1 /* 2 * Copyright (c) 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * savefile.c - supports offline use of tcpdump 22 * Extraction/creation by Jeffrey Mogul, DECWRL 23 * Modified by Steve McCanne, LBL. 24 * 25 * Used to save the received packet headers, after filtering, to 26 * a file, and then read them later. 27 * The first record in the file contains saved values for the machine 28 * dependent values so we can print the dump file on any architecture. 29 */ 30 31 #ifndef lint 32 static const char rcsid[] _U_ = 33 "@(#) $Header: /tcpdump/master/libpcap/savefile.c,v 1.126.2.30 2007/08/14 20:57:49 guy Exp $ (LBL)"; 34 #endif 35 36 #ifdef HAVE_CONFIG_H 37 #include "config.h" 38 #endif 39 40 #include <errno.h> 41 #include <memory.h> 42 #include <stdio.h> 43 #include <stdlib.h> 44 #include <string.h> 45 46 #include "pcap-int.h" 47 48 #ifdef HAVE_OS_PROTO_H 49 #include "os-proto.h" 50 #endif 51 52 /* 53 * Standard libpcap format. 54 */ 55 #define TCPDUMP_MAGIC 0xa1b2c3d4 56 57 /* 58 * Alexey Kuznetzov's modified libpcap format. 59 */ 60 #define KUZNETZOV_TCPDUMP_MAGIC 0xa1b2cd34 61 62 /* 63 * Reserved for Francisco Mesquita <francisco.mesquita (at) radiomovel.pt> 64 * for another modified format. 65 */ 66 #define FMESQUITA_TCPDUMP_MAGIC 0xa1b234cd 67 68 /* 69 * Navtel Communcations' format, with nanosecond timestamps, 70 * as per a request from Dumas Hwang <dumas.hwang (at) navtelcom.com>. 71 */ 72 #define NAVTEL_TCPDUMP_MAGIC 0xa12b3c4d 73 74 /* 75 * Normal libpcap format, except for seconds/nanoseconds timestamps, 76 * as per a request by Ulf Lamping <ulf.lamping (at) web.de> 77 */ 78 #define NSEC_TCPDUMP_MAGIC 0xa1b23c4d 79 80 /* 81 * We use the "receiver-makes-right" approach to byte order, 82 * because time is at a premium when we are writing the file. 83 * In other words, the pcap_file_header and pcap_pkthdr, 84 * records are written in host byte order. 85 * Note that the bytes of packet data are written out in the order in 86 * which they were received, so multi-byte fields in packets are not 87 * written in host byte order, they're written in whatever order the 88 * sending machine put them in. 89 * 90 * ntoh[ls] aren't sufficient because we might need to swap on a big-endian 91 * machine (if the file was written in little-end order). 92 */ 93 #define SWAPLONG(y) \ 94 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 95 #define SWAPSHORT(y) \ 96 ( (((y)&0xff)<<8) | ((u_short)((y)&0xff00)>>8) ) 97 98 #define SFERR_TRUNC 1 99 #define SFERR_BADVERSION 2 100 #define SFERR_BADF 3 101 #define SFERR_EOF 4 /* not really an error, just a status */ 102 103 /* 104 * Setting O_BINARY on DOS/Windows is a bit tricky 105 */ 106 #if defined(WIN32) 107 #define SET_BINMODE(f) _setmode(_fileno(f), _O_BINARY) 108 #elif defined(MSDOS) 109 #if defined(__HIGHC__) 110 #define SET_BINMODE(f) setmode(f, O_BINARY) 111 #else 112 #define SET_BINMODE(f) setmode(fileno(f), O_BINARY) 113 #endif 114 #endif 115 116 /* 117 * We don't write DLT_* values to the capture file header, because 118 * they're not the same on all platforms. 119 * 120 * Unfortunately, the various flavors of BSD have not always used the same 121 * numerical values for the same data types, and various patches to 122 * libpcap for non-BSD OSes have added their own DLT_* codes for link 123 * layer encapsulation types seen on those OSes, and those codes have had, 124 * in some cases, values that were also used, on other platforms, for other 125 * link layer encapsulation types. 126 * 127 * This means that capture files of a type whose numerical DLT_* code 128 * means different things on different BSDs, or with different versions 129 * of libpcap, can't always be read on systems other than those like 130 * the one running on the machine on which the capture was made. 131 * 132 * Instead, we define here a set of LINKTYPE_* codes, and map DLT_* codes 133 * to LINKTYPE_* codes when writing a savefile header, and map LINKTYPE_* 134 * codes to DLT_* codes when reading a savefile header. 135 * 136 * For those DLT_* codes that have, as far as we know, the same values on 137 * all platforms (DLT_NULL through DLT_FDDI), we define LINKTYPE_xxx as 138 * DLT_xxx; that way, captures of those types can still be read by 139 * versions of libpcap that map LINKTYPE_* values to DLT_* values, and 140 * captures of those types written by versions of libpcap that map DLT_ 141 * values to LINKTYPE_ values can still be read by older versions 142 * of libpcap. 143 * 144 * The other LINKTYPE_* codes are given values starting at 100, in the 145 * hopes that no DLT_* code will be given one of those values. 146 * 147 * In order to ensure that a given LINKTYPE_* code's value will refer to 148 * the same encapsulation type on all platforms, you should not allocate 149 * a new LINKTYPE_* value without consulting "tcpdump-workers (at) tcpdump.org". 150 * The tcpdump developers will allocate a value for you, and will not 151 * subsequently allocate it to anybody else; that value will be added to 152 * the "pcap.h" in the tcpdump.org CVS repository, so that a future 153 * libpcap release will include it. 154 * 155 * You should, if possible, also contribute patches to libpcap and tcpdump 156 * to handle the new encapsulation type, so that they can also be checked 157 * into the tcpdump.org CVS repository and so that they will appear in 158 * future libpcap and tcpdump releases. 159 * 160 * Do *NOT* assume that any values after the largest value in this file 161 * are available; you might not have the most up-to-date version of this 162 * file, and new values after that one might have been assigned. Also, 163 * do *NOT* use any values below 100 - those might already have been 164 * taken by one (or more!) organizations. 165 */ 166 #define LINKTYPE_NULL DLT_NULL 167 #define LINKTYPE_ETHERNET DLT_EN10MB /* also for 100Mb and up */ 168 #define LINKTYPE_EXP_ETHERNET DLT_EN3MB /* 3Mb experimental Ethernet */ 169 #define LINKTYPE_AX25 DLT_AX25 170 #define LINKTYPE_PRONET DLT_PRONET 171 #define LINKTYPE_CHAOS DLT_CHAOS 172 #define LINKTYPE_TOKEN_RING DLT_IEEE802 /* DLT_IEEE802 is used for Token Ring */ 173 #define LINKTYPE_ARCNET DLT_ARCNET /* BSD-style headers */ 174 #define LINKTYPE_SLIP DLT_SLIP 175 #define LINKTYPE_PPP DLT_PPP 176 #define LINKTYPE_FDDI DLT_FDDI 177 178 /* 179 * LINKTYPE_PPP is for use when there might, or might not, be an RFC 1662 180 * PPP in HDLC-like framing header (with 0xff 0x03 before the PPP protocol 181 * field) at the beginning of the packet. 182 * 183 * This is for use when there is always such a header; the address field 184 * might be 0xff, for regular PPP, or it might be an address field for Cisco 185 * point-to-point with HDLC framing as per section 4.3.1 of RFC 1547 ("Cisco 186 * HDLC"). This is, for example, what you get with NetBSD's DLT_PPP_SERIAL. 187 * 188 * We give it the same value as NetBSD's DLT_PPP_SERIAL, in the hopes that 189 * nobody else will choose a DLT_ value of 50, and so that DLT_PPP_SERIAL 190 * captures will be written out with a link type that NetBSD's tcpdump 191 * can read. 192 */ 193 #define LINKTYPE_PPP_HDLC 50 /* PPP in HDLC-like framing */ 194 195 #define LINKTYPE_PPP_ETHER 51 /* NetBSD PPP-over-Ethernet */ 196 197 #define LINKTYPE_SYMANTEC_FIREWALL 99 /* Symantec Enterprise Firewall */ 198 199 #define LINKTYPE_ATM_RFC1483 100 /* LLC/SNAP-encapsulated ATM */ 200 #define LINKTYPE_RAW 101 /* raw IP */ 201 #define LINKTYPE_SLIP_BSDOS 102 /* BSD/OS SLIP BPF header */ 202 #define LINKTYPE_PPP_BSDOS 103 /* BSD/OS PPP BPF header */ 203 #define LINKTYPE_C_HDLC 104 /* Cisco HDLC */ 204 #define LINKTYPE_IEEE802_11 105 /* IEEE 802.11 (wireless) */ 205 #define LINKTYPE_ATM_CLIP 106 /* Linux Classical IP over ATM */ 206 #define LINKTYPE_FRELAY 107 /* Frame Relay */ 207 #define LINKTYPE_LOOP 108 /* OpenBSD loopback */ 208 #define LINKTYPE_ENC 109 /* OpenBSD IPSEC enc */ 209 210 /* 211 * These three types are reserved for future use. 212 */ 213 #define LINKTYPE_LANE8023 110 /* ATM LANE + 802.3 */ 214 #define LINKTYPE_HIPPI 111 /* NetBSD HIPPI */ 215 #define LINKTYPE_HDLC 112 /* NetBSD HDLC framing */ 216 217 #define LINKTYPE_LINUX_SLL 113 /* Linux cooked socket capture */ 218 #define LINKTYPE_LTALK 114 /* Apple LocalTalk hardware */ 219 #define LINKTYPE_ECONET 115 /* Acorn Econet */ 220 221 /* 222 * Reserved for use with OpenBSD ipfilter. 223 */ 224 #define LINKTYPE_IPFILTER 116 225 226 #define LINKTYPE_PFLOG 117 /* OpenBSD DLT_PFLOG */ 227 #define LINKTYPE_CISCO_IOS 118 /* For Cisco-internal use */ 228 #define LINKTYPE_PRISM_HEADER 119 /* 802.11+Prism II monitor mode */ 229 #define LINKTYPE_AIRONET_HEADER 120 /* FreeBSD Aironet driver stuff */ 230 231 /* 232 * Reserved for Siemens HiPath HDLC. 233 */ 234 #define LINKTYPE_HHDLC 121 235 236 #define LINKTYPE_IP_OVER_FC 122 /* RFC 2625 IP-over-Fibre Channel */ 237 #define LINKTYPE_SUNATM 123 /* Solaris+SunATM */ 238 239 /* 240 * Reserved as per request from Kent Dahlgren <kent (at) praesum.com> 241 * for private use. 242 */ 243 #define LINKTYPE_RIO 124 /* RapidIO */ 244 #define LINKTYPE_PCI_EXP 125 /* PCI Express */ 245 #define LINKTYPE_AURORA 126 /* Xilinx Aurora link layer */ 246 247 #define LINKTYPE_IEEE802_11_RADIO 127 /* 802.11 plus BSD radio header */ 248 249 /* 250 * Reserved for the TZSP encapsulation, as per request from 251 * Chris Waters <chris.waters (at) networkchemistry.com> 252 * TZSP is a generic encapsulation for any other link type, 253 * which includes a means to include meta-information 254 * with the packet, e.g. signal strength and channel 255 * for 802.11 packets. 256 */ 257 #define LINKTYPE_TZSP 128 /* Tazmen Sniffer Protocol */ 258 259 #define LINKTYPE_ARCNET_LINUX 129 /* Linux-style headers */ 260 261 /* 262 * Juniper-private data link types, as per request from 263 * Hannes Gredler <hannes (at) juniper.net>. The corresponding 264 * DLT_s are used for passing on chassis-internal 265 * metainformation such as QOS profiles, etc.. 266 */ 267 #define LINKTYPE_JUNIPER_MLPPP 130 268 #define LINKTYPE_JUNIPER_MLFR 131 269 #define LINKTYPE_JUNIPER_ES 132 270 #define LINKTYPE_JUNIPER_GGSN 133 271 #define LINKTYPE_JUNIPER_MFR 134 272 #define LINKTYPE_JUNIPER_ATM2 135 273 #define LINKTYPE_JUNIPER_SERVICES 136 274 #define LINKTYPE_JUNIPER_ATM1 137 275 276 #define LINKTYPE_APPLE_IP_OVER_IEEE1394 138 /* Apple IP-over-IEEE 1394 cooked header */ 277 278 #define LINKTYPE_MTP2_WITH_PHDR 139 279 #define LINKTYPE_MTP2 140 280 #define LINKTYPE_MTP3 141 281 #define LINKTYPE_SCCP 142 282 283 #define LINKTYPE_DOCSIS 143 /* DOCSIS MAC frames */ 284 285 #define LINKTYPE_LINUX_IRDA 144 /* Linux-IrDA */ 286 287 /* 288 * Reserved for IBM SP switch and IBM Next Federation switch. 289 */ 290 #define LINKTYPE_IBM_SP 145 291 #define LINKTYPE_IBM_SN 146 292 293 /* 294 * Reserved for private use. If you have some link-layer header type 295 * that you want to use within your organization, with the capture files 296 * using that link-layer header type not ever be sent outside your 297 * organization, you can use these values. 298 * 299 * No libpcap release will use these for any purpose, nor will any 300 * tcpdump release use them, either. 301 * 302 * Do *NOT* use these in capture files that you expect anybody not using 303 * your private versions of capture-file-reading tools to read; in 304 * particular, do *NOT* use them in products, otherwise you may find that 305 * people won't be able to use tcpdump, or snort, or Ethereal, or... to 306 * read capture files from your firewall/intrusion detection/traffic 307 * monitoring/etc. appliance, or whatever product uses that LINKTYPE_ value, 308 * and you may also find that the developers of those applications will 309 * not accept patches to let them read those files. 310 * 311 * Also, do not use them if somebody might send you a capture using them 312 * for *their* private type and tools using them for *your* private type 313 * would have to read them. 314 * 315 * Instead, in those cases, ask "tcpdump-workers (at) tcpdump.org" for a new DLT_ 316 * and LINKTYPE_ value, as per the comment in pcap-bpf.h, and use the type 317 * you're given. 318 */ 319 #define LINKTYPE_USER0 147 320 #define LINKTYPE_USER1 148 321 #define LINKTYPE_USER2 149 322 #define LINKTYPE_USER3 150 323 #define LINKTYPE_USER4 151 324 #define LINKTYPE_USER5 152 325 #define LINKTYPE_USER6 153 326 #define LINKTYPE_USER7 154 327 #define LINKTYPE_USER8 155 328 #define LINKTYPE_USER9 156 329 #define LINKTYPE_USER10 157 330 #define LINKTYPE_USER11 158 331 #define LINKTYPE_USER12 159 332 #define LINKTYPE_USER13 160 333 #define LINKTYPE_USER14 161 334 #define LINKTYPE_USER15 162 335 336 /* 337 * For future use with 802.11 captures - defined by AbsoluteValue 338 * Systems to store a number of bits of link-layer information 339 * including radio information: 340 * 341 * http://www.shaftnet.org/~pizza/software/capturefrm.txt 342 * 343 * but could and arguably should also be used by non-AVS Linux 344 * 802.11 drivers; that may happen in the future. 345 */ 346 #define LINKTYPE_IEEE802_11_RADIO_AVS 163 /* 802.11 plus AVS radio header */ 347 348 /* 349 * Juniper-private data link type, as per request from 350 * Hannes Gredler <hannes (at) juniper.net>. The corresponding 351 * DLT_s are used for passing on chassis-internal 352 * metainformation such as QOS profiles, etc.. 353 */ 354 #define LINKTYPE_JUNIPER_MONITOR 164 355 356 /* 357 * Reserved for BACnet MS/TP. 358 */ 359 #define LINKTYPE_BACNET_MS_TP 165 360 361 /* 362 * Another PPP variant as per request from Karsten Keil <kkeil (at) suse.de>. 363 * 364 * This is used in some OSes to allow a kernel socket filter to distinguish 365 * between incoming and outgoing packets, on a socket intended to 366 * supply pppd with outgoing packets so it can do dial-on-demand and 367 * hangup-on-lack-of-demand; incoming packets are filtered out so they 368 * don't cause pppd to hold the connection up (you don't want random 369 * input packets such as port scans, packets from old lost connections, 370 * etc. to force the connection to stay up). 371 * 372 * The first byte of the PPP header (0xff03) is modified to accomodate 373 * the direction - 0x00 = IN, 0x01 = OUT. 374 */ 375 #define LINKTYPE_PPP_PPPD 166 376 377 /* 378 * Juniper-private data link type, as per request from 379 * Hannes Gredler <hannes (at) juniper.net>. The DLT_s are used 380 * for passing on chassis-internal metainformation such as 381 * QOS profiles, cookies, etc.. 382 */ 383 #define LINKTYPE_JUNIPER_PPPOE 167 384 #define LINKTYPE_JUNIPER_PPPOE_ATM 168 385 386 #define LINKTYPE_GPRS_LLC 169 /* GPRS LLC */ 387 #define LINKTYPE_GPF_T 170 /* GPF-T (ITU-T G.7041/Y.1303) */ 388 #define LINKTYPE_GPF_F 171 /* GPF-T (ITU-T G.7041/Y.1303) */ 389 390 /* 391 * Requested by Oolan Zimmer <oz (at) gcom.com> for use in Gcom's T1/E1 line 392 * monitoring equipment. 393 */ 394 #define LINKTYPE_GCOM_T1E1 172 395 #define LINKTYPE_GCOM_SERIAL 173 396 397 /* 398 * Juniper-private data link type, as per request from 399 * Hannes Gredler <hannes (at) juniper.net>. The DLT_ is used 400 * for internal communication to Physical Interface Cards (PIC) 401 */ 402 #define LINKTYPE_JUNIPER_PIC_PEER 174 403 404 /* 405 * Link types requested by Gregor Maier <gregor (at) endace.com> of Endace 406 * Measurement Systems. They add an ERF header (see 407 * http://www.endace.com/support/EndaceRecordFormat.pdf) in front of 408 * the link-layer header. 409 */ 410 #define LINKTYPE_ERF_ETH 175 /* Ethernet */ 411 #define LINKTYPE_ERF_POS 176 /* Packet-over-SONET */ 412 413 /* 414 * Requested by Daniele Orlandi <daniele (at) orlandi.com> for raw LAPD 415 * for vISDN (http://www.orlandi.com/visdn/). Its link-layer header 416 * includes additional information before the LAPD header, so it's 417 * not necessarily a generic LAPD header. 418 */ 419 #define LINKTYPE_LINUX_LAPD 177 420 421 /* 422 * Juniper-private data link type, as per request from 423 * Hannes Gredler <hannes (at) juniper.net>. 424 * The Link Types are used for prepending meta-information 425 * like interface index, interface name 426 * before standard Ethernet, PPP, Frelay & C-HDLC Frames 427 */ 428 #define LINKTYPE_JUNIPER_ETHER 178 429 #define LINKTYPE_JUNIPER_PPP 179 430 #define LINKTYPE_JUNIPER_FRELAY 180 431 #define LINKTYPE_JUNIPER_CHDLC 181 432 433 /* 434 * Multi Link Frame Relay (FRF.16) 435 */ 436 #define LINKTYPE_MFR 182 437 438 /* 439 * Juniper-private data link type, as per request from 440 * Hannes Gredler <hannes (at) juniper.net>. 441 * The DLT_ is used for internal communication with a 442 * voice Adapter Card (PIC) 443 */ 444 #define LINKTYPE_JUNIPER_VP 183 445 446 /* 447 * Arinc 429 frames. 448 * DLT_ requested by Gianluca Varenni <gianluca.varenni (at) cacetech.com>. 449 * Every frame contains a 32bit A429 label. 450 * More documentation on Arinc 429 can be found at 451 * http://www.condoreng.com/support/downloads/tutorials/ARINCTutorial.pdf 452 */ 453 #define LINKTYPE_A429 184 454 455 /* 456 * Arinc 653 Interpartition Communication messages. 457 * DLT_ requested by Gianluca Varenni <gianluca.varenni (at) cacetech.com>. 458 * Please refer to the A653-1 standard for more information. 459 */ 460 #define LINKTYPE_A653_ICM 185 461 462 /* 463 * USB packets, beginning with a USB setup header; requested by 464 * Paolo Abeni <paolo.abeni (at) email.it>. 465 */ 466 #define LINKTYPE_USB 186 467 468 /* 469 * Bluetooth HCI UART transport layer (part H:4); requested by 470 * Paolo Abeni. 471 */ 472 #define LINKTYPE_BLUETOOTH_HCI_H4 187 473 474 /* 475 * IEEE 802.16 MAC Common Part Sublayer; requested by Maria Cruz 476 * <cruz_petagay (at) bah.com>. 477 */ 478 #define LINKTYPE_IEEE802_16_MAC_CPS 188 479 480 /* 481 * USB packets, beginning with a Linux USB header; requested by 482 * Paolo Abeni <paolo.abeni (at) email.it>. 483 */ 484 #define LINKTYPE_USB_LINUX 189 485 486 /* 487 * Controller Area Network (CAN) v. 2.0B packets. 488 * DLT_ requested by Gianluca Varenni <gianluca.varenni (at) cacetech.com>. 489 * Used to dump CAN packets coming from a CAN Vector board. 490 * More documentation on the CAN v2.0B frames can be found at 491 * http://www.can-cia.org/downloads/?269 492 */ 493 #define LINKTYPE_CAN20B 190 494 495 /* 496 * IEEE 802.15.4, with address fields padded, as is done by Linux 497 * drivers; requested by Juergen Schimmer. 498 */ 499 #define LINKTYPE_IEEE802_15_4_LINUX 191 500 501 /* 502 * Per Packet Information encapsulated packets. 503 * LINKTYPE_ requested by Gianluca Varenni <gianluca.varenni (at) cacetech.com>. 504 */ 505 #define LINKTYPE_PPI 192 506 507 /* 508 * Header for 802.16 MAC Common Part Sublayer plus a radiotap radio header; 509 * requested by Charles Clancy. 510 */ 511 #define LINKTYPE_IEEE802_16_MAC_CPS_RADIO 193 512 513 /* 514 * Juniper-private data link type, as per request from 515 * Hannes Gredler <hannes (at) juniper.net>. 516 * The DLT_ is used for internal communication with a 517 * integrated service module (ISM). 518 */ 519 #define LINKTYPE_JUNIPER_ISM 194 520 521 /* 522 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no 523 * nothing); requested by Mikko Saarnivala <mikko.saarnivala (at) sensinode.com>. 524 */ 525 #define LINKTYPE_IEEE802_15_4 195 526 527 /* 528 * Various link-layer types, with a pseudo-header, for SITA 529 * (http://www.sita.aero/); requested by Fulko Hew (fulko.hew (at) gmail.com). 530 */ 531 #define LINKTYPE_SITA 196 532 533 /* 534 * Various link-layer types, with a pseudo-header, for Endace DAG cards; 535 * encapsulates Endace ERF records. Requested by Stephen Donnelly 536 * <stephen (at) endace.com>. 537 */ 538 #define LINKTYPE_ERF 197 539 540 /* 541 * Special header prepended to Ethernet packets when capturing from a 542 * u10 Networks board. Requested by Phil Mulholland 543 * <phil (at) u10networks.com>. 544 */ 545 #define LINKTYPE_RAIF1 198 546 547 /* 548 * IPMB packet for IPMI, beginning with the I2C slave address, followed 549 * by the netFn and LUN, etc.. Requested by Chanthy Toeung 550 * <chanthy.toeung (at) ca.kontron.com>. 551 */ 552 #define LINKTYPE_IPMB 199 553 554 555 static struct linktype_map { 556 int dlt; 557 int linktype; 558 } map[] = { 559 /* 560 * These DLT_* codes have LINKTYPE_* codes with values identical 561 * to the values of the corresponding DLT_* code. 562 */ 563 { DLT_NULL, LINKTYPE_NULL }, 564 { DLT_EN10MB, LINKTYPE_ETHERNET }, 565 { DLT_EN3MB, LINKTYPE_EXP_ETHERNET }, 566 { DLT_AX25, LINKTYPE_AX25 }, 567 { DLT_PRONET, LINKTYPE_PRONET }, 568 { DLT_CHAOS, LINKTYPE_CHAOS }, 569 { DLT_IEEE802, LINKTYPE_TOKEN_RING }, 570 { DLT_ARCNET, LINKTYPE_ARCNET }, 571 { DLT_SLIP, LINKTYPE_SLIP }, 572 { DLT_PPP, LINKTYPE_PPP }, 573 { DLT_FDDI, LINKTYPE_FDDI }, 574 575 /* 576 * These DLT_* codes have different values on different 577 * platforms; we map them to LINKTYPE_* codes that 578 * have values that should never be equal to any DLT_* 579 * code. 580 */ 581 #ifdef DLT_FR 582 /* BSD/OS Frame Relay */ 583 { DLT_FR, LINKTYPE_FRELAY }, 584 #endif 585 586 { DLT_SYMANTEC_FIREWALL, LINKTYPE_SYMANTEC_FIREWALL }, 587 { DLT_ATM_RFC1483, LINKTYPE_ATM_RFC1483 }, 588 { DLT_RAW, LINKTYPE_RAW }, 589 { DLT_SLIP_BSDOS, LINKTYPE_SLIP_BSDOS }, 590 { DLT_PPP_BSDOS, LINKTYPE_PPP_BSDOS }, 591 592 /* BSD/OS Cisco HDLC */ 593 { DLT_C_HDLC, LINKTYPE_C_HDLC }, 594 595 /* 596 * These DLT_* codes are not on all platforms, but, so far, 597 * there don't appear to be any platforms that define 598 * other codes with those values; we map them to 599 * different LINKTYPE_* values anyway, just in case. 600 */ 601 602 /* Linux ATM Classical IP */ 603 { DLT_ATM_CLIP, LINKTYPE_ATM_CLIP }, 604 605 /* NetBSD sync/async serial PPP (or Cisco HDLC) */ 606 { DLT_PPP_SERIAL, LINKTYPE_PPP_HDLC }, 607 608 /* NetBSD PPP over Ethernet */ 609 { DLT_PPP_ETHER, LINKTYPE_PPP_ETHER }, 610 611 /* IEEE 802.11 wireless */ 612 { DLT_IEEE802_11, LINKTYPE_IEEE802_11 }, 613 614 /* Frame Relay */ 615 { DLT_FRELAY, LINKTYPE_FRELAY }, 616 617 /* OpenBSD loopback */ 618 { DLT_LOOP, LINKTYPE_LOOP }, 619 620 /* Linux cooked socket capture */ 621 { DLT_LINUX_SLL, LINKTYPE_LINUX_SLL }, 622 623 /* Apple LocalTalk hardware */ 624 { DLT_LTALK, LINKTYPE_LTALK }, 625 626 /* Acorn Econet */ 627 { DLT_ECONET, LINKTYPE_ECONET }, 628 629 /* OpenBSD DLT_PFLOG */ 630 { DLT_PFLOG, LINKTYPE_PFLOG }, 631 632 /* For Cisco-internal use */ 633 { DLT_CISCO_IOS, LINKTYPE_CISCO_IOS }, 634 635 /* Prism II monitor-mode header plus 802.11 header */ 636 { DLT_PRISM_HEADER, LINKTYPE_PRISM_HEADER }, 637 638 /* FreeBSD Aironet driver stuff */ 639 { DLT_AIRONET_HEADER, LINKTYPE_AIRONET_HEADER }, 640 641 /* Siemens HiPath HDLC */ 642 { DLT_HHDLC, LINKTYPE_HHDLC }, 643 644 /* RFC 2625 IP-over-Fibre Channel */ 645 { DLT_IP_OVER_FC, LINKTYPE_IP_OVER_FC }, 646 647 /* Solaris+SunATM */ 648 { DLT_SUNATM, LINKTYPE_SUNATM }, 649 650 /* RapidIO */ 651 { DLT_RIO, LINKTYPE_RIO }, 652 653 /* PCI Express */ 654 { DLT_PCI_EXP, LINKTYPE_PCI_EXP }, 655 656 /* Xilinx Aurora link layer */ 657 { DLT_AURORA, LINKTYPE_AURORA }, 658 659 /* 802.11 plus BSD radio header */ 660 { DLT_IEEE802_11_RADIO, LINKTYPE_IEEE802_11_RADIO }, 661 662 /* Tazmen Sniffer Protocol */ 663 { DLT_TZSP, LINKTYPE_TZSP }, 664 665 /* Arcnet with Linux-style link-layer headers */ 666 { DLT_ARCNET_LINUX, LINKTYPE_ARCNET_LINUX }, 667 668 /* Juniper-internal chassis encapsulation */ 669 { DLT_JUNIPER_MLPPP, LINKTYPE_JUNIPER_MLPPP }, 670 { DLT_JUNIPER_MLFR, LINKTYPE_JUNIPER_MLFR }, 671 { DLT_JUNIPER_ES, LINKTYPE_JUNIPER_ES }, 672 { DLT_JUNIPER_GGSN, LINKTYPE_JUNIPER_GGSN }, 673 { DLT_JUNIPER_MFR, LINKTYPE_JUNIPER_MFR }, 674 { DLT_JUNIPER_ATM2, LINKTYPE_JUNIPER_ATM2 }, 675 { DLT_JUNIPER_SERVICES, LINKTYPE_JUNIPER_SERVICES }, 676 { DLT_JUNIPER_ATM1, LINKTYPE_JUNIPER_ATM1 }, 677 678 /* Apple IP-over-IEEE 1394 cooked header */ 679 { DLT_APPLE_IP_OVER_IEEE1394, LINKTYPE_APPLE_IP_OVER_IEEE1394 }, 680 681 /* SS7 */ 682 { DLT_MTP2_WITH_PHDR, LINKTYPE_MTP2_WITH_PHDR }, 683 { DLT_MTP2, LINKTYPE_MTP2 }, 684 { DLT_MTP3, LINKTYPE_MTP3 }, 685 { DLT_SCCP, LINKTYPE_SCCP }, 686 687 /* DOCSIS MAC frames */ 688 { DLT_DOCSIS, LINKTYPE_DOCSIS }, 689 690 /* IrDA IrLAP packets + Linux-cooked header */ 691 { DLT_LINUX_IRDA, LINKTYPE_LINUX_IRDA }, 692 693 /* IBM SP and Next Federation switches */ 694 { DLT_IBM_SP, LINKTYPE_IBM_SP }, 695 { DLT_IBM_SN, LINKTYPE_IBM_SN }, 696 697 /* 802.11 plus AVS radio header */ 698 { DLT_IEEE802_11_RADIO_AVS, LINKTYPE_IEEE802_11_RADIO_AVS }, 699 700 /* 701 * Any platform that defines additional DLT_* codes should: 702 * 703 * request a LINKTYPE_* code and value from tcpdump.org, 704 * as per the above; 705 * 706 * add, in their version of libpcap, an entry to map 707 * those DLT_* codes to the corresponding LINKTYPE_* 708 * code; 709 * 710 * redefine, in their "net/bpf.h", any DLT_* values 711 * that collide with the values used by their additional 712 * DLT_* codes, to remove those collisions (but without 713 * making them collide with any of the LINKTYPE_* 714 * values equal to 50 or above; they should also avoid 715 * defining DLT_* values that collide with those 716 * LINKTYPE_* values, either). 717 */ 718 719 /* Juniper-internal chassis encapsulation */ 720 { DLT_JUNIPER_MONITOR, LINKTYPE_JUNIPER_MONITOR }, 721 722 /* BACnet MS/TP */ 723 { DLT_BACNET_MS_TP, LINKTYPE_BACNET_MS_TP }, 724 725 /* PPP for pppd, with direction flag in the PPP header */ 726 { DLT_PPP_PPPD, LINKTYPE_PPP_PPPD}, 727 728 /* Juniper-internal chassis encapsulation */ 729 { DLT_JUNIPER_PPPOE, LINKTYPE_JUNIPER_PPPOE }, 730 { DLT_JUNIPER_PPPOE_ATM,LINKTYPE_JUNIPER_PPPOE_ATM }, 731 732 /* GPRS LLC */ 733 { DLT_GPRS_LLC, LINKTYPE_GPRS_LLC }, 734 735 /* Transparent Generic Framing Procedure (ITU-T G.7041/Y.1303) */ 736 { DLT_GPF_T, LINKTYPE_GPF_T }, 737 738 /* Framed Generic Framing Procedure (ITU-T G.7041/Y.1303) */ 739 { DLT_GPF_F, LINKTYPE_GPF_F }, 740 741 { DLT_GCOM_T1E1, LINKTYPE_GCOM_T1E1 }, 742 { DLT_GCOM_SERIAL, LINKTYPE_GCOM_SERIAL }, 743 744 /* Juniper-internal chassis encapsulation */ 745 { DLT_JUNIPER_PIC_PEER, LINKTYPE_JUNIPER_PIC_PEER }, 746 747 /* Endace types */ 748 { DLT_ERF_ETH, LINKTYPE_ERF_ETH }, 749 { DLT_ERF_POS, LINKTYPE_ERF_POS }, 750 751 /* viSDN LAPD */ 752 { DLT_LINUX_LAPD, LINKTYPE_LINUX_LAPD }, 753 754 /* Juniper meta-information before Ether, PPP, Frame Relay, C-HDLC Frames */ 755 { DLT_JUNIPER_ETHER, LINKTYPE_JUNIPER_ETHER }, 756 { DLT_JUNIPER_PPP, LINKTYPE_JUNIPER_PPP }, 757 { DLT_JUNIPER_FRELAY, LINKTYPE_JUNIPER_FRELAY }, 758 { DLT_JUNIPER_CHDLC, LINKTYPE_JUNIPER_CHDLC }, 759 760 /* Multi Link Frame Relay (FRF.16) */ 761 { DLT_MFR, LINKTYPE_MFR }, 762 763 /* Juniper Voice PIC */ 764 { DLT_JUNIPER_VP, LINKTYPE_JUNIPER_VP }, 765 766 /* Controller Area Network (CAN) v2.0B */ 767 { DLT_A429, LINKTYPE_A429 }, 768 769 /* Arinc 653 Interpartition Communication messages */ 770 { DLT_A653_ICM, LINKTYPE_A653_ICM }, 771 772 /* USB */ 773 { DLT_USB, LINKTYPE_USB }, 774 775 /* Bluetooth HCI UART transport layer */ 776 { DLT_BLUETOOTH_HCI_H4, LINKTYPE_BLUETOOTH_HCI_H4 }, 777 778 /* IEEE 802.16 MAC Common Part Sublayer */ 779 { DLT_IEEE802_16_MAC_CPS, LINKTYPE_IEEE802_16_MAC_CPS }, 780 781 /* USB with Linux header */ 782 { DLT_USB_LINUX, LINKTYPE_USB_LINUX }, 783 784 /* Controller Area Network (CAN) v2.0B */ 785 { DLT_CAN20B, LINKTYPE_CAN20B }, 786 787 /* IEEE 802.15.4 with address fields padded */ 788 { DLT_IEEE802_15_4_LINUX, LINKTYPE_IEEE802_15_4_LINUX }, 789 790 /* Per Packet Information encapsulated packets */ 791 { DLT_PPI, LINKTYPE_PPI }, 792 793 /* IEEE 802.16 MAC Common Part Sublayer plus radiotap header */ 794 { DLT_IEEE802_16_MAC_CPS_RADIO, LINKTYPE_IEEE802_16_MAC_CPS_RADIO }, 795 796 /* Juniper Voice ISM */ 797 { DLT_JUNIPER_ISM, LINKTYPE_JUNIPER_ISM }, 798 799 /* IEEE 802.15.4 exactly as it appears in the spec */ 800 { DLT_IEEE802_15_4, LINKTYPE_IEEE802_15_4 }, 801 802 /* Various link-layer types for SITA */ 803 { DLT_SITA, LINKTYPE_SITA }, 804 805 /* Various link-layer types for Endace */ 806 { DLT_ERF, LINKTYPE_ERF }, 807 808 /* Special header for u10 Networks boards */ 809 { DLT_RAIF1, LINKTYPE_RAIF1 }, 810 811 /* IPMB */ 812 { DLT_IPMB, LINKTYPE_IPMB }, 813 814 { -1, -1 } 815 }; 816 817 static int 818 dlt_to_linktype(int dlt) 819 { 820 int i; 821 822 for (i = 0; map[i].dlt != -1; i++) { 823 if (map[i].dlt == dlt) 824 return (map[i].linktype); 825 } 826 827 /* 828 * If we don't have a mapping for this DLT_ code, return an 829 * error; that means that the table above needs to have an 830 * entry added. 831 */ 832 return (-1); 833 } 834 835 static int 836 linktype_to_dlt(int linktype) 837 { 838 int i; 839 840 for (i = 0; map[i].linktype != -1; i++) { 841 if (map[i].linktype == linktype) 842 return (map[i].dlt); 843 } 844 845 /* 846 * If we don't have an entry for this link type, return 847 * the link type value; it may be a DLT_ value from an 848 * older version of libpcap. 849 */ 850 return linktype; 851 } 852 853 static int 854 sf_write_header(FILE *fp, int linktype, int thiszone, int snaplen) 855 { 856 struct pcap_file_header hdr; 857 858 hdr.magic = TCPDUMP_MAGIC; 859 hdr.version_major = PCAP_VERSION_MAJOR; 860 hdr.version_minor = PCAP_VERSION_MINOR; 861 862 hdr.thiszone = thiszone; 863 hdr.snaplen = snaplen; 864 hdr.sigfigs = 0; 865 hdr.linktype = linktype; 866 867 if (fwrite((char *)&hdr, sizeof(hdr), 1, fp) != 1) 868 return (-1); 869 870 return (0); 871 } 872 873 static void 874 swap_hdr(struct pcap_file_header *hp) 875 { 876 hp->version_major = SWAPSHORT(hp->version_major); 877 hp->version_minor = SWAPSHORT(hp->version_minor); 878 hp->thiszone = SWAPLONG(hp->thiszone); 879 hp->sigfigs = SWAPLONG(hp->sigfigs); 880 hp->snaplen = SWAPLONG(hp->snaplen); 881 hp->linktype = SWAPLONG(hp->linktype); 882 } 883 884 static int 885 sf_getnonblock(pcap_t *p, char *errbuf) 886 { 887 /* 888 * This is a savefile, not a live capture file, so never say 889 * it's in non-blocking mode. 890 */ 891 return (0); 892 } 893 894 static int 895 sf_setnonblock(pcap_t *p, int nonblock, char *errbuf) 896 { 897 /* 898 * This is a savefile, not a live capture file, so ignore 899 * requests to put it in non-blocking mode. 900 */ 901 return (0); 902 } 903 904 static int 905 sf_stats(pcap_t *p, struct pcap_stat *ps) 906 { 907 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 908 "Statistics aren't available from savefiles"); 909 return (-1); 910 } 911 912 static int 913 sf_inject(pcap_t *p, const void *buf _U_, size_t size _U_) 914 { 915 strlcpy(p->errbuf, "Sending packets isn't supported on savefiles", 916 PCAP_ERRBUF_SIZE); 917 return (-1); 918 } 919 920 /* 921 * Set direction flag: Which packets do we accept on a forwarding 922 * single device? IN, OUT or both? 923 */ 924 static int 925 sf_setdirection(pcap_t *p, pcap_direction_t d) 926 { 927 snprintf(p->errbuf, sizeof(p->errbuf), 928 "Setting direction is not supported on savefiles"); 929 return (-1); 930 } 931 932 static void 933 sf_close(pcap_t *p) 934 { 935 if (p->sf.rfile != stdin) 936 (void)fclose(p->sf.rfile); 937 if (p->sf.base != NULL) 938 free(p->sf.base); 939 } 940 941 pcap_t * 942 pcap_open_offline(const char *fname, char *errbuf) 943 { 944 FILE *fp; 945 pcap_t *p; 946 947 if (fname[0] == '-' && fname[1] == '\0') 948 { 949 fp = stdin; 950 #if defined(WIN32) || defined(MSDOS) 951 /* 952 * We're reading from the standard input, so put it in binary 953 * mode, as savefiles are binary files. 954 */ 955 SET_BINMODE(fp); 956 #endif 957 } 958 else { 959 #if !defined(WIN32) && !defined(MSDOS) 960 fp = fopen(fname, "r"); 961 #else 962 fp = fopen(fname, "rb"); 963 #endif 964 if (fp == NULL) { 965 snprintf(errbuf, PCAP_ERRBUF_SIZE, "%s: %s", fname, 966 pcap_strerror(errno)); 967 return (NULL); 968 } 969 } 970 p = pcap_fopen_offline(fp, errbuf); 971 if (p == NULL) { 972 if (fp != stdin) 973 fclose(fp); 974 } 975 return (p); 976 } 977 978 pcap_t * 979 pcap_fopen_offline(FILE *fp, char *errbuf) 980 { 981 register pcap_t *p; 982 struct pcap_file_header hdr; 983 size_t amt_read; 984 bpf_u_int32 magic; 985 int linklen; 986 987 p = (pcap_t *)malloc(sizeof(*p)); 988 if (p == NULL) { 989 strlcpy(errbuf, "out of swap", PCAP_ERRBUF_SIZE); 990 return (NULL); 991 } 992 993 memset((char *)p, 0, sizeof(*p)); 994 995 amt_read = fread((char *)&hdr, 1, sizeof(hdr), fp); 996 if (amt_read != sizeof(hdr)) { 997 if (ferror(fp)) { 998 snprintf(errbuf, PCAP_ERRBUF_SIZE, 999 "error reading dump file: %s", 1000 pcap_strerror(errno)); 1001 } else { 1002 snprintf(errbuf, PCAP_ERRBUF_SIZE, 1003 "truncated dump file; tried to read %lu file header bytes, only got %lu", 1004 (unsigned long)sizeof(hdr), 1005 (unsigned long)amt_read); 1006 } 1007 goto bad; 1008 } 1009 magic = hdr.magic; 1010 if (magic != TCPDUMP_MAGIC && magic != KUZNETZOV_TCPDUMP_MAGIC) { 1011 magic = SWAPLONG(magic); 1012 if (magic != TCPDUMP_MAGIC && magic != KUZNETZOV_TCPDUMP_MAGIC) { 1013 snprintf(errbuf, PCAP_ERRBUF_SIZE, 1014 "bad dump file format"); 1015 goto bad; 1016 } 1017 p->sf.swapped = 1; 1018 swap_hdr(&hdr); 1019 } 1020 if (magic == KUZNETZOV_TCPDUMP_MAGIC) { 1021 /* 1022 * XXX - the patch that's in some versions of libpcap 1023 * changes the packet header but not the magic number, 1024 * and some other versions with this magic number have 1025 * some extra debugging information in the packet header; 1026 * we'd have to use some hacks^H^H^H^H^Hheuristics to 1027 * detect those variants. 1028 * 1029 * Ethereal does that, but it does so by trying to read 1030 * the first two packets of the file with each of the 1031 * record header formats. That currently means it seeks 1032 * backwards and retries the reads, which doesn't work 1033 * on pipes. We want to be able to read from a pipe, so 1034 * that strategy won't work; we'd have to buffer some 1035 * data ourselves and read from that buffer in order to 1036 * make that work. 1037 */ 1038 p->sf.hdrsize = sizeof(struct pcap_sf_patched_pkthdr); 1039 } else 1040 p->sf.hdrsize = sizeof(struct pcap_sf_pkthdr); 1041 if (hdr.version_major < PCAP_VERSION_MAJOR) { 1042 snprintf(errbuf, PCAP_ERRBUF_SIZE, "archaic file format"); 1043 goto bad; 1044 } 1045 p->tzoff = hdr.thiszone; 1046 p->snapshot = hdr.snaplen; 1047 p->linktype = linktype_to_dlt(hdr.linktype); 1048 if (magic == KUZNETZOV_TCPDUMP_MAGIC && p->linktype == DLT_EN10MB) { 1049 /* 1050 * This capture might have been done in raw mode or cooked 1051 * mode. 1052 * 1053 * If it was done in cooked mode, p->snapshot was passed 1054 * to recvfrom() as the buffer size, meaning that the 1055 * most packet data that would be copied would be 1056 * p->snapshot. However, a faked Ethernet header would 1057 * then have been added to it, so the most data that would 1058 * be in a packet in the file would be p->snapshot + 14. 1059 * 1060 * We can't easily tell whether the capture was done in 1061 * raw mode or cooked mode, so we'll assume it was 1062 * cooked mode, and add 14 to the snapshot length. That 1063 * means that, for a raw capture, the snapshot length will 1064 * be misleading if you use it to figure out why a capture 1065 * doesn't have all the packet data, but there's not much 1066 * we can do to avoid that. 1067 */ 1068 p->snapshot += 14; 1069 } 1070 p->sf.rfile = fp; 1071 #ifndef WIN32 1072 p->bufsize = hdr.snaplen; 1073 #else 1074 /* Allocate the space for pcap_pkthdr as well. It will be used by pcap_read_ex */ 1075 p->bufsize = hdr.snaplen+sizeof(struct pcap_pkthdr); 1076 #endif 1077 1078 /* Align link header as required for proper data alignment */ 1079 /* XXX should handle all types */ 1080 switch (p->linktype) { 1081 1082 case DLT_EN10MB: 1083 linklen = 14; 1084 break; 1085 1086 case DLT_FDDI: 1087 linklen = 13 + 8; /* fddi_header + llc */ 1088 break; 1089 1090 case DLT_NULL: 1091 default: 1092 linklen = 0; 1093 break; 1094 } 1095 1096 if (p->bufsize < 0) 1097 p->bufsize = BPF_MAXBUFSIZE; 1098 p->sf.base = (u_char *)malloc(p->bufsize + BPF_ALIGNMENT); 1099 if (p->sf.base == NULL) { 1100 strlcpy(errbuf, "out of swap", PCAP_ERRBUF_SIZE); 1101 goto bad; 1102 } 1103 p->buffer = p->sf.base + BPF_ALIGNMENT - (linklen % BPF_ALIGNMENT); 1104 p->sf.version_major = hdr.version_major; 1105 p->sf.version_minor = hdr.version_minor; 1106 #ifdef PCAP_FDDIPAD 1107 /* Padding only needed for live capture fcode */ 1108 p->fddipad = 0; 1109 #endif 1110 1111 /* 1112 * We interchanged the caplen and len fields at version 2.3, 1113 * in order to match the bpf header layout. But unfortunately 1114 * some files were written with version 2.3 in their headers 1115 * but without the interchanged fields. 1116 * 1117 * In addition, DG/UX tcpdump writes out files with a version 1118 * number of 543.0, and with the caplen and len fields in the 1119 * pre-2.3 order. 1120 */ 1121 switch (hdr.version_major) { 1122 1123 case 2: 1124 if (hdr.version_minor < 3) 1125 p->sf.lengths_swapped = SWAPPED; 1126 else if (hdr.version_minor == 3) 1127 p->sf.lengths_swapped = MAYBE_SWAPPED; 1128 else 1129 p->sf.lengths_swapped = NOT_SWAPPED; 1130 break; 1131 1132 case 543: 1133 p->sf.lengths_swapped = SWAPPED; 1134 break; 1135 1136 default: 1137 p->sf.lengths_swapped = NOT_SWAPPED; 1138 break; 1139 } 1140 1141 #if !defined(WIN32) && !defined(MSDOS) 1142 /* 1143 * You can do "select()" and "poll()" on plain files on most 1144 * platforms, and should be able to do so on pipes. 1145 * 1146 * You can't do "select()" on anything other than sockets in 1147 * Windows, so, on Win32 systems, we don't have "selectable_fd". 1148 */ 1149 p->selectable_fd = fileno(fp); 1150 #endif 1151 1152 p->read_op = pcap_offline_read; 1153 p->inject_op = sf_inject; 1154 p->setfilter_op = install_bpf_program; 1155 p->setdirection_op = sf_setdirection; 1156 p->set_datalink_op = NULL; /* we don't support munging link-layer headers */ 1157 p->getnonblock_op = sf_getnonblock; 1158 p->setnonblock_op = sf_setnonblock; 1159 p->stats_op = sf_stats; 1160 p->close_op = sf_close; 1161 1162 return (p); 1163 bad: 1164 free(p); 1165 return (NULL); 1166 } 1167 1168 /* 1169 * Read sf_readfile and return the next packet. Return the header in hdr 1170 * and the contents in buf. Return 0 on success, SFERR_EOF if there were 1171 * no more packets, and SFERR_TRUNC if a partial packet was encountered. 1172 */ 1173 static int 1174 sf_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char *buf, u_int buflen) 1175 { 1176 struct pcap_sf_patched_pkthdr sf_hdr; 1177 FILE *fp = p->sf.rfile; 1178 size_t amt_read; 1179 bpf_u_int32 t; 1180 1181 /* 1182 * Read the packet header; the structure we use as a buffer 1183 * is the longer structure for files generated by the patched 1184 * libpcap, but if the file has the magic number for an 1185 * unpatched libpcap we only read as many bytes as the regular 1186 * header has. 1187 */ 1188 amt_read = fread(&sf_hdr, 1, p->sf.hdrsize, fp); 1189 if (amt_read != p->sf.hdrsize) { 1190 if (ferror(fp)) { 1191 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1192 "error reading dump file: %s", 1193 pcap_strerror(errno)); 1194 return (-1); 1195 } else { 1196 if (amt_read != 0) { 1197 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1198 "truncated dump file; tried to read %d header bytes, only got %lu", 1199 p->sf.hdrsize, (unsigned long)amt_read); 1200 return (-1); 1201 } 1202 /* EOF */ 1203 return (1); 1204 } 1205 } 1206 1207 if (p->sf.swapped) { 1208 /* these were written in opposite byte order */ 1209 hdr->caplen = SWAPLONG(sf_hdr.caplen); 1210 hdr->len = SWAPLONG(sf_hdr.len); 1211 hdr->ts.tv_sec = SWAPLONG(sf_hdr.ts.tv_sec); 1212 hdr->ts.tv_usec = SWAPLONG(sf_hdr.ts.tv_usec); 1213 } else { 1214 hdr->caplen = sf_hdr.caplen; 1215 hdr->len = sf_hdr.len; 1216 hdr->ts.tv_sec = sf_hdr.ts.tv_sec; 1217 hdr->ts.tv_usec = sf_hdr.ts.tv_usec; 1218 } 1219 /* Swap the caplen and len fields, if necessary. */ 1220 switch (p->sf.lengths_swapped) { 1221 1222 case NOT_SWAPPED: 1223 break; 1224 1225 case MAYBE_SWAPPED: 1226 if (hdr->caplen <= hdr->len) { 1227 /* 1228 * The captured length is <= the actual length, 1229 * so presumably they weren't swapped. 1230 */ 1231 break; 1232 } 1233 /* FALLTHROUGH */ 1234 1235 case SWAPPED: 1236 t = hdr->caplen; 1237 hdr->caplen = hdr->len; 1238 hdr->len = t; 1239 break; 1240 } 1241 1242 if (hdr->caplen > buflen) { 1243 /* 1244 * This can happen due to Solaris 2.3 systems tripping 1245 * over the BUFMOD problem and not setting the snapshot 1246 * correctly in the savefile header. If the caplen isn't 1247 * grossly wrong, try to salvage. 1248 */ 1249 static u_char *tp = NULL; 1250 static size_t tsize = 0; 1251 1252 if (hdr->caplen > 65535) { 1253 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1254 "bogus savefile header"); 1255 return (-1); 1256 } 1257 1258 if (tsize < hdr->caplen) { 1259 tsize = ((hdr->caplen + 1023) / 1024) * 1024; 1260 if (tp != NULL) 1261 free((u_char *)tp); 1262 tp = (u_char *)malloc(tsize); 1263 if (tp == NULL) { 1264 tsize = 0; 1265 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1266 "BUFMOD hack malloc"); 1267 return (-1); 1268 } 1269 } 1270 amt_read = fread((char *)tp, 1, hdr->caplen, fp); 1271 if (amt_read != hdr->caplen) { 1272 if (ferror(fp)) { 1273 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1274 "error reading dump file: %s", 1275 pcap_strerror(errno)); 1276 } else { 1277 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1278 "truncated dump file; tried to read %u captured bytes, only got %lu", 1279 hdr->caplen, (unsigned long)amt_read); 1280 } 1281 return (-1); 1282 } 1283 /* 1284 * We can only keep up to buflen bytes. Since caplen > buflen 1285 * is exactly how we got here, we know we can only keep the 1286 * first buflen bytes and must drop the remainder. Adjust 1287 * caplen accordingly, so we don't get confused later as 1288 * to how many bytes we have to play with. 1289 */ 1290 hdr->caplen = buflen; 1291 memcpy((char *)buf, (char *)tp, buflen); 1292 1293 } else { 1294 /* read the packet itself */ 1295 amt_read = fread((char *)buf, 1, hdr->caplen, fp); 1296 if (amt_read != hdr->caplen) { 1297 if (ferror(fp)) { 1298 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1299 "error reading dump file: %s", 1300 pcap_strerror(errno)); 1301 } else { 1302 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1303 "truncated dump file; tried to read %u captured bytes, only got %lu", 1304 hdr->caplen, (unsigned long)amt_read); 1305 } 1306 return (-1); 1307 } 1308 } 1309 return (0); 1310 } 1311 1312 /* 1313 * Print out packets stored in the file initialized by sf_read_init(). 1314 * If cnt > 0, return after 'cnt' packets, otherwise continue until eof. 1315 */ 1316 int 1317 pcap_offline_read(pcap_t *p, int cnt, pcap_handler callback, u_char *user) 1318 { 1319 struct bpf_insn *fcode; 1320 int status = 0; 1321 int n = 0; 1322 1323 while (status == 0) { 1324 struct pcap_pkthdr h; 1325 1326 /* 1327 * Has "pcap_breakloop()" been called? 1328 * If so, return immediately - if we haven't read any 1329 * packets, clear the flag and return -2 to indicate 1330 * that we were told to break out of the loop, otherwise 1331 * leave the flag set, so that the *next* call will break 1332 * out of the loop without having read any packets, and 1333 * return the number of packets we've processed so far. 1334 */ 1335 if (p->break_loop) { 1336 if (n == 0) { 1337 p->break_loop = 0; 1338 return (-2); 1339 } else 1340 return (n); 1341 } 1342 1343 status = sf_next_packet(p, &h, p->buffer, p->bufsize); 1344 if (status) { 1345 if (status == 1) 1346 return (0); 1347 return (status); 1348 } 1349 1350 if ((fcode = p->fcode.bf_insns) == NULL || 1351 bpf_filter(fcode, p->buffer, h.len, h.caplen)) { 1352 (*callback)(user, &h, p->buffer); 1353 if (++n >= cnt && cnt > 0) 1354 break; 1355 } 1356 } 1357 /*XXX this breaks semantics tcpslice expects */ 1358 return (n); 1359 } 1360 1361 /* 1362 * Output a packet to the initialized dump file. 1363 */ 1364 void 1365 pcap_dump(u_char *user, const struct pcap_pkthdr *h, const u_char *sp) 1366 { 1367 register FILE *f; 1368 struct pcap_sf_pkthdr sf_hdr; 1369 1370 f = (FILE *)user; 1371 sf_hdr.ts.tv_sec = h->ts.tv_sec; 1372 sf_hdr.ts.tv_usec = h->ts.tv_usec; 1373 sf_hdr.caplen = h->caplen; 1374 sf_hdr.len = h->len; 1375 /* XXX we should check the return status */ 1376 (void)fwrite(&sf_hdr, sizeof(sf_hdr), 1, f); 1377 (void)fwrite(sp, h->caplen, 1, f); 1378 } 1379 1380 static pcap_dumper_t * 1381 pcap_setup_dump(pcap_t *p, int linktype, FILE *f, const char *fname) 1382 { 1383 1384 #if defined(WIN32) || defined(MSDOS) 1385 /* 1386 * If we're writing to the standard output, put it in binary 1387 * mode, as savefiles are binary files. 1388 * 1389 * Otherwise, we turn off buffering. 1390 * XXX - why? And why not on the standard output? 1391 */ 1392 if (f == stdout) 1393 SET_BINMODE(f); 1394 else 1395 setbuf(f, NULL); 1396 #endif 1397 if (sf_write_header(f, linktype, p->tzoff, p->snapshot) == -1) { 1398 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "Can't write to %s: %s", 1399 fname, pcap_strerror(errno)); 1400 if (f != stdout) 1401 (void)fclose(f); 1402 return (NULL); 1403 } 1404 return ((pcap_dumper_t *)f); 1405 } 1406 1407 /* 1408 * Initialize so that sf_write() will output to the file named 'fname'. 1409 */ 1410 pcap_dumper_t * 1411 pcap_dump_open(pcap_t *p, const char *fname) 1412 { 1413 FILE *f; 1414 int linktype; 1415 1416 linktype = dlt_to_linktype(p->linktype); 1417 if (linktype == -1) { 1418 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1419 "%s: link-layer type %d isn't supported in savefiles", 1420 fname, linktype); 1421 return (NULL); 1422 } 1423 1424 if (fname[0] == '-' && fname[1] == '\0') { 1425 f = stdout; 1426 fname = "standard output"; 1427 } else { 1428 #if !defined(WIN32) && !defined(MSDOS) 1429 f = fopen(fname, "w"); 1430 #else 1431 f = fopen(fname, "wb"); 1432 #endif 1433 if (f == NULL) { 1434 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "%s: %s", 1435 fname, pcap_strerror(errno)); 1436 return (NULL); 1437 } 1438 } 1439 return (pcap_setup_dump(p, linktype, f, fname)); 1440 } 1441 1442 /* 1443 * Initialize so that sf_write() will output to the given stream. 1444 */ 1445 pcap_dumper_t * 1446 pcap_dump_fopen(pcap_t *p, FILE *f) 1447 { 1448 int linktype; 1449 1450 linktype = dlt_to_linktype(p->linktype); 1451 if (linktype == -1) { 1452 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1453 "stream: link-layer type %d isn't supported in savefiles", 1454 linktype); 1455 return (NULL); 1456 } 1457 1458 return (pcap_setup_dump(p, linktype, f, "stream")); 1459 } 1460 1461 FILE * 1462 pcap_dump_file(pcap_dumper_t *p) 1463 { 1464 return ((FILE *)p); 1465 } 1466 1467 long 1468 pcap_dump_ftell(pcap_dumper_t *p) 1469 { 1470 return (ftell((FILE *)p)); 1471 } 1472 1473 int 1474 pcap_dump_flush(pcap_dumper_t *p) 1475 { 1476 1477 if (fflush((FILE *)p) == EOF) 1478 return (-1); 1479 else 1480 return (0); 1481 } 1482 1483 void 1484 pcap_dump_close(pcap_dumper_t *p) 1485 { 1486 1487 #ifdef notyet 1488 if (ferror((FILE *)p)) 1489 return-an-error; 1490 /* XXX should check return from fclose() too */ 1491 #endif 1492 (void)fclose((FILE *)p); 1493 } 1494
