xref: /freebsd/contrib/libpcap/savefile.c (revision 74bf4e164ba5851606a27d4feff27717452583e5)
1 /*
2  * Copyright (c) 1993, 1994, 1995, 1996, 1997
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that: (1) source code distributions
7  * retain the above copyright notice and this paragraph in its entirety, (2)
8  * distributions including binary code include the above copyright notice and
9  * this paragraph in its entirety in the documentation or other materials
10  * provided with the distribution, and (3) all advertising materials mentioning
11  * features or use of this software display the following acknowledgement:
12  * ``This product includes software developed by the University of California,
13  * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14  * the University nor the names of its contributors may be used to endorse
15  * or promote products derived from this software without specific prior
16  * written permission.
17  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18  * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20  *
21  * savefile.c - supports offline use of tcpdump
22  *	Extraction/creation by Jeffrey Mogul, DECWRL
23  *	Modified by Steve McCanne, LBL.
24  *
25  * Used to save the received packet headers, after filtering, to
26  * a file, and then read them later.
27  * The first record in the file contains saved values for the machine
28  * dependent values so we can print the dump file on any architecture.
29  */
30 
31 #ifndef lint
32 static const char rcsid[] _U_ =
33     "@(#) $Header: /tcpdump/master/libpcap/savefile.c,v 1.92.2.11 2004/03/11 23:46:14 guy Exp $ (LBL)";
34 #endif
35 
36 #ifdef HAVE_CONFIG_H
37 #include "config.h"
38 #endif
39 
40 #include <errno.h>
41 #include <memory.h>
42 #include <stdio.h>
43 #include <stdlib.h>
44 #include <string.h>
45 
46 #include "pcap-int.h"
47 
48 #ifdef HAVE_OS_PROTO_H
49 #include "os-proto.h"
50 #endif
51 
52 #define TCPDUMP_MAGIC 0xa1b2c3d4
53 #define PATCHED_TCPDUMP_MAGIC 0xa1b2cd34
54 
55 /*
56  * We use the "receiver-makes-right" approach to byte order,
57  * because time is at a premium when we are writing the file.
58  * In other words, the pcap_file_header and pcap_pkthdr,
59  * records are written in host byte order.
60  * Note that the bytes of packet data are written out in the order in
61  * which they were received, so multi-byte fields in packets are not
62  * written in host byte order, they're written in whatever order the
63  * sending machine put them in.
64  *
65  * ntoh[ls] aren't sufficient because we might need to swap on a big-endian
66  * machine (if the file was written in little-end order).
67  */
68 #define	SWAPLONG(y) \
69 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
70 #define	SWAPSHORT(y) \
71 	( (((y)&0xff)<<8) | ((u_short)((y)&0xff00)>>8) )
72 
73 #define SFERR_TRUNC		1
74 #define SFERR_BADVERSION	2
75 #define SFERR_BADF		3
76 #define SFERR_EOF		4 /* not really an error, just a status */
77 
78 /*
79  * We don't write DLT_* values to the capture file header, because
80  * they're not the same on all platforms.
81  *
82  * Unfortunately, the various flavors of BSD have not always used the same
83  * numerical values for the same data types, and various patches to
84  * libpcap for non-BSD OSes have added their own DLT_* codes for link
85  * layer encapsulation types seen on those OSes, and those codes have had,
86  * in some cases, values that were also used, on other platforms, for other
87  * link layer encapsulation types.
88  *
89  * This means that capture files of a type whose numerical DLT_* code
90  * means different things on different BSDs, or with different versions
91  * of libpcap, can't always be read on systems other than those like
92  * the one running on the machine on which the capture was made.
93  *
94  * Instead, we define here a set of LINKTYPE_* codes, and map DLT_* codes
95  * to LINKTYPE_* codes when writing a savefile header, and map LINKTYPE_*
96  * codes to DLT_* codes when reading a savefile header.
97  *
98  * For those DLT_* codes that have, as far as we know, the same values on
99  * all platforms (DLT_NULL through DLT_FDDI), we define LINKTYPE_xxx as
100  * DLT_xxx; that way, captures of those types can still be read by
101  * versions of libpcap that map LINKTYPE_* values to DLT_* values, and
102  * captures of those types written by versions of libpcap that map DLT_
103  * values to LINKTYPE_ values can still be read by older versions
104  * of libpcap.
105  *
106  * The other LINKTYPE_* codes are given values starting at 100, in the
107  * hopes that no DLT_* code will be given one of those values.
108  *
109  * In order to ensure that a given LINKTYPE_* code's value will refer to
110  * the same encapsulation type on all platforms, you should not allocate
111  * a new LINKTYPE_* value without consulting "tcpdump-workers@tcpdump.org".
112  * The tcpdump developers will allocate a value for you, and will not
113  * subsequently allocate it to anybody else; that value will be added to
114  * the "pcap.h" in the tcpdump.org CVS repository, so that a future
115  * libpcap release will include it.
116  *
117  * You should, if possible, also contribute patches to libpcap and tcpdump
118  * to handle the new encapsulation type, so that they can also be checked
119  * into the tcpdump.org CVS repository and so that they will appear in
120  * future libpcap and tcpdump releases.
121  *
122  * Do *NOT* assume that any values after the largest value in this file
123  * are available; you might not have the most up-to-date version of this
124  * file, and new values after that one might have been assigned.  Also,
125  * do *NOT* use any values below 100 - those might already have been
126  * taken by one (or more!) organizations.
127  */
128 #define LINKTYPE_NULL		DLT_NULL
129 #define LINKTYPE_ETHERNET	DLT_EN10MB	/* also for 100Mb and up */
130 #define LINKTYPE_EXP_ETHERNET	DLT_EN3MB	/* 3Mb experimental Ethernet */
131 #define LINKTYPE_AX25		DLT_AX25
132 #define LINKTYPE_PRONET		DLT_PRONET
133 #define LINKTYPE_CHAOS		DLT_CHAOS
134 #define LINKTYPE_TOKEN_RING	DLT_IEEE802	/* DLT_IEEE802 is used for Token Ring */
135 #define LINKTYPE_ARCNET		DLT_ARCNET	/* BSD-style headers */
136 #define LINKTYPE_SLIP		DLT_SLIP
137 #define LINKTYPE_PPP		DLT_PPP
138 #define LINKTYPE_FDDI		DLT_FDDI
139 
140 /*
141  * LINKTYPE_PPP is for use when there might, or might not, be an RFC 1662
142  * PPP in HDLC-like framing header (with 0xff 0x03 before the PPP protocol
143  * field) at the beginning of the packet.
144  *
145  * This is for use when there is always such a header; the address field
146  * might be 0xff, for regular PPP, or it might be an address field for Cisco
147  * point-to-point with HDLC framing as per section 4.3.1 of RFC 1547 ("Cisco
148  * HDLC").  This is, for example, what you get with NetBSD's DLT_PPP_SERIAL.
149  *
150  * We give it the same value as NetBSD's DLT_PPP_SERIAL, in the hopes that
151  * nobody else will choose a DLT_ value of 50, and so that DLT_PPP_SERIAL
152  * captures will be written out with a link type that NetBSD's tcpdump
153  * can read.
154  */
155 #define LINKTYPE_PPP_HDLC	50		/* PPP in HDLC-like framing */
156 
157 #define LINKTYPE_PPP_ETHER	51		/* NetBSD PPP-over-Ethernet */
158 
159 /*
160  * This isn't supported in libpcap 0.8[.x], but is supported in the
161  * current CVS version; we include it here to note that it's not available
162  * for anybody else to use.
163  */
164 #define LINKTYPE_SYMANTEC_FIREWALL 99		/* Symantec Enterprise Firewall */
165 
166 #define LINKTYPE_ATM_RFC1483	100		/* LLC/SNAP-encapsulated ATM */
167 #define LINKTYPE_RAW		101		/* raw IP */
168 #define LINKTYPE_SLIP_BSDOS	102		/* BSD/OS SLIP BPF header */
169 #define LINKTYPE_PPP_BSDOS	103		/* BSD/OS PPP BPF header */
170 #define LINKTYPE_C_HDLC		104		/* Cisco HDLC */
171 #define LINKTYPE_IEEE802_11	105		/* IEEE 802.11 (wireless) */
172 #define LINKTYPE_ATM_CLIP	106		/* Linux Classical IP over ATM */
173 #define LINKTYPE_FRELAY		107		/* Frame Relay */
174 #define LINKTYPE_LOOP		108		/* OpenBSD loopback */
175 #define LINKTYPE_ENC		109		/* OpenBSD IPSEC enc */
176 
177 /*
178  * These three types are reserved for future use.
179  */
180 #define LINKTYPE_LANE8023	110		/* ATM LANE + 802.3 */
181 #define LINKTYPE_HIPPI		111		/* NetBSD HIPPI */
182 #define LINKTYPE_HDLC		112		/* NetBSD HDLC framing */
183 
184 #define LINKTYPE_LINUX_SLL	113		/* Linux cooked socket capture */
185 #define LINKTYPE_LTALK		114		/* Apple LocalTalk hardware */
186 #define LINKTYPE_ECONET		115		/* Acorn Econet */
187 
188 /*
189  * Reserved for use with OpenBSD ipfilter.
190  */
191 #define LINKTYPE_IPFILTER	116
192 
193 #define LINKTYPE_PFLOG		117		/* OpenBSD DLT_PFLOG */
194 #define LINKTYPE_CISCO_IOS	118		/* For Cisco-internal use */
195 #define LINKTYPE_PRISM_HEADER	119		/* 802.11+Prism II monitor mode */
196 #define LINKTYPE_AIRONET_HEADER	120		/* FreeBSD Aironet driver stuff */
197 
198 /*
199  * Reserved for Siemens HiPath HDLC.
200  */
201 #define LINKTYPE_HHDLC		121
202 
203 #define LINKTYPE_IP_OVER_FC	122		/* RFC 2625 IP-over-Fibre Channel */
204 #define LINKTYPE_SUNATM		123		/* Solaris+SunATM */
205 
206 /*
207  * Reserved as per request from Kent Dahlgren <kent@praesum.com>
208  * for private use.
209  */
210 #define LINKTYPE_RIO		124		/* RapidIO */
211 #define LINKTYPE_PCI_EXP	125		/* PCI Express */
212 #define LINKTYPE_AURORA		126		/* Xilinx Aurora link layer */
213 
214 #define LINKTYPE_IEEE802_11_RADIO 127		/* 802.11 plus BSD radio header */
215 
216 /*
217  * Reserved for the TZSP encapsulation, as per request from
218  * Chris Waters <chris.waters@networkchemistry.com>
219  * TZSP is a generic encapsulation for any other link type,
220  * which includes a means to include meta-information
221  * with the packet, e.g. signal strength and channel
222  * for 802.11 packets.
223  */
224 #define LINKTYPE_TZSP		128		/* Tazmen Sniffer Protocol */
225 
226 #define LINKTYPE_ARCNET_LINUX	129		/* Linux-style headers */
227 
228 /*
229  * Juniper-private data link types, as per request from
230  * Hannes Gredler <hannes@juniper.net>.  The corresponding
231  * DLT_s are used for passing on chassis-internal
232  * metainformation such as QOS profiles, etc..
233  */
234 #define LINKTYPE_JUNIPER_MLPPP  130
235 #define LINKTYPE_JUNIPER_MLFR   131
236 #define LINKTYPE_JUNIPER_ES     132
237 #define LINKTYPE_JUNIPER_GGSN   133
238 #define LINKTYPE_JUNIPER_MFR    134
239 #define LINKTYPE_JUNIPER_ATM2   135
240 #define LINKTYPE_JUNIPER_SERVICES 136
241 #define LINKTYPE_JUNIPER_ATM1   137
242 
243 #define LINKTYPE_APPLE_IP_OVER_IEEE1394 138	/* Apple IP-over-IEEE 1394 cooked header */
244 
245 #define LINKTYPE_RAWSS7         139             /* see rawss7.h for */
246 #define LINKTYPE_RAWSS7_MTP2    140	        /* information  on these */
247 #define LINKTYPE_RAWSS7_MTP3    141             /* definitions */
248 #define LINKTYPE_RAWSS7_SCCP    142
249 
250 /*
251  * This isn't supported in libpcap 0.8[.x], but is supported in the
252  * current CVS version; we include it here to note that it's not available
253  * for anybody else to use.
254  */
255 #define LINKTYPE_DOCSIS		143		/* DOCSIS MAC frames */
256 
257 #define LINKTYPE_LINUX_IRDA	144		/* Linux-IrDA */
258 
259 /*
260  * Reserved for IBM SP switch and IBM Next Federation switch.
261  */
262 #define LINKTYPE_IBM_SP		145
263 #define LINKTYPE_IBM_SN		146
264 
265 /*
266  * Reserved for private use.  If you have some link-layer header type
267  * that you want to use within your organization, with the capture files
268  * using that link-layer header type not ever be sent outside your
269  * organization, you can use these values.
270  *
271  * No libpcap release will use these for any purpose, nor will any
272  * tcpdump release use them, either.
273  *
274  * Do *NOT* use these in capture files that you expect anybody not using
275  * your private versions of capture-file-reading tools to read; in
276  * particular, do *NOT* use them in products, otherwise you may find that
277  * people won't be able to use tcpdump, or snort, or Ethereal, or... to
278  * read capture files from your firewall/intrusion detection/traffic
279  * monitoring/etc. appliance, or whatever product uses that LINKTYPE_ value,
280  * and you may also find that the developers of those applications will
281  * not accept patches to let them read those files.
282  *
283  * Also, do not use them if somebody might send you a capture using them
284  * for *their* private type and tools using them for *your* private type
285  * would have to read them.
286  *
287  * Instead, in those cases, ask "tcpdump-workers@tcpdump.org" for a new DLT_
288  * and LINKTYPE_ value, as per the comment in pcap-bpf.h, and use the type
289  * you're given.
290  */
291 #define LINKTYPE_USER0		147
292 #define LINKTYPE_USER1		148
293 #define LINKTYPE_USER2		149
294 #define LINKTYPE_USER3		150
295 #define LINKTYPE_USER4		151
296 #define LINKTYPE_USER5		152
297 #define LINKTYPE_USER6		153
298 #define LINKTYPE_USER7		154
299 #define LINKTYPE_USER8		155
300 #define LINKTYPE_USER9		156
301 #define LINKTYPE_USER10		157
302 #define LINKTYPE_USER11		158
303 #define LINKTYPE_USER12		159
304 #define LINKTYPE_USER13		160
305 #define LINKTYPE_USER14		161
306 #define LINKTYPE_USER15		162
307 
308 /*
309  * For future use with 802.11 captures - defined by AbsoluteValue
310  * Systems to store a number of bits of link-layer information
311  * including radio information:
312  *
313  *	http://www.shaftnet.org/~pizza/software/capturefrm.txt
314  *
315  * but could and arguably should also be used by non-AVS Linux
316  * 802.11 drivers; that may happen in the future.
317  */
318 #define LINKTYPE_IEEE802_11_RADIO_AVS 163	/* 802.11 plus AVS radio header */
319 
320 /*
321  * Juniper-private data link type, as per request from
322  * Hannes Gredler <hannes@juniper.net>.  The corresponding
323  * DLT_s are used for passing on chassis-internal
324  * metainformation such as QOS profiles, etc..
325  */
326 #define LINKTYPE_JUNIPER_MONITOR 164
327 
328 static struct linktype_map {
329 	int	dlt;
330 	int	linktype;
331 } map[] = {
332 	/*
333 	 * These DLT_* codes have LINKTYPE_* codes with values identical
334 	 * to the values of the corresponding DLT_* code.
335 	 */
336 	{ DLT_NULL,		LINKTYPE_NULL },
337 	{ DLT_EN10MB,		LINKTYPE_ETHERNET },
338 	{ DLT_EN3MB,		LINKTYPE_EXP_ETHERNET },
339 	{ DLT_AX25,		LINKTYPE_AX25 },
340 	{ DLT_PRONET,		LINKTYPE_PRONET },
341 	{ DLT_CHAOS,		LINKTYPE_CHAOS },
342 	{ DLT_IEEE802,		LINKTYPE_TOKEN_RING },
343 	{ DLT_ARCNET,		LINKTYPE_ARCNET },
344 	{ DLT_SLIP,		LINKTYPE_SLIP },
345 	{ DLT_PPP,		LINKTYPE_PPP },
346 	{ DLT_FDDI,	 	LINKTYPE_FDDI },
347 
348 	/*
349 	 * These DLT_* codes have different values on different
350 	 * platforms; we map them to LINKTYPE_* codes that
351 	 * have values that should never be equal to any DLT_*
352 	 * code.
353 	 */
354 #ifdef DLT_FR
355 	/* BSD/OS Frame Relay */
356 	{ DLT_FR,		LINKTYPE_FRELAY },
357 #endif
358 
359 	{ DLT_SYMANTEC_FIREWALL, LINKTYPE_SYMANTEC_FIREWALL },
360 	{ DLT_ATM_RFC1483, 	LINKTYPE_ATM_RFC1483 },
361 	{ DLT_RAW,		LINKTYPE_RAW },
362 	{ DLT_SLIP_BSDOS,	LINKTYPE_SLIP_BSDOS },
363 	{ DLT_PPP_BSDOS,	LINKTYPE_PPP_BSDOS },
364 
365 	/* BSD/OS Cisco HDLC */
366 	{ DLT_C_HDLC,		LINKTYPE_C_HDLC },
367 
368 	/*
369 	 * These DLT_* codes are not on all platforms, but, so far,
370 	 * there don't appear to be any platforms that define
371 	 * other codes with those values; we map them to
372 	 * different LINKTYPE_* values anyway, just in case.
373 	 */
374 
375 	/* Linux ATM Classical IP */
376 	{ DLT_ATM_CLIP,		LINKTYPE_ATM_CLIP },
377 
378 	/* NetBSD sync/async serial PPP (or Cisco HDLC) */
379 	{ DLT_PPP_SERIAL,	LINKTYPE_PPP_HDLC },
380 
381 	/* NetBSD PPP over Ethernet */
382 	{ DLT_PPP_ETHER,	LINKTYPE_PPP_ETHER },
383 
384 	/* IEEE 802.11 wireless */
385 	{ DLT_IEEE802_11,	LINKTYPE_IEEE802_11 },
386 
387 	/* Frame Relay */
388 	{ DLT_FRELAY,		LINKTYPE_FRELAY },
389 
390 	/* OpenBSD loopback */
391 	{ DLT_LOOP,		LINKTYPE_LOOP },
392 
393 	/* Linux cooked socket capture */
394 	{ DLT_LINUX_SLL,	LINKTYPE_LINUX_SLL },
395 
396 	/* Apple LocalTalk hardware */
397 	{ DLT_LTALK,		LINKTYPE_LTALK },
398 
399 	/* Acorn Econet */
400 	{ DLT_ECONET,		LINKTYPE_ECONET },
401 
402 	/* OpenBSD DLT_PFLOG */
403 	{ DLT_PFLOG,		LINKTYPE_PFLOG },
404 
405 	/* For Cisco-internal use */
406 	{ DLT_CISCO_IOS,	LINKTYPE_CISCO_IOS },
407 
408 	/* Prism II monitor-mode header plus 802.11 header */
409 	{ DLT_PRISM_HEADER,	LINKTYPE_PRISM_HEADER },
410 
411 	/* FreeBSD Aironet driver stuff */
412 	{ DLT_AIRONET_HEADER,	LINKTYPE_AIRONET_HEADER },
413 
414 	/* Siemens HiPath HDLC */
415 	{ DLT_HHDLC,		LINKTYPE_HHDLC },
416 
417 	/* RFC 2625 IP-over-Fibre Channel */
418 	{ DLT_IP_OVER_FC,	LINKTYPE_IP_OVER_FC },
419 
420 	/* Solaris+SunATM */
421 	{ DLT_SUNATM,		LINKTYPE_SUNATM },
422 
423 	/* RapidIO */
424 	{ DLT_RIO,		LINKTYPE_RIO },
425 
426 	/* PCI Express */
427 	{ DLT_PCI_EXP,		LINKTYPE_PCI_EXP },
428 
429 	/* Xilinx Aurora link layer */
430 	{ DLT_AURORA,		LINKTYPE_AURORA },
431 
432 	/* 802.11 plus BSD radio header */
433 	{ DLT_IEEE802_11_RADIO,	LINKTYPE_IEEE802_11_RADIO },
434 
435 	/* Tazmen Sniffer Protocol */
436 	{ DLT_TZSP,		LINKTYPE_TZSP },
437 
438 	/* Arcnet with Linux-style link-layer headers */
439 	{ DLT_ARCNET_LINUX,	LINKTYPE_ARCNET_LINUX },
440 
441         /* Juniper-internal chassis encapsulation */
442         { DLT_JUNIPER_MLPPP,    LINKTYPE_JUNIPER_MLPPP },
443         { DLT_JUNIPER_MLFR,     LINKTYPE_JUNIPER_MLFR },
444         { DLT_JUNIPER_ES,       LINKTYPE_JUNIPER_ES },
445         { DLT_JUNIPER_GGSN,     LINKTYPE_JUNIPER_GGSN },
446         { DLT_JUNIPER_MFR,      LINKTYPE_JUNIPER_MFR },
447         { DLT_JUNIPER_ATM2,     LINKTYPE_JUNIPER_ATM2 },
448         { DLT_JUNIPER_SERVICES, LINKTYPE_JUNIPER_SERVICES },
449         { DLT_JUNIPER_ATM1,     LINKTYPE_JUNIPER_ATM1 },
450 
451 	/* Apple IP-over-IEEE 1394 cooked header */
452 	{ DLT_APPLE_IP_OVER_IEEE1394, LINKTYPE_APPLE_IP_OVER_IEEE1394 },
453 
454 	/* DOCSIS MAC frames */
455 	{ DLT_DOCSIS,		LINKTYPE_DOCSIS },
456 
457 	/* IrDA IrLAP packets + Linux-cooked header */
458 	{ DLT_LINUX_IRDA,	LINKTYPE_LINUX_IRDA },
459 
460 	/* IBM SP and Next Federation switches */
461 	{ DLT_IBM_SP,		LINKTYPE_IBM_SP },
462 	{ DLT_IBM_SN,		LINKTYPE_IBM_SN },
463 
464 	/* 802.11 plus AVS radio header */
465 	{ DLT_IEEE802_11_RADIO_AVS, LINKTYPE_IEEE802_11_RADIO_AVS },
466 
467 	/*
468 	 * Any platform that defines additional DLT_* codes should:
469 	 *
470 	 *	request a LINKTYPE_* code and value from tcpdump.org,
471 	 *	as per the above;
472 	 *
473 	 *	add, in their version of libpcap, an entry to map
474 	 *	those DLT_* codes to the corresponding LINKTYPE_*
475 	 *	code;
476 	 *
477 	 *	redefine, in their "net/bpf.h", any DLT_* values
478 	 *	that collide with the values used by their additional
479 	 *	DLT_* codes, to remove those collisions (but without
480 	 *	making them collide with any of the LINKTYPE_*
481 	 *	values equal to 50 or above; they should also avoid
482 	 *	defining DLT_* values that collide with those
483 	 *	LINKTYPE_* values, either).
484 	 */
485 
486         /* Juniper-internal chassis encapsulation */
487         { DLT_JUNIPER_MONITOR,     LINKTYPE_JUNIPER_MONITOR },
488 
489 	{ -1,			-1 }
490 };
491 
492 static int
493 dlt_to_linktype(int dlt)
494 {
495 	int i;
496 
497 	for (i = 0; map[i].dlt != -1; i++) {
498 		if (map[i].dlt == dlt)
499 			return (map[i].linktype);
500 	}
501 
502 	/*
503 	 * If we don't have a mapping for this DLT_ code, return an
504 	 * error; that means that the table above needs to have an
505 	 * entry added.
506 	 */
507 	return (-1);
508 }
509 
510 static int
511 linktype_to_dlt(int linktype)
512 {
513 	int i;
514 
515 	for (i = 0; map[i].linktype != -1; i++) {
516 		if (map[i].linktype == linktype)
517 			return (map[i].dlt);
518 	}
519 
520 	/*
521 	 * If we don't have an entry for this link type, return
522 	 * the link type value; it may be a DLT_ value from an
523 	 * older version of libpcap.
524 	 */
525 	return linktype;
526 }
527 
528 static int
529 sf_write_header(FILE *fp, int linktype, int thiszone, int snaplen)
530 {
531 	struct pcap_file_header hdr;
532 
533 	hdr.magic = TCPDUMP_MAGIC;
534 	hdr.version_major = PCAP_VERSION_MAJOR;
535 	hdr.version_minor = PCAP_VERSION_MINOR;
536 
537 	hdr.thiszone = thiszone;
538 	hdr.snaplen = snaplen;
539 	hdr.sigfigs = 0;
540 	hdr.linktype = linktype;
541 
542 	if (fwrite((char *)&hdr, sizeof(hdr), 1, fp) != 1)
543 		return (-1);
544 
545 	return (0);
546 }
547 
548 static void
549 swap_hdr(struct pcap_file_header *hp)
550 {
551 	hp->version_major = SWAPSHORT(hp->version_major);
552 	hp->version_minor = SWAPSHORT(hp->version_minor);
553 	hp->thiszone = SWAPLONG(hp->thiszone);
554 	hp->sigfigs = SWAPLONG(hp->sigfigs);
555 	hp->snaplen = SWAPLONG(hp->snaplen);
556 	hp->linktype = SWAPLONG(hp->linktype);
557 }
558 
559 static int
560 sf_getnonblock(pcap_t *p, char *errbuf)
561 {
562 	/*
563 	 * This is a savefile, not a live capture file, so never say
564 	 * it's in non-blocking mode.
565 	 */
566 	return (0);
567 }
568 
569 static int
570 sf_setnonblock(pcap_t *p, int nonblock, char *errbuf)
571 {
572 	/*
573 	 * This is a savefile, not a live capture file, so ignore
574 	 * requests to put it in non-blocking mode.
575 	 */
576 	return (0);
577 }
578 
579 static int
580 sf_stats(pcap_t *p, struct pcap_stat *ps)
581 {
582 	snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
583 	    "Statistics aren't available from savefiles");
584 	return (-1);
585 }
586 
587 static void
588 sf_close(pcap_t *p)
589 {
590 	if (p->sf.rfile != stdin)
591 		(void)fclose(p->sf.rfile);
592 	if (p->sf.base != NULL)
593 		free(p->sf.base);
594 }
595 
596 pcap_t *
597 pcap_open_offline(const char *fname, char *errbuf)
598 {
599 	register pcap_t *p;
600 	register FILE *fp;
601 	struct pcap_file_header hdr;
602 	bpf_u_int32 magic;
603 	int linklen;
604 
605 	p = (pcap_t *)malloc(sizeof(*p));
606 	if (p == NULL) {
607 		strlcpy(errbuf, "out of swap", PCAP_ERRBUF_SIZE);
608 		return (NULL);
609 	}
610 
611 	memset((char *)p, 0, sizeof(*p));
612 
613 	if (fname[0] == '-' && fname[1] == '\0')
614 		fp = stdin;
615 	else {
616 #ifndef WIN32
617 		fp = fopen(fname, "r");
618 #else
619 		fp = fopen(fname, "rb");
620 #endif
621 		if (fp == NULL) {
622 			snprintf(errbuf, PCAP_ERRBUF_SIZE, "%s: %s", fname,
623 			    pcap_strerror(errno));
624 			goto bad;
625 		}
626 	}
627 	if (fread((char *)&hdr, sizeof(hdr), 1, fp) != 1) {
628 		snprintf(errbuf, PCAP_ERRBUF_SIZE, "fread: %s",
629 		    pcap_strerror(errno));
630 		goto bad;
631 	}
632 	magic = hdr.magic;
633 	if (magic != TCPDUMP_MAGIC && magic != PATCHED_TCPDUMP_MAGIC) {
634 		magic = SWAPLONG(magic);
635 		if (magic != TCPDUMP_MAGIC && magic != PATCHED_TCPDUMP_MAGIC) {
636 			snprintf(errbuf, PCAP_ERRBUF_SIZE,
637 			    "bad dump file format");
638 			goto bad;
639 		}
640 		p->sf.swapped = 1;
641 		swap_hdr(&hdr);
642 	}
643 	if (magic == PATCHED_TCPDUMP_MAGIC) {
644 		/*
645 		 * XXX - the patch that's in some versions of libpcap
646 		 * changes the packet header but not the magic number;
647 		 * we'd have to use some hacks^H^H^H^H^Hheuristics to
648 		 * detect that.
649 		 */
650 		p->sf.hdrsize = sizeof(struct pcap_sf_patched_pkthdr);
651 	} else
652 		p->sf.hdrsize = sizeof(struct pcap_sf_pkthdr);
653 	if (hdr.version_major < PCAP_VERSION_MAJOR) {
654 		snprintf(errbuf, PCAP_ERRBUF_SIZE, "archaic file format");
655 		goto bad;
656 	}
657 	p->tzoff = hdr.thiszone;
658 	p->snapshot = hdr.snaplen;
659 	p->linktype = linktype_to_dlt(hdr.linktype);
660 	p->sf.rfile = fp;
661 #ifndef WIN32
662 	p->bufsize = hdr.snaplen;
663 #else
664 	/* Allocate the space for pcap_pkthdr as well. It will be used by pcap_read_ex */
665 	p->bufsize = hdr.snaplen+sizeof(struct pcap_pkthdr);
666 #endif
667 
668 	/* Align link header as required for proper data alignment */
669 	/* XXX should handle all types */
670 	switch (p->linktype) {
671 
672 	case DLT_EN10MB:
673 		linklen = 14;
674 		break;
675 
676 	case DLT_FDDI:
677 		linklen = 13 + 8;	/* fddi_header + llc */
678 		break;
679 
680 	case DLT_NULL:
681 	default:
682 		linklen = 0;
683 		break;
684 	}
685 
686 	if (p->bufsize < 0)
687 		p->bufsize = BPF_MAXBUFSIZE;
688 	p->sf.base = (u_char *)malloc(p->bufsize + BPF_ALIGNMENT);
689 	if (p->sf.base == NULL) {
690 		strlcpy(errbuf, "out of swap", PCAP_ERRBUF_SIZE);
691 		goto bad;
692 	}
693 	p->buffer = p->sf.base + BPF_ALIGNMENT - (linklen % BPF_ALIGNMENT);
694 	p->sf.version_major = hdr.version_major;
695 	p->sf.version_minor = hdr.version_minor;
696 #ifdef PCAP_FDDIPAD
697 	/* XXX padding only needed for kernel fcode */
698 	pcap_fddipad = 0;
699 #endif
700 
701 	/*
702 	 * We interchanged the caplen and len fields at version 2.3,
703 	 * in order to match the bpf header layout.  But unfortunately
704 	 * some files were written with version 2.3 in their headers
705 	 * but without the interchanged fields.
706 	 *
707 	 * In addition, DG/UX tcpdump writes out files with a version
708 	 * number of 543.0, and with the caplen and len fields in the
709 	 * pre-2.3 order.
710 	 */
711 	switch (hdr.version_major) {
712 
713 	case 2:
714 		if (hdr.version_minor < 3)
715 			p->sf.lengths_swapped = SWAPPED;
716 		else if (hdr.version_minor == 3)
717 			p->sf.lengths_swapped = MAYBE_SWAPPED;
718 		else
719 			p->sf.lengths_swapped = NOT_SWAPPED;
720 		break;
721 
722 	case 543:
723 		p->sf.lengths_swapped = SWAPPED;
724 		break;
725 
726 	default:
727 		p->sf.lengths_swapped = NOT_SWAPPED;
728 		break;
729 	}
730 
731 #ifndef WIN32
732 	/*
733 	 * You can do "select()" and "poll()" on plain files on most
734 	 * platforms, and should be able to do so on pipes.
735 	 *
736 	 * You can't do "select()" on anything other than sockets in
737 	 * Windows, so, on Win32 systems, we don't have "selectable_fd".
738 	 */
739 	p->selectable_fd = fileno(fp);
740 #endif
741 
742 	p->read_op = pcap_offline_read;
743 	p->setfilter_op = install_bpf_program;
744 	p->set_datalink_op = NULL;	/* we don't support munging link-layer headers */
745 	p->getnonblock_op = sf_getnonblock;
746 	p->setnonblock_op = sf_setnonblock;
747 	p->stats_op = sf_stats;
748 	p->close_op = sf_close;
749 
750 	return (p);
751  bad:
752 	if(fp)
753 		fclose(fp);
754 	free(p);
755 	return (NULL);
756 }
757 
758 /*
759  * Read sf_readfile and return the next packet.  Return the header in hdr
760  * and the contents in buf.  Return 0 on success, SFERR_EOF if there were
761  * no more packets, and SFERR_TRUNC if a partial packet was encountered.
762  */
763 static int
764 sf_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char *buf, u_int buflen)
765 {
766 	struct pcap_sf_patched_pkthdr sf_hdr;
767 	FILE *fp = p->sf.rfile;
768 	size_t amt_read;
769 	bpf_u_int32 t;
770 
771 	/*
772 	 * Read the packet header; the structure we use as a buffer
773 	 * is the longer structure for files generated by the patched
774 	 * libpcap, but if the file has the magic number for an
775 	 * unpatched libpcap we only read as many bytes as the regular
776 	 * header has.
777 	 */
778 	amt_read = fread(&sf_hdr, 1, p->sf.hdrsize, fp);
779 	if (amt_read != p->sf.hdrsize) {
780 		if (ferror(fp)) {
781 			snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
782 			    "error reading dump file: %s",
783 			    pcap_strerror(errno));
784 			return (-1);
785 		} else {
786 			if (amt_read != 0) {
787 				snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
788 				    "truncated dump file; tried to read %d header bytes, only got %lu",
789 				    p->sf.hdrsize, (unsigned long)amt_read);
790 				return (-1);
791 			}
792 			/* EOF */
793 			return (1);
794 		}
795 	}
796 
797 	if (p->sf.swapped) {
798 		/* these were written in opposite byte order */
799 		hdr->caplen = SWAPLONG(sf_hdr.caplen);
800 		hdr->len = SWAPLONG(sf_hdr.len);
801 		hdr->ts.tv_sec = SWAPLONG(sf_hdr.ts.tv_sec);
802 		hdr->ts.tv_usec = SWAPLONG(sf_hdr.ts.tv_usec);
803 	} else {
804 		hdr->caplen = sf_hdr.caplen;
805 		hdr->len = sf_hdr.len;
806 		hdr->ts.tv_sec = sf_hdr.ts.tv_sec;
807 		hdr->ts.tv_usec = sf_hdr.ts.tv_usec;
808 	}
809 	/* Swap the caplen and len fields, if necessary. */
810 	switch (p->sf.lengths_swapped) {
811 
812 	case NOT_SWAPPED:
813 		break;
814 
815 	case MAYBE_SWAPPED:
816 		if (hdr->caplen <= hdr->len) {
817 			/*
818 			 * The captured length is <= the actual length,
819 			 * so presumably they weren't swapped.
820 			 */
821 			break;
822 		}
823 		/* FALLTHROUGH */
824 
825 	case SWAPPED:
826 		t = hdr->caplen;
827 		hdr->caplen = hdr->len;
828 		hdr->len = t;
829 		break;
830 	}
831 
832 	if (hdr->caplen > buflen) {
833 		/*
834 		 * This can happen due to Solaris 2.3 systems tripping
835 		 * over the BUFMOD problem and not setting the snapshot
836 		 * correctly in the savefile header.  If the caplen isn't
837 		 * grossly wrong, try to salvage.
838 		 */
839 		static u_char *tp = NULL;
840 		static size_t tsize = 0;
841 
842 		if (hdr->caplen > 65535) {
843 			snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
844 			    "bogus savefile header");
845 			return (-1);
846 		}
847 
848 		if (tsize < hdr->caplen) {
849 			tsize = ((hdr->caplen + 1023) / 1024) * 1024;
850 			if (tp != NULL)
851 				free((u_char *)tp);
852 			tp = (u_char *)malloc(tsize);
853 			if (tp == NULL) {
854 				tsize = 0;
855 				snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
856 				    "BUFMOD hack malloc");
857 				return (-1);
858 			}
859 		}
860 		amt_read = fread((char *)tp, 1, hdr->caplen, fp);
861 		if (amt_read != hdr->caplen) {
862 			if (ferror(fp)) {
863 				snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
864 				    "error reading dump file: %s",
865 				    pcap_strerror(errno));
866 			} else {
867 				snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
868 				    "truncated dump file; tried to read %u captured bytes, only got %lu",
869 				    hdr->caplen, (unsigned long)amt_read);
870 			}
871 			return (-1);
872 		}
873 		/*
874 		 * We can only keep up to buflen bytes.  Since caplen > buflen
875 		 * is exactly how we got here, we know we can only keep the
876 		 * first buflen bytes and must drop the remainder.  Adjust
877 		 * caplen accordingly, so we don't get confused later as
878 		 * to how many bytes we have to play with.
879 		 */
880 		hdr->caplen = buflen;
881 		memcpy((char *)buf, (char *)tp, buflen);
882 
883 	} else {
884 		/* read the packet itself */
885 		amt_read = fread((char *)buf, 1, hdr->caplen, fp);
886 		if (amt_read != hdr->caplen) {
887 			if (ferror(fp)) {
888 				snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
889 				    "error reading dump file: %s",
890 				    pcap_strerror(errno));
891 			} else {
892 				snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
893 				    "truncated dump file; tried to read %u captured bytes, only got %lu",
894 				    hdr->caplen, (unsigned long)amt_read);
895 			}
896 			return (-1);
897 		}
898 	}
899 	return (0);
900 }
901 
902 /*
903  * Print out packets stored in the file initialized by sf_read_init().
904  * If cnt > 0, return after 'cnt' packets, otherwise continue until eof.
905  */
906 int
907 pcap_offline_read(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
908 {
909 	struct bpf_insn *fcode = p->fcode.bf_insns;
910 	int status = 0;
911 	int n = 0;
912 
913 	while (status == 0) {
914 		struct pcap_pkthdr h;
915 
916 		/*
917 		 * Has "pcap_breakloop()" been called?
918 		 * If so, return immediately - if we haven't read any
919 		 * packets, clear the flag and return -2 to indicate
920 		 * that we were told to break out of the loop, otherwise
921 		 * leave the flag set, so that the *next* call will break
922 		 * out of the loop without having read any packets, and
923 		 * return the number of packets we've processed so far.
924 		 */
925 		if (p->break_loop) {
926 			if (n == 0) {
927 				p->break_loop = 0;
928 				return (-2);
929 			} else
930 				return (n);
931 		}
932 
933 		status = sf_next_packet(p, &h, p->buffer, p->bufsize);
934 		if (status) {
935 			if (status == 1)
936 				return (0);
937 			return (status);
938 		}
939 
940 		if (fcode == NULL ||
941 		    bpf_filter(fcode, p->buffer, h.len, h.caplen)) {
942 			(*callback)(user, &h, p->buffer);
943 			if (++n >= cnt && cnt > 0)
944 				break;
945 		}
946 	}
947 	/*XXX this breaks semantics tcpslice expects */
948 	return (n);
949 }
950 
951 /*
952  * Output a packet to the initialized dump file.
953  */
954 void
955 pcap_dump(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
956 {
957 	register FILE *f;
958 	struct pcap_sf_pkthdr sf_hdr;
959 
960 	f = (FILE *)user;
961 	sf_hdr.ts.tv_sec  = h->ts.tv_sec;
962 	sf_hdr.ts.tv_usec = h->ts.tv_usec;
963 	sf_hdr.caplen     = h->caplen;
964 	sf_hdr.len        = h->len;
965 	/* XXX we should check the return status */
966 	(void)fwrite(&sf_hdr, sizeof(sf_hdr), 1, f);
967 	(void)fwrite((char *)sp, h->caplen, 1, f);
968 }
969 
970 /*
971  * Initialize so that sf_write() will output to the file named 'fname'.
972  */
973 pcap_dumper_t *
974 pcap_dump_open(pcap_t *p, const char *fname)
975 {
976 	FILE *f;
977 	int linktype;
978 
979 	linktype = dlt_to_linktype(p->linktype);
980 	if (linktype == -1) {
981 		snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
982 		    "%s: link-layer type %d isn't supported in savefiles",
983 		    fname, linktype);
984 		return (NULL);
985 	}
986 
987 	if (fname[0] == '-' && fname[1] == '\0') {
988 		f = stdout;
989 #ifdef WIN32
990 		_setmode(_fileno(f), _O_BINARY);
991 #endif
992 	} else {
993 #ifndef WIN32
994 		f = fopen(fname, "w");
995 #else
996 		f = fopen(fname, "wb");
997 		setbuf(f, NULL);	/* XXX - why? */
998 #endif
999 		if (f == NULL) {
1000 			snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "%s: %s",
1001 			    fname, pcap_strerror(errno));
1002 			return (NULL);
1003 		}
1004 	}
1005 	(void)sf_write_header(f, linktype, p->tzoff, p->snapshot);
1006 	return ((pcap_dumper_t *)f);
1007 }
1008 
1009 FILE *
1010 pcap_dump_file(pcap_dumper_t *p)
1011 {
1012 	return ((FILE *)p);
1013 }
1014 
1015 int
1016 pcap_dump_flush(pcap_dumper_t *p)
1017 {
1018 
1019 	if (fflush((FILE *)p) == EOF)
1020 		return (-1);
1021 	else
1022 		return (0);
1023 }
1024 
1025 void
1026 pcap_dump_close(pcap_dumper_t *p)
1027 {
1028 
1029 #ifdef notyet
1030 	if (ferror((FILE *)p))
1031 		return-an-error;
1032 	/* XXX should check return from fclose() too */
1033 #endif
1034 	(void)fclose((FILE *)p);
1035 }
1036