summaryrefslogtreecommitdiffstats
path: root/wiretap/libpcap.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-10 20:34:10 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-10 20:34:10 +0000
commite4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc (patch)
tree68cb5ef9081156392f1dd62a00c6ccc1451b93df /wiretap/libpcap.c
parentInitial commit. (diff)
downloadwireshark-e4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc.tar.xz
wireshark-e4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc.zip
Adding upstream version 4.2.2.upstream/4.2.2
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'wiretap/libpcap.c')
-rw-r--r--wiretap/libpcap.c1590
1 files changed, 1590 insertions, 0 deletions
diff --git a/wiretap/libpcap.c b/wiretap/libpcap.c
new file mode 100644
index 00000000..f3538078
--- /dev/null
+++ b/wiretap/libpcap.c
@@ -0,0 +1,1590 @@
+/* libpcap.c
+ *
+ * Wiretap Library
+ * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "config.h"
+
+#include <stdlib.h>
+#include <string.h>
+#include "wtap-int.h"
+#include "file_wrappers.h"
+#include "required_file_handlers.h"
+#include "pcap-common.h"
+#include "pcap-encap.h"
+#include "libpcap.h"
+#include "erf-common.h"
+#include <wsutil/ws_assert.h>
+
+/* See source to the "libpcap" library for information on the "libpcap"
+ file format. */
+
+/*
+ * Private per-wtap_t data needed to read a file.
+ */
+typedef enum {
+ NOT_SWAPPED,
+ SWAPPED,
+ MAYBE_SWAPPED
+} swapped_type_t;
+
+/*
+ * Variants of pcap, some distinguished by the magic number and some,
+ * alas, not.
+ *
+ * (Don't do that. Srsly.)
+ */
+typedef enum {
+ PCAP, /* OG pcap */
+ PCAP_NSEC, /* PCAP with nanosecond resolution */
+ PCAP_AIX, /* AIX pcap */
+ PCAP_SS990417, /* Modified, from 1999-04-17 patch */
+ PCAP_SS990915, /* Modified, from 1999-09-15 patch */
+ PCAP_SS991029, /* Modified, from 1999-10-29 patch */
+ PCAP_NOKIA, /* Nokia pcap */
+ PCAP_UNKNOWN /* Unknown as yet */
+} pcap_variant_t;
+
+typedef struct {
+ gboolean byte_swapped;
+ swapped_type_t lengths_swapped;
+ guint16 version_major;
+ guint16 version_minor;
+ pcap_variant_t variant;
+ int fcs_len;
+ void *encap_priv;
+} libpcap_t;
+
+/* Try to read the first few records of the capture file. */
+static gboolean libpcap_try_variants(wtap *wth, const pcap_variant_t *variants,
+ size_t n_variants, int *err, gchar **err_info);
+static int libpcap_try(wtap *wth, int *err, gchar **err_info);
+static int libpcap_try_record(wtap *wth, int *err, gchar **err_info);
+
+static gboolean libpcap_read(wtap *wth, wtap_rec *rec, Buffer *buf,
+ int *err, gchar **err_info, gint64 *data_offset);
+static gboolean libpcap_seek_read(wtap *wth, gint64 seek_off,
+ wtap_rec *rec, Buffer *buf, int *err, gchar **err_info);
+static gboolean libpcap_read_packet(wtap *wth, FILE_T fh,
+ wtap_rec *rec, Buffer *buf, int *err, gchar **err_info);
+static int libpcap_read_header(wtap *wth, FILE_T fh, int *err, gchar **err_info,
+ struct pcaprec_ss990915_hdr *hdr);
+static void libpcap_close(wtap *wth);
+
+static gboolean libpcap_dump_pcap(wtap_dumper *wdh, const wtap_rec *rec,
+ const guint8 *pd, int *err, gchar **err_info);
+static gboolean libpcap_dump_pcap_nsec(wtap_dumper *wdh, const wtap_rec *rec,
+ const guint8 *pd, int *err, gchar **err_info);
+static gboolean libpcap_dump_pcap_ss990417(wtap_dumper *wdh,
+ const wtap_rec *rec, const guint8 *pd, int *err, gchar **err_info);
+static gboolean libpcap_dump_pcap_ss990915(wtap_dumper *wdh,
+ const wtap_rec *rec, const guint8 *pd, int *err, gchar **err_info);
+static gboolean libpcap_dump_pcap_ss991029(wtap_dumper *wdh,
+ const wtap_rec *rec, const guint8 *pd, int *err, gchar **err_info);
+static gboolean libpcap_dump_pcap_nokia(wtap_dumper *wdh, const wtap_rec *rec,
+ const guint8 *pd, int *err, gchar **err_info);
+
+/*
+ * Subfields of the field containing the link-layer header type.
+ *
+ * Link-layer header types are assigned for both pcap and
+ * pcapng, and the same value must work with both. In pcapng,
+ * the link-layer header type field in an Interface Description
+ * Block is 16 bits, so only the bottommost 16 bits of the
+ * link-layer header type in a pcap file can be used for the
+ * header type value.
+ *
+ * In libpcap, the upper 16 bits, from the top down, are divided into:
+ *
+ * A 4-bit "FCS length" field, to allow the FCS length to
+ * be specified, just as it can be specified in the if_fcslen
+ * field of the pcapng IDB. The field is in units of 16 bits,
+ * i.e. 1 means 16 bits of FCS, 2 means 32 bits of FCS, etc..
+ *
+ * A reserved bit, which must be zero.
+ *
+ * An "FCS length present" flag; if 0, the "FCS length" field
+ * should be ignored, and if 1, the "FCS length" field should
+ * be used.
+ *
+ * 10 reserved bits, which must be zero. They were originally
+ * intended to be used as a "class" field, allowing additional
+ * classes of link-layer types to be defined, with a class value
+ * of 0 indicating that the link-layer type is a LINKTYPE_ value.
+ * A value of 0x224 was, at one point, used by NetBSD to define
+ * "raw" packet types, with the lower 16 bits containing a
+ * NetBSD AF_ value; see
+ *
+ * https://marc.info/?l=tcpdump-workers&m=98296750229149&w=2
+ *
+ * It's unknown whether those were ever used in capture files,
+ * or if the intent was just to use it as a link-layer type
+ * for BPF programs; NetBSD's libpcap used to support them in
+ * the BPF code generator, but it no longer does so. If it
+ * was ever used in capture files, or if classes other than
+ * "LINKTYPE_ value" are ever useful in capture files, we could
+ * re-enable this, and use the reserved 16 bits following the
+ * link-layer type in pcapng files to hold the class information
+ * there. (Note, BTW, that LINKTYPE_RAW/DLT_RAW is now being
+ * interpreted by libpcap, tcpdump, and Wireshark as "raw IP",
+ * including both IPv4 and IPv6, with the version number in the
+ * header being checked to see which it is, not just "raw IPv4";
+ * there are LINKTYPE_IPV4/DLT_IPV4 and LINKTYPE_IPV6/DLT_IPV6
+ * values if "these are IPv{4,6} and only IPv{4,6} packets"
+ * types are needed.)
+ *
+ * Or we might be able to use it for other purposes.
+ */
+#define LT_LINKTYPE(x) ((x) & 0x0000FFFF)
+#define LT_RESERVED1(x) ((x) & 0x03FF0000)
+#define LT_FCS_LENGTH_PRESENT(x) ((x) & 0x04000000)
+#define LT_FCS_LENGTH(x) (((x) & 0xF0000000) >> 28)
+#define LT_FCS_DATALINK_EXT(x) (((x) & 0xF) << 28) | 0x04000000)
+
+/*
+ * Private file type/subtype values; pcap and nanosecond-resolution
+ * pcap are imported from wiretap/file_access.c.
+ */
+static int pcap_aix_file_type_subtype = -1;
+static int pcap_ss990417_file_type_subtype = -1;
+static int pcap_ss990915_file_type_subtype = -1;
+static int pcap_ss991029_file_type_subtype = -1;
+static int pcap_nokia_file_type_subtype = -1;
+
+/*
+ * pcap variants that use the standard magic number.
+ */
+static const pcap_variant_t variants_standard[] = {
+ PCAP,
+ PCAP_SS990417,
+ PCAP_NOKIA
+};
+#define N_VARIANTS_STANDARD G_N_ELEMENTS(variants_standard)
+
+/*
+ * pcap variants that use the modified magic number.
+ */
+static const pcap_variant_t variants_modified[] = {
+ PCAP_SS991029,
+ PCAP_SS990915
+};
+#define N_VARIANTS_MODIFIED G_N_ELEMENTS(variants_modified)
+
+wtap_open_return_val libpcap_open(wtap *wth, int *err, gchar **err_info)
+{
+ guint32 magic;
+ struct pcap_hdr hdr;
+ gboolean byte_swapped;
+ pcap_variant_t variant;
+ libpcap_t *libpcap;
+ int skip_size = 0;
+ int sizebytes;
+
+ /* Read in the number that should be at the start of a "libpcap" file */
+ if (!wtap_read_bytes(wth->fh, &magic, sizeof magic, err, err_info)) {
+ if (*err != WTAP_ERR_SHORT_READ)
+ return WTAP_OPEN_ERROR;
+ return WTAP_OPEN_NOT_MINE;
+ }
+
+ switch (magic) {
+
+ case PCAP_MAGIC:
+ /* Host that wrote it has our byte order, and was running
+ a program using either standard or ss990417 libpcap,
+ or maybe it was written by AIX. That means we don't
+ yet know the variant. */
+ byte_swapped = FALSE;
+ variant = PCAP_UNKNOWN;
+ break;
+
+ case PCAP_SWAPPED_MAGIC:
+ /* Host that wrote it has a byte order opposite to ours,
+ and was running a program using either standard or
+ ss990417 libpcap, or maybe it was written by AIX.
+ That means we don't yet know the variant. */
+ byte_swapped = TRUE;
+ variant = PCAP_UNKNOWN;
+ break;
+
+ case PCAP_IXIAHW_MAGIC:
+ case PCAP_IXIASW_MAGIC:
+ /* Weird Ixia variant that has extra crud, written in our
+ byte order. It's otherwise like standard pcap. */
+ skip_size = 1;
+ byte_swapped = FALSE;
+ variant = PCAP;
+ break;
+
+ case PCAP_SWAPPED_IXIAHW_MAGIC:
+ case PCAP_SWAPPED_IXIASW_MAGIC:
+ /* Weird Ixia variant that has extra crud, written in a
+ byte order opposite to ours. It's otherwise like
+ standard pcap. */
+ skip_size = 1;
+ byte_swapped = TRUE;
+ variant = PCAP;
+ break;
+
+ case PCAP_MODIFIED_MAGIC:
+ /* Host that wrote it has our byte order, and was running
+ a program using either ss990915 or ss991029 libpcap.
+ That means we don't yet know the variant; there's
+ no obvious default, so default to "unknown". */
+ byte_swapped = FALSE;
+ variant = PCAP_UNKNOWN;
+ break;
+
+ case PCAP_SWAPPED_MODIFIED_MAGIC:
+ /* Host that wrote it out has a byte order opposite to
+ ours, and was running a program using either ss990915
+ or ss991029 libpcap. That means we don't yet know
+ the variant; there's no obvious default, so default
+ to "unknown". */
+ byte_swapped = TRUE;
+ variant = PCAP_UNKNOWN;
+ break;
+
+ case PCAP_NSEC_MAGIC:
+ /* Host that wrote it has our byte order, and was writing
+ the file in a format similar to standard libpcap
+ except that the time stamps have nanosecond resolution. */
+ byte_swapped = FALSE;
+ variant = PCAP_NSEC;
+ break;
+
+ case PCAP_SWAPPED_NSEC_MAGIC:
+ /* Host that wrote it out has a byte order opposite to
+ ours, and was writing the file in a format similar to
+ standard libpcap except that the time stamps have
+ nanosecond resolution. */
+ byte_swapped = TRUE;
+ variant = PCAP_NSEC;
+ break;
+
+ default:
+ /* Not a "libpcap" type we know about. */
+ return WTAP_OPEN_NOT_MINE;
+ }
+
+ /* Read the rest of the header. */
+ if (!wtap_read_bytes(wth->fh, &hdr, sizeof hdr, err, err_info))
+ return WTAP_OPEN_ERROR;
+ if (skip_size==1 && !wtap_read_bytes(wth->fh, &sizebytes, sizeof sizebytes, err, err_info))
+ return WTAP_OPEN_ERROR;
+
+ if (byte_swapped) {
+ /* Byte-swap the header fields about which we care. */
+ magic = GUINT32_SWAP_LE_BE(magic);
+ hdr.version_major = GUINT16_SWAP_LE_BE(hdr.version_major);
+ hdr.version_minor = GUINT16_SWAP_LE_BE(hdr.version_minor);
+ hdr.snaplen = GUINT32_SWAP_LE_BE(hdr.snaplen);
+ hdr.network = GUINT32_SWAP_LE_BE(hdr.network);
+ }
+ if (hdr.version_major < 2) {
+ /* We only support version 2.0 and later. */
+ *err = WTAP_ERR_UNSUPPORTED;
+ *err_info = ws_strdup_printf("pcap: major version %u unsupported",
+ hdr.version_major);
+ return WTAP_OPEN_ERROR;
+ }
+
+ /* This is a libpcap file */
+ wth->subtype_read = libpcap_read;
+ wth->subtype_seek_read = libpcap_seek_read;
+ wth->subtype_close = libpcap_close;
+ wth->snapshot_length = hdr.snaplen;
+ libpcap = g_new0(libpcap_t, 1);
+ wth->priv = (void *)libpcap;
+ /*
+ * Fill in the information we already know or can determine
+ * at this point, so the private data is usable by the code
+ * that tries reading packets as a heuristic to guess the
+ * variant.
+ */
+ libpcap->byte_swapped = byte_swapped;
+ /* In file format version 2.3, the order of the "incl_len" and
+ "orig_len" fields in the per-packet header was reversed,
+ in order to match the BPF header layout.
+
+ Therefore, in files with versions prior to that, we must swap
+ those two fields.
+
+ Unfortunately, some files were, according to a comment in the
+ "libpcap" source, written with version 2.3 in their headers
+ but without the interchanged fields, so if "incl_len" is
+ greater than "orig_len" - which would make no sense - we
+ assume that we need to swap them in version 2.3 files
+ as well.
+
+ In addition, DG/UX's tcpdump uses version 543.0, and writes
+ the two fields in the pre-2.3 order. */
+ switch (hdr.version_major) {
+
+ case 2:
+ if (hdr.version_minor < 3)
+ libpcap->lengths_swapped = SWAPPED;
+ else if (hdr.version_minor == 3)
+ libpcap->lengths_swapped = MAYBE_SWAPPED;
+ else
+ libpcap->lengths_swapped = NOT_SWAPPED;
+ break;
+
+ case 543:
+ libpcap->lengths_swapped = SWAPPED;
+ break;
+
+ default:
+ libpcap->lengths_swapped = NOT_SWAPPED;
+ break;
+ }
+ libpcap->version_major = hdr.version_major;
+ libpcap->version_minor = hdr.version_minor;
+ /*
+ * Check whether this is an AIX pcap before we convert the
+ * link-layer type in the header file to an encapsulation,
+ * because AIX pcaps use RFC 1573 ifType values in the header.
+ *
+ * AIX pcap files use the standard magic number, and have a
+ * major and minor version of 2.
+ *
+ * Unfortunately, that's also true of older versions of libpcap,
+ * so we need to do some heuristics to try to identify AIX pcap
+ * files.
+ */
+ if (magic == PCAP_MAGIC && hdr.version_major == 2 &&
+ hdr.version_minor == 2) {
+ /*
+ * The AIX libpcap uses RFC 1573 ifType values rather
+ * than LINKTYPE_/DLT_ values in the header; the ifType
+ * values for LAN devices are:
+ *
+ * Ethernet 6
+ * Token Ring 9
+ * FDDI 15
+ *
+ * which correspond to LINKTYPE_IEEE802_5/DLT_IEEE802 (used
+ * for Token Ring), LINKTYPE_PPP/DLT_PPP, and
+ * LINKTYPE_SLIP_BSDOS/DLT_SLIP_BSDOS, respectively, and
+ * the ifType value for a loopback interface is 24, which
+ * currently isn't used by any version of libpcap I know
+ * about (and, as tcpdump.org are assigning LINKTYPE_/DLT_
+ * values above 100, and NetBSD started assigning values
+ * starting at 50, and the values chosen by other libpcaps
+ * appear to stop at 19, it's probably not going to be used
+ * by any libpcap in the future).
+ *
+ * So we shall assume that if the network type is 6, 9, 15,
+ * or 24 it's AIX libpcap.
+ *
+ * We also assume those older versions of libpcap didn't use
+ * LINKTYPE_IEEE802_5/DLT_IEEE802 for Token Ring, and didn't
+ * use LINKTYPE_SLIP_BSDOS/DLT_SLIP_BSDOS as that came later.
+ * It may have used LINKTYPE_PPP/DLT_PPP, however, in which
+ * case we're out of luck; we assume it's Token Ring in AIX
+ * libpcap rather than PPP in standard libpcap, as you're
+ * probably more likely to be handing an AIX libpcap token-
+ *ring capture than an old (pre-libpcap 0.4) PPP capture to
+ * Wireshark.
+ *
+ * AIX pcap files didn't use the upper 16 bits, so we don't
+ * need to ignore them here - they'll be 0.
+ */
+ switch (hdr.network) {
+
+ case 6:
+ hdr.network = 1; /* LINKTYPE_EN10MB, Ethernet */
+ variant = PCAP_AIX;
+ break;
+
+ case 9:
+ hdr.network = 6; /* LINKTYPE_IEEE802_5, Token Ring */
+ variant = PCAP_AIX;
+ break;
+
+ case 15:
+ hdr.network = 10; /* LINKTYPE_FDDI, FDDI */
+ variant = PCAP_AIX;
+ break;
+
+ case 24:
+ hdr.network = 0; /* LINKTYPE_NULL, loopback */
+ variant = PCAP_AIX;
+ break;
+ }
+ }
+
+ /*
+ * Check the main reserved field.
+ */
+ if (LT_RESERVED1(hdr.network) != 0) {
+ *err = WTAP_ERR_UNSUPPORTED;
+ *err_info = ws_strdup_printf("pcap: network type reserved field not zero (0x%08x)",
+ LT_RESERVED1(hdr.network));
+ return WTAP_OPEN_ERROR;
+ }
+
+ /*
+ * Map the link-layer type from the "network" field in
+ * the header to a Wiretap encapsulation.
+ */
+ wth->file_encap = wtap_pcap_encap_to_wtap_encap(LT_LINKTYPE(hdr.network));
+ if (wth->file_encap == WTAP_ENCAP_UNKNOWN) {
+ *err = WTAP_ERR_UNSUPPORTED;
+ *err_info = ws_strdup_printf("pcap: network type %u unknown or unsupported",
+ hdr.network);
+ return WTAP_OPEN_ERROR;
+ }
+
+ /*
+ * Extract the FCS information, if present.
+ */
+ libpcap->fcs_len = -1;
+ if (LT_FCS_LENGTH_PRESENT(hdr.network)) {
+ /*
+ * We have an FCS length, in units of 16 bits.
+ * Convert it to bits.
+ */
+ libpcap->fcs_len = LT_FCS_LENGTH(hdr.network) * 16;
+ }
+
+ libpcap->encap_priv = NULL;
+
+ /*
+ * If this file has the standard magic number, it could be
+ * one of a number of variants, including regular pcap, the
+ * AIX variant, the ss990417 variant, and a Nokia variant.
+ * The ss990417 variant is used in, for example, Red Hat 6.1,
+ * so some versions of AIX, RH 6.1, and some Nokia devices
+ * write files that can't be read by any software that expects
+ * standard libpcap packet record headers if the magic number
+ * is the standard magic number (e.g., any program such as
+ * tcpdump that uses libpcap, when using the standard libpcap,
+ * and Wireshark if we don't do the heuristics below).
+ *
+ * If this file has the patched magic number, used by the
+ * ss990915 and ss991029 variants, then it could be either
+ * of those. The ss991029 variant uses the same packet
+ * record header as the ss990417 variant, but the ss990915
+ * variant uses a packet record header with some additional
+ * fields and it is used in, for example, SuSE 6.3, so SuSE
+ * 6.3 writes files that can't be read by any software that
+ * expects ss990417 packet record headers if the magic number
+ * is the modified magic number.
+ *
+ * So, for the standard and modified magic number:
+ *
+ * For the standard magic number, we first do some heuristic
+ * checks of data from the file header to see if it looks like
+ * an AIX libpcap file. If so, we choose PCAP_AIX as the variant,
+ * and we don't have to do any more guessing.
+ *
+ * Otherwise, we determine the variant by, for each variant,
+ * trying to read the first few packets as if that file were
+ * in that variant's format, and seeing whether the packet
+ * record headers make sense.
+ *
+ * But don't do the latter if the input is a pipe; that would mean
+ * the open won't complete until two packets have been written to
+ * the pipe, unless the pipe is closed after one packet has been
+ * written, so a program reading from the file won't see the
+ * first packet until the second packet has been written.
+ */
+ switch (magic) {
+
+ case PCAP_MAGIC:
+ /*
+ * Original libpcap magic.
+ *
+ * If we still don't know the variant, look at the first
+ * few packets to see what type of per-packet header they
+ * have.
+ *
+ * Default to PCAP, as that's probably what this is;
+ * libpcap_try_variants() will just give up if we're
+ * reading from a pipe.
+ */
+ if (variant == PCAP_UNKNOWN) {
+ if (wth->ispipe) {
+ /*
+ * We can't do the heuristics.
+ * Just go with standard libpcap.
+ */
+ libpcap->variant = PCAP;
+ } else {
+ /*
+ * Try the variants that use the standard
+ * pcap magic number.
+ */
+ if (!libpcap_try_variants(wth, variants_standard,
+ N_VARIANTS_STANDARD, err, err_info)) {
+ /*
+ * File read error.
+ */
+ return WTAP_OPEN_ERROR;
+ }
+ }
+ } else {
+ /*
+ * Use the variant we found.
+ */
+ libpcap->variant = variant;
+ }
+ break;
+
+ case PCAP_MODIFIED_MAGIC:
+ /*
+ * Modified libpcap magic, from Alexey's later two
+ * patches.
+ *
+ * This might be one of two different flavors of
+ * pcap file, with different modified per-packet
+ * headers.
+ *
+ * If we're reading from a pipe, we don't have an
+ * obvious choice to use as a default.
+ */
+ if (wth->ispipe) {
+ /*
+ * We can't do the heuristics.
+ * There's no obvious choice to use as a
+ * default, so just report an error.
+ */
+ *err = WTAP_ERR_UNSUPPORTED;
+ *err_info = g_strdup("pcap: that type of pcap file can't be read from a pipe");
+ return WTAP_OPEN_ERROR;
+ } else {
+ /*
+ * Try the variants that use the modified
+ * pcap magic number.
+ */
+ if (!libpcap_try_variants(wth, variants_modified,
+ N_VARIANTS_MODIFIED, err, err_info)) {
+ /*
+ * File read error.
+ */
+ return WTAP_OPEN_ERROR;
+ }
+ }
+ break;
+
+ default:
+ /*
+ * None of these require heuristics to guess the
+ * variant; just use the variant we found.
+ */
+ libpcap->variant = variant;
+ break;
+ }
+
+ /*
+ * Set the file type and subtype, and handle some variants
+ * specially.
+ */
+ switch (libpcap->variant) {
+
+ case PCAP:
+ wth->file_type_subtype = pcap_file_type_subtype;
+ wth->file_tsprec = WTAP_TSPREC_USEC;
+ break;
+
+ case PCAP_NSEC:
+ wth->file_type_subtype = pcap_nsec_file_type_subtype;
+ wth->file_tsprec = WTAP_TSPREC_NSEC;
+ break;
+
+ case PCAP_SS990417:
+ wth->file_type_subtype = pcap_ss990417_file_type_subtype;
+ wth->file_tsprec = WTAP_TSPREC_USEC;
+ break;
+
+ case PCAP_SS990915:
+ wth->file_type_subtype = pcap_ss990915_file_type_subtype;
+ wth->file_tsprec = WTAP_TSPREC_USEC;
+ break;
+
+ case PCAP_SS991029:
+ wth->file_type_subtype = pcap_ss991029_file_type_subtype;
+ wth->file_tsprec = WTAP_TSPREC_USEC;
+ break;
+
+ case PCAP_AIX:
+ wth->file_type_subtype = pcap_aix_file_type_subtype;
+ wth->file_tsprec = WTAP_TSPREC_NSEC;
+ break;
+
+ case PCAP_NOKIA:
+ wth->file_type_subtype = pcap_nokia_file_type_subtype;
+ wth->file_tsprec = WTAP_TSPREC_USEC;
+ /*
+ * We treat a DLT_ value of 13 specially - it appears
+ * that in Nokia libpcap format, it's some form of ATM
+ * with what I suspect is a pseudo-header (even though
+ * Nokia's IPSO is based on FreeBSD, which #defines
+ * DLT_SLIP_BSDOS as 13).
+ *
+ * Treat 13 as WTAP_ENCAP_ATM_PDUS, rather than as what
+ * we normally treat it.
+ */
+ if (hdr.network == 13)
+ wth->file_encap = WTAP_ENCAP_ATM_PDUS;
+ break;
+
+ default:
+ ws_assert_not_reached();
+ }
+
+ if (wth->file_encap == WTAP_ENCAP_ERF) {
+ /* Reset the ERF interface lookup table */
+ libpcap->encap_priv = erf_priv_create();
+ } else {
+ /*
+ * Add an IDB; we don't know how many interfaces were
+ * involved, so we just say one interface, about which
+ * we only know the link-layer type, snapshot length,
+ * and time stamp resolution.
+ */
+ wtap_add_generated_idb(wth);
+ }
+
+ return WTAP_OPEN_MINE;
+}
+
+static gboolean libpcap_try_variants(wtap *wth, const pcap_variant_t *variants,
+ size_t n_variants, int *err, gchar **err_info)
+{
+ libpcap_t *libpcap = (libpcap_t *)wth->priv;
+#define MAX_FIGURES_OF_MERIT \
+ MAX(N_VARIANTS_MODIFIED, N_VARIANTS_STANDARD)
+ int figures_of_merit[MAX_FIGURES_OF_MERIT];
+ int best_variant;
+ gint64 first_packet_offset;
+
+ first_packet_offset = file_tell(wth->fh);
+ for (size_t i = 0; i < n_variants; i++) {
+ libpcap->variant = variants[i];
+ figures_of_merit[i] = libpcap_try(wth, err, err_info);
+ if (figures_of_merit[i] == -1) {
+ /*
+ * Well, we couldn't even read it. Give up.
+ */
+ return FALSE;
+ }
+ if (figures_of_merit[i] == 0) {
+ /*
+ * This format doesn't have any issues.
+ * Put the seek pointer back, and finish,
+ * using that format as the subtype.
+ */
+ if (file_seek(wth->fh, first_packet_offset, SEEK_SET,
+ err) == -1) {
+ return FALSE;
+ }
+ return TRUE;
+ }
+
+ /*
+ * OK, we've recorded the figure of merit for this
+ * one; go back to the first packet and try the
+ * next one.
+ */
+ if (file_seek(wth->fh, first_packet_offset, SEEK_SET,
+ err) == -1) {
+ return FALSE;
+ }
+ }
+
+ /*
+ * OK, none are perfect; let's see which one is least bad.
+ */
+ best_variant = INT_MAX;
+ for (size_t i = 0; i < n_variants; i++) {
+ /*
+ * Is this subtype better than the last one we saw?
+ */
+ if (figures_of_merit[i] < best_variant) {
+ /*
+ * Yes. Choose it until we find a better one.
+ */
+ libpcap->variant = variants[i];
+ best_variant = figures_of_merit[i];
+ }
+ }
+ return TRUE;
+}
+
+/*
+ * Maximum number of records to try to read. Must be >= 2.
+ */
+#define MAX_RECORDS_TO_TRY 3
+
+/* Try to read the first MAX_RECORDS_TO_TRY records of the capture file. */
+static int libpcap_try(wtap *wth, int *err, gchar **err_info)
+{
+ int ret;
+ int i;
+
+ /*
+ * Attempt to read the first record.
+ */
+ ret = libpcap_try_record(wth, err, err_info);
+ if (ret != 0) {
+ /*
+ * Error or mismatch; return the error indication or
+ * the figure of merit (demerit?).
+ */
+ return ret;
+ }
+
+ /*
+ * Now attempt to read the next MAX_RECORDS_TO_TRY-1 records.
+ * Get the maximum figure of (de?)merit, as that represents the
+ * figure of merit for the record that had the most problems.
+ */
+ for (i = 1; i < MAX_RECORDS_TO_TRY; i++) {
+ /*
+ * Attempt to read this record.
+ */
+ ret = libpcap_try_record(wth, err, err_info);
+ if (ret != 0) {
+ /*
+ * Error or mismatch; return the error indication or
+ * the figure of merit (demerit?).
+ */
+ return ret;
+ }
+ }
+
+ /* They all succeeded. */
+ return 0;
+}
+
+/* Read the header of the next packet and, if that succeeds, read the
+ data of the next packet.
+
+ Return -1 on an I/O error, 0 on success, or a positive number if the
+ header looks corrupt. The higher the positive number, the more things
+ are wrong with the header; this is used by the heuristics that try to
+ guess what type of file it is, with the type with the fewest problems
+ being chosen. */
+static int libpcap_try_record(wtap *wth, int *err, gchar **err_info)
+{
+ /*
+ * pcaprec_ss990915_hdr is the largest header type.
+ */
+ struct pcaprec_ss990915_hdr rec_hdr;
+ int ret;
+
+ if (!libpcap_read_header(wth, wth->fh, err, err_info, &rec_hdr)) {
+ if (*err == 0) {
+ /*
+ * EOF - assume the file is in this format.
+ * This means it doesn't have all the
+ * records we're trying to read.
+ */
+ return 0;
+ }
+ if (*err == WTAP_ERR_SHORT_READ) {
+ /*
+ * Short read; this might be a corrupt
+ * file in this format or might not be
+ * in this format. Return a figure of
+ * merit of 1.
+ */
+ return 1;
+ }
+ /* Hard error. */
+ return -1;
+ }
+
+ ret = 0; /* start out presuming everything's OK */
+
+ /*
+ * The only file types for which we have to do variant
+ * determination by looking at packets have microsecond
+ * resolution; treat fractions-of-a-second values >= 1 000 000
+ * as an indication that the header format might not be
+ * what we think it is.
+ */
+ if (rec_hdr.hdr.ts_usec >= 1000000)
+ ret++;
+
+ if (rec_hdr.hdr.incl_len > wtap_max_snaplen_for_encap(wth->file_encap)) {
+ /*
+ * Probably either a corrupt capture file or a file
+ * of a type different from the one we're trying.
+ */
+ ret++;
+ }
+
+ if (rec_hdr.hdr.orig_len > 128*1024*1024) {
+ /*
+ * In theory I guess the on-the-wire packet size can be
+ * arbitrarily large, and it can certainly be larger than the
+ * maximum snapshot length which bounds the snapshot size,
+ * but any file claiming 128MB in a single packet is *probably*
+ * corrupt, and treating them as such makes the heuristics
+ * much more reliable. See, for example,
+ *
+ * https://gitlab.com/wireshark/wireshark/-/issues/9634
+ *
+ * (128MB is an arbitrary size at this point, chosen to be
+ * large enough for the largest D-Bus packet).
+ */
+ ret++;
+ }
+
+ if (rec_hdr.hdr.incl_len > wth->snapshot_length) {
+ /*
+ * This is not a fatal error, and packets that have one
+ * such packet probably have thousands. For discussion,
+ * see
+ * https://www.wireshark.org/lists/wireshark-dev/201307/msg00076.html
+ * and related messages.
+ *
+ * The packet contents will be copied to a Buffer, which
+ * expands as necessary to hold the contents; we don't have
+ * to worry about fixed-length buffers allocated based on
+ * the original snapshot length.
+ *
+ * We just treat this as an indication that we might be
+ * trying the wrong file type here.
+ */
+ ret++;
+ }
+
+ if (rec_hdr.hdr.incl_len > rec_hdr.hdr.orig_len) {
+ /*
+ * Another hint that this might be the wrong file type.
+ */
+ ret++;
+ }
+
+ if (ret != 0) {
+ /*
+ * Might be the wrong file type; stop trying, and give
+ * this as the figure of merit for this file type.
+ */
+ return ret;
+ }
+
+ /*
+ * Now skip over the record's data, under the assumption that
+ * the header is sane.
+ */
+ if (!wtap_read_bytes(wth->fh, NULL, rec_hdr.hdr.incl_len, err,
+ err_info)) {
+ if (*err == WTAP_ERR_SHORT_READ) {
+ /*
+ * Short read - treat that as a suggestion that
+ * the header isn't sane, and return a figure of
+ * merit value of 1.
+ */
+ return 1;
+ }
+ /* Hard error. */
+ return -1;
+ }
+
+ /* Success. */
+ return 0;
+}
+
+/* Read the next packet */
+static gboolean libpcap_read(wtap *wth, wtap_rec *rec, Buffer *buf,
+ int *err, gchar **err_info, gint64 *data_offset)
+{
+ *data_offset = file_tell(wth->fh);
+
+ return libpcap_read_packet(wth, wth->fh, rec, buf, err, err_info);
+}
+
+static gboolean
+libpcap_seek_read(wtap *wth, gint64 seek_off, wtap_rec *rec,
+ Buffer *buf, int *err, gchar **err_info)
+{
+ if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
+ return FALSE;
+
+ if (!libpcap_read_packet(wth, wth->random_fh, rec, buf, err,
+ err_info)) {
+ if (*err == 0)
+ *err = WTAP_ERR_SHORT_READ;
+ return FALSE;
+ }
+ return TRUE;
+}
+
+static gboolean
+libpcap_read_packet(wtap *wth, FILE_T fh, wtap_rec *rec,
+ Buffer *buf, int *err, gchar **err_info)
+{
+ struct pcaprec_ss990915_hdr hdr;
+ guint packet_size;
+ guint orig_size;
+ int phdr_len;
+ libpcap_t *libpcap = (libpcap_t *)wth->priv;
+ gboolean is_nokia;
+
+ if (!libpcap_read_header(wth, fh, err, err_info, &hdr))
+ return FALSE;
+
+ if (hdr.hdr.incl_len > wtap_max_snaplen_for_encap(wth->file_encap)) {
+ /*
+ * Probably a corrupt capture file; return an error,
+ * so that our caller doesn't blow up trying to allocate
+ * space for an immensely-large packet.
+ */
+ *err = WTAP_ERR_BAD_FILE;
+ if (err_info != NULL) {
+ *err_info = ws_strdup_printf("pcap: File has %u-byte packet, bigger than maximum of %u",
+ hdr.hdr.incl_len,
+ wtap_max_snaplen_for_encap(wth->file_encap));
+ }
+ return FALSE;
+ }
+
+ packet_size = hdr.hdr.incl_len;
+ orig_size = hdr.hdr.orig_len;
+
+ /*
+ * AIX appears to put 3 bytes of padding in front of FDDI
+ * frames; strip that crap off.
+ */
+ if (libpcap->variant == PCAP_AIX &&
+ (wth->file_encap == WTAP_ENCAP_FDDI ||
+ wth->file_encap == WTAP_ENCAP_FDDI_BITSWAPPED)) {
+ /*
+ * The packet size is really a record size and includes
+ * the padding.
+ */
+ packet_size -= 3;
+ orig_size -= 3;
+
+ /*
+ * Skip the padding.
+ */
+ if (!wtap_read_bytes(fh, NULL, 3, err, err_info))
+ return FALSE;
+ }
+
+ is_nokia = (libpcap->variant == PCAP_NOKIA);
+ phdr_len = pcap_process_pseudo_header(fh, is_nokia,
+ wth->file_encap, packet_size, rec, err, err_info);
+ if (phdr_len < 0)
+ return FALSE; /* error */
+
+ /*
+ * Don't count any pseudo-header as part of the packet.
+ */
+ orig_size -= phdr_len;
+ packet_size -= phdr_len;
+
+ rec->rec_type = REC_TYPE_PACKET;
+ rec->block = wtap_block_create(WTAP_BLOCK_PACKET);
+ rec->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
+
+ /* Update the timestamp, if not already done */
+ if (wth->file_encap != WTAP_ENCAP_ERF) {
+ rec->ts.secs = hdr.hdr.ts_sec;
+ if (libpcap->variant == PCAP_NSEC ||
+ libpcap->variant == PCAP_AIX)
+ rec->ts.nsecs = hdr.hdr.ts_usec;
+ else
+ rec->ts.nsecs = hdr.hdr.ts_usec * 1000;
+ } else {
+ int interface_id;
+ /* Set interface ID for ERF format */
+ rec->presence_flags |= WTAP_HAS_INTERFACE_ID;
+ if ((interface_id = erf_populate_interface_from_header((erf_t*) libpcap->encap_priv, wth, &rec->rec_header.packet_header.pseudo_header, err, err_info)) < 0)
+ return FALSE;
+
+ rec->rec_header.packet_header.interface_id = (guint) interface_id;
+ }
+ rec->rec_header.packet_header.caplen = packet_size;
+ rec->rec_header.packet_header.len = orig_size;
+
+ /*
+ * Read the packet data.
+ */
+ if (!wtap_read_packet_bytes(fh, buf, packet_size, err, err_info))
+ return FALSE; /* failed */
+
+ pcap_read_post_process(is_nokia, wth->file_encap, rec,
+ ws_buffer_start_ptr(buf), libpcap->byte_swapped, libpcap->fcs_len);
+ return TRUE;
+}
+
+/* Read the header of the next packet.
+
+ Return FALSE on an error, TRUE on success. */
+static int libpcap_read_header(wtap *wth, FILE_T fh, int *err, gchar **err_info,
+ struct pcaprec_ss990915_hdr *hdr)
+{
+ int bytes_to_read;
+ guint32 temp;
+ libpcap_t *libpcap = (libpcap_t *)wth->priv;
+
+ switch (libpcap->variant) {
+
+ case PCAP:
+ case PCAP_AIX:
+ case PCAP_NSEC:
+ bytes_to_read = sizeof (struct pcaprec_hdr);
+ break;
+
+ case PCAP_SS990417:
+ case PCAP_SS991029:
+ bytes_to_read = sizeof (struct pcaprec_modified_hdr);
+ break;
+
+ case PCAP_SS990915:
+ bytes_to_read = sizeof (struct pcaprec_ss990915_hdr);
+ break;
+
+ case PCAP_NOKIA:
+ bytes_to_read = sizeof (struct pcaprec_nokia_hdr);
+ break;
+
+ default:
+ bytes_to_read = 0;
+ ws_assert_not_reached();
+ }
+ if (!wtap_read_bytes_or_eof(fh, hdr, bytes_to_read, err, err_info))
+ return FALSE;
+
+ if (libpcap->byte_swapped) {
+ /* Byte-swap the record header fields. */
+ hdr->hdr.ts_sec = GUINT32_SWAP_LE_BE(hdr->hdr.ts_sec);
+ hdr->hdr.ts_usec = GUINT32_SWAP_LE_BE(hdr->hdr.ts_usec);
+ hdr->hdr.incl_len = GUINT32_SWAP_LE_BE(hdr->hdr.incl_len);
+ hdr->hdr.orig_len = GUINT32_SWAP_LE_BE(hdr->hdr.orig_len);
+ }
+
+ /* Swap the "incl_len" and "orig_len" fields, if necessary. */
+ switch (libpcap->lengths_swapped) {
+
+ case NOT_SWAPPED:
+ break;
+
+ case MAYBE_SWAPPED:
+ if (hdr->hdr.incl_len <= hdr->hdr.orig_len) {
+ /*
+ * The captured length is <= the actual length,
+ * so presumably they weren't swapped.
+ */
+ break;
+ }
+ /* FALLTHROUGH */
+
+ case SWAPPED:
+ temp = hdr->hdr.orig_len;
+ hdr->hdr.orig_len = hdr->hdr.incl_len;
+ hdr->hdr.incl_len = temp;
+ break;
+ }
+
+ return TRUE;
+}
+
+/* Returns 0 if we could write the specified encapsulation type,
+ an error indication otherwise. */
+static int libpcap_dump_can_write_encap(int encap)
+{
+ /* Per-packet encapsulations aren't supported. */
+ if (encap == WTAP_ENCAP_PER_PACKET)
+ return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
+
+ if (wtap_wtap_encap_to_pcap_encap(encap) == -1)
+ return WTAP_ERR_UNWRITABLE_ENCAP;
+
+ return 0;
+}
+
+static gboolean libpcap_dump_write_file_header(wtap_dumper *wdh, guint32 magic,
+ int *err)
+{
+ struct pcap_hdr file_hdr;
+
+ if (!wtap_dump_file_write(wdh, &magic, sizeof magic, err))
+ return FALSE;
+
+ /* current "libpcap" format is 2.4 */
+ file_hdr.version_major = 2;
+ file_hdr.version_minor = 4;
+ file_hdr.thiszone = 0; /* XXX - current offset? */
+ file_hdr.sigfigs = 0; /* unknown, but also apparently unused */
+ /*
+ * Tcpdump cannot handle capture files with a snapshot length of 0,
+ * as BPF filters return either 0 if they fail or the snapshot length
+ * if they succeed, and a snapshot length of 0 means success is
+ * indistinguishable from failure and the filter expression would
+ * reject all packets.
+ *
+ * A snapshot length of 0, inside Wiretap, means "snapshot length
+ * unknown"; if the snapshot length supplied to us is 0, we make
+ * the snapshot length in the header file the maximum for the
+ * link-layer type we'll be writing.
+ */
+ file_hdr.snaplen = (wdh->snaplen != 0) ? (guint)wdh->snaplen :
+ wtap_max_snaplen_for_encap(wdh->file_encap);
+ file_hdr.network = wtap_wtap_encap_to_pcap_encap(wdh->file_encap);
+ if (!wtap_dump_file_write(wdh, &file_hdr, sizeof file_hdr, err))
+ return FALSE;
+
+ return TRUE;
+}
+
+/* Good old fashioned pcap.
+ Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
+ failure */
+static gboolean
+libpcap_dump_open_pcap(wtap_dumper *wdh, int *err, gchar **err_info _U_)
+{
+ /* This is a libpcap file */
+ wdh->subtype_write = libpcap_dump_pcap;
+
+ /* Write the file header. */
+ return libpcap_dump_write_file_header(wdh, PCAP_MAGIC, err);
+}
+
+/* Like classic pcap, but with nanosecond resolution.
+ Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
+ failure */
+static gboolean
+libpcap_dump_open_pcap_nsec(wtap_dumper *wdh, int *err, gchar **err_info _U_)
+{
+ /* This is a nanosecond-resolution libpcap file */
+ wdh->subtype_write = libpcap_dump_pcap_nsec;
+
+ /* Write the file header. */
+ return libpcap_dump_write_file_header(wdh, PCAP_NSEC_MAGIC, err);
+}
+
+/* Modified, but with the old magic, sigh.
+ Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
+ failure */
+static gboolean
+libpcap_dump_open_pcap_ss990417(wtap_dumper *wdh, int *err,
+ gchar **err_info _U_)
+{
+ /* This is a modified-by-patch-SS990417 libpcap file */
+ wdh->subtype_write = libpcap_dump_pcap_ss990417;
+
+ /* Write the file header. */
+ return libpcap_dump_write_file_header(wdh, PCAP_MAGIC, err);
+}
+
+/* New magic, extra crap.
+ Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
+ failure */
+static gboolean
+libpcap_dump_open_pcap_ss990915(wtap_dumper *wdh, int *err,
+ gchar **err_info _U_)
+{
+ /* This is a modified-by-patch-SS990915 libpcap file */
+ wdh->subtype_write = libpcap_dump_pcap_ss990915;
+
+ /* Write the file header. */
+ return libpcap_dump_write_file_header(wdh, PCAP_MODIFIED_MAGIC, err);
+}
+
+/* Same magic as SS990915, *different* extra crap, sigh.
+ Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
+ failure */
+static gboolean
+libpcap_dump_open_pcap_ss991029(wtap_dumper *wdh, int *err,
+ gchar **err_info _U_)
+{
+ /* This is a modified-by-patch-SS991029 libpcap file */
+ wdh->subtype_write = libpcap_dump_pcap_ss991029;
+
+ /* Write the file header. */
+ return libpcap_dump_write_file_header(wdh, PCAP_MODIFIED_MAGIC, err);
+}
+
+static void libpcap_close(wtap *wth)
+{
+ libpcap_t *libpcap = (libpcap_t *)wth->priv;
+
+ if (libpcap->encap_priv) {
+ switch (wth->file_encap) {
+
+ case WTAP_ENCAP_ERF:
+ erf_priv_free((erf_t*) libpcap->encap_priv);
+ break;
+
+ default:
+ g_free(libpcap->encap_priv);
+ break;
+ }
+ }
+}
+
+/* Nokia libpcap of some sort.
+ Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
+ failure */
+static gboolean
+libpcap_dump_open_pcap_nokia(wtap_dumper *wdh, int *err, gchar **err_info _U_)
+{
+ /* This is a Nokia libpcap file */
+ wdh->subtype_write = libpcap_dump_pcap_nokia;
+
+ /* Write the file header. */
+ return libpcap_dump_write_file_header(wdh, PCAP_MAGIC, err);
+}
+
+static gboolean
+libpcap_dump_write_packet(wtap_dumper *wdh, const wtap_rec *rec,
+ struct pcaprec_hdr *hdr, size_t hdr_size, const guint8 *pd, int *err)
+{
+ const union wtap_pseudo_header *pseudo_header = &rec->rec_header.packet_header.pseudo_header;
+ int phdrsize;
+
+ phdrsize = pcap_get_phdr_size(wdh->file_encap, pseudo_header);
+
+ /* We can only write packet records. */
+ if (rec->rec_type != REC_TYPE_PACKET) {
+ *err = WTAP_ERR_UNWRITABLE_REC_TYPE;
+ return FALSE;
+ }
+
+ /*
+ * Make sure this packet doesn't have a link-layer type that
+ * differs from the one for the file.
+ */
+ if (wdh->file_encap != rec->rec_header.packet_header.pkt_encap) {
+ *err = WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
+ return FALSE;
+ }
+
+ /*
+ * Don't write anything we're not willing to read.
+ * (The cast is to prevent an overflow.)
+ */
+ if ((guint64)rec->rec_header.packet_header.caplen + phdrsize > wtap_max_snaplen_for_encap(wdh->file_encap)) {
+ *err = WTAP_ERR_PACKET_TOO_LARGE;
+ return FALSE;
+ }
+
+ hdr->incl_len = rec->rec_header.packet_header.caplen + phdrsize;
+ hdr->orig_len = rec->rec_header.packet_header.len + phdrsize;
+
+ if (!wtap_dump_file_write(wdh, hdr, hdr_size, err))
+ return FALSE;
+
+ if (!pcap_write_phdr(wdh, wdh->file_encap, pseudo_header, err))
+ return FALSE;
+
+ if (!wtap_dump_file_write(wdh, pd, rec->rec_header.packet_header.caplen, err))
+ return FALSE;
+ return TRUE;
+}
+
+/* Good old fashioned pcap.
+ Write a record for a packet to a dump file.
+ Returns TRUE on success, FALSE on failure. */
+static gboolean
+libpcap_dump_pcap(wtap_dumper *wdh, const wtap_rec *rec, const guint8 *pd,
+ int *err, gchar **err_info _U_)
+{
+ struct pcaprec_hdr rec_hdr;
+
+ /*
+ * Some code that reads libpcap files may handle time
+ * stamps as unsigned, but most of it probably handles
+ * them as signed.
+ */
+ if (rec->ts.secs < 0 || rec->ts.secs > G_MAXINT32) {
+ *err = WTAP_ERR_TIME_STAMP_NOT_SUPPORTED;
+ return FALSE;
+ }
+ rec_hdr.ts_sec = (guint32) rec->ts.secs;
+ rec_hdr.ts_usec = rec->ts.nsecs / 1000;
+ return libpcap_dump_write_packet(wdh, rec, &rec_hdr, sizeof rec_hdr,
+ pd, err);
+}
+
+/* Like classic pcap, but with nanosecond resolution.
+ Write a record for a packet to a dump file.
+ Returns TRUE on success, FALSE on failure. */
+static gboolean
+libpcap_dump_pcap_nsec(wtap_dumper *wdh, const wtap_rec *rec, const guint8 *pd,
+ int *err, gchar **err_info _U_)
+{
+ struct pcaprec_hdr rec_hdr;
+
+ /*
+ * Some code that reads libpcap files may handle time
+ * stamps as unsigned, but most of it probably handles
+ * them as signed.
+ */
+ if (rec->ts.secs < 0 || rec->ts.secs > G_MAXINT32) {
+ *err = WTAP_ERR_TIME_STAMP_NOT_SUPPORTED;
+ return FALSE;
+ }
+ rec_hdr.ts_sec = (guint32) rec->ts.secs;
+ rec_hdr.ts_usec = rec->ts.nsecs;
+ return libpcap_dump_write_packet(wdh, rec, &rec_hdr, sizeof rec_hdr,
+ pd, err);
+}
+
+/* Modified, but with the old magic, sigh.
+ Write a record for a packet to a dump file.
+ Returns TRUE on success, FALSE on failure. */
+static gboolean
+libpcap_dump_pcap_ss990417(wtap_dumper *wdh, const wtap_rec *rec,
+ const guint8 *pd, int *err, gchar **err_info _U_)
+{
+ struct pcaprec_modified_hdr rec_hdr;
+
+ /*
+ * Some code that reads libpcap files may handle time
+ * stamps as unsigned, but most of it probably handles
+ * them as signed.
+ */
+ if (rec->ts.secs < 0 || rec->ts.secs > G_MAXINT32) {
+ *err = WTAP_ERR_TIME_STAMP_NOT_SUPPORTED;
+ return FALSE;
+ }
+ rec_hdr.hdr.ts_sec = (guint32) rec->ts.secs;
+ rec_hdr.hdr.ts_usec = rec->ts.nsecs / 1000;
+ /* XXX - what should we supply here?
+
+ Alexey's "libpcap" looks up the interface in the system's
+ interface list if "ifindex" is non-zero, and prints
+ the interface name. It ignores "protocol", and uses
+ "pkt_type" to tag the packet as "host", "broadcast",
+ "multicast", "other host", "outgoing", or "none of the
+ above", but that's it.
+
+ If the capture we're writing isn't a modified or
+ RH 6.1 capture, we'd have to do some work to
+ generate the packet type and interface index - and
+ we can't generate the interface index unless we
+ just did the capture ourselves in any case.
+
+ I'm inclined to continue to punt; systems other than
+ those with the older patch can read standard "libpcap"
+ files, and systems with the older patch, e.g. RH 6.1,
+ will just have to live with this. */
+ rec_hdr.ifindex = 0;
+ rec_hdr.protocol = 0;
+ rec_hdr.pkt_type = 0;
+ return libpcap_dump_write_packet(wdh, rec, &rec_hdr.hdr, sizeof rec_hdr,
+ pd, err);
+}
+
+/* New magic, extra crap.
+ Write a record for a packet to a dump file.
+ Returns TRUE on success, FALSE on failure. */
+static gboolean
+libpcap_dump_pcap_ss990915(wtap_dumper *wdh, const wtap_rec *rec,
+ const guint8 *pd, int *err, gchar **err_info _U_)
+{
+ struct pcaprec_ss990915_hdr rec_hdr;
+
+ /*
+ * Some code that reads libpcap files may handle time
+ * stamps as unsigned, but most of it probably handles
+ * them as signed.
+ */
+ if (rec->ts.secs < 0 || rec->ts.secs > G_MAXINT32) {
+ *err = WTAP_ERR_TIME_STAMP_NOT_SUPPORTED;
+ return FALSE;
+ }
+ rec_hdr.hdr.ts_sec = (guint32) rec->ts.secs;
+ rec_hdr.hdr.ts_usec = rec->ts.nsecs / 1000;
+ rec_hdr.ifindex = 0;
+ rec_hdr.protocol = 0;
+ rec_hdr.pkt_type = 0;
+ rec_hdr.cpu1 = 0;
+ rec_hdr.cpu2 = 0;
+ return libpcap_dump_write_packet(wdh, rec, &rec_hdr.hdr, sizeof rec_hdr,
+ pd, err);
+}
+
+/* Same magic as SS990915, *different* extra crap, sigh.
+ Write a record for a packet to a dump file.
+ Returns TRUE on success, FALSE on failure. */
+static gboolean
+libpcap_dump_pcap_ss991029(wtap_dumper *wdh, const wtap_rec *rec,
+ const guint8 *pd, int *err, gchar **err_info _U_)
+{
+ struct pcaprec_modified_hdr rec_hdr;
+
+ /*
+ * Some code that reads libpcap files may handle time
+ * stamps as unsigned, but most of it probably handles
+ * them as signed.
+ */
+ if (rec->ts.secs < 0 || rec->ts.secs > G_MAXINT32) {
+ *err = WTAP_ERR_TIME_STAMP_NOT_SUPPORTED;
+ return FALSE;
+ }
+ rec_hdr.hdr.ts_sec = (guint32) rec->ts.secs;
+ rec_hdr.hdr.ts_usec = rec->ts.nsecs / 1000;
+ /* XXX - what should we supply here?
+
+ Alexey's "libpcap" looks up the interface in the system's
+ interface list if "ifindex" is non-zero, and prints
+ the interface name. It ignores "protocol", and uses
+ "pkt_type" to tag the packet as "host", "broadcast",
+ "multicast", "other host", "outgoing", or "none of the
+ above", but that's it.
+
+ If the capture we're writing isn't a modified or
+ RH 6.1 capture, we'd have to do some work to
+ generate the packet type and interface index - and
+ we can't generate the interface index unless we
+ just did the capture ourselves in any case.
+
+ I'm inclined to continue to punt; systems other than
+ those with the older patch can read standard "libpcap"
+ files, and systems with the older patch, e.g. RH 6.1,
+ will just have to live with this. */
+ rec_hdr.ifindex = 0;
+ rec_hdr.protocol = 0;
+ rec_hdr.pkt_type = 0;
+ return libpcap_dump_write_packet(wdh, rec, &rec_hdr.hdr, sizeof rec_hdr,
+ pd, err);
+}
+
+/* Nokia libpcap of some sort.
+ Write a record for a packet to a dump file.
+ Returns TRUE on success, FALSE on failure. */
+static gboolean
+libpcap_dump_pcap_nokia(wtap_dumper *wdh, const wtap_rec *rec,
+ const guint8 *pd, int *err, gchar **err_info _U_)
+{
+ struct pcaprec_nokia_hdr rec_hdr;
+ const union wtap_pseudo_header *pseudo_header = &rec->rec_header.packet_header.pseudo_header;
+
+ /*
+ * Some code that reads libpcap files may handle time
+ * stamps as unsigned, but most of it probably handles
+ * them as signed.
+ */
+ if (rec->ts.secs < 0 || rec->ts.secs > G_MAXINT32) {
+ *err = WTAP_ERR_TIME_STAMP_NOT_SUPPORTED;
+ return FALSE;
+ }
+ rec_hdr.hdr.ts_sec = (guint32) rec->ts.secs;
+ rec_hdr.hdr.ts_usec = rec->ts.nsecs / 1000;
+ /* restore the "mysterious stuff" that came with the packet */
+ memcpy(rec_hdr.stuff, pseudo_header->nokia.stuff, 4);
+ return libpcap_dump_write_packet(wdh, rec, &rec_hdr.hdr, sizeof rec_hdr,
+ pd, err);
+}
+
+static const struct supported_block_type pcap_blocks_supported[] = {
+ /*
+ * We support packet blocks, with no comments or other options.
+ */
+ { WTAP_BLOCK_PACKET, MULTIPLE_BLOCKS_SUPPORTED, NO_OPTIONS_SUPPORTED }
+};
+
+static const struct file_type_subtype_info pcap_info = {
+ /* Gianluca Varenni suggests that we add "deprecated" to the description. */
+ "Wireshark/tcpdump/... - pcap", "pcap", "pcap", "cap;dmp",
+ FALSE, BLOCKS_SUPPORTED(pcap_blocks_supported),
+ libpcap_dump_can_write_encap, libpcap_dump_open_pcap, NULL
+};
+
+static const struct file_type_subtype_info pcap_nsec_info = {
+ "Wireshark/tcpdump/... - nanosecond pcap", "nsecpcap", "pcap", "cap;dmp",
+ FALSE, BLOCKS_SUPPORTED(pcap_blocks_supported),
+ libpcap_dump_can_write_encap, libpcap_dump_open_pcap_nsec, NULL
+};
+
+static const struct file_type_subtype_info pcap_aix_info = {
+ "AIX tcpdump - pcap", "aixpcap", "pcap", "cap;dmp",
+ FALSE, BLOCKS_SUPPORTED(pcap_blocks_supported),
+ NULL, NULL, NULL
+};
+
+static const struct file_type_subtype_info pcap_ss990417_info = {
+ "RedHat 6.1 tcpdump - pcap", "rh6_1pcap", "pcap", "cap;dmp",
+ FALSE, BLOCKS_SUPPORTED(pcap_blocks_supported),
+ libpcap_dump_can_write_encap, libpcap_dump_open_pcap_ss990417, NULL
+};
+
+static const struct file_type_subtype_info pcap_ss990915_info = {
+ "SuSE 6.3 tcpdump - pcap", "suse6_3pcap", "pcap", "cap;dmp",
+ FALSE, BLOCKS_SUPPORTED(pcap_blocks_supported),
+ libpcap_dump_can_write_encap, libpcap_dump_open_pcap_ss990915, NULL
+};
+
+static const struct file_type_subtype_info pcap_ss991029_info = {
+ "Modified tcpdump - pcap", "modpcap", "pcap", "cap;dmp",
+ FALSE, BLOCKS_SUPPORTED(pcap_blocks_supported),
+ libpcap_dump_can_write_encap, libpcap_dump_open_pcap_ss991029, NULL
+};
+
+static const struct file_type_subtype_info pcap_nokia_info = {
+ "Nokia tcpdump - pcap", "nokiapcap", "pcap", "cap;dmp",
+ FALSE, BLOCKS_SUPPORTED(pcap_blocks_supported),
+ libpcap_dump_can_write_encap, libpcap_dump_open_pcap_nokia, NULL
+};
+
+void register_pcap(void)
+{
+ pcap_file_type_subtype = wtap_register_file_type_subtype(&pcap_info);
+ pcap_nsec_file_type_subtype = wtap_register_file_type_subtype(&pcap_nsec_info);
+ pcap_aix_file_type_subtype = wtap_register_file_type_subtype(&pcap_aix_info);
+ pcap_ss990417_file_type_subtype = wtap_register_file_type_subtype(&pcap_ss990417_info);
+ pcap_ss990915_file_type_subtype = wtap_register_file_type_subtype(&pcap_ss990915_info);
+ pcap_ss991029_file_type_subtype = wtap_register_file_type_subtype(&pcap_ss991029_info);
+ pcap_nokia_file_type_subtype = wtap_register_file_type_subtype(&pcap_nokia_info);
+
+ /*
+ * We now call the libpcap file format just pcap, but we allow
+ * the various variants of it to be specified using names
+ * containing "libpcap" as well as "pcap", for backwards
+ * compatibility.
+ *
+ * Register names for that purpose.
+ */
+ wtap_register_compatibility_file_subtype_name("libpcap", "pcap");
+ wtap_register_compatibility_file_subtype_name("nseclibpcap", "nsecpcap");
+ wtap_register_compatibility_file_subtype_name("aixlibpcap", "aixpcap");
+ wtap_register_compatibility_file_subtype_name("modlibpcap", "modpcap");
+ wtap_register_compatibility_file_subtype_name("nokialibpcap", "nokiapcap");
+ wtap_register_compatibility_file_subtype_name("rh6_1libpcap", "rh6_1pcap");
+ wtap_register_compatibility_file_subtype_name("suse6_3libpcap", "suse6_3pcap");
+
+ /*
+ * Register names for backwards compatibility with the
+ * wtap_filetypes table in Lua.
+ */
+ wtap_register_backwards_compatibility_lua_name("PCAP",
+ pcap_file_type_subtype);
+ wtap_register_backwards_compatibility_lua_name("PCAP_NSEC",
+ pcap_nsec_file_type_subtype);
+ wtap_register_backwards_compatibility_lua_name("PCAP_AIX",
+ pcap_aix_file_type_subtype);
+ wtap_register_backwards_compatibility_lua_name("PCAP_SS990417",
+ pcap_ss990417_file_type_subtype);
+ wtap_register_backwards_compatibility_lua_name("PCAP_SS990915",
+ pcap_ss990915_file_type_subtype);
+ wtap_register_backwards_compatibility_lua_name("PCAP_SS991029",
+ pcap_ss991029_file_type_subtype);
+ wtap_register_backwards_compatibility_lua_name("PCAP_NOKIA",
+ pcap_nokia_file_type_subtype);
+}
+
+/*
+ * Editor modelines - https://www.wireshark.org/tools/modelines.html
+ *
+ * Local variables:
+ * c-basic-offset: 8
+ * tab-width: 8
+ * indent-tabs-mode: t
+ * End:
+ *
+ * vi: set shiftwidth=8 tabstop=8 noexpandtab:
+ * :indentSize=8:tabSize=8:noTabs=false:
+ */