1 /* libpcap.c
2 *
3 * Wiretap Library
4 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
5 *
6 * SPDX-License-Identifier: GPL-2.0-or-later
7 */
8
9 #include "config.h"
10
11 #include <stdlib.h>
12 #include <string.h>
13 #include <errno.h>
14 #include "wtap-int.h"
15 #include "file_wrappers.h"
16 #include "required_file_handlers.h"
17 #include "pcap-common.h"
18 #include "pcap-encap.h"
19 #include "libpcap.h"
20 #include "erf-common.h"
21 #include <wsutil/ws_assert.h>
22
23 /* See source to the "libpcap" library for information on the "libpcap"
24 file format. */
25
26 /*
27 * Private per-wtap_t data needed to read a file.
28 */
29 typedef enum {
30 NOT_SWAPPED,
31 SWAPPED,
32 MAYBE_SWAPPED
33 } swapped_type_t;
34
35 /*
36 * Variants of pcap, some distinguished by the magic number and some,
37 * alas, not.
38 *
39 * (Don't do that. Srsly.)
40 */
41 typedef enum {
42 PCAP, /* OG pcap */
43 PCAP_NSEC, /* PCAP with nanosecond resolution */
44 PCAP_AIX, /* AIX pcap */
45 PCAP_SS990417, /* Modified, from 1999-04-17 patch */
46 PCAP_SS990915, /* Modified, from 1999-09-15 patch */
47 PCAP_SS991029, /* Modified, from 1999-10-29 patch */
48 PCAP_NOKIA, /* Nokia pcap */
49 PCAP_UNKNOWN /* Unknown as yet */
50 } pcap_variant_t;
51
52 typedef struct {
53 gboolean byte_swapped;
54 swapped_type_t lengths_swapped;
55 guint16 version_major;
56 guint16 version_minor;
57 pcap_variant_t variant;
58 void *encap_priv;
59 } libpcap_t;
60
61 /* Try to read the first few records of the capture file. */
62 static int libpcap_try(wtap *wth, int *err, gchar **err_info);
63 static int libpcap_try_record(wtap *wth, FILE_T fh, int *err, gchar **err_info);
64
65 static gboolean libpcap_read(wtap *wth, wtap_rec *rec, Buffer *buf,
66 int *err, gchar **err_info, gint64 *data_offset);
67 static gboolean libpcap_seek_read(wtap *wth, gint64 seek_off,
68 wtap_rec *rec, Buffer *buf, int *err, gchar **err_info);
69 static gboolean libpcap_read_packet(wtap *wth, FILE_T fh,
70 wtap_rec *rec, Buffer *buf, int *err, gchar **err_info);
71 static int libpcap_read_header(wtap *wth, FILE_T fh, int *err, gchar **err_info,
72 struct pcaprec_ss990915_hdr *hdr);
73 static void libpcap_close(wtap *wth);
74
75 static gboolean libpcap_dump_pcap(wtap_dumper *wdh, const wtap_rec *rec,
76 const guint8 *pd, int *err, gchar **err_info);
77 static gboolean libpcap_dump_pcap_nsec(wtap_dumper *wdh, const wtap_rec *rec,
78 const guint8 *pd, int *err, gchar **err_info);
79 static gboolean libpcap_dump_pcap_ss990417(wtap_dumper *wdh,
80 const wtap_rec *rec, const guint8 *pd, int *err, gchar **err_info);
81 static gboolean libpcap_dump_pcap_ss990915(wtap_dumper *wdh,
82 const wtap_rec *rec, const guint8 *pd, int *err, gchar **err_info);
83 static gboolean libpcap_dump_pcap_ss991029(wtap_dumper *wdh,
84 const wtap_rec *rec, const guint8 *pd, int *err, gchar **err_info);
85 static gboolean libpcap_dump_pcap_nokia(wtap_dumper *wdh, const wtap_rec *rec,
86 const guint8 *pd, int *err, gchar **err_info);
87
88 /*
89 * Private file type/subtype values; pcap and nanosecond-resolution
90 * pcap are imported from wiretap/file_access.c.
91 */
92 static int pcap_aix_file_type_subtype = -1;
93 static int pcap_ss990417_file_type_subtype = -1;
94 static int pcap_ss990915_file_type_subtype = -1;
95 static int pcap_ss991029_file_type_subtype = -1;
96 static int pcap_nokia_file_type_subtype = -1;
97
libpcap_open(wtap * wth,int * err,gchar ** err_info)98 wtap_open_return_val libpcap_open(wtap *wth, int *err, gchar **err_info)
99 {
100 guint32 magic;
101 struct pcap_hdr hdr;
102 gboolean byte_swapped;
103 gboolean modified;
104 gboolean aix;
105 int file_encap;
106 gint64 first_packet_offset;
107 libpcap_t *libpcap;
108 static const pcap_variant_t variants_modified[] = {
109 PCAP_SS991029,
110 PCAP_SS990915
111 };
112 #define N_VARIANTS_MODIFIED G_N_ELEMENTS(variants_modified)
113 static const pcap_variant_t variants_standard[] = {
114 PCAP,
115 PCAP_SS990417,
116 PCAP_NOKIA
117 };
118 #define N_VARIANTS_STANDARD G_N_ELEMENTS(variants_standard)
119 #define MAX_FIGURES_OF_MERIT \
120 MAX(N_VARIANTS_MODIFIED, N_VARIANTS_STANDARD)
121 int figures_of_merit[MAX_FIGURES_OF_MERIT];
122 const pcap_variant_t *variants;
123 int n_variants;
124 int best_variant;
125 int i;
126 int skip_size = 0;
127 int sizebytes;
128
129 /* Read in the number that should be at the start of a "libpcap" file */
130 if (!wtap_read_bytes(wth->fh, &magic, sizeof magic, err, err_info)) {
131 if (*err != WTAP_ERR_SHORT_READ)
132 return WTAP_OPEN_ERROR;
133 return WTAP_OPEN_NOT_MINE;
134 }
135
136 switch (magic) {
137
138 case PCAP_IXIAHW_MAGIC:
139 case PCAP_IXIASW_MAGIC:
140 skip_size = 1;
141 /* FALLTHROUGH */
142 case PCAP_MAGIC:
143 /* Host that wrote it has our byte order, and was running
144 a program using either standard or ss990417 libpcap. */
145 byte_swapped = FALSE;
146 modified = FALSE;
147 wth->file_tsprec = WTAP_TSPREC_USEC;
148 break;
149
150 case PCAP_MODIFIED_MAGIC:
151 /* Host that wrote it has our byte order, and was running
152 a program using either ss990915 or ss991029 libpcap. */
153 byte_swapped = FALSE;
154 modified = TRUE;
155 wth->file_tsprec = WTAP_TSPREC_USEC;
156 break;
157
158 case PCAP_SWAPPED_IXIAHW_MAGIC:
159 case PCAP_SWAPPED_IXIASW_MAGIC:
160 skip_size = 1;
161 /* FALLTHROUGH */
162 case PCAP_SWAPPED_MAGIC:
163 /* Host that wrote it has a byte order opposite to ours,
164 and was running a program using either standard or
165 ss990417 libpcap. */
166 byte_swapped = TRUE;
167 modified = FALSE;
168 wth->file_tsprec = WTAP_TSPREC_USEC;
169 break;
170
171 case PCAP_SWAPPED_MODIFIED_MAGIC:
172 /* Host that wrote it out has a byte order opposite to
173 ours, and was running a program using either ss990915
174 or ss991029 libpcap. */
175 byte_swapped = TRUE;
176 modified = TRUE;
177 wth->file_tsprec = WTAP_TSPREC_USEC;
178 break;
179
180 case PCAP_NSEC_MAGIC:
181 /* Host that wrote it has our byte order, and was writing
182 the file in a format similar to standard libpcap
183 except that the time stamps have nanosecond resolution. */
184 byte_swapped = FALSE;
185 modified = FALSE;
186 wth->file_tsprec = WTAP_TSPREC_NSEC;
187 break;
188
189 case PCAP_SWAPPED_NSEC_MAGIC:
190 /* Host that wrote it out has a byte order opposite to
191 ours, and was writing the file in a format similar to
192 standard libpcap except that the time stamps have
193 nanosecond resolution. */
194 byte_swapped = TRUE;
195 modified = FALSE;
196 wth->file_tsprec = WTAP_TSPREC_NSEC;
197 break;
198
199 default:
200 /* Not a "libpcap" type we know about. */
201 return WTAP_OPEN_NOT_MINE;
202 }
203
204 /* Read the rest of the header. */
205 if (!wtap_read_bytes(wth->fh, &hdr, sizeof hdr, err, err_info))
206 return WTAP_OPEN_ERROR;
207 if (skip_size==1 && !wtap_read_bytes(wth->fh, &sizebytes, sizeof sizebytes, err, err_info))
208 return WTAP_OPEN_ERROR;
209
210 if (byte_swapped) {
211 /* Byte-swap the header fields about which we care. */
212 hdr.version_major = GUINT16_SWAP_LE_BE(hdr.version_major);
213 hdr.version_minor = GUINT16_SWAP_LE_BE(hdr.version_minor);
214 hdr.snaplen = GUINT32_SWAP_LE_BE(hdr.snaplen);
215 hdr.network = GUINT32_SWAP_LE_BE(hdr.network);
216 }
217 if (hdr.version_major < 2) {
218 /* We only support version 2.0 and later. */
219 *err = WTAP_ERR_UNSUPPORTED;
220 *err_info = g_strdup_printf("pcap: major version %u unsupported",
221 hdr.version_major);
222 return WTAP_OPEN_ERROR;
223 }
224
225 /*
226 * Link-layer header types are assigned for both pcap and
227 * pcapng, and the same value must work with both. In pcapng,
228 * the link-layer header type field in an Interface Description
229 * Block is 16 bits, so only the bottommost 16 bits of the
230 * link-layer header type in a pcap file can be used for the
231 * header type value.
232 *
233 * In libpcap, the upper 16 bits are divided into:
234 *
235 * A "class" field, to support non-standard link-layer
236 * header types; class 0 is for standard header types,
237 * class 0x224 was reserved for a NetBSD feature, and
238 * all other class values are reserved. That is in the
239 * lower 10 bits of the upper 16 bits.
240 *
241 * An "FCS length" field, to allow the FCS length to
242 * be specified, just as it can be specified in the
243 * if_fcslen field of the pcapng IDB. That is in the
244 * topmost 4 bits of the upper 16 bits. The field is
245 * in units of 16 bits, i.e. 1 means 16 bits of FCS,
246 * 2 means 32 bits of FCS, etc..
247 *
248 * An "FCS length present" flag; if 0, the "FCS length"
249 * field should be ignored, and if 1, the "FCS length"
250 * field should be used. That is in the bit just above
251 * the "class" field.
252 *
253 * The one remaining bit is reserved.
254 */
255
256 /*
257 * AIX's non-standard tcpdump uses a minor version number of 2.
258 * Unfortunately, older versions of libpcap might have used
259 * that as well.
260 *
261 * The AIX libpcap uses RFC 1573 ifType values rather than
262 * DLT_ values in the header; the ifType values for LAN devices
263 * are:
264 *
265 * Ethernet 6
266 * Token Ring 9
267 * FDDI 15
268 *
269 * which correspond to DLT_IEEE802 (used for Token Ring),
270 * DLT_PPP, and DLT_SLIP_BSDOS, respectively. The ifType value
271 * for a loopback interface is 24, which currently isn't
272 * used by any version of libpcap I know about (and, as
273 * tcpdump.org are assigning DLT_ values above 100, and
274 * NetBSD started assigning values starting at 50, and
275 * the values chosen by other libpcaps appear to stop at
276 * 19, it's probably not going to be used by any libpcap
277 * in the future).
278 *
279 * We shall assume that if the minor version number is 2, and
280 * the network type is 6, 9, 15, or 24, that it's AIX libpcap.
281 *
282 * I'm assuming those older versions of libpcap didn't
283 * use DLT_IEEE802 for Token Ring, and didn't use DLT_SLIP_BSDOS
284 * as that came later. It may have used DLT_PPP, however, in
285 * which case we're out of luck; we assume it's Token Ring
286 * in AIX libpcap rather than PPP in standard libpcap, as
287 * you're probably more likely to be handing an AIX libpcap
288 * token-ring capture than an old (pre-libpcap 0.4) PPP capture
289 * to Wireshark.
290 */
291 aix = FALSE; /* assume it's not AIX */
292 if (hdr.version_major == 2 && hdr.version_minor == 2) {
293 /*
294 * AIX pcap files didn't use the upper 16 bits,
295 * so we don't need to ignore them here - they'll
296 * be 0.
297 */
298 switch (hdr.network) {
299
300 case 6:
301 hdr.network = 1; /* DLT_EN10MB, Ethernet */
302 aix = TRUE;
303 break;
304
305 case 9:
306 hdr.network = 6; /* DLT_IEEE802, Token Ring */
307 aix = TRUE;
308 break;
309
310 case 15:
311 hdr.network = 10; /* DLT_FDDI, FDDI */
312 aix = TRUE;
313 break;
314
315 case 24:
316 hdr.network = 0; /* DLT_NULL, loopback */
317 aix = TRUE;
318 break;
319 }
320 }
321
322 /*
323 * Map the "network" field from the header to a Wiretap
324 * encapsulation. We ignore the FCS information and reserved
325 * bit; we include the "class" field, in case there's ever
326 * a need to implement it - currently, any link-layer header
327 * type with a non-zero class value will fail.
328 */
329 file_encap = wtap_pcap_encap_to_wtap_encap(hdr.network & 0x03FFFFFF);
330 if (file_encap == WTAP_ENCAP_UNKNOWN) {
331 *err = WTAP_ERR_UNSUPPORTED;
332 *err_info = g_strdup_printf("pcap: network type %u unknown or unsupported",
333 hdr.network);
334 return WTAP_OPEN_ERROR;
335 }
336
337 /* This is a libpcap file */
338 libpcap = g_new(libpcap_t, 1);
339 libpcap->byte_swapped = byte_swapped;
340 libpcap->version_major = hdr.version_major;
341 libpcap->version_minor = hdr.version_minor;
342 libpcap->encap_priv = NULL;
343 wth->priv = (void *)libpcap;
344 wth->subtype_read = libpcap_read;
345 wth->subtype_seek_read = libpcap_seek_read;
346 wth->subtype_close = libpcap_close;
347 wth->file_encap = file_encap;
348 wth->snapshot_length = hdr.snaplen;
349
350 /* In file format version 2.3, the order of the "incl_len" and
351 "orig_len" fields in the per-packet header was reversed,
352 in order to match the BPF header layout.
353
354 Therefore, in files with versions prior to that, we must swap
355 those two fields.
356
357 Unfortunately, some files were, according to a comment in the
358 "libpcap" source, written with version 2.3 in their headers
359 but without the interchanged fields, so if "incl_len" is
360 greater than "orig_len" - which would make no sense - we
361 assume that we need to swap them in version 2.3 files
362 as well.
363
364 In addition, DG/UX's tcpdump uses version 543.0, and writes
365 the two fields in the pre-2.3 order. */
366 switch (hdr.version_major) {
367
368 case 2:
369 if (hdr.version_minor < 3)
370 libpcap->lengths_swapped = SWAPPED;
371 else if (hdr.version_minor == 3)
372 libpcap->lengths_swapped = MAYBE_SWAPPED;
373 else
374 libpcap->lengths_swapped = NOT_SWAPPED;
375 break;
376
377 case 543:
378 libpcap->lengths_swapped = SWAPPED;
379 break;
380
381 default:
382 libpcap->lengths_swapped = NOT_SWAPPED;
383 break;
384 }
385
386 /*
387 * Is this AIX format?
388 */
389 if (aix) {
390 /*
391 * Yes. Skip all the tests for other mutant formats,
392 * and for the ERF link-layer header type, and set the
393 * precision to nanosecond precision.
394 */
395 libpcap->variant = PCAP_AIX;
396 wth->file_type_subtype = pcap_aix_file_type_subtype;
397 wth->file_tsprec = WTAP_TSPREC_NSEC;
398
399 /*
400 * Add an IDB; we don't know how many interfaces were
401 * involved, so we just say one interface, about which
402 * we only know the link-layer type, snapshot length,
403 * and time stamp resolution.
404 */
405 wtap_add_generated_idb(wth);
406
407 return WTAP_OPEN_MINE;
408 }
409
410 /*
411 * No. Let's look at the header for the first record,
412 * and see if, interpreting it as a standard header (if the
413 * magic number was standard) or a modified header (if the
414 * magic number was modified), the position where it says the
415 * header for the *second* record is contains a corrupted header.
416 *
417 * If so, then:
418 *
419 * If this file had the standard magic number, it may be
420 * an ss990417 capture file - in that version of Alexey's
421 * patch, the packet header format was changed but the
422 * magic number wasn't, and, alas, Red Hat appear to have
423 * picked up that version of the patch for RH 6.1, meaning
424 * RH 6.1 has a tcpdump that writes out files that can't
425 * be read by any software that expects non-modified headers
426 * if the magic number isn't the modified magic number (e.g.,
427 * any normal version of tcpdump, and Wireshark if we don't
428 * do this gross heuristic).
429 *
430 * If this file had the modified magic number, it may be
431 * an ss990915 capture file - in that version of Alexey's
432 * patch, the magic number was changed, but the record
433 * header had some extra fields, and, alas, SuSE appear
434 * to have picked up that version of the patch for SuSE
435 * 6.3, meaning that programs expecting the standard per-
436 * packet header in captures with the modified magic number
437 * can't read dumps from its tcpdump.
438 *
439 * Oh, and if it has the standard magic number, it might, instead,
440 * be a Nokia libpcap file, so we may need to try that if
441 * neither normal nor ss990417 headers work.
442 *
443 * But don't do that if the input is a pipe; that would mean the
444 * open won't complete until two packets have been written to
445 * the pipe, unless the pipe is closed after one packet has
446 * been written, so a program reading from the file won't see
447 * the first packet until the second packet has been written.
448 */
449 if (modified) {
450 /*
451 * Well, we have the magic number from Alexey's
452 * later two patches. Try the variants for that,
453 * and fail if we're reading from a pipe.
454 */
455 libpcap->variant = PCAP_UNKNOWN;
456 variants = variants_modified;
457 n_variants = N_VARIANTS_MODIFIED;
458 } else {
459 if (wth->file_tsprec == WTAP_TSPREC_NSEC) {
460 /*
461 * We have nanosecond-format libpcap's magic
462 * number. There's only one format with that
463 * magic number (if somebody comes up with
464 * another one, we'll just refuse to support
465 * it and tell them to ask The Tcpdump Group
466 * for another magic number).
467 */
468 libpcap->variant = PCAP_NSEC;
469 variants = NULL;
470 n_variants = 0;
471 } else {
472 /*
473 * We have the regular libpcap magic number.
474 * Try the variants for that, unless we're
475 * reading from a pipe, in which case we
476 * just assume it's a regular libpcap file.
477 */
478 libpcap->variant = PCAP;
479 variants = variants_standard;
480 n_variants = N_VARIANTS_STANDARD;
481 }
482 }
483
484 /*
485 * Do we have any variants to try?
486 */
487 if (n_variants == 0) {
488 /*
489 * No, so just use what we picked.
490 */
491 goto done;
492 } else if (wth->ispipe) {
493 /*
494 * It's a pipe, so use what we picked, unless we picked
495 * PCAP_UNKNOWN, in which case we fail.
496 */
497 if (libpcap->variant == PCAP_UNKNOWN) {;
498 *err = WTAP_ERR_UNSUPPORTED;
499 *err_info = g_strdup("pcap: that type of pcap file can't be read from a pipe");
500 return WTAP_OPEN_ERROR;
501 }
502 goto done;
503 } else {
504 first_packet_offset = file_tell(wth->fh);
505 for (i = 0; i < n_variants; i++) {
506 libpcap->variant = variants[i];
507 figures_of_merit[i] = libpcap_try(wth, err, err_info);
508 if (figures_of_merit[i] == -1) {
509 /*
510 * Well, we couldn't even read it.
511 * Give up.
512 */
513 return WTAP_OPEN_ERROR;
514 }
515 if (figures_of_merit[i] == 0) {
516 /*
517 * This format doesn't have any issues.
518 * Put the seek pointer back, and finish,
519 * using that format as the subtype.
520 */
521 if (file_seek(wth->fh, first_packet_offset,
522 SEEK_SET, err) == -1) {
523 return WTAP_OPEN_ERROR;
524 }
525 goto done;
526 }
527
528 /*
529 * OK, we've recorded the figure of merit for this
530 * one; go back to the first packet and try the
531 * next one.
532 */
533 if (file_seek(wth->fh, first_packet_offset, SEEK_SET,
534 err) == -1) {
535 return WTAP_OPEN_ERROR;
536 }
537 }
538
539 /*
540 * OK, none are perfect; let's see which one is least bad.
541 */
542 best_variant = INT_MAX;
543 for (i = 0; i < n_variants; i++) {
544 /*
545 * Is this subtype better than the last one we saw?
546 */
547 if (figures_of_merit[i] < best_variant) {
548 /*
549 * Yes. Choose it until we find a better one.
550 */
551 libpcap->variant = variants[i];
552 best_variant = figures_of_merit[i];
553 }
554 }
555 }
556
557 done:
558 /*
559 * Set the file type and subtype.
560 */
561 switch (libpcap->variant) {
562
563 case PCAP:
564 wth->file_type_subtype = pcap_file_type_subtype;
565 break;
566
567 case PCAP_NSEC:
568 wth->file_type_subtype = pcap_nsec_file_type_subtype;
569 break;
570
571 case PCAP_SS990417:
572 wth->file_type_subtype = pcap_ss990417_file_type_subtype;
573 break;
574
575 case PCAP_SS990915:
576 wth->file_type_subtype = pcap_ss990915_file_type_subtype;
577 break;
578
579 case PCAP_SS991029:
580 wth->file_type_subtype = pcap_ss991029_file_type_subtype;
581 break;
582
583 case PCAP_NOKIA:
584 wth->file_type_subtype = pcap_nokia_file_type_subtype;
585 break;
586
587 default:
588 ws_assert_not_reached();
589 }
590
591 /*
592 * We treat a DLT_ value of 13 specially - it appears that in
593 * Nokia libpcap format, it's some form of ATM with what I
594 * suspect is a pseudo-header (even though Nokia's IPSO is
595 * based on FreeBSD, which #defines DLT_SLIP_BSDOS as 13).
596 *
597 * If this is a Nokia capture, treat 13 as WTAP_ENCAP_ATM_PDUS,
598 * rather than as what we normally treat it.
599 */
600 if (libpcap->variant == PCAP_NOKIA && hdr.network == 13)
601 wth->file_encap = WTAP_ENCAP_ATM_PDUS;
602
603 if (wth->file_encap == WTAP_ENCAP_ERF) {
604 /*Reset the ERF interface lookup table*/
605 libpcap->encap_priv = erf_priv_create();
606 } else {
607 /*
608 * Add an IDB; we don't know how many interfaces were
609 * involved, so we just say one interface, about which
610 * we only know the link-layer type, snapshot length,
611 * and time stamp resolution.
612 */
613 wtap_add_generated_idb(wth);
614 }
615
616 return WTAP_OPEN_MINE;
617 }
618
619 /*
620 * Maximum number of records to try to read. Must be >= 2.
621 */
622 #define MAX_RECORDS_TO_TRY 3
623
624 /* Try to read the first MAX_RECORDS_TO_TRY records of the capture file. */
libpcap_try(wtap * wth,int * err,gchar ** err_info)625 static int libpcap_try(wtap *wth, int *err, gchar **err_info)
626 {
627 int ret;
628 int i;
629
630 /*
631 * Attempt to read the first record.
632 */
633 ret = libpcap_try_record(wth, wth->fh, err, err_info);
634 if (ret != 0) {
635 /*
636 * Error or mismatch; return the error indication or
637 * the figure of merit (demerit?).
638 */
639 return ret;
640 }
641
642 /*
643 * Now attempt to read the next MAX_RECORDS_TO_TRY-1 records.
644 * Get the maximum figure of (de?)merit, as that represents the
645 * figure of merit for the record that had the most problems.
646 */
647 for (i = 1; i < MAX_RECORDS_TO_TRY; i++) {
648 /*
649 * Attempt to read this record.
650 */
651 ret = libpcap_try_record(wth, wth->fh, err, err_info);
652 if (ret != 0) {
653 /*
654 * Error or mismatch; return the error indication or
655 * the figure of merit (demerit?).
656 */
657 return ret;
658 }
659 }
660
661 /* They all succeeded. */
662 return 0;
663 }
664
665 /* Read the header of the next packet and, if that succeeds, read the
666 data of the next packet.
667
668 Return -1 on an I/O error, 0 on success, or a positive number if the
669 header looks corrupt. The higher the positive number, the more things
670 are wrong with the header; this is used by the heuristics that try to
671 guess what type of file it is, with the type with the fewest problems
672 being chosen. */
libpcap_try_record(wtap * wth,FILE_T fh,int * err,gchar ** err_info)673 static int libpcap_try_record(wtap *wth, FILE_T fh, int *err, gchar **err_info)
674 {
675 libpcap_t *libpcap = (libpcap_t *)wth->priv;
676
677 /*
678 * pcaprec_ss990915_hdr is the largest header type.
679 */
680 struct pcaprec_ss990915_hdr rec_hdr;
681 int ret;
682
683 if (!libpcap_read_header(wth, fh, err, err_info, &rec_hdr)) {
684 if (*err == 0) {
685 /*
686 * EOF - assume the file is in this format.
687 * This means it doesn't have all the
688 * records we're trying to read.
689 */
690 return 0;
691 }
692 if (*err == WTAP_ERR_SHORT_READ) {
693 /*
694 * Short read; this might be a corrupt
695 * file in this format or might not be
696 * in this format. Return a figure of
697 * merit of 1.
698 */
699 return 1;
700 }
701 /* Hard error. */
702 return -1;
703 }
704
705 ret = 0; /* start out presuming everything's OK */
706 switch (libpcap->variant) {
707 case PCAP_NSEC:
708 case PCAP_AIX:
709 /*
710 * Nanosecond resolution; treat fractions-of-a-second
711 * values >= 1 000 000 000 as an indication that
712 * the header format might not be what we think it is.
713 */
714 if (rec_hdr.hdr.ts_usec >= 1000000000)
715 ret++;
716 break;
717
718 default:
719 /*
720 * Microsecond resolution; treat fractions-of-a-second
721 * values >= 1 000 000 as an indication that the header
722 * format might not be what we think it is.
723 */
724 if (rec_hdr.hdr.ts_usec >= 1000000)
725 ret++;
726 break;
727 }
728 if (rec_hdr.hdr.incl_len > wtap_max_snaplen_for_encap(wth->file_encap)) {
729 /*
730 * Probably either a corrupt capture file or a file
731 * of a type different from the one we're trying.
732 */
733 ret++;
734 }
735
736 if (rec_hdr.hdr.orig_len > 128*1024*1024) {
737 /*
738 * In theory I guess the on-the-wire packet size can be
739 * arbitrarily large, and it can certainly be larger than the
740 * maximum snapshot length which bounds the snapshot size,
741 * but any file claiming 128MB in a single packet is *probably*
742 * corrupt, and treating them as such makes the heuristics
743 * much more reliable. See, for example,
744 *
745 * https://gitlab.com/wireshark/wireshark/-/issues/9634
746 *
747 * (128MB is an arbitrary size at this point, chosen to be
748 * large enough for the largest D-Bus packet).
749 */
750 ret++;
751 }
752
753 if (rec_hdr.hdr.incl_len > wth->snapshot_length) {
754 /*
755 * This is not a fatal error, and packets that have one
756 * such packet probably have thousands. For discussion,
757 * see
758 * https://www.wireshark.org/lists/wireshark-dev/201307/msg00076.html
759 * and related messages.
760 *
761 * The packet contents will be copied to a Buffer, which
762 * expands as necessary to hold the contents; we don't have
763 * to worry about fixed-length buffers allocated based on
764 * the original snapshot length.
765 *
766 * We just treat this as an indication that we might be
767 * trying the wrong file type here.
768 */
769 ret++;
770 }
771
772 if (rec_hdr.hdr.incl_len > rec_hdr.hdr.orig_len) {
773 /*
774 * Another hint that this might be the wrong file type.
775 */
776 ret++;
777 }
778
779 if (ret != 0) {
780 /*
781 * Might be the wrong file type; stop trying, and give
782 * this as the figure of merit for this file type.
783 */
784 return ret;
785 }
786
787 /*
788 * Now skip over the record's data, under the assumption that
789 * the header is sane.
790 */
791 if (!wtap_read_bytes(wth->fh, NULL, rec_hdr.hdr.incl_len, err,
792 err_info)) {
793 if (*err == WTAP_ERR_SHORT_READ) {
794 /*
795 * Short read - treat that as a suggestion that
796 * the header isn't sane, and return a figure of
797 * merit value of 1.
798 */
799 return 1;
800 }
801 /* Hard error. */
802 return -1;
803 }
804
805 /* Success. */
806 return 0;
807 }
808
809 /* Read the next packet */
libpcap_read(wtap * wth,wtap_rec * rec,Buffer * buf,int * err,gchar ** err_info,gint64 * data_offset)810 static gboolean libpcap_read(wtap *wth, wtap_rec *rec, Buffer *buf,
811 int *err, gchar **err_info, gint64 *data_offset)
812 {
813 *data_offset = file_tell(wth->fh);
814
815 return libpcap_read_packet(wth, wth->fh, rec, buf, err, err_info);
816 }
817
818 static gboolean
libpcap_seek_read(wtap * wth,gint64 seek_off,wtap_rec * rec,Buffer * buf,int * err,gchar ** err_info)819 libpcap_seek_read(wtap *wth, gint64 seek_off, wtap_rec *rec,
820 Buffer *buf, int *err, gchar **err_info)
821 {
822 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
823 return FALSE;
824
825 if (!libpcap_read_packet(wth, wth->random_fh, rec, buf, err,
826 err_info)) {
827 if (*err == 0)
828 *err = WTAP_ERR_SHORT_READ;
829 return FALSE;
830 }
831 return TRUE;
832 }
833
834 static gboolean
libpcap_read_packet(wtap * wth,FILE_T fh,wtap_rec * rec,Buffer * buf,int * err,gchar ** err_info)835 libpcap_read_packet(wtap *wth, FILE_T fh, wtap_rec *rec,
836 Buffer *buf, int *err, gchar **err_info)
837 {
838 struct pcaprec_ss990915_hdr hdr;
839 guint packet_size;
840 guint orig_size;
841 int phdr_len;
842 libpcap_t *libpcap = (libpcap_t *)wth->priv;
843 gboolean is_nokia;
844
845 if (!libpcap_read_header(wth, fh, err, err_info, &hdr))
846 return FALSE;
847
848 if (hdr.hdr.incl_len > wtap_max_snaplen_for_encap(wth->file_encap)) {
849 /*
850 * Probably a corrupt capture file; return an error,
851 * so that our caller doesn't blow up trying to allocate
852 * space for an immensely-large packet.
853 */
854 *err = WTAP_ERR_BAD_FILE;
855 if (err_info != NULL) {
856 *err_info = g_strdup_printf("pcap: File has %u-byte packet, bigger than maximum of %u",
857 hdr.hdr.incl_len,
858 wtap_max_snaplen_for_encap(wth->file_encap));
859 }
860 return FALSE;
861 }
862
863 packet_size = hdr.hdr.incl_len;
864 orig_size = hdr.hdr.orig_len;
865
866 /*
867 * AIX appears to put 3 bytes of padding in front of FDDI
868 * frames; strip that crap off.
869 */
870 if (libpcap->variant == PCAP_AIX &&
871 (wth->file_encap == WTAP_ENCAP_FDDI ||
872 wth->file_encap == WTAP_ENCAP_FDDI_BITSWAPPED)) {
873 /*
874 * The packet size is really a record size and includes
875 * the padding.
876 */
877 packet_size -= 3;
878 orig_size -= 3;
879
880 /*
881 * Skip the padding.
882 */
883 if (!wtap_read_bytes(fh, NULL, 3, err, err_info))
884 return FALSE;
885 }
886
887 is_nokia = (libpcap->variant == PCAP_NOKIA);
888 phdr_len = pcap_process_pseudo_header(fh, is_nokia,
889 wth->file_encap, packet_size, rec, err, err_info);
890 if (phdr_len < 0)
891 return FALSE; /* error */
892
893 /*
894 * Don't count any pseudo-header as part of the packet.
895 */
896 orig_size -= phdr_len;
897 packet_size -= phdr_len;
898
899 rec->rec_type = REC_TYPE_PACKET;
900 rec->block = wtap_block_create(WTAP_BLOCK_PACKET);
901 rec->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
902
903 /* Update the timestamp, if not already done */
904 if (wth->file_encap != WTAP_ENCAP_ERF) {
905 rec->ts.secs = hdr.hdr.ts_sec;
906 if (wth->file_tsprec == WTAP_TSPREC_NSEC)
907 rec->ts.nsecs = hdr.hdr.ts_usec;
908 else
909 rec->ts.nsecs = hdr.hdr.ts_usec * 1000;
910 } else {
911 int interface_id;
912 /* Set interface ID for ERF format */
913 rec->presence_flags |= WTAP_HAS_INTERFACE_ID;
914 if ((interface_id = erf_populate_interface_from_header((erf_t*) libpcap->encap_priv, wth, &rec->rec_header.packet_header.pseudo_header, err, err_info)) < 0)
915 return FALSE;
916
917 rec->rec_header.packet_header.interface_id = (guint) interface_id;
918 }
919 rec->rec_header.packet_header.caplen = packet_size;
920 rec->rec_header.packet_header.len = orig_size;
921
922 /*
923 * Read the packet data.
924 */
925 if (!wtap_read_packet_bytes(fh, buf, packet_size, err, err_info))
926 return FALSE; /* failed */
927
928 pcap_read_post_process(is_nokia, wth->file_encap, rec,
929 ws_buffer_start_ptr(buf), libpcap->byte_swapped, -1);
930 return TRUE;
931 }
932
933 /* Read the header of the next packet.
934
935 Return FALSE on an error, TRUE on success. */
libpcap_read_header(wtap * wth,FILE_T fh,int * err,gchar ** err_info,struct pcaprec_ss990915_hdr * hdr)936 static int libpcap_read_header(wtap *wth, FILE_T fh, int *err, gchar **err_info,
937 struct pcaprec_ss990915_hdr *hdr)
938 {
939 int bytes_to_read;
940 guint32 temp;
941 libpcap_t *libpcap = (libpcap_t *)wth->priv;
942
943 switch (libpcap->variant) {
944
945 case PCAP:
946 case PCAP_AIX:
947 case PCAP_NSEC:
948 bytes_to_read = sizeof (struct pcaprec_hdr);
949 break;
950
951 case PCAP_SS990417:
952 case PCAP_SS991029:
953 bytes_to_read = sizeof (struct pcaprec_modified_hdr);
954 break;
955
956 case PCAP_SS990915:
957 bytes_to_read = sizeof (struct pcaprec_ss990915_hdr);
958 break;
959
960 case PCAP_NOKIA:
961 bytes_to_read = sizeof (struct pcaprec_nokia_hdr);
962 break;
963
964 default:
965 ws_assert_not_reached();
966 bytes_to_read = 0;
967 }
968 if (!wtap_read_bytes_or_eof(fh, hdr, bytes_to_read, err, err_info))
969 return FALSE;
970
971 if (libpcap->byte_swapped) {
972 /* Byte-swap the record header fields. */
973 hdr->hdr.ts_sec = GUINT32_SWAP_LE_BE(hdr->hdr.ts_sec);
974 hdr->hdr.ts_usec = GUINT32_SWAP_LE_BE(hdr->hdr.ts_usec);
975 hdr->hdr.incl_len = GUINT32_SWAP_LE_BE(hdr->hdr.incl_len);
976 hdr->hdr.orig_len = GUINT32_SWAP_LE_BE(hdr->hdr.orig_len);
977 }
978
979 /* Swap the "incl_len" and "orig_len" fields, if necessary. */
980 switch (libpcap->lengths_swapped) {
981
982 case NOT_SWAPPED:
983 break;
984
985 case MAYBE_SWAPPED:
986 if (hdr->hdr.incl_len <= hdr->hdr.orig_len) {
987 /*
988 * The captured length is <= the actual length,
989 * so presumably they weren't swapped.
990 */
991 break;
992 }
993 /* FALLTHROUGH */
994
995 case SWAPPED:
996 temp = hdr->hdr.orig_len;
997 hdr->hdr.orig_len = hdr->hdr.incl_len;
998 hdr->hdr.incl_len = temp;
999 break;
1000 }
1001
1002 return TRUE;
1003 }
1004
1005 typedef struct {
1006 pcap_variant_t variant;
1007 } libpcap_dump_t;
1008
1009 /* Returns 0 if we could write the specified encapsulation type,
1010 an error indication otherwise. */
libpcap_dump_can_write_encap(int encap)1011 static int libpcap_dump_can_write_encap(int encap)
1012 {
1013 /* Per-packet encapsulations aren't supported. */
1014 if (encap == WTAP_ENCAP_PER_PACKET)
1015 return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
1016
1017 if (wtap_wtap_encap_to_pcap_encap(encap) == -1)
1018 return WTAP_ERR_UNWRITABLE_ENCAP;
1019
1020 return 0;
1021 }
1022
libpcap_dump_write_file_header(wtap_dumper * wdh,guint32 magic,int * err)1023 static gboolean libpcap_dump_write_file_header(wtap_dumper *wdh, guint32 magic,
1024 int *err)
1025 {
1026 struct pcap_hdr file_hdr;
1027
1028 if (!wtap_dump_file_write(wdh, &magic, sizeof magic, err))
1029 return FALSE;
1030 wdh->bytes_dumped += sizeof magic;
1031
1032 /* current "libpcap" format is 2.4 */
1033 file_hdr.version_major = 2;
1034 file_hdr.version_minor = 4;
1035 file_hdr.thiszone = 0; /* XXX - current offset? */
1036 file_hdr.sigfigs = 0; /* unknown, but also apparently unused */
1037 /*
1038 * Tcpdump cannot handle capture files with a snapshot length of 0,
1039 * as BPF filters return either 0 if they fail or the snapshot length
1040 * if they succeed, and a snapshot length of 0 means success is
1041 * indistinguishable from failure and the filter expression would
1042 * reject all packets.
1043 *
1044 * A snapshot length of 0, inside Wiretap, means "snapshot length
1045 * unknown"; if the snapshot length supplied to us is 0, we make
1046 * the snapshot length in the header file the maximum for the
1047 * link-layer type we'll be writing.
1048 */
1049 file_hdr.snaplen = (wdh->snaplen != 0) ? (guint)wdh->snaplen :
1050 wtap_max_snaplen_for_encap(wdh->encap);
1051 file_hdr.network = wtap_wtap_encap_to_pcap_encap(wdh->encap);
1052 if (!wtap_dump_file_write(wdh, &file_hdr, sizeof file_hdr, err))
1053 return FALSE;
1054 wdh->bytes_dumped += sizeof file_hdr;
1055
1056 return TRUE;
1057 }
1058
1059 /* Good old fashioned pcap.
1060 Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
1061 failure */
1062 static gboolean
libpcap_dump_open_pcap(wtap_dumper * wdh,int * err,gchar ** err_info _U_)1063 libpcap_dump_open_pcap(wtap_dumper *wdh, int *err, gchar **err_info _U_)
1064 {
1065 /* This is a libpcap file */
1066 wdh->subtype_write = libpcap_dump_pcap;
1067
1068 /* Write the file header. */
1069 return libpcap_dump_write_file_header(wdh, PCAP_MAGIC, err);
1070 }
1071
1072 /* Like classic pcap, but with nanosecond resolution.
1073 Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
1074 failure */
1075 static gboolean
libpcap_dump_open_pcap_nsec(wtap_dumper * wdh,int * err,gchar ** err_info _U_)1076 libpcap_dump_open_pcap_nsec(wtap_dumper *wdh, int *err, gchar **err_info _U_)
1077 {
1078 /* This is a nanosecond-resolution libpcap file */
1079 wdh->subtype_write = libpcap_dump_pcap_nsec;
1080
1081 /* Write the file header. */
1082 return libpcap_dump_write_file_header(wdh, PCAP_NSEC_MAGIC, err);
1083 }
1084
1085 /* Modified, but with the old magic, sigh.
1086 Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
1087 failure */
1088 static gboolean
libpcap_dump_open_pcap_ss990417(wtap_dumper * wdh,int * err,gchar ** err_info _U_)1089 libpcap_dump_open_pcap_ss990417(wtap_dumper *wdh, int *err,
1090 gchar **err_info _U_)
1091 {
1092 /* This is a modified-by-patch-SS990417 libpcap file */
1093 wdh->subtype_write = libpcap_dump_pcap_ss990417;
1094
1095 /* Write the file header. */
1096 return libpcap_dump_write_file_header(wdh, PCAP_MAGIC, err);
1097 }
1098
1099 /* New magic, extra crap.
1100 Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
1101 failure */
1102 static gboolean
libpcap_dump_open_pcap_ss990915(wtap_dumper * wdh,int * err,gchar ** err_info _U_)1103 libpcap_dump_open_pcap_ss990915(wtap_dumper *wdh, int *err,
1104 gchar **err_info _U_)
1105 {
1106 /* This is a modified-by-patch-SS990915 libpcap file */
1107 wdh->subtype_write = libpcap_dump_pcap_ss990915;
1108
1109 /* Write the file header. */
1110 return libpcap_dump_write_file_header(wdh, PCAP_MODIFIED_MAGIC, err);
1111 }
1112
1113 /* Same magic as SS990915, *different* extra crap, sigh.
1114 Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
1115 failure */
1116 static gboolean
libpcap_dump_open_pcap_ss991029(wtap_dumper * wdh,int * err,gchar ** err_info _U_)1117 libpcap_dump_open_pcap_ss991029(wtap_dumper *wdh, int *err,
1118 gchar **err_info _U_)
1119 {
1120 /* This is a modified-by-patch-SS991029 libpcap file */
1121 wdh->subtype_write = libpcap_dump_pcap_ss991029;
1122
1123 /* Write the file header. */
1124 return libpcap_dump_write_file_header(wdh, PCAP_MODIFIED_MAGIC, err);
1125 }
1126
libpcap_close(wtap * wth)1127 static void libpcap_close(wtap *wth)
1128 {
1129 libpcap_t *libpcap = (libpcap_t *)wth->priv;
1130
1131 if (libpcap->encap_priv) {
1132 switch (wth->file_encap) {
1133
1134 case WTAP_ENCAP_ERF:
1135 erf_priv_free((erf_t*) libpcap->encap_priv);
1136 break;
1137
1138 default:
1139 g_free(libpcap->encap_priv);
1140 break;
1141 }
1142 }
1143 }
1144
1145 /* Nokia libpcap of some sort.
1146 Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
1147 failure */
1148 static gboolean
libpcap_dump_open_pcap_nokia(wtap_dumper * wdh,int * err,gchar ** err_info _U_)1149 libpcap_dump_open_pcap_nokia(wtap_dumper *wdh, int *err, gchar **err_info _U_)
1150 {
1151 /* This is a Nokia libpcap file */
1152 wdh->subtype_write = libpcap_dump_pcap_nokia;
1153
1154 /* Write the file header. */
1155 return libpcap_dump_write_file_header(wdh, PCAP_MAGIC, err);
1156 }
1157
1158 static gboolean
libpcap_dump_write_packet(wtap_dumper * wdh,const wtap_rec * rec,struct pcaprec_hdr * hdr,size_t hdr_size,const guint8 * pd,int * err)1159 libpcap_dump_write_packet(wtap_dumper *wdh, const wtap_rec *rec,
1160 struct pcaprec_hdr *hdr, size_t hdr_size, const guint8 *pd, int *err)
1161 {
1162 const union wtap_pseudo_header *pseudo_header = &rec->rec_header.packet_header.pseudo_header;
1163 int phdrsize;
1164
1165 phdrsize = pcap_get_phdr_size(wdh->encap, pseudo_header);
1166
1167 /* We can only write packet records. */
1168 if (rec->rec_type != REC_TYPE_PACKET) {
1169 *err = WTAP_ERR_UNWRITABLE_REC_TYPE;
1170 return FALSE;
1171 }
1172
1173 /*
1174 * Make sure this packet doesn't have a link-layer type that
1175 * differs from the one for the file.
1176 */
1177 if (wdh->encap != rec->rec_header.packet_header.pkt_encap) {
1178 *err = WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
1179 return FALSE;
1180 }
1181
1182 /*
1183 * Don't write anything we're not willing to read.
1184 * (The cast is to prevent an overflow.)
1185 */
1186 if ((guint64)rec->rec_header.packet_header.caplen + phdrsize > wtap_max_snaplen_for_encap(wdh->encap)) {
1187 *err = WTAP_ERR_PACKET_TOO_LARGE;
1188 return FALSE;
1189 }
1190
1191 hdr->incl_len = rec->rec_header.packet_header.caplen + phdrsize;
1192 hdr->orig_len = rec->rec_header.packet_header.len + phdrsize;
1193
1194 if (!wtap_dump_file_write(wdh, hdr, hdr_size, err))
1195 return FALSE;
1196 wdh->bytes_dumped += hdr_size;
1197
1198 if (!pcap_write_phdr(wdh, wdh->encap, pseudo_header, err))
1199 return FALSE;
1200
1201 if (!wtap_dump_file_write(wdh, pd, rec->rec_header.packet_header.caplen, err))
1202 return FALSE;
1203 wdh->bytes_dumped += rec->rec_header.packet_header.caplen;
1204 return TRUE;
1205 }
1206
1207 /* Good old fashioned pcap.
1208 Write a record for a packet to a dump file.
1209 Returns TRUE on success, FALSE on failure. */
1210 static gboolean
libpcap_dump_pcap(wtap_dumper * wdh,const wtap_rec * rec,const guint8 * pd,int * err,gchar ** err_info _U_)1211 libpcap_dump_pcap(wtap_dumper *wdh, const wtap_rec *rec, const guint8 *pd,
1212 int *err, gchar **err_info _U_)
1213 {
1214 struct pcaprec_hdr rec_hdr;
1215
1216 rec_hdr.ts_sec = (guint32) rec->ts.secs;
1217 rec_hdr.ts_usec = rec->ts.nsecs / 1000;
1218 return libpcap_dump_write_packet(wdh, rec, &rec_hdr, sizeof rec_hdr,
1219 pd, err);
1220 }
1221
1222 /* Like classic pcap, but with nanosecond resolution.
1223 Write a record for a packet to a dump file.
1224 Returns TRUE on success, FALSE on failure. */
1225 static gboolean
libpcap_dump_pcap_nsec(wtap_dumper * wdh,const wtap_rec * rec,const guint8 * pd,int * err,gchar ** err_info _U_)1226 libpcap_dump_pcap_nsec(wtap_dumper *wdh, const wtap_rec *rec, const guint8 *pd,
1227 int *err, gchar **err_info _U_)
1228 {
1229 struct pcaprec_hdr rec_hdr;
1230
1231 rec_hdr.ts_sec = (guint32) rec->ts.secs;
1232 rec_hdr.ts_usec = rec->ts.nsecs;
1233 return libpcap_dump_write_packet(wdh, rec, &rec_hdr, sizeof rec_hdr,
1234 pd, err);
1235 }
1236
1237 /* Modified, but with the old magic, sigh.
1238 Write a record for a packet to a dump file.
1239 Returns TRUE on success, FALSE on failure. */
1240 static gboolean
libpcap_dump_pcap_ss990417(wtap_dumper * wdh,const wtap_rec * rec,const guint8 * pd,int * err,gchar ** err_info _U_)1241 libpcap_dump_pcap_ss990417(wtap_dumper *wdh, const wtap_rec *rec,
1242 const guint8 *pd, int *err, gchar **err_info _U_)
1243 {
1244 struct pcaprec_modified_hdr rec_hdr;
1245
1246 rec_hdr.hdr.ts_sec = (guint32) rec->ts.secs;
1247 rec_hdr.hdr.ts_usec = rec->ts.nsecs / 1000;
1248 /* XXX - what should we supply here?
1249
1250 Alexey's "libpcap" looks up the interface in the system's
1251 interface list if "ifindex" is non-zero, and prints
1252 the interface name. It ignores "protocol", and uses
1253 "pkt_type" to tag the packet as "host", "broadcast",
1254 "multicast", "other host", "outgoing", or "none of the
1255 above", but that's it.
1256
1257 If the capture we're writing isn't a modified or
1258 RH 6.1 capture, we'd have to do some work to
1259 generate the packet type and interface index - and
1260 we can't generate the interface index unless we
1261 just did the capture ourselves in any case.
1262
1263 I'm inclined to continue to punt; systems other than
1264 those with the older patch can read standard "libpcap"
1265 files, and systems with the older patch, e.g. RH 6.1,
1266 will just have to live with this. */
1267 rec_hdr.ifindex = 0;
1268 rec_hdr.protocol = 0;
1269 rec_hdr.pkt_type = 0;
1270 return libpcap_dump_write_packet(wdh, rec, &rec_hdr.hdr, sizeof rec_hdr,
1271 pd, err);
1272 }
1273
1274 /* New magic, extra crap.
1275 Write a record for a packet to a dump file.
1276 Returns TRUE on success, FALSE on failure. */
1277 static gboolean
libpcap_dump_pcap_ss990915(wtap_dumper * wdh,const wtap_rec * rec,const guint8 * pd,int * err,gchar ** err_info _U_)1278 libpcap_dump_pcap_ss990915(wtap_dumper *wdh, const wtap_rec *rec,
1279 const guint8 *pd, int *err, gchar **err_info _U_)
1280 {
1281 struct pcaprec_ss990915_hdr rec_hdr;
1282
1283 rec_hdr.hdr.ts_sec = (guint32) rec->ts.secs;
1284 rec_hdr.hdr.ts_usec = rec->ts.nsecs / 1000;
1285 rec_hdr.ifindex = 0;
1286 rec_hdr.protocol = 0;
1287 rec_hdr.pkt_type = 0;
1288 rec_hdr.cpu1 = 0;
1289 rec_hdr.cpu2 = 0;
1290 return libpcap_dump_write_packet(wdh, rec, &rec_hdr.hdr, sizeof rec_hdr,
1291 pd, err);
1292 }
1293
1294 /* Same magic as SS990915, *different* extra crap, sigh.
1295 Write a record for a packet to a dump file.
1296 Returns TRUE on success, FALSE on failure. */
1297 static gboolean
libpcap_dump_pcap_ss991029(wtap_dumper * wdh,const wtap_rec * rec,const guint8 * pd,int * err,gchar ** err_info _U_)1298 libpcap_dump_pcap_ss991029(wtap_dumper *wdh, const wtap_rec *rec,
1299 const guint8 *pd, int *err, gchar **err_info _U_)
1300 {
1301 struct pcaprec_modified_hdr rec_hdr;
1302
1303 rec_hdr.hdr.ts_sec = (guint32) rec->ts.secs;
1304 rec_hdr.hdr.ts_usec = rec->ts.nsecs / 1000;
1305 /* XXX - what should we supply here?
1306
1307 Alexey's "libpcap" looks up the interface in the system's
1308 interface list if "ifindex" is non-zero, and prints
1309 the interface name. It ignores "protocol", and uses
1310 "pkt_type" to tag the packet as "host", "broadcast",
1311 "multicast", "other host", "outgoing", or "none of the
1312 above", but that's it.
1313
1314 If the capture we're writing isn't a modified or
1315 RH 6.1 capture, we'd have to do some work to
1316 generate the packet type and interface index - and
1317 we can't generate the interface index unless we
1318 just did the capture ourselves in any case.
1319
1320 I'm inclined to continue to punt; systems other than
1321 those with the older patch can read standard "libpcap"
1322 files, and systems with the older patch, e.g. RH 6.1,
1323 will just have to live with this. */
1324 rec_hdr.ifindex = 0;
1325 rec_hdr.protocol = 0;
1326 rec_hdr.pkt_type = 0;
1327 return libpcap_dump_write_packet(wdh, rec, &rec_hdr.hdr, sizeof rec_hdr,
1328 pd, err);
1329 }
1330
1331 /* Nokia libpcap of some sort.
1332 Write a record for a packet to a dump file.
1333 Returns TRUE on success, FALSE on failure. */
1334 static gboolean
libpcap_dump_pcap_nokia(wtap_dumper * wdh,const wtap_rec * rec,const guint8 * pd,int * err,gchar ** err_info _U_)1335 libpcap_dump_pcap_nokia(wtap_dumper *wdh, const wtap_rec *rec,
1336 const guint8 *pd, int *err, gchar **err_info _U_)
1337 {
1338 struct pcaprec_nokia_hdr rec_hdr;
1339 const union wtap_pseudo_header *pseudo_header = &rec->rec_header.packet_header.pseudo_header;
1340
1341 rec_hdr.hdr.ts_sec = (guint32) rec->ts.secs;
1342 rec_hdr.hdr.ts_usec = rec->ts.nsecs / 1000;
1343 /* restore the "mysterious stuff" that came with the packet */
1344 memcpy(rec_hdr.stuff, pseudo_header->nokia.stuff, 4);
1345 return libpcap_dump_write_packet(wdh, rec, &rec_hdr.hdr, sizeof rec_hdr,
1346 pd, err);
1347 }
1348
1349 static const struct supported_block_type pcap_blocks_supported[] = {
1350 /*
1351 * We support packet blocks, with no comments or other options.
1352 */
1353 { WTAP_BLOCK_PACKET, MULTIPLE_BLOCKS_SUPPORTED, NO_OPTIONS_SUPPORTED }
1354 };
1355
1356 static const struct file_type_subtype_info pcap_info = {
1357 /* Gianluca Varenni suggests that we add "deprecated" to the description. */
1358 "Wireshark/tcpdump/... - pcap", "pcap", "pcap", "cap;dmp",
1359 FALSE, BLOCKS_SUPPORTED(pcap_blocks_supported),
1360 libpcap_dump_can_write_encap, libpcap_dump_open_pcap, NULL
1361 };
1362
1363 static const struct file_type_subtype_info pcap_nsec_info = {
1364 "Wireshark/tcpdump/... - nanosecond pcap", "nsecpcap", "pcap", "cap;dmp",
1365 FALSE, BLOCKS_SUPPORTED(pcap_blocks_supported),
1366 libpcap_dump_can_write_encap, libpcap_dump_open_pcap_nsec, NULL
1367 };
1368
1369 static const struct file_type_subtype_info pcap_aix_info = {
1370 "AIX tcpdump - pcap", "aixpcap", "pcap", "cap;dmp",
1371 FALSE, BLOCKS_SUPPORTED(pcap_blocks_supported),
1372 NULL, NULL, NULL
1373 };
1374
1375 static const struct file_type_subtype_info pcap_ss990417_info = {
1376 "RedHat 6.1 tcpdump - pcap", "rh6_1pcap", "pcap", "cap;dmp",
1377 FALSE, BLOCKS_SUPPORTED(pcap_blocks_supported),
1378 libpcap_dump_can_write_encap, libpcap_dump_open_pcap_ss990417, NULL
1379 };
1380
1381 static const struct file_type_subtype_info pcap_ss990915_info = {
1382 "SuSE 6.3 tcpdump - pcap", "suse6_3pcap", "pcap", "cap;dmp",
1383 FALSE, BLOCKS_SUPPORTED(pcap_blocks_supported),
1384 libpcap_dump_can_write_encap, libpcap_dump_open_pcap_ss990915, NULL
1385 };
1386
1387 static const struct file_type_subtype_info pcap_ss991029_info = {
1388 "Modified tcpdump - pcap", "modpcap", "pcap", "cap;dmp",
1389 FALSE, BLOCKS_SUPPORTED(pcap_blocks_supported),
1390 libpcap_dump_can_write_encap, libpcap_dump_open_pcap_ss991029, NULL
1391 };
1392
1393 static const struct file_type_subtype_info pcap_nokia_info = {
1394 "Nokia tcpdump - pcap", "nokiapcap", "pcap", "cap;dmp",
1395 FALSE, BLOCKS_SUPPORTED(pcap_blocks_supported),
1396 libpcap_dump_can_write_encap, libpcap_dump_open_pcap_nokia, NULL
1397 };
1398
register_pcap(void)1399 void register_pcap(void)
1400 {
1401 pcap_file_type_subtype = wtap_register_file_type_subtype(&pcap_info);
1402 pcap_nsec_file_type_subtype = wtap_register_file_type_subtype(&pcap_nsec_info);
1403 pcap_aix_file_type_subtype = wtap_register_file_type_subtype(&pcap_aix_info);
1404 pcap_ss990417_file_type_subtype = wtap_register_file_type_subtype(&pcap_ss990417_info);
1405 pcap_ss990915_file_type_subtype = wtap_register_file_type_subtype(&pcap_ss990915_info);
1406 pcap_ss991029_file_type_subtype = wtap_register_file_type_subtype(&pcap_ss991029_info);
1407 pcap_nokia_file_type_subtype = wtap_register_file_type_subtype(&pcap_nokia_info);
1408
1409 /*
1410 * We now call the libpcap file format just pcap, but we allow
1411 * the various variants of it to be specified using names
1412 * containing "libpcap" as well as "pcap", for backwards
1413 * compatibility.
1414 *
1415 * Register names for that purpose.
1416 */
1417 wtap_register_compatibility_file_subtype_name("libpcap", "pcap");
1418 wtap_register_compatibility_file_subtype_name("nseclibpcap", "nsecpcap");
1419 wtap_register_compatibility_file_subtype_name("aixlibpcap", "aixpcap");
1420 wtap_register_compatibility_file_subtype_name("modlibpcap", "modpcap");
1421 wtap_register_compatibility_file_subtype_name("nokialibpcap", "nokiapcap");
1422 wtap_register_compatibility_file_subtype_name("rh6_1libpcap", "rh6_1pcap");
1423 wtap_register_compatibility_file_subtype_name("suse6_3libpcap", "suse6_3pcap");
1424
1425 /*
1426 * Register names for backwards compatibility with the
1427 * wtap_filetypes table in Lua.
1428 */
1429 wtap_register_backwards_compatibility_lua_name("PCAP",
1430 pcap_file_type_subtype);
1431 wtap_register_backwards_compatibility_lua_name("PCAP_NSEC",
1432 pcap_nsec_file_type_subtype);
1433 wtap_register_backwards_compatibility_lua_name("PCAP_AIX",
1434 pcap_aix_file_type_subtype);
1435 wtap_register_backwards_compatibility_lua_name("PCAP_SS990417",
1436 pcap_ss990417_file_type_subtype);
1437 wtap_register_backwards_compatibility_lua_name("PCAP_SS990915",
1438 pcap_ss990915_file_type_subtype);
1439 wtap_register_backwards_compatibility_lua_name("PCAP_SS991029",
1440 pcap_ss991029_file_type_subtype);
1441 wtap_register_backwards_compatibility_lua_name("PCAP_NOKIA",
1442 pcap_nokia_file_type_subtype);
1443 }
1444
1445 /*
1446 * Editor modelines - https://www.wireshark.org/tools/modelines.html
1447 *
1448 * Local variables:
1449 * c-basic-offset: 8
1450 * tab-width: 8
1451 * indent-tabs-mode: t
1452 * End:
1453 *
1454 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
1455 * :indentSize=8:tabSize=8:noTabs=false:
1456 */
1457