00001 /* 00002 * Copyright (c) 1993, 1994, 1995, 1996, 1997 00003 * The Regents of the University of California. All rights reserved. 00004 * 00005 * Redistribution and use in source and binary forms, with or without 00006 * modification, are permitted provided that: (1) source code distributions 00007 * retain the above copyright notice and this paragraph in its entirety, (2) 00008 * distributions including binary code include the above copyright notice and 00009 * this paragraph in its entirety in the documentation or other materials 00010 * provided with the distribution, and (3) all advertising materials mentioning 00011 * features or use of this software display the following acknowledgement: 00012 * ``This product includes software developed by the University of California, 00013 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 00014 * the University nor the names of its contributors may be used to endorse 00015 * or promote products derived from this software without specific prior 00016 * written permission. 00017 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 00018 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 00019 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 00020 * 00021 * savefile.c - supports offline use of tcpdump 00022 * Extraction/creation by Jeffrey Mogul, DECWRL 00023 * Modified by Steve McCanne, LBL. 00024 * 00025 * Used to save the received packet headers, after filtering, to 00026 * a file, and then read them later. 00027 * The first record in the file contains saved values for the machine 00028 * dependent values so we can print the dump file on any architecture. 00029 */ 00030 00031 #ifndef lint 00032 static const char rcsid[] _U_ = 00033 "@(#) $Header: /tcpdump/master/libpcap/savefile.c,v 1.92.2.12 2004/08/17 17:56:27 guy Exp $ (LBL)"; 00034 #endif 00035 00036 #ifdef HAVE_CONFIG_H 00037 #include "config.h" 00038 #endif 00039 00040 #include <errno.h> 00041 #include <memory.h> 00042 #include <stdio.h> 00043 #include <stdlib.h> 00044 #include <string.h> 00045 00046 #include "pcap-int.h" 00047 00048 #ifdef HAVE_OS_PROTO_H 00049 #include "os-proto.h" 00050 #endif 00051 00052 /* 00053 * Standard libpcap format. 00054 */ 00055 #define TCPDUMP_MAGIC 0xa1b2c3d4 00056 00057 /* 00058 * Alexey Kuznetzov's modified libpcap format. 00059 */ 00060 #define KUZNETZOV_TCPDUMP_MAGIC 0xa1b2cd34 00061 00062 /* 00063 * Reserved for Francisco Mesquita <francisco.mesquita@radiomovel.pt> 00064 * for another modified format. 00065 */ 00066 #define FMESQUITA_TCPDUMP_MAGIC 0xa1b234cd 00067 00068 /* 00069 * We use the "receiver-makes-right" approach to byte order, 00070 * because time is at a premium when we are writing the file. 00071 * In other words, the pcap_file_header and pcap_pkthdr, 00072 * records are written in host byte order. 00073 * Note that the bytes of packet data are written out in the order in 00074 * which they were received, so multi-byte fields in packets are not 00075 * written in host byte order, they're written in whatever order the 00076 * sending machine put them in. 00077 * 00078 * ntoh[ls] aren't sufficient because we might need to swap on a big-endian 00079 * machine (if the file was written in little-end order). 00080 */ 00081 #define SWAPLONG(y) \ 00082 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 00083 #define SWAPSHORT(y) \ 00084 ( (((y)&0xff)<<8) | ((u_short)((y)&0xff00)>>8) ) 00085 00086 #define SFERR_TRUNC 1 00087 #define SFERR_BADVERSION 2 00088 #define SFERR_BADF 3 00089 #define SFERR_EOF 4 /* not really an error, just a status */ 00090 00091 /* 00092 * We don't write DLT_* values to the capture file header, because 00093 * they're not the same on all platforms. 00094 * 00095 * Unfortunately, the various flavors of BSD have not always used the same 00096 * numerical values for the same data types, and various patches to 00097 * libpcap for non-BSD OSes have added their own DLT_* codes for link 00098 * layer encapsulation types seen on those OSes, and those codes have had, 00099 * in some cases, values that were also used, on other platforms, for other 00100 * link layer encapsulation types. 00101 * 00102 * This means that capture files of a type whose numerical DLT_* code 00103 * means different things on different BSDs, or with different versions 00104 * of libpcap, can't always be read on systems other than those like 00105 * the one running on the machine on which the capture was made. 00106 * 00107 * Instead, we define here a set of LINKTYPE_* codes, and map DLT_* codes 00108 * to LINKTYPE_* codes when writing a savefile header, and map LINKTYPE_* 00109 * codes to DLT_* codes when reading a savefile header. 00110 * 00111 * For those DLT_* codes that have, as far as we know, the same values on 00112 * all platforms (DLT_NULL through DLT_FDDI), we define LINKTYPE_xxx as 00113 * DLT_xxx; that way, captures of those types can still be read by 00114 * versions of libpcap that map LINKTYPE_* values to DLT_* values, and 00115 * captures of those types written by versions of libpcap that map DLT_ 00116 * values to LINKTYPE_ values can still be read by older versions 00117 * of libpcap. 00118 * 00119 * The other LINKTYPE_* codes are given values starting at 100, in the 00120 * hopes that no DLT_* code will be given one of those values. 00121 * 00122 * In order to ensure that a given LINKTYPE_* code's value will refer to 00123 * the same encapsulation type on all platforms, you should not allocate 00124 * a new LINKTYPE_* value without consulting "tcpdump-workers@tcpdump.org". 00125 * The tcpdump developers will allocate a value for you, and will not 00126 * subsequently allocate it to anybody else; that value will be added to 00127 * the "pcap.h" in the tcpdump.org CVS repository, so that a future 00128 * libpcap release will include it. 00129 * 00130 * You should, if possible, also contribute patches to libpcap and tcpdump 00131 * to handle the new encapsulation type, so that they can also be checked 00132 * into the tcpdump.org CVS repository and so that they will appear in 00133 * future libpcap and tcpdump releases. 00134 * 00135 * Do *NOT* assume that any values after the largest value in this file 00136 * are available; you might not have the most up-to-date version of this 00137 * file, and new values after that one might have been assigned. Also, 00138 * do *NOT* use any values below 100 - those might already have been 00139 * taken by one (or more!) organizations. 00140 */ 00141 #define LINKTYPE_NULL DLT_NULL 00142 #define LINKTYPE_ETHERNET DLT_EN10MB /* also for 100Mb and up */ 00143 #define LINKTYPE_EXP_ETHERNET DLT_EN3MB /* 3Mb experimental Ethernet */ 00144 #define LINKTYPE_AX25 DLT_AX25 00145 #define LINKTYPE_PRONET DLT_PRONET 00146 #define LINKTYPE_CHAOS DLT_CHAOS 00147 #define LINKTYPE_TOKEN_RING DLT_IEEE802 /* DLT_IEEE802 is used for Token Ring */ 00148 #define LINKTYPE_ARCNET DLT_ARCNET /* BSD-style headers */ 00149 #define LINKTYPE_SLIP DLT_SLIP 00150 #define LINKTYPE_PPP DLT_PPP 00151 #define LINKTYPE_FDDI DLT_FDDI 00152 00153 /* 00154 * LINKTYPE_PPP is for use when there might, or might not, be an RFC 1662 00155 * PPP in HDLC-like framing header (with 0xff 0x03 before the PPP protocol 00156 * field) at the beginning of the packet. 00157 * 00158 * This is for use when there is always such a header; the address field 00159 * might be 0xff, for regular PPP, or it might be an address field for Cisco 00160 * point-to-point with HDLC framing as per section 4.3.1 of RFC 1547 ("Cisco 00161 * HDLC"). This is, for example, what you get with NetBSD's DLT_PPP_SERIAL. 00162 * 00163 * We give it the same value as NetBSD's DLT_PPP_SERIAL, in the hopes that 00164 * nobody else will choose a DLT_ value of 50, and so that DLT_PPP_SERIAL 00165 * captures will be written out with a link type that NetBSD's tcpdump 00166 * can read. 00167 */ 00168 #define LINKTYPE_PPP_HDLC 50 /* PPP in HDLC-like framing */ 00169 00170 #define LINKTYPE_PPP_ETHER 51 /* NetBSD PPP-over-Ethernet */ 00171 00172 /* 00173 * This isn't supported in libpcap 0.8[.x], but is supported in the 00174 * current CVS version; we include it here to note that it's not available 00175 * for anybody else to use. 00176 */ 00177 #define LINKTYPE_SYMANTEC_FIREWALL 99 /* Symantec Enterprise Firewall */ 00178 00179 #define LINKTYPE_ATM_RFC1483 100 /* LLC/SNAP-encapsulated ATM */ 00180 #define LINKTYPE_RAW 101 /* raw IP */ 00181 #define LINKTYPE_SLIP_BSDOS 102 /* BSD/OS SLIP BPF header */ 00182 #define LINKTYPE_PPP_BSDOS 103 /* BSD/OS PPP BPF header */ 00183 #define LINKTYPE_C_HDLC 104 /* Cisco HDLC */ 00184 #define LINKTYPE_IEEE802_11 105 /* IEEE 802.11 (wireless) */ 00185 #define LINKTYPE_ATM_CLIP 106 /* Linux Classical IP over ATM */ 00186 #define LINKTYPE_FRELAY 107 /* Frame Relay */ 00187 #define LINKTYPE_LOOP 108 /* OpenBSD loopback */ 00188 #define LINKTYPE_ENC 109 /* OpenBSD IPSEC enc */ 00189 00190 /* 00191 * These three types are reserved for future use. 00192 */ 00193 #define LINKTYPE_LANE8023 110 /* ATM LANE + 802.3 */ 00194 #define LINKTYPE_HIPPI 111 /* NetBSD HIPPI */ 00195 #define LINKTYPE_HDLC 112 /* NetBSD HDLC framing */ 00196 00197 #define LINKTYPE_LINUX_SLL 113 /* Linux cooked socket capture */ 00198 #define LINKTYPE_LTALK 114 /* Apple LocalTalk hardware */ 00199 #define LINKTYPE_ECONET 115 /* Acorn Econet */ 00200 00201 /* 00202 * Reserved for use with OpenBSD ipfilter. 00203 */ 00204 #define LINKTYPE_IPFILTER 116 00205 00206 #define LINKTYPE_PFLOG 117 /* OpenBSD DLT_PFLOG */ 00207 #define LINKTYPE_CISCO_IOS 118 /* For Cisco-internal use */ 00208 #define LINKTYPE_PRISM_HEADER 119 /* 802.11+Prism II monitor mode */ 00209 #define LINKTYPE_AIRONET_HEADER 120 /* FreeBSD Aironet driver stuff */ 00210 00211 /* 00212 * Reserved for Siemens HiPath HDLC. 00213 */ 00214 #define LINKTYPE_HHDLC 121 00215 00216 #define LINKTYPE_IP_OVER_FC 122 /* RFC 2625 IP-over-Fibre Channel */ 00217 #define LINKTYPE_SUNATM 123 /* Solaris+SunATM */ 00218 00219 /* 00220 * Reserved as per request from Kent Dahlgren <kent@praesum.com> 00221 * for private use. 00222 */ 00223 #define LINKTYPE_RIO 124 /* RapidIO */ 00224 #define LINKTYPE_PCI_EXP 125 /* PCI Express */ 00225 #define LINKTYPE_AURORA 126 /* Xilinx Aurora link layer */ 00226 00227 #define LINKTYPE_IEEE802_11_RADIO 127 /* 802.11 plus BSD radio header */ 00228 00229 /* 00230 * Reserved for the TZSP encapsulation, as per request from 00231 * Chris Waters <chris.waters@networkchemistry.com> 00232 * TZSP is a generic encapsulation for any other link type, 00233 * which includes a means to include meta-information 00234 * with the packet, e.g. signal strength and channel 00235 * for 802.11 packets. 00236 */ 00237 #define LINKTYPE_TZSP 128 /* Tazmen Sniffer Protocol */ 00238 00239 #define LINKTYPE_ARCNET_LINUX 129 /* Linux-style headers */ 00240 00241 /* 00242 * Juniper-private data link types, as per request from 00243 * Hannes Gredler <hannes@juniper.net>. The corresponding 00244 * DLT_s are used for passing on chassis-internal 00245 * metainformation such as QOS profiles, etc.. 00246 */ 00247 #define LINKTYPE_JUNIPER_MLPPP 130 00248 #define LINKTYPE_JUNIPER_MLFR 131 00249 #define LINKTYPE_JUNIPER_ES 132 00250 #define LINKTYPE_JUNIPER_GGSN 133 00251 #define LINKTYPE_JUNIPER_MFR 134 00252 #define LINKTYPE_JUNIPER_ATM2 135 00253 #define LINKTYPE_JUNIPER_SERVICES 136 00254 #define LINKTYPE_JUNIPER_ATM1 137 00255 00256 #define LINKTYPE_APPLE_IP_OVER_IEEE1394 138 /* Apple IP-over-IEEE 1394 cooked header */ 00257 00258 #define LINKTYPE_RAWSS7 139 /* see rawss7.h for */ 00259 #define LINKTYPE_RAWSS7_MTP2 140 /* information on these */ 00260 #define LINKTYPE_RAWSS7_MTP3 141 /* definitions */ 00261 #define LINKTYPE_RAWSS7_SCCP 142 00262 00263 /* 00264 * This isn't supported in libpcap 0.8[.x], but is supported in the 00265 * current CVS version; we include it here to note that it's not available 00266 * for anybody else to use. 00267 */ 00268 #define LINKTYPE_DOCSIS 143 /* DOCSIS MAC frames */ 00269 00270 #define LINKTYPE_LINUX_IRDA 144 /* Linux-IrDA */ 00271 00272 /* 00273 * Reserved for IBM SP switch and IBM Next Federation switch. 00274 */ 00275 #define LINKTYPE_IBM_SP 145 00276 #define LINKTYPE_IBM_SN 146 00277 00278 /* 00279 * Reserved for private use. If you have some link-layer header type 00280 * that you want to use within your organization, with the capture files 00281 * using that link-layer header type not ever be sent outside your 00282 * organization, you can use these values. 00283 * 00284 * No libpcap release will use these for any purpose, nor will any 00285 * tcpdump release use them, either. 00286 * 00287 * Do *NOT* use these in capture files that you expect anybody not using 00288 * your private versions of capture-file-reading tools to read; in 00289 * particular, do *NOT* use them in products, otherwise you may find that 00290 * people won't be able to use tcpdump, or snort, or Ethereal, or... to 00291 * read capture files from your firewall/intrusion detection/traffic 00292 * monitoring/etc. appliance, or whatever product uses that LINKTYPE_ value, 00293 * and you may also find that the developers of those applications will 00294 * not accept patches to let them read those files. 00295 * 00296 * Also, do not use them if somebody might send you a capture using them 00297 * for *their* private type and tools using them for *your* private type 00298 * would have to read them. 00299 * 00300 * Instead, in those cases, ask "tcpdump-workers@tcpdump.org" for a new DLT_ 00301 * and LINKTYPE_ value, as per the comment in pcap-bpf.h, and use the type 00302 * you're given. 00303 */ 00304 #define LINKTYPE_USER0 147 00305 #define LINKTYPE_USER1 148 00306 #define LINKTYPE_USER2 149 00307 #define LINKTYPE_USER3 150 00308 #define LINKTYPE_USER4 151 00309 #define LINKTYPE_USER5 152 00310 #define LINKTYPE_USER6 153 00311 #define LINKTYPE_USER7 154 00312 #define LINKTYPE_USER8 155 00313 #define LINKTYPE_USER9 156 00314 #define LINKTYPE_USER10 157 00315 #define LINKTYPE_USER11 158 00316 #define LINKTYPE_USER12 159 00317 #define LINKTYPE_USER13 160 00318 #define LINKTYPE_USER14 161 00319 #define LINKTYPE_USER15 162 00320 00321 /* 00322 * For future use with 802.11 captures - defined by AbsoluteValue 00323 * Systems to store a number of bits of link-layer information 00324 * including radio information: 00325 * 00326 * http://www.shaftnet.org/~pizza/software/capturefrm.txt 00327 * 00328 * but could and arguably should also be used by non-AVS Linux 00329 * 802.11 drivers; that may happen in the future. 00330 */ 00331 #define LINKTYPE_IEEE802_11_RADIO_AVS 163 /* 802.11 plus AVS radio header */ 00332 00333 /* 00334 * Juniper-private data link type, as per request from 00335 * Hannes Gredler <hannes@juniper.net>. The corresponding 00336 * DLT_s are used for passing on chassis-internal 00337 * metainformation such as QOS profiles, etc.. 00338 */ 00339 #define LINKTYPE_JUNIPER_MONITOR 164 00340 00341 /* 00342 * This isn't supported in libpcap 0.8[.x], but is supported in the 00343 * current CVS version; we include it here to note that it's not available 00344 * for anybody else to use. 00345 */ 00346 #define LINKTYPE_BACNET_MS_TP 165 00347 00348 static struct linktype_map { 00349 int dlt; 00350 int linktype; 00351 } map[] = { 00352 /* 00353 * These DLT_* codes have LINKTYPE_* codes with values identical 00354 * to the values of the corresponding DLT_* code. 00355 */ 00356 { DLT_NULL, LINKTYPE_NULL }, 00357 { DLT_EN10MB, LINKTYPE_ETHERNET }, 00358 { DLT_EN3MB, LINKTYPE_EXP_ETHERNET }, 00359 { DLT_AX25, LINKTYPE_AX25 }, 00360 { DLT_PRONET, LINKTYPE_PRONET }, 00361 { DLT_CHAOS, LINKTYPE_CHAOS }, 00362 { DLT_IEEE802, LINKTYPE_TOKEN_RING }, 00363 { DLT_ARCNET, LINKTYPE_ARCNET }, 00364 { DLT_SLIP, LINKTYPE_SLIP }, 00365 { DLT_PPP, LINKTYPE_PPP }, 00366 { DLT_FDDI, LINKTYPE_FDDI }, 00367 00368 /* 00369 * These DLT_* codes have different values on different 00370 * platforms; we map them to LINKTYPE_* codes that 00371 * have values that should never be equal to any DLT_* 00372 * code. 00373 */ 00374 #ifdef DLT_FR 00375 /* BSD/OS Frame Relay */ 00376 { DLT_FR, LINKTYPE_FRELAY }, 00377 #endif 00378 00379 { DLT_SYMANTEC_FIREWALL, LINKTYPE_SYMANTEC_FIREWALL }, 00380 { DLT_ATM_RFC1483, LINKTYPE_ATM_RFC1483 }, 00381 { DLT_RAW, LINKTYPE_RAW }, 00382 { DLT_SLIP_BSDOS, LINKTYPE_SLIP_BSDOS }, 00383 { DLT_PPP_BSDOS, LINKTYPE_PPP_BSDOS }, 00384 00385 /* BSD/OS Cisco HDLC */ 00386 { DLT_C_HDLC, LINKTYPE_C_HDLC }, 00387 00388 /* 00389 * These DLT_* codes are not on all platforms, but, so far, 00390 * there don't appear to be any platforms that define 00391 * other codes with those values; we map them to 00392 * different LINKTYPE_* values anyway, just in case. 00393 */ 00394 00395 /* Linux ATM Classical IP */ 00396 { DLT_ATM_CLIP, LINKTYPE_ATM_CLIP }, 00397 00398 /* NetBSD sync/async serial PPP (or Cisco HDLC) */ 00399 { DLT_PPP_SERIAL, LINKTYPE_PPP_HDLC }, 00400 00401 /* NetBSD PPP over Ethernet */ 00402 { DLT_PPP_ETHER, LINKTYPE_PPP_ETHER }, 00403 00404 /* IEEE 802.11 wireless */ 00405 { DLT_IEEE802_11, LINKTYPE_IEEE802_11 }, 00406 00407 /* Frame Relay */ 00408 { DLT_FRELAY, LINKTYPE_FRELAY }, 00409 00410 /* OpenBSD loopback */ 00411 { DLT_LOOP, LINKTYPE_LOOP }, 00412 00413 /* Linux cooked socket capture */ 00414 { DLT_LINUX_SLL, LINKTYPE_LINUX_SLL }, 00415 00416 /* Apple LocalTalk hardware */ 00417 { DLT_LTALK, LINKTYPE_LTALK }, 00418 00419 /* Acorn Econet */ 00420 { DLT_ECONET, LINKTYPE_ECONET }, 00421 00422 /* OpenBSD DLT_PFLOG */ 00423 { DLT_PFLOG, LINKTYPE_PFLOG }, 00424 00425 /* For Cisco-internal use */ 00426 { DLT_CISCO_IOS, LINKTYPE_CISCO_IOS }, 00427 00428 /* Prism II monitor-mode header plus 802.11 header */ 00429 { DLT_PRISM_HEADER, LINKTYPE_PRISM_HEADER }, 00430 00431 /* FreeBSD Aironet driver stuff */ 00432 { DLT_AIRONET_HEADER, LINKTYPE_AIRONET_HEADER }, 00433 00434 /* Siemens HiPath HDLC */ 00435 { DLT_HHDLC, LINKTYPE_HHDLC }, 00436 00437 /* RFC 2625 IP-over-Fibre Channel */ 00438 { DLT_IP_OVER_FC, LINKTYPE_IP_OVER_FC }, 00439 00440 /* Solaris+SunATM */ 00441 { DLT_SUNATM, LINKTYPE_SUNATM }, 00442 00443 /* RapidIO */ 00444 { DLT_RIO, LINKTYPE_RIO }, 00445 00446 /* PCI Express */ 00447 { DLT_PCI_EXP, LINKTYPE_PCI_EXP }, 00448 00449 /* Xilinx Aurora link layer */ 00450 { DLT_AURORA, LINKTYPE_AURORA }, 00451 00452 /* 802.11 plus BSD radio header */ 00453 { DLT_IEEE802_11_RADIO, LINKTYPE_IEEE802_11_RADIO }, 00454 00455 /* Tazmen Sniffer Protocol */ 00456 { DLT_TZSP, LINKTYPE_TZSP }, 00457 00458 /* Arcnet with Linux-style link-layer headers */ 00459 { DLT_ARCNET_LINUX, LINKTYPE_ARCNET_LINUX }, 00460 00461 /* Juniper-internal chassis encapsulation */ 00462 { DLT_JUNIPER_MLPPP, LINKTYPE_JUNIPER_MLPPP }, 00463 { DLT_JUNIPER_MLFR, LINKTYPE_JUNIPER_MLFR }, 00464 { DLT_JUNIPER_ES, LINKTYPE_JUNIPER_ES }, 00465 { DLT_JUNIPER_GGSN, LINKTYPE_JUNIPER_GGSN }, 00466 { DLT_JUNIPER_MFR, LINKTYPE_JUNIPER_MFR }, 00467 { DLT_JUNIPER_ATM2, LINKTYPE_JUNIPER_ATM2 }, 00468 { DLT_JUNIPER_SERVICES, LINKTYPE_JUNIPER_SERVICES }, 00469 { DLT_JUNIPER_ATM1, LINKTYPE_JUNIPER_ATM1 }, 00470 00471 /* Apple IP-over-IEEE 1394 cooked header */ 00472 { DLT_APPLE_IP_OVER_IEEE1394, LINKTYPE_APPLE_IP_OVER_IEEE1394 }, 00473 00474 /* DOCSIS MAC frames */ 00475 { DLT_DOCSIS, LINKTYPE_DOCSIS }, 00476 00477 /* IrDA IrLAP packets + Linux-cooked header */ 00478 { DLT_LINUX_IRDA, LINKTYPE_LINUX_IRDA }, 00479 00480 /* IBM SP and Next Federation switches */ 00481 { DLT_IBM_SP, LINKTYPE_IBM_SP }, 00482 { DLT_IBM_SN, LINKTYPE_IBM_SN }, 00483 00484 /* 802.11 plus AVS radio header */ 00485 { DLT_IEEE802_11_RADIO_AVS, LINKTYPE_IEEE802_11_RADIO_AVS }, 00486 00487 /* 00488 * Any platform that defines additional DLT_* codes should: 00489 * 00490 * request a LINKTYPE_* code and value from tcpdump.org, 00491 * as per the above; 00492 * 00493 * add, in their version of libpcap, an entry to map 00494 * those DLT_* codes to the corresponding LINKTYPE_* 00495 * code; 00496 * 00497 * redefine, in their "net/bpf.h", any DLT_* values 00498 * that collide with the values used by their additional 00499 * DLT_* codes, to remove those collisions (but without 00500 * making them collide with any of the LINKTYPE_* 00501 * values equal to 50 or above; they should also avoid 00502 * defining DLT_* values that collide with those 00503 * LINKTYPE_* values, either). 00504 */ 00505 00506 /* Juniper-internal chassis encapsulation */ 00507 { DLT_JUNIPER_MONITOR, LINKTYPE_JUNIPER_MONITOR }, 00508 00509 { -1, -1 } 00510 }; 00511 00512 static int 00513 dlt_to_linktype(int dlt) 00514 { 00515 int i; 00516 00517 for (i = 0; map[i].dlt != -1; i++) { 00518 if (map[i].dlt == dlt) 00519 return (map[i].linktype); 00520 } 00521 00522 /* 00523 * If we don't have a mapping for this DLT_ code, return an 00524 * error; that means that the table above needs to have an 00525 * entry added. 00526 */ 00527 return (-1); 00528 } 00529 00530 static int 00531 linktype_to_dlt(int linktype) 00532 { 00533 int i; 00534 00535 for (i = 0; map[i].linktype != -1; i++) { 00536 if (map[i].linktype == linktype) 00537 return (map[i].dlt); 00538 } 00539 00540 /* 00541 * If we don't have an entry for this link type, return 00542 * the link type value; it may be a DLT_ value from an 00543 * older version of libpcap. 00544 */ 00545 return linktype; 00546 } 00547 00548 static int 00549 sf_write_header(FILE *fp, int linktype, int thiszone, int snaplen) 00550 { 00551 struct pcap_file_header hdr; 00552 00553 hdr.magic = TCPDUMP_MAGIC; 00554 hdr.version_major = PCAP_VERSION_MAJOR; 00555 hdr.version_minor = PCAP_VERSION_MINOR; 00556 00557 hdr.thiszone = thiszone; 00558 hdr.snaplen = snaplen; 00559 hdr.sigfigs = 0; 00560 hdr.linktype = linktype; 00561 00562 if (fwrite((char *)&hdr, sizeof(hdr), 1, fp) != 1) 00563 return (-1); 00564 00565 return (0); 00566 } 00567 00568 static void 00569 swap_hdr(struct pcap_file_header *hp) 00570 { 00571 hp->version_major = SWAPSHORT(hp->version_major); 00572 hp->version_minor = SWAPSHORT(hp->version_minor); 00573 hp->thiszone = SWAPLONG(hp->thiszone); 00574 hp->sigfigs = SWAPLONG(hp->sigfigs); 00575 hp->snaplen = SWAPLONG(hp->snaplen); 00576 hp->linktype = SWAPLONG(hp->linktype); 00577 } 00578 00579 static int 00580 sf_getnonblock(pcap_t *p, char *errbuf) 00581 { 00582 /* 00583 * This is a savefile, not a live capture file, so never say 00584 * it's in non-blocking mode. 00585 */ 00586 return (0); 00587 } 00588 00589 static int 00590 sf_setnonblock(pcap_t *p, int nonblock, char *errbuf) 00591 { 00592 /* 00593 * This is a savefile, not a live capture file, so ignore 00594 * requests to put it in non-blocking mode. 00595 */ 00596 return (0); 00597 } 00598 00599 static int 00600 sf_stats(pcap_t *p, struct pcap_stat *ps) 00601 { 00602 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 00603 "Statistics aren't available from savefiles"); 00604 return (-1); 00605 } 00606 00607 static void 00608 sf_close(pcap_t *p) 00609 { 00610 if (p->sf.rfile != stdin) 00611 (void)fclose(p->sf.rfile); 00612 if (p->sf.base != NULL) 00613 free(p->sf.base); 00614 } 00615 00616 pcap_t * 00617 pcap_open_offline(const char *fname, char *errbuf) 00618 { 00619 register pcap_t *p; 00620 register FILE *fp; 00621 struct pcap_file_header hdr; 00622 bpf_u_int32 magic; 00623 int linklen; 00624 00625 p = (pcap_t *)malloc(sizeof(*p)); 00626 if (p == NULL) { 00627 strlcpy(errbuf, "out of swap", PCAP_ERRBUF_SIZE); 00628 return (NULL); 00629 } 00630 00631 memset((char *)p, 0, sizeof(*p)); 00632 00633 if (fname[0] == '-' && fname[1] == '\0') 00634 fp = stdin; 00635 else { 00636 #ifndef WIN32 00637 fp = fopen(fname, "r"); 00638 #else 00639 fp = fopen(fname, "rb"); 00640 #endif 00641 if (fp == NULL) { 00642 snprintf(errbuf, PCAP_ERRBUF_SIZE, "%s: %s", fname, 00643 pcap_strerror(errno)); 00644 goto bad; 00645 } 00646 } 00647 if (fread((char *)&hdr, sizeof(hdr), 1, fp) != 1) { 00648 snprintf(errbuf, PCAP_ERRBUF_SIZE, "fread: %s", 00649 pcap_strerror(errno)); 00650 goto bad; 00651 } 00652 magic = hdr.magic; 00653 if (magic != TCPDUMP_MAGIC && magic != KUZNETZOV_TCPDUMP_MAGIC) { 00654 magic = SWAPLONG(magic); 00655 if (magic != TCPDUMP_MAGIC && magic != KUZNETZOV_TCPDUMP_MAGIC) { 00656 snprintf(errbuf, PCAP_ERRBUF_SIZE, 00657 "bad dump file format"); 00658 goto bad; 00659 } 00660 p->sf.swapped = 1; 00661 swap_hdr(&hdr); 00662 } 00663 if (magic == KUZNETZOV_TCPDUMP_MAGIC) { 00664 /* 00665 * XXX - the patch that's in some versions of libpcap 00666 * changes the packet header but not the magic number, 00667 * and some other versions with this magic number have 00668 * some extra debugging information in the packet header; 00669 * we'd have to use some hacks^H^H^H^H^Hheuristics to 00670 * detect those variants. 00671 * 00672 * Ethereal does that, but it does so by trying to read 00673 * the first two packets of the file with each of the 00674 * record header formats. That currently means it seeks 00675 * backwards and retries the reads, which doesn't work 00676 * on pipes. We want to be able to read from a pipe, so 00677 * that strategy won't work; we'd have to buffer some 00678 * data ourselves and read from that buffer in order to 00679 * make that work. 00680 */ 00681 p->sf.hdrsize = sizeof(struct pcap_sf_patched_pkthdr); 00682 } else 00683 p->sf.hdrsize = sizeof(struct pcap_sf_pkthdr); 00684 if (hdr.version_major < PCAP_VERSION_MAJOR) { 00685 snprintf(errbuf, PCAP_ERRBUF_SIZE, "archaic file format"); 00686 goto bad; 00687 } 00688 p->tzoff = hdr.thiszone; 00689 p->snapshot = hdr.snaplen; 00690 p->linktype = linktype_to_dlt(hdr.linktype); 00691 p->sf.rfile = fp; 00692 #ifndef WIN32 00693 p->bufsize = hdr.snaplen; 00694 #else 00695 /* Allocate the space for pcap_pkthdr as well. It will be used by pcap_read_ex */ 00696 p->bufsize = hdr.snaplen+sizeof(struct pcap_pkthdr); 00697 #endif 00698 00699 /* Align link header as required for proper data alignment */ 00700 /* XXX should handle all types */ 00701 switch (p->linktype) { 00702 00703 case DLT_EN10MB: 00704 linklen = 14; 00705 break; 00706 00707 case DLT_FDDI: 00708 linklen = 13 + 8; /* fddi_header + llc */ 00709 break; 00710 00711 case DLT_NULL: 00712 default: 00713 linklen = 0; 00714 break; 00715 } 00716 00717 if (p->bufsize < 0) 00718 p->bufsize = BPF_MAXBUFSIZE; 00719 p->sf.base = (u_char *)malloc(p->bufsize + BPF_ALIGNMENT); 00720 if (p->sf.base == NULL) { 00721 strlcpy(errbuf, "out of swap", PCAP_ERRBUF_SIZE); 00722 goto bad; 00723 } 00724 p->buffer = p->sf.base + BPF_ALIGNMENT - (linklen % BPF_ALIGNMENT); 00725 p->sf.version_major = hdr.version_major; 00726 p->sf.version_minor = hdr.version_minor; 00727 #ifdef PCAP_FDDIPAD 00728 /* XXX padding only needed for kernel fcode */ 00729 pcap_fddipad = 0; 00730 #endif 00731 00732 /* 00733 * We interchanged the caplen and len fields at version 2.3, 00734 * in order to match the bpf header layout. But unfortunately 00735 * some files were written with version 2.3 in their headers 00736 * but without the interchanged fields. 00737 * 00738 * In addition, DG/UX tcpdump writes out files with a version 00739 * number of 543.0, and with the caplen and len fields in the 00740 * pre-2.3 order. 00741 */ 00742 switch (hdr.version_major) { 00743 00744 case 2: 00745 if (hdr.version_minor < 3) 00746 p->sf.lengths_swapped = SWAPPED; 00747 else if (hdr.version_minor == 3) 00748 p->sf.lengths_swapped = MAYBE_SWAPPED; 00749 else 00750 p->sf.lengths_swapped = NOT_SWAPPED; 00751 break; 00752 00753 case 543: 00754 p->sf.lengths_swapped = SWAPPED; 00755 break; 00756 00757 default: 00758 p->sf.lengths_swapped = NOT_SWAPPED; 00759 break; 00760 } 00761 00762 #ifndef WIN32 00763 /* 00764 * You can do "select()" and "poll()" on plain files on most 00765 * platforms, and should be able to do so on pipes. 00766 * 00767 * You can't do "select()" on anything other than sockets in 00768 * Windows, so, on Win32 systems, we don't have "selectable_fd". 00769 */ 00770 p->selectable_fd = fileno(fp); 00771 #endif 00772 00773 p->read_op = pcap_offline_read; 00774 p->setfilter_op = install_bpf_program; 00775 p->set_datalink_op = NULL; /* we don't support munging link-layer headers */ 00776 p->getnonblock_op = sf_getnonblock; 00777 p->setnonblock_op = sf_setnonblock; 00778 p->stats_op = sf_stats; 00779 p->close_op = sf_close; 00780 00781 return (p); 00782 bad: 00783 if(fp) 00784 fclose(fp); 00785 free(p); 00786 return (NULL); 00787 } 00788 00789 /* 00790 * Read sf_readfile and return the next packet. Return the header in hdr 00791 * and the contents in buf. Return 0 on success, SFERR_EOF if there were 00792 * no more packets, and SFERR_TRUNC if a partial packet was encountered. 00793 */ 00794 static int 00795 sf_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char *buf, u_int buflen) 00796 { 00797 struct pcap_sf_patched_pkthdr sf_hdr; 00798 FILE *fp = p->sf.rfile; 00799 size_t amt_read; 00800 bpf_u_int32 t; 00801 00802 /* 00803 * Read the packet header; the structure we use as a buffer 00804 * is the longer structure for files generated by the patched 00805 * libpcap, but if the file has the magic number for an 00806 * unpatched libpcap we only read as many bytes as the regular 00807 * header has. 00808 */ 00809 amt_read = fread(&sf_hdr, 1, p->sf.hdrsize, fp); 00810 if (amt_read != p->sf.hdrsize) { 00811 if (ferror(fp)) { 00812 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 00813 "error reading dump file: %s", 00814 pcap_strerror(errno)); 00815 return (-1); 00816 } else { 00817 if (amt_read != 0) { 00818 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 00819 "truncated dump file; tried to read %d header bytes, only got %lu", 00820 p->sf.hdrsize, (unsigned long)amt_read); 00821 return (-1); 00822 } 00823 /* EOF */ 00824 return (1); 00825 } 00826 } 00827 00828 if (p->sf.swapped) { 00829 /* these were written in opposite byte order */ 00830 hdr->caplen = SWAPLONG(sf_hdr.caplen); 00831 hdr->len = SWAPLONG(sf_hdr.len); 00832 hdr->ts.tv_sec = SWAPLONG(sf_hdr.ts.tv_sec); 00833 hdr->ts.tv_usec = SWAPLONG(sf_hdr.ts.tv_usec); 00834 } else { 00835 hdr->caplen = sf_hdr.caplen; 00836 hdr->len = sf_hdr.len; 00837 hdr->ts.tv_sec = sf_hdr.ts.tv_sec; 00838 hdr->ts.tv_usec = sf_hdr.ts.tv_usec; 00839 } 00840 /* Swap the caplen and len fields, if necessary. */ 00841 switch (p->sf.lengths_swapped) { 00842 00843 case NOT_SWAPPED: 00844 break; 00845 00846 case MAYBE_SWAPPED: 00847 if (hdr->caplen <= hdr->len) { 00848 /* 00849 * The captured length is <= the actual length, 00850 * so presumably they weren't swapped. 00851 */ 00852 break; 00853 } 00854 /* FALLTHROUGH */ 00855 00856 case SWAPPED: 00857 t = hdr->caplen; 00858 hdr->caplen = hdr->len; 00859 hdr->len = t; 00860 break; 00861 } 00862 00863 if (hdr->caplen > buflen) { 00864 /* 00865 * This can happen due to Solaris 2.3 systems tripping 00866 * over the BUFMOD problem and not setting the snapshot 00867 * correctly in the savefile header. If the caplen isn't 00868 * grossly wrong, try to salvage. 00869 */ 00870 static u_char *tp = NULL; 00871 static size_t tsize = 0; 00872 00873 if (hdr->caplen > 65535) { 00874 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 00875 "bogus savefile header"); 00876 return (-1); 00877 } 00878 00879 if (tsize < hdr->caplen) { 00880 tsize = ((hdr->caplen + 1023) / 1024) * 1024; 00881 if (tp != NULL) 00882 free((u_char *)tp); 00883 tp = (u_char *)malloc(tsize); 00884 if (tp == NULL) { 00885 tsize = 0; 00886 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 00887 "BUFMOD hack malloc"); 00888 return (-1); 00889 } 00890 } 00891 amt_read = fread((char *)tp, 1, hdr->caplen, fp); 00892 if (amt_read != hdr->caplen) { 00893 if (ferror(fp)) { 00894 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 00895 "error reading dump file: %s", 00896 pcap_strerror(errno)); 00897 } else { 00898 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 00899 "truncated dump file; tried to read %u captured bytes, only got %lu", 00900 hdr->caplen, (unsigned long)amt_read); 00901 } 00902 return (-1); 00903 } 00904 /* 00905 * We can only keep up to buflen bytes. Since caplen > buflen 00906 * is exactly how we got here, we know we can only keep the 00907 * first buflen bytes and must drop the remainder. Adjust 00908 * caplen accordingly, so we don't get confused later as 00909 * to how many bytes we have to play with. 00910 */ 00911 hdr->caplen = buflen; 00912 memcpy((char *)buf, (char *)tp, buflen); 00913 00914 } else { 00915 /* read the packet itself */ 00916 amt_read = fread((char *)buf, 1, hdr->caplen, fp); 00917 if (amt_read != hdr->caplen) { 00918 if (ferror(fp)) { 00919 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 00920 "error reading dump file: %s", 00921 pcap_strerror(errno)); 00922 } else { 00923 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 00924 "truncated dump file; tried to read %u captured bytes, only got %lu", 00925 hdr->caplen, (unsigned long)amt_read); 00926 } 00927 return (-1); 00928 } 00929 } 00930 return (0); 00931 } 00932 00933 /* 00934 * Print out packets stored in the file initialized by sf_read_init(). 00935 * If cnt > 0, return after 'cnt' packets, otherwise continue until eof. 00936 */ 00937 int 00938 pcap_offline_read(pcap_t *p, int cnt, pcap_handler callback, u_char *user) 00939 { 00940 struct bpf_insn *fcode = p->fcode.bf_insns; 00941 int status = 0; 00942 int n = 0; 00943 00944 #ifdef HAVE_REMOTE 00945 static int samp_npkt; // parameter needed for sampling, whtn '1 out of N' method has been requested 00946 static struct timeval samp_time; // parameter needed for sampling, whtn '1 every N ms' method has been requested 00947 #endif /* HAVE_REMOTE */ 00948 00949 while (status == 0) { 00950 struct pcap_pkthdr h; 00951 00952 /* 00953 * Has "pcap_breakloop()" been called? 00954 * If so, return immediately - if we haven't read any 00955 * packets, clear the flag and return -2 to indicate 00956 * that we were told to break out of the loop, otherwise 00957 * leave the flag set, so that the *next* call will break 00958 * out of the loop without having read any packets, and 00959 * return the number of packets we've processed so far. 00960 */ 00961 if (p->break_loop) { 00962 if (n == 0) { 00963 p->break_loop = 0; 00964 return (-2); 00965 } else 00966 return (n); 00967 } 00968 00969 status = sf_next_packet(p, &h, p->buffer, p->bufsize); 00970 if (status) { 00971 if (status == 1) 00972 return (0); 00973 return (status); 00974 } 00975 00976 if (fcode == NULL || 00977 bpf_filter(fcode, p->buffer, h.len, h.caplen)) { 00978 00979 #ifdef HAVE_REMOTE 00980 if (p->rmt_samp.method == PCAP_SAMP_1_EVERY_N) 00981 { 00982 samp_npkt= (samp_npkt + 1) % p->rmt_samp.value; 00983 00984 // Discard all packets that are not '1 out of N' 00985 if (samp_npkt != 0) 00986 continue; 00987 } 00988 00989 if (p->rmt_samp.method == PCAP_SAMP_FIRST_AFTER_N_MS) 00990 { 00991 // Check if the timestamp of the arrived packet is smaller than our target time 00992 if ( (h.ts.tv_sec < samp_time.tv_sec) || 00993 ( (h.ts.tv_sec == samp_time.tv_sec) && (h.ts.tv_usec < samp_time.tv_usec) ) ) 00994 continue; 00995 00996 // The arrived packet is suitable for being sent to the remote host 00997 // So, let's update the target time 00998 samp_time.tv_usec= h.ts.tv_usec + p->rmt_samp.value * 1000; 00999 if (samp_time.tv_usec > 1000000) 01000 { 01001 samp_time.tv_sec= h.ts.tv_sec + samp_time.tv_usec / 1000000; 01002 samp_time.tv_usec= samp_time.tv_usec % 1000000; 01003 } 01004 01005 } 01006 #endif /* HAVE_REMOTE */ 01007 01008 (*callback)(user, &h, p->buffer); 01009 if (++n >= cnt && cnt > 0) 01010 break; 01011 } 01012 } 01013 /*XXX this breaks semantics tcpslice expects */ 01014 return (n); 01015 } 01016 01017 /* 01018 * Output a packet to the initialized dump file. 01019 */ 01020 void 01021 pcap_dump(u_char *user, const struct pcap_pkthdr *h, const u_char *sp) 01022 { 01023 register FILE *f; 01024 struct pcap_sf_pkthdr sf_hdr; 01025 01026 f = (FILE *)user; 01027 sf_hdr.ts.tv_sec = h->ts.tv_sec; 01028 sf_hdr.ts.tv_usec = h->ts.tv_usec; 01029 sf_hdr.caplen = h->caplen; 01030 sf_hdr.len = h->len; 01031 /* XXX we should check the return status */ 01032 (void)fwrite(&sf_hdr, sizeof(sf_hdr), 1, f); 01033 (void)fwrite((char *)sp, h->caplen, 1, f); 01034 } 01035 01036 /* 01037 * Initialize so that sf_write() will output to the file named 'fname'. 01038 */ 01039 pcap_dumper_t * 01040 pcap_dump_open(pcap_t *p, const char *fname) 01041 { 01042 FILE *f; 01043 int linktype; 01044 01045 linktype = dlt_to_linktype(p->linktype); 01046 if (linktype == -1) { 01047 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 01048 "%s: link-layer type %d isn't supported in savefiles", 01049 fname, linktype); 01050 return (NULL); 01051 } 01052 01053 if (fname[0] == '-' && fname[1] == '\0') { 01054 f = stdout; 01055 #ifdef WIN32 01056 _setmode(_fileno(f), _O_BINARY); 01057 #endif 01058 } else { 01059 #ifndef WIN32 01060 f = fopen(fname, "w"); 01061 #else 01062 f = fopen(fname, "wb"); 01063 #endif 01064 if (f == NULL) { 01065 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "%s: %s", 01066 fname, pcap_strerror(errno)); 01067 return (NULL); 01068 } 01069 #ifdef WIN32 01070 setbuf(f, NULL); /* XXX - why? */ 01071 #endif 01072 } 01073 (void)sf_write_header(f, linktype, p->tzoff, p->snapshot); 01074 return ((pcap_dumper_t *)f); 01075 } 01076 01077 FILE * 01078 pcap_dump_file(pcap_dumper_t *p) 01079 { 01080 return ((FILE *)p); 01081 } 01082 01083 int 01084 pcap_dump_flush(pcap_dumper_t *p) 01085 { 01086 01087 if (fflush((FILE *)p) == EOF) 01088 return (-1); 01089 else 01090 return (0); 01091 } 01092 01093 void 01094 pcap_dump_close(pcap_dumper_t *p) 01095 { 01096 01097 #ifdef notyet 01098 if (ferror((FILE *)p)) 01099 return-an-error; 01100 /* XXX should check return from fclose() too */ 01101 #endif 01102 (void)fclose((FILE *)p); 01103 }
documentation. Copyright (c) 2002-2003 Politecnico di Torino. All rights reserved.