1 /* 2 * Copyright (c) 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * savefile.c - supports offline use of tcpdump 22 * Extraction/creation by Jeffrey Mogul, DECWRL 23 * Modified by Steve McCanne, LBL. 24 * 25 * Used to save the received packet headers, after filtering, to 26 * a file, and then read them later. 27 * The first record in the file contains saved values for the machine 28 * dependent values so we can print the dump file on any architecture. 29 */ 30 31 #ifndef lint 32 static const char rcsid[] _U_ = 33 "@(#) $Header: /tcpdump/master/libpcap/savefile.c,v 1.168.2.10 2008-10-06 15:38:39 gianluca Exp $ (LBL)"; 34 #endif 35 36 #ifdef HAVE_CONFIG_H 37 #include "config.h" 38 #endif 39 40 #include <errno.h> 41 #include <memory.h> 42 #include <stdio.h> 43 #include <stdlib.h> 44 #include <string.h> 45 46 #include "pcap-int.h" 47 #include "pcap/usb.h" 48 49 #ifdef HAVE_OS_PROTO_H 50 #include "os-proto.h" 51 #endif 52 53 /* 54 * Standard libpcap format. 55 */ 56 #define TCPDUMP_MAGIC 0xa1b2c3d4 57 58 /* 59 * Alexey Kuznetzov's modified libpcap format. 60 */ 61 #define KUZNETZOV_TCPDUMP_MAGIC 0xa1b2cd34 62 63 /* 64 * Reserved for Francisco Mesquita <francisco.mesquita@radiomovel.pt> 65 * for another modified format. 66 */ 67 #define FMESQUITA_TCPDUMP_MAGIC 0xa1b234cd 68 69 /* 70 * Navtel Communcations' format, with nanosecond timestamps, 71 * as per a request from Dumas Hwang <dumas.hwang@navtelcom.com>. 72 */ 73 #define NAVTEL_TCPDUMP_MAGIC 0xa12b3c4d 74 75 /* 76 * Normal libpcap format, except for seconds/nanoseconds timestamps, 77 * as per a request by Ulf Lamping <ulf.lamping@web.de> 78 */ 79 #define NSEC_TCPDUMP_MAGIC 0xa1b23c4d 80 81 /* 82 * We use the "receiver-makes-right" approach to byte order, 83 * because time is at a premium when we are writing the file. 84 * In other words, the pcap_file_header and pcap_pkthdr, 85 * records are written in host byte order. 86 * Note that the bytes of packet data are written out in the order in 87 * which they were received, so multi-byte fields in packets are not 88 * written in host byte order, they're written in whatever order the 89 * sending machine put them in. 90 * 91 * ntoh[ls] aren't sufficient because we might need to swap on a big-endian 92 * machine (if the file was written in little-end order). 93 */ 94 #define SWAPLONG(y) \ 95 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 96 #define SWAPSHORT(y) \ 97 ( (((y)&0xff)<<8) | ((u_short)((y)&0xff00)>>8) ) 98 99 #define SFERR_TRUNC 1 100 #define SFERR_BADVERSION 2 101 #define SFERR_BADF 3 102 #define SFERR_EOF 4 /* not really an error, just a status */ 103 104 /* 105 * Setting O_BINARY on DOS/Windows is a bit tricky 106 */ 107 #if defined(WIN32) 108 #define SET_BINMODE(f) _setmode(_fileno(f), _O_BINARY) 109 #elif defined(MSDOS) 110 #if defined(__HIGHC__) 111 #define SET_BINMODE(f) setmode(f, O_BINARY) 112 #else 113 #define SET_BINMODE(f) setmode(fileno(f), O_BINARY) 114 #endif 115 #endif 116 117 /* 118 * We don't write DLT_* values to the capture file header, because 119 * they're not the same on all platforms. 120 * 121 * Unfortunately, the various flavors of BSD have not always used the same 122 * numerical values for the same data types, and various patches to 123 * libpcap for non-BSD OSes have added their own DLT_* codes for link 124 * layer encapsulation types seen on those OSes, and those codes have had, 125 * in some cases, values that were also used, on other platforms, for other 126 * link layer encapsulation types. 127 * 128 * This means that capture files of a type whose numerical DLT_* code 129 * means different things on different BSDs, or with different versions 130 * of libpcap, can't always be read on systems other than those like 131 * the one running on the machine on which the capture was made. 132 * 133 * Instead, we define here a set of LINKTYPE_* codes, and map DLT_* codes 134 * to LINKTYPE_* codes when writing a savefile header, and map LINKTYPE_* 135 * codes to DLT_* codes when reading a savefile header. 136 * 137 * For those DLT_* codes that have, as far as we know, the same values on 138 * all platforms (DLT_NULL through DLT_FDDI), we define LINKTYPE_xxx as 139 * DLT_xxx; that way, captures of those types can still be read by 140 * versions of libpcap that map LINKTYPE_* values to DLT_* values, and 141 * captures of those types written by versions of libpcap that map DLT_ 142 * values to LINKTYPE_ values can still be read by older versions 143 * of libpcap. 144 * 145 * The other LINKTYPE_* codes are given values starting at 100, in the 146 * hopes that no DLT_* code will be given one of those values. 147 * 148 * In order to ensure that a given LINKTYPE_* code's value will refer to 149 * the same encapsulation type on all platforms, you should not allocate 150 * a new LINKTYPE_* value without consulting 151 * "tcpdump-workers@lists.tcpdump.org". The tcpdump developers will 152 * allocate a value for you, and will not subsequently allocate it to 153 * anybody else; that value will be added to the "pcap.h" in the 154 * tcpdump.org CVS repository, so that a future libpcap release will 155 * include it. 156 * 157 * You should, if possible, also contribute patches to libpcap and tcpdump 158 * to handle the new encapsulation type, so that they can also be checked 159 * into the tcpdump.org CVS repository and so that they will appear in 160 * future libpcap and tcpdump releases. 161 * 162 * Do *NOT* assume that any values after the largest value in this file 163 * are available; you might not have the most up-to-date version of this 164 * file, and new values after that one might have been assigned. Also, 165 * do *NOT* use any values below 100 - those might already have been 166 * taken by one (or more!) organizations. 167 */ 168 #define LINKTYPE_NULL DLT_NULL 169 #define LINKTYPE_ETHERNET DLT_EN10MB /* also for 100Mb and up */ 170 #define LINKTYPE_EXP_ETHERNET DLT_EN3MB /* 3Mb experimental Ethernet */ 171 #define LINKTYPE_AX25 DLT_AX25 172 #define LINKTYPE_PRONET DLT_PRONET 173 #define LINKTYPE_CHAOS DLT_CHAOS 174 #define LINKTYPE_TOKEN_RING DLT_IEEE802 /* DLT_IEEE802 is used for Token Ring */ 175 #define LINKTYPE_ARCNET DLT_ARCNET /* BSD-style headers */ 176 #define LINKTYPE_SLIP DLT_SLIP 177 #define LINKTYPE_PPP DLT_PPP 178 #define LINKTYPE_FDDI DLT_FDDI 179 180 /* 181 * LINKTYPE_PPP is for use when there might, or might not, be an RFC 1662 182 * PPP in HDLC-like framing header (with 0xff 0x03 before the PPP protocol 183 * field) at the beginning of the packet. 184 * 185 * This is for use when there is always such a header; the address field 186 * might be 0xff, for regular PPP, or it might be an address field for Cisco 187 * point-to-point with HDLC framing as per section 4.3.1 of RFC 1547 ("Cisco 188 * HDLC"). This is, for example, what you get with NetBSD's DLT_PPP_SERIAL. 189 * 190 * We give it the same value as NetBSD's DLT_PPP_SERIAL, in the hopes that 191 * nobody else will choose a DLT_ value of 50, and so that DLT_PPP_SERIAL 192 * captures will be written out with a link type that NetBSD's tcpdump 193 * can read. 194 */ 195 #define LINKTYPE_PPP_HDLC 50 /* PPP in HDLC-like framing */ 196 197 #define LINKTYPE_PPP_ETHER 51 /* NetBSD PPP-over-Ethernet */ 198 199 #define LINKTYPE_SYMANTEC_FIREWALL 99 /* Symantec Enterprise Firewall */ 200 201 #define LINKTYPE_ATM_RFC1483 100 /* LLC/SNAP-encapsulated ATM */ 202 #define LINKTYPE_RAW 101 /* raw IP */ 203 #define LINKTYPE_SLIP_BSDOS 102 /* BSD/OS SLIP BPF header */ 204 #define LINKTYPE_PPP_BSDOS 103 /* BSD/OS PPP BPF header */ 205 #define LINKTYPE_C_HDLC 104 /* Cisco HDLC */ 206 #define LINKTYPE_IEEE802_11 105 /* IEEE 802.11 (wireless) */ 207 #define LINKTYPE_ATM_CLIP 106 /* Linux Classical IP over ATM */ 208 #define LINKTYPE_FRELAY 107 /* Frame Relay */ 209 #define LINKTYPE_LOOP 108 /* OpenBSD loopback */ 210 #define LINKTYPE_ENC 109 /* OpenBSD IPSEC enc */ 211 212 /* 213 * These three types are reserved for future use. 214 */ 215 #define LINKTYPE_LANE8023 110 /* ATM LANE + 802.3 */ 216 #define LINKTYPE_HIPPI 111 /* NetBSD HIPPI */ 217 #define LINKTYPE_HDLC 112 /* NetBSD HDLC framing */ 218 219 #define LINKTYPE_LINUX_SLL 113 /* Linux cooked socket capture */ 220 #define LINKTYPE_LTALK 114 /* Apple LocalTalk hardware */ 221 #define LINKTYPE_ECONET 115 /* Acorn Econet */ 222 223 /* 224 * Reserved for use with OpenBSD ipfilter. 225 */ 226 #define LINKTYPE_IPFILTER 116 227 228 #define LINKTYPE_PFLOG 117 /* OpenBSD DLT_PFLOG */ 229 #define LINKTYPE_CISCO_IOS 118 /* For Cisco-internal use */ 230 #define LINKTYPE_PRISM_HEADER 119 /* 802.11+Prism II monitor mode */ 231 #define LINKTYPE_AIRONET_HEADER 120 /* FreeBSD Aironet driver stuff */ 232 233 /* 234 * Reserved for Siemens HiPath HDLC. 235 */ 236 #define LINKTYPE_HHDLC 121 237 238 #define LINKTYPE_IP_OVER_FC 122 /* RFC 2625 IP-over-Fibre Channel */ 239 #define LINKTYPE_SUNATM 123 /* Solaris+SunATM */ 240 241 /* 242 * Reserved as per request from Kent Dahlgren <kent@praesum.com> 243 * for private use. 244 */ 245 #define LINKTYPE_RIO 124 /* RapidIO */ 246 #define LINKTYPE_PCI_EXP 125 /* PCI Express */ 247 #define LINKTYPE_AURORA 126 /* Xilinx Aurora link layer */ 248 249 #define LINKTYPE_IEEE802_11_RADIO 127 /* 802.11 plus BSD radio header */ 250 251 /* 252 * Reserved for the TZSP encapsulation, as per request from 253 * Chris Waters <chris.waters@networkchemistry.com> 254 * TZSP is a generic encapsulation for any other link type, 255 * which includes a means to include meta-information 256 * with the packet, e.g. signal strength and channel 257 * for 802.11 packets. 258 */ 259 #define LINKTYPE_TZSP 128 /* Tazmen Sniffer Protocol */ 260 261 #define LINKTYPE_ARCNET_LINUX 129 /* Linux-style headers */ 262 263 /* 264 * Juniper-private data link types, as per request from 265 * Hannes Gredler <hannes@juniper.net>. The corresponding 266 * DLT_s are used for passing on chassis-internal 267 * metainformation such as QOS profiles, etc.. 268 */ 269 #define LINKTYPE_JUNIPER_MLPPP 130 270 #define LINKTYPE_JUNIPER_MLFR 131 271 #define LINKTYPE_JUNIPER_ES 132 272 #define LINKTYPE_JUNIPER_GGSN 133 273 #define LINKTYPE_JUNIPER_MFR 134 274 #define LINKTYPE_JUNIPER_ATM2 135 275 #define LINKTYPE_JUNIPER_SERVICES 136 276 #define LINKTYPE_JUNIPER_ATM1 137 277 278 #define LINKTYPE_APPLE_IP_OVER_IEEE1394 138 /* Apple IP-over-IEEE 1394 cooked header */ 279 280 #define LINKTYPE_MTP2_WITH_PHDR 139 281 #define LINKTYPE_MTP2 140 282 #define LINKTYPE_MTP3 141 283 #define LINKTYPE_SCCP 142 284 285 #define LINKTYPE_DOCSIS 143 /* DOCSIS MAC frames */ 286 287 #define LINKTYPE_LINUX_IRDA 144 /* Linux-IrDA */ 288 289 /* 290 * Reserved for IBM SP switch and IBM Next Federation switch. 291 */ 292 #define LINKTYPE_IBM_SP 145 293 #define LINKTYPE_IBM_SN 146 294 295 /* 296 * Reserved for private use. If you have some link-layer header type 297 * that you want to use within your organization, with the capture files 298 * using that link-layer header type not ever be sent outside your 299 * organization, you can use these values. 300 * 301 * No libpcap release will use these for any purpose, nor will any 302 * tcpdump release use them, either. 303 * 304 * Do *NOT* use these in capture files that you expect anybody not using 305 * your private versions of capture-file-reading tools to read; in 306 * particular, do *NOT* use them in products, otherwise you may find that 307 * people won't be able to use tcpdump, or snort, or Ethereal, or... to 308 * read capture files from your firewall/intrusion detection/traffic 309 * monitoring/etc. appliance, or whatever product uses that LINKTYPE_ value, 310 * and you may also find that the developers of those applications will 311 * not accept patches to let them read those files. 312 * 313 * Also, do not use them if somebody might send you a capture using them 314 * for *their* private type and tools using them for *your* private type 315 * would have to read them. 316 * 317 * Instead, in those cases, ask "tcpdump-workers@lists.tcpdump.org" for a 318 * new DLT_ and LINKTYPE_ value, as per the comment in pcap/bpf.h, and use 319 * the type you're given. 320 */ 321 #define LINKTYPE_USER0 147 322 #define LINKTYPE_USER1 148 323 #define LINKTYPE_USER2 149 324 #define LINKTYPE_USER3 150 325 #define LINKTYPE_USER4 151 326 #define LINKTYPE_USER5 152 327 #define LINKTYPE_USER6 153 328 #define LINKTYPE_USER7 154 329 #define LINKTYPE_USER8 155 330 #define LINKTYPE_USER9 156 331 #define LINKTYPE_USER10 157 332 #define LINKTYPE_USER11 158 333 #define LINKTYPE_USER12 159 334 #define LINKTYPE_USER13 160 335 #define LINKTYPE_USER14 161 336 #define LINKTYPE_USER15 162 337 338 /* 339 * For future use with 802.11 captures - defined by AbsoluteValue 340 * Systems to store a number of bits of link-layer information 341 * including radio information: 342 * 343 * http://www.shaftnet.org/~pizza/software/capturefrm.txt 344 * 345 * but could and arguably should also be used by non-AVS Linux 346 * 802.11 drivers; that may happen in the future. 347 */ 348 #define LINKTYPE_IEEE802_11_RADIO_AVS 163 /* 802.11 plus AVS radio header */ 349 350 /* 351 * Juniper-private data link type, as per request from 352 * Hannes Gredler <hannes@juniper.net>. The corresponding 353 * DLT_s are used for passing on chassis-internal 354 * metainformation such as QOS profiles, etc.. 355 */ 356 #define LINKTYPE_JUNIPER_MONITOR 164 357 358 /* 359 * Reserved for BACnet MS/TP. 360 */ 361 #define LINKTYPE_BACNET_MS_TP 165 362 363 /* 364 * Another PPP variant as per request from Karsten Keil <kkeil@suse.de>. 365 * 366 * This is used in some OSes to allow a kernel socket filter to distinguish 367 * between incoming and outgoing packets, on a socket intended to 368 * supply pppd with outgoing packets so it can do dial-on-demand and 369 * hangup-on-lack-of-demand; incoming packets are filtered out so they 370 * don't cause pppd to hold the connection up (you don't want random 371 * input packets such as port scans, packets from old lost connections, 372 * etc. to force the connection to stay up). 373 * 374 * The first byte of the PPP header (0xff03) is modified to accomodate 375 * the direction - 0x00 = IN, 0x01 = OUT. 376 */ 377 #define LINKTYPE_PPP_PPPD 166 378 379 /* 380 * Juniper-private data link type, as per request from 381 * Hannes Gredler <hannes@juniper.net>. The DLT_s are used 382 * for passing on chassis-internal metainformation such as 383 * QOS profiles, cookies, etc.. 384 */ 385 #define LINKTYPE_JUNIPER_PPPOE 167 386 #define LINKTYPE_JUNIPER_PPPOE_ATM 168 387 388 #define LINKTYPE_GPRS_LLC 169 /* GPRS LLC */ 389 #define LINKTYPE_GPF_T 170 /* GPF-T (ITU-T G.7041/Y.1303) */ 390 #define LINKTYPE_GPF_F 171 /* GPF-T (ITU-T G.7041/Y.1303) */ 391 392 /* 393 * Requested by Oolan Zimmer <oz@gcom.com> for use in Gcom's T1/E1 line 394 * monitoring equipment. 395 */ 396 #define LINKTYPE_GCOM_T1E1 172 397 #define LINKTYPE_GCOM_SERIAL 173 398 399 /* 400 * Juniper-private data link type, as per request from 401 * Hannes Gredler <hannes@juniper.net>. The DLT_ is used 402 * for internal communication to Physical Interface Cards (PIC) 403 */ 404 #define LINKTYPE_JUNIPER_PIC_PEER 174 405 406 /* 407 * Link types requested by Gregor Maier <gregor@endace.com> of Endace 408 * Measurement Systems. They add an ERF header (see 409 * http://www.endace.com/support/EndaceRecordFormat.pdf) in front of 410 * the link-layer header. 411 */ 412 #define LINKTYPE_ERF_ETH 175 /* Ethernet */ 413 #define LINKTYPE_ERF_POS 176 /* Packet-over-SONET */ 414 415 /* 416 * Requested by Daniele Orlandi <daniele@orlandi.com> for raw LAPD 417 * for vISDN (http://www.orlandi.com/visdn/). Its link-layer header 418 * includes additional information before the LAPD header, so it's 419 * not necessarily a generic LAPD header. 420 */ 421 #define LINKTYPE_LINUX_LAPD 177 422 423 /* 424 * Juniper-private data link type, as per request from 425 * Hannes Gredler <hannes@juniper.net>. 426 * The Link Types are used for prepending meta-information 427 * like interface index, interface name 428 * before standard Ethernet, PPP, Frelay & C-HDLC Frames 429 */ 430 #define LINKTYPE_JUNIPER_ETHER 178 431 #define LINKTYPE_JUNIPER_PPP 179 432 #define LINKTYPE_JUNIPER_FRELAY 180 433 #define LINKTYPE_JUNIPER_CHDLC 181 434 435 /* 436 * Multi Link Frame Relay (FRF.16) 437 */ 438 #define LINKTYPE_MFR 182 439 440 /* 441 * Juniper-private data link type, as per request from 442 * Hannes Gredler <hannes@juniper.net>. 443 * The DLT_ is used for internal communication with a 444 * voice Adapter Card (PIC) 445 */ 446 #define LINKTYPE_JUNIPER_VP 183 447 448 /* 449 * Arinc 429 frames. 450 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. 451 * Every frame contains a 32bit A429 label. 452 * More documentation on Arinc 429 can be found at 453 * http://www.condoreng.com/support/downloads/tutorials/ARINCTutorial.pdf 454 */ 455 #define LINKTYPE_A429 184 456 457 /* 458 * Arinc 653 Interpartition Communication messages. 459 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. 460 * Please refer to the A653-1 standard for more information. 461 */ 462 #define LINKTYPE_A653_ICM 185 463 464 /* 465 * USB packets, beginning with a USB setup header; requested by 466 * Paolo Abeni <paolo.abeni@email.it>. 467 */ 468 #define LINKTYPE_USB 186 469 470 /* 471 * Bluetooth HCI UART transport layer (part H:4); requested by 472 * Paolo Abeni. 473 */ 474 #define LINKTYPE_BLUETOOTH_HCI_H4 187 475 476 /* 477 * IEEE 802.16 MAC Common Part Sublayer; requested by Maria Cruz 478 * <cruz_petagay@bah.com>. 479 */ 480 #define LINKTYPE_IEEE802_16_MAC_CPS 188 481 482 /* 483 * USB packets, beginning with a Linux USB header; requested by 484 * Paolo Abeni <paolo.abeni@email.it>. 485 */ 486 #define LINKTYPE_USB_LINUX 189 487 488 /* 489 * Controller Area Network (CAN) v. 2.0B packets. 490 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. 491 * Used to dump CAN packets coming from a CAN Vector board. 492 * More documentation on the CAN v2.0B frames can be found at 493 * http://www.can-cia.org/downloads/?269 494 */ 495 #define LINKTYPE_CAN20B 190 496 497 /* 498 * IEEE 802.15.4, with address fields padded, as is done by Linux 499 * drivers; requested by Juergen Schimmer. 500 */ 501 #define LINKTYPE_IEEE802_15_4_LINUX 191 502 503 /* 504 * Per Packet Information encapsulated packets. 505 * LINKTYPE_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. 506 */ 507 #define LINKTYPE_PPI 192 508 509 /* 510 * Header for 802.16 MAC Common Part Sublayer plus a radiotap radio header; 511 * requested by Charles Clancy. 512 */ 513 #define LINKTYPE_IEEE802_16_MAC_CPS_RADIO 193 514 515 /* 516 * Juniper-private data link type, as per request from 517 * Hannes Gredler <hannes@juniper.net>. 518 * The DLT_ is used for internal communication with a 519 * integrated service module (ISM). 520 */ 521 #define LINKTYPE_JUNIPER_ISM 194 522 523 /* 524 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no 525 * nothing); requested by Mikko Saarnivala <mikko.saarnivala@sensinode.com>. 526 */ 527 #define LINKTYPE_IEEE802_15_4 195 528 529 /* 530 * Various link-layer types, with a pseudo-header, for SITA 531 * (http://www.sita.aero/); requested by Fulko Hew (fulko.hew@gmail.com). 532 */ 533 #define LINKTYPE_SITA 196 534 535 /* 536 * Various link-layer types, with a pseudo-header, for Endace DAG cards; 537 * encapsulates Endace ERF records. Requested by Stephen Donnelly 538 * <stephen@endace.com>. 539 */ 540 #define LINKTYPE_ERF 197 541 542 /* 543 * Special header prepended to Ethernet packets when capturing from a 544 * u10 Networks board. Requested by Phil Mulholland 545 * <phil@u10networks.com>. 546 */ 547 #define LINKTYPE_RAIF1 198 548 549 /* 550 * IPMB packet for IPMI, beginning with the I2C slave address, followed 551 * by the netFn and LUN, etc.. Requested by Chanthy Toeung 552 * <chanthy.toeung@ca.kontron.com>. 553 */ 554 #define LINKTYPE_IPMB 199 555 556 /* 557 * Juniper-private data link type, as per request from 558 * Hannes Gredler <hannes@juniper.net>. 559 * The DLT_ is used for capturing data on a secure tunnel interface. 560 */ 561 #define LINKTYPE_JUNIPER_ST 200 562 563 /* 564 * Bluetooth HCI UART transport layer (part H:4), with pseudo-header 565 * that includes direction information; requested by Paolo Abeni. 566 */ 567 #define LINKTYPE_BLUETOOTH_HCI_H4_WITH_PHDR 201 568 569 /* 570 * AX.25 packet with a 1-byte KISS header; see 571 * 572 * http://www.ax25.net/kiss.htm 573 * 574 * as per Richard Stearn <richard@rns-stearn.demon.co.uk>. 575 */ 576 #define LINKTYPE_AX25_KISS 202 577 578 /* 579 * LAPD packets from an ISDN channel, starting with the address field, 580 * with no pseudo-header. 581 * Requested by Varuna De Silva <varunax@gmail.com>. 582 */ 583 #define LINKTYPE_LAPD 203 584 585 /* 586 * Variants of various link-layer headers, with a one-byte direction 587 * pseudo-header prepended - zero means "received by this host", 588 * non-zero (any non-zero value) means "sent by this host" - as per 589 * Will Barker <w.barker@zen.co.uk>. 590 */ 591 #define LINKTYPE_PPP_WITH_DIR 204 /* PPP */ 592 #define LINKTYPE_C_HDLC_WITH_DIR 205 /* Cisco HDLC */ 593 #define LINKTYPE_FRELAY_WITH_DIR 206 /* Frame Relay */ 594 #define LINKTYPE_LAPB_WITH_DIR 207 /* LAPB */ 595 596 /* 597 * 208 is reserved for an as-yet-unspecified proprietary link-layer 598 * type, as requested by Will Barker. 599 */ 600 601 /* 602 * IPMB with a Linux-specific pseudo-header; as requested by Alexey Neyman 603 * <avn@pigeonpoint.com>. 604 */ 605 #define LINKTYPE_IPMB_LINUX 209 606 607 /* 608 * FlexRay automotive bus - http://www.flexray.com/ - as requested 609 * by Hannes Kaelber <hannes.kaelber@x2e.de>. 610 */ 611 #define LINKTYPE_FLEXRAY 210 612 613 /* 614 * Media Oriented Systems Transport (MOST) bus for multimedia 615 * transport - http://www.mostcooperation.com/ - as requested 616 * by Hannes Kaelber <hannes.kaelber@x2e.de>. 617 */ 618 #define LINKTYPE_MOST 211 619 620 /* 621 * Local Interconnect Network (LIN) bus for vehicle networks - 622 * http://www.lin-subbus.org/ - as requested by Hannes Kaelber 623 * <hannes.kaelber@x2e.de>. 624 */ 625 #define LINKTYPE_LIN 212 626 627 /* 628 * X2E-private data link type used for serial line capture, 629 * as requested by Hannes Kaelber <hannes.kaelber@x2e.de>. 630 */ 631 #define LINKTYPE_X2E_SERIAL 213 632 633 /* 634 * X2E-private data link type used for the Xoraya data logger 635 * family, as requested by Hannes Kaelber <hannes.kaelber@x2e.de>. 636 */ 637 #define LINKTYPE_X2E_XORAYA 214 638 639 /* 640 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no 641 * nothing), but with the PHY-level data for non-ASK PHYs (4 octets 642 * of 0 as preamble, one octet of SFD, one octet of frame length+ 643 * reserved bit, and then the MAC-layer data, starting with the 644 * frame control field). 645 * 646 * Requested by Max Filippov <jcmvbkbc@gmail.com>. 647 */ 648 #define LINKTYPE_IEEE802_15_4_NONASK_PHY 215 649 650 651 static struct linktype_map { 652 int dlt; 653 int linktype; 654 } map[] = { 655 /* 656 * These DLT_* codes have LINKTYPE_* codes with values identical 657 * to the values of the corresponding DLT_* code. 658 */ 659 { DLT_NULL, LINKTYPE_NULL }, 660 { DLT_EN10MB, LINKTYPE_ETHERNET }, 661 { DLT_EN3MB, LINKTYPE_EXP_ETHERNET }, 662 { DLT_AX25, LINKTYPE_AX25 }, 663 { DLT_PRONET, LINKTYPE_PRONET }, 664 { DLT_CHAOS, LINKTYPE_CHAOS }, 665 { DLT_IEEE802, LINKTYPE_TOKEN_RING }, 666 { DLT_ARCNET, LINKTYPE_ARCNET }, 667 { DLT_SLIP, LINKTYPE_SLIP }, 668 { DLT_PPP, LINKTYPE_PPP }, 669 { DLT_FDDI, LINKTYPE_FDDI }, 670 671 /* 672 * These DLT_* codes have different values on different 673 * platforms; we map them to LINKTYPE_* codes that 674 * have values that should never be equal to any DLT_* 675 * code. 676 */ 677 #ifdef DLT_FR 678 /* BSD/OS Frame Relay */ 679 { DLT_FR, LINKTYPE_FRELAY }, 680 #endif 681 682 { DLT_SYMANTEC_FIREWALL, LINKTYPE_SYMANTEC_FIREWALL }, 683 { DLT_ATM_RFC1483, LINKTYPE_ATM_RFC1483 }, 684 { DLT_RAW, LINKTYPE_RAW }, 685 { DLT_SLIP_BSDOS, LINKTYPE_SLIP_BSDOS }, 686 { DLT_PPP_BSDOS, LINKTYPE_PPP_BSDOS }, 687 688 /* BSD/OS Cisco HDLC */ 689 { DLT_C_HDLC, LINKTYPE_C_HDLC }, 690 691 /* 692 * These DLT_* codes are not on all platforms, but, so far, 693 * there don't appear to be any platforms that define 694 * other codes with those values; we map them to 695 * different LINKTYPE_* values anyway, just in case. 696 */ 697 698 /* Linux ATM Classical IP */ 699 { DLT_ATM_CLIP, LINKTYPE_ATM_CLIP }, 700 701 /* NetBSD sync/async serial PPP (or Cisco HDLC) */ 702 { DLT_PPP_SERIAL, LINKTYPE_PPP_HDLC }, 703 704 /* NetBSD PPP over Ethernet */ 705 { DLT_PPP_ETHER, LINKTYPE_PPP_ETHER }, 706 707 /* IEEE 802.11 wireless */ 708 { DLT_IEEE802_11, LINKTYPE_IEEE802_11 }, 709 710 /* Frame Relay */ 711 { DLT_FRELAY, LINKTYPE_FRELAY }, 712 713 /* OpenBSD loopback */ 714 { DLT_LOOP, LINKTYPE_LOOP }, 715 716 /* Linux cooked socket capture */ 717 { DLT_LINUX_SLL, LINKTYPE_LINUX_SLL }, 718 719 /* Apple LocalTalk hardware */ 720 { DLT_LTALK, LINKTYPE_LTALK }, 721 722 /* Acorn Econet */ 723 { DLT_ECONET, LINKTYPE_ECONET }, 724 725 /* OpenBSD DLT_PFLOG */ 726 { DLT_PFLOG, LINKTYPE_PFLOG }, 727 728 /* For Cisco-internal use */ 729 { DLT_CISCO_IOS, LINKTYPE_CISCO_IOS }, 730 731 /* Prism II monitor-mode header plus 802.11 header */ 732 { DLT_PRISM_HEADER, LINKTYPE_PRISM_HEADER }, 733 734 /* FreeBSD Aironet driver stuff */ 735 { DLT_AIRONET_HEADER, LINKTYPE_AIRONET_HEADER }, 736 737 /* Siemens HiPath HDLC */ 738 { DLT_HHDLC, LINKTYPE_HHDLC }, 739 740 /* RFC 2625 IP-over-Fibre Channel */ 741 { DLT_IP_OVER_FC, LINKTYPE_IP_OVER_FC }, 742 743 /* Solaris+SunATM */ 744 { DLT_SUNATM, LINKTYPE_SUNATM }, 745 746 /* RapidIO */ 747 { DLT_RIO, LINKTYPE_RIO }, 748 749 /* PCI Express */ 750 { DLT_PCI_EXP, LINKTYPE_PCI_EXP }, 751 752 /* Xilinx Aurora link layer */ 753 { DLT_AURORA, LINKTYPE_AURORA }, 754 755 /* 802.11 plus BSD radio header */ 756 { DLT_IEEE802_11_RADIO, LINKTYPE_IEEE802_11_RADIO }, 757 758 /* Tazmen Sniffer Protocol */ 759 { DLT_TZSP, LINKTYPE_TZSP }, 760 761 /* Arcnet with Linux-style link-layer headers */ 762 { DLT_ARCNET_LINUX, LINKTYPE_ARCNET_LINUX }, 763 764 /* Juniper-internal chassis encapsulation */ 765 { DLT_JUNIPER_MLPPP, LINKTYPE_JUNIPER_MLPPP }, 766 { DLT_JUNIPER_MLFR, LINKTYPE_JUNIPER_MLFR }, 767 { DLT_JUNIPER_ES, LINKTYPE_JUNIPER_ES }, 768 { DLT_JUNIPER_GGSN, LINKTYPE_JUNIPER_GGSN }, 769 { DLT_JUNIPER_MFR, LINKTYPE_JUNIPER_MFR }, 770 { DLT_JUNIPER_ATM2, LINKTYPE_JUNIPER_ATM2 }, 771 { DLT_JUNIPER_SERVICES, LINKTYPE_JUNIPER_SERVICES }, 772 { DLT_JUNIPER_ATM1, LINKTYPE_JUNIPER_ATM1 }, 773 774 /* Apple IP-over-IEEE 1394 cooked header */ 775 { DLT_APPLE_IP_OVER_IEEE1394, LINKTYPE_APPLE_IP_OVER_IEEE1394 }, 776 777 /* SS7 */ 778 { DLT_MTP2_WITH_PHDR, LINKTYPE_MTP2_WITH_PHDR }, 779 { DLT_MTP2, LINKTYPE_MTP2 }, 780 { DLT_MTP3, LINKTYPE_MTP3 }, 781 { DLT_SCCP, LINKTYPE_SCCP }, 782 783 /* DOCSIS MAC frames */ 784 { DLT_DOCSIS, LINKTYPE_DOCSIS }, 785 786 /* IrDA IrLAP packets + Linux-cooked header */ 787 { DLT_LINUX_IRDA, LINKTYPE_LINUX_IRDA }, 788 789 /* IBM SP and Next Federation switches */ 790 { DLT_IBM_SP, LINKTYPE_IBM_SP }, 791 { DLT_IBM_SN, LINKTYPE_IBM_SN }, 792 793 /* 802.11 plus AVS radio header */ 794 { DLT_IEEE802_11_RADIO_AVS, LINKTYPE_IEEE802_11_RADIO_AVS }, 795 796 /* 797 * Any platform that defines additional DLT_* codes should: 798 * 799 * request a LINKTYPE_* code and value from tcpdump.org, 800 * as per the above; 801 * 802 * add, in their version of libpcap, an entry to map 803 * those DLT_* codes to the corresponding LINKTYPE_* 804 * code; 805 * 806 * redefine, in their "net/bpf.h", any DLT_* values 807 * that collide with the values used by their additional 808 * DLT_* codes, to remove those collisions (but without 809 * making them collide with any of the LINKTYPE_* 810 * values equal to 50 or above; they should also avoid 811 * defining DLT_* values that collide with those 812 * LINKTYPE_* values, either). 813 */ 814 815 /* Juniper-internal chassis encapsulation */ 816 { DLT_JUNIPER_MONITOR, LINKTYPE_JUNIPER_MONITOR }, 817 818 /* BACnet MS/TP */ 819 { DLT_BACNET_MS_TP, LINKTYPE_BACNET_MS_TP }, 820 821 /* PPP for pppd, with direction flag in the PPP header */ 822 { DLT_PPP_PPPD, LINKTYPE_PPP_PPPD}, 823 824 /* Juniper-internal chassis encapsulation */ 825 { DLT_JUNIPER_PPPOE, LINKTYPE_JUNIPER_PPPOE }, 826 { DLT_JUNIPER_PPPOE_ATM,LINKTYPE_JUNIPER_PPPOE_ATM }, 827 828 /* GPRS LLC */ 829 { DLT_GPRS_LLC, LINKTYPE_GPRS_LLC }, 830 831 /* Transparent Generic Framing Procedure (ITU-T G.7041/Y.1303) */ 832 { DLT_GPF_T, LINKTYPE_GPF_T }, 833 834 /* Framed Generic Framing Procedure (ITU-T G.7041/Y.1303) */ 835 { DLT_GPF_F, LINKTYPE_GPF_F }, 836 837 { DLT_GCOM_T1E1, LINKTYPE_GCOM_T1E1 }, 838 { DLT_GCOM_SERIAL, LINKTYPE_GCOM_SERIAL }, 839 840 /* Juniper-internal chassis encapsulation */ 841 { DLT_JUNIPER_PIC_PEER, LINKTYPE_JUNIPER_PIC_PEER }, 842 843 /* Endace types */ 844 { DLT_ERF_ETH, LINKTYPE_ERF_ETH }, 845 { DLT_ERF_POS, LINKTYPE_ERF_POS }, 846 847 /* viSDN LAPD */ 848 { DLT_LINUX_LAPD, LINKTYPE_LINUX_LAPD }, 849 850 /* Juniper meta-information before Ether, PPP, Frame Relay, C-HDLC Frames */ 851 { DLT_JUNIPER_ETHER, LINKTYPE_JUNIPER_ETHER }, 852 { DLT_JUNIPER_PPP, LINKTYPE_JUNIPER_PPP }, 853 { DLT_JUNIPER_FRELAY, LINKTYPE_JUNIPER_FRELAY }, 854 { DLT_JUNIPER_CHDLC, LINKTYPE_JUNIPER_CHDLC }, 855 856 /* Multi Link Frame Relay (FRF.16) */ 857 { DLT_MFR, LINKTYPE_MFR }, 858 859 /* Juniper Voice PIC */ 860 { DLT_JUNIPER_VP, LINKTYPE_JUNIPER_VP }, 861 862 /* Controller Area Network (CAN) v2.0B */ 863 { DLT_A429, LINKTYPE_A429 }, 864 865 /* Arinc 653 Interpartition Communication messages */ 866 { DLT_A653_ICM, LINKTYPE_A653_ICM }, 867 868 /* USB */ 869 { DLT_USB, LINKTYPE_USB }, 870 871 /* Bluetooth HCI UART transport layer */ 872 { DLT_BLUETOOTH_HCI_H4, LINKTYPE_BLUETOOTH_HCI_H4 }, 873 874 /* IEEE 802.16 MAC Common Part Sublayer */ 875 { DLT_IEEE802_16_MAC_CPS, LINKTYPE_IEEE802_16_MAC_CPS }, 876 877 /* USB with Linux header */ 878 { DLT_USB_LINUX, LINKTYPE_USB_LINUX }, 879 880 /* Controller Area Network (CAN) v2.0B */ 881 { DLT_CAN20B, LINKTYPE_CAN20B }, 882 883 /* IEEE 802.15.4 with address fields padded */ 884 { DLT_IEEE802_15_4_LINUX, LINKTYPE_IEEE802_15_4_LINUX }, 885 886 /* Per Packet Information encapsulated packets */ 887 { DLT_PPI, LINKTYPE_PPI }, 888 889 /* IEEE 802.16 MAC Common Part Sublayer plus radiotap header */ 890 { DLT_IEEE802_16_MAC_CPS_RADIO, LINKTYPE_IEEE802_16_MAC_CPS_RADIO }, 891 892 /* Juniper Voice ISM */ 893 { DLT_JUNIPER_ISM, LINKTYPE_JUNIPER_ISM }, 894 895 /* IEEE 802.15.4 exactly as it appears in the spec */ 896 { DLT_IEEE802_15_4, LINKTYPE_IEEE802_15_4 }, 897 898 /* Various link-layer types for SITA */ 899 { DLT_SITA, LINKTYPE_SITA }, 900 901 /* Various link-layer types for Endace */ 902 { DLT_ERF, LINKTYPE_ERF }, 903 904 /* Special header for u10 Networks boards */ 905 { DLT_RAIF1, LINKTYPE_RAIF1 }, 906 907 /* IPMB */ 908 { DLT_IPMB, LINKTYPE_IPMB }, 909 910 /* enc0 device */ 911 { DLT_ENC, LINKTYPE_ENC }, 912 913 /* Juniper Secure Tunnel */ 914 { DLT_JUNIPER_ST, LINKTYPE_JUNIPER_ST }, 915 916 /* Bluetooth HCI UART transport layer, with pseudo-header */ 917 { DLT_BLUETOOTH_HCI_H4_WITH_PHDR, LINKTYPE_BLUETOOTH_HCI_H4_WITH_PHDR }, 918 919 /* AX.25 with KISS header */ 920 { DLT_AX25_KISS, LINKTYPE_AX25_KISS }, 921 922 /* Raw LAPD, with no pseudo-header */ 923 { DLT_LAPD, LINKTYPE_LAPD }, 924 925 /* PPP with one-byte pseudo-header giving direction */ 926 { DLT_PPP_WITH_DIR, LINKTYPE_PPP_WITH_DIR }, 927 928 /* Cisco HDLC with one-byte pseudo-header giving direction */ 929 { DLT_C_HDLC_WITH_DIR, LINKTYPE_C_HDLC_WITH_DIR }, 930 931 /* Frame Relay with one-byte pseudo-header giving direction */ 932 { DLT_FRELAY_WITH_DIR, LINKTYPE_FRELAY_WITH_DIR }, 933 934 /* LAPB with one-byte pseudo-header giving direction */ 935 { DLT_LAPB_WITH_DIR, LINKTYPE_LAPB_WITH_DIR }, 936 937 /* IPMB with Linux pseudo-header */ 938 { DLT_IPMB_LINUX, LINKTYPE_IPMB_LINUX }, 939 940 /* FlexRay */ 941 { DLT_FLEXRAY, LINKTYPE_FLEXRAY }, 942 943 /* MOST */ 944 { DLT_MOST, LINKTYPE_MOST }, 945 946 /* LIN */ 947 { DLT_LIN, LINKTYPE_LIN }, 948 949 /* X2E-private serial line capture */ 950 { DLT_X2E_SERIAL, LINKTYPE_X2E_SERIAL }, 951 952 /* X2E-private for Xoraya data logger family */ 953 { DLT_X2E_XORAYA, LINKTYPE_X2E_XORAYA }, 954 955 /* IEEE 802.15.4 with PHY data for non-ASK PHYs */ 956 { DLT_IEEE802_15_4_NONASK_PHY, LINKTYPE_IEEE802_15_4_NONASK_PHY }, 957 958 { -1, -1 } 959 }; 960 961 /* 962 * Mechanism for storing information about a capture in the upper 963 * 6 bits of a linktype value in a capture file. 964 * 965 * LT_LINKTYPE_EXT(x) extracts the additional information. 966 * 967 * The rest of the bits are for a value describing the link-layer 968 * value. LT_LINKTYPE(x) extracts that value. 969 */ 970 #define LT_LINKTYPE(x) ((x) & 0x03FFFFFF) 971 #define LT_LINKTYPE_EXT(x) ((x) & 0xFC000000) 972 973 static int 974 dlt_to_linktype(int dlt) 975 { 976 int i; 977 978 for (i = 0; map[i].dlt != -1; i++) { 979 if (map[i].dlt == dlt) 980 return (map[i].linktype); 981 } 982 983 /* 984 * If we don't have a mapping for this DLT_ code, return an 985 * error; that means that the table above needs to have an 986 * entry added. 987 */ 988 return (-1); 989 } 990 991 static int 992 linktype_to_dlt(int linktype) 993 { 994 int i; 995 996 for (i = 0; map[i].linktype != -1; i++) { 997 if (map[i].linktype == linktype) 998 return (map[i].dlt); 999 } 1000 1001 /* 1002 * If we don't have an entry for this link type, return 1003 * the link type value; it may be a DLT_ value from an 1004 * older version of libpcap. 1005 */ 1006 return linktype; 1007 } 1008 1009 static int 1010 sf_write_header(FILE *fp, int linktype, int thiszone, int snaplen) 1011 { 1012 struct pcap_file_header hdr; 1013 1014 hdr.magic = TCPDUMP_MAGIC; 1015 hdr.version_major = PCAP_VERSION_MAJOR; 1016 hdr.version_minor = PCAP_VERSION_MINOR; 1017 1018 hdr.thiszone = thiszone; 1019 hdr.snaplen = snaplen; 1020 hdr.sigfigs = 0; 1021 hdr.linktype = linktype; 1022 1023 if (fwrite((char *)&hdr, sizeof(hdr), 1, fp) != 1) 1024 return (-1); 1025 1026 return (0); 1027 } 1028 1029 static void 1030 swap_hdr(struct pcap_file_header *hp) 1031 { 1032 hp->version_major = SWAPSHORT(hp->version_major); 1033 hp->version_minor = SWAPSHORT(hp->version_minor); 1034 hp->thiszone = SWAPLONG(hp->thiszone); 1035 hp->sigfigs = SWAPLONG(hp->sigfigs); 1036 hp->snaplen = SWAPLONG(hp->snaplen); 1037 hp->linktype = SWAPLONG(hp->linktype); 1038 } 1039 1040 static int 1041 sf_getnonblock(pcap_t *p, char *errbuf) 1042 { 1043 /* 1044 * This is a savefile, not a live capture file, so never say 1045 * it's in non-blocking mode. 1046 */ 1047 return (0); 1048 } 1049 1050 static int 1051 sf_setnonblock(pcap_t *p, int nonblock, char *errbuf) 1052 { 1053 /* 1054 * This is a savefile, not a live capture file, so ignore 1055 * requests to put it in non-blocking mode. 1056 */ 1057 return (0); 1058 } 1059 1060 static int 1061 sf_stats(pcap_t *p, struct pcap_stat *ps) 1062 { 1063 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1064 "Statistics aren't available from savefiles"); 1065 return (-1); 1066 } 1067 1068 #ifdef WIN32 1069 static int 1070 sf_setbuff(pcap_t *p, int dim) 1071 { 1072 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1073 "The kernel buffer size cannot be set while reading from a file"); 1074 return (-1); 1075 } 1076 1077 static int 1078 sf_setmode(pcap_t *p, int mode) 1079 { 1080 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1081 "impossible to set mode while reading from a file"); 1082 return (-1); 1083 } 1084 1085 static int 1086 sf_setmintocopy(pcap_t *p, int size) 1087 { 1088 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1089 "The mintocopy parameter cannot be set while reading from a file"); 1090 return (-1); 1091 } 1092 #endif 1093 1094 static int 1095 sf_inject(pcap_t *p, const void *buf _U_, size_t size _U_) 1096 { 1097 strlcpy(p->errbuf, "Sending packets isn't supported on savefiles", 1098 PCAP_ERRBUF_SIZE); 1099 return (-1); 1100 } 1101 1102 /* 1103 * Set direction flag: Which packets do we accept on a forwarding 1104 * single device? IN, OUT or both? 1105 */ 1106 static int 1107 sf_setdirection(pcap_t *p, pcap_direction_t d) 1108 { 1109 snprintf(p->errbuf, sizeof(p->errbuf), 1110 "Setting direction is not supported on savefiles"); 1111 return (-1); 1112 } 1113 1114 static void 1115 sf_cleanup(pcap_t *p) 1116 { 1117 if (p->sf.rfile != stdin) 1118 (void)fclose(p->sf.rfile); 1119 if (p->sf.base != NULL) 1120 free(p->sf.base); 1121 } 1122 1123 pcap_t * 1124 pcap_open_offline(const char *fname, char *errbuf) 1125 { 1126 FILE *fp; 1127 pcap_t *p; 1128 1129 if (fname[0] == '-' && fname[1] == '\0') 1130 { 1131 fp = stdin; 1132 #if defined(WIN32) || defined(MSDOS) 1133 /* 1134 * We're reading from the standard input, so put it in binary 1135 * mode, as savefiles are binary files. 1136 */ 1137 SET_BINMODE(fp); 1138 #endif 1139 } 1140 else { 1141 #if !defined(WIN32) && !defined(MSDOS) 1142 fp = fopen(fname, "r"); 1143 #else 1144 fp = fopen(fname, "rb"); 1145 #endif 1146 if (fp == NULL) { 1147 snprintf(errbuf, PCAP_ERRBUF_SIZE, "%s: %s", fname, 1148 pcap_strerror(errno)); 1149 return (NULL); 1150 } 1151 } 1152 p = pcap_fopen_offline(fp, errbuf); 1153 if (p == NULL) { 1154 if (fp != stdin) 1155 fclose(fp); 1156 } 1157 return (p); 1158 } 1159 1160 #ifdef WIN32 1161 pcap_t* pcap_hopen_offline(intptr_t osfd, char *errbuf) 1162 { 1163 int fd; 1164 FILE *file; 1165 1166 fd = _open_osfhandle(osfd, _O_RDONLY); 1167 if ( fd < 0 ) 1168 { 1169 snprintf(errbuf, PCAP_ERRBUF_SIZE, pcap_strerror(errno)); 1170 return NULL; 1171 } 1172 1173 file = _fdopen(fd, "rb"); 1174 if ( file == NULL ) 1175 { 1176 snprintf(errbuf, PCAP_ERRBUF_SIZE, pcap_strerror(errno)); 1177 return NULL; 1178 } 1179 1180 return pcap_fopen_offline(file, errbuf); 1181 } 1182 #endif 1183 1184 #ifdef WIN32 1185 static 1186 #endif 1187 pcap_t * 1188 pcap_fopen_offline(FILE *fp, char *errbuf) 1189 { 1190 register pcap_t *p; 1191 struct pcap_file_header hdr; 1192 size_t amt_read; 1193 bpf_u_int32 magic; 1194 int linklen; 1195 1196 p = (pcap_t *)malloc(sizeof(*p)); 1197 if (p == NULL) { 1198 strlcpy(errbuf, "out of swap", PCAP_ERRBUF_SIZE); 1199 return (NULL); 1200 } 1201 1202 memset((char *)p, 0, sizeof(*p)); 1203 1204 amt_read = fread((char *)&hdr, 1, sizeof(hdr), fp); 1205 if (amt_read != sizeof(hdr)) { 1206 if (ferror(fp)) { 1207 snprintf(errbuf, PCAP_ERRBUF_SIZE, 1208 "error reading dump file: %s", 1209 pcap_strerror(errno)); 1210 } else { 1211 snprintf(errbuf, PCAP_ERRBUF_SIZE, 1212 "truncated dump file; tried to read %lu file header bytes, only got %lu", 1213 (unsigned long)sizeof(hdr), 1214 (unsigned long)amt_read); 1215 } 1216 goto bad; 1217 } 1218 magic = hdr.magic; 1219 if (magic != TCPDUMP_MAGIC && magic != KUZNETZOV_TCPDUMP_MAGIC) { 1220 magic = SWAPLONG(magic); 1221 if (magic != TCPDUMP_MAGIC && magic != KUZNETZOV_TCPDUMP_MAGIC) { 1222 snprintf(errbuf, PCAP_ERRBUF_SIZE, 1223 "bad dump file format"); 1224 goto bad; 1225 } 1226 p->sf.swapped = 1; 1227 swap_hdr(&hdr); 1228 } 1229 if (magic == KUZNETZOV_TCPDUMP_MAGIC) { 1230 /* 1231 * XXX - the patch that's in some versions of libpcap 1232 * changes the packet header but not the magic number, 1233 * and some other versions with this magic number have 1234 * some extra debugging information in the packet header; 1235 * we'd have to use some hacks^H^H^H^H^Hheuristics to 1236 * detect those variants. 1237 * 1238 * Ethereal does that, but it does so by trying to read 1239 * the first two packets of the file with each of the 1240 * record header formats. That currently means it seeks 1241 * backwards and retries the reads, which doesn't work 1242 * on pipes. We want to be able to read from a pipe, so 1243 * that strategy won't work; we'd have to buffer some 1244 * data ourselves and read from that buffer in order to 1245 * make that work. 1246 */ 1247 p->sf.hdrsize = sizeof(struct pcap_sf_patched_pkthdr); 1248 } else 1249 p->sf.hdrsize = sizeof(struct pcap_sf_pkthdr); 1250 if (hdr.version_major < PCAP_VERSION_MAJOR) { 1251 snprintf(errbuf, PCAP_ERRBUF_SIZE, "archaic file format"); 1252 goto bad; 1253 } 1254 p->tzoff = hdr.thiszone; 1255 p->snapshot = hdr.snaplen; 1256 p->linktype = linktype_to_dlt(LT_LINKTYPE(hdr.linktype)); 1257 p->linktype_ext = LT_LINKTYPE_EXT(hdr.linktype); 1258 if (magic == KUZNETZOV_TCPDUMP_MAGIC && p->linktype == DLT_EN10MB) { 1259 /* 1260 * This capture might have been done in raw mode or cooked 1261 * mode. 1262 * 1263 * If it was done in cooked mode, p->snapshot was passed 1264 * to recvfrom() as the buffer size, meaning that the 1265 * most packet data that would be copied would be 1266 * p->snapshot. However, a faked Ethernet header would 1267 * then have been added to it, so the most data that would 1268 * be in a packet in the file would be p->snapshot + 14. 1269 * 1270 * We can't easily tell whether the capture was done in 1271 * raw mode or cooked mode, so we'll assume it was 1272 * cooked mode, and add 14 to the snapshot length. That 1273 * means that, for a raw capture, the snapshot length will 1274 * be misleading if you use it to figure out why a capture 1275 * doesn't have all the packet data, but there's not much 1276 * we can do to avoid that. 1277 */ 1278 p->snapshot += 14; 1279 } 1280 p->sf.rfile = fp; 1281 #ifndef WIN32 1282 p->bufsize = hdr.snaplen; 1283 #else 1284 /* Allocate the space for pcap_pkthdr as well. It will be used by pcap_read_ex */ 1285 p->bufsize = hdr.snaplen+sizeof(struct pcap_pkthdr); 1286 #endif 1287 1288 /* Align link header as required for proper data alignment */ 1289 /* XXX should handle all types */ 1290 switch (p->linktype) { 1291 1292 case DLT_EN10MB: 1293 linklen = 14; 1294 break; 1295 1296 case DLT_FDDI: 1297 linklen = 13 + 8; /* fddi_header + llc */ 1298 break; 1299 1300 case DLT_NULL: 1301 default: 1302 linklen = 0; 1303 break; 1304 } 1305 1306 if (p->bufsize < 0) 1307 p->bufsize = BPF_MAXBUFSIZE; 1308 p->sf.base = (u_char *)malloc(p->bufsize + BPF_ALIGNMENT); 1309 if (p->sf.base == NULL) { 1310 strlcpy(errbuf, "out of swap", PCAP_ERRBUF_SIZE); 1311 goto bad; 1312 } 1313 p->buffer = p->sf.base + BPF_ALIGNMENT - (linklen % BPF_ALIGNMENT); 1314 p->sf.version_major = hdr.version_major; 1315 p->sf.version_minor = hdr.version_minor; 1316 #ifdef PCAP_FDDIPAD 1317 /* Padding only needed for live capture fcode */ 1318 p->fddipad = 0; 1319 #endif 1320 1321 /* 1322 * We interchanged the caplen and len fields at version 2.3, 1323 * in order to match the bpf header layout. But unfortunately 1324 * some files were written with version 2.3 in their headers 1325 * but without the interchanged fields. 1326 * 1327 * In addition, DG/UX tcpdump writes out files with a version 1328 * number of 543.0, and with the caplen and len fields in the 1329 * pre-2.3 order. 1330 */ 1331 switch (hdr.version_major) { 1332 1333 case 2: 1334 if (hdr.version_minor < 3) 1335 p->sf.lengths_swapped = SWAPPED; 1336 else if (hdr.version_minor == 3) 1337 p->sf.lengths_swapped = MAYBE_SWAPPED; 1338 else 1339 p->sf.lengths_swapped = NOT_SWAPPED; 1340 break; 1341 1342 case 543: 1343 p->sf.lengths_swapped = SWAPPED; 1344 break; 1345 1346 default: 1347 p->sf.lengths_swapped = NOT_SWAPPED; 1348 break; 1349 } 1350 1351 #if !defined(WIN32) && !defined(MSDOS) 1352 /* 1353 * You can do "select()" and "poll()" on plain files on most 1354 * platforms, and should be able to do so on pipes. 1355 * 1356 * You can't do "select()" on anything other than sockets in 1357 * Windows, so, on Win32 systems, we don't have "selectable_fd". 1358 */ 1359 p->selectable_fd = fileno(fp); 1360 #endif 1361 1362 p->read_op = pcap_offline_read; 1363 p->inject_op = sf_inject; 1364 p->setfilter_op = install_bpf_program; 1365 p->setdirection_op = sf_setdirection; 1366 p->set_datalink_op = NULL; /* we don't support munging link-layer headers */ 1367 p->getnonblock_op = sf_getnonblock; 1368 p->setnonblock_op = sf_setnonblock; 1369 p->stats_op = sf_stats; 1370 #ifdef WIN32 1371 p->setbuff_op = sf_setbuff; 1372 p->setmode_op = sf_setmode; 1373 p->setmintocopy_op = sf_setmintocopy; 1374 #endif 1375 p->cleanup_op = sf_cleanup; 1376 p->activated = 1; 1377 1378 return (p); 1379 bad: 1380 free(p); 1381 return (NULL); 1382 } 1383 1384 /* 1385 * Read sf_readfile and return the next packet. Return the header in hdr 1386 * and the contents in buf. Return 0 on success, SFERR_EOF if there were 1387 * no more packets, and SFERR_TRUNC if a partial packet was encountered. 1388 */ 1389 static int 1390 sf_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char *buf, u_int buflen) 1391 { 1392 struct pcap_sf_patched_pkthdr sf_hdr; 1393 FILE *fp = p->sf.rfile; 1394 size_t amt_read; 1395 bpf_u_int32 t; 1396 1397 /* 1398 * Read the packet header; the structure we use as a buffer 1399 * is the longer structure for files generated by the patched 1400 * libpcap, but if the file has the magic number for an 1401 * unpatched libpcap we only read as many bytes as the regular 1402 * header has. 1403 */ 1404 amt_read = fread(&sf_hdr, 1, p->sf.hdrsize, fp); 1405 if (amt_read != p->sf.hdrsize) { 1406 if (ferror(fp)) { 1407 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1408 "error reading dump file: %s", 1409 pcap_strerror(errno)); 1410 return (-1); 1411 } else { 1412 if (amt_read != 0) { 1413 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1414 "truncated dump file; tried to read %lu header bytes, only got %lu", 1415 (unsigned long)p->sf.hdrsize, 1416 (unsigned long)amt_read); 1417 return (-1); 1418 } 1419 /* EOF */ 1420 return (1); 1421 } 1422 } 1423 1424 if (p->sf.swapped) { 1425 /* these were written in opposite byte order */ 1426 hdr->caplen = SWAPLONG(sf_hdr.caplen); 1427 hdr->len = SWAPLONG(sf_hdr.len); 1428 hdr->ts.tv_sec = SWAPLONG(sf_hdr.ts.tv_sec); 1429 hdr->ts.tv_usec = SWAPLONG(sf_hdr.ts.tv_usec); 1430 } else { 1431 hdr->caplen = sf_hdr.caplen; 1432 hdr->len = sf_hdr.len; 1433 hdr->ts.tv_sec = sf_hdr.ts.tv_sec; 1434 hdr->ts.tv_usec = sf_hdr.ts.tv_usec; 1435 } 1436 /* Swap the caplen and len fields, if necessary. */ 1437 switch (p->sf.lengths_swapped) { 1438 1439 case NOT_SWAPPED: 1440 break; 1441 1442 case MAYBE_SWAPPED: 1443 if (hdr->caplen <= hdr->len) { 1444 /* 1445 * The captured length is <= the actual length, 1446 * so presumably they weren't swapped. 1447 */ 1448 break; 1449 } 1450 /* FALLTHROUGH */ 1451 1452 case SWAPPED: 1453 t = hdr->caplen; 1454 hdr->caplen = hdr->len; 1455 hdr->len = t; 1456 break; 1457 } 1458 1459 if (hdr->caplen > buflen) { 1460 /* 1461 * This can happen due to Solaris 2.3 systems tripping 1462 * over the BUFMOD problem and not setting the snapshot 1463 * correctly in the savefile header. If the caplen isn't 1464 * grossly wrong, try to salvage. 1465 */ 1466 static u_char *tp = NULL; 1467 static size_t tsize = 0; 1468 1469 if (hdr->caplen > 65535) { 1470 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1471 "bogus savefile header"); 1472 return (-1); 1473 } 1474 1475 if (tsize < hdr->caplen) { 1476 tsize = ((hdr->caplen + 1023) / 1024) * 1024; 1477 if (tp != NULL) 1478 free((u_char *)tp); 1479 tp = (u_char *)malloc(tsize); 1480 if (tp == NULL) { 1481 tsize = 0; 1482 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1483 "BUFMOD hack malloc"); 1484 return (-1); 1485 } 1486 } 1487 amt_read = fread((char *)tp, 1, hdr->caplen, fp); 1488 if (amt_read != hdr->caplen) { 1489 if (ferror(fp)) { 1490 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1491 "error reading dump file: %s", 1492 pcap_strerror(errno)); 1493 } else { 1494 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1495 "truncated dump file; tried to read %u captured bytes, only got %lu", 1496 hdr->caplen, (unsigned long)amt_read); 1497 } 1498 return (-1); 1499 } 1500 /* 1501 * We can only keep up to buflen bytes. Since caplen > buflen 1502 * is exactly how we got here, we know we can only keep the 1503 * first buflen bytes and must drop the remainder. Adjust 1504 * caplen accordingly, so we don't get confused later as 1505 * to how many bytes we have to play with. 1506 */ 1507 hdr->caplen = buflen; 1508 memcpy((char *)buf, (char *)tp, buflen); 1509 1510 } else { 1511 /* read the packet itself */ 1512 amt_read = fread((char *)buf, 1, hdr->caplen, fp); 1513 if (amt_read != hdr->caplen) { 1514 if (ferror(fp)) { 1515 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1516 "error reading dump file: %s", 1517 pcap_strerror(errno)); 1518 } else { 1519 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1520 "truncated dump file; tried to read %u captured bytes, only got %lu", 1521 hdr->caplen, (unsigned long)amt_read); 1522 } 1523 return (-1); 1524 } 1525 } 1526 1527 /* 1528 * The DLT_USB_LINUX header is in host byte order when capturing 1529 * (it's supplied directly from a memory-mapped buffer shared 1530 * by the kernel). 1531 * 1532 * When reading a DLT_USB_LINUX capture file, we need to convert 1533 * it from the capturing host's byte order to the reading host's 1534 * byte order. 1535 */ 1536 if (p->sf.swapped && p->linktype == DLT_USB_LINUX) { 1537 pcap_usb_header* uhdr = (pcap_usb_header*) buf; 1538 /* 1539 * The URB id is a totally opaque value; do we really need to 1540 * converte it to the reading host's byte order??? 1541 */ 1542 if (hdr->caplen < 8) 1543 return 0; 1544 uhdr->id = SWAPLL(uhdr->id); 1545 if (hdr->caplen < 14) 1546 return 0; 1547 uhdr->bus_id = SWAPSHORT(uhdr->bus_id); 1548 if (hdr->caplen < 24) 1549 return 0; 1550 uhdr->ts_sec = SWAPLL(uhdr->ts_sec); 1551 if (hdr->caplen < 28) 1552 return 0; 1553 uhdr->ts_usec = SWAPLONG(uhdr->ts_usec); 1554 if (hdr->caplen < 32) 1555 return 0; 1556 uhdr->status = SWAPLONG(uhdr->status); 1557 if (hdr->caplen < 36) 1558 return 0; 1559 uhdr->urb_len = SWAPLONG(uhdr->urb_len); 1560 if (hdr->caplen < 40) 1561 return 0; 1562 uhdr->data_len = SWAPLONG(uhdr->data_len); 1563 } 1564 return (0); 1565 } 1566 1567 /* 1568 * Print out packets stored in the file initialized by sf_read_init(). 1569 * If cnt > 0, return after 'cnt' packets, otherwise continue until eof. 1570 */ 1571 int 1572 pcap_offline_read(pcap_t *p, int cnt, pcap_handler callback, u_char *user) 1573 { 1574 struct bpf_insn *fcode; 1575 int status = 0; 1576 int n = 0; 1577 1578 while (status == 0) { 1579 struct pcap_pkthdr h; 1580 1581 /* 1582 * Has "pcap_breakloop()" been called? 1583 * If so, return immediately - if we haven't read any 1584 * packets, clear the flag and return -2 to indicate 1585 * that we were told to break out of the loop, otherwise 1586 * leave the flag set, so that the *next* call will break 1587 * out of the loop without having read any packets, and 1588 * return the number of packets we've processed so far. 1589 */ 1590 if (p->break_loop) { 1591 if (n == 0) { 1592 p->break_loop = 0; 1593 return (-2); 1594 } else 1595 return (n); 1596 } 1597 1598 status = sf_next_packet(p, &h, p->buffer, p->bufsize); 1599 if (status) { 1600 if (status == 1) 1601 return (0); 1602 return (status); 1603 } 1604 1605 if ((fcode = p->fcode.bf_insns) == NULL || 1606 bpf_filter(fcode, p->buffer, h.len, h.caplen)) { 1607 (*callback)(user, &h, p->buffer); 1608 if (++n >= cnt && cnt > 0) 1609 break; 1610 } 1611 } 1612 /*XXX this breaks semantics tcpslice expects */ 1613 return (n); 1614 } 1615 1616 /* 1617 * Output a packet to the initialized dump file. 1618 */ 1619 void 1620 pcap_dump(u_char *user, const struct pcap_pkthdr *h, const u_char *sp) 1621 { 1622 register FILE *f; 1623 struct pcap_sf_pkthdr sf_hdr; 1624 1625 f = (FILE *)user; 1626 sf_hdr.ts.tv_sec = h->ts.tv_sec; 1627 sf_hdr.ts.tv_usec = h->ts.tv_usec; 1628 sf_hdr.caplen = h->caplen; 1629 sf_hdr.len = h->len; 1630 /* XXX we should check the return status */ 1631 (void)fwrite(&sf_hdr, sizeof(sf_hdr), 1, f); 1632 (void)fwrite(sp, h->caplen, 1, f); 1633 } 1634 1635 static pcap_dumper_t * 1636 pcap_setup_dump(pcap_t *p, int linktype, FILE *f, const char *fname) 1637 { 1638 1639 #if defined(WIN32) || defined(MSDOS) 1640 /* 1641 * If we're writing to the standard output, put it in binary 1642 * mode, as savefiles are binary files. 1643 * 1644 * Otherwise, we turn off buffering. 1645 * XXX - why? And why not on the standard output? 1646 */ 1647 if (f == stdout) 1648 SET_BINMODE(f); 1649 else 1650 setbuf(f, NULL); 1651 #endif 1652 if (sf_write_header(f, linktype, p->tzoff, p->snapshot) == -1) { 1653 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "Can't write to %s: %s", 1654 fname, pcap_strerror(errno)); 1655 if (f != stdout) 1656 (void)fclose(f); 1657 return (NULL); 1658 } 1659 return ((pcap_dumper_t *)f); 1660 } 1661 1662 /* 1663 * Initialize so that sf_write() will output to the file named 'fname'. 1664 */ 1665 pcap_dumper_t * 1666 pcap_dump_open(pcap_t *p, const char *fname) 1667 { 1668 FILE *f; 1669 int linktype; 1670 1671 linktype = dlt_to_linktype(p->linktype); 1672 if (linktype == -1) { 1673 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1674 "%s: link-layer type %d isn't supported in savefiles", 1675 fname, linktype); 1676 return (NULL); 1677 } 1678 linktype |= p->linktype_ext; 1679 1680 if (fname[0] == '-' && fname[1] == '\0') { 1681 f = stdout; 1682 fname = "standard output"; 1683 } else { 1684 #if !defined(WIN32) && !defined(MSDOS) 1685 f = fopen(fname, "w"); 1686 #else 1687 f = fopen(fname, "wb"); 1688 #endif 1689 if (f == NULL) { 1690 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "%s: %s", 1691 fname, pcap_strerror(errno)); 1692 return (NULL); 1693 } 1694 } 1695 return (pcap_setup_dump(p, linktype, f, fname)); 1696 } 1697 1698 /* 1699 * Initialize so that sf_write() will output to the given stream. 1700 */ 1701 pcap_dumper_t * 1702 pcap_dump_fopen(pcap_t *p, FILE *f) 1703 { 1704 int linktype; 1705 1706 linktype = dlt_to_linktype(p->linktype); 1707 if (linktype == -1) { 1708 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1709 "stream: link-layer type %d isn't supported in savefiles", 1710 linktype); 1711 return (NULL); 1712 } 1713 linktype |= p->linktype_ext; 1714 1715 return (pcap_setup_dump(p, linktype, f, "stream")); 1716 } 1717 1718 FILE * 1719 pcap_dump_file(pcap_dumper_t *p) 1720 { 1721 return ((FILE *)p); 1722 } 1723 1724 long 1725 pcap_dump_ftell(pcap_dumper_t *p) 1726 { 1727 return (ftell((FILE *)p)); 1728 } 1729 1730 int 1731 pcap_dump_flush(pcap_dumper_t *p) 1732 { 1733 1734 if (fflush((FILE *)p) == EOF) 1735 return (-1); 1736 else 1737 return (0); 1738 } 1739 1740 void 1741 pcap_dump_close(pcap_dumper_t *p) 1742 { 1743 1744 #ifdef notyet 1745 if (ferror((FILE *)p)) 1746 return-an-error; 1747 /* XXX should check return from fclose() too */ 1748 #endif 1749 (void)fclose((FILE *)p); 1750 } 1751