The data contained in this repository can be downloaded to your computer using one of several clients.
Please see the documentation of your version control software client for more information.
Please select the desired protocol below to get the URL.
This URL has Read-Only access.
main_repo / wiretap / libpcap.c @ master
History | View | Annotate | Download (27.8 KB)
| 1 | 2925fdc2 | Mr. Scottbert | /* libpcap.c
|
|---|---|---|---|
| 2 | *
|
||
| 3 | * $Id$
|
||
| 4 | *
|
||
| 5 | * Wiretap Library
|
||
| 6 | * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
|
||
| 7 | *
|
||
| 8 | * This program is free software; you can redistribute it and/or
|
||
| 9 | * modify it under the terms of the GNU General Public License
|
||
| 10 | * as published by the Free Software Foundation; either version 2
|
||
| 11 | * of the License, or (at your option) any later version.
|
||
| 12 | *
|
||
| 13 | * This program is distributed in the hope that it will be useful,
|
||
| 14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
| 15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
| 16 | * GNU General Public License for more details.
|
||
| 17 | *
|
||
| 18 | * You should have received a copy of the GNU General Public License
|
||
| 19 | * along with this program; if not, write to the Free Software
|
||
| 20 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||
| 21 | */
|
||
| 22 | |||
| 23 | #include "config.h" |
||
| 24 | |||
| 25 | #include <stdlib.h> |
||
| 26 | #include <string.h> |
||
| 27 | #include <errno.h> |
||
| 28 | #include "wtap-int.h" |
||
| 29 | #include "file_wrappers.h" |
||
| 30 | #include "buffer.h" |
||
| 31 | #include "pcap-common.h" |
||
| 32 | #include "pcap-encap.h" |
||
| 33 | #include "libpcap.h" |
||
| 34 | #include "erf.h" |
||
| 35 | |||
| 36 | /* See source to the "libpcap" library for information on the "libpcap"
|
||
| 37 | file format. */
|
||
| 38 | |||
| 39 | /*
|
||
| 40 | * Private per-wtap_t data needed to read a file.
|
||
| 41 | */
|
||
| 42 | typedef enum { |
||
| 43 | NOT_SWAPPED, |
||
| 44 | SWAPPED, |
||
| 45 | MAYBE_SWAPPED |
||
| 46 | } swapped_type_t; |
||
| 47 | |||
| 48 | typedef struct { |
||
| 49 | gboolean byte_swapped; |
||
| 50 | swapped_type_t lengths_swapped; |
||
| 51 | guint16 version_major; |
||
| 52 | guint16 version_minor; |
||
| 53 | } libpcap_t; |
||
| 54 | |||
| 55 | /* On some systems, the FDDI MAC addresses are bit-swapped. */
|
||
| 56 | #if !defined(ultrix) && !defined(__alpha) && !defined(__bsdi__)
|
||
| 57 | #define BIT_SWAPPED_MAC_ADDRS
|
||
| 58 | #endif
|
||
| 59 | |||
| 60 | /* Try to read the first two records of the capture file. */
|
||
| 61 | typedef enum { |
||
| 62 | THIS_FORMAT, /* the reads succeeded, assume it's this format */
|
||
| 63 | BAD_READ, /* the file is probably not valid */
|
||
| 64 | OTHER_FORMAT /* the file may be valid, but not in this format */
|
||
| 65 | } libpcap_try_t; |
||
| 66 | static libpcap_try_t libpcap_try(wtap *wth, int *err); |
||
| 67 | |||
| 68 | static gboolean libpcap_read(wtap *wth, int *err, gchar **err_info, |
||
| 69 | gint64 *data_offset); |
||
| 70 | static gboolean libpcap_seek_read(wtap *wth, gint64 seek_off,
|
||
| 71 | struct wtap_pkthdr *phdr, Buffer *buf, int length, |
||
| 72 | int *err, gchar **err_info);
|
||
| 73 | static int libpcap_read_header(wtap *wth, FILE_T fh, int *err, gchar **err_info, |
||
| 74 | struct pcaprec_ss990915_hdr *hdr);
|
||
| 75 | static void adjust_header(wtap *wth, struct pcaprec_hdr *hdr); |
||
| 76 | static gboolean libpcap_read_packet(wtap *wth, FILE_T fh,
|
||
| 77 | struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info); |
||
| 78 | static gboolean libpcap_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr, |
||
| 79 | const guint8 *pd, int *err); |
||
| 80 | |||
| 81 | int libpcap_open(wtap *wth, int *err, gchar **err_info) |
||
| 82 | {
|
||
| 83 | int bytes_read;
|
||
| 84 | guint32 magic; |
||
| 85 | struct pcap_hdr hdr;
|
||
| 86 | gboolean byte_swapped; |
||
| 87 | gboolean modified; |
||
| 88 | gboolean aix; |
||
| 89 | int file_encap;
|
||
| 90 | gint64 first_packet_offset; |
||
| 91 | libpcap_t *libpcap; |
||
| 92 | |||
| 93 | /* Read in the number that should be at the start of a "libpcap" file */
|
||
| 94 | errno = WTAP_ERR_CANT_READ; |
||
| 95 | bytes_read = file_read(&magic, sizeof magic, wth->fh);
|
||
| 96 | if (bytes_read != sizeof magic) { |
||
| 97 | *err = file_error(wth->fh, err_info); |
||
| 98 | if (*err != 0 && *err != WTAP_ERR_SHORT_READ) |
||
| 99 | return -1; |
||
| 100 | return 0; |
||
| 101 | } |
||
| 102 | |||
| 103 | switch (magic) {
|
||
| 104 | |||
| 105 | case PCAP_MAGIC:
|
||
| 106 | /* Host that wrote it has our byte order, and was running
|
||
| 107 | a program using either standard or ss990417 libpcap. */
|
||
| 108 | byte_swapped = FALSE; |
||
| 109 | modified = FALSE; |
||
| 110 | wth->tsprecision = WTAP_FILE_TSPREC_USEC; |
||
| 111 | break;
|
||
| 112 | |||
| 113 | case PCAP_MODIFIED_MAGIC:
|
||
| 114 | /* Host that wrote it has our byte order, and was running
|
||
| 115 | a program using either ss990915 or ss991029 libpcap. */
|
||
| 116 | byte_swapped = FALSE; |
||
| 117 | modified = TRUE; |
||
| 118 | wth->tsprecision = WTAP_FILE_TSPREC_USEC; |
||
| 119 | break;
|
||
| 120 | |||
| 121 | case PCAP_SWAPPED_MAGIC:
|
||
| 122 | /* Host that wrote it has a byte order opposite to ours,
|
||
| 123 | and was running a program using either standard or
|
||
| 124 | ss990417 libpcap. */
|
||
| 125 | byte_swapped = TRUE; |
||
| 126 | modified = FALSE; |
||
| 127 | wth->tsprecision = WTAP_FILE_TSPREC_USEC; |
||
| 128 | break;
|
||
| 129 | |||
| 130 | case PCAP_SWAPPED_MODIFIED_MAGIC:
|
||
| 131 | /* Host that wrote it out has a byte order opposite to
|
||
| 132 | ours, and was running a program using either ss990915
|
||
| 133 | or ss991029 libpcap. */
|
||
| 134 | byte_swapped = TRUE; |
||
| 135 | modified = TRUE; |
||
| 136 | wth->tsprecision = WTAP_FILE_TSPREC_USEC; |
||
| 137 | break;
|
||
| 138 | |||
| 139 | case PCAP_NSEC_MAGIC:
|
||
| 140 | /* Host that wrote it has our byte order, and was writing
|
||
| 141 | the file in a format similar to standard libpcap
|
||
| 142 | except that the time stamps have nanosecond resolution. */
|
||
| 143 | byte_swapped = FALSE; |
||
| 144 | modified = FALSE; |
||
| 145 | wth->tsprecision = WTAP_FILE_TSPREC_NSEC; |
||
| 146 | break;
|
||
| 147 | |||
| 148 | case PCAP_SWAPPED_NSEC_MAGIC:
|
||
| 149 | /* Host that wrote it out has a byte order opposite to
|
||
| 150 | ours, and was writing the file in a format similar to
|
||
| 151 | standard libpcap except that the time stamps have
|
||
| 152 | nanosecond resolution. */
|
||
| 153 | byte_swapped = TRUE; |
||
| 154 | modified = FALSE; |
||
| 155 | wth->tsprecision = WTAP_FILE_TSPREC_NSEC; |
||
| 156 | break;
|
||
| 157 | |||
| 158 | default:
|
||
| 159 | /* Not a "libpcap" type we know about. */
|
||
| 160 | return 0; |
||
| 161 | } |
||
| 162 | |||
| 163 | /* Read the rest of the header. */
|
||
| 164 | errno = WTAP_ERR_CANT_READ; |
||
| 165 | bytes_read = file_read(&hdr, sizeof hdr, wth->fh);
|
||
| 166 | if (bytes_read != sizeof hdr) { |
||
| 167 | *err = file_error(wth->fh, err_info); |
||
| 168 | if (*err == 0) |
||
| 169 | *err = WTAP_ERR_SHORT_READ; |
||
| 170 | return -1; |
||
| 171 | } |
||
| 172 | |||
| 173 | if (byte_swapped) {
|
||
| 174 | /* Byte-swap the header fields about which we care. */
|
||
| 175 | hdr.version_major = BSWAP16(hdr.version_major); |
||
| 176 | hdr.version_minor = BSWAP16(hdr.version_minor); |
||
| 177 | hdr.snaplen = BSWAP32(hdr.snaplen); |
||
| 178 | hdr.network = BSWAP32(hdr.network); |
||
| 179 | } |
||
| 180 | if (hdr.version_major < 2) { |
||
| 181 | /* We only support version 2.0 and later. */
|
||
| 182 | *err = WTAP_ERR_UNSUPPORTED; |
||
| 183 | *err_info = g_strdup_printf("pcap: major version %u unsupported",
|
||
| 184 | hdr.version_major); |
||
| 185 | return -1; |
||
| 186 | } |
||
| 187 | |||
| 188 | /*
|
||
| 189 | * AIX's non-standard tcpdump uses a minor version number of 2.
|
||
| 190 | * Unfortunately, older versions of libpcap might have used
|
||
| 191 | * that as well.
|
||
| 192 | *
|
||
| 193 | * The AIX libpcap uses RFC 1573 ifType values rather than
|
||
| 194 | * DLT_ values in the header; the ifType values for LAN devices
|
||
| 195 | * are:
|
||
| 196 | *
|
||
| 197 | * Ethernet 6
|
||
| 198 | * Token Ring 9
|
||
| 199 | * FDDI 15
|
||
| 200 | *
|
||
| 201 | * which correspond to DLT_IEEE802 (used for Token Ring),
|
||
| 202 | * DLT_PPP, and DLT_SLIP_BSDOS, respectively. The ifType value
|
||
| 203 | * for a loopback interface is 24, which currently isn't
|
||
| 204 | * used by any version of libpcap I know about (and, as
|
||
| 205 | * tcpdump.org are assigning DLT_ values above 100, and
|
||
| 206 | * NetBSD started assigning values starting at 50, and
|
||
| 207 | * the values chosen by other libpcaps appear to stop at
|
||
| 208 | * 19, it's probably not going to be used by any libpcap
|
||
| 209 | * in the future).
|
||
| 210 | *
|
||
| 211 | * We shall assume that if the minor version number is 2, and
|
||
| 212 | * the network type is 6, 9, 15, or 24, that it's AIX libpcap.
|
||
| 213 | *
|
||
| 214 | * I'm assuming those older versions of libpcap didn't
|
||
| 215 | * use DLT_IEEE802 for Token Ring, and didn't use DLT_SLIP_BSDOS
|
||
| 216 | * as that came later. It may have used DLT_PPP, however, in
|
||
| 217 | * which case we're out of luck; we assume it's Token Ring
|
||
| 218 | * in AIX libpcap rather than PPP in standard libpcap, as
|
||
| 219 | * you're probably more likely to be handing an AIX libpcap
|
||
| 220 | * token-ring capture than an old (pre-libpcap 0.4) PPP capture
|
||
| 221 | * to Wireshark.
|
||
| 222 | */
|
||
| 223 | aix = FALSE; /* assume it's not AIX */
|
||
| 224 | if (hdr.version_major == 2 && hdr.version_minor == 2) { |
||
| 225 | switch (hdr.network) {
|
||
| 226 | |||
| 227 | case 6: |
||
| 228 | hdr.network = 1; /* DLT_EN10MB, Ethernet */ |
||
| 229 | aix = TRUE; |
||
| 230 | break;
|
||
| 231 | |||
| 232 | case 9: |
||
| 233 | hdr.network = 6; /* DLT_IEEE802, Token Ring */ |
||
| 234 | aix = TRUE; |
||
| 235 | break;
|
||
| 236 | |||
| 237 | case 15: |
||
| 238 | hdr.network = 10; /* DLT_FDDI, FDDI */ |
||
| 239 | aix = TRUE; |
||
| 240 | break;
|
||
| 241 | |||
| 242 | case 24: |
||
| 243 | hdr.network = 0; /* DLT_NULL, loopback */ |
||
| 244 | aix = TRUE; |
||
| 245 | break;
|
||
| 246 | } |
||
| 247 | } |
||
| 248 | |||
| 249 | file_encap = wtap_pcap_encap_to_wtap_encap(hdr.network); |
||
| 250 | if (file_encap == WTAP_ENCAP_UNKNOWN) {
|
||
| 251 | *err = WTAP_ERR_UNSUPPORTED_ENCAP; |
||
| 252 | *err_info = g_strdup_printf("pcap: network type %u unknown or unsupported",
|
||
| 253 | hdr.network); |
||
| 254 | return -1; |
||
| 255 | } |
||
| 256 | |||
| 257 | /* This is a libpcap file */
|
||
| 258 | libpcap = (libpcap_t *)g_malloc(sizeof(libpcap_t));
|
||
| 259 | libpcap->byte_swapped = byte_swapped; |
||
| 260 | libpcap->version_major = hdr.version_major; |
||
| 261 | libpcap->version_minor = hdr.version_minor; |
||
| 262 | wth->priv = (void *)libpcap;
|
||
| 263 | wth->subtype_read = libpcap_read; |
||
| 264 | wth->subtype_seek_read = libpcap_seek_read; |
||
| 265 | wth->file_encap = file_encap; |
||
| 266 | wth->snapshot_length = hdr.snaplen; |
||
| 267 | |||
| 268 | /* In file format version 2.3, the order of the "incl_len" and
|
||
| 269 | "orig_len" fields in the per-packet header was reversed,
|
||
| 270 | in order to match the BPF header layout.
|
||
| 271 | |||
| 272 | Therefore, in files with versions prior to that, we must swap
|
||
| 273 | those two fields.
|
||
| 274 | |||
| 275 | Unfortunately, some files were, according to a comment in the
|
||
| 276 | "libpcap" source, written with version 2.3 in their headers
|
||
| 277 | but without the interchanged fields, so if "incl_len" is
|
||
| 278 | greater than "orig_len" - which would make no sense - we
|
||
| 279 | assume that we need to swap them in version 2.3 files
|
||
| 280 | as well.
|
||
| 281 | |||
| 282 | In addition, DG/UX's tcpdump uses version 543.0, and writes
|
||
| 283 | the two fields in the pre-2.3 order. */
|
||
| 284 | switch (hdr.version_major) {
|
||
| 285 | |||
| 286 | case 2: |
||
| 287 | if (hdr.version_minor < 3) |
||
| 288 | libpcap->lengths_swapped = SWAPPED; |
||
| 289 | else if (hdr.version_minor == 3) |
||
| 290 | libpcap->lengths_swapped = MAYBE_SWAPPED; |
||
| 291 | else
|
||
| 292 | libpcap->lengths_swapped = NOT_SWAPPED; |
||
| 293 | break;
|
||
| 294 | |||
| 295 | case 543: |
||
| 296 | libpcap->lengths_swapped = SWAPPED; |
||
| 297 | break;
|
||
| 298 | |||
| 299 | default:
|
||
| 300 | libpcap->lengths_swapped = NOT_SWAPPED; |
||
| 301 | break;
|
||
| 302 | } |
||
| 303 | |||
| 304 | /*
|
||
| 305 | * Is this AIX format?
|
||
| 306 | */
|
||
| 307 | if (aix) {
|
||
| 308 | /*
|
||
| 309 | * Yes. Skip all the tests for other mutant formats,
|
||
| 310 | * and for the ERF link-layer header type, and set the
|
||
| 311 | * precision to nanosecond precision.
|
||
| 312 | */
|
||
| 313 | wth->file_type = WTAP_FILE_PCAP_AIX; |
||
| 314 | wth->tsprecision = WTAP_FILE_TSPREC_NSEC; |
||
| 315 | return 1; |
||
| 316 | } |
||
| 317 | |||
| 318 | /*
|
||
| 319 | * No. Let's look at the header for the first record,
|
||
| 320 | * and see if, interpreting it as a standard header (if the
|
||
| 321 | * magic number was standard) or a modified header (if the
|
||
| 322 | * magic number was modified), the position where it says the
|
||
| 323 | * header for the *second* record is contains a corrupted header.
|
||
| 324 | *
|
||
| 325 | * If so, then:
|
||
| 326 | *
|
||
| 327 | * If this file had the standard magic number, it may be
|
||
| 328 | * an ss990417 capture file - in that version of Alexey's
|
||
| 329 | * patch, the packet header format was changed but the
|
||
| 330 | * magic number wasn't, and, alas, Red Hat appear to have
|
||
| 331 | * picked up that version of the patch for RH 6.1, meaning
|
||
| 332 | * RH 6.1 has a tcpdump that writes out files that can't
|
||
| 333 | * be read by any software that expects non-modified headers
|
||
| 334 | * if the magic number isn't the modified magic number (e.g.,
|
||
| 335 | * any normal version of tcpdump, and Wireshark if we don't
|
||
| 336 | * do this gross heuristic).
|
||
| 337 | *
|
||
| 338 | * If this file had the modified magic number, it may be
|
||
| 339 | * an ss990915 capture file - in that version of Alexey's
|
||
| 340 | * patch, the magic number was changed, but the record
|
||
| 341 | * header had some extra fields, and, alas, SuSE appear
|
||
| 342 | * to have picked up that version of the patch for SuSE
|
||
| 343 | * 6.3, meaning that programs expecting the standard per-
|
||
| 344 | * packet header in captures with the modified magic number
|
||
| 345 | * can't read dumps from its tcpdump.
|
||
| 346 | *
|
||
| 347 | * Oh, and if it has the standard magic number, it might, instead,
|
||
| 348 | * be a Nokia libpcap file, so we may need to try that if
|
||
| 349 | * neither normal nor ss990417 headers work.
|
||
| 350 | */
|
||
| 351 | if (modified) {
|
||
| 352 | /*
|
||
| 353 | * Well, we have the magic number from Alexey's
|
||
| 354 | * later two patches.
|
||
| 355 | *
|
||
| 356 | * Try ss991029, the last of his patches, first.
|
||
| 357 | */
|
||
| 358 | wth->file_type = WTAP_FILE_PCAP_SS991029; |
||
| 359 | first_packet_offset = file_tell(wth->fh); |
||
| 360 | switch (libpcap_try(wth, err)) {
|
||
| 361 | |||
| 362 | case BAD_READ:
|
||
| 363 | /*
|
||
| 364 | * Well, we couldn't even read it.
|
||
| 365 | * Give up.
|
||
| 366 | */
|
||
| 367 | return -1; |
||
| 368 | |||
| 369 | case THIS_FORMAT:
|
||
| 370 | /*
|
||
| 371 | * Well, it looks as if it might be 991029.
|
||
| 372 | * Put the seek pointer back, and finish.
|
||
| 373 | */
|
||
| 374 | if (file_seek(wth->fh, first_packet_offset, SEEK_SET, err) == -1) { |
||
| 375 | return -1; |
||
| 376 | } |
||
| 377 | goto done;
|
||
| 378 | |||
| 379 | case OTHER_FORMAT:
|
||
| 380 | /*
|
||
| 381 | * Try the next format.
|
||
| 382 | */
|
||
| 383 | break;
|
||
| 384 | } |
||
| 385 | |||
| 386 | /*
|
||
| 387 | * Well, it's not completely unreadable,
|
||
| 388 | * but it's not ss991029. Try ss990915;
|
||
| 389 | * there are no other types to try after that,
|
||
| 390 | * so we put the seek pointer back and treat
|
||
| 391 | * it as 990915.
|
||
| 392 | */
|
||
| 393 | wth->file_type = WTAP_FILE_PCAP_SS990915; |
||
| 394 | if (file_seek(wth->fh, first_packet_offset, SEEK_SET, err) == -1) { |
||
| 395 | return -1; |
||
| 396 | } |
||
| 397 | } else {
|
||
| 398 | /*
|
||
| 399 | * Well, we have the standard magic number.
|
||
| 400 | *
|
||
| 401 | * Try the standard format first.
|
||
| 402 | */
|
||
| 403 | if(wth->tsprecision == WTAP_FILE_TSPREC_NSEC) {
|
||
| 404 | wth->file_type = WTAP_FILE_PCAP_NSEC; |
||
| 405 | } else {
|
||
| 406 | wth->file_type = WTAP_FILE_PCAP; |
||
| 407 | } |
||
| 408 | first_packet_offset = file_tell(wth->fh); |
||
| 409 | switch (libpcap_try(wth, err)) {
|
||
| 410 | |||
| 411 | case BAD_READ:
|
||
| 412 | /*
|
||
| 413 | * Well, we couldn't even read it.
|
||
| 414 | * Give up.
|
||
| 415 | */
|
||
| 416 | return -1; |
||
| 417 | |||
| 418 | case THIS_FORMAT:
|
||
| 419 | /*
|
||
| 420 | * Well, it looks as if it might be a standard
|
||
| 421 | * libpcap file.
|
||
| 422 | * Put the seek pointer back, and finish.
|
||
| 423 | */
|
||
| 424 | if (file_seek(wth->fh, first_packet_offset, SEEK_SET, err) == -1) { |
||
| 425 | return -1; |
||
| 426 | } |
||
| 427 | goto done;
|
||
| 428 | |||
| 429 | case OTHER_FORMAT:
|
||
| 430 | /*
|
||
| 431 | * Try the next format.
|
||
| 432 | */
|
||
| 433 | break;
|
||
| 434 | } |
||
| 435 | |||
| 436 | /*
|
||
| 437 | * Well, it's not completely unreadable, but it's not
|
||
| 438 | * a standard file. Put the seek pointer back and try
|
||
| 439 | * ss990417.
|
||
| 440 | */
|
||
| 441 | wth->file_type = WTAP_FILE_PCAP_SS990417; |
||
| 442 | if (file_seek(wth->fh, first_packet_offset, SEEK_SET, err) == -1) { |
||
| 443 | return -1; |
||
| 444 | } |
||
| 445 | switch (libpcap_try(wth, err)) {
|
||
| 446 | |||
| 447 | case BAD_READ:
|
||
| 448 | /*
|
||
| 449 | * Well, we couldn't even read it.
|
||
| 450 | * Give up.
|
||
| 451 | */
|
||
| 452 | return -1; |
||
| 453 | |||
| 454 | case THIS_FORMAT:
|
||
| 455 | /*
|
||
| 456 | * Well, it looks as if it might be ss990417.
|
||
| 457 | * Put the seek pointer back, and finish.
|
||
| 458 | */
|
||
| 459 | if (file_seek(wth->fh, first_packet_offset, SEEK_SET, err) == -1) { |
||
| 460 | return -1; |
||
| 461 | } |
||
| 462 | goto done;
|
||
| 463 | |||
| 464 | case OTHER_FORMAT:
|
||
| 465 | /*
|
||
| 466 | * Try the next format.
|
||
| 467 | */
|
||
| 468 | break;
|
||
| 469 | } |
||
| 470 | |||
| 471 | /*
|
||
| 472 | * Well, it's not completely unreadable,
|
||
| 473 | * but it's not a standard file *nor* is it ss990417.
|
||
| 474 | * Try it as a Nokia file; there are no other types
|
||
| 475 | * to try after that, so we put the seek pointer back
|
||
| 476 | * and treat it as a Nokia file.
|
||
| 477 | */
|
||
| 478 | wth->file_type = WTAP_FILE_PCAP_NOKIA; |
||
| 479 | if (file_seek(wth->fh, first_packet_offset, SEEK_SET, err) == -1) { |
||
| 480 | return -1; |
||
| 481 | } |
||
| 482 | } |
||
| 483 | |||
| 484 | done:
|
||
| 485 | /*
|
||
| 486 | * We treat a DLT_ value of 13 specially - it appears that in
|
||
| 487 | * Nokia libpcap format, it's some form of ATM with what I
|
||
| 488 | * suspect is a pseudo-header (even though Nokia's IPSO is
|
||
| 489 | * based on FreeBSD, which #defines DLT_SLIP_BSDOS as 13).
|
||
| 490 | *
|
||
| 491 | * If this is a Nokia capture, treat 13 as WTAP_ENCAP_ATM_PDUS,
|
||
| 492 | * rather than as what we normally treat it.
|
||
| 493 | */
|
||
| 494 | if (wth->file_type == WTAP_FILE_PCAP_NOKIA && hdr.network == 13) |
||
| 495 | wth->file_encap = WTAP_ENCAP_ATM_PDUS; |
||
| 496 | |||
| 497 | if (wth->file_encap == WTAP_ENCAP_ERF) {
|
||
| 498 | /*
|
||
| 499 | * Populate set of interface IDs for ERF format.
|
||
| 500 | * Currently, this *has* to be done at open time.
|
||
| 501 | */
|
||
| 502 | erf_populate_interfaces(wth); |
||
| 503 | } |
||
| 504 | return 1; |
||
| 505 | } |
||
| 506 | |||
| 507 | /* Try to read the first two records of the capture file. */
|
||
| 508 | static libpcap_try_t libpcap_try(wtap *wth, int *err) |
||
| 509 | {
|
||
| 510 | /*
|
||
| 511 | * pcaprec_ss990915_hdr is the largest header type.
|
||
| 512 | */
|
||
| 513 | struct pcaprec_ss990915_hdr first_rec_hdr, second_rec_hdr;
|
||
| 514 | |||
| 515 | |||
| 516 | /*
|
||
| 517 | * Attempt to read the first record's header.
|
||
| 518 | */
|
||
| 519 | if (libpcap_read_header(wth, wth->fh, err, NULL, &first_rec_hdr) == -1) { |
||
| 520 | if (*err == 0 || *err == WTAP_ERR_SHORT_READ) { |
||
| 521 | /*
|
||
| 522 | * EOF or short read - assume the file is in this
|
||
| 523 | * format.
|
||
| 524 | * When our client tries to read the first packet
|
||
| 525 | * they will presumably get the same EOF or short
|
||
| 526 | * read.
|
||
| 527 | */
|
||
| 528 | return THIS_FORMAT;
|
||
| 529 | } |
||
| 530 | |||
| 531 | if (*err == WTAP_ERR_BAD_FILE) {
|
||
| 532 | /*
|
||
| 533 | * The first record is bogus, so this is probably
|
||
| 534 | * a corrupt file. Assume the file is in this
|
||
| 535 | * format. When our client tries to read the
|
||
| 536 | * first packet they will presumably get the
|
||
| 537 | * same bogus record.
|
||
| 538 | */
|
||
| 539 | return THIS_FORMAT;
|
||
| 540 | } |
||
| 541 | |||
| 542 | /*
|
||
| 543 | * Some other error, e.g. an I/O error; just give up.
|
||
| 544 | */
|
||
| 545 | return BAD_READ;
|
||
| 546 | } |
||
| 547 | |||
| 548 | /*
|
||
| 549 | * Now skip over the first record's data, under the assumption
|
||
| 550 | * that the header is sane.
|
||
| 551 | */
|
||
| 552 | if (file_seek(wth->fh, first_rec_hdr.hdr.incl_len, SEEK_CUR, err) == -1) |
||
| 553 | return BAD_READ;
|
||
| 554 | |||
| 555 | /*
|
||
| 556 | * Now attempt to read the second record's header.
|
||
| 557 | */
|
||
| 558 | if (libpcap_read_header(wth, wth->fh, err, NULL, &second_rec_hdr) == -1) { |
||
| 559 | if (*err == 0 || *err == WTAP_ERR_SHORT_READ) { |
||
| 560 | /*
|
||
| 561 | * EOF or short read - assume the file is in this
|
||
| 562 | * format.
|
||
| 563 | * When our client tries to read the second packet
|
||
| 564 | * they will presumably get the same EOF or short
|
||
| 565 | * read.
|
||
| 566 | */
|
||
| 567 | return THIS_FORMAT;
|
||
| 568 | } |
||
| 569 | |||
| 570 | if (*err == WTAP_ERR_BAD_FILE) {
|
||
| 571 | /*
|
||
| 572 | * The second record is bogus; maybe it's a
|
||
| 573 | * Capture File From Hell, and what looks like
|
||
| 574 | * the "header" of the next packet is actually
|
||
| 575 | * random junk from the middle of a packet.
|
||
| 576 | * Try the next format; if we run out of formats,
|
||
| 577 | * it probably *is* a corrupt file.
|
||
| 578 | */
|
||
| 579 | return OTHER_FORMAT;
|
||
| 580 | } |
||
| 581 | |||
| 582 | /*
|
||
| 583 | * Some other error, e.g. an I/O error; just give up.
|
||
| 584 | */
|
||
| 585 | return BAD_READ;
|
||
| 586 | } |
||
| 587 | |||
| 588 | /*
|
||
| 589 | * OK, the first two records look OK; assume this is the
|
||
| 590 | * right format.
|
||
| 591 | */
|
||
| 592 | return THIS_FORMAT;
|
||
| 593 | } |
||
| 594 | |||
| 595 | /* Read the next packet */
|
||
| 596 | static gboolean libpcap_read(wtap *wth, int *err, gchar **err_info, |
||
| 597 | gint64 *data_offset) |
||
| 598 | {
|
||
| 599 | *data_offset = file_tell(wth->fh); |
||
| 600 | |||
| 601 | return libpcap_read_packet(wth, wth->fh, &wth->phdr,
|
||
| 602 | wth->frame_buffer, err, err_info); |
||
| 603 | } |
||
| 604 | |||
| 605 | static gboolean
|
||
| 606 | libpcap_seek_read(wtap *wth, gint64 seek_off, struct wtap_pkthdr *phdr,
|
||
| 607 | Buffer *buf, int length _U_, int *err, gchar **err_info) |
||
| 608 | {
|
||
| 609 | if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1) |
||
| 610 | return FALSE;
|
||
| 611 | |||
| 612 | if (!libpcap_read_packet(wth, wth->random_fh, phdr, buf, err,
|
||
| 613 | err_info)) {
|
||
| 614 | if (*err == 0) |
||
| 615 | *err = WTAP_ERR_SHORT_READ; |
||
| 616 | return FALSE;
|
||
| 617 | } |
||
| 618 | return TRUE;
|
||
| 619 | } |
||
| 620 | |||
| 621 | static gboolean
|
||
| 622 | libpcap_read_packet(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr,
|
||
| 623 | Buffer *buf, int *err, gchar **err_info)
|
||
| 624 | {
|
||
| 625 | struct pcaprec_ss990915_hdr hdr;
|
||
| 626 | guint packet_size; |
||
| 627 | guint orig_size; |
||
| 628 | int bytes_read;
|
||
| 629 | int phdr_len;
|
||
| 630 | libpcap_t *libpcap; |
||
| 631 | |||
| 632 | bytes_read = libpcap_read_header(wth, fh, err, err_info, &hdr); |
||
| 633 | if (bytes_read == -1) { |
||
| 634 | /*
|
||
| 635 | * We failed to read the header.
|
||
| 636 | */
|
||
| 637 | return FALSE;
|
||
| 638 | } |
||
| 639 | |||
| 640 | packet_size = hdr.hdr.incl_len; |
||
| 641 | orig_size = hdr.hdr.orig_len; |
||
| 642 | |||
| 643 | /*
|
||
| 644 | * AIX appears to put 3 bytes of padding in front of FDDI
|
||
| 645 | * frames; strip that crap off.
|
||
| 646 | */
|
||
| 647 | if (wth->file_type == WTAP_FILE_PCAP_AIX &&
|
||
| 648 | (wth->file_encap == WTAP_ENCAP_FDDI || |
||
| 649 | wth->file_encap == WTAP_ENCAP_FDDI_BITSWAPPED)) {
|
||
| 650 | /*
|
||
| 651 | * The packet size is really a record size and includes
|
||
| 652 | * the padding.
|
||
| 653 | */
|
||
| 654 | packet_size -= 3;
|
||
| 655 | orig_size -= 3;
|
||
| 656 | |||
| 657 | /*
|
||
| 658 | * Skip the padding.
|
||
| 659 | */
|
||
| 660 | if (!file_skip(fh, 3, err)) |
||
| 661 | return FALSE;
|
||
| 662 | } |
||
| 663 | |||
| 664 | phdr_len = pcap_process_pseudo_header(fh, wth->file_type, |
||
| 665 | wth->file_encap, packet_size, TRUE, phdr, err, err_info); |
||
| 666 | if (phdr_len < 0) |
||
| 667 | return FALSE; /* error */ |
||
| 668 | |||
| 669 | /*
|
||
| 670 | * Don't count any pseudo-header as part of the packet.
|
||
| 671 | */
|
||
| 672 | orig_size -= phdr_len; |
||
| 673 | packet_size -= phdr_len; |
||
| 674 | |||
| 675 | phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN; |
||
| 676 | |||
| 677 | /* Update the timestamp, if not already done */
|
||
| 678 | if (wth->file_encap != WTAP_ENCAP_ERF) {
|
||
| 679 | phdr->ts.secs = hdr.hdr.ts_sec; |
||
| 680 | if (wth->tsprecision == WTAP_FILE_TSPREC_NSEC)
|
||
| 681 | phdr->ts.nsecs = hdr.hdr.ts_usec; |
||
| 682 | else
|
||
| 683 | phdr->ts.nsecs = hdr.hdr.ts_usec * 1000;
|
||
| 684 | } else {
|
||
| 685 | /* Set interface ID for ERF format */
|
||
| 686 | phdr->presence_flags |= WTAP_HAS_INTERFACE_ID; |
||
| 687 | phdr->interface_id = phdr->pseudo_header.erf.phdr.flags & 0x03;
|
||
| 688 | } |
||
| 689 | phdr->caplen = packet_size; |
||
| 690 | phdr->len = orig_size; |
||
| 691 | |||
| 692 | /*
|
||
| 693 | * Read the packet data.
|
||
| 694 | */
|
||
| 695 | if (!wtap_read_packet_bytes(fh, buf, packet_size, err, err_info))
|
||
| 696 | return FALSE; /* failed */ |
||
| 697 | |||
| 698 | libpcap = (libpcap_t *)wth->priv; |
||
| 699 | pcap_read_post_process(wth->file_type, wth->file_encap, |
||
| 700 | &phdr->pseudo_header, buffer_start_ptr(buf), packet_size, |
||
| 701 | libpcap->byte_swapped, -1);
|
||
| 702 | return TRUE;
|
||
| 703 | } |
||
| 704 | |||
| 705 | /* Read the header of the next packet.
|
||
| 706 | |||
| 707 | Return -1 on an error, or the number of bytes of header read on success. */
|
||
| 708 | static int libpcap_read_header(wtap *wth, FILE_T fh, int *err, gchar **err_info, |
||
| 709 | struct pcaprec_ss990915_hdr *hdr)
|
||
| 710 | {
|
||
| 711 | int bytes_to_read, bytes_read;
|
||
| 712 | |||
| 713 | /* Read record header. */
|
||
| 714 | errno = WTAP_ERR_CANT_READ; |
||
| 715 | switch (wth->file_type) {
|
||
| 716 | |||
| 717 | case WTAP_FILE_PCAP:
|
||
| 718 | case WTAP_FILE_PCAP_AIX:
|
||
| 719 | case WTAP_FILE_PCAP_NSEC:
|
||
| 720 | bytes_to_read = sizeof (struct pcaprec_hdr); |
||
| 721 | break;
|
||
| 722 | |||
| 723 | case WTAP_FILE_PCAP_SS990417:
|
||
| 724 | case WTAP_FILE_PCAP_SS991029:
|
||
| 725 | bytes_to_read = sizeof (struct pcaprec_modified_hdr); |
||
| 726 | break;
|
||
| 727 | |||
| 728 | case WTAP_FILE_PCAP_SS990915:
|
||
| 729 | bytes_to_read = sizeof (struct pcaprec_ss990915_hdr); |
||
| 730 | break;
|
||
| 731 | |||
| 732 | case WTAP_FILE_PCAP_NOKIA:
|
||
| 733 | bytes_to_read = sizeof (struct pcaprec_nokia_hdr); |
||
| 734 | break;
|
||
| 735 | |||
| 736 | default:
|
||
| 737 | g_assert_not_reached(); |
||
| 738 | bytes_to_read = 0;
|
||
| 739 | } |
||
| 740 | bytes_read = file_read(hdr, bytes_to_read, fh); |
||
| 741 | if (bytes_read != bytes_to_read) {
|
||
| 742 | *err = file_error(fh, err_info); |
||
| 743 | if (*err == 0 && bytes_read != 0) { |
||
| 744 | *err = WTAP_ERR_SHORT_READ; |
||
| 745 | } |
||
| 746 | return -1; |
||
| 747 | } |
||
| 748 | |||
| 749 | adjust_header(wth, &hdr->hdr); |
||
| 750 | |||
| 751 | if (hdr->hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
|
||
| 752 | /*
|
||
| 753 | * Probably a corrupt capture file; return an error,
|
||
| 754 | * so that our caller doesn't blow up trying to allocate
|
||
| 755 | * space for an immensely-large packet, and so that
|
||
| 756 | * the code to try to guess what type of libpcap file
|
||
| 757 | * this is can tell when it's not the type we're guessing
|
||
| 758 | * it is.
|
||
| 759 | */
|
||
| 760 | *err = WTAP_ERR_BAD_FILE; |
||
| 761 | if (err_info != NULL) { |
||
| 762 | *err_info = g_strdup_printf("pcap: File has %u-byte packet, bigger than maximum of %u",
|
||
| 763 | hdr->hdr.incl_len, WTAP_MAX_PACKET_SIZE); |
||
| 764 | } |
||
| 765 | return -1; |
||
| 766 | } |
||
| 767 | |||
| 768 | /* Disabling because this is not a fatal error, and packets that have
|
||
| 769 | * one such packet probably have thousands. For discussion, see
|
||
| 770 | * https://www.wireshark.org/lists/wireshark-dev/201307/msg00076.html
|
||
| 771 | * and related messages.
|
||
| 772 | *
|
||
| 773 | * The packet contents will be copied to a Buffer, which expands
|
||
| 774 | * as necessary to hold the contents; we don't have to worry
|
||
| 775 | * about fixed-length buffers allocated based on the original
|
||
| 776 | * snapshot length. */
|
||
| 777 | #if 0
|
||
| 778 | if (hdr->hdr.incl_len > wth->snapshot_length) {
|
||
| 779 | g_warning("pcap: File has packet larger than file's snapshot length.");
|
||
| 780 | }
|
||
| 781 | #endif
|
||
| 782 | |||
| 783 | return bytes_read;
|
||
| 784 | } |
||
| 785 | |||
| 786 | static void |
||
| 787 | adjust_header(wtap *wth, struct pcaprec_hdr *hdr)
|
||
| 788 | {
|
||
| 789 | guint32 temp; |
||
| 790 | libpcap_t *libpcap; |
||
| 791 | |||
| 792 | libpcap = (libpcap_t *)wth->priv; |
||
| 793 | if (libpcap->byte_swapped) {
|
||
| 794 | /* Byte-swap the record header fields. */
|
||
| 795 | hdr->ts_sec = BSWAP32(hdr->ts_sec); |
||
| 796 | hdr->ts_usec = BSWAP32(hdr->ts_usec); |
||
| 797 | hdr->incl_len = BSWAP32(hdr->incl_len); |
||
| 798 | hdr->orig_len = BSWAP32(hdr->orig_len); |
||
| 799 | } |
||
| 800 | |||
| 801 | /* Swap the "incl_len" and "orig_len" fields, if necessary. */
|
||
| 802 | switch (libpcap->lengths_swapped) {
|
||
| 803 | |||
| 804 | case NOT_SWAPPED:
|
||
| 805 | break;
|
||
| 806 | |||
| 807 | case MAYBE_SWAPPED:
|
||
| 808 | if (hdr->incl_len <= hdr->orig_len) {
|
||
| 809 | /*
|
||
| 810 | * The captured length is <= the actual length,
|
||
| 811 | * so presumably they weren't swapped.
|
||
| 812 | */
|
||
| 813 | break;
|
||
| 814 | } |
||
| 815 | /* FALLTHROUGH */
|
||
| 816 | |||
| 817 | case SWAPPED:
|
||
| 818 | temp = hdr->orig_len; |
||
| 819 | hdr->orig_len = hdr->incl_len; |
||
| 820 | hdr->incl_len = temp; |
||
| 821 | break;
|
||
| 822 | } |
||
| 823 | } |
||
| 824 | |||
| 825 | /* Returns 0 if we could write the specified encapsulation type,
|
||
| 826 | an error indication otherwise. */
|
||
| 827 | int libpcap_dump_can_write_encap(int encap) |
||
| 828 | {
|
||
| 829 | /* Per-packet encapsulations aren't supported. */
|
||
| 830 | if (encap == WTAP_ENCAP_PER_PACKET)
|
||
| 831 | return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
|
||
| 832 | |||
| 833 | if (wtap_wtap_encap_to_pcap_encap(encap) == -1) |
||
| 834 | return WTAP_ERR_UNSUPPORTED_ENCAP;
|
||
| 835 | |||
| 836 | return 0; |
||
| 837 | } |
||
| 838 | |||
| 839 | /* Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
|
||
| 840 | failure */
|
||
| 841 | gboolean libpcap_dump_open(wtap_dumper *wdh, int *err)
|
||
| 842 | {
|
||
| 843 | guint32 magic; |
||
| 844 | struct pcap_hdr file_hdr;
|
||
| 845 | |||
| 846 | /* This is a libpcap file */
|
||
| 847 | wdh->subtype_write = libpcap_dump; |
||
| 848 | wdh->subtype_close = NULL;
|
||
| 849 | |||
| 850 | /* Write the file header. */
|
||
| 851 | switch (wdh->file_type) {
|
||
| 852 | |||
| 853 | case WTAP_FILE_PCAP:
|
||
| 854 | case WTAP_FILE_PCAP_SS990417: /* modified, but with the old magic, sigh */ |
||
| 855 | case WTAP_FILE_PCAP_NOKIA: /* Nokia libpcap of some sort */ |
||
| 856 | magic = PCAP_MAGIC; |
||
| 857 | wdh->tsprecision = WTAP_FILE_TSPREC_USEC; |
||
| 858 | break;
|
||
| 859 | |||
| 860 | case WTAP_FILE_PCAP_SS990915: /* new magic, extra crap */ |
||
| 861 | case WTAP_FILE_PCAP_SS991029:
|
||
| 862 | magic = PCAP_MODIFIED_MAGIC; |
||
| 863 | wdh->tsprecision = WTAP_FILE_TSPREC_USEC; |
||
| 864 | break;
|
||
| 865 | |||
| 866 | case WTAP_FILE_PCAP_NSEC: /* same as WTAP_FILE_PCAP, but nsec precision */ |
||
| 867 | magic = PCAP_NSEC_MAGIC; |
||
| 868 | wdh->tsprecision = WTAP_FILE_TSPREC_NSEC; |
||
| 869 | break;
|
||
| 870 | |||
| 871 | default:
|
||
| 872 | /* We should never get here - our open routine
|
||
| 873 | should only get called for the types above. */
|
||
| 874 | *err = WTAP_ERR_UNSUPPORTED_FILE_TYPE; |
||
| 875 | return FALSE;
|
||
| 876 | } |
||
| 877 | |||
| 878 | if (!wtap_dump_file_write(wdh, &magic, sizeof magic, err)) |
||
| 879 | return FALSE;
|
||
| 880 | wdh->bytes_dumped += sizeof magic;
|
||
| 881 | |||
| 882 | /* current "libpcap" format is 2.4 */
|
||
| 883 | file_hdr.version_major = 2;
|
||
| 884 | file_hdr.version_minor = 4;
|
||
| 885 | file_hdr.thiszone = 0; /* XXX - current offset? */ |
||
| 886 | file_hdr.sigfigs = 0; /* unknown, but also apparently unused */ |
||
| 887 | /*
|
||
| 888 | * Tcpdump cannot handle capture files with a snapshot length of 0,
|
||
| 889 | * as BPF filters return either 0 if they fail or the snapshot length
|
||
| 890 | * if they succeed, and a snapshot length of 0 means success is
|
||
| 891 | * indistinguishable from failure and the filter expression would
|
||
| 892 | * reject all packets.
|
||
| 893 | *
|
||
| 894 | * A snapshot length of 0, inside Wiretap, means "snapshot length
|
||
| 895 | * unknown"; if the snapshot length supplied to us is 0, we make
|
||
| 896 | * the snapshot length in the header file WTAP_MAX_PACKET_SIZE.
|
||
| 897 | */
|
||
| 898 | file_hdr.snaplen = (wdh->snaplen != 0) ? wdh->snaplen :
|
||
| 899 | WTAP_MAX_PACKET_SIZE; |
||
| 900 | file_hdr.network = wtap_wtap_encap_to_pcap_encap(wdh->encap); |
||
| 901 | if (!wtap_dump_file_write(wdh, &file_hdr, sizeof file_hdr, err)) |
||
| 902 | return FALSE;
|
||
| 903 | wdh->bytes_dumped += sizeof file_hdr;
|
||
| 904 | |||
| 905 | return TRUE;
|
||
| 906 | } |
||
| 907 | |||
| 908 | /* Write a record for a packet to a dump file.
|
||
| 909 | Returns TRUE on success, FALSE on failure. */
|
||
| 910 | static gboolean libpcap_dump(wtap_dumper *wdh,
|
||
| 911 | const struct wtap_pkthdr *phdr, |
||
| 912 | const guint8 *pd, int *err) |
||
| 913 | {
|
||
| 914 | const union wtap_pseudo_header *pseudo_header = &phdr->pseudo_header; |
||
| 915 | struct pcaprec_ss990915_hdr rec_hdr;
|
||
| 916 | size_t hdr_size; |
||
| 917 | int phdrsize;
|
||
| 918 | |||
| 919 | phdrsize = pcap_get_phdr_size(wdh->encap, pseudo_header); |
||
| 920 | |||
| 921 | rec_hdr.hdr.ts_sec = (guint32) phdr->ts.secs; |
||
| 922 | if(wdh->tsprecision == WTAP_FILE_TSPREC_NSEC) {
|
||
| 923 | rec_hdr.hdr.ts_usec = phdr->ts.nsecs; |
||
| 924 | } else {
|
||
| 925 | rec_hdr.hdr.ts_usec = phdr->ts.nsecs / 1000;
|
||
| 926 | } |
||
| 927 | rec_hdr.hdr.incl_len = phdr->caplen + phdrsize; |
||
| 928 | rec_hdr.hdr.orig_len = phdr->len + phdrsize; |
||
| 929 | |||
| 930 | if (rec_hdr.hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
|
||
| 931 | *err = WTAP_ERR_BAD_FILE; |
||
| 932 | return FALSE;
|
||
| 933 | } |
||
| 934 | |||
| 935 | switch (wdh->file_type) {
|
||
| 936 | |||
| 937 | case WTAP_FILE_PCAP:
|
||
| 938 | case WTAP_FILE_PCAP_NSEC:
|
||
| 939 | hdr_size = sizeof (struct pcaprec_hdr); |
||
| 940 | break;
|
||
| 941 | |||
| 942 | case WTAP_FILE_PCAP_SS990417: /* modified, but with the old magic, sigh */ |
||
| 943 | case WTAP_FILE_PCAP_SS991029:
|
||
| 944 | /* XXX - what should we supply here?
|
||
| 945 | |||
| 946 | Alexey's "libpcap" looks up the interface in the system's
|
||
| 947 | interface list if "ifindex" is non-zero, and prints
|
||
| 948 | the interface name. It ignores "protocol", and uses
|
||
| 949 | "pkt_type" to tag the packet as "host", "broadcast",
|
||
| 950 | "multicast", "other host", "outgoing", or "none of the
|
||
| 951 | above", but that's it.
|
||
| 952 | |||
| 953 | If the capture we're writing isn't a modified or
|
||
| 954 | RH 6.1 capture, we'd have to do some work to
|
||
| 955 | generate the packet type and interface index - and
|
||
| 956 | we can't generate the interface index unless we
|
||
| 957 | just did the capture ourselves in any case.
|
||
| 958 | |||
| 959 | I'm inclined to continue to punt; systems other than
|
||
| 960 | those with the older patch can read standard "libpcap"
|
||
| 961 | files, and systems with the older patch, e.g. RH 6.1,
|
||
| 962 | will just have to live with this. */
|
||
| 963 | rec_hdr.ifindex = 0;
|
||
| 964 | rec_hdr.protocol = 0;
|
||
| 965 | rec_hdr.pkt_type = 0;
|
||
| 966 | hdr_size = sizeof (struct pcaprec_modified_hdr); |
||
| 967 | break;
|
||
| 968 | |||
| 969 | case WTAP_FILE_PCAP_SS990915: /* new magic, extra crap at the end */ |
||
| 970 | rec_hdr.ifindex = 0;
|
||
| 971 | rec_hdr.protocol = 0;
|
||
| 972 | rec_hdr.pkt_type = 0;
|
||
| 973 | rec_hdr.cpu1 = 0;
|
||
| 974 | rec_hdr.cpu2 = 0;
|
||
| 975 | hdr_size = sizeof (struct pcaprec_ss990915_hdr); |
||
| 976 | break;
|
||
| 977 | |||
| 978 | case WTAP_FILE_PCAP_NOKIA: /* old magic, extra crap at the end */ |
||
| 979 | /* restore the "mysterious stuff" that came with the packet */
|
||
| 980 | memcpy(&rec_hdr.ifindex, pseudo_header->nokia.stuff, 4);
|
||
| 981 | /* not written */
|
||
| 982 | rec_hdr.protocol = 0;
|
||
| 983 | rec_hdr.pkt_type = 0;
|
||
| 984 | rec_hdr.cpu1 = 0;
|
||
| 985 | rec_hdr.cpu2 = 0;
|
||
| 986 | hdr_size = sizeof (struct pcaprec_nokia_hdr); |
||
| 987 | break;
|
||
| 988 | |||
| 989 | default:
|
||
| 990 | /* We should never get here - our open routine
|
||
| 991 | should only get called for the types above. */
|
||
| 992 | g_assert_not_reached(); |
||
| 993 | *err = WTAP_ERR_UNSUPPORTED_FILE_TYPE; |
||
| 994 | return FALSE;
|
||
| 995 | } |
||
| 996 | |||
| 997 | if (!wtap_dump_file_write(wdh, &rec_hdr, hdr_size, err))
|
||
| 998 | return FALSE;
|
||
| 999 | wdh->bytes_dumped += hdr_size; |
||
| 1000 | |||
| 1001 | if (!pcap_write_phdr(wdh, wdh->encap, pseudo_header, err))
|
||
| 1002 | return FALSE;
|
||
| 1003 | |||
| 1004 | if (!wtap_dump_file_write(wdh, pd, phdr->caplen, err))
|
||
| 1005 | return FALSE;
|
||
| 1006 | wdh->bytes_dumped += phdr->caplen; |
||
| 1007 | return TRUE;
|
||
| 1008 | } |