1 /* 2 * Copyright (c) 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * savefile.c - supports offline use of tcpdump 22 * Extraction/creation by Jeffrey Mogul, DECWRL 23 * Modified by Steve McCanne, LBL. 24 * 25 * Used to save the received packet headers, after filtering, to 26 * a file, and then read them later. 27 * The first record in the file contains saved values for the machine 28 * dependent values so we can print the dump file on any architecture. 29 */ 30 31 #ifndef lint 32 static const char rcsid[] _U_ = 33 "@(#) $Header: /tcpdump/master/libpcap/savefile.c,v 1.92.2.11 2004/03/11 23:46:14 guy Exp $ (LBL)"; 34 #endif 35 36 #ifdef HAVE_CONFIG_H 37 #include "config.h" 38 #endif 39 40 #include <errno.h> 41 #include <memory.h> 42 #include <stdio.h> 43 #include <stdlib.h> 44 #include <string.h> 45 46 #include "pcap-int.h" 47 48 #ifdef HAVE_OS_PROTO_H 49 #include "os-proto.h" 50 #endif 51 52 #define TCPDUMP_MAGIC 0xa1b2c3d4 53 #define PATCHED_TCPDUMP_MAGIC 0xa1b2cd34 54 55 /* 56 * We use the "receiver-makes-right" approach to byte order, 57 * because time is at a premium when we are writing the file. 58 * In other words, the pcap_file_header and pcap_pkthdr, 59 * records are written in host byte order. 60 * Note that the bytes of packet data are written out in the order in 61 * which they were received, so multi-byte fields in packets are not 62 * written in host byte order, they're written in whatever order the 63 * sending machine put them in. 64 * 65 * ntoh[ls] aren't sufficient because we might need to swap on a big-endian 66 * machine (if the file was written in little-end order). 67 */ 68 #define SWAPLONG(y) \ 69 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 70 #define SWAPSHORT(y) \ 71 ( (((y)&0xff)<<8) | ((u_short)((y)&0xff00)>>8) ) 72 73 #define SFERR_TRUNC 1 74 #define SFERR_BADVERSION 2 75 #define SFERR_BADF 3 76 #define SFERR_EOF 4 /* not really an error, just a status */ 77 78 /* 79 * We don't write DLT_* values to the capture file header, because 80 * they're not the same on all platforms. 81 * 82 * Unfortunately, the various flavors of BSD have not always used the same 83 * numerical values for the same data types, and various patches to 84 * libpcap for non-BSD OSes have added their own DLT_* codes for link 85 * layer encapsulation types seen on those OSes, and those codes have had, 86 * in some cases, values that were also used, on other platforms, for other 87 * link layer encapsulation types. 88 * 89 * This means that capture files of a type whose numerical DLT_* code 90 * means different things on different BSDs, or with different versions 91 * of libpcap, can't always be read on systems other than those like 92 * the one running on the machine on which the capture was made. 93 * 94 * Instead, we define here a set of LINKTYPE_* codes, and map DLT_* codes 95 * to LINKTYPE_* codes when writing a savefile header, and map LINKTYPE_* 96 * codes to DLT_* codes when reading a savefile header. 97 * 98 * For those DLT_* codes that have, as far as we know, the same values on 99 * all platforms (DLT_NULL through DLT_FDDI), we define LINKTYPE_xxx as 100 * DLT_xxx; that way, captures of those types can still be read by 101 * versions of libpcap that map LINKTYPE_* values to DLT_* values, and 102 * captures of those types written by versions of libpcap that map DLT_ 103 * values to LINKTYPE_ values can still be read by older versions 104 * of libpcap. 105 * 106 * The other LINKTYPE_* codes are given values starting at 100, in the 107 * hopes that no DLT_* code will be given one of those values. 108 * 109 * In order to ensure that a given LINKTYPE_* code's value will refer to 110 * the same encapsulation type on all platforms, you should not allocate 111 * a new LINKTYPE_* value without consulting "tcpdump-workers@tcpdump.org". 112 * The tcpdump developers will allocate a value for you, and will not 113 * subsequently allocate it to anybody else; that value will be added to 114 * the "pcap.h" in the tcpdump.org CVS repository, so that a future 115 * libpcap release will include it. 116 * 117 * You should, if possible, also contribute patches to libpcap and tcpdump 118 * to handle the new encapsulation type, so that they can also be checked 119 * into the tcpdump.org CVS repository and so that they will appear in 120 * future libpcap and tcpdump releases. 121 * 122 * Do *NOT* assume that any values after the largest value in this file 123 * are available; you might not have the most up-to-date version of this 124 * file, and new values after that one might have been assigned. Also, 125 * do *NOT* use any values below 100 - those might already have been 126 * taken by one (or more!) organizations. 127 */ 128 #define LINKTYPE_NULL DLT_NULL 129 #define LINKTYPE_ETHERNET DLT_EN10MB /* also for 100Mb and up */ 130 #define LINKTYPE_EXP_ETHERNET DLT_EN3MB /* 3Mb experimental Ethernet */ 131 #define LINKTYPE_AX25 DLT_AX25 132 #define LINKTYPE_PRONET DLT_PRONET 133 #define LINKTYPE_CHAOS DLT_CHAOS 134 #define LINKTYPE_TOKEN_RING DLT_IEEE802 /* DLT_IEEE802 is used for Token Ring */ 135 #define LINKTYPE_ARCNET DLT_ARCNET /* BSD-style headers */ 136 #define LINKTYPE_SLIP DLT_SLIP 137 #define LINKTYPE_PPP DLT_PPP 138 #define LINKTYPE_FDDI DLT_FDDI 139 140 /* 141 * LINKTYPE_PPP is for use when there might, or might not, be an RFC 1662 142 * PPP in HDLC-like framing header (with 0xff 0x03 before the PPP protocol 143 * field) at the beginning of the packet. 144 * 145 * This is for use when there is always such a header; the address field 146 * might be 0xff, for regular PPP, or it might be an address field for Cisco 147 * point-to-point with HDLC framing as per section 4.3.1 of RFC 1547 ("Cisco 148 * HDLC"). This is, for example, what you get with NetBSD's DLT_PPP_SERIAL. 149 * 150 * We give it the same value as NetBSD's DLT_PPP_SERIAL, in the hopes that 151 * nobody else will choose a DLT_ value of 50, and so that DLT_PPP_SERIAL 152 * captures will be written out with a link type that NetBSD's tcpdump 153 * can read. 154 */ 155 #define LINKTYPE_PPP_HDLC 50 /* PPP in HDLC-like framing */ 156 157 #define LINKTYPE_PPP_ETHER 51 /* NetBSD PPP-over-Ethernet */ 158 159 /* 160 * This isn't supported in libpcap 0.8[.x], but is supported in the 161 * current CVS version; we include it here to note that it's not available 162 * for anybody else to use. 163 */ 164 #define LINKTYPE_SYMANTEC_FIREWALL 99 /* Symantec Enterprise Firewall */ 165 166 #define LINKTYPE_ATM_RFC1483 100 /* LLC/SNAP-encapsulated ATM */ 167 #define LINKTYPE_RAW 101 /* raw IP */ 168 #define LINKTYPE_SLIP_BSDOS 102 /* BSD/OS SLIP BPF header */ 169 #define LINKTYPE_PPP_BSDOS 103 /* BSD/OS PPP BPF header */ 170 #define LINKTYPE_C_HDLC 104 /* Cisco HDLC */ 171 #define LINKTYPE_IEEE802_11 105 /* IEEE 802.11 (wireless) */ 172 #define LINKTYPE_ATM_CLIP 106 /* Linux Classical IP over ATM */ 173 #define LINKTYPE_FRELAY 107 /* Frame Relay */ 174 #define LINKTYPE_LOOP 108 /* OpenBSD loopback */ 175 #define LINKTYPE_ENC 109 /* OpenBSD IPSEC enc */ 176 177 /* 178 * These three types are reserved for future use. 179 */ 180 #define LINKTYPE_LANE8023 110 /* ATM LANE + 802.3 */ 181 #define LINKTYPE_HIPPI 111 /* NetBSD HIPPI */ 182 #define LINKTYPE_HDLC 112 /* NetBSD HDLC framing */ 183 184 #define LINKTYPE_LINUX_SLL 113 /* Linux cooked socket capture */ 185 #define LINKTYPE_LTALK 114 /* Apple LocalTalk hardware */ 186 #define LINKTYPE_ECONET 115 /* Acorn Econet */ 187 188 /* 189 * Reserved for use with OpenBSD ipfilter. 190 */ 191 #define LINKTYPE_IPFILTER 116 192 193 #define LINKTYPE_PFLOG 117 /* OpenBSD DLT_PFLOG */ 194 #define LINKTYPE_CISCO_IOS 118 /* For Cisco-internal use */ 195 #define LINKTYPE_PRISM_HEADER 119 /* 802.11+Prism II monitor mode */ 196 #define LINKTYPE_AIRONET_HEADER 120 /* FreeBSD Aironet driver stuff */ 197 198 /* 199 * Reserved for Siemens HiPath HDLC. 200 */ 201 #define LINKTYPE_HHDLC 121 202 203 #define LINKTYPE_IP_OVER_FC 122 /* RFC 2625 IP-over-Fibre Channel */ 204 #define LINKTYPE_SUNATM 123 /* Solaris+SunATM */ 205 206 /* 207 * Reserved as per request from Kent Dahlgren <kent@praesum.com> 208 * for private use. 209 */ 210 #define LINKTYPE_RIO 124 /* RapidIO */ 211 #define LINKTYPE_PCI_EXP 125 /* PCI Express */ 212 #define LINKTYPE_AURORA 126 /* Xilinx Aurora link layer */ 213 214 #define LINKTYPE_IEEE802_11_RADIO 127 /* 802.11 plus BSD radio header */ 215 216 /* 217 * Reserved for the TZSP encapsulation, as per request from 218 * Chris Waters <chris.waters@networkchemistry.com> 219 * TZSP is a generic encapsulation for any other link type, 220 * which includes a means to include meta-information 221 * with the packet, e.g. signal strength and channel 222 * for 802.11 packets. 223 */ 224 #define LINKTYPE_TZSP 128 /* Tazmen Sniffer Protocol */ 225 226 #define LINKTYPE_ARCNET_LINUX 129 /* Linux-style headers */ 227 228 /* 229 * Juniper-private data link types, as per request from 230 * Hannes Gredler <hannes@juniper.net>. The corresponding 231 * DLT_s are used for passing on chassis-internal 232 * metainformation such as QOS profiles, etc.. 233 */ 234 #define LINKTYPE_JUNIPER_MLPPP 130 235 #define LINKTYPE_JUNIPER_MLFR 131 236 #define LINKTYPE_JUNIPER_ES 132 237 #define LINKTYPE_JUNIPER_GGSN 133 238 #define LINKTYPE_JUNIPER_MFR 134 239 #define LINKTYPE_JUNIPER_ATM2 135 240 #define LINKTYPE_JUNIPER_SERVICES 136 241 #define LINKTYPE_JUNIPER_ATM1 137 242 243 #define LINKTYPE_APPLE_IP_OVER_IEEE1394 138 /* Apple IP-over-IEEE 1394 cooked header */ 244 245 #define LINKTYPE_RAWSS7 139 /* see rawss7.h for */ 246 #define LINKTYPE_RAWSS7_MTP2 140 /* information on these */ 247 #define LINKTYPE_RAWSS7_MTP3 141 /* definitions */ 248 #define LINKTYPE_RAWSS7_SCCP 142 249 250 /* 251 * This isn't supported in libpcap 0.8[.x], but is supported in the 252 * current CVS version; we include it here to note that it's not available 253 * for anybody else to use. 254 */ 255 #define LINKTYPE_DOCSIS 143 /* DOCSIS MAC frames */ 256 257 #define LINKTYPE_LINUX_IRDA 144 /* Linux-IrDA */ 258 259 /* 260 * Reserved for IBM SP switch and IBM Next Federation switch. 261 */ 262 #define LINKTYPE_IBM_SP 145 263 #define LINKTYPE_IBM_SN 146 264 265 /* 266 * Reserved for private use. If you have some link-layer header type 267 * that you want to use within your organization, with the capture files 268 * using that link-layer header type not ever be sent outside your 269 * organization, you can use these values. 270 * 271 * No libpcap release will use these for any purpose, nor will any 272 * tcpdump release use them, either. 273 * 274 * Do *NOT* use these in capture files that you expect anybody not using 275 * your private versions of capture-file-reading tools to read; in 276 * particular, do *NOT* use them in products, otherwise you may find that 277 * people won't be able to use tcpdump, or snort, or Ethereal, or... to 278 * read capture files from your firewall/intrusion detection/traffic 279 * monitoring/etc. appliance, or whatever product uses that LINKTYPE_ value, 280 * and you may also find that the developers of those applications will 281 * not accept patches to let them read those files. 282 * 283 * Also, do not use them if somebody might send you a capture using them 284 * for *their* private type and tools using them for *your* private type 285 * would have to read them. 286 * 287 * Instead, in those cases, ask "tcpdump-workers@tcpdump.org" for a new DLT_ 288 * and LINKTYPE_ value, as per the comment in pcap-bpf.h, and use the type 289 * you're given. 290 */ 291 #define LINKTYPE_USER0 147 292 #define LINKTYPE_USER1 148 293 #define LINKTYPE_USER2 149 294 #define LINKTYPE_USER3 150 295 #define LINKTYPE_USER4 151 296 #define LINKTYPE_USER5 152 297 #define LINKTYPE_USER6 153 298 #define LINKTYPE_USER7 154 299 #define LINKTYPE_USER8 155 300 #define LINKTYPE_USER9 156 301 #define LINKTYPE_USER10 157 302 #define LINKTYPE_USER11 158 303 #define LINKTYPE_USER12 159 304 #define LINKTYPE_USER13 160 305 #define LINKTYPE_USER14 161 306 #define LINKTYPE_USER15 162 307 308 /* 309 * For future use with 802.11 captures - defined by AbsoluteValue 310 * Systems to store a number of bits of link-layer information 311 * including radio information: 312 * 313 * http://www.shaftnet.org/~pizza/software/capturefrm.txt 314 * 315 * but could and arguably should also be used by non-AVS Linux 316 * 802.11 drivers; that may happen in the future. 317 */ 318 #define LINKTYPE_IEEE802_11_RADIO_AVS 163 /* 802.11 plus AVS radio header */ 319 320 /* 321 * Juniper-private data link type, as per request from 322 * Hannes Gredler <hannes@juniper.net>. The corresponding 323 * DLT_s are used for passing on chassis-internal 324 * metainformation such as QOS profiles, etc.. 325 */ 326 #define LINKTYPE_JUNIPER_MONITOR 164 327 328 static struct linktype_map { 329 int dlt; 330 int linktype; 331 } map[] = { 332 /* 333 * These DLT_* codes have LINKTYPE_* codes with values identical 334 * to the values of the corresponding DLT_* code. 335 */ 336 { DLT_NULL, LINKTYPE_NULL }, 337 { DLT_EN10MB, LINKTYPE_ETHERNET }, 338 { DLT_EN3MB, LINKTYPE_EXP_ETHERNET }, 339 { DLT_AX25, LINKTYPE_AX25 }, 340 { DLT_PRONET, LINKTYPE_PRONET }, 341 { DLT_CHAOS, LINKTYPE_CHAOS }, 342 { DLT_IEEE802, LINKTYPE_TOKEN_RING }, 343 { DLT_ARCNET, LINKTYPE_ARCNET }, 344 { DLT_SLIP, LINKTYPE_SLIP }, 345 { DLT_PPP, LINKTYPE_PPP }, 346 { DLT_FDDI, LINKTYPE_FDDI }, 347 348 /* 349 * These DLT_* codes have different values on different 350 * platforms; we map them to LINKTYPE_* codes that 351 * have values that should never be equal to any DLT_* 352 * code. 353 */ 354 #ifdef DLT_FR 355 /* BSD/OS Frame Relay */ 356 { DLT_FR, LINKTYPE_FRELAY }, 357 #endif 358 359 { DLT_SYMANTEC_FIREWALL, LINKTYPE_SYMANTEC_FIREWALL }, 360 { DLT_ATM_RFC1483, LINKTYPE_ATM_RFC1483 }, 361 { DLT_RAW, LINKTYPE_RAW }, 362 { DLT_SLIP_BSDOS, LINKTYPE_SLIP_BSDOS }, 363 { DLT_PPP_BSDOS, LINKTYPE_PPP_BSDOS }, 364 365 /* BSD/OS Cisco HDLC */ 366 { DLT_C_HDLC, LINKTYPE_C_HDLC }, 367 368 /* 369 * These DLT_* codes are not on all platforms, but, so far, 370 * there don't appear to be any platforms that define 371 * other codes with those values; we map them to 372 * different LINKTYPE_* values anyway, just in case. 373 */ 374 375 /* Linux ATM Classical IP */ 376 { DLT_ATM_CLIP, LINKTYPE_ATM_CLIP }, 377 378 /* NetBSD sync/async serial PPP (or Cisco HDLC) */ 379 { DLT_PPP_SERIAL, LINKTYPE_PPP_HDLC }, 380 381 /* NetBSD PPP over Ethernet */ 382 { DLT_PPP_ETHER, LINKTYPE_PPP_ETHER }, 383 384 /* IEEE 802.11 wireless */ 385 { DLT_IEEE802_11, LINKTYPE_IEEE802_11 }, 386 387 /* Frame Relay */ 388 { DLT_FRELAY, LINKTYPE_FRELAY }, 389 390 /* OpenBSD loopback */ 391 { DLT_LOOP, LINKTYPE_LOOP }, 392 393 /* Linux cooked socket capture */ 394 { DLT_LINUX_SLL, LINKTYPE_LINUX_SLL }, 395 396 /* Apple LocalTalk hardware */ 397 { DLT_LTALK, LINKTYPE_LTALK }, 398 399 /* Acorn Econet */ 400 { DLT_ECONET, LINKTYPE_ECONET }, 401 402 /* OpenBSD DLT_PFLOG */ 403 { DLT_PFLOG, LINKTYPE_PFLOG }, 404 405 /* For Cisco-internal use */ 406 { DLT_CISCO_IOS, LINKTYPE_CISCO_IOS }, 407 408 /* Prism II monitor-mode header plus 802.11 header */ 409 { DLT_PRISM_HEADER, LINKTYPE_PRISM_HEADER }, 410 411 /* FreeBSD Aironet driver stuff */ 412 { DLT_AIRONET_HEADER, LINKTYPE_AIRONET_HEADER }, 413 414 /* Siemens HiPath HDLC */ 415 { DLT_HHDLC, LINKTYPE_HHDLC }, 416 417 /* RFC 2625 IP-over-Fibre Channel */ 418 { DLT_IP_OVER_FC, LINKTYPE_IP_OVER_FC }, 419 420 /* Solaris+SunATM */ 421 { DLT_SUNATM, LINKTYPE_SUNATM }, 422 423 /* RapidIO */ 424 { DLT_RIO, LINKTYPE_RIO }, 425 426 /* PCI Express */ 427 { DLT_PCI_EXP, LINKTYPE_PCI_EXP }, 428 429 /* Xilinx Aurora link layer */ 430 { DLT_AURORA, LINKTYPE_AURORA }, 431 432 /* 802.11 plus BSD radio header */ 433 { DLT_IEEE802_11_RADIO, LINKTYPE_IEEE802_11_RADIO }, 434 435 /* Tazmen Sniffer Protocol */ 436 { DLT_TZSP, LINKTYPE_TZSP }, 437 438 /* Arcnet with Linux-style link-layer headers */ 439 { DLT_ARCNET_LINUX, LINKTYPE_ARCNET_LINUX }, 440 441 /* Juniper-internal chassis encapsulation */ 442 { DLT_JUNIPER_MLPPP, LINKTYPE_JUNIPER_MLPPP }, 443 { DLT_JUNIPER_MLFR, LINKTYPE_JUNIPER_MLFR }, 444 { DLT_JUNIPER_ES, LINKTYPE_JUNIPER_ES }, 445 { DLT_JUNIPER_GGSN, LINKTYPE_JUNIPER_GGSN }, 446 { DLT_JUNIPER_MFR, LINKTYPE_JUNIPER_MFR }, 447 { DLT_JUNIPER_ATM2, LINKTYPE_JUNIPER_ATM2 }, 448 { DLT_JUNIPER_SERVICES, LINKTYPE_JUNIPER_SERVICES }, 449 { DLT_JUNIPER_ATM1, LINKTYPE_JUNIPER_ATM1 }, 450 451 /* Apple IP-over-IEEE 1394 cooked header */ 452 { DLT_APPLE_IP_OVER_IEEE1394, LINKTYPE_APPLE_IP_OVER_IEEE1394 }, 453 454 /* DOCSIS MAC frames */ 455 { DLT_DOCSIS, LINKTYPE_DOCSIS }, 456 457 /* IrDA IrLAP packets + Linux-cooked header */ 458 { DLT_LINUX_IRDA, LINKTYPE_LINUX_IRDA }, 459 460 /* IBM SP and Next Federation switches */ 461 { DLT_IBM_SP, LINKTYPE_IBM_SP }, 462 { DLT_IBM_SN, LINKTYPE_IBM_SN }, 463 464 /* 802.11 plus AVS radio header */ 465 { DLT_IEEE802_11_RADIO_AVS, LINKTYPE_IEEE802_11_RADIO_AVS }, 466 467 /* 468 * Any platform that defines additional DLT_* codes should: 469 * 470 * request a LINKTYPE_* code and value from tcpdump.org, 471 * as per the above; 472 * 473 * add, in their version of libpcap, an entry to map 474 * those DLT_* codes to the corresponding LINKTYPE_* 475 * code; 476 * 477 * redefine, in their "net/bpf.h", any DLT_* values 478 * that collide with the values used by their additional 479 * DLT_* codes, to remove those collisions (but without 480 * making them collide with any of the LINKTYPE_* 481 * values equal to 50 or above; they should also avoid 482 * defining DLT_* values that collide with those 483 * LINKTYPE_* values, either). 484 */ 485 486 /* Juniper-internal chassis encapsulation */ 487 { DLT_JUNIPER_MONITOR, LINKTYPE_JUNIPER_MONITOR }, 488 489 { -1, -1 } 490 }; 491 492 static int 493 dlt_to_linktype(int dlt) 494 { 495 int i; 496 497 for (i = 0; map[i].dlt != -1; i++) { 498 if (map[i].dlt == dlt) 499 return (map[i].linktype); 500 } 501 502 /* 503 * If we don't have a mapping for this DLT_ code, return an 504 * error; that means that the table above needs to have an 505 * entry added. 506 */ 507 return (-1); 508 } 509 510 static int 511 linktype_to_dlt(int linktype) 512 { 513 int i; 514 515 for (i = 0; map[i].linktype != -1; i++) { 516 if (map[i].linktype == linktype) 517 return (map[i].dlt); 518 } 519 520 /* 521 * If we don't have an entry for this link type, return 522 * the link type value; it may be a DLT_ value from an 523 * older version of libpcap. 524 */ 525 return linktype; 526 } 527 528 static int 529 sf_write_header(FILE *fp, int linktype, int thiszone, int snaplen) 530 { 531 struct pcap_file_header hdr; 532 533 hdr.magic = TCPDUMP_MAGIC; 534 hdr.version_major = PCAP_VERSION_MAJOR; 535 hdr.version_minor = PCAP_VERSION_MINOR; 536 537 hdr.thiszone = thiszone; 538 hdr.snaplen = snaplen; 539 hdr.sigfigs = 0; 540 hdr.linktype = linktype; 541 542 if (fwrite((char *)&hdr, sizeof(hdr), 1, fp) != 1) 543 return (-1); 544 545 return (0); 546 } 547 548 static void 549 swap_hdr(struct pcap_file_header *hp) 550 { 551 hp->version_major = SWAPSHORT(hp->version_major); 552 hp->version_minor = SWAPSHORT(hp->version_minor); 553 hp->thiszone = SWAPLONG(hp->thiszone); 554 hp->sigfigs = SWAPLONG(hp->sigfigs); 555 hp->snaplen = SWAPLONG(hp->snaplen); 556 hp->linktype = SWAPLONG(hp->linktype); 557 } 558 559 static int 560 sf_getnonblock(pcap_t *p, char *errbuf) 561 { 562 /* 563 * This is a savefile, not a live capture file, so never say 564 * it's in non-blocking mode. 565 */ 566 return (0); 567 } 568 569 static int 570 sf_setnonblock(pcap_t *p, int nonblock, char *errbuf) 571 { 572 /* 573 * This is a savefile, not a live capture file, so ignore 574 * requests to put it in non-blocking mode. 575 */ 576 return (0); 577 } 578 579 static int 580 sf_stats(pcap_t *p, struct pcap_stat *ps) 581 { 582 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 583 "Statistics aren't available from savefiles"); 584 return (-1); 585 } 586 587 static void 588 sf_close(pcap_t *p) 589 { 590 if (p->sf.rfile != stdin) 591 (void)fclose(p->sf.rfile); 592 if (p->sf.base != NULL) 593 free(p->sf.base); 594 } 595 596 pcap_t * 597 pcap_open_offline(const char *fname, char *errbuf) 598 { 599 register pcap_t *p; 600 register FILE *fp; 601 struct pcap_file_header hdr; 602 bpf_u_int32 magic; 603 int linklen; 604 605 p = (pcap_t *)malloc(sizeof(*p)); 606 if (p == NULL) { 607 strlcpy(errbuf, "out of swap", PCAP_ERRBUF_SIZE); 608 return (NULL); 609 } 610 611 memset((char *)p, 0, sizeof(*p)); 612 613 if (fname[0] == '-' && fname[1] == '\0') 614 fp = stdin; 615 else { 616 #ifndef WIN32 617 fp = fopen(fname, "r"); 618 #else 619 fp = fopen(fname, "rb"); 620 #endif 621 if (fp == NULL) { 622 snprintf(errbuf, PCAP_ERRBUF_SIZE, "%s: %s", fname, 623 pcap_strerror(errno)); 624 goto bad; 625 } 626 } 627 if (fread((char *)&hdr, sizeof(hdr), 1, fp) != 1) { 628 snprintf(errbuf, PCAP_ERRBUF_SIZE, "fread: %s", 629 pcap_strerror(errno)); 630 goto bad; 631 } 632 magic = hdr.magic; 633 if (magic != TCPDUMP_MAGIC && magic != PATCHED_TCPDUMP_MAGIC) { 634 magic = SWAPLONG(magic); 635 if (magic != TCPDUMP_MAGIC && magic != PATCHED_TCPDUMP_MAGIC) { 636 snprintf(errbuf, PCAP_ERRBUF_SIZE, 637 "bad dump file format"); 638 goto bad; 639 } 640 p->sf.swapped = 1; 641 swap_hdr(&hdr); 642 } 643 if (magic == PATCHED_TCPDUMP_MAGIC) { 644 /* 645 * XXX - the patch that's in some versions of libpcap 646 * changes the packet header but not the magic number; 647 * we'd have to use some hacks^H^H^H^H^Hheuristics to 648 * detect that. 649 */ 650 p->sf.hdrsize = sizeof(struct pcap_sf_patched_pkthdr); 651 } else 652 p->sf.hdrsize = sizeof(struct pcap_sf_pkthdr); 653 if (hdr.version_major < PCAP_VERSION_MAJOR) { 654 snprintf(errbuf, PCAP_ERRBUF_SIZE, "archaic file format"); 655 goto bad; 656 } 657 p->tzoff = hdr.thiszone; 658 p->snapshot = hdr.snaplen; 659 p->linktype = linktype_to_dlt(hdr.linktype); 660 p->sf.rfile = fp; 661 #ifndef WIN32 662 p->bufsize = hdr.snaplen; 663 #else 664 /* Allocate the space for pcap_pkthdr as well. It will be used by pcap_read_ex */ 665 p->bufsize = hdr.snaplen+sizeof(struct pcap_pkthdr); 666 #endif 667 668 /* Align link header as required for proper data alignment */ 669 /* XXX should handle all types */ 670 switch (p->linktype) { 671 672 case DLT_EN10MB: 673 linklen = 14; 674 break; 675 676 case DLT_FDDI: 677 linklen = 13 + 8; /* fddi_header + llc */ 678 break; 679 680 case DLT_NULL: 681 default: 682 linklen = 0; 683 break; 684 } 685 686 if (p->bufsize < 0) 687 p->bufsize = BPF_MAXBUFSIZE; 688 p->sf.base = (u_char *)malloc(p->bufsize + BPF_ALIGNMENT); 689 if (p->sf.base == NULL) { 690 strlcpy(errbuf, "out of swap", PCAP_ERRBUF_SIZE); 691 goto bad; 692 } 693 p->buffer = p->sf.base + BPF_ALIGNMENT - (linklen % BPF_ALIGNMENT); 694 p->sf.version_major = hdr.version_major; 695 p->sf.version_minor = hdr.version_minor; 696 #ifdef PCAP_FDDIPAD 697 /* XXX padding only needed for kernel fcode */ 698 pcap_fddipad = 0; 699 #endif 700 701 /* 702 * We interchanged the caplen and len fields at version 2.3, 703 * in order to match the bpf header layout. But unfortunately 704 * some files were written with version 2.3 in their headers 705 * but without the interchanged fields. 706 * 707 * In addition, DG/UX tcpdump writes out files with a version 708 * number of 543.0, and with the caplen and len fields in the 709 * pre-2.3 order. 710 */ 711 switch (hdr.version_major) { 712 713 case 2: 714 if (hdr.version_minor < 3) 715 p->sf.lengths_swapped = SWAPPED; 716 else if (hdr.version_minor == 3) 717 p->sf.lengths_swapped = MAYBE_SWAPPED; 718 else 719 p->sf.lengths_swapped = NOT_SWAPPED; 720 break; 721 722 case 543: 723 p->sf.lengths_swapped = SWAPPED; 724 break; 725 726 default: 727 p->sf.lengths_swapped = NOT_SWAPPED; 728 break; 729 } 730 731 #ifndef WIN32 732 /* 733 * You can do "select()" and "poll()" on plain files on most 734 * platforms, and should be able to do so on pipes. 735 * 736 * You can't do "select()" on anything other than sockets in 737 * Windows, so, on Win32 systems, we don't have "selectable_fd". 738 */ 739 p->selectable_fd = fileno(fp); 740 #endif 741 742 p->read_op = pcap_offline_read; 743 p->setfilter_op = install_bpf_program; 744 p->set_datalink_op = NULL; /* we don't support munging link-layer headers */ 745 p->getnonblock_op = sf_getnonblock; 746 p->setnonblock_op = sf_setnonblock; 747 p->stats_op = sf_stats; 748 p->close_op = sf_close; 749 750 return (p); 751 bad: 752 if(fp) 753 fclose(fp); 754 free(p); 755 return (NULL); 756 } 757 758 /* 759 * Read sf_readfile and return the next packet. Return the header in hdr 760 * and the contents in buf. Return 0 on success, SFERR_EOF if there were 761 * no more packets, and SFERR_TRUNC if a partial packet was encountered. 762 */ 763 static int 764 sf_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char *buf, u_int buflen) 765 { 766 struct pcap_sf_patched_pkthdr sf_hdr; 767 FILE *fp = p->sf.rfile; 768 size_t amt_read; 769 bpf_u_int32 t; 770 771 /* 772 * Read the packet header; the structure we use as a buffer 773 * is the longer structure for files generated by the patched 774 * libpcap, but if the file has the magic number for an 775 * unpatched libpcap we only read as many bytes as the regular 776 * header has. 777 */ 778 amt_read = fread(&sf_hdr, 1, p->sf.hdrsize, fp); 779 if (amt_read != p->sf.hdrsize) { 780 if (ferror(fp)) { 781 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 782 "error reading dump file: %s", 783 pcap_strerror(errno)); 784 return (-1); 785 } else { 786 if (amt_read != 0) { 787 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 788 "truncated dump file; tried to read %d header bytes, only got %lu", 789 p->sf.hdrsize, (unsigned long)amt_read); 790 return (-1); 791 } 792 /* EOF */ 793 return (1); 794 } 795 } 796 797 if (p->sf.swapped) { 798 /* these were written in opposite byte order */ 799 hdr->caplen = SWAPLONG(sf_hdr.caplen); 800 hdr->len = SWAPLONG(sf_hdr.len); 801 hdr->ts.tv_sec = SWAPLONG(sf_hdr.ts.tv_sec); 802 hdr->ts.tv_usec = SWAPLONG(sf_hdr.ts.tv_usec); 803 } else { 804 hdr->caplen = sf_hdr.caplen; 805 hdr->len = sf_hdr.len; 806 hdr->ts.tv_sec = sf_hdr.ts.tv_sec; 807 hdr->ts.tv_usec = sf_hdr.ts.tv_usec; 808 } 809 /* Swap the caplen and len fields, if necessary. */ 810 switch (p->sf.lengths_swapped) { 811 812 case NOT_SWAPPED: 813 break; 814 815 case MAYBE_SWAPPED: 816 if (hdr->caplen <= hdr->len) { 817 /* 818 * The captured length is <= the actual length, 819 * so presumably they weren't swapped. 820 */ 821 break; 822 } 823 /* FALLTHROUGH */ 824 825 case SWAPPED: 826 t = hdr->caplen; 827 hdr->caplen = hdr->len; 828 hdr->len = t; 829 break; 830 } 831 832 if (hdr->caplen > buflen) { 833 /* 834 * This can happen due to Solaris 2.3 systems tripping 835 * over the BUFMOD problem and not setting the snapshot 836 * correctly in the savefile header. If the caplen isn't 837 * grossly wrong, try to salvage. 838 */ 839 static u_char *tp = NULL; 840 static size_t tsize = 0; 841 842 if (hdr->caplen > 65535) { 843 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 844 "bogus savefile header"); 845 return (-1); 846 } 847 848 if (tsize < hdr->caplen) { 849 tsize = ((hdr->caplen + 1023) / 1024) * 1024; 850 if (tp != NULL) 851 free((u_char *)tp); 852 tp = (u_char *)malloc(tsize); 853 if (tp == NULL) { 854 tsize = 0; 855 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 856 "BUFMOD hack malloc"); 857 return (-1); 858 } 859 } 860 amt_read = fread((char *)tp, 1, hdr->caplen, fp); 861 if (amt_read != hdr->caplen) { 862 if (ferror(fp)) { 863 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 864 "error reading dump file: %s", 865 pcap_strerror(errno)); 866 } else { 867 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 868 "truncated dump file; tried to read %u captured bytes, only got %lu", 869 hdr->caplen, (unsigned long)amt_read); 870 } 871 return (-1); 872 } 873 /* 874 * We can only keep up to buflen bytes. Since caplen > buflen 875 * is exactly how we got here, we know we can only keep the 876 * first buflen bytes and must drop the remainder. Adjust 877 * caplen accordingly, so we don't get confused later as 878 * to how many bytes we have to play with. 879 */ 880 hdr->caplen = buflen; 881 memcpy((char *)buf, (char *)tp, buflen); 882 883 } else { 884 /* read the packet itself */ 885 amt_read = fread((char *)buf, 1, hdr->caplen, fp); 886 if (amt_read != hdr->caplen) { 887 if (ferror(fp)) { 888 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 889 "error reading dump file: %s", 890 pcap_strerror(errno)); 891 } else { 892 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 893 "truncated dump file; tried to read %u captured bytes, only got %lu", 894 hdr->caplen, (unsigned long)amt_read); 895 } 896 return (-1); 897 } 898 } 899 return (0); 900 } 901 902 /* 903 * Print out packets stored in the file initialized by sf_read_init(). 904 * If cnt > 0, return after 'cnt' packets, otherwise continue until eof. 905 */ 906 int 907 pcap_offline_read(pcap_t *p, int cnt, pcap_handler callback, u_char *user) 908 { 909 struct bpf_insn *fcode = p->fcode.bf_insns; 910 int status = 0; 911 int n = 0; 912 913 while (status == 0) { 914 struct pcap_pkthdr h; 915 916 /* 917 * Has "pcap_breakloop()" been called? 918 * If so, return immediately - if we haven't read any 919 * packets, clear the flag and return -2 to indicate 920 * that we were told to break out of the loop, otherwise 921 * leave the flag set, so that the *next* call will break 922 * out of the loop without having read any packets, and 923 * return the number of packets we've processed so far. 924 */ 925 if (p->break_loop) { 926 if (n == 0) { 927 p->break_loop = 0; 928 return (-2); 929 } else 930 return (n); 931 } 932 933 status = sf_next_packet(p, &h, p->buffer, p->bufsize); 934 if (status) { 935 if (status == 1) 936 return (0); 937 return (status); 938 } 939 940 if (fcode == NULL || 941 bpf_filter(fcode, p->buffer, h.len, h.caplen)) { 942 (*callback)(user, &h, p->buffer); 943 if (++n >= cnt && cnt > 0) 944 break; 945 } 946 } 947 /*XXX this breaks semantics tcpslice expects */ 948 return (n); 949 } 950 951 /* 952 * Output a packet to the initialized dump file. 953 */ 954 void 955 pcap_dump(u_char *user, const struct pcap_pkthdr *h, const u_char *sp) 956 { 957 register FILE *f; 958 struct pcap_sf_pkthdr sf_hdr; 959 960 f = (FILE *)user; 961 sf_hdr.ts.tv_sec = h->ts.tv_sec; 962 sf_hdr.ts.tv_usec = h->ts.tv_usec; 963 sf_hdr.caplen = h->caplen; 964 sf_hdr.len = h->len; 965 /* XXX we should check the return status */ 966 (void)fwrite(&sf_hdr, sizeof(sf_hdr), 1, f); 967 (void)fwrite((char *)sp, h->caplen, 1, f); 968 } 969 970 /* 971 * Initialize so that sf_write() will output to the file named 'fname'. 972 */ 973 pcap_dumper_t * 974 pcap_dump_open(pcap_t *p, const char *fname) 975 { 976 FILE *f; 977 int linktype; 978 979 linktype = dlt_to_linktype(p->linktype); 980 if (linktype == -1) { 981 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 982 "%s: link-layer type %d isn't supported in savefiles", 983 fname, linktype); 984 return (NULL); 985 } 986 987 if (fname[0] == '-' && fname[1] == '\0') { 988 f = stdout; 989 #ifdef WIN32 990 _setmode(_fileno(f), _O_BINARY); 991 #endif 992 } else { 993 #ifndef WIN32 994 f = fopen(fname, "w"); 995 #else 996 f = fopen(fname, "wb"); 997 setbuf(f, NULL); /* XXX - why? */ 998 #endif 999 if (f == NULL) { 1000 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "%s: %s", 1001 fname, pcap_strerror(errno)); 1002 return (NULL); 1003 } 1004 } 1005 (void)sf_write_header(f, linktype, p->tzoff, p->snapshot); 1006 return ((pcap_dumper_t *)f); 1007 } 1008 1009 FILE * 1010 pcap_dump_file(pcap_dumper_t *p) 1011 { 1012 return ((FILE *)p); 1013 } 1014 1015 int 1016 pcap_dump_flush(pcap_dumper_t *p) 1017 { 1018 1019 if (fflush((FILE *)p) == EOF) 1020 return (-1); 1021 else 1022 return (0); 1023 } 1024 1025 void 1026 pcap_dump_close(pcap_dumper_t *p) 1027 { 1028 1029 #ifdef notyet 1030 if (ferror((FILE *)p)) 1031 return-an-error; 1032 /* XXX should check return from fclose() too */ 1033 #endif 1034 (void)fclose((FILE *)p); 1035 } 1036