search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Witness: working witness.cnf
[wireshark-wip.git] / wiretap / libpcap.c
blob907f2311f928bb94660cd64d327fc9434c1d3928
1 /* libpcap.c
2 *
3 * $Id$
4 *
5 * Wiretap Library
6 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
7 *
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22
23 #include "config.h"
24
25 #include <stdlib.h>
26 #include <string.h>
27 #include <errno.h>
28 #include "wtap-int.h"
29 #include "file_wrappers.h"
30 #include "buffer.h"
31 #include "pcap-common.h"
32 #include "pcap-encap.h"
33 #include "libpcap.h"
34 #include "erf.h"
35
36 /* See source to the "libpcap" library for information on the "libpcap"
37 file format. */
38
39 /*
40 * Private per-wtap_t data needed to read a file.
41 */
42 typedef enum {
43 NOT_SWAPPED,
44 SWAPPED,
45 MAYBE_SWAPPED
46 } swapped_type_t;
47
48 typedef struct {
49 gboolean byte_swapped;
50 swapped_type_t lengths_swapped;
51 guint16 version_major;
52 guint16 version_minor;
53 } libpcap_t;
54
55 /* On some systems, the FDDI MAC addresses are bit-swapped. */
56 #if !defined(ultrix) && !defined(__alpha) && !defined(__bsdi__)
57 #define BIT_SWAPPED_MAC_ADDRS
58 #endif
59
60 /* Try to read the first two records of the capture file. */
61 typedef enum {
62 THIS_FORMAT, /* the reads succeeded, assume it's this format */
63 BAD_READ, /* the file is probably not valid */
64 OTHER_FORMAT /* the file may be valid, but not in this format */
65 } libpcap_try_t;
66 static libpcap_try_t libpcap_try(wtap *wth, int *err);
67
68 static gboolean libpcap_read(wtap *wth, int *err, gchar **err_info,
69 gint64 *data_offset);
70 static gboolean libpcap_seek_read(wtap *wth, gint64 seek_off,
71 struct wtap_pkthdr *phdr, Buffer *buf, int length,
72 int *err, gchar **err_info);
73 static int libpcap_read_header(wtap *wth, FILE_T fh, int *err, gchar **err_info,
74 struct pcaprec_ss990915_hdr *hdr);
75 static void adjust_header(wtap *wth, struct pcaprec_hdr *hdr);
76 static gboolean libpcap_read_packet(wtap *wth, FILE_T fh,
77 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
78 static gboolean libpcap_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
79 const guint8 *pd, int *err);
80
81 int libpcap_open(wtap *wth, int *err, gchar **err_info)
82 {
83 int bytes_read;
84 guint32 magic;
85 struct pcap_hdr hdr;
86 gboolean byte_swapped;
87 gboolean modified;
88 gboolean aix;
89 int file_encap;
90 gint64 first_packet_offset;
91 libpcap_t *libpcap;
92
93 /* Read in the number that should be at the start of a "libpcap" file */
94 errno = WTAP_ERR_CANT_READ;
95 bytes_read = file_read(&magic, sizeof magic, wth->fh);
96 if (bytes_read != sizeof magic) {
97 *err = file_error(wth->fh, err_info);
98 if (*err != 0 && *err != WTAP_ERR_SHORT_READ)
99 return -1;
100 return 0;
101 }
102
103 switch (magic) {
104
105 case PCAP_MAGIC:
106 /* Host that wrote it has our byte order, and was running
107 a program using either standard or ss990417 libpcap. */
108 byte_swapped = FALSE;
109 modified = FALSE;
110 wth->tsprecision = WTAP_FILE_TSPREC_USEC;
111 break;
112
113 case PCAP_MODIFIED_MAGIC:
114 /* Host that wrote it has our byte order, and was running
115 a program using either ss990915 or ss991029 libpcap. */
116 byte_swapped = FALSE;
117 modified = TRUE;
118 wth->tsprecision = WTAP_FILE_TSPREC_USEC;
119 break;
120
121 case PCAP_SWAPPED_MAGIC:
122 /* Host that wrote it has a byte order opposite to ours,
123 and was running a program using either standard or
124 ss990417 libpcap. */
125 byte_swapped = TRUE;
126 modified = FALSE;
127 wth->tsprecision = WTAP_FILE_TSPREC_USEC;
128 break;
129
130 case PCAP_SWAPPED_MODIFIED_MAGIC:
131 /* Host that wrote it out has a byte order opposite to
132 ours, and was running a program using either ss990915
133 or ss991029 libpcap. */
134 byte_swapped = TRUE;
135 modified = TRUE;
136 wth->tsprecision = WTAP_FILE_TSPREC_USEC;
137 break;
138
139 case PCAP_NSEC_MAGIC:
140 /* Host that wrote it has our byte order, and was writing
141 the file in a format similar to standard libpcap
142 except that the time stamps have nanosecond resolution. */
143 byte_swapped = FALSE;
144 modified = FALSE;
145 wth->tsprecision = WTAP_FILE_TSPREC_NSEC;
146 break;
147
148 case PCAP_SWAPPED_NSEC_MAGIC:
149 /* Host that wrote it out has a byte order opposite to
150 ours, and was writing the file in a format similar to
151 standard libpcap except that the time stamps have
152 nanosecond resolution. */
153 byte_swapped = TRUE;
154 modified = FALSE;
155 wth->tsprecision = WTAP_FILE_TSPREC_NSEC;
156 break;
157
158 default:
159 /* Not a "libpcap" type we know about. */
160 return 0;
161 }
162
163 /* Read the rest of the header. */
164 errno = WTAP_ERR_CANT_READ;
165 bytes_read = file_read(&hdr, sizeof hdr, wth->fh);
166 if (bytes_read != sizeof hdr) {
167 *err = file_error(wth->fh, err_info);
168 if (*err == 0)
169 *err = WTAP_ERR_SHORT_READ;
170 return -1;
171 }
172
173 if (byte_swapped) {
174 /* Byte-swap the header fields about which we care. */
175 hdr.version_major = BSWAP16(hdr.version_major);
176 hdr.version_minor = BSWAP16(hdr.version_minor);
177 hdr.snaplen = BSWAP32(hdr.snaplen);
178 hdr.network = BSWAP32(hdr.network);
179 }
180 if (hdr.version_major < 2) {
181 /* We only support version 2.0 and later. */
182 *err = WTAP_ERR_UNSUPPORTED;
183 *err_info = g_strdup_printf("pcap: major version %u unsupported",
184 hdr.version_major);
185 return -1;
186 }
187
188 /*
189 * AIX's non-standard tcpdump uses a minor version number of 2.
190 * Unfortunately, older versions of libpcap might have used
191 * that as well.
192 *
193 * The AIX libpcap uses RFC 1573 ifType values rather than
194 * DLT_ values in the header; the ifType values for LAN devices
195 * are:
196 *
197 * Ethernet 6
198 * Token Ring 9
199 * FDDI 15
200 *
201 * which correspond to DLT_IEEE802 (used for Token Ring),
202 * DLT_PPP, and DLT_SLIP_BSDOS, respectively. The ifType value
203 * for a loopback interface is 24, which currently isn't
204 * used by any version of libpcap I know about (and, as
205 * tcpdump.org are assigning DLT_ values above 100, and
206 * NetBSD started assigning values starting at 50, and
207 * the values chosen by other libpcaps appear to stop at
208 * 19, it's probably not going to be used by any libpcap
209 * in the future).
210 *
211 * We shall assume that if the minor version number is 2, and
212 * the network type is 6, 9, 15, or 24, that it's AIX libpcap.
213 *
214 * I'm assuming those older versions of libpcap didn't
215 * use DLT_IEEE802 for Token Ring, and didn't use DLT_SLIP_BSDOS
216 * as that came later. It may have used DLT_PPP, however, in
217 * which case we're out of luck; we assume it's Token Ring
218 * in AIX libpcap rather than PPP in standard libpcap, as
219 * you're probably more likely to be handing an AIX libpcap
220 * token-ring capture than an old (pre-libpcap 0.4) PPP capture
221 * to Wireshark.
222 */
223 aix = FALSE; /* assume it's not AIX */
224 if (hdr.version_major == 2 && hdr.version_minor == 2) {
225 switch (hdr.network) {
226
227 case 6:
228 hdr.network = 1; /* DLT_EN10MB, Ethernet */
229 aix = TRUE;
230 break;
231
232 case 9:
233 hdr.network = 6; /* DLT_IEEE802, Token Ring */
234 aix = TRUE;
235 break;
236
237 case 15:
238 hdr.network = 10; /* DLT_FDDI, FDDI */
239 aix = TRUE;
240 break;
241
242 case 24:
243 hdr.network = 0; /* DLT_NULL, loopback */
244 aix = TRUE;
245 break;
246 }
247 }
248
249 file_encap = wtap_pcap_encap_to_wtap_encap(hdr.network);
250 if (file_encap == WTAP_ENCAP_UNKNOWN) {
251 *err = WTAP_ERR_UNSUPPORTED_ENCAP;
252 *err_info = g_strdup_printf("pcap: network type %u unknown or unsupported",
253 hdr.network);
254 return -1;
255 }
256
257 /* This is a libpcap file */
258 libpcap = (libpcap_t *)g_malloc(sizeof(libpcap_t));
259 libpcap->byte_swapped = byte_swapped;
260 libpcap->version_major = hdr.version_major;
261 libpcap->version_minor = hdr.version_minor;
262 wth->priv = (void *)libpcap;
263 wth->subtype_read = libpcap_read;
264 wth->subtype_seek_read = libpcap_seek_read;
265 wth->file_encap = file_encap;
266 wth->snapshot_length = hdr.snaplen;
267
268 /* In file format version 2.3, the order of the "incl_len" and
269 "orig_len" fields in the per-packet header was reversed,
270 in order to match the BPF header layout.
271
272 Therefore, in files with versions prior to that, we must swap
273 those two fields.
274
275 Unfortunately, some files were, according to a comment in the
276 "libpcap" source, written with version 2.3 in their headers
277 but without the interchanged fields, so if "incl_len" is
278 greater than "orig_len" - which would make no sense - we
279 assume that we need to swap them in version 2.3 files
280 as well.
281
282 In addition, DG/UX's tcpdump uses version 543.0, and writes
283 the two fields in the pre-2.3 order. */
284 switch (hdr.version_major) {
285
286 case 2:
287 if (hdr.version_minor < 3)
288 libpcap->lengths_swapped = SWAPPED;
289 else if (hdr.version_minor == 3)
290 libpcap->lengths_swapped = MAYBE_SWAPPED;
291 else
292 libpcap->lengths_swapped = NOT_SWAPPED;
293 break;
294
295 case 543:
296 libpcap->lengths_swapped = SWAPPED;
297 break;
298
299 default:
300 libpcap->lengths_swapped = NOT_SWAPPED;
301 break;
302 }
303
304 /*
305 * Is this AIX format?
306 */
307 if (aix) {
308 /*
309 * Yes. Skip all the tests for other mutant formats,
310 * and for the ERF link-layer header type, and set the
311 * precision to nanosecond precision.
312 */
313 wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_PCAP_AIX;
314 wth->tsprecision = WTAP_FILE_TSPREC_NSEC;
315 return 1;
316 }
317
318 /*
319 * No. Let's look at the header for the first record,
320 * and see if, interpreting it as a standard header (if the
321 * magic number was standard) or a modified header (if the
322 * magic number was modified), the position where it says the
323 * header for the *second* record is contains a corrupted header.
324 *
325 * If so, then:
326 *
327 * If this file had the standard magic number, it may be
328 * an ss990417 capture file - in that version of Alexey's
329 * patch, the packet header format was changed but the
330 * magic number wasn't, and, alas, Red Hat appear to have
331 * picked up that version of the patch for RH 6.1, meaning
332 * RH 6.1 has a tcpdump that writes out files that can't
333 * be read by any software that expects non-modified headers
334 * if the magic number isn't the modified magic number (e.g.,
335 * any normal version of tcpdump, and Wireshark if we don't
336 * do this gross heuristic).
337 *
338 * If this file had the modified magic number, it may be
339 * an ss990915 capture file - in that version of Alexey's
340 * patch, the magic number was changed, but the record
341 * header had some extra fields, and, alas, SuSE appear
342 * to have picked up that version of the patch for SuSE
343 * 6.3, meaning that programs expecting the standard per-
344 * packet header in captures with the modified magic number
345 * can't read dumps from its tcpdump.
346 *
347 * Oh, and if it has the standard magic number, it might, instead,
348 * be a Nokia libpcap file, so we may need to try that if
349 * neither normal nor ss990417 headers work.
350 */
351 if (modified) {
352 /*
353 * Well, we have the magic number from Alexey's
354 * later two patches.
355 *
356 * Try ss991029, the last of his patches, first.
357 */
358 wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_PCAP_SS991029;
359 first_packet_offset = file_tell(wth->fh);
360 switch (libpcap_try(wth, err)) {
361
362 case BAD_READ:
363 /*
364 * Well, we couldn't even read it.
365 * Give up.
366 */
367 return -1;
368
369 case THIS_FORMAT:
370 /*
371 * Well, it looks as if it might be 991029.
372 * Put the seek pointer back, and finish.
373 */
374 if (file_seek(wth->fh, first_packet_offset, SEEK_SET, err) == -1) {
375 return -1;
376 }
377 goto done;
378
379 case OTHER_FORMAT:
380 /*
381 * Try the next format.
382 */
383 break;
384 }
385
386 /*
387 * Well, it's not completely unreadable,
388 * but it's not ss991029. Try ss990915;
389 * there are no other types to try after that,
390 * so we put the seek pointer back and treat
391 * it as 990915.
392 */
393 wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_PCAP_SS990915;
394 if (file_seek(wth->fh, first_packet_offset, SEEK_SET, err) == -1) {
395 return -1;
396 }
397 } else {
398 /*
399 * Well, we have the standard magic number.
400 *
401 * Try the standard format first.
402 */
403 if(wth->tsprecision == WTAP_FILE_TSPREC_NSEC) {
404 wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_PCAP_NSEC;
405 } else {
406 wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_PCAP;
407 }
408 first_packet_offset = file_tell(wth->fh);
409 switch (libpcap_try(wth, err)) {
410
411 case BAD_READ:
412 /*
413 * Well, we couldn't even read it.
414 * Give up.
415 */
416 return -1;
417
418 case THIS_FORMAT:
419 /*
420 * Well, it looks as if it might be a standard
421 * libpcap file.
422 * Put the seek pointer back, and finish.
423 */
424 if (file_seek(wth->fh, first_packet_offset, SEEK_SET, err) == -1) {
425 return -1;
426 }
427 goto done;
428
429 case OTHER_FORMAT:
430 /*
431 * Try the next format.
432 */
433 break;
434 }
435
436 /*
437 * Well, it's not completely unreadable, but it's not
438 * a standard file. Put the seek pointer back and try
439 * ss990417.
440 */
441 wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_PCAP_SS990417;
442 if (file_seek(wth->fh, first_packet_offset, SEEK_SET, err) == -1) {
443 return -1;
444 }
445 switch (libpcap_try(wth, err)) {
446
447 case BAD_READ:
448 /*
449 * Well, we couldn't even read it.
450 * Give up.
451 */
452 return -1;
453
454 case THIS_FORMAT:
455 /*
456 * Well, it looks as if it might be ss990417.
457 * Put the seek pointer back, and finish.
458 */
459 if (file_seek(wth->fh, first_packet_offset, SEEK_SET, err) == -1) {
460 return -1;
461 }
462 goto done;
463
464 case OTHER_FORMAT:
465 /*
466 * Try the next format.
467 */
468 break;
469 }
470
471 /*
472 * Well, it's not completely unreadable,
473 * but it's not a standard file *nor* is it ss990417.
474 * Try it as a Nokia file; there are no other types
475 * to try after that, so we put the seek pointer back
476 * and treat it as a Nokia file.
477 */
478 wth->file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_PCAP_NOKIA;
479 if (file_seek(wth->fh, first_packet_offset, SEEK_SET, err) == -1) {
480 return -1;
481 }
482 }
483
484 done:
485 /*
486 * We treat a DLT_ value of 13 specially - it appears that in
487 * Nokia libpcap format, it's some form of ATM with what I
488 * suspect is a pseudo-header (even though Nokia's IPSO is
489 * based on FreeBSD, which #defines DLT_SLIP_BSDOS as 13).
490 *
491 * If this is a Nokia capture, treat 13 as WTAP_ENCAP_ATM_PDUS,
492 * rather than as what we normally treat it.
493 */
494 if (wth->file_type_subtype == WTAP_FILE_TYPE_SUBTYPE_PCAP_NOKIA && hdr.network == 13)
495 wth->file_encap = WTAP_ENCAP_ATM_PDUS;
496
497 if (wth->file_encap == WTAP_ENCAP_ERF) {
498 /*
499 * Populate set of interface IDs for ERF format.
500 * Currently, this *has* to be done at open time.
501 */
502 erf_populate_interfaces(wth);
503 }
504 return 1;
505 }
506
507 /* Try to read the first two records of the capture file. */
508 static libpcap_try_t libpcap_try(wtap *wth, int *err)
509 {
510 /*
511 * pcaprec_ss990915_hdr is the largest header type.
512 */
513 struct pcaprec_ss990915_hdr first_rec_hdr, second_rec_hdr;
514
515
516 /*
517 * Attempt to read the first record's header.
518 */
519 if (libpcap_read_header(wth, wth->fh, err, NULL, &first_rec_hdr) == -1) {
520 if (*err == 0 || *err == WTAP_ERR_SHORT_READ) {
521 /*
522 * EOF or short read - assume the file is in this
523 * format.
524 * When our client tries to read the first packet
525 * they will presumably get the same EOF or short
526 * read.
527 */
528 return THIS_FORMAT;
529 }
530
531 if (*err == WTAP_ERR_BAD_FILE) {
532 /*
533 * The first record is bogus, so this is probably
534 * a corrupt file. Assume the file is in this
535 * format. When our client tries to read the
536 * first packet they will presumably get the
537 * same bogus record.
538 */
539 return THIS_FORMAT;
540 }
541
542 /*
543 * Some other error, e.g. an I/O error; just give up.
544 */
545 return BAD_READ;
546 }
547
548 /*
549 * Now skip over the first record's data, under the assumption
550 * that the header is sane.
551 */
552 if (file_seek(wth->fh, first_rec_hdr.hdr.incl_len, SEEK_CUR, err) == -1)
553 return BAD_READ;
554
555 /*
556 * Now attempt to read the second record's header.
557 */
558 if (libpcap_read_header(wth, wth->fh, err, NULL, &second_rec_hdr) == -1) {
559 if (*err == 0 || *err == WTAP_ERR_SHORT_READ) {
560 /*
561 * EOF or short read - assume the file is in this
562 * format.
563 * When our client tries to read the second packet
564 * they will presumably get the same EOF or short
565 * read.
566 */
567 return THIS_FORMAT;
568 }
569
570 if (*err == WTAP_ERR_BAD_FILE) {
571 /*
572 * The second record is bogus; maybe it's a
573 * Capture File From Hell, and what looks like
574 * the "header" of the next packet is actually
575 * random junk from the middle of a packet.
576 * Try the next format; if we run out of formats,
577 * it probably *is* a corrupt file.
578 */
579 return OTHER_FORMAT;
580 }
581
582 /*
583 * Some other error, e.g. an I/O error; just give up.
584 */
585 return BAD_READ;
586 }
587
588 /*
589 * OK, the first two records look OK; assume this is the
590 * right format.
591 */
592 return THIS_FORMAT;
593 }
594
595 /* Read the next packet */
596 static gboolean libpcap_read(wtap *wth, int *err, gchar **err_info,
597 gint64 *data_offset)
598 {
599 *data_offset = file_tell(wth->fh);
600
601 return libpcap_read_packet(wth, wth->fh, &wth->phdr,
602 wth->frame_buffer, err, err_info);
603 }
604
605 static gboolean
606 libpcap_seek_read(wtap *wth, gint64 seek_off, struct wtap_pkthdr *phdr,
607 Buffer *buf, int length _U_, int *err, gchar **err_info)
608 {
609 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
610 return FALSE;
611
612 if (!libpcap_read_packet(wth, wth->random_fh, phdr, buf, err,
613 err_info)) {
614 if (*err == 0)
615 *err = WTAP_ERR_SHORT_READ;
616 return FALSE;
617 }
618 return TRUE;
619 }
620
621 static gboolean
622 libpcap_read_packet(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr,
623 Buffer *buf, int *err, gchar **err_info)
624 {
625 struct pcaprec_ss990915_hdr hdr;
626 guint packet_size;
627 guint orig_size;
628 int bytes_read;
629 int phdr_len;
630 libpcap_t *libpcap;
631
632 bytes_read = libpcap_read_header(wth, fh, err, err_info, &hdr);
633 if (bytes_read == -1) {
634 /*
635 * We failed to read the header.
636 */
637 return FALSE;
638 }
639
640 packet_size = hdr.hdr.incl_len;
641 orig_size = hdr.hdr.orig_len;
642
643 /*
644 * AIX appears to put 3 bytes of padding in front of FDDI
645 * frames; strip that crap off.
646 */
647 if (wth->file_type_subtype == WTAP_FILE_TYPE_SUBTYPE_PCAP_AIX &&
648 (wth->file_encap == WTAP_ENCAP_FDDI ||
649 wth->file_encap == WTAP_ENCAP_FDDI_BITSWAPPED)) {
650 /*
651 * The packet size is really a record size and includes
652 * the padding.
653 */
654 packet_size -= 3;
655 orig_size -= 3;
656
657 /*
658 * Skip the padding.
659 */
660 if (!file_skip(fh, 3, err))
661 return FALSE;
662 }
663
664 phdr_len = pcap_process_pseudo_header(fh, wth->file_type_subtype,
665 wth->file_encap, packet_size, TRUE, phdr, err, err_info);
666 if (phdr_len < 0)
667 return FALSE; /* error */
668
669 /*
670 * Don't count any pseudo-header as part of the packet.
671 */
672 orig_size -= phdr_len;
673 packet_size -= phdr_len;
674
675 phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
676
677 /* Update the timestamp, if not already done */
678 if (wth->file_encap != WTAP_ENCAP_ERF) {
679 phdr->ts.secs = hdr.hdr.ts_sec;
680 if (wth->tsprecision == WTAP_FILE_TSPREC_NSEC)
681 phdr->ts.nsecs = hdr.hdr.ts_usec;
682 else
683 phdr->ts.nsecs = hdr.hdr.ts_usec * 1000;
684 } else {
685 /* Set interface ID for ERF format */
686 phdr->presence_flags |= WTAP_HAS_INTERFACE_ID;
687 phdr->interface_id = phdr->pseudo_header.erf.phdr.flags & 0x03;
688 }
689 phdr->caplen = packet_size;
690 phdr->len = orig_size;
691
692 /*
693 * Read the packet data.
694 */
695 if (!wtap_read_packet_bytes(fh, buf, packet_size, err, err_info))
696 return FALSE; /* failed */
697
698 libpcap = (libpcap_t *)wth->priv;
699 pcap_read_post_process(wth->file_type_subtype, wth->file_encap,
700 &phdr->pseudo_header, buffer_start_ptr(buf), packet_size,
701 libpcap->byte_swapped, -1);
702 return TRUE;
703 }
704
705 /* Read the header of the next packet.
706
707 Return -1 on an error, or the number of bytes of header read on success. */
708 static int libpcap_read_header(wtap *wth, FILE_T fh, int *err, gchar **err_info,
709 struct pcaprec_ss990915_hdr *hdr)
710 {
711 int bytes_to_read, bytes_read;
712
713 /* Read record header. */
714 errno = WTAP_ERR_CANT_READ;
715 switch (wth->file_type_subtype) {
716
717 case WTAP_FILE_TYPE_SUBTYPE_PCAP:
718 case WTAP_FILE_TYPE_SUBTYPE_PCAP_AIX:
719 case WTAP_FILE_TYPE_SUBTYPE_PCAP_NSEC:
720 bytes_to_read = sizeof (struct pcaprec_hdr);
721 break;
722
723 case WTAP_FILE_TYPE_SUBTYPE_PCAP_SS990417:
724 case WTAP_FILE_TYPE_SUBTYPE_PCAP_SS991029:
725 bytes_to_read = sizeof (struct pcaprec_modified_hdr);
726 break;
727
728 case WTAP_FILE_TYPE_SUBTYPE_PCAP_SS990915:
729 bytes_to_read = sizeof (struct pcaprec_ss990915_hdr);
730 break;
731
732 case WTAP_FILE_TYPE_SUBTYPE_PCAP_NOKIA:
733 bytes_to_read = sizeof (struct pcaprec_nokia_hdr);
734 break;
735
736 default:
737 g_assert_not_reached();
738 bytes_to_read = 0;
739 }
740 bytes_read = file_read(hdr, bytes_to_read, fh);
741 if (bytes_read != bytes_to_read) {
742 *err = file_error(fh, err_info);
743 if (*err == 0 && bytes_read != 0) {
744 *err = WTAP_ERR_SHORT_READ;
745 }
746 return -1;
747 }
748
749 adjust_header(wth, &hdr->hdr);
750
751 if (hdr->hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
752 /*
753 * Probably a corrupt capture file; return an error,
754 * so that our caller doesn't blow up trying to allocate
755 * space for an immensely-large packet, and so that
756 * the code to try to guess what type of libpcap file
757 * this is can tell when it's not the type we're guessing
758 * it is.
759 */
760 *err = WTAP_ERR_BAD_FILE;
761 if (err_info != NULL) {
762 *err_info = g_strdup_printf("pcap: File has %u-byte packet, bigger than maximum of %u",
763 hdr->hdr.incl_len, WTAP_MAX_PACKET_SIZE);
764 }
765 return -1;
766 }
767
768 /* Disabling because this is not a fatal error, and packets that have
769 * one such packet probably have thousands. For discussion, see
770 * https://www.wireshark.org/lists/wireshark-dev/201307/msg00076.html
771 * and related messages.
772 *
773 * The packet contents will be copied to a Buffer, which expands
774 * as necessary to hold the contents; we don't have to worry
775 * about fixed-length buffers allocated based on the original
776 * snapshot length. */
777 #if 0
778 if (hdr->hdr.incl_len > wth->snapshot_length) {
779 g_warning("pcap: File has packet larger than file's snapshot length.");
780 }
781 #endif
782
783 return bytes_read;
784 }
785
786 static void
787 adjust_header(wtap *wth, struct pcaprec_hdr *hdr)
788 {
789 guint32 temp;
790 libpcap_t *libpcap;
791
792 libpcap = (libpcap_t *)wth->priv;
793 if (libpcap->byte_swapped) {
794 /* Byte-swap the record header fields. */
795 hdr->ts_sec = BSWAP32(hdr->ts_sec);
796 hdr->ts_usec = BSWAP32(hdr->ts_usec);
797 hdr->incl_len = BSWAP32(hdr->incl_len);
798 hdr->orig_len = BSWAP32(hdr->orig_len);
799 }
800
801 /* Swap the "incl_len" and "orig_len" fields, if necessary. */
802 switch (libpcap->lengths_swapped) {
803
804 case NOT_SWAPPED:
805 break;
806
807 case MAYBE_SWAPPED:
808 if (hdr->incl_len <= hdr->orig_len) {
809 /*
810 * The captured length is <= the actual length,
811 * so presumably they weren't swapped.
812 */
813 break;
814 }
815 /* FALLTHROUGH */
816
817 case SWAPPED:
818 temp = hdr->orig_len;
819 hdr->orig_len = hdr->incl_len;
820 hdr->incl_len = temp;
821 break;
822 }
823 }
824
825 /* Returns 0 if we could write the specified encapsulation type,
826 an error indication otherwise. */
827 int libpcap_dump_can_write_encap(int encap)
828 {
829 /* Per-packet encapsulations aren't supported. */
830 if (encap == WTAP_ENCAP_PER_PACKET)
831 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
832
833 if (wtap_wtap_encap_to_pcap_encap(encap) == -1)
834 return WTAP_ERR_UNSUPPORTED_ENCAP;
835
836 return 0;
837 }
838
839 /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
840 failure */
841 gboolean libpcap_dump_open(wtap_dumper *wdh, int *err)
842 {
843 guint32 magic;
844 struct pcap_hdr file_hdr;
845
846 /* This is a libpcap file */
847 wdh->subtype_write = libpcap_dump;
848 wdh->subtype_close = NULL;
849
850 /* Write the file header. */
851 switch (wdh->file_type_subtype) {
852
853 case WTAP_FILE_TYPE_SUBTYPE_PCAP:
854 case WTAP_FILE_TYPE_SUBTYPE_PCAP_SS990417: /* modified, but with the old magic, sigh */
855 case WTAP_FILE_TYPE_SUBTYPE_PCAP_NOKIA: /* Nokia libpcap of some sort */
856 magic = PCAP_MAGIC;
857 wdh->tsprecision = WTAP_FILE_TSPREC_USEC;
858 break;
859
860 case WTAP_FILE_TYPE_SUBTYPE_PCAP_SS990915: /* new magic, extra crap */
861 case WTAP_FILE_TYPE_SUBTYPE_PCAP_SS991029:
862 magic = PCAP_MODIFIED_MAGIC;
863 wdh->tsprecision = WTAP_FILE_TSPREC_USEC;
864 break;
865
866 case WTAP_FILE_TYPE_SUBTYPE_PCAP_NSEC: /* same as WTAP_FILE_TYPE_SUBTYPE_PCAP, but nsec precision */
867 magic = PCAP_NSEC_MAGIC;
868 wdh->tsprecision = WTAP_FILE_TSPREC_NSEC;
869 break;
870
871 default:
872 /* We should never get here - our open routine
873 should only get called for the types above. */
874 *err = WTAP_ERR_UNSUPPORTED_FILE_TYPE;
875 return FALSE;
876 }
877
878 if (!wtap_dump_file_write(wdh, &magic, sizeof magic, err))
879 return FALSE;
880 wdh->bytes_dumped += sizeof magic;
881
882 /* current "libpcap" format is 2.4 */
883 file_hdr.version_major = 2;
884 file_hdr.version_minor = 4;
885 file_hdr.thiszone = 0; /* XXX - current offset? */
886 file_hdr.sigfigs = 0; /* unknown, but also apparently unused */
887 /*
888 * Tcpdump cannot handle capture files with a snapshot length of 0,
889 * as BPF filters return either 0 if they fail or the snapshot length
890 * if they succeed, and a snapshot length of 0 means success is
891 * indistinguishable from failure and the filter expression would
892 * reject all packets.
893 *
894 * A snapshot length of 0, inside Wiretap, means "snapshot length
895 * unknown"; if the snapshot length supplied to us is 0, we make
896 * the snapshot length in the header file WTAP_MAX_PACKET_SIZE.
897 */
898 file_hdr.snaplen = (wdh->snaplen != 0) ? wdh->snaplen :
899 WTAP_MAX_PACKET_SIZE;
900 file_hdr.network = wtap_wtap_encap_to_pcap_encap(wdh->encap);
901 if (!wtap_dump_file_write(wdh, &file_hdr, sizeof file_hdr, err))
902 return FALSE;
903 wdh->bytes_dumped += sizeof file_hdr;
904
905 return TRUE;
906 }
907
908 /* Write a record for a packet to a dump file.
909 Returns TRUE on success, FALSE on failure. */
910 static gboolean libpcap_dump(wtap_dumper *wdh,
911 const struct wtap_pkthdr *phdr,
912 const guint8 *pd, int *err)
913 {
914 const union wtap_pseudo_header *pseudo_header = &phdr->pseudo_header;
915 struct pcaprec_ss990915_hdr rec_hdr;
916 size_t hdr_size;
917 int phdrsize;
918
919 phdrsize = pcap_get_phdr_size(wdh->encap, pseudo_header);
920
921 rec_hdr.hdr.ts_sec = (guint32) phdr->ts.secs;
922 if(wdh->tsprecision == WTAP_FILE_TSPREC_NSEC) {
923 rec_hdr.hdr.ts_usec = phdr->ts.nsecs;
924 } else {
925 rec_hdr.hdr.ts_usec = phdr->ts.nsecs / 1000;
926 }
927 rec_hdr.hdr.incl_len = phdr->caplen + phdrsize;
928 rec_hdr.hdr.orig_len = phdr->len + phdrsize;
929
930 if (rec_hdr.hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
931 *err = WTAP_ERR_BAD_FILE;
932 return FALSE;
933 }
934
935 switch (wdh->file_type_subtype) {
936
937 case WTAP_FILE_TYPE_SUBTYPE_PCAP:
938 case WTAP_FILE_TYPE_SUBTYPE_PCAP_NSEC:
939 hdr_size = sizeof (struct pcaprec_hdr);
940 break;
941
942 case WTAP_FILE_TYPE_SUBTYPE_PCAP_SS990417: /* modified, but with the old magic, sigh */
943 case WTAP_FILE_TYPE_SUBTYPE_PCAP_SS991029:
944 /* XXX - what should we supply here?
945
946 Alexey's "libpcap" looks up the interface in the system's
947 interface list if "ifindex" is non-zero, and prints
948 the interface name. It ignores "protocol", and uses
949 "pkt_type" to tag the packet as "host", "broadcast",
950 "multicast", "other host", "outgoing", or "none of the
951 above", but that's it.
952
953 If the capture we're writing isn't a modified or
954 RH 6.1 capture, we'd have to do some work to
955 generate the packet type and interface index - and
956 we can't generate the interface index unless we
957 just did the capture ourselves in any case.
958
959 I'm inclined to continue to punt; systems other than
960 those with the older patch can read standard "libpcap"
961 files, and systems with the older patch, e.g. RH 6.1,
962 will just have to live with this. */
963 rec_hdr.ifindex = 0;
964 rec_hdr.protocol = 0;
965 rec_hdr.pkt_type = 0;
966 hdr_size = sizeof (struct pcaprec_modified_hdr);
967 break;
968
969 case WTAP_FILE_TYPE_SUBTYPE_PCAP_SS990915: /* new magic, extra crap at the end */
970 rec_hdr.ifindex = 0;
971 rec_hdr.protocol = 0;
972 rec_hdr.pkt_type = 0;
973 rec_hdr.cpu1 = 0;
974 rec_hdr.cpu2 = 0;
975 hdr_size = sizeof (struct pcaprec_ss990915_hdr);
976 break;
977
978 case WTAP_FILE_TYPE_SUBTYPE_PCAP_NOKIA: /* old magic, extra crap at the end */
979 /* restore the "mysterious stuff" that came with the packet */
980 memcpy(&rec_hdr.ifindex, pseudo_header->nokia.stuff, 4);
981 /* not written */
982 rec_hdr.protocol = 0;
983 rec_hdr.pkt_type = 0;
984 rec_hdr.cpu1 = 0;
985 rec_hdr.cpu2 = 0;
986 hdr_size = sizeof (struct pcaprec_nokia_hdr);
987 break;
988
989 default:
990 /* We should never get here - our open routine
991 should only get called for the types above. */
992 g_assert_not_reached();
993 *err = WTAP_ERR_UNSUPPORTED_FILE_TYPE;
994 return FALSE;
995 }
996
997 if (!wtap_dump_file_write(wdh, &rec_hdr, hdr_size, err))
998 return FALSE;
999 wdh->bytes_dumped += hdr_size;
1000
1001 if (!pcap_write_phdr(wdh, wdh->encap, pseudo_header, err))
1002 return FALSE;
1003
1004 if (!wtap_dump_file_write(wdh, pd, phdr->caplen, err))
1005 return FALSE;
1006 wdh->bytes_dumped += phdr->caplen;
1007 return TRUE;
1008 }