search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
public dissect_krb5_PAC_NDRHEADERBLOB
[wireshark-sm.git] / wiretap / pcap-common.c
blob4b7097881cfe3d7d5d3ff71354ef45308ad9a504
1 /* pcap-common.c
2 * Code common to pcap and pcapng file formats
3 *
4 * Wiretap Library
5 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
6 *
7 * File format support for pcapng file format
8 * Copyright (c) 2007 by Ulf Lamping <ulf.lamping@web.de>
9 *
10 * SPDX-License-Identifier: GPL-2.0-or-later
11 */
12
13 #include "config.h"
14 #include "pcap-common.h"
15
16 #include <stdlib.h>
17 #include <string.h>
18 #include "wtap-int.h"
19 #include "file_wrappers.h"
20 #include "atm.h"
21 #include "erf_record.h"
22 #include "pcap-encap.h"
23
24 /*
25 * On some systems, the FDDI MAC addresses are bit-swapped.
26 *
27 * XXX - what we *really* need to know is whether the addresses are
28 * bit-swapped *in a particular capture*, which depends on the system
29 * on which it was captured, not on the system that's reading it.
30 * Unfortunately, we can't determine that.
31 */
32 #if !defined(ultrix) && !defined(__alpha) && !defined(__bsdi__)
33 #define BIT_SWAPPED_MAC_ADDRS
34 #endif
35
36 /*
37 * Map link-layer header types (LINKTYPE_ values) to Wiretap encapsulations.
38 *
39 * Either LBL NRG wasn't an adequate central registry (e.g., because of
40 * the slow rate of releases from them), or nobody bothered using them
41 * as a central registry, as many different groups have patched libpcap
42 * (and BPF, on the BSDs) to add new encapsulation types, and have ended
43 * up using the same DLT_ values for different encapsulation types.
44 *
45 * The Tcpdump Group now maintains the list of link-layer header types;
46 * they introduced a separate namespace of LINKTYPE_ values for the
47 * values to be used in capture files, and have libpcap map between
48 * those values in capture file headers and the DLT_ values that the
49 * pcap_datalink() and pcap_open_dead() APIs use. See
50 * https://www.tcpdump.org/linktypes.html for a list of LINKTYPE_ values.
51 *
52 * In most cases, the corresponding LINKTYPE_ and DLT_ values are the
53 * same. In the cases where the same link-layer header type was given
54 * different values in different OSes, a new LINKTYPE_ value was defined,
55 * different from all of the existing DLT_ values.
56 *
57 * This table maps LINKTYPE_ values to the corresponding Wiretap
58 * encapsulation. For cases where multiple DLT_ values were in use,
59 * it also checks what <pcap.h> defineds to determine how to interpret
60 * them, so that if a file was written by a version of libpcap prior
61 * to the introduction of the LINKTYPE_ values, and has a DLT_ value
62 * from the OS on which it was written rather than a LINKTYPE_ value
63 * as its linktype value in the file header, we map the numerical
64 * DLT_ value, as interpreted by the libpcap with which we're building
65 * Wireshark/Wiretap interprets them (which, if it doesn't support
66 * them at all, means we don't support them either - any capture files
67 * using them are foreign, and we don't hazard a guess as to which
68 * platform they came from; we could, I guess, choose the most likely
69 * platform), to the corresponding Wiretap encapsulation.
70 *
71 * Note: if you need a new encapsulation type for libpcap files, do
72 * *N*O*T* use *ANY* of the values listed here! I.e., do *NOT*
73 * add a new encapsulation type by changing an existing entry;
74 * leave the existing entries alone.
75 *
76 * Instead, send mail to tcpdump-workers@lists.tcpdump.org, asking for
77 * a new LINKTYPE_/DLT_ value, and specifying the purpose of the new
78 * value. When you get the new LINKTYPE_/DLT_ value, use that numerical
79 * value in the "linktype_value" field of "pcap_to_wtap_map[]".
80 */
81
82 static const struct {
83 int linktype_value;
84 int wtap_encap_value;
85 } pcap_to_wtap_map[] = {
86 /*
87 * These are the values that are almost certainly the same
88 * in all libpcaps (I've yet to find one where the values
89 * in question are used for some purpose other than the
90 * one below, but...), and thus assigned as LINKTYPE_ values,
91 * and that Wiretap and Wireshark currently support.
92 */
93 { 0, WTAP_ENCAP_NULL }, /* null encapsulation */
94 { 1, WTAP_ENCAP_ETHERNET },
95 { 2, WTAP_ENCAP_3MB_ETHERNET },
96 { 3, WTAP_ENCAP_AX25 },
97 { 6, WTAP_ENCAP_TOKEN_RING }, /* IEEE 802 Networks - assume token ring */
98 { 7, WTAP_ENCAP_ARCNET },
99 { 8, WTAP_ENCAP_SLIP },
100 { 9, WTAP_ENCAP_PPP },
101 #ifdef BIT_SWAPPED_MAC_ADDRS
102 { 10, WTAP_ENCAP_FDDI_BITSWAPPED },
103 #else
104 { 10, WTAP_ENCAP_FDDI },
105 #endif
106
107 { 32, WTAP_ENCAP_REDBACK },
108
109 /*
110 * 50 is DLT_PPP_SERIAL in NetBSD; it appears that DLT_PPP
111 * on BSD (at least according to standard tcpdump) has, as
112 * the first octet, an indication of whether the packet was
113 * transmitted or received (rather than having the standard
114 * PPP address value of 0xff), but that DLT_PPP_SERIAL puts
115 * a real live PPP header there, or perhaps a Cisco PPP header
116 * as per section 4.3.1 of RFC 1547 (implementations of this
117 * exist in various BSDs in "sys/net/if_spppsubr.c", and
118 * I think also exist either in standard Linux or in
119 * various Linux patches; the implementations show how to handle
120 * Cisco keepalive packets).
121 *
122 * However, I don't see any obvious place in FreeBSD "if_ppp.c"
123 * where anything other than the standard PPP header would be
124 * passed up. I see some stuff that sets the first octet
125 * to 0 for incoming and 1 for outgoing packets before applying
126 * a BPF filter to see whether to drop packets whose protocol
127 * field has the 0x8000 bit set, i.e. network control protocols -
128 * those are handed up to userland - but that code puts the
129 * address field back before passing the packet up.
130 *
131 * I also don't see anything immediately obvious that munges
132 * the address field for sync PPP, either.
133 *
134 * Wireshark currently assumes that if the first octet of a
135 * PPP frame is 0xFF, it's the address field and is followed
136 * by a control field and a 2-byte protocol, otherwise the
137 * address and control fields are absent and the frame begins
138 * with a protocol field. If we ever see a BSD/OS PPP
139 * capture, we'll have to handle it differently, and we may
140 * have to handle standard BSD captures differently if, in fact,
141 * they don't have 0xff 0x03 as the first two bytes - but, as per
142 * the two paragraphs preceding this, it's not clear that
143 * the address field *is* munged into an incoming/outgoing
144 * field when the packet is handed to the BPF device.
145 *
146 * For now, we just map DLT_PPP_SERIAL to WTAP_ENCAP_PPP, as
147 * we treat WTAP_ENCAP_PPP packets as if those beginning with
148 * 0xff have the standard RFC 1662 "PPP in HDLC-like Framing"
149 * 0xff 0x03 address/control header, and DLT_PPP_SERIAL frames
150 * appear to contain that unless they're Cisco frames (if we
151 * ever see a capture with them, we'd need to implement the
152 * RFC 1547 stuff, and the keepalive protocol stuff).
153 *
154 * We may have to distinguish between "PPP where if it doesn't
155 * begin with 0xff there's no HDLC encapsulation and the frame
156 * begins with the protocol field" (which is how we handle
157 * WTAP_ENCAP_PPP now) and "PPP where there's either HDLC
158 * encapsulation or Cisco PPP" (which is what DLT_PPP_SERIAL
159 * is) at some point.
160 *
161 * XXX - NetBSD has DLT_HDLC, which appears to be used for
162 * Cisco HDLC. Ideally, they should use DLT_PPP_SERIAL
163 * only for real live HDLC-encapsulated PPP, not for Cisco
164 * HDLC.
165 */
166 { 50, WTAP_ENCAP_PPP },
167
168 /*
169 * Used by NetBSD and OpenBSD pppoe(4).
170 */
171 { 51, WTAP_ENCAP_PPP_ETHER },
172
173 /*
174 * Apparently used by the Axent Raptor firewall (now Symantec
175 * Enterprise Firewall).
176 * Thanks, Axent, for not reserving that type with tcpdump.org
177 * and not telling anybody about it.
178 */
179 { 99, WTAP_ENCAP_SYMANTEC },
180
181 /*
182 * These are the values that libpcap 0.5 and later use in
183 * capture file headers, in an attempt to work around the
184 * confusion decried above, and that Wiretap and Wireshark
185 * currently support. I.e., they're the LINKTYPE_ values
186 * for RFC 1483 ATM and "raw IP", respectively, not the
187 * DLT_ values for them on all platforms.
188 */
189 { 100, WTAP_ENCAP_ATM_RFC1483 },
190 { 101, WTAP_ENCAP_RAW_IP },
191 #if 0
192 /*
193 * More values used by libpcap 0.5 as DLT_ values and used by the
194 * current CVS version of libpcap in capture file headers.
195 * They are not yet handled in Wireshark.
196 * If we get a capture that contains them, we'll implement them.
197 */
198 { 102, WTAP_ENCAP_SLIP_BSDOS },
199 { 103, WTAP_ENCAP_PPP_BSDOS },
200 #endif
201
202 /*
203 * These ones are handled in Wireshark, though.
204 */
205 { 104, WTAP_ENCAP_CHDLC }, /* Cisco HDLC */
206 { 105, WTAP_ENCAP_IEEE_802_11 }, /* IEEE 802.11 */
207 { 106, WTAP_ENCAP_LINUX_ATM_CLIP },
208 { 107, WTAP_ENCAP_FRELAY }, /* Frame Relay */
209 { 108, WTAP_ENCAP_LOOP }, /* OpenBSD loopback */
210 { 109, WTAP_ENCAP_ENC }, /* OpenBSD IPSEC enc */
211 #if 0
212 { 110, WTAP_ENCAP_LANE_802_3 },/* ATM LANE 802.3 */
213 { 111, WTAP_ENCAP_HIPPI }, /* NetBSD HIPPI */
214 #endif
215 { 112, WTAP_ENCAP_CHDLC }, /* NetBSD HDLC framing */
216
217 /*
218 * Linux "cooked mode" captures, used by the current CVS version
219 * of libpcap
220 * OR
221 * it could be a packet in Cisco's ERSPAN encapsulation which uses
222 * this number as well (why can't people stick to protocols when it
223 * comes to allocating/using DLT types).
224 */
225 { 113, WTAP_ENCAP_SLL }, /* Linux cooked capture v1 */
226
227 { 114, WTAP_ENCAP_LOCALTALK }, /* Localtalk */
228
229 /*
230 * The tcpdump.org version of libpcap uses 117, rather than 17,
231 * for OpenBSD packet filter logging, so as to avoid conflicting
232 * with DLT_LANE8023 in SuSE 6.3 libpcap.
233 */
234 { 117, WTAP_ENCAP_PFLOG },
235
236 { 118, WTAP_ENCAP_CISCO_IOS },
237 { 119, WTAP_ENCAP_IEEE_802_11_PRISM }, /* 802.11 plus Prism monitor mode radio header */
238 { 121, WTAP_ENCAP_HHDLC }, /* HiPath HDLC */
239 { 122, WTAP_ENCAP_IP_OVER_FC }, /* RFC 2625 IP-over-FC */
240 { 123, WTAP_ENCAP_ATM_PDUS }, /* SunATM */
241 { 127, WTAP_ENCAP_IEEE_802_11_RADIOTAP }, /* 802.11 plus radiotap radio header */
242 { 128, WTAP_ENCAP_TZSP }, /* Tazmen Sniffer Protocol */
243 { 129, WTAP_ENCAP_ARCNET_LINUX },
244 { 130, WTAP_ENCAP_JUNIPER_MLPPP }, /* Juniper MLPPP on ML-, LS-, AS- PICs */
245 { 131, WTAP_ENCAP_JUNIPER_MLFR }, /* Juniper MLFR (FRF.15) on ML-, LS-, AS- PICs */
246 { 133, WTAP_ENCAP_JUNIPER_GGSN},
247 /*
248 * Values 132 and 134 not listed here are reserved for use
249 * in Juniper hardware.
250 */
251 { 135, WTAP_ENCAP_JUNIPER_ATM2 }, /* various encapsulations captured on the ATM2 PIC */
252 { 136, WTAP_ENCAP_JUNIPER_SVCS }, /* various encapsulations captured on the services PIC */
253 { 137, WTAP_ENCAP_JUNIPER_ATM1 }, /* various encapsulations captured on the ATM1 PIC */
254
255 { 138, WTAP_ENCAP_APPLE_IP_OVER_IEEE1394 },
256 /* Apple IP-over-IEEE 1394 */
257
258 { 139, WTAP_ENCAP_MTP2_WITH_PHDR },
259 { 140, WTAP_ENCAP_MTP2 },
260 { 141, WTAP_ENCAP_MTP3 },
261 { 142, WTAP_ENCAP_SCCP },
262 { 143, WTAP_ENCAP_DOCSIS },
263 { 144, WTAP_ENCAP_IRDA }, /* IrDA capture */
264
265 /* Reserved for private use. */
266 { 147, WTAP_ENCAP_USER0 },
267 { 148, WTAP_ENCAP_USER1 },
268 { 149, WTAP_ENCAP_USER2 },
269 { 150, WTAP_ENCAP_USER3 },
270 { 151, WTAP_ENCAP_USER4 },
271 { 152, WTAP_ENCAP_USER5 },
272 { 153, WTAP_ENCAP_USER6 },
273 { 154, WTAP_ENCAP_USER7 },
274 { 155, WTAP_ENCAP_USER8 },
275 { 156, WTAP_ENCAP_USER9 },
276 { 157, WTAP_ENCAP_USER10 },
277 { 158, WTAP_ENCAP_USER11 },
278 { 159, WTAP_ENCAP_USER12 },
279 { 160, WTAP_ENCAP_USER13 },
280 { 161, WTAP_ENCAP_USER14 },
281 { 162, WTAP_ENCAP_USER15 },
282
283 { 163, WTAP_ENCAP_IEEE_802_11_AVS }, /* 802.11 plus AVS radio header */
284
285 /*
286 * 164 is reserved for Juniper-private chassis-internal
287 * meta-information such as QoS profiles, etc..
288 */
289
290 { 165, WTAP_ENCAP_BACNET_MS_TP },
291
292 /*
293 * 166 is reserved for a PPP variant in which the first byte
294 * of the 0xff03 header, the 0xff, is replaced by a direction
295 * byte. I don't know whether any captures look like that,
296 * but it is used for some Linux IP filtering (ipfilter?).
297 */
298
299 /* Ethernet PPPoE frames captured on a service PIC */
300 { 167, WTAP_ENCAP_JUNIPER_PPPOE },
301
302 /*
303 * 168 is reserved for more Juniper private-chassis-
304 * internal meta-information.
305 */
306
307 { 169, WTAP_ENCAP_GPRS_LLC },
308
309 /* ITU-T G.7041/Y.1303 Generic Framing Procedure. */
310 { 170, WTAP_ENCAP_GFP_T },
311 { 171, WTAP_ENCAP_GFP_F },
312
313 /* Registered by Gcom, Inc. */
314 { 172, WTAP_ENCAP_GCOM_TIE1 },
315 { 173, WTAP_ENCAP_GCOM_SERIAL },
316
317 { 177, WTAP_ENCAP_LINUX_LAPD },
318
319 /* Ethernet frames prepended with meta-information */
320 { 178, WTAP_ENCAP_JUNIPER_ETHER },
321 /* PPP frames prepended with meta-information */
322 { 179, WTAP_ENCAP_JUNIPER_PPP },
323 /* Frame-Relay frames prepended with meta-information */
324 { 180, WTAP_ENCAP_JUNIPER_FRELAY },
325 /* C-HDLC frames prepended with meta-information */
326 { 181, WTAP_ENCAP_JUNIPER_CHDLC },
327 /* VOIP Frames prepended with meta-information */
328 { 183, WTAP_ENCAP_JUNIPER_VP },
329 /* Virtual Network Frames prepended with meta-information */
330 { 184, WTAP_ENCAP_JUNIPER_VN },
331 /* USB packets from FreeBSD's USB BPF tap */
332 { 186, WTAP_ENCAP_USB_FREEBSD },
333 /* Bluetooth HCI UART transport (part H:4) frames, like hcidump */
334 { 187, WTAP_ENCAP_BLUETOOTH_H4 },
335 /* IEEE 802.16 MAC Common Part Sublayer */
336 { 188, WTAP_ENCAP_IEEE802_16_MAC_CPS },
337 /* USB packets with Linux-specified header */
338 { 189, WTAP_ENCAP_USB_LINUX },
339 /* CAN 2.0b frame */
340 { 190, WTAP_ENCAP_CAN20B },
341 /* Per-Packet Information header */
342 { 192, WTAP_ENCAP_PPI },
343 /* IEEE 802.15.4 Wireless PAN */
344 { 195, WTAP_ENCAP_IEEE802_15_4 },
345 /* SITA File Encapsulation */
346 { 196, WTAP_ENCAP_SITA },
347 /* Endace Record File Encapsulation */
348 { 197, WTAP_ENCAP_ERF },
349 /* IPMB/I2C with Kontron pseudo-header */
350 { 199, WTAP_ENCAP_IPMB_KONTRON },
351 /* Juniper-private data link type, used for capturing data on a secure tunnel interface. */
352 { 200, WTAP_ENCAP_JUNIPER_ST },
353 /* Bluetooth HCI UART transport (part H:4) frames, like hcidump */
354 { 201, WTAP_ENCAP_BLUETOOTH_H4_WITH_PHDR },
355 /* AX.25 packet with a 1-byte KISS header */
356 { 202, WTAP_ENCAP_AX25_KISS },
357 /* LAPD frame */
358 { 203, WTAP_ENCAP_LAPD },
359 /* PPP with pseudoheader */
360 { 204, WTAP_ENCAP_PPP_WITH_PHDR },
361 /* I2C with a Linux-specific header (defined by Pigeon Point Systems) */
362 { 209, WTAP_ENCAP_I2C_LINUX },
363 /* FlexRay frame */
364 { 210, WTAP_ENCAP_FLEXRAY },
365 /* MOST frame */
366 { 211, WTAP_ENCAP_MOST },
367 /* LIN frame */
368 { 212, WTAP_ENCAP_LIN },
369 /* X2E Xoraya serial frame */
370 { 213, WTAP_ENCAP_X2E_SERIAL },
371 /* X2E Xoraya frame */
372 { 214, WTAP_ENCAP_X2E_XORAYA },
373 /* IEEE 802.15.4 Wireless PAN non-ASK PHY */
374 { 215, WTAP_ENCAP_IEEE802_15_4_NONASK_PHY },
375 /* USB packets with padded Linux-specified header */
376 { 220, WTAP_ENCAP_USB_LINUX_MMAPPED },
377 /* Fibre Channel FC-2 frame */
378 { 224, WTAP_ENCAP_FIBRE_CHANNEL_FC2 },
379 /* Fibre Channel FC-2 frame with Delimiter */
380 { 225, WTAP_ENCAP_FIBRE_CHANNEL_FC2_WITH_FRAME_DELIMS },
381 /* Solaris IPNET */
382 { 226, WTAP_ENCAP_IPNET },
383 /* SocketCAN frame */
384 { 227, WTAP_ENCAP_SOCKETCAN },
385 /* Raw IPv4 */
386 { 228, WTAP_ENCAP_RAW_IP4 },
387 /* Raw IPv6 */
388 { 229, WTAP_ENCAP_RAW_IP6 },
389 /* IEEE 802.15.4 Wireless PAN no fcs */
390 { 230, WTAP_ENCAP_IEEE802_15_4_NOFCS },
391 /* D-BUS */
392 { 231, WTAP_ENCAP_DBUS },
393 /* DVB-CI (Common Interface) */
394 { 235, WTAP_ENCAP_DVBCI },
395 /* MUX27010 */
396 { 236, WTAP_ENCAP_MUX27010 },
397 /* STANAG 5066 - DTS(Data Transfer Sublayer) PDU */
398 { 237, WTAP_ENCAP_STANAG_5066_D_PDU },
399 /* NFLOG */
400 { 239, WTAP_ENCAP_NFLOG },
401 /* netANALYZER pseudo-header followed by Ethernet with CRC */
402 { 240, WTAP_ENCAP_NETANALYZER },
403 /* netANALYZER pseudo-header in transparent mode */
404 { 241, WTAP_ENCAP_NETANALYZER_TRANSPARENT },
405 /* IP-over-Infiniband, as specified by RFC 4391 section 6 */
406 { 242, WTAP_ENCAP_IP_OVER_IB_PCAP },
407 /* ISO/IEC 13818-1 MPEG2-TS packets */
408 { 243, WTAP_ENCAP_MPEG_2_TS },
409 /* NFC LLCP */
410 { 245, WTAP_ENCAP_NFC_LLCP },
411 /* SCTP */
412 { 248, WTAP_ENCAP_SCTP},
413 /* USBPcap */
414 { 249, WTAP_ENCAP_USBPCAP},
415 /* RTAC SERIAL */
416 { 250, WTAP_ENCAP_RTAC_SERIAL},
417 /* Bluetooth Low Energy Link Layer */
418 { 251, WTAP_ENCAP_BLUETOOTH_LE_LL},
419 /* Wireshark Upper PDU export */
420 { 252, WTAP_ENCAP_WIRESHARK_UPPER_PDU},
421 /* Netlink Protocol (nlmon devices) */
422 { 253, WTAP_ENCAP_NETLINK },
423 /* Bluetooth Linux Monitor */
424 { 254, WTAP_ENCAP_BLUETOOTH_LINUX_MONITOR },
425 /* Bluetooth BR/EDR Baseband RF captures */
426 { 255, WTAP_ENCAP_BLUETOOTH_BREDR_BB },
427 /* Bluetooth Low Energy Link Layer RF captures */
428 { 256, WTAP_ENCAP_BLUETOOTH_LE_LL_WITH_PHDR },
429
430 /* Apple PKTAP */
431 { 258, WTAP_ENCAP_PKTAP },
432
433 /* Ethernet Passive Optical Network */
434 { 259, WTAP_ENCAP_EPON },
435
436 /* IPMI Trace Data Collection */
437 { 260, WTAP_ENCAP_IPMI_TRACE },
438
439 /* ISO 14443 contactless smartcard standards */
440 { 264, WTAP_ENCAP_ISO14443 },
441
442 /* USB packets from Darwin (macOS, iOS) BPF tap */
443 { 266, WTAP_ENCAP_USB_DARWIN },
444
445 /* IBM SDLC frames containing SNA PDUs */
446 { 268, WTAP_ENCAP_SDLC },
447
448 /* LoRaTap */
449 { 270, WTAP_ENCAP_LORATAP },
450
451 /* Linux vsock */
452 { 271, WTAP_ENCAP_VSOCK },
453
454 /* nRF Sniffer for Bluetooth LE */
455 { 272, WTAP_ENCAP_NORDIC_BLE },
456
457 /* DOCSIS31 XRA31 Sniffer */
458 { 273, WTAP_ENCAP_DOCSIS31_XRA31 },
459
460 /* mPackets as specified by 802.3br */
461 { 274, WTAP_ENCAP_ETHERNET_MPACKET },
462
463 /* DisplayPort AUX channel monitor */
464 { 275, WTAP_ENCAP_DPAUXMON },
465
466 /* Linux cooked capture v2 */
467 { 276, WTAP_ENCAP_SLL2 },
468
469 /* Elektrobit High Speed Capture and Replay */
470 { 279, WTAP_ENCAP_EBHSCR },
471
472 /* VPP dispatch trace */
473 { 280, WTAP_ENCAP_VPP },
474
475 /* IEEE 802.15.4 TAP */
476 { 283, WTAP_ENCAP_IEEE802_15_4_TAP },
477
478 /* Z-Wave Serial API */
479 { 287, WTAP_ENCAP_ZWAVE_SERIAL },
480
481 /* USB 2.0/1.1/1.0 packets as transmitted over the cable */
482 { 288, WTAP_ENCAP_USB_2_0 },
483
484 /* ATSC Link-Layer Protocol (A/330) packets */
485 { 289, WTAP_ENCAP_ATSC_ALP },
486
487 /* Event Tracing for Windows records */
488 { 290, WTAP_ENCAP_ETW },
489
490 /* Serial NCP (Network Co-Processor) protocol for Zigbee stack ZBOSS */
491 { 292, WTAP_ENCAP_ZBNCP },
492
493 /* USB 2.0/1.1/1.0 packets captured on Low/Full/High speed link */
494 { 293, WTAP_ENCAP_USB_2_0_LOW_SPEED },
495 { 294, WTAP_ENCAP_USB_2_0_FULL_SPEED },
496 { 295, WTAP_ENCAP_USB_2_0_HIGH_SPEED },
497
498 /* Auerswald log file captured from any supported Auerswald device */
499 { 296, WTAP_ENCAP_AUERSWALD_LOG },
500
501 /* Silicon Labs debug channel */
502 { 298, WTAP_ENCAP_SILABS_DEBUG_CHANNEL },
503
504 /* Ultra-wideband (UWB) controller interface protocol (UCI) */
505 { 299, WTAP_ENCAP_FIRA_UCI },
506
507 /* MDB (Multi-Drop Bus) */
508 { 300, WTAP_ENCAP_MDB },
509
510 /* DECT_NR (DECT-2020 New Radio (NR) MAC layer) */
511 { 301, WTAP_ENCAP_DECT_NR },
512
513 /*
514 * To repeat:
515 *
516 * If you need a new encapsulation type for pcap and pcapng files,
517 * do *N*O*T* use *ANY* of the values listed here! I.e., do *NOT*
518 * add a new encapsulation type by changing an existing entry;
519 * leave the existing entries alone.
520 *
521 * Instead, send mail to tcpdump-workers@lists.tcpdump.org, asking
522 * for a new DLT_ value, and specifying the purpose of the new value.
523 * When you get the new DLT_ value, use that numerical value in
524 * the "linktype_value" field of "pcap_to_wtap_map[]".
525 */
526
527 /*
528 * The following are entries for libpcap type values that have
529 * different meanings on different OSes. I.e., these are DLT_
530 * values that are different on different OSes, and that have
531 * a separate LINKTYPE_ value assigned to them.
532 *
533 * We put these *after* the entries for the LINKTYPE_ values for
534 * those Wiretap encapsulation types, so that, when writing a
535 * pcap or pcapng file, Wireshark writes the LINKTYPE_ value,
536 * not the OS's DLT_ value, as the file's link-layer header type
537 * for pcap or the interface's link-layer header type.
538 */
539
540 /*
541 * 11 is DLT_ATM_RFC1483 on most platforms; the only version of
542 * libpcap I've seen that define anything other than DLT_ATM_RFC1483
543 * as 11 is the BSD/OS one, which defines DLT_FR as 11. We handle
544 * it as Frame Relay on BSD/OS and LLC-encapsulated ATM on all other
545 * platforms.
546 */
547 #if defined(__bsdi__) /* BSD/OS */
548 { 11, WTAP_ENCAP_FRELAY },
549 #else
550 { 11, WTAP_ENCAP_ATM_RFC1483 },
551 #endif
552
553 /*
554 * 12 is DLT_RAW on most platforms, but it's DLT_C_HDLC on
555 * BSD/OS, and DLT_LOOP on OpenBSD.
556 *
557 * We don't yet handle DLT_C_HDLC, but we can handle DLT_LOOP
558 * (it's just like DLT_NULL, only with the AF_ value in network
559 * rather than host byte order - Wireshark figures out the
560 * byte order from the data, so we don't care what byte order
561 * it's in), so, on OpenBSD, interpret 12 as WTAP_ENCAP_LOOP,
562 * otherwise, if we're not on BSD/OS, interpret it as
563 * WTAP_ENCAP_RAW_IP.
564 */
565 #if defined(__OpenBSD__)
566 { 12, WTAP_ENCAP_LOOP },
567 #elif defined(__bsdi__) /* BSD/OS */
568 /*
569 * Put entry for Cisco HDLC here.
570 * XXX - is this just WTAP_ENCAP_CHDLC, i.e. does the frame
571 * start with a 4-byte Cisco HDLC header?
572 */
573 #else
574 { 12, WTAP_ENCAP_RAW_IP },
575 #endif
576
577 /*
578 * 13 is DLT_SLIP_BSDOS on FreeBSD and NetBSD, but those OSes
579 * don't actually generate it. I infer that BSD/OS translates
580 * DLT_SLIP from the kernel BPF code to DLT_SLIP_BSDOS in
581 * libpcap, as the BSD/OS link-layer header is different;
582 * however, in BSD/OS, DLT_SLIP_BSDOS is 15.
583 *
584 * From this, I infer that there's no point in handling 13
585 * as DLT_SLIP_BSDOS.
586 *
587 * 13 is DLT_ATM_RFC1483 on BSD/OS.
588 *
589 * 13 is DLT_ENC in OpenBSD, which is, I suspect, some kind
590 * of decrypted IPsec traffic.
591 *
592 * We treat 13 as WTAP_ENCAP_ENC on all systems except those
593 * that define DLT_ATM_RFC1483 as 13 - presumably only
594 * BSD/OS does so - so that, on BSD/OS systems, we still
595 * treat 13 as WTAP_ENCAP_ATM_RFC1483, but, on all other
596 * systems, we can read OpenBSD DLT_ENC captures.
597 */
598 #if defined(__bsdi__) /* BSD/OS */
599 { 13, WTAP_ENCAP_ATM_RFC1483 },
600 #else
601 { 13, WTAP_ENCAP_ENC },
602 #endif
603
604 /*
605 * 14 is DLT_PPP_BSDOS on FreeBSD and NetBSD, but those OSes
606 * don't actually generate it. I infer that BSD/OS translates
607 * DLT_PPP from the kernel BPF code to DLT_PPP_BSDOS in
608 * libpcap, as the BSD/OS link-layer header is different;
609 * however, in BSD/OS, DLT_PPP_BSDOS is 16.
610 *
611 * From this, I infer that there's no point in handling 14
612 * as DLT_PPP_BSDOS.
613 *
614 * 14 is DLT_RAW on BSD/OS and OpenBSD.
615 */
616 { 14, WTAP_ENCAP_RAW_IP },
617
618 /*
619 * 15 is:
620 *
621 * DLT_SLIP_BSDOS on BSD/OS;
622 *
623 * DLT_HIPPI on NetBSD;
624 *
625 * DLT_LANE8023 with Alexey Kuznetzov's patches for
626 * Linux libpcap;
627 *
628 * DLT_I4L_RAWIP with the ISDN4Linux patches for libpcap
629 * (and on SuSE 6.3);
630 *
631 * but we don't currently handle any of those.
632 */
633
634 /*
635 * 16 is:
636 *
637 * DLT_PPP_BSDOS on BSD/OS;
638 *
639 * DLT_HDLC on NetBSD (Cisco HDLC);
640 *
641 * DLT_CIP with Alexey Kuznetzov's patches for
642 * Linux libpcap - this is WTAP_ENCAP_LINUX_ATM_CLIP;
643 *
644 * DLT_I4L_IP with the ISDN4Linux patches for libpcap
645 * (and on SuSE 6.3).
646 */
647 #if defined(__NetBSD__)
648 { 16, WTAP_ENCAP_CHDLC },
649 #elif !defined(__bsdi__)
650 /*
651 * If you care about the two different Linux interpretations
652 * of 16, fix it yourself.
653 */
654 { 16, WTAP_ENCAP_LINUX_ATM_CLIP },
655 #endif
656
657 /*
658 * 17 is DLT_LANE8023 in SuSE 6.3 libpcap; we don't currently
659 * handle it.
660 * It is also used as the PF (Packet Filter) logging format beginning
661 * with OpenBSD 3.0; we use 17 for PF logs on OpenBSD and don't
662 * use it otherwise.
663 */
664 #if defined(__OpenBSD__)
665 { 17, WTAP_ENCAP_OLD_PFLOG },
666 #endif
667
668 /*
669 * 18 is DLT_CIP in SuSE 6.3 libpcap; if it's the same as the
670 * DLT_CIP of 16 that the Alexey Kuznetzov patches for
671 * libpcap/tcpdump define, it's WTAP_ENCAP_LINUX_ATM_CLIP.
672 * I've not found any version of libpcap that uses it for any
673 * other purpose - hopefully nobody will do so in the future.
674 */
675 { 18, WTAP_ENCAP_LINUX_ATM_CLIP },
676
677 /*
678 * 19 is DLT_ATM_CLIP in the libpcap/tcpdump patches in the
679 * recent versions I've seen of the Linux ATM distribution;
680 * I've not yet found any version of libpcap file that uses it
681 * for any other purpose - hopefully nobody will do so in
682 * the future.
683 */
684 { 19, WTAP_ENCAP_LINUX_ATM_CLIP },
685
686 /*
687 * To repeat:
688 *
689 * If you need a new encapsulation type for pcap and pcapng files,
690 * do *N*O*T* use *ANY* of the values listed here! I.e., do *NOT*
691 * add a new encapsulation type by changing an existing entry;
692 * leave the existing entries alone.
693 *
694 * Instead, send mail to tcpdump-workers@lists.tcpdump.org, asking
695 * for a new DLT_ value, and specifying the purpose of the new value.
696 * When you get the new DLT_ value, use that numerical value in
697 * the "linktype_value" field of "pcap_to_wtap_map[]".
698 */
699 };
700 #define NUM_PCAP_ENCAPS array_length(pcap_to_wtap_map)
701
702 int
703 wtap_pcap_encap_to_wtap_encap(int encap)
704 {
705 unsigned int i;
706
707 for (i = 0; i < NUM_PCAP_ENCAPS; i++) {
708 if (pcap_to_wtap_map[i].linktype_value == encap)
709 return pcap_to_wtap_map[i].wtap_encap_value;
710 }
711 return WTAP_ENCAP_UNKNOWN;
712 }
713
714 int
715 wtap_wtap_encap_to_pcap_encap(int encap)
716 {
717 unsigned int i;
718
719 switch (encap) {
720
721 case WTAP_ENCAP_FDDI:
722 case WTAP_ENCAP_FDDI_BITSWAPPED:
723 /*
724 * Special-case WTAP_ENCAP_FDDI and
725 * WTAP_ENCAP_FDDI_BITSWAPPED; both of them get mapped
726 * to DLT_FDDI (even though that may mean that the bit
727 * order in the FDDI MAC addresses is wrong; so it goes
728 * - libpcap format doesn't record the byte order,
729 * so that's not fixable).
730 *
731 * The pcap_to_wtap_map[] table will only have an
732 * entry for one of the above, which is why we have
733 * to special-case them.
734 */
735 return 10; /* that's DLT_FDDI */
736
737 case WTAP_ENCAP_NETTL_FDDI:
738 /*
739 * This will discard the nettl information, as that's
740 * in the pseudo-header.
741 *
742 * XXX - what about Ethernet and Token Ring?
743 */
744 return 10; /* that's DLT_FDDI */
745
746 case WTAP_ENCAP_FRELAY_WITH_PHDR:
747 /*
748 * This will discard the pseudo-header information.
749 */
750 return 107;
751
752 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
753 /*
754 * Map this to DLT_IEEE802_11, for now, even though
755 * that means the radio information will be lost.
756 * We should try to map those values to radiotap
757 * values and write this out as a radiotap file,
758 * if possible.
759 */
760 return 105;
761 }
762
763 for (i = 0; i < NUM_PCAP_ENCAPS; i++) {
764 if (pcap_to_wtap_map[i].wtap_encap_value == encap)
765 return pcap_to_wtap_map[i].linktype_value;
766 }
767 return -1;
768 }
769
770 /*
771 * For most encapsulations, we use WTAP_MAX_PACKET_SIZE_STANDARD, as
772 * that should be enough for most link-layer types, and shouldn't be
773 * too big.
774 *
775 * For some link-layer types, we use larger types, because, for each
776 * of them, the maximum packet size is larger than the standard
777 * maximum, and is bigger than we'd want for all link-layer types - files
778 * with that snapshot length might cause some programs reading them to
779 * allocate a huge and wasteful buffer and, at least on 32-bit platforms,
780 * run the risk of running out of memory.
781 */
782 unsigned
783 wtap_max_snaplen_for_encap(int wtap_encap)
784 {
785 switch (wtap_encap) {
786
787 case WTAP_ENCAP_DBUS:
788 return WTAP_MAX_PACKET_SIZE_DBUS;
789
790 case WTAP_ENCAP_EBHSCR:
791 return WTAP_MAX_PACKET_SIZE_EBHSCR;
792
793 case WTAP_ENCAP_USBPCAP:
794 case WTAP_ENCAP_USB_LINUX:
795 case WTAP_ENCAP_USB_LINUX_MMAPPED:
796 case WTAP_ENCAP_USB_DARWIN:
797 case WTAP_ENCAP_USB_FREEBSD:
798 return WTAP_MAX_PACKET_SIZE_USBPCAP;
799
800 default:
801 return WTAP_MAX_PACKET_SIZE_STANDARD;
802 }
803 }
804
805 /*
806 * Various pseudo-headers that appear at the beginning of packet data.
807 *
808 * We represent them as sets of offsets, as they might not be aligned on
809 * an appropriate structure boundary in the buffer, and as that makes them
810 * independent of the way the compiler might align fields.
811 */
812
813 /*
814 * The link-layer header on Nokia IPSO ATM packets.
815 */
816 #define NOKIAATM_FLAGS 0 /* destination - 1 byte */
817 #define NOKIAATM_VPI 1 /* VPI - 1 byte */
818 #define NOKIAATM_VCI 2 /* VCI - 2 bytes */
819 #define NOKIAATM_LEN 4 /* length of the header */
820
821 static int
822 pcap_read_nokiaatm_pseudoheader(FILE_T fh,
823 union wtap_pseudo_header *pseudo_header, unsigned packet_size,
824 int *err, char **err_info)
825 {
826 uint8_t atm_phdr[NOKIAATM_LEN];
827 uint8_t vpi;
828 uint16_t vci;
829
830 if (packet_size < NOKIAATM_LEN) {
831 /*
832 * Uh-oh, the packet isn't big enough to even
833 * have a pseudo-header.
834 */
835 *err = WTAP_ERR_BAD_FILE;
836 *err_info = ws_strdup_printf("pcap/pcapng: Nokia IPSO ATM file has a %u-byte packet, too small to have even an ATM pseudo-header",
837 packet_size);
838 return -1;
839 }
840 if (!wtap_read_bytes(fh, atm_phdr, NOKIAATM_LEN, err, err_info))
841 return -1;
842
843 vpi = atm_phdr[NOKIAATM_VPI];
844 vci = pntoh16(&atm_phdr[NOKIAATM_VCI]);
845
846 pseudo_header->atm.vpi = vpi;
847 pseudo_header->atm.vci = vci;
848 pseudo_header->atm.channel = (atm_phdr[NOKIAATM_FLAGS] & 0x80) ? 0 : 1;
849
850 /* We don't have this information */
851 pseudo_header->atm.flags = 0;
852 pseudo_header->atm.cells = 0;
853 pseudo_header->atm.aal5t_u2u = 0;
854 pseudo_header->atm.aal5t_len = 0;
855 pseudo_header->atm.aal5t_chksum = 0;
856
857 return NOKIAATM_LEN;
858 }
859
860 /*
861 * The link-layer header on SunATM packets.
862 */
863 #define SUNATM_FLAGS 0 /* destination and traffic type - 1 byte */
864 #define SUNATM_VPI 1 /* VPI - 1 byte */
865 #define SUNATM_VCI 2 /* VCI - 2 bytes */
866 #define SUNATM_LEN 4 /* length of the header */
867
868 static int
869 pcap_read_sunatm_pseudoheader(FILE_T fh,
870 union wtap_pseudo_header *pseudo_header, unsigned packet_size,
871 int *err, char **err_info)
872 {
873 uint8_t atm_phdr[SUNATM_LEN];
874 uint8_t vpi;
875 uint16_t vci;
876
877 if (packet_size < SUNATM_LEN) {
878 /*
879 * Uh-oh, the packet isn't big enough to even
880 * have a pseudo-header.
881 */
882 *err = WTAP_ERR_BAD_FILE;
883 *err_info = ws_strdup_printf("pcap/pcapng: SunATM file has a %u-byte packet, too small to have even an ATM pseudo-header",
884 packet_size);
885 return -1;
886 }
887 if (!wtap_read_bytes(fh, atm_phdr, SUNATM_LEN, err, err_info))
888 return -1;
889
890 vpi = atm_phdr[SUNATM_VPI];
891 vci = pntoh16(&atm_phdr[SUNATM_VCI]);
892
893 switch (atm_phdr[SUNATM_FLAGS] & 0x0F) {
894
895 case 0x01: /* LANE */
896 pseudo_header->atm.aal = AAL_5;
897 pseudo_header->atm.type = TRAF_LANE;
898 break;
899
900 case 0x02: /* RFC 1483 LLC multiplexed traffic */
901 pseudo_header->atm.aal = AAL_5;
902 pseudo_header->atm.type = TRAF_LLCMX;
903 break;
904
905 case 0x05: /* ILMI */
906 pseudo_header->atm.aal = AAL_5;
907 pseudo_header->atm.type = TRAF_ILMI;
908 break;
909
910 case 0x06: /* Q.2931 */
911 pseudo_header->atm.aal = AAL_SIGNALLING;
912 pseudo_header->atm.type = TRAF_UNKNOWN;
913 break;
914
915 case 0x03: /* MARS (RFC 2022) */
916 pseudo_header->atm.aal = AAL_5;
917 pseudo_header->atm.type = TRAF_UNKNOWN;
918 break;
919
920 case 0x04: /* IFMP (Ipsilon Flow Management Protocol; see RFC 1954) */
921 pseudo_header->atm.aal = AAL_5;
922 pseudo_header->atm.type = TRAF_UNKNOWN; /* XXX - TRAF_IPSILON? */
923 break;
924
925 default:
926 /*
927 * Assume it's AAL5, unless it's VPI 0 and VCI 5, in which
928 * case assume it's AAL_SIGNALLING; we know nothing more
929 * about it.
930 *
931 * XXX - is this necessary? Or are we guaranteed that
932 * all signalling traffic has a type of 0x06?
933 *
934 * XXX - is this guaranteed to be AAL5? Or, if the type is
935 * 0x00 ("raw"), might it be non-AAL5 traffic?
936 */
937 if (vpi == 0 && vci == 5)
938 pseudo_header->atm.aal = AAL_SIGNALLING;
939 else
940 pseudo_header->atm.aal = AAL_5;
941 pseudo_header->atm.type = TRAF_UNKNOWN;
942 break;
943 }
944 pseudo_header->atm.subtype = TRAF_ST_UNKNOWN;
945
946 pseudo_header->atm.vpi = vpi;
947 pseudo_header->atm.vci = vci;
948 pseudo_header->atm.channel = (atm_phdr[SUNATM_FLAGS] & 0x80) ? 0 : 1;
949
950 /* We don't have this information */
951 pseudo_header->atm.flags = 0;
952 pseudo_header->atm.cells = 0;
953 pseudo_header->atm.aal5t_u2u = 0;
954 pseudo_header->atm.aal5t_len = 0;
955 pseudo_header->atm.aal5t_chksum = 0;
956
957 return SUNATM_LEN;
958 }
959
960 static bool
961 pcap_write_sunatm_pseudoheader(wtap_dumper *wdh,
962 const union wtap_pseudo_header *pseudo_header, int *err)
963 {
964 uint8_t atm_hdr[SUNATM_LEN];
965
966 /*
967 * Write the ATM header.
968 */
969 atm_hdr[SUNATM_FLAGS] =
970 (pseudo_header->atm.channel == 0) ? 0x80 : 0x00;
971 switch (pseudo_header->atm.aal) {
972
973 case AAL_SIGNALLING:
974 /* Q.2931 */
975 atm_hdr[SUNATM_FLAGS] |= 0x06;
976 break;
977
978 case AAL_5:
979 switch (pseudo_header->atm.type) {
980
981 case TRAF_LANE:
982 /* LANE */
983 atm_hdr[SUNATM_FLAGS] |= 0x01;
984 break;
985
986 case TRAF_LLCMX:
987 /* RFC 1483 LLC multiplexed traffic */
988 atm_hdr[SUNATM_FLAGS] |= 0x02;
989 break;
990
991 case TRAF_ILMI:
992 /* ILMI */
993 atm_hdr[SUNATM_FLAGS] |= 0x05;
994 break;
995 }
996 break;
997 }
998 atm_hdr[SUNATM_VPI] = (uint8_t)pseudo_header->atm.vpi;
999 phtons(&atm_hdr[SUNATM_VCI], pseudo_header->atm.vci);
1000 if (!wtap_dump_file_write(wdh, atm_hdr, sizeof(atm_hdr), err))
1001 return false;
1002 return true;
1003 }
1004
1005 /*
1006 * The fake link-layer header of IrDA packets as introduced by Jean Tourrilhes
1007 * to libpcap.
1008 */
1009 #define IRDA_SLL_PKTTYPE_OFFSET 0 /* packet type - 2 bytes */
1010 /* 12 unused bytes */
1011 #define IRDA_SLL_PROTOCOL_OFFSET 14 /* protocol, should be ETH_P_LAPD - 2 bytes */
1012 #define IRDA_SLL_LEN 16 /* length of the header */
1013
1014 static int
1015 pcap_read_irda_pseudoheader(FILE_T fh, union wtap_pseudo_header *pseudo_header,
1016 unsigned packet_size, int *err, char **err_info)
1017 {
1018 uint8_t irda_phdr[IRDA_SLL_LEN];
1019
1020 if (packet_size < IRDA_SLL_LEN) {
1021 /*
1022 * Uh-oh, the packet isn't big enough to even
1023 * have a pseudo-header.
1024 */
1025 *err = WTAP_ERR_BAD_FILE;
1026 *err_info = ws_strdup_printf("pcap/pcapng: IrDA file has a %u-byte packet, too small to have even an IrDA pseudo-header",
1027 packet_size);
1028 return -1;
1029 }
1030 if (!wtap_read_bytes(fh, irda_phdr, IRDA_SLL_LEN, err, err_info))
1031 return -1;
1032
1033 if (pntoh16(&irda_phdr[IRDA_SLL_PROTOCOL_OFFSET]) != 0x0017) {
1034 *err = WTAP_ERR_BAD_FILE;
1035 if (err_info != NULL)
1036 *err_info = g_strdup("pcap/pcapng: IrDA capture has a packet with an invalid sll_protocol field");
1037 return -1;
1038 }
1039
1040 pseudo_header->irda.pkttype = pntoh16(&irda_phdr[IRDA_SLL_PKTTYPE_OFFSET]);
1041
1042 return IRDA_SLL_LEN;
1043 }
1044
1045 static bool
1046 pcap_write_irda_pseudoheader(wtap_dumper *wdh,
1047 const union wtap_pseudo_header *pseudo_header, int *err)
1048 {
1049 uint8_t irda_hdr[IRDA_SLL_LEN];
1050
1051 /*
1052 * Write the IrDA header.
1053 */
1054 memset(irda_hdr, 0, sizeof(irda_hdr));
1055 phtons(&irda_hdr[IRDA_SLL_PKTTYPE_OFFSET], pseudo_header->irda.pkttype);
1056 phtons(&irda_hdr[IRDA_SLL_PROTOCOL_OFFSET], 0x0017);
1057 if (!wtap_dump_file_write(wdh, irda_hdr, sizeof(irda_hdr), err))
1058 return false;
1059 return true;
1060 }
1061
1062 /*
1063 * A header containing additional MTP information.
1064 */
1065 #define MTP2_SENT_OFFSET 0 /* 1 byte */
1066 #define MTP2_ANNEX_A_USED_OFFSET 1 /* 1 byte */
1067 #define MTP2_LINK_NUMBER_OFFSET 2 /* 2 bytes */
1068 #define MTP2_HDR_LEN 4 /* length of the header */
1069
1070 static int
1071 pcap_read_mtp2_pseudoheader(FILE_T fh, union wtap_pseudo_header *pseudo_header,
1072 unsigned packet_size, int *err, char **err_info)
1073 {
1074 uint8_t mtp2_hdr[MTP2_HDR_LEN];
1075
1076 if (packet_size < MTP2_HDR_LEN) {
1077 /*
1078 * Uh-oh, the packet isn't big enough to even
1079 * have a pseudo-header.
1080 */
1081 *err = WTAP_ERR_BAD_FILE;
1082 *err_info = ws_strdup_printf("pcap/pcapng: MTP2 file has a %u-byte packet, too small to have even an MTP2 pseudo-header",
1083 packet_size);
1084 return -1;
1085 }
1086 if (!wtap_read_bytes(fh, mtp2_hdr, MTP2_HDR_LEN, err, err_info))
1087 return -1;
1088
1089 pseudo_header->mtp2.sent = mtp2_hdr[MTP2_SENT_OFFSET];
1090 pseudo_header->mtp2.annex_a_used = mtp2_hdr[MTP2_ANNEX_A_USED_OFFSET];
1091 pseudo_header->mtp2.link_number = pntoh16(&mtp2_hdr[MTP2_LINK_NUMBER_OFFSET]);
1092
1093 return MTP2_HDR_LEN;
1094 }
1095
1096 static bool
1097 pcap_write_mtp2_pseudoheader(wtap_dumper *wdh,
1098 const union wtap_pseudo_header *pseudo_header, int *err)
1099 {
1100 uint8_t mtp2_hdr[MTP2_HDR_LEN];
1101
1102 /*
1103 * Write the MTP2 header.
1104 */
1105 memset(&mtp2_hdr, 0, sizeof(mtp2_hdr));
1106 mtp2_hdr[MTP2_SENT_OFFSET] = pseudo_header->mtp2.sent;
1107 mtp2_hdr[MTP2_ANNEX_A_USED_OFFSET] = pseudo_header->mtp2.annex_a_used;
1108 phtons(&mtp2_hdr[MTP2_LINK_NUMBER_OFFSET],
1109 pseudo_header->mtp2.link_number);
1110 if (!wtap_dump_file_write(wdh, mtp2_hdr, sizeof(mtp2_hdr), err))
1111 return false;
1112 return true;
1113 }
1114
1115 /*
1116 * The fake link-layer header of LAPD packets.
1117 */
1118 #ifndef ETH_P_LAPD
1119 #define ETH_P_LAPD 0x0030
1120 #endif
1121
1122 #define LAPD_SLL_PKTTYPE_OFFSET 0 /* packet type - 2 bytes */
1123 #define LAPD_SLL_HATYPE_OFFSET 2 /* hardware address type - 2 bytes */
1124 #define LAPD_SLL_HALEN_OFFSET 4 /* hardware address length - 2 bytes */
1125 #define LAPD_SLL_ADDR_OFFSET 6 /* address - 8 bytes */
1126 #define LAPD_SLL_PROTOCOL_OFFSET 14 /* protocol, should be ETH_P_LAPD - 2 bytes */
1127 #define LAPD_SLL_LEN 16 /* length of the header */
1128
1129 static int
1130 pcap_read_lapd_pseudoheader(FILE_T fh, union wtap_pseudo_header *pseudo_header,
1131 unsigned packet_size, int *err, char **err_info)
1132 {
1133 uint8_t lapd_phdr[LAPD_SLL_LEN];
1134
1135 if (packet_size < LAPD_SLL_LEN) {
1136 /*
1137 * Uh-oh, the packet isn't big enough to even
1138 * have a pseudo-header.
1139 */
1140 *err = WTAP_ERR_BAD_FILE;
1141 *err_info = ws_strdup_printf("pcap/pcapng: LAPD file has a %u-byte packet, too small to have even a LAPD pseudo-header",
1142 packet_size);
1143 return -1;
1144 }
1145 if (!wtap_read_bytes(fh, lapd_phdr, LAPD_SLL_LEN, err, err_info))
1146 return -1;
1147
1148 if (pntoh16(&lapd_phdr[LAPD_SLL_PROTOCOL_OFFSET]) != ETH_P_LAPD) {
1149 *err = WTAP_ERR_BAD_FILE;
1150 if (err_info != NULL)
1151 *err_info = g_strdup("pcap/pcapng: LAPD capture has a packet with an invalid sll_protocol field");
1152 return -1;
1153 }
1154
1155 pseudo_header->lapd.pkttype = pntoh16(&lapd_phdr[LAPD_SLL_PKTTYPE_OFFSET]);
1156 pseudo_header->lapd.we_network = !!lapd_phdr[LAPD_SLL_ADDR_OFFSET+0];
1157
1158 return LAPD_SLL_LEN;
1159 }
1160
1161 static bool
1162 pcap_write_lapd_pseudoheader(wtap_dumper *wdh,
1163 const union wtap_pseudo_header *pseudo_header, int *err)
1164 {
1165 uint8_t lapd_hdr[LAPD_SLL_LEN];
1166
1167 /*
1168 * Write the LAPD header.
1169 */
1170 memset(&lapd_hdr, 0, sizeof(lapd_hdr));
1171 phtons(&lapd_hdr[LAPD_SLL_PKTTYPE_OFFSET], pseudo_header->lapd.pkttype);
1172 phtons(&lapd_hdr[LAPD_SLL_PROTOCOL_OFFSET], ETH_P_LAPD);
1173 lapd_hdr[LAPD_SLL_ADDR_OFFSET + 0] =
1174 pseudo_header->lapd.we_network?0x01:0x00;
1175 if (!wtap_dump_file_write(wdh, lapd_hdr, sizeof(lapd_hdr), err))
1176 return false;
1177 return true;
1178 }
1179
1180 /*
1181 * A header containing additional SITA WAN information.
1182 */
1183 #define SITA_FLAGS_OFFSET 0 /* 1 byte */
1184 #define SITA_SIGNALS_OFFSET 1 /* 1 byte */
1185 #define SITA_ERRORS1_OFFSET 2 /* 1 byte */
1186 #define SITA_ERRORS2_OFFSET 3 /* 1 byte */
1187 #define SITA_PROTO_OFFSET 4 /* 1 byte */
1188 #define SITA_HDR_LEN 5 /* length of the header */
1189
1190 static int
1191 pcap_read_sita_pseudoheader(FILE_T fh, union wtap_pseudo_header *pseudo_header,
1192 unsigned packet_size, int *err, char **err_info)
1193 {
1194 uint8_t sita_phdr[SITA_HDR_LEN];
1195
1196 if (packet_size < SITA_HDR_LEN) {
1197 /*
1198 * Uh-oh, the packet isn't big enough to even
1199 * have a pseudo-header.
1200 */
1201 *err = WTAP_ERR_BAD_FILE;
1202 *err_info = ws_strdup_printf("pcap/pcapng: SITA file has a %u-byte packet, too small to have even a SITA pseudo-header",
1203 packet_size);
1204 return -1;
1205 }
1206 if (!wtap_read_bytes(fh, sita_phdr, SITA_HDR_LEN, err, err_info))
1207 return -1;
1208
1209 pseudo_header->sita.sita_flags = sita_phdr[SITA_FLAGS_OFFSET];
1210 pseudo_header->sita.sita_signals = sita_phdr[SITA_SIGNALS_OFFSET];
1211 pseudo_header->sita.sita_errors1 = sita_phdr[SITA_ERRORS1_OFFSET];
1212 pseudo_header->sita.sita_errors2 = sita_phdr[SITA_ERRORS2_OFFSET];
1213 pseudo_header->sita.sita_proto = sita_phdr[SITA_PROTO_OFFSET];
1214
1215 return SITA_HDR_LEN;
1216 }
1217
1218 static bool
1219 pcap_write_sita_pseudoheader(wtap_dumper *wdh,
1220 const union wtap_pseudo_header *pseudo_header, int *err)
1221 {
1222 uint8_t sita_hdr[SITA_HDR_LEN];
1223
1224 /*
1225 * Write the SITA header.
1226 */
1227 memset(&sita_hdr, 0, sizeof(sita_hdr));
1228 sita_hdr[SITA_FLAGS_OFFSET] = pseudo_header->sita.sita_flags;
1229 sita_hdr[SITA_SIGNALS_OFFSET] = pseudo_header->sita.sita_signals;
1230 sita_hdr[SITA_ERRORS1_OFFSET] = pseudo_header->sita.sita_errors1;
1231 sita_hdr[SITA_ERRORS2_OFFSET] = pseudo_header->sita.sita_errors2;
1232 sita_hdr[SITA_PROTO_OFFSET] = pseudo_header->sita.sita_proto;
1233 if (!wtap_dump_file_write(wdh, sita_hdr, sizeof(sita_hdr), err))
1234 return false;
1235 return true;
1236 }
1237
1238 /*
1239 * Pseudo-header at the beginning of DLT_BLUETOOTH_HCI_H4_WITH_PHDR frames.
1240 * Values in network byte order.
1241 */
1242 struct pcap_bt_phdr {
1243 uint32_t direction; /* Bit 0 hold the frame direction. */
1244 };
1245
1246 #define LIBPCAP_BT_PHDR_SENT 0
1247 #define LIBPCAP_BT_PHDR_RECV 1
1248
1249 static int
1250 pcap_read_bt_pseudoheader(FILE_T fh, union wtap_pseudo_header *pseudo_header,
1251 unsigned packet_size, int *err, char **err_info)
1252 {
1253 struct pcap_bt_phdr phdr;
1254
1255 if (packet_size < sizeof (struct pcap_bt_phdr)) {
1256 /*
1257 * Uh-oh, the packet isn't big enough to even
1258 * have a pseudo-header.
1259 */
1260 *err = WTAP_ERR_BAD_FILE;
1261 *err_info = ws_strdup_printf("pcap/pcapng: Bluetooth file has a %u-byte packet, too small to have even a pseudo-header",
1262 packet_size);
1263 return -1;
1264 }
1265 if (!wtap_read_bytes(fh, &phdr, sizeof (struct pcap_bt_phdr),
1266 err, err_info))
1267 return -1;
1268 pseudo_header->p2p.sent = ((g_ntohl(phdr.direction) & LIBPCAP_BT_PHDR_RECV) == 0)? true: false;
1269 return (int)sizeof (struct pcap_bt_phdr);
1270 }
1271
1272 static bool
1273 pcap_write_bt_pseudoheader(wtap_dumper *wdh,
1274 const union wtap_pseudo_header *pseudo_header, int *err)
1275 {
1276 uint32_t direction;
1277 struct pcap_bt_phdr bt_hdr;
1278
1279 direction = pseudo_header->p2p.sent ? LIBPCAP_BT_PHDR_SENT : LIBPCAP_BT_PHDR_RECV;
1280 bt_hdr.direction = GUINT32_TO_BE(direction);
1281 if (!wtap_dump_file_write(wdh, &bt_hdr, sizeof bt_hdr, err))
1282 return false;
1283 return true;
1284 }
1285
1286 /*
1287 * Pseudo-header at the beginning of DLT_BLUETOOTH_LINUX_MONITOR frames.
1288 * Values in network byte order.
1289 */
1290 struct pcap_bt_monitor_phdr {
1291 uint16_t adapter_id;
1292 uint16_t opcode;
1293 };
1294
1295 static int
1296 pcap_read_bt_monitor_pseudoheader(FILE_T fh,
1297 union wtap_pseudo_header *pseudo_header, unsigned packet_size,
1298 int *err, char **err_info)
1299 {
1300 struct pcap_bt_monitor_phdr phdr;
1301
1302 if (packet_size < sizeof (struct pcap_bt_monitor_phdr)) {
1303 /*
1304 * Uh-oh, the packet isn't big enough to even
1305 * have a pseudo-header.
1306 */
1307 *err = WTAP_ERR_BAD_FILE;
1308 *err_info = ws_strdup_printf("pcap/pcapng: Bluetooth monitor file has a %u-byte packet, too small to have even a pseudo-header",
1309 packet_size);
1310 return -1;
1311 }
1312 if (!wtap_read_bytes(fh, &phdr, sizeof (struct pcap_bt_monitor_phdr),
1313 err, err_info))
1314 return -1;
1315
1316 pseudo_header->btmon.adapter_id = g_ntohs(phdr.adapter_id);
1317 pseudo_header->btmon.opcode = g_ntohs(phdr.opcode);
1318 return (int)sizeof (struct pcap_bt_monitor_phdr);
1319 }
1320
1321 static bool
1322 pcap_write_bt_monitor_pseudoheader(wtap_dumper *wdh,
1323 const union wtap_pseudo_header *pseudo_header, int *err)
1324 {
1325 struct pcap_bt_monitor_phdr bt_monitor_hdr;
1326
1327 bt_monitor_hdr.adapter_id = GUINT16_TO_BE(pseudo_header->btmon.adapter_id);
1328 bt_monitor_hdr.opcode = GUINT16_TO_BE(pseudo_header->btmon.opcode);
1329
1330 if (!wtap_dump_file_write(wdh, &bt_monitor_hdr, sizeof bt_monitor_hdr, err))
1331 return false;
1332 return true;
1333 }
1334
1335 /*
1336 * The NFC LLCP per-packet header.
1337 */
1338 #define LLCP_ADAPTER_OFFSET 0
1339 #define LLCP_FLAGS_OFFSET 1
1340 #define LLCP_HEADER_LEN 2
1341
1342 static int
1343 pcap_read_llcp_pseudoheader(FILE_T fh,
1344 union wtap_pseudo_header *pseudo_header, unsigned packet_size,
1345 int *err, char **err_info)
1346 {
1347 uint8_t phdr[LLCP_HEADER_LEN];
1348
1349 if (packet_size < LLCP_HEADER_LEN) {
1350 *err = WTAP_ERR_BAD_FILE;
1351 *err_info = ws_strdup_printf("pcap/pcapng: NFC LLCP file has a %u-byte packet, too small to have even a pseudo-header",
1352 packet_size);
1353 return -1;
1354 }
1355 if (!wtap_read_bytes(fh, phdr, LLCP_HEADER_LEN, err, err_info))
1356 return -1;
1357 pseudo_header->llcp.adapter = phdr[LLCP_ADAPTER_OFFSET];
1358 pseudo_header->llcp.flags = phdr[LLCP_FLAGS_OFFSET];
1359 return LLCP_HEADER_LEN;
1360 }
1361
1362 static bool
1363 pcap_write_llcp_pseudoheader(wtap_dumper *wdh,
1364 const union wtap_pseudo_header *pseudo_header, int *err)
1365 {
1366 uint8_t phdr[LLCP_HEADER_LEN];
1367
1368 phdr[LLCP_ADAPTER_OFFSET] = pseudo_header->llcp.adapter;
1369 phdr[LLCP_FLAGS_OFFSET] = pseudo_header->llcp.flags;
1370 if (!wtap_dump_file_write(wdh, &phdr, sizeof phdr, err))
1371 return false;
1372 return true;
1373 }
1374
1375 /*
1376 * Pseudo-header at the beginning of DLT_PPP_WITH_DIR frames.
1377 */
1378 struct pcap_ppp_phdr {
1379 uint8_t direction;
1380 };
1381
1382 /*
1383 * Pseudo-header at the beginning of DLT_PPP_WITH_DIR frames.
1384 */
1385 static int
1386 pcap_read_ppp_pseudoheader(FILE_T fh, union wtap_pseudo_header *pseudo_header,
1387 unsigned packet_size, int *err, char **err_info)
1388 {
1389 struct pcap_ppp_phdr phdr;
1390
1391 if (packet_size < sizeof (struct pcap_ppp_phdr)) {
1392 /*
1393 * Uh-oh, the packet isn't big enough to even
1394 * have a pseudo-header.
1395 */
1396 *err = WTAP_ERR_BAD_FILE;
1397 *err_info = ws_strdup_printf("pcap/pcapng: PPP file has a %u-byte packet, too small to have even a pseudo-header",
1398 packet_size);
1399 return -1;
1400 }
1401 if (!wtap_read_bytes(fh, &phdr, sizeof (struct pcap_ppp_phdr),
1402 err, err_info))
1403 return -1;
1404 /* Any non-zero value means "sent" */
1405 pseudo_header->p2p.sent = (phdr.direction != 0) ? true: false;
1406 return (int)sizeof (struct pcap_ppp_phdr);
1407 }
1408
1409 static bool
1410 pcap_write_ppp_pseudoheader(wtap_dumper *wdh,
1411 const union wtap_pseudo_header *pseudo_header, int *err)
1412 {
1413 struct pcap_ppp_phdr ppp_hdr;
1414
1415 /* Any non-zero value means "sent" */
1416 ppp_hdr.direction = (pseudo_header->p2p.sent ? 1 : 0);
1417 if (!wtap_dump_file_write(wdh, &ppp_hdr, sizeof ppp_hdr, err))
1418 return false;
1419 return true;
1420 }
1421
1422 static int
1423 pcap_read_erf_pseudoheader(FILE_T fh, wtap_rec *rec,
1424 union wtap_pseudo_header *pseudo_header, unsigned packet_size,
1425 int *err, char **err_info)
1426 {
1427 uint8_t erf_hdr[sizeof(struct erf_phdr)];
1428 uint8_t erf_subhdr[sizeof(union erf_subhdr)];
1429 int phdr_len;
1430
1431 if (packet_size < sizeof(struct erf_phdr)) {
1432 /*
1433 * Uh-oh, the packet isn't big enough to even
1434 * have a pseudo-header.
1435 */
1436 *err = WTAP_ERR_BAD_FILE;
1437 *err_info = ws_strdup_printf("pcap/pcapng: ERF file has a %u-byte packet, too small to have even an ERF pseudo-header",
1438 packet_size);
1439 return -1;
1440 }
1441 if (!wtap_read_bytes(fh, erf_hdr, sizeof(struct erf_phdr), err, err_info))
1442 return -1;
1443 phdr_len = (int)sizeof(struct erf_phdr);
1444 pseudo_header->erf.phdr.ts = pletoh64(&erf_hdr[0]); /* timestamp */
1445 pseudo_header->erf.phdr.type = erf_hdr[8];
1446 pseudo_header->erf.phdr.flags = erf_hdr[9];
1447 pseudo_header->erf.phdr.rlen = pntoh16(&erf_hdr[10]);
1448 pseudo_header->erf.phdr.lctr = pntoh16(&erf_hdr[12]);
1449 pseudo_header->erf.phdr.wlen = pntoh16(&erf_hdr[14]);
1450
1451 /* The high 32 bits of the timestamp contain the integer number of seconds
1452 * while the lower 32 bits contain the binary fraction of the second.
1453 * This allows an ultimate resolution of 1/(2^32) seconds, or approximately 233 picoseconds */
1454 if (rec) {
1455 uint64_t ts = pseudo_header->erf.phdr.ts;
1456 rec->ts.secs = (time_t) (ts >> 32);
1457 ts = ((ts & 0xffffffff) * 1000 * 1000 * 1000);
1458 ts += (ts & 0x80000000) << 1; /* rounding */
1459 rec->ts.nsecs = ((uint32_t) (ts >> 32));
1460 if (rec->ts.nsecs >= 1000000000) {
1461 rec->ts.nsecs -= 1000000000;
1462 rec->ts.secs += 1;
1463 }
1464
1465 /*
1466 * This time stamp came from the ERF header, not from the
1467 * pcap packet header or pcapng block header, so its
1468 * precision is that of ERF time stamps, not the pcap
1469 * file's time stamp or the pcapng interface's time
1470 * stamp.
1471 */
1472 rec->tsprec = WTAP_TSPREC_NSEC;
1473 }
1474
1475 /*
1476 * If the type of record given in the pseudo header indicates
1477 * the presence of an extension header, then read all the
1478 * extension headers.
1479 */
1480 if (pseudo_header->erf.phdr.type & 0x80) {
1481 int i = 0, max = array_length(pseudo_header->erf.ehdr_list);
1482 uint8_t erf_exhdr[8];
1483 uint8_t type;
1484
1485 do {
1486 if (phdr_len > INT_MAX - 8) {
1487 *err = WTAP_ERR_BAD_FILE;
1488 *err_info = ws_strdup_printf("pcap/pcapng: ERF file has a packet larger than %d bytes",
1489 INT_MAX);
1490 return -1;
1491 }
1492 if (packet_size < (unsigned)phdr_len + 8) {
1493 *err = WTAP_ERR_BAD_FILE;
1494 *err_info = ws_strdup_printf("pcap/pcapng: ERF file has a %u-byte packet, too small to include the extension headers",
1495 packet_size);
1496 return -1;
1497 }
1498 if (!wtap_read_bytes(fh, erf_exhdr, 8, err, err_info))
1499 return -1;
1500 type = erf_exhdr[0];
1501 if (i < max) {
1502 uint64_t erf_exhdr_sw;
1503
1504 erf_exhdr_sw = pntoh64(erf_exhdr);
1505 memcpy(&pseudo_header->erf.ehdr_list[i].ehdr, &erf_exhdr_sw, sizeof(erf_exhdr_sw));
1506 }
1507 phdr_len += 8;
1508 i++;
1509 } while (type & 0x80);
1510 }
1511
1512 /* check the optional subheader */
1513 switch (pseudo_header->erf.phdr.type & 0x7F) {
1514 case ERF_TYPE_MC_HDLC:
1515 case ERF_TYPE_MC_RAW:
1516 case ERF_TYPE_MC_ATM:
1517 case ERF_TYPE_MC_RAW_CHANNEL:
1518 case ERF_TYPE_MC_AAL5:
1519 case ERF_TYPE_MC_AAL2:
1520 case ERF_TYPE_COLOR_MC_HDLC_POS:
1521 /* Extract the Multi Channel header to include it in the pseudo header part */
1522 if (phdr_len > INT_MAX - (int)sizeof(erf_mc_header_t)) {
1523 *err = WTAP_ERR_BAD_FILE;
1524 *err_info = ws_strdup_printf("pcap/pcapng: ERF file has a packet larger than %d bytes",
1525 INT_MAX);
1526 return -1;
1527 }
1528 if (packet_size < (unsigned)(phdr_len + (int)sizeof(erf_mc_header_t))) {
1529 *err = WTAP_ERR_BAD_FILE;
1530 *err_info = ws_strdup_printf("pcap/pcapng: ERF file has a %u-byte packet, too small to include the Multi Channel header",
1531 packet_size);
1532 return -1;
1533 }
1534 if (!wtap_read_bytes(fh, erf_subhdr, sizeof(erf_mc_header_t), err, err_info))
1535 return -1;
1536 pseudo_header->erf.subhdr.mc_hdr = pntoh32(&erf_subhdr[0]);
1537 phdr_len += sizeof(erf_mc_header_t);
1538 break;
1539 case ERF_TYPE_AAL2:
1540 /* Extract the AAL2 header to include it in the pseudo header part */
1541 if (phdr_len > INT_MAX - (int)sizeof(erf_aal2_header_t)) {
1542 *err = WTAP_ERR_BAD_FILE;
1543 *err_info = ws_strdup_printf("pcap/pcapng: ERF file has a packet larger than %d bytes",
1544 INT_MAX);
1545 return -1;
1546 }
1547 if (packet_size < (unsigned)(phdr_len + (int)sizeof(erf_aal2_header_t))) {
1548 *err = WTAP_ERR_BAD_FILE;
1549 *err_info = ws_strdup_printf("pcap/pcapng: ERF file has a %u-byte packet, too small to include the AAL2 header",
1550 packet_size);
1551 return -1;
1552 }
1553 if (!wtap_read_bytes(fh, erf_subhdr, sizeof(erf_aal2_header_t), err, err_info))
1554 return -1;
1555 pseudo_header->erf.subhdr.aal2_hdr = pntoh32(&erf_subhdr[0]);
1556 phdr_len += sizeof(erf_aal2_header_t);
1557 break;
1558 case ERF_TYPE_ETH:
1559 case ERF_TYPE_COLOR_ETH:
1560 case ERF_TYPE_DSM_COLOR_ETH:
1561 case ERF_TYPE_COLOR_HASH_ETH:
1562 /* Extract the Ethernet additional header to include it in the pseudo header part */
1563 if (phdr_len > INT_MAX - (int)sizeof(erf_eth_header_t)) {
1564 *err = WTAP_ERR_BAD_FILE;
1565 *err_info = ws_strdup_printf("pcap/pcapng: ERF file has a packet larger than %d bytes",
1566 INT_MAX);
1567 return -1;
1568 }
1569 if (packet_size < (unsigned)(phdr_len + (int)sizeof(erf_eth_header_t))) {
1570 *err = WTAP_ERR_BAD_FILE;
1571 *err_info = ws_strdup_printf("pcap/pcapng: ERF file has a %u-byte packet, too small to include the Ethernet additional header",
1572 packet_size);
1573 return -1;
1574 }
1575 if (!wtap_read_bytes(fh, erf_subhdr, sizeof(erf_eth_header_t), err, err_info))
1576 return -1;
1577 memcpy(&pseudo_header->erf.subhdr.eth_hdr, erf_subhdr, sizeof pseudo_header->erf.subhdr.eth_hdr);
1578 phdr_len += sizeof(erf_eth_header_t);
1579 break;
1580 default:
1581 /* No optional pseudo header for this ERF type */
1582 break;
1583 }
1584 return phdr_len;
1585 }
1586
1587 static bool
1588 pcap_write_erf_pseudoheader(wtap_dumper *wdh,
1589 const union wtap_pseudo_header *pseudo_header, int *err)
1590 {
1591 uint8_t erf_hdr[sizeof(struct erf_phdr)];
1592 uint8_t erf_subhdr[sizeof(union erf_subhdr)];
1593
1594 /*
1595 * Write the ERF header.
1596 */
1597 memset(&erf_hdr, 0, sizeof(erf_hdr));
1598 phtolell(&erf_hdr[0], pseudo_header->erf.phdr.ts);
1599 erf_hdr[8] = pseudo_header->erf.phdr.type;
1600 erf_hdr[9] = pseudo_header->erf.phdr.flags;
1601
1602 /*
1603 * Recalculate rlen as padding (and maybe extension headers)
1604 * have been stripped from caplen.
1605 *
1606 * XXX: Since we don't have rec->rec_header.packet_header.caplen
1607 * here, assume caplen was calculated correctly and
1608 * recalculate from wlen.
1609 */
1610 phtons(&erf_hdr[10],
1611 MIN(pseudo_header->erf.phdr.rlen, pseudo_header->erf.phdr.wlen + pcap_get_phdr_size(WTAP_ENCAP_ERF, pseudo_header)));
1612
1613 phtons(&erf_hdr[12], pseudo_header->erf.phdr.lctr);
1614 phtons(&erf_hdr[14], pseudo_header->erf.phdr.wlen);
1615 if (!wtap_dump_file_write(wdh, erf_hdr, sizeof(struct erf_phdr), err))
1616 return false;
1617
1618 /*
1619 * Now write out the extension headers.
1620 */
1621 if (pseudo_header->erf.phdr.type & 0x80) {
1622 int i = 0, max = array_length(pseudo_header->erf.ehdr_list);
1623 uint8_t erf_exhdr[8];
1624 uint8_t type;
1625
1626 do {
1627 phtonll(erf_exhdr, pseudo_header->erf.ehdr_list[i].ehdr);
1628 type = erf_exhdr[0];
1629 /* Clear more extension headers bit if > 8 */
1630 if(i == max-1)
1631 erf_exhdr[0] = erf_exhdr[0] & 0x7F;
1632 if (!wtap_dump_file_write(wdh, erf_exhdr, 8, err))
1633 return false;
1634 i++;
1635 } while (type & 0x80 && i < max);
1636 }
1637
1638 /*
1639 * Now write out the subheader, if any
1640 */
1641 switch (pseudo_header->erf.phdr.type & 0x7F) {
1642 case ERF_TYPE_MC_HDLC:
1643 case ERF_TYPE_MC_RAW:
1644 case ERF_TYPE_MC_ATM:
1645 case ERF_TYPE_MC_RAW_CHANNEL:
1646 case ERF_TYPE_MC_AAL5:
1647 case ERF_TYPE_MC_AAL2:
1648 case ERF_TYPE_COLOR_MC_HDLC_POS:
1649 phtonl(&erf_subhdr[0], pseudo_header->erf.subhdr.mc_hdr);
1650 if (!wtap_dump_file_write(wdh, erf_subhdr,
1651 sizeof(struct erf_mc_hdr), err))
1652 return false;
1653 break;
1654 case ERF_TYPE_AAL2:
1655 phtonl(&erf_subhdr[0], pseudo_header->erf.subhdr.aal2_hdr);
1656 if (!wtap_dump_file_write(wdh, erf_subhdr,
1657 sizeof(struct erf_aal2_hdr), err))
1658 return false;
1659 break;
1660 case ERF_TYPE_ETH:
1661 case ERF_TYPE_COLOR_ETH:
1662 case ERF_TYPE_DSM_COLOR_ETH:
1663 case ERF_TYPE_COLOR_HASH_ETH:
1664 memcpy(&erf_subhdr[0], &pseudo_header->erf.subhdr.eth_hdr, sizeof pseudo_header->erf.subhdr.eth_hdr);
1665 if (!wtap_dump_file_write(wdh, erf_subhdr,
1666 sizeof(struct erf_eth_hdr), err))
1667 return false;
1668 break;
1669 default:
1670 break;
1671 }
1672 return true;
1673 }
1674
1675 /*
1676 * I2C-with=Linux-pseudoheader link-layer on-disk format, as defined by
1677 * Pigeon Point Systems.
1678 */
1679 struct i2c_linux_file_hdr {
1680 uint8_t bus;
1681 uint8_t flags[4];
1682 };
1683
1684 static int
1685 pcap_read_i2c_linux_pseudoheader(FILE_T fh, union wtap_pseudo_header *pseudo_header,
1686 unsigned packet_size, int *err, char **err_info)
1687 {
1688 struct i2c_linux_file_hdr i2c_linux_hdr;
1689
1690 if (packet_size < sizeof (struct i2c_linux_file_hdr)) {
1691 /*
1692 * Uh-oh, the packet isn't big enough to even
1693 * have a pseudo-header.
1694 */
1695 *err = WTAP_ERR_BAD_FILE;
1696 *err_info = ws_strdup_printf("pcap/pcapng: I2C file has a %u-byte packet, too small to have even a I2C pseudo-header",
1697 packet_size);
1698 return -1;
1699 }
1700 if (!wtap_read_bytes(fh, &i2c_linux_hdr, sizeof (i2c_linux_hdr), err, err_info))
1701 return -1;
1702
1703 pseudo_header->i2c.is_event = i2c_linux_hdr.bus & 0x80 ? 1 : 0;
1704 pseudo_header->i2c.bus = i2c_linux_hdr.bus & 0x7f;
1705 pseudo_header->i2c.flags = pntoh32(&i2c_linux_hdr.flags);
1706
1707 return (int)sizeof (struct i2c_linux_file_hdr);
1708 }
1709
1710 static bool
1711 pcap_write_i2c_linux_pseudoheader(wtap_dumper *wdh,
1712 const union wtap_pseudo_header *pseudo_header, int *err)
1713 {
1714 struct i2c_linux_file_hdr i2c_linux_hdr;
1715
1716 /*
1717 * Write the I2C Linux-specific pseudo-header.
1718 */
1719 memset(&i2c_linux_hdr, 0, sizeof(i2c_linux_hdr));
1720 i2c_linux_hdr.bus = pseudo_header->i2c.bus |
1721 (pseudo_header->i2c.is_event ? 0x80 : 0x00);
1722 phtonl((uint8_t *)&i2c_linux_hdr.flags, pseudo_header->i2c.flags);
1723 if (!wtap_dump_file_write(wdh, &i2c_linux_hdr, sizeof(i2c_linux_hdr), err))
1724 return false;
1725 return true;
1726 }
1727
1728 /*
1729 * The link-layer header on Nokia IPSO packets.
1730 */
1731 #define NOKIA_LEN 4 /* length of the header */
1732
1733 static bool
1734 pcap_read_nokia_pseudoheader(FILE_T fh,
1735 union wtap_pseudo_header *pseudo_header, int *err, char **err_info)
1736 {
1737 uint8_t phdr[NOKIA_LEN];
1738
1739
1740 /* backtrack to read the 4 mysterious bytes that aren't considered
1741 * part of the packet size
1742 */
1743 if (file_seek(fh, -NOKIA_LEN, SEEK_CUR, err) == -1)
1744 {
1745 *err = file_error(fh, err_info);
1746 if (*err == 0)
1747 *err = WTAP_ERR_SHORT_READ;
1748 return false;
1749 }
1750
1751 if (!wtap_read_bytes(fh, phdr, NOKIA_LEN, err, err_info))
1752 return false;
1753
1754 memcpy(pseudo_header->nokia.stuff, phdr, NOKIA_LEN);
1755
1756 return true;
1757 }
1758
1759 /*
1760 * When not using the memory-mapped interface to capture USB events,
1761 * code that reads those events can use the MON_IOCX_GET ioctl to
1762 * read a 48-byte header consisting of a "struct linux_usb_phdr", as
1763 * defined below, followed immediately by one of:
1764 *
1765 * 8 bytes of a "struct usb_device_setup_hdr", if "setup_flag"
1766 * in the preceding "struct linux_usb_phdr" is 0;
1767 *
1768 * in Linux 2.6.30 or later, 8 bytes of a "struct iso_rec", if
1769 * this is an isochronous transfer;
1770 *
1771 * 8 bytes of junk, otherwise.
1772 *
1773 * In Linux 2.6.31 and later, it can also use the MON_IOCX_GETX ioctl
1774 * to read a 64-byte header; that header consists of the 48 bytes
1775 * above, followed immediately by 16 bytes of a "struct linux_usb_phdr_ext",
1776 * as defined below.
1777 *
1778 * In Linux 2.6.21 and later, there's a memory-mapped interface to
1779 * capture USB events. In that interface, the events in the memory-mapped
1780 * buffer have a 64-byte header, followed immediately by the data.
1781 * In Linux 2.6.21 through 2.6.30.x, the 64-byte header is the 48-byte
1782 * header described above, followed by 16 bytes of zeroes; in Linux
1783 * 2.6.31 and later, the 64-byte header is the 64-byte header described
1784 * above.
1785 *
1786 * See linux/Documentation/usb/usbmon.txt and libpcap/pcap/usb.h for details.
1787 *
1788 * With WTAP_ENCAP_USB_LINUX, packets have the 48-byte header; with
1789 * WTAP_ENCAP_USB_LINUX_MMAPPED, they have the 64-byte header. There
1790 * is no indication of whether the header has the "struct iso_rec", or
1791 * whether the last 16 bytes of a 64-byte header are all zeros or are
1792 * a "struct linux_usb_phdr_ext".
1793 */
1794
1795 /*
1796 * URB transfer_type values
1797 */
1798 #define URB_ISOCHRONOUS 0x0
1799 #define URB_INTERRUPT 0x1
1800 #define URB_CONTROL 0x2
1801 #define URB_BULK 0x3
1802
1803 /*
1804 * Information from the URB for Isochronous transfers.
1805 *
1806 * This structure is 8 bytes long.
1807 */
1808 struct iso_rec {
1809 int32_t error_count;
1810 int32_t numdesc;
1811 };
1812
1813 /*
1814 * Header prepended by Linux kernel to each USB event.
1815 *
1816 * (Setup flag is '-', 'D', 'Z', or 0. Data flag is '<', '>', 'Z', or 0.)
1817 *
1818 * The values are in *host* byte order.
1819 */
1820 struct linux_usb_phdr {
1821 uint64_t id; /* urb id, to link submission and completion events */
1822 uint8_t event_type; /* Submit ('S'), Completed ('C'), Error ('E') */
1823 uint8_t transfer_type; /* ISO (0), Intr, Control, Bulk (3) */
1824 uint8_t endpoint_number; /* Endpoint number (0-15) and transfer direction */
1825 uint8_t device_address; /* 0-127 */
1826 uint16_t bus_id;
1827 int8_t setup_flag; /* 0, if the urb setup header is meaningful */
1828 int8_t data_flag; /* 0, if urb data is present */
1829 int64_t ts_sec;
1830 int32_t ts_usec;
1831 int32_t status;
1832 uint32_t urb_len; /* whole len of urb this event refers to */
1833 uint32_t data_len; /* amount of urb data really present in this event */
1834
1835 /*
1836 * Packet-type-dependent data.
1837 * USB setup information of setup_flag is true.
1838 * Otherwise, some isochronous transfer information.
1839 */
1840 union {
1841 uint8_t data[8];
1842 struct iso_rec iso;
1843 } s;
1844
1845 /*
1846 * This data is provided by Linux 2.6.31 and later kernels.
1847 *
1848 * For WTAP_ENCAP_USB_LINUX, it's not in the pseudo-header, so
1849 * the pseudo-header is always 48 bytes long, including the
1850 * packet-type-dependent data.
1851 *
1852 * For WTAP_ENCAP_USB_LINUX_MMAPPED, the pseudo-header is always
1853 * 64 bytes long, with the packet-type-dependent data preceding
1854 * these last 16 bytes. In pre-2.6.31 kernels, it's zero padding;
1855 * in 2.6.31 and later, it's the following data.
1856 */
1857 int32_t interval; /* only for Interrupt and Isochronous events */
1858 int32_t start_frame; /* for Isochronous */
1859 uint32_t xfer_flags; /* copy of URB's transfer_flags */
1860 uint32_t ndesc; /* actual number of isochronous descriptors */
1861 };
1862
1863 /*
1864 * event_type values
1865 */
1866 #define URB_SUBMIT 'S'
1867 #define URB_COMPLETE 'C'
1868 #define URB_ERROR 'E'
1869
1870 /*
1871 * URB transfer_type values
1872 */
1873 #define URB_ISOCHRONOUS 0x0
1874 #define URB_INTERRUPT 0x1
1875 #define URB_CONTROL 0x2
1876 #define URB_BULK 0x3
1877 #define URB_UNKNOWN 0xFF
1878
1879 #define URB_TRANSFER_IN 0x80 /* to host */
1880
1881 struct linux_usb_isodesc {
1882 int32_t iso_status;
1883 uint32_t iso_off;
1884 uint32_t iso_len;
1885 uint32_t _pad;
1886 };
1887
1888 /*
1889 * USB setup header as defined in USB specification
1890 * See usb_20.pdf, Chapter 9.3 'USB Device Requests' for details.
1891 * https://www.usb.org/document-library/usb-20-specification
1892 *
1893 * This structure is 8 bytes long.
1894 */
1895 struct usb_device_setup_hdr {
1896 int8_t bmRequestType;
1897 uint8_t bRequest;
1898 uint16_t wValue;
1899 uint16_t wIndex;
1900 uint16_t wLength;
1901 };
1902
1903 /*
1904 * Offset of the *end* of a field within a particular structure.
1905 */
1906 #define END_OFFSETOF(basep, fieldp) \
1907 (((char *)(void *)(fieldp)) - ((char *)(void *)(basep)) + \
1908 sizeof(*fieldp))
1909
1910 /*
1911 * Is that offset within the bounds of the packet?
1912 */
1913 #define WITHIN_PACKET(basep, fieldp) \
1914 (packet_size >= END_OFFSETOF((basep), (fieldp)))
1915
1916 #define CHECK_AND_SWAP16(fieldp) \
1917 { \
1918 if (!WITHIN_PACKET(usb_phdr, fieldp)) \
1919 return; \
1920 PBSWAP16((uint8_t *)fieldp); \
1921 }
1922
1923 #define CHECK_AND_SWAP32(fieldp) \
1924 { \
1925 if (!WITHIN_PACKET(usb_phdr, fieldp)) \
1926 return; \
1927 PBSWAP32((uint8_t *)fieldp); \
1928 }
1929
1930 #define CHECK_AND_SWAP64(fieldp) \
1931 { \
1932 if (!WITHIN_PACKET(usb_phdr, fieldp)) \
1933 return; \
1934 PBSWAP64((uint8_t *)fieldp); \
1935 }
1936
1937 /*
1938 * Offset and length of the CAN ID field in the CAN classic/CAN FD
1939 * SocketCAN header.
1940 */
1941 #define CAN_CANFD_CAN_ID_OFFSET 0
1942 #define CAN_CANFD_CAN_ID_LEN 4
1943
1944 /*
1945 * Offsets and lengths of fields in the CAN XL SocketCAN header.
1946 */
1947 #define CANXL_PRIORITY_VCID_OFFSET 0
1948 #define CANXL_PRIORITY_VCID_LEN 4
1949 #define CANXL_FLAGS_OFFSET (CANXL_PRIORITY_VCID_OFFSET + CANXL_PRIORITY_VCID_LEN)
1950 #define CANXL_FLAGS_LEN 1
1951 #define CANXL_SDU_TYPE_OFFSET (CANXL_FLAGS_OFFSET + CANXL_FLAGS_LEN)
1952 #define CANXL_SDU_TYPE_LEN 1
1953 #define CANXL_PAYLOAD_LENGTH_OFFSET (CANXL_SDU_TYPE_OFFSET + CANXL_SDU_TYPE_LEN)
1954 #define CANXL_PAYLOAD_LENGTH_LEN 2
1955 #define CANXL_ACCEPTANCE_FIELD_OFFSET (CANXL_PAYLOAD_LENGTH_OFFSET + CANXL_PAYLOAD_LENGTH_LEN)
1956 #define CANXL_ACCEPTANCE_FIELD_LEN 4
1957
1958 /*
1959 * CAN fake link-layer headers in Linux cooked packets.
1960 */
1961 #define LINUX_SLL_PROTOCOL_OFFSET 14 /* protocol */
1962 #define LINUX_SLL_LEN 16 /* length of the header */
1963
1964 #define LINUX_SLL2_PROTOCOL_OFFSET 0 /* protocol */
1965 #define LINUX_SLL2_LEN 20 /* length of the header */
1966
1967 /*
1968 * The protocols we have to check for.
1969 */
1970 #define LINUX_SLL_P_CAN 0x000C /* Controller Area Network classic */
1971 #define LINUX_SLL_P_CANFD 0x000D /* Controller Area Network flexible data rate */
1972 #define LINUX_SLL_P_CANXL 0x000E /* Controller Area Network extended length */
1973
1974 static void
1975 pcap_byteswap_can_socketcan_pseudoheader(unsigned packet_size, uint16_t protocol,
1976 uint8_t *pd)
1977 {
1978 switch (protocol) {
1979
1980 case LINUX_SLL_P_CAN:
1981 case LINUX_SLL_P_CANFD:
1982 /*
1983 * CAN classic or CAN FD; byte-swap the ID/flags field
1984 * into our host byte order.
1985 *
1986 * Make sure we have the entire field.
1987 */
1988 if (packet_size < (CAN_CANFD_CAN_ID_OFFSET + CAN_CANFD_CAN_ID_LEN)) {
1989 /* Not enough data to have the full CAN ID */
1990 return;
1991 }
1992 PBSWAP32(&pd[CAN_CANFD_CAN_ID_OFFSET]);
1993 break;
1994
1995 case LINUX_SLL_P_CANXL:
1996 /*
1997 * CAN classic or CAN FD; byte-swap the priority-and-VCID
1998 * field, the payload length, ad the acceptance field
1999 * into our host byte order.
2000 */
2001 if (packet_size < (CANXL_PRIORITY_VCID_OFFSET + CANXL_PRIORITY_VCID_LEN)) {
2002 /* Not enough data to have the full priority/VCID field */
2003 return;
2004 }
2005 PBSWAP32(&pd[CANXL_PRIORITY_VCID_OFFSET]);
2006 if (packet_size < (CANXL_PAYLOAD_LENGTH_OFFSET + CANXL_PAYLOAD_LENGTH_LEN)) {
2007 /* Not enough data to have the full payload length field */
2008 return;
2009 }
2010 PBSWAP16(&pd[CANXL_PAYLOAD_LENGTH_OFFSET]);
2011 if (packet_size < (CANXL_ACCEPTANCE_FIELD_OFFSET + CANXL_ACCEPTANCE_FIELD_LEN)) {
2012 /* Not enough data to have the full payload length field */
2013 return;
2014 }
2015 PBSWAP32(&pd[CANXL_ACCEPTANCE_FIELD_OFFSET]);
2016 break;
2017
2018 default:
2019 /* Not a CAN packet; nothing to fix */
2020 return;
2021 }
2022 }
2023
2024 static void
2025 pcap_byteswap_linux_sll_pseudoheader(wtap_rec *rec, uint8_t *pd)
2026 {
2027 unsigned packet_size;
2028 uint16_t protocol;
2029
2030 /*
2031 * Minimum of captured and actual length (just in case the
2032 * actual length < the captured length, which Should Never
2033 * Happen).
2034 */
2035 packet_size = rec->rec_header.packet_header.caplen;
2036 if (packet_size > rec->rec_header.packet_header.len)
2037 packet_size = rec->rec_header.packet_header.len;
2038
2039 if (packet_size < LINUX_SLL_LEN) {
2040 /* Not enough data to have the protocol */
2041 return;
2042 }
2043
2044 /*
2045 * Byte-swap the SocketCAN pseudoheader, if we have one.
2046 */
2047 protocol = pntoh16(&pd[LINUX_SLL_PROTOCOL_OFFSET]);
2048 pcap_byteswap_can_socketcan_pseudoheader(packet_size - LINUX_SLL_LEN,
2049 protocol, pd + LINUX_SLL_LEN);
2050 }
2051
2052 static void
2053 pcap_byteswap_linux_sll2_pseudoheader(wtap_rec *rec, uint8_t *pd)
2054 {
2055 unsigned packet_size;
2056 uint16_t protocol;
2057
2058 /*
2059 * Minimum of captured and actual length (just in case the
2060 * actual length < the captured length, which Should Never
2061 * Happen).
2062 */
2063 packet_size = rec->rec_header.packet_header.caplen;
2064 if (packet_size > rec->rec_header.packet_header.len)
2065 packet_size = rec->rec_header.packet_header.len;
2066
2067 if (packet_size < LINUX_SLL2_LEN) {
2068 /* Not enough data to have the protocol */
2069 return;
2070 }
2071
2072 /*
2073 * Byte-swap the SocketCAN pseudoheader, if we have one.
2074 */
2075 protocol = pntoh16(&pd[LINUX_SLL2_PROTOCOL_OFFSET]);
2076 pcap_byteswap_can_socketcan_pseudoheader(packet_size - LINUX_SLL2_LEN,
2077 protocol, pd + LINUX_SLL2_LEN);
2078 }
2079
2080 static void
2081 pcap_byteswap_linux_usb_pseudoheader(wtap_rec *rec, uint8_t *pd,
2082 bool header_len_64_bytes)
2083 {
2084 unsigned packet_size;
2085 struct linux_usb_phdr *usb_phdr;
2086 struct linux_usb_isodesc *pisodesc;
2087 int32_t iso_numdesc, i;
2088
2089 /*
2090 * Minimum of captured and actual length (just in case the
2091 * actual length < the captured length, which Should Never
2092 * Happen).
2093 */
2094 packet_size = rec->rec_header.packet_header.caplen;
2095 if (packet_size > rec->rec_header.packet_header.len)
2096 packet_size = rec->rec_header.packet_header.len;
2097
2098 /*
2099 * Greasy hack, but we never directly dereference any of
2100 * the fields in *usb_phdr, we just get offsets of and
2101 * addresses of its members and byte-swap it with a
2102 * byte-at-a-time macro, so it's alignment-safe.
2103 */
2104 usb_phdr = (struct linux_usb_phdr *)(void *)pd;
2105
2106 CHECK_AND_SWAP64(&usb_phdr->id);
2107 CHECK_AND_SWAP16(&usb_phdr->bus_id);
2108 CHECK_AND_SWAP64(&usb_phdr->ts_sec);
2109 CHECK_AND_SWAP32(&usb_phdr->ts_usec);
2110 CHECK_AND_SWAP32(&usb_phdr->status);
2111 CHECK_AND_SWAP32(&usb_phdr->urb_len);
2112 CHECK_AND_SWAP32(&usb_phdr->data_len);
2113
2114 if (usb_phdr->transfer_type == URB_ISOCHRONOUS) {
2115 CHECK_AND_SWAP32(&usb_phdr->s.iso.error_count);
2116 CHECK_AND_SWAP32(&usb_phdr->s.iso.numdesc);
2117 }
2118
2119 if (header_len_64_bytes) {
2120 /*
2121 * This is either the "version 1" header, with
2122 * 16 bytes of additional fields at the end, or
2123 * a "version 0" header from a memory-mapped
2124 * capture, with 16 bytes of zeroed-out padding
2125 * at the end. Byte swap them as if this were
2126 * a "version 1" header.
2127 *
2128 * Yes, the first argument to END_OFFSETOF() should
2129 * be usb_phdr, not usb_phdr_ext; we want the offset of
2130 * the additional fields from the beginning of
2131 * the packet.
2132 */
2133 CHECK_AND_SWAP32(&usb_phdr->interval);
2134 CHECK_AND_SWAP32(&usb_phdr->start_frame);
2135 CHECK_AND_SWAP32(&usb_phdr->xfer_flags);
2136 CHECK_AND_SWAP32(&usb_phdr->ndesc);
2137 }
2138
2139 if (usb_phdr->transfer_type == URB_ISOCHRONOUS) {
2140 /* swap the values in struct linux_usb_isodesc */
2141
2142 /*
2143 * See previous "Greasy hack" comment.
2144 */
2145 if (header_len_64_bytes) {
2146 pisodesc = (struct linux_usb_isodesc*)(void *)(pd + 64);
2147 } else {
2148 pisodesc = (struct linux_usb_isodesc*)(void *)(pd + 48);
2149 }
2150 iso_numdesc = usb_phdr->s.iso.numdesc;
2151 for (i = 0; i < iso_numdesc; i++) {
2152 CHECK_AND_SWAP32(&pisodesc->iso_status);
2153 CHECK_AND_SWAP32(&pisodesc->iso_off);
2154 CHECK_AND_SWAP32(&pisodesc->iso_len);
2155 CHECK_AND_SWAP32(&pisodesc->_pad);
2156
2157 pisodesc++;
2158 }
2159 }
2160 }
2161
2162 struct nflog_hdr {
2163 uint8_t nflog_family; /* address family */
2164 uint8_t nflog_version; /* version */
2165 uint16_t nflog_rid; /* resource ID */
2166 };
2167
2168 struct nflog_tlv {
2169 uint16_t tlv_length; /* tlv length */
2170 uint16_t tlv_type; /* tlv type */
2171 /* value follows this */
2172 };
2173
2174 static void
2175 pcap_byteswap_nflog_pseudoheader(wtap_rec *rec, uint8_t *pd)
2176 {
2177 unsigned packet_size;
2178 uint8_t *p;
2179 struct nflog_hdr *nfhdr;
2180 struct nflog_tlv *tlv;
2181 unsigned size;
2182
2183 /*
2184 * Minimum of captured and actual length (just in case the
2185 * actual length < the captured length, which Should Never
2186 * Happen).
2187 */
2188 packet_size = rec->rec_header.packet_header.caplen;
2189 if (packet_size > rec->rec_header.packet_header.len)
2190 packet_size = rec->rec_header.packet_header.len;
2191
2192 if (packet_size < sizeof(struct nflog_hdr)) {
2193 /* Not enough data to have any TLVs. */
2194 return;
2195 }
2196
2197 p = pd;
2198 nfhdr = (struct nflog_hdr *)pd;
2199 if (nfhdr->nflog_version != 0) {
2200 /* Unknown NFLOG version */
2201 return;
2202 }
2203
2204 packet_size -= (unsigned)sizeof(struct nflog_hdr);
2205 p += sizeof(struct nflog_hdr);
2206
2207 while (packet_size >= sizeof(struct nflog_tlv)) {
2208 tlv = (struct nflog_tlv *) p;
2209
2210 /* Swap the type and length. */
2211 PBSWAP16((uint8_t *)&tlv->tlv_type);
2212 PBSWAP16((uint8_t *)&tlv->tlv_length);
2213
2214 /* Get the length of the TLV. */
2215 size = tlv->tlv_length;
2216 if (size % 4 != 0)
2217 size += 4 - size % 4;
2218
2219 /* Is the TLV's length less than the minimum? */
2220 if (size < sizeof(struct nflog_tlv)) {
2221 /* Yes. Give up now. */
2222 return;
2223 }
2224
2225 /* Do we have enough data for the full TLV? */
2226 if (packet_size < size) {
2227 /* No. */
2228 return;
2229 }
2230
2231 /* Skip over the TLV. */
2232 packet_size -= size;
2233 p += size;
2234 }
2235 }
2236
2237 /*
2238 * pflog headers, at least as they exist now.
2239 */
2240 #define PFLOG_IFNAMSIZ 16
2241 #define PFLOG_RULESET_NAME_SIZE 16
2242
2243 struct pfloghdr {
2244 uint8_t length;
2245 uint8_t af;
2246 uint8_t action;
2247 uint8_t reason;
2248 char ifname[PFLOG_IFNAMSIZ];
2249 char ruleset[PFLOG_RULESET_NAME_SIZE];
2250 uint32_t rulenr;
2251 uint32_t subrulenr;
2252 uint32_t uid;
2253 int32_t pid;
2254 uint32_t rule_uid;
2255 int32_t rule_pid;
2256 uint8_t dir;
2257 /* More follows, depending on the header length */
2258 };
2259
2260 static void
2261 pcap_byteswap_pflog_pseudoheader(wtap_rec *rec, uint8_t *pd)
2262 {
2263 unsigned packet_size;
2264 struct pfloghdr *pflhdr;
2265
2266 /*
2267 * Minimum of captured and actual length (just in case the
2268 * actual length < the captured length, which Should Never
2269 * Happen).
2270 */
2271 packet_size = rec->rec_header.packet_header.caplen;
2272 if (packet_size > rec->rec_header.packet_header.len)
2273 packet_size = rec->rec_header.packet_header.len;
2274
2275 if (packet_size < sizeof(struct pfloghdr)) {
2276 /* Not enough data to have the UID and PID fields */
2277 return;
2278 }
2279
2280 pflhdr = (struct pfloghdr *)pd;
2281 if (pflhdr->length < (unsigned) (offsetof(struct pfloghdr, rule_pid) + sizeof pflhdr->rule_pid)) {
2282 /* Header doesn't include the UID and PID fields */
2283 return;
2284 }
2285 PBSWAP32((uint8_t *)&pflhdr->uid);
2286 PBSWAP32((uint8_t *)&pflhdr->pid);
2287 PBSWAP32((uint8_t *)&pflhdr->rule_uid);
2288 PBSWAP32((uint8_t *)&pflhdr->rule_pid);
2289 }
2290
2291 int
2292 pcap_process_pseudo_header(FILE_T fh, bool is_nokia, int wtap_encap,
2293 unsigned packet_size, wtap_rec *rec, int *err, char **err_info)
2294 {
2295 int phdr_len = 0;
2296
2297 switch (wtap_encap) {
2298
2299 case WTAP_ENCAP_ATM_PDUS:
2300 if (is_nokia) {
2301 /*
2302 * Nokia IPSO ATM.
2303 */
2304 phdr_len = pcap_read_nokiaatm_pseudoheader(fh,
2305 &rec->rec_header.packet_header.pseudo_header,
2306 packet_size, err, err_info);
2307 if (phdr_len == -1)
2308 return -1; /* Read error */
2309 } else {
2310 /*
2311 * SunATM.
2312 */
2313 phdr_len = pcap_read_sunatm_pseudoheader(fh,
2314 &rec->rec_header.packet_header.pseudo_header,
2315 packet_size, err, err_info);
2316 if (phdr_len == -1)
2317 return -1; /* Read error */
2318 }
2319 break;
2320
2321 case WTAP_ENCAP_ETHERNET:
2322 if (is_nokia) {
2323 /*
2324 * Nokia IPSO. Pseudo header has already been read, but it's not considered
2325 * part of the packet size, so reread it to store the data for later (when saving)
2326 */
2327 if (!pcap_read_nokia_pseudoheader(fh, &rec->rec_header.packet_header.pseudo_header, err, err_info))
2328 return -1; /* Read error */
2329 }
2330
2331 /*
2332 * We don't know whether there's an FCS in this frame or not.
2333 */
2334 rec->rec_header.packet_header.pseudo_header.eth.fcs_len = -1;
2335 break;
2336
2337 case WTAP_ENCAP_IEEE_802_11:
2338 case WTAP_ENCAP_IEEE_802_11_PRISM:
2339 case WTAP_ENCAP_IEEE_802_11_RADIOTAP:
2340 case WTAP_ENCAP_IEEE_802_11_AVS:
2341 /*
2342 * We don't know whether there's an FCS in this frame or not,
2343 * at least in pcap files. For radiotap, that's indicated in
2344 * the radiotap header.
2345 *
2346 * XXX - in pcapng, there *could* be a packet option
2347 * indicating the FCS length.
2348 */
2349 memset(&rec->rec_header.packet_header.pseudo_header.ieee_802_11, 0, sizeof(rec->rec_header.packet_header.pseudo_header.ieee_802_11));
2350 rec->rec_header.packet_header.pseudo_header.ieee_802_11.fcs_len = -1;
2351 rec->rec_header.packet_header.pseudo_header.ieee_802_11.decrypted = false;
2352 rec->rec_header.packet_header.pseudo_header.ieee_802_11.datapad = false;
2353 break;
2354
2355 case WTAP_ENCAP_IRDA:
2356 phdr_len = pcap_read_irda_pseudoheader(fh,
2357 &rec->rec_header.packet_header.pseudo_header,
2358 packet_size, err, err_info);
2359 if (phdr_len == -1)
2360 return -1; /* Read error */
2361 break;
2362
2363 case WTAP_ENCAP_MTP2_WITH_PHDR:
2364 phdr_len = pcap_read_mtp2_pseudoheader(fh,
2365 &rec->rec_header.packet_header.pseudo_header,
2366 packet_size, err, err_info);
2367 if (phdr_len == -1)
2368 return -1; /* Read error */
2369 break;
2370
2371 case WTAP_ENCAP_LINUX_LAPD:
2372 phdr_len = pcap_read_lapd_pseudoheader(fh,
2373 &rec->rec_header.packet_header.pseudo_header,
2374 packet_size, err, err_info);
2375 if (phdr_len == -1)
2376 return -1; /* Read error */
2377 break;
2378
2379 case WTAP_ENCAP_SITA:
2380 phdr_len = pcap_read_sita_pseudoheader(fh,
2381 &rec->rec_header.packet_header.pseudo_header,
2382 packet_size, err, err_info);
2383 if (phdr_len == -1)
2384 return -1; /* Read error */
2385 break;
2386
2387 case WTAP_ENCAP_BLUETOOTH_H4:
2388 /* We don't have pseudoheader, so just pretend we received everything. */
2389 rec->rec_header.packet_header.pseudo_header.p2p.sent = false;
2390 break;
2391
2392 case WTAP_ENCAP_BLUETOOTH_H4_WITH_PHDR:
2393 phdr_len = pcap_read_bt_pseudoheader(fh,
2394 &rec->rec_header.packet_header.pseudo_header,
2395 packet_size, err, err_info);
2396 if (phdr_len == -1)
2397 return -1; /* Read error */
2398 break;
2399
2400 case WTAP_ENCAP_BLUETOOTH_LINUX_MONITOR:
2401 phdr_len = pcap_read_bt_monitor_pseudoheader(fh,
2402 &rec->rec_header.packet_header.pseudo_header,
2403 packet_size, err, err_info);
2404 if (phdr_len == -1)
2405 return -1; /* Read error */
2406 break;
2407
2408 case WTAP_ENCAP_NFC_LLCP:
2409 phdr_len = pcap_read_llcp_pseudoheader(fh,
2410 &rec->rec_header.packet_header.pseudo_header,
2411 packet_size, err, err_info);
2412 if (phdr_len == -1)
2413 return -1; /* Read error */
2414 break;
2415
2416 case WTAP_ENCAP_PPP_WITH_PHDR:
2417 phdr_len = pcap_read_ppp_pseudoheader(fh,
2418 &rec->rec_header.packet_header.pseudo_header,
2419 packet_size, err, err_info);
2420 if (phdr_len == -1)
2421 return -1; /* Read error */
2422 break;
2423
2424 case WTAP_ENCAP_ERF:
2425 phdr_len = pcap_read_erf_pseudoheader(fh, rec,
2426 &rec->rec_header.packet_header.pseudo_header,
2427 packet_size, err, err_info);
2428 if (phdr_len == -1)
2429 return -1; /* Read error */
2430 break;
2431
2432 case WTAP_ENCAP_I2C_LINUX:
2433 phdr_len = pcap_read_i2c_linux_pseudoheader(fh,
2434 &rec->rec_header.packet_header.pseudo_header,
2435 packet_size, err, err_info);
2436 if (phdr_len == -1)
2437 return -1; /* Read error */
2438 break;
2439 }
2440
2441 return phdr_len;
2442 }
2443
2444 /*
2445 * Compute, from the data provided by the Linux USB memory-mapped capture
2446 * mechanism, the amount of packet data that would have been provided
2447 * had the capture mechanism not chopped off any data at the end, if, in
2448 * fact, it did so.
2449 *
2450 * Set the "unsliced length" field of the packet header to that value.
2451 */
2452 static void
2453 fix_linux_usb_mmapped_length(wtap_rec *rec, const u_char *bp)
2454 {
2455 const struct linux_usb_phdr *hdr;
2456 u_int bytes_left;
2457
2458 /*
2459 * All callers of this routine must ensure that pkth->caplen is
2460 * >= sizeof (struct linux_usb_phdr).
2461 */
2462 bytes_left = rec->rec_header.packet_header.caplen;
2463 bytes_left -= sizeof (struct linux_usb_phdr);
2464
2465 hdr = (const struct linux_usb_phdr *) bp;
2466 if (!hdr->data_flag && hdr->transfer_type == URB_ISOCHRONOUS &&
2467 hdr->event_type == URB_COMPLETE &&
2468 (hdr->endpoint_number & URB_TRANSFER_IN) &&
2469 rec->rec_header.packet_header.len == sizeof(struct linux_usb_phdr) +
2470 (hdr->ndesc * sizeof (struct linux_usb_isodesc)) + hdr->urb_len) {
2471 struct linux_usb_isodesc *descs;
2472 u_int pre_truncation_data_len, pre_truncation_len;
2473
2474 descs = (struct linux_usb_isodesc *) (bp + sizeof(struct linux_usb_phdr));
2475
2476 /*
2477 * We have data (yes, data_flag is 0 if we *do* have data),
2478 * and this is a "this is complete" incoming isochronous
2479 * transfer event, and the length was calculated based
2480 * on the URB length.
2481 *
2482 * That's not correct, because the data isn't contiguous,
2483 * and the isochronous descriptos show how it's scattered.
2484 *
2485 * Find the end of the last chunk of data in the buffer
2486 * referred to by the isochronous descriptors; that indicates
2487 * how far into the buffer the data would have gone.
2488 *
2489 * Make sure we don't run past the end of the captured data
2490 * while processing the isochronous descriptors.
2491 */
2492 pre_truncation_data_len = 0;
2493 for (uint32_t desc = 0;
2494 desc < hdr->ndesc && bytes_left >= sizeof (struct linux_usb_isodesc);
2495 desc++, bytes_left -= sizeof (struct linux_usb_isodesc)) {
2496 u_int desc_end;
2497
2498 if (descs[desc].iso_len != 0) {
2499 desc_end = descs[desc].iso_off + descs[desc].iso_len;
2500 if (desc_end > pre_truncation_data_len)
2501 pre_truncation_data_len = desc_end;
2502 }
2503 }
2504
2505 /*
2506 * Now calculate the total length based on that data
2507 * length.
2508 */
2509 pre_truncation_len = sizeof(struct linux_usb_phdr) +
2510 (hdr->ndesc * sizeof (struct linux_usb_isodesc)) +
2511 pre_truncation_data_len;
2512
2513 /*
2514 * If that's greater than or equal to the captured length,
2515 * use that as the length.
2516 */
2517 if (pre_truncation_len >= rec->rec_header.packet_header.caplen)
2518 rec->rec_header.packet_header.len = pre_truncation_len;
2519
2520 /*
2521 * If the captured length is greater than the length,
2522 * use the captured length.
2523 *
2524 * For completion events for incoming isochronous transfers,
2525 * it's based on data_len, which is calculated the same way
2526 * we calculated pre_truncation_data_len above, except that
2527 * it has access to all the isochronous descriptors, not
2528 * just the ones that the kernel were able to provide us or,
2529 * for a capture file, that weren't sliced off by a snapshot
2530 * length.
2531 *
2532 * However, it might have been reduced by the USB capture
2533 * mechanism arbitrarily limiting the amount of data it
2534 * provides to userland, or by the libpcap capture code
2535 * limiting it to being no more than the snapshot, so
2536 * we don't want to just use it all the time; we only
2537 * do so to try to get a better estimate of the actual
2538 * length - and to make sure the on-the-network length
2539 * is always >= the captured length.
2540 */
2541 if (rec->rec_header.packet_header.caplen > rec->rec_header.packet_header.len)
2542 rec->rec_header.packet_header.len = rec->rec_header.packet_header.caplen;
2543 }
2544 }
2545
2546 static void
2547 pcap_fixup_len(wtap_rec *rec, const uint8_t *pd)
2548 {
2549 struct linux_usb_phdr *usb_phdr;
2550
2551 /*
2552 * Greasy hack, but we never directly dereference any of
2553 * the fields in *usb_phdr, we just get offsets of and
2554 * addresses of its members and byte-swap it with a
2555 * byte-at-a-time macro, so it's alignment-safe.
2556 */
2557 usb_phdr = (struct linux_usb_phdr *)(void *)pd;
2558
2559 if (rec->rec_header.packet_header.caplen >=
2560 sizeof (struct linux_usb_phdr)) {
2561 /*
2562 * In older versions of libpcap, in memory-mapped captures,
2563 * the "on-the-bus length" for completion events for
2564 * incoming isochronous transfers was miscalculated; it
2565 * needed to be calculated based on the* offsets and lengths
2566 * in the descriptors, not on the raw URB length, but it
2567 * wasn't.
2568 *
2569 * If this packet contains transferred data (yes, data_flag
2570 * is 0 if we *do* have data), and the total on-the-network
2571 * length is equal to the value calculated from the raw URB
2572 * length, then it might be one of those transfers.
2573 *
2574 * We only do this if we have the full USB pseudo-header.
2575 */
2576 if (!usb_phdr->data_flag &&
2577 rec->rec_header.packet_header.len == sizeof (struct linux_usb_phdr) +
2578 (usb_phdr->ndesc * sizeof (struct linux_usb_isodesc)) + usb_phdr->urb_len) {
2579 /*
2580 * It might need fixing; fix it if it's a completion
2581 * event for an incoming isochronous transfer.
2582 */
2583 fix_linux_usb_mmapped_length(rec, pd);
2584 }
2585 }
2586 }
2587
2588 void
2589 pcap_read_post_process(bool is_nokia, int wtap_encap,
2590 wtap_rec *rec, uint8_t *pd, bool bytes_swapped, int fcs_len)
2591 {
2592 switch (wtap_encap) {
2593
2594 case WTAP_ENCAP_ATM_PDUS:
2595 if (is_nokia) {
2596 /*
2597 * Nokia IPSO ATM.
2598 *
2599 * Guess the traffic type based on the packet
2600 * contents.
2601 */
2602 atm_guess_traffic_type(rec, pd);
2603 } else {
2604 /*
2605 * SunATM.
2606 *
2607 * If this is ATM LANE traffic, try to guess what
2608 * type of LANE traffic it is based on the packet
2609 * contents.
2610 */
2611 if (rec->rec_header.packet_header.pseudo_header.atm.type == TRAF_LANE)
2612 atm_guess_lane_type(rec, pd);
2613 }
2614 break;
2615
2616 case WTAP_ENCAP_ETHERNET:
2617 /*
2618 * The FCS length is supposed to be in bits.
2619 * If it's < 8, assume it's in bytes; otherwise,
2620 * convert it to bytes.
2621 */
2622 if (fcs_len < 8)
2623 rec->rec_header.packet_header.pseudo_header.eth.fcs_len = fcs_len;
2624 else
2625 rec->rec_header.packet_header.pseudo_header.eth.fcs_len = fcs_len/8;
2626 break;
2627
2628 case WTAP_ENCAP_SLL:
2629 if (bytes_swapped)
2630 pcap_byteswap_linux_sll_pseudoheader(rec, pd);
2631 break;
2632
2633 case WTAP_ENCAP_SLL2:
2634 if (bytes_swapped)
2635 pcap_byteswap_linux_sll2_pseudoheader(rec, pd);
2636 break;
2637
2638 case WTAP_ENCAP_USB_LINUX:
2639 if (bytes_swapped)
2640 pcap_byteswap_linux_usb_pseudoheader(rec, pd, false);
2641 break;
2642
2643 case WTAP_ENCAP_USB_LINUX_MMAPPED:
2644 if (bytes_swapped)
2645 pcap_byteswap_linux_usb_pseudoheader(rec, pd, true);
2646
2647 /*
2648 * Fix up the on-the-network length if necessary.
2649 */
2650 pcap_fixup_len(rec, pd);
2651 break;
2652
2653 case WTAP_ENCAP_NETANALYZER:
2654 /*
2655 * Not strictly necessary, as the netANALYZER
2656 * dissector calls the "Ethernet with FCS"
2657 * dissector, but we might as well set it.
2658 */
2659 rec->rec_header.packet_header.pseudo_header.eth.fcs_len = 4;
2660 break;
2661
2662 case WTAP_ENCAP_NFLOG:
2663 if (bytes_swapped)
2664 pcap_byteswap_nflog_pseudoheader(rec, pd);
2665 break;
2666
2667 case WTAP_ENCAP_ERF:
2668 /*
2669 * Update packet size to account for ERF padding and snapping.
2670 * Captured length is minimum of wlen and previously calculated
2671 * caplen (which would have included padding but not phdr).
2672 */
2673 rec->rec_header.packet_header.len = rec->rec_header.packet_header.pseudo_header.erf.phdr.wlen;
2674 rec->rec_header.packet_header.caplen = MIN(rec->rec_header.packet_header.len, rec->rec_header.packet_header.caplen);
2675 break;
2676
2677 case WTAP_ENCAP_PFLOG:
2678 if (bytes_swapped)
2679 pcap_byteswap_pflog_pseudoheader(rec, pd);
2680 break;
2681
2682 default:
2683 break;
2684 }
2685 }
2686
2687 bool
2688 wtap_encap_requires_phdr(int wtap_encap)
2689 {
2690 switch (wtap_encap) {
2691
2692 case WTAP_ENCAP_ATM_PDUS:
2693 case WTAP_ENCAP_IRDA:
2694 case WTAP_ENCAP_MTP2_WITH_PHDR:
2695 case WTAP_ENCAP_LINUX_LAPD:
2696 case WTAP_ENCAP_SITA:
2697 case WTAP_ENCAP_BLUETOOTH_H4_WITH_PHDR:
2698 case WTAP_ENCAP_BLUETOOTH_LINUX_MONITOR:
2699 case WTAP_ENCAP_NFC_LLCP:
2700 case WTAP_ENCAP_PPP_WITH_PHDR:
2701 case WTAP_ENCAP_ERF:
2702 case WTAP_ENCAP_I2C_LINUX:
2703 return true;
2704 }
2705 return false;
2706 }
2707
2708 int
2709 pcap_get_phdr_size(int encap, const union wtap_pseudo_header *pseudo_header)
2710 {
2711 int hdrsize;
2712
2713 switch (encap) {
2714
2715 case WTAP_ENCAP_ATM_PDUS:
2716 hdrsize = SUNATM_LEN;
2717 break;
2718
2719 case WTAP_ENCAP_IRDA:
2720 hdrsize = IRDA_SLL_LEN;
2721 break;
2722
2723 case WTAP_ENCAP_MTP2_WITH_PHDR:
2724 hdrsize = MTP2_HDR_LEN;
2725 break;
2726
2727 case WTAP_ENCAP_LINUX_LAPD:
2728 hdrsize = LAPD_SLL_LEN;
2729 break;
2730
2731 case WTAP_ENCAP_SITA:
2732 hdrsize = SITA_HDR_LEN;
2733 break;
2734
2735 case WTAP_ENCAP_BLUETOOTH_H4_WITH_PHDR:
2736 hdrsize = (int)sizeof (struct pcap_bt_phdr);
2737 break;
2738
2739 case WTAP_ENCAP_BLUETOOTH_LINUX_MONITOR:
2740 hdrsize = (int)sizeof (struct pcap_bt_monitor_phdr);
2741 break;
2742
2743 case WTAP_ENCAP_NFC_LLCP:
2744 hdrsize = LLCP_HEADER_LEN;
2745 break;
2746
2747 case WTAP_ENCAP_PPP_WITH_PHDR:
2748 hdrsize = (int)sizeof (struct pcap_ppp_phdr);
2749 break;
2750
2751 case WTAP_ENCAP_ERF:
2752 hdrsize = (int)sizeof (struct erf_phdr);
2753
2754 /*
2755 * If the type of record given in the pseudo header
2756 * indicates the presence of an extension header, then
2757 * add in the lengths of the extension headers.
2758 */
2759 if (pseudo_header->erf.phdr.type & 0x80) {
2760 int i = 0, max = array_length(pseudo_header->erf.ehdr_list);
2761 uint8_t erf_exhdr[8];
2762 uint8_t type;
2763
2764 do {
2765 phtonll(erf_exhdr, pseudo_header->erf.ehdr_list[i].ehdr);
2766 type = erf_exhdr[0];
2767 hdrsize += 8;
2768 i++;
2769 } while (type & 0x80 && i < max);
2770 }
2771
2772 /*
2773 * Now add in the length of the subheader, if any.
2774 */
2775 switch (pseudo_header->erf.phdr.type & 0x7F) {
2776
2777 case ERF_TYPE_MC_HDLC:
2778 case ERF_TYPE_MC_RAW:
2779 case ERF_TYPE_MC_ATM:
2780 case ERF_TYPE_MC_RAW_CHANNEL:
2781 case ERF_TYPE_MC_AAL5:
2782 case ERF_TYPE_MC_AAL2:
2783 case ERF_TYPE_COLOR_MC_HDLC_POS:
2784 hdrsize += (int)sizeof(struct erf_mc_hdr);
2785 break;
2786 case ERF_TYPE_AAL2:
2787 hdrsize += (int)sizeof(struct erf_aal2_hdr);
2788 break;
2789
2790 case ERF_TYPE_ETH:
2791 case ERF_TYPE_COLOR_ETH:
2792 case ERF_TYPE_DSM_COLOR_ETH:
2793 case ERF_TYPE_COLOR_HASH_ETH:
2794 hdrsize += (int)sizeof(struct erf_eth_hdr);
2795 break;
2796
2797 default:
2798 break;
2799 }
2800 break;
2801
2802 case WTAP_ENCAP_I2C_LINUX:
2803 hdrsize = (int)sizeof (struct i2c_linux_file_hdr);
2804 break;
2805
2806 default:
2807 hdrsize = 0;
2808 break;
2809 }
2810
2811 return hdrsize;
2812 }
2813
2814 bool
2815 pcap_write_phdr(wtap_dumper *wdh, int encap, const union wtap_pseudo_header *pseudo_header,
2816 int *err)
2817 {
2818 switch (encap) {
2819
2820 case WTAP_ENCAP_ATM_PDUS:
2821 if (!pcap_write_sunatm_pseudoheader(wdh, pseudo_header, err))
2822 return false;
2823 break;
2824
2825 case WTAP_ENCAP_IRDA:
2826 if (!pcap_write_irda_pseudoheader(wdh, pseudo_header, err))
2827 return false;
2828 break;
2829
2830 case WTAP_ENCAP_MTP2_WITH_PHDR:
2831 if (!pcap_write_mtp2_pseudoheader(wdh, pseudo_header, err))
2832 return false;
2833 break;
2834
2835 case WTAP_ENCAP_LINUX_LAPD:
2836 if (!pcap_write_lapd_pseudoheader(wdh, pseudo_header, err))
2837 return false;
2838 break;
2839
2840 case WTAP_ENCAP_SITA:
2841 if (!pcap_write_sita_pseudoheader(wdh, pseudo_header, err))
2842 return false;
2843 break;
2844
2845 case WTAP_ENCAP_BLUETOOTH_H4_WITH_PHDR:
2846 if (!pcap_write_bt_pseudoheader(wdh, pseudo_header, err))
2847 return false;
2848 break;
2849
2850 case WTAP_ENCAP_BLUETOOTH_LINUX_MONITOR:
2851 if (!pcap_write_bt_monitor_pseudoheader(wdh, pseudo_header, err))
2852 return false;
2853 break;
2854
2855 case WTAP_ENCAP_NFC_LLCP:
2856 if (!pcap_write_llcp_pseudoheader(wdh, pseudo_header, err))
2857 return false;
2858 break;
2859
2860 case WTAP_ENCAP_PPP_WITH_PHDR:
2861 if (!pcap_write_ppp_pseudoheader(wdh, pseudo_header, err))
2862 return false;
2863 break;
2864
2865 case WTAP_ENCAP_ERF:
2866 if (!pcap_write_erf_pseudoheader(wdh, pseudo_header, err))
2867 return false;
2868 break;
2869
2870 case WTAP_ENCAP_I2C_LINUX:
2871 if (!pcap_write_i2c_linux_pseudoheader(wdh, pseudo_header, err))
2872 return false;
2873 break;
2874 }
2875 return true;
2876 }
2877
2878 /*
2879 * Editor modelines - https://www.wireshark.org/tools/modelines.html
2880 *
2881 * Local variables:
2882 * c-basic-offset: 8
2883 * tab-width: 8
2884 * indent-tabs-mode: t
2885 * End:
2886 *
2887 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
2888 * :indentSize=8:tabSize=8:noTabs=false:
2889 */
Metzes wireshark repo