probably RFC 1483) */
267 #define ATT_HL_LANE 0x30 /* LAN Emulation */
268 #define ATT_HL_ILMI 0x40 /* ILMI */
269 #define ATT_HL_FRMR 0x50 /* Frame Relay */
270 #define ATT_HL_SPANS 0x60 /* FORE SPANS */
271 #define ATT_HL_IPSILON 0x70 /* Ipsilon */
274 * Values for AppHLType; the interpretation depends on the ATT_HLTYPE
275 * bits in AppTrafType.
277 #define AHLT_UNKNOWN 0x0
278 #define AHLT_VCMX_802_3_FCS 0x1 /* VCMX: 802.3 FCS */
279 #define AHLT_LANE_LE_CTRL 0x1 /* LANE: LE Ctrl */
280 #define AHLT_IPSILON_FT0 0x1 /* Ipsilon: Flow Type 0 */
281 #define AHLT_VCMX_802_4_FCS 0x2 /* VCMX: 802.4 FCS */
282 #define AHLT_LANE_802_3 0x2 /* LANE: 802.3 */
283 #define AHLT_IPSILON_FT1 0x2 /* Ipsilon: Flow Type 1 */
284 #define AHLT_VCMX_802_5_FCS 0x3 /* VCMX: 802.5 FCS */
285 #define AHLT_LANE_802_5 0x3 /* LANE: 802.5 */
286 #define AHLT_IPSILON_FT2 0x3 /* Ipsilon: Flow Type 2 */
287 #define AHLT_VCMX_FDDI_FCS 0x4 /* VCMX: FDDI FCS */
288 #define AHLT_LANE_802_3_MC 0x4 /* LANE: 802.3 multicast */
289 #define AHLT_VCMX_802_6_FCS 0x5 /* VCMX: 802.6 FCS */
290 #define AHLT_LANE_802_5_MC 0x5 /* LANE: 802.5 multicast */
291 #define AHLT_VCMX_802_3 0x7 /* VCMX: 802.3 */
292 #define AHLT_VCMX_802_4 0x8 /* VCMX: 802.4 */
293 #define AHLT_VCMX_802_5 0x9 /* VCMX: 802.5 */
294 #define AHLT_VCMX_FDDI 0xa /* VCMX: FDDI */
295 #define AHLT_VCMX_802_6 0xb /* VCMX: 802.6 */
296 #define AHLT_VCMX_FRAGMENTS 0xc /* VCMX: Fragments */
297 #define AHLT_VCMX_BPDU 0xe /* VCMX: BPDU */
299 union pseudo_header {
301 struct ngsniffer_atm_phdr ngsniffer_atm;
302 struct ascend_phdr ascend;
303 struct lapd_phdr lapd;
311 union pseudo_header pseudo_header;
314 typedef void (*wtap_handler)(u_char*, const struct wtap_pkthdr*,
315 int, const u_char *);
320 typedef int (*subtype_read_func)(struct wtap*, int*);
321 typedef struct wtap {
323 int fd; /* File descriptor for cap file */
326 struct Buffer *frame_buffer;
327 struct wtap_pkthdr phdr;
333 lanalyzer_t *lanalyzer;
334 ngsniffer_t *ngsniffer;
336 i4btrace_t *i4btrace;
343 subtype_read_func subtype_read;
344 int file_encap; /* per-file, for those
345 file formats that have
346 per-file encapsulation
352 typedef gboolean (*subtype_write_func)(struct wtap_dumper*,
353 const struct wtap_pkthdr*, const u_char*, int*);
354 typedef gboolean (*subtype_close_func)(struct wtap_dumper*, int*);
357 gboolean first_frame;
362 gboolean first_frame;
367 gboolean got_first_record_time;
368 struct timeval first_record_time;
369 guint32 frame_table_offset;
370 guint32 *frame_table;
371 int frame_table_index;
372 int frame_table_size;
375 typedef struct wtap_dumper {
383 ngsniffer_dump_t *ngsniffer;
384 netmon_dump_t *netmon;
385 netxray_dump_t *netxray;
388 subtype_write_func subtype_write;
389 subtype_close_func subtype_close;
393 * On failure, "wtap_open_offline()" returns NULL, and puts into the
394 * "int" pointed to by its second argument:
396 * a positive "errno" value if the capture file can't be opened;
398 * a negative number, indicating the type of error, on other failures.
400 wtap* wtap_open_offline(const char *filename, int *err);
401 int wtap_loop(wtap *wth, int, wtap_handler, u_char*, int*);
403 FILE* wtap_file(wtap *wth);
404 int wtap_fd(wtap *wth);
405 int wtap_snapshot_length(wtap *wth); /* per file */
406 int wtap_file_type(wtap *wth);
407 int wtap_file_encap(wtap *wth);
409 const char *wtap_file_type_string(int filetype);
410 const char *wtap_file_type_short_string(int filetype);
411 int wtap_short_string_to_file_type(const char *short_name);
413 const char *wtap_encap_string(int encap);
414 const char *wtap_encap_short_string(int encap);
415 int wtap_short_string_to_encap(const char *short_name);
417 const char *wtap_strerror(int err);
418 void wtap_close(wtap *wth);
419 int wtap_seek_read (int file_type, FILE *fh, int seek_off, guint8 *pd, int len);
420 int wtap_def_seek_read (FILE *fh, int seek_off, guint8 *pd, int len);
422 gboolean wtap_dump_can_open(int filetype);
423 gboolean wtap_dump_can_write_encap(int filetype, int encap);
424 wtap_dumper* wtap_dump_open(const char *filename, int filetype, int encap,
425 int snaplen, int *err);
426 wtap_dumper* wtap_dump_fdopen(int fd, int filetype, int encap, int snaplen,
428 gboolean wtap_dump(wtap_dumper *, const struct wtap_pkthdr *, const u_char *,
430 FILE* wtap_dump_file(wtap_dumper *);
431 gboolean wtap_dump_close(wtap_dumper *, int *);
433 /* XXX - needed until "wiretap" can do live packet captures */
434 int wtap_pcap_encap_to_wtap_encap(int encap);
437 * Wiretap error codes.
439 #define WTAP_ERR_NOT_REGULAR_FILE -1
440 /* The file being opened for reading isn't a plain file */
441 #define WTAP_ERR_FILE_UNKNOWN_FORMAT -2
442 /* The file being opened is not a capture file in a known format */
443 #define WTAP_ERR_UNSUPPORTED -3
444 /* Supported file type, but there's something in the file we
446 #define WTAP_ERR_CANT_OPEN -4
447 /* The file couldn't be opened, reason unknown */
448 #define WTAP_ERR_UNSUPPORTED_FILE_TYPE -5
449 /* Wiretap can't save files in the specified format */
450 #define WTAP_ERR_UNSUPPORTED_ENCAP -6
451 /* Wiretap can't save files in the specified format with the
452 specified encapsulation */
453 #define WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED -7
454 /* The specified format doesn't support per-packet encapsulations */
455 #define WTAP_ERR_CANT_CLOSE -8
456 /* The file couldn't be closed, reason unknown */
457 #define WTAP_ERR_CANT_READ -9
458 /* An attempt to read failed, reason unknown */
459 #define WTAP_ERR_SHORT_READ -10
460 /* An attempt to read read less data than it should have */
461 #define WTAP_ERR_BAD_RECORD -11
462 /* We read an invalid record */
463 #define WTAP_ERR_SHORT_WRITE -12
464 /* An attempt to write wrote less data than it should have */
466 /* Errors from zlib; zlib error Z_xxx turns into Wiretap error
467 WTAP_ERR_ZLIB + Z_xxx.
469 WTAP_ERR_ZLIB_MIN and WTAP_ERR_ZLIB_MAX bound the range of zlib
470 errors; we leave room for 100 positive and 100 negative error
473 #define WTAP_ERR_ZLIB -200
474 #define WTAP_ERR_ZLIB_MAX -100
475 #define WTAP_ERR_ZLIB_MIN -300
477 /* Turn host-byte-order values into little-endian values. */
478 #ifdef WORDS_BIGENDIAN
479 #define htoles(s) ((guint16) \
480 ((guint16)((s) & 0x00FF)<<8| \
481 (guint16)((s) & 0xFF00)>>8))
483 #define htolel(l) ((guint32)((l) & 0x000000FF)<<24| \
484 (guint32)((l) & 0x0000FF00)<<8| \
485 (guint32)((l) & 0x00FF0000)>>8| \
486 (guint32)((l) & 0xFF000000)>>24)
488 #define htoles(s) (s)
489 #define htolel(l) (l)
492 /* Pointer versions of ntohs and ntohl. Given a pointer to a member of a
493 * byte array, returns the value of the two or four bytes at the pointer.
494 * The pletoh[sl] versions return the little-endian representation.
498 #define pntohs(p) ((guint16) \
499 ((guint16)*((guint8 *)p+0)<<8| \
500 (guint16)*((guint8 *)p+1)<<0))
504 #define pntohl(p) ((guint32)*((guint8 *)p+0)<<24| \
505 (guint32)*((guint8 *)p+1)<<16| \
506 (guint32)*((guint8 *)p+2)<<8| \
507 (guint32)*((guint8 *)p+3)<<0)
511 #define phtons(p) ((guint16) \
512 ((guint16)*((guint8 *)p+0)<<8| \
513 (guint16)*((guint8 *)p+1)<<0))
517 #define phtonl(p) ((guint32)*((guint8 *)p+0)<<24| \
518 (guint32)*((guint8 *)p+1)<<16| \
519 (guint32)*((guint8 *)p+2)<<8| \
520 (guint32)*((guint8 *)p+3)<<0)
524 #define pletohs(p) ((guint16) \
525 ((guint16)*((guint8 *)p+1)<<8| \
526 (guint16)*((guint8 *)p+0)<<0))
530 #define pletohl(p) ((guint32)*((guint8 *)p+3)<<24| \
531 (guint32)*((guint8 *)p+2)<<16| \
532 (guint32)*((guint8 *)p+1)<<8| \
533 (guint32)*((guint8 *)p+0)<<0)
536 #endif /* __WTAP_H__ */