/* libpcap.c
*
- * $Id: libpcap.c,v 1.47 2001/03/11 02:51:05 guy Exp $
+ * $Id: libpcap.c,v 1.119 2004/03/23 01:02:41 guy Exp $
*
* Wiretap Library
- * Copyright (c) 1998 by Gilbert Ramirez <gram@xiexie.org>
- *
+ * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
+ *
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
- *
+ *
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
- *
+ *
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- *
*/
+
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
+
+#ifdef HAVE_PCAP_H
+#include <pcap.h>
+#endif
+
#include <stdlib.h>
+#include <string.h>
#include <errno.h>
#include "wtap-int.h"
#include "file_wrappers.h"
#include "buffer.h"
+#include "atm.h"
#include "libpcap.h"
+#ifdef HAVE_PCAP_H
+# ifdef HAVE_SYS_TYPES_H
+# include <sys/types.h>
+# endif
+#include "wtap-capture.h"
+#endif
+
+/*
+ * The link-layer header on SunATM packets.
+ */
+struct sunatm_hdr {
+ guint8 flags; /* destination and traffic type */
+ guint8 vpi; /* VPI */
+ guint16 vci; /* VCI */
+};
+
+/*
+ * The link-layer header on Nokia IPSO ATM packets.
+ */
+struct nokiaatm_hdr {
+ guint8 flags; /* destination */
+ guint8 vpi; /* VPI */
+ guint16 vci; /* VCI */
+};
+
+/*
+ * The fake link-layer header of IrDA packets as introduced by Jean Tourrilhes
+ * to libpcap.
+ */
+struct irda_sll_hdr {
+ guint16 sll_pkttype; /* packet type */
+ guint8 unused[12]; /* usused SLL header fields */
+ guint16 sll_protocol; /* protocol, should be 0x0017 */
+};
+
/* See source to the "libpcap" library for information on the "libpcap"
file format. */
#define BIT_SWAPPED_MAC_ADDRS
#endif
-
/* Try to read the first two records of the capture file. */
typedef enum {
THIS_FORMAT, /* the reads succeeded, assume it's this format */
} libpcap_try_t;
static libpcap_try_t libpcap_try(wtap *wth, int *err);
-static gboolean libpcap_read(wtap *wth, int *err, int *data_offset);
-static int libpcap_read_header(wtap *wth, int *err,
- struct pcaprec_ss990915_hdr *hdr, gboolean silent);
+static gboolean libpcap_read(wtap *wth, int *err, gchar **err_info,
+ long *data_offset);
+static gboolean libpcap_seek_read(wtap *wth, long seek_off,
+ union wtap_pseudo_header *pseudo_header, guchar *pd, int length,
+ int *err, gchar **err_info);
+static int libpcap_read_header(wtap *wth, int *err, gchar **err_info,
+ struct pcaprec_ss990915_hdr *hdr);
static void adjust_header(wtap *wth, struct pcaprec_hdr *hdr);
+static void libpcap_get_sunatm_pseudoheader(const struct sunatm_hdr *atm_phdr,
+ union wtap_pseudo_header *pseudo_header);
+static gboolean libpcap_read_sunatm_pseudoheader(FILE_T fh,
+ union wtap_pseudo_header *pseudo_header, int *err);
+static gboolean libpcap_read_nokiaatm_pseudoheader(FILE_T fh,
+ union wtap_pseudo_header *pseudo_header, int *err);
+static gboolean libpcap_get_irda_pseudoheader(const struct irda_sll_hdr *irda_phdr,
+ union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info);
+static gboolean libpcap_read_irda_pseudoheader(FILE_T fh,
+ union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info);
+static gboolean libpcap_read_rec_data(FILE_T fh, guchar *pd, int length,
+ int *err);
static void libpcap_close(wtap *wth);
static gboolean libpcap_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
- const union wtap_pseudo_header *pseudo_header, const u_char *pd, int *err);
+ const union wtap_pseudo_header *pseudo_header, const guchar *pd, int *err);
/*
* Either LBL NRG wasn't an adequate central registry (e.g., because of
* using them are foreign, and we don't hazard a guess as to which
* platform they came from; we could, I guess, choose the most likely
* platform).
+ *
+ * Note: if you need a new encapsulation type for libpcap files, do
+ * *N*O*T* use *ANY* of the values listed here! I.e., do *NOT*
+ * add a new encapsulation type by changing an existing entry;
+ * leave the existing entries alone.
+ *
+ * Instead, send mail to tcpdump-workers@tcpdump.org, asking for a new
+ * DLT_ value, and specifying the purpose of the new value. When you
+ * get the new DLT_ value, use that numerical value in the "dlt_value"
+ * field of "pcap_to_wtap_map[]".
*/
-#ifdef HAVE_PCAP_H
-#include <pcap.h>
-#endif
-
static const struct {
int dlt_value;
int wtap_encap_value;
{ 10, WTAP_ENCAP_FDDI },
#endif
+ /*
+ * 50 is DLT_PPP_SERIAL in NetBSD; it appears that DLT_PPP
+ * on BSD (at least according to standard tcpdump) has, as
+ * the first octet, an indication of whether the packet was
+ * transmitted or received (rather than having the standard
+ * PPP address value of 0xff), but that DLT_PPP_SERIAL puts
+ * a real live PPP header there, or perhaps a Cisco PPP header
+ * as per section 4.3.1 of RFC 1547 (implementations of this
+ * exist in various BSDs in "sys/net/if_spppsubr.c", and
+ * I think also exist either in standard Linux or in
+ * various Linux patches; the implementations show how to handle
+ * Cisco keepalive packets).
+ *
+ * However, I don't see any obvious place in FreeBSD "if_ppp.c"
+ * where anything other than the standard PPP header would be
+ * passed up. I see some stuff that sets the first octet
+ * to 0 for incoming and 1 for outgoing packets before applying
+ * a BPF filter to see whether to drop packets whose protocol
+ * field has the 0x8000 bit set, i.e. network control protocols -
+ * those are handed up to userland - but that code puts the
+ * address field back before passing the packet up.
+ *
+ * I also don't see anything immediately obvious that munges
+ * the address field for sync PPP, either.
+ *
+ * Ethereal currently assumes that if the first octet of a
+ * PPP frame is 0xFF, it's the address field and is followed
+ * by a control field and a 2-byte protocol, otherwise the
+ * address and control fields are absent and the frame begins
+ * with a protocol field. If we ever see a BSD/OS PPP
+ * capture, we'll have to handle it differently, and we may
+ * have to handle standard BSD captures differently if, in fact,
+ * they don't have 0xff 0x03 as the first two bytes - but, as per
+ * the two paragraphs preceding this, it's not clear that
+ * the address field *is* munged into an incoming/outgoing
+ * field when the packet is handed to the BPF device.
+ *
+ * For now, we just map DLT_PPP_SERIAL to WTAP_ENCAP_PPP, as
+ * we treat WTAP_ENCAP_PPP packets as if those beginning with
+ * 0xff have the standard RFC 1662 "PPP in HDLC-like Framing"
+ * 0xff 0x03 address/control header, and DLT_PPP_SERIAL frames
+ * appear to contain that unless they're Cisco frames (if we
+ * ever see a capture with them, we'd need to implement the
+ * RFC 1547 stuff, and the keepalive protocol stuff).
+ *
+ * We may have to distinguish between "PPP where if it doesn't
+ * begin with 0xff there's no HDLC encapsulation and the frame
+ * begins with the protocol field" (which is how we handle
+ * WTAP_ENCAP_PPP now) and "PPP where there's either HDLC
+ * encapsulation or Cisco PPP" (which is what DLT_PPP_SERIAL
+ * is) at some point.
+ *
+ * XXX - NetBSD has DLT_HDLC, which appears to be used for
+ * Cisco HDLC. Ideally, they should use DLT_PPP_SERIAL
+ * only for real live HDLC-encapsulated PPP, not for Cisco
+ * HDLC.
+ */
+ { 50, WTAP_ENCAP_PPP },
+
+ /*
+ * Apparently used by the Axent Raptor firewall (now Symantec
+ * Enterprise Firewall).
+ * Thanks, Axent, for not reserving that type with tcpdump.org
+ * and not telling anybody about it.
+ */
+ { 99, WTAP_ENCAP_SYMANTEC },
+
+ /*
+ * These are the values that libpcap 0.5 and later use in
+ * capture file headers, in an attempt to work around the
+ * confusion decried above, and that Wiretap and Ethereal
+ * currently support.
+ */
+ { 100, WTAP_ENCAP_ATM_RFC1483 },
+ { 101, WTAP_ENCAP_RAW_IP },
+#if 0
+ /*
+ * More values used by libpcap 0.5 as DLT_ values and used by the
+ * current CVS version of libpcap in capture file headers.
+ * They are not yet handled in Ethereal.
+ * If we get a capture that contains them, we'll implement them.
+ */
+ { 102, WTAP_ENCAP_SLIP_BSDOS },
+ { 103, WTAP_ENCAP_PPP_BSDOS },
+#endif
+
+ /*
+ * These ones are handled in Ethereal, though.
+ */
+ { 104, WTAP_ENCAP_CHDLC }, /* Cisco HDLC */
+ { 105, WTAP_ENCAP_IEEE_802_11 }, /* IEEE 802.11 */
+ { 106, WTAP_ENCAP_LINUX_ATM_CLIP },
+ { 107, WTAP_ENCAP_FRELAY }, /* Frame Relay */
+ { 108, WTAP_ENCAP_NULL }, /* OpenBSD loopback */
+ { 109, WTAP_ENCAP_ENC }, /* OpenBSD IPSEC enc */
+#if 0
+ { 110, WTAP_ENCAP_LANE_802_3 },/* ATM LANE 802.3 */
+ { 111, WTAP_ENCAP_HIPPI }, /* NetBSD HIPPI */
+#endif
+ { 112, WTAP_ENCAP_CHDLC }, /* NetBSD HDLC framing */
+
+ /*
+ * Linux "cooked mode" captures, used by the current CVS version
+ * of libpcap.
+ */
+ { 113, WTAP_ENCAP_SLL }, /* Linux cooked capture */
+
+ { 114, WTAP_ENCAP_LOCALTALK }, /* Localtalk */
+
+ /*
+ * The tcpdump.org version of libpcap uses 117, rather than 17,
+ * for OpenBSD packet filter logging, so as to avoid conflicting
+ * with DLT_LANE8023 in SuSE 6.3 libpcap.
+ */
+ { 117, WTAP_ENCAP_PFLOG },
+
+ { 118, WTAP_ENCAP_CISCO_IOS },
+ { 119, WTAP_ENCAP_PRISM_HEADER }, /* Prism monitor mode hdr */
+ { 121, WTAP_ENCAP_HHDLC }, /* HiPath HDLC */
+ { 122, WTAP_ENCAP_IP_OVER_FC }, /* RFC 2625 IP-over-FC */
+ { 123, WTAP_ENCAP_ATM_PDUS }, /* SunATM */
+ { 127, WTAP_ENCAP_IEEE_802_11_WLAN_BSD }, /* 802.11 plus BSD WLAN header */
+ { 128, WTAP_ENCAP_TZSP }, /* Tazmen Sniffer Protocol */
+ { 129, WTAP_ENCAP_ARCNET_LINUX },
+
+ /*
+ * Values 130 through 137 are reserved for use in Juniper
+ * hardware.
+ */
+
+ { 138, WTAP_ENCAP_APPLE_IP_OVER_IEEE1394 },
+ /* Apple IP-over-IEEE 1394 */
+
+ /* 139 is reserved for SS7 */
+
+ { 140, WTAP_ENCAP_MTP2 },
+ { 141, WTAP_ENCAP_MTP3 },
+ { 143, WTAP_ENCAP_DOCSIS },
+ { 144, WTAP_ENCAP_IRDA }, /* IrDA capture */
+
+ /* Reserved for private use. */
+ { 147, WTAP_ENCAP_USER0 },
+ { 148, WTAP_ENCAP_USER1 },
+ { 149, WTAP_ENCAP_USER2 },
+ { 150, WTAP_ENCAP_USER3 },
+ { 151, WTAP_ENCAP_USER4 },
+ { 152, WTAP_ENCAP_USER5 },
+ { 153, WTAP_ENCAP_USER6 },
+ { 154, WTAP_ENCAP_USER7 },
+ { 155, WTAP_ENCAP_USER8 },
+ { 156, WTAP_ENCAP_USER9 },
+ { 157, WTAP_ENCAP_USER10 },
+ { 158, WTAP_ENCAP_USER11 },
+ { 159, WTAP_ENCAP_USER12 },
+ { 160, WTAP_ENCAP_USER13 },
+ { 161, WTAP_ENCAP_USER14 },
+ { 162, WTAP_ENCAP_USER15 },
+
+ { 163, WTAP_ENCAP_IEEE_802_11_WLAN_AVS }, /* 802.11 plus AVS WLAN header */
+
+ /*
+ * 164 is reserved for Juniper-private chassis-internal
+ * meta-information such as QoS profiles, etc..
+ */
+
+ /*
+ * To repeat:
+ *
+ * If you need a new encapsulation type for libpcap files, do
+ * *N*O*T* use *ANY* of the values listed here! I.e., do *NOT*
+ * add a new encapsulation type by changing an existing entry;
+ * leave the existing entries alone.
+ *
+ * Instead, send mail to tcpdump-workers@tcpdump.org, asking for
+ * a new DLT_ value, and specifying the purpose of the new value.
+ * When you get the new DLT_ value, use that numerical value in
+ * the "dlt_value" field of "pcap_to_wtap_map[]".
+ */
+
+ /*
+ * The following are entries for libpcap type values that have
+ * different meanings on different OSes.
+ *
+ * We put these *after* the entries for the platform-independent
+ * libpcap type values for those Wiretap encapsulation types, so
+ * that Ethereal chooses the platform-independent libpcap type
+ * value for those encapsulatioin types, not the platform-dependent
+ * one.
+ */
+
/*
* 11 is DLT_ATM_RFC1483 on most platforms; the only libpcaps I've
* seen that define anything other than DLT_ATM_RFC1483 as 11 are
* them correctly).
*/
#if defined(DLT_FR) && (DLT_FR == 11)
- /* Put entry for Frame Relay here */
+ { 11, WTAP_ENCAP_FRELAY },
#else
{ 11, WTAP_ENCAP_ATM_RFC1483 },
#endif
#if defined(DLT_LOOP) && (DLT_LOOP == 12)
{ 12, WTAP_ENCAP_NULL },
#elif defined(DLT_C_HDLC) && (DLT_C_HDLC == 12)
- /* Put entry for Cisco HDLC here */
+ /*
+ * Put entry for Cisco HDLC here.
+ * XXX - is this just WTAP_ENCAP_CHDLC, i.e. does the frame
+ * start with a 4-byte Cisco HDLC header?
+ */
#else
{ 12, WTAP_ENCAP_RAW_IP },
#endif
#if defined(DLT_ATM_RFC1483) && (DLT_ATM_RFC1483 == 13)
{ 13, WTAP_ENCAP_ATM_RFC1483 },
#elif defined(DLT_ENC) && (DLT_ENC == 13)
- /* Put entry for DLT_ENC here */
+ { 13, WTAP_ENCAP_ENC },
#endif
/*
{ 16, WTAP_ENCAP_LINUX_ATM_CLIP },
#endif
#if defined(DLT_HDLC) && (DLT_HDLC == 16)
- { 16, WTAP_ENCAP_PPP },
+ { 16, WTAP_ENCAP_CHDLC },
#endif
/*
* 17 is DLT_LANE8023 in SuSE 6.3 libpcap; we don't currently
* handle it.
+ * It is also used as the PF (Packet Filter) logging format beginning
+ * with OpenBSD 3.0; we use 17 for PF logs unless DLT_LANE8023 is
+ * defined with the value 17.
*/
+#if !defined(DLT_LANE8023) || (DLT_LANE8023 != 17)
+ { 17, WTAP_ENCAP_OLD_PFLOG },
+#endif
/*
* 18 is DLT_CIP in SuSE 6.3 libpcap; if it's the same as the
{ 19, WTAP_ENCAP_LINUX_ATM_CLIP },
/*
- * 50 is DLT_PPP_SERIAL in NetBSD; it appears that DLT_PPP
- * on BSD (at least according to standard tcpdump) has, as
- * the first octet, an indication of whether the packet was
- * transmitted or received (rather than having the standard
- * PPP address value of 0xff), but that DLT_PPP_SERIAL puts
- * a real live PPP header there, or perhaps a Cisco PPP header
- * as per section 4.3.1 of RFC 1547 (implementations of this
- * exist in various BSDs in "sys/net/if_spppsubr.c", and
- * I think also exist either in standard Linux or in
- * various Linux patches; the implementations show how to handle
- * Cisco keepalive packets).
- *
- * However, I don't see any obvious place in FreeBSD "if_ppp.c"
- * where anything other than the standard PPP header would be
- * passed up. I see some stuff that sets the first octet
- * to 0 for incoming and 1 for outgoing packets before applying
- * a BPF filter to see whether to drop packets whose protocol
- * field has the 0x8000 bit set, i.e. network control protocols -
- * those are handed up to userland - but that code puts the
- * address field back before passing the packet up.
- *
- * I also don't see anything immediately obvious that munges
- * the address field for sync PPP, either.
- *
- * Ethereal currently assumes that if the first octet of a
- * PPP frame is 0xFF, it's the address field and is followed
- * by a control field and a 2-byte protocol, otherwise the
- * address and control fields are absent and the frame begins
- * with a protocol field. If we ever see a BSD/OS PPP
- * capture, we'll have to handle it differently, and we may
- * have to handle standard BSD captures differently if, in fact,
- * they don't have 0xff 0x03 as the first two bytes - but, as per
- * the two paragraphs preceding this, it's not clear that
- * the address field *is* munged into an incoming/outgoing
- * field when the packet is handed to the BPF device.
+ * To repeat:
*
- * For now, we just map DLT_PPP_SERIAL to WTAP_ENCAP_PPP, as
- * we treat WTAP_ENCAP_PPP packets as if those beginning with
- * 0xff have the standard RFC 1662 "PPP in HDLC-like Framing"
- * 0xff 0x03 address/control header, and DLT_PPP_SERIAL frames
- * appear to contain that unless they're Cisco frames (if we
- * ever see a capture with them, we'd need to implement the
- * RFC 1547 stuff, and the keepalive protocol stuff).
+ * If you need a new encapsulation type for libpcap files, do
+ * *N*O*T* use *ANY* of the values listed here! I.e., do *NOT*
+ * add a new encapsulation type by changing an existing entry;
+ * leave the existing entries alone.
*
- * We may have to distinguish between "PPP where if it doesn't
- * begin with 0xff there's no HDLC encapsulation and the frame
- * begins with the protocol field" (which is how we handle
- * WTAP_ENCAP_PPP now) and "PPP where there's either HDLC
- * encapsulation or Cisco PPP" (which is what DLT_PPP_SERIAL
- * is) at some point.
+ * Instead, send mail to tcpdump-workers@tcpdump.org, asking for
+ * a new DLT_ value, and specifying the purpose of the new value.
+ * When you get the new DLT_ value, use that numerical value in
+ * the "dlt_value" field of "pcap_to_wtap_map[]".
*/
- { 50, WTAP_ENCAP_PPP },
- /*
- * These are the values that libpcap 0.5 uses, in an attempt
- * to work around the confusion decried above, and that Wiretap
- * and Ethereal currently support.
- *
- * The next version of libpcap will probably not use them as
- * DLT_ values in its API, but will probably use them in capture
- * file headers.
- */
- { 100, WTAP_ENCAP_ATM_RFC1483 },
- { 101, WTAP_ENCAP_RAW_IP },
-#if 0
- /*
- * More values used by libpcap 0.5 as DLT_ values and used by the
- * current CVS version of libpcap in capture file headers.
- * They are not yet handled in Ethereal.
- * If we get a capture that contains them, we'll implement them.
- */
- { 102, WTAP_ENCAP_SLIP_BSDOS },
- { 103, WTAP_ENCAP_PPP_BSDOS },
-#endif
+};
+#define NUM_PCAP_ENCAPS (sizeof pcap_to_wtap_map / sizeof pcap_to_wtap_map[0])
- /*
- * These ones are handled in Ethereal, though.
- * (We currently handle Cisco HDLC like PPP; the PPP dissector
- * distinguishes between HDLC-encapsulated PPP and Cisco HDLC
- * by looking at the address field.)
- */
- { 104, WTAP_ENCAP_PPP }, /* Cisco HDLC */
- { 106, WTAP_ENCAP_LINUX_ATM_CLIP },
+int wtap_pcap_encap_to_wtap_encap(int encap)
+{
+ unsigned int i;
- /*
- * Values not yet used by the current CVS version of libpcap,
- * but reserved for future use; the IEEE 802.11 value is
- * there for use with a capture program from Axis Communications.
- */
- { 105, WTAP_ENCAP_IEEE_802_11 },
-#if 0
- /*
- * Not yet handled in Ethereal; we don't know what encapsulation
- * BSD/OS uses, so we don't know whether it can be handed to
- * the Frame Relay dissector or not.
- */
- { 107, WTAP_ENCAP_FR }, /* Frame Relay */
-#endif
- { 108, WTAP_ENCAP_NULL }, /* OpenBSD loopback */
-#if 0
- { 109, WTAP_ENCAP_ENC }, /* OpenBSD IPSEC enc */
- { 110, WTAP_ENCAP_LANE_802_3 },/* ATM LANE 802.3 */
- { 111, WTAP_ENCAP_HIPPI }, /* NetBSD HIPPI */
- { 112, WTAP_ENCAP_HDLC }, /* NetBSD HDLC framing */
-#endif
+ for (i = 0; i < NUM_PCAP_ENCAPS; i++) {
+ if (pcap_to_wtap_map[i].dlt_value == encap)
+ return pcap_to_wtap_map[i].wtap_encap_value;
+ }
+ return WTAP_ENCAP_UNKNOWN;
+}
- /*
- * Linux "cooked mode" captures, used by the current CVS version
- * of libpcap.
- */
- { 113, WTAP_ENCAP_SLL }, /* Linux cooked capture */
-};
-#define NUM_PCAP_ENCAPS (sizeof pcap_to_wtap_map / sizeof pcap_to_wtap_map[0])
-int libpcap_open(wtap *wth, int *err)
+int libpcap_open(wtap *wth, int *err, gchar **err_info)
{
int bytes_read;
guint32 magic;
struct pcap_hdr hdr;
gboolean byte_swapped;
gboolean modified;
+ gboolean aix;
int file_encap;
/* Read in the number that should be at the start of a "libpcap" file */
}
if (hdr.version_major < 2) {
/* We only support version 2.0 and later. */
- g_message("pcap: major version %u unsupported",
- hdr.version_major);
*err = WTAP_ERR_UNSUPPORTED;
- return -1;
- }
- file_encap = wtap_pcap_encap_to_wtap_encap(hdr.network);
- if (file_encap == WTAP_ENCAP_UNKNOWN) {
- g_message("pcap: network type %u unknown or unsupported",
- hdr.network);
- *err = WTAP_ERR_UNSUPPORTED_ENCAP;
+ *err_info = g_strdup_printf("pcap: major version %u unsupported",
+ hdr.version_major);
return -1;
}
- /* This is a libpcap file */
- wth->capture.pcap = g_malloc(sizeof(libpcap_t));
- wth->capture.pcap->byte_swapped = byte_swapped;
- wth->capture.pcap->version_major = hdr.version_major;
- wth->capture.pcap->version_minor = hdr.version_minor;
+ /*
+ * AIX's non-standard tcpdump uses a minor version number of 2.
+ * Unfortunately, older versions of libpcap might have used
+ * that as well.
+ *
+ * The AIX libpcap uses RFC 1573 ifType values rather than
+ * DLT_ values in the header; the ifType values for LAN devices
+ * are:
+ *
+ * Ethernet 6
+ * Token Ring 9
+ * FDDI 15
+ *
+ * which correspond to DLT_IEEE802 (used for Token Ring),
+ * DLT_PPP, and DLT_SLIP_BSDOS, respectively. The ifType value
+ * for a loopback interface is 24, which currently isn't
+ * used by any version of libpcap I know about (and, as
+ * tcpdump.org are assigning DLT_ values above 100, and
+ * NetBSD started assigning values starting at 50, and
+ * the values chosen by other libpcaps appear to stop at
+ * 19, it's probably not going to be used by any libpcap
+ * in the future).
+ *
+ * We shall assume that if the minor version number is 2, and
+ * the network type is 6, 9, 15, or 24, that it's AIX libpcap.
+ *
+ * I'm assuming those older versions of libpcap didn't
+ * use DLT_IEEE802 for Token Ring, and didn't use DLT_SLIP_BSDOS
+ * as that came later. It may have used DLT_PPP, however, in
+ * which case we're out of luck; we assume it's Token Ring
+ * in AIX libpcap rather than PPP in standard libpcap, as
+ * you're probably more likely to be handing an AIX libpcap
+ * token-ring capture than an old (pre-libpcap 0.4) PPP capture
+ * to Ethereal.
+ */
+ aix = FALSE; /* assume it's not AIX */
+ if (hdr.version_major == 2 && hdr.version_minor == 2) {
+ switch (hdr.network) {
+
+ case 6:
+ hdr.network = 1; /* DLT_EN10MB, Ethernet */
+ aix = TRUE;
+ break;
+
+ case 9:
+ hdr.network = 6; /* DLT_IEEE802, Token Ring */
+ aix = TRUE;
+ break;
+
+ case 15:
+ hdr.network = 10; /* DLT_FDDI, FDDI */
+ aix = TRUE;
+ break;
+
+ case 24:
+ hdr.network = 0; /* DLT_NULL, loopback */
+ aix = TRUE;
+ break;
+ }
+ }
+
+ /*
+ * We treat a DLT_ value of 13 specially - it appears that in
+ * Nokia libpcap format, it's some form of ATM with what I
+ * suspect is a pseudo-header (even though Nokia's IPSO is
+ * based on FreeBSD, which #defines DLT_SLIP_BSDOS as 13).
+ *
+ * We don't yet know whether this is a Nokia capture, so if
+ * "wtap_pcap_encap_to_wtap_encap()" returned WTAP_ENCAP_UNKNOWN
+ * but "hdr.network" is 13, we don't treat that as an error yet.
+ */
+ file_encap = wtap_pcap_encap_to_wtap_encap(hdr.network);
+ if (file_encap == WTAP_ENCAP_UNKNOWN && hdr.network != 13) {
+ *err = WTAP_ERR_UNSUPPORTED_ENCAP;
+ *err_info = g_strdup_printf("pcap: network type %u unknown or unsupported",
+ hdr.network);
+ return -1;
+ }
+
+ /* This is a libpcap file */
+ wth->capture.pcap = g_malloc(sizeof(libpcap_t));
+ wth->capture.pcap->byte_swapped = byte_swapped;
+ wth->capture.pcap->version_major = hdr.version_major;
+ wth->capture.pcap->version_minor = hdr.version_minor;
wth->subtype_read = libpcap_read;
- wth->subtype_seek_read = wtap_def_seek_read;
+ wth->subtype_seek_read = libpcap_seek_read;
wth->subtype_close = libpcap_close;
wth->file_encap = file_encap;
wth->snapshot_length = hdr.snaplen;
+ /* In file format version 2.3, the order of the "incl_len" and
+ "orig_len" fields in the per-packet header was reversed,
+ in order to match the BPF header layout.
+
+ Therefore, in files with versions prior to that, we must swap
+ those two fields.
+
+ Unfortunately, some files were, according to a comment in the
+ "libpcap" source, written with version 2.3 in their headers
+ but without the interchanged fields, so if "incl_len" is
+ greater than "orig_len" - which would make no sense - we
+ assume that we need to swap them in version 2.3 files
+ as well.
+
+ In addition, DG/UX's tcpdump uses version 543.0, and writes
+ the two fields in the pre-2.3 order. */
+ switch (hdr.version_major) {
+
+ case 2:
+ if (hdr.version_minor < 3)
+ wth->capture.pcap->lengths_swapped = SWAPPED;
+ else if (hdr.version_minor == 3)
+ wth->capture.pcap->lengths_swapped = MAYBE_SWAPPED;
+ else
+ wth->capture.pcap->lengths_swapped = NOT_SWAPPED;
+ break;
+
+ case 543:
+ wth->capture.pcap->lengths_swapped = SWAPPED;
+ break;
+
+ default:
+ wth->capture.pcap->lengths_swapped = NOT_SWAPPED;
+ break;
+ }
+
/*
- * Yes. Let's look at the header for the first record,
+ * Is this AIX format?
+ */
+ if (aix) {
+ /*
+ * Yes. Skip all the tests for other mutant formats.
+ */
+ wth->file_type = WTAP_FILE_PCAP_AIX;
+ return 1;
+ }
+
+ /*
+ * No. Let's look at the header for the first record,
* and see if, interpreting it as a standard header (if the
* magic number was standard) or a modified header (if the
* magic number was modified), the position where it says the
* Well, we couldn't even read it.
* Give up.
*/
+ g_free(wth->capture.pcap);
return -1;
case THIS_FORMAT:
* Well, it looks as if it might be 991029.
* Put the seek pointer back, and return success.
*/
- file_seek(wth->fh, wth->data_offset, SEEK_SET);
+ if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
+ g_free(wth->capture.pcap);
+ return -1;
+ }
return 1;
case OTHER_FORMAT:
* it as 990915.
*/
wth->file_type = WTAP_FILE_PCAP_SS990915;
- file_seek(wth->fh, wth->data_offset, SEEK_SET);
+ if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
+ g_free(wth->capture.pcap);
+ return -1;
+ }
} else {
/*
* Well, we have the standard magic number.
* Well, we couldn't even read it.
* Give up.
*/
+ g_free(wth->capture.pcap);
return -1;
case THIS_FORMAT:
* libpcap file.
* Put the seek pointer back, and return success.
*/
- file_seek(wth->fh, wth->data_offset, SEEK_SET);
+ if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
+ g_free(wth->capture.pcap);
+ return -1;
+ }
return 1;
case OTHER_FORMAT:
* ss990417.
*/
wth->file_type = WTAP_FILE_PCAP_SS990417;
- file_seek(wth->fh, wth->data_offset, SEEK_SET);
+ if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
+ g_free(wth->capture.pcap);
+ return -1;
+ }
switch (libpcap_try(wth, err)) {
case BAD_READ:
* Well, we couldn't even read it.
* Give up.
*/
+ g_free(wth->capture.pcap);
return -1;
case THIS_FORMAT:
* Well, it looks as if it might be ss990417.
* Put the seek pointer back, and return success.
*/
- file_seek(wth->fh, wth->data_offset, SEEK_SET);
+ if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
+ g_free(wth->capture.pcap);
+ return -1;
+ }
return 1;
case OTHER_FORMAT:
* and treat it as a Nokia file.
*/
wth->file_type = WTAP_FILE_PCAP_NOKIA;
- file_seek(wth->fh, wth->data_offset, SEEK_SET);
+ if (file_seek(wth->fh, wth->data_offset, SEEK_SET, err) == -1) {
+ g_free(wth->capture.pcap);
+ return -1;
+ }
+ }
+
+ if (hdr.network == 13) {
+ /*
+ * OK, if this was a Nokia capture, make it
+ * WTAP_ENCAP_ATM_PDUS, otherwise return
+ * an error.
+ */
+ if (wth->file_type == WTAP_FILE_PCAP_NOKIA)
+ wth->file_encap = WTAP_ENCAP_ATM_PDUS;
+ else {
+ *err = WTAP_ERR_UNSUPPORTED_ENCAP;
+ *err_info = g_strdup_printf("pcap: network type %u unknown or unsupported",
+ hdr.network);
+ return -1;
+ }
}
return 1;
/*
* Attempt to read the first record's header.
*/
- if (libpcap_read_header(wth, err, &first_rec_hdr, TRUE) == -1) {
+ if (libpcap_read_header(wth, err, NULL, &first_rec_hdr) == -1) {
if (*err == 0 || *err == WTAP_ERR_SHORT_READ) {
/*
* EOF or short read - assume the file is in this
* Now skip over the first record's data, under the assumption
* that the header is sane.
*/
- file_seek(wth->fh, first_rec_hdr.hdr.incl_len, SEEK_CUR);
+ if (file_seek(wth->fh, first_rec_hdr.hdr.incl_len, SEEK_CUR, err) == -1)
+ return BAD_READ;
/*
* Now attempt to read the second record's header.
*/
- if (libpcap_read_header(wth, err, &second_rec_hdr, TRUE) == -1) {
+ if (libpcap_read_header(wth, err, NULL, &second_rec_hdr) == -1) {
if (*err == 0 || *err == WTAP_ERR_SHORT_READ) {
/*
* EOF or short read - assume the file is in this
}
/* Read the next packet */
-static gboolean libpcap_read(wtap *wth, int *err, int *data_offset)
+static gboolean libpcap_read(wtap *wth, int *err, gchar **err_info,
+ long *data_offset)
{
struct pcaprec_ss990915_hdr hdr;
guint packet_size;
+ guint orig_size;
int bytes_read;
+ guchar fddi_padding[3];
- bytes_read = libpcap_read_header(wth, err, &hdr, FALSE);
+ bytes_read = libpcap_read_header(wth, err, err_info, &hdr);
if (bytes_read == -1) {
/*
* We failed to read the header.
wth->data_offset += bytes_read;
packet_size = hdr.hdr.incl_len;
+ orig_size = hdr.hdr.orig_len;
+
+ /*
+ * AIX appears to put 3 bytes of padding in front of FDDI
+ * frames; strip that crap off.
+ */
+ if (wth->file_type == WTAP_FILE_PCAP_AIX &&
+ (wth->file_encap == WTAP_ENCAP_FDDI ||
+ wth->file_encap == WTAP_ENCAP_FDDI_BITSWAPPED)) {
+ /*
+ * The packet size is really a record size and includes
+ * the padding.
+ */
+ packet_size -= 3;
+ orig_size -= 3;
+ wth->data_offset += 3;
+
+ /*
+ * Read the padding.
+ */
+ if (!libpcap_read_rec_data(wth->fh, fddi_padding, 3, err))
+ return FALSE; /* Read error */
+ }
- buffer_assure_space(wth->frame_buffer, packet_size);
*data_offset = wth->data_offset;
- errno = WTAP_ERR_CANT_READ;
- bytes_read = file_read(buffer_start_ptr(wth->frame_buffer), 1,
- packet_size, wth->fh);
- if (bytes_read != packet_size) {
- *err = file_error(wth->fh);
- if (*err == 0)
- *err = WTAP_ERR_SHORT_READ;
- return FALSE;
+ /*
+ * If this is an ATM packet, the first four bytes are the
+ * direction of the packet (transmit/receive), the VPI, and
+ * the VCI; read them and generate the pseudo-header from
+ * them.
+ */
+ switch (wth->file_encap) {
+
+ case WTAP_ENCAP_ATM_PDUS:
+ if (wth->file_type == WTAP_FILE_PCAP_NOKIA) {
+ /*
+ * Nokia IPSO ATM.
+ */
+ if (packet_size < sizeof (struct nokiaatm_hdr)) {
+ /*
+ * Uh-oh, the packet isn't big enough to even
+ * have a pseudo-header.
+ */
+ *err = WTAP_ERR_BAD_RECORD;
+ *err_info = g_strdup_printf("libpcap: Nokia IPSO ATM file has a %u-byte packet, too small to have even an ATM pseudo-header\n",
+ packet_size);
+ return FALSE;
+ }
+ if (!libpcap_read_nokiaatm_pseudoheader(wth->fh,
+ &wth->pseudo_header, err))
+ return FALSE; /* Read error */
+
+ /*
+ * Don't count the pseudo-header as part of the
+ * packet.
+ */
+ orig_size -= sizeof (struct nokiaatm_hdr);
+ packet_size -= sizeof (struct nokiaatm_hdr);
+ wth->data_offset += sizeof (struct nokiaatm_hdr);
+ } else {
+ /*
+ * SunATM.
+ */
+ if (packet_size < sizeof (struct sunatm_hdr)) {
+ /*
+ * Uh-oh, the packet isn't big enough to even
+ * have a pseudo-header.
+ */
+ *err = WTAP_ERR_BAD_RECORD;
+ *err_info = g_strdup_printf("libpcap: SunATM file has a %u-byte packet, too small to have even an ATM pseudo-header\n",
+ packet_size);
+ return FALSE;
+ }
+ if (!libpcap_read_sunatm_pseudoheader(wth->fh,
+ &wth->pseudo_header, err))
+ return FALSE; /* Read error */
+
+ /*
+ * Don't count the pseudo-header as part of the
+ * packet.
+ */
+ orig_size -= sizeof (struct sunatm_hdr);
+ packet_size -= sizeof (struct sunatm_hdr);
+ wth->data_offset += sizeof (struct sunatm_hdr);
+ }
+ break;
+
+ case WTAP_ENCAP_ETHERNET:
+ /*
+ * We don't know whether there's an FCS in this frame or not.
+ */
+ wth->pseudo_header.eth.fcs_len = -1;
+ break;
+
+ case WTAP_ENCAP_IEEE_802_11:
+ case WTAP_ENCAP_PRISM_HEADER:
+ case WTAP_ENCAP_IEEE_802_11_WLAN_BSD:
+ case WTAP_ENCAP_IEEE_802_11_WLAN_AVS:
+ /*
+ * We don't know whether there's an FCS in this frame or not.
+ * XXX - are there any OSes where the capture mechanism
+ * supplies an FCS?
+ */
+ wth->pseudo_header.ieee_802_11.fcs_len = -1;
+ break;
+
+ case WTAP_ENCAP_IRDA:
+ if (packet_size < sizeof (struct irda_sll_hdr)) {
+ /*
+ * Uh-oh, the packet isn't big enough to even
+ * have a pseudo-header.
+ */
+ *err = WTAP_ERR_BAD_RECORD;
+ *err_info = g_strdup_printf("libpcap: IrDA file has a %u-byte packet, too small to have even an IrDA pseudo-header\n",
+ packet_size);
+ return FALSE;
+ }
+ if (!libpcap_read_irda_pseudoheader(wth->fh, &wth->pseudo_header,
+ err, err_info))
+ return FALSE; /* Read error */
+
+ /*
+ * Don't count the pseudo-header as part of the packet.
+ */
+ orig_size -= sizeof (struct irda_sll_hdr);
+ packet_size -= sizeof (struct irda_sll_hdr);
+ wth->data_offset += sizeof (struct irda_sll_hdr);
+ break;
}
+
+ buffer_assure_space(wth->frame_buffer, packet_size);
+ if (!libpcap_read_rec_data(wth->fh, buffer_start_ptr(wth->frame_buffer),
+ packet_size, err))
+ return FALSE; /* Read error */
wth->data_offset += packet_size;
wth->phdr.ts.tv_sec = hdr.hdr.ts_sec;
wth->phdr.ts.tv_usec = hdr.hdr.ts_usec;
wth->phdr.caplen = packet_size;
- wth->phdr.len = hdr.hdr.orig_len;
- wth->phdr.pkt_encap = wth->file_encap;
+ wth->phdr.len = orig_size;
+
+ if (wth->file_encap == WTAP_ENCAP_ATM_PDUS) {
+ if (wth->file_type == WTAP_FILE_PCAP_NOKIA) {
+ /*
+ * Nokia IPSO ATM.
+ *
+ * Guess the traffic type based on the packet
+ * contents.
+ */
+ atm_guess_traffic_type(buffer_start_ptr(wth->frame_buffer),
+ wth->phdr.caplen, &wth->pseudo_header);
+ } else {
+ /*
+ * SunATM.
+ *
+ * If this is ATM LANE traffic, try to guess what
+ * type of LANE traffic it is based on the packet
+ * contents.
+ */
+ if (wth->pseudo_header.atm.type == TRAF_LANE) {
+ atm_guess_lane_type(buffer_start_ptr(wth->frame_buffer),
+ wth->phdr.caplen, &wth->pseudo_header);
+ }
+ }
+ }
return TRUE;
}
-/* Read the header of the next packet; if "silent" is TRUE, don't complain
- to the console, as we're testing to see if the file appears to be of a
- particular type.
+static gboolean
+libpcap_seek_read(wtap *wth, long seek_off,
+ union wtap_pseudo_header *pseudo_header, guchar *pd, int length,
+ int *err, gchar **err_info)
+{
+ if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
+ return FALSE;
+
+ switch (wth->file_encap) {
+
+ case WTAP_ENCAP_ATM_PDUS:
+ if (wth->file_type == WTAP_FILE_PCAP_NOKIA) {
+ /*
+ * Nokia IPSO ATM.
+ */
+ if (!libpcap_read_nokiaatm_pseudoheader(wth->random_fh,
+ pseudo_header, err)) {
+ /* Read error */
+ return FALSE;
+ }
+ } else {
+ /*
+ * SunATM.
+ */
+ if (!libpcap_read_sunatm_pseudoheader(wth->random_fh,
+ pseudo_header, err)) {
+ /* Read error */
+ return FALSE;
+ }
+ }
+ break;
+
+ case WTAP_ENCAP_ETHERNET:
+ /*
+ * We don't know whether there's an FCS in this frame or not.
+ */
+ pseudo_header->eth.fcs_len = -1;
+ break;
+
+ case WTAP_ENCAP_IEEE_802_11:
+ case WTAP_ENCAP_PRISM_HEADER:
+ case WTAP_ENCAP_IEEE_802_11_WLAN_BSD:
+ case WTAP_ENCAP_IEEE_802_11_WLAN_AVS:
+ /*
+ * We don't know whether there's an FCS in this frame or not.
+ * XXX - are there any OSes where the capture mechanism
+ * supplies an FCS?
+ */
+ pseudo_header->ieee_802_11.fcs_len = -1;
+ break;
+
+ case WTAP_ENCAP_IRDA:
+ if (!libpcap_read_irda_pseudoheader(wth->random_fh, pseudo_header,
+ err, err_info)) {
+ /* Read error */
+ return FALSE;
+ }
+ break;
+ }
+
+ /*
+ * Read the packet data.
+ */
+ if (!libpcap_read_rec_data(wth->random_fh, pd, length, err))
+ return FALSE; /* failed */
+
+ if (wth->file_encap == WTAP_ENCAP_ATM_PDUS) {
+ if (wth->file_type == WTAP_FILE_PCAP_NOKIA) {
+ /*
+ * Nokia IPSO ATM.
+ *
+ * Guess the traffic type based on the packet
+ * contents.
+ */
+ atm_guess_traffic_type(pd, length, pseudo_header);
+ } else {
+ /*
+ * SunATM.
+ *
+ * If this is ATM LANE traffic, try to guess what
+ * type of LANE traffic it is based on the packet
+ * contents.
+ */
+ if (pseudo_header->atm.type == TRAF_LANE)
+ atm_guess_lane_type(pd, length, pseudo_header);
+ }
+ }
+ return TRUE;
+}
+
+/* Read the header of the next packet.
Return -1 on an error, or the number of bytes of header read on success. */
-static int libpcap_read_header(wtap *wth, int *err,
- struct pcaprec_ss990915_hdr *hdr, gboolean silent)
+static int libpcap_read_header(wtap *wth, int *err, gchar **err_info,
+ struct pcaprec_ss990915_hdr *hdr)
{
int bytes_to_read, bytes_read;
switch (wth->file_type) {
case WTAP_FILE_PCAP:
+ case WTAP_FILE_PCAP_AIX:
bytes_to_read = sizeof (struct pcaprec_hdr);
break;
* this is can tell when it's not the type we're guessing
* it is.
*/
- if (!silent) {
- g_message("pcap: File has %u-byte packet, bigger than maximum of %u",
+ *err = WTAP_ERR_BAD_RECORD;
+ if (err_info != NULL) {
+ *err_info = g_strdup_printf("pcap: File has %u-byte packet, bigger than maximum of %u",
hdr->hdr.incl_len, WTAP_MAX_PACKET_SIZE);
}
- *err = WTAP_ERR_BAD_RECORD;
return -1;
}
* this is can tell when it's not the type we're guessing
* it is.
*/
- if (!silent) {
- g_message("pcap: File has %u-byte packet, bigger than maximum of %u",
+ *err = WTAP_ERR_BAD_RECORD;
+ if (err_info != NULL) {
+ *err_info = g_strdup_printf("pcap: File has %u-byte packet, bigger than maximum of %u",
hdr->hdr.orig_len, WTAP_MAX_PACKET_SIZE);
}
- *err = WTAP_ERR_BAD_RECORD;
return -1;
}
static void
adjust_header(wtap *wth, struct pcaprec_hdr *hdr)
{
+ guint32 temp;
+
if (wth->capture.pcap->byte_swapped) {
/* Byte-swap the record header fields. */
hdr->ts_sec = BSWAP32(hdr->ts_sec);
hdr->orig_len = BSWAP32(hdr->orig_len);
}
- /* In file format version 2.3, the "incl_len" and "orig_len" fields
- were swapped, in order to match the BPF header layout.
+ /* If this is AIX, convert the time stamp from seconds/nanoseconds
+ to seconds/microseconds. */
+ if (wth->file_type == WTAP_FILE_PCAP_AIX)
+ hdr->ts_usec = hdr->ts_usec/1000;
- Unfortunately, some files were, according to a comment in the
- "libpcap" source, written with version 2.3 in their headers
- but without the interchanged fields, so if "incl_len" is
- greater than "orig_len" - which would make no sense - we
- assume that we need to swap them. */
- if (wth->capture.pcap->version_major == 2 &&
- (wth->capture.pcap->version_minor < 3 ||
- (wth->capture.pcap->version_minor == 3 &&
- hdr->incl_len > hdr->orig_len))) {
- guint32 temp;
+ /* Swap the "incl_len" and "orig_len" fields, if necessary. */
+ switch (wth->capture.pcap->lengths_swapped) {
+
+ case NOT_SWAPPED:
+ break;
+ case MAYBE_SWAPPED:
+ if (hdr->incl_len <= hdr->orig_len) {
+ /*
+ * The captured length is <= the actual length,
+ * so presumably they weren't swapped.
+ */
+ break;
+ }
+ /* FALLTHROUGH */
+
+ case SWAPPED:
temp = hdr->orig_len;
hdr->orig_len = hdr->incl_len;
hdr->incl_len = temp;
+ break;
}
}
static void
-libpcap_close(wtap *wth)
+libpcap_get_sunatm_pseudoheader(const struct sunatm_hdr *atm_phdr,
+ union wtap_pseudo_header *pseudo_header)
{
- g_free(wth->capture.pcap);
+ guint8 vpi;
+ guint16 vci;
+
+ vpi = atm_phdr->vpi;
+ vci = pntohs(&atm_phdr->vci);
+
+ switch (atm_phdr->flags & 0x0F) {
+
+ case 0x01: /* LANE */
+ pseudo_header->atm.aal = AAL_5;
+ pseudo_header->atm.type = TRAF_LANE;
+ break;
+
+ case 0x02: /* RFC 1483 LLC multiplexed traffic */
+ pseudo_header->atm.aal = AAL_5;
+ pseudo_header->atm.type = TRAF_LLCMX;
+ break;
+
+ case 0x05: /* ILMI */
+ pseudo_header->atm.aal = AAL_5;
+ pseudo_header->atm.type = TRAF_ILMI;
+ break;
+
+ case 0x06: /* Q.2931 */
+ pseudo_header->atm.aal = AAL_SIGNALLING;
+ pseudo_header->atm.type = TRAF_UNKNOWN;
+ break;
+
+ case 0x03: /* MARS (RFC 2022) */
+ pseudo_header->atm.aal = AAL_5;
+ pseudo_header->atm.type = TRAF_UNKNOWN;
+ break;
+
+ case 0x04: /* IFMP (Ipsilon Flow Management Protocol; see RFC 1954) */
+ pseudo_header->atm.aal = AAL_5;
+ pseudo_header->atm.type = TRAF_UNKNOWN; /* XXX - TRAF_IPSILON? */
+ break;
+
+ default:
+ /*
+ * Assume it's AAL5, unless it's VPI 0 and VCI 5, in which
+ * case assume it's AAL_SIGNALLING; we know nothing more
+ * about it.
+ *
+ * XXX - is this necessary? Or are we guaranteed that
+ * all signalling traffic has a type of 0x06?
+ *
+ * XXX - is this guaranteed to be AAL5? Or, if the type is
+ * 0x00 ("raw"), might it be non-AAL5 traffic?
+ */
+ if (vpi == 0 && vci == 5)
+ pseudo_header->atm.aal = AAL_SIGNALLING;
+ else
+ pseudo_header->atm.aal = AAL_5;
+ pseudo_header->atm.type = TRAF_UNKNOWN;
+ break;
+ }
+ pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
+
+ pseudo_header->atm.vpi = vpi;
+ pseudo_header->atm.vci = vci;
+ pseudo_header->atm.channel = (atm_phdr->flags & 0x80) ? 0 : 1;
+
+ /* We don't have this information */
+ pseudo_header->atm.flags = 0;
+ pseudo_header->atm.cells = 0;
+ pseudo_header->atm.aal5t_u2u = 0;
+ pseudo_header->atm.aal5t_len = 0;
+ pseudo_header->atm.aal5t_chksum = 0;
}
-int wtap_pcap_encap_to_wtap_encap(int encap)
+static gboolean
+libpcap_read_sunatm_pseudoheader(FILE_T fh,
+ union wtap_pseudo_header *pseudo_header, int *err)
{
- int i;
+ struct sunatm_hdr atm_phdr;
+ int bytes_read;
- for (i = 0; i < NUM_PCAP_ENCAPS; i++) {
- if (pcap_to_wtap_map[i].dlt_value == encap)
- return pcap_to_wtap_map[i].wtap_encap_value;
+ errno = WTAP_ERR_CANT_READ;
+ bytes_read = file_read(&atm_phdr, 1, sizeof (struct sunatm_hdr), fh);
+ if (bytes_read != sizeof (struct sunatm_hdr)) {
+ *err = file_error(fh);
+ if (*err == 0)
+ *err = WTAP_ERR_SHORT_READ;
+ return FALSE;
}
- return WTAP_ENCAP_UNKNOWN;
+
+ libpcap_get_sunatm_pseudoheader(&atm_phdr, pseudo_header);
+
+ return TRUE;
+}
+
+static gboolean
+libpcap_read_nokiaatm_pseudoheader(FILE_T fh,
+ union wtap_pseudo_header *pseudo_header, int *err)
+{
+ struct nokiaatm_hdr atm_phdr;
+ int bytes_read;
+ guint8 vpi;
+ guint16 vci;
+
+ errno = WTAP_ERR_CANT_READ;
+ bytes_read = file_read(&atm_phdr, 1, sizeof (struct nokiaatm_hdr), fh);
+ if (bytes_read != sizeof (struct nokiaatm_hdr)) {
+ *err = file_error(fh);
+ if (*err == 0)
+ *err = WTAP_ERR_SHORT_READ;
+ return FALSE;
+ }
+
+ vpi = atm_phdr.vpi;
+ vci = pntohs(&atm_phdr.vci);
+
+ pseudo_header->atm.vpi = vpi;
+ pseudo_header->atm.vci = vci;
+ pseudo_header->atm.channel = (atm_phdr.flags & 0x80) ? 0 : 1;
+
+ /* We don't have this information */
+ pseudo_header->atm.flags = 0;
+ pseudo_header->atm.cells = 0;
+ pseudo_header->atm.aal5t_u2u = 0;
+ pseudo_header->atm.aal5t_len = 0;
+ pseudo_header->atm.aal5t_chksum = 0;
+
+ return TRUE;
+}
+
+static gboolean
+libpcap_get_irda_pseudoheader(const struct irda_sll_hdr *irda_phdr,
+ union wtap_pseudo_header *pseudo_header, int *err, gchar **err_info)
+{
+ if (pntohs(&irda_phdr->sll_protocol) != 0x0017) {
+ *err = WTAP_ERR_BAD_RECORD;
+ if (err_info != NULL)
+ *err_info = g_strdup("libpcap: IrDA capture has a packet with an invalid sll_protocol field\n");
+ return FALSE;
+ }
+
+ pseudo_header->irda.pkttype = pntohs(&irda_phdr->sll_pkttype);
+
+ return TRUE;
+}
+
+static gboolean
+libpcap_read_irda_pseudoheader(FILE_T fh, union wtap_pseudo_header *pseudo_header,
+ int *err, gchar **err_info)
+{
+ struct irda_sll_hdr irda_phdr;
+ int bytes_read;
+
+ errno = WTAP_ERR_CANT_READ;
+ bytes_read = file_read(&irda_phdr, 1, sizeof (struct irda_sll_hdr), fh);
+ if (bytes_read != sizeof (struct irda_sll_hdr)) {
+ *err = file_error(fh);
+ if (*err == 0)
+ *err = WTAP_ERR_SHORT_READ;
+ return FALSE;
+ }
+
+ return libpcap_get_irda_pseudoheader(&irda_phdr, pseudo_header, err,
+ err_info);
+}
+
+static gboolean
+libpcap_read_rec_data(FILE_T fh, guchar *pd, int length, int *err)
+{
+ int bytes_read;
+
+ errno = WTAP_ERR_CANT_READ;
+ bytes_read = file_read(pd, 1, length, fh);
+
+ if (bytes_read != length) {
+ *err = file_error(fh);
+ if (*err == 0)
+ *err = WTAP_ERR_SHORT_READ;
+ return FALSE;
+ }
+ return TRUE;
+}
+
+static void
+libpcap_close(wtap *wth)
+{
+ g_free(wth->capture.pcap);
}
static int wtap_wtap_encap_to_pcap_encap(int encap)
{
- int i;
+ unsigned int i;
- /*
- * Special-case WTAP_ENCAP_FDDI and WTAP_ENCAP_FDDI_BITSWAPPED;
- * both of them get mapped to DLT_FDDI (even though that may
- * mean that the bit order in the FDDI MAC addresses is wrong;
- * so it goes - libpcap format doesn't record the byte order,
- * so that's not fixable).
- */
- if (encap == WTAP_ENCAP_FDDI || encap == WTAP_ENCAP_FDDI_BITSWAPPED)
+ switch (encap) {
+
+ case WTAP_ENCAP_FDDI:
+ case WTAP_ENCAP_FDDI_BITSWAPPED:
+ /*
+ * Special-case WTAP_ENCAP_FDDI and
+ * WTAP_ENCAP_FDDI_BITSWAPPED; both of them get mapped
+ * to DLT_FDDI (even though that may mean that the bit
+ * order in the FDDI MAC addresses is wrong; so it goes
+ * - libpcap format doesn't record the byte order,
+ * so that's not fixable).
+ */
return 10; /* that's DLT_FDDI */
+
+ case WTAP_ENCAP_PPP_WITH_PHDR:
+ /*
+ * Also special-case PPP with direction bits; map it to
+ * PPP, even though that means that the direction of the
+ * packet is lost.
+ */
+ return 9;
+
+ case WTAP_ENCAP_FRELAY_WITH_PHDR:
+ /*
+ * Do the same with Frame Relay.
+ */
+ return 107;
+
+ case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
+ /*
+ * Map this to DLT_IEEE802_11, for now, even though
+ * that means the radio information will be lost.
+ * Once tcpdump support for the BSD radiotap header
+ * is sufficiently widespread, we should probably
+ * use that, instead - although we should probably
+ * ultimately just have WTAP_ENCAP_IEEE_802_11
+ * as the only Wiretap encapsulation for 802.11,
+ * and have the pseudo-header include a radiotap-style
+ * list of attributes. If we do that, though, we
+ * should probably bypass the regular Wiretap code
+ * when writing out packets during a capture, and just
+ * do the equivalent of a libpcap write (unfortunately,
+ * libpcap doesn't have an "open dump by file descriptor"
+ * function, so we can't just use "pcap_dump()"), so
+ * that we don't spend cycles mapping from libpcap to
+ * Wiretap and then back to libpcap. (There are other
+ * reasons to do that, e.g. to handle AIX libpcap better.)
+ */
+ return 105;
+ }
+
for (i = 0; i < NUM_PCAP_ENCAPS; i++) {
if (pcap_to_wtap_map[i].wtap_encap_value == encap)
return pcap_to_wtap_map[i].dlt_value;
return -1;
}
+#ifdef HAVE_PCAP_H
+/*
+ * Given a Wiretap encapsulation type, and raw packet data and the packet
+ * header from libpcap, process any pseudo-header in the packet,
+ * fill in the Wiretap packet header, and return a pointer to the
+ * beginning of the non-pseudo-header data in the packet.
+ */
+const guchar *
+wtap_process_pcap_packet(gint linktype, const struct pcap_pkthdr *phdr,
+ const guchar *pd, union wtap_pseudo_header *pseudo_header,
+ struct wtap_pkthdr *whdr, int *err)
+{
+ /* "phdr->ts" may not necessarily be a "struct timeval" - it may
+ be a "struct bpf_timeval", with member sizes wired to 32
+ bits - and we may go that way ourselves in the future, so
+ copy the members individually. */
+ whdr->ts.tv_sec = phdr->ts.tv_sec;
+ whdr->ts.tv_usec = phdr->ts.tv_usec;
+ whdr->caplen = phdr->caplen;
+ whdr->len = phdr->len;
+ whdr->pkt_encap = linktype;
+
+ /*
+ * If this is an ATM packet, the first four bytes are the
+ * direction of the packet (transmit/receive), the VPI, and
+ * the VCI; read them and generate the pseudo-header from
+ * them.
+ */
+ if (linktype == WTAP_ENCAP_ATM_PDUS) {
+ if (whdr->caplen < sizeof (struct sunatm_hdr)) {
+ /*
+ * Uh-oh, the packet isn't big enough to even
+ * have a pseudo-header.
+ */
+ g_message("libpcap: SunATM capture has a %u-byte packet, too small to have even an ATM pseudo-header\n",
+ whdr->caplen);
+ *err = WTAP_ERR_BAD_RECORD;
+ return NULL;
+ }
+ libpcap_get_sunatm_pseudoheader((const struct sunatm_hdr *)pd,
+ pseudo_header);
+
+ /*
+ * Don't count the pseudo-header as part of the packet.
+ */
+ whdr->len -= sizeof (struct sunatm_hdr);
+ whdr->caplen -= sizeof (struct sunatm_hdr);
+ pd += sizeof (struct sunatm_hdr);
+
+ /*
+ * If this is ATM LANE traffic, try to guess what type of
+ * LANE traffic it is based on the packet contents.
+ */
+ if (pseudo_header->atm.type == TRAF_LANE)
+ atm_guess_lane_type(pd, whdr->caplen, pseudo_header);
+ }
+ else if (linktype == WTAP_ENCAP_IRDA) {
+ if (whdr->caplen < sizeof (struct irda_sll_hdr)) {
+ /*
+ * Uh-oh, the packet isn't big enough to even
+ * have a pseudo-header.
+ */
+ g_message("libpcap: IrDA capture has a %u-byte packet, too small to have even an IrDA pseudo-header\n",
+ whdr->caplen);
+ *err = WTAP_ERR_BAD_RECORD;
+ return NULL;
+ }
+ if (!libpcap_get_irda_pseudoheader((const struct irda_sll_hdr *)pd,
+ pseudo_header, err, NULL))
+ return NULL;
+
+ /*
+ * Don't count the pseudo-header as part of the packet.
+ */
+ whdr->len -= sizeof (struct irda_sll_hdr);
+ whdr->caplen -= sizeof (struct irda_sll_hdr);
+ pd += sizeof (struct irda_sll_hdr);
+ }
+ return pd;
+}
+#endif
+
/* Returns 0 if we could write the specified encapsulation type,
an error indication otherwise. */
-int libpcap_dump_can_write_encap(int filetype, int encap)
+int libpcap_dump_can_write_encap(int encap)
{
/* Per-packet encapsulations aren't supported. */
if (encap == WTAP_ENCAP_PER_PACKET)
/* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
failure */
-gboolean libpcap_dump_open(wtap_dumper *wdh, int *err)
+gboolean libpcap_dump_open(wtap_dumper *wdh, gboolean cant_seek _U_, int *err)
{
guint32 magic;
struct pcap_hdr file_hdr;
- int nwritten;
+ size_t nwritten;
/* This is a libpcap file */
wdh->subtype_write = libpcap_dump;
nwritten = fwrite(&magic, 1, sizeof magic, wdh->fh);
if (nwritten != sizeof magic) {
- if (nwritten < 0)
+ if (nwritten == 0 && ferror(wdh->fh))
*err = errno;
else
*err = WTAP_ERR_SHORT_WRITE;
return FALSE;
}
+ wdh->bytes_dumped += sizeof magic;
/* current "libpcap" format is 2.4 */
file_hdr.version_major = 2;
file_hdr.version_minor = 4;
file_hdr.thiszone = 0; /* XXX - current offset? */
file_hdr.sigfigs = 0; /* unknown, but also apparently unused */
- file_hdr.snaplen = wdh->snaplen;
+ /*
+ * Tcpdump cannot handle capture files with a snapshot length of 0,
+ * as BPF filters return either 0 if they fail or the snapshot length
+ * if they succeed, and a snapshot length of 0 means success is
+ * indistinguishable from failure and the filter expression would
+ * reject all packets.
+ *
+ * A snapshot length of 0, inside Wiretap, means "snapshot length
+ * unknown"; if the snapshot length supplied to us is 0, we make
+ * the snapshot length in the header file WTAP_MAX_PACKET_SIZE.
+ */
+ file_hdr.snaplen = (wdh->snaplen != 0) ? wdh->snaplen :
+ WTAP_MAX_PACKET_SIZE;
file_hdr.network = wtap_wtap_encap_to_pcap_encap(wdh->encap);
nwritten = fwrite(&file_hdr, 1, sizeof file_hdr, wdh->fh);
if (nwritten != sizeof file_hdr) {
- if (nwritten < 0)
+ if (nwritten == 0 && ferror(wdh->fh))
*err = errno;
else
*err = WTAP_ERR_SHORT_WRITE;
return FALSE;
}
+ wdh->bytes_dumped += sizeof file_hdr;
return TRUE;
}
/* Write a record for a packet to a dump file.
Returns TRUE on success, FALSE on failure. */
-static gboolean libpcap_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
- const union wtap_pseudo_header *pseudo_header, const u_char *pd, int *err)
+static gboolean libpcap_dump(wtap_dumper *wdh,
+ const struct wtap_pkthdr *phdr,
+ const union wtap_pseudo_header *pseudo_header _U_,
+ const guchar *pd, int *err)
{
struct pcaprec_ss990915_hdr rec_hdr;
- int hdr_size;
- int nwritten;
+ size_t hdr_size;
+ size_t nwritten;
+ struct sunatm_hdr atm_hdr;
+ struct irda_sll_hdr irda_hdr;
+ int hdrsize;
+
+ if (wdh->encap == WTAP_ENCAP_ATM_PDUS)
+ hdrsize = sizeof (struct sunatm_hdr);
+ else if (wdh->encap == WTAP_ENCAP_IRDA)
+ hdrsize = sizeof (struct irda_sll_hdr);
+ else
+ hdrsize = 0;
rec_hdr.hdr.ts_sec = phdr->ts.tv_sec;
rec_hdr.hdr.ts_usec = phdr->ts.tv_usec;
- rec_hdr.hdr.incl_len = phdr->caplen;
- rec_hdr.hdr.orig_len = phdr->len;
+ rec_hdr.hdr.incl_len = phdr->caplen + hdrsize;
+ rec_hdr.hdr.orig_len = phdr->len + hdrsize;
switch (wdh->file_type) {
case WTAP_FILE_PCAP:
nwritten = fwrite(&rec_hdr, 1, hdr_size, wdh->fh);
if (nwritten != hdr_size) {
- if (nwritten < 0)
+ if (nwritten == 0 && ferror(wdh->fh))
*err = errno;
else
*err = WTAP_ERR_SHORT_WRITE;
return FALSE;
}
+ wdh->bytes_dumped += hdr_size;
+
+ if (wdh->encap == WTAP_ENCAP_ATM_PDUS) {
+ /*
+ * Write the ATM header.
+ */
+ atm_hdr.flags =
+ (pseudo_header->atm.channel == 0) ? 0x80 : 0x00;
+ switch (pseudo_header->atm.aal) {
+
+ case AAL_SIGNALLING:
+ /* Q.2931 */
+ atm_hdr.flags |= 0x06;
+ break;
+
+ case AAL_5:
+ switch (pseudo_header->atm.type) {
+
+ case TRAF_LANE:
+ /* LANE */
+ atm_hdr.flags |= 0x01;
+ break;
+
+ case TRAF_LLCMX:
+ /* RFC 1483 LLC multiplexed traffic */
+ atm_hdr.flags |= 0x02;
+ break;
+
+ case TRAF_ILMI:
+ /* ILMI */
+ atm_hdr.flags |= 0x05;
+ break;
+ }
+ break;
+ }
+ atm_hdr.vpi = (guint8) pseudo_header->atm.vpi;
+ atm_hdr.vci = phtons(&pseudo_header->atm.vci);
+ nwritten = fwrite(&atm_hdr, 1, sizeof atm_hdr, wdh->fh);
+ if (nwritten != sizeof atm_hdr) {
+ if (nwritten == 0 && ferror(wdh->fh))
+ *err = errno;
+ else
+ *err = WTAP_ERR_SHORT_WRITE;
+ return FALSE;
+ }
+ wdh->bytes_dumped += sizeof atm_hdr;
+ }
+ else if (wdh->encap == WTAP_ENCAP_IRDA) {
+ /*
+ * Write the IrDA header.
+ */
+ memset(&irda_hdr, 0, sizeof(irda_hdr));
+ irda_hdr.sll_pkttype = phtons(&pseudo_header->irda.pkttype);
+ irda_hdr.sll_protocol = g_htons(0x0017);
+ nwritten = fwrite(&irda_hdr, 1, sizeof(irda_hdr), wdh->fh);
+ if (nwritten != sizeof(irda_hdr)) {
+ if (nwritten == 0 && ferror(wdh->fh))
+ *err = errno;
+ else
+ *err = WTAP_ERR_SHORT_WRITE;
+ return FALSE;
+ }
+ wdh->bytes_dumped += sizeof(irda_hdr);
+ }
+
nwritten = fwrite(pd, 1, phdr->caplen, wdh->fh);
if (nwritten != phdr->caplen) {
- if (nwritten < 0)
+ if (nwritten == 0 && ferror(wdh->fh))
*err = errno;
else
*err = WTAP_ERR_SHORT_WRITE;
return FALSE;
}
+ wdh->bytes_dumped += phdr->caplen;
return TRUE;
}
git.samba.org / obnox / wireshark / wip.git / blobdiff