4 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
6 * SPDX-License-Identifier: GPL-2.0-or-later
9 #ifndef __PCAP_MODULE_H__
10 #define __PCAP_MODULE_H__
13 * These are the officially registered block types, from the pcapng
16 * XXX - Dear Sysdig People: please add your blocks to the spec!
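/*
 * pcapng block type codes.  The listing's line-number gutter has been
 * stripped so that each line is a valid preprocessor directive; names and
 * values are unchanged.
 *
 * A code read from a capture file is untrusted input: a reader should treat
 * any value that is not handled as an unknown block rather than assume it is
 * one of the codes below.
 */
#define BLOCK_TYPE_SHB                    0x0A0D0D0A /* Section Header Block; the four bytes are a palindrome, so the code reads the same in either byte order */
#define BLOCK_TYPE_IDB                    0x00000001 /* Interface Description Block */
#define BLOCK_TYPE_PB                     0x00000002 /* Packet Block (obsolete) */
#define BLOCK_TYPE_SPB                    0x00000003 /* Simple Packet Block */
#define BLOCK_TYPE_NRB                    0x00000004 /* Name Resolution Block */
#define BLOCK_TYPE_ISB                    0x00000005 /* Interface Statistics Block */
#define BLOCK_TYPE_EPB                    0x00000006 /* Enhanced Packet Block */
#define BLOCK_TYPE_IRIG_TS                0x00000007 /* IRIG Timestamp Block */
#define BLOCK_TYPE_ARINC_429              0x00000008 /* ARINC 429 in AFDX Encapsulation Information Block */
#define BLOCK_TYPE_SYSTEMD_JOURNAL_EXPORT 0x00000009 /* systemd journal entry */
/*
 * A Decryption Secrets Block carries the secrets needed to decrypt traffic in
 * the same capture, so a file containing one should be stored and shared with
 * the same care as the key material itself.
 */
#define BLOCK_TYPE_DSB                    0x0000000A /* Decryption Secrets Block */

/*
 * Sysdig block types.  The values are hexadecimal but numbered as if they
 * were decimal: 0x209 is followed by 0x210 and 0x219 by 0x220, so
 * 0x20A-0x20F and 0x21A-0x21F are not Sysdig codes defined here.
 */
#define BLOCK_TYPE_SYSDIG_MI              0x00000201 /* Sysdig Machine Info Block */
#define BLOCK_TYPE_SYSDIG_PL_V1           0x00000202 /* Sysdig Process List Block */
#define BLOCK_TYPE_SYSDIG_FDL_V1          0x00000203 /* Sysdig File Descriptor List Block */
#define BLOCK_TYPE_SYSDIG_EVENT           0x00000204 /* Sysdig Event Block */
#define BLOCK_TYPE_SYSDIG_IL_V1           0x00000205 /* Sysdig Interface List Block */
#define BLOCK_TYPE_SYSDIG_UL_V1           0x00000206 /* Sysdig User List Block */
#define BLOCK_TYPE_SYSDIG_PL_V2           0x00000207 /* Sysdig Process List Block version 2 */
#define BLOCK_TYPE_SYSDIG_EVF             0x00000208 /* Sysdig Event Block with flags */
#define BLOCK_TYPE_SYSDIG_PL_V3           0x00000209 /* Sysdig Process List Block version 3 */
#define BLOCK_TYPE_SYSDIG_PL_V4           0x00000210 /* Sysdig Process List Block version 4 */
#define BLOCK_TYPE_SYSDIG_PL_V5           0x00000211 /* Sysdig Process List Block version 5 */
#define BLOCK_TYPE_SYSDIG_PL_V6           0x00000212 /* Sysdig Process List Block version 6 */
#define BLOCK_TYPE_SYSDIG_PL_V7           0x00000213 /* Sysdig Process List Block version 7 */
#define BLOCK_TYPE_SYSDIG_PL_V8           0x00000214 /* Sysdig Process List Block version 8 */
#define BLOCK_TYPE_SYSDIG_PL_V9           0x00000215 /* Sysdig Process List Block version 9 */
#define BLOCK_TYPE_SYSDIG_EVENT_V2        0x00000216 /* Sysdig Event Block version 2 */
#define BLOCK_TYPE_SYSDIG_EVF_V2          0x00000217 /* Sysdig Event Block with flags version 2 */
#define BLOCK_TYPE_SYSDIG_FDL_V2          0x00000218 /* Sysdig File Descriptor List Block version 2 */
#define BLOCK_TYPE_SYSDIG_IL_V2           0x00000219 /* Sysdig Interface List Block version 2 */
#define BLOCK_TYPE_SYSDIG_UL_V2           0x00000220 /* Sysdig User List Block version 2 */
#define BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE  0x00000221 /* Sysdig Event Block version 2 with large payload */
#define BLOCK_TYPE_SYSDIG_EVF_V2_LARGE    0x00000222 /* Sysdig Event Block with flags version 2 with large payload */

/*
 * Custom Blocks.  The two codes differ only in bit 0x40000000, which marks
 * the block as one that should not be copied to another file.
 */
#define BLOCK_TYPE_CB_COPY                0x00000BAD /* Custom Block which can be copied */
#define BLOCK_TYPE_CB_NO_COPY             0x40000BAD /* Custom Block which should not be copied */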
54 /* TODO: the following are not yet well defined in the draft spec,
55 * and do not yet have block type values assigned to them:
60 * Traffic Statistics and Monitoring Blocks
61 * Event/Security Block
64 /* Block data to be passed between functions during reading */
65 typedef struct wtapng_block_s
{
66 uint32_t type
; /* block_type as defined by pcapng */
67 bool internal
; /* true if this block type shouldn't be returned from pcapng_read() */
73 /* Section data in private struct */
75 * XXX - there needs to be a more general way to implement the Netflix
76 * BBLog blocks and options.
78 typedef struct section_info_t
{
79 bool byte_swapped
; /**< true if this section is not in our byte order */
80 uint16_t version_major
; /**< Major version number of this section */
81 uint16_t version_minor
; /**< Minor version number of this section */
82 GArray
*interfaces
; /**< Interfaces found in this section */
83 int64_t shb_off
; /**< File offset of the SHB for this section */
84 uint32_t bblog_version
; /**< BBLog: version used */
85 uint64_t bblog_offset_tv_sec
; /**< BBLog: UTC offset */
86 uint64_t bblog_offset_tv_usec
;
90 * Reader and writer routines for pcapng block types.
92 typedef bool (*block_reader
)(FILE_T fh
, uint32_t block_read
,
94 wtapng_block_t
*wblock
,
95 int *err
, char **err_info
);
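/*
 * Writer callback type for a pcapng block type (line-number gutter removed
 * and the split tokens rejoined; the parameter list is as shown in the
 * listing).
 *
 * wdh - wtap_dumper handle passed to the callback
 * rec - record passed to the callback (read-only)
 * pd  - byte buffer passed to the callback (read-only); no length is passed
 *       alongside it.  NOTE(review): presumably the length is carried in
 *       rec - confirm that implementations bound every read of pd by it.
 * err - out-parameter for an error code
 *
 * Returns a bool.  NOTE(review): presumably true on success and false with
 * *err set on failure - confirm against the callers.
 */
typedef bool (*block_writer)(wtap_dumper *wdh, const wtap_rec *rec,
                             const uint8_t *pd, int *err);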
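/*
 * Register a handler for a pcapng block type.
 *
 * block_type - block type code the handlers apply to (the BLOCK_TYPE_*
 *              macros in this header are such codes)
 * reader     - block_reader callback for that block type
 * writer     - block_writer callback for that block type
 *
 * A block_reader is handed the file handle and parses bytes that come from a
 * capture file, so a registered reader has to treat every length and offset
 * it reads as untrusted.
 *
 * NOTE(review): this declaration does not show whether NULL callbacks are
 * accepted, or what happens when the same block_type is registered twice -
 * confirm in the implementation.
 */
void register_pcapng_block_type_handler(unsigned block_type, block_reader reader,
                                        block_writer writer);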
107 * Handler routines for pcapng option type.
109 typedef bool (*option_parser
)(wtap_block_t block
,
111 unsigned option_length
,
112 const uint8_t *option_content
,
113 int *err
, char **err_info
);
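/*
 * Callback type that returns a uint32_t for an option, given the option id
 * and its value (line-number gutter removed, split tokens rejoined).
 *
 * NOTE(review): from the name, the result is presumably the size the option
 * occupies when written.  Confirm whether that includes the option header
 * and padding; a sizer that disagrees with what the matching option_writer
 * emits would produce a block whose length field does not match its
 * contents.
 */
typedef uint32_t (*option_sizer)(unsigned option_id, wtap_optval_t *optval);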
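/*
 * Callback type that writes one option (line-number gutter removed, split
 * tokens rejoined).
 *
 * wdh       - wtap_dumper handle passed to the callback
 * option_id - id of the option
 * optval    - value of the option
 * err       - out-parameter for an error code
 *
 * Returns a bool.  NOTE(review): presumably true on success and false with
 * *err set on failure - confirm against the callers.
 */
typedef bool (*option_writer)(wtap_dumper *wdh, unsigned option_id,
                              wtap_optval_t *optval, int *err);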
119 * Register a handler for a pcapng option code for a particular block
123 void register_pcapng_option_handler(unsigned block_type
, unsigned option_code
,
124 option_parser parser
,
126 option_writer writer
);
129 * Byte order of the options within a block.
131 * This is usually the byte order of the section, but, for options
132 * within a Custom Block, it needs to be a specified byte order,
133 * or a byte order indicated by data in the Custom Data (stored in
134 * a fashion that doesn't require knowing the byte order of the
135 * Custom Data, as it's also the byte order of the Custom Data
136 * itself), so that programs ignorant of the format of a given
137 * type of Custom Block can still read a block from one file and
138 * write it to another, even if the host doing the writing has
139 * a byte order different from the host that previously wrote
143 OPT_SECTION_BYTE_ORDER
, /* byte order of this section */
144 OPT_BIG_ENDIAN
, /* as it says */
145 OPT_LITTLE_ENDIAN
/* ditto */
146 } pcapng_opt_byte_order_e
;
149 * Process the options section of a block. process_option points to
150 * a routine that processes all the block-specific options, i.e.
151 * options other than the end-of-options, comment, and custom
155 bool pcapng_process_options(FILE_T fh
, wtapng_block_t
*wblock
,
156 section_info_t
*section_info
,
157 unsigned opt_cont_buf_len
,
158 bool (*process_option
)(wtapng_block_t
*,
159 const section_info_t
*,
163 pcapng_opt_byte_order_e byte_order
,
164 int *err
, char **err_info
);
167 * Helper routines to process options with types used in more than one
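/*
 * Process an option whose value is, per the function name, a uint8.
 *
 * wblock         - block the option belongs to
 * option_code    - option code
 * option_length  - length of the option value
 * option_content - option value bytes (read-only)
 *
 * The function returns void and takes no err/err_info, so this signature
 * gives it no way to report a malformed option to its caller.
 * NOTE(review): option_length is presumably taken from the capture file;
 * confirm the implementation checks it against the one byte it expects
 * before reading option_content.
 */
void pcapng_process_uint8_option(wtapng_block_t *wblock,
                                 uint16_t option_code, uint16_t option_length,
                                 const uint8_t *option_content);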
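/*
 * Process an option whose value is, per the function name, a uint32.
 *
 * wblock         - block the option belongs to
 * section_info   - section the block was read from (read-only)
 * byte_order     - byte order of the option value
 * option_code    - option code
 * option_length  - length of the option value
 * option_content - option value bytes (read-only)
 *
 * The function returns void and takes no err/err_info, so this signature
 * gives it no way to report a malformed option to its caller.
 * NOTE(review): option_length is presumably taken from the capture file;
 * confirm the implementation checks it against the four bytes it expects
 * before reading option_content.
 */
void pcapng_process_uint32_option(wtapng_block_t *wblock,
                                  const section_info_t *section_info,
                                  pcapng_opt_byte_order_e byte_order,
                                  uint16_t option_code, uint16_t option_length,
                                  const uint8_t *option_content);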
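/*
 * Process an option whose value is, per the function name, a timestamp.
 *
 * wblock         - block the option belongs to
 * section_info   - section the block was read from (read-only)
 * byte_order     - byte order of the option value
 * option_code    - option code
 * option_length  - length of the option value
 * option_content - option value bytes (read-only)
 *
 * The function returns void and takes no err/err_info, so this signature
 * gives it no way to report a malformed option to its caller.
 * NOTE(review): option_length is presumably taken from the capture file;
 * the expected timestamp size is not visible in this header - confirm the
 * implementation checks the length before reading option_content.
 */
void pcapng_process_timestamp_option(wtapng_block_t *wblock,
                                     const section_info_t *section_info,
                                     pcapng_opt_byte_order_e byte_order,
                                     uint16_t option_code, uint16_t option_length,
                                     const uint8_t *option_content);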
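/*
 * Process an option whose value is, per the function name, a uint64.
 *
 * wblock         - block the option belongs to
 * section_info   - section the block was read from (read-only)
 * byte_order     - byte order of the option value
 * option_code    - option code
 * option_length  - length of the option value
 * option_content - option value bytes (read-only)
 *
 * The function returns void and takes no err/err_info, so this signature
 * gives it no way to report a malformed option to its caller.
 * NOTE(review): option_length is presumably taken from the capture file;
 * confirm the implementation checks it against the eight bytes it expects
 * before reading option_content.
 */
void pcapng_process_uint64_option(wtapng_block_t *wblock,
                                  const section_info_t *section_info,
                                  pcapng_opt_byte_order_e byte_order,
                                  uint16_t option_code, uint16_t option_length,
                                  const uint8_t *option_content);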
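/*
 * Process an option whose value is, per the function name, an int64.
 *
 * wblock         - block the option belongs to
 * section_info   - section the block was read from (read-only)
 * byte_order     - byte order of the option value
 * option_code    - option code
 * option_length  - length of the option value
 * option_content - option value bytes (read-only)
 *
 * The function returns void and takes no err/err_info, so this signature
 * gives it no way to report a malformed option to its caller.
 * NOTE(review): option_length is presumably taken from the capture file;
 * confirm the implementation checks it against the eight bytes it expects
 * before reading option_content.
 */
void pcapng_process_int64_option(wtapng_block_t *wblock,
                                 const section_info_t *section_info,
                                 pcapng_opt_byte_order_e byte_order,
                                 uint16_t option_code, uint16_t option_length,
                                 const uint8_t *option_content);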
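/*
 * Process an option whose value is, per the function name, a string.
 *
 * wblock         - block the option belongs to
 * option_code    - option code
 * option_length  - length of the option value
 * option_content - option value bytes (read-only)
 *
 * The value is passed as a pointer plus an explicit length.
 * NOTE(review): confirm the implementation bounds every read by
 * option_length and does not rely on a terminating NUL in option_content,
 * and check how it treats embedded NULs or invalid text encoding in data
 * that comes from a capture file.
 */
void pcapng_process_string_option(wtapng_block_t *wblock, uint16_t option_code,
                                  uint16_t option_length,
                                  const uint8_t *option_content);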
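/*
 * Process an option whose value is, per the function name, a byte sequence.
 *
 * wblock         - block the option belongs to
 * option_code    - option code
 * option_length  - length of the option value
 * option_content - option value bytes (read-only)
 *
 * The value is passed as a pointer plus an explicit length.
 * NOTE(review): confirm the implementation copies or reads exactly
 * option_length bytes, and that callers have already verified that many
 * bytes are available in the buffer option_content points into.
 */
void pcapng_process_bytes_option(wtapng_block_t *wblock, uint16_t option_code,
                                 uint16_t option_length,
                                 const uint8_t *option_content);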
211 #endif /* __PCAP_MODULE_H__ */