epan/dissectors/pidl/samr/samr.cnf cnf_dissect_lsa_BinaryString => lsarpc_dissect_str...
[wireshark-sm.git] / epan / dissectors / file-pcap.c
blob8203a688ca849bfa7b19b0718c408f5a28f49f14
1 /* file-pcap.c
2 * Routines for PCAP File Format
3 * http://www.tcpdump.org/manpages/pcap-savefile.5.html
5 * Copyright 2015, Michal Labedzki for Tieto Corporation
7 * Wireshark - Network traffic analyzer
8 * By Gerald Combs <gerald@wireshark.org>
9 * Copyright 1998 Gerald Combs
11 * SPDX-License-Identifier: GPL-2.0-or-later
14 #include "config.h"
16 #include <epan/packet.h>
17 #include <epan/prefs.h>
18 #include <epan/expert.h>
19 #include <epan/exceptions.h>
20 #include <epan/show_exception.h>
21 #include <wsutil/array.h>
23 #include "packet-pcap_pktdata.h"
25 static int proto_pcap;
27 static dissector_handle_t pcap_pktdata_handle;
29 static int hf_pcap_header;
30 static int hf_pcap_header_magic_number;
31 static int hf_pcap_header_version_major;
32 static int hf_pcap_header_version_minor;
33 static int hf_pcap_header_this_zone;
34 static int hf_pcap_header_sigfigs;
35 static int hf_pcap_header_snapshot_length;
36 static int hf_pcap_header_link_type;
37 static int hf_pcap_packet;
38 static int hf_pcap_packet_timestamp;
39 static int hf_pcap_packet_timestamp_sec;
40 static int hf_pcap_packet_timestamp_usec;
41 static int hf_pcap_packet_captured_length;
42 static int hf_pcap_packet_original_length;
43 static int hf_pcap_packet_data;
45 static expert_field ei_pcap_capt_larger_than_orig;
46 static expert_field ei_pcap_capt_larger_than_snap;
48 static int ett_pcap;
49 static int ett_pcap_header;
50 static int ett_pcap_packet;
51 static int ett_pcap_packet_data;
52 static int ett_pcap_timestamp;
54 static bool pref_dissect_next_layer;
56 void proto_register_file_pcap(void);
57 void proto_reg_handoff_file_pcap(void);
59 #define MAGIC_NUMBER_SIZE 4
61 static int
62 dissect_pcap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
64 static const uint8_t pcap_big_endian_magic[MAGIC_NUMBER_SIZE] = {
65 0xa1, 0xb2, 0xc3, 0xd4
67 static const uint8_t pcap_little_endian_magic[MAGIC_NUMBER_SIZE] = {
68 0xd4, 0xc3, 0xb2, 0xa1
70 static const uint8_t pcap_nsec_big_endian_magic[MAGIC_NUMBER_SIZE] = {
71 0xa1, 0xb2, 0x3c, 0x4d
73 static const uint8_t pcap_nsec_little_endian_magic[MAGIC_NUMBER_SIZE] = {
74 0x4d, 0x3c, 0xb2, 0xa1
76 volatile int offset = 0;
77 proto_tree *main_tree;
78 proto_item *main_item;
79 proto_tree *header_tree;
80 proto_item *header_item;
81 proto_item *magic_number_item;
82 proto_tree *packet_tree;
83 proto_item *packet_item;
84 proto_tree *timestamp_tree;
85 proto_item *timestamp_item;
86 proto_tree *packet_data_tree;
87 proto_item *packet_data_item;
88 proto_item *capt_len_item;
89 volatile uint32_t encoding;
90 volatile unsigned timestamp_scale_factor;
91 const char *magic;
92 uint32_t snap_length;
93 uint32_t captured_length;
94 uint32_t original_length;
95 uint32_t link_type;
96 volatile uint32_t frame_number = 1;
97 nstime_t timestamp;
99 if (tvb_memeql(tvb, 0, pcap_big_endian_magic, MAGIC_NUMBER_SIZE) == 0) {
100 encoding = ENC_BIG_ENDIAN;
101 timestamp_scale_factor = 1000;
102 magic = "Big-endian";
103 } else if (tvb_memeql(tvb, 0, pcap_little_endian_magic, MAGIC_NUMBER_SIZE) == 0) {
104 encoding = ENC_LITTLE_ENDIAN;
105 timestamp_scale_factor = 1000;
106 magic = "Little-endian";
107 } else if (tvb_memeql(tvb, 0, pcap_nsec_big_endian_magic, MAGIC_NUMBER_SIZE) == 0) {
108 encoding = ENC_BIG_ENDIAN;
109 timestamp_scale_factor = 1;
110 magic = "Big-endian, nanosecond resolution";
111 } else if (tvb_memeql(tvb, 0, pcap_nsec_little_endian_magic, MAGIC_NUMBER_SIZE) == 0) {
112 encoding = ENC_LITTLE_ENDIAN;
113 timestamp_scale_factor = 1;
114 magic = "Little-endian, nanosecond resolution";
115 } else {
117 * Not one of the magic numbers we recognize.
118 * XXX - add them?
120 return 0;
123 main_item = proto_tree_add_item(tree, proto_pcap, tvb, offset, -1, ENC_NA);
124 main_tree = proto_item_add_subtree(main_item, ett_pcap);
126 header_item = proto_tree_add_item(main_tree, hf_pcap_header , tvb, offset, 24, ENC_NA);
127 header_tree = proto_item_add_subtree(header_item, ett_pcap_header);
129 magic_number_item = proto_tree_add_item(header_tree, hf_pcap_header_magic_number, tvb, offset, 4, ENC_NA);
130 proto_item_append_text(magic_number_item, " (%s)", magic);
131 offset += 4;
133 proto_tree_add_item(header_tree, hf_pcap_header_version_major, tvb, offset, 2, encoding);
134 offset += 2;
136 proto_tree_add_item(header_tree, hf_pcap_header_version_minor, tvb, offset, 2, encoding);
137 offset += 2;
139 proto_tree_add_item(header_tree, hf_pcap_header_this_zone, tvb, offset, 4, encoding);
140 offset += 4;
142 proto_tree_add_item(header_tree, hf_pcap_header_sigfigs, tvb, offset, 4, encoding);
143 offset += 4;
145 proto_tree_add_item_ret_uint(header_tree, hf_pcap_header_snapshot_length, tvb, offset, 4, encoding, &snap_length);
146 offset += 4;
148 proto_tree_add_item(header_tree, hf_pcap_header_link_type, tvb, offset, 4, encoding);
149 link_type = tvb_get_uint32(tvb, offset, encoding);
150 offset += 4;
152 while (offset < (int) tvb_reported_length(tvb)) {
153 packet_item = proto_tree_add_item(main_tree, hf_pcap_packet, tvb, offset, 4 * 4, ENC_NA);
154 packet_tree = proto_item_add_subtree(packet_item, ett_pcap_packet);
155 proto_item_append_text(packet_item, " %u", frame_number);
157 timestamp.secs = tvb_get_uint32(tvb, offset, encoding);
158 timestamp.nsecs = tvb_get_uint32(tvb, offset + 4, encoding) * timestamp_scale_factor;
160 timestamp_item = proto_tree_add_time(packet_tree, hf_pcap_packet_timestamp, tvb, offset, 8, &timestamp);
161 timestamp_tree = proto_item_add_subtree(timestamp_item, ett_pcap_timestamp);
163 proto_tree_add_item(timestamp_tree, hf_pcap_packet_timestamp_sec, tvb, offset, 4, encoding);
164 offset += 4;
166 proto_tree_add_item(timestamp_tree, hf_pcap_packet_timestamp_usec, tvb, offset, 4, encoding);
167 offset += 4;
169 capt_len_item = proto_tree_add_item_ret_uint(packet_tree, hf_pcap_packet_captured_length, tvb, offset, 4, encoding, &captured_length);
170 offset += 4;
172 proto_tree_add_item_ret_uint(packet_tree, hf_pcap_packet_original_length, tvb, offset, 4, encoding, &original_length);
173 offset += 4;
175 if (captured_length > snap_length)
177 expert_add_info(pinfo, capt_len_item,
178 &ei_pcap_capt_larger_than_snap);
181 if (captured_length > original_length) {
182 expert_add_info(pinfo, capt_len_item,
183 &ei_pcap_capt_larger_than_orig);
184 break;
187 packet_data_item = proto_tree_add_item(packet_tree, hf_pcap_packet_data, tvb, offset, captured_length, ENC_NA);
188 packet_data_tree = proto_item_add_subtree(packet_data_item, ett_pcap_packet_data);
190 pinfo->num = frame_number;
191 pinfo->abs_ts = timestamp;
193 if (pref_dissect_next_layer) {
194 TRY {
195 call_dissector_with_data(pcap_pktdata_handle, tvb_new_subset_length_caplen(tvb, offset, captured_length, original_length), pinfo, packet_data_tree, &link_type);
197 CATCH_BOUNDS_ERRORS {
198 show_exception(tvb, pinfo, packet_data_tree, EXCEPT_CODE, GET_MESSAGE);
200 ENDTRY;
202 offset += captured_length;
204 proto_item_set_len(packet_item, 4 * 4 + captured_length);
205 frame_number += 1;
208 return offset;
211 static bool
212 dissect_pcap_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
214 return dissect_pcap(tvb, pinfo, tree, data) > 0;
217 void
218 proto_register_file_pcap(void)
220 module_t *module;
221 expert_module_t *expert_pcap;
223 static hf_register_info hf[] = {
224 { &hf_pcap_header,
225 { "Header", "pcap.header",
226 FT_NONE, BASE_NONE, NULL, 0x00,
227 NULL, HFILL }
229 { &hf_pcap_header_magic_number,
230 { "Magic Number", "pcap.header.magic_number",
231 FT_BYTES, BASE_NONE, NULL, 0x00,
232 NULL, HFILL }
234 { &hf_pcap_header_version_major,
235 { "Version Major", "pcap.header.version.major",
236 FT_UINT16, BASE_DEC, NULL, 0x00,
237 NULL, HFILL }
239 { &hf_pcap_header_version_minor,
240 { "Version Minor", "pcap.header.version.minor",
241 FT_UINT16, BASE_DEC, NULL, 0x00,
242 NULL, HFILL }
244 { &hf_pcap_header_this_zone,
245 { "This Zone", "pcap.header.this_zone",
246 FT_INT32, BASE_DEC, NULL, 0x00,
247 NULL, HFILL }
249 { &hf_pcap_header_sigfigs,
250 { "Sigfigs", "pcap.header.sigfigs",
251 FT_UINT32, BASE_DEC, NULL, 0x00,
252 NULL, HFILL }
254 { &hf_pcap_header_snapshot_length,
255 { "Snapshot Length", "pcap.header.snapshot_length",
256 FT_UINT32, BASE_DEC, NULL, 0x00,
257 NULL, HFILL }
259 { &hf_pcap_header_link_type,
260 { "Link Type", "pcap.header.link_type",
261 FT_UINT32, BASE_DEC_HEX, VALS(link_type_vals), 0x00,
262 NULL, HFILL }
264 { &hf_pcap_packet,
265 { "Packet", "pcap.packet",
266 FT_NONE, BASE_NONE, NULL, 0x00,
267 NULL, HFILL }
269 { &hf_pcap_packet_timestamp,
270 { "Timestamp", "pcap.packet.timestamp",
271 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x00,
272 NULL, HFILL }
274 { &hf_pcap_packet_timestamp_sec,
275 { "Timestamp sec", "pcap.packet.timestamp.sec",
276 FT_UINT32, BASE_DEC, NULL, 0x00,
277 NULL, HFILL }
279 { &hf_pcap_packet_timestamp_usec,
280 { "Timestamp usec", "pcap.packet.timestamp.usec",
281 FT_UINT32, BASE_DEC, NULL, 0x00,
282 NULL, HFILL }
284 { &hf_pcap_packet_captured_length,
285 { "Captured Packet Length", "pcap.packet.captured_length",
286 FT_UINT32, BASE_DEC, NULL, 0x00,
287 NULL, HFILL }
289 { &hf_pcap_packet_original_length,
290 { "Original Packet Length", "pcap.packet.original_length",
291 FT_UINT32, BASE_DEC, NULL, 0x00,
292 NULL, HFILL }
294 { &hf_pcap_packet_data,
295 { "Data", "pcap.packet.data",
296 FT_NONE, BASE_NONE, NULL, 0x00,
297 NULL, HFILL }
301 static ei_register_info ei[] = {
302 { &ei_pcap_capt_larger_than_orig,
303 { "pcap.capt_len_larger_than_orig_len", PI_MALFORMED, PI_ERROR,
304 "captured length is larger than original length",
305 EXPFILL }},
306 { &ei_pcap_capt_larger_than_snap,
307 { "pcap.capt_len_larger_than_snap_len", PI_PROTOCOL, PI_WARN,
308 "captured length is larger than snapshot length",
309 EXPFILL }}
312 static int *ett[] = {
313 &ett_pcap,
314 &ett_pcap_header,
315 &ett_pcap_packet,
316 &ett_pcap_packet_data,
317 &ett_pcap_timestamp
320 proto_pcap = proto_register_protocol("PCAP File Format", "File-PCAP", "file-pcap");
321 proto_register_field_array(proto_pcap, hf, array_length(hf));
322 proto_register_subtree_array(ett, array_length(ett));
323 expert_pcap = expert_register_protocol(proto_pcap);
324 expert_register_field_array(expert_pcap, ei, array_length(ei));
326 register_dissector("file-pcap", dissect_pcap, proto_pcap);
328 module = prefs_register_protocol(proto_pcap, NULL);
329 prefs_register_static_text_preference(module, "version",
330 "PCAP version: >=2.4",
331 "Version of file-format supported by this dissector.");
333 prefs_register_bool_preference(module, "dissect_next_layer",
334 "Dissect next layer",
335 "Dissect next layer",
336 &pref_dissect_next_layer);
339 void
340 proto_reg_handoff_file_pcap(void)
342 heur_dissector_add("wtap_file", dissect_pcap_heur, "PCAP File", "pcap_wtap", proto_pcap, HEURISTIC_ENABLE);
343 pcap_pktdata_handle = find_dissector_add_dependency("pcap_pktdata", proto_pcap);
347 * Editor modelines - https://www.wireshark.org/tools/modelines.html
349 * Local variables:
350 * c-basic-offset: 4
351 * tab-width: 8
352 * indent-tabs-mode: nil
353 * End:
355 * vi: set shiftwidth=4 tabstop=8 expandtab:
356 * :indentSize=4:tabSize=8:noTabs=true: